8/31/2016
Web Shells:
Hidden Access to Your Network
Tim Slaybaugh
CyberBrink
What is a Web Shell?
» Shells can be written in any scriptable web language the site supports: ASP, ASPX, PHP, JSP, CFM, PY, PL, etc.
» OS platform independent.
» Add, delete, modify and execute files.
» Run shell commands and scripts.
» Establish persistence on a network.
Web Shells are Freely Available!
Web Shell Usage
» Harvest and exfiltrate data
» Upload malware to create a Watering Hole
» Internet Relay
» Mass Mailer
» Network Reconnaissance
» Database Access
Are You Vulnerable?
» Cross site scripting
» SQL Injection
» Remote File, Local File inclusion vulnerabilities
» Open Admin interface
» Vulnerabilities in third party plugins and content management applications
Are You Vulnerable?
www.infosecurity-magazine.com, 7 April 2016
Gaining Access
» Once a shell is established, additional tools will be uploaded.
» Larger tools may be echoed in line by line.
» Newly uploaded tools can be hidden anywhere, even in the Recycler.
» The first objective is PRIVILEGE ESCALATION: tools like WCE.exe or Mimikatz will be uploaded to steal credentials.
Webshell Capability
This shell will check for Antivirus and other security tools before installing all of its features. If any of the tools from the default list are found, the site is reported back to the controller as ‘Dangerous’.
Webshell Capability
A GIF header was added to this shell to bypass file checking by the server.
Webshell Capability
This shell checks the User-agent string of the connecting IP address. If the string belongs to one of the listed web crawlers, the shell returns ‘HTTP 404 Not Found’.
Detection Challenges
» No Beaconing Activity.
» No Autorun key, or unusual running services.
» Small Footprint.
» Code is often obfuscated.
» Designed to hide from Web Crawlers and scanning services.
» Connections can be initiated from any source IP.
Detection Challenges
This simple shell from Deep Panda will execute anything passed to it.
This could be found as its own file, or embedded in another Internet accessible file.
Identifying Suspicious Files
» Files with odd time stamps
» Suspicious files in Web root or other Internet accessible locations:
• Files that contain any of the keywords listed below.
• Files that are out of place, e.g. a PHP file in an image folder.
Common Paths
» /var/lib/tomcat7/webapps/files
» /var/cache/tomcat7/Catalina/localhost/files/org/apache/jsp
» /var/www/files/
» /webroot/
» /inetpub/wwwroot/
» /inetpub/logs/LogFiles/
» C:/Windows/System32/LogFiles
» /var/log/httpd/
» /var/log/apache
Network Activity
This shell looks for the string ‘jexboss’ as part of the user-agent before it allows a connection.
Network Activity
» High site usage during abnormal periods.
» Unexpected connections in the logs.
» Log entries missing a Referer.
» Log entries for newly accessed URIs.
» .htaccess in your HTTP logs.
» filemanager in your HTTP logs.
» Suspicious GETs or POSTs with odd parameter names.
Network Activity
• Suspicious .war file installation
• Deployment time is 2:32:55 AM.
Network Activity
• GET Request with an unusual URI
Network Activity
• Suspicious User-Agent string
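The "Network Activity" indicators above (missing Referer, newly accessed URIs, odd parameter names, off-hours requests, the ‘jexboss’ user-agent string) can be turned into checks over an Apache access log. The script below is an added example written for this page, not a tool from the presentation. The log lines, IP addresses and paths are constructed, and the baseline of known URIs and parameter names, the off-hours window and the user-agent list are assumptions a defender would tune for their own site.

```python
"""Flag access-log lines that match the talk's "Network Activity" indicators.

Added example, not from the presentation. Log lines, IPs, paths and the
baseline are constructed; the off-hours window and the baseline of known
URIs/parameters are assumptions a defender would tune per site.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# URIs the site is known to serve, with the parameter names each accepts (assumed baseline).
BASELINE = {"/index.php": set(), "/css/site.css": set(), "/search.php": {"q"}}
OFF_HOURS = range(0, 6)           # local hours when no legitimate traffic is expected (assumed)
SHELL_CLIENT_UAS = ("jexboss",)   # user-agent fragment the talk mentions

# Constructed sample log (not real traffic); lines 3-5 are the ones worth a look.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2016:14:02:11 -0400] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2016:14:02:12 -0400] "GET /css/site.css HTTP/1.1" 200 810 "https://www.example.com/index.php" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2016:02:32:55 -0400] "POST /images/thumb.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2016:02:33:01 -0400] "GET /images/thumb.php?xq9=1 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2016:02:35:10 -0400] "GET /jmx-console/ HTTP/1.1" 200 0 "-" "jexboss"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["params"] = set(parse_qs(parts.query, keep_blank_values=True))
    return rec


def flag(rec):
    """Return the list of indicators a parsed record trips (empty if none)."""
    reasons = []
    ua = rec["ua"].lower()
    if any(fragment in ua for fragment in SHELL_CLIENT_UAS):
        reasons.append("known web shell client user-agent")
    if rec["method"] == "POST" and rec["referer"] == "-":
        reasons.append("POST without Referer")
    if rec["path"] not in BASELINE:
        reasons.append("URI not in baseline")
    if rec["params"] - BASELINE.get(rec["path"], set()):
        reasons.append("unexpected parameter names")
    if rec["when"].hour in OFF_HOURS:
        reasons.append("request in off-hours window")
    return reasons


def analyse(log_text):
    """Map 1-based line numbers to the indicators each line trips."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag(rec)
        if reasons:
            findings[n] = reasons
    return findings


if __name__ == "__main__":
    for n, why in analyse(SAMPLE_LOG).items():
        print(f"line {n}: {'; '.join(why)}")
```

Run it on a real log by passing the file's text to `analyse()`; the baseline is best built from a period of known-good traffic rather than typed by hand, and any single indicator is only a lead, so the value is in lines that trip several at once.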
Network Logs
Event Logs
Keywords
This shell used code pages for the Cyrillic and Ukrainian alphabet.
Pagefile.sys
On a busy server multi-threaded processes are often pushed to the pagefile or swap.
Regex Searching
» egrep -re '[<][?]php\s@eval[(]\$_POST\[.+\][)];[?][>]' *.php
» egrep -re '[<]%@\sPage\sLanguage=.Jscript.%[>][<]%eval.Request\.' *.aspx
» Regular expressions can be written to identify webshells based on the syntax of the scripting language.
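The same patterns work on bytes, which lets one scanner cover both script files in the web root and the pagefile or swap dump mentioned on the previous slide. The script below is an added example written for this page, not code from the presentation: it carries the two egrep patterns above as Python byte regexes and reads large files in overlapping chunks so a match that straddles a read boundary is still found. The sample contents are constructed.

```python
"""Apply web shell signatures to files or raw memory images as bytes.

Added example, not from the presentation. The two signatures are the talk's
egrep patterns rewritten as Python byte regexes; the chunked reader lets the
same scan run over a pagefile or swap dump, where a match may straddle a read
boundary. Sample contents are constructed.
"""
import re
import tempfile

SIGNATURES = {
    # <?php @eval($_POST[...]);?>
    "php_eval_post": re.compile(
        rb"<\?php\s*@eval\(\$_POST\[[^\]]+\]\);\s*\?>", re.IGNORECASE),
    # <%@ Page Language="Jscript"%><%eval(Request.
    "aspx_jscript_eval_request": re.compile(
        rb"<%@\s*Page\s+Language=.Jscript.\s*%>\s*<%\s*eval\s*\(\s*Request\.", re.IGNORECASE),
}

SAMPLE_PHP_SHELL = b"<?php @eval($_POST['x']);?>"   # constructed; matches the first signature
SAMPLE_BENIGN = b"<?php echo 'hello'; ?>"            # constructed; matches nothing


def scan_bytes(data, source="<bytes>"):
    """Return one hit per signature match, with offsets relative to data."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(data):
            hits.append({"source": source, "signature": name,
                         "offset": m.start(), "end": m.end()})
    return hits


def scan_file(path, chunk_size=16 * 1024 * 1024, overlap=4096):
    """Scan a file of any size; overlap must exceed the longest expected match."""
    hits, carry, consumed = [], b"", 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            data = carry + block
            base = consumed - len(carry)     # absolute file offset of data[0]
            for h in scan_bytes(data, path):
                # A match that ends inside the carry was already reported last round.
                if h["end"] > len(carry):
                    h["offset"] += base
                    h["end"] += base
                    hits.append(h)
            consumed += len(block)
            carry = data[-overlap:]
    return hits


def demo_file():
    """Write a constructed file with the sample shell at offset 100 and return its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as fh:
        fh.write(b"A" * 100 + SAMPLE_PHP_SHELL + b"B" * 100)
        return fh.name


if __name__ == "__main__":
    # A tiny chunk size forces the sample match across a read boundary.
    for hit in scan_file(demo_file(), chunk_size=110, overlap=64):
        print(hit)
```

Point `scan_file()` at a copy of pagefile.sys taken from a forensic image (the live file is locked); because the search is byte-based, encoded or code-page variants like the Cyrillic example on the Keywords slide need their own byte patterns added to `SIGNATURES`.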
Indicators of Compromise (IOCs)
» Unplanned deployment events, e.g. pushing out a .war file in a Java-based application.
» Modification of user accounts.
» Creation or editing of scheduled tasks or maintenance events.
» Unplanned configuration updates or backup operations.
» Failed or non-standard login events.
Mitigation
» Regular updates.
» Set up a DMZ between the Internet facing servers and the internal corporate network.
» Limit traffic to/from DMZ to internal network.
» Least Privilege Policy (for web server and application user context).
• Attacker cannot escalate privileges
• Attacker cannot create files and access certain directories
Mitigation
» Limit Trust Relationships between domains.
» Keep known good versions of the server.
» User Input Validation (to stop remote file inclusion vulnerability).
» Vulnerability scans.
» Monitor changes to web content; Tripwire, Samhain, etc.
» Ask your hosting provider for the logs.
Mitigation
» Update that legacy application.
» Keep good network logs.
» Secure configuration of Internet facing servers:
• Close ports
• Turn off services
• Use application whitelisting
Mitigation
» Hide server information by turning off ServerSignature in Apache, or server_tokens in Nginx.
» Change the default name for the Admin account.
» Disable unused PHP functions and HTTP verbs.
» Be sure that shell history and timestamps are enabled on *nix servers.
File Stacking
» Sort by common extensions such as asp, aspx, php, jsp, cfm, etc.
» Sort by accessible directories: %SystemDrive%, %SystemDrive%\inetpub\wwwroot, %ProgramFiles%, etc.
» Sort by creation time
» Sort by unique paths or directories not common across the network
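The "Identifying Suspicious Files" and "File Stacking" slides describe the same triage: count files per extension and per directory, then look at the outliers (a script where only images belong, the only file of its type, a timestamp that does not fit). The script below is an added example written for this page, not a tool from the presentation. It builds a small constructed web root so it runs on its own; the static-directory names and the timestomp slack are assumptions, and the ctime check relies on Linux semantics (ctime moves on any metadata change, so an mtime far behind ctime means the modification time was set backwards).

```python
"""Stack the files under a web root by extension, directory and timestamp.

Added example for the talk's "Identifying Suspicious Files" and "File Stacking"
slides; my own code, not a tool from the presentation. The sample site is
constructed; STATIC_DIRS and TIMESTOMP_SLACK are assumptions.
"""
import os
import tempfile
import time
from collections import Counter, defaultdict

# Extensions of the scripting languages the talk lists for web shells.
SCRIPT_EXTS = {".asp", ".aspx", ".php", ".jsp", ".cfm", ".py", ".pl"}
# Directories that should hold only static content (assumption about site layout).
STATIC_DIRS = {"images", "img", "css", "js", "fonts", "uploads"}
# Seconds by which mtime may lag ctime before we call it backdated (Linux semantics).
TIMESTOMP_SLACK = 3600


def stack_files(root):
    """Walk root; return counts per extension, counts per directory, and file records."""
    by_ext, by_dir, records = Counter(), Counter(), []
    for dirpath, _, names in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            st = os.stat(path)
            by_ext[ext] += 1
            by_dir[rel_dir] += 1
            rel = name if rel_dir == "." else rel_dir + "/" + name
            records.append({"rel": rel, "top": rel_dir.split("/")[0], "ext": ext,
                            "mtime": st.st_mtime, "ctime": st.st_ctime})
    return by_ext, by_dir, records


def find_suspects(root):
    """Return {relative path: [reasons]} for files worth a closer look."""
    by_ext, _, records = stack_files(root)
    reasons = defaultdict(list)
    for r in records:
        if r["ext"] in SCRIPT_EXTS and r["top"] in STATIC_DIRS:
            reasons[r["rel"]].append("script in static directory")
        if r["ext"] in SCRIPT_EXTS and by_ext[r["ext"]] == 1:
            reasons[r["rel"]].append("only file of its type")
        if r["mtime"] < r["ctime"] - TIMESTOMP_SLACK:
            reasons[r["rel"]].append("mtime predates ctime")
    return dict(reasons)


def build_sample_site():
    """Create a small constructed web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "lib/db.php": "<?php // database helper ?>",
        "images/logo.png": "not really a png",
        "images/thumb.php": "<?php // script where only images belong ?>",
        "admin/upload.jsp": "<%-- the only JSP on the site --%>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    # Backdate the planted file's mtime by two years; its ctime stays "now".
    old = time.time() - 2 * 365 * 86400
    os.utime(os.path.join(root, "images", "thumb.php"), (old, old))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    by_ext, by_dir, _ = stack_files(site)
    print("files per extension:", dict(by_ext))
    print("files per directory:", dict(by_dir))
    for rel, why in sorted(find_suspects(site).items()):
        print(rel, "->", ", ".join(why))
```

On a real server point `find_suspects()` at the web root (or at the Common Paths listed earlier) and compare the per-extension and per-directory counts across the whole fleet: a path or extension that exists on one host only is the "unique paths" case from the slide.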
Detection Tools
» Online web shell analyzers
Online analyzers like www.shellray.com or www.shelldetector.com can be used to identify suspicious files. These tools may be limited to specific scripting languages.
NeoPI
» Originally developed by Ben Hagen and Scott Behrens at NeoHapsis.
» Open source (GitHub) so a user can customize their searches.
» Ranks files by predetermined characteristics.
» Very little development since NeoHapsis was acquired by Cisco in 2014.
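To show what "ranks files by predetermined characteristics" means in practice, here is an added example in the spirit of NeoPI; it is my own code, not NeoPI's. It computes byte entropy, the longest whitespace-free token and a count of risky keywords per file, ranks every file under each measure and sums the ranks, so a file that is unusual on all three floats to the top. The measures resemble NeoPI's (entropy, longest word, signature matches), but the keyword list and the rank-sum weighting are my own choices, and the sample files are constructed.

```python
"""Rank files by content characteristics, in the spirit of NeoPI.

Added example, not NeoPI's code. Measures: byte entropy, longest
whitespace-free token, risky keyword count. Files are ranked under each
measure and the ranks summed (lowest sum = most suspicious). The keyword
list and weighting are my own; the sample files are constructed.
"""
import base64
import math
import os
import re
from collections import Counter

KEYWORDS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|str_rot13|passthru|shell_exec|system|exec|assert)\b",
    re.IGNORECASE)
METRICS = ("entropy", "longest", "keywords")

SAMPLE_FILES = {
    "index.php": b"<?php\nrequire 'lib/db.php';\nforeach (fetch_rows('posts') as $r) {\n"
                 b"    echo htmlspecialchars($r['title']);\n}\n",
    "lib/db.php": b"<?php\nfunction fetch_rows($table) {\n"
                  b"    return query('SELECT * FROM ' . $table);\n}\n",
    # Obfuscated shape: a long base64 blob fed to eval (constructed filler, not a real shell).
    "images/cache.php": b"<?php eval(base64_decode('"
                        + base64.b64encode(bytes(range(256)) * 2) + b"'));",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated byte, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_token(data):
    """Length of the longest run without whitespace; encoded payloads are long."""
    return max((len(t) for t in re.split(rb"\s+", data)), default=0)


def measure(data):
    return {"entropy": shannon_entropy(data),
            "longest": longest_token(data),
            "keywords": len(KEYWORDS.findall(data))}


def rank_files(contents):
    """contents: {name: bytes}. Returns (names, most suspicious first; per-file metrics)."""
    metrics = {name: measure(data) for name, data in contents.items()}
    rank_sum = Counter()
    for metric in METRICS:
        ordered = sorted(metrics, key=lambda name: metrics[name][metric], reverse=True)
        for rank, name in enumerate(ordered):
            rank_sum[name] += rank
    return sorted(metrics, key=lambda name: rank_sum[name]), metrics


def load_tree(root, exts=(".php", ".asp", ".aspx", ".jsp", ".cfm", ".pl", ".py")):
    """Read every script file under root into {relative path: bytes} for rank_files()."""
    contents = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    contents[os.path.relpath(path, root)] = fh.read()
    return contents


if __name__ == "__main__":
    ranked, metrics = rank_files(SAMPLE_FILES)
    for name in ranked:
        m = metrics[name]
        print(f"{name:20} entropy={m['entropy']:.2f} longest={m['longest']:5d} keywords={m['keywords']}")
```

Against a real site, `rank_files(load_tree("/var/www"))` gives the ordering; legitimate minified or templated code will also score high on entropy and token length, so the list is a review queue, not a verdict, and the keyword list should be extended for the languages in use.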
MalSpider
» Web spidering framework developed by James Sheppard at Cisco.
» Searches a web site for any changes.
» Detects vbscript injection, email address disclosure and hidden iframes.
» Malspider can be run through a proxy.
» User agent strings can be customized.
Thank You
Tim Slaybaugh