1 of 22

Capstone Engagement

Assessment, Analysis, and Hardening of a Vulnerable System

Table of Contents

This document contains the following sections:

01 Network Topology

02 Red Team: Security Assessment

03 Blue Team: Log Analysis and Attack Characterization

04 Hardening: Proposed Alarms and Mitigation Strategies

Network Topology

Network

  • Address Range: 192.168.1.0/24
  • Netmask: 255.255.255.0
  • Gateway: 192.168.1.1

Machines

IPv4          | OS    | Hostname
--------------|-------|----------------
192.168.1.1   | Linux | ML-RefVm-684427
192.168.1.105 | Linux | server1
192.168.1.100 | Linux | ELK
192.168.1.90  | Linux | Kali

Red Team: Security Assessment

Recon: Describing the Target

Nmap identified the following hosts on the network:

Hostname        | IP Address    | Role on Network
----------------|---------------|------------------------------------------
ML-RefVm-684427 | 192.168.1.1   | Hyper-V Manager Gateway (Virtual Machine)
server1         | 192.168.1.105 | Capstone Web Server
ELK             | 192.168.1.100 | Web Monitoring for Capstone Web Server
Kali            | 192.168.1.90  | Attack Machine

Vulnerability Assessment

The assessment uncovered the following critical vulnerabilities in the target:

Vulnerability | Description | Impact
--------------|-------------|-------
Sensitive Data Exposure - Directory Traversal | The hidden directory /secret_folder is exposed through the website and is accessible to the public. | Directory traversal allows an attacker to reach unauthorized areas of the web server.
Unauthorized File Upload | Users are allowed to upload potentially dangerous file types directly onto the web server. | In this case PHP scripts could be uploaded onto the web server, allowing the attacker to access the root directory.
Remote Code Execution - LFI (Local File Inclusion) Vulnerability | A PHP shell script could be uploaded onto the web server and run through the public webpage. | This LFI vulnerability allowed the attacker to open a reverse shell, gain access to the server and read sensitive information.

Exploitation: Sensitive Data Exposure - Directory Traversal

Tools & Processes

  • nmap was used to scan the network and look for servers.
  • The Firefox browser was used to access 192.168.1.105 and to perform directory traversal to reach the secret folder.
  • Hydra was used to run a brute-force attack against the secret folder.

Achievements

  • The webpage refers to /company_folders/secret_folder/; using directory traversal, the secret folder could be accessed.
  • The folder is password protected but refers to the user ‘ashton’.
  • Ran a brute-force attack using Hydra and discovered the password is ‘leopoldo’.
  • Gained access to the secret folder and discovered instructions on how to access the corporate server.

Exploitation: Unauthorized File Upload

Tools & Processes

  • Used crackstation.net to crack the stolen hashed password and gain access to the corporate server’s /webdav page.
  • Used msfvenom to create a PHP script to upload onto the /webdav page.
  • Uploaded the exploit.php shell using WebDAV.
  • Ran exploit.php from the Firefox browser by clicking on the file link.

Achievements

  • Used the cracked password to gain access to the corporate server’s WebDAV.
  • Created an exploit.php shell and uploaded it onto the web server.
  • Was able to run the exploit directly from the /webdav page on the web server, allowing me to create a Meterpreter session and gain access to the corporate server.

Exploitation: Remote Code Execution - LFI Vulnerability

Tools & Processes

  • Used Meterpreter with reverse_tcp to connect to the uploaded PHP shell.
  • Used the reverse shell to gain access to the corporate server.
  • Used the cat command to read flag.txt and discover the hidden flag.

Achievements

  • Opened a Meterpreter session using reverse_tcp and gained access to the corporate server.
  • Utilized the reverse shell to search the corporate server’s directory structure and found a hidden flag.
  • Read the hidden flag using the cat command.

Blue Team: Log Analysis and Attack Characterization

Analysis: Identifying the Port Scan

  • What time did the port scan occur? The port scan occurred at ~01:00:00 on February 9, 2022.
  • How many packets were sent, and from which IP? Over a 7-minute period, 10,094 packets were sent from 192.168.1.90 to 192.168.1.105.
  • What indicates that this was a port scan? The telltale sign in the data above is that many different ports received hits within a very short period of time.

Analysis: Finding the Request for the Hidden Directory

  • What time did the request occur? February 9, 2022 @ 01:05:56
  • How many requests were made? 16,162 requests were made.
  • Which files were requested? The requested file was ‘connect_to_corp_server’.
  • What did they contain? This file contained instructions on how to access Capstone’s corporate WebDAV server.

Analysis: Uncovering the Brute Force Attack

  • How many requests were made in the attack? There were a total of 16,156 requests made during the attack.
  • How many requests had been made before the attacker discovered the password? Out of the 16,156 hits only 4 successfully accessed the hidden file.

Analysis: Finding the WebDAV Connection

  • How many requests were made to this directory? There were a total of 498 hits made to the /webdav directory. Looking at port 4444 traffic, we can see a Meterpreter session was opened, with a total of 24 hits.
  • Which files were requested? The files that were requested were /webdav/exploit.php and /webdav/password.dav

Blue Team: Proposed Alarms and Mitigation Strategies

Mitigation: Blocking the Port Scan

What kind of alarm can be set to detect future port scans?

  • We can set an alert for “number of requests per second”
  • We can set an alert if many different ports are hit in less than a minute.

What threshold would you set to activate these alarms?

  • Greater than 10 requests per second, sustained for more than a 10-second period.
  • More than 10 different ports hit over a 10-second period.

What configurations can be set on the host to mitigate port scans?

  • Create firewall rules that can rate-limit incoming traffic
  • Filter incoming traffic through an IDS (Intrusion Detection System) and alert if the threshold has been met.
  • Only allow white-listed IP addresses through the firewall.
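As an added example (not part of the original report), the two alarms above expressed as detection logic over constructed packet records, using the thresholds given on this slide: more than 10 distinct destination ports inside a 10-second window, and more than 10 packets per second sustained for more than 10 seconds. The record format and the sample traffic are assumptions, not data from the engagement.

```python
from collections import defaultdict

# Constructed sample: (timestamp_s, src_ip, dst_ip, dst_port). The first source sweeps
# 300 ports at 20 packets/s; the second is ordinary one-request-per-second web traffic.
SAMPLE_PACKETS = [(i / 20, "192.168.1.90", "192.168.1.105", 1 + i) for i in range(300)]
SAMPLE_PACKETS += [(5.0 + i, "192.168.1.100", "192.168.1.105", 80) for i in range(20)]


def detect_port_scans(packets, window=10.0, min_ports=10, min_rate=10, min_duration=10):
    """Return {src_ip: [alarm names]} for every source that tripped an alarm.

    distinct_ports : more than `min_ports` distinct destination ports from one source
                     inside any `window`-second span.
    sustained_rate : more than `min_rate` packets/second from one source for more than
                     `min_duration` consecutive seconds.
    """
    by_src = defaultdict(list)
    for ts, src, _dst, dport in sorted(packets):
        by_src[src].append((ts, dport))

    alarms = {}
    for src, events in by_src.items():
        reasons = []
        # Alarm 1: slide a window over the time-ordered events and count distinct ports.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) > min_ports:
                reasons.append("distinct_ports")
                break
        # Alarm 2: bucket packets per whole second, then look for a run of consecutive
        # seconds, longer than min_duration, in which the count exceeds the rate threshold.
        per_sec = defaultdict(int)
        for ts, _ in events:
            per_sec[int(ts)] += 1
        run = 0
        for sec in range(min(per_sec), max(per_sec) + 1):
            run = run + 1 if per_sec[sec] > min_rate else 0
            if run > min_duration:
                reasons.append("sustained_rate")
                break
        if reasons:
            alarms[src] = reasons
    return alarms


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_PACKETS))
```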

Mitigation: Finding the Request for the Hidden Directory

What kind of alarm can be set to detect future unauthorized access?

  • The file should be accessible only by certain IP addresses (white-listed)
  • If a non-white-listed IP address attempts to access the file the alarm should trip.

What threshold would you set to activate this alarm?

  • Any IP address not on the white-list should trip the alarm. Therefore the threshold is any non-white-listed IP address.

What configuration can be set on the host to block unwanted access?

  • Ultimately, the file should not be stored on the public web server.
  • The file should be stored encrypted so that its contents cannot be read if it is reached.
  • This file should only be accessible through an IP “white-list”.
  • The SIEM should monitor this folder and alert on any access from a non-white-listed IP address.

Mitigation: Preventing Brute Force Attacks

What kind of alarm can be set to detect future brute force attacks?

  • A 401 Unauthorized response code is returned on an unsuccessful login attempt. Create an alert for a certain number of 401 response codes in a 10-second window.
  • The Hydra user-agent identifies a brute-force attack. Create an alert if the user-agent equals “hydra”.

What threshold would you set to activate this alarm?

  • More than 15 “401 Unauthorized” codes in a one-hour period.
  • Any time the user-agent is equal to “hydra”.

What configuration can be set on the host to block brute force attacks?

  • Set an account lockout period of 30 minutes for any account with 7 unsuccessful login attempts.
  • Set a rule that after 15 unauthorized login attempts from a given IP address, that IP is auto-locked for 1 hour.

Mitigation: Detecting the WebDAV Connection

What kind of alarm can be set to detect future access to this directory?

  • The /webdav directory should be accessible only by certain IP addresses (white-listed).
  • If a non-white-listed IP address attempts to access the directory the alarm should trip.

What threshold would you set to activate this alarm?

  • Any IP address not on the white-list should trip the alarm. Therefore the threshold is any non-white-listed IP address.

What configuration can be set on the host to control access?

  • Ultimately, the /webdav directory should not be accessible through the public web server interface.
  • The /webdav shared folder should only have “white-listed” IP access.

Mitigation: Identifying Reverse Shell Uploads

What kind of alarm can be set to detect future file uploads?

  • We can set an alert if any activity is present over port 4444, which is Meterpreter’s default port number.
  • We can set an alert if any HTTP POST request contains a .php file.

What threshold would you set to activate this alarm?

  • The alarm should be tripped by any activity on port 4444.
  • The alarm should trip on any HTTP POST request carrying a .php file.

What configuration can be set on the host to block file uploads?

  • We can remove the ability to upload files into the /webdav directory.
  • We can restrict write permissions on the host and only allow certain users to enact changes.
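As an added example (not from the report or the target's own configuration), the web-server alarms from the brute-force, hidden-directory, WebDAV and upload slides above as rules over constructed Apache combined-format access-log lines: more than 15 401 responses from one IP within an hour (the IP to lock), a user-agent containing “hydra” (Hydra's default agent string contains the word rather than equalling it), access to /company_folders/secret_folder or /webdav from an IP outside an assumed white-list, and an upload of a .php file, checking PUT as well as POST because WebDAV writes files with PUT. The white-list, log lines and alarm names are assumptions; the port 4444 alarm needs network rather than web-server logs and is left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined"-format lines, not the engagement's ELK data: 16 failed
# basic-auth attempts from the Hydra tool, the hidden file being read, a PHP upload to
# /webdav, and one legitimate WebDAV request from the assumed white-listed host.
SAMPLE_LOG = [
    f'192.168.1.90 - - [09/Feb/2022:01:05:{s:02d} +0000] "GET /company_folders/secret_folder/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"'
    for s in range(16)
] + [
    '192.168.1.90 - ashton [09/Feb/2022:01:05:56 +0000] "GET /company_folders/secret_folder/connect_to_corp_server HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.90 - ashton [09/Feb/2022:01:12:03 +0000] "PUT /webdav/exploit.php HTTP/1.1" 201 0 "-" "DAV-client"',
    '192.168.1.100 - ashton [09/Feb/2022:01:12:10 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 890 "-" "DAV-client"',
]
WHITELIST = {"192.168.1.100"}  # assumption: only the monitoring host may reach protected paths
PROTECTED = ("/company_folders/secret_folder", "/webdav")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')


def parse(line):
    """Split one combined-format line into (ip, timestamp, method, path, status, user_agent)."""
    ip, ts, method, path, status, ua = LOG_RE.match(line).groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status), ua


def evaluate_alarms(lines, max_401=15, window=timedelta(hours=1)):
    """Return the set of (alarm_name, source_ip) pairs tripped by the log lines."""
    alarms = set()
    failures = defaultdict(list)  # source ip -> timestamps of its 401 responses
    for line in lines:
        ip, ts, method, path, status, ua = parse(line)
        if "hydra" in ua.lower():
            alarms.add(("hydra_user_agent", ip))
        if status == 401:
            failures[ip].append(ts)
            # Brute force: more than max_401 failures from this IP inside the window -> lock it.
            if sum(1 for t in failures[ip] if ts - t <= window) > max_401:
                alarms.add(("brute_force_lock_ip", ip))
        if path.startswith(PROTECTED) and ip not in WHITELIST:
            alarms.add(("non_whitelisted_protected_path", ip))
        # WebDAV writes files with PUT; the slide names POST, so both methods are checked.
        if method in ("PUT", "POST") and path.lower().endswith(".php"):
            alarms.add(("php_upload", ip))
    return alarms


if __name__ == "__main__":
    for alarm, ip in sorted(evaluate_alarms(SAMPLE_LOG)):
        print(f"{alarm}: {ip}")
```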
