4. Page §4
Basics: What is a Web Service (Cont.)
[Diagram: a Web Client sends a URL, which locates the site offering the service; the request passes through the Firewall as Port 80 HTTP traffic to the Web Server (Apache, IIS), which runs the Application tier (JSP, PHP, HTML, ASP, Javascript) and talks to the Database Server.]
5. Page §5
Basics: How Web Page Delivery Works
§ The user opens a browser (IE, Firefox) and enters a URL.
§ The Request is sent over the network (Internet) to the Web Server.
§ The Web Server interprets the user's Request and returns the page content over the network; the browser then renders that content.
Page composition: page content is described in HTML (Hyper Text Markup Language), which consists mainly of tags and content. The browser interprets the tags and, according to each tag's attributes (text, animation, image, javascript, etc.), renders the content.
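The request/response exchange described on this slide, as an added example that is not part of the original deck: the URL the user types is turned into the raw HTTP GET the browser sends, a constructed server reply is split into status line, headers and body, and the HTML body is walked tag by tag the way a browser would interpret it (script bodies are collected separately because that is the content a client honeypot later watches for). The URL, the sample response and the Server header value are all constructed here; nothing touches the network.

```python
# Added example (not from the original slides): a minimal model of the
# request/response exchange, with no network access. The URL, the sample
# response and the server name are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlsplit


def build_request(url: str) -> bytes:
    """Turn the URL the user typed into the raw HTTP/1.1 GET the browser sends."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


class TagWalker(HTMLParser):
    """Collects the tags the browser would interpret, plus inline script bodies."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> contents through handle_data
        if self._in_script and data.strip():
            self.scripts.append(data.strip())


# Constructed response, standing in for what the web server would send back.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Hello</h1>"
    b"<img src=\"logo.png\"><script>document.title = 'x';</script>"
    b"</body></html>"
)


def fetch_and_interpret(url: str, raw_response: bytes = SAMPLE_RESPONSE):
    """Model the whole flow: build the request, parse the reply, walk the tags."""
    request = build_request(url)
    status, headers, body = parse_response(raw_response)
    walker = TagWalker()
    walker.feed(body.decode("utf-8"))
    return {
        "request": request,
        "status": status,
        "server": headers.get("server"),
        "tags": walker.tags,
        "scripts": walker.scripts,
    }


if __name__ == "__main__":
    result = fetch_and_interpret("http://www.example.com/index.php?id=1")
    print(result["request"].decode())
    print(result["status"], result["server"], result["tags"], result["scripts"])
```

The point of separating `parse_response` from `TagWalker` is the same split the slide makes: the server only ships bytes; everything that actually executes (the `<script>` body) is interpreted on the client side, which is why later slides monitor the client rather than the server.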
23. Page §23
[Diagram: the drive-by malware ecosystem.
1. Exploiting website weaknesses and RFI attack techniques, Site A becomes the hacker's Host/Proxy (Compromised Web A); the hacker controls Bots through A. Malicious Code is planted in the page (網頁掛馬), and a report-back site is set up.
1. A user browsing the page downloads the malware and is infected; the bot reports IP, Email, user account, operating system, CPU and MSN details (via Web or SMTP), downloads more malware, sends forged mail containing phishing links, and leaks private data.
Malicious Web + RFI + Fast-Flux + Phishing = a complete hacker-community money-flow system.
2. Register a domain name (3322.org) and build a Malware File Server, SMTP Servers, Malicious Web Sites B1, B2, B3 and Phishing Web Sites C1, C2, all under 3322.org.]
43. Page §43
Introduction to Capture-HPC
§ High-Interaction Client Honeypot
§ Open Source Tool
– Developed by Victoria University of Wellington and the NZ Honeynet Project
§ Purpose: Capture-HPC is a high-interaction Client Honeypot that probes Malicious Web servers (monitoring Client-Side Attacks)
– Probes malicious servers and collects the malware planted on the Client
– Virtual Machine Based
– Client-Server architecture (one-to-many control, Logs Centralized)
– Supports probing with different Browsers and different applications
– Can monitor the file system, registry and processes of a system
44. Page §44
Introduction to Capture-HPC (Cont.)
§ Detection method:
– Monitor our client system for unauthorized modifications with client-side attack code
– Probing starts from a clean environment; if the environment is changed during the probe (Create, Write), the site is deemed a probable Malicious Server
§ Official website:
– https://projects.honeynet.org/capture-hpc/
– Recommended: join the Mailing List:
https://public.honeynet.org/mailman/listinfo/capture-hpc
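The detection method on this slide (baseline a clean environment, visit, then treat any unexpected Create or Write as a sign of a malicious server) shown as an added example; this is not Capture-HPC's own code, which monitors the file system, registry and processes of a Windows guest. Here the "system" is a temporary directory, the "visit" is a constructed set of file changes, and the allowlist of paths a normal visit may touch (a browser cache folder) is an assumption.

```python
# Added example (not Capture-HPC's code): snapshot/diff state-change detection
# over a directory tree. The directory layout, the simulated "visit" and the
# allowlist are constructed for illustration.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root to the SHA-256 of its contents (the baseline)."""
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff_states(before: dict, after: dict) -> dict:
    """Classify every difference as created, written (content changed) or deleted."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    written = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"created": created, "written": written, "deleted": deleted}


def classify(changes: dict, allowlist=()) -> tuple:
    """Benign only if every change is under an allowlisted prefix (e.g. browser cache)."""
    unexpected = [
        path
        for kind in changes.values()
        for path in kind
        if not any(path.startswith(prefix) for prefix in allowlist)
    ]
    return ("malicious" if unexpected else "benign"), unexpected


def run_demo() -> tuple:
    """Baseline a clean tree, simulate a visit, diff, and return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Cache").mkdir()
        (root / "System32").mkdir()
        (root / "System32" / "hosts").write_text("127.0.0.1 localhost\n")
        before = snapshot(root)

        # Constructed "visit": a normal cache write plus two changes a benign
        # page has no reason to make (a new executable, a modified hosts file).
        (root / "Cache" / "index.html").write_text("<html></html>")
        (root / "System32" / "dropper.exe").write_bytes(b"MZ constructed sample")
        (root / "System32" / "hosts").write_text(
            "127.0.0.1 localhost\n192.0.2.1 update.example\n"
        )
        after = snapshot(root)

        changes = diff_states(before, after)
        verdict, unexpected = classify(changes, allowlist=("Cache/",))
        return verdict, unexpected, changes


if __name__ == "__main__":
    verdict, unexpected, changes = run_demo()
    print(verdict, unexpected)
    print(changes)
```

Hashing contents rather than comparing timestamps is what makes the Write case detectable when an attacker rewrites a file in place; the allowlist is what keeps a normal visit (cache, cookies) from being flagged, and it has to be kept narrow or the detector goes blind to exactly the directories malware prefers.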
50. Page §50
Introduction to Capture-HPC (Cont.)
§ Capture-HPC was developed on top of Capture-BAT: it drives Client Applications to probe Remote Servers, and uses Capture-BAT to monitor state changes across the whole system:
– Drives complete O/S and application
– Extended to control and monitor VMware instances
– Control server for client control and data collection
– Provide proxies to access Internet
61. Page §61
Log Information on Capture-Server
§ Safe.log: the URLs that came up clean and are deemed benign
§ Process.log: visiting information for URLs
§ Error.log: URLs that could not be visited
§ States.log: the performance of the Capture-System
§ Malicious.log: the list of deemed malicious URLs
§ Server_timestamp.log: a list of state changes for visiting each URL
§ Server_timestamp.zip: the files modified or deleted on the client machine during the interaction with a malicious server
65. Page §65
PHoneyC -- Pure Python honeyclient implementation
§ Low-interaction virtual honeyclient
§ http://code.google.com/p/phoneyc/
§ Code License : GNU GPL v2
§ Design Concept:
– emulates the core functionality of a web client
– emulates specific vulnerabilities to pinpoint the attack vector
68. Page §68
Running PHoneyC
§ Usage:
– python phoneyc.py [ options ] url
§ Options:
– -h, --help Display this help information.
– -l filename, --logfile=filename Output file name for logs.
– -v, --verbose Explain what is being done (DEBUG mode).
– -d debuglevel, --debug=debuglevel Debug Level, 1-10.
– -r, --retrieval-all Retrieve all inline linked data.
– -c, --cache-response Cache the responses from the remote sites.
– -u personality, --user-agent=personality Select a user agent (see below for values, default: 1)
– -n Replace all non-ASCII characters with spaces (0x20) in all HTML or JS contents
– -m Enable Universal ActiveX object
§ User Agents:
– [1] Internet Explorer 6.1 (Windows XP)
– [2] Internet Explorer 7.0 (Windows XP)
– [3] Internet Explorer 8.0 (Windows XP)
– [4] Internet Explorer 6.0 (Windows 2000)
84. Page §84
Joint web-based malware fighting projects
§ Developed to allow you to verify a website's content before you visit it
– http://www.it-mate.co.uk/
§ Fiddler: Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet
– http://www.fiddlertool.com/fiddler/