Capstone Engagement
Assessment, Analysis, and Hardening of a Vulnerable System
by Kurt Anderson
Table of Contents
This document contains the following sections:
01 Network Topology
02 Red Team: Security Assessment
03 Blue Team: Log Analysis and Attack Characterization
04 Hardening: Proposed Alarms and Mitigation Strategies
Network Topology
Network
Address Range: 192.168.1.0/24
Netmask: 255.255.255.0
Gateway: 10.0.0.76
Machines
IPv4: 192.168.1.105
OS: Windows
Hostname: Capstone
IPv4: 192.168.1.90
OS: Kali Linux
Hostname: Kali
IPv4: 192.168.1.100
OS: Linux
Hostname: ELK
IPv4: 192.168.1.1
OS: Windows Hyper-V
Hostname: Hyper-V Manager ML-REFVM-684427
The attacker machine (Kali VM) connected to the victim machine (Capstone server) over port 80, exploited its vulnerabilities, and then used a brute-force attack to obtain user passwords from the victim.
This activity was logged by the ELK server and stored for analysis in Kibana.
Red Team: Security Assessment
Recon: Describing the Target
Nmap identified the following hosts on the network:
| Hostname | IP Address | Role on Network |
| --- | --- | --- |
| ELK Machine | 192.168.1.100 | Monitoring and Logging |
| Capstone Server | 192.168.1.105 | Company Database |
| Kali Linux Machine | 192.168.1.90 | Attacker Machine |
| Hyper-V Manager ML-REFVM-684427 | 192.168.1.1 | Virtual Machine Host |
Vulnerability Assessment
The assessment uncovered the following critical vulnerabilities in the target:
| Vulnerability | Description | Impact |
| --- | --- | --- |
| CVE-2019-6579: Port 80 (HTTP) is open, allowing public access | An attacker with web access could exploit this vulnerability and gain access to server folders and files. | Successful exploitation compromises all three elements of the CIA triad: confidentiality, integrity, and availability. |
| Basic Usernames | Usernames are only first and/or last names and can be easily guessed by anyone with access to the company’s contacts. | Social engineering can reveal basic employee information, such as the names ‘Ashton’ or ‘Ryan’, which combined with a simple password is enough to gain access. |
| CVE-2019-3746: Brute Force of Weak Passwords | Common passwords used for company logins are easily guessed and can be brute-forced with a basic wordlist such as ‘rockyou.txt’. | Combined with easily guessed usernames, a brute-force attack can recover simple and unsalted hashed passwords and gain access to sensitive data. |
| WebDAV Vulnerability | Exploitation of WebDAV could grant shell access to the server. | Improper configuration of WebDAV allows attackers to modify a website’s content by uploading malicious shell scripts, which could then be used to take control of other servers on the network. |
Exploitation: CVE-2019-6579 Port 80 Open
Tools & Processes
Using Nmap, I scanned the network and found that port 80 was open on 192.168.1.105. With port 80 open, I could attempt to connect through it and exploit vulnerabilities in the system.
Achievements
The scan found 4 hosts and showed ports 22 and 80 open on host 192.168.1.105; I could now attempt to access the host through port 80.
Exploitation: Basic Usernames
Tools & Processes
Using the Firefox browser, I accessed http://192.168.1.105 and attempted to open the various folders and files; an error message revealed a folder named ‘/company_folders/secret_folder’. When I tried to open that folder, a login prompt saying “For ashtons eyes only” appeared. Ashton is an employee at the company, so I assumed his username was ‘ashton’ and attempted to find his password by brute force.
Achievements
I confirmed that ‘ashton’ was a valid username, and according to the site, Ashton is the manager of ‘company_folders/secret_folder’. I now had the username needed to start a brute-force attack on Ashton’s password.
Exploitation: CVE-2019-3746: Brute Force of Weak Passwords
Tools & Processes
I used Hydra to brute force Ashton’s password with the command:
hydra -l ashton -P /usr/share/wordlists/rockyou.txt -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder
Achievements
After letting Hydra run, I found ashton’s password ‘leopoldo’ after just a couple of minutes. This gave me access to the secret folder, which contained instructions for accessing the WebDAV folder on the site, where I could upload a reverse shell script and ultimately gain complete control of the server.
Exploitation: WebDAV Vulnerability
Tools & Processes
Using the tool dirb, I enumerated URLs and directories on host 192.168.1.105. Ashton’s personal note contained instructions for accessing the /webdav folder, specifically the username ‘ryan’ along with a hashed password. I used CrackStation to crack Ryan’s password. With access to WebDAV, I could create a payload with msfvenom, deliver it, and run the exploit from msfconsole.
Achievements
I accessed dav://192.168.1.105/webdav through the Linux file manager, and cracking Ryan’s password hash gave “linux4u”. With access to WebDAV on the host, I uploaded a reverse shell that granted me root access to the host’s directories.
Blue Team: Log Analysis and Attack Characterization
Analysis: Identifying the Port Scan
Analysis: Finding the Request for the Hidden Directory
Analysis: Uncovering the Brute Force Attack
Analysis: Finding the WebDAV Connection
Blue Team: Proposed Alarms and Mitigation Strategies
Mitigation: Blocking the Port Scan
Alarm
To detect and prevent another port scan, set a high-priority email alert that notifies the SOC when requests to port 80 or port 443 are being made to the server. The alert should fire when more than 3 requests arrive within a 15 to 30 minute interval.
System Hardening
To harden the system against port scans, use a firewall to block unauthorized requests to open ports, and create firewall rules that reject ping requests from suspicious IP addresses.
Running ‘nmap 192.168.1.105’ will show which ports are open; for any open port found, work with IT to create firewall rules that block incoming traffic.
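As an added example (not part of the original report), the port-scan alarm above expressed as a sliding-window detector in Python over constructed firewall log lines. It assumes iptables-style LOG entries as written by syslog, which the report does not specify, and goes one step beyond the stated rule by also flagging a source that touches many distinct destination ports within the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: iptables-style LOG lines via syslog (an assumption; the report
# does not say which firewall or log source is available). Samples are constructed.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) "
                    r"DST=\S+ .*PROTO=TCP .*DPT=(?P<dpt>\d+)")
WEB_PORTS = {80, 443}

def _push(q, ts, port, window):
    """Add one hit to a per-source deque and drop hits older than the window."""
    q.append((ts, port))
    while ts - q[0][0] > window:
        q.popleft()
    return q

def detect(lines, window=timedelta(minutes=30), max_web=3, max_ports=10, year=2024):
    """Return (kind, src, count, first_ts) alerts; each kind fires once per source."""
    web, ports, alerts, fired = defaultdict(deque), defaultdict(deque), [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src, dpt = m["src"], int(m["dpt"])
        # Rule from the report: more than max_web requests to 80/443 per window.
        if dpt in WEB_PORTS:
            q = _push(web[src], ts, dpt, window)
            if len(q) > max_web and ("web", src) not in fired:
                fired.add(("web", src))
                alerts.append(("web_port_burst", src, len(q), q[0][0]))
        # Generalisation: many distinct destination ports from one source = nmap-style scan.
        q = _push(ports[src], ts, dpt, window)
        distinct = len({p for _, p in q})
        if distinct > max_ports and ("scan", src) not in fired:
            fired.add(("scan", src))
            alerts.append(("port_scan", src, distinct, q[0][0]))
    return alerts

# Constructed sample: 192.168.1.90 probes 12 ports on the Capstone server, then
# opens four connections to port 80; 192.168.1.50 makes two ordinary web visits.
def _fw(sec, src, dpt):
    return (f"Jan  1 10:{sec // 60:02d}:{sec % 60:02d} capstone kernel: IN=eth0 OUT= "
            f"SRC={src} DST=192.168.1.105 PROTO=TCP SPT=5{sec:04d} DPT={dpt} SYN")
SAMPLE = ([_fw(i, "192.168.1.90", p) for i, p in
           enumerate([21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3306, 8080])]
          + [_fw(60 + i, "192.168.1.90", 80) for i in range(4)]
          + [_fw(300, "192.168.1.50", 80), _fw(360, "192.168.1.50", 80)])
```

The legitimate host never trips either rule, while the scanning host fires the distinct-port rule on its 11th port and the report's 80/443 rule on its 4th web connection.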
Mitigation: Finding the Request for the Hidden Directory
Alarm
There were over 16,000 GET requests to the ‘/company_folders/secret_folder’ directory. I suggest an alarm that alerts us to any requests exceeding a threshold of 100, checked hourly.
System Hardening
The hidden directory held a document containing sensitive information, as well as login information that was not complex enough; these factors made it easy to access.
To prevent unauthorized access to the hidden directory ‘/secret_folder’, I suggest multi-factor authentication combined with complex usernames and passwords, plus a password update every 3 to 6 months to further secure logins. The sensitive information contained in the folder should be encrypted.
Monitoring of any access to the folder, including the source IP, should be put in place.
Mitigation: Preventing Brute Force Attacks
Alarm
I found 31,175 “unauthorized” hits to the target machine, all within 30 minutes. An alert should notify IT of more than 7 failed logins for any single user credential.
System Hardening
Multi-factor authentication, limiting incorrect login attempts, and a strong password policy are simple ways to mitigate brute-force attacks and unauthorized access.
Monitoring multiple failed logins by source IP address will also help keep track of authorized access.
Mitigation: Detecting the WebDAV Connection
Alarm
Access to WebDAV should be limited to authorized personnel, so a whitelist of authorized users and their IP addresses should define who the system allows to reach WebDAV. Any access from an unauthorized IP address should be investigated.
System Hardening
To harden the system against unauthorized WebDAV connections, I recommend stricter password policies and more complex usernames. If WebDAV can be avoided entirely, I recommend other means of remote access, such as a VPN or SSH.
Mitigation: Identifying Reverse Shell Uploads
Alarm
An alarm should be set for any upload to the system, especially for certain file types such as the ‘reverse_shell.php’ file that was uploaded. Any upload activity should generate an alert to IT for investigation.
System Hardening
A filter that allows only certain file types should be put in place to prevent malicious scripts or injections from being uploaded to a web-based server.
Authentication for file uploads, including password verification and multi-factor authentication, should be put in place to reduce the chance of harmful content being uploaded.
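As an added example (not from the original report), the hidden-directory threshold, the failed-login threshold, and the WebDAV whitelist and file-type filter from the mitigation slides above, implemented together in Python over constructed access-log lines. The combined log format, the allowlisted address 192.168.1.50 and the permitted extensions are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed input: web server access log in the common "combined" format, with the
# attempted username logged on 401 (an assumption; the report does not name the server).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SECRET = "/company_folders/secret_folder"
WEBDAV_ALLOWED_IPS = {"192.168.1.50"}            # constructed allowlist (report: whitelist)
ALLOWED_UPLOAD_EXT = {".txt", ".pdf", ".docx"}   # constructed allowlist (report: type filter)

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def evaluate(lines, secret_per_hour=100, failed_per_user=7):
    """Apply the report's alarms and return a list of alarm tuples."""
    secret_hits, failed, alarms = Counter(), Counter(), []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "GET" and rec["path"].startswith(SECRET):
            secret_hits[rec["ts"].strftime("%Y-%m-%d %H")] += 1   # hourly bucket
        if rec["status"] == 401 and rec["user"] != "-":
            failed[(rec["user"], rec["ip"])] += 1                   # per credential and source
        if rec["path"].startswith("/webdav") and rec["method"] in {"PUT", "MOVE", "COPY"}:
            ext = rec["path"][rec["path"].rfind("."):].lower() if "." in rec["path"] else ""
            if rec["ip"] not in WEBDAV_ALLOWED_IPS:
                alarms.append(("webdav_unauthorized_ip", rec["ip"], rec["path"]))
            if ext not in ALLOWED_UPLOAD_EXT:
                alarms.append(("webdav_disallowed_type", rec["ip"], rec["path"]))
    alarms += [("secret_folder_hits", hour, n) for hour, n in secret_hits.items() if n > secret_per_hour]
    alarms += [("brute_force", user, ip, n) for (user, ip), n in failed.items() if n > failed_per_user]
    return alarms

# Constructed sample: 120 GETs on the hidden directory inside one hour, the first
# 8 of them failed basic-auth attempts for 'ashton' from the Kali host, then one
# PHP upload to /webdav from that host and one legitimate text file from an allowed IP.
SAMPLE = [f'192.168.1.90 - ashton [01/Jan/2024:10:{i // 60:02d}:{i % 60:02d} +0000] '
          f'"GET {SECRET}/ HTTP/1.1" {401 if i < 8 else 200} 512' for i in range(120)] + [
    '192.168.1.90 - ryan [01/Jan/2024:10:05:00 +0000] "PUT /webdav/reverse_shell.php HTTP/1.1" 201 0',
    '192.168.1.50 - ryan [01/Jan/2024:10:06:00 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0',
]
```

Against the report's real counts (over 16,000 hits and 31,175 failed logins), the same thresholds would fire the first two alarms many times over.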