1.1 - Interpret HTTP and DNS Data To Isolate Threat Actor
1.1 - Interpret HTTP and DNS Data To Isolate Threat Actor
1.1 - Interpret HTTP and DNS Data To Isolate Threat Actor
Topology
Objectives
In this lab, you will review logs during an exploitation of documented HTTP and DNS vulnerabilities.
Part 1: Prepare the Virtual Environment
Part 2: Investigate an SQL Injection Attack
Part 3: Data Exfiltration Using DNS
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
b. In the Kali VM, click the Firefox ESR icon ( ) to open a new web browser.
c. Navigate to 209.165.200.235. Click Mutillidae to access a vulnerable web site.
d. Click OWASP Top 10 > A1 – Injection > SQLi – Extract Data > User Info.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
f. In the Username field, double-click the 20 and change it to 100 so you can view the longer string as you
enter the query into Name field. Close the Inspect Element when finished.
g. Enter ' union select ccid,ccnumber,ccv,expiration,null from credit_cards -- in the Name field. Click
View Account Details to extract the credit card information from the credit_cards table in owasp10 mysql
database.
Note: There is a single quote ( ' ), followed by a space at the beginning of the string. There is a space
after -- at the end of the string.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
h. Scroll down the page for the results. The result indicates that you have successfully extracted the credit
card information from the database by using SQL injection. This information should only be available to
authorized users.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
most recent alerts. Because Sguil displays real time events, the Date/Time in the screenshot is for
reference only. You should note the Date/Time of the selected alert.
e. Right-click the number under the CNT heading for the selected alert to view all the related alerts. Select
View Correlated Events.
f. Right-click an Alert ID in the results. Select Transcript to view the details for this alert.
Note: If you mistyped the user information in the previous step, you should use the last alert in the list.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
g. In this window, you can see that the GET statement using the UNION operator was used to access the
credit card information. If you do not see this information, try right-clicking another of the correlated
events.
Note: If you entered the injection script more than once because of a typo or some other reason, it may
be helpful to sort the Date/Time column and view the most recent alert.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
h. You can also determine the information retrieved by the attacker. Click Search and enter username in
the Find: field. Use the Find button to locate the information that was captured. The same credit card
information may be displayed differently than the figure below.
Note: If you are unable to locate the stolen credit card information, you may need to view the transcript in
another alert.
Compare the credit card information from the transcript window and the content extracted by the SQL
injection attack. What is your conclusion?
____________________________________________________________________________________
i. Close the windows when finished.
j. Return to the Sguil window, right-click the same Alert ID that contains the exfiltrated credit card
information and select Wireshark.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
l. The GET request and the exfiltrated data are displayed in the TCP stream window. Your output may be
different than the figure below, but it should contain the same credit card information as your transcript
above.
m. At this time, you could save the Wireshark data by clicking Save As in the TCP stream window. You can
also save the Wireshark pcap file. You can also document the source and destination IP addresses and
ports, time of incident, and protocol used for further analysis by a Tier 2 analyst.
n. Close or minimize Wireshark and Squil.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
a. While in the Security Onion VM, start ELSA from the Desktop. If you receive the message "Your
connection is not private", click ADVANCED to continue.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
e. Click Info on the last entry. This information is related the successful SQL injection. Notice the union
query that was used during the attack.
f. Click Plugin > getPcap. Enter username analyst and password cyberops when prompted. Click Submit
if necessary. CapMe is a web interface that allows you to get a pcap transcript and download the pcap.
g. The pcap transcript is rendered using tcpflow, and this page also provides the link to access the pcap file.
You can also search for the username information. Type Ctrl + F to open Find… dialog box. Enter
username in the field. You should be able to locate the credit card information that were displayed during
the SQL injection exploit.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
b. Display the content of the confidential.txt file using the more command.
c. The xxd command is used to create a hexdump or convert a hexdump back to binary. To transform the
content of confidential.txt into 60-byte long hex strings and save it to confidential.hex, use the
command xxd -p confidential.txt > confidential.hex.
The option -p is used to format the output in Postscript format and > is to redirect the output to
confidential.hex.
Note: Use the xxd man page to learn more about all the available options for the xxd command.
[analyst@secOps lab.support.files]$ xxd -p confidential.txt >
confidential.hex
d. Verify the content of confidential.hex.
[analyst@secOps lab.support.files]$ cat confidential.hex
434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053
484152450a5468697320646f63756d656e7420636f6e7461696e7320696e
666f726d6174696f6e2061626f757420746865206c617374207365637572
697479206272656163682e0a
e. Verify that CyberOps Workstation has been configured to use the local DNS resolver at 209.165.200.235.
Enter cat /etc/resolv.conf at the prompt.
[analyst@secOps lab.support.files]$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 8.8.4.4
nameserver 209.165.200.235
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 11 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
;; ANSWER SECTION:
;; AUTHORITY SECTION:
example.com. 604800 IN SOA ns.example. root.example.com. 2 604800 86400
2419200 604800
;; ADDITIONAL SECTION:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 12 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
f. Verify that the file has been copied file on the Kali VM.
g. You will reverse the hex dump to display the content of the exfiltrated file, secret.hex. The xxd command
with -r -p options revert the hex dump. The result is redirected to the secret.txt file.
root@kali:~# xxd -r -p secret.hex > secret.txt
h. Verify that the content of the secret.txt file is the same as the confidential.txt file on CyberOps Workstation
VM.
root@kali:~# cat secret.txt
CONFIDENTIAL DOCUMENT
DO NOT SHARE
This document contains information about the last security breach.
i. You can now power down the CyberOps Workstation, Metasploitable, and Kali VMs.
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 13 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
c. Click one of the links and copy the 63-byte string prepended to ns.example.com.
d. Open a terminal window and use the echo and xxd commands to revert the hex string. The -n option
prevents the output of the trailing newline.
analyst@SecOnion:~/Desktop$ echo -n
"434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053" | xxd -r -p
CONFIDENTIAL DOCUMENT
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 14 of 15 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
DO NOT Sanalyst@SecOnion:~/Desktop$
If you continue to revert the hex strings, what is the result?
____________________________________________________________________________________
____________________________________________________________________________________
© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 15 of 15 www.netacad.com