Web Attack Forensics

Web applications are an indispensable part of daily life, used for everything from online shopping to banking and social media. Their ubiquity, however, gives malicious actors a large attack surface to exploit and gain an initial foothold in a system.

In this lab we look at the common types of attacks against web applications and explore techniques for detecting them by analyzing web application logs and web application firewall (WAF) logs: locating the point of attack, tracing the attacker's activity, and identifying the exploited vulnerability to establish the root cause.

Web Application and WAF Logs

Common Web Attacks and Their Logs

Path Traversal / Directory Traversal

Remote Command Execution

SQL Injection

This lesson mainly covers the analysis of common web application logs and WAF logs and introduces the common attack types. These basics are familiar to red and blue team members, so I will not take many notes on them.

Exercises

Exercise 1

You are a cybersecurity expert asked to investigate a major security breach.

The company's web server has been compromised and the attacker attempted to exploit multiple vulnerabilities. Your task is to piece together the attacker's intent and uncover the extent of the damage. With that in mind, your challenge is to answer the following questions:

The logs can be downloaded from https://github.com/vonderchild/digital-forensics-lab/tree/main/Lab%2004/files/logs.zip

Download and extract the log archive; the files turn out to be Apache logs.

$ ls -l
total 392
-rw-r----- 1 linus linus 6813 Feb 16 2023 access.log
-rw-r----- 1 linus linus 109647 Feb 16 2023 error.log
-rw-r----- 1 linus linus 281738 Feb 16 2023 modsec_audit.log
-rw-r----- 1 linus linus 0 Feb 14 2023 other_vhosts_access.log
  • Which IP address does the attack appear to originate from?

Analyzing access.log shows that the attack originates mainly from 192.168.0.106.

  • Which vulnerabilities do you think were being exploited, and what evidence supports your findings?

Directory traversal: access.log GET /view.php?image=../../../../etc/passwd && [Thu Feb 16 01:35:27.207149 2023] [:error] [pid 273] [client 192.168.0.106:60308] [client 192.168.0.106] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:image. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "500"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: etc/passwd found within ARGS:image: ../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "192.168.0.101"] [uri "/view.php"] [unique_id "Y-1CD4t76EP2ZdvYturyYAAAAAM"]

SQL injection: error.log [Thu Feb 16 01:36:25.133354 2023] [:error] [pid 271] [client 192.168.0.106:46382] [client 192.168.0.106] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:search: user2' and 1=1#"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.0.101"] [uri "/users.php"] [unique_id "Y-1CSR1ILvAGFIiKbK7QJwAAAAE"], referer: http://192.168.0.101:9090/users.php

Remote command execution (from modsec_audit.log):

POST /command.php HTTP/1.1
Host: 192.168.0.101:9090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Origin: http://192.168.0.101:9090
Connection: keep-alive
Referer: http://192.168.0.101:9090/command.php
Upgrade-Insecure-Requests: 1

--f0015c41-C--
cmd=whoami
--f0015c41-F--

  • How can we determine which web browser the attacker used?

Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

  • Did the attacker use any automated tools during the attack? If so, can you name the tool and its purpose?

sqlmap/1.6.11#stable (https://sqlmap.org), seen in the User-Agent field of the logged requests; sqlmap is an automated SQL injection tool.

  • Which file did the attacker try to access but could not, because access on the server is restricted?

/etc/passwd

  • Did the attacker gain access to any confidential data? If so, how much data was leaked?

No evidence was found that data was accessed through SQL injection (checked with cat error.log | grep sqlmap).

The attacker did, however, obtain data through remote command execution.

  • An important secret was leaked. Can you work out what it is? Hint: the secret you are looking for is not in a .sql file.

$ cat modsec_audit.log | grep cmd=
cmd=ls+-la
cmd=cat+%2Fetc%2Fshadow
cmd=whoami
cmd=ls+-la+%2F
cmd=cat+%2Fdatabase.sql
cmd=cat+%2Fimportant_note.txt
INSERT INTO users (username, email, password)
VALUES
('user1', 'user1@local.host', 'password1'),
('user2', 'user2@local.host', 'password2'),
('user3', 'user3@local.host', 'password3'),
('user4', 'user4@local.host', 'password4'),
('user5', 'user5@local.host', 'password5'); ;

  • The attacker left a message for the server administrator. Find the content of that message and explain how you found it.

Hey there! Just a heads up - if we don't add security checks to our web app, our top-secret files might as well be written on a billboard. And trust me, we don't want that kind of attention. So let's get those checks in place, okay? We wouldn't want the world to know that our password is 'sup3r_s3cr3t_4nd_1mp0rt4nt_p4ssw0rd', now would we? ;)
Hey there! Just a heads up - if we don't add security checks to our web app, our top-secret files might as well be written on a billboard. And trust me, we don't want that kind of attention. So let's get those checks in place, okay?

  • What indicators confirm that an attack took place? What is your main takeaway from this attack?

Status codes, WAF log entries, and so on.

  • Based on this attack, which indicators can be used to detect future attacks?
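As an added example (not part of the original lab notes), the following Python script implements the kind of indicator extraction these questions ask for: it parses the ModSecurity entries in error.log (the [key "value"] fields), counts WAF hits per client IP and per rule, and decodes the cmd= request bodies from the C sections of modsec_audit.log. The sample log lines are constructed in the lab's format, not copied from the lab files.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus
# Constructed sample entries in the format of the lab's error.log (ModSecurity
# warnings) and modsec_audit.log request sections; not copied from the lab files.
ERROR_LOG = """\
[Thu Feb 16 01:35:27.207149 2023] [:error] [pid 273] [client 192.168.0.106:60308] [client 192.168.0.106] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:image. [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: etc/passwd found within ARGS:image: ../../../../etc/passwd"] [severity "CRITICAL"] [tag "attack-rce"] [uri "/view.php"]
[Thu Feb 16 01:36:25.133354 2023] [:error] [pid 271] [client 192.168.0.106:46382] [client 192.168.0.106] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:search: user2' and 1=1#"] [severity "CRITICAL"] [tag "attack-sqli"] [uri "/users.php"]
[Thu Feb 16 01:40:02.000000 2023] [:error] [pid 275] [client 192.168.0.50:51000] [client 192.168.0.50] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-sqli"] [uri "/search.php"]
"""
AUDIT_LOG = """\
--f0015c41-C--
cmd=whoami
--f0015c41-F--
--f0015c42-C--
cmd=cat+%2Fetc%2Fshadow
--f0015c42-F--
"""

CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3}):\d+\]")
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # ModSecurity [key "value"] pairs

def parse_modsec_line(line):
    """Return the security-relevant fields of one ModSecurity error.log line, or None."""
    client = CLIENT_RE.search(line)
    if "ModSecurity:" not in line or not client:
        return None
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(line):
        fields[key].append(value)  # "tag" repeats, so every value is kept
    def first(key):
        return fields[key][0] if fields[key] else ""
    return {"client": client.group(1), "id": first("id"), "msg": first("msg"),
            "uri": first("uri"), "data": first("data"), "tags": fields["tag"]}

def summarize(log_text):
    """Count WAF hits per client IP and per (rule id, message); list URIs hit per client."""
    per_ip, per_rule, uris = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_modsec_line(line)
        if ev:
            per_ip[ev["client"]] += 1
            per_rule[(ev["id"], ev["msg"])] += 1
            uris[ev["client"]].add(ev["uri"])
    return per_ip, per_rule, {ip: sorted(u) for ip, u in uris.items()}

def extract_commands(audit_text):
    """Decode the cmd= bodies from the request-body (C) sections of modsec_audit.log."""
    return [unquote_plus(b) for b in re.findall(r"^cmd=(\S+)$", audit_text, re.M)]
```

To run it on the real files, load error.log and modsec_audit.log into ERROR_LOG and AUDIT_LOG; one client accumulating hits across attack-rce and attack-sqli rules, together with decoded command bodies, is the recurring indicator the last two questions ask about.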