
Web Security Project



  1. Web Security Project: Creating an anonymous proxy server to monitor and analyze new web-based attacks. Mentors: Amichai Shulman, Eldad Chai. Students: Nadav Amit, Dani Daniel.

  2. Project Goals & Objectives
    Main Goals –
      1. Being able to log real malicious web based attacks.
      2. Identify new malicious web attacks.
      3. Determine which attacks are in common use in order to be able to focus on defending against them.
    Main Objectives –
      1. Creating a working, stable anonymous proxy server that can log real web based attacks – web hackers usually use anonymous servers to avoid getting detected.
      2. Creating a tool that can analyze the logs in order to detect patterns of web based attacks and create statistics of commonly used attacks.

  3. Project Architecture
    [Architecture diagram; labels on the slide: Computer A, Proxy Server on VMware, Honey Pot Machine, Web Server, Hacker, Data Search & Index Tool, Computer B]

  4. Highly Anonymous Proxy

  5. Architecture Components
    1. Proxy Server
      • Unix based machine
      • Installed on a VMware machine (easy to reconstruct if attacked)
      • Based on a “Privoxy” server; writes all connection logs to local files.
      • The server also runs an FTP server to allow easy extraction of data.
      • GeoIP API is used to analyze the source IP of attackers.
      • Encoding of low ASCII characters is performed to help attack analysis (like EOF etc.).
      • Cron job for archiving the logs
    2. Backup Agent
      • Cobian Backup
      • Unzip script
    3. Splunk
      • Data indexing and search tool
      • Enables logging of known attacks
      • Enables query and analysis of accesses
      • Fields and tags were created in order to allow easy data extraction.

  6. Samples Of Identified Malicious Web Attacks

  7. Yahoo Brute Force Attack
    Attack Purpose – retrieve Yahoo login credentials.
    Attack Scenario – Around the world there are many Yahoo servers (to allow load sharing, backup etc.). The communication between these servers is done through a web API. Hackers use this interface to impersonate servers and retrieve users' credentials!

  8. Yahoo Brute Force Attack
    How Is It Done? If you just try to log in to Yahoo too many times you will be asked to decode a “Captcha”, but if you use the following API – “/config/isp_verify_user?l=<SomeUsername>&p=<SomePassword>” – against a Yahoo server you can verify that a certain username exists, and then brute force to find which password grants access to the account. For example – http://124.108.120.50/config/isp_verify_user?l=israel&p=israeli
    Attack Method – using anonymous proxies to try logging in with multiple usernames and passwords on Yahoo servers. Since there are many Yahoo servers around the world which are not synchronized, it is possible to try many of them. In addition, once you add proxy servers into the equation (by multiplying) you get even more

  9. Yahoo Brute Force Attack
    Many tools exist to do so, with and without proxies:

  10. Yahoo Brute Force Attack
    This diagram demonstrates the amount of attempts through our proxy in a 10 day period. This is only from our proxy! In Blue – successful attacks. In Red – response 999, meaning the server detected the attack.
    [Chart: attempts per targeted Yahoo host. Hosts on the axis: edit.yahoo.com, login.yahoo.com, edit.europe.yahoo.com, edit.in.yahoo.com, e4.edit.cnb.yahoo.com, e3.yahoo.co.kr, edit.vip.tpe.yahoo.com, l30.login.scd.yahoo.com, e1 to e6 .member.ukl.yahoo.com, sbc1.login.dcn.yahoo.com, e3.edit.cnb.yahoo.com, l2 to l16, l18 to l20, l22, l23, l29 and l30 .login.dcn.yahoo.com, sbc1.login.vip.dcn.yahoo.com, e1.edit.vip.sc5.yahoo.com, l1 to l13 and l15 .login.scd.yahoo.com]

  11. Yahoo Brute Force Attack
    Typical Attack headers –
      Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 24.86.107.62 Country: Canada
      GET /config/isp_verify_user?l=hu.&p=lillian HTTP/1.0
      Host: 203.212.170.100
      Referer: http://203.212.170.100
      Accept-Language: en
      X-Forwarded-For: 77.125.93.72:8118,yahoo.com
      Cookie: Y=v=1-;
      Connection: close

      Jun 06 12:22:06.292 b34afb90 Analysis: ip: 201.68.195.20 Country: Brazil
      GET /config/isp_verify_user?l=angel_annabel&p=2020 HTTP/1.0
      Host: 124.108.120.50
      YahooRemoteIP: 217.12.5.161
      Referer: http://124.108.120.50
      Accept-Language: en
      Connection: Close
      X-Forwarded-For: 69.147.112.216,google.com
      Accept: */*

      Jun 06 12:22:10.483 a7497b90 Analysis: ip: 75.184.119.157 Country: United States
      GET /config/login?.patner=sbc&login=david+2&passwd=flag&.save=1 HTTP/1.0
      Connection: close
      Accept: */*
      Accept: -Language: en
      Host: l05.member.re3.yahoo.com

  12. Response Splitting Attack
    Attack Description – The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream which is then interpreted by the target as two HTTP responses instead of one.
    Typical Attack headers –
      May 30 00:03:58.496 73c84b90 Analysis: ip: 89.149.242.190 Country: Germany
      GET /lnv/viewHTTP/1.1%20200%20OK%0D%0ADate:%20Sat,%2030%20May%202009%2003:54:07%20GMT%0D%0AServer:%20Apache/1.3.28%20(Unix)%20PHP/4.3.4%0D%0AX-Powered-By:%20PHP/4.3.4%0D%0ASet-Cookie:%20PHPSESSID=6019eb9689437d8b69f93967be7544a9;%20path=/;%20domain=.sundojungmil.co.kr%0D%0AExpires:%20Thu,%2019%20Nov%201981%2008:52:00%20GMT%0D%0ACache-Control:%20no-store,%20no-cache,%20must-revalidate,%20post-check=0,%20pre-check=0%0D%0APragma:%20no-cache%0D%0AConnection:%20close%0D%0ATransfer-Encoding:%20chunked%0D%0AContent-Type:%20text/html%0D%0A%0D%0Ae3d%0D%0A%0D%0A%3Cscript%20language= HTTP/1.1
      Connection: close
      Host: forums.lenovo.com
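To show the server-side mechanism behind the sample above, here is an added Python example (not code from the project or the slides): a redirect builder that copies a user-supplied value into the Location header unchecked, next to a hardened version that rejects CR/LF and other control characters, plus a helper that counts how many status lines a client or caching proxy would see in the resulting stream. The function names are illustrative, and SPLITTING_INPUT is a constructed, percent-decoded stand-in for the slide's payload rather than the exact value from the log.

```python
"""HTTP response splitting: the unsafe header builder next to the hardened one.
Added example, not project code; function names are illustrative."""
import re

CRLF = "\r\n"
# Constructed, percent-decoded stand-in for the slide's payload: a path followed
# by a forged status line, a forged header, a blank line and a script body.
SPLITTING_INPUT = ("/lnv/view" + CRLF + "HTTP/1.1 200 OK" + CRLF
                   + "Content-Type: text/html" + CRLF + CRLF + "<script>")


def build_redirect_unsafe(location):
    """The 'before' form: the user-controlled value is concatenated into the
    Location header unchecked, so a CR/LF inside it ends the header section
    early and everything after it is parsed as a second response."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def build_redirect_safe(location):
    """Hardened form: header field values may not contain CR, LF or other
    control characters (RFC 7230), so refuse the value instead of emitting it."""
    if re.search(r"[\x00-\x1f\x7f]", location):
        raise ValueError("control character in header value")
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def count_responses(raw):
    """How many status lines a client (or a caching proxy) would see in raw."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3} ", raw, re.M))


def is_split(location):
    """True when the unsafe builder would turn this value into two responses."""
    return count_responses(build_redirect_unsafe(location)) > 1


def safe_rejects(location):
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe builder:", count_responses(build_redirect_unsafe(SPLITTING_INPUT)),
          "responses from one request")
    print("safe builder rejects the value:", safe_rejects(SPLITTING_INPUT))
```

Rejecting rather than encoding is the usual choice for header values: a CR or LF has no legitimate meaning inside a Location value, and percent-encoding it silently would hide the probe from the logs that this project relies on.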

  13. Cross-Site Scripting Attack
    Attack Description – Taking advantage of a security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users.
    Typical Attack headers –
      May 29 22:20:32.730 7f452b90 Analysis: ip: 60.16.140.154 Country: China
      GET / HTTP/1.0
      Referer: js/bdsug.js?v=1.1.0.3><\/script>')};window.onunload=function(){};window.onload=function(){document.forms[0http://www.baidu.com/s?ie=gb2312&bs=%B1%F9%E4%BF%C1%E8&sr=&z=&cl=3&f=8&wd=%B1%F9%E4%BF%C1%E8%B0%CD%C8%F0%BF%CB%B1%F9%E4%BF&ct=0
      Accept: */*
      Accept-Language: zh-cn,en-us
      Cookie: BAIDUID=33549062C228F38D3ACF4C8FDF85D5C2:FG=1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0; RogueCleaner; Alexa Toolbar)
      Host: www.baidu.com
      Pragma: no-cache
      Connection: close

  14. Bots Impersonation Attack
    Attack Description – Impersonate Google/MSN bots to access forums and internet sites in order to insert malicious data.
    Typical Attack headers –
      Jun 06 00:28:48.276 8acf1b90 Analysis: ip: 123.149.121.132 Country: China
      GET /forum-20-1.html HTTP/1.0
      Accept: */*
      Accept-Language: zh-cn
      User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
      Host: xgymcn.5d6d.com
      Pragma: no-cache
      Connection: close

  15. SMTP over HTTP Attack
    Attack Description –
    Typical Attack headers –
      Jun 01 17:22:28.436 add54b90 Analysis: ip: 217.86.183.71 Country: Germany
      CONNECT 205.188.251.21:443 HTTP/1.0
      Host: 205.188.251.21:443
      Connection: close
    One client can send roughly 500,000 e-mails per hour! [http://en.wikipedia.org/wiki/Dark_Mailer]
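As an added example (not code from the project or the slides), the following Python script does the detection side of what slides 5 and 7 to 15 describe: it escapes low-ASCII characters so an injected raw CR/LF stays visible inside a single log line, parses records in the "Analysis:" format reconstructed from the slide samples, tags each request with the attack classes it matches, and counts tags across records, which is the statistics objective from slide 2. The sample records, their IP addresses (documentation ranges), the GOOGLEBOT_NETWORKS prefix and the SMTP_PORTS set are constructed assumptions for this example, not values taken from the project.

```python
"""Classify proxy log records into the attack classes shown on the slides.
Added example, not project code. Record format (reconstructed from the slides):
an "Analysis:" line, then the raw request line and its headers.
Sample records and IP addresses below are constructed for this example."""
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_RECORDS = [  # constructed, one record per string
    "Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 192.0.2.10 Country: Canada\n"
    "GET /config/isp_verify_user?l=someuser&p=somepass HTTP/1.0\n"
    "Host: 198.51.100.5\nAccept-Language: en\nConnection: close\n",
    "May 30 00:03:58.496 73c84b90 Analysis: ip: 192.0.2.11 Country: Germany\n"
    "GET /lnv/viewHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0A%0D%0A"
    "%3Cscript%3E HTTP/1.1\nHost: forums.example.com\nConnection: close\n",
    "May 29 22:20:32.730 7f452b90 Analysis: ip: 192.0.2.12 Country: China\n"
    "GET / HTTP/1.0\nReferer: js/x.js?v=1><\\/script>')};window.onload=function()"
    "{document.forms[0]\nHost: www.example.com\nConnection: close\n",
    "Jun 06 00:28:48.276 8acf1b90 Analysis: ip: 192.0.2.13 Country: China\n"
    "GET /forum-20-1.html HTTP/1.0\nUser-Agent: Mozilla/5.0 (compatible; "
    "Googlebot/2.1; +http://www.google.com/bot.html)\nHost: forum.example.com\n",
    "Jun 01 17:22:28.436 add54b90 Analysis: ip: 192.0.2.14 Country: Germany\n"
    "CONNECT 203.0.113.7:443 HTTP/1.0\nHost: 203.0.113.7:443\nConnection: close\n",
]

ANALYSIS_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) (?P<tid>[0-9a-f]+) "
                         r"Analysis: ip: (?P<ip>\S+) Country: (?P<country>.+)$")
# Assumed allow-list prefix for genuine crawler traffic (hypothetical; a real
# deployment would check Google's published ranges or do a reverse-DNS check).
GOOGLEBOT_NETWORKS = ("66.249.",)
SMTP_PORTS = {"25", "465", "587"}  # assumption: ports that indicate a mail relay


def escape_low_ascii(text):
    """Slide 5: render control characters as \\xNN so every header stays on one
    log line and an injected raw CR/LF is visible instead of splitting the log."""
    return "".join("\\x%02x" % ord(c) if ord(c) < 0x20 or ord(c) == 0x7f else c
                   for c in text)


def parse_record(text):
    """Return the Analysis fields, request line parts and a lower-cased header dict."""
    lines = [escape_low_ascii(line) for line in text.strip().splitlines()]
    m = ANALYSIS_RE.match(lines[0])
    if not m:
        raise ValueError("not an Analysis record: %r" % lines[0])
    rec = m.groupdict()
    method, _, rest = lines[1].partition(" ")
    target, _, version = rest.rpartition(" ")
    rec.update(method=method, target=target, version=version, headers={})
    for line in lines[2:]:
        name, sep, value = line.partition(":")
        if sep:
            rec["headers"][name.strip().lower()] = value.strip()
    return rec


def classify(rec):
    """Return the attack tags (slide numbers in the comments) matching one record."""
    tags, target, h = [], rec["target"], rec["headers"]
    # Slides 7-11: credential guessing through the unauthenticated isp_verify_user API.
    if "/config/isp_verify_user" in target and re.search(r"[?&]l=.*[?&]p=", target):
        tags.append("yahoo-bruteforce")
    # Slide 12: response splitting, i.e. CR/LF in the URL either percent-encoded or
    # (after escape_low_ascii) as the literal \x0d / \x0a markers.
    if re.search(r"%0[dDaA]|\\x0[da]", target):
        tags.append("response-splitting")
    # Slide 13: XSS, i.e. script tags or JS event handlers in the URL or the Referer.
    probe = unquote(target) + " " + h.get("referer", "")
    if re.search(r"<\\?/?script|javascript:|on(load|unload|error)\s*=", probe, re.I):
        tags.append("xss")
    # Slide 14: a Googlebot User-Agent from outside the crawler's networks.
    ua = h.get("user-agent", "")
    if "googlebot" in ua.lower() and not rec["ip"].startswith(GOOGLEBOT_NETWORKS):
        tags.append("bot-impersonation")
    # Slide 15: CONNECT tunnels. The slide's sample went to port 443, so the port
    # alone does not prove SMTP; only a tunnel to a mail port gets that tag.
    if rec["method"] == "CONNECT":
        port = target.rpartition(":")[2]
        tags.append("smtp-over-http" if port in SMTP_PORTS else "connect-tunnel")
    return tags


def summarize(records):
    """Slide 2, objective 2: statistics of which attack classes are common."""
    counts = Counter()
    for text in records:
        counts.update(classify(parse_record(text)))
    return counts


if __name__ == "__main__":
    for text in SAMPLE_RECORDS:
        rec = parse_record(text)
        print(rec["ip"], rec["country"], rec["method"], rec["target"][:40], classify(rec))
    print(dict(summarize(SAMPLE_RECORDS)))
```

Note that the constructed response-splitting record is tagged both "response-splitting" and "xss": once the percent-encoded URL is decoded, the injected second response carries a script tag, which is exactly what the slide's sample ends with. Running the script over a real Privoxy log only requires replacing SAMPLE_RECORDS with records split at each "Analysis:" line.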

  16. Other Attacks
    • Automatic posting in forums
    • Click fraud (simulates clicks to earn money, vote in polls etc.)

  17. Attack Types

  18. Attacks by Server Type
    [Two charts: “Servers Distribution in the Internet” (source: http://news.netcraft.com/archives/web_server_survey.html) beside “Servers Attacks”, the attacks observed per server type]

  19. Originating Countries
    Depends on the website the proxy was posted on and on the proxy location.

  20. Thank You.
