CyberOps – Lab 5 Network Attacks · 2019. 11. 16. · InfoAcademy Cisco Networking Academy


InfoAcademy Cisco Networking Academy

www.infoacademy.net


CyberOps – Lab 5

Network Attacks

Perform an SQL Injection

Launch VirtualBox. Power-on all the VMs and allow 2-3 minutes for all the services to be up-and-running.

On CyberOpsWS use Firefox to browse the Mutillidae page on Metasploitable VM (http://209.165.200.235/mutillidae). Choose OWASP Top 10 -> A1 – Injection -> SQLi – Extract Data -> User Info.

To see the intended behavior of this page, enter samurai / samurai as the name and password and then click on View Account Details.

The idea behind this page is that an account owner can display the data that is associated with their account. Only the account owner knows their password, so viewing this data is restricted to the account owner.

Mutillidae stores the user account information in an SQL database. The User Lookup page performs an SQL query that is built by string concatenation and looks something like this:

"SELECT * FROM accounts WHERE username='".$pUsername."' AND password='".$pPassword."'";

In English, this is requesting all records from the accounts database where both the username and the password match the values that were entered in the form. The expectation is that the valid user will accurately provide their username and password and exactly one record will match. An invalid user won't know the appropriate password associated with the username; therefore the query won't match any records in the account database.

The SQL query that is made with the appropriate input is:

SELECT * FROM accounts WHERE username='samurai' AND password='samurai'


SQL injection uses creatively crafted input which changes the behavior of the constructed query in significantly different ways. An example would be using the string ' or 1=1 --<space> in the Name field. When this is done, it really doesn't matter what is entered in the Password field. The resulting query would look like this:

SELECT * FROM accounts WHERE username='' or 1=1 -- ' AND password='Presley'

This query will match all the records in the account database. It changes the query from an AND (which requires two conditions to match) to an OR (which only requires one of the conditions to match). The two conditions are as follows:

• username='' (which won't be true with any records in the database)

• 1=1 (which is always true)

The double dash (--) indicates that the rest of the query is a comment and should be ignored by the SQL parser.

Note that the trailing space is important. There must be a space after the double dash (--). By injecting an always-true condition with an OR clause and commenting out the rest of the query, the query effectively degrades to:

SELECT * FROM accounts WHERE TRUE

This matches all records in the database.

Enter ' or 1=1 --<space> in the Name field (again, the trailing space is important), and Blah in the Password field, and click View Account Details.

You just extracted all the account data for all the Mutillidae accounts.
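The concatenated query and the parameterised form that replaces it, as an added example that is not part of the lab (Python with an in-memory SQLite table standing in for Mutillidae's database; the sample rows, the column names and the function names are constructed for the example):

```python
# Added example, not Mutillidae's code: the query is assembled the way the
# lab's PHP snippet does it, then the same inputs go through placeholders.
import sqlite3

# Constructed sample rows; only samurai/samurai comes from the lab.
SAMPLE_ACCOUNTS = [
    (1, "admin", "adminpass"),
    (2, "adrian", "somepassword"),
    (3, "samurai", "samurai"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (cid INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return con


def build_query_unsafe(username, password):
    # String concatenation: the form values become part of the SQL text.
    return ("SELECT * FROM accounts WHERE username='" + username
            + "' AND password='" + password + "'")


def lookup_unsafe(con, username, password):
    # Whatever the user typed is parsed as SQL, quotes and comments included.
    return con.execute(build_query_unsafe(username, password)).fetchall()


def lookup_safe(con, username, password):
    # Placeholders: values travel separately from the statement, so a quote
    # or a "--" in the input is compared as text, never parsed as syntax.
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    con = make_db()
    tautology = "' or 1=1 -- "          # the lab's input, trailing space kept
    print(build_query_unsafe(tautology, "Blah"))
    print(len(lookup_unsafe(con, "samurai", "samurai")), "row for a valid login")
    print(len(lookup_unsafe(con, tautology, "Blah")), "rows: every account")
    print(len(lookup_safe(con, tautology, "Blah")), "rows with placeholders")
```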


Account Access Via Cookie Manipulation

Websites often use cookies to implement various functions. A cookie is a small text file describing tags and values, and is stored in the browser's data files. Cookies allow data to be stored in the browser, offloading the need to store that data on the server. They can be used for any number of things. Some possibilities include facilitation of website customization themes, browsing history, and shopping carts. In this section of the lab exercise, you will see that Mutillidae tracks the ID of the authenticated user in a cookie, which makes a clear example of how poorly implemented cookies can be exploited by a threat actor.

Log in to Mutillidae using samurai / samurai.

Click on the circled i on the left side of the address bar and then click on the right arrow to select More information.

Click on View cookies to examine the information stored by 209.165.200.235. Examine the uid to display the value for the samurai user (6, in this case).


From the SQL injection results, you know that the admin account was the first record in the accounts database. Even if you didn't know this, you could suspect that account number 1 is important.

Press CTRL+SHIFT+I to toggle Developer Tools and navigate to Storage. Search for the uid cookie and modify the value from 6 to 1. Reload the page.

You are now logged in as admin.
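An added example, not Mutillidae's code, contrasting a uid cookie that the server takes at face value with one that carries an HMAC only the server can produce; the USERS table, the key handling and the uid.mac cookie layout are assumptions made for the example:

```python
# Added example, not the lab's or Mutillidae's code.
import hashlib
import hmac
import secrets

# Constructed mapping: uid 6 = samurai is what the lab observed; uid 1 = admin
# is the lab's inference. Nothing else about the real table is assumed.
USERS = {1: "admin", 6: "samurai"}

# Server-side secret generated at start-up (hypothetical; a real deployment
# would load it from protected configuration, not generate it per run).
SERVER_KEY = secrets.token_bytes(32)


def user_from_plain_cookie(uid_cookie):
    # Vulnerable pattern: the server believes whatever uid the browser sends,
    # so editing 6 to 1 in Developer Tools is enough to become admin.
    try:
        return USERS.get(int(uid_cookie))
    except ValueError:
        return None


def sign_uid(uid, key=SERVER_KEY):
    # Cookie value "uid.mac": HMAC-SHA256 over the uid with a secret only the
    # server holds. The client can read it but cannot produce a valid mac.
    mac = hmac.new(key, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{mac}"


def user_from_signed_cookie(cookie, key=SERVER_KEY):
    # Recompute the mac for the uid presented and compare in constant time.
    uid, _, mac = cookie.partition(".")
    expected = hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(mac, expected):
        return None          # tampered, forged or unsigned: treat as logged out
    return user_from_plain_cookie(uid)


def tamper(signed_cookie, new_uid):
    # What the browser-side edit does: change the uid, keep the old mac.
    _, _, mac = signed_cookie.partition(".")
    return f"{new_uid}.{mac}"


if __name__ == "__main__":
    print(user_from_plain_cookie("1"))                 # admin: no check at all
    cookie = sign_uid(6)
    print(user_from_signed_cookie(cookie))             # samurai
    print(user_from_signed_cookie(tamper(cookie, 1)))  # None: mac no longer matches
```

A random session identifier looked up in server-side state is the more usual fix; the signed form is shown because it keeps the uid visible in the cookie, matching what the lab's page does.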

Explore Reflected Cross-Site Scripting

Cross-site scripting attacks are accomplished by injecting script code into the content that the web server presents to the browser. The primary vulnerability is in the web application. Optimally, the web developer will validate input and scrub any potential cross-site scripting code. In a reflected XSS attack, the code is included in form data that is posted to the web site. Generally, this is implemented by preparing a link to malicious form data and then tricking a user into clicking the malicious link.

The potential effects of the malicious link are largely limited by the threat actor's skill and imagination. Options include the theft of sensitive information, hijacking web accounts, modification of presented data, redirection to other web sites, and installation of malware.

In this section of the lab exercise, you will demonstrate a vulnerability to reflected cross-site scripting that is present in Mutillidae.

Navigate to OWASP Top 10 -> A2 – Cross Site Scripting (XSS) -> Reflected (First Order) -> DNS Lookup.

Enter <script>alert("This is a test!")</script> into the Hostname/IP field. This input is a simple example of JavaScript. Click Lookup DNS. Because of the XSS vulnerability of this page, the script will be executed and an alert window should open and display the message "This is a test!".


The Hostname/IP field does not filter the input, and the JavaScript is parsed directly to produce output. Click OK to close the alert window.

Use a slightly more complex piece of JavaScript that extracts data from the session cookie. Enter <script>alert(document.cookie)</script> into the Hostname/IP field and then click Lookup DNS. Again, an alert window should be displayed.

You just demonstrated that JavaScript code can be accepted as input of this webpage, and the results of the JavaScript are reflected back from the web server. In the wild, a reflected XSS attack is implemented by tricking a user into clicking a link where the link references the scripting code. There are different methods to present the link to the unsuspecting user, including in a phishing email or in an advertisement posted to a reputable web site. Generally the script will not output anything suspicious to the user's screen. In the case of stealing sensitive data, the script would send the captured data to a logging service under the control of the threat actor.
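An added example, not Mutillidae's code, showing the hostname reflected raw, the same value HTML-encoded, and a session cookie flagged HttpOnly so that script in the page cannot read document.cookie; the page template, the cookie name PHPSESSID and the function names are assumptions:

```python
# Added example, not the lab's or Mutillidae's code.
import html
import re
from http import cookies

# Minimal stand-in for the DNS Lookup result page (constructed).
PAGE = "<p>Results for hostname: {hostname}</p>"
# The lab's own test input for the Hostname/IP field.
TEST_INPUT = '<script>alert("This is a test!")</script>'
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(hostname):
    # Vulnerable: the field value is pasted into the HTML as-is, so a <script>
    # element typed into the form becomes part of the document.
    return PAGE.format(hostname=hostname)


def render_safe(hostname):
    # Output encoding: < > & " ' become entities. The browser displays the
    # text of the script tag instead of creating a script element.
    return PAGE.format(hostname=html.escape(hostname, quote=True))


def contains_script_element(page):
    # Deliberately simple check for the demonstration; only a browser's HTML
    # parser decides for real, which is why encoding, not filtering, is the fix.
    return SCRIPT_TAG.search(page) is not None


def session_cookie_header(session_id):
    # HttpOnly keeps the cookie out of document.cookie, so the lab's second
    # payload would alert an empty string; Secure and SameSite limit exposure
    # further. The cookie name PHPSESSID is assumed (PHP's default), not taken
    # from the lab.
    jar = cookies.SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["secure"] = True
    jar["PHPSESSID"]["samesite"] = "Lax"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_unsafe(TEST_INPUT))
    print(render_safe(TEST_INPUT))
    print(session_cookie_header("constructed-session-id"))
```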

Identify and Analyze an SQL Injection

On CyberOpsWS use Firefox to browse the Mutillidae page on Metasploitable VM (http://209.165.200.235/mutillidae). Choose OWASP Top 10 -> A1 – Injection -> SQLi – Extract Data -> User Info.

Right-click within the Name field. Select Inspect Element. Change the text-box size from 20 to 100 to allow input of a malicious string to obtain credit card information. Close the Inspect Element window. This action does not change the element on the server, just on the screen.


Enter ' union select ccid,ccnumber,ccv,expiration,null from credit_cards -- into the Name field. Click View Account Details to extract the credit card information from the credit_cards table in the SQL database. Be sure to include a space after the "--" in the query string.

This malicious SQL query string is using the SQL UNION operator to combine the query results from two or more SELECT statements.

Open Security Onion. Log in to Sguil (analyst / cyberops), select all the interfaces and review the various SQL Injection Attempt alerts that result from the SQL injection attack.


Right-click an SQL Injection Attempt alert. Select Bro. Scroll through the results.


The results should include a GET request with the union operator from the CyberOpsWS (192.168.0.11) to the SQL database in Metasploitable (209.165.200.235).

The results should also include data, toward the end, that looks like credit card information being successfully captured.

Right-click the same SQL Injection Attempt Alert ID. Select Wireshark to show the associated captured traffic. Right-click on a packet. Choose Follow TCP Stream. Review the results.
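The idea behind an SQL Injection Attempt rule, as an added example that is neither the lab's nor Security Onion's code: constructed Bro http.log-style lines (a subset of the real columns, carrying the lab's addresses and inputs as a browser would URL-encode them) are decoded and matched against simple patterns; the column subset, the URIs and the pattern names are constructed for the example:

```python
# Added example: not Snort/Sguil rules, just the idea behind them, applied to
# constructed Bro/Zeek http.log-style records.
import re
from urllib.parse import unquote_plus

# Constructed lines keeping only some http.log columns. The first is the normal
# samurai login; the next two are the lab's injection inputs as the browser
# encodes them into the GET request.
SAMPLE_HTTP_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\turi
1573900000.1\t192.168.0.11\t50211\t209.165.200.235\t80\tGET\t/mutillidae/index.php?page=user-info.php&username=samurai&password=samurai
1573900020.4\t192.168.0.11\t50212\t209.165.200.235\t80\tGET\t/mutillidae/index.php?page=user-info.php&username=%27+or+1%3D1+--+&password=Blah
1573900090.7\t192.168.0.11\t50213\t209.165.200.235\t80\tGET\t/mutillidae/index.php?page=user-info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password=
"""

# Patterns applied to the decoded URI. Deliberately simple: production rules
# also handle case tricks, alternative encodings and other comment styles.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
    "comment-trailer": re.compile(r"--\s"),
}


def parse_http_log(text):
    # Bro/Zeek logs are tab-separated with a #fields header naming the columns.
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def flag_sqli(text):
    # Decode first: on the wire the input is %27+or+1%3D1, which the patterns
    # above would miss. Returns (ts, src, dst, matched pattern names).
    hits = []
    for rec in parse_http_log(text):
        decoded = unquote_plus(rec["uri"])
        matched = [n for n, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
        if matched:
            hits.append((rec["ts"], rec["id.orig_h"], rec["id.resp_h"], matched))
    return hits


if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_HTTP_LOG):
        print(hit)
```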


Extract and Analyze Content from Packet Captures

One way to simulate a security incident is the use of the tcpreplay command. Security Onion provides many demonstration PCAP files, simulating different types of events. Outside of the Security Onion distribution, there are consistently updated PCAP repositories that can be found at sites such as malware-traffic-analysis.net.

On SecurityOnion, replay the /opt/samples/markofu/outbound.pcap PCAP file to the eth1 monitoring interface at a rate of 50 packets per second using the Terminal Emulator, by using the tcpreplay command. The replay should take approximately 1 minute to complete.

In the replayed PCAP there is only a single TCP connection (one IP 5-tuple): TCP (Protocol 6), 172.16.150.20:1294 <-> 66.32.119.38:80.

Log on to ELSA using analyst / cyberops. In the Query window enter 66.32.119.38 and select a date and time in the From window close to when the tcpreplay command was run. Click on Submit Query to display the results.

You can group the displayed results using various criteria (source IP, destination IP, protocol, etc.). Since we are interested in capturing and analyzing the malicious file downloaded from 66.32.119.38, we will group the results by mime_type.


Click on application/x-dosexec.

From the first log entry we can see a GET request for a file named swing-mechanics.doc.exe.

Click on Info and then on Plugins -> getPcap to extract a PCAP file from the ELSA database.

Log on to capMe! using analyst / cyberops, examine the content displayed and then click on the PCAP file to open it in Wireshark.


The first three packets are the TCP 3-way handshake. The fourth packet includes the HTTP GET request. You can see the reference to a file named swing-mechanics.doc.exe. The packets show data being sent from the server to the client and client acknowledgements of the data received.

Extract the file using Wireshark. Navigate to File > Export Objects > HTTP. A list of all the files that are carried in HTTP is displayed. There is only one file in this PCAP. Select the file that is named swing-mechanics.doc.exe and click Save As. Select the Home folder under the places list, and then click Save.

It is not safe, nor wise, to attempt to run potential malware on your analyst station for purposes of analysis and identification of suspected malware. You should instead rely upon tools and services that offer a sandbox to run malware within. The goal is to properly quarantine the malware from your production environment while observing its behavior. Payload Security is an example of a free malware analysis sandbox solution. The Payload Security website https://www.hybrid-analysis.com/ allows an analyst to upload a suspected file for analysis. Other web services such as virustotal.com may also be used to gather information about a suspect file. Analysts often submit samples to different malware analysis sites to confirm the results.

Open the Terminal Emulator on the Security Onion VM, using either the desktop icon or the link on the desktop favorites menu.

Run the strings command against the executable that you saved using Wireshark in the previous section. Using the strings command, you will be able to view all the printable strings from the executable binary file.


The executable contains an IP address (221.54.197[.]32), which may be a call-back address for a reverse shell.

The likely intent of the name svchosts.exe is to allow a malicious process to hide among the legitimate svchost.exe processes.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is a registry location that can be used to launch executable files upon bootup, which is commonly used to provide malware persistence.

Use the sha256sum command to compute the SHA256 hash value of the file. Use the computed hash value against virustotal.com or hybrid-analysis.com to determine if the file is a known-bad malicious exe (many malware analysis sites recognize a submitted file by computing its hash value and comparing it to the hash values computed on previous submissions).
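What strings and sha256sum produce, as an added example that is not part of the lab: a constructed byte blob stands in for the downloaded executable, and the indicators the lab reports (the call-back IP, the svchosts.exe name and the Run key) are pulled from its printable runs; the blob and the helper names are assumptions of the example, and the real file's hash is not reproduced:

```python
# Added example, not the lab's code: strings and sha256sum re-done in Python
# over a constructed blob standing in for swing-mechanics.doc.exe.
import hashlib
import re

# Constructed stand-in: binary noise around a few printable runs. Not a real
# sample; only the indicator text mirrors what the lab reports seeing.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"\x00\x00This program cannot be run in DOS mode.\r\n$\x00\x00"
    b"\x01\x02svchosts.exe\x00\x00\x7f\x03"
    b"221.54.197.32\x00\x00\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x00\x00\x00\x00"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)


def strings(data, min_len=4):
    # Same rule as the strings tool's default: runs of at least 4 printable
    # ASCII bytes. UTF-16 strings, common in Windows binaries, need "-e l".
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def sha256_hex(data):
    # What sha256sum prints in its first column: the value to look up on
    # virustotal.com or hybrid-analysis.com instead of uploading the file.
    return hashlib.sha256(data).hexdigest()


def triage(data):
    # The three things the lab pulled out of the strings output, plus the hash.
    found = strings(data)
    return {
        "sha256": sha256_hex(data),
        "ips": sorted({ip for s in found for ip in IPV4.findall(s)}),
        "svchost_lookalikes": [s for s in found
                               if "svchost" in s.lower() and s.lower() != "svchost.exe"],
        "run_key_persistence": any(RUN_KEY.search(s) for s in found),
    }


if __name__ == "__main__":
    for line in strings(SAMPLE_BINARY):
        print(line)
    print(triage(SAMPLE_BINARY))
```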


At this point, if you were performing an actual analysis, you should consult the session data to see if the internal host 172.16.150.20, or any other internal host, has communicated with 221.54.197.32.

Return to ELSA. Close all the query tabs within ELSA and then start a new query. Focus on the call-back IP address, 221.54.197.32. Enter 221.54.197.32 in the search query field of ELSA, and click Submit Query. Examine the query results.

Click on srcip. The results show that two different internal IP addresses (172.16.150.20 and 172.16.150.10) have communicated with the suspect 221.54.197.32. Both connections are to port 443. There is a high probability that this is a CnC channel, probably PoisonIvy, and they are most likely encrypted by SSL.

The record that is associated with 172.16.150.20 indicates much larger byte counts than the other connection.

Pivot from ELSA to capME! to analyze the packet data that are associated with the 172.16.150.20-sourced connection. Click the Info link to the far left of this record, then click the Plugin button, followed by getPcap. Examine the transcript that is returned by capME!. It is evident that the connection is indeed encrypted, leaving few options to determine precisely what was being sent across the control channel.

Close the capME! tab and return to the ELSA tab in the web browser.

What other connections has 172.16.150.20 been involved with? Start a new query using 172.16.150.20 program="bro_conn". Examine the resulting report.

This query returned five records.


Two of the connections have already been analyzed. There is the download of the malware via HTTP from 66.32.119.38. There is also the C2 session that is initiated to 221.54.197.32.

The other three connections are associated with FTP. The connection to TCP port 21 is the FTP control channel. The two connections from TCP port 20 are FTP data channels that were opened dynamically due to requests made in the control channel.

The peer address for the FTP connections is 66.32.119.38, the IP address from which the malware was downloaded. The path that was taken temporarily steered the analyst away from 66.32.119.38 when focused on 221.54.197.32.

All results specify the same IP 5-tuple. They are all related to the communication in the FTP control channel. Alternately, they document PORT commands to establish an FTP data connection and STOR commands, which transfer files over the data connection.

In the second record, note that the MIME type that is associated with the transfer is application/x-rar.

RAR is an archive format that allows directories of multiple data files to be stored in a single archive file in a compressed format. RAR files can also be password-protected, making it difficult to determine their contents.

At this point, it is difficult to determine the contents of the RAR file. But you have collected plenty of evidence. You have documented the download of malware to 172.16.150.20, a C2 connection, and the probable exfiltration of data via FTP in a RAR file.
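The ELSA pivots from this section reproduced over constructed Bro conn.log-style records, as an added example that is neither the lab's nor ELSA's code: the host query, the srcip grouping for the call-back address, and the classification of the five 172.16.150.20 connections; the column subset and the byte counts are constructed, the addresses and ports are the lab's:

```python
# Added example, not ELSA's or Security Onion's code.
import csv
import io
from collections import defaultdict

# Subset of Bro conn.log columns; real logs also carry uid, duration, conn_state.
FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "orig_bytes", "resp_bytes"]

# Constructed records. Addresses and ports follow the lab; byte counts are
# invented but keep the lab's point that the 172.16.150.20 C2 session is the
# larger one and that the FTP data channels come from server port 20.
SAMPLE_CONN_LOG = """\
1573900000.0\t172.16.150.20\t1294\t66.32.119.38\t80\ttcp\thttp\t410\t58000
1573900060.0\t172.16.150.20\t1301\t221.54.197.32\t443\ttcp\tssl\t120000\t30000
1573900065.0\t172.16.150.10\t2210\t221.54.197.32\t443\ttcp\tssl\t900\t700
1573900120.0\t172.16.150.20\t1310\t66.32.119.38\t21\ttcp\tftp\t300\t450
1573900130.0\t66.32.119.38\t20\t172.16.150.20\t1311\ttcp\tftp-data\t1200\t0
1573900140.0\t66.32.119.38\t20\t172.16.150.20\t1312\ttcp\tftp-data\t0\t250000
"""


def load_conn_log(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t"):
        for k in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
            r[k] = int(r[k])
        rows.append(r)
    return rows


def conns_for(records, host):
    # ELSA query "<host> program=bro_conn": host on either side of the 5-tuple.
    return [r for r in records if host in (r["id.orig_h"], r["id.resp_h"])]


def peers_by_srcip(records, host):
    # The srcip grouping: who initiated connections to host, with total bytes.
    totals = defaultdict(int)
    for r in records:
        if r["id.resp_h"] == host:
            totals[r["id.orig_h"]] += r["orig_bytes"] + r["resp_bytes"]
    return dict(totals)


def classify(r):
    if r["id.resp_p"] == 80 and r["service"] == "http":
        return "http download"
    if r["id.resp_p"] == 443:
        return "encrypted C2 (443)"
    if r["id.resp_p"] == 21:
        return "ftp control"
    if r["id.orig_p"] == 20:
        return "ftp data (active mode, opened from server port 20)"
    return "other"


def ftp_uploads(records, host):
    # STOR over an active-mode data channel: the server opened the connection,
    # so bytes the client sent appear as resp_bytes. That is the exfil candidate.
    return [r for r in conns_for(records, host)
            if r["id.orig_p"] == 20 and r["id.resp_h"] == host and r["resp_bytes"] > 0]


if __name__ == "__main__":
    recs = load_conn_log(SAMPLE_CONN_LOG)
    for r in conns_for(recs, "172.16.150.20"):
        print(classify(r), r["id.orig_h"], "->", r["id.resp_h"])
    print(peers_by_srcip(recs, "221.54.197.32"))
```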