Final Engagement

Attack, Defense & Analysis of a Vulnerable Network

Team 4: Anar Jafarov, Mohamed Mohamed, Sabrina Yussef, William Song, Yevgeniya Poshtar

Table of Contents (PART 1 - RED TEAM)

This document contains the following resources:

Network Topology & Critical Vulnerabilities

Exploits Used

Avoiding Detection

Maintaining Access

Network Topology & Critical Vulnerabilities

Network Topology

Network

  • Address Range: 192.168.1.0/24
  • Netmask: 255.255.255.0
  • Gateway:

Machines

  • Target 1: IPv4 192.168.1.110, OS Linux
  • Target 2: IPv4 192.168.1.115, OS Linux
  • Kali: IPv4 192.168.1.90, OS Linux
  • Capstone: IPv4 192.168.1.105, OS Linux
  • ELK: IPv4 192.168.1.100, OS Linux

Critical Vulnerabilities: Target 1

Our assessment uncovered the following critical vulnerabilities in Target 1.

Vulnerability: WordPress Website Vulnerability (Version 4.8.14)
Description: wpscan scans WordPress websites for known vulnerabilities, users, passwords, etc. In addition, the website runs over HTTP, an insecure service: data sent between servers and browsers is not encrypted but sent in plain text, which allows an attacker to intercept the connection and steal data.
Impact: Enumerates users, displays weak passwords and vulnerable plugins, and detects the version of WordPress in use. We were able to access the Raven website over insecure HTTP, intercept the data sent over it and identify flag 1. We were also able to gain access to a user's account by brute-forcing the user's credentials.

Vulnerability: SSH Vulnerability
Description: Exploiting the SSH weakness allows an attacker to gain access to remote systems and privileged accounts.
Impact: Ability to access a privileged account and navigate to the root directory (in our example we were able to navigate to the /var directory, where we captured flag2.txt).

Vulnerability: MySQL Database Exploit
Description: This vulnerability allows an attacker to exploit a password bypass in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server.
Impact: With the usernames and passwords of privileged users, an attacker can establish a connection with the target machine and gain access to confidential information.

Critical Vulnerabilities: Target 1 (cont’d)

Vulnerability: Weak usernames and passwords
Description: The usernames and passwords were very weak and easy to guess.
Impact: Attackers can easily gain access to the system by guessing or brute-forcing the credentials with John the Ripper.

Vulnerability: Python privilege escalation
Description: The python utility was available to a non-root user.
Impact: An attacker can use it to spawn a shell and gain root access.

Critical Vulnerabilities: Target 2

Our assessment uncovered the following critical vulnerabilities in Target 2.

Vulnerability: WordPress Website Vulnerability
Description: Ability to execute code from unknown folders. WordPress has no mechanism to curb the execution of code in unknown folders, so attackers can easily place malicious code there to carry out malicious activities.
Impact: In our example we were able to access the Uploads folder, where we found flag 3.png. An attacker would be able to inject malicious code into that folder.

Vulnerability: PHPMailer Remote Code Execution Vulnerability (CVE-2016-10033)
Description: PHPMailer is an open source PHP library for sending emails from PHP websites. This critical vulnerability is caused by class.phpmailer.php incorrectly processing user requests. As a result, remote attackers are able to execute code on vulnerable servers.
Impact: To exploit this vulnerability we were able to install and run a script that executes malicious code on the vulnerable machine. As a result we were able to navigate to the root /var directory on Target 2. From there we got access to other directories, in this case the /www directory, where we found flag 2.

Vulnerability: MySQL UDF Dynamic Library Exploit
Description: User Defined Functions (UDF) in MySQL are functions loaded from a dynamic library and called from inside MySQL. The MySQL database was running with root privileges, and the UDF technique allowed us to install and run code as root.
Impact: Using a default install of MySQL and running it as the root user is a huge threat: an attacker is able to escalate their privileges to root by using the User Defined Functions technique.

Exploits Used

Exploitation 1: WordPress Website Vulnerability

  • Run command: wpscan --url http://192.168.1.110/wordpress --wp-content-dir -ep -et -eu
  • Gained access to the vulnerable, insecure website, from which we were able to intercept data (flag 1)

Exploitation 2: SSH Vulnerability

  • As a result of running the wpscan command from the previous step we identified 2 users: Michael and Steven
  • SSH to the user's (Michael's) account after obtaining the user's credentials through a brute-force attack:

Exploitation 3: MySQL Database Exploit

  • By exploiting the MySQL and WordPress services we were able to obtain the password to the MySQL database

Exploitation 4: WordPress Website Vulnerability (on Target 2)

Install gobuster, a tool used to brute-force URIs (including directories and files) on a web site

  • Run: gobuster dir -u 192.168.1.115/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt - this command enumerates the directories on the web server at 192.168.1.115

Exploitation 4: WordPress Website Vulnerability (on Target 2, cont'd)

  • From the previous step we discovered that the PHP vendor library (PHPMailer) is version 5.2.16
  • This allowed us to identify the vulnerability: PHPMailer Remote Code Execution Vulnerability (CVE-2016-10033).
  • PHPMailer is an open source PHP library used for sending emails from PHP websites. When compromised, remote attackers are able to execute code

Exploitation 5: PHPMailer Remote Code Execution Vulnerability (CVE-2016-10033)

In the previous step we identified the PHPMailer Remote Code Execution Vulnerability (CVE-2016-10033).

In order to exploit that vulnerability we ran a script running the following commands:

As a result we were able to navigate to the root /var directory on Target 2. From there we got access to the /www directory, where we found flag 2.

Exploitation 5: PHPMailer Remote Code Execution Vulnerability - Exploitation of Uploads Folder

Exploitation 6: Escalating to Root Privileges

  • We carried out this exploit by first using searchsploit to pull a copy of exploit #1518 that we found on Exploit-DB, and created a folder to save our new files in.

  • After editing our 3 files we imported them onto the www-data account we had gained access to previously, in order to upload our dynamic UDF library
  • These files were a set of custom-written dynamic libraries that contained the UDFs we needed to gain root access.

  • After accessing MySQL remotely as root we were able to add our UDF to the functions table we had created in the MySQL database.
  • We had configured MySQL to dump our dynamic library files into a table on the target victim's host system
  • Shortly after, we transferred a copy of Netcat to the victim's host so we could obtain a shell on the target host.

  • After setting up our Netcat listener on port 4321, we gained root access, which gave us unlimited access to the target system, and we discovered Flag 4!

Avoiding Detection

Stealth Exploitation of WordPress Website Vulnerability

Monitoring Overview

  • Which alerts detect this exploit?

Excessive HTTP Errors should detect it, but it did not fire during our exploitation.

  • Which metrics do they measure?

Metric: number of HTTP 400+ error responses

  • Which thresholds do they fire at?

Threshold: top five HTTP response status codes above 400 for the last 5 minutes

  - The alert did not fire at the threshold above.
  - We recommend reconfiguring it to a lower threshold or a shorter timeframe (e.g. a 1-minute interval).

Mitigating Detection

  • How can you execute the same exploit without triggering the alert?
  • Are there alternative exploits that may perform better?

A more recently disclosed vulnerability in the ThemeGrill Demo Importer plugin, which was installed on over 100,000 sites, was published in February: a severe flaw that resets the whole database.

Maintaining Access

Backdooring the Target

Backdoor Overview

Table of Contents (PART 2 - BLUE TEAM)

This document contains the following resources:

Network Topology & Critical Vulnerabilities

Alerts Implemented

Hardening

Implementing Patches

Alerts Implemented

Alert 1 - Excessive HTTP Errors

Excessive HTTP Errors is implemented as follows:

  • Metric: number of HTTP 400+ error responses
  • Threshold: top five HTTP response status codes above 400 for the last 5 minutes
  • Fires when a client has produced too many failing requests within the given window (here 5 minutes)

Alert 2 - HTTP Request Size Monitor

HTTP Request Size Monitor is implemented as follows:

  • Metric: size of incoming HTTP requests, measured in bytes; triggers when requests carry a larger-than-average amount of data
  • Threshold: sum of bytes in incoming HTTP requests over all documents is above 3,500 for the last 1 minute
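An added example (not the team's Kibana watcher configuration) that evaluates both alert rules above over constructed Apache access-log lines, so the red team's observation that a scanner burst stays under a 5-minute window can be reproduced offline. Assumptions: the Alert 1 threshold is read as a count of 400+ responses above 400, and the log's size column stands in for request bytes.

```python
import re
from datetime import datetime, timedelta
# Apache "combined" access-log line: client, timestamp, request, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)')

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group(4) == "-" else int(m.group(4))
    return {"src": m.group(1), "ts": ts, "status": int(m.group(3)), "bytes": size}

def in_window(records, end, minutes):
    """Records in (end - minutes, end], i.e. Kibana's 'for the last N minutes'."""
    start = end - timedelta(minutes=minutes)
    return [r for r in records if start < r["ts"] <= end]

def excessive_http_errors(records, end, minutes=5, threshold=400):
    """Alert 1: count of 400+ responses in the window; fires when above threshold."""
    errors = sum(1 for r in in_window(records, end, minutes) if r["status"] >= 400)
    return errors, errors > threshold

def request_size_monitor(records, end, minutes=1, threshold=3500):
    """Alert 2: sum of bytes in the window; fires when above 3,500 (the slide's value)."""
    total = sum(r["bytes"] for r in in_window(records, end, minutes))
    return total, total > threshold

def build_sample():
    """Constructed sample, not engagement data: one normal page view five minutes
    before a 30-request scanner burst that hits missing plugin paths (404)."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime.strptime("15/Mar/2021:10:00:00 +0000", fmt)
    lines = ['192.168.1.90 - - [15/Mar/2021:09:55:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120']
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'192.168.1.90 - - [{ts}] "GET /wordpress/wp-content/plugins/p{i}/ HTTP/1.1" 404 290')
    return [r for r in map(parse_line, lines) if r]

if __name__ == "__main__":
    recs = build_sample()
    end = max(r["ts"] for r in recs)
    # 5-minute window, count above 400: the burst stays under the bar and nothing fires.
    print(excessive_http_errors(recs, end))
    # Red team's suggestion: a 1-minute window with a lower bar (20) catches the same burst.
    print(excessive_http_errors(recs, end, minutes=1, threshold=20))
    # Alert 2 over the same minute: 30 * 290 bytes is well above 3,500.
    print(request_size_monitor(recs, end))
```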

Alert 3 - CPU Usage Monitor

CPU Usage Monitor is implemented as follows:

  • Metric: CPU usage percentage
  • Threshold: max of the system process CPU total percentage over all documents is above 0.5 for the last 5 minutes

Hardening Against Vulnerabilities

Hardening Against WordPress HTTP Vulnerability:

  • Change the default WordPress login URL
  • Switch from HTTP to secure HTTPS
  • Obtain an SSL certificate

Hardening Against SSH Vulnerability:

  • Configure the firewall to allow only trusted IP addresses
  • Use public-key authentication instead of passwords, as keys are far less exposed to brute-force attacks
  • Limit the maximum number of authentication attempts, which also blunts brute-force attacks

Hardening Against MySQL Database Exploit Vulnerability:

  • Do not run the MySQL database server as root
  • Do not give sudo rights to services

Hardening Against PHPMailer Vulnerability:

  • Upgrade WordPress to the official release 4.7.4 or later to fix the vulnerability
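An added example (not the team's own tooling) for checking two of the SSH hardening items and the MySQL-as-root item above: it audits an sshd_config for key-only authentication and a capped MaxAuthTries, honouring sshd's rule that the first value of a directive wins, and flags a my.cnf that starts mysqld as root. The cap of 3 attempts and the sample configurations are this example's own choices; the trusted-IP firewall rule lives outside sshd and is not covered.

```python
# Values sshd applies when a directive is absent (OpenSSH sshd_config defaults).
SSHD_DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes", "maxauthtries": "6"}

def parse_sshd_config(text):
    """Effective global directives. sshd keeps the FIRST value of a directive, so a later
    'PasswordAuthentication no' does not undo an earlier 'yes'. Directives inside Match
    blocks are skipped (assumption: only the global section is audited)."""
    effective, seen, in_match = dict(SSHD_DEFAULTS), set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments and blanks
        if not line:
            continue
        key, value = (line.replace("=", " ").split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "match":                                    # rest of file is conditional
            in_match = True
        elif not in_match and key not in seen:
            seen.add(key)
            effective[key] = value.strip()
    return effective

def audit_sshd(text, max_tries=3):
    """Findings for keys-instead-of-passwords and the cap on authentication attempts."""
    cfg, findings = parse_sshd_config(text), []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password brute force still possible")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if int(cfg["maxauthtries"]) > max_tries:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']} exceeds {max_tries}")
    return findings

def mysqld_runs_as_root(my_cnf):
    """True if a [mysqld] or [mysqld_safe] section sets user=root; mysqld only runs as
    root when told to explicitly, so that line is the one to remove."""
    section, root = "", False
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section in ("mysqld", "mysqld_safe") and "=" in line:
            k, v = (p.strip().lower() for p in line.split("=", 1))
            root = root or (k == "user" and v == "root")
    return root

# Constructed sample configurations: the weak settings beside the corrected ones.
WEAK_SSHD = "PasswordAuthentication yes\nMaxAuthTries 10\nPasswordAuthentication no\n"
HARDENED_SSHD = "PubkeyAuthentication yes\nPasswordAuthentication no\nMaxAuthTries 3\n"
WEAK_MYCNF = "[mysqld]\nuser = root\ndatadir = /var/lib/mysql\n"
HARDENED_MYCNF = "[mysqld]\nuser = mysql\ndatadir = /var/lib/mysql\n"
```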

Table of Contents

This document contains the following resources:

Network Topology & Critical Vulnerabilities

Traffic Profile

Normal Activity

Malicious Activity

Traffic Profile

Traffic Profile

Our analysis identified the following characteristics of the traffic on the network:

Feature: Top Talkers (IP Addresses)
Value: 10.0.0.201, 10.11.11.11, 10.11.11.121, 10.11.11.179, 10.11.11.195, 10.11.11.200, 10.11.11.217, 172.16.4.205
Description: Machines that sent the most traffic.

Feature: Most Common Protocols
Value: DNS, HTTP, Kerberos, LDAP, HTTPS, SMB
Description: Most common protocols observed on the network.

Feature: # of Unique IP Addresses
Value: 808
Description: Count of observed IP addresses.

Feature: Subnets
Value: 10.6.12.0/24, 172.16.4.0/24, 10.0.0.0/24
Description: Observed subnet ranges.

Feature: # of Malware Species
Value: 1 (june11.dll, a trojan)
Description: Number of malware binaries identified in traffic.

Behavioral Analysis

Purpose of Traffic on the Network

Users were observed engaging in the following kinds of activity.

Normal Activity

  • General internet browsing (DNS caching)
  • Youtube

Suspicious Activity

  • Downloaded malware
  • Infected machine
  • Illegal torrenting

Normal Activity

General Internet Browsing

  • DNS traffic (UDP) was observed.
  • Users were browsing various ordinary websites, including:
    • Apple
    • Microsoft
    • Google

YouTube

  • YouTube traffic was observed over the TLS and SSL protocols

Malicious Activity

Downloaded Malware

  • A custom DC was set up:
    • frank-n-ted-dc.frank-n-ted.com
    • 10.6.12.12
    • used to constantly watch YouTube videos
  • Malware downloaded:
    • june11.dll
    • by 10.6.12.203
  • VirusTotal identified it as malware:
    • 53/71 engines detected it
    • identified as a trojan

Infected Machine

  • The infected machine (172.16.4.205) connected over HTTP to a malicious IP address. On inspection we can see a bunch of HTTP POST requests going from the same source IP to the same destination.
  • The infected machine tried to open the suspicious web link http://31.7.62.214/fakeurl.html
  • When we checked the destination IP address we observed that it is a potentially malicious IP.

Illegal Torrenting

  • There was normal BitTorrent traffic consisting of handshakes (both machines acknowledging each other) using the BitTorrent protocol.
  • BitTorrent involves two machines sharing files, which is allowed.
  • The infected machine, called BLANCO's desktop, with the IP address 10.0.0.201 and the MAC address 00:16:17:18:66:c8, runs Windows 10.
  • There was a slew of suspicious activity involving JPEG files being shared over HTTP, and in the midst of it a file was downloaded.
  • The user downloaded a file called Betty_Boop_on_the_Reservation.avi.torrent
