Web Security Project: Creating an anonymous proxy server to monitor and analyze new web based attacks

Upload: joaquin-perez
Post on 01-Jan-2016

TRANSCRIPT

Page 1: Web Security Project

Web Security Project
Creating an anonymous proxy server to monitor and analyze new web based attacks

Mentors: Amichai Shulman, Eldad Chai
Students: Nadav Amit, Dani Daniel

Page 2: Web Security Project

Project Goals & Objectives

Main Goals:
1. Being able to log real malicious web based attacks.
2. Identify new malicious web attacks.
3. Determine which attacks are in common use, in order to be able to focus on defending against them.

Main Objectives:
1. Creating a working, stable anonymous proxy server that can log real web based attacks. Web hackers usually use anonymous servers to avoid getting detected.
2. Creating a tool that can analyze the logs in order to detect patterns of web based attacks and create statistics of commonly used attacks.

Page 3: Web Security Project

Project Architecture

[Architecture diagram. Components shown: Hacker; Proxy Server (on VMWare); Honey Pot Machine; Computer A; Computer B; Web Server; Data Search & Index Tool.]

Page 4: Web Security Project

Highly Anonymous Proxy

Page 5: Web Security Project

Architecture Components

1. Proxy Server
   - Unix based machine, installed on a VMWare machine (easy to reconstruct if attacked).
   - Based on a "Privoxy" server; writes all connection logs to local files.
   - The server also runs an FTP server to allow easy extraction of data.
   - GeoIP API is used to analyze the source IP of attackers.
   - Encoding of low ASCII characters is performed to help attack analysis (EOF etc.).
   - Cron job for archiving the logs.

2. Backup Agent
   - Cobian Backup
   - Unzip script

3. Splunk
   - Data indexing and search tool.
   - Enables logging of known attacks.
   - Enables query and analysis of accesses.
   - Fields and tags were created in order to allow easy data extraction.
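As an added example (not the project's own analysis tool or its Splunk configuration), the following Python parses records in the "Analysis:" log layout shown on the attack slides and tallies them by the attack families named on the "Attack Types" slide; the sample records (RFC 5737 addresses), the field names and the matching rules are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the proxy's "Analysis:" record layout (RFC 5737 addresses).
SAMPLE_LOG = """\
Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 203.0.113.5
Country: Canada
GET /config/isp_verify_user?l=someuser&p=somepass HTTP/1.0

Jun 06 00:28:48.276 8acf1b90 Analysis: ip: 203.0.113.7
Country: China
GET /forum-20-1.html HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Jun 01 17:22:28.436 add54b90 Analysis: ip: 203.0.113.9
Country: Germany
CONNECT 192.0.2.25:443 HTTP/1.0

May 30 00:03:58.496 73c84b90 Analysis: ip: 203.0.113.11
Country: Germany
GET /view%0D%0ASet-Cookie:%20x=1%0D%0A%0D%0A%3Cscript%3E HTTP/1.1
"""
def parse_records(text):
    """One dict per blank-line-separated record: ip, country, request, headers."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        m = re.match(r"^\w{3} \d\d [\d:.]+ [0-9a-f]+ Analysis: ip: (\S+)$", lines[0])
        if m and len(lines) >= 3:          # skip truncated or foreign records
            records.append({"ip": m.group(1), "request": lines[2],
                            "country": lines[1].partition(":")[2].strip(),
                            "headers": {k.strip().lower(): v.strip() for k, _, v
                                        in (h.partition(":") for h in lines[3:])}})
    return records

def classify(rec):  # map a record onto the families of the "Attack Types" slide
    method, _, rest = rec["request"].partition(" ")
    target = rest.split(" ")[0] + rec["headers"].get("referer", "")
    if method == "CONNECT":                # raw tunnel opened through the proxy
        return "SMTP Over HTTP"
    if "/config/isp_verify_user" in target or "/config/login" in target:
        return "Yahoo Passwords Brute-Force"
    if re.search(r"%0d%0a|%3cscript|<script", target, re.I):
        return "X-site scripting / Response Splitting"
    if re.search(r"googlebot|msnbot", rec["headers"].get("user-agent", ""), re.I):
        return "Crawler-Impersonating"
    return "Other"

def attack_stats(text):                    # counts per family, as on slide 17
    return Counter(classify(r) for r in parse_records(text))
```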

Page 6: Web Security Project

Samples Of Identified Malicious Web Attacks

Page 7: Web Security Project

Yahoo Brute Force Attack

Attack Purpose – retrieve Yahoo login credentials.

Attack Scenario – Around the world there are many Yahoo servers (to allow load sharing, backup etc.). The communication between these servers is done through a web API.

Hackers use this interface to impersonate servers and retrieve users' credentials!

Page 8: Web Security Project

Yahoo Brute Force Attack

How Is It Done? If you just try to log in to Yahoo too many times you will be requested to decode a "Captcha". But if you use the following API – "/config/isp_verify_user?l=<SomeUsername>&p=<SomePassword>" – against a Yahoo server you can verify that a certain username exists, and then brute force to verify which password grants access to the account.

For Example - http://124.108.120.50/config/isp_verify_user?l=israel&p=israeli

Attack Method – using anonymous proxies to try logging in with multiple user names and passwords on Yahoo servers. Since there are many Yahoo servers around the world which are not synchronized, it is possible to try many of them. In addition, once you add proxy servers into the equation (by multiplying) - you get even more

Page 9: Web Security Project

Yahoo Brute Force Attack

Many tools exist to do so, with and without proxies:

Page 10: Web Security Project

Yahoo Brute Force Attack

This diagram demonstrates the amount of attempts through our proxy in a 10 day period. This is only from our proxy!

In Blue – successful attacks
In Red – response 999, meaning the server detected the attack.

[Chart of attempts per Yahoo login host; the host list on the axis is omitted.]

Page 11: Web Security Project

Yahoo Brute Force Attack

Typical Attack headers –

Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 24.86.107.62
Country: Canada
GET /config/isp_verify_user?l=hu.&p=lillian HTTP/1.0
Host: 203.212.170.100
Referer: http://203.212.170.100
Accept-Language: en
X-Forwarded-For: 77.125.93.72:8118,yahoo.com
Cookie: Y=v=1-;
Connection: close

Jun 06 12:22:06.292 b34afb90 Analysis: ip: 201.68.195.20
Country: Brazil
GET /config/isp_verify_user?l=angel_annabel&p=2020 HTTP/1.0
Host: 124.108.120.50
YahooRemoteIP: 217.12.5.161
Referer: http://124.108.120.50
Accept-Language: en
Connection: Close
X-Forwarded-For: 69.147.112.216,google.com
Accept: */*

Jun 06 12:22:10.483 a7497b90 Analysis: ip: 75.184.119.157
Country: United States
GET /config/login?.patner=sbc&login=david+2&passwd=flag&.save=1 HTTP/1.0
Connection: close
Accept: */*
Accept-Language: en
Host: l05.member.re3.yahoo.com

Page 12: Web Security Project

Response Splitting Attack

Attack Description –

The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream which is then interpreted by the target as two HTTP responses instead of one.

Typical Attack headers –

May 30 00:03:58.496 73c84b90 Analysis: ip: 89.149.242.190
Country: Germany
GET /lnv/viewHTTP/1.1%20200%20OK%0D%0ADate:%20Sat,%2030%20May%202009%2003:54:07%20GMT%0D%0AServer:%20Apache/1.3.28%20(Unix)%20PHP/4.3.4%0D%0AX-Powered-By:%20PHP/4.3.4%0D%0ASet-Cookie:%20PHPSESSID=6019eb9689437d8b69f93967be7544a9;%20path=/;%20domain=.sundojungmil.co.kr%0D%0AExpires:%20Thu,%2019%20Nov%201981%2008:52:00%20GMT%0D%0ACache-Control:%20no-store,%20no-cache,%20must-revalidate,%20post-check=0,%20pre-check=0%0D%0APragma:%20no-cache%0D%0AConnection:%20close%0D%0ATransfer-Encoding:%20chunked%0D%0AContent-Type:%20text/html%0D%0A%0D%0Ae3d%0D%0A%0D%0A%3Cscript%20language= HTTP/1.1
Connection: close
Host: forums.lenovo.com

Page 13: Web Security Project

Cross-Site Scripting Attack

Attack Description –

Taking advantage of a security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users.

Typical Attack headers –

May 29 22:20:32.730 7f452b90 Analysis: ip: 60.16.140.154
Country: China
GET / HTTP/1.0
Referer: js/bdsug.js?v=1.1.0.3><\/script>')};window.onunload=function(){};window.onload=function(){document.forms[0http://www.baidu.com/s?ie=gb2312&bs=%B1%F9%E4%BF%C1%E8&sr=&z=&cl=3&f=8&wd=%B1%F9%E4%BF%C1%E8%B0%CD%C8%F0%BF%CB%B1%F9%E4%BF&ct=0
Accept: */*
Accept-Language: zh-cn,en-us
Cookie: BAIDUID=33549062C228F38D3ACF4C8FDF85D5C2:FG=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0; RogueCleaner; Alexa Toolbar)
Host: www.baidu.com
Pragma: no-cache
Connection: close

Page 14: Web Security Project

Bots Impersonation Attack

Attack Description –

Impersonate Google/MSN bots to access forums and internet sites to insert malicious data.

Typical Attack headers –

Jun 06 00:28:48.276 8acf1b90 Analysis: ip: 123.149.121.132
Country: China
GET /forum-20-1.html HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Host: xgymcn.5d6d.com
Pragma: no-cache
Connection: close

Page 15: Web Security Project

SMTP over HTTP Attack

Attack Description –

Typical Attack headers –

Jun 01 17:22:28.436 add54b90 Analysis: ip: 217.86.183.71
Country: Germany
CONNECT 205.188.251.21:443 HTTP/1.0
Host: 205.188.251.21:443
Connection: close

One client can send roughly 500,000 e-mails per hour! [http://en.wikipedia.org/wiki/Dark_Mailer]

Page 16: Web Security Project

Other Attacks

1. Automatic posting in forums
2. Click frauds (simulates clicks to earn money, vote in polls etc.)

Page 17: Web Security Project

Attack Types

[Pie chart; values paired with the legend in extraction order]
Yahoo Passwords Brute-Force 55.35%
SMTP Over HTTP 26.17%
Google Board Posting 7.23%
X-site scripting / Response Splitting 4.71%
Click-Frauds 4.11%
Proxy Checkers 1.55%
Crawler-Impersonating 0.88%

Page 18: Web Security Project

Attacks by Server Type

Servers Distribution in the Internet (http://news.netcraft.com/archives/web_server_survey.html)
[Pie chart; values paired with the legend in extraction order]
Apache 53.40%
Microsoft-IIS 18.59%
Google 12.17%
nginx 7.76%
Baidu 1.14%
Resin 1.09%
IBM_HTTP_Server 0.75%
Yahoo 0.66%
Squeegit 0.53%
thttpd 0.46%
FriendFeedServer 0.44%
lighttpd 0.42%
Others 1.58%

Servers Attacks
[Pie chart; values paired with the legend in extraction order]
Apache 47.17%
Microsoft 23.34%
qq.com 12.71%
Google 5.94%
nginx 4.25%
lighttpd 0.55%

Page 19: Web Security Project

Originating Countries

[Pie chart; values paired with the legend in extraction order]
Germany 44%
United Kingdom 8%
United States 8%
Israel 6%
China 6%
Netherlands 5%
Brazil 5%
Luxembourg 5%
Russian Federation 2%
Malaysia 2%
Australia 2%
France 1%
Other 7%

Depends on the posted website and the proxy location.

Page 20: Web Security Project

Thank You.