1 of 24

Project:

Red Vs Blue

By: Darnell Antwine & Rishawn Blackwell


Table of Contents

This document contains the following sections:

01  Network Diagram
02  Red Team (Offense): Security Assessment
03  Blue Team (Defense): Log Analysis and Attack Characterization
04  Hardening: Proposed Alarms and Mitigation Strategies


Network Topology


Red Team

Security Assessment


Recon: Describing the Target

Nmap identified the following hosts on the network:

Hostname        IP Address       Role on Network
Kali            192.168.1.90     Hacker's machine (attacker)
Ubuntu 18.04    192.168.1.100    Company server
Capstone        192.168.1.105    Company machine


Vulnerability Assessment

The assessment uncovered the following critical vulnerabilities in the target:

Weak Passwords
  Description: User passwords are short or common enough to be guessed by an online dictionary attack.
  Impact: An attacker can recover a user's login credentials by brute force and authenticate as that user.

Compromised Credentials
  Description: Credentials recovered for one account expose further credentials; a manager's password hash was reachable once logged in as ashton.
  Impact: Privilege escalation. The attacker moves from a low-privileged user to a manager account and from there to root.

Poor Encryption
  Description: The stored password hash could be reversed with a public lookup table (CrackStation), which only works against fast, unsalted hashes. A salted, slow password hash would have resisted this.
  Impact: Once the password is recovered the attacker gains access to further sensitive data.


Exploitation: Weak Passwords

Tools & Processes

I used Hydra to brute-force and retrieve the password for the user ashton.

Achievements

The exploit allowed me to gain further access into the company's database using ashton's password.


Exploitation: Poor Encryption & Compromised Credentials

Tools & Processes

Used CrackStation.net to crack the password hash found after logging in with Ashton's credentials. Used WebDAV to reach the server. Used the php-reverse-shell tool to gain a shell.

Achievements

Discovering manager Ryan's login credentials allowed further access to the company's data, and Ryan's account was then used to obtain root access.


Blue Team

Log Analysis and Attack Characterization


Analysis: Identifying the Port Scan

  • The port scan occurred on Aug 6, 2020 at 1:29 am.
  • 5 packets were sent.

[Screenshot of Kibana logs depicting the port scan]
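As an added example (not part of the original project), the following Python reproduces the check a Kibana visualization makes for this slide: one source contacting many distinct destination ports on one host inside a short window. The flow records are constructed to mirror the event above (five probes from the Kali host 192.168.1.90 to the Capstone host at 01:29) and are not real captured data; the record shape, the 60-second window and the five-port threshold are assumptions.

```python
"""Port-scan detection over flow records, as a Kibana/Packetbeat query would do.

The sample records below are constructed for this example (timestamp, source
IP, destination IP, destination port); they are not logs from the assessed
network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_FLOWS = [
    # five probes from the Kali host to five different ports within two seconds
    ("2020-08-06T01:29:00Z", "192.168.1.90", "192.168.1.105", 22),
    ("2020-08-06T01:29:00Z", "192.168.1.90", "192.168.1.105", 80),
    ("2020-08-06T01:29:01Z", "192.168.1.90", "192.168.1.105", 443),
    ("2020-08-06T01:29:01Z", "192.168.1.90", "192.168.1.105", 8080),
    ("2020-08-06T01:29:02Z", "192.168.1.90", "192.168.1.105", 3306),
    # benign: the company server repeatedly reaching one port over a longer span
    ("2020-08-06T01:29:00Z", "192.168.1.100", "192.168.1.105", 80),
    ("2020-08-06T01:30:00Z", "192.168.1.100", "192.168.1.105", 80),
    ("2020-08-06T01:31:00Z", "192.168.1.100", "192.168.1.105", 80),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_port_scans(flows, window=timedelta(seconds=60), min_ports=5):
    """Return {(src, dst): (first_seen, sorted_ports)} for every source that
    contacted at least `min_ports` distinct destination ports on one host
    within any sliding window of length `window`.

    Counting distinct ports rather than packets is what separates a scan
    from a chatty client hammering a single service.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((parse_ts(ts), port))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward so it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = (events[start][0], sorted(ports))
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), (first_seen, ports) in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"port scan: {src} -> {dst} at {first_seen:%Y-%m-%d %H:%M} on ports {ports}")
```

The benign host never trips the rule even though it sends more packets than the scanner, because it only ever touches one port; that is the distinction an alarm keyed on packet counts alone would miss.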


Analysis: Finding the Request for the Hidden Directory

  • The request occurred on Aug 6, 2020 at 8:19 pm, with roughly 16,000 requests made.
  • The file requested was /secret_folder/.
  • Inside secret_folder we found a folder named connect_to_corp_server.
  • It contained step-by-step directions for connecting to WebDAV, along with the username to use.
  • We found Ryan's password hash and entered it into a hash lookup to recover his password.
  • Once we had the username and password, we had full access.


Analysis: Uncovering the Brute Force Attack

  • 30,743 requests were made in the attack.
  • 30,730 requests had been made before the attacker discovered the password.

[Screenshot of Kibana logs depicting the brute force attack]


Analysis: Finding the WebDAV Connection

  • 16,832 requests were made to this directory.
  • The file requested over WebDAV was a PHP file (the uploaded reverse shell) inside the secret folder.
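The three web-log findings above (the hidden directory request, the brute force against it, and the WebDAV upload) are all recoverable from the server's access log, so one added example covers them; it is not the project's code or its Kibana data. The log lines are constructed in Apache combined format with a short burst of 401s standing in for the 30,743 real requests, and the WebDAV path /webdav/ and file name shell.php are assumed.

```python
"""Access-log detectors for the hidden directory request, the brute force
against it, and the WebDAV upload described above.

The log lines are constructed in Apache combined format for this example;
they are not the project's data. /webdav/ and shell.php are assumed names.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Methods only WebDAV clients send; a browser fetching pages never uses these.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT"}


def _line(ip, method, path, status, user="-", ts="06/Aug/2020:20:19:00 +0000"):
    return f'{ip} - {user} [{ts}] "{method} {path} HTTP/1.1" {status} 512'


SAMPLE_LOG = (
    [_line("192.168.1.100", "GET", "/index.html", 200)]
    # 25 failed Basic-auth guesses against the hidden directory, then the one that works
    + [_line("192.168.1.90", "GET", "/secret_folder/", 401) for _ in range(25)]
    + [_line("192.168.1.90", "GET", "/secret_folder/", 200, user="ashton")]
    # WebDAV session with the manager's recovered credentials
    + [_line("192.168.1.90", "PROPFIND", "/webdav/", 207, user="ryan"),
       _line("192.168.1.90", "PUT", "/webdav/shell.php", 201, user="ryan"),
       _line("192.168.1.90", "GET", "/webdav/shell.php", 200)]
)


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are dropped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def hidden_directory_requests(entries, prefix="/secret_folder/"):
    """Requests per source IP to a directory that nothing on the site links to."""
    return Counter(e["ip"] for e in entries if e["path"].startswith(prefix))


def brute_force_sources(entries, prefix="/secret_folder/", min_failures=20):
    """Sources with at least `min_failures` 401s against `prefix`. For each,
    report total attempts and how many failures preceded the first 200, the
    'requests before the password was discovered' figure on the slide above."""
    per_src = defaultdict(list)
    for e in entries:
        if e["path"].startswith(prefix):
            per_src[e["ip"]].append(e["status"])
    hits = {}
    for ip, statuses in per_src.items():
        if statuses.count(401) < min_failures:
            continue
        first_ok = next((i for i, s in enumerate(statuses) if s == 200), len(statuses))
        hits[ip] = {
            "attempts": len(statuses),
            "failures_before_success": statuses[:first_ok].count(401),
            "succeeded": first_ok < len(statuses),
        }
    return hits


def webdav_activity(entries):
    """(ip, user, method, path, is_php_upload) for every WebDAV-only method.
    A PUT whose target ends in .php is the reverse-shell upload pattern."""
    return [
        (e["ip"], e["user"], e["method"], e["path"],
         e["method"] == "PUT" and e["path"].lower().endswith(".php"))
        for e in entries if e["method"] in WEBDAV_METHODS
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("hidden directory:", hidden_directory_requests(entries))
    print("brute force:", brute_force_sources(entries))
    for hit in webdav_activity(entries):
        print("webdav:", hit)
```

Each detector is a separate query because each should become a separate alarm: the 401 burst fires while the brute force is still running, whereas the PUT of a .php file is the moment to isolate the host regardless of how the credentials were obtained.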


Blue Team

Proposed Alarms and Mitigation Strategies


Mitigation: Blocking the Port Scan

Once proactive scanning of our own hosts is in place, the first step is to fix any known vulnerabilities in the services it finds. Next, audit every port that is open externally through the firewall or reachable on the internal network. Services the public does not need to reach should be blocked at the firewall; if employees need them, they can connect over the VPN instead. Internal services are often left listening even when they are not in use: they may have been installed or enabled by default, or enabled for a past need and never disabled. A scan itself cannot be prevented, but closing unneeded ports limits what it reveals, and an alarm on one source touching many ports in a short window (as in the analysis above) gives early warning of the reconnaissance that precedes an attack.


Mitigation: Identifying Reverse Shell Uploads

A process that establishes a reverse shell shows behaviors and characteristics that differ from normal processes, for example a web server worker spawning /bin/sh that talks to a remote host. TXHunter's disposable agent runs on the victim computer, collects each process's behavior and characteristics, analyzes them and detects reverse shell attacks. Its hunting result, which shows the attack sequence along with the processes and times involved, is not reproduced here.


Mitigation: Finding the Request for the Hidden Directory

Alarm: Send an email alert if an unknown MAC address (a new device) requests the directory.

System Hardening: Keep a list of the MAC addresses of all devices that connect to the company's servers.

A MAC address is assigned to a network adapter when it is manufactured and is burned into the network interface card (NIC), so it is intended to be unique to that card. Note, however, that the operating system can override it in software and that it is only visible on the same layer-2 segment as the server, so the alarm should also key on the source IP address and the authenticated username recorded in the web server's access log.


Mitigation: Preventing Brute Force Attacks & Detecting the WebDAV Connection

Alarm: Set up alerting that notifies IT staff by email when an account is locked out after 5 failed login attempts. To regain access, the staff member must call IT and verify their identity before the account is unlocked.

System Hardening:
  • Limit password attempts to 5 before lockout
  • Two-factor authentication
  • 16-character minimum password length
  • Change passwords every 30 days (note that current NIST SP 800-63B guidance recommends rotating only on evidence of compromise, since forced rotation tends to produce weaker, predictable passwords)
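The lockout-and-alert policy above, written out as an added example (not the project's code) so the edge cases are explicit: a locked account rejects even the correct password until IT unlocks it, an unknown username gets the same answer as a wrong password, and the stored passwords are salted PBKDF2 hashes rather than the lookup-table-crackable hash the red team exploited. The in-memory credential store, the sample credentials and the alert list standing in for e-mail are assumptions. One caveat a practitioner should weigh: since the attacker already knows the username, five deliberate failures are enough to lock the legitimate user out, so in practice the per-account lockout is paired with per-source-IP throttling.

```python
"""Account lockout with an IT alert after 5 failed attempts, as proposed above.

Added example, not the project's code. Credentials, the in-memory store and
the alert sink are assumptions standing in for a directory service and a
mail or ticketing system.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

MAX_FAILURES = 5  # the slide's threshold


def _hash(password, salt):
    # Salted PBKDF2: a leaked store is no longer a CrackStation lookup away.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, users):
        """users: {username: password} - constructed sample credentials."""
        self._creds = {}
        for user, pw in users.items():
            salt = secrets.token_bytes(16)
            self._creds[user] = (salt, _hash(pw, salt))
        self.failures = {u: 0 for u in users}
        self.locked = set()
        self.alerts = []  # what would be e-mailed to IT

    def attempt(self, user, password, source_ip, now=None):
        """Return 'success', 'failure' or 'locked'. A locked account rejects
        even the correct password until unlock() is called by IT."""
        now = now or datetime.now(timezone.utc)
        if user in self.locked:
            return "locked"
        if user not in self._creds:
            return "failure"  # unknown user: same answer as a wrong password
        salt, stored = self._creds[user]
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            self.alerts.append({
                "time": now.isoformat(timespec="seconds"),
                "account": user,
                "source_ip": source_ip,
                "message": f"{user} locked after {MAX_FAILURES} failed logins from {source_ip}",
            })
        return "failure"

    def unlock(self, user):
        """Performed by IT after verifying the caller by phone."""
        self.locked.discard(user)
        self.failures[user] = 0


if __name__ == "__main__":
    guard = LoginGuard({"ashton": "correct horse battery staple"})
    for guess in ("password", "123456", "ashton", "letmein", "qwerty"):
        guard.attempt("ashton", guess, "192.168.1.90")
    print(guard.attempt("ashton", "correct horse battery staple", "192.168.1.90"))
    print(guard.alerts)
```

The alert carries the source IP and account so the responder can correlate it with the access-log brute-force detection without a second lookup.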
