Attack, Defense, & Analysis of a Vulnerable Network

1. Final Engagement
Attack, Defense, & Analysis of a Vulnerable Network
Jefferson Green
1

2. Table of Contents
2
This document contains the following resources:
Network Topology & Critical Vulnerabilities
Red Team
Blue Team
Network Analysis

3. 3
Network Topology
& Critical Vulnerabilities

4. Network Topology
4

5. Critical Vulnerabilities: Target 1
5
Our assessment uncovered the following critical vulnerabilities in Target 1.
Vulnerability Description Impact
Open ports vulnerabilities
Port 22 / ssh
Port 80 / http
Any internet-connected service requires
specific ports to be open in order to function.
However, when legitimate services are
exploited through code vulnerabilities hackers
can use these services in conjunction with
open ports to gain access to sensitive data.
Members of the Red Team were able to gain
access to the targeted machine using ssh
login credentials
Weak password A weak password is something that could be
rapidly guessed.
Read Team members were able to quickly
guess the password for one user; and easily
brute force the password for another user.
Wordpress user enumeration In a user enumeration attack, an attacker
looks for subtle differences in how WordPress
responds to specific requests.
Use scanning tool such as wpscan to quickly
identify or retrieve users credential such as
names and passwords
Security Misconfiguration Security Misconfiguration Security Misconfiguration

6. 6
Red Team

7. 7
Vulnerability 1 - Open ports
Use nmap to scan and identify devices, hosts and running services

8. 8
web recon
Neat! There’s a blog.
Let’s check that out.

9. 9
Flag1 - embedded in source code as
comments

10. 10
Wordpress Vulnerability - recon w/ wpscan
Now we know 2 users!
Wordpress enumeration using wpscan provided usernames for target 1

11. 11
brute force michael’s password

12. 12
does michael have access to any flags?

13. 13
Now onto #s 3 & 4
This looks like a
great place to start.

14. 14
Neat! More credentials.

15. 15
Let’s check out that SQL DB
Michael & Steven’s
password hashes

16. 16
and with a bit more poking around...
Flags 3 & 4

17. 17
Now that we have all our flags, we still
need root privileges
We’ll start by putting that hash of
Steven’s password to work for us and
then logging in as steven to see if we
can escalate our privileges
It looks like steven can run python
commands with sudo.

18. 18
# whoami
root

19. 19
Avoiding Detection

20. Stealth Exploitation of Brute force target 1 using Hydra
20
Monitoring Overview
● Monitoring all events indicating a new TCP connection being initiated
● Metrics being measured are the HTTP Request Bytes
Mitigating Detection
● The same exploit can be executed using the the -w flag with hydra which is the
wait time for responses between connects

21. Stealth Exploitation of [ssh login through port 22]
21
Monitoring Overview
● Implement Firewalls rules to block failed ssh attempts
Mitigating Detection
● Establish backdoor access to the target

22. 22
Maintaining Access

23. Backdooring the Target
23
Backdoor Overview
● What kind of backdoor did you install (reverse shell, shadow user, etc.)?
Since root access was already established, I simply added a shadow user.
● How did you drop it (via Metasploit, phishing, etc.)?
“useradd --system --no-create-home hacker”
then adder hacker to the sudoers file with the line:
“hacker ALL=(ALL) NOPASSWORD: ALL”
● How do you connect to it?
○ ssh hacker@192.168.1.110

24. 24
Blue Team Alerts and Hardening

25. 25
Alerts Implemented

26. CPU Usage Monitor
26
Summarize the following:
● This monitors the percentage of CPU usage
● It is set to fire at 0.5%

27. Excessive HTTP Errors
27
Summarize the following:
● This metric monitors top 5 http codes to come over the network.
● It is set to alert when the total number of codes exceeds 400 over five minutes.

28. HTTP Request Size
28
● This monitors the total number of http request bytes over the system
● It triggers when the total number of bytes over one minute exceeds 3,500.

29. Hardening
29

30. Hardening Against Bad Passwords on Target 1
30
● Using <cage>, create a strong password policy.
● We would recommend setting a password policy that:
■ Requires 8 or more characters
■ Requires the password to be changed every thirty days (though we could be
persuaded to allow 60; beyond that, don’t push it)

31. Hardening Against Root Privileges on Target 1
31
Removing Steven from the sudoers list is paramount:
● Without the ability to sudo into “root,” we would not have gained access
● <sudo -lU steven> would remove Steven from this list. It should take no more
than ten seconds (fifteen if I run it, because I always have a typo).

32. Removing MySQL Access
32
● We were able, through the wp-config file, to gain the username and password of
the MySQL database:
■ By removing Michael’s access to this file, we can completely avoid this
vulnerability

33. Implementing Patches
33

34. Implementing Patches with Ansible
34
We highly recommend automating this hardening using an ansible playbook!
Your playbook should incorporate the following commands:
sudo -lU <username>
This will remove users from the sudoers group
chage <username> -M
30
This will set the password expiration to 30 days
nano /etc/pam.d/common-password
set pam_pwquality minlen=8 (or 10)
This will set the minimum password length to 8 (or 10)
chmod 700 /var/www/html/wordpress/wp-config.php
This will allow only root users to access the file and restrict everyone else.

35. Network Analysis
35

36. Traffic Profile
36

37. Traffic Profile
37
Our analysis identified the following characteristics of the traffic on the network:
Feature Value Description
Top Talkers (IP Addresses)
172.16.4.205 → 31M
192.168.1.90 → 21M
192.168.1.100 → 21M
Machines that sent the most traffic.
Most Common Protocols
TCP(87.57%)
UDP(12.33%)
NONE(0.10%)
Three most common protocols on
the network.
# of Unique IP Addresses 810 Count of observed IP addresses.
Subnets All three private ranges Observed subnet ranges.
# of Malware Species 1 (june11.dll)
Number of malware binaries
identified in traffic.

38. Behavioral Analysis
Purpose of Traffic on the Network
38
Users were observed engaging in the following kinds of activity.
“Normal” Activity
● Visiting a hospital’s website
● Visiting social media sites including pinterest, reddit, twitter and facebook
● Downloading windows updates
● Reading article from Time magazine
Suspicious Activity
● Setting up a private web server that contained malware
● A malware infected windows host
● A user downloading a copyrighted torrent against company policy

39. Normal Activity
39

40. Normal Behavior: visiting social media sites
Summary:
40
● What kind of traffic did you observe? Which protocol(s)?
● Visiting social media sites including pinterest, reddit, twitter and facebook

41. Malicious Activity
41

42. Time Thieves
Summary:
42
● two users on the network have been wasting time on YouTube
○ frank-n-ted.com is the domain of their custom site
● their custom AD network has malware
○ malware (june11.dll) was found @10.6.12.203

43. Vulnerable Windows Machine
Summary:
43
● User “matthijs.devries” on “ROTTERDAM-PC” got some malware from a website mysocalledchaos.com
● A fake browser update the user clicked on installed a Remote Access Trojan
● The RAT sent a screenshot of matthijs desktop to the bad actors

44. Illegal Downloads
Summary:
44image from https://animationreview.files.wordpress.com/2018/04/rhythm-on-the-reservation-c2a9-max-fleischer.jpg?w=490
● User elmer.blanco at MAC address 00:16:17:18:66:c8
has been downloading illegal torrents onto his
Windows NT 10.0 machine
● Betty Boop Rhythm on the Reservation

45. The End
45