Sharkin': Using Wireshark to find evil in packet captures
Ben S. Knowles, @adricnet (BBST, CISSP, GCIA, GCIH, GNFA, GSEC, LPIC-1, et cetera)
Packet Captures
● Recordings of Internet(work) activity
● Often used by analysts and researchers
What can you quickly find out from a pcap?
Buy the official Three Investigators Cluedo (auf Deutsch) at http://www.eastforkids.com/
pcaps: quick answers
Basic packet analysis should find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
Adds up to a characterization of the traffic and a possible story it tells:
● Who?, Did What?, When?, To Whom? (Cluedo questions)
● What is the significance (so what)? (CISO questions)
● What should someone do about it? (actionable intelligence)
IDS: a source of packets for analysis
● Network Intrusion Detection Systems (NIDS):
– Bro IDS, Snort, Suricata, RealSecure, McAfee NSM
● Alert on traffic that matches signature rules (Snort, Suricata et al)
– Or log and notify based on policy (Bro IDS)
● Alerts are displayed in consoles:
– MSSP Portal, ELSA, sguil, Snorby, SiteProtector, EPO
● Consoles display many event details
– And (usually) give you the option to pull a pcap file
● Some shops have dedicated packet capture technology
– Solera, NetWitness, Moloch, SecurityOnion
Wireshark: about
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
(from: https://wireshark.org/about.html)
Looks a bit like this –>
Packet analysis tips: safety and accuracy
● Get offline!
– Isolate your analysis environment for safety and cleaner results
● Disable lookups in your tools
– tcpdump -nn
– Wireshark: uncheck in View / Name Resolution
● Keep your analysis tools updated!
– Analysis tools are a juicy target for attackers.
– File and protocol parsers are a constant source of vulnerabilities
● No captures on production networks or other people's networks!
– Check with your boss / client / spouse / lawyer before capturing traffic.
● Double-check those timezones again.
– Most computer systems record time in UTC no matter where they are.
Packets! Let's get some packets and take a look!
PCAP files are at: http://www.atlbbs.com/sharkin/
Snorby: a few events
Snorby: id check returned root : testmy-handout.pcap
testmy-handout.pcap: questions
Let's find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
Adds up to a characterization of the traffic and a possible story it tells:
● Who?, Did What?, When?, To Whom? (Cluedo questions)
● What is the significance (so what)? (CISO questions)
● What should someone do about it? (actionable intelligence)
Wireshark tricks: Statistics Summary
In Wireshark menu:
Statistics / Summary
Gives capture times and packet statistics
Similar output to the capinfos command-line tool
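Statistics / Summary and capinfos read the file-level facts out of the capture. As an added example (not code from the talk, from Wireshark or from capinfos), the following Python reads a classic pcap file image and reports the same facts: link type, packet and byte counts, first and last packet time, and duration. The functions build_pcap, read_pcap, summarize and render_at and the two dummy frames are this example's own constructions. Timestamps are rendered in UTC explicitly, and render_at shows the same instant relabelled for a different zone, which is the timezone trap the tips slide warns about: the file stores epoch seconds, and whatever tool displays them chooses the zone.

```python
# Added example, not from the slide deck: a small classic-pcap reader that reports
# what Wireshark's Statistics / Summary (or capinfos) reports.  pcap stores epoch
# seconds, so the display tool, not the file, picks the timezone; render_at() shows
# the same instant in another zone to make that visible.
import struct
from datetime import datetime, timedelta, timezone

MAGIC_US, MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D   # microsecond / nanosecond timestamp resolution

def build_pcap(records, linktype=1, nanos=False, big_endian=False):
    """Construct a pcap file image from (epoch_seconds, frame_bytes) pairs (test data only)."""
    e = ">" if big_endian else "<"
    scale = 1_000_000_000 if nanos else 1_000_000
    out = struct.pack(e + "IHHiIII", MAGIC_NS if nanos else MAGIC_US, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in records:
        secs = int(ts)
        frac = int(round((ts - secs) * scale))
        out += struct.pack(e + "IIII", secs, frac, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse the global header and records: (linktype, [(timestamp, frame, original_len), ...])."""
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le in (MAGIC_US, MAGIC_NS):
        e = "<"
    elif magic_le in (0xD4C3B2A1, 0x4D3CB2A1):      # the same magics written big-endian
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt)")
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(e + "IHHiIII", data[:24])
    divisor = 1e9 if magic == MAGIC_NS else 1e6
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec + frac / divisor, frame, orig))
        off += 16 + incl
    return linktype, records

def to_utc(ts):
    """Render an epoch timestamp unambiguously, in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def render_at(ts, utc_offset_hours):
    """Same instant, relabelled for a fixed-offset zone: only the wall-clock text changes."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz=tz).strftime("%Y-%m-%d %H:%M:%S %z")

def summarize(data):
    """capinfos-style summary of a pcap file image."""
    linktype, records = read_pcap(data)
    if not records:
        return {"linktype": linktype, "packets": 0, "bytes": 0,
                "first_utc": None, "last_utc": None, "duration_s": 0.0}
    times = [ts for ts, _, _ in records]
    return {
        "linktype": linktype,
        "packets": len(records),
        "bytes": sum(len(f) for _, f, _ in records),
        "first_utc": to_utc(min(times)),
        "last_utc": to_utc(max(times)),
        "duration_s": max(times) - min(times),
    }

# Constructed sample: two dummy frames 2.5 s apart, starting at epoch 1400000000.
SAMPLE_RECORDS = [(1400000000.0, b"\x00" * 60), (1400000002.5, b"\x00" * 74)]
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PCAP).items():
        print("%-10s %s" % (key, value))
    print("first packet rendered at UTC-4:", render_at(SAMPLE_RECORDS[0][0], -4))
```

Running it prints the first packet as 16:53:20 UTC and then the same packet as 12:53:20 -0400: the capture has not changed, only the label. When an analyst's notes and the IDS console disagree by a few hours, this is usually why.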
testmy-handout.pcap: answers
● Root user is super admin on UNIX systems
● This suggests an attacker has gotten remote root
● Game over?
Found at anvari.org
Snorby: Wordpress login: ptmag-login.pcap
ptmag-login.pcap: questions
Let's find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
Adds up to a characterization of the traffic and a possible story it tells:
● Who?, Did What?, When?, To Whom? (Cluedo questions)
● What is the significance (so what)? (CISO questions)
● What should someone do about it? (actionable intelligence)
Wireshark tricks: filters
● Powerful filters let us sift and sort through captures
● Color highlighting for syntax check
● Suggestions help you pick fields
● Use what you already know
● To find what you are looking for faster
Wireshark tricks: display filters
From the alert we already know several things, and each of them can be a filter that sifts the packets down:
● Protocols:
– TCP/IP (2445)
– HTTP (2445)
● Hosts
– 192.168.15.105 (1082)
– & 79.125.109.24 ?
● Applications:
– PenTestMag site (73)
– HTML form (1)
– WordPress blog (1)
research: reproduce it and pcap it, search pcaps ...
## check my tcpdump settings with a live capture (-nn: no name or port lookups, as per the tips) ##
sudo tcpdump -nn -i en0 -v 'host 79.125.109.24'
## verified, capture session to a file ##
sudo tcpdump -nn -i en0 -w ptmag.pcap 'host 79.125.109.24'
Offstage: login to suspect site again in browser, then
## read back the capture file and dump hex+ASCII text to another file (stderr stays on the terminal) ##
tcpdump -nn -r ptmag.pcap -X 2>&1 > outfile.txt
## Look for suspicious strings in the output; grep -c counts the matching lines ##
grep -c Password outfile.txt ; grep Password outfile.txt
grep -c adricnet outfile.txt ; grep adricnet outfile.txt
Much easier in Wireshark: Find Packet
● Edit / Find Packet
● By: String
● Search in: Packet bytes
ptmag-login.pcap: answers
Seems our subject web magazine isn't handling logins properly.
● SSL/TLS should be used for all logins and all login pages.
● Especially for public and commercial sites (this one is both).
We should verify this, and then maybe send them a nice note about this after the brownbag is over.
Found on InfoSec Reactions, a very silly place.
pcaps from ATTACK research ;)
Trying out some IE8 attacks on a WinXP VM on my Mac at home
Packets captured to file:
msf_ie0day_winxpsp3.pcap
Zipped: infected
msf_ie0day_winxpsp3.pcap
msf_ie0day_winxpsp3.pcap: questions
Let's find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
Adds up to a characterization of the traffic and a possible story it tells:
● Who?, Did What?, When?, To Whom? (Cluedo questions)
● What is the significance (so what)? (CISO questions)
● What should someone do about it? (actionable intelligence)
Wireshark tricks: Conversations
In Wireshark menu:
Statistics / Conversations
Shows all network flows at multiple layers:
● Ethernet
● IP
● TCP
Wireshark tricks: Follow Stream
In Conversations panel:
Select a line and
Follow Stream
Wireshark tricks: Evil found!
This is a Windows Executable.
Attacker is delivering a payload to the victim host.
This is pretty bad.
In Wireshark you can Save As from the Follow Stream window to pull the file contents out for analysis or reverse engineering (RE).
Congratulations, you found some evil with Wireshark!
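The steps of the walkthrough, done in code rather than in the GUI, as an added example that is not part of the talk and not Wireshark's own code: dissect() pulls the Ethernet, IPv4 and TCP fields out of a frame; filter_frames() is the display-filter step; conversations() is Statistics / Conversations at the three layers the slide lists; follow_stream() is Follow TCP Stream, with segments reordered by sequence number and retransmissions dropped; and inspect_stream() looks for the two findings above, the "Password" string that the grep step hunted for in a cleartext HTTP POST, and a Windows executable (MZ header) arriving in a response body. The two addresses 192.168.15.105 and 79.125.109.24 are the ones on the display-filter slide; the 10.0.2.x addresses, MAC addresses, host name, user name, password and the stub executable bytes are all constructed here, and the whole capture is built inline so nothing needs to be downloaded.

```python
# Added example, not from the slide deck: display filter, Conversations, Follow Stream
# and the two findings (cleartext password, MZ header) over constructed frames.
import struct
from collections import Counter

def ip2b(s):
    return bytes(int(x) for x in s.split("."))

def build_frame(src_mac, dst_mac, src, dst, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame (PSH+ACK, checksums zero); src/dst are (ip, port)."""
    (src_ip, sport), (dst_ip, dport) = src, dst
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip2b(src_ip), ip2b(dst_ip))
    return eth + ip + tcp

def dissect(frame):
    """Fields of an Ethernet/IPv4/TCP frame, or None for anything else (ARP, IPv6, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    payload = frame[t + (off_flags >> 12) * 4:14 + total_len]
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "seq": seq, "payload": payload}

def filter_frames(frames, **wanted):
    """Display-filter equivalent: keep frames whose dissected fields equal every given value."""
    return [f for f in map(dissect, frames)
            if f and all(f.get(k) == v for k, v in wanted.items())]

def conversations(frames):
    """Packet counts per endpoint pair at each layer; pairs are unordered, as in Wireshark."""
    tables = {"Ethernet": Counter(), "IP": Counter(), "TCP": Counter()}
    for f in filter(None, map(dissect, frames)):
        tables["Ethernet"][frozenset((f["src_mac"], f["dst_mac"]))] += 1
        tables["IP"][frozenset((f["src_ip"], f["dst_ip"]))] += 1
        tables["TCP"][frozenset(((f["src_ip"], f["sport"]), (f["dst_ip"], f["dport"])))] += 1
    return tables

def follow_stream(frames, client, server):
    """Reassemble both directions of one TCP conversation; client/server are (ip, port)."""
    segments = {"client": {}, "server": {}}
    for f in filter(None, map(dissect, frames)):
        ends = ((f["src_ip"], f["sport"]), (f["dst_ip"], f["dport"]))
        side = "client" if ends == (client, server) else "server" if ends == (server, client) else None
        if side and f["payload"]:
            segments[side].setdefault(f["seq"], f["payload"])   # first copy wins: drops retransmits
    return {side: b"".join(p for _, p in sorted(segs.items())) for side, segs in segments.items()}

CREDENTIAL_KEYS = (b"pwd=", b"password=", b"pass=", b"passwd=")

def inspect_stream(stream):
    """Findings on a reassembled stream: cleartext credentials in a POST, executable in the reply."""
    findings = []
    req_head, _, req_body = stream["client"].partition(b"\r\n\r\n")
    if req_head.startswith(b"POST ") and any(k in req_body.lower() for k in CREDENTIAL_KEYS):
        findings.append("credential field in cleartext HTTP POST")
    _resp_head, _, resp_body = stream["server"].partition(b"\r\n\r\n")
    if resp_body.startswith(b"MZ"):
        findings.append("response body is a Windows executable (MZ header)")
    return findings

# --- constructed capture: a cleartext WordPress-style login, then a download of an executable ---
CLIENT, SITE = ("192.168.15.105", 51234), ("79.125.109.24", 80)      # addresses from the filter slide
VICTIM, ATTACKER = ("10.0.2.15", 49201), ("10.0.2.2", 8080)          # constructed lab addresses
LOGIN_HDR = (b"POST /wp-login.php HTTP/1.1\r\nHost: magazine.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n")
LOGIN_BODY = b"log=exampleuser&pwd=placeholderpw"                     # placeholder credentials
EXE_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
EXE_BODY = b"MZ\x90\x00" + b"\x00" * 12                               # stub DOS header, not a real binary
M1, M2, M3, M4 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:11", "02:00:00:00:00:22"
FRAMES = [
    build_frame(M1, M2, CLIENT, SITE, 1000 + len(LOGIN_HDR), LOGIN_BODY),   # body captured first
    build_frame(M1, M2, CLIENT, SITE, 1000, LOGIN_HDR),
    build_frame(M1, M2, CLIENT, SITE, 1000 + len(LOGIN_HDR), LOGIN_BODY),   # retransmission
    build_frame(M2, M1, SITE, CLIENT, 5000, b"HTTP/1.1 302 Found\r\nLocation: /wp-admin/\r\n\r\n"),
    build_frame(M3, M4, VICTIM, ATTACKER, 2000, b"GET /download HTTP/1.1\r\nHost: 10.0.2.2\r\n\r\n"),
    build_frame(M4, M3, ATTACKER, VICTIM, 9000, EXE_HDR),
    build_frame(M4, M3, ATTACKER, VICTIM, 9000 + len(EXE_HDR), EXE_BODY),
    bytes.fromhex("ffffffffffff0200000000000806") + b"\x00" * 28,          # ARP frame: ignored
]

if __name__ == "__main__":
    for layer, table in conversations(FRAMES).items():
        print(layer, dict(table))
    for name, ends in (("login", (CLIENT, SITE)), ("download", (VICTIM, ATTACKER))):
        print(name, inspect_stream(follow_stream(FRAMES, *ends)))
```

The reordering and de-duplication in follow_stream are what make the grep step on the earlier slide unreliable on raw tcpdump -X output: a password split across two segments, or a header retransmitted, will not grep cleanly, while the reassembled stream does. For the download, the MZ check is deliberately on the body after the blank line, not on the whole response, so an executable served with a misleading Content-Type is still caught.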
Next Steps?
Wireshark, analysis books:
● The Practice of Network Security Monitoring http://nostarch.com/nsm
● Practical Packet Analysis, 2nd Ed http://nostarch.com/packet2.htm
● Wireshark 101 http://www.wiresharkbook.com/
Network analysis, forensics courses:
● OST PCAP
– http://opensecuritytraining.info/Pcap.html
● SANS SEC503, GCIA
– https://www.sans.org/course/intrusion-detection-in-depth
● SANS FOR572, GNFA
– https://www.sans.org/course/advanced-network-forensics-analysis
References
Slide deck, pcaps, and links available online:
http://f.adric.net/index.cgi/wiki?name=Sharkin