TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123
13 August 2009

SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Agenda
- Overview of how FFUs work and what the raw data looks like in XKS
- Targets' use of FFUs
- How to exploit FFUs in XKS - HTTP Activity Search
- (new) Web File Transfer Search

What is a FFU?
A free file uploader is a website that allows you to upload a file and then hosts that file for others to download. Think of the "dropbox" service that we have on NSAnet.
Since Free File Uploaders are web-based, the HTTP Activity plug-in will be the first place to look for activity. We'll also introduce the Web File Transfer plug-in.

How FFUs work
- Most FFU sites are free and don't require accounts, but only allow for basic service
  - For example, files might only be stored for a short period of time
  - Or the person who uploads a file does not have much insight into who has downloaded it and how many times
- Some FFU sites allow for "premium" access, maybe just by registering or maybe by charging the user a fee
  - Premium access might allow for more uploads per account, or files that can be stored longer
  - Some premium accounts give the uploader "admin" insight into how many times a given file was downloaded (commonly referred to as a "counter")
  - Some premium account sites will even allow the uploader to see the IP address and datetimes associated with each download

Example of "Premium" access for Zshare.com
[Screenshot of the zSHARE upload form: "Maximum size: now up to (unreadable) for Premium users! and 1GB for registered users!", with the Privacy options (share your file with the world, or private; Adults only / Nudity) and the "I have read and agree to the TOS" checkbox]

Challenges with FFUs
- Almost no FFU activity contains strong selectors (username or e-mail addresses), making it difficult to identify our target's use of these services
- In most cases we see a URL to the file that doesn't contain the original filename

HTTP Activity
HTTP activity comes in two types:
- Client-to-Server "requests"
- Server-to-Client "responses"
[Diagram: the client on one side, the FFU servers on the other, requests going one way and responses the other]

How FFUs work: Client-to-Server request of the homepage
  GET / HTTP/1.1
  User-Agent: Opera/9.22 (Windows NT 5.1; en)
  Host: (zShare host)
  Accept: text/html, application/xml, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, ...
  Accept-Language: en
  Accept-Charset: iso-8859-1, utf-8, utf-16, ...
  Accept-Encoding: deflate, gzip, x-gzip, identity, ...
  Cache-Control: max-stale=0
  Connection: Keep-Alive, TE
  X-BlueCoat-Via: (unreadable)

How FFUs work: Server-to-Client response of the homepage
[Screenshot of the zSHARE homepage: "Welcome to zSHARE. With zSHARE you can upload files, images, videos, and flash for free. Simply use the upload form below and start sharing! You can also use zSHARE as your personal file storage: backup your data and protect your files." Links: First Time? Read our FAQ | Upload now | Log in | Create free account | Premium | FAQ. Upload form: "Upload a File, Image, Video, Audio or Flash. Unlimited Downloads. Maximum size: now up to (unreadable) for Premium users! and 1GB for registered users!" Fields: File, Description, Privacy (share your file with the world, or private; Adults only / Nudity), "I have read and agree to the TOS"]

How FFUs work: Client-to-Server POST of the file
  POST /cgi-bin/... HTTP/1.1   (the upload URL carries the id a981de0b38312900b149ae9; the rest of the path is unreadable)
  User-Agent: Opera/9.22 (Windows NT 5.1; en)
  Host: (zShare host)
  Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, ...
  Accept-Language: ...
  Accept-Charset: iso-8859-1, utf-8, utf-16, ...
  Accept-Encoding: deflate, gzip, x-gzip, identity, ...
  Expect: 100-continue
  Referer: ...
  Cookie: ...
  Cookie2: $Version=1
  Connection: Keep-Alive, TE
  TE: deflate, gzip, chunked, identity, trailers
  Content-Length: 17048
  Content-Type: multipart/form-data; boundary=...

The POST contains the file, but also the answers to the checkboxes on the homepage (Privacy: share your file with the world, or private; Adults only / Nudity; "I have read and agree to the TOS"). In the multipart body these appear as:
  Content-Disposition: form-data; name="descr"
  Content-Disposition: form-data; name="file"; filename="..."
  Content-Disposition: form-data; name="TOS"
  1
  Content-Disposition: form-data; name="pass"

[Screenshot: the same request headers again, with the User-Agent Opera/9.22 (Windows NT 5.1; en), the Referer and the site's Cookie header (values unreadable)]

How FFUs work: Server-to-Client response after successful upload
[Screenshot of the zSHARE "File Uploaded" page: "The file (unreadable) was uploaded! You're now ready to share it with unlimited people or keep it as a backup." Download Link: http://www.zshare.../download/... ; Link for forums; Direct Link; Delete Link. "E-mail Me This Info: To get all the info on the file you uploaded, such as removal instructions and download link, enter your e-mail address in the field below: Your e-mail:"]
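The POST slide above is what the HTTP activity parser reduces to metadata (host, URL path and arguments, attachment filename, content length). The following Python is an added example written from the defender's side; it is not code from the deck, from XKS or from zShare. It shows the enrichment an egress proxy or DLP sensor applies to an outbound request so that an upload of a file to a known free-file-hosting service from inside a network is logged with the same fields and can be alerted on. The raw request bytes, the boundary, the upload path, the field names, the host watch-list and the filename pics.zip are all constructed for the example (the deck's own filename and upload path are unreadable in the scan); the User-Agent string is the one the deck shows.

```python
"""Added example (not from the deck): build an upload metadata record from a
captured multipart/form-data POST, as an egress proxy or DLP sensor would."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed watch-list of free-file-upload hosts; zShare is the service the
# deck uses as its example. A real deployment would load this from a feed.
FFU_HOSTS = {"zshare.com", "www.zshare.com"}


@dataclass
class UploadRecord:
    method: str
    host: str
    url_path: str
    url_args: str
    user_agent: str
    content_length: int
    attachment_filename: Optional[str] = None   # filename from the file part
    attachment_size: int = 0                    # bytes actually carried
    form_fields: Dict[str, str] = field(default_factory=dict)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, target, headers, body);
    header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_multipart(body: bytes, boundary: str) -> List[Tuple[str, Optional[str], bytes]]:
    """Return (field name, filename or None, data) for each multipart part.
    Delimiters are "--boundary"; the closing one is "--boundary--". A production
    parser must also stream large bodies instead of splitting them in memory."""
    delim = b"--" + boundary.encode("latin-1")
    parts: List[Tuple[str, Optional[str], bytes]] = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        chunk = chunk.lstrip(b"\r\n")
        part_head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        disposition = ""
        for hline in part_head.split(b"\r\n"):
            if hline.lower().startswith(b"content-disposition:"):
                disposition = hline.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append((name.group(1) if name else "",
                      fname.group(1) if fname else None, data))
    return parts


def upload_record(raw: bytes) -> UploadRecord:
    """Metadata for one request; file details are filled in only for a multipart POST."""
    method, target, headers, body = parse_http_request(raw)
    path, _, args = target.partition("?")
    rec = UploadRecord(method, headers.get("host", ""), path, args,
                       headers.get("user-agent", ""),
                       int(headers.get("content-length", "0") or 0))
    ctype = headers.get("content-type", "")
    bmatch = re.search(r'boundary=("?)([^";]+)\1', ctype)
    if method == "POST" and ctype.startswith("multipart/form-data") and bmatch:
        for name, fname, data in parse_multipart(body, bmatch.group(2)):
            if fname is not None:
                rec.attachment_filename, rec.attachment_size = fname, len(data)
            else:
                rec.form_fields[name] = data.decode("latin-1")
    return rec


def is_ffu_upload(rec: UploadRecord) -> bool:
    """Alert condition: a file part was posted to a host on the FFU watch-list."""
    return rec.attachment_filename is not None and rec.host.split(":")[0].lower() in FFU_HOSTS


# Constructed sample, modelled on the deck's POST: a zip plus the description
# and terms-of-service form fields. None of these values come from real traffic.
BOUNDARY = "----constructedboundary7a1"
DELIM = b"--" + BOUNDARY.encode("ascii")
ZIP_BYTES = b"PK\x03\x04" + b"\x00" * 60          # 64 bytes standing in for a zip
SAMPLE_BODY = b"".join([
    DELIM, b"\r\n", b'Content-Disposition: form-data; name="descr"\r\n\r\nholiday pictures\r\n',
    DELIM, b"\r\n", b'Content-Disposition: form-data; name="file"; filename="pics.zip"\r\n',
    b"Content-Type: application/zip\r\n\r\n", ZIP_BYTES, b"\r\n",
    DELIM, b"\r\n", b'Content-Disposition: form-data; name="TOS"\r\n\r\n1\r\n',
    DELIM, b"--\r\n",
])
SAMPLE_UPLOAD = b"".join([
    b"POST /cgi-bin/upload.pl?upload_id=CONSTRUCTED0001 HTTP/1.1\r\n",
    b"User-Agent: Opera/9.22 (Windows NT 5.1; en)\r\n",
    b"Host: www.zshare.com\r\n",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY.encode("ascii") + b"\r\n",
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode("ascii") + b"\r\n\r\n",
    SAMPLE_BODY,
])
SAMPLE_HOMEPAGE_GET = (b"GET / HTTP/1.1\r\nHost: www.zshare.com\r\n"
                       b"User-Agent: Opera/9.22 (Windows NT 5.1; en)\r\n\r\n")

if __name__ == "__main__":
    for raw in (SAMPLE_HOMEPAGE_GET, SAMPLE_UPLOAD):
        record = upload_record(raw)
        print("ALERT" if is_ffu_upload(record) else "ok   ", record)
```

The record mirrors the deck's metadata panel (host, URL path and args, attachment filename, content length) and the alert fires only when a file part reaches a watch-listed host, so a plain GET of the homepage is logged but not flagged.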
Critical piece of collect!
This one server-to-client session serves as proof of the success of the upload, and it connects the original filename to the URL that will be passed around in e-mail or forum posts.
[Screenshot of the "File Uploaded" page, annotated: the uploaded filename, the Download Link, the Link for forums, the Direct Link and the Delete Link]

How FFUs work: activity in time order
[Screenshot: HTTP activity table with columns HTTP Type, Host, URL Path, URL Args; a GET of the homepage, the POST of the file, then several further GETs]

How does that activity look in XKS? Client-to-Server request for the homepage
[Screenshot: the GET request headers shown earlier]
HTTP activity meta-data:
  Datetime, Application Info
  Application Type: filetransfer
  Application: filetransfer/web/zshare
  AppID [+Fingerprints]: filetransfer/web/zshare

How does that activity look in XKS? Server-to-Client response of the homepage
[Screenshot: the zSHARE homepage]
HTTP activity meta-data:
  Application Info: zSHARE - Free Image, Video, Audio, Flash and File Hosting
  Application Type: filetransfer
  Application: filetransfer/web/zshare
  AppID [+Fingerprints]: filetransfer/web/zshare

How does that activity look in XKS? Client-to-Server POST of the file
[Screenshot: the POST headers shown earlier (User-Agent Opera/9.22 (Windows NT 5.1; en), Expect: 100-continue, Cookie, Cookie2: $Version=1, TE: deflate, gzip, chunked, identity, trailers, Content-Type: multipart/form-data)]
HTTP activity meta-data:
  Host, URL Path, URL Args, Cookie, Referer
  Attachment Filename: (unreadable).zip
  Data Length, Content Length
  Application Type: filetransfer
  AppID [+Fingerprints]: filetransfer/web/zshare/upload, compression/zip

How does that activity look in XKS? Client-to-Server check of the upload status
[Screenshot: a GET to the upload-status script with the same User-Agent]
HTTP activity meta-data: Host, URL Path, URL Args, Cookie

How does that activity look in XKS? Server-to-Client successful upload
[Screenshot: the "File Uploaded" page]
HTTP activity meta-data:
  Application Info: zSHARE - Free Image, Video, Audio, Flash and File Hosting
  Application Type: filetransfer
  Application: filetransfer/web/zshare
  AppID [+Fingerprints]: filetransfer/web/zshare/... (the upload-success fingerprint; name unreadable)

About the Web File Transfer search
Web File Transfer plug-ins were built to harvest valuable pieces of information which are not pulled out by default in the HTTP activity search. For example, in the server-to-client response we see the name of the file that was uploaded, the URL to be used to download the file and the delete key, all great pieces of information!

Web File Transfer search
For example:
[Screenshot of the zSHARE "File Uploaded" page: "The file (unreadable) was uploaded! You're now ready to share it with unlimited people or keep it as a backup." Download Link, Link for forums, Direct Link, Delete Link, "E-mail Me This Info"]

Web File Transfer search
Web File Transfer plug-ins were built to extract fields like this:
[Screenshot: the "File Uploaded" page annotated with the extracted fields: File URL, Filename, Transfer Type: upload, Upload ID, Delete ID, Site Name]

Web File Transfer search
Other examples:
[Screenshots of upload-result pages from other FFU sites, including RapidShare ("Thank you for your upload", with download and delete links and a premium-download offer) and a site that sends the download and delete links to the uploader by e-mail]

Searching on FFUs in XKS
When you see an FFU URL passed around, you can use the HTTP activity parser to see if anyone went to that URL.
Use the HTTP activity search and simply copy and paste the URL into the field builder.
Make sure to add a valid foreign IP address or foreign country code to your search to make it USSID18 compliant!!

Searching on FFUs in XKS
For example, if we see this URL passed around in traffic:
[Screenshot of an HTTP Activity query: Query Name, Justification ("URL used by CT target"), Miranda Number, Datetime, Host, URL Path; URL Field Builder: "Enter a URL. It will be automatically parsed to populate the host, path and argument fields."]

Searching on FFUs in XKS
Make sure to end your search with a valid foreign target, like an IP address or country or city code!!
[Screenshot: Type, Host, URL Path, IP Address From/To, Port From/To]

Searching on FFUs in XKS
It's also worth it to search the URL as the "referer", and again remember to add something "foreign".
[Screenshot: Referer, IP Address From/To, Port From/To, Country From/To]

Searching on FFUs in XKS
To find all files being uploaded to zShare from a given IP address/range or city/country code, use the HTTP activity search:
[Screenshot: Type, Attachment Filename, AppID: filetransfer/web/zshare/upload, Country From, IP Address From]

Searching on FFUs in XKS
If you want to try to find who uploaded the file that generated that URL, use the Web File Transfer plug-in.
[Screenshot of the XKS plug-in list, including Network Logs Metadata, Phone Number Extractor, SSL Parser, Tech Strings in Document, User Activity, WLAN and Web File Transfer]

Searching on FFUs in XKS
To find all file upload success web-pages, which have the filename and the FFU URL, use the Web File Transfer search:
[Screenshot: Transfer Type: upload, Site Name: (zShare), IP Address To, Country]

Searching on FFUs in XKS
To try to find the filename associated with a URL, enter the URL into the "File URL" field, and again remember to add something "foreign".
[Screenshot of the Web File Transfer query form: Query Name, Justification, Datetime, File URL, Filename, IP Address From/To, Country From/To]