HTTP Activity vs User Activity
July 1, 2015
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
June 2009

HTTP Activity
HTTP Activity is essentially all web-based activity from a user's internet browser (with some exceptions).
It includes web surfing, Internet searching (like Google), mapping websites (Google Earth/Maps), etc.

HTTP Activity
HTTP activity comes in two types:
Client-to-Server "requests"
Server-to-Client "responses"

HTTP Activity Client-to-Server
[Screenshot: a raw client-to-server GET request (request line with URL and query string; Accept, Accept-Language, User-Agent "Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; ...)", Host, Cache-Control and Connection headers) next to the fields XKS HTTP Activity breaks out of it: Host, URL Path, URL args, Search Terms, Language, Browser, Referer, Cookie]

User Activity
User Activity is best described as meta-data from "communication based protocols" like Webmail, Chat, Web Forum, VoIP etc. in which we have protocol processing capabilities like AppProc.
It's important to note that there are many applications that fall within this definition in which we do not currently have protocol processing capabilities.

User Activity
Most will probably already be familiar with "User Activity" from MARINA
[Screenshot: the MARINA User Activity search form: a specific date range (data available back to 1 May), a search for User Activity strong selectors (emails, cookies, mail tokens, phone numbers, AppProc values) that exactly match the value, DECODEORDAIN options, a 100,000 raw metadata result limit (newest data first if reached) where the value is the active user in the user_a or user_b column, and the query justification field]

User Activity
While not an exact duplicate, MARINA and User Activity share a lot in common
XKS runs the same software (AppProc/WebProc/StarProc) that is used to break out meta-data for MARINA
In some cases, it's actually the XKS at the front-end site that is feeding the meta-data to MARINA (the source will be

Overlap
- Since applications like web-mail are web-based, HTTP and User Activity will contain information about the same session.
- While HTTP contains information about all web-based sessions, User Activity contains information on "user activity protocols" in which we have identified and developed exploitation capabilities

How the Search Forms Fit Together
[Diagram: of all DNI sessions collected, the User Activity and HTTP Activity search forms cover overlapping subsets]

Examples of traffic
Webmail (client side)
[Screenshot: a 2009-06-17 12:02 TCP session (length 1440) from Iran to the United States, shown in DNI Presenter as an HTTP GET to a Yahoo webmail contacts page with Accept, Referer, Accept-Encoding: gzip, deflate, User-Agent "Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; ...)", Host and Cookie headers; the broken-out metadata shows the Yahoo login id together with gender (male), birth year, postal code and language (English) fields]

Examples of traffic
Webmail (server side)
[Screenshot: the server-to-client side of a Yahoo Webmail session from the United States (header content type Yahoo Webmail), shown in DNI Presenter as the MAIL active user, the inbox listing with sender names and subjects, and a message sent in June 2009]

Yahoo Webmail
[Diagram: of all DNI sessions collected, where Yahoo Webmail sessions fall within User Activity and HTTP Activity]

Examples of traffic
MSN Messenger
[Screenshot: a 2009-06-16 MSN Messenger session shown in DNI Presenter (version 1.4.0.x, built Feb 2009) with the header and meta tabs, display status, the message list and a "...@yahoo.com logging in" event]

MSN Messenger
[Diagram: of all DNI sessions collected, where MSN Messenger sessions fall within User Activity and HTTP Activity]

Examples of traffic
Skype sessions:
[Screenshot: a 2009 15:05 session from Iran to Switzerland shown in DNI Presenter (version 1.4.0.x, built Feb 2009), with the Skype user id and client session identifiers broken out in the session header and metadata]

Skype
[Diagram: of all DNI sessions collected, where Skype sessions fall within User Activity]

Example #1
The typical way to search HTTP Activity is to start with User Activity in MARINA.
For example, we'll start with this 16 June activity
[Screenshot: MARINA User Activity results for 20090616, timestamps 14:36 through 14:49, each row a webmail "logged in" event for the target account]

Understand what is behind the IP
- Ensure activity on IP can be associated with target
- Understand IP usage Dynamic/Static
- Research IP using Foxtrail/NKB
- Is it a Proxy, DVBLAN, Dial-Up, DSL, etc
- Is it Client to Server or Server to Client
- Still not sure? User Activity pull for 5 minute period on Foreign IP

MultiSearch on IP Address
Let's take what we used last week and do a Multi-Search to discover any web activity around the time the account was active
[Screenshot: the MultiSearch form with a custom datetime start/stop and an IP address entered, and the searchable categories listed, among them Call Logs, Category DNI, Cellular DNI, X-Forwarded-For, Document Metadata, Document Tagging, User Activity, Phone Number Extractor, Email, Extracted Files, HTTP Activity, Full Log, Web Proxy, Logins and Passwords, Microplugin Metadata]

Example #1
Note the number of results for each search, compared to the 28 MARINA results which were for the same IP address and same time frame
[Screenshot: My Recent Results listing three finished 16 June queries by name, type, status and result count: a user_activity query, a full_log query with 3223 results and a third query with 2525 results]

HTTP Results
Of interest we see visits to Web Pages like:
[Screenshot: three example page visits and web searches from the HTTP Activity results; the URLs are not legible]

HTTP Results
Notice how all of the HTTP GET requests were going to the same IP address even though they are for different web sites. What is going on here?
[Table: To IP, Host and count for the GET requests, all to one IP address, for hosts including twitter.com (22), static.twitter (12) and several other hosts]

Example #2
Analysis of 27 May Internet session of PK based target started in MARINA
[Screenshot: MARINA results for 20090527, 05:21 to 05:22, a series of "logged in" events for the target's accounts]

Example #2
The analyst then did an HTTP Activity query to find all web surfing from that IP address within the same rough timeframe.
[Screenshot: the Search: HTTP Activity form, with the query name "27 may activity", the justification "PK IP address used by target in Pakistan", a custom datetime range, the IP address and From/To port fields, with the other search categories (Alert, BlackBerry, Call Logs, Category DNI, Cellular DNI, DNS, Document Metadata, Document Tagging, Email, Extracted Files, Full Log, HTTP Activity, IRC Parser, Metadata) in the left-hand menu]

27 May HTTP Activity
HTTP meta-data indicated possible Maktoob activity
[Table: HTTP Activity rows at about 05:22 on 27 May with Datetime, Host and URL Path columns, every one a GET to a maktoob.com host, and From/To IP and country columns showing PK to US]

27 May MARINA results
MARINA didn't show any Maktoob user:
[Screenshot: MARINA results for 20090527, 05:21 to 05:23, "logged in" events for other accounts only]

27 May User Activity
User Activity also didn't show any Maktoob activity
[Screenshot: User Activity Result with a datetime end of 05:23:55 and Attribute Type / Attribute Value columns: rows of search and webmail login attribute types with their values, none of them a Maktoob event]

27 May HTTP Activity
Was it just a visit to the Maktoob home page or was there an actual web-mail log-in?
In most cases "active user" and "previous user" information from web-mail protocols comes from the cookie field.
XKS HTTP Activity breaks out the entire cookie field, even if protocol analysis doesn't know what each part means
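As an added illustration, not taken from the deck, the parser below breaks a cleartext HTTP request into the same metadata fields the deck says HTTP Activity extracts (Host, URL path, URL args, search terms, language, browser, Referer and every cookie name=value pair, whether or not its meaning is known) and then names the fields that identify a person or account. A defender can run it against a capture of their own webmail or web application to see exactly what an unencrypted link exposes to any passive observer; it also handles absolute-form request lines, which is how requests sent through a web proxy carry their host. The sample request, hostnames and cookie names are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Query-string parameters that commonly carry a user's search terms.
# Constructed list for this example; extend it for the services you audit.
SEARCH_PARAMS = ("q", "p", "query", "search")


def parse_request(raw: bytes) -> dict:
    """Break a raw HTTP/1.x request into the metadata fields a passive
    observer can read from a cleartext session: host, URL path, URL args,
    search terms, language, browser, referer and the full cookie field."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()

    # Absolute-form targets (requests sent via a proxy) carry the host in the
    # request line; origin-form targets rely on the Host header.
    parts = urlsplit(target)
    host = parts.netloc or headers.get("host", "")
    args = parse_qs(parts.query, keep_blank_values=True)
    search_terms = [v for key in SEARCH_PARAMS for v in args.get(key, [])]

    # The deck stresses that the entire cookie field is broken out, each
    # name=value pair separately, even when the meaning of a pair is unknown.
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        pair = pair.strip()
        if pair:
            name, _, value = pair.partition("=")
            cookies[name.strip()] = value.strip()

    return {
        "method": method,
        "host": host,
        "path": parts.path,
        "args": {k: v[0] if len(v) == 1 else v for k, v in args.items()},
        "search_terms": search_terms,
        "language": headers.get("accept-language", ""),
        "browser": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),
        "cookies": cookies,
    }


def identifying_fields(meta: dict) -> list:
    """Names of the extracted fields that would let an observer link the
    session to a person or account: any cookie at all, search terms and
    the referer (which often embeds the previous page's query string)."""
    found = []
    if meta["cookies"]:
        found.append("cookies")
    if meta["search_terms"]:
        found.append("search_terms")
    if meta["referer"]:
        found.append("referer")
    return found


# Constructed sample request, modelled on the webmail GET shown in the deck;
# host, cookie names and values are invented for this example.
SAMPLE_REQUEST = (
    b"GET /mail/contacts?rand=930373&p=project+status HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://mail.example.test/inbox?user=alice\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: mail.example.test\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cookie: lang=ar; prev_user=alice; Y=v=1&n=abc; sid=abc123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    meta = parse_request(SAMPLE_REQUEST)
    for field, value in meta.items():
        print(f"{field:>13}: {value}")
    print("exposed identifiers:", identifying_fields(meta))
```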

27 May HTTP Activity
Look at the full cell value:
[Screenshot: the Cookie cell of an HTTP Activity row, beginning "lang=ar; ...", with the row and cell action menu open: View Session, Show All Row Values, Mark Metadata Row as Important, Send to Agility Realtime, Execute Persona Analysis Query, Cell Actions, Filters, Show Cell Value, and filter options "where Cookie Equals 'lang=ar; ...'"]

27 May HTTP Activity
By looking at the full cookie, the analyst noticed what appeared to be the target's username
[Screenshot: the full cookie value, beginning "lang=ar;" and followed by several long name=value pairs, one of which contains the apparent username]

27 May HTTP Activity
The content also shows the cookie value:
[Screenshot: the raw GET request from the session: Accept, Referer, Accept-Language: en-us, Accept-Encoding: gzip, deflate, User-Agent "Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; SV1)", Host, Connection: Keep-Alive and a long Cookie header whose pairs include one with the value "pk" and a "logged" value]

27 May Maktoob Activity
Why wasn't this activity in MARINA or User Activity (both fed by AppProc)?
Because Protocol Exploitation hadn't identified this particular Maktoob service
Since it hadn't been identified, AppProc could not produce meta-data and DECODEORDAIN was not producing permutations for strong selection

27 May Maktoob Activity
In this particular case, [...] from Protocol Exploitation were able to determine that the cookie was identifying the "previous user" but not the "active user"

Moral of the story
Internet applications are dynamic, and protocol [...] are not able to identify and build capabilities to exploit every known application
It's important that target [...] use tools like XKS to aggressively develop their target to uncover applications that are previously unidentified or are not currently being processed properly

Moral of the story
The Multi-Search page gives you the ability to search full log and HTTP activity based on an IP address at the same time
Simply enter in an IP address, choose any or all roles (i.e. from/to/ref) and then choose what
[Screenshot: the MultiSearch form with the IP address field and its From/To/Ref role checkboxes, next to the list of search categories that can be selected together, including Call Logs, Category DNI, Cellular DNI, DNS, X-Forwarded-For, Document Metadata, Document Tagging, User Activity, Phone Number Extractor, Email Addresses, Extracted Files, Full Log, HTTP Activity, IRC Parser, Geolocation, Logins and Passwords, Microplugin Metadata]

Who to contact
If you discover examples that don't seem to be processing correctly, don't hesitate to contact the experts at