Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks
Objectives After completing this chapter, you should be able to: Recognize the indications of a Web attack Understand the different types of Web attacks Understand and use Web logs Investigate Web attacks Investigate FTP servers Investigate IIS logs 2
Objectives After completing this chapter, you should be able to (cont d): Investigate Web attacks in Windows-based servers Recognize Web page defacement Investigate DNS poisoning Investigate static and dynamic IP addresses Protect against Web attacks Use tools for Web attack investigations 3
Introduction to Investigating Web This chapter: Attacks Discusses the various types of attacks on Web servers and applications Covers how to recognize and investigate attacks, what tools attackers use, and how to proactively defend against attacks 4
Indications of a Web Attack Indications include: Customers being unable to access any online services (possibly due to a denial-of-service attack) Correct URLs redirecting to incorrect sites Unusually slow network performance Frequent rebooting of the server Anomalies in log files Error messages such as 500 errors, internal server error, and problem processing your request 5
Types of Web Attacks Cross-site scripting (XSS) attack Cross-site request forgery (CSRF) SQL injection Code injection Command injection Parameter tampering Cookie poisoning Buffer overflow Cookie snooping 6
Types of Web Attacks DMZ protocol attack Zero-day attack Authentication hijacking Log tampering Directory traversal Cryptographic interception URL interpretation Impersonation attack 7
Cross-Site Scripting (XSS) Cross-site scripting (XSS) Application-layer hacking method used for hacking Web applications Occurs when a dynamic Web page gets malicious data from the attacker and executes it on the user s system XSS attacks can be either stored or reflected 8
Cross-Site Scripting (XSS) Investigating cross-site scripting (XSS) There is a chance that an XSS attacker may use HTML formatting tags Rather than using text for those tags, the attacker may use the hex equivalent to hide the code Regular expressions can be used to detect attacks 9
Cross-Site Scripting (XSS) Table 3-1 These parts of the expression check for various characters and their hex equivalents 10
Cross-Site Request Forgery (CSRF) Attacker forces the victim to submit the attacker s form data to the victim s Web server Attacker creates the host form, containing malicious information, and sends it to the authenticated user User fills in the form and sends it to the server Because the data is coming from a trusted user, the Web server accepts the data Pen-testing CSRF validation fields Before filing the form, it is necessary to confirm that the form is validated before reaching the server 11
SQL Injection Attacks Occurs when an attacker passes malicious SQL code to a Web application Data is placed into an SQL query without being validated for correct formatting Example: Set myrecordset = myconnection.execute( SELECT * FROM mytable WHERE sometext & blah or 11 -- & ) Statement always evaluates as true and returns the record set 12
SQL Injection Attacks Investigating SQL injection attacks Locations to look for evidence of SQL injection attacks: IDS log files Database server log files Web server log files 13
Code Injection Attack When a user sends any application to the server An attacker hacks application and adds malicious code, such as shell commands or PHP scripts Investigating code injection attacks Intrusion detection systems (IDS) and a series of sandbox execution environments provided by the OS detect code injection attacks IDS transfers suspicious packets payload to the execution environment matching the packets destination Packet payload is then executed in the corresponding monitored environment 14
Parameter Tampering Figure 3-1 An attacker can change the parameters in a URL to gain unauthorized access 15
Cookie Poisoning Attacker modifies the contents of a cookie to steal personal information about a user or defraud Web sites Investigating cookie poisoning attacks Intrusion prevention products must be used Trace the cookie s set command given by the Web server Catch every HTTP request sent to the Web server and compares any cookie information sent with all stored cookies 16
Buffer Overflow If a program stores more data in a buffer than it can handle Buffer will overflow and spill data into a completely different buffer, overwriting or corrupting the data currently in that buffer Detecting buffer overflows Nebula (NEtwork-based BUffer overflow Attack detection) detects buffer overflow attacks by monitoring the traffic of the packets into the buffer without making any changes to the end hosts 17
Cookie Snooping Attacker steals a victim s cookies, possibly using a local proxy, and uses them to log on as the victim 18
DMZ Protocol Attack DMZ Protocol Attack DMZ (demilitarized zone) Semitrusted network zone that separates the untrusted Internet from the company s trusted internal network To enhance the security of the DMZ and reduce risk, most companies limit the protocols allowed to flow through their DMZ 19
Zero-Day Attack Exploit previously unknown vulnerabilities They are especially dangerous because preventative measures cannot be taken in advance To minimize damage Important to apply patches as soon as they are released 20
Authentication Hijacking To identify users, personalize content, and set access levels, many Web applications require users to authenticate Authentication hijacking can lead to theft of services, session hijacking, user impersonation, disclosure of sensitive information, and privilege escalation Investigating authentication hijacking Check if the Web browser remembers the password See if the user forgot to log off after using the application 21
Log Tampering Web applications maintain logs to track the usage patterns of an application In order to cover their tracks, attackers will often delete logs, modify logs, change user information, and otherwise destroy evidence of the attack 22
Directory Traversal Also known as a forceful browsing attack Occurs when an attacker is able to browse for directories and files outside normal application access Attackers can do the following: Enumerate contents of files and directories Access pages that otherwise require authentication Gain secret knowledge of the application and its construction Discover user IDs and passwords buried in hidden files 23
Cryptographic Interception Disclosure of private keys and certificates gives an attacker the ability to read, and modify, a hitherto private communication An attacker able to intercept cryptographically secured messages can read and modify sensitive, encrypted data 24
URL Interpretation Attack Attacker takes advantage of different methods of text encoding, abusing the interpretation of a URL URLs used for this type of attack typically contain special characters that require special syntax handling for interpretation 25
Impersonation Attack Attacker spoofs Web applications by pretending to be a legitimate user Attacker enters the session through a common port as a normal user, so the firewall does not detect it 26
Overview of Web Logs Source, nature, and time of attack can be determined by analyzing the log files of the compromised system Log files have HTTP status codes that are specific to the types of incidents Table 3-3 Status codes are three digit numbers divided into five categories 27
Overview of Web Logs Log security Web servers that run on IIS or Apache run the risk of log file deletion by any attacker who has access to the Web server because the log files are stored on the Web server itself Network logging is the preferred method for maintaining the logs securely 28
Overview of Web Logs Log file information When investigating log files, the information is stored in a simple format with the following fields: Time/date Source IP address HTTP source code Requested resource 29
Investigating a Web Attack Steps: Analyze the Web server, FTP server, and local system logs to confirm a Web attack Check log file information Identify the nature of the attack Check if someone is trying to shut down the network Localize the source Use the firewall and IDS logs to identify the source of attack 30
Investigating a Web Attack Steps (cont d): Block the attack Disconnect compromised systems from the network Initiate an investigation from the IP address Example of FTP compromise Before making an attempt to compromise FTP, an intruder performs port scanning After doing port scanning, the attacker connects to FTP 31
Investigating a Web Attack Investigating FTP logs IIS keeps track of hosts that access the FTP site In Windows, the rule is to ensure continuity in the logs Another rule is to ensure that logs are not modified in any way after they have been originally recorded 32
Investigating FTP Servers FTP servers providing service to an internal network are not immune to attack Administrators should establish access controls Defensive measures include the following: Protection of the server file system Isolation of the FTP directories Creation of authorization and access control rules Regular review of logs Regular review of directory content to detect unauthorized files and usage 33
Investigating IIS Logs IIS logs all visits in log files, located in <%systemroot%>\logfiles If proxies are not used, then the IP can be logged The following URL lists the log files: http://victim.com/scripts/..%c0%af../..%c0%af../..%c0 %af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../.. %c0%af../winnt/system32/cmd.exe?/c+dir+c:\winnt\ system32\logfiles\w3svc1 34
Investigating Apache Logs Apache server has two logs: the error log and the access log Apache server saves diagnostic information and error messages that it encounters while processing requests in the error logs Format of the error log is descriptive Requests processed by the Apache server are contained in the access log By default, access logs are stored in the common.log format 35
Investigating Web Attacks in Windows- Steps: Run Event Viewer Based Servers Check for suspicious events Look for a large number of failed logon attempts or locked-out accounts Look at file shares Look at which users have open sessions Look at which sessions the machine has opened with other systems Look at NetBIOS over TCP/IP activity 36
Investigating Web Attacks in Windows- Steps: (cont d) Based Servers Look for unusual listening TCP and UDP ports Look for unusual tasks on the local host Look for new accounts in the administrator group Look for unexpected processes by running the Task Manager Look for unusual network services Check file space usage to look for a sudden decrease in free space 37
Web Page Defacement Unauthorized modification to a Web page leads to Web page defacement Requires write-access privileges in the Web server root directory Web page defacements are the result of the following: Weak administrator password Application misconfiguration Server misconfiguration Accidental permission assignment 38
Web Page Defacement Attacker can compromise the authoritative domain name server for a Web server By redirecting DNS requests for a Web site to the attacker s defaced Web site Investigating DNS poisoning (steps) Start a packet sniffer, such as Wireshark Capture DNS packets Identify the IP being used to resolve the domain name 39
Web Page Defacement Investigating DNS poisoning (cont d) Start investigating the IP. Try to determine who owns it and where it is located Do a WHOIS lookup of the IP 40
Intrusion Detection A technique that detects inappropriate, incorrect, or anomalous activity in a system or network Two types of intrusion detection: Host-based IDS the IDS analyzes each system s behavior Network-based IDs checks every packet entering the network for the presence of anomalies and incorrect data Intrusion prevention system (IPS) monitors attacks and actively prevents attacks 41
Security Strategies for Web Strategies include: Applications Respond quickly to vulnerabilities Earlier detected vulnerabilities should be solved and fixed Pen-test the applications Check for flaws in security through IDS and IPS tools Improve awareness of good security 42
Investigating Static and Dynamic IP Addresses DHCP log file stores information regarding the IP address allocated to a particular host at a particular time Static IP address of a particular host can be found with the help of tools such as Nslookup, WHOIS, Traceroute, ARIN, and NeoTrace 43
Checklist for Web Security Make sure user accounts do not have weak or missing passwords Block unused open ports Check for various Web attacks Check whether IDS or IPS is deployed Use a vulnerability scanner to look for possible intrusion areas Test the Web site to check whether it can handle large loads and SSL (if it is an e-commerce Web site) Document the list of techniques, devices, policies, and necessary steps for security 44
Tools for Web Attack Investigations Analog Deep Log Analyzer AWStats Server Log Analysis WebLog Expert AlterWind Log Analyzer N-Stealth Acunetix Web Vulnerability Scanner dotdefender 45
Tools for Web Attack Investigations Figure 3-2 Deep Log Analyzer is designed specifically for small and medium-sized sites 46
Tools for Web Attack Investigations AppScan AccessDiver WebWatchBot Paros HP WebInspect keepni N-Stalker Web Application Security Scanner Scrawlr Exploit-Me 47
Tools for Locating IP Addresses Nslookup Queries DNS information for host name resolution N-Stalker Web Application Security Scanner Offers a complete suite of Web security assessment checks to enhance the overall security of Web applications against vulnerabilities and attacks Traceroute Utility that can detail the path IP packets travel between two systems Can trace the number of routers packets travel through and time it takes to travel between them 48
Tools for Locating IP Addresses WHOIS Format to conduct a query from the command line: whois h <host name> <identifier> Hide Real IP Automatically locates anonymous proxy servers and routes Internet traffic through them so the user s IP is invisible www.whatismyip.com Can be used to see a computer s external IP address 49
Tools for Locating IP Addresses Whois Lookup An online tool offering both WHOIS lookup and domain name search SmartWhois A WHOIS tool with lots of features ActiveWhois A WHOIS program that has a WHOIS-hyperlink feature, allowing users to browse its results 50
Tools for Locating IP Addresses LanWhosIs Saves its results in HTML files for later viewing in Web browsers CountryWhois A WHOIS program focused on determining the geographic location of an IP address IP2country A lightweight tool for determining the geographical location of an IP address or host 51
CallerIP Tools for Locating IP Addresses Reports the IP address of any computer connected to the current system Can also run a trace on that IP address Whois.Net Another online WHOIS tool 52
Summary Cross-site scripting (XSS or CSS) is an applicationlayer hacking technique SQL injection involves passing SQL code not created by the developer into an application Cookie poisoning is the process of tampering with the values stored in cookies The source, nature, and time of an attack can be determined by analyzing the log files of the compromised system 53
Summary FTP server vulnerabilities allow an attacker to directly compromise the system hosting the FTP server Web page defacement requires write access privileges in the Web server root directory Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity 54