1 of 22

Capstone Engagement

Assessment, Analysis, and Hardening of a Vulnerable System


Table of Contents

This document contains the following sections:

  1. Network Topology
  2. Red Team: Security Assessment
  3. Blue Team: Log Analysis and Attack Characterization
  4. Hardening: Proposed Alarms and Mitigation Strategies

Network Topology

Network

  Address range: 192.168.1.1 - 192.168.1.255 (192.168.1.0/24)
  Netmask: 255.255.255.0
  Gateway: 192.168.1.1

Machines

  IPv4            OS            Hostname
  192.168.1.1     Windows/CPE   192.168.1.1
  192.168.1.90    Linux         192.168.1.90
  192.168.1.100   Linux         192.168.1.100
  192.168.1.105   Linux         192.168.1.105

Red Team: Security Assessment

Recon: Describing the Target

Nmap identified the following hosts on the network:

  Hostname        IP Address      Role on Network
  192.168.1.1     192.168.1.1     Virtual network
  192.168.1.90    192.168.1.90    Attacker machine
  192.168.1.100   192.168.1.100   ELK stack
  192.168.1.105   192.168.1.105   Web server

Vulnerability Assessment

The assessment uncovered the following critical vulnerabilities in the target:

  Vulnerability: Company website "About Us" page
    Description: Excessive information about the company's employees was published on the website.
    Impact: The amount of information provided makes social engineering very easy.

  Vulnerability: Open ports on the network
    Description: Port scans show open ports that reveal a great deal of data about the target machines.
    Impact: This allowed attackers to gather extensive reconnaissance information about the target.

  Vulnerability: Employees storing hashes on the website
    Description: Employees stored text files containing password hashes, together with step-by-step instructions on how to access the web server.
    Impact: Attackers were able to copy and crack the hashes with very little effort, access the file server, and obtain sensitive files.

  Vulnerability: PHP reverse shell
    Description: An MSFvenom reverse shell script was uploaded to the target web server.
    Impact: This gave attackers access to the server through Meterpreter.

Exploitation: Open Port 80/tcp (HTTP)

Tools & Processes

  1. ifconfig to find the IP address of the Kali Linux machine.
  2. nmap -A 192.168.1.90/24 to scan the subnet.
  3. Firefox: 192.168.1.105/company_folders/
  4. 192.168.1.105/company_folders/secret_folder/

Achievements

With this exploitation we found that Ashton has a secret folder that requires a username and password. That leads us to the next exploit.

Exploitation: Username and Password

Tools & Processes

From the last exploitation we hit a roadblock: a password was needed. From the reconnaissance we did before, we knew that port 80 was open, the directory path, the username, and the IP address. The tool we used was Hydra, to brute force the password.

Achievements

The attempt was successful and allowed access to Ashton's folder. From there we were able to find Ryan's hash.

Exploitation: PHP Reverse Shell

Tools & Processes

Uploaded an MSFvenom payload to WebDAV with File Manager.

Achievements

Successful callback from the web server to the attacker machine. Gained access as the root user.

Blue Team: Log Analysis and Attack Characterization

Analysis: Identifying the Port Scan

  • What time did the port scan occur?
    VM local time: 1:05 am.
  • How many packets were sent, and from which IP?
    Around 5000 packets were sent from 192.168.1.90.
  • What indicates that this was a port scan?
    The logs reported that each open port received traffic.

Analysis: Finding the Request for the Hidden Directory

  • What time did the request occur?
    The requests started at 1:45 am and continued until 2:02 am.
  • Which files were requested? What did they contain?
    company_folders/secret_folder
    It contained a password hash and instructions to access the CEO's file server account.

Analysis: Uncovering the Brute Force Attack

  • How many requests were made in the attack?
    112,277 requests were made during the attack.
  • How many requests had been made before the attacker discovered the password?
    It took 112,276 requests for the attacker to discover the password.

Analysis: Finding the WebDAV Connection

  • How many requests were made to this directory?
    32 requests were made.
  • Which files were requested?
    The file that was requested was passwd.dav.

Blue Team: Proposed Alarms and Mitigation Strategies

Mitigation: Blocking the Port Scan

What kind of alarm can be set to detect future port scans?

  • Set an alarm for multiple SYN attempts within 1 minute

What threshold would you set to activate this alarm?

  • 5 SYN attempts within 1 minute

What configurations can be set on the host to mitigate port scans?

  • Setting up firewall and intrusion detection system (IDS).

Describe the solution. If possible, provide required command lines.

  • Network-based IDSs such as the Cisco 4200 series appliances are dedicated to one task: monitoring the entire network. They are located at checkpoints or special ports where they can monitor network traffic directed to any host.
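
The following is an added example, not code from the original engagement report, showing how the port-scan finding on the analysis slide (many packets from 192.168.1.90, every open port receiving traffic) and the alarm proposed on this slide (5 SYN attempts from one source within 1 minute) can be expressed as detection logic. It assumes iptables-style kernel log lines with an ISO timestamp prefix; the log lines themselves are constructed for the example and the format is an assumption, not the format of the ELK data in the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the mitigation slide: 5 SYN attempts from one source within 1 minute.
SYN_THRESHOLD = 5
WINDOW = timedelta(minutes=1)

# Assumed iptables-style kernel log line; only TCP packets carrying the SYN flag match.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP "
    r".*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

# Constructed sample log: one host probing six ports in four seconds, plus one normal web client.
SAMPLE_LOG = [
    "2024-03-10T01:05:00 kernel: IN=eth0 SRC=192.168.1.90 DST=192.168.1.105 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0",
    "2024-03-10T01:05:01 kernel: IN=eth0 SRC=192.168.1.90 DST=192.168.1.105 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0",
    "2024-03-10T01:05:01 kernel: IN=eth0 SRC=192.168.1.90 DST=192.168.1.105 PROTO=TCP SPT=40003 DPT=25 SYN URGP=0",
    "2024-03-10T01:05:02 kernel: IN=eth0 SRC=192.168.1.90 DST=192.168.1.105 PROTO=TCP SPT=40004 DPT=80 SYN URGP=0",
    "2024-03-10T01:05:02 kernel: IN=eth0 SRC=192.168.1.90 DST=192.168.1.105 PROTO=TCP SPT=40005 DPT=443 SYN URGP=0",
    "2024-03-10T01:05:03 kernel: IN=eth0 SRC=192.168.1.90 DST=192.168.1.105 PROTO=TCP SPT=40006 DPT=8080 SYN URGP=0",
    # A normal client opening a few connections to the web server over several minutes: no alarm.
    "2024-03-10T01:04:10 kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.105 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0",
    "2024-03-10T01:07:30 kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.105 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0",
    "2024-03-10T01:07:31 kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.105 PROTO=TCP SPT=51001 DPT=80 ACK URGP=0",
]


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a logged TCP SYN, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_port_scans(lines, threshold=SYN_THRESHOLD, window=WINDOW):
    """Sliding-window SYN counter per source IP.

    Returns {src: (first_alarm_time, total_syn_packets, distinct_ports_probed)} for every
    source that sent `threshold` or more SYNs inside any `window`-long interval.
    """
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    recent = defaultdict(deque)      # src -> SYN timestamps still inside the current window
    syn_count = defaultdict(int)
    ports = defaultdict(set)
    first_alarm = {}
    for ts, src, _dst, dpt in records:
        syn_count[src] += 1
        ports[src].add(dpt)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:    # drop SYNs that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and src not in first_alarm:
            first_alarm[src] = ts
    return {src: (first_alarm[src], syn_count[src], len(ports[src])) for src in first_alarm}


if __name__ == "__main__":
    for src, (when, n, k) in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALARM {when:%H:%M:%S}: {src} sent {n} SYNs to {k} distinct ports")
```

On the constructed input the alarm fires for 192.168.1.90 at the fifth SYN (01:05:02) and the summary reports 6 SYNs to 6 distinct ports, while the ordinary client never reaches the threshold. A raw count of 5 SYNs per minute will also catch a busy browser talking to one port, so in production the same sliding window is usually keyed on distinct destination ports per source, which the function already tracks.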


Mitigation: Finding the Request for the Hidden Directory

What kind of alarm can be set to detect future unauthorized access?

  • Monitor for excessive failed login attempts and raise an alarm when the threshold is met.

What threshold would you set to activate this alarm?

  • Monitor failed logins within a 5-minute window.

What configuration can be set on the host to block unwanted access?

  • Be careful about what is published in blog posts, and use two-factor authentication.

Describe the solution. If possible, provide required command lines.

  • Company training on what should and should not be shared in blog posts, along with training to prevent social engineering.


Mitigation: Preventing Brute Force Attacks

What kind of alarm can be set to detect future brute force attacks?

  • An alarm that triggers when failed login attempts exceed a specified number within a set period of time.

What threshold would you set to activate this alarm?

  • 10 login attempts in under 1 minute

What configuration can be set on the host to block brute force attacks?

  • Implement a lockout on user accounts after a set number of failed login attempts.

Describe the solution. If possible, provide the required command line(s).

  • Lock the account after 10 failed attempts for 10 minutes; if the attempts continue, the account must be unlocked by IT, and an alert is sent to IT.
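
As an added example (not part of the original report), the following code implements the brute-force measures described on the analysis slide and the two mitigation slides: the per-source count of requests to the hidden directory and of requests made before the first success, the failed-login alarm (10 failures inside 1 minute here; the hidden-directory slide's 5-minute window is a parameter), and the host-side lockout policy of 10 attempts, a 10-minute lock, and an IT unlock with alert if the attempts continue. It assumes Apache combined-format access logs in which a rejected password produces a 401; the log lines, the username and the timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the mitigation slides: alarm at 10 failed logins inside 1 minute (use
# window=timedelta(minutes=5) for the hidden-directory slide), lock the account after 10
# failures for 10 minutes, and require an IT unlock plus an alert on a repeat lockout.
ALARM_THRESHOLD = 10
ALARM_WINDOW = timedelta(minutes=1)
LOCK_AFTER = 10
LOCK_DURATION = timedelta(minutes=10)

# Assumed Apache combined-style access log: client, ident, auth user, [timestamp], "request", status, bytes.
ACCESS_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def _line(second, status):
    # Constructed log line: one guess against the protected folder; 401 = wrong password, 200 = success.
    return (f'192.168.1.90 - ashton [10/Mar/2024:01:45:{second:02d} +0000] '
            f'"GET /company_folders/secret_folder/ HTTP/1.1" {status} 512')


# Constructed sample: 12 failed guesses in 12 seconds, then the correct password, plus unrelated traffic.
SAMPLE_ACCESS_LOG = [_line(s, 401) for s in range(12)] + [_line(12, 200)] + [
    '192.168.1.50 - - [10/Mar/2024:01:30:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "src": m["src"], "path": m["path"], "status": int(m["status"])}


def analyse_auth_attempts(lines, protected_prefix, threshold=ALARM_THRESHOLD, window=ALARM_WINDOW):
    """Per source IP: requests to the protected path, requests made before the first success,
    and when the sliding-window failed-login alarm first fired (None if it never did)."""
    stats = {}
    recent = defaultdict(deque)
    records = sorted((r for r in map(parse_access, lines) if r), key=lambda r: r["ts"])
    for rec in records:
        if not rec["path"].startswith(protected_prefix):
            continue
        s = stats.setdefault(rec["src"], {"requests": 0, "requests_before_success": None, "alarm_at": None})
        s["requests"] += 1
        if rec["status"] == 401:
            q = recent[rec["src"]]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:      # forget failures older than the window
                q.popleft()
            if len(q) >= threshold and s["alarm_at"] is None:
                s["alarm_at"] = rec["ts"]
        elif rec["status"] == 200 and s["requests_before_success"] is None:
            s["requests_before_success"] = s["requests"] - 1
    return stats


class LockoutPolicy:
    """Host-side lockout: LOCK_AFTER failures -> LOCK_DURATION lock; a second lockout -> hard lock + IT alert."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.lockouts = defaultdict(int)
        self.locked_until = {}
        self.hard_locked = set()
        self.alerts = []

    def attempt(self, user, password_ok, now):
        """Record one login attempt; returns 'allowed', 'denied', 'locked' or 'hard_locked'."""
        if user in self.hard_locked:
            return "hard_locked"
        if user in self.locked_until:
            if now < self.locked_until[user]:
                return "locked"                  # even a correct password is refused while locked
            del self.locked_until[user]          # the temporary lock has expired
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0
            return "allowed"
        self.failures[user] += 1
        if self.failures[user] < LOCK_AFTER:
            return "denied"
        self.lockouts[user] += 1
        if self.lockouts[user] >= 2:             # the attempts continued after a lockout
            self.hard_locked.add(user)
            self.alerts.append((now, user, "repeat lockout: IT unlock required"))
            return "hard_locked"
        self.locked_until[user] = now + LOCK_DURATION
        return "locked"

    def it_unlock(self, user):
        self.hard_locked.discard(user)
        self.lockouts[user] = 0
        self.failures[user] = 0
```

Run against the constructed log, the analysis reports 13 requests from 192.168.1.90 to the secret folder, 12 of them before the first success, with the alarm firing on the tenth failure at 01:45:09; the real engagement's figures of 112,277 and 112,276 come from the same two counters. The lockout class refuses even a correct password while the 10-minute lock is active, and a second lockout on the same account stays in force until `it_unlock` is called.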


Mitigation: Detecting the WebDAV Connection

What kind of alarm can be set to detect future access to this directory?

  • Access to the directory from outside the VPN IP address range would trigger an alarm.

What threshold would you set to activate this alarm?

  • Anything outside the VPN should trigger the alarm.

What configuration can be set on the host to control access?

  • Disallow all access from outside VPN

Describe the solution. If possible, provide the required command line(s).

  • Make sure the VPN is configured correctly and train all employees on how to access it. Forbid internet access without going through the VPN.


Mitigation: Identifying Reverse Shell Uploads

What kind of alarm can be set to detect future file uploads?

  • An alarm that fires on any upload from an IP address outside the accepted pre-set range.

What threshold would you set to activate this alarm?

  • Any uploads from IPs outside pre-set range would trigger the alarm.

What configuration can be set on the host to block file uploads?

  • Require all file uploads to go through a VPN so that they always originate from a set static IP address.

Describe the solution. If possible, provide the required command line(s).

  • Set up a VPN and train all employees on its use.
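
The following is an added example, not part of the original report, covering both the WebDAV slide (any access to the directory from outside the VPN range raises an alarm) and this slide (any upload from outside the pre-set range raises an alarm). The VPN address pool 10.8.0.0/24, the WebDAV path prefix and the request records are all constructed assumptions; the example distinguishes read access from write methods so the two alarms get different severities.

```python
import ipaddress

# Constructed assumption: the VPN hands out addresses from this pool; nothing else may touch WebDAV.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/24")]
WEBDAV_PREFIX = "/webdav/"
# HTTP/WebDAV methods that create or change content on the server (an "upload" in the slide's sense).
WRITE_METHODS = {"PUT", "POST", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH", "LOCK"}


def is_vpn_address(src):
    """True only for a syntactically valid address inside one of the VPN ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                     # an unparsable source is never trusted
    return any(addr in net for net in VPN_RANGES)


def classify_request(src, method, path):
    """Return None when the request is acceptable, otherwise (severity, reason)."""
    if not path.startswith(WEBDAV_PREFIX):
        return None                      # only the WebDAV directory is in scope for these alarms
    if is_vpn_address(src):
        return None
    if method.upper() in WRITE_METHODS:
        return ("critical", f"upload/modification via {method} from non-VPN address {src}")
    return ("high", f"access to {path} from non-VPN address {src}")


def evaluate(requests):
    """requests: iterable of (timestamp, src, method, path). Returns the list of alarms raised."""
    alarms = []
    for ts, src, method, path in requests:
        verdict = classify_request(src, method, path)
        if verdict:
            alarms.append((ts, src, method, path) + verdict)
    return alarms


# Constructed request records (timestamp, source IP, method, path).
SAMPLE_REQUESTS = [
    ("02:10:00", "10.8.0.5", "PROPFIND", "/webdav/"),           # VPN client listing the share
    ("02:10:05", "10.8.0.5", "PUT", "/webdav/report.docx"),     # VPN client uploading
    ("02:12:00", "192.168.1.90", "GET", "/webdav/passwd.dav"),  # read from outside the VPN pool
    ("02:12:30", "192.168.1.90", "PUT", "/webdav/upload.php"),  # write from outside the VPN pool
    ("02:13:00", "192.168.1.90", "GET", "/index.html"),         # public page, not in scope
    ("02:13:10", "not-an-ip", "PUT", "/webdav/x"),              # malformed source is never trusted
]

if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_REQUESTS):
        print(alarm)
```

The three alarms on the constructed input are the outside read (high), the outside upload (critical) and the malformed-source upload (critical); the VPN client's own upload and the public page produce nothing. The same allowlist is what the host should enforce rather than merely report, for example with an Apache 2.4 `<Directory>` block for the WebDAV path containing `Require ip 10.8.0.0/24` (the path and range are assumptions), so that the alarm only ever fires on requests that were already refused.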
