Level: minimum understanding of networking and basic protocols needed.
Workshop:
Brute-forcing is one of the most common types of attack against CMS. With more than 18M websites on the internet using WordPress and hundreds of known vulnerability reports, CMS are always an easy target for attackers. But what does an attack like this look like in real life?
In this hands-on workshop, we will guide attendees on how to analyze a real brute-forcing botnet traffic capture, how to break it down, how to understand what it does and the critical components of the botnet infrastructure. We will guide attendees through a simple methodology to tackle similar analysis and the critical questions a researcher needs to ask themselves in the process. The workshop will also provide hands-on experience on the most common tools used for network traffic analysis and how to deal with large traffic captures.
Outline:
- Introduction of speakers and attendees
- A brief introduction to brute-forcing attacks, what the workshop dynamic will be, and downloading of the traffic capture to analyze.
- Toolbox intro: what tools we will use, and installation of them if needed.
- Methodology: create a methodology with attendees on how to do the analysis of this capture. Each may have a different strategy, so we will guide them through the process and introduce the methodology we followed. (20’)
  - What are the questions we need to answer?
  - How do we answer those questions?
- Hands-on analysis:
  - Open the packet capture:
    - Choose the best tool (large capture)
    - Slicing pcaps: editcap, tshark, tcpdump
    - Strategies for slicing pcaps: a different strategy according to what we want to know (slicing by time, protocol, IPs, ports, hostnames)
  - Walk through the capture:
    - How do we know this is a brute-forcing attack?
    - What CMS is being attacked?
    - Is this a botnet? How do we know that?
    - Where is the list of sites to brute-force coming from?
  - Documenting findings: let’s build the big picture of what is happening in the capture.
  - New questions will start appearing after the first analysis iteration is done. What other information can we get from this capture?
- Building the final report on the capture analysis together. Review the methodology: what worked, what failed, and the limitations of the tools.
- Closing workshop
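As an added illustration of the walk-through questions in the outline (example code, not part of the workshop material), the following Python triage runs over constructed tshark field output: it counts POST requests to known CMS login endpoints per source/target pair, names the CMS from the endpoint hit, measures the attempt rate, and checks whether several distinct sources work through the same list of target sites, one signal of a coordinated botnet. The tshark invocation, the login-endpoint table, the RFC 5737 addresses and the hostnames are all assumptions.

```python
from collections import Counter, defaultdict

# Login endpoints that identify the CMS under attack (assumed, common defaults).
LOGIN_ENDPOINTS = {"/wp-login.php": "WordPress", "/xmlrpc.php": "WordPress",
                   "/administrator/index.php": "Joomla", "/user/login": "Drupal"}

def constructed_sample():
    """Constructed stand-in for `tshark -r cap.pcap -Y http.request -T fields
    -E separator=/t -e frame.time_epoch -e ip.src -e http.host
    -e http.request.method -e http.request.uri` (RFC 5737 addresses, made-up hosts)."""
    lines, t = [], 1500000000.0
    for src in ("198.51.100.7", "203.0.113.9"):          # two bot members
        for host in ("blog-a.example", "blog-b.example", "shop-c.example"):
            for _ in range(6):                            # 6 login POSTs each
                t += 0.2
                lines.append(f"{t:.3f}\t{src}\t{host}\tPOST\t/wp-login.php")
    lines.append(f"{t + 1:.3f}\t192.0.2.44\tblog-a.example\tGET\t/?p=1")  # benign
    return "\n".join(lines)

def parse(text):
    """Split tab-separated tshark lines; drop query strings from the URI."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, src, host, method, uri = line.split("\t")
            recs.append((float(ts), src, host, method, uri.split("?")[0]))
    return recs

def analyze(text, threshold=5):
    """Answer the walk-through questions: brute-force? which CMS? botnet?"""
    per_pair, cms, first, last = Counter(), Counter(), {}, {}
    for ts, src, host, method, uri in parse(text):
        if method == "POST" and uri in LOGIN_ENDPOINTS:
            per_pair[(src, host)] += 1
            cms[LOGIN_ENDPOINTS[uri]] += 1
            first.setdefault((src, host), ts)
            last[(src, host)] = ts
    # Brute-force signal: many login POSTs from one source to one host, quickly.
    brute = {p: n for p, n in per_pair.items() if n >= threshold}
    rate = max((n / max(last[p] - first[p], 1e-9) for p, n in brute.items()), default=0.0)
    # Botnet signal: several distinct sources working through the same target list.
    targets = defaultdict(set)
    for src, host in brute:
        targets[src].add(host)
    shared = set.intersection(*targets.values()) if targets else set()
    return {"bruteforce_pairs": brute, "max_rate_per_s": rate,
            "cms": cms.most_common(1)[0][0] if cms else None,
            "sources": sorted(targets), "shared_targets": sorted(shared)}
```

On a real capture, slice the pcap first (editcap by time, tcpdump or tshark by host/port) and feed the resulting tshark field lines to `analyze`, lowering `threshold` to match the capture's window.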
What to bring:
- Attendees should bring their laptops with at least Wireshark and tcpdump already installed.
Bio:
Veronica Valeros is a hacker, researcher and intelligence analyst from Argentina. Her research has a strong focus on helping people and spans different areas, from wireless and Bluetooth privacy issues to malware, botnets and intrusion analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf and others. She is the co-founder of the MatesLab hackerspace based in Argentina. Since 2013 she has been part of the Cognitive Threat Analytics team (Cisco Systems), where she specialises in malware network traffic analysis and threat categorisation at large scale. She is also part of the core team of Security Without Borders, a collective of cyber security professionals who volunteer to assist people at risk and NGOs with cyber security issues.
Anna Shirokova is a threat researcher at Cisco. Her passion for all things relating to malware eventually grew into a career as an information security analyst. As of 2017 she is part of the Cognitive Threat Analytics team at Cisco. Her interests focus on network security, data mining for malware recognition patterns, malware behavior and cybercrime. She has presented her research at international security conferences such as Botconf, BruCON and BSides Vienna.