xfeng

xfeng

Sporting | Reading | Technology | Recording
github
bilibili
Home作品集ArchivesAbout

Source analysis

#溯源71
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses the process of source tracing analysis in the context of defense in cybersecurity. It explains that source tracing involves identifying the virtual and real identities of hackers, as well as tracing the attack chain and the attack team members. The article highlights the importance of analyzing data obtained from sources such as honeypots, traffic detection platforms, WAF, IDS, IPS, and phishing emails. It outlines the general process of source tracing, including capturing the attack source, analyzing security device alerts, analyzing log traffic, examining server resource anomalies, and analyzing phishing emails and honeypot data. The article also mentions the use of IP location technology, ID tracking techniques, website URL analysis, and malicious sample analysis to gather information about the attacker's virtual and real identities, contact information, and organizational details. It emphasizes the significance of WAF and traffic detection devices in analyzing attack data and mentions threat intelligence analysis platforms that can provide information about host details, recent activities, and domain analysis. The article also discusses the importance of analyzing port information and domain name resolution records in threat intelligence analysis. It explains the process of IP and domain tracing, including using threat intelligence queries, Nmap scans, network asset mapping engines, and submitting reports to VPS providers. The article also mentions the use of honeypots to gather social information and discusses the challenges and methods of obtaining information such as QQ numbers, phone numbers, and social media accounts. It suggests using various tools and techniques to extract useful information from social media platforms, forums, and search engines. The article concludes by emphasizing the importance of social engineering techniques and cross-validation with social engineering databases in the source tracing process.

image

1. Overview#

In general, source tracing in attack and defense drills involves: reconstructing the attack chain, tracing back to the hacker's virtual identity, real identity, tracing back to the attacking team members, and taking control of the attacker's host.

Generally, the data obtained by the blue team members comes from the following sources:

  • Honeypot platforms
  • Traffic detection platforms
  • WAF, IDS, IPS
  • Phishing emails

After obtaining the data information, we need to analyze the data.

Key information to focus on:

  • IP addresses
  • DNSLOG, C2 addresses
  • Information in phishing emails
  • Hacker IDs captured by honeypots

Different devices have different analysis approaches.

2. General Process of Source Tracing#

Capturing the attack source

  • Security device alerts (scanned IP addresses, intrusion events)
  • Log traffic analysis
  • Abnormal server resources (abnormal files, processes, ports, scheduled tasks, etc.)
  • Phishing emails (obtaining malicious file samples)
  • Honeypot system (capturing attacker behavior)

Countermeasures for source tracing

  • IP geolocation technology
  • ID tracking techniques (search engines, social platforms, etc.)
  • Website URLs (whois queries, etc.)
  • Malicious samples (extracting sample features, usernames, IDs, etc.)

Attacker profiling

  • Reconstructing the attack path
  • Attack objectives
  • What network proxies are used
  • Attack techniques (web penetration, near-source penetration, social engineering, etc.)
  • Obtaining information about the attacker's: virtual identity, real identity, contact information, organizational situation, etc.

3. WAF, Traffic Detection Devices#

  • Request packets -> may contain bounced C2 addresses or DNSLOG addresses
  • Certain registrable websites -> obtain attacker's registered phone numbers, ID card information, etc.
  • IP addresses -> analyze the attack behavior path -> filter foreign zombie IP addresses
  • Pay special attention to attack traffic from cloud servers such as Alibaba and Tencent

4. Threat Intelligence Analysis#

After obtaining the attack IP, we can search on threat intelligence analysis platforms to obtain information such as host information, recent activities, and domain name resolution.

Useful websites:

ThreatBook Online Intelligence Community

Qihoo 360 Threat Intelligence Center

360 Threat Intelligence Center

VenusEye Threat Intelligence Center

RiskIQ Community

4.1 Host Information#

Pay attention to port information

4.2 Domain Name Resolution Records#

Recently resolved domain names on that IP

  • If they exist -> continue analysis
  • If they do not exist, and the result of pinging the domain name is not an attack IP, stop the analysis

.cn domain names

5. IP & Domain Name Tracing#

In some cases, attackers may leave behind the IP or domain name they used, usually for downloading malicious code, reverse proxying, etc. After obtaining the IP or domain name used by the attacker, I usually use the following methods for tracing:

5.1 IP#

  1. Through threat intelligence queries, you may obtain the location, ISP, and resolved domain names of the IP.
  2. Perform Nmap full port scanning on the ports opened by the IP, conduct vulnerability scanning on the ports that provide services, and try to take down the attacking server.
  3. Use network asset mapping engines to search for the IP used for attack tracing and obtain the services provided by that IP.
  4. Query precise location data for that IP.
  5. Launch a DoS attack on the services provided by that IP to prevent further attacks.
  6. Most attackers use VPS for proxy forwarding or directly for attacks. You can submit a ticket to the VPS provider, explaining the attack behavior of that IP. The service provider may prohibit the attack behavior of that IP or ban the attacker's account.

5.2 Domain Name#

  1. Use Whois queries to obtain email addresses and names.
  2. Check the domain name registration information in the Ministry of Industry and Information Technology's ICP query.
  3. Check the historical Whois information of the domain name.
  4. Search the domain name in search engines, and you may discover the attacker's other account information.

Geolocation query:

IP Location Website

Red team attackers may launch attacks using mobile hotspots. We can use geolocation queries to determine their location.

6. Honeypot Tracing#

In modern browsers, the same-origin policy is the core of ensuring user access security. In order to allow cross-origin requests, JSONP was born.

In HTML, the src attribute of the script tag is not affected by the same-origin policy. By using the script tag to reference a JavaScript file from a different domain, cross-origin requests can be made, which is JSONP.

Honeypots also use this principle to obtain social information.

Obtaining social information through JSONP in honeypots is relatively difficult and generally requires the following two conditions:

  1. The third-party website to be obtained allows cross-origin requests and contains sensitive information in the cross-origin information.
  2. The attacker has logged in to the third-party website and has not logged out.

After obtaining social information through honeypots, the following aspects are generally targeted:

6.1 QQ Number#

  1. If the obtained information is a QQ number, you can try to obtain personal information associated with the QQ number by making a large transfer to the QQ number bound bank card, which can generally obtain one character from the first name or last name.
  2. Search for the QQ number or the email address associated with the QQ number on Baidu Tieba and other forums, and you may obtain a Baidu Tieba account.
  3. Use Whois to reverse lookup the QQ email address, and you may obtain the name or domain name.
  4. Search for the QQ number in WeChat, and you may get the attacker's WeChat account.
  5. Add the QQ number using a secondary account and try to obtain more information through social engineering methods (based on obtaining a large amount of personal information).

6.2 Phone Number#

  1. Transfer money to the account associated with the phone number in Alipay and try to obtain the real user's name corresponding to the phone number.
  2. Search for the phone number in WeChat and try to obtain the WeChat account.
  3. Search for the phone number on DingTalk, and you may obtain part of the real name and work unit.
  4. Search the phone number on search engines, and you may obtain other account information.
  5. Check the website registration information associated with the phone number.

6.3 Tieba Account#

  1. Use Tieba Toolbox to obtain the account homepage and posted content.
  2. Check the posted content to see if you can find QQ numbers, phone numbers, email addresses, approximate age, names, etc.

6.4 Social Engineering Databases#

In my opinion, social engineering databases are more used for cross-validation and are not a direct way to obtain data. Therefore, they should be compared with social engineering databases after obtaining enough information to confirm the real information.

6.5 Other Account Information#

  1. Search for QQ nicknames, WeChat nicknames, Alipay nicknames, Tieba nicknames, etc., and you may obtain information from other platforms, such as Weibo, Zhihu, GitHub, and other forums and SNS communities.
  2. Carefully check the information in the account to extract more useful information, such as name, gender, age, address, work unit, school, etc.

6.6 School#

  1. If you obtain school information and name, you can search on search engines to obtain the attacker's major information, class, enrollment time, graduation time, student ID, etc.
  2. You can inquire on the school's Tieba, QQ groups, etc., to obtain more personal information.
  3. For master's degree or above, you can search for papers on the China National Knowledge Infrastructure (CNKI) to confirm the research direction.

6.7 Email#

  1. Check the website registration information associated with the email.

6.8 Hacker ID Tracing#

  1. Search engines
  2. Major security response centers (SRCs)
  3. Community consultations

7. Conclusion#

The results of source tracing are generally as follows:

  • Name/ID:
  • Attack IP:
  • Geolocation:
  • QQ:
  • IP address owner company:
  • IP address associated domain names:
  • Email:
  • Phone number:
  • WeChat/Weibo/SRC/ID proof:
  • Profile picture:
  • Jump host:
  • Associated attack events

In the process of source tracing, social engineering databases are the most important, followed by the above source tracing analysis approaches.

If there are honeypot devices, try to set them to high interaction.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.