Write-Up CyberDefenders: Web Investigation

This is a write-up of the CyberDefenders lab "Web Investigation".

You are a cybersecurity analyst working in the Security Operations Center (SOC) of BookWorld, an expansive online bookstore renowned for its vast selection of literature. BookWorld prides itself on providing a seamless and secure shopping experience for book enthusiasts around the globe. Recently, you've been tasked with reinforcing the company's cybersecurity posture, monitoring network traffic, and ensuring that the digital environment remains safe from threats.

Late one evening, an automated alert is triggered by an unusual spike in database queries and server resource usage, indicating potential malicious activity. This anomaly raises concerns about the integrity of BookWorld's customer data and internal systems, prompting an immediate and thorough investigation.

As the lead analyst in this case, you are required to analyze the network traffic to uncover the nature of the suspicious activity. Your objectives include identifying the attack vector, assessing the scope of any potential data breach, and determining if the attacker gained further access to BookWorld's internal systems.

First, we need a tool to analyze the captured packets (.pcap); for this we use Wireshark.

In the Wireshark application, since this is an attack against a website, we'll filter by "http" to display packets with HTTP protocol transactions.

To identify the attacker's IP, we first need to determine when and where the attack occurred. This means following the attacker's steps in order, from their first attempts to gain access through their scanning for vulnerabilities. One common attack method against websites is SQL Injection, where user-supplied input is passed into queries that interact directly with the database on the server.

In Wireshark, the Source IP is the sender of the packet, and the Destination IP is the receiver. The web operates on a request and response model: every time a user makes a request, the server responds. Unusual request packets (for example, those containing operators such as AND or OR, or a single quote character ') often indicate an attack attempt.

Question 2: If the geographical origin of an IP address is known to be from a region that has no business or expected traffic with our network, this can be an indicator of a targeted attack. Can you determine the origin city of the attacker?

Once the attacker's IP address (typically a public IP) is identified, we can use public services like IP Address Lookup, WhatIsMyIP, or similar tools to pinpoint its location. These services will provide details such as the country, province, city, and other registered information associated with that IP address.

Question 3: Identifying the exploited script allows security teams to understand exactly which vulnerability was used in the attack. This knowledge is critical for finding the appropriate patch or workaround to close the security gap and prevent future exploitation. Can you provide the vulnerable PHP script name?

When an attacker attempts to breach a website's system, their requests will be directed at a specific URL. This URL is often where the security vulnerability lies. In cases involving SQL Injection, particularly when tools like SQLMap are likely used, you'll observe numerous requests to unusual URLs, with SQL commands embedded within them.

Here are some examples of SQL Injection attempts commonly inserted into a request URL:

Let's assume the legitimate URL for a product page is: https://example.com/products.php?id=123

The attacker manipulates the id parameter to inject malicious SQL queries:

https://example.com/products.php?id=123%20AND%201=1

https://example.com/products.php?id=123%20UNION%20SELECT%201,2,database(),4--

https://example.com/products.php?id=123%20%27%20AND%20(SELECT%201%20FROM%20(SELECT%20COUNT(*),CONCAT(0x71716b6b71,(SELECT%20(ELT(2836=2836,1))),0x7170707871,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20--%20

Question 4: Establishing the timeline of an attack, starting from the initial exploitation attempt, what is the complete request URI of the first SQLi attempt by the attacker?

In Wireshark, packet captures are presented sequentially with clear source and destination information. When an attacker attempts to compromise a website using SQL Injection, there will be a first suspicious request that stands out. This initial unusual request is what indicates the very beginning of the attack attempt. By identifying this first anomalous packet, analysts can trace the start of the attacker's activities.

When analyzing URLs in captured packets, you'll notice that their format isn't always straightforward. They often contain special symbols that have been URL-encoded, meaning they are represented by specific codes. For instance, a space character is commonly encoded as %20, and a single quote (') becomes %27.

Manually decoding these characters can be incredibly tedious and time-consuming, especially when dealing with numerous or complex requests, such as those found during SQL Injection attempts. To streamline this process and make the URLs readable, we can use a tool like CyberChef. Specifically, the "URL Decode" operation within CyberChef can automatically detect and convert these encoded formats back into their normal, human-readable form, significantly simplifying the analysis.
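The attacker-IP and first-SQLi steps above can be automated once the HTTP requests are exported from Wireshark. The following is an added example, not code from the write-up or the lab: it assumes the requests were exported in the shape of `tshark -T fields` output (frame, relative time, source IP, URI), URL-decodes each URI, and flags the indicators the text names (a stray quote, AND/OR tests, UNION SELECT). The sample lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample shaped like `tshark -r capture.pcap -Y http.request -T fields
# -e frame.number -e frame.time_relative -e ip.src -e http.request.uri` output
# (tab-separated). Values are invented for illustration, not from the lab pcap.
SAMPLE_REQUESTS = """\
12\t0.412\t10.0.0.5\t/index.php
31\t1.880\t10.0.0.5\t/products.php?id=123
57\t4.201\t203.0.113.7\t/products.php?id=123
63\t4.530\t203.0.113.7\t/products.php?id=123%27
72\t4.902\t203.0.113.7\t/products.php?id=123%20AND%201%3D1
88\t5.377\t203.0.113.7\t/products.php?id=123%20UNION%20SELECT%201%2C2%2Cdatabase()%2C4--
"""

# Indicators named in the write-up: a stray single quote, AND/OR tests, UNION SELECT.
SQLI_PATTERNS = [
    re.compile(r"'"),
    re.compile(r"\b(AND|OR)\b\s+[\w']+\s*=\s*[\w']+", re.I),
    re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I),
]

def parse_requests(text):
    """Turn tshark field lines into (frame, time, src_ip, decoded_uri) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            frame, t, src, uri = line.split("\t")
            # unquote_plus reverses the URL encoding (%27 -> ', %20 -> space).
            rows.append((int(frame), float(t), src, unquote_plus(uri)))
    return rows

def is_sqli(uri):
    """Only the query string is user-controlled, so that is what we inspect."""
    return any(p.search(uri.partition("?")[2]) for p in SQLI_PATTERNS)

def first_sqli_attempt(text):
    """(frame, src_ip, decoded_uri) of the earliest request flagged as SQLi."""
    for frame, _t, src, uri in sorted(parse_requests(text)):
        if is_sqli(uri):
            return frame, src, uri

def suspicious_sources(text):
    """Flagged requests per source IP; the top entry is the attacker candidate."""
    counts = {}
    for _f, _t, src, uri in parse_requests(text):
        if is_sqli(uri):
            counts[src] = counts.get(src, 0) + 1
    return counts
```

Run against a real export, `first_sqli_attempt` gives the frame to jump to in Wireshark for the timeline question, and `suspicious_sources` gives the IP to look up for the geolocation question.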

Question 5: Can you provide the complete request URI that was used to read the web server's available databases?

When an SQL Injection attempt is successful, the server typically responds with HTTP status code 200 (OK) while delivering the leaked data in the same response. In Wireshark, this can be observed in the response packet, specifically in the data-text-lines section, which contains what the server sent back to the requesting user. When database information is leaked, the server usually presents it as var_dump output or a JSON response embedded in the web page that was supposed to render.

Question 6: Assessing the impact of the breach and data access is crucial, including the potential harm to the organization's reputation. What's the table name containing the website users data?

Similarly, a successful SQL Injection can leak not only the database name but also the contents of its tables. The server's response visibly carries this leaked data, often alongside the XML structure of the page that was supposed to appear. This allows the attacker to view, and potentially extract, sensitive information directly from the database through the web application's response.

Question 7: The website directories hidden from the public could serve as an unauthorized access point or contain sensitive functionalities not intended for public access. Can you provide the name of the directory discovered by the attacker?

A directory on a website functions much like a folder in a file system, containing files grouped together based on shared characteristics, features, or access permissions. Often, sensitive parts of a website, such as administration panels or configuration files, are intentionally hidden within specific directories. Within these directories, various URL endpoints are used to manage the website comprehensively.

These hidden directories are prime targets for attackers who aim to gain unauthorized access to the system. During an automated website directory search (often called "directory brute-forcing" or "enumeration"), the server commonly responds with a 404 (Not Found) status code when the directory or URL does not exist. When the attacker hits a hidden directory or a valid endpoint, however, the server responds with a 200 (OK) status code instead, confirming its presence and allowing the attacker to proceed further into the system.

Furthermore, if a website is highly vulnerable, it might directly display a directory listing if it lacks an index page (e.g., index.html or index.php). This scenario can sometimes be observed with a 302 (Found) HTTP response, redirecting the attacker to the directory's content instead of a 404 error or a rendered web page.
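The 404-versus-200 pattern described above is easy to check mechanically. The following is an added example, not code from the write-up: it assumes the analyst has exported request/response pairs from Wireshark as (frame, source IP, URI, status) tuples, flags a source whose 404 count looks like a scan, and lists the paths that answered 200 or a redirect among that source's requests. The sample rows and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed request/response pairs as an analyst might export them from
# Wireshark: (frame, src_ip, request_uri, response_status). Invented for
# illustration; not from the lab pcap.
SAMPLE_PAIRS = [
    (101, "203.0.113.7", "/backup/", 404),
    (103, "203.0.113.7", "/config/", 404),
    (105, "203.0.113.7", "/uploads/", 404),
    (107, "203.0.113.7", "/test/", 404),
    (109, "203.0.113.7", "/admin/", 200),
    (111, "203.0.113.7", "/old/", 404),
    (113, "203.0.113.7", "/secret/", 404),
    (120, "10.0.0.5", "/products.php?id=42", 200),
    (122, "10.0.0.5", "/missing.html", 404),
]

def enumeration_report(pairs, min_404=5):
    """Flag sources whose 404 volume looks like directory brute-forcing and list
    the paths that answered 200 or a redirect among that source's requests."""
    by_src = defaultdict(list)
    for frame, src, uri, status in pairs:
        by_src[src].append((frame, uri, status))
    report = {}
    for src, rows in by_src.items():
        misses = [r for r in rows if r[2] == 404]
        if len(misses) < min_404:
            continue  # a few 404s is ordinary browsing, not a scan
        # 301/302 are included because a bare directory often answers with a
        # redirect (to add the trailing slash) or, as the write-up notes, a 302.
        hits = [uri for _f, uri, st in rows if st in (200, 301, 302)]
        report[src] = {"not_found": len(misses), "discovered": hits}
    return report
```

The `min_404` threshold is a tuning knob: raise it on a site whose users commonly hit dead links, lower it for a small admin-only host.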

Question 8: Knowing which credentials were used allows us to determine the extent of account compromise. What are the credentials used by the attacker for logging in?

Once SQLMap successfully injects code and causes a database leak, the attacker can then easily attempt to log in to the website's administrative URL. In Wireshark, these login attempts can also be observed. The transmission data can be inspected by looking at packets sent to the admin URL, which will often show clear indications of username and password variables within the request payload. This allows analysts to identify the credentials the attacker is attempting to use.

Question 9: We need to determine if the attacker gained further access or control of our web server. What's the name of the malicious script uploaded by the attacker?

After an attacker gains control or administrative access to a website, they often look for further weaknesses, such as file upload functionality, that let them establish a backdoor. These actions are also observable through Wireshark analysis.

In the packet capture, we can see the attacker successfully entering the admin system. Subsequent actions like uploading a backdoor will typically be visible as HTTP requests using the POST method to a relevant upload endpoint. Following the upload, the attacker will often attempt to execute the backdoor. This execution is usually evident as a subsequent GET method request to a URL containing the malicious file, often identifiable by its unusual name or a suspicious file extension (e.g., .php). Observing these patterns allows analysts to pinpoint when and how the backdoor was deployed and activated.
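The upload-then-execute pattern just described can be pulled out of the request sequence automatically. The following is an added example, not code from the write-up: it assumes the attacker's requests after the admin login are available as (frame, method, URI, status) tuples, pairs each POST to an upload endpoint with the first later GET of a server-side script that had never been requested before, and reports that script as the backdoor candidate. The endpoint and file names are constructed placeholders, not the lab's.

```python
import posixpath

# Constructed request sequence from the attacker's IP after the admin login:
# (frame, method, request_uri, response_status). Names are invented placeholders.
POST_LOGIN_REQUESTS = [
    (301, "POST", "/admin/login.php", 302),
    (305, "GET", "/admin/dashboard.php", 200),
    (310, "POST", "/admin/upload.php", 200),
    (318, "GET", "/uploads/placeholder_backdoor.php", 200),
    (325, "GET", "/uploads/placeholder_backdoor.php?action=list", 200),
]

# Extensions the web server would execute rather than serve as static content.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}

def find_uploaded_scripts(requests):
    """Pair each upload POST with later GETs of server-side scripts that were
    never requested before the upload; those are the backdoor candidates."""
    seen_paths = set()
    upload_frame = None
    findings = []
    for frame, method, uri, _status in requests:
        path = uri.partition("?")[0]          # drop the query string
        ext = posixpath.splitext(path)[1].lower()
        if method == "POST" and "upload" in path.lower():
            upload_frame = frame
        elif (method == "GET" and upload_frame is not None
              and ext in SCRIPT_EXTENSIONS and path not in seen_paths):
            findings.append({"upload_frame": upload_frame, "exec_frame": frame,
                             "script": posixpath.basename(path)})
        seen_paths.add(path)   # repeat requests to the same path are not re-reported
    return findings
```

The `upload_frame` and `exec_frame` values are the packets to open in Wireshark to confirm the upload payload and the first execution of the script.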

Written by

OK Muhammad Majid Maulana

IT Support & Tech Enthusiast