February 2016 Meeting
Web Defacement and Spear Phishing
Objectives
Going through a scenario from a Capture the Flag event
Using all available data and tools from a Security Onion image
Demonstrate some techniques to reverse engineer the attack
Discuss common avenues during web defacement/spear phishing
Tools used:
–Wireshark
–Network Miner
–Tshark
–StreamCarver
–Argus
–Js-Didier (spidermonkey)
–Security Onion
–Kali Linux
About the Presenter
Name: Christopher Davis
Experience:
–7 years in IT, 3 of which being Security
–DOD/Military
–Healthcare
–IT Contractor
Works for UPS as an Info-Sec Analyst.
Challenge Questions
VM/Write-up available here – –
–You will need Oracle VirtualBox to play the virtual machine
–We will be covering two incidents (Web defacement, Spear Phishing)
–I’ll present each question, my answer and how I came up with it
–There is more than one way to do this and probably more efficient ways
–If you’d like to do this yourself, you may want to leave
–I could be wrong or inaccurate
Incident 1
A Linux web server “ has been defaced ( ). The hacking team Frog Squad has claimed responsibility for the defacement that took place on Mar 12, The systems administrator has told you the defacement was a file named fr.jpg. You have been asked to investigate how the files got on the box and whatever else may have happened. You are given an image of the Security Onion IDS that was monitoring all of the traffic. You can use all tools available at your disposal and within the VM.
Let's start with the leading question
1. What IP address did the attackers use?
–Let's start with what we know:
–They uploaded fr.jpg
–The web server is pwned.se with an IP of:
Let's do a ‘frame contains fr.jpg’ display filter in Wireshark.
Attacker IP is:
What I typically do next:
With my leading information:
–Attacker
–Web server
I can use streamcarver to dump the entire conversation.
More efficient than manually viewing multiple streams in Wireshark
Requires specific Wireshark filters
Not good for encrypted traffic
Puts it in near-chronological order
Carves out HTTP files
./streamcarver.py -r ../1.0.pcap -Y "ip.addr == and ip.addr == " -p tcp -w ../1.0.dump
Questions/Answers
Using the dump from streamcarver, let's answer the remaining questions:
1.2 What type of OS is the compromised server possibly running?
1.3 What type of Content Management Server is being used?
1.4 What is the CVE for the vulnerability? CVE
How did the attacker get the fr.jpg file to the webserver?
Questions/Answers
What is Ned’s UID?
1.7 Show how the web page looked after the defacement
Before
Question/Answer
FrogSquad placed a webshell (PHP backdoor) named cm0.php. List all commands sent using the cm0 backdoor.
We could manually copy and paste each command we saw from the dump, or use tshark for efficiency:
tshark -r 1.0.pcap -Y "http and frame contains cm0.php" -T fields -e http.request.full_uri
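The tshark line above prints one request URI per line; the commands themselves are still percent-encoded inside the query string. This added example (not from the original presentation) turns such output into a decoded command log. The sample tshark output, the /uploads/ path and the cmd parameter name are constructed placeholders, not the CTF capture's real values.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of "tshark ... -T fields -e http.request.full_uri" output,
# one request per line. Path and parameter name are placeholders; the real
# capture's URIs are not reproduced here.
SAMPLE_TSHARK_OUTPUT = """\
http://pwned.se/index.php
http://pwned.se/uploads/cm0.php
http://pwned.se/uploads/cm0.php?cmd=id
http://pwned.se/uploads/cm0.php?cmd=uname+-a
http://pwned.se/uploads/cm0.php?cmd=ls%20-la%20%2Fvar%2Fwww
http://pwned.se/uploads/fr.jpg
"""


def webshell_requests(tshark_output: str, shell_name: str = "cm0.php"):
    """Return, in capture order, the percent-decoded query parameters of every
    request whose path ends in the webshell file name. A request with no query
    is kept as an empty list so the analyst still sees the shell being probed.
    Matching on the path (rather than 'frame contains') avoids hits on pages
    that merely mention cm0.php somewhere in their body."""
    seen = []
    for line in tshark_output.splitlines():
        uri = line.strip()
        if not uri:
            continue
        parts = urlsplit(uri)
        if parts.path.rsplit("/", 1)[-1] != shell_name:
            continue
        seen.append(parse_qsl(parts.query, keep_blank_values=True))
    return seen


def command_log(tshark_output: str, shell_name: str = "cm0.php"):
    """Flatten the parameters into one 'param=value' string per request, the
    form that goes straight into an incident timeline."""
    return [" ".join(f"{k}={v}" for k, v in req) or "(no parameters)"
            for req in webshell_requests(tshark_output, shell_name)]


if __name__ == "__main__":
    for entry in command_log(SAMPLE_TSHARK_OUTPUT):
        print(entry)
```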
Questions/Answers
What text was contained in the HTTP comment for the PHP webshell?
Did FrogSquad come back at a later time from the same class C IP network?
We can use Argus netflow data to determine this:
rafilteraddr -R * -v -f /usr/local/etc/ip_whitelist.txt -w - -- src net /8 and dst host | racluster -w - | rasort -m dbytes -n | head
Incident Timeline
Questions for Incident 1?
Incident 2
Ned was the victim of a Spear Phishing attack which resulted in his system being infected with CryptoLocker. Using the same Security Onion IDS VM image and any tools at your disposal, determine how it is that this happened.
Question/Answer
From which three IPs were the largest downloads made by Ned's computer ( )?
Tip: disregard downloads from Microsoft/Google/Facebook/Akamai and other common domains using /usr/local/bin/ip_whitelist.py
Once again, Argus netflow data is perfect for this task:
rafilteraddr -R * -v -f /usr/local/etc/ip_whitelist.txt -w - -- src host and not dst net /16 | racluster -w - | rasort -m dbytes -n | head
Wireshark filter for the three hosts: ip.addr == or ip.addr == or ip.addr ==
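Both Argus pipelines in this deck, the same-class-C re-visit check for Incident 1 and the largest-downloads ranking here, reduce to the same two steps: filter flows, then aggregate bytes per peer and sort. This added example (not the presentation's own code) reimplements both in Python over constructed flow records; all addresses are placeholders and the WHITELIST list stands in for /usr/local/etc/ip_whitelist.txt.

```python
import ipaddress
from collections import Counter

# Constructed flow records in the spirit of Argus "ra" output:
# (start time, src, dst, bytes sent by dst). Placeholder addresses only.
SAMPLE_FLOWS = [
    ("2015-03-12 09:58", "203.0.113.7", "192.0.2.10", 4_200),        # attacker -> web server
    ("2015-03-12 10:03", "203.0.113.7", "192.0.2.10", 61_000),
    ("2015-03-20 22:11", "203.0.113.9", "192.0.2.10", 9_500),        # same /24, a week later
    ("2015-04-07 08:15", "192.0.2.50", "198.51.100.20", 1_500_000),  # Ned -> whitelisted CDN
    ("2015-04-07 08:16", "192.0.2.50", "203.0.113.40", 820_000),     # Ned -> external hosts
    ("2015-04-07 08:16", "192.0.2.50", "203.0.113.41", 310_000),
    ("2015-04-07 08:17", "192.0.2.50", "192.0.2.1", 5_000_000),      # internal, dropped by the /16 rule
    ("2015-04-07 08:18", "192.0.2.50", "203.0.113.42", 120_000),
]
# Stands in for /usr/local/etc/ip_whitelist.txt (CDN / big-vendor ranges).
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]
# Stands in for the "not dst net /16" local-network exclusion.
LOCAL_NET = ipaddress.ip_network("192.0.0.0/16")


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def largest_downloads(flows, client, exclude_nets, n=3):
    """rafilteraddr | racluster | rasort -m dbytes in one pass: total bytes
    received by `client` from each peer, whitelisted and local peers dropped,
    largest n first."""
    totals = Counter()
    for _t, src, dst, dbytes in flows:
        if src == client and not _in_any(dst, exclude_nets):
            totals[dst] += dbytes
    return totals.most_common(n)


def same_class_c_visits(flows, attacker, server, after):
    """Flows to `server` from the attacker's /24 that start after `after`
    ("did FrogSquad come back later from the same class C?")."""
    net = ipaddress.ip_network(attacker + "/24", strict=False)
    return [(t, src, dbytes) for t, src, dst, dbytes in flows
            if dst == server and t > after and ipaddress.ip_address(src) in net]


if __name__ == "__main__":
    print(largest_downloads(SAMPLE_FLOWS, "192.0.2.50", WHITELIST + [LOCAL_NET]))
    print(same_class_c_visits(SAMPLE_FLOWS, "203.0.113.7", "192.0.2.10", "2015-03-12 23:59"))
```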
Question/Answer
Are the files downloaded from ( ) malicious? Present the VirusTotal output.
Carve the file a little bit smaller so that it is easier to deal with.
–tcpdump -nnr 2.0Fixed.pcap -w ./carved.pcap host and host
–wireshark -> export -> http -> save as dump
VirusTotal analysis pages:
– 86de1a36c7a74d9f7/analysis/
– d8fa7e4f99c82f05/analysis/
– c5130dc7fd50/analysis/
Question/Answer
Does the HTML page downloaded from look legitimate?
Once again, we can carve it smaller and then export the page:
tcpdump -nnr 2.0Fixed.pcap -w ./carved.pcap host and host
Then we run it through NetworkMiner (Wireshark fails to carve this properly)
Question/Answer
Did the download from 1.webcounter.info ( ) use HTTP, SSL or something else?
Let's look at the conversation in Wireshark: ip.addr == and ip.addr ==
Question/Answer
Forensics of Ned's computer ( ) indicates that the first infection came from "Delivery_Notification_ zip", on
How was this delivered to Ned’s computer?
frame contains 832.zip
Follow the first stream -> find 832.zip
Copy and then paste via nano into a file (dump into Notepad first)
cat base64.txt | base64 -d > doc.zip
Unzip the file to get the JavaScript
This was delivered via POP (port 110)
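The copy-into-nano, base64 -d, unzip sequence above is exactly what the mail parser in the standard library does when handed the message body from the POP3 stream. This added example (not part of the original presentation) builds a constructed sample message with a zip attachment, decodes the attachment, checks the zip magic and flags script members; the file names and addresses are placeholders, not the CTF's real attachment.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def build_sample_message() -> bytes:
    """Constructed sample mail: a zip attachment that holds a .js file.
    Names are placeholders, not the CTF's real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample_doc.js", "// constructed sample, no real payload\n")
    msg = EmailMessage()
    msg["From"] = "courier@example.invalid"
    msg["To"] = "ned@example.invalid"
    msg["Subject"] = "Delivery Notification"
    msg.set_content("Your parcel could not be delivered; see the attached notice.")
    # add_attachment base64-encodes binary content, as the phishing mail did
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="sample_notification.zip")
    return msg.as_bytes()


def extract_attachments(raw: bytes):
    """Decode every attachment of an RFC 822 message (what a POP3 RETR returns
    once the +OK line and the terminating '.' are stripped). Replaces the
    manual 'paste into nano, base64 -d' step. Returns [(filename, bytes)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]


def triage_zip(data: bytes):
    """Confirm the zip magic, then list members and flag script extensions,
    the tell-tale of a script dropper like the one that fetched CryptoLocker.
    Returns None when the bytes are not a zip (e.g. a decode went wrong)."""
    if not data.startswith(ZIP_MAGIC):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(name, name.lower().endswith(SCRIPT_EXTS)) for name in zf.namelist()]


if __name__ == "__main__":
    for name, blob in extract_attachments(build_sample_message()):
        print(name, triage_zip(blob))
```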
Answers/Questions
Deobfuscate the JavaScript in Delivery_Notification_ doc.js. Where does this download additional malware from?
–REMnux has a version of SpiderMonkey that can do this, called js-didier
mybusinessdoc.com, nursealarmsystems.com and carina-pairs-hotel.com
Incident Timeline – April 7, 2015
Ned's computer ( ) downloads the spear phishing message
–Contains malware to download more malware.
Malware is downloaded from mybusinessdoc.com and others
–CryptoLocker is downloaded and encrypts Ned's machine
Ned’s machine is pwned.
Questions?