on some common postures in the process of invasion tracing

*Author of this article: si1ence, this article belongs to freebuf original award program, and is not allowed to be reproduced without permission.

0 * 0 background

As an important part of post response in security incidents, attack tracing can restore the attacker's attack path and attack tactics to a certain extent by analyzing the victim assets and Intranet traffic, which is helpful to repair vulnerabilities and risks and avoid secondary incidents. Attack knowledge can be converted into defensive advantage. If we can be proactive and predictable, we can better control the consequences.

Say a person words: be black to want to know why be black how be black, can't be so blatant.

0 × 1 main idea

In the process of traceability, in addition to relevant technical means, it is necessary to confirm an overall idea first. Analyze the abnormal points as a whole and give several possible solutions according to the actual environment. In this way, the problem can be handled easily and the mind has spectrum, and the hands will not panic.

Examples of normal abnormal points that are easy to be perceived by users are as follows:

1. The webpage has been tampered, black chain has been hung, web file has been lost, etc

2. The database has been tampered with, the web system operation abnormally affects the usability, the web user password has been tampered with, etc

3. If the host runs abnormally, it will react to jamming, the file will be encrypted, and other users will appear in the host system

4. A large amount of abnormal traffic occurs in the host traffic layer

According to the user's site conditions, some information collection work is often needed, such as the abnormal time point (very important), the main business situation of the abnormal server, whether a network topology is in the DMZ area, whether it can be accessed by the public network, whether the ports are opened, whether there is a patch, how a web technology is used, and whether any changes have been made recently Is there any safety equipment or the like.

Based on the information collected, several possibilities can often be drawn. A web server public network can access the event of being linked to the black chain using S2 framework, so it can be initially suspected that s2-045 There is a vulnerability in the execution of commands such as s2-046. If a public network server does not have patches or firewall protection, and the password of the administrator is p @ sswrod, there is a great possibility that it will be successfully cracked by violence. The following work is mainly to collect various materials to prove this conjecture.

0 × 2 Web System

Last time I deployed a web system on VPS, I looked at the access log. Basically, there are many web system scanning events every day. It's a headache to filter the path detection, exp scanning and file traversal.

Generally, web security events can find some clues in the web log. After all, not every hacker can clear the log.

The logs of common middleware are as follows:

1. The log path of Apache is generally configured in the directory of httpd.conf or in / var / log / HTTP

2. IIS logs are in the logfiles directory of the system directory by default

3. Tomcat is generally located under a logs folder under the Tomcat installation directory

4. Nginx log is generally configured in the conf file of nginx.conf or Vhost

The log is generally named after the date, which is convenient for subsequent audit and security personnel to analyze.

If you want to be good at your work, you must first make use of your tools. In general, there is a large amount of logs. There are still a lot of log detection tools on the Internet. I don't like to use the main tools or Notepad + + and sublime text to follow up the collected information, such as the time point. When analyzing the request logs before and after the time point, some exceptions can be found generally.

In order to facilitate the identification of some logs, GitHub also has many open-source projects that specifically look for security related attacks or statistics in the logs. Because now many scanners are also more, a check will often find a lot of invalid attacks, but it is more troublesome to filter them.

Recommend a small tool: Web log parser is an open-source analysis web log tool, which is developed by Python language and has flexible log format configuration. There are many excellent projects. They love each other. If they can't, they need to define their own rules.

The connection is as follows: https://github.com/JeffXue/web-log-parser

In dealing with some visits, web page changes, upload path, source IP and other information can be better collected. Through the identification of some critical paths, combined with certain information, we can often locate the entry point.

Some common entry points are as follows:

1. Some CMS Exps, such as discuz Empire spring and other command execution and permission bypass logic vulnerabilities, are relatively common, and many of them are public on the Internet, so they cover a relatively wide range.

2. Upload vulnerability of editor, such as well-known fck editor, ueditor and so on.

3. The functional upload filtering is not strict, such as some upload loopholes caused by strict filtering on the upload interface of the avatar upload data.

4. The weak password of the web system is admin account, or the weak password of manager user of tomcat, Axis2 weak password user, openfire weak password, etc

At the same time, the web system is easy to have some webshell, often find some webshell in some upload directories, which is clearly a JSP page, but also a PHP sentence. Generally, we need to focus on it. It is recommended to scan the directory of web system with d-shield.

The scanned webshell time upload time, file creation time, and file modification time are all relatively accurate. Generally, this time will not be changed, so it is relatively easy to check in the log.

0 × 2 host system

Before, I always thought that a lot of transmission methods of some worms were funny were just relying on brute force cracking and ms17-010 loopholes. I felt that the coverage should be relatively small before I found that this method was simple and rough but most effective.

For Linux platform, the relative security is a little bit higher. Several common viruses, such as xordos, DDG, and XNote series, are also spread by brute force. Brute force cracking is also considered in the process of traceability.

Some common logs are as follows:

/var/log/auth.log 包含系统授权信息，包括用户登录和使用的权限机制等信息
/var/log/lastlog 记录登录的用户，可以使用命令lastlog查看
/var/log/secure 记录大多数应用输入的账号与密码，登录成功与否
/var/log/cron 记录crontab命令是否被正确的执行

/Var / log / auth.log contains system authorization information, including user login and permission mechanism used

/Var / log / lastlog records the logged in user, which can be viewed with the command lastlog

/Var / log / secure records the account and password entered by most applications, and whether the login is successful or not

/Var / log / cron records whether crontab command is executed correctly

The commands grep, SED, sort and awk can be used flexibly, and special keywords such as accepted, failed password and invalid can also be found easily as follows:

Often some attackers forget to clear the log, so it is convenient to view the details. A history command, the operation of the hacker is clear at a glance.

Of course, after some scripts are executed, the logs will be cleared finally. For example, the following is often more difficult, and the logs will be more abnormal if cleared. You can focus on the remaining logs, or whether there are other security devices in the network layer that can be traced in the traffic layer.

All the features of Linux are file and open source. In the process of traceability, there are advantages and disadvantages. Rootkit is the most troublesome thing. Because some common command plaintext of the system has been changed and replaced, the system has become completely untrustworthy. In the process of tracing, it is not easy to find that there are high technical requirements for security service personnel.

It is relatively easy to trace the source under the windows platform. Of course, it mainly depends on the windows logs. Generally, the event viewer is opened with the eventvwr command. There are three types by default: l application, security, and sex system store% systemroot% \ system32 \ config directory in the form of EVT file:

The reasonable use of filters can help us to better check the logs, such as the logs suspected to be the failed audit event id = = 4625 of brute force attack. Later, we can judge whether the brute force attack originated from the intranet by analyzing the time check, the source IP address, type and request frequency.

The internal log of the system is used to determine whether the malicious process is running.

Through the numerical confirmation of logontype, we can confirm the protocol through which the brute force is successfully cracked. The relative numerical relationships are as follows:

local WINDOWS_RDP_INTERACTIVE = "2"
local WINDOWS_RDP_UNLOCK = "7"
local WINDOWS_RDP_REMOTEINTERACTIVE = "10"
local WINDOWS_SMB_NETWORK = "3"

local WINDOWS_RDP_INTERACTIVE = "2"

local WINDOWS_RDP_UNLOCK = "7"

local WINDOWS_RDP_REMOTEINTERACTIVE = "10"

local WINDOWS_SMB_NETWORK = "3"

The following figure is a typical SMB authentication failure:

The patches of windows system are relatively important. Some critical patches are not patched and are vulnerable to successful attacks. Focus on some common security patches, such as ms17-010 ms08-067 ms16-032, which are commonly used attack packages for intranet penetration. You can view the installed patches in the current system through sysintemfo.

In addition, there are many domain control security logs under windows. Because there are too many contents, there will be no more narratives. The main purpose of tracing is to restore the attack path. Through windows logs, we can understand the attack chain of the access relationship attacker and give the user an explanation.

0 × 3 other common systems

The database system is also some of the hardest hit areas of the attacker's entry point, such as msssql Because the data of server is often installed in the window environment with higher permissions, some users often do not strengthen the database after the installation. Based on the principle of separation of database and station, many MSSQL public networks can directly access the access control strategy is weak, and the problem of weak password is particularly prominent.

Compared with the following log for SA user brute force cracking of MSSQL, it also records the IP address of the client. If there is no relevant locking policy configured, it is easy to be attacked if the password is not strict enough.

After the successful blasting, the attacker can often execute system commands with high permission by launching xp_shell. If he gets a Windows shell, he can do whatever he wants.

Redis under the Linux platform is also very popular, but the problem of unauthorized access after a few years of default installation is relatively widespread. For example, the recently popular viruses such as DDG mining and watchdog mining mainly use redis unauthorized access to execute commands and pull mining programs from the Internet to write SSH public key and other functions.

When you see that port 6379 is open locally, you still need to pay attention to this problem. Consult the user more about the usage and view the default configuration.

There are also some common systems, such as MySQL database brute force cracking and power lifting package, Hadoop unauthorized access vulnerability, phishing email, software backdoor cracking, malicious office macro, Office Code Execution Vulnerability, mailbox defect, VPN configuration defect and so on, which may be the specific situation of the attacker's entry point needs to be specifically checked in combination with the current situation of the user.

0 * 4 Summary

It's said that the essence of security is ultimately a contest between people. It's interesting to investigate the security events of many directional attacks. The logs of the host end are cleared away from the traffic level and the whole tunnel communication is ha ha.

From the perspective of attack and defense, we can do emergency response from the attacker's thinking model, think about more possible ways of attackers, often use posture, loopholes and common attack techniques to use data to verify, not limited to known loopholes but let go of other problems. If we can be proactive and predictable, we can better control the consequences, but in the process, we can still It's a surprise to find several 0days.