1 of 22

Capstone Engagement

Assessment, Analysis, and Hardening of a Vulnerable System

Report By: Troy Perry


Table of Contents

This document contains the following sections:

  01  Network Topology
  02  Red Team: Security Assessment
  03  Blue Team: Log Analysis and Attack Characterization
  04  Hardening: Proposed Alarms and Mitigation Strategies


Network Topology



Network Topology

Network

Address Range: 192.168.1.0/24

Netmask: 255.255.255.0

Gateway: 10.0.0.1

Machines

  • IPv4: 192.168.1.1    OS: Windows 10    Hostname: Azure Hyper-V ML-RefVm-684427
  • IPv4: 192.168.1.90   OS: Linux 2.6.32  Hostname: Kali
  • IPv4: 192.168.1.100  OS: Linux         Hostname: ELK
  • IPv4: 192.168.1.105  OS: Linux         Hostname: Capstone



Red Team

Security Assessment



Recon: Describing the Target

Nmap identified the following hosts on the network:

Hostname                               IP Address     Role on Network
Azure Hyper-V Machine ML-RefVm-684427  192.168.1.1    Host Machine - Cloud based.
Kali                                   192.168.1.90   Attacker Machine
ELK Server                             192.168.1.100  Network monitoring via Kibana
Capstone                               192.168.1.105  Target Machine


Vulnerability Assessment

The assessment uncovered the following critical vulnerabilities in the target:

Vulnerability: Brute Force Attack
  Description: An attacker tries many different username and password combinations to gain access to a device or system.
  Impact: Programs such as Hydra or John the Ripper, used in conjunction with a password list such as rockyou.txt, can provide easy access to a device or system.

Vulnerability: Local File Inclusion (LFI)
  Description: If an LFI vulnerability exists in a website or web application, an attacker can include malicious files that are later run by that website or web application.
  Impact: An LFI attack may lead to information disclosure, including access to files and/or credentials. It can also lead to remote code execution or cross-site scripting.

Vulnerability: Hashed Passwords
  Description: If a password is stored as an unsalted hash, it can be cracked with programs such as hashcat or online tools like crackstation.net.
  Impact: If an attacker had access to usernames, or had used tools to acquire or guess them correctly, the attacker could crack a hashed password and access system files or information.

Vulnerability: WebDAV
  Description: WebDAV is an extension to the HTTP specification that adds a capability for authorized users to remotely add and manage the content of a web server.
  Impact: Exploitation can give an attacker shell access.


Exploitation: Brute Force

Tools & Processes

I used Hydra on the attacking Kali Linux machine in conjunction with rockyou.txt (password list) to obtain the system password for user ashton.

Command:

hydra -l ashton -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.1.105 http-get /company_folders/secret_folder


Achievements

The exploit returned a valid pair (login: ashton, password: leopoldo), allowing system access.


Exploitation: Hashed Passwords

Tools & Processes

I used crackstation.net to crack the hashed password for Ryan that was located on the Capstone machine after logging in with Ashton’s credentials.


Achievements

The cracked hash revealed the password for user ryan was “linux4u” which was used to access the /webdav folder.


Exploitation: LFI Vulnerability

Tools & Processes

I used msfvenom to create a deliverable payload that was uploaded by accessing the webdav page.


Achievements

I then used msfconsole and the multi/handler exploit to gain a Meterpreter shell on the Capstone machine.


Blue Team

Log Analysis and Attack Characterization

Analysis: Identifying the Port Scan

  • The port scan started around 4:00 pm on October 20, 2021.
  • 16,850 packets were sent from 192.168.1.90.
  • The spike in traffic indicates that this was a port scan.


Analysis: Finding the Request for the Hidden Directory

  • The requests began at 4:00 pm on 10/20/2021; 16,204 requests were made.
  • The /secret_folder (hidden directory) contained the connect_to_corp_server file, which contained a hash of user ryan’s password.
  • Cracking the hash of ryan’s password allowed me to log in to /webdav and deliver the PHP payload.


Analysis: Uncovering the Brute Force Attack

  • 16,204 requests were made in the brute force attack.
  • 16,202 requests were made before the password was discovered.


Analysis: Finding the WebDAV Connection

  • There were 78 hits in webdav.
  • shell.php was the only file requested.


Blue Team

Proposed Alarms and Mitigation Strategies

Mitigation: Blocking the Port Scan

An Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) would be a good option for detecting port scans and reacting with mitigation. The IDS would have multiple rules set to detect different types of scans, and the IPS would be set to send an alarm or block the traffic altogether.

A threshold could be set to block a machine trying to create 1,000 TCP connections across numerous ports.

An IDS/IPS or a firewall can be used to mitigate port scans; the following ipset and iptables rules implement such a threshold on the host:

  • ipset create port_scanners hash:ip family inet hashsize 32768 maxelem 65536 timeout 600
  • ipset create scanned_ports hash:ip,port family inet hashsize 32768 maxelem 65536 timeout 60
  • iptables -A INPUT -m state --state INVALID -j DROP
  • iptables -A INPUT -m state --state NEW -m set ! --match-set scanned_ports src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 10000 -j SET --add-set port_scanners src --exist
  • iptables -A INPUT -m state --state NEW -m set --match-set port_scanners src -j DROP
  • iptables -A INPUT -m state --state NEW -j SET --add-set scanned_ports src,dst

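The same threshold can be applied to connection records, such as the Packetbeat events the ELK server collects. The following Python is an added example and not part of the original report; the event shape (epoch seconds, source IP, destination IP, destination port) and the sample data are assumptions:

```python
from collections import defaultdict, deque, Counter

CONN_THRESHOLD = 1000   # slide threshold: 1,000 TCP connections across numerous ports
WINDOW_SECONDS = 60

def detect_port_scans(events, threshold=CONN_THRESHOLD, window=WINDOW_SECONDS):
    """events: (epoch_seconds, src_ip, dst_ip, dst_port) per new TCP connection, in time order.
    Returns {src_ip: peak distinct destination ports} for sources that reach the threshold
    within the window; a normal client talking to one service never gets close."""
    recent = defaultdict(deque)     # src -> deque of (ts, port) still inside the window
    ports = defaultdict(Counter)    # src -> port -> occurrences inside the window
    offenders = {}
    for ts, src, _dst, port in events:
        q, c = recent[src], ports[src]
        q.append((ts, port))
        c[port] += 1
        while ts - q[0][0] > window:        # expire connections older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold:
            offenders[src] = max(offenders.get(src, 0), len(c))
    return offenders

# Constructed events (not the engagement's Packetbeat data): the attacker host walks ports
# 1-1200 of the target in 12 s while a workstation keeps reconnecting to port 80 only.
START = 1634745600   # 2021-10-20 16:00:00 UTC, the time the report places the scan
SCAN = [(START + i // 100, "192.168.1.90", "192.168.1.105", 1 + i) for i in range(1200)]
NORMAL = [(START + i, "192.168.1.1", "192.168.1.105", 80) for i in range(1200)]
EVENTS = sorted(SCAN + NORMAL)
```

Counting distinct destination ports rather than raw packets is what separates a scanner from a busy legitimate client, which reuses the same port.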

Mitigation: Finding the Request for the Hidden Directory

Alerts should be set for any machine accessing the location other than those that are authorized to access it.

If any unauthorized IP address tries to access the folder an alert should be sent.

Rules should be set to only allow access to IP addresses that need to access the directory and to deny any other trying to access it.

The firewall rules would need to be set to allow access for each IP address that you want to have access.


Mitigation: Preventing Brute Force Attacks

An alert should be set for a spike in failed login attempts to any part of the system.

The threshold for this alarm should be fairly low but high enough to avoid false positives. 4-10 failed logins would be sufficient.

Set the firewall and load balancers to prevent access to the system and lock out an account if it fails to log in more than 4-10 times. Also set up the firewall to block an IP address if it attempts to access the system and fails more than 5 times within 1 minute.


Mitigation: Detecting the WebDAV Connection

Alerts should be set for any machine accessing the location other than those that are authorized to access it.

If any unauthorized IP address tries to access this location an alert should be sent.

Rules should be set to only allow access to IP addresses that need to access this location and to deny any other trying to access it.

The firewall rules would need to be set to allow access for each IP address that you want to have access.


Mitigation: Identifying Reverse Shell Uploads

Set an alert for any HTTP PUT requests from unauthorized IP addresses.

The threshold would be set for any HTTP PUT request made from unauthorized IP addresses.

Set rules that block all attempts to upload files to the webdav from any unauthorized IP address.

Set the configuration file to allow access from 192.168.1.1 and 192.168.1.105 and deny all others.

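The brute-force alarm (more than 5 failed logins within 1 minute) and the reverse-shell upload alarm (any HTTP PUT to /webdav from an IP outside the 192.168.1.1 / 192.168.1.105 allow list) can be checked with one pass over the web server's access log. The following Python is an added example and not part of the original report; it assumes Apache combined-format logs, and the sample lines are constructed:

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Assumption: the Capstone web server writes Apache combined-format access logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Allow list and threshold taken from the mitigation slides.
WEBDAV_ALLOWED = {"192.168.1.1", "192.168.1.105"}
FAIL_LIMIT, FAIL_WINDOW = 5, 60          # alarm above 5 failures within 1 minute

def parse(line):
    # One access-log line -> dict of fields, or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def detect(lines):
    """Return alert strings for brute-force bursts and unauthorized WebDAV uploads."""
    alerts, failures, flagged = [], defaultdict(deque), set()
    for e in filter(None, map(parse, lines)):
        ip, ts = e["ip"], e["ts"]
        # Alarm 1: HTTP 401 responses per source IP inside a sliding 60 s window
        if e["status"] == 401:
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > FAIL_WINDOW:
                q.popleft()
            if len(q) > FAIL_LIMIT and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"BRUTE_FORCE {ip}: {len(q)} failed logins within {FAIL_WINDOW}s on {e['path']}")
        # Alarm 2: any PUT under /webdav from a source outside the allow list
        if e["method"] == "PUT" and e["path"].startswith("/webdav") and ip not in WEBDAV_ALLOWED:
            alerts.append(f"WEBDAV_UPLOAD {ip}: PUT {e['path']}")
    return alerts

# Constructed sample lines (not the engagement's real logs): six failures in 10 s, then a
# successful login and two uploads, only one of them from an allowed host.
SAMPLE = [
    f'192.168.1.90 - - [20/Oct/2021:16:00:{s:02d} +0000] "GET /company_folders/secret_folder HTTP/1.1" 401 381'
    for s in range(0, 12, 2)
] + [
    '192.168.1.90 - ashton [20/Oct/2021:16:00:13 +0000] "GET /company_folders/secret_folder HTTP/1.1" 200 512',
    '192.168.1.90 - ryan [20/Oct/2021:16:05:00 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0',
    '192.168.1.1 - ryan [20/Oct/2021:16:06:00 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0',
]
```

The 401 check matches the HTTP basic authentication failures that a credential-guessing run against /company_folders/secret_folder produces; the upload check fires regardless of the response code, since an allow-list violation is the signal.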