HTTP Activity vs User Activity

July 1, 2015

Page 1 from HTTP Activity vs User Activity
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(Title slide.) June 2009
Page 2 from HTTP Activity vs User Activity
HTTP Activity
HTTP Activity is essentially all web-based activity from a user's internet browser (with some exceptions). It includes web surfing, internet searching (like Google), mapping websites (Google Earth/Maps), etc.
Page 3 from HTTP Activity vs User Activity
HTTP Activity
HTTP activity comes in two types: Client-to-Server "requests" and Server-to-Client "responses". (Diagram: a client browser exchanging requests and responses with a web server, cnn.com.)
Page 4 from HTTP Activity vs User Activity
HTTP Activity: Client-to-Server
(Screenshot of an annotated GET request. The fields called out are: URL Path, URL Args, Search Terms, Language (from Accept-Language), Browser (from the User-Agent, here Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1)), Referer and Cookie. Other headers visible in the request include Accept, Cache-Control, Connection and Host.)
Page 5 from HTTP Activity vs User Activity
User Activity
User Activity is best described as meta-data from "communication based protocols" like Webmail, Chat, Web Forum, VoIP, etc. in which we have protocol processing capabilities like AppProc. It's important to note that there are many applications that fall within this definition in which we do not currently have protocol processing capabilities.
Page 6 from HTTP Activity vs User Activity
User Activity
Most will probably already be familiar with "User Activity" from MARINA. (Screenshot of the MARINA search form: Date Range; "Data available back to 1 May"; "Search for User Activity Strong Selectors (Emails, Cookies, Mail Tokens, Phone Numbers, AppProc values) that exactly match the value"; "DECODEORDAIN if result limit is reached, newest date"; "[100,000 raw metadata result limit]"; "where value is active user or in user_a or user_b column"; Query Justification.)
Page 7 from HTTP Activity vs User Activity
User Activity
While not an exact duplicate, MARINA and User Activity share a lot in common. XKS runs the same software (AppProc/WebProc/StarProc) that is used to break out meta-data for MARINA. In some cases, it's actually the XKS at the front-end site that is feeding the meta-data to MARINA (the source will be
Page 8 from HTTP Activity vs User Activity
Overlap
Since applications like web-mail are web-based, HTTP and User Activity will contain information about the same session. While HTTP contains information about all web-based sessions, User Activity contains information on "user activity protocols" in which we have identified and developed exploitation capabilities.
Page 9 from HTTP Activity vs User Activity
How the Search Forms Fit Together
(Venn diagram: of all DNI sessions collected, the portion covered by HTTP Activity and the portion covered by User Activity.)
Page 10 from HTTP Activity vs User Activity
Examples of traffic: Webmail (client side)
(Screenshot of an XKS session view: an HTTP-GET session dated 2009-06-17 12:02:37, from Iran to the United States, TCP, for a webmail contacts page. The request headers shown include Accept, Referer, Accept-Encoding: gzip, deflate and User-Agent: Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; ...; .NET CLR ...), plus a Cookie from which a Yahoo login id, gender, birth year, postal code and language are broken out as meta-data.)
Page 11 from HTTP Activity vs User Activity
Examples of traffic: Webmail (server side)
(Screenshot of an XKS session view of the server-to-client side, shown in DNI Display: Document Information, Content Type: Yahoo Webmail, MAIL, Active user, the user's inbox listing with subject lines such as "Fwd: Fw: ..." and a message dated Tuesday, June 16, 2009 1:14 AM.)
Page 12 from HTTP Activity vs User Activity
Yahoo Webmail
(Venn diagram: of all DNI sessions collected, Yahoo Webmail sessions appear in both User Activity and HTTP Activity.)
Page 13 from HTTP Activity vs User Activity
Examples of traffic: MSN Messenger
(Screenshot of an XKS session view: an MSN Messenger session dated 2009-06-16, from Iran to the United States, shown in DNI Presenter (version 1.4.0.0, build date Thu Feb 19 13:02:15 GMT 2009). The meta-data shows an @yahoo.com account logging in, with From/To/Size columns for the messages.)
Page 14 from HTTP Activity vs User Activity
MSN Messenger
(Venn diagram: of all DNI sessions collected, MSN Messenger sessions appear in User Activity and HTTP Activity.)
Page 15 from HTTP Activity vs User Activity
Examples of traffic: Skype sessions
(Screenshot of an XKS session view: a Skype session dated 2009-06-16 15:05:05, from Iran to Switzerland, shown in DNI Presenter (version 1.4.0.0, build date Thu Feb 19 13:02:15 GMT 2009). The session header lists the Skype user and the tunnelled connection details.)
Page 16 from HTTP Activity vs User Activity
Skype
(Venn diagram: of all DNI sessions collected, Skype sessions appear in User Activity.)
Page 17 from HTTP Activity vs User Activity
Example #1
The typical way to search HTTP Activity is to start with User Activity in MARINA. For example, we'll start with this 16 June activity. (MARINA result table with USERID, PHONE and USER_A columns: a series of records dated 20090616, from 14:36 to 14:49, each showing a "logged in" event.)
Page 18 from HTTP Activity vs User Activity
Understand what is behind the IP
- Ensure activity on the IP can be associated with the target
- Understand IP usage: Dynamic/Static
- Research the IP using Foxtrail/NKB
- Is it a Proxy, DVBLAN, Dial-Up, DSL, etc.?
- Is it Client to Server or Server to Client?
- Still not sure? Do a User Activity pull for a 5 minute period on the foreign IP
Page 19 from HTTP Activity vs User Activity
MultiSearch on IP Address
Let's take what we used last week and do a Multi-Search to discover any web activity around the time the account was active. (Screenshot of the MultiSearch form: Datetime: Custom, Start/Stop, IP address, and the list of searches that can be selected: Call Logs, Category DNI, Cellular DNI, Passwords, X-Forwarded-For, Document Metadata, Document Tagging, User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, IRC Parser, Geolocation, Web Proxy, Logins and Microplugin Metadata.)
Page 20 from HTTP Activity vs User Activity
Example #1
Note the number of results for each search, compared to the 28 MARINA results, which were for the same IP address and same time frame. (Screenshot of My Recent Results: three finished queries on the June activity, a user_activity query, a full_log query and an HTTP activity query, with result counts including 3223 and 2525.)
Page 21 from HTTP Activity vs User Activity
HTTP Results
Of interest we see visits to web pages like: (list of visited URLs, including a web search; unreadable in this copy.)
Page 22 from HTTP Activity vs User Activity
HTTP Results
Notice how all of the HTTP GET requests were going to the same IP address even though they are for different web sites. What is going on here? (Table of To IP, port and host with a hit count per host: several different hosts, among them twitter.com and static.twitter..., with counts of 57, 31, 22, 21, 12, 12, 9 and 5, all going to one IP address.)
Page 23 from HTTP Activity vs User Activity
Example #2
Analysis of the 27 May internet session of a PK-based target, started in MARINA. (MARINA result table with USERID, PHONE and USER_A columns: records dated 20090527, 05:21 to 05:22, each showing a "logged in" event.)
Page 24 from HTTP Activity vs User Activity
Example #2
The analyst then did an HTTP activity query to find all web surfing from that IP address within the same rough timeframe. (Screenshot of the XKS search form with HTTP Activity selected: Query Name, Justification, Datetime: Custom start/stop, IP address, From port, To port; the justification reads that the IP address is used by the target in Pakistan.)
Page 25 from HTTP Activity vs User Activity
27 May HTTP meta-data indicated possible Maktoob activity
(HTTP Activity result table with Datetime, Host, URL Path, From IP, To IP, From IP country and To IP country columns: a run of GET requests around 05:22 to maktoob.com hosts, from a PK address to US addresses.)
Page 26 from HTTP Activity vs User Activity
27 May MARINA results
MARINA didn't show any Maktoob user activity. (MARINA result table: records dated 20090527, 05:21 to 05:23, each showing a "logged in" event, none of them for Maktoob.)
Page 27 from HTTP Activity vs User Activity
27 May User Activity
User Activity also didn't show any Maktoob activity. (User Activity result table, Datetime End 05:23:55, with Search Realm, Attribute Type and Attribute Value columns: every search realm entry reads "yahoo", with yahoo webmail activity values, and none for Maktoob.)
Page 28 from HTTP Activity vs User Activity
HTTP Activity
Was it just a visit to the Maktoob home page or was there an actual web-mail log-in? In most cases "active user" and "previous user" information from web-mail protocols comes from the cookie field. XKS HTTP Activity breaks out the entire cookie field, even if protocol analysis doesn't know what each part means.
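The point of this slide and of the client-to-server slide earlier (URL path, URL args, search terms, language, browser, referer, cookie) is that every one of those fields is carried in the clear in an HTTP request, and the cookie is exposed crumb by crumb whether or not the observer knows what each crumb means. The following script is an added example, not part of the slides or of any XKS tool: it parses a constructed HTTP/1.1 request (all hostnames, paths, query strings and cookie names and values are invented) and lists what a passive observer of cleartext HTTP would recover, flagging cookie crumbs that look like account identifiers. It is the kind of check a site owner or privacy reviewer can run on captured traffic from their own application to see what still leaks before TLS is enforced.

```python
"""Which fields a passive observer recovers from a cleartext HTTP request.

Added example, not part of the original slides. SAMPLE_REQUEST is constructed
for illustration: the host, paths, query string and cookie crumbs are invented.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a browser fetching a search results page over plain HTTP,
# shaped like the annotated GET request in the slides.
SAMPLE_REQUEST = (
    b"GET /search?q=train+times+to+geneva&start=10 HTTP/1.1\r\n"
    b"Host: search.example.com\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Referer: http://mail.example.com/inbox\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cookie: lang=en; sid=8f3a1c; login=alice@example.com; prev=bob\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line and a header dict.

    Only the head is parsed; any body after the blank line is ignored.
    Header names are lower-cased because HTTP treats them case-insensitively.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def split_cookie(header: str) -> dict:
    """Break a Cookie header into name -> value crumbs.

    Every crumb is kept, including ones whose meaning is unknown; that mirrors
    the slide's point that the whole cookie field is exposed, not just the
    parts a protocol parser understands.
    """
    crumbs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if name:
            crumbs[name] = value if sep else ""
    return crumbs


def exposed_fields(raw: bytes) -> dict:
    """Return the fields the slides list as broken out of a cleartext request."""
    req = parse_request(raw)
    url = urlsplit(req["target"])
    h = req["headers"]
    return {
        "host": h.get("host", ""),
        "url_path": url.path,
        # parse_qs decodes '+' and %xx escapes, so search terms come out readable.
        "url_args": {k: v[0] for k, v in parse_qs(url.query).items()},
        "language": h.get("accept-language", ""),
        "browser": h.get("user-agent", ""),
        "referer": h.get("referer", ""),
        "cookie": split_cookie(h.get("cookie", "")),
    }


def identifier_like_cookies(fields: dict) -> list:
    """Names of cookie crumbs whose value looks like an account identifier.

    Heuristic used here: the value contains '@' (an e-mail style login).
    """
    return sorted(name for name, value in fields["cookie"].items() if "@" in value)


if __name__ == "__main__":
    found = exposed_fields(SAMPLE_REQUEST)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("identifier-like cookies:", identifier_like_cookies(found))
```

On the constructed request this reports the host, the `/search` path, the decoded search terms, the language, the browser string, the webmail referer and four cookie crumbs, and flags `login` as identifier-like. With TLS in place a network observer sees none of these fields, only the destination address and the server name in the handshake, which is why enforcing HTTPS and keeping account identifiers out of cookies are the standard mitigations for exactly the exposure these slides describe.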
Page 29 from HTTP Activity vs User Activity
27 May HTTP Activity
Look at the full cell value: Cookie: lang=ar; ... (Screenshot of the result table with the cell's context menu open: View Session, Show All Row Values, Mark Metadata Row as Important, Send to Agility Realtime, Execute Persona Analysis Query, Cell Actions, Filters, Show Cell Value, "where Cookie Equals 'lang=ar; ...'" and "Uncheck where Cookie Equals 'lang=ar; ...'".)
Page 30 from HTTP Activity vs User Activity
27 May HTTP Activity
By looking at the full cookie, the analyst noticed what appeared to be the target's username. (Screenshot of the full cookie value, beginning lang=ar; followed by several further name=value pairs, unreadable in this copy.)
Page 31 from HTTP Activity vs User Activity
27 May HTTP Activity
The content also shows the cookie value: (Screenshot of the raw GET request with headers Accept, Referer, Accept-Language: en-us, Accept-Encoding: gzip, deflate, User-Agent: Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; SV1), Host, Connection: Keep-Alive and a Cookie header containing the same pairs, ending with a "logged in" value.)
Page 32 from HTTP Activity vs User Activity
27 May Maktoob Activity
Why wasn't this activity in MARINA or User Activity (both fed by AppProc)? Because Protocol Exploitation hadn't identified this particular Maktoob service. Since it hadn't been identified, AppProc could not produce meta-data and DECODEORDAIN was not producing permutations for strong selection.
Page 33 from HTTP Activity vs User Activity
Maktoob Activity 27 May
In this particular case, from Protocol Exploitation were able to determine that the cookie was identifying the "previous user" but not the "active user".
Page 34 from HTTP Activity vs User Activity
Moral of the story
Internet applications are dynamic, and protocol are not able to identify and build capabilities to exploit every known application. It's important that target use tools like XKS to aggressively develop their target to uncover applications that are previously unidentified or are not currently being processed properly.
Page 35 from HTTP Activity vs User Activity
Moral of the story
The Multi-Search page gives you the ability to search full log and HTTP activity based on an IP address at the same time. Simply enter in an IP address, choose any or all IP roles (i.e. from/to/either) and then choose what (Screenshot of the Multi-Search form: IP Addresses, roles From/To/Either, and the selectable searches: Call Logs, Category DNI, Cellular DNI, Passwords, X-Forwarded-For, Document Metadata, Document Tagging, User Activity, Phone Number Extractor, Email Addresses, Extracted Files, Full Log, HTTP Activity, IRC Parser, Geolocation, Logins and Passwords, Microplugin Metadata.)
Page 36 from HTTP Activity vs User Activity
Who to contact
If you discover examples that don't seem to be processing correctly, don't hesitate to contact the experts at