File000139 (SlideShare upload by Desmond Devendran, 48 slides)
1.
Module XXVI –
Network Forensics and Investigating Logs
2.
EC-Council Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
News: Accused SF Network Hacker Facing Felony Charges
Source: http://www.foxreno.com/
3.
Module Objective
This module will familiarize you with:
• Network Forensics
• Network Attacks
• Where to Look for Evidence
• Investigating Logs
• Handling Logs as Evidence
• Log Injection Attacks
4.
Module Flow
Network Forensics → Network Attacks → Where to Look for Evidence → Investigating Logs → Handling Logs as Evidence → Log Injection Attacks
5.
Network Forensics
Network forensics can be defined as the sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident.
Network forensics can reveal:
• The source of security incidents and network attacks
• The path the attack took through the network
• The intrusion techniques used by the attackers
6.
The Intrusion Process
Figure: The intrusion process. The attacker on the Internet reaches the corporate network through a chain of ISP routers and several intermediate "owned" computers, then crosses the perimeter router and firewall to the internal servers, mainframe, workstations, and printers. Each hop along that path is a potential source of log evidence.
7.
Network Vulnerabilities
Internal network vulnerabilities: these arise from the overextension of bandwidth and from bottlenecks inside the network.
External network vulnerabilities: these arise from threats such as DoS/DDoS attacks and the interception of network data.
8.
Network Attacks
• IP spoofing
• Router attacks
• Eavesdropping
• Denial-of-Service
• Man-in-the-Middle attack
• Sniffer attack
• Data modification attacks
• Enumeration
• Virus
• Trojan
• E-mail infection
• Password cracking
• Malware attacks
9.
Where to Look for Evidence
Log files from the following devices and applications can be used as evidence for network security incidents:
• Firewalls
• Routers and switches
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Servers, desktops, and mainframes
• Business applications
• Databases
• Anti-virus
• VPNs
10.
Investigating Logs
11.
Postmortem and Real-Time Analysis
Forensic examination of logs falls into two categories:
• Postmortem: the logs are examined to investigate something that has already happened
• Real-time analysis: the logs are examined while the activity is still in progress
In practice, an IDS performs real-time analysis, whereas forensic examination is postmortem.
12.
Handling Logs as Evidence
Use multiple logs as evidence
• It is hard to refute a log entry if two separate devices record the same information
• Firewall logs, IDS logs, and tcpdump captures together can prove that an IP address hit a specific server at a specific time
Avoid missing logs
• When no log files exist, there is no way of knowing whether the server got no hits (say it was offline for a day) or whether the log file was deleted
13.
Log File Authenticity
Log files can be said to be authentic if it can be proven that they have not been modified since they were originally recorded.
Move the logs: if a server has been compromised, you must assume that its log files may also have been compromised. Move the logs to a master (central) log server and from there to offline media such as tape or CD.
14.
Use Signatures, Encryption, and Checksums
• To detect modification, compute a checksum (hash) of each log file as soon as it is collected; the Fsum tool or an MD5 utility can generate the hash. MD5 is no longer collision-resistant, so prefer SHA-256 where the tooling allows it.
• A digital signature over the hash (or a keyed hash whose key the compromised host never held) proves that the hash itself was recorded by the evidence system and not by the intruder.
• Encrypt the log with a public-key scheme if it must be kept confidential in transit or at rest; encryption alone does not prove integrity.
• Store the signature and hashes together with the log.
• Store a secure copy in a separate location.
15.
Work with Copies
• Do not use original log files for analysis; always work on copies
• Ensure that the originals are never touched, so that their authenticity can be maintained
• If you use log files as court evidence, you must be able to present the original files in their original form
16.
Ensure the System's Integrity
• Keep the system up to date with service packs and hotfixes so that its system files can be trusted
• Audit all changes to binary files in the system directory (WINNT, or %SystemRoot% on later Windows versions)
• If an intruder modifies the system files that write the logs, the log files are no longer valid as evidence
17.
Access Control
• Once a log file is created, restrict who can access it and audit every access, authorized or not
• If you properly secure and audit a log file using NTFS permissions, you will have documented evidence to establish its credibility
18.
Chain of Custody
• As you move log files from the server to the master server and later to an offline device, keep a record of where each file goes, who handled it, and when
• This can be done by technical means (hashing each copy, for example with MD5 or SHA-256, and comparing the hashes at every hand-over) and by non-technical means (signed custody forms)
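The following is an added example for slides 14 and 18 and is not part of the EC-Council deck: it seals a collected log with a SHA-256 digest and a keyed tag, writes chain-of-custody records, then verifies a faithful working copy and rejects a copy with one line removed. The log lines, the key name EVIDENCE_KEY, and the handler and location strings are all constructed for the example; the only assumption is that the key is held on the evidence server and never on the compromised host.

```python
import hashlib
import hmac
import json
import os
import tempfile
import time

# Constructed sample log (not a real capture); stands in for the file copied
# off the compromised server.
SAMPLE_LOG = (
    "2010-05-21 10:01:17 firewall DROP 203.0.113.7 -> 192.0.2.10:445\n"
    "2010-05-21 10:01:18 ids ALERT SMB probe from 203.0.113.7\n"
    "2010-05-21 10:01:19 firewall ACCEPT 203.0.113.7 -> 192.0.2.10:80\n"
)

# Assumption: this key exists only on the evidence server. An intruder who
# edits the log on the compromised host cannot recompute the tag without it.
EVIDENCE_KEY = b"example-evidence-key-keep-offline"


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_log(path: str, key: bytes) -> dict:
    """Record the file's digest plus an HMAC-SHA256 tag over that digest.

    The plain digest lets anyone check a copy; the keyed tag shows the digest
    was recorded by the evidence server, not by whoever owned the compromised host.
    """
    digest = sha256_file(path)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"file": os.path.basename(path), "sha256": digest, "hmac_sha256": tag}


def verify_log(path: str, seal: dict, key: bytes) -> bool:
    """True only if the tag is genuine and the file still hashes to the sealed digest."""
    expected_tag = hmac.new(key, seal["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, seal["hmac_sha256"]):
        return False
    return hmac.compare_digest(sha256_file(path), seal["sha256"])


def custody_record(seal: dict, handler: str, action: str, location: str) -> dict:
    """One chain-of-custody entry: which file (by hash), who, what, where, when."""
    return {
        "file": seal["file"],
        "sha256": seal["sha256"],
        "handler": handler,
        "action": action,
        "location": location,
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def demo() -> tuple:
    """Seal the sample log, accept a faithful copy, reject a copy with one line removed."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "firewall.log")
        with open(original, "w") as f:
            f.write(SAMPLE_LOG)
        seal = seal_log(original, EVIDENCE_KEY)
        chain = [custody_record(seal, "analyst1", "collected", "evidence server")]

        copy = os.path.join(workdir, "firewall.log.copy")
        with open(copy, "w") as f:
            f.write(SAMPLE_LOG)
        chain.append(custody_record(seal, "analyst1", "working copy made", "analysis workstation"))
        copy_ok = verify_log(copy, seal, EVIDENCE_KEY)

        tampered = os.path.join(workdir, "firewall.log.tampered")
        with open(tampered, "w") as f:
            f.write(SAMPLE_LOG.replace("2010-05-21 10:01:18 ids ALERT SMB probe from 203.0.113.7\n", ""))
        tampered_ok = verify_log(tampered, seal, EVIDENCE_KEY)

        # A seal presented with the wrong key is not trusted either.
        wrong_key_ok = verify_log(copy, seal, b"not-the-evidence-key")
        return copy_ok, tampered_ok, wrong_key_ok, json.dumps(chain, indent=1)


if __name__ == "__main__":
    ok, bad, wrong, chain = demo()
    print("faithful copy verifies:", ok)
    print("tampered copy verifies:", bad)
    print("verification with wrong key:", wrong)
    print(chain)
```

The seal and the custody records travel with the log to the offline copy; at every hand-over the receiver runs verify_log against the seal before signing the custody form.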
19.
Condensing Log Files
• Logs can be collected and sorted with syslog, but the resulting output is a very large file
• It is difficult for the forensic team to find the important entries
• Log entries need to be filtered according to the requirements of the investigation
• Tools that can be used: Swatch, Logcheck
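As an added example (not from the deck or from the Swatch or Logcheck projects), the filter below does what those tools do at their simplest: it drops lines that match a list of known-benign patterns, always surfaces lines that match alert patterns, and collapses repeated attempts into one counted entry. The syslog lines and both pattern lists are constructed for the example and would have to be tuned per site.

```python
import re

# Constructed syslog excerpt (not a real capture).
SAMPLE_SYSLOG = """\
May 21 10:01:01 gw CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
May 21 10:01:17 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
May 21 10:01:18 gw sshd[1310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 21 10:01:19 gw sshd[1310]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
May 21 10:01:20 gw systemd[1]: Started Session 42 of user ops.
May 21 10:01:25 gw sshd[1322]: Accepted publickey for ops from 198.51.100.5 port 40112 ssh2
"""

# Known-benign patterns in the spirit of Logcheck's ignore files. Anything that
# matches none of them is reported. (Assumed list; it has to be tuned per site.)
IGNORE_PATTERNS = [
    re.compile(r" CRON\[\d+\]: \(\w+\) CMD "),
    re.compile(r" systemd\[1\]: Started Session \d+ of user \w+\."),
    re.compile(r" sshd\[\d+\]: Accepted publickey for \w+ from "),
]

# Patterns that must surface even if an ignore rule is too broad.
ALERT_PATTERNS = [
    re.compile(r"Failed password"),
    re.compile(r"kernel: DROP "),
]

TIMESTAMP_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")
PORT_RE = re.compile(r" port \d+")


def condense(log_text: str, ignore=IGNORE_PATTERNS, alert=ALERT_PATTERNS) -> list:
    """Return only the lines an investigator should read.

    A line is kept if it matches an alert pattern, or matches none of the
    ignore patterns. Lines that differ only in timestamp and source port are
    collapsed into one entry with a count, so a brute-force burst is one line.
    """
    first_seen = {}   # normalized line -> [first full line, count]
    order = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if not any(p.search(line) for p in alert) and any(p.search(line) for p in ignore):
            continue
        key = PORT_RE.sub(" port N", TIMESTAMP_RE.sub("", line))
        if key not in first_seen:
            first_seen[key] = [line, 0]
            order.append(key)
        first_seen[key][1] += 1
    return [f"{n}x {first}" if n > 1 else first for first, n in (first_seen[k] for k in order)]


if __name__ == "__main__":
    for entry in condense(SAMPLE_SYSLOG):
        print(entry)
```

Keep the ignore list narrow: every pattern in it is a statement that those lines can never matter to an investigation, which is exactly the kind of blind spot an attacker looks for.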
20.
Log Injection Attacks
21.
New Line Injection Attack
• In this attack, the attacker injects plain text containing line breaks into the log file
• The attacker tries to divert the investigator's attention towards another person
• The logging application relates each line to the user who performed the action
The log file before the attack:
Figure: Log file before the attack
22.
New Line Injection Attack (cont'd)
• The attacker supplies input that contains a line break ([LINEBREAK]) followed by a forged entry in which the user name "Tester01" is replaced by "Manager01"
The log file after the attack:
Figure: New lines inserted by the attacker
23.
New Line Injection Attack Countermeasure
• Remove all new line characters, i.e. carriage return (0x0D) and line feed (0x0A), from user-supplied data before it is written to the log
• The resulting log file is shown below:
Figure: Removing new lines
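The attack and countermeasure of slides 21 to 23, as an added example that is not part of the deck: a logger that interpolates the user name unsanitized produces two entries, the second attributed to Manager01, while the same input through the hardened writer yields one entry still attributed to Tester01 with the forged fragment visible inside it. The log format ("date : time : user : action") and the attacker string are constructed; the sanitizer goes slightly beyond the slide by removing every character Python treats as a line boundary, not only CR and LF.

```python
# Constructed attacker input for the username field: a real-looking entry
# for Tester01, a line break, then the start of a forged entry naming Manager01.
ATTACK_USER = "Tester01 : Failed to logon\n21-05-2010 : 1002 : Manager01"


def strip_newlines(value: str) -> str:
    """Drop every line-boundary character from a user-controlled field.

    The slide's countermeasure removes CR (0x0D) and LF (0x0A); splitlines()
    also covers the other separators that Python-based viewers break on
    (VT, FF, NEL, U+2028, U+2029), so a viewer cannot be tricked by those either.
    """
    return "".join(value.splitlines())


def write_entry(date: str, time_: str, user: str, action: str, sanitize: bool) -> str:
    """Format one log line; `user` comes from the client, the rest from the application."""
    if sanitize:
        user = strip_newlines(user)
    return f"{date} : {time_} : {user} : {action}\n"


def parse_log(log_text: str) -> list:
    """Read the log back the way an investigator's tooling would: one entry per line."""
    entries = []
    for line in log_text.splitlines():
        date, time_, user, action = line.split(" : ", 3)
        entries.append((user, action))
    return entries


def demo() -> tuple:
    """Same input through the vulnerable and the hardened writer."""
    vulnerable = write_entry("21-05-2010", "1001", ATTACK_USER, "Failed to logon", sanitize=False)
    hardened = write_entry("21-05-2010", "1001", ATTACK_USER, "Failed to logon", sanitize=True)
    return parse_log(vulnerable), parse_log(hardened)


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable writer:", before)   # two entries, the second blames Manager01
    print("hardened writer:", after)      # one entry, still attributed to Tester01
```

Removal keeps the attacker's text in the record, which is what an investigator wants: the forged "Manager01" fragment now sits inside Tester01's own action field and points back at the account that submitted it.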
24.
Separator Injection Attack
• In this attack, the attacker injects one or more pipe characters into the log file
• Some systems keep logs with several data columns: each entry is a single line of text with the fields separated by a pipe character
The sample log file:
Figure: Sample pipe-delimited log file
25.
Separator Injection Attack (cont'd)
• When the attacker injects one or more pipe characters, the values that follow are shifted from one column to the next and the original values are displaced
• Consider the example: if the value field is replaced with "9.99 | WRITE", the values shift from one column to the next, as shown:
Figure: Replaced value field
26.
Separator Injection Attack (cont'd)
• Shifting log columns causes inconsistency in the log file
• The attack damages the integrity of the log file
• The inconsistency shows that an attack was performed using the pipe character
• Although the shifting of values is uncovered, it is difficult to find the offender
27.
Defending Against Separator Injection
• Sanitize the inputs by transforming incoming data into a different representation
• URL encoding and backslash ("\") escaping can be used to sanitize the inputs
• With URL encoding, the pipe character is replaced by a percent sign followed by the hexadecimal value of its ASCII code (%7C)
The log file after implementing URL encoding:
Figure: URL encoding
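The separator attack of slides 24 to 27 and its URL-encoding defense, as an added example that is not from the deck: the same "9.99 | WRITE" value produces a five-column row through the vulnerable writer and a four-column row, decoding back to the original text, through the encoding writer. The column names and the sample fields are constructed; the encoder escapes '%' as well as '|' so that decoding is unambiguous.

```python
from urllib.parse import unquote

COLUMNS = ("timestamp", "user", "action", "value")
DELIM = " | "


def encode_field(value: str) -> str:
    """URL-encode the separator so it can never be read as a column boundary.

    '%' is encoded first so that a literal '%7C' in the input stays distinct
    from an encoded pipe when the field is decoded again.
    """
    return value.replace("%", "%25").replace("|", "%7C")


def write_row(fields, sanitize: bool) -> str:
    """One pipe-delimited log line; `fields` arrive in COLUMNS order."""
    if sanitize:
        fields = [encode_field(f) for f in fields]
    return DELIM.join(fields) + "\n"


def parse_row(line: str) -> list:
    """Split on the delimiter and decode each field back to its original text."""
    return [unquote(part) for part in line.rstrip("\n").split(DELIM)]


def row_is_consistent(parts: list) -> bool:
    """A row with more or fewer fields than COLUMNS has had its columns shifted."""
    return len(parts) == len(COLUMNS)


# Constructed attacker input for the value column, as in the slide.
ATTACK_VALUE = "9.99 | WRITE"


def demo() -> tuple:
    """Same row through the vulnerable and the encoding writer."""
    fields = ["21-05-2010 1001", "Tester01", "READ", ATTACK_VALUE]
    vulnerable = parse_row(write_row(fields, sanitize=False))
    hardened = parse_row(write_row(fields, sanitize=True))
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("without encoding:", vulnerable, "consistent:", row_is_consistent(vulnerable))
    print("with encoding:   ", hardened, "consistent:", row_is_consistent(hardened))
```

row_is_consistent is also the postmortem check: running it over an existing pipe-delimited log flags every row whose column count does not match the schema, which is the inconsistency slide 26 describes.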
28.
Timestamp Injection Attack
• This attack combines new line injection and separator injection
• The log records the action that was taken, who initiated it, and when it occurred
• Consider a stock trading system that stores all trade information in a log file, as shown:
Figure: Log of all trade information
29.
Timestamp Injection Attack (cont'd)
• The new line injection input may look like:
  "AccountY[LINEBREAK] 21-05-2010 : 1002 : Trader1 has retracted sell order"
The log output is as follows:
Figure: New line input injection
30.
Timestamp Injection Attack (cont'd)
• The attacker must know the date and time used by the logging component
• To pass as genuine, injected entries must fit the chronological order: the forged time stamp must lie between the surrounding time stamps
• If only a limited number of lines are injected, the region of uncertainty is easy to find
• These scenarios create doubt in a legal case
31.
Defending Against Timestamp Injection
• Use sequence numbering: it is similar to time stamping, but it overcomes the problem that an attacker can predict the time stamp of an entry, because the logger assigns each entry the next number and an injected entry must either repeat or skip a number
• The following figure illustrates that line 3 is out of sequence:
Figure: Example with sequence numbering
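The sequence-numbering defense of slide 31 applied to the trade log of slides 28 to 30, as an added example that is not from the deck: SequencedLogger shows the writer side (the logger, not the caller, assigns the number) and audit shows the reader side (an entry whose number or time is out of order is reported, which in the constructed log is line 3). The trade log lines, the account and trader names, and the class name are constructed.

```python
import re

ENTRY_RE = re.compile(r"^(\d+) : (\d\d-\d\d-\d{4}) : (\d{4}) : (.*)$")

# Constructed trade log. The third line was not written by the logger: it
# arrived inside a field of entry 2 behind a line break, with a guessed
# sequence number and a back-dated time.
TRADE_LOG = """\
1 : 21-05-2010 : 1001 : Trader1 placed sell order on AccountX
2 : 21-05-2010 : 1003 : Trader2 updated contact details for AccountY
2 : 21-05-2010 : 1002 : Trader1 has retracted sell order
3 : 21-05-2010 : 1004 : Trader1 placed buy order on AccountX
"""

# The same log without the injected line, for comparison.
CLEAN_LOG = "\n".join(
    line for i, line in enumerate(TRADE_LOG.splitlines()) if i != 2
) + "\n"


class SequencedLogger:
    """Writer side: the logger, not the caller, assigns the sequence number."""

    def __init__(self):
        self.next_seq = 1

    def entry(self, date: str, hhmm: str, message: str) -> str:
        # Line breaks are removed, so a caller cannot start a second line at all;
        # even if one slipped through, it could not carry the right number.
        line = f"{self.next_seq} : {date} : {hhmm} : {''.join(message.splitlines())}"
        self.next_seq += 1
        return line


def audit(log_text: str) -> list:
    """Reader side: report every line whose sequence number or time is out of order.

    Returns (line_number, reason) pairs. An injected entry must either reuse
    or skip a number, so it is flagged wherever in the file it lands, even if
    its timestamp was chosen to fit between its neighbours.
    """
    findings = []
    prev_seq, prev_time = 0, None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable entry"))
            continue
        seq, hhmm = int(m.group(1)), int(m.group(3))
        if seq != prev_seq + 1:
            findings.append((lineno, f"sequence {seq} follows {prev_seq}"))
        if prev_time is not None and hhmm < prev_time:
            findings.append((lineno, f"time {hhmm:04d} earlier than previous {prev_time:04d}"))
        prev_seq, prev_time = seq, hhmm
    return findings


if __name__ == "__main__":
    logger = SequencedLogger()
    print(logger.entry("21-05-2010", "1005", "AccountY\n9 : 21-05-2010 : 1002 : forged"))
    for lineno, reason in audit(TRADE_LOG):
        print(f"line {lineno}: {reason}")
```

Because the number is assigned at write time, a gap or duplicate is evidence in itself: it bounds the region of uncertainty that slide 30 says an investigator must locate.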
32.
Word Wrap Abuse Attack
• In a word wrap abuse attack, unusual log entries are created by padding the input with white space
• When the viewer wraps the long line, the padding pushes the attacker's text onto its own display line, with an effect similar to a new line injection attack
33.
Word Wrap Abuse Attack (cont'd)
• When new line removal is in place, the attacker may instead use input such as:
  "Tester01. __________________Failed to delete all files for Manager01.________Failed to move all files for Manager01.__________Failed to remove user Manager01 for Manager01.___Failed to logon for Tester01"
The log file looks like:
Figure: Word wrap abuse attack
34.
Defending Against Word Wrap Abuse
• The solution for this type of attack is entry splitting
• The log entry is split into multiple lines after a specific length
• A marker is inserted to indicate that the split was made by the logger
• This technique also gives generalized protection against other forms of injection, since they depend on long inputs going unnoticed
35.
Defending Against Word Wrap Abuse (cont'd)
The log file entry after splitting looks like:
Figure: Entry splitting
• Here [CR] indicates that the logging software inserted the carriage return
• The disadvantage of this method is that the integrity of entries may be compromised: an entry is no longer one physical line, and a marker appearing in attacker input must not be mistaken for one inserted by the logger
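Entry splitting from slides 34 and 35, as an added example that is not from the deck: the logger writes each entry as fixed-width physical lines, prefixes every continuation line with the [CR] marker, and a reader rejoins them. The 60-column width, the log format, and the padded attacker string (modelled on slide 33) are constructed; to address the caveat on slide 35, the user field is also stripped of '[' so that attacker input cannot forge the marker.

```python
WIDTH = 60        # physical line length the logger writes (assumed)
MARKER = "[CR]"   # prefix for continuation lines inserted by the logger


def sanitize_field(value: str) -> str:
    """Remove line breaks and neutralize a forged marker in user-supplied text."""
    value = "".join(value.splitlines())
    return value.replace("[", "%5B")  # '[' can no longer start a literal "[CR]"


def format_entry(date: str, hhmm: str, user: str, action: str) -> str:
    """One logical entry; `user` is client-supplied, the rest comes from the application."""
    return f"{date} : {hhmm} : {sanitize_field(user)} : {action}"


def split_entry(entry: str, width: int = WIDTH, marker: str = MARKER) -> str:
    """Write one logical entry as fixed-width physical lines; every line after
    the first carries the marker so a reader knows the logger made the break."""
    chunks = [entry[i:i + width] for i in range(0, len(entry), width)] or [""]
    return chunks[0] + "\n" + "".join(f"{marker}{c}\n" for c in chunks[1:])


def join_entries(log_text: str, marker: str = MARKER) -> list:
    """Reassemble logical entries: a line starting with the marker continues the previous one."""
    entries = []
    for line in log_text.splitlines():
        if line.startswith(marker) and entries:
            entries[-1] += line[len(marker):]
        else:
            entries.append(line)
    return entries


# Constructed attacker input (after the slide's example): the padding is meant
# to push the forged fragments onto their own display lines in a wrapping viewer.
ATTACK_USER = (
    "Tester01." + " " * 26
    + "Failed to delete all files for Manager01." + " " * 8
    + "Failed to remove user Manager01." + " " * 5
)


def demo() -> tuple:
    """Split the padded entry, rejoin it, and show that a forged marker does not split anything."""
    entry = format_entry("21-05-2010", "1001", ATTACK_USER, "Failed to logon")
    written = split_entry(entry)
    lines = written.splitlines()
    forged = format_entry("21-05-2010", "1002", "Tester01[CR]Manager01 : Deleted files", "Failed to logon")
    return entry, lines, join_entries(written), join_entries(split_entry(forged))


if __name__ == "__main__":
    entry, lines, rejoined, forged_entries = demo()
    for line in lines:
        print(repr(line))
    print("rejoined == original:", rejoined == [entry])
    print("forged marker yields entries:", len(forged_entries))
```

In the written file every line break is either absent or marked, so a viewer that wraps the text adds nothing an investigator could mistake for a second entry.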
36.
HTML Injection Attack
• In this attack, the attacker injects HTML tags into a log that is later rendered as HTML
• The injected tags control how the subsequent entries are displayed
• Consider an HTML log file that is not secured against this
• Under normal conditions the browser displays a list of all invalid session identifiers along with a timestamp
37.
HTML Injection Attack (cont'd)
The HTML log file looks like:
Figure: HTML injection attack
38.
HTML Injection Attack (cont'd)
• Line 7 in the example shows the potentially malicious session ID, which is under the attacker's control
• To hide the entries that follow while performing other attacks, the attacker changes the session ID to:
  "A345EFF345987435</tr></td></table><font color=white>"
• This closes the current table row and the table itself and sets the font color to white, the same as the page background
• The subsequent session IDs are therefore rendered in white on white, which makes them hard to see
39.
HTML Injection Attack (cont'd)
The log file is changed to:
Figure: Changed log file
40.
Defending Against HTML Injection
• Token removal is the solution for this kind of attack
• Identify the tokens in attacker-supplied input and remove them so that they are not interpreted when the log is displayed
• Remove the '<' and '>' characters from every user-supplied field, not only where malicious input has already been spotted
The secured log file is written as:
Figure: Token removal
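The HTML injection of slides 36 to 40 with both defenses, as an added example that is not from the deck: the session-ID report is rendered as a table, the attacker's session ID from slide 38 adds four tags the browser would act on, and token removal (the slide's fix) or entity escaping (a variant that keeps the attacker's text recoverable for the case file) brings the tag count back to the fixed number a clean report has. The timestamps, the two benign session IDs, and the function names are constructed.

```python
import html
import re

TAG_RE = re.compile(r"<[^>]+>")

# Constructed entries: the second session ID is the attacker's, as in the slide.
ENTRIES = [
    ("21-05-2010 10:01", "9F3A7C0012BB45EE"),
    ("21-05-2010 10:02", "A345EFF345987435</tr></td></table><font color=white>"),
    ("21-05-2010 10:03", "77D1E0B4C9A2F113"),
]


def remove_tokens(value: str) -> str:
    """The slide's countermeasure: drop the characters that open and close tags."""
    return value.replace("<", "").replace(">", "")


def escape_tokens(value: str) -> str:
    """Stronger variant: encode the tokens as entities. The browser shows the
    attacker's literal text, and html.unescape() recovers it exactly for the case file."""
    return html.escape(value, quote=True)


def render(entries, sanitize=None) -> str:
    """Render the invalid-session report as an HTML table, sanitizing each ID if asked."""
    rows = []
    for stamp, session_id in entries:
        if sanitize is not None:
            session_id = sanitize(session_id)
        rows.append(f"<tr><td>{stamp}</td><td>{session_id}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def tag_count(page: str) -> int:
    """Number of tags the browser would interpret; a clean report has a fixed count."""
    return len(TAG_RE.findall(page))


def demo() -> tuple:
    """Tag counts for the vulnerable, token-removed, and entity-escaped reports."""
    return (
        tag_count(render(ENTRIES)),
        tag_count(render(ENTRIES, remove_tokens)),
        tag_count(render(ENTRIES, escape_tokens)),
    )


if __name__ == "__main__":
    vulnerable, removed, escaped = demo()
    print("tags in vulnerable report:", vulnerable)
    print("tags after token removal: ", removed)
    print("tags after escaping:      ", escaped)
```

Comparing tag_count of the rendered page against the count expected for its number of rows is a cheap integrity check for any HTML-rendered log.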
41.
Terminal Injection Attack
• This is an attack on the log viewing interface
• Terminal emulators interpret certain character sequences as directives to the terminal (clear the screen, move the cursor, change colors) rather than displaying them
• Terminal injection can be used against an FTP log file on a Linux system
• As an example, an attacker who has planted a bash shell backdoor uses it to display all the users' passwords
42.
Terminal Injection Attack (cont'd)
• The FTP client's activity, including the password retrieval, is left behind in the log file
• If the attacker knows that the administrator inspects the log file with a cat command, which writes the file's bytes straight to the terminal, he can embed ANSI terminal sequences that clear the screen, so that the log file appears empty
The log file as the attacker intends it to be seen:
Figure: Log file as displayed in the terminal
43.
Defending Against Terminal Injection
• These attacks can be defended against by using a raw viewer such as a hex editor (or cat -v, which prints control characters visibly instead of passing them to the terminal)
• With a hex editor, the file contents are shown without any interpretation, so the escape byte (0x1B) that starts each sequence is plainly visible, as shown:
Figure: Hex output of a terminal injection attack
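The terminal injection of slides 41 to 43 and the raw-view defense, as an added example that is not from the deck: a constructed FTP log carries the ANSI clear-screen and cursor-home sequences in a user-name field; find_escapes locates them, safe_view prints control bytes visibly in the manner of cat -v, and hexdump shows the bytes the way a hex editor would, with the 0x1B escape byte in plain sight. The log lines and the function names are constructed.

```python
import re

ESC = "\x1b"

# Constructed FTP transfer log (not a real capture). The second line's user name
# field carries ANSI sequences: ESC[2J clears the screen and ESC[H homes the
# cursor, so `cat` shows what looks like an empty file.
FTP_LOG = (
    "21-05-2010 10:01 LOGIN anonymous FROM 203.0.113.7\n"
    "21-05-2010 10:02 LOGIN " + ESC + "[2J" + ESC + "[H" + " FROM 203.0.113.7\n"
    "21-05-2010 10:03 RETR /etc/passwd FROM 203.0.113.7\n"
)

# Control characters other than TAB, LF and CR, plus DEL.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# ANSI CSI sequences: ESC '[' parameters, intermediates, final byte.
CSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def find_escapes(log_text: str) -> list:
    """(line_number, sequence) for every CSI sequence in the log: the check a
    viewer should run before trusting what the terminal shows."""
    found = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in CSI_RE.finditer(line):
            found.append((lineno, m.group(0)))
    return found


def safe_view(log_text: str) -> str:
    """Render control bytes visibly (as \\xNN) instead of letting the terminal act on
    them, in the spirit of `cat -v`."""
    return CONTROL_RE.sub(lambda m: f"\\x{ord(m.group(0)):02x}", log_text)


def hexdump(data: bytes, width: int = 16) -> list:
    """Hex-editor style view: offset, hex bytes, printable ASCII. No interpretation at all."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return lines


if __name__ == "__main__":
    for lineno, seq in find_escapes(FTP_LOG):
        print(f"line {lineno}: {seq!r}")
    print(safe_view(FTP_LOG))
    for row in hexdump(FTP_LOG.splitlines()[1].encode()):
        print(row)
```

A logger can close the hole at the source by applying the same CONTROL_RE substitution to user-supplied fields before writing them; the raw viewer remains the right tool for logs collected from systems that did not.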
44.
Other Kinds of Log File Attacks
Other forms of attack that should be known before developing a logging system:
• Buffer overflows: overflows in the logging code may corrupt records and damage log file integrity
• Format strings: most common in Unix-based logging systems and dangerous in unproven components
• SQL injection: a threat to log data stored in a relational database
45.
Other Kinds of Log File Attacks (cont'd)
• Directory traversal: attackers may use special characters to navigate to unauthorized directories or drives and overwrite important files
• XML attacks: XML stores many types of information, including log data; external and internal entity references and excessive recursion may change how logs are written and read
• Denial of service: a flood of entries fills individual logs and their storage to capacity, and buries the real entries in "noise" that makes them hard to identify
46.
Summary
• Logs can be collected and sorted with syslog, but the resulting output is a very large file
• Log entries need to be filtered
• Postmortem examination of logs investigates something that has already happened
• By combining logs from several devices, you strengthen the value of each
• Investigate the logs for the different log injection attacks