1 of 22

Capstone Engagement

Assessment, Analysis, and Hardening of a Vulnerable System


Table of Contents

This document contains the following sections:

01  Network Topology

02  Red Team: Security Assessment

03  Blue Team: Log Analysis and Attack Characterization

04  Hardening: Proposed Alarms and Mitigation Strategies


Network Topology


Network

Address Range: 192.168.1.0/24

Netmask: 255.255.255.0

Gateway: 192.168.1.1

Machines

IPv4: 192.168.1.90

OS: Linux

Hostname: Kali

IPv4: 192.168.1.100

OS: Linux

Hostname: ELK

IPv4: 192.168.1.105

OS: Linux

Hostname: Capstone

[Network diagram of the 192.168.1.0/24 lab network]


Red Team

Security Assessment


Recon: Describing the Target

Nmap identified the following hosts on the network:

Hostname    IP Address      Role on Network
Capstone    192.168.1.105   Target VM; attacked from the Kali host (192.168.1.90)
ELK Server  192.168.1.100   VM that receives the log data from the target VM (Capstone: 192.168.1.105)
Kali        192.168.1.90    Attacking VM for this engagement


Vulnerability Assessment

The assessment uncovered the following critical vulnerabilities in the target:

Vulnerability: Brute Force Attack
Description: The attacker used the Hydra command to brute force and retrieve Ashton's password. That password let the attacker move on to the next step against the target VM.
Impact: Because the login could be brute forced with ease, the attacker gains valid credentials, which in turn give them access to confidential data.

Vulnerability: Cryptographic Failure
Description: In this instance the attacker was able to read the secret_folder directory and the connect_to_corp_server file because they were not protected, allowing the WebDAV credentials in them to be compromised.
Impact: Because these folders were not protected, the attacker has an easier way to obtain credentials and move on to the next phase of the attack.

Vulnerability: Reverse Shell Upload Exploit
Description: Using the stolen credentials of an employee, the attacker uploaded a reverse shell to the WebDAV share. This opened a shell session on the server back to the attacker, allowing them to find and capture the contents of the flag.txt file.
Impact: A reverse shell lets the attacker open a connection to the target machine, enabling a complete takeover of the machine.


Exploitation: Brute Force Attack

Tools & Processes

I exploited the target VM using brute force, since the site exposed the existence of the secret_folder (1).

We were able to break into one of the employees' accounts. We had information on three employees: Hannah, Ashton, and Ryan (2, 3, 4).

After unzipping the rockyou.txt wordlist on the attacker machine, I ran the following Hydra command (5):

hydra -l ashton -P /usr/share/wordlists/rockyou.txt -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder

This command used Ashton's employee username and found the password to his account.

That let me log in to his account and access the secret_folder.


Achievements

This exploit let me log in to the website with Ashton's credentials.

That let me (the attacker) move on to the next step: viewing the secret_folder directory and continuing with my plan (6).

After viewing the directory, I was able to view the connect_to_corp_server file (7). This led to my next step, which was logging in to the WebDAV share.


Exploitation: Cryptographic Failures

Tools & Processes

Cryptographic failure was a major exploitation point in this project; without it, my job as the attacker would have been much harder.

The simple task of protecting the secret_folder directory was not done, which eventually let me log in to the WebDAV share, plant a reverse shell, and find the flag.txt file.

It is a common class of exploitation.

I learned of the secret_folder directory because all the files on the website mentioned it (1). To access it, I brute forced one of the employees' accounts (Ashton) (2), because he had access to it. After brute forcing, I was able to open the secret_folder directory and view the connect_to_corp_server file (3), which helped me eventually log in to the WebDAV share and plant my reverse shell.


Achievements

This exploit helped me achieve my end goal of finding the flag.txt file. The mention of the secret_folder in every file led me to believe it held something important. I tried accessing it from the web but needed credentials. After viewing the contents of a file about Ashton, I knew I needed to brute force his credentials. After brute forcing, I was able to view the secret_folder directory (4) and move forward to the next step of my plan.


Exploitation: Reverse Shell Upload Exploit

Tools & Processes

To start this process, we obtained the credentials for Ryan, who had the access needed to upload our reverse shell payload.

On our attacking machine (Kali), I saved my command (1) into a shell.php file.

Then I launched msfconsole and ran these commands (2).

The shell payload file was created in my root directory, so I moved it to my WebDAV directory (3, 4, 5).

Next I logged in to the site through its front end, where I entered Ryan's credentials (6).

After logging in to the WebDAV share, I clicked on the shell.php file (7).

Then I was able to find the flag.txt file (8, 9).


Achievements

Because I ran the reverse shell, the uploaded file opened a connection from the target device back to the attacker, which allowed the attacker to access the files located on the target device.


Blue Team

Log Analysis and Attack Characterization


Analysis: Identifying the Port Scan

  • What time did the port scan occur?
    • The port scan occurred on July 18th at 2:20 am
  • How many packets were sent, and from which IP?
    • The count shows 16,620 packets, sent from 192.168.1.90 (Kali: attacker)
  • What indicates that this was a port scan?
    • We filtered the logs on source IP Kali (192.168.1.90) and destination IP Capstone (192.168.1.105) and counted how many transactions (HTTP transactions) occurred; that volume of transactions between one source and one destination in a short window indicates a port scan

[Screenshot: Kibana logs depicting the port scan]


Analysis: Finding the Request for the Hidden Directory

  • What time did the request occur? How many requests were made?
    • The requests occurred from 2:20 am until 2:45 am on July 18th, 2022
    • 16,416 requests occurred during that time frame
  • Which files were requested? What did they contain?
    • In this instance, the company_folders/secret_folder/connect_to_corp_server file was requested
    • It contains the data needed to carry out the reverse shell and locate the flag.txt file

[Screenshot: Kibana logs depicting the request for the hidden directory]


Analysis: Uncovering the Brute Force Attack

  • How many requests were made in the attack?
    • There were 16,416 requests made in the attack
  • How many requests had been made before the attacker discovered the password?
    • The attacker took 4 requests before identifying the password

[Screenshot: Kibana logs depicting the brute force attack]


Analysis: Finding the WebDAV Connection

  • How many requests were made to this directory?
    • 98 requests were made to the webdav directory
  • Which files were requested?
    • 24 requests were made for the webdav/shell.php file
    • 16 requests were made for the webdav/passwd.dav file

[Screenshot: Kibana logs depicting the WebDAV connection]


Blue Team

Proposed Alarms and Mitigation Strategies


Mitigation: Blocking the Port Scan

What kind of alarm can be set to detect future port scans?

  • It would be very useful to have alarms for future port scans. I believe the best option would be low-level alerts with thresholds: once the number of requests from a source passes a certain amount, the system admin gets an email about it

What threshold would you set to activate this alarm?

  • I would set the threshold at anything over 10 scans in an hour.

What configurations can be set on the host to mitigate port scans?

  • I would implement regular security check-ups on all the open ports in the system.
  • I would deploy an intrusion detection system and review it regularly. If the IDS frequently alerts on a non-user scanning for open ports, I would have the directory/file the non-user (attacker) was looking for disabled or removed from the server.
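The threshold alarm proposed above, as an added example that is not part of the original report: it takes connection records of the kind a host firewall log or Packetbeat flow would provide, counts how many distinct destination ports each source touched inside a sliding one-hour window, and raises an alert for any source that passes the "over 10 in the hour" threshold. The connection records are constructed; the IP addresses are the ones from the report's topology, and the ports used for the ELK traffic are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection records: (timestamp, source IP, destination IP,
# destination port). 192.168.1.90 is the Kali host and 192.168.1.105 the Capstone
# target from the report; 192.168.1.100 is the ELK server (its ports are assumed).
SAMPLE_CONNECTIONS = [
    ("2022-07-18T02:20:01", "192.168.1.90", "192.168.1.105", port)
    for port in range(21, 33)  # twelve distinct ports hit within one second
] + [
    ("2022-07-18T02:21:00", "192.168.1.100", "192.168.1.105", 5044),
    ("2022-07-18T02:21:05", "192.168.1.100", "192.168.1.105", 5044),
    ("2022-07-18T03:30:00", "192.168.1.100", "192.168.1.105", 9200),
]

PORT_SCAN_THRESHOLD = 10        # "anything over 10 scans in the hour"
WINDOW = timedelta(hours=1)


def detect_port_scans(connections, threshold=PORT_SCAN_THRESHOLD, window=WINDOW):
    """Return {source_ip: (window_start_iso, distinct_targets)} for every source
    that touched more than `threshold` distinct (destination, port) pairs inside
    any sliding window of length `window`. A legitimate host that repeatedly
    hits the same one or two ports never crosses the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in connections:
        by_src[src].append((datetime.fromisoformat(ts), dst, dport))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best_count, best_start = 0, None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(dst, dport) for _, dst, dport in events[start:end + 1]}
            if len(targets) > best_count:
                best_count, best_start = len(targets), events[start][0]
        if best_count > threshold:
            alerts[src] = (best_start.isoformat(), best_count)
    return alerts


def format_alert(src, window_start, count):
    """One line suitable for the email the report proposes sending the admin."""
    return f"PORT SCAN: {src} touched {count} distinct ports since {window_start}"


if __name__ == "__main__":
    for src, (window_start, count) in detect_port_scans(SAMPLE_CONNECTIONS).items():
        print(format_alert(src, window_start, count))
```

Counting distinct destination ports rather than raw packets is what keeps the ELK server, which talks to the same two ports all day, from tripping the alarm while a scanner that touches a dozen ports in a second does.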


Mitigation: Finding the Request for the Hidden Directory

What kind of alarm can be set to detect future unauthorized access?

  • Implement an alert where the system admin gets an email for any access to a folder by a non-authorized user, specifically on this directory.

What threshold would you set to activate this alarm?

  • I wouldn’t have a threshold. If one offense is committed, alarm goes off.

What configuration can be set on the host to block unwanted access?

  • After a user has committed one offense, the account is blocked until further notice. Only a user with authority can unlock the account. If a pattern of multiple users accessing the directory is seen, the directory/file will be removed from the server.


Mitigation: Preventing Brute Force Attacks

What kind of alarm can be set to detect future brute force attacks?

  • I would implement multi-level alerts.
  • One would be an alert for when a user has 3 password failures.
  • The other would be a critical alert for when a user has more than 8 password failures.

What threshold would you set to activate this alarm?

  • The threshold would be 3 failures to alert the system admin; when it reaches 5, the account is locked for the whole day.

What configuration can be set on the host to block brute force attacks?

  • After 3 failed attempts, the account is temporarily disabled for one hour. After the hour has passed, the user has 2 more attempts before the account is locked.
  • Require every user to use multi-factor authentication to log in to their account.
  • Limit user access (do not give users the same access as a system admin).
  • Implement a password strength requirement and force a password change every 6 months.
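The tiered failed-login alarm above, as an added example that is not part of the original report: it reads Apache-style access log lines, counts consecutive 401 responses per (user, source IP), and raises the report's three tiers, an email at 3 failures, a lock at 5, and a critical alert above 8. The log lines are constructed; they reuse the report's hosts, paths and user names, and the one-hour temporary disable from the host configuration is not modelled here.

```python
import re
from collections import defaultdict

# Apache "combined"-style access log line: client, ident, auth user, timestamp,
# request line, status, size. For a failed HTTP Basic auth attempt Apache still
# records the username that was offered (its docs note the value may be bogus on
# a 401), which is exactly what a per-account failure counter needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Tiers taken from the report's proposed alarm.
WARN_AT = 3          # email the system admin
LOCK_AT = 5          # lock the account for the day
CRITICAL_ABOVE = 8   # critical alert once failures exceed this


def _line(ip, user, sec, status, path="/company_folders/secret_folder"):
    """Build one constructed access-log line."""
    return (f'{ip} - {user} [18/Jul/2022:02:20:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 381')


# Constructed sample: unrelated traffic from the ELK host, Ashton's password falling
# on the fifth try (four 401s then a 200, matching "4 requests before identifying
# the password"), and nine straight failures against Hannah's account.
LOG_LINES = (
    [_line("192.168.1.100", "-", 0, 200, "/")]
    + [_line("192.168.1.90", "ashton", s, 401) for s in range(10, 14)]
    + [_line("192.168.1.90", "ashton", 14, 200)]
    + [_line("192.168.1.90", "hannah", s, 401) for s in range(20, 29)]
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def evaluate_auth_failures(lines):
    """Walk access-log lines in order and return the alarm events raised, each as
    (severity, user, source_ip, consecutive_failures). A successful (2xx) request
    by the same user/IP resets that pair's counter."""
    failures = defaultdict(int)
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue
        key = (rec["user"], rec["ip"])
        if rec["status"] == 401:
            failures[key] += 1
            n = failures[key]
            if n == WARN_AT:
                events.append(("warn", *key, n))
            elif n == LOCK_AT:
                events.append(("lock", *key, n))
            elif n == CRITICAL_ABOVE + 1:
                events.append(("critical", *key, n))
        elif 200 <= rec["status"] < 300:
            failures[key] = 0
    return events


if __name__ == "__main__":
    for severity, user, ip, n in evaluate_auth_failures(LOG_LINES):
        print(f"{severity.upper():8} {user}@{ip}: {n} consecutive failed logins")
```

Keying the counter on the user and the source address together is what lets the alarm distinguish one person mistyping a password from one machine working through a wordlist against an account.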


Mitigation: Detecting the WebDAV Connection

What kind of alarm can be set to detect future access to this directory?

  • Create an alert so that any time the directory is accessed from a machine that doesn't have access, the system admin gets an urgent email about it.

What threshold would you set to activate this alarm?

  • There wouldn't be a threshold; after a single event, the authorized users are urgently alerted.

What configuration can be set on the host to control access?

  • Block access from any public IP that isn't registered in the system.
  • Require users who have access to reach it only from a private VM.
  • Place firewall rules on shared folders so they are only accessed by allowed machines.
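The zero-threshold access alarm proposed for the hidden directory (above, under "Finding the Request for the Hidden Directory") and for the WebDAV share (this slide), as one added example that is not part of the original report: each indexed request is checked against an allow list of which (user, source IP) pairs may touch each protected location, and the first request from outside that list fires. The events are constructed in a simplified version of the field layout Filebeat's Apache module indexes into Elasticsearch; the user names and paths come from the report, while the allow-listed address 192.168.1.50 is an assumed "registered" private machine.

```python
import json

# Which (username, source IP) pairs may touch each protected location.
# Ashton had access to secret_folder and Ryan to WebDAV per the report;
# 192.168.1.50 is an assumed registered, private machine.
ALLOW_LIST = {
    "/company_folders/secret_folder": {("ashton", "192.168.1.50")},
    "/webdav": {("ryan", "192.168.1.50")},
}

# Constructed events, one JSON document per request, using ECS-style field names.
SAMPLE_EVENTS = [
    '{"@timestamp": "2022-07-18T02:19:40Z", "source.ip": "192.168.1.50", "user.name": "ashton", '
    '"http.request.method": "GET", "url.path": "/company_folders/secret_folder", "http.response.status_code": 200}',
    '{"@timestamp": "2022-07-18T02:20:10Z", "source.ip": "192.168.1.90", "user.name": "ashton", '
    '"http.request.method": "GET", "url.path": "/company_folders/secret_folder", "http.response.status_code": 401}',
    '{"@timestamp": "2022-07-18T02:31:07Z", "source.ip": "192.168.1.90", "user.name": "ashton", '
    '"http.request.method": "GET", "url.path": "/company_folders/secret_folder/connect_to_corp_server", "http.response.status_code": 200}',
    '{"@timestamp": "2022-07-18T02:40:12Z", "source.ip": "192.168.1.90", "user.name": "ryan", '
    '"http.request.method": "PUT", "url.path": "/webdav/shell.php", "http.response.status_code": 201}',
    '{"@timestamp": "2022-07-18T02:41:00Z", "source.ip": "192.168.1.100", "user.name": "-", '
    '"http.request.method": "GET", "url.path": "/index.html", "http.response.status_code": 200}',
]


def protected_prefix(path):
    """Return the protected location that `path` falls under, or None."""
    for prefix in ALLOW_LIST:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None


def check_event(event):
    """Evaluate one indexed request. No threshold: a single request to a protected
    location from a user/IP pair outside its allow list produces an alert. A granted
    request (status < 400) is 'urgent'; a refused one is still reported as 'warning',
    because a run of refusals is what a credential-guessing attempt looks like."""
    prefix = protected_prefix(event.get("url.path", ""))
    if prefix is None:
        return None
    who = (event.get("user.name", "-"), event.get("source.ip"))
    if who in ALLOW_LIST[prefix]:
        return None
    status = event.get("http.response.status_code", 0)
    return {
        "severity": "urgent" if status < 400 else "warning",
        "time": event.get("@timestamp"),
        "user": who[0],
        "source_ip": who[1],
        "method": event.get("http.request.method"),
        "path": event["url.path"],
        "status": status,
        "protected": prefix,
    }


def scan(event_docs):
    """Run check_event over raw JSON documents and return the alerts raised."""
    alerts = []
    for doc in event_docs:
        alert = check_event(json.loads(doc))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["severity"].upper():8} {a["user"]}@{a["source_ip"]} '
              f'{a["method"]} {a["path"]} -> {a["status"]} (protected: {a["protected"]})')
```

With the report's attack replayed through it, the rule fires on the 401 from the Kali host, on the successful read of connect_to_corp_server, and on the PUT of shell.php into the WebDAV share, while Ashton's own access from the registered machine stays silent.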


Mitigation: Identifying Reverse Shell Uploads

What kind of alarm can be set to detect future file uploads?

  • Since the reverse shell was implemented through port 4444, I would implement an alert on any traffic moving through port 4444.
  • Another alert would cover any upload of a file whose name ends in .php.

What threshold would you set to activate this alarm?

  • There wouldn't be a threshold, as any traffic over port 4444 would be alerted to the authorized users.
  • Any upload of a .php file will be blocked.

What configuration can be set on the host to block file uploads?

  • The best way to block traffic through port 4444 would be to close it completely or block it during unwanted hours.
  • The best way to block .php files being uploaded would be to remove the ability to upload .php extensions; but since attackers can change the extension and still upload, I would remove the ability to upload files altogether.
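The upload rule above, including the renamed-extension case it worries about, as an added example that is not part of the original report: a decision function the server would call before accepting a WebDAV upload. It applies the report's fallback of disabling uploads entirely, refuses script extensions anywhere in the file name (so shell.php.jpg does not pass), and inspects the content so that a PHP file renamed to photo.jpg is still refused. The allowed-extension list and the sample uploads are assumptions for the example.

```python
import os

# Extensions the WebDAV share is meant to hold. An assumption for the example;
# the report only states that .php uploads must be refused.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg", ".docx", ".csv"}

# Any of these anywhere in the file name (shell.php.jpg, shell.phtml, shell.php5)
# is refused, not just a trailing ".php".
SERVER_SCRIPT_PREFIXES = (".php", ".phtml", ".phar")

# Byte markers that identify PHP source regardless of what the file is called.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def upload_decision(filename, content, uploads_enabled=True):
    """Return (allowed, reason) for a proposed upload.

    Three checks, in order: a global kill switch (the report's fallback of
    removing the ability to upload at all), an extension allow list that also
    rejects script extensions hidden inside the name, and a content check so
    that renaming shell.php to photo.jpg does not evade the rule."""
    if not uploads_enabled:
        return False, "uploads are disabled on this share"

    name = os.path.basename(filename).lower()
    parts = name.split(".")
    exts = ["." + p for p in parts[1:]]          # every dotted suffix in the name

    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension {exts[-1] if exts else '(none)'} not in allow list"
    if any(e.startswith(SERVER_SCRIPT_PREFIXES) for e in exts):
        return False, "script extension present in file name"

    head = content[:4096].lower()                 # script markers sit at the top
    if any(marker.lower() in head for marker in PHP_MARKERS):
        return False, "PHP source detected in content"

    return True, "ok"


# Constructed upload attempts: the report's shell.php, the renamed variants the
# report worries about, and two ordinary documents.
SAMPLE_UPLOADS = [
    ("shell.php", b"<?php echo 'example'; ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff\xe0 JFIF"),
    ("photo.jpg", b"GIF89a <?php echo 'hidden'; ?>"),
    ("report.pdf", b"%PDF-1.4 ..."),
    ("notes.txt", b"meeting notes"),
]


if __name__ == "__main__":
    for fname, data in SAMPLE_UPLOADS:
        allowed, reason = upload_decision(fname, data)
        print(f'{"ALLOW" if allowed else "DENY ":5} {fname}: {reason}')
```

The content check is the part that matters once an attacker has learned that the extension filter exists: the file name is under their control, but a PHP file the web server will execute has to contain a PHP open tag, and that is what the check looks for.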
