Forensics Report 44
School: University of Phoenix
Course: MISC
Subject: Information Systems
Date: Nov 24, 2024
Pages: 13
REPORT
Question 1
Introduction
Examining network traffic captures (PCAP files) is a core technique in digital forensics for discovering and reconstructing security incidents. This investigation analyses a PCAP file containing evidence of a breach of an organization's network; the capture centres on the interaction between a server and the attacker's machine. Standard forensic processes and tools such as Wireshark and NetworkMiner are used to establish the nature of the attack, identify the parties involved, enumerate what the attacker did, and recommend how to prevent similar incidents in future.
1. Incident Type and How it Happened
In this challenge we are provided with a PCAP file containing the captured network activity. To start the forensic investigation I opened the file in Wireshark and examined the traffic to establish what the attacker did inside the network.
The incident involves two lines of attack against the server: weak authentication on its FTP service (vsFTPd 3.0.3), exploited with default credentials after repeated failed logins, and SQL injection attempts against the DVWA web application, indicating a targeted effort to gain unauthorized access and to read or manipulate sensitive data.
The attacker exploited the SQL injection in the DVWA web application with a request whose id parameter carries a SELECT against INFORMATION_SCHEMA:
/DVWA-master/vulnerabilities/sqli/?id=1%20AND%20%28SELECT%208353%20FROM
%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7176626a71%2C%28SELECT
%20%28ELT%288353%3D8353%2C1%29%29%29%2C0x7170787071%2CFLOOR%28RAND
%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP
%20BY%20x%29a%29--%20cEbh&Submit=Submit HTTP/1.1
URL-decoded, the id value is:
1 AND (SELECT 8353 FROM(SELECT COUNT(*),CONCAT(0x7176626a71,(SELECT (ELT(8353=8353,1))),0x7170787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- cEbh
This is a MySQL error-based injection. Grouping on a key derived from FLOOR(RAND(0)*2) makes the server raise a duplicate-entry error whose message echoes the CONCAT value, so the result of the inner SELECT is read back from the error text rather than from the page. Here the inner SELECT is only a truth test (ELT(8353=8353,1) evaluates to 1); INFORMATION_SCHEMA.PLUGINS serves merely as a table guaranteed to contain rows, and the hex literals 0x7176626a71 ('qvbjq') and 0x7170787071 ('qpxpq') are boundary markers that make the leaked value easy to locate, a pattern typical of automated injection tooling such as sqlmap. The trailing "-- " comments out the remainder of the original query.
How it Happened
Initial access to the server was gained through the FTP service (vsFTPd 3.0.3), but not through a software vulnerability: the attacker ran a brute-force attack against it, which produced many failed login attempts before succeeding with the default credentials admin/admin. The attacker then turned to SQL injection against the DVWA web application, indicating an interest in its backing database. Together this shows a methodical approach: enumerate the services the server exposes and exploit the weakest configuration found on each.
Table 1.1 : vsFTPd 3.0.3 FTP
2. Attacker and Victim Details:
Attacker
We begin our investigation by observing the GET and POST requests made to the server. As shown below, the attacker's details are:
IP Address: 10.10.2.123
MAC Address: 08:00:27:35:f6:e6 (the 08:00:27 prefix is the OUI used by VirtualBox virtual NICs, so the attacking machine is a VirtualBox guest)
Table 2.1: Attacker
Table 2.2: Attacker's MAC Address
Victim (Server):
The details of the target host are as follows:
IP Address: 192.168.56.101
MAC Address: 52:54:00:12:35:02 (the 52:54:00 prefix is the OUI used by QEMU/KVM virtual NICs)
Server Information: vsFTPd 3.0.3, as advertised in the FTP service's 220 greeting banner
3. Attacker's Activities
FTP (File Transfer Protocol) is a standard application-layer protocol for moving files between two hosts on a network. It runs over TCP, using a control connection on port 21 for commands and responses and separate data connections for file contents and directory listings, and is widely used for uploading, downloading and managing files on remote servers.
FTP Server Exploitation
Identification:
The attacker gained access to the vsFTPd 3.0.3 server by brute-forcing the username and password. The capture shows many failed login attempts (530 responses) before a successful login (230 response) with the default credentials, admin as both username and password. Once authenticated, the attacker navigated the server's file system, escalated privileges and uploaded a malicious file to the server.
Table 3.1 : FTP Exploitation
Potential Actions
The attacker had unauthorized access to files on the FTP server.
The attacker successfully downloaded data from the FTP server.
The attacker uploaded malicious file into the server.
Table 3.2 : FTP File transfer
SQL Injection Attempt
The database layer of a web application is the main target of SQL injection. SQL injection occurs when an attacker supplies input, through form fields or URL parameters, that the application concatenates into an SQL statement, so that the input is interpreted as SQL code rather than as data. The usual aim is to read, modify or delete data in the application's database, or to bypass authentication.
Filtering the captured traffic for HTTP requests shows the attacker attempting to exploit the SQL injection in the DVWA application.
Identification: Attempted SQL injection.
One technique for identifying SQLi is to submit a single quote in the parameter and observe whether the server returns a database error, which reveals that the input reaches the query unescaped. Our investigation shows that the attacker used this technique, as the server error below demonstrates.
Table 3.3: SQL injection using SELECT statement.
Table 3.4: Server Error
Potential Actions:
Extraction or manipulation of database information.
The attacker tried to extract data from the database, as shown below:
The attacker manipulated the query to return the administrator's username and password.
Table 3.5 : Database manipulation
Attempts to bypass authentication.
The attacker also used UNION statements, appending a second SELECT to the vulnerable query so that attacker-chosen columns (such as the administrator's username and password) are returned alongside the legitimate result set, a step toward bypassing authentication with the recovered credentials.
Table 3.6 : Authentication Bypass
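As an added example (not the report's own code), the script below URL-decodes the request quoted in section 1 and identifies the injection technique from the decoded id parameter. The request line is the captured one re-joined onto a single line; the classification rules are the editor's description of the MySQL error-based template and are not taken from any tool.

```python
"""Decode the captured DVWA request and classify the SQL injection payload.

Added example, not part of the original report. CAPTURED_REQUEST is the
request line quoted in section 1, re-joined onto one line.
"""
import re
from urllib.parse import parse_qs, urlsplit

CAPTURED_REQUEST = (
    "GET /DVWA-master/vulnerabilities/sqli/?id=1%20AND%20%28SELECT%208353%20FROM"
    "%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7176626a71%2C%28SELECT"
    "%20%28ELT%288353%3D8353%2C1%29%29%29%2C0x7170787071%2CFLOOR%28RAND"
    "%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP"
    "%20BY%20x%29a%29--%20cEbh&Submit=Submit HTTP/1.1"
)


def decode_request(request_line):
    """Split an HTTP request line into (method, path, decoded query params)."""
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return method, parts.path, params


def classify_payload(value):
    """Recognise the MySQL error-based (duplicate GROUP BY key) template.

    GROUP BY over a key built from FLOOR(RAND(0)*2) makes MySQL raise
    "Duplicate entry '<value>' for key 'group_key'", so whatever CONCAT()
    wraps is leaked through the error message.
    """
    finding = {"technique": None, "markers": [], "truth_test": None,
               "row_source": None, "comment_terminated": False}
    if re.search(r"FLOOR\(RAND\(0\)\*2\)", value, re.I) and re.search(r"GROUP BY", value, re.I):
        finding["technique"] = "error-based (duplicate GROUP BY key)"
    # Hex string literals are the boundary markers placed around the leaked value.
    finding["markers"] = [bytes.fromhex(h).decode("ascii")
                          for h in re.findall(r"0x([0-9a-f]+)", value, re.I)]
    m = re.search(r"ELT\((\d+=\d+),1\)", value, re.I)
    if m:
        finding["truth_test"] = m.group(1)          # e.g. 8353=8353: a fingerprinting probe
    m = re.search(r"FROM\s+([A-Z_]+\.[A-Z_]+)\s+GROUP BY", value, re.I)
    if m:
        finding["row_source"] = m.group(1)          # any table guaranteed to have rows
    finding["comment_terminated"] = "-- " in value  # rest of the real query discarded
    return finding


if __name__ == "__main__":
    method, path, params = decode_request(CAPTURED_REQUEST)
    print(method, path)
    print("id =", params["id"])
    for key, val in classify_payload(params["id"]).items():
        print(f"{key}: {val}")
```

With a true truth test and a constant row source, this particular request leaks nothing yet: it is the probe that confirms the error channel works. The same template with a SELECT against the users table in place of the ELT() test is what returns usernames and passwords, and the "Duplicate entry" text in the server's response is the signature to search for across the whole capture.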
4. Recommendations to Avoid Future Incidents:
Weak Authentication
Weak or default passwords on FTP servers are among the most common weaknesses attackers exploit. Filtering the PCAP for the FTP protocol shows the attacker carrying out a brute-force attack against the server, which succeeded because the account used a default username and password: as seen below, the attacker logged in with admin as both username and password.
To prevent this kind of attack I recommend strong, unique passwords enforced by a password policy, disabling or renaming default accounts, and rate-limiting or locking out repeated failed logins. A strong password alone only slows a brute-force attack that is allowed unlimited attempts.
Table 3.7 : Weak Authentication
Unencrypted Data
One drawback of FTP is that it transmits commands, credentials and file contents in plaintext with no additional layer of security. An attacker who can intercept the network traffic can therefore read the user's password directly from the PASS command and read or tamper with the files transferred, which is exactly what makes the capture analysed here so revealing. These actions may result in data breaches, identity theft or further attacks against the organization. Organizations should instead use SFTP (file transfer over SSH) or FTPS (FTP over TLS), both of which encrypt the session between client and server, and disable the plain FTP service.
Regular Patch and Update
All software must be regularly updated and patched to remove vulnerabilities present in outdated versions. The investigation found the FTP server running vsFTPd 3.0.3, a version associated with a remote denial-of-service issue. That issue is not what gave the attacker access here, since the compromise came from weak credentials, so patching must be paired with the authentication fixes above.
Network Monitoring
To detect and respond to security incidents in a timely manner, organizations should adopt a SIEM solution for continuous network monitoring, with alerts on patterns such as repeated FTP login failures from a single source or HTTP requests containing SQL keywords and database error responses.
Web Application Firewall (WAF)
Analyzing the HTTP requests in the PCAP shows the attacker's POST requests attempting to exploit the SQLi in the DVWA web application. A WAF can identify and block many SQL injection attempts and other malicious requests at the application layer, but it is a compensating control: the underlying fix is to build queries with parameterized (prepared) statements so that user input is never interpreted as SQL.
Table 3.8 : Web Application Firewall
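As an added example (not code from the report or from DVWA), the flaw and its fix side by side in Python, using an in-memory SQLite table constructed here. The query shape SELECT first_name, last_name FROM users WHERE user_id = '<id>' is assumed to resemble the vulnerable DVWA page. The error-based payload from section 1 is MySQL-specific, so the tautology and UNION payloads, which work on any SQL engine, are used to show the difference.

```python
"""String-built query beside its parameterized replacement.

Added example, not the report's or DVWA's code. The users table and its rows
are constructed here; the password hashes are placeholders.
"""
import sqlite3

USERS = [
    (1, "admin", "Admin", "User", "h-admin"),
    (2, "alice", "Alice", "Liddell", "h-alice"),
    (3, "bob", "Bob", "Tables", "h-bob"),
]

TAUTOLOGY = "' OR '1'='1"                                   # returns every row
UNION_DUMP = "' UNION SELECT user, password FROM users-- "  # returns credentials


def make_db():
    """Build an in-memory users table shaped like DVWA's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, "
        "first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The flaw: the parameter is pasted straight into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized: the driver binds the value, so it can never become SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def lookup_strict(conn, user_id):
    """Defence in depth: also reject anything that is not a plain integer."""
    if not str(user_id).isdigit():
        raise ValueError(f"rejected non-numeric user_id: {user_id!r}")
    return lookup_safe(conn, int(user_id))


if __name__ == "__main__":
    conn = make_db()
    for payload in ("1", TAUTOLOGY, UNION_DUMP):
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(conn, payload))
        print("  safe:      ", lookup_safe(conn, payload))
```

The parameterized version returns nothing for the injected strings because they are compared as values against user_id rather than parsed as SQL; lookup_strict adds input validation on top, which is cheap and turns a WAF rule into a backstop rather than the only line of defence.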
User Training and sensitization on best security practices.
In conclusion, users and employees are the weakest link in any secure system, since they interact with it directly. An organization that downplays their role in its security program is bound to fail. Employees must be trained to recognize malicious activity on the network, and a proper reporting mechanism must be in place to handle the incidents they raise. Training should be regular, and simulated attacks (for example phishing exercises) can be run against groups of employees, with anyone who falls victim becoming a focus of follow-up training. This also lets the organization gauge its preparedness for a real attack.
Question 2 Explain the type of incident and how it happened (Extensive summary).
Executive Summary
Analysis of the memory dump found a malicious process named money.exe running on the system. The executable was located in the victim's Downloads directory, which suggests it arrived when the user opened an unfamiliar file downloaded from the internet. A process running with administrative privileges was also identified, suggesting a potential security breach.
The analysis also found files being transferred to a USB drive. Based on this, it can be concluded that the offender copied sensitive data from the victim's computer, constituting information theft. During the memory analysis it was also observed that the Chrome browser held open network connections; the addresses involved are examined under Attacker's Activities below.
The memory analysis further discovered a password file dumped on the victim's Desktop. This raises serious security concerns, since compromised credentials put the confidentiality and integrity of the victim's data at significant risk.
Victim’s Machine Details
The victim's machine was running Microsoft Windows, as shown by the file structure and by the profiles suggested by the imageinfo plugin: Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000 and Win7SP1x86, i.e. 32-bit Windows 7. The running processes, shown below, are likewise Windows processes.
The user name of the victim was adf2023.
After running the command to list the running processes below are some of the running processes;
smss.exe, csrss.exe, wininit.exe, services.exe, lsass.exe, lsm.exe, svchost.exe, VboxService.exe, svchost.exe, cygrunsrv.exe, wlms.exe, conhost.exe, sshd.exe, sshd.exe, GoogleCrashHan, SearchIndexer, csrss.exe, winlogon.exe, taskhost.exe, dwm.exe, explorer.exe, VboxTray.exe, cmd.exe, wuauclt.exe, WmiPrvSE.exe.
The main user-facing applications on the victim's machine were chrome.exe, money.exe and FTK Imager.exe. Chrome is the web browser, FTK Imager is the tool that was used to capture the memory dump, and money.exe is a suspicious application that was downloaded as a result of the user's web activity.
Running netscan (vol.py -f 'ADF2023 sub.mem' --profile="Win7SP1x86_23418" netscan) reveals the victim's own address. The Local Address column shows 10.0.2.15, the default address VirtualBox assigns to a NAT-attached guest, which matches the VBoxService.exe and VBoxTray.exe processes seen above. The address 172.217.169.35 appears in the Foreign Address column: it lies in Google's 172.217.0.0/16 range and is the remote end of chrome.exe's connections, not the victim's address.
Attackers Activities
To start our investigation we need more information about the memory image. Running
vol.py -f 'ADF2023 sub.mem' imageinfo
prints the suggested profiles and details such as when the image was created.
For our analysis we will use Win7SP1x86_23418 Profile.
Listing the processes.
Now that we have found the profile to use, let's list the running processes with the following command:
vol.py -f 'ADF2023 sub.mem' --profile="Win7SP1x86_23418" pslist
From the output there are three interesting processes: money.exe, cmd.exe and FTK Imager.exe. The output indicates that the image was captured with FTK Imager and that a command prompt was running at the time. Since money.exe is not a known Windows process, and it sits in the user's Downloads directory rather than a system path, it draws immediate suspicion.
Suspicious processes
Volatile memory (RAM) is lost when the machine is powered off, which is why a memory image captured while the system was running can reveal activity (running processes, open connections, command lines) that attackers rely on leaving no trace of on disk. Our analysis therefore focuses on indicators of compromise such as malicious files that were downloaded and executed.
Let's run netscan to identify any suspicious connections:
vol.py -f 'ADF2023 sub.mem' --profile="Win7SP1x86_23418" netscan
Many entries in the output show the address 10.0.2.15. This is the victim's own local address (the VirtualBox NAT default), not a remote peer, so its presence on every socket is expected. The chrome.exe entries connect to a public address (172.217.169.35, in Google's address range), which is ordinary browser traffic. What matters in this output is any connection owned by a process that has no business on the network, such as money.exe, and the process running with administrative privileges that holds a direct connection to a remote machine. To find out why that connection was established we use the yarascan plugin, which runs YARA rules over process memory to look for malicious content.
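As an added example (not the report's own output), the script below parses Volatility 2 netscan-style lines, separates the host's own address from the remote peers, and flags the sockets that merit follow-up. The sample lines are constructed for the situation described (a VirtualBox guest at 10.0.2.15 running chrome.exe and money.exe); 203.0.113.77 is a placeholder from a documentation address range, not an address observed in the image, and the offsets, pids and timestamps are made up.

```python
"""Triage Volatility 2 netscan output: which address is ours, which sockets
deserve a closer look.

Added example, not the report's code. SAMPLE_NETSCAN is constructed to mimic
the plugin's column layout; nothing in it is taken from the real image.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_NETSCAN = """\
Offset(P)  Proto  Local Address    Foreign Address     State        Pid   Owner        Created
0x3e4c2a70 TCPv4  0.0.0.0:22       0.0.0.0:0           LISTENING    1316  sshd.exe     2023-09-22 21:02:11 UTC+0000
0x3e4d1120 UDPv4  0.0.0.0:5355     *:*                              1052  svchost.exe  2023-09-22 21:02:09 UTC+0000
0x3e5a1008 TCPv4  10.0.2.15:49235  172.217.169.35:443  ESTABLISHED  2764  chrome.exe   2023-09-22 21:10:03 UTC+0000
0x3e5b77a0 TCPv4  10.0.2.15:49236  172.217.169.35:443  ESTABLISHED  2764  chrome.exe   2023-09-22 21:10:03 UTC+0000
0x3e61d9f0 TCPv4  10.0.2.15:49240  203.0.113.77:4444   ESTABLISHED  3108  money.exe    2023-09-22 21:11:48 UTC+0000
0x3e6301c8 TCPv4  10.0.2.15:49241  10.0.2.2:445        ESTABLISHED  4     System       2023-09-22 21:11:50 UTC+0000
"""

# State is blank for UDP sockets, hence the optional group.
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)\s+(?P<created>.*)$"
)

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_netscan(text):
    """Return one dict per socket line; the header and anything unparsable is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def split_addr(addr):
    ip, _, port = addr.rpartition(":")
    return ip, port


def host_address(rows):
    """The machine's own address: the non-wildcard IP seen most often in Local Address."""
    counts = Counter(split_addr(r["local"])[0] for r in rows)
    for wildcard in ("0.0.0.0", "::", "*"):
        counts.pop(wildcard, None)
    return counts.most_common(1)[0][0] if counts else None


def is_external(ip):
    """True for addresses outside RFC 1918, loopback and link-local space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "*" or other non-address text
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage(rows):
    """(owner, pid, address, reason) for sockets worth a closer look."""
    findings = []
    for r in rows:
        fip, _ = split_addr(r["foreign"])
        if r["state"] == "LISTENING":
            findings.append((r["owner"], r["pid"], r["local"], "listening service"))
        elif r["state"] == "ESTABLISHED" and is_external(fip) and r["owner"] not in BROWSERS:
            findings.append((r["owner"], r["pid"], r["foreign"],
                             "non-browser process talking to an external address"))
    return findings


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("host address:", host_address(rows))
    for owner, pid, addr, reason in triage(rows):
        print(f"{owner} (pid {pid}) {addr}: {reason}")
```

The browser exclusion is deliberate: a browser reaching public addresses is the baseline, so the rule keys on who owns the socket rather than on the destination alone. The pid in each finding is what you hand to yarascan and dlllist next.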
Victim’s Activities
To examine the victim's actions and recommend incident response measures, we list the command line of each process:
vol.py -f 'ADF2023 sub.mem' --profile="Win7SP1x86_23418" cmdline
The output shows how each process was launched, not which links were clicked. The Chrome entries below are the browser's standard helper processes (a renderer, the GPU process and the network service), so they are evidence that Chrome was in use when money.exe appeared in the Downloads folder, not a record of the download itself; the URL would have to be recovered from Chrome's history files or from strings in the browser's memory.
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --origin-trial-disabled-
features=WebGPU --disable-gpu-compositing --lang=en-GB --device-scale-factor=1 --num-raster-
threads=1 --renderer-client-id=12 --time-ticks-at-unix-epoch=-1695416969694619 --launch-time-
ticks=319763595 --mojo-platform-channel-handle=3468 --field-trial-
handle=968,i,11633702515255745805,8228807944356618769,131072 /prefetch:1
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-
preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAA
AAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAA
AAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAE
AAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-
angle=swiftshader-webgl --mojo-platform-channel-handle=1556 --field-trial-
handle=968,i,11633702515255745805,8228807944356618769,131072 /prefetch:2
The third entry is Chrome's network service, the helper process that performs all of the browser's network I/O on behalf of the renderers; its presence reflects normal browser operation rather than a listener installed by the attacker. The flag --service-sandbox-type=none does show that this helper was running without a sandbox.
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-
type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-
platform-channel-handle=1316 --field-trial-
handle=968,i,11633702515255745805,8228807944356618769,131072 /prefetch:8
Recommendations
One critical finding was a password dump in the user's Desktop directory. The passwords were stored in plaintext, which poses a high risk since the attacker had access to the machine and may have stolen them. To mitigate this, the organization should review its password policies and train employees on how credentials must be stored and disposed of. To contain the incident, affected employees should change their passwords and stay vigilant for suspicious activity on the network.
Regular updating of applications. Our investigation shows that money.exe arrived through Chrome. The browser should be kept up to date, and reinstalled if its integrity is in doubt, so that known bugs cannot be exploited. Nothing in the memory image, however, shows a browser exploit: a user who runs a downloaded executable needs no bug in Chrome, so the controls that matter most are restricting the execution of untrusted downloads (see endpoint security below) and user awareness.
Another notable suspicious activity was the presence of a USB drive and the transfer of files from the user's Desktop directory to it. The organization can block USB mass-storage devices by policy and allow only registered, encrypted devices, and it can use DLP or SIEM tooling to alert in real time on writes to removable media, limiting data loss and supporting business continuity.
The organization should employ the principle of least privilege this will grant legitimate users only the minimum access level required for their tasks. This will minimize the attack surface in-case of any security breach that the organization will experience.
Endpoint Security Solutions play a crucial role in fortifying organizational defenses against evolving cyber threats. Deploying these solutions is imperative for maintaining the integrity and security of an organization's network. One key aspect is the capability to detect and block malware, acting as a frontline defense against malicious executables attempting to infiltrate the system. By proactively identifying and preventing the execution of harmful code, organizations can thwart potential breaches and safeguard sensitive data.
Furthermore, effective endpoint security involves monitoring for suspicious activities, enabling the identification of unusual system behavior that may indicate a security threat. This constant vigilance ensures a swift response to potential incidents, reducing the risk of extensive damage.
Another essential feature is the implementation of application whitelisting, a proactive measure to restrict the execution of applications to a trusted list. This not only prevents unauthorized or potentially malicious applications from running but also enhances control over the software environment. By limiting the scope of executable applications to a predefined whitelist, organizations can mitigate the risk of unauthorized access and maintain a more secure computing environment.