Extract attack fingerprints from NT web server logs


(QQ: 550669)

If you browse the well-known foreign hacker sites, you will find that working out an intruder's methods from the fingerprints they leave on a system has become a popular topic. I am no exception; I like this approach, because it lets you easily find the traces intruders leave behind and learn their methods from them.

Because my lab environment is limited, I can only analyze logs on my own virtual machines. I really hope that people with the same interest can provide an open environment for studying these low-level things. If this kind of work took root in China, the state of China's security industry would be much better than it is today.

Let's begin the journey.

Honeynet (honeypot system) Introduction:

A Honeynet is above all a learning tool. It is a dedicated network built to be broken into. Once intruders attack it, every tool they use and everything they do is captured for analysis and study. The idea resembles a honeypot, but the two differ: a honeypot is also a system set up to be attacked, usually to deceive intruders; typically it simulates some common vulnerabilities, emulates other operating systems, or configures a system as a "caged" host. Examples are The Deception Toolkit, CyberCop Sting, and Mantrap. The Deception Toolkit is a collection of scripts that simulate common system vulnerabilities. CyberCop Sting runs on the NT platform and simulates the IP stacks and inetd services of several different systems. Mantrap configures a Solaris system and creates "caged" hosts. These are without doubt good ideas, but in today's environment some of them are no longer suitable and need further improvement.

There are two major differences between a Honeynet and a honeypot in the traditional sense:

1. A Honeynet is a network, not a single host. The network sits behind a firewall, and all inbound and outbound data is watched, captured, and controlled. The captured data is used to analyze the tools, methods, and motives of intruders. Within the Honeynet we can use a variety of operating systems and devices, such as Solaris, Linux, Windows NT, and Cisco switches, so the environment looks more realistic and credible. At the same time, different systems on different platforms run different services, such as a Linux DNS server, a Windows NT web server, or a Solaris FTP server, so we can learn different tools and different tactics. Some intruders target only the vulnerabilities of a specific system, but a diverse set of systems may reveal more of their characteristics.

2. All systems in the Honeynet are standard machines; the operating systems and applications on them are real and complete, just like the systems you find on the Internet. We do not deliberately simulate an environment or deliberately weaken a system. The risks found in a Honeynet system are the same as those of a company's system on the Internet. You can simply place your operating system in the Honeynet without affecting the rest of the network.

It works in the following way:

Work Mode
Since our purpose is to study the intruder population, we must be able to track their actions in a transparent environment, so that everything that happens in the Honeynet is visible to us. The traditional method is to monitor network traffic, and its biggest problem is volume: the security engineer is exhausted sorting normal traffic from malicious activity in a huge amount of data. Tools and techniques such as intrusion detection systems, host-based detection, and log analysis help a great deal, but data overload, destroyed information, unknown activities, forged logs, and so on still make inspection and analysis difficult.

The Honeynet takes the simplest approach. Our goal is to study the events on the systems themselves rather than to analyze all network traffic. Our assumption is that, apart from normal use, any access to the Honeynet from outside is probably scanning, probing, or attacking, and any connection initiated from inside the Honeynet to the outside world usually means that the system has been compromised and the intruder is using it for some activity. This greatly simplifies the analysis.


To run a Honeynet successfully we must solve two problems: data control and data capture. Data control is a rule: you must be able to decide where your packets may go, so that when a honeypot in the Honeynet is compromised it cannot be used to attack machines outside the Honeynet. Data capture means recording all of the intruders' traffic, from their keystrokes to the packets they send; only then can their tools, tactics, and objectives be analyzed further.
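The two rules above (inbound traffic to the Honeynet that is not expected service traffic is treated as probing or attack; any connection initiated from inside is treated as a sign of compromise) together with a simple outbound budget as one form of data control, as an added example that is not part of the original article. The honeynet prefix, the exposed services, the connection-record format and the limit of five outbound connections are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed honeynet address range (documentation prefix) and the services the
# honeypots in it deliberately expose; both are constructed for this example.
HONEYNET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_INBOUND = {21, 53, 80, 443}
OUTBOUND_LIMIT = 5   # outbound connections a honeypot may open before being cut off

# Constructed connection records: "<time> <proto> <src>:<port> -> <dst>:<port>".
SAMPLE_RECORDS = [
    "01:17:01 tcp 198.51.100.7:40001 -> 192.0.2.10:80",    # normal web hit
    "01:17:02 tcp 198.51.100.7:40002 -> 192.0.2.10:139",   # probe of an unexposed port
    "01:17:03 tcp 198.51.100.7:40003 -> 192.0.2.10:445",   # probe of an unexposed port
    "01:17:04 tcp 192.0.2.10:1030 -> 192.0.2.11:80",       # honeypot to honeypot
] + [f"01:18:{i:02d} tcp 192.0.2.10:{1040 + i} -> 203.0.113.5:6667" for i in range(7)]


def parse_record(line):
    """Parse "<time> <proto> <src>:<sport> -> <dst>:<dport>" into a dict."""
    ts, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": s_ip, "sport": int(s_port),
            "dst": d_ip, "dport": int(d_port)}


def classify(rec, allowed_inbound=ALLOWED_INBOUND):
    """Apply the article's rule: direction relative to the honeynet decides the verdict."""
    src_in = ipaddress.ip_address(rec["src"]) in HONEYNET
    dst_in = ipaddress.ip_address(rec["dst"]) in HONEYNET
    if src_in and not dst_in:
        return "outbound-suspect"          # initiated from inside: likely compromised
    if dst_in and not src_in:
        return "inbound-service" if rec["dport"] in allowed_inbound else "inbound-probe"
    return "other"                         # intra-honeynet or unrelated traffic


def analyze(lines, limit=OUTBOUND_LIMIT):
    """Count verdicts, track outbound connections per honeypot, and list the
    records that exceed the outbound budget (the ones data control would block)."""
    counts = defaultdict(int)
    outbound_by_host = defaultdict(int)
    blocked = []
    for line in lines:
        rec = parse_record(line)
        kind = classify(rec)
        counts[kind] += 1
        if kind == "outbound-suspect":
            outbound_by_host[rec["src"]] += 1
            if outbound_by_host[rec["src"]] > limit:
                blocked.append(line)
    return dict(counts), dict(outbound_by_host), blocked


if __name__ == "__main__":
    counts, outbound, blocked = analyze(SAMPLE_RECORDS)
    print(counts)
    print("outbound per host:", outbound)
    print("records over the outbound limit:", len(blocked))
```

The verdict depends only on which side of the honeynet boundary initiated the connection, which is why the approach needs no model of "normal" traffic; the outbound budget is one concrete way to honour the data-control rule without simply cutting the honeypot off, which would tip the intruder off at once.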


If you are interested in these things, I recommend a domestic site: http://www.xfoucs.org/honeynet.

It is the only Honeynet research site in China, and you can learn a great deal about Honeynets there.

Objectives:

Our goal this time is to analyze the fingerprints left on an NT system after a successful intrusion, and to show the process of working out the attack method and the method of data analysis. We hope you can learn something useful from it; that is the reason for writing this article.

The file we analyze this time comes from http://project.honeynet.org/scans/scan14/. First we download the log file provided there:

http://project.honeynet.org/scans/scan14/snort-0204@0117.log.gz

or http://project.honeynet.org/scans/scan14/snort-0204@0117.log.zip

The questions posed are:

1. Which exploit(s) were used to attack the system?
2. How were the exploits used to access and control the system?
3. What was done once access was gained?
4. How could this attack have been prevented?
5. How much time did you spend on this analysis and writeup?

A simple translation:

1. Which vulnerability did the attacker use to attack the system?

2. How was this vulnerability used to access and control the system?

3. What was done once the attacker was inside the system?

4. How can this attack be prevented?

5. How long did you spend on the analysis and writing the report?

Now that we have the log data and the questions, what we need to do is find the answers in the log.

Part 1. Analyzing the Data

I remember that this was the first time I analyzed data of this kind. After decompressing the log file I could understand some of it, and I tried the analysis myself. Although I did not find much during the process and my answer was similar to others', I found that I had spent three to four times as long as they had. I can imagine how much time is needed to analyze a real system after it has been penetrated, so I took many detours at the start. The purpose of this article is to teach you a method for analyzing the data. If you want to analyze the data the way I did, I will not object, but at least you should understand the following:

[Binary log excerpt, unreadable in this copy.]
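The article's stated aim, pulling attack fingerprints out of an NT web server's log, as an added example that is not part of the original article or the Honeynet Project's challenge material. It parses the W3C Extended format that IIS writes, summarises each client's requests, and flags the clients whose behaviour stands out. The sample log lines, the field set, and the three thresholds (error ratio, URI length, longest run of one repeated byte) are assumptions constructed for the example; they are generic indicators of probing and malformed requests, not the specific exploit of the challenge, which this copy of the article never reaches.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C Extended log format (the style an NT web
# server writes); addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Server 4.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-02-04 01:17:01 198.51.100.20 GET /index.htm - 200",
    "2002-02-04 01:17:02 198.51.100.20 GET /images/logo.gif - 200",
    "2002-02-04 01:17:10 203.0.113.9 GET /scripts/test.asp - 404",
    "2002-02-04 01:17:11 203.0.113.9 GET /admin/ - 404",
    "2002-02-04 01:17:12 203.0.113.9 GET /cgi-bin/ - 404",
    # an oversized query made of one repeated byte, a common sign of a malformed request
    "2002-02-04 01:17:20 203.0.113.9 GET /default.htm id=" + "a" * 300 + " 500",
]


def parse_w3c(lines):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no requests
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def longest_run(s):
    """Length of the longest run of a single repeated character in s."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", s)), default=0)


def fingerprint(lines, min_requests=3, error_ratio=0.5, uri_len=255, run_len=32):
    """Summarise requests per client and flag suspicious ones.
    The thresholds are assumptions chosen for this example."""
    per_client = defaultdict(lambda: {"requests": 0, "errors": 0,
                                      "max_uri_len": 0, "longest_run": 0, "stems": set()})
    for rec in parse_w3c(lines):
        c = per_client[rec["c-ip"]]
        uri = rec["cs-uri-stem"]
        if rec.get("cs-uri-query", "-") != "-":
            uri += "?" + rec["cs-uri-query"]
        c["requests"] += 1
        c["errors"] += int(rec["sc-status"]) >= 400
        c["max_uri_len"] = max(c["max_uri_len"], len(uri))
        c["longest_run"] = max(c["longest_run"], longest_run(uri))
        c["stems"].add(rec["cs-uri-stem"])
    result = {}
    for ip, c in per_client.items():
        flags = []
        if c["requests"] >= min_requests and c["errors"] / c["requests"] >= error_ratio:
            flags.append("error-ratio")     # mostly failed requests: looks like probing
        if c["max_uri_len"] > uri_len:
            flags.append("long-uri")        # far longer than any page on the site
        if c["longest_run"] >= run_len:
            flags.append("repeated-bytes")  # filler bytes rather than a real parameter
        result[ip] = {**c, "stems": sorted(c["stems"]), "flags": flags}
    return result


if __name__ == "__main__":
    for ip, s in fingerprint(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", s["errors"], "errors, flags:", s["flags"])
```

Reading the `#Fields:` directive instead of hard-coding column positions matters on a real server: IIS administrators choose which fields to log, and a parser that assumes a fixed layout silently misattributes columns. The per-client grouping is what turns a list of lines into a fingerprint: one 404 means little, but a client whose every request fails and then sends a 300-byte run of a single character is the kind of trace the article sets out to find.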
