Detecting Command Injection Attacks-LetsDefend Course File Practice
Analyzing a Command Injection Attack Course Files
A Command Injection attack (shell injection) is a web security vulnerability that lets an attacker execute malicious commands on the host operating system (OS).
Before starting any analysis…
Prior: Please use a hypervisor (virtual machine) to analyze any alerts so you do not expose your own machine to malware. If you do not know how to install a hypervisor and import an image ISO file, then check out this article: https://medium.com/@mariah.c.spencer/how-to-install-a-vm-with-an-image-iso-bc899676ca8a
- Download File Name: Command Injection — Web Attacks.rar
- You will need to extract the .rar file. I personally use the BreeZip application, which I downloaded from the Microsoft PlayStore.
When you open the unzipped file, it will be a text (txt) document.
Tip (optional): to view logs/code more easily than in Notepad/WordPad, you can use Visual Studio Code, but we are using WordPad for now.
The document looks something like this:
1. (Investigate ‘Command Injection — Web Attacks’ File) What date did the Command Injection attack begin?
Format Example: 01/Mar/2022:12:00:00
When checking through the logs, it is good to look for keywords so a command injection attack is easier to detect. I searched for “ls” and some command lines contained it. From this, the attack initially started at 01/Mar/2022:09:03:33.
I found another keyword, “dir”, but as you can see above, it was executed at 01/Mar/2022:09:04:00.
2. (Investigate ‘Command Injection — Web Attacks’ File) What is the IP address of the attacker who performed the Command Injection attack?
The IP address is 192.168.31.156
3. (Investigate ‘Command Injection — Web Attacks’ File) Was the Command Injection attack successful?
No, because we do not have any evidence from the HTTP response size and status code.
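As an added example (not part of the course file or of this write-up), the following Python script automates the three checks above over constructed Apache-style access log lines: it URL-decodes each request, flags query strings where a shell metacharacter is followed by a common command name, reports the first timestamp and the source IPs, and applies a status/size heuristic for whether command output came back. The log lines, the field layout and the keyword list are assumptions.

```python
import re
from urllib.parse import unquote_plus
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the course
# file); the source IP and the first two timestamps follow the walkthrough.
SAMPLE_LOG = """\
192.168.31.156 - - [01/Mar/2022:09:03:20 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.31.156 - - [01/Mar/2022:09:03:33 +0000] "GET /ping.php?ip=127.0.0.1;ls HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.31.156 - - [01/Mar/2022:09:04:00 +0000] "GET /ping.php?ip=127.0.0.1%7Cdir HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.31.156 - - [01/Mar/2022:09:04:30 +0000] "GET /ping.php?ip=127.0.0.1%26%26whoami HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2022:09:05:10 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "curl/7.68"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# A metacharacter (or "=", start, whitespace) followed by a command name seen in probes
INJECT_RE = re.compile(r'(?:^|[;|&`$(=\s])(?:ls|dir|cat|whoami|id|uname|pwd)(?:\s|$|[;|&])', re.I)

def parse(log_text):
    """Parse combined-format lines into dicts with decoded path, status and size."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        d = m.groupdict()
        d["path"] = unquote_plus(d["path"])     # decode %7C, %26, + etc.
        d["ts"] = d["ts"].split(" ")[0]         # drop the timezone offset
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        events.append(d)
    return events

def find_injections(events):
    """Keep only requests whose query string looks like a command injection."""
    return [e for e in events if INJECT_RE.search(e["path"].split("?", 1)[-1])]

def summarize(log_text):
    hits = find_injections(parse(log_text))
    if not hits:
        return None
    return {
        "first_seen": hits[0]["ts"],
        "sources": Counter(h["ip"] for h in hits),
        # Heuristic only: a 2xx with a non-empty body suggests output was returned;
        # confirm by reading the response body or the application's own logs.
        "likely_success": [h for h in hits if 200 <= h["status"] < 300 and h["size"] > 0],
    }
```

The constructed lines reproduce the walkthrough's situation for the "ls" and "dir" probes (no usable status or size evidence) and add a later "whoami" probe that the heuristic would flag for manual confirmation.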