Capstone Engagement

Assessment, Analysis, �and Hardening of a Vulnerable System

Gezahegn Hora, February 8, 2022

Table of Contents

​

This document contains the following sections:

Network Topology

Red Team: Security Assessment

Blue Team: Log Analysis and Attack Characterization

Hardening: Proposed Alarms and Mitigation Strategies

Network Topology

3

Network Topology

Network

Address Range:192.168.1.0/24

Netmask:255.255.255.0

Gateway:192.168.1.1

​

Machines

IPv4:192.168.1.90

OS:Linux

Hostname:Kali

​

IPv4:192.168.1.100

OS:Linux

Hostname:ELK

​

IPv4:192.168.1.105

OS:Linux

Hostname:Capstone

​

IPv4:192.168.1.1

OS:Windows

Hostname:Red Vs Blue

​

​

​

​

​

​

​

​

​

Red Team

Security Assessment

​

5

Recon: Describing the Target

Nmap identified the following hosts on the network:

Vulnerability Assessment

The assessment uncovered the following critical vulnerabilities in the target:

Exploitation: [Open port 80]

Tools & Processes

The attacker used nmap to scan for any open port in the network

​

Achievements

The attacker found out that a machine with an ip address of 192.168.1.105 has an open port 80. He was able to connect into the website and have access to important company folders.

Exploitation: [Brute Force Attack]

Tools & Processes

The attacker used one of brute forcing tools, hydra to crack Ashton’s password from word lists of passwords.

​

Achievements

The attacker was able to crack Ashton’s password and ssh into ashton’s machine to be able to access a secret_folder.

Exploitation: [Brute Force Attack]

Tools used and Processes:

Exploitation: [Unrestricted File Upload]

Tools & Processes

The open port 80 allowed the attacker to connect to the company website so that he uploaded .php file by using local file inclusion (LFI)

Achievements

The attacker uploaded the .php file onto the website. This allowed the execution of the file to initiate reverse shell.

Blue Team

Log Analysis and �Attack Characterization

12

Analysis: Identifying the Port Scan

• The port scan occurred on Feb 01, 2022 at 18:00
• 4474 packets were sent from 192.168.1.90
• A large number of requests were made within a short period of time which indicates that it is a port scan.

Analysis: Finding the Request for the Hidden Directory

​

​

• 16,440 requests were made for the hidden file on Feb 3, 2022 @ 12:45 pm.
• /Company_folders/Secret_folder were requested and it contains document (.doc)

Analysis: Uncovering the Brute Force Attack

• 16,401 requests were made in the brute force attack

​

​

​

​

​

​

​

​

​

Analysis: Uncovering the Brute Force Attack

• 16,401 requests were made in the brute force attack
• Out of the 16,401 requests only 2 were successful.

​

Search command: user_agent.original : "Mozilla/4.0 (Hydra)" and not http.response.status_phrase : "unauthorized"

​

​

​

​

​

​

​

​

​

​

Analysis: Finding the WebDAV Connection

• 70 requests were made for the Webdav directory.
• Shell.php, lib, and passwd.dav files were located in the webdav directory.

Blue Team

Proposed Alarms and �Mitigation Strategies

18

Mitigation: Blocking the Port Scan

• We can set up an alert for 10 port scans in a minute or 100 consecutive ICMP requests.

​

• The alert should be set based on the average requests made.

​

• The threshold would be more than 10 attempts.

​

​

​

​

• Block any untrusted ip reputations or suspicious ip addresses.

​

• Firewall rule: Block any incoming traffic from 192.168.1.90.

​

• Block ping requests.

​

System Hardening

Alarm

Mitigation: Finding the Request for the Hidden Directory

• Alert for any attempt to access the directory or file.

​

• The threshold should be more than one attempt.

​

​

​

​

​

• The Server containing the hidden folder should be partitioned and not allowed to be shared for public access.

​

• Encrypt all data in the secret folder incase of any breach.

​

• Remove the folder from the server.

​

​

​

​

​

System Hardening

Alarm

Mitigation: Preventing Brute Force Attacks

• Alert if ‘401 unauthorized’ is returned to the server.

​

• Alert if the ‘user_agent.original’ contains ‘hydra’ in the name.

​

• We can set a threshold of 5 attempts per hour.

​

​

​

​

• We can drop traffic from the attempting ip address if the number of attempts exceeds the threshold.
• Temporarily lock account exceeding 5 attempts in 30 minutes.
• No root access over ssh.

​

​

​

​

​

​

System Hardening

Alarm

Mitigation: Detecting the WebDAV Connection

• Alert on HTTP, POST, and GET requests.

​

• An alert on an attempt to access the directory from any machine and/or IP that is not recognized by whitelisted IP addresses.�
• Threshold would be one attempt, as access to the folders should not be allowed.

​

​

​

​

​

​

• Connections to this shared folder should not be accessible from the web interface.

​

• Important files/folders should be saved in a more restricted area.

​

• Connection to these folders should be restricted by a firewall rule.

​

System Hardening

Alarm

Mitigation: Identifying Reverse Shell Uploads

• Alert for any incoming traffic over port 4444.

​

• Alert for any file with .php extension.

​

• The threshold should be more than 1 attempt.

​

• Block the ability to upload files to the directory over the web interface.

​

• Only allow specific file extensions.

Store files in a non public accessible directory if possible.

​

• Only allow authorized users to use the feature.

​

System Hardening

Alarm

24