2025-04-04 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
Many inexperienced people do not know how to detect a WebShell from network traffic. This article therefore summarizes the causes of the problem and its solutions, and I hope it helps you solve it.
During the HW exercise period, to prevent phishing, FreeBuf removes all external links from submitted articles from now on. Please forgive the inconvenience.
Background
As we all know, during attack-and-defense drills, when the attack team breaks into an enterprise website it usually obtains a webshell by one route or another, gains control of the site, and uses that foothold for the rest of the intrusion. Before encrypted webshell tools such as Behinder (Ice Scorpion) and Godzilla appeared, attack teams mostly used tools such as China Chopper (Chinese kitchen knife) and AntSword. Unlike China Chopper and AntSword, Behinder and Godzilla transmit data through an encrypted tunnel, which is hard for security devices to detect. At the same time, the rise of fileless in-memory webshells has put even more pressure on detection. Detecting encrypted webshells and fileless memory webshells is therefore very necessary.
Difficulties
At present, detecting this kind of encrypted webshell has the following difficulties:
Data is transmitted through an encrypted tunnel, so there are no plaintext communication characteristics.
A memory webshell leaves no file on disk.
Target
Through the practice of attack-and-defense exercises, summarize a set of detection methods for encrypted webshells and memory webshells: analyze and summarize the communication characteristics of this kind of webshell, find compromised hosts from traffic promptly and accurately, and deal with them in time.
Methodology
When a new webshell tool appears, we can summarize its features from the following aspects and build detection on them.
Webshell sample: analyze the execution logic of the webshell and extract the functions and parameters that must be present for it to execute, so that uploads and writes of this kind of webshell can be detected.
Parameters that must exist in the communication process: analyze the webshell server side and client, and extract the parameters that, because of how the tool is implemented, must be present in every interaction.
Encryption algorithm characteristics: analyze the encryption method used in the webshell's communication and characterize the set of ciphertexts that method produces.
Bugs in the tool itself: because the tool is written by humans, some bugs are unavoidable, and they can be used as features to identify the tool.
Inconsistency with normal business: analyze how the webshell's communication differs from normal business traffic, so that possibly abnormal communications can be roughly screened out.
Cases
The following illustrates how to extract features with each of the methods summarized in the methodology above.
Uploaded samples
Threats can be detected by inspecting uploaded samples. By analyzing the source code of these webshell tools, we can extract the features of the webshells they generate and detect them. Taking Godzilla as an example, when it generates a webshell it imports a template and produces the webshell from that template. We can therefore summarize the characteristics of the generated template and accurately detect this kind of upload behaviour.
Parameters that must exist in the communication process
On the server side of Behinder 3.0, the POST request is read with the following code:
request.getReader().readLine()
This code reads the body of the POST request directly. Consequently the Content-Type of the HTTP request must be application/octet-stream; otherwise unexpected HTTP encoding of the body occurs. This feature belongs to the "parameters that must exist in the communication process", and the relevant webshell communication can be detected by combining it with other features (this is only an example; this kind of detection must always combine multiple features).
Weak characteristics of the encryption method
When Behinder communicates, it establishes an encrypted tunnel. The request body and return body are encrypted as follows:

Request body encryption    Return body encryption
Base64 after AES           Base64 after AES
Base64 after AES           AES
AES                        AES

For Base64 after AES, every byte of the encrypted value falls in the character class [a-zA-Z0-9+/=], which is easy to match with a regular expression.
For plain AES, the ciphertext has no Base64-style character set, but the number of non-printable characters in it rises noticeably. Detecting non-printable characters therefore covers the recognition of AES-encrypted request or return bodies.
These are only weak features, given here as examples; multiple features must be combined to achieve accurate detection.
Bugs in the tool itself
These tools are all written by humans, so some bugs are inevitable, and we can identify the tools in traffic by finding those bugs. For example, in one version of Behinder, a PHP webshell communication carries two PHPSESSID values, which is a bug in the tool. Combining this bug with other features identifies the tool.
Inconsistency with normal business
For a fileless memory webshell, the attacker hides the attack behaviour by injecting the webshell under a static-file path such as .jpg, .ico or .png. Even so, some behaviour differs from normal: the content returned for the static file is different from a real static file, a request for a static file carries a request body, and so on. The following is an example of a Behinder memory webshell.
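As an added example (not code from the original article, nor from Behinder, Godzilla or any detection product), the scorer below turns the traffic features described in the preceding sections into one combined check: the octet-stream POST required by the raw body read, the Base64-alphabet and non-printable-byte properties of the two encryption modes, the duplicated PHPSESSID bug, and the static-path mismatches of a memory webshell. Feature names, weights and the alert threshold are assumptions made for illustration, and the HTTP messages are constructed samples rather than real captures.

```python
import base64
import re
from dataclasses import dataclass

# Assumed: which extensions count as "static" and which must answer with image/*.
STATIC_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".css", ".js")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".ico")
# Base64 alphabet from the article's character class, optional padding at the end.
B64_RE = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")


@dataclass
class Message:
    start_line: str
    headers: list   # list of (name, value); repeats are preserved on purpose
    body: bytes


def parse_http(raw: bytes) -> Message:
    """Minimal raw HTTP splitter that keeps repeated headers visible."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return Message(lines[0], headers, body)


def header(msg: Message, name: str) -> str:
    return next((v for k, v in msg.headers if k == name), "")


def nonprintable_ratio(body: bytes) -> float:
    """Share of bytes outside printable ASCII (CR/LF/TAB allowed)."""
    if not body:
        return 0.0
    bad = sum(1 for b in body if (b < 0x20 and b not in b"\r\n\t") or b > 0x7E)
    return bad / len(body)


def phpsessid_count(msg: Message) -> int:
    """Count PHPSESSID cookies across Cookie / Set-Cookie headers."""
    n = 0
    for k, v in msg.headers:
        if k in ("cookie", "set-cookie"):
            n += len(re.findall(r"(?:^|;\s*)PHPSESSID=", v))
    return n


def score_exchange(req: Message, resp: Message) -> tuple:
    """Return (score, feature names). Strong features weigh 2, weak ones 1 (assumed)."""
    method, path = req.start_line.split(" ")[:2]
    path = path.split("?")[0].lower()
    ctype_req = header(req, "content-type").lower()
    ctype_resp = header(resp, "content-type").lower()
    hits = []
    # Body read raw by request.getReader().readLine(): octet-stream POST.
    if method == "POST" and ctype_req.startswith("application/octet-stream"):
        hits.append(("octet_stream_post", 2))
    # Base64 after AES: the whole body stays inside the Base64 alphabet (weak).
    if len(req.body) >= 16 and len(req.body) % 4 == 0 and B64_RE.match(req.body):
        hits.append(("base64_only_body", 1))
    # Plain AES: many non-printable bytes in the request body (weak).
    if nonprintable_ratio(req.body) > 0.3:
        hits.append(("nonprintable_request_body", 1))
    # Tool bug: more than one PHPSESSID in a single exchange.
    if phpsessid_count(req) + phpsessid_count(resp) > 1:
        hits.append(("duplicate_phpsessid", 2))
    # Memory shell behind a static path: POST with a body to a .jpg/.ico/... path.
    if path.endswith(STATIC_EXTS) and method == "POST" and req.body:
        hits.append(("static_path_post_with_body", 2))
    # Static path whose response is not the expected static content type.
    if path.endswith(IMAGE_EXTS) and ctype_resp and not ctype_resp.startswith("image/"):
        hits.append(("static_path_content_mismatch", 2))
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_suspicious(req: Message, resp: Message, threshold: int = 3) -> bool:
    """Alert only on a combination of features, never on a single weak one."""
    return score_exchange(req, resp)[0] >= threshold


# Constructed sample traffic (not real captures).
NORMAL_REQ = (b"POST /login.php HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Cookie: PHPSESSID=u1a2b3\r\n\r\nuser=alice&pass=secret")
NORMAL_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
SHELL_REQ = (b"POST /static/logo.jpg HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Type: application/octet-stream\r\n"
             b"Cookie: PHPSESSID=a1b2c3; PHPSESSID=d4e5f6\r\n\r\n"
             + base64.b64encode(bytes(range(48))))   # 64 Base64 chars standing in for ciphertext
SHELL_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + base64.b64encode(bytes(range(24)))
IMAGE_REQ = b"GET /static/logo.png HTTP/1.1\r\nHost: app.example\r\n\r\n"
IMAGE_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for label, rq, rs in (("normal", NORMAL_REQ, NORMAL_RESP),
                          ("shell", SHELL_REQ, SHELL_RESP),
                          ("image", IMAGE_REQ, IMAGE_RESP)):
        print(label, score_exchange(parse_http(rq), parse_http(rs)))
```

The login form and the genuine image download score zero, while the constructed exchange that combines an octet-stream POST, a Base64-only body, two PHPSESSID cookies and a text/html answer from a .jpg path scores 9. A raw AES body on a normal path would reach only the octet-stream and non-printable features, which is why the threshold sits above any single strong feature.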
In this article we have summarized the feature-based methods for finding encrypted webshells and fileless memory webshells in traffic, namely:
Webshell samples
Parameters that must exist in the communication process
Characteristics of the encryption method
Bugs in the tool itself
Inconsistency with normal business
In practical tests, the communication traffic of encrypted webshells and fileless memory webshells was analyzed along these lines and the relevant weak and strong features were summarized. By combining the various features, the communication of this kind of webshell can be identified accurately, and compromised hosts can be found and dealt with in time.
After reading the above, have you mastered how to detect a WebShell from traffic? If you want to learn more skills or learn more about the subject, you are welcome to follow the industry information channel. Thank you for reading!