Web Security Project

Web Security Project

Web Security ProjectCreating an anonymous proxy server to monitor andAnalyze new web based attacks

Mentors: Amichai ShulmanEldad Chai

Students:Nadav AmitDani Daniel1Main Goals 1. Being able to log real malicious web based attacks. 2. Identify new malicious web attacks. 3. Determine which attacks are in common use in order to be able to focus on defending against them.

Main Objectives 1. Creating a working stable anonymous proxy server that can log real web based attacks Web hackers usually use anonymous servers to avoid getting detected.2. Creating a tool that can analyze the logs in order to detect patterns of web based attacks and create statistics of common used attacks. Project Goals & Objectives2

Proxy ServerOn VMWareHoney PotMachine

Computer AComputer BHacker

Web ServerProject Architecture

Data Search & Index Tool

3

Highly Anonymous Proxy

4Architecture Components1. Proxy Server Unix based machine Installed on a VMWare machine (easy to reconstruct if attacked)Based on a Privoxy server, writes all connections logs to local files. The server also runs an FTP server to allow easy extraction of data.GeoIP API is used to analyze the source IP of attackers Encoding of low ascii characters is preformed to help attack analyzing (like EOF etc.). Cron job for archiving the logs2. Backup AgentCobian BackupUnzip script

3. Splunk Data indexing and search toolEnables logging of known attacksEnables query and analysis of accessesFields and tags were created in order to allow easy data extraction.

5Samples Of IdentifiedMaliciousWeb Attacks6Attack Purpose retrieve Yahoo login credentials.

Attack Scenario- Around the world there are many Yahoo severs (to allow share loading, backup etc..), The communication Between these servers is done through a web API.

Yahoo Brute Force Attack

Hackers use this interfaceTo impersonate servers and Retrieve users credentials!

7How Is It Done?If you just try to login to yahoo too many times you will be requested to decode a Captcha, But if you just use the following API /config/isp_verify_user?l=&p=Against a yahoo server you can verify that a certain username exists, and than brute force to verify Which password grants access to the account.

For Example - http://124.108.120.50/config/isp_verify_user?l=israel&p=israeli

Attack Method using anonymous proxies to try logging in with multiple use names and passwords on Yahoo servers. Since there are many Yahoo servers around the world which are not synchronized, it is possible to try many of them. In addition, once you add Proxy servers into the equation (by multiplying) - you get even more

YahooBrute Force Attack8

YahooBrute Force Attack

Many tools to do so using with and without proxies:

9Yahoo Brute Force Attack

This diagram demonstrates the amount of attempts through our proxy in a 10 day period.This is only from our proxy!

In Blue successful attacks

In Red response 999, meaning the server detected the attack.edit.yahoo.comlogin.yahoo.comedit.europe.yahoo.comedit.in.yahoo.come4.edit.cnb.yahoo.come3.yahoo.co.kredit.vip.tpe.yahoo.coml30.login.scd.yahoo.come3.member.ukl.yahoo.come1.member.ukl.yahoo.come2.member.ukl.yahoo.come4.member.ukl.yahoo.come5.member.ukl.yahoo.come6.member.ukl.yahoo.comsbc1.login.dcn.yahoo.come3.edit.cnb.yahoo.coml2.login.dcn.yahoo.coml3.login.dcn.yahoo.com

l4.login.dcn.yahoo.coml5.login.dcn.yahoo.coml6.login.dcn.yahoo.coml7.login.dcn.yahoo.coml8.login.dcn.yahoo.coml9.login.dcn.yahoo.coml10.login.dcn.yahoo.coml11.login.dcn.yahoo.coml12.login.dcn.yahoo.coml13.login.dcn.yahoo.coml14.login.dcn.yahoo.coml15.login.dcn.yahoo.coml16.login.dcn.yahoo.coml18.login.dcn.yahoo.coml19.login.dcn.yahoo.coml20.login.dcn.yahoo.coml22.login.dcn.yahoo.coml23.login.dcn.yahoo.com

l29.login.dcn.yahoo.coml30.login.dcn.yahoo.comsbc1.login.vip.dcn.yahoo.come1.edit.vip.sc5.yahoo.coml1.login.scd.yahoo.coml2.login.scd.yahoo.coml3.login.scd.yahoo.coml4.login.scd.yahoo.coml5.login.scd.yahoo.coml6.login.scd.yahoo.coml7.login.scd.yahoo.coml8.login.scd.yahoo.coml9.login.scd.yahoo.coml10.login.scd.yahoo.coml11.login.scd.yahoo.coml12.login.scd.yahoo.coml13.login.scd.yahoo.coml15.login.scd.yahoo.com

10Typical Attack headers - Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 24.86.107.62Country: CanadaGET /config/isp_verify_user?l=hu.&p=lillian HTTP/1.0Host: 203.212.170.100Referer:http://203.212.170.100Accept-Language: enX-Forwarded-For:77.125.93.72:8118,yahoo.comCookie: Y=v=1-;Connection: close

Jun 06 12:22:06.292 b34afb90 Analysis: ip: 201.68.195.20Country: BrazilGET /config/isp_verify_user?l=angel_annabel&p=2020 HTTP/1.0Host: 124.108.120.50YahooRemoteIP: 217.12.5.161Referer:http://124.108.120.50Accept-Language: enConnection: CloseX-Forwarded-For: 69.147.112.216,google.comAccept: */*

Jun 06 12:22:10.483 a7497b90 Analysis: ip: 75.184.119.157Country: United StatesGET /config/login?.patner=sbc&login=david+2&passwd=flag&.save=1 HTTP/1.0Connection: closeAccept: */*Accept: -Language: enHost:l05.member.re3.yahoo.comYahoo Brute Force Attack11Attack Description

The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response

Typical Attack headers

May 30 00:03:58.496 73c84b90 Analysis: ip: 89.149.242.190ICountry: GermanyGET /lnv/viewHTTP/1.1%20200%20OK%0D%0ADate:%20Sat,%2030%20May%202009%2003:54:07%20GMT%0D%0AServer:%20Apache/1.3.28%20(Unix)%20PHP/4.3.4%0D%0AX-Powered-By:%20PHP/4.3.4%0D%0ASet-Cookie:%20PHPSESSID=6019eb9689437d8b69f93967be7544a9;%20path=/;%20domain=.sundojungmil.co.kr%0D%0AExpires:%20Thu,%2019%20Nov%201981%2008:52:00%20GMT%0D%0ACache-Control:%20no-store,%20no-cache,%20must-revalidate,%20post-check=0,%20pre-check=0%0D%0APragma:%20no-cache%0D%0AConnection:%20close%0D%0ATransfer-Encoding:%20chunked%0D%0AContent-Type:%20text/html%0D%0A%0D%0Ae3d%0D%0A%0D%0A%3Cscript%20language= HTTP/1.1Connection: closeHost: forums.lenovo.comResponse Splitting Attack12Attack Description

Taking advantage of a security vulnerabilitytypically found inweb applicationswhich allowcode injectionby malicious web users into theweb pagesviewed by other users

Typical Attack headers

May 29 22:20:32.730 7f452b90 Analysis: ip: 60.16.140.154ICountry: ChinaGET / HTTP/1.0Referer: js/bdsug.js?v=1.1.0.3>')};window.onunload=function(){};window.onload=function(){document.forms[0http://www.baidu.com/s?ie=gb2312&bs=%B1%F9%E4%BF%C1%E8&sr=&z=&cl=3&f=8&wd=%B1%F9%E4%BF%C1%E8%B0%CD%C8%F0%BF%CB%B1%F9%E4%BF&ct=0Accept: */*Accept-Language: zh-cn,en-usCookie: BAIDUID=33549062C228F38D3ACF4C8FDF85D5C2:FG=1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0; RogueCleaner; Alexa Toolbar)Host: www.baidu.comPragma: no-cacheConnection: closeCross-Site Scripting Attack13Attack Description

Impersonate Google/Msn bots to access forums and internet sites to insert malicious data. Typical Attack headers

Jun 06 00:28:48.276 8acf1b90 Analysis: ip: 123.149.121.132ICountry: ChinaGET /forum-20-1.html HTTP/1.0Accept: */*Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)Host: xgymcn.5d6d.comPragma: no-cacheConnection: closeBots Impersonation Attack14Attack Description

Typical Attack headers Jun 01 17:22:28.436 add54b90 Analysis: ip: 217.86.183.71ICountry: GermanyCONNECT 205.188.251.21:443 HTTP/1.0Host: 205.188.251.21:443Connection: closeSMTP over HTTP Attack

One client can send roughly 500,000 e-mails per hour![http://en.wikipedia.org/wiki/Dark_Mailer]15Automatic posting in forumsClick frauds (simulates clicks to earn money, vote in poles etc.)

Other Attacks

16Attack Types17Attacks by Server TypeServers Distribution in the Internethttp://news.netcraft.com/archives/web_server_survey.htmlServers Attacks18Originating CountriesDependent of posted website and Proxy location19Thank You.20