Capstone build it break it fix it
•Download as PPTX, PDF•
1 like•84 views
My team and I designed and implemented a web server using Linux, Apache, MySQL, and PHP along with Prestashop which is an open source web storefront. We then used a variety of penetration tools to uncover vulnerabilities in the software and implement patches or fixes and continued adding features as part of continuous development of the platform and subsequently performing vulnerability testing on the new features rolled out.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Capstone build it break it fix it
Similar to Capstone build it break it fix it (20)
Recently uploaded
Recently uploaded (20)
Capstone build it break it fix it
- 1. Build It, Break It, Fix It IAN KANE, MATT VIEYRA, MOHAMMED ALDHAHERI 1
- 2. Build It: Plans Webserver with Online Store Continuous improvement 2
- 3. Requirements PCI compliant Proper database security Secure checkout 3
- 4. Architecture Prestashop 1.7 Apache 2.4.7 Ubuntu 14 Dell PowerEdge R730 4
- 5. Security Auditing Tool: Nessus Nessus allows scans for the following types of vulnerabilities: Vulnerabilities that allow a remote hacker to control or access sensitive data on a system. Misconfiguration (e.g. open mail relay, missing patches, etc.). Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack. Denials of service against the TCP/IP stack by using malformed packets Preparation for PCI DSS audits 5
- 6. Break It: Nessus Vulnerability Scanning Results from Scans No Critical or High Results Most significant result was SSH Weak Algorithms Supported Some leads HTTPS not being used 6
- 7. Break It: Man In the Middle 7
- 8. Break It: Man in the Middle 8
- 9. Password Capture at Login 9
- 10. Fix It: Enable SSL 10
- 11. Break It: Social Engineering 11
- 12. Break It: Social Engineering 12 • Email used to setup Prestashop advertised as web administrator account.
- 13. Fix It: Social Engineering Train Employees to recognize social engineering attacks Ensure email is a business email and is separate from personal emails i.e. help@business.com 13
- 14. Break It: Brute force Password Attack 14 • Tool used hydra • Used known User ID against list of common passwords • 3.55 tries per second=213 tries per minute
- 15. Fix It: Captcha 15
- 16. Break It Tool: hping3 hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. 16
- 17. Break It: DDOS Attack 17
- 18. Break It: DDOS Attack 18
- 19. Break It: DDOS Results 19
- 20. Fix It: DDOS 20
- 21. Roadblocks Difficulty setting up the server Poor to non-existent install documentation online Difficulty scanning the server Initial scans were limited to minor vulnerabilities Some hardware limitations Hardware managed by Cyber Lab IT 21
- 22. Future Plans Additional rounds of Attacking and patching the shop Implement the database Certify the server 22
- 23. Questions? 23
Editor's Notes
- We're the build it, break it, fix it team. We designed and implemented a webserver with an online shopping cart with free software and ran tests with a variety of tools to uncover vulnerabilities or bugs that could be exploited by hackers and implement patches or fixes for those exploits.
- For the shop we chose the software Prestashop because of its claims to being open source and PCI Compliant. The shop runs on top of Apache 2.4.7 which was installed from the Ubuntu Repositories. We used Ubuntu 14 as it is still supported until 2019 All the software is running on Dell PowerEdge R730 Rack Servers here in the cyber lab.
- -Nessus categorizes results in 5 groups: Critical, High, Medium, and Low -Most significant result was SSH Weak Algorithms Supported: -The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all. -Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys. https://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628/ -Some leads:Site using port 80 rather than port 443 which meant it was using the insecure HTTP protocol rather than HTTPS for user session.
- Allow web team to access help@business.com email address.
- To test password security we used the tool hydra which automates the process of password attempts In our example we know a valid user id and use a list of common passwords to find a match. Our list of common passwords was small as to come up with a positive result within a few seconds. Dell OptiPlex 7010 3.55 tries per second=213 tries per minute
- For fixes we first checked Prestashop settings but didn't find anything that would either force password complexity or prevent excessive login attempts. In the Prestashop modules page one can purchase a re Captcha module that will significantly prevent bots from creating fake accounts
- To test network capacity we used the tool hping to send TCP/IP packets to the server to simulate a DDOS attack as well as aguge the capability of the server under severe network strain.
- We utilized three Dell Optiplex 7010 desktop computers running the hping command. A forth computer recorded the test using wireshark to capture the packets being sent. ~3300 packets over 200 seconds over 3 computers 23.66 packets per second per computer.
- One potential fix for a DDOS or SYN flood attack is to create what's known as a chain in iptables which is the default firewall in Ubuntu. We create a custom chain called syn-flood and using the data captured earlier create a rule that ignores SYN requests from the same IP addresses if they exceed a certain limit. Upon implementing the fix we performed another test where we discovered we were preventing access to the internet in addition to our server which meant we were overloading the switch or router that provides internet access to the lab. Because of this we weren't able to log-in remotely to the server to see if the fix was working.
- Setting up Prestashop took longer than expected due to the fact it has a large list of dependencies that are not installed along with it. The Prestashop website has install documentation that only covers installing their software and not all the dependencies. Since the hardware was managed by the Cyber Lab IT we didn't have much control over the hardware design of the server or the network connection of the server. Time was spent determining the architecture of the Cyber Lab when we weren't getting the results expected during our initial scans and during the DDOS attack.
- Creating a DMZ