Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hello and welcome back to the course Identifying Web Attacks Through Logs. I'm Igor Vieira. In the last video we talked about web application attacks, OWASP, and web application components.
00:11
In this video, we'll discuss our first attack: vulnerability scans. Let's start with the learning objectives.
00:18
In this video, the learning objectives are to review vulnerability scans and their tools, and to identify vulnerability scans with web server log analysis.
00:27
First, let's remember what a vulnerability is. As we said before, a vulnerability is a weakness that can be exploited,
00:35
and there is a specific topic about vulnerabilities in the OWASP Top Ten. You'll remember that item
00:42
A9 is
00:44
using components with known vulnerabilities.
00:47
This is more related to the components the web application needs in order to work, for example using an old version of PHP, although your application can be vulnerable even if all the components are updated. So if you have a vulnerability in your application, it's better to know.
01:04
Suppose you are a SOC analyst working in a big company.
01:07
How do you know that your web application is vulnerable? You can investigate the web application code and look for vulnerabilities, but this will need a lot of time. Another way is using vulnerability scanners. Vulnerability scanners are software that try to find weaknesses in our web application.
01:26
They send some known attacks and check your application's response. Depending on the web application's response, the scanner will say whether you have a vulnerability or not. Vulnerability scanners are available to everyone,
01:40
so you can use them to protect your application, and an attacker
01:44
can use them to find vulnerabilities to exploit later. Vulnerability scanners are also good to test your security tools like IDS, IPS and web application firewalls. There are many vulnerability scanners available, some open source and some paid.
02:01
In some companies, vulnerability scans are not considered an attack. Sometimes it's called
02:08
pre-attack. So in this course,
02:10
vulnerability scans will be one type of attack,
02:15
so the vulnerability scanners can be used to perform vulnerability scans.
02:20
And do you know any software that is considered a vulnerability scanner?
02:23
Here are some examples of vulnerability scanners.
02:28
There are many others available. Some of them are specific for one vulnerability, like sqlmap.
02:35
sqlmap is really useful to test your web application against SQL injection attacks.
02:40
Other examples are Nikto, ZAP, Burp and AppScan.
02:46
You can find out about the list on this website.
02:50
Can you think of one way to identify them?
02:53
The easiest way to identify a vulnerability scanner is checking the user agent, like in this example:
03:00
the user agent is sqlmap.
03:01
If you see in the log a user agent related to a vulnerability scanner, there is a good chance that a vulnerability scan is happening against the web server.
03:12
But what is the problem here?
03:14
Well, normally it's not that easy. Remember that user agents are used to detect, but they can be faked,
03:22
and the vulnerability scanners usually have the option to change the user agent,
03:28
so be careful. It's also possible to see different user agents, like programming languages,
03:35
for example, Python requests.
03:38
Let's use Nikto to perform a scan on our lab.
03:40
The first two lines are examples of the Nikto requests.
03:45
We didn't change the user agent, so you can identify Nikto as the user agent. We had close to 1000 requests in less than one minute. So we have a big number of requests in a small period of time. This is a common behavior of vulnerability scanners, but if you want,
04:03
you can run the scan slower.
04:05
If you are doing a vulnerability scan,
04:09
you should look for all known vulnerabilities. As we saw, this generates a lot of requests,
04:15
and many of these requests will return errors, especially 404. Do you agree with that?
04:21
So let's try to confirm the theory.
04:25
We will count the number of requests with the Nikto user agent,
04:29
and after that we count the same lines looking for 404. The first is the number of lines that have Nikto as user agent, and the second is the number of lines that have Nikto as user agent and also the 404 error.
04:45
You can see that the numbers are not really different.
04:47
That happens because we do a lot of requests
04:50
and most of these requests don't work.
04:54
This is a typical case of a vulnerability scan.
04:57
Important things to look for: the user agent, the number of requests and the number of errors.
05:03
Now let's analyze this log.
05:06
In the first line you can see the user agent Nikto,
05:10
a weird request and a 404 error. Other lines are similar, but some of the lines do not have Nikto as user agent,
05:19
and if you look at the request, the request is the same.
05:24
This is an example of requests with a crafted user agent. In both cases, the tool behind the user agent was Nikto.
05:31
So a vulnerability scan has a known behavior. Here you have some directions that can help you to identify a vulnerability scan. Start by looking at the user agents; look for scanners' known user agents.
05:46
Check the number of requests.
05:48
Are there many requests in a small period of time?
05:51
And are all these requests coming from the same client IP address?
05:57
Look at the number of errors and at unexpected requests, like PHP requests on a site that doesn't have PHP. The more you know your application, the easier it will be.
06:09
Also check if the requests are to configuration pages or administration pages.
06:15
Common operating system words in requests are suspicious too.
06:21
Words like bin, cat, shell
06:25
are examples of words used in a vulnerability scan.
06:29
Let's see a scenario question.
06:30
Consider this scenario:
06:32
your network team asked you to check the behavior of one web server
06:36
because they found an increased number of weird requests and 404 errors.
06:43
The network team sent a capture of the web server's page
06:46
and says that it looks normal.
06:48
Ask for the web server logs and more information about the web server.
06:53
They say that it is an Apache, and this is not a WordPress deployment.
06:58
Here is a piece of the web server logs. In the next slide, we'll have some questions about this case.
07:04
I suggest that you pause the video and do the log analysis.
07:09
Remember to get the information from the logs, like IP and requests, and remember to answer the who, when and what.
07:18
I hope that you liked doing this log analysis.
07:21
Let's analyze it together now.
07:24
We have the same client IP address that is doing lots of requests, the one starting with 10.
07:32
We also have more than one request at the same time,
07:35
and many 404 errors.
07:39
For the first line, can you explain the 404?
07:43
The reason is
07:44
this request looks like a WordPress request,
07:47
and this application is not a WordPress.
07:51
Now, based on this scenario, as a SOC analyst, answer the questions.
07:56
Which address is causing the trouble?
07:59
The answer is letter C.
08:01
All the log lines contain this IP address.
08:05
What behavior did you identify in this log?
08:07
Did you find an attack?
08:09
The answer is letter C, vulnerability scan. In the lesson's log we saw some behaviors that confirm
08:18
a vulnerability scan,
08:20
like many 404 errors,
08:22
weird requests,
08:24
many requests in a small period of time,
08:26
unexpected requests and others.
08:30
Your network team is waiting for your analysis.
08:33
Let's compose a possible answer to them.
08:35
Here is a possible answer,
08:37
and the answers to the questions who, when and what. In the real world, there are other activities that need to be performed,
08:46
like checking if the website is vulnerable, or if a vulnerability was exploited.
08:52
A suggested action would be blocking this IP address
08:56
because it is performing an attack.
08:58
Video summary: in today's video we discussed
09:01
vulnerability scan attacks.
09:03
We showed some vulnerability scanner examples and how to identify their behavior.
09:09
First,
09:11
check the user agents,
09:13
look for many requests in a small period of time,
09:16
look for many errors,
09:18
especially 404.
09:20
Look for weird words and unexpected requests. So this concludes our first attack example in log analysis.
09:28
In the next video, we will review brute force attacks,
09:31
and we will try to identify brute force attacks in web server logs. And that is it.
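As an added example (not code from the course or the instructor), the checks the video lists, applied in Python to a few constructed Apache combined-format log lines: scanner user agents, 404 ratio, request rate and suspicious paths per client IP. The thresholds, the scanner fingerprints and the word list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in Apache combined format (not the video's lab log).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /?id=1%27 HTTP/1.1" 200 512 "-" "sqlmap/1.5"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /shell.php HTTP/1.1" 404 209 "-" "python-requests/2.28"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UA = ("nikto", "sqlmap", "python-requests")   # hints only: user agents can be faked
SUSPICIOUS = ("wp-", "admin", "config", "cgi-bin", "/bin/", "shell")  # coarse word list (assumed)

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(log_text, site_has_php=False):
    """Per client IP: request count, 404 count, scanner UAs, odd paths, rate; then a verdict."""
    stats = defaultdict(lambda: {"requests": 0, "errors_404": 0, "scanner_uas": set(),
                                 "suspicious_paths": [], "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip it
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["errors_404"] += rec["status"] == 404
        s["scanner_uas"].update(tag for tag in SCANNER_UA if tag in rec["ua"].lower())
        path = rec["path"].lower()
        if any(w in path for w in SUSPICIOUS) or (".php" in path and not site_has_php):
            s["suspicious_paths"].append(rec["path"])
        s["first"] = min(s["first"] or rec["ts"], rec["ts"])
        s["last"] = max(s["last"] or rec["ts"], rec["ts"])
    for s in stats.values():
        minutes = max((s["last"] - s["first"]).total_seconds(), 1) / 60   # at least one second
        s["rate_per_min"] = s["requests"] / minutes
        s["error_ratio"] = s["errors_404"] / s["requests"]
        # A known scanner UA is a strong hint; otherwise require a 404-heavy run of odd paths.
        s["likely_scan"] = bool(s["scanner_uas"]) or (s["error_ratio"] >= 0.5 and len(s["suspicious_paths"]) > 0)
    return dict(stats)
```

Run `analyze(SAMPLE_LOG)` and inspect the dictionary for each IP; on a real log, pass the file contents and set `site_has_php=True` when the site actually serves PHP.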

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor