1 of 22

Capstone Engagement

Assessment, Analysis, and Hardening of a Vulnerable System

Table of Contents

This document contains the following sections:

01 Network Topology
02 Red Team: Security Assessment
03 Blue Team: Log Analysis and Attack Characterization
04 Hardening: Proposed Alarms and Mitigation Strategies

Network Topology

Network

Address Range: 192.168.1.0/24
Netmask: 192.168.1.0
Gateway: 192.168.1.24

Machines

IPv4: 192.168.1.90
OS: Linux
Hostname: Kali

IPv4: 192.168.1.105
OS: Linux
Hostname: Capstone

IPv4: 192.168.1.100
OS: Linux
Hostname: Capstone

IPv4: 192.168.1.100:22
OS: Linux
Hostname: Elk Server

Red Team: Security Assessment

Recon: Describing the Target

Nmap identified the following hosts on the network:

Hostname          IP Address           Role on Network
Kali Machine      192.168.1.90         Attacker machine
Capstone Machine  192.168.1.105        Target machine
ELK Server        192.168.1.100        ELK monitoring machine
Kibana            192.168.1.100:5601   Log collector machine

Vulnerability Assessment

The assessment uncovered the following critical vulnerabilities in the target:

Vulnerability: CWE-548 (information exposure through directory listing)
Description: Attackers use open directory listings to gather a large amount of information about the web server.
Impact: This allows the attacker to browse directories in a web browser and defeat the password protection on protected directories.

Vulnerability: SQL Injection
Description: SQL injection allows attackers to submit malicious input that is executed as part of a database query, gaining access or launching further attacks.
Impact: This allows attackers to view user lists without authorization and to access the administrative database.

Vulnerability: Weak Passwords
Description: Passwords are not subject to a minimum length or mixed-character requirement.
Impact: Attackers can easily guess passwords; employees usually have weak, simple-phrase passwords.

Vulnerability: Brute Force
Description: Brute forcing is a trial-and-error method for cracking passwords, login credentials and encryption keys.
Impact: Attackers are able to steal credentials and gain access to user accounts.

Exploitation: CWE-548 / Webserver

Tools & Processes

To exploit the webserver I used WebDAV:

cadaver http://192.168.1.105

Achievements

To achieve this I used:

cadaver http://192.168.1.105
put shell.php

From there I was able to gain access to Ryan's shell and gain access to his passwords.

Exploitation: SQL Injections

Tools & Processes

I used nmap to reveal the vulnerability on Ryan's machine.

Achievements

After using

nmap -sV -v 192.168.1.105

I was able to see which usernames and which ports were open.


Exploitation: Brute Force Attack

Tools & Processes

For this exploitation, I used the hydra command to brute force Ashton's machine.

Achievements

By using

hydra -l ashton -P /usr/share/wordlists/rockyou.txt -s 80 -vV 192.168.1.105 http-get /company_folders/secret_folder

I was able to gain access to his login credentials, including some of his company folders and hidden folders.


Blue Team: Log Analysis and Attack Characterization

Analysis: Identifying the Port Scan

  • What time did the port scan occur?

The port scan occurred at 1:00pm.

  • How many packets were sent, and from which IP?

There were 8 hits sent to 192.168.1.105.

  • What indicates that this was a port scan?

This port scan indicates how many times the IP was trying to gain access.

Analysis: Finding the Request for the Hidden Directory

  • What time did the request occur? How many requests were made?

The request occurred at 6:30pm and there were 62,768 hits.

  • Which files were requested? What did they contain?

The files contained passwords and login credentials.

Analysis: Uncovering the Brute Force Attack

  • How many requests were made in the attack?

There were 62,768 hits made in this attack.

  • How many requests had been made before the attacker discovered the password?

There were 334,331 hits before the attacker discovered the password.

Analysis: Finding the WebDAV Connection

  • How many requests were made to this directory?

20 hits were made to this directory.

  • Which files were requested?

The files requested were the shell.php files.

Blue Team: Proposed Alarms and Mitigation Strategies

Mitigation: Blocking the Port Scan

What kind of alarm can be set to detect future port scans?

It would be nice to have alerts for every port but unfortunately it would not be possible.

What threshold would you set to activate this alarm?

Set up a low-level alert for port scanning at a threshold of 10 and a high-level alert for anything above 100, especially for scans using nmap.

What configurations can be set on the host to mitigate port scans?

Use an IPS and have the firewall block unauthorised IPs.

Describe the solution. If possible, provide required command lines.

Schedule regular security checks on all ports and close ports that do not need to be open. Review the IDS regularly, block probes and host sweeps, and slow down scan attempts.
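As an added example (not part of the original report), the two thresholds above applied as detection logic over constructed iptables-style connection log lines. Reading the threshold as the number of distinct destination ports probed by one source IP is an assumption; repeated hits on the same port are deliberately not counted as scanning.

```python
# Added example, not from the original report: port-scan detector applying the
# slide thresholds (low-level alert at 10, high-level alert above 100), where
# the count is the number of distinct destination ports one source touched.
# Input lines use the iptables LOG format (SRC=/DST=/DPT=); this is an assumption.
import re
from collections import defaultdict

LOW_PORTS = 10     # low-level alert: this many distinct ports from one source
HIGH_PORTS = 100   # high-level alert: more than this many distinct ports

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)")

def count_ports(lines):
    """Return {source IP: set of distinct destination ports} from the log lines."""
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))   # a set, so repeats on one port count once
    return ports

def classify(lines):
    """Map each source IP to 'high', 'low' or None according to the thresholds."""
    result = {}
    for src, pset in count_ports(lines).items():
        if len(pset) > HIGH_PORTS:
            result[src] = "high"
        elif len(pset) >= LOW_PORTS:
            result[src] = "low"
        else:
            result[src] = None
    return result

# Constructed sample: 192.168.1.90 (the attacker host in the report) sweeps ports
# 1..120 on 192.168.1.105, nmap-style, while 192.168.1.50 only uses three services
# but hits port 80 fifty times (normal web traffic, not a scan).
SAMPLE = [f"SRC=192.168.1.90 DST=192.168.1.105 DPT={p}" for p in range(1, 121)]
SAMPLE += [f"SRC=192.168.1.50 DST=192.168.1.105 DPT={p}" for p in (22, 80, 443)]
SAMPLE += ["SRC=192.168.1.50 DST=192.168.1.105 DPT=80"] * 50

if __name__ == "__main__":
    for src, level in classify(SAMPLE).items():
        print(src, len(count_ports(SAMPLE)[src]), "distinct ports ->", level)
```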

Mitigation: Finding the Request for the Hidden Directory

What kind of alarm can be set to detect future unauthorized access?

Create two alerts:

1. A low-level alert for more than 3 password failures.

2. A critical alert for more than 10 failures.

What threshold would you set to activate this alarm?

Creating an alert for non-whitelisted IPs trying to access the directory.

What configuration can be set on the host to block unwanted access?

Set a timeout of 30 min or more after more than 3 failed attempts, with the time increasing on every further failure. Blacklist the IP after 10 failed password attempts. Increase the password strength requirements for that specific directory.

Describe the solution. If possible, provide required command lines.

Force a password change every 3 months for important accounts and add multi-factor authentication. Limit user access to the specific directory and hide it from public directory listings.

Mitigation: Preventing Brute Force Attacks

What kind of alarm can be set to detect future brute force attacks?

For all password portals, such as the webserver and SSH, set up alerts for more than 3 failed attempts.

What threshold would you set to activate this alarm?

Having critical alerts for more than 10 failed attempts.

What configuration can be set on the host to block brute force attacks?

Set up timeouts and lockout rules for failed password attempts to stop brute force attacks: after 3 failed attempts a 30 min timer is activated, and it is increased with every further failed attempt.

Describe the solution. If possible, provide the required command line(s).

Increase password requirements and expire passwords every 3 months. The security team is notified whenever an account is locked.
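As an added example (not part of the original report), the failed-login thresholds shared by this slide and the hidden-directory slide applied over constructed Apache access log lines for the protected folder named in the red team section. Treating a 401 response as one failure and doubling the lockout time with each failure past the third are assumptions.

```python
# Added example, not from the original report: failed-login detector applying the
# slide thresholds (low alert above 3 failures from one IP, critical above 10,
# a 30 min lockout from the 4th failure that grows with each further failure,
# blacklist at 10). Input is constructed Apache access log lines; counting a
# 401 on the protected folder as one failure and doubling the lockout per
# failure are assumptions.
import re
from collections import defaultdict

LOW_FAILS, CRITICAL_FAILS, BLACKLIST_FAILS = 3, 10, 10
BASE_LOCKOUT_MIN = 30
PROTECTED = "/company_folders/secret_folder"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def lockout_minutes(failures):
    """0 up to the 3rd failure, 30 min at the 4th, doubling for each one after."""
    if failures <= LOW_FAILS:
        return 0
    return BASE_LOCKOUT_MIN * 2 ** (failures - LOW_FAILS - 1)

def analyze(lines):
    """Per source IP: failure count, alert level, lockout minutes, blacklist flag."""
    fails = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(PROTECTED) and m["status"] == "401":
            fails[m["ip"]] += 1
    report = {}
    for ip, n in fails.items():
        level = "critical" if n > CRITICAL_FAILS else "low" if n > LOW_FAILS else None
        report[ip] = {"failures": n, "alert": level,
                      "lockout_min": lockout_minutes(n),
                      "blacklisted": n >= BLACKLIST_FAILS}
    return report

# Constructed sample: 12 failed basic-auth requests from 192.168.1.90 (the
# attacker host in the report) against the protected folder at 18:30, then one
# successful request from another internal host.
SAMPLE = [
    f'192.168.1.90 - - [10/Oct/2020:18:30:{i:02d} +0000] '
    f'"GET {PROTECTED}/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Hydra)"'
    for i in range(12)
]
SAMPLE.append('192.168.1.50 - ryan [10/Oct/2020:18:31:00 +0000] '
              f'"GET {PROTECTED}/ HTTP/1.1" 200 1042 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for ip, state in analyze(SAMPLE).items():
        print(ip, state)
```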

Mitigation: Detecting the WebDAV Connection

What kind of alarm can be set to detect future access to this directory?

Create an alert for non-whitelisted IPs attempting to connect to WebDAV and other non-secure locations.

What threshold would you set to activate this alarm?

For every failed attempt there should be a 30 min or longer lockout of the account, and an alert should be raised for the security team to confirm whether the account has access.

What configuration can be set on the host to control access?

Limit access to WebDAV. Harden password authentication for WebDAV and whitelist IPs.

Describe the solution. If possible, provide the required command line(s).

Scan all incoming traffic with anti-malware and update the server regularly. Only allow internal access to the specific device or network, blocking external connections.

Mitigation: Identifying Reverse Shell Uploads

What kind of alarm can be set to detect future file uploads?

Monitor all incoming uploads and set up an alert from the anti-virus/anti-malware scanner.

What threshold would you set to activate this alarm?

Create an alert for uploaded files that contain suspicious code or carry script extensions.

What configuration can be set on the host to block file uploads?

Use a secure anti-malware application that scans all incoming files and have it update automatically every day.

Describe the solution. If possible, provide the required command line.

Update the firewall rules. Limit the file types that can be uploaded and restrict PHP.
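As an added example (not part of the original report), the WebDAV alarm rules from this slide and the previous one applied over constructed Apache access log lines: any WebDAV request from a source outside the allow list, and any upload whose filename carries a script extension such as shell.php. The /webdav/ path, the allow list and the extension list are assumptions.

```python
# Added example, not from the original report: WebDAV upload monitor applying the
# slide rules (alert on non-whitelisted sources reaching WebDAV, alert on uploads
# with script extensions). Input is constructed Apache access log lines; the
# /webdav/ path, allow list and extension list are assumptions for illustration.
import re
from collections import namedtuple

WEBDAV_PATH = "/webdav/"
ALLOWED_IPS = {"192.168.1.100"}              # assumed internal allow list
UPLOAD_METHODS = {"PUT", "MOVE", "COPY"}     # WebDAV methods that place a file
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".sh")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
Alert = namedtuple("Alert", "ip method path reasons")

def check_line(line):
    """Return an Alert for a suspicious WebDAV request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(WEBDAV_PATH):
        return None
    reasons = []
    if m["ip"] not in ALLOWED_IPS:
        reasons.append("non-whitelisted source")
    if m["method"] in UPLOAD_METHODS and m["path"].lower().endswith(SCRIPT_EXTS):
        reasons.append("script upload")
    return Alert(m["ip"], m["method"], m["path"], reasons) if reasons else None

def scan(lines):
    """Run check_line over every log line and keep only the alerts."""
    return [a for a in map(check_line, lines) if a]

# Constructed sample: shell.php uploaded from 192.168.1.90 (the attacker host in
# the report), a benign document PUT from the allowed host, and a later GET of
# the uploaded shell from the attacker host.
SAMPLE = [
    '192.168.1.90 - ryan [10/Oct/2020:18:45:00 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0 "-" "cadaver"',
    '192.168.1.100 - ryan [10/Oct/2020:18:46:00 +0000] "PUT /webdav/report.txt HTTP/1.1" 201 0 "-" "cadaver"',
    '192.168.1.90 - - [10/Oct/2020:18:47:00 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```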
