Provide steps to investigate an SQL injection attack.
As you reviewed the Sguil log, you noticed a possible SQL injection attack. You will investigate
the events to determine the extent of the possible exploitation.
Step 1. Review the Sguil logs.
a. Navigate to the Alternate Security Onion VM. Double-click the Sguil icon on the
Desktop. Enter the username analyst and password cyberops when prompted.
b. Click Select All to monitor all the networks. Click Start SGUIL to continue.
c. In the bottom-right window of the Sguil console, click Show Packet Data and Show
Rule to view the details of a selected alert.

d. Search for alerts related to ET WEB_SERVER Possible SQL Injection Attempt
UNION SELECT. Select the alerts that start with 5. These alerts are related to
seconion-eth1-1, and they are probably the most recent alerts. Select the alert with ID
5.5836. Because Sguil displays real-time events, the Date/Time in the screenshot is
for reference only. You should note the Date/Time of the selected alert for analysis in
ELSA.

e. Right-click the number under the CNT heading for the selected alert to view all the
related alerts. Select View Correlated Events.

f. Right-click an Alert ID in the results. Select Transcript to view the details for this alert.

g. In this window, you can see that the GET statement using the UNION operator was
used to access the credit card information. If you do not see this information, try right-
clicking another of the correlated events.

What information can you gather from the Transcript window?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
The Transcript window displays the transaction between the source
209.165.201.17:47144 and the destination 209.165.200.235:80. The transcript indicates
that 209.165.201.17 is trying to access credit card information using a SQL UNION
operator. The transcript for the web server at 209.165.200.235 shows the HTML content
that was displayed to the attacker.
h. You can also determine the information retrieved by the attacker. Click Search and
enter username in the Find: field. Use the Find button to locate the information that
was captured. The same credit card information may be displayed differently than the
figure on the next page.

Compare the credit card information from the Transcript window and the content
extracted by the SQL injection attack. What is your conclusion?
____________________________________________________________________________
The credit card information is the same because the transcript shows all the content
transmitted between the source and destination.
i. Close the windows when finished.
j. Return to the Sguil window, right-click the same Alert ID that contains the exfiltrated
credit card information and select Wireshark.

l. The GET request and the exfiltrated data are displayed in the TCP stream window. Your
output may be different than the figure below, but it should contain the same credit
card information as your transcript above.


m. At this time, you could save the Wireshark data by clicking Save As in the TCP stream
window. Alternatively, you can also save the Wireshark pcap file. You can also
document the source and destination IP addresses and ports, time of incident, and protocol
used for further analysis by a Tier 2 analyst.
n. Close or minimize Wireshark and Sguil.
Step 2. Review the ELSA logs.
The ELSA logs can also provide similar information.
a. While in the Security Onion VM, double-click to start ELSA from the Desktop. If you
receive the following “Your connection is not private” message, click ADVANCED to
continue.

b. Click Proceed to localhost (unsafe) to continue to the localhost.
c. Log in with the username analyst and password cyberops. You will now perform a
query looking for the HTTP SQL injection reported by the Sguil alert.
d. Click in the From field to open a calendar. Select the date one day before the timestamp
of the alert ID you selected in Sguil. By default, ELSA only shows the events for the last 48
hours.

e. In the left panel, select HTTP > Top Potential SQL Injection. Select 209.165.200.235.

f. This opens detailed information about the alert. Click Info on the first entry. This
information is related to the successful SQL injection. Notice the union query that was used
during the attack.

g. Click Plugin > getPcap. Enter the username analyst and password cyberops when
prompted. Click Submit if necessary. CapMe is a web interface that allows you to get a pcap
transcript and download the pcap.

h. The pcap transcript is rendered using tcpflow, and this page also provides the link to
access the pcap file. You can also search for the username information. Type Ctrl +
F to open the Find... dialog box. Enter username in the field. You should be able to
locate the credit card information that was displayed during the SQL injection exploit.
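The manual triage in Step 1 (read the Sguil transcript, find the UNION SELECT in the GET request, then search the reply for the exfiltrated card data) and the same check in Step 2 (the tcpflow transcript from CapMe) can be scripted. The following is an added example, not part of the lab or of Security Onion: it parses a transcript laid out in the SRC:/DST: style Sguil uses, URL-decodes the request line, flags a UNION SELECT, and scans the server's reply for digit runs that pass the Luhn check so the analyst can record what actually left the database. The transcript text, the hostname, path, column names and card numbers are all constructed for this example (the card numbers are standard test numbers); only the IP addresses and ports mirror the lab.

```python
"""Triage a Sguil-style HTTP transcript for a UNION-based SQL injection.

Added example (not part of the lab). Everything in SAMPLE_TRANSCRIPT is
constructed: the addresses mirror the lab, the rest is made up.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_TRANSCRIPT = """\
Sensor Name: seconion-eth1-1
Src IP: 209.165.201.17
Dst IP: 209.165.200.235
Src Port: 47144
Dst Port: 80
SRC: GET /app/orders.php?id=1+UNION+SELECT+username%2Cccnum+FROM+cards-- HTTP/1.1
SRC: Host: 209.165.200.235
SRC: User-Agent: Mozilla/5.0
SRC:
DST: HTTP/1.1 200 OK
DST: Content-Type: text/html
DST:
DST: <tr><td>jdoe</td><td>4111111111111111</td></tr>
DST: <tr><td>asmith</td><td>5555555555554444</td></tr>
DST: <tr><td>order#</td><td>1234567812345678</td></tr>
"""

# UNION [ALL] SELECT after decoding; the ET rule the lab refers to keys on the same tokens.
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)
HEADER_RE = re.compile(r"^(Src IP|Dst IP|Src Port|Dst Port): (.+)$")
REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")
# 13-19 digit runs not embedded in a longer number: candidate primary account numbers.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def normalize(uri):
    """Decode %xx and '+' twice (double encoding is a common filter bypass),
    replace inline /* */ comments with a space and collapse whitespace, so the
    UNION_RE match is not defeated by encoding tricks."""
    text = unquote_plus(unquote_plus(uri))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def luhn_ok(digits):
    """Luhn check: filters order numbers and timestamps out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def triage(transcript):
    """Return the endpoints, each decoded request (with a union_select flag)
    and the Luhn-valid numbers seen in the server's side of the stream."""
    info = {"src": None, "dst": None, "requests": [], "cards": []}
    hdr = {}
    for line in transcript.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hdr[m.group(1)] = m.group(2).strip()
            continue
        if line.startswith("SRC: "):           # client -> server
            m = REQUEST_RE.match(line[5:])
            if m:
                decoded = normalize(m.group(2))
                info["requests"].append({
                    "method": m.group(1),
                    "uri": decoded,
                    "union_select": bool(UNION_RE.search(decoded)),
                })
        elif line.startswith("DST: "):         # server -> client
            for cand in PAN_RE.findall(line[5:]):
                if luhn_ok(cand) and cand not in info["cards"]:
                    info["cards"].append(cand)
    info["src"] = f"{hdr.get('Src IP')}:{hdr.get('Src Port')}"
    info["dst"] = f"{hdr.get('Dst IP')}:{hdr.get('Dst Port')}"
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_TRANSCRIPT)
    print(f"{result['src']} -> {result['dst']}")
    for req in result["requests"]:
        flag = "UNION SELECT" if req["union_select"] else "clean"
        print(f"  {req['method']} {req['uri']}  [{flag}]")
    print(f"  Luhn-valid numbers returned by server: {result['cards']}")
```

The card regex plus Luhn check is a heuristic for the analyst's note, not proof of exfiltration: it tells you which numbers in the reply are worth comparing against the database, which is the comparison the lab asks for in step h. The double decode is deliberate, since a `%2520` in the raw request hides a space from a single-decode filter.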
