Web Forensics and Analysis Tool - BruCON 2010 (files.brucon.org/2010/brucon2010-schenette-final.pdf)
Fireshark [ BruCON 2010 ]
Web Forensics and Analysis Tool
Stephan Chenette
Principal Security Researcher, Websense Labs
Fireshark Agenda
Overview
Who Am I
What is Fireshark
The Malicious Webscape
Fireshark Introduction
Down the Rabbit hole (use cases)
– Website Architecture / Redirection Chains
– Mass Injection Points (dead or alive)
– Content Profiling
Fireshark Releases
Download Location
Q&A
WHAT IS FIRESHARK
Let’s start at the beginning…
The Fireshark Project
Author: Stephan Chenette
Contributions by: Wladimir Palant (AdBlockPlus FF Plugin)
Organize and analyze malicious website data
Correlate data
Similar mass injection attacks (C/R/E)
Attacker patterns (providers/content/kits)
The Fireshark Project
Current Status
– 1.0 Release - April 2010 (GPL v3 license)
– 1.1 Release - due in November 2010 (selective beta)
Overview of Fireshark Architecture
Browser Plugin allows automated control of browser
Passively logs information to log file
– Connections (contextual reference)
– Source and DOM content
– JavaScript function calls
– Page Links
– Screen Shot
Your Job: Use post-processing scripts/database to output organized results
THE MALICIOUS WEBSCAPE
Understanding the interweb…
URL Injection attacks are increasing
225% increase in the number of new compromised legitimate websites in the last 12 months.
Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report
Translation:
There is a large chance that a website you have visited in the recent past served malicious code.
Victims of “Malvertisements” (2009)
The Drudge Report
Horoscope.com
Lyrics.com
slacker.com
Eweek.com
The New York Times
Philadelphia Inquirer
Expedia, Rhapsody
Redirection chains/ Mass Compromises
Nine-ball mass-injection
Redirection chains/ Mass Compromises
Nine-ball mass-injection
There is a varied but unique set of hosts involved in the redirection chain
Any repeat visitor is diverted to ask.com instead of a malicious landing page
The structure of the injected deobfuscation algorithm is equivalent throughout all the infected sites
Compromised website using an iframe
Compromised website using a redirector
Exploit site goes through redirector
Exploit Site Serves Rogue Anti-Virus
Exploit Site Serves Rogue Anti-Virus
XP Security Tool 2010
XP Defender Pro
Vista Security Tool 2010
Vista Defender Pro
Malicious Site Serves – Exploit Kits
Malicious Site Serves – Exploit Kits
CRIMEPACK
PHOENIX
ELEONORE
FRAGUS
YES EXPLOIT
SEBERIA
EL FIESTA
ICEPACK
MPACK
WEB ATTACKER
Malicious Site Serves – Exploit Kits
Malicious Site Serves – Exploit Kits
Firefox
Internet Explorer
Opera
Java/Reader/Flash
Obfuscated content (Phoenix pack)
Crimepack 2.8 released before March ’10
Exploits include:
• Adobe Acrobat Reader Exploits (including CVE-2010-0188)
• JRE (GSB & SERIALIZE)
• MDAC (IE)
• MS09-032 (IE)
• MS09-002 (IE)
• CVE-2010-0806 (IE)
Crimepack 2.8 Anti-Analysis
Features include:
1. Undetected by AV Scanners (JavaScript & PDF/JAR/JPG files)
2. Random PDF Obfuscation (not using a static PDF file like other packs)
3. Blacklist checker & AutoChecker
4. Prevent Wepawet, JSunpack and other JavaScript unpackers from decoding your page
Crimepack 2.8 Changes
Added CVE-2010-0806
Added CVE-2010-0188
Added more IPs to block
IFrame generator
Redirector for non-vulnerable traffic
New JS cryptor
Anti-Kaspersky emulation
RECAP OF NEEDS: Track and Organize
Organize and analyze malicious website data
Correlate data
Similar mass injection attacks (C/R/E)
Attacker patterns (providers/content/kits)
Current Resources
Websites:
Wepawet
Anubis
ZeusTracker
BLADE (*new*)
Robtex
Unmask Parasites
Malwaredomainlist.com
Badwarebusters.org
VirusTotal.com
Etc.
Tools:
Malzilla
Rhino Debugger
FF JavaScript Deobfuscator
DS’s SpiderMonkey
Jsunpack
Caffeine Monkey
NJS
Etc.
Malzilla V.S. The Phoenix Exploit Kit
Malzilla V.S. The Phoenix Exploit Kit
JSUNPACK V.S. The Phoenix Exploit Kit
JSUNPACK V.S. The Phoenix Exploit Kit
ERROR: CAN NOT FULLY DECODE
Spidermonkey/ CaffeineMonkey
JavaScript Engine + Limited browser features
Emulation -> Implementation is behind
document.body is undefined
document.title is undefined
document.forms is undefined
document.documentElement is undefined
document.URL is undefined
document.getElementsByTagName is not a function
Emulation -> Implementation is behind
window.location.search
window.addEvent is not a function
window.onDomReady is not a function
window.parent is undefined
window.screen is undefined
window.top is undefined
screen is not defined
top is not defined
parent is not defined
self is not defined
location.protocol
FIRESHARK INTRODUCTION
When an alternative just won’t do…
Why do we need Fireshark?
Researcher
Network Administrator
Penetration Tester
We need tools to analyze mass injection attacks
– Website Architecture/Redirection Chains
– Source / Changes to DOM / JavaScript function calls
– Content Profiling / Screen shot
Using an organized and ultimately VISUAL approach
List view V.S. Graph view
List view V.S. Graph view
Architecture of youtube.com
horoscope.com (Content responsibility)
Original Source code (Phoenix pack)
DOM result (Phoenix pack)
How to use Fireshark 1.0
Install Fireshark Firefox plugin (.xpi file)
Create data.txt file, place in your home directory
Tools->Go! (then go and get a cup of coffee)
** Reportlog.yml **
Use post-processing scripts
– FiresharkInitInfo.pl (must be run first)
– GraphViz.pl
– IngressEgress.pl
Post-Run Analysis / data correlation
Log is analyzed manually or automatically via a post-analysis correlation process
Local FireShark Demo
DOWN THE RABBIT HOLE
Use cases…
Down the Rabbit hole
Analysis of Three exemplary Injection campaigns
Injection campaigns occur daily
A breadth view analysis
Gain a better understanding of the malicious webscape
Use Fireshark to do it.
Down the Rabbit hole
• Injection Example #1
Injection Example #1
13k matches/24hrs
Injection Example #1
Step 1) Analyze a subset (500/13k)
Breadth
– Popular campaign will emerge
• Injections into unique websites will lead to same hosts
Depth
– Details of the attack
• Screen Shots
• Source code, Deobfuscated DOM, Network traffic
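The breadth-then-depth pass of Step 1, together with the post-processing stage from the "How to use Fireshark 1.0" slide, as an added Python example that is not part of the deck and not Fireshark's own Perl scripts: it ranks contacted hosts by how many distinct injected seed sites reach them, rebuilds each seed's redirection chain from referrer edges, clusters hosts by port and top-level domain (the ru:8080 pattern), and emits a GraphViz graph. The tab-separated log layout, the seed/referrer/requested record and every host name are constructed for this example and are not the format of reportlog.yml.

```python
"""Breadth/depth analysis over a Fireshark-style connection log.

Log format assumed for this example (not Fireshark's reportlog.yml layout):
one connection per line, tab-separated  <seed url> <referrer url> <requested url>,
where the seed is the injected page the crawl started from and the referrer
is the page or script that triggered the request (the "contextual reference").
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample with placeholder hosts: seeds a, b, c funnel into one
# redirector on port 8080, d hits a second .ru:8080 host, e loads only a CDN.
SAMPLE_LOG = """\
http://site-a.example/\thttp://site-a.example/\thttp://cdn.example/jquery.js
http://site-a.example/\thttp://site-a.example/\thttp://redir-one.ru:8080/a/
http://site-a.example/\thttp://redir-one.ru:8080/a/\thttp://landing-one.ru:8080/x.php
http://site-b.example/\thttp://site-b.example/\thttp://redir-one.ru:8080/b/
http://site-b.example/\thttp://redir-one.ru:8080/b/\thttp://landing-one.ru:8080/x.php
http://site-c.example/\thttp://site-c.example/\thttp://redir-one.ru:8080/c/
http://site-d.example/\thttp://site-d.example/\thttp://redir-two.ru:8080/d/
http://site-e.example/\thttp://site-e.example/\thttp://cdn.example/jquery.js
"""

def parse_log(text):
    """Return (seed, referrer, requested) tuples; blank and '#' lines skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"malformed log line: {line!r}")
        records.append(tuple(parts))
    return records

def host_port(url):
    """'host:port' for a URL, defaulting the port from the scheme."""
    u = urlsplit(url)
    return f"{u.hostname}:{u.port or (443 if u.scheme == 'https' else 80)}"

def host_popularity(records, ignore=()):
    """Breadth: number of DISTINCT seed sites whose crawl contacted each host.
    Hosts shared by many unrelated injected sites are campaign infrastructure;
    known-good hosts (CDNs, ad networks) go in `ignore`."""
    seeds = defaultdict(set)
    for seed, _ref, req in records:
        hp = host_port(req)
        if hp not in ignore:
            seeds[hp].add(seed)
    return Counter({h: len(s) for h, s in seeds.items()})

def redirection_chains(records):
    """Depth: seed -> ... -> leaf paths per seed, rebuilt from referrer edges.
    Returns {seed: [[host:port, ...], ...]}; already-visited URLs are not re-followed."""
    adjacency = defaultdict(lambda: defaultdict(list))
    for seed, ref, req in records:
        adjacency[seed][ref].append(req)
    chains = {}
    for seed, adj in adjacency.items():
        paths = []

        def walk(url, path, seen):
            nxt = [n for n in adj.get(url, []) if n not in seen]
            if not nxt:
                paths.append([host_port(p) for p in path])
            for n in nxt:
                walk(n, path + [n], seen | {n})

        walk(seed, [seed], {seed})
        chains[seed] = paths
    return chains

def cluster_campaigns(popularity):
    """Group hosts by (port, top-level domain) so 'various changing .ru domains
    on port 8080' collapse into one bucket although every domain differs."""
    clusters = defaultdict(list)
    for host in popularity:
        name, port = host.rsplit(":", 1)
        clusters[(int(port), name.rsplit(".", 1)[-1])].append(host)
    return dict(clusters)

def to_dot(records):
    """GraphViz digraph of referrer -> request edges (the graph view)."""
    seen, lines = set(), ["digraph fireshark {", "  rankdir=LR;"]
    for _seed, ref, req in records:
        edge = (host_port(ref), host_port(req))
        if edge[0] != edge[1] and edge not in seen:
            seen.add(edge)
            lines.append(f'  "{edge[0]}" -> "{edge[1]}";')
    return "\n".join(lines + ["}"])

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, n in host_popularity(recs, ignore={"cdn.example:80"}).most_common():
        print(f"{n} seed site(s) -> {host}")
    print(cluster_campaigns(host_popularity(recs)))
    print(to_dot(recs))
```

Pipe the DOT output through `dot -Tpng` to get the graph view; the popularity ranking is the list view.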
Bird’s Eye View of 500/13k
Popularity of Requests
Popularity of Requests
Popularity of Requests
Down the Rabbit hole
• Injection Campaign #1: 93.186.127.49
“W93.186” Injection Campaign
“W93.186” Injection Campaign
“W93.186” Injection Campaign SS
Observations from 93.186.127.49 attack
• Operation b49
Rascop.com…a familiar foe?
Infamous Rascop.com
• rascop.com = NXD (Feb ’10)
• Waledac fast-flux domain
Rascop.com and friends gone but landing pages here to stay
Waledac domains were NXD in the takedown
Landing pages were still online though
Injection Example #2
• Attack #2: ru:8080
Popularity of Requests
250/5k URLs lead to homesalesplus.ru
Breadth – Popularity of Request connection
250/5k URLs lead to homesalesplus.ru
Injected Code Variation #1
Injected Code Variation #2
Injected Code Variation #3
Depth – Diff DOM/SRC
Depth – Script link in DOM
Injected Code Variation #3
DOM View
DOM ==> Mutable Memory representation
(Final View of DOM after JS/events)
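The "Diff DOM/SRC" depth check described above, as an added Python example that is not part of the deck or of Fireshark: it parses the original page source and the final DOM (the two artifacts Fireshark logs), lists the external references (script, iframe, embed, object and link targets) that exist only in the DOM, and produces a unified diff for the analyst. Both HTML documents and the host names in them are constructed.

```python
"""Depth analysis: compare a page's original source with the final DOM
(the in-memory tree after JavaScript and events ran) and list the external
references that script execution added at run time."""
import difflib
from html.parser import HTMLParser

# Constructed: what the server actually sent.
ORIGINAL_SRC = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome</p>
<script>/* obfuscated loader would sit here */</script>
</body></html>
"""

# Constructed: the same page as the browser's DOM after scripts ran; the
# loader appended a remote script and a 1x1 iframe (placeholder hosts).
FINAL_DOM = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome</p>
<script>/* obfuscated loader would sit here */</script>
<script src="http://redir-one.ru:8080/x.js"></script>
<iframe src="http://landing-one.ru:8080/in.php" width="1" height="1"></iframe>
</body></html>
"""

# (tag, attribute) pairs that pull in remote content.
REF_ATTRS = {("script", "src"), ("iframe", "src"), ("embed", "src"),
             ("object", "data"), ("link", "href")}

class RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every remote reference, in order."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in REF_ATTRS and value:
                self.refs.append((tag, name, value))

def external_refs(html):
    parser = RefCollector()
    parser.feed(html)
    return parser.refs

def injected_refs(src_html, dom_html):
    """References present in the DOM but absent from the source, in DOM order."""
    baseline = set(external_refs(src_html))
    return [r for r in external_refs(dom_html) if r not in baseline]

def dom_diff(src_html, dom_html):
    """Unified diff of source vs DOM for the human reading the report."""
    return "".join(difflib.unified_diff(
        src_html.splitlines(keepends=True), dom_html.splitlines(keepends=True),
        fromfile="source", tofile="dom"))

if __name__ == "__main__":
    for tag, attr, url in injected_refs(ORIGINAL_SRC, FINAL_DOM):
        print(f"injected <{tag} {attr}={url}>")
    print(dom_diff(ORIGINAL_SRC, FINAL_DOM))
```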
Log Analysis
Further analysis showed variations:
1. hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/
2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale.ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/
ru:8080 URL Injection Campaign
Similarities between infected sites:
Port 8080
Various changing .ru domains
Legitimate content on port 80 served by Apache
Malicious domains are mapped to 5 different IPs
Malicious IP addresses are on hosting providers
Leaseweb (Netherlands) and OVH.com (France)
Landing domains were NXD (NXDOMAIN) in Dec '09/Jan '10
The Never-ending story
Fresh injections
Observations from ru:8080 attack
Compromised websites can be, and are, updated automatically
Compromised websites are injected with multiple redirectors
Sharing of stolen FTP credentials:
e.g. many infected sites also led to Gumblar-infected domains, indicating that the attackers had perhaps shared stolen FTP credentials
Injection Example #3
Mass Injection #3
~5700 infected pages
~5300 unique hosts; 1k sent for analysis
Breadth – Popularity of Responses
Breadth – Popularity of Responses
sportgun.pl.ua: a very common type of attack
It sends a response back to 50+ hosts
Connection Request/No Response
Src: hxxp://sportgun.pl.ua/st/go.php?sid=2&
Dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
![Page 88: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/88.jpg)
Round #2 Connection Request/Response
Success!
![Page 89: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/89.jpg)
Fetches Exploits
Fetches PDF and Java Exploits
- connection:
    type: response
    src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php
    dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
    status: 200
- connection:
    type: response
    src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class
    dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
    status: 200
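The "similarities between infected sites" of the ru:8080 campaign and the "popularity of responses" count both fall out of the connection records Fireshark 1.0 writes (the type/src/dst/status layout shown on this slide). As an added example that is not part of the talk and not one of Fireshark's own Perl post-processing scripts, the Python below parses a constructed log in that layout, ranks source hosts by how many distinct compromised hosts they sent responses into, and flags hosts showing the campaign traits listed earlier (port 8080 on a .ru domain, plus hyphenated brand-TLD lookalike labels such as clicksor-com). Every hostname in the sample is invented, and the lookalike regex is this example's own assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the record layout of Fireshark 1.0's YAML log
# (type / src / dst / status). Every hostname is invented; the request
# record carries no status line, like a request that got no answer.
SAMPLE_LOG = """\
- connection:
    type: response
    src: hxxp://responder-a.invalid/st/go.php?sid=2&
    dst: hxxp://victim-1.invalid/index.html
    status: 200
- connection:
    type: response
    src: hxxp://responder-a.invalid/st/go.php?sid=2&
    dst: hxxp://victim-2.invalid/news.php
    status: 200
- connection:
    type: response
    src: hxxp://responder-a.invalid/st/go.php?sid=2&
    dst: hxxp://victim-2.invalid/contact.php
    status: 200
- connection:
    type: response
    src: hxxp://responder-a.invalid/st/go.php?sid=2&
    dst: hxxp://victim-3.invalid/
    status: 200
- connection:
    type: request
    src: hxxp://victim-4.invalid/
    dst: hxxp://shop-com.news-de.constructed-campaign.ru:8080/google.com/google.com/avg.com/
- connection:
    type: response
    src: hxxp://cdn.legit-site.invalid:8080/app.js
    dst: hxxp://victim-5.invalid/
    status: 200
"""


def parse_log(text):
    """Turn '- connection:' blocks into dicts; keys a record lacks stay absent."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "- connection:":
            current = {}
            records.append(current)
        elif current is not None and ": " in stripped:
            key, value = stripped.split(": ", 1)
            current[key] = value
    return records


def host_port(url):
    """(hostname, port) of a defanged hxxp:// URL; port is None when absent."""
    parts = urlsplit(re.sub(r"^hxxp", "http", url))
    return parts.hostname, parts.port


def top_responders(records, n=5):
    """Breadth: rank source hosts by the number of distinct other hosts they
    sent a response into (the 'one responder answers 50+ hosts' view)."""
    reach = defaultdict(set)
    for rec in records:
        if rec.get("type") != "response" or "src" not in rec or "dst" not in rec:
            continue
        src_host, _ = host_port(rec["src"])
        dst_host, _ = host_port(rec["dst"])
        if src_host and dst_host and src_host != dst_host:
            reach[src_host].add(dst_host)
    ranked = sorted(reach.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, len(dsts)) for host, dsts in ranked[:n]]


# Assumption of this example: labels like "clicksor-com" or "chip-de" that
# imitate a brand plus its TLD, as seen in the ru:8080 hostnames.
LOOKALIKE_LABEL = re.compile(r"^[a-z0-9]+-(?:com|net|org|de|fr|jp|co|uk)$")


def ru8080_candidates(records):
    """Flag any src/dst host with the campaign traits: port 8080 on a .ru
    domain; brand-TLD lookalike labels are recorded as extra evidence."""
    flagged = {}
    for rec in records:
        for field in ("src", "dst"):
            url = rec.get(field)
            if not url:
                continue
            host, port = host_port(url)
            if not host or port != 8080 or not host.endswith(".ru"):
                continue
            reasons = ["port 8080", ".ru domain"]
            lookalikes = [l for l in host.split(".") if LOOKALIKE_LABEL.match(l)]
            if lookalikes:
                reasons.append("lookalike labels: " + ",".join(lookalikes))
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, count in top_responders(recs):
        print(f"{host}: responses into {count} distinct hosts")
    for host, why in ru8080_candidates(recs).items():
        print(f"{host}: {'; '.join(why)}")
```

Two design points: distinct destination hosts are counted rather than raw records, so a responder that answers the same victim on several pages is not inflated, and a legitimate CDN on port 8080 is not flagged because the .ru condition is required as well; port alone was never the campaign's distinguishing trait.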
![Page 90: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/90.jpg)
PDF VirusTotal Results
![Page 91: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/91.jpg)
Eleonore Exploits Pack
hxxp://uplevelgmno.vn.ua/111/sv777/stat.php
![Page 92: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/92.jpg)
Obfuscated Chunk in Source Code
howtofindmyip.com obfuscation
![Page 93: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/93.jpg)
Deobfuscated DOM
howtofindmyip.com deobfuscated
![Page 94: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/94.jpg)
Exploit Kit
uplevelgmno.vn.ua
![Page 95: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/95.jpg)
Observations from Injection attack #3
The bad guys are tracking and hiding; redundant redirectors are common
The exploits in use are current, e.g. all platforms/browsers are targeted
Exploit kits are easily attainable, and setup is quick
Many kits serve polymorphic exploits/malware to users, so traditional AV signatures are always behind
![Page 96: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/96.jpg)
FIRESHARK RELEASES
From 1.0 to 1.1…
96
![Page 97: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/97.jpg)
Fireshark 1.0
Released Blackhat Europe
April 2010
– Firefox Browser-Plugin
– PERL Post processing scripts
– CYMRU ASN
– GraphViz
97
![Page 98: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/98.jpg)
Fireshark 1.0
YAML Log format
Scripts:
GraphViz.pl
IngressEgress.pl
98
![Page 99: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/99.jpg)
Fireshark 1.1 (release in November '10)
XUL GUI Front-end
– Shows network traffic
– Redirection chains
– DOM/SOURCE/DIFF
– Top Destination and Source URLs
– Suspected Redirectors/Exploit Sites
Configurable options
Output in JSON (1.0 was in YAML)
99
![Page 100: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/100.jpg)
FIRESHARK: WHERE TO DOWNLOAD
Get it!…
100
![Page 101: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/101.jpg)
Download Fireshark 1.0
http://fireshark.org/
Free (GPL v3), Open Source
PERL/Python scripts included for post-processing
101
![Page 102: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/102.jpg)
CONCLUSION + Q&A
The end…
102
![Page 103: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/103.jpg)
Conclusions/Take-away
Compromised websites:
– Increase of 225% over the last 12 months
– Frequently updated to contain fresh links
– Current tools are insufficient if desire is to monitor and analyze mass URL injections
Use Fireshark for:
– Mass Injection Analysis
– Redirection Chaining
– Content Profiling
103
![Page 104: Web Forensics and Analysis Tool - BruCONfiles.brucon.org/2010/brucon2010-schenette-final.pdf · 2012. 4. 2. · Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette](https://reader036.vdocuments.site/reader036/viewer/2022071214/604222d904f10c28345eef02/html5/thumbnails/104.jpg)
Q&A
Questions?
Contact:
Stephan Chenette
Twitter: StephanChenette
Email: [email protected]
Fireshark Feedback:
Join the Fireshark mailing list, or
send an email to [email protected]
104