
Challenge 7 of the Forensic Challenge 2011 - Forensic Analysis of a Compromised Server

Challenge 7 - Forensic Analysis of a Compromised Server (provided by Guillaume Arcas from the French Honeynet Project Chapter, Hugo Gonzales from the Mexican Honeynet Project Chapter, Julia Cheng from the Taiwan Honeynet Project Chapter)

Please submit your solution using the submission template below by March 30th 2011. Results will be announced around the third week of April. For any questions and inquiries, please contact forensicchallenge2010@honeynet.org.

Skill Level: Beginner

The Challenge: A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

What service and what account triggered the alert? (1pt)
What kind of system runs on the targeted server?
Bonus question: From the memory image, can you say what network connections were opened and in which state?

Cool and Illegal Wireless Hotspot Hacks.

Surf Jack – HTTPS will not save you « EnableSecurity.

HTTPS: Surf jacking makes it vulnerable

Cookies and redirection seem to be this year's "attack vector du jour." At DefCon, Mike Perry gave a rather disconcerting talk about surf jacking and how it can be used to capture SSL session cookies. Michael Kassner would like to explain how surf jacking compromises HTTPS security.

The infamous cookie causes yet more grief

In reality, it's not the cookie that causes the problems; cookies are just an easy way to subvert HTTP and now HTTPS connections. There are two major categories: persistent cookies and session cookies.

Persistent cookies are so named because they have a time-to-live that lasts longer than the current Web-browsing session. To help explain, let's look at the life of a session cookie in the following example:

1. Using my Web browser, I log on to mybankxy.com.
2. The mybankxy.com Web server authenticates my credentials and places a small text file on my computer, called a session cookie.

301 Moved Permanently

Now, I'd like to take a look at HTTP redirection.
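The redirect-plus-cookie mechanism behind surf jacking, as an added example that is not part of the TechRepublic or EnableSecurity material: an attacker on the victim's network answers any plain-HTTP request the victim makes with a 301 whose Location is http://mybankxy.com/, and the browser attaches the bank's session cookie to that cleartext request unless the cookie was set with the Secure attribute, so the cookie can be sniffed even though the login itself happened over HTTPS. The script replays the browser's cookie decision with Python's standard http.cookiejar (which applies the same Secure rule browsers do); the host name, cookie name and cookie value are made up for the demonstration.

```python
"""Surf jacking: a session cookie set over HTTPS still leaks over HTTP
unless it carries the Secure attribute. Added example, not the article's code.
Host name and cookie values below are constructed for the demonstration."""
import http.cookiejar
import urllib.request
from email.message import Message

BANK = "mybankxy.com"  # constructed host name (assumption)


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # repeated keys are appended

    def info(self):
        return self._headers


def login_over_https(jar, set_cookie_values):
    """Simulate the HTTPS login response that hands the browser its cookies."""
    req = urllib.request.Request(f"https://{BANK}/login")
    jar.extract_cookies(_Response(set_cookie_values), req)


def cookies_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url.

    The jar applies the browser rule: a cookie flagged Secure is only sent
    when the request scheme is https. Returns None when nothing is sent."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def cookie_headers_after_login(set_cookie_values):
    """Log in over HTTPS, then see what a forced http:// request would carry.

    The http:// request stands for the one the victim's browser makes after
    the attacker's injected '301 Moved Permanently' to http://mybankxy.com/."""
    jar = http.cookiejar.CookieJar()
    login_over_https(jar, set_cookie_values)
    return {
        "https": cookies_sent_to(jar, f"https://{BANK}/account"),
        "http": cookies_sent_to(jar, f"http://{BANK}/account"),
    }


def surf_jack_leaks(set_cookie_values):
    """True if the session cookie would travel in cleartext after the redirect."""
    return cookie_headers_after_login(set_cookie_values)["http"] is not None


if __name__ == "__main__":
    weak = ["SESSIONID=abc123"]              # no Secure flag: leaks over http
    hardened = ["SESSIONID=abc123; Secure"]  # browser keeps it off plain http
    print("weak cookie leaks:", surf_jack_leaks(weak))
    print("Secure cookie leaks:", surf_jack_leaks(hardened))
```

The fix on the server side is the last line: issuing the session cookie with the Secure attribute (and, ideally, never serving the authenticated site over plain HTTP at all) is what stops the injected redirect from harvesting it.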

Surf jacking.

Tcpdump. Dump traffic on a network

Syntax:
tcpdump [-AdDefKlLnNOpqRStuUvxX] [-c count] [-C file_size] [-E spi@ipaddr algo:secret,...] [-F file] [-G rotate_seconds] [-i interface] [-m module] [-M secret] [-r file] [-s snaplen] [-T type] [-w file] [-W filecount] [-y datalinktype] [-z postrotate-command] [-Z user] [expression]

Runs on: Neutrino

Options:
-A  Print each packet (minus its link level header) in ASCII.
-c count  Exit after receiving count packets.
-C file_size  Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.
-d  Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd  Dump packet-matching code as a C program fragment.
-ddd  Dump packet-matching code as decimal numbers (preceded with a count).
-D  Print the list of the network interfaces available on the system and on which tcpdump can capture packets.
-e  Print the link-level header on each dump line.
-f
-F file
-l
-n

Understanding tcpdump.

Document specs
operating system used: OpenBSD 3.7 stable (kernel and sourcecode: Aug 5, 2005)
software used (program / version / manner of installation): tcpdump / (not given) / OpenBSD default install
document history (date / changes): conceived; new document history scheme; minor corrections and some new examples

Preamble
In order to benefit from this tutorial, you should already understand the basics of the TCP/IP suite and have some experience in network administration.

The tutorial is organized like so: introducing tcpdump; decomposing a sample packet; basic usage; intermediate usage.

Packet capture is the real-time collection of data as it travels over a network. Let us start off by looking at one such packet as displayed by tcpdump:

What we see here does not accurately represent the structure of the packet at all. Here is a breakdown:
- The black stuff is the time the packet came across our network card (not part of the packet).
- The red stuff is the TCP flags.
- The olive stuff is the byte sequence/range.

TCP Flag / Flag in tcpdump
SYN / S
FIN / F
RST / R

A Tcpdump Tutorial and Primer.
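Applying the flag table to real tcpdump lines, as an added example that is not part of the tutorial: the parser below reads both the older OpenBSD-era line format the tutorial uses ("S 1000:1000(0) ack 5001 win ...", where the ACK bit shows up as a separate "ack" field rather than a flag letter) and the newer "Flags [S.]" format, and names each packet's role in the conversation. It goes beyond the three rows shown above by also decoding tcpdump's P (PSH), U (URG), W (CWR), E (ECE) and "." (ACK in the bracketed format) codes, which is standard tcpdump behaviour. The six packet lines are constructed for the example (RFC 5737 test addresses).

```python
"""Decode the TCP flag field of tcpdump output lines. Added example, not the
tutorial's code; the sample capture lines are constructed."""
import re

# tcpdump's one-character flag codes -> TCP flag names.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG",
              "W": "CWR", "E": "ECE", ".": "ACK"}

# Old style (OpenBSD 3.7 era): "src > dst: S 1000:1000(0) ack 5001 win 16384".
# Flags are bare letters ("." alone means none); ACK is a separate "ack N".
_OLD = re.compile(
    r"^(?P<ts>\S+) (?:IP )?(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRPUWE.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?P<rest>.*)$")

# Newer style: "IP src > dst: Flags [S.], seq 5000, ack 1001, win 5840".
_NEW = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[SFRPUWE.]*)\](?P<rest>.*)$")


def parse_line(line):
    """Return a dict describing one tcpdump TCP line, or None if it is not one."""
    m = _NEW.match(line)
    if m:
        flags = {FLAG_NAMES[c] for c in m.group("flags")}
        seq = payload = None
    else:
        m = _OLD.match(line)
        if not m:
            return None
        codes = m.group("flags")
        flags = set() if codes == "." else {FLAG_NAMES[c] for c in codes}
        if re.search(r"\back \d+", m.group("rest")):
            flags.add("ACK")  # old format: ACK bit shown as an "ack N" field
        seq = int(m.group("seq")) if m.group("seq") else None
        payload = int(m.group("len")) if m.group("len") else None
    return {"time": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
            "flags": flags, "seq": seq, "payload_len": payload}


def describe(pkt):
    """Name the packet's role in a TCP conversation from its flag set."""
    f = pkt["flags"]
    if "RST" in f:
        return "RST"
    if "SYN" in f:
        return "SYN/ACK" if "ACK" in f else "SYN"
    if "FIN" in f:
        return "FIN/ACK" if "ACK" in f else "FIN"
    if "PSH" in f:
        return "PSH/ACK (data)"
    return "ACK" if "ACK" in f else "no flags"


# Constructed capture: a handshake, one data segment, a FIN and a RST.
SAMPLE = """\
12:00:00.000001 10.0.0.5.51234 > 192.0.2.10.80: S 1000:1000(0) win 16384 <mss 1460>
12:00:00.000102 192.0.2.10.80 > 10.0.0.5.51234: S 5000:5000(0) ack 1001 win 5840 <mss 1460>
12:00:00.000150 10.0.0.5.51234 > 192.0.2.10.80: . ack 5001 win 16384
12:00:00.000300 10.0.0.5.51234 > 192.0.2.10.80: P 1001:1081(80) ack 5001 win 16384
12:00:00.000400 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [F.], seq 5001, ack 1081, win 5840
12:00:00.000500 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [R], seq 1081, win 0
"""


def summarize(text):
    """[(src, dst, role), ...] for every TCP line in a tcpdump dump."""
    out = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt:
            out.append((pkt["src"], pkt["dst"], describe(pkt)))
    return out


if __name__ == "__main__":
    for src, dst, role in summarize(SAMPLE):
        print(f"{src:>20} -> {dst:<20} {role}")
```

Reading the roles off a capture this way is what you do when hunting for a scan (many SYNs, few SYN/ACKs) or an injected reset (a RST from an address that never completed the handshake), which is why the flag column is the first thing to learn to read.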