Capstone Engagement
Assessment, Analysis, and Hardening of a Vulnerable System
Table of Contents
This document contains the following sections:
01 Network Topology
02 Red Team: Security Assessment
03 Blue Team: Log Analysis and Attack Characterization
04 Hardening: Proposed Alarms and Mitigation Strategies
Network Topology
Network
Address Range: 192.168.1.0/24
Netmask: 255.255.255.0
Gateway: 192.168.1.1
Machines
ELK: IPv4 192.168.1.100, OS Ubuntu 18.04.4 LTS
server1: IPv4 192.168.1.105, OS Ubuntu 18.04.1 LTS
ML-RefVm-684427: IPv4 192.168.1.1, OS Windows 10
Kali: IPv4 192.168.1.90, OS Kali GNU/Linux Rolling
Red Team: Security Assessment
Recon: Describing the Target
Nmap identified the following hosts on the network:
Hostname | IP Address | Role on Network
Kali | 192.168.1.90 | Attacker machine
ELK | 192.168.1.100 | Used to monitor logs from Capstone
Capstone (server1) | 192.168.1.105 | Victim machine
Windows | 192.168.1.1 | RDP (the gateway server)
Vulnerability Assessment
The assessment uncovered the following critical vulnerabilities in the target:
Vulnerability | Description | Impact
Weak Password and Hash | Password is not complex | Allows attackers to crack the passwords easily and gain access to sensitive information
Code execution via Remote Location | Access the file system of the victim machine to reach the secret folder, gain unauthorized access, connect back to it via a backdoor, and upload malicious files | Sensitive data is compromised and the attacker gains unauthorized access to the targeted machine
RFI | Upload any file to the web server | Allows attackers to upload malicious files such as reverse shell scripts and view all files and directories
Directory Traversal | Being able to go through unauthorized directories | Allows attackers to reach sensitive data within the directories and gain unauthorized access
Exploitation: Weak Password and Hash
Tools & Processes
How did you exploit the vulnerability?
We found usernames specific to directories by accessing the URL, then used the hydra command and CrackStation to crack the passwords and hashes.
Achievements
What did the exploit achieve?
It gave us passwords and hashes for specific users.
For example: Did it grant you a user shell, root access, etc.?
Yes, it gave us access to secret directories and files that shouldn’t be accessible by any other users.
Exploitation: Directory Traversal
Tools & Processes
How did you exploit the vulnerability?
Once the passwords and hashes were cracked, we were able to access unauthorized directories.
Which tool (Nmap, etc.) or techniques (XSS, etc.) did you use?
We used the dirb tool to find the secret directories.
Achievements
What did the exploit achieve?
We were able to access unauthorized and hidden directories.
Did it grant you a user shell, root access, etc.?
It showed us the hidden directory where we found the rockyou.txt file containing the password list.
Exploitation: Code Injection via Remote Location
Tools & Processes
How did you exploit the vulnerability?
We successfully uploaded a PHP payload containing a reverse shell script, and then we knew we could inject the code.
Which tool (Nmap, etc.) or techniques (XSS, etc.) did you use?
We used msfvenom, msfconsole, and meterpreter.
Achievements
What did the exploit achieve?
We were able to successfully gain access to the victim’s machine and inject the malicious code by uploading a PHP payload.
For example: Did it grant you a user shell, root access, etc.?
Yes, it granted root access and we were able to view the secret folder and file contents.
Blue Team: Log Analysis and Attack Characterization
Analysis: Identifying the Port Scan
Analysis: Finding the Request for the Hidden Directory
Analysis: Uncovering the Brute Force Attack
Analysis: Finding the WebDAV Connection
Blue Team: Proposed Alarms and Mitigation Strategies
Mitigation: Blocking the Port Scan
Alarm
What kind of alarm can be set to detect future port scans?
Alert on any traffic higher than the normal baseline; when the baseline limit is reached, send an email/notification to the SOC team.
What threshold would you set to activate this alarm?
Any activity above 20 should set off the alarm.
System Hardening
What configurations can be set on the host to mitigate port scans?
Ensure that only required ports are enabled.
Command: sudo ufw deny PORT
Mitigation: Finding the Request for the Hidden Directory
Alarm
What kind of alarm can be set to detect future unauthorized access?
Alert on any unusual activity within hidden directories; when the baseline limit is reached, send an email/notification to the SOC team.
What threshold would you set to activate this alarm?
Set a count alert if any PHP files are used 10 times within the hour.
System Hardening
What configuration can be set on the host to block unwanted access?
Do not expose the folders to HTTP browser access.
Mitigation: Preventing Brute Force Attacks
Alarm
What kind of alarm can be set to detect future brute force attacks?
Alert on any unusual port scanning activity and on 401 status codes; when the baseline limit is reached, send an email/notification to the SOC team.
What threshold would you set to activate this alarm?
We could set the threshold at 10-20 hits for the 401 status codes within an hour to set off the alert.
System Hardening
What configuration can be set on the host to block brute force attacks?
Enforce complex passwords and strong password hashes, and remove any file containing password lists such as rockyou.txt.
Mitigation: Detecting the WebDAV Connection
Alarm
What kind of alarm can be set to detect future access to this directory?
Alert on any unusual activity within hidden web server directories; when the baseline limit is reached, send an email/notification to the SOC team.
What threshold would you set to activate this alarm?
Set a count alert if any PHP files are used 10 times within the hour.
System Hardening
What configuration can be set on the host to control access?
Do not expose the folders to HTTP browser access, and require better password complexity.
Mitigation: Identifying Reverse Shell Uploads
Alarm
What kind of alarm can be set to detect future file uploads?
Alert on any unusual upload activity to the web server and on unusual ports; when the baseline limit is reached, send an email/notification to the SOC team.
What threshold would you set to activate this alarm?
Alert on any open port or web server upload that is not used by the applications, within an hour, with a threshold of 1 hit.
System Hardening
What configuration can be set on the host to block file uploads?
Create firewall rules that restrict any external access to port 4444.
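The alarms proposed on the mitigation slides (port scan above 20, 401 responses and hidden-directory PHP requests at 10 per hour, uploads or listener-port traffic at a threshold of 1) written out as one detection routine over sample events. This is an added example, not part of the report and not the ELK stack's own alerting; the events, the /secret/ stand-in path and the timing are constructed, using only the report's IP addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not data from the engagement's ELK stack. Each tuple is
# (timestamp, source IP, destination port, HTTP method, path, status); the last three
# are None for plain connections seen by the firewall. "/secret/" stands in for the
# hidden directory, whose real path the report does not give.
T0 = datetime(2020, 6, 1, 12, 0, 0)
NOW = T0 + timedelta(hours=1)
WINDOW = timedelta(hours=1)
def at(minutes, src, port, method=None, path=None, status=None):
    return (T0 + timedelta(minutes=minutes), src, port, method, path, status)

EVENTS = (
    [at(i / 12, "192.168.1.90", 20 + i) for i in range(25)]       # 25 ports in ~2 min (plus 80 below)
    + [at(10 + i, "192.168.1.90", 80, "GET", "/secret/", 401) for i in range(12)]  # failed logins
    + [at(25 + i, "192.168.1.90", 80, "GET", "/secret/up.php", 200) for i in range(11)]
    + [at(40, "192.168.1.90", 80, "PUT", "/webdav/up.php", 201)]  # WebDAV upload
    + [at(41, "192.168.1.105", 4444)]                              # call-back to the listener port
    + [at(50, "192.168.1.1", 80, "GET", "/index.php", 200)]        # benign traffic
)

def alerts(events, now, match, threshold, key=lambda e: e):
    """Sources with at least `threshold` distinct key(e) values among matching events in
    the hour ending at `now`. The default key counts events; a port key counts ports."""
    seen = defaultdict(set)
    for e in events:
        if now - WINDOW <= e[0] <= now and match(e):
            seen[e[1]].add(key(e))
    return {src: len(v) for src, v in seen.items() if len(v) >= threshold}

def port_scan_alerts(events, now):      # more than 20 distinct ports from one source
    return alerts(events, now, lambda e: True, 21, key=lambda e: e[2])
def brute_force_alerts(events, now):    # 10 or more HTTP 401 responses in an hour
    return alerts(events, now, lambda e: e[5] == 401, 10)
def hidden_php_alerts(events, now, hidden="/secret/"):  # 10 or more PHP hits under it
    return alerts(events, now, lambda e: bool(e[4]) and e[4].startswith(hidden)
                  and e[4].endswith(".php"), 10)
def upload_or_callback_alerts(events, now, listener=4444):  # threshold of 1 hit
    return alerts(events, now, lambda e: e[3] in ("PUT", "POST") or e[2] == listener, 1)

def run_all(events, now):
    """One pass over every alarm; a non-empty value is what gets emailed to the SOC team."""
    return {name: fn(events, now) for name, fn in [
        ("port_scan", port_scan_alerts), ("brute_force", brute_force_alerts),
        ("hidden_dir_php", hidden_php_alerts), ("upload_or_callback", upload_or_callback_alerts)]}

if __name__ == "__main__":
    for name, hits in run_all(EVENTS, NOW).items():
        print(name, hits or "no alert")
```

The same rules map onto ELK watcher or Kibana threshold alerts by keeping the per-source grouping and the one-hour window.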