Referencing: APA
Rubric
Criteria and Weighting
C1 Evaluation of security: assessing the current security of the server (20%)
Exceptional knowledge and understanding, evidenced by clear independent insight and critical awareness of server security issues, some of which are at the forefront of the discipline; evidence of appropriate independent inquiry with core concepts, methods and techniques to evaluate complex server security problems; exceptional arguments and explanations that are well supported by the literature and standards and suited to both technical and non-technical audiences; aspects of the security evaluation go beyond the prescribed range and evidence an exceptional understanding of all of the relevant taught applied content. Flawless.
C2 Recommendations: how the server should be secured for DevOps deployment (30%)
Exceptional knowledge of the range of options available to secure systems, evidenced by clear independent insight and critical awareness of relevant concepts, some of which are at the forefront of the discipline; evidence of appropriate independent inquiry operating with core concepts, methods and techniques to solve complex security problems; recommendations to secure the case study's system are well supported by the literature and/or standards and suited to both technical and non-technical audiences; exceptional prioritisation of tasks, fully contextualising the suggested recommendations. Flawless.
C3 Implementation: application of appropriate tools and techniques (40%)
Exceptional knowledge of the wide range of options available to implement security and demonstration of applied skills, some of which are at the forefront of the discipline; evidence of appropriate independent inquiry operating with core concepts, methods and techniques to solve complex practical problems in mostly familiar contexts; exceptional arguments and explanations that are well supported by the literature and/or industry standards, using a wide range of tools and techniques beyond expectation; a sustained approach to most aspects of the tasks is evidenced; aspects of the implementation go beyond the prescribed range and evidence a competent understanding of all of the relevant taught content. Flawless.
C4 Demonstration: showing that the system has achieved the desired level of security (10%)
Exceptional knowledge and understanding, evidenced by clear independent insight and critical awareness of how the security of systems is evidenced, some of which is at the forefront of the discipline; arguments and explanations are well supported by the literature and/or industry and in some cases use a range of media, demonstrating an ability to communicate effectively to both technical and non-technical audiences; aspects of the work go beyond the prescribed range and evidence a competent understanding of demonstrating applied security. Flawless.
55-704272 Web Applications and E-Commerce Security
Lab 10 Purple Teaming
Aim of lab 10
The aim of this lab is to introduce you to purple teaming, using automated pen test frameworks to exploit software configurations. Purple teaming refers to the increasingly common approach of Red teams (pen testers) working in conjunction with Blue teams (defence teams) to more fully understand the threat landscape facing an organisation. A good place for an organisation to begin to understand the wider threat landscape is by engaging in Cyber Threat Intelligence (CTI) activities. It can then put its defences in place and test them. To achieve this, we will install Suricata, a popular network intrusion detection system, to act as the Blue team application that we wish to test. We will then run a series of attacks using Sn1per, an automated pen test tool that incorporates a number of applications such as Metasploit, Findsploit and GooHak. Finally, we will map the threats and vulnerabilities we observe to the MITRE ATT&CK framework to provide a deeper level of analysis and understanding of the server's security.
We will be using your LAMP server VM from Lab 6 as the target.
Task 1
1. Understanding the threat landscape through Cyber Threat Intelligence
A key component in understanding an organisation's threat landscape is engaging in Cyber Threat Intelligence (CTI) activities. CTI not only provides the basis for an organisation to understand the threats against it, it also allows the organisation to prepare for the Incident Response process. CTI enables cyber security analysts to identify the wider threat landscape beyond the organisation and to prepare for those threats should they apply to the organisation's systems.
OpenCTI is a platform for processing and sharing cyber threat intelligence knowledge. Normally, OpenCTI would be deployed within an organisation's own infrastructure. For the purpose of this lab, however, you only need to familiarise yourself with the OpenCTI interface using the public demonstration instance.
Go to https://github.com/OpenCTI-Platform/opencti and scroll down to the Documentation and demonstration section. Click on the demonstration link, which will take you to a Citeum log in page. Click on the log in link. You can either register as a new user or log in via your Google account.
2. Explore the OpenCTI interface
Once you have logged in to the OpenCTI demonstration instance you will be presented with a Dashboard view of the current and historical threat landscape. View the introduction to OpenCTI at https://www.youtube.com/watch?v=2tBDnZYwmBs. Explore the more detailed views of the available data and analysis by clicking through the menu items to familiarise yourself with this platform.
Task 2
Download and install a NIDS
In order that we have a Blue Team target, we will install a Network Intrusion Detection System (NIDS) on the LAMP server that we built in Lab 6. We will install a basic instance of suricata.
Note: Suricata is a network-based IDS and would not normally be installed on the LAMP server itself; it would sit at a tap or SPAN port watching the traffic for a whole segment, and other options exist to specifically protect Web servers. It is installed on the target here because we are not using the LAMP server as a production Web server but as a target on the network, and having the sensor on the target lets you watch the alerts and the Sn1per output side by side.
When installing suricata, it is better to SSH into your LAMP server from your Ubuntu Mate VM so that commands can be copied and pasted from a Web browser. Go to https://www.digitalocean.com/community/tutorials/how-to-install-suricata-on-ubuntu-20-04 and follow the instructions to install suricata on your LAMP server.
As you go through the suricata set up make sure that you set the network interface to the one on your internal network (on my VM it is enp0s8).
Task 3
1. Install Sn1per
Sn1per enables you to discover the attack surface of an organisation and prioritize risks with a continuous Attack Surface Management (ASM) platform. It incorporates a range of tools to perform automated testing of a target system.
Open a new Terminal on your Ubuntu Mate 20.04 desktop to install Sn1per. Keep the Terminal with your SSH connection to the LAMP server open as well, so that you can watch the Suricata alerts as the scans run.
$ git clone https://github.com/1N3/Sn1per
$ cd Sn1per
$ sudo bash install.sh
Given the amount of tools that Sn1per installs it may take some time depending on the speed of your VM.
2. Run a normal scan against your LAMP server
To make sure that you have installed the application correctly and that we have connectivity with our target server, we will run a normal scan.
$ sudo sniper -t 30.30.0.50
The scan will take a little while to run depending on your VM settings.
3. Blue team view
Once the scan has run, look at the Suricata logs to see the Blue team view from the LAMP server. Suricata is running in IDS mode here, so rules with the alert action only log the packets they identify as malicious; to actually drop packets Suricata has to run inline (IPS mode) with drop rules. fast.log holds a one-line summary of each alert; /var/log/suricata/eve.json holds the same alerts in JSON with the full packet details.
$ sudo cat /var/log/suricata/fast.log
What did the IDS pick up? How could the information in the logs be used to create new rule sets based on the results of this scan? What signatures could you add to enforce packet dropping?
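As an added example (not part of the lab handout or the Suricata project), the following Python script answers the questions above from the fast.log format: it parses each alert, counts which signatures fired, picks out sources that touched several ports (the scanner), and emits local.rules lines in Suricata's drop syntax for those sources. The log lines are constructed to look like Suricata output, and the sids and messages in them are illustrative; the 1000000+ sid range is the usual convention for locally written rules. Remember that a drop rule is only enforced when Suricata runs inline (IPS mode); in the lab's IDS mode it still only alerts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of fast.log lines in the layout Suricata writes:
# timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# The sids and messages are illustrative; read your own /var/log/suricata/fast.log instead.
SAMPLE_FAST_LOG = """\
11/03/2022-10:15:02.114532  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 30.30.0.50:80 -> 30.30.0.1:51234
11/03/2022-10:15:03.220017  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 30.30.0.1:45001 -> 30.30.0.50:22
11/03/2022-10:15:03.220911  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 30.30.0.1:45001 -> 30.30.0.50:80
11/03/2022-10:15:03.221402  [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 30.30.0.1:45001 -> 30.30.0.50:443
11/03/2022-10:15:09.000120  [**] [1:2101201:12] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 30.30.0.50:80 -> 30.30.0.1:45120
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)$"
)

LOCAL_SID_START = 1000000   # conventional sid range for locally written rules


def parse_fast_log(text):
    """Turn fast.log lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def alerts_by_signature(alerts):
    """Which rules fired and how often: (sid, msg) -> count."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def scanners(alerts, min_ports=3):
    """Sources that triggered alerts towards at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for a in alerts:
        ports[a["src"]].add(a["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def drop_rules(sources, reason="scanner"):
    """local.rules entries that drop all traffic from each source IP.
    Enforced only when Suricata is inline (IPS mode); in IDS mode they just alert."""
    return [
        f'drop ip {src} any -> $HOME_NET any '
        f'(msg:"LAB {reason} {src}"; sid:{LOCAL_SID_START + i}; rev:1;)'
        for i, src in enumerate(sources)
    ]


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for (sid, msg), n in alerts_by_signature(alerts).most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    bad = scanners(alerts)
    print("probable scanners:", bad)
    print("\n".join(drop_rules(bad)))
```

To run it against the real log, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log (read as a normal user only if the file is readable; otherwise copy it out with sudo first). The generated lines go into a file referenced by the rule-files section of suricata.yaml, after which `sudo suricata -T -c /etc/suricata/suricata.yaml` checks that they parse.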
4. Re-run Sn1per attacks
The scan that we performed above is just a simple scan. Go to the project repository on github at https://github.com/1N3/Sn1per and explore the use of Sn1per by running different scans. Observe what is recorded in the IDS logs to see how you could improve the Blue team defences.
Task 4
Now that we have run some attacks against our LAMP server, we will want to analyse the results and place them in the context of our organisation. We will use the MITRE ATT&CK Navigator to achieve this.
Go to https://attack.mitre.org/resources/working-with-attack/ and scroll down to Tools for working with ATT&CK. Click on Open the Application -> Create New Layer -> Enterprise.
Katie Nickels, one of the developers of the MITRE ATT&CK framework, has produced a useful video for getting started with the Navigator tool. Follow along with her YouTube video at https://www.youtube.com/watch?v=pcclNdwG8Vs.
Once you have finished the video, document ways in which you could use this tool to analyse the results obtained from this lab.
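One concrete way to use Navigator for this lab is to build a layer file that scores each technique the red team exercised by how many Suricata alerts it produced, so that detection gaps show up as a different colour on the matrix. The script below is an added example (not from the lab or the MITRE project) that writes such a layer in Navigator's JSON layer format. The technique IDs are real Enterprise ATT&CK identifiers, but the mapping of lab activities to them and the alert counts are assumptions: replace the counts with totals from your own fast.log. The version strings are also assumptions and should be set to match the Navigator build you load the file into.

```python
import json

# Assumed mapping of this lab's activity to Enterprise ATT&CK techniques.
# The technique IDs are real; the alert counts are constructed placeholders:
#   (technique ID, tactic short name, what produced it, Suricata alerts seen)
LAB_OBSERVATIONS = [
    ("T1595.001", "reconnaissance", "Sn1per/nmap sweep of the 30.30.0.0/24 network", 3),
    ("T1595.002", "reconnaissance", "Sn1per vulnerability scan of 30.30.0.50", 12),
    ("T1046", "discovery", "nmap -sV service enumeration of 30.30.0.50", 3),
    ("T1190", "initial-access", "Sn1per exploit modules run against the web service", 0),
]

DETECTED, MISSED = "#8ec843", "#ff6666"


def build_layer(name, observations, attack_version="14", navigator_version="4.9.1",
                layer_version="4.5"):
    """Return an ATT&CK Navigator layer as a dict ready for json.dump.
    The version strings are assumptions: match them to your Navigator build."""
    techniques = [
        {
            "techniqueID": tid,
            "tactic": tactic,
            "score": alerts,
            "color": DETECTED if alerts else MISSED,
            "comment": f"{evidence}; Suricata alerts: {alerts}",
            "enabled": True,
            "showSubtechniques": False,
        }
        for tid, tactic, evidence, alerts in observations
    ]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": navigator_version,
                     "layer": layer_version},
        "domain": "enterprise-attack",
        "description": "Red team actions from lab 10 scored by the Suricata alerts each produced",
        "techniques": techniques,
        "gradient": {"colors": [MISSED, DETECTED], "minValue": 0,
                     "maxValue": max((t["score"] for t in techniques), default=1)},
        "legendItems": [{"label": "alerted in Suricata", "color": DETECTED},
                        {"label": "no alert (detection gap)", "color": MISSED}],
    }


def detection_gaps(layer):
    """Technique IDs the red team exercised without the IDS noticing."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t["score"] == 0)


def save_layer(layer, path):
    with open(path, "w") as fh:
        json.dump(layer, fh, indent=2)


if __name__ == "__main__":
    layer = build_layer("Lab 10 purple team", LAB_OBSERVATIONS)
    save_layer(layer, "lab10-layer.json")
    print("detection gaps to work on:", detection_gaps(layer))
```

Load the resulting file in Navigator with Open Existing Layer -> Upload from local. The techniques with a score of zero are the ones to take back to the Blue team: the red team did them and nothing was logged.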
Task 5
If there are any labs or exercises that you have not completed as we have gone through the semester, go back to them and complete them. This will ensure that you have all the skills to achieve academic success in this module.
Further Work (Optional)
1. An excellent automated testing framework that integrates with MITRE ATT&CK is Atomic Red Team, which is increasingly used in industry as more organisations adopt ATT&CK. Its test runner, Invoke-AtomicRedTeam, is PowerShell-based and the bulk of the atomic tests target Windows, so you will need a Windows VM (these are available from Microsoft). Note that atomic tests run on the machine being tested, to exercise its detection, rather than being launched at a remote target; the Linux atomics can be run on the LAMP server itself to see what Suricata and the server's own logs record. Go to https://github.com/redcanaryco/atomic-red-team to download Atomic Red Team and try it out.
2. BLUESPAWN is an active defence and endpoint detection and response tool which enables defenders to quickly detect, identify, and eliminate malicious activity and malware across a network. This can be used in conjunction with Atomic Red Team but from the Blue team perspective. Like Atomic Red Team, it refers to MITRE ATT&CK. Download and documentation for BLUESPAWN are at https://github.com/ION28/BLUESPAWN. It is again a Windows-based tool, so if you have Atomic Red Team on your attacker machine, use BLUESPAWN on your target Windows VM.
3. Infection Monkey is an alternative to Atomic Red Team for automated pen testing that simulates system breaches and APTs (Advanced Persistent Threats). Infection Monkey was developed for sysadmins who want to probe a company's security infrastructure. You will need to register to obtain a download from https://www.guardicore.com/infectionmonkey/#download.
4. Download an OpenCTI VM and integrate it within your cyber security lab environment. Details on how to download and configure an OpenCTI server can be found at https://filigran.notion.site/Virtual-machine-template-1789b4442b414dbf87f748db51c85aa5.
Lab 9 Web Code Vulnerability Scanning
Aim of lab 9
The aim of this lab is to understand common techniques used for subverting systems and how to detect and prevent them, using packet crafting and Web code vulnerability scanning. The ability to craft bespoke packets enables us to test systems and security countermeasures to assess a system's security; in particular, we can use packet crafting to test firewall configuration rules and the effectiveness of intrusion detection/prevention systems. Web vulnerability scanning tests the deployed application as a whole, exercising the way it handles input and sessions rather than reviewing a specific piece of code. Commonly exploited vulnerabilities found this way include SQLi and XSS.
For this lab, use your Ubuntu Mate 20.04 VM and the OWASP BWA/metasploitable servers you set up in lab 1.
Prior to undertaking this lab, you may want to update your Ubuntu Mate 20.04 VM (refresh the package lists first, otherwise upgrade has nothing new to install):
$ sudo apt update && sudo apt upgrade
Then if you want to free up a little space:
$ sudo apt autoremove
Task 1
Packet crafting using hping3.
Hping3 is a command line packet assembly tool and is used for the creation of TCP, UDP, ICMP and IP packets and datagrams.
Install hping3 on your Ubuntu Mate VM:
$ sudo apt install hping3
hping3 usage:
$ sudo hping3 <target> <parameters>, e.g. $ sudo hping3 10.0.10.40 -S -V
Some examples of using hping3:
a. Set the SYN flag (equivalent to an nmap -sS scan) and check whether port 80 is open:
$ sudo hping3 -S 30.30.0.20 -p 80
If the reply shows flags=SA (SYN/ACK) the port is open; flags=RA (RST/ACK) means it is closed; no reply at all usually means a firewall is silently dropping the probe.
b. Incrementing through ports using -p ++ starting at port 1 (we can change this number):
$ sudo hping3 -S 30.30.0.20 -p ++1
c. Fragment packets to evade firewalls and IDS:
$ sudo hping3 -S -f 30.30.0.20 -p 80
d. Using hping3 to help predict a server's sequence numbers:
$ sudo hping3 -Q -S 30.30.0.20 -p 80
The -Q (--seqnum) parameter displays the initial sequence numbers the server returns. If they are predictable, an attacker can spoof or hijack TCP connections, which is one building block of a MitM attack.
e. Using hping3 to see how long a server has been up. A server must be rebooted to apply kernel patches and many other updates, so if it has been a long time since the last reboot the server may not be patched.
You will need to run two hpings separated by a sleep to calculate the tick rate and then estimate the uptime:
$ sudo hping3 30.30.0.20 -p 80 -S --tcp-timestamp -c 1; sleep 5; sudo hping3 30.30.0.20 -p 80 -S --tcp-timestamp -c 1
Subtract the first timestamp value from the second and divide by 5 to get the tick rate (ticks per second), then divide the first timestamp by that rate. This gives an estimated number of seconds the server has been up; divide by 60 for minutes, or by 86400 for days. (hping3 prints its own "System uptime seems" estimate when a single run receives two or more timestamped replies, e.g. with -c 2; compare it with your calculation.)
f. Using hping3 to launch a DoS attack (SYN flood):
$ sudo hping3 -S -p 80 30.30.0.20 --flood --rand-source
As this is a SYN flood using random source addresses you won't receive any replies. However, when you stop the attack (Ctrl+C) it will display how many packets have been sent.
Note: Depending on the memory allocated to your VM, it may crash etherape.
g. DoS attack (LAND). Here we set the source and destination addresses to be the same:
$ sudo hping3 -S -p 80 30.30.0.20 -a 30.30.0.20
There are many tutorials on using hping3 available on the Internet. You are encouraged to go through some of the ones that you find to become more competent at using the tool.
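The uptime arithmetic in step (e) has two traps that are easy to hit by hand: the TCP timestamp is a 32-bit counter that wraps, and the measured rate is never exactly a round number because of jitter in the sleep. The function below is an added example (not from the lab or from hping3) that does the calculation with both handled; the sample values are constructed. One caveat a practitioner should know: recent Linux kernels add a random per-destination offset to their TCP timestamps, so the technique only gives a meaningful answer against older kernels such as the one in the metasploitable VM.

```python
TS_MODULUS = 2 ** 32                 # TCP timestamps are a 32-bit counter and wrap
COMMON_HZ = (100, 250, 300, 1000)    # tick rates used by common kernels


def tick_rate(ts1, ts2, interval_s):
    """Ticks per second from two TCP timestamp samples taken interval_s apart,
    allowing for the counter wrapping past 2**32 between the two probes."""
    delta = (ts2 - ts1) % TS_MODULUS
    return delta / interval_s


def snap_hz(rate):
    """Round a measured rate to the nearest tick rate a kernel is likely to use;
    jitter in the 5 s sleep makes the raw figure slightly off."""
    return min(COMMON_HZ, key=lambda hz: abs(hz - rate))


def estimate_uptime(ts1, ts2, interval_s=5, snap=True):
    """Uptime implied by the first sample, broken down into days/hours/minutes."""
    rate = tick_rate(ts1, ts2, interval_s)
    hz = snap_hz(rate) if snap else rate
    seconds = ts1 / hz
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    return {"hz": hz, "seconds": seconds, "days": days, "hours": hours, "minutes": rem // 60}


if __name__ == "__main__":
    # Constructed sample: two timestamps 5 s apart from a 100 Hz kernel (498 ticks,
    # i.e. the sleep overran slightly), and a pair that straddles the 32-bit wrap.
    print(estimate_uptime(3600000, 3600498))
    print(estimate_uptime(2 ** 32 - 200, 300))
```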
Task 2
1. Assessing a Web site using ZAP.
This section builds on the knowledge that you gained during lab 7 but will focus more on session management. For this task, we will use OWASP ZAP. If you have not already installed ZAP or have forgotten how to open the application please refer to lab 7.
The target for our activities in this part is a real Web site, http://testphp.vulnweb.com/ which is a Web application that has been intentionally left vulnerable to Web application attacks.
Click on the left lightning bolt to run an automated scan, enter the URL and launch the attack (vulnerability scan).
Once the scan has completed, click on the Alerts tab. Explore which session management methods are vulnerable and identify how they may be subverted by a malicious actor. Write down your answers.
Continue using ZAP to scan a number of alternative vulnerable servers identified on the following Web page: https://github.com/geeksonsecurity/vuln-web-apps. Again, explore any session management methods that are vulnerable to identify how they may be subverted by a malicious actor.
Close OWASP ZAP.
2. Using ZAP for session management analysis.
In this part of the task, we will be again using metasploitable as a target and targeting the vulnerable web application mutillidae.
To launch the attack, you will need to set up two different users. Create a new account for each of the two users by browsing to the following page:
http://30.30.0.20/mutillidae/index.php?page=register.php
For ease of use register user1 with the password password1 and user2 with the password password2 (you can choose different usernames and passwords).
If you get an error message in setting up the account:
In the metasploitable VM navigate to /var/www/mutillidae.
You need to change the database name from metasploit to owasp10 in the config.inc file.
$ sudo nano config.inc
Change $dbname = 'metasploit' to $dbname = 'owasp10' and save the file.
Restart Apache:
$ sudo /etc/init.d/apache2 reload
Open mutillidae in a browser and click 'Reset DB'. Create your two accounts.
We now need to ensure that ZAP can see your browsers traffic. Search for firefox extensions from the Mozilla support site and select FoxyProxy. Details of how to configure this software for firefox and OWASP ZAP are at https://www.thedutchhacker.com/configure-owasp-zap-with-firefox/. When you get to editing your proxy settings, use port 8080 rather than 8081 as detailed in the Web site. Also use the address http://127.0.0.1:8080/ to check that you are proxying.
In your browser, connect to the mutillidae site. If Firefox shows a network login page or a certificate warning, click Advanced and accept the risk: the warning appears because ZAP is intercepting the traffic, which is exactly what a MitM looks like to the browser.
Now open ZAP. When you connect through to the mutillidae site, it should show up under Sites in the left hand area of ZAP.
Log in to mutillidae as user1 and browse to the following URL to add a blog entry for user1:
http://30.30.0.20/mutillidae/index.php?page=add-to-your-blog.php
Type in whatever you wish here, and click "Save Blog Entry" to add the blog.
As ZAP is already listening as a proxy, we can see that this request shows up under the History tab near the bottom of the window (it will be the last entry in the list). This contains information such as the URL, server response code, size of the request, and method used to communicate with the server. Click on the POST entry in the History list. In the upper right-hand corner of ZAP we can view the request by clicking on the "Request" tab. This gives us a little more information including any cookies or tokens in use as well as the text that user1 submitted to the blog.
3. Launching a CSRF attack using ZAP.
We can now launch a Cross-Site Request Forgery (CSRF) attack. ZAP is useful for CSRF in that it has a feature that will essentially take care of this for us automatically. Right-click on the POST request under History and select "Generate anti CSRF test FORM", which will open in a new tab. This contains the parameters and values of user1's POST request and can be modified by an attacker.
Return to the login page and sign in as user2, who will simulate the victim of this attack; in reality this would be any other user of the site. Open the generated form and submit it. Once the request goes through, we can see that user1's blog entry shows up under user2's entries: the server accepted the request purely because user2's session cookie was attached to it, with nothing to prove that user2 intended to make it.
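To make the mechanism concrete, the following Python is an added example (not mutillidae's code, which is PHP) that models the blog handler twice: once as it behaves in the lab, where the session cookie alone authorises the write, and once hardened with a per-session anti-CSRF token and an Origin check. The session table, cookie name, form field names and server secret are assumptions made for the simulation; the forged request is what user2's browser sends when it submits the form ZAP generated from user1's POST.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "http://30.30.0.50"          # the lab's metasploitable host
SERVER_SECRET = secrets.token_bytes(32)    # assumed per-deployment key

# Constructed session table: cookie value -> logged-in user
SESSIONS = {"sess-user1": "user1", "sess-user2": "user2"}


def issue_csrf_token(session_id):
    """Synchroniser token tied to the session via HMAC: the server need not store
    it, and an attacker who cannot read the secret cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_add_blog(request, blogs, sessions=SESSIONS):
    """Handler as in the lab: the session cookie alone authorises the write,
    so any page that makes the victim's browser POST here succeeds."""
    user = sessions.get(request["cookies"].get("PHPSESSID"))
    if user is None:
        return 401, None
    blogs.setdefault(user, []).append(request["form"]["blog_entry"])
    return 200, user


def hardened_add_blog(request, blogs, sessions=SESSIONS):
    """Same handler with two CSRF defences: a per-session token the attacker's
    form cannot know, and an Origin/Referer check as defence in depth."""
    sid = request["cookies"].get("PHPSESSID")
    user = sessions.get(sid)
    if user is None:
        return 401, None
    supplied = request["form"].get("csrf-token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(sid)):
        return 403, None                      # token missing, stale or forged
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    # exact match or a path under the site; a bare startswith() would accept
    # http://30.30.0.50.attacker.example
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, None                      # submitted from another site
    blogs.setdefault(user, []).append(request["form"]["blog_entry"])
    return 200, user


def forged_request(victim_session="sess-user2"):
    """What user2's browser sends when it submits the attacker's copy of user1's
    POST: the victim's own cookie is attached automatically, the body is whatever
    the attacker put in the form (field name assumed)."""
    return {
        "cookies": {"PHPSESSID": victim_session},
        "headers": {"Origin": "http://attacker.example"},
        "form": {"blog_entry": "user1 was here"},
    }


def legitimate_request(session_id="sess-user2", text="user2's own post"):
    """A submission from the real add-to-your-blog page, which carries the token."""
    return {
        "cookies": {"PHPSESSID": session_id},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"blog_entry": text, "csrf-token": issue_csrf_token(session_id)},
    }


if __name__ == "__main__":
    blogs = {}
    print("vulnerable:", vulnerable_add_blog(forged_request(), blogs), blogs)
    blogs = {}
    print("hardened, forged:", hardened_add_blog(forged_request(), blogs), blogs)
    print("hardened, genuine:", hardened_add_blog(legitimate_request(), blogs), blogs)
```

The token is the primary control; the Origin check is there because some proxies and privacy extensions strip Referer, and because a token implementation bug should not leave the handler defenceless. Binding the token to the session (rather than issuing one global token) is what stops user1 reusing their own valid token inside the forged form.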
Task 3
1. SQLi using ZAP against the DVWA Web site.
Follow the short tutorial at https://www.youtube.com/watch?v=dqKGGCVFTvI to see how you can launch SQLi attacks against the OWASP BWA DVWA web site.
2. Check for SQLi vulnerabilities using OWASP ZAP.
ZAP is a vulnerability detection tool rather than an exploitation tool. However, you can fuzz with ZAP to determine whether SQLi is possible, and resend requests with modified input to see how the server responds. This sub-task is to see the role that tools such as ZAP play in SQLi attacks: because we can replay captured traffic with modified parameters, we can test how the application's database handling behaves.
Run a scan against the OWASP BWA server to be able to highlight the POST or GET that you wish to try to exploit, then replay it with modified inputs. Find the specific request that you wish to manually exploit under the Messages tab and right click on it. Choose Open/Resend with the Request Editor and modify the data prior to sending.
Spend some time exploring the results of the scan under the Messages tab and the options that ZAP provides.
Further Work (Optional)
1. Having looked at the basic usage of hping3, go through the tutorial at https://iphelix.medium.com/hping-tips-and-tricks-85698751179f to look at more advanced uses for the tool including setting up backdoors and sending malware.
2. To further explore the benefits of using OWASP ZAP to exploit session management, go through the tutorial at https://thehackerish.com/broken-authentication-and-session-management-tutorial/, which uses Juice Shop as the target. You can download Juice Shop from https://github.com/bkimminich/juice-shop#packaged-distributions.
3. Windows has a number of tools that can be used for both SQLi and XSS. Download a Windows 10 VM from https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ and add it to your network. Once the VM is configured download w3af from w3af.org and Xenotix from https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework. W3af is a tool that combines SQLi and XSS whilst Xenotix is a powerful XSS (plus other attack vectors) tool. Practice using these against the OWASP BWA server.
Lab 7 Incident Response
Aim of lab 7
The aim of this lab is to introduce you to Incident Response (IR). A key element in IR is packet analysis utilising common tools and techniques used in Network Intrusion Detection (NID). We will be using two popular tools to analyse captured network traffic, Wireshark and NetworkMiner. We will then run an investigation on the LAMP server that you set up in the previous lab to identify evidence of an intrusion. The investigation of servers in this context will rely on live forensics tools and techniques. Unlike techniques used in forensics labs, which reconstruct the underlying file system to retrieve evidence through tools such as EnCase or FTK, live forensics tends to use native OS commands to retrieve data and quickly identify security issues.
Task 1
1. Install wireshark
Wireshark is an excellent network analysis tool that allows you to view and parse network traffic using filters. This is a particularly useful tool when dealing with large datasets of network traffic when conducting an incident response investigation.
You should have installed wireshark in an earlier lab. If you did not do this:
$ sudo apt install wireshark
Once Wireshark has been installed, the quickest way to capture is to open it as root. (Better practice on a workstation you keep is to add your user to the wireshark group, so that only the capture helper runs privileged and the GUI, which parses untrusted packets, runs as you; root is acceptable in this throwaway lab VM.)
$ sudo wireshark
2. Use wireshark to analyse your traffic
Download the 'S2 L1 http_espn.pcap' file from Blackboard and open it in wireshark. The user has logged on to check up on the latest news headlines and sport scores on the Web site http://www.espn.com.
Using Statistics -> Conversations, document your answers the following questions:
How many IP conversations?
How many TCP connections?
How many UDP conversations?
Using Statistics -> Protocol Hierarchy Statistics we can see the application layer protocols used with the TCP and UDP connections noted above. Answer the following questions:
What is the percentage of TCP connections?
What is the percentage of UDP connections?
Using Statistics -> Flow Graph answer the following questions:
During this browsing session, how many servers are communicating with the client?
What kind of a server is 4.2.2.1?
Using Statistics -> Resolved Addresses answer the following questions:
To how many sites is the client is directed?
Is it probable that the client (our browser) is targeted for advertisement and user tracking/data collection? Why?
3. Filtering traffic
A simple way to start parsing your data for packets of interest is to use display filters. For example, if you were interested in viewing DNS traffic, you could create a filter. To create a filter for DNS traffic, type dns (without quotation marks) in the display filter box (just under the 'Start Packet Capture' icon). All traffic related to DNS, both queries and responses, will be shown.
There are a number of filter options that wireshark will make available to the user. If you add a full stop at the end of dns (dns.), available filters will be displayed.
However, we may only be interested in displaying DNS queries. Therefore, we would need to refine our filter to dns.flags == 0x0100 (a standard query with the recursion-desired bit set; dns.flags.response == 0 is the more general form that matches every query regardless of the other flag bits).
How many individual queries are displayed?
We can verify the source of these queries by examining the HTTP requests.
Select Statistics -> HTTP -> Requests.
Select Statistics -> HTTP -> Request Sequences.
Analyse the results.
You are now going to use filters to explore the HTTP traffic in the pcap file. In the filter section, type http with a full stop to bring up the various filters available to analyse this type of traffic. Explore a number of available filters to see what information is returned in the main wireshark window. Document any results. The following Web site provides a full list of available filters https://www.wireshark.org/docs/dfref/.
Task 2
1. Install and run NetworkMiner
NetworkMiner is an open-source Network Forensics Analysis Tool (NFAT) primarily designed for Windows but which also runs on Linux and macOS. NetworkMiner can be used as a passive network sniffer and packet capture tool. It complements Wireshark rather than replacing it: where Wireshark is packet-centric, NetworkMiner is host-centric and extracts operating systems, sessions, hostnames, transferred files, credentials, open ports, etc. from a capture.
NetworkMiner is a .NET application and runs under the Mono runtime on Linux, so we first need to install Mono:
$ sudo apt install mono-devel
Check that it has installed and the version:
$ mono --version
Now install NetworkMiner:
$ wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip
$ sudo unzip /tmp/nm.zip -d /opt/
$ cd /opt/NetworkMiner*
$ sudo chmod +x NetworkMiner.exe
$ sudo chmod -R go+w AssembledFiles/
$ sudo chmod -R go+w Captures/
Run NetworkMiner:
$ mono NetworkMiner.exe --noupdatecheck
Note: You need to be in the /opt/NetworkMiner* directory when you want to use this tool. Therefore, if you have left this directory in the Terminal you'll have to repeat the third command (change directory) above.
2. Using NetworkMiner to investigate a pcap file
Download the S2 L1 Capture.pcap file from Blackboard and File -> Open to load the pcap into NetworkMiner. You will see a number of tabs across the top to give views of the data. Use NetworkMiner to answer the following questions:
How many hosts are active in this network?
Which hosts are on the internal network and which are servers on the Internet?
Under the Files tab, what certificates are being sent and is there any information that you can read from them?
Who owns these certificates?
What information is being sent in the text files?
Under the Credentials tab, are there any users that can be identified? If so, who are they?
What sessions can be identified under the Sessions tab?
What do the parameters being sent tell us about passwords?
What other information would be of use during an incident response investigation?
Task 3
In this task, we will collect evidence from our server. There are many other commands that could be used, but we will concentrate on the main evidence that could indicate a security incident.
The target of our investigation is the LAMP server that you created in the previous lab. Start this server and check that you have connectivity from your Ubuntu Mate 20.04 desktop VM:
$ ping 30.30.0.50
1. Network discovery
Prior to starting the investigation of the server itself, we will want to get a picture of the network environment, such as available hosts and open ports. A great tool for this is nmap that we installed previously on the Ubuntu Mate 20.04 VM.
You now need to start a text file in which to collect the relevant network environment information and write it to your home directory. Using the script command will provide a date/timestamp.
$ script ~/environment.txt
For this task we will use just a few basic nmap commands.
What other commands could you use beyond these to give a much richer picture of the network environment?
Conduct a TCP ping sweep to see the available hosts on the network. TCP SYN probes are used because not all machines are set up to answer ICMP echo requests (nmap's -PE option is the ICMP echo ping; -PS sends SYNs to the listed ports):
$ sudo nmap -sn -PS22,80,443 30.30.0.0/24
Check open ports on our server to identify any potential backdoors:
$ sudo nmap --open 30.30.0.50
Check available services on the server:
$ sudo nmap -sV 30.30.0.50
Close your network discovery script file:
$ exit
Check that file has been written:
$ nano /home/ubuntu/environment.txt
You can open a text editor to access the file from Menu -> Accessories -> Pluma.
2. Prepare for the local investigation
For the rest of this task, we will be conducting our live investigation of the LAMP server using available native Linux commands. These provide a powerful toolset with which to conduct our investigation. We will be looking at a range of available information which will aid us with the investigation and create evidence files that we can copy to our NID Workstation Mate 20.04 VM for analysis.
In order to achieve this, we will SSH from the Ubuntu Mate 20.04 VM to the server from a Terminal window:
$ ssh ubuntu@30.30.0.50
Accept the key fingerprint (yes) and then supply the server's password when prompted. The Terminal will now display your LAMP server's prompt and any commands that we execute will run on the server rather than on our Workstation VM.
Note: If the server prompts you that software upgrades are available, do not upgrade. If we do, we will be interfering with the environment that allowed the security incident in the first place and we may lose valuable evidence. You can always run $ sudo apt upgrade to patch the server once you have collected all of your evidence.
3. System information
We will now collect various pieces of information about the system. Set up a text file to collect this information. Note: this file will be set up on the server and we will need to copy this back to our NID Workstation Mate 20.04 VM later on.
$ script ~/sysinfo.txt
Print the name, version and other details about the server and the operating system running on it:
$ uname -a
How long the server has been up:
$ uptime
Time and date settings:
$ timedatectl
The mount command lists every mounted file system, so it will reveal attached USB devices or unexpected network shares:
$ mount
Close your system information script file:
$ exit
We now need to copy our results file back across to our NID Workstation Mate 20.04 VM. We do this using scp (secure copy) and the openssh service that we set up earlier and specify where on the Workstation we will copy the file to:
$ scp /home/ubuntu/sysinfo.txt ubuntu@30.30.0.1:/home/ubuntu
We first specify the text file on the server, then the user at the IP address, and finally the directory on the NID Workstation Mate 20.04 VM.
4. User information
One of the great things about the Terminal is that we can chain commands with && to run several in one go. Note that && only runs the next command if the previous one succeeded, so if one command is missing or fails the rest are skipped; use ; instead if you want every command to run regardless. We will use the collection of user information to demonstrate this.
Set up our script:
$ script ~/userinfo.txt
Now run our commands:
$ sudo w && sudo lastlog && sudo last && sudo faillog -a && cat /etc/passwd && cat /etc/group && getent group sudo | cut -d: -f4 && cat ~/.bash_history && top -b -n 1
The information returned by these commands relates to user logons, failed logons, the password file to identify users, the members of the sudo group (administrator accounts), the user's Terminal command history, and the most resource-intensive processes by user. Note that ~/.bash_history only records what this account typed; check other accounts' home directories too.
top -b -n 1 prints a single snapshot in batch mode and then exits, so there is nothing to interrupt. Close your user information script file:
$ exit
Copy the evidence over to your Workstation VM:
$ scp /home/ubuntu/userinfo.txt ubuntu@30.30.0.1:/home/ubuntu
5. Network information
Again, we are going to use multiple commands strung together to gather information about what the network is doing at the current time, e.g. connections in and out of the server, listening ports, routing tables, the ARP cache and IP addresses. This may indicate backdoors on the system or active connections to the server by malicious actors.
Set up our script:
$ script ~/netinfo.txt
Now run our commands:
$ sudo ip a && sudo ss -antup && sudo ss -plantux && sudo ss -nap && ip route show && ip neigh && sudo lsof -i
(ip neigh shows the ARP cache; arp -a gives the same information if the net-tools package is installed. sudo is needed for ss -p and lsof -i to show the owning process of sockets that belong to other users, which is exactly where a backdoor would hide.)
Close your network information script file:
$ exit
Copy the evidence over to your Workstation VM:
$ scp /home/ubuntu/netinfo.txt ubuntu@30.30.0.1:/home/ubuntu
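The three collections above (steps 3, 4 and 5) are the same procedure repeated: start a script file, run a fixed list of commands, close the file, copy it off. The Python below is an added example (not part of the lab) that does the same thing in one run and adds what an incident responder would want on top: a UTC timestamp and host/user header in each file, the exit status of every command so a missing tool is visible rather than silently skipped, and a SHA-256 digest written beside each file so the copy on the workstation can be verified against the original. It assumes it is run on the LAMP server as `sudo python3 collect.py` (the user-information commands need root) and that the account under investigation is ubuntu, as in the lab; the command lists are the handout's, with top in batch mode.

```python
import datetime
import hashlib
import hmac
import os
import platform
import subprocess

# The command sets from this task. top runs in batch mode so that it returns;
# the history path is explicit because ~ expands to root's home under sudo.
SYSINFO = ["uname -a", "uptime", "timedatectl", "mount"]
USERINFO = ["w", "lastlog", "last", "faillog -a", "cat /etc/passwd", "cat /etc/group",
            "getent group sudo | cut -d: -f4", "cat /home/ubuntu/.bash_history", "top -b -n 1"]
NETINFO = ["ip a", "ss -antup", "ss -plantux", "ss -nap", "ip route show", "ip neigh", "lsof -i"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_and_record(out_path, commands):
    """Run each command through the shell, append its output and exit status to
    out_path under a UTC header, then write <out_path>.sha256 so that the copy
    on the workstation can be checked against the original on the server."""
    with open(out_path, "w") as fh:
        fh.write(f"# collected (UTC): {datetime.datetime.now(datetime.timezone.utc).isoformat()}\n")
        fh.write(f"# host: {platform.node()}  user: {os.environ.get('USER', '?')}\n")
        for cmd in commands:
            fh.write(f"\n$ {cmd}\n")
            proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            fh.write(proc.stdout)
            if proc.stderr:
                fh.write(proc.stderr)          # e.g. "command not found" stays in the record
            fh.write(f"# exit status: {proc.returncode}\n")
    digest = sha256_file(out_path)
    with open(out_path + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(out_path)}\n")   # sha256sum -c format
    return digest


def verify(out_path):
    """True if out_path still matches the digest recorded when it was collected."""
    with open(out_path + ".sha256") as fh:
        expected = fh.read().split()[0]
    return hmac.compare_digest(expected, sha256_file(out_path))


if __name__ == "__main__":
    home = "/home/ubuntu"
    for name, cmds in (("sysinfo", SYSINFO), ("userinfo", USERINFO), ("netinfo", NETINFO)):
        path = os.path.join(home, f"{name}.txt")
        print(path, run_and_record(path, cmds))
```

After scp'ing each .txt and its .sha256 to the workstation, `sha256sum -c sysinfo.txt.sha256` (run in the directory holding the copy) confirms the evidence was not altered in transit; keep the digests with your notes.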
Task 4
These final two exercises show that you do not need a full lab forensics tool, such as EnCase or FTK, to conduct an Incident Response investigation. They will list all software installed on the server and all files with their MAC times (Modified, Accessed, Changed: on Linux the third timestamp is the inode change time, not a creation time).
1. List all installed packages
Set up our script:
$ script ~/software.txt
Now run our commands:
$ sudo dpkg --get-selections | grep -v deinstall
dpkg --get-selections lists every package dpkg knows about together with its selection state; the -v flag inverts grep so that lines marked deinstall (packages that have been removed but are still on record) are dropped and only installed software is returned. Do not redirect this output to ~/software.txt: script is already recording the session into that file, and a redirect to the same file would overwrite the recording.
Close your software information script file:
$ exit
Copy the evidence over to your Workstation VM:
$ scp /home/ubuntu/software.txt ubuntu@30.30.0.1:/home/ubuntu
2. List all files on the server
We will record, for every file under the user's home directory, the permission bits, last access date and time, last modification date and time, inode change date and time, owning user, owning group, size and full path, and write them to a CSV file. We also need to record the time at which we did this, so run date first (its output appears on the terminal and is not part of the CSV):
$ date
$ find ~/ -printf "%m,%Ax,%AT,%Tx,%TT,%Cx,%CT,%U,%G,%s,%p\n" > ~/files.csv
Note that %C is the inode change time, not a creation time, and that find only stats each file, so collecting the listing does not itself disturb the access times it records. The %Ax, %Tx and %Cx fields use the server's locale date format, so check which order day and month appear in before reading the file.
Copy the evidence over to your Workstation VM:
$ scp /home/ubuntu/files.csv ubuntu@30.30.0.1:/home/ubuntu
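The files.csv produced above is only useful once something reads it. The script below is an added example, not part of the lab sheet, that triages such a listing for three things an investigator looks for first: setuid/setgid or world-writable files, files whose modification time is later than their inode change time (which normal writes never produce), and anything touched at or after a given moment. It assumes a variant of the lab's find command that emits epoch seconds (%A@, %T@, %C@) in place of the locale date strings, because those compare cleanly in awk, and it runs on a constructed four-row CSV rather than a real collection.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab sheet: triage a file listing collected
# with a variant of the lab's find command that records epoch seconds rather
# than locale date strings (assumption):
#   find ~/ -printf "%m,%A@,%T@,%C@,%U,%G,%s,%p\n" > ~/files.csv
# Columns: mode,atime,mtime,ctime,uid,gid,size,path. The path is last and may
# itself contain commas, so it is rebuilt from field 8 onwards. Real %T@
# values carry a fractional part; awk compares them numerically all the same.
# Assumes a POSIX awk (mawk or gawk).
set -u

# suspicious_perms CSV
# Prints "setuid_or_setgid,<path>" for files whose mode carries the setuid or
# setgid bit (a four-digit mode whose first digit has bit 4 or 2 set) and
# "world_writable,<path>" for files that any user can write to.
suspicious_perms() {
    awk -F, '
        {
            path = $8; for (i = 9; i <= NF; i++) path = path "," $i
            if (length($1) == 4 && substr($1, 1, 1) ~ /[2-7]/)
                print "setuid_or_setgid," path
            if (substr($1, length($1), 1) ~ /[2367]/)
                print "world_writable," path
        }' "$1"
}

# impossible_mtime CSV
# A normal write sets mtime and ctime together and ctime cannot be set from
# user space, so an mtime later than ctime means the mtime was set by hand
# (touch -d, timestomping) or the clock moved. Worth a look either way.
impossible_mtime() {
    awk -F, '
        {
            path = $8; for (i = 9; i <= NF; i++) path = path "," $i
            if ($3 + 0 > $4 + 1) print "mtime_after_ctime," path
        }' "$1"
}

# recent_changes CSV SINCE
# Prints "recent,<path>" for files modified or changed at or after SINCE
# (epoch seconds), e.g. the suspected time of compromise.
recent_changes() {
    awk -F, -v since="$2" '
        {
            path = $8; for (i = 9; i <= NF; i++) path = path "," $i
            if ($3 + 0 >= since + 0 || $4 + 0 >= since + 0) print "recent," path
        }' "$1"
}

# write_sample_csv FILE: four constructed rows in the format above. The
# second row is a setuid copy of su hidden in a cache directory, the third
# path deliberately contains a comma, and the fourth has a future mtime.
write_sample_csv() {
    cat > "$1" <<'EOF'
755,1700000000,1699990000,1699990000,1000,1000,4096,/home/ubuntu
4755,1700000000,1699000000,1699999000,0,0,55000,/home/ubuntu/.cache/bin/su
666,1700000100,1700000100,1700000100,1000,1000,12,/home/ubuntu/notes, draft.txt
644,1700000000,1800000000,1700000000,1000,1000,300,/home/ubuntu/.bashrc
EOF
}

# Demo over the constructed rows (on the workstation, point these at the
# files.csv copied from the server instead).
sample=$(mktemp)
write_sample_csv "$sample"
suspicious_perms "$sample"
impossible_mtime "$sample"
recent_changes "$sample" 1700000050
rm -f "$sample"
```

The one-second allowance in impossible_mtime absorbs the fractional part of real %T@ and %C@ values; raise it if the server's clock is known to have been adjusted during the period of interest.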
Task 5
You have now collected a large amount of evidence from the server that you can analyse at your leisure.
Close the terminal with the SSH connection to the server.
Open a text editor with Menu -> Accessories -> Pluma.
Open the files that you have copied from the server and go through the evidence that you have collected. Identify relevant information that could be used during an investigation and may indicate security issues.
Further Work (Optional)
1. A useful tool for conducting incident response within large organisations is velociraptor. It collects host-based state information for collection, monitoring and threat hunting on Windows, Linux and Mac operating systems, either on an individual system or across endpoints within an organisation. This is all done through a GUI rather than at the command line.
Download and install velociraptor on your VM from their github site, the link is at https://docs.velociraptor.app/. Practice using this software on your VM.
2. This tutorial has only introduced the concept of filters to show a powerful tool for packet analysis. Go through the tutorial at https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/ which looks at using filters for the analysis of infection traffic.
3. Malware of the Day from https://www.activecountermeasures.com/category/ac-hunter/ is a great source of pcap files of captured attacks. In addition, they provide an analysis of those files. Explore some of the resources and attacks by loading the pcaps into both wireshark and NetworkMiner and follow along with their analysis for a better understanding of packet analysis.
4. Similar to Linux, Windows has a command prompt (and PowerShell) that can be used to conduct DFIR investigations against Windows servers. For this environment you would use both PsTools, the free Sysinternals command-line suite from Microsoft (tools such as PsLoggedOn, PsList and PsService cover similar ground to the Linux commands above), and the built-in command-prompt commands. Research which commands you could use to investigate a Windows server, paying particular attention to the Registry. Practice using these commands on your own Windows computer or download a free VM from Microsoft with which to practice.
55-704272 Web Applications and E-Commerce Security
Lab 8 Application Vulnerability Scanning
Aim of lab 8
The aim of this lab is to understand how we can start to identify network and system entry points, based on what we discovered using OSINT and network scanning techniques, and then apply vulnerability scanning to them. You will discover that whilst the scanners are good at identifying vulnerabilities, they do sometimes return erroneous results. The target in this lab has been chosen so that it will return a wide range of results. However, you may also want to re-run the scans against the Ubuntu 20.04 server that you set up in lab 6, analyse the results to identify issues and fix those found in your server.
For this lab, use your Ubuntu Mate 20.04 VM and the OWASP BWA server you set up in lab 1.
Prior to undertaking this lab, you may want to update your Ubuntu Mate 20.04 VM (refresh the package lists first, otherwise upgrade works from stale data):
$ sudo apt-get update && sudo apt-get upgrade
Then if you want to free up a little space:
$ sudo apt autoremove
Task 1
1. Web server vulnerability scanning with nikto.
You should have installed nikto as part of the Sparta installation in a previous lab. However, if you didn't (or just want to check that it is installed):
$ sudo apt install nikto
Run a nikto scan against your OWASP BWA server; it should return a good number of findings from its roughly 6,500 checks.
$ nikto -h <OWASP BWA IP address>
Analyse the results to identify the vulnerabilities on the OWASP BWA server, remembering that nikto works from banners and signatures and some of its findings will be false positives that need manual confirmation. Have a look at some of the nikto options ($ nikto -Help; the lower-case -h you have just used is the host option) and explore how you would incorporate this tool into a pen test, particularly considering the results of your scan.
Task 2
1. Install nessus Essentials.
Nessus Essentials is the community edition of the widely used nessus vulnerability scanner. Go to the nessus Essentials homepage at https://www.tenable.com/products/nessus/nessus-essentials. Note that this vulnerability scanner is aimed at detecting vulnerable software rather than code. We will use another tool to identify issues with Web code.
You will need to register with nessus to be able to download and use the software. Once registered, Tenable will send you an activation code. Once on the downloads page, it should give you the option to download Nessus-10.4.1 or whichever is the latest version. Ensure that you select the correct Platform from the drop down list (we are using Linux Ubuntu - amd64).
Select Save File and once downloaded, go to the Downloads directory in your Terminal and install the package with dpkg, using the exact file name you downloaded (the version number will differ from the one shown here). dpkg -i does not resolve dependencies, so if it reports any missing, run sudo apt-get install -f afterwards:
$ cd Downloads/
$ sudo dpkg -i Nessus-10.3.0-ubuntu1404_amd64.deb
Start the nessus service:
$ sudo /bin/systemctl start nessusd.service
2. Perform a nessus scan on the OWASP BWA server.
Once installed, you can access nessus through your Web browser by going to https://<your VM name>:8834 (e.g. for me this was https://ubuntu:8834; https://localhost:8834 also works from the VM itself). The browser will warn of a potential security risk because nessus uses a self-signed certificate, so click Advanced -> Accept the Risk and Continue to load the nessus page. You will then need to select the Essentials button and, if you have already registered, skip the next step (which is just asking for an activation code). On the next page, enter the activation code that you received at your registered email address. Create a user account on the next page.
Once your user account is created, nessus will download and compile the various files required for vulnerability scanning. This may take some time depending on the capability of your VM as there is a lot of data to be downloaded.
When this has completed, run a Basic Network Scan of the OWASP BWA server. Create a new scan, fill out the required fields and save the scan to return to the list of scans. Click on the scan that you have just created and then Launch the scan. Analyse the results obtained by clicking on the various tabs. Consider how you could use the results during a security assessment.
Run scans against the server for Log4J issues and to check for Conti attack-related issues (for more information on the Conti attack, please see https://heimdalsecurity.com/blog/what-is-conti-ransomware/).
Further information on how to run a scan and other training resources can be found at https://static.tenable.com/marketing/whitepapers/Guide-Tenable-for-Education.pdf.
Task 3
1. Install OWASP ZAP.
OWASP ZAP is the open source alternative to Burp Suite and is available for download at https://www.zaproxy.org/download/. Whilst nessus is useful for identifying vulnerable software, ZAP is good for analysing vulnerabilities specifically in Web applications.
You will need java to be installed on your VM to use OWASP ZAP. This should have been done in the first lab but if you need to install java:
$ sudo apt install openjdk-11-jdk
Choose the Linux Installer package (ZAP 2.12.0 was the current version at the time of writing this lab). Once the file is downloaded:
$ cd Downloads/
$ chmod +x ZAP_2_12_0_unix.sh
$ sudo ./ZAP_2_12_0_unix.sh
Follow the on-screen instructions to install ZAP.
2. Scanning with OWASP ZAP.
To run ZAP, go to Applications -> Other -> OWASP ZAP. You may need to do a system reboot prior to the launcher showing in the menu.
Alternatively, you can launch it using the following:
$ cd /opt/zaproxy
$ java -jar zap-2.12.0.jar
If this command complains about the -jar option or the Java version, you may need to switch to Java 11, as set up at the beginning of the task. Check your version of Java:
$ java -version
If it shows anything but java 11, download openjdk-11-jdk. We will need to change java versions.
$ sudo update-alternatives --config java
This command shows us all the Java versions installed. Enter the selection number for OpenJDK 11.
Go through the tutorial on using OWASP ZAP at https://www.softwaretestinghelp.com/owasp-zap-tutorial/. Replace the URL in the tutorial with the IP address of your OWASP BWA server (remember the URL will have http:// in front of the IP address) as we do not have permission to scan the one in the tutorial.
Explore some of the functionality of ZAP and consider how the information that is returned regarding the OWASP BWA server could aid you in a pen test of this VM.
Further Work (Optional)
1. Greenbone Vulnerability Management, previously known as OpenVAS, is a network security scanner which provides a set of network vulnerability tests (NVTs) to detect security loopholes in systems and applications. GVM is comparable to the nessus vulnerability scanner in functionality but is open source. Two words of warning: this is a memory hungry application, so give it as much RAM and as many CPUs as you can in VirtualBox, and it is a time-consuming installation, even with the automatic installer method.
You can by all means adapt and follow instructions for a manual install at https://www.howtoforge.com/how-to-install-and-use-gvm-vulnerability-scanner-on-ubuntu-20-04/. However, a much easier script for an automated install and instructions are available from https://github.com/yu210148/gvm_install. When you run the install file you will need to state the version of GVM that you are installing, either 20 or 21.
Note: There is a bug in GVM when updating the signatures that are used by the application in your VM. This will be indicated by a rsync or update failure during installation. To resolve this issue, rather than use a NAT connection on your VM, change it to Bridged and this should allow the feeds to sync.
2. The golismero project (https://github.com/golismero/golismero) incorporates a number of tools for Web security scanning, including GVM, under the one framework. Download and run golismero on your Ubuntu 20.04 VM and consider how you would use this tool for both pen testing and securing systems.
3. In this lab, I have concentrated on lightweight vulnerability scanners that would work well within your cyber security lab. However, there are other vulnerability scanners available. One such tool is Nexpose, who provide a free community edition (https://docs.rapid7.com/nexpose/download). It does have the advantage in that it is designed to integrate the metasploit framework. This is a memory hungry tool requiring at least 8 GB RAM and 100 GB hard drive space (more really). Download, install and run Nexpose and compare your results to the other scanners in this lab.
4. If you set up a firewall on your network in the further work in lab 2, run nessus and GVM scan against this VM. Go into the firewalls logs to see what a vulnerability scan looks like from a defenders viewpoint.
55-704272 Web-Based Applications and E-Commerce Security
Lab 6 Securing the server
Aim of lab 6
The aim of this lab is to understand what technologies are commonly put in place to protect Web applications. To achieve this, we will set up and secure a Web (LAMP) server. We will set up the LAMP server from scratch and then apply a range of security techniques to protect it. This enables you to see not only how protections are put in place but also the limitations and some configurations that can introduce security errors. It also demonstrates why further hardening techniques suggested in the further work section are required.
This lab will build on learning in the first lab, so you may need to refer to that lab sheet for more detailed instructions if you are unsure.
Task 1
Download the following resources onto your laptop or desktop:
Ubuntu 20.04 LTS server (https://releases.ubuntu.com/20.04/). You will need to choose the Server install image option.
We will use the Ubuntu 20.04 server as this is a stable release and you have become accustomed to the Terminal in your Ubuntu Mate VM.
Task 2
1. Install the Ubuntu 20.04 LTS server image in VirtualBox.
Machine -> New
Work your way through the new machine set up wizard. Give the new machine a name and ensure that the OS type is set as Linux and Ubuntu (64-bit). Allocate some RAM: 1024 MB will be sufficient for our needs but if you can, allocate 2048 MB. Create a virtual hard disk, either VDI or VMDK, dynamically allocated. Set the HDD size to 10 GB (the default setting).
We will need to set up 2 network cards, one for Internet connections and the other for our internal network.
Network -> Adapter 1
Ensure that this adapter is enabled and is set to NAT.
Under Advanced, make a note of the MAC address.
Network -> Adapter 2
Enable adapter 2.
Attach it to the internal network.
Make a note of the MAC address
Save your changes to Settings and then start the VM. You will now set up the server's underlying OS. In the Optical Disk Selector, select the server image that you have downloaded.
When you get to the various options, you need to use TAB to move the cursor around them. Select your keyboard layout and follow the instructions; keep the network settings as suggested, as we shall set up the internal network after the install. Keep the defaults for the next few options.
When you get to the OpenSSH server, hit enter to Install OpenSSH.
We will not be using any Featured Server Snaps, so just select Done and the system will complete the installation. Restart the server once it has been installed (it will notify you that the install is complete) and log in using the credentials you set during the set up.
Check you network cards to see how they are configured:
$ ip a
My network cards are enp0s3 and enp0s8. If you are using VMware, they may be named differently, so in the file below make sure that you are referring to the correct interfaces and change the names if necessary.
Open your netplan config file:
$ sudo nano /etc/netplan/00-installer-config.yaml
The file should look like (with indentations using the space bar and not tab) the following:
network:
  ethernets:
    enp0s3:
      dhcp4: true
    enp0s8:
      addresses: [30.30.0.50/24]
      nameservers: {}
  version: 2
Save the file and then reboot the server.
2. Check connectivity of the Ubuntu 20.04 server.
Start your Ubuntu Mate desktop machine.
In the Terminal, ping the Ubuntu server on its internal address (30.30.0.50) to ensure that the network is working and you can reach it.
Ctrl+c to stop the ping test.
If the ping works, you have connectivity; if not, you will need to check your network configuration. Check that the yaml file in the previous section has the correct indentation and information.
Task 3
1. Patch the Ubuntu server and enable automatic security updates.
Using the server interface, patch the server.
$ sudo apt-get update
$ sudo apt-get upgrade
If any software needs to be updated, it will tell you.
Install the unattended upgrades package if it is not already installed.
$ sudo apt-get install unattended-upgrades
Configure the automatic updates file. We need to ensure that security updates are automatically applied to the server. In addition, we may want to (should) update any of our applications.
$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Anything after a double slash // is a comment and has no effect. To enable a line, remove the double slash at the beginning of the line.
Check that the security updates lines are uncommented.
Uncomment the updates line by deleting the two slashes at the beginning of it:
"${distro_id}:${distro_codename}-updates";
Save the file Ctrl+x, y and enter.
2. Set up a basic firewall to restrict remote access.
We will use a simple firewall (UFW) to restrict remote access to the applications available on our server.
Check that access to openssh is available.
$ sudo ufw app list
This will display allowed applications. This should include OpenSSH as this was set up during installation. If not, we can manually allow ssh connections.
As we are building a LAMP server, we will want to allow access to SSH, HTTP and HTTPS.
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
Check the status of the firewall and that the rules have been updated.
$ sudo ufw status verbose
If the status is inactive, enable the firewall and check again that it is now active and will start at boot. UFW's default policy denies incoming and allows outgoing traffic, so once enabled only the three services allowed above are reachable from the network:
$ sudo ufw enable
$ sudo ufw status verbose
Ensure that SSH is working by connecting from your Ubuntu Mate 20.04 desktop VM:
$ ssh <username>@30.30.0.50
Log in to the server.
Task 4
You can continue working on your server either through your desktop VM using ssh or directly interacting with the servers interface.
You now need to set up the LAMP stack on the server for it to operate as a Web server. Follow the tutorial at https://upcloud.com/community/tutorials/installing-lamp-stack-ubuntu/ to set up a LAMP stack on your server. You will start from Step 2.
Once you complete this tutorial you will have a fully functional LAMP server.
Task 5
1. PHP hardening.
The PHP on a new installation of the LAMP stack will need some attention as this is a common attack vector.
You should have removed the PHP info page in Task 4. However, if not, you can remove it from the Web site and ensure that it has been deleted using the following commands:
$ sudo rm /var/www/html/phpinfo.php
$ ls /var/www/html
You will then want to make some changes to the PHP configuration to add some security. PHP keeps a separate php.ini for each SAPI: php --ini reports the one used by the command-line interpreter, which is not the one Apache reads:
$ php --ini | grep "Loaded Configuration File"
For the Web server you need to edit the apache2 copy alongside it (substitute your PHP version for 7.4 if the path returned above differs; mine is shown here). Editing the cli copy and restarting Apache has no effect on the Web server.
$ sudo nano /etc/php/7.4/apache2/php.ini
Edit the file to reflect the following settings:
expose_php = Off
display_errors = Off
mail.add_x_header = Off
allow_url_fopen = Off
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,curl_exec,curl_multi_exec
file_uploads = Off
allow_url_fopen is an ini directive rather than a function name, so it is set on its own line and not listed in disable_functions, where it would be silently ignored. Note that file_uploads = Off breaks any application that relies on uploads; if yours does, leave it On and limit upload_max_filesize and post_max_size instead.
Save the file Ctrl+x and then restart apache.
$ sudo systemctl restart apache2.service
2. Apache hardening.
You will need to hide sensitive information and headers in your apache installation. You will need to edit the apache configuration to do this.
$ sudo nano /etc/apache2/conf-available/custom.conf
Edit the file to reflect the following settings:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options -Indexes
Header unset ETag
Header always unset X-Powered-By
FileETag None
Save the file Ctrl+x. Options -Indexes turns off directory listings; the form Options all -Indexes mixes a bare keyword with a +/- one, which Apache rejects as a syntax error at startup. The Header directives need mod_headers, so enable that module and then enable the new configuration file (a2enconf takes the name without the .conf suffix):
$ sudo a2enmod headers
$ sudo a2enconf custom
$ sudo nano /etc/apache2/conf-available/security.conf
Change ServerTokens OS to ServerTokens Prod and uncomment the two Header set lines for X-Content-Type-Options ("nosniff") and X-Frame-Options ("sameorigin"). The copy in conf-enabled is only a symlink to this file. Before restarting, check that Apache accepts the new configuration with apachectl configtest; a typo in either file otherwise leaves the Web server down.
Save the file Ctrl+x and then restart apache.
$ sudo systemctl restart apache2.service
Task 6
1. Protect the use of su on your server.
The aim of this countermeasure is to limit use of su to members of an admin group. We will add the group, put our own administrative user in it, and then use dpkg-statoverride to make /bin/su executable only by root and that group (mode 4750) in a way that survives package upgrades. Add yourself to the group before changing the mode, otherwise su stops working for everyone but root; sudo is unaffected by this change.
$ sudo groupadd admin
$ sudo usermod -a -G admin <YOUR ADMIN USERNAME>
$ sudo dpkg-statoverride --update --add root admin 4750 /bin/su
2. Harden network settings in sysctl
The sysctl utility is used to manage networking and other low-level protective Linux kernel parameters at runtime. This sets the system's behaviour towards incoming traffic and protects the system from a range of attacks, such as TCP SYN floods and malformed packets. We will need to edit the sysctl.conf file.
$ sudo nano /etc/sysctl.conf
Add the following lines to the file, or uncomment them where they are already present, then save it. The values are read at boot; to apply them immediately run sudo sysctl -p, and confirm any one of them with sysctl followed by the key name (for example net.ipv4.tcp_syncookies should now report 1):
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1
# Don't pass traffic between networks or act as a router
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts=1
# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1
# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
# RFC 1337 fix
net.ipv4.tcp_rfc1337=1
# Addresses of mmap base, heap, stack and VDSO page are randomized
kernel.randomize_va_space=2
# Reboot the machine soon after a kernel panic.
kernel.panic=10
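Both the php.ini edits in Task 5 and the sysctl settings above are key = value files, and the same mistake (a directive left commented out, or set in the wrong file) defeats both. The script below is an added example, not part of the lab sheet, that compares a baseline of expected directives against a php.ini, or against the output of sysctl -a, and reports anything missing or different. The baseline files it writes and the unhardened php.ini and sysctl -a excerpts it checks are constructed for the demonstration; on the server you would point it at /etc/php/7.4/apache2/php.ini and at the output of sysctl -a instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab sheet: audit "key = value" configuration
# (php.ini, sysctl.conf or "sysctl -a" output) against a baseline of expected
# directives. Assumes a POSIX awk and sed (mawk/GNU on Ubuntu 20.04).
set -u

# normalise_kv FILE
# Prints one "key=value" line per directive: comments (; or #) and [sections]
# dropped, whitespace and quotes trimmed, keys lowercased, and PHP's boolean
# spellings (On/Off, True/False, Yes/No) mapped to 1/0 so that
# "expose_php = Off" and "expose_php=0" compare equal.
normalise_kv() {
    sed -e 's/[;#].*$//' -e '/^[[:space:]]*\[/d' "$1" \
    | awk '
        index($0, "=") > 0 {
            p = index($0, "=")
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/"/, "", val)
            lv = tolower(val)
            if (lv ~ /^(on|true|yes)$/) val = "1"
            else if (lv ~ /^(off|false|no|none)$/) val = "0"
            if (key != "") print tolower(key) "=" val
        }'
}

# audit_kv BASELINE ACTUAL
# For every directive in BASELINE, prints "missing <key>" when ACTUAL does not
# set it and "mismatch <key> is <actual> want <expected>" when it sets another
# value. The last occurrence of a key wins, as it does for php.ini and
# sysctl. Returns 0 only when everything matches.
audit_kv() {
    local want have rc
    want=$(mktemp) && have=$(mktemp)
    normalise_kv "$1" > "$want"
    normalise_kv "$2" > "$have"
    if awk -F= '
        FILENAME == ARGV[1] {
            w[$1] = substr($0, index($0, "=") + 1)
            if (!($1 in seen)) order[++n] = $1
            seen[$1] = 1; next
        }
        { h[$1] = substr($0, index($0, "=") + 1) }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in h)) { print "missing " k; bad++ }
                else if (h[k] != w[k]) { print "mismatch " k " is " h[k] " want " w[k]; bad++ }
            }
            exit (bad > 0)
        }' "$want" "$have"; then rc=0; else rc=$?; fi
    rm -f "$want" "$have"
    return "$rc"
}

# Constructed baseline: the lab's PHP hardening, with allow_url_fopen as its
# own directive since it is an ini setting rather than a function name.
write_php_baseline() {
    cat > "$1" <<'EOF'
expose_php = Off
display_errors = Off
mail.add_x_header = Off
allow_url_fopen = Off
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,curl_exec,curl_multi_exec
file_uploads = Off
EOF
}
# Constructed excerpt of an unhardened php.ini, in the file's real syntax.
write_unhardened_php_ini() {
    cat > "$1" <<'EOF'
[PHP]
; Decides whether PHP may expose the fact that it is installed on the server
expose_php = On
display_errors = Off
mail.add_x_header = On
allow_url_fopen = On   ; default
disable_functions =
file_uploads = On
EOF
}
# Constructed baseline of four of the sysctl settings, and a constructed
# excerpt of "sysctl -a" from a host that has not applied them yet.
write_sysctl_baseline() {
    printf '%s\n' '# from /etc/sysctl.conf' 'net.ipv4.tcp_syncookies=1' \
        'net.ipv4.ip_forward=0' 'net.ipv4.conf.all.rp_filter=1' \
        'net.ipv4.conf.all.accept_redirects=0' > "$1"
}
write_sysctl_actual() {
    printf '%s\n' 'net.ipv4.tcp_syncookies = 1' 'net.ipv4.ip_forward = 1' \
        'net.ipv4.conf.all.rp_filter = 2' > "$1"
}

# Demo over the constructed files.
tmp=$(mktemp -d)
write_php_baseline "$tmp/php.baseline"; write_unhardened_php_ini "$tmp/php.ini"
echo "== php.ini before hardening =="; audit_kv "$tmp/php.baseline" "$tmp/php.ini" || true
write_sysctl_baseline "$tmp/sysctl.baseline"; write_sysctl_actual "$tmp/sysctl.actual"
echo "== sysctl before sysctl -p =="; audit_kv "$tmp/sysctl.baseline" "$tmp/sysctl.actual" || true
rm -rf "$tmp"
```

For the PHP check run it against the apache2 php.ini, not the cli one, since only the former affects the Web server; for sysctl, feed it the live output of sysctl -a rather than sysctl.conf, which shows what the kernel is actually doing rather than what the file asks for.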
Further Work (Optional)
1. Set up and install SecurityOnion as a VM to monitor your virtual lab network. SecurityOnion is available to download from https://securityonionsolutions.com/software. Alternatively, you can install SecurityOnion on top of the server that you have created in this lab; instructions on how to do this are at https://docs.securityonion.net/en/2.3/installation.html. The distro is aimed for enterprise users and is quite memory hungry so for the best results you will need to allocate as much memory as possible.
2. Download and install a network firewall to protect your server. For example, set up IPFire on your security lab network to protect all traffic over your NAT connection to and from your LAMP server. The set up of this VM follows a simple wizard to get the VM up and running. When setting this VM up, remember to correctly assign your green and red network cards on the device and use Google's DNS (8.8.8.8 or 8.8.4.4). You can access the management interface on IPFire through your Ubuntu Mate VM's browser (the IPFire green network address on port 444, over HTTPS). Generate some traffic, such as pings, to your LAMP server and check IPFire's logs to see what is being detected.
3. There are a wide range of techniques that will make your server more secure should it be deployed to the Internet. Investigate further tools and techniques that could be applied to your server to provide a more holistic security approach. Once you have identified those tools and techniques, implement them on your LAMP server.
55-704272 Web Applications and E-Commerce Security
Lab 5 Authentication and authorisation
Aim of lab 5
The aim of this lab is to explore authentication and authorisation in Ubuntu. A basic skill that any system administrator should be able to perform is to add and remove users, both through a GUI for desktop systems and the command line for servers. In addition, they should be able to add and remove users from admin groups as well as change file permissions. A vulnerability in many systems is the use of weak passwords; therefore, as a system administrator you need to generate secure passwords. Finally, a useful skill to develop is password security testing, to ensure that deployed access credentials remain robust, particularly on those systems that are accessed from the Internet.
Task 1
1. Adding and deleting users
In this task you will practice adding and deleting users to the system and user groups. You may need to replace some of the group names to reflect your desktop environment. Go through sections 1.1 and 1.3 of the tutorial at https://www.answertopia.com/ubuntu/managing-ubuntu-users-and-groups/.
Continue to practice adding and deleting users until you are comfortable with the task.
Task 2
1. Changing file permissions
At times, you may want to change the permissions of files and you can do this through the Terminal using chmod.
List the files in your home directory in the Terminal showing file permissions:
$ ls -l
Add the execute bit for everyone on the VeraCrypt package you downloaded in the previous lab:
$ chmod +x veracrypt-1.25-Ubuntu-20.04-amd64.deb
Then remove it again (chmod changes permission bits only; ownership is changed with chown):
$ chmod -x veracrypt-1.25-Ubuntu-20.04-amd64.deb
Create some text files to save in your home folder and go through tutorial on how to use chmod at https://www.howtoforge.com/tutorial/linux-chmod-command/.
Task 3
1. Creating passwords automatically using gpw
A common weak point in system passwords is that users tend to choose easily cracked passwords built from words found in a dictionary. One way to mitigate this problem is to use a password generator such as gpw.
To install gpw:
$ sudo apt install gpw
To run gpw:
$ gpw
You will notice that by default, it generates ten 8-letter lower case passwords. To change this to 20 12-letter passwords:
$ gpw 20 12
2. Creating passwords automatically using pwgen
Whilst gpw is useful for generating pronounceable passwords, you may want to make them stronger by including mixed-case letters and digits. Therefore, we can use pwgen.
Install pwgen:
$ sudo apt install pwgen
To use pwgen:
$ pwgen
You will notice that by default it gives you many more alpha-numeric upper-lower case passwords.
To create passwords with at least one special character:
$ pwgen -y
Go to https://linux.die.net/man/1/pwgen to view the options available when creating passwords and practice using the application with different options set.
3. Creating passwords automatically and storing them in an encrypted container
Another way of generating secure passwords is to use a password manager. This has the added advantage for a user in that it generates and keeps all passwords in an encrypted container (database) such as keepass2. You will only need to remember one strong password to access the database.
To install keepass2:
$ sudo apt install keepass2
Once you have installed keepass2, open it under Applications -> Accessories. Go to https://keepass.info/help/base/firststeps.html which has some simple instructions on how to use the application and set up your own secure password database. This has the added advantage that once you have closed the application, you can copy your database over to another device including mobiles.
Practice using keepass2 by adding some entries and automatically generating secure passwords. Remember to save the database before closing the application.
Task 4
A useful exercise in securing your systems is password testing. This can be done in a number of ways.
A good resource for password lists (as well as other security resources) is Daniel Miessler's github site at https://github.com/danielmiessler/SecLists/tree/master/Passwords. Open the darkweb2017-top100.txt file and copy and paste the passwords into a text file. Also, have a look at some of the other password files that are available on the site.
We now want to customise the darkweb2017-top100.txt file for later use. Open the file you saved with a text editor (Pluma on the Ubuntu 20.04 VM) or copy the list to a text editor. Enter somewhere in the file the word msfadmin, the password for metasploitable 2 and save the file as top-100-passwords.txt in your home directory.
1. Testing Web server passwords by brute force.
For this task, we are going to install three of the most popular online password brute-forcing tools, which work against network services such as SSH, FTP and Web login forms: hydra, ncrack and medusa.
Install hydra, ncrack and medusa:
$ sudo apt install hydra ncrack medusa
2. Testing the password of our metasploitable 2 server.
Start your metasploitable 2 server as this will be our target. We will run each of the password tools against the target to assess the speed at which they brute force the SSH password. Use the password file that you created at the start of this task, which contains the server's password.
To run hydra against SSH on metasploitable:
$ hydra -l msfadmin -P ~/top-100-passwords.txt 30.30.0.20 ssh
The syntax for the above is: -l msfadmin is the username, -P the password file in the home directory, then the target IP address and the service. The other two tools have a similar syntax.
To run ncrack:
$ ncrack -p 22 --user msfadmin -P ~/top-100-passwords.txt 30.30.0.20
To run medusa:
$ medusa -u msfadmin -P ~/top-100-passwords.txt -h 30.30.0.20 -M ssh
You should find variations in speed of checks and you can change the command to include multiple threads to speed the process up. Go through the following tutorial replacing the IP addresses to those of your lab: https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/.
Task 5
1. Using password crackers; John the Ripper.
John the Ripper supports many common password hash formats out of the box for UNIX and Windows-based systems. It auto-detects the hash type of the data it is given, then hashes each candidate from a large plain-text file of popular passwords and compares the result with the target, stopping when it finds a match.
Install John the Ripper:
$ sudo apt install john
It will also install a data file.
To get an idea of how John the Ripper works and its capabilities, well run some benchmark tests:
$ /usr/sbin/john --test
This will show you the breadth of hash formats that it can crack and how many candidates per second your VM manages for each.
We will now crack a small password file. Open a text editor (Pluma) and type the following in password format (<user>:<hash>):
myuser:AZl.zWwxIh15Q
Save the text file as password.txt in your home directory. Run John the Ripper against this file:
$ /usr/sbin/john ~/password.txt
This will take a little while to crack. The more powerful the computer, the faster this process takes so on the VM it may be a little slow. If you want to see the status of the cracking operation at any time, press the spacebar.
Once John the Ripper has cracked the password, view the results by:
$ /usr/sbin/john --show ~/password.txt
We are now going to try your real passwords with John the Ripper. All Linux systems keep the password hashes in /etc/shadow, which only root can read, so we combine the passwd and shadow files with John the Ripper's unshadow tool (the redirect runs as your own user, so the output lands in your home directory as a readable copy of your hashes; delete it when you have finished):
$ sudo unshadow /etc/passwd /etc/shadow > ~/mypasswd.txt
This will place our created file in our home directory. We then run John the Ripper against that file.
$ /usr/sbin/john ~/mypasswd.txt
John the Ripper will try single crack mode first, then wordlist mode, and then incremental mode. A mode is a method it uses to crack passwords. This again may take some time to complete.
If John the Ripper is successful in cracking one of the passwords, it will write to ~/.john/john.pot. However, that file isn't human-readable, so you can read cracked passwords with:
$ /usr/sbin/john --show ~/mypasswd.txt
To check if the root password got cracked, filter by UID:
$ /usr/sbin/john --show --users=0 ~/mypasswd.txt
Further Work (Optional)
1. Download and practice using Hashcat. Hashcat is a GPU-accelerated password cracker that handles a very wide range of hash types, including salted hashes. Rather than rainbow tables, it offers dictionary, rule-based, mask (brute-force), combinator and hybrid attacks, so that a given hash can be attacked in several different ways, quickly.
2. Rainbow tables are special dictionary tables that use hash values instead of standard dictionary passwords. Normally, when you crack a password hash, your computer computes a word, generates the hash, then compares to see if there is a match. If there is, the password is correct; if not, it will keep guessing. Rainbow tables work on the principle of a time-memory trade-off. This means that hashes are pre-generated by a computer and stored in a large rainbow table file with all of the hashes and words that correspond to them.
Download the latest version of RainbowCrack from https://project-rainbowcrack.com. Make sure you select the Ubuntu zip file that does NOT only work with purchased tables. Move the file into your home folder and unzip it.
Just generating rainbow tables takes between 2-7 hours, hence this task is in the further work section. Installing RainbowCrack on your host OS will speed the process up.
Go through the tutorial at https://null-byte.wonderhowto.com/how-to/rainbow-tables-create-use-them-crack-passwords-0131470/.
55-704272 Web Applications and E-Commerce Security
Lab 4 Data confidentiality
Aim of lab 4
Encryption is a key tool in maintaining the confidentiality of data and information. The encryption of data can take place at rest and in transit. Encryption at rest refers to data that is stored on the device and in transit refers to data as it traverses inherently insecure networks. There is no one single tool to enable encryption of data; it depends on where the data resides and what type of data that is to be encrypted. The aim of this lab is to explore various tools for data encryption, from the hard drive and in transit through to cloud storage.
We will create a new Ubuntu Mate 20.04 VM to use in this lab that will introduce various layers of encryption to protect the confidentiality of your data.
Task 1
1. Hard drive encryption.
A key tool in maintaining confidentiality on a device is to encrypt the storage media itself. This ensures that the disk has to be unlocked (decrypted with the passphrase) before any data stored on it can be read. The Ubuntu installer offers this only at the time of setting up your operating system for the first time, not retrospectively (other techniques later in this lab show alternative approaches to encrypting stored data on an existing system).
Create a new Ubuntu Mate 20.04 VM (refer to lab 1 for specific details on setting up the VM). It only needs one network card with NAT to allow Internet access.
Once you have gone through the preliminary stages of the installation (installation language, keyboard layout and the software updates to install), you will be asked to choose the installation type. Two options are presented: "Erase disk and install Ubuntu", which wipes the existing data and partitions the drive automatically, and "Something else", which is used when you want to configure the disk partitions manually.
Select the Erase disk and install Ubuntu option and click on the Advanced Features button.
In the next step, select the Use LVM with the new Ubuntu installation and check the Encryption option below (Encrypt the new Ubuntu installation for Security) to secure your system.
This prompts you for a security key (a passphrase). Choose a strong one: anyone who copies the disk can run offline dictionary or brute-force attacks against it, with no lockout to stop them. This is the passphrase that unlocks the disk when the system boots and is separate from your user password.
Then finally click on the Install Now button to continue with the installation.
When the installation is complete, click the Restart Now button to reboot your system.
At this point the disk is encrypted: the installer has placed the LVM volumes inside a LUKS container, with only the small /boot partition left in the clear so the system can start. On booting, you will be prompted for the decryption key, which is the passphrase you provided earlier.
Type in the password or passphrase and hit ENTER. Once the system boots, you will be asked for your user login.
Patch the system once it is up and running (sudo apt-get update and then sudo apt-get upgrade in the Terminal).
Task 2
1. Volume encryption on the encrypted VM OS
Encrypting your hard drive gives you confidentiality while the machine is powered off, but once you have booted and unlocked it, everything on the disk is readable to any process running as you (or as root). Therefore, if you have very sensitive information you may want to store it in a separately encrypted volume that is only mounted when needed. This adds a further layer of encryption to your data.
You will need to install 2 dependencies to allow VeraCrypt to run:
$ sudo apt install libayatana-appindicator3-1 libayatana-indicator3-7
Download VeraCrypt via your Web browser from https://sourceforge.net/projects/veracrypt/ and go to the Files tab to see the available downloads. We will be using VeraCrypt 1.25.9 as this was the latest version when writing this lab.
Click into the VeraCrypt 1.25 folder, then the VeraCrypt 1.25.9 folder and then select Linux. Go down to veracrypt-1.25-Ubuntu-20.04-amd64.deb. Click on this download link to obtain the application.
Move the file from Downloads to your home folder.
Right click on the veracrypt-1.25-Ubuntu-20.04-amd64.deb file and select Open with GDebi Package Installer.
Once it is installed, you should see the VeraCrypt application under the Applications -> Accessories menu.
Go through the tutorial at https://www.veracrypt.fr/en/Beginner's Tutorial.html to set up an encrypted container. Practice mounting the encrypted volume and copying files to and from the encrypted drive.
Task 3
File encryption
An alternative for data at rest is to encrypt on a file-by-file basis. Using a tool such as GPG (or Gpg4win on Windows) adds another layer of security whereby our most sensitive files are encrypted and less sensitive files are not.
GPG will already be installed. If you want to use gpg at the command line, follow along with the tutorial at https://www.youtube.com/watch?v=I-4dcpTDWys.
For those who want a more user-friendly approach, GPA (the GNU Privacy Assistant, a GUI front end for GPG) needs to be installed:
$ sudo apt-get install gpa
Once installed, open GPA - Applications -> Accessories.
Generate a key - Keys -> New Key. You can also follow along with https://www.youtube.com/watch?v=GTyhB-DMwV0.
Create a text file using a text editor. Using GPA's menu icons, click on the folder icon to open GPA's file manager. Add a file using the folder icon in the file manager window. Select the file path and using the icons, encrypt the file.
Practice using GPA to encrypt and decrypt some files. Also, practice sending and receiving public keys and importing them into GPA with other people in the lab.
Task 4
1. File encryption with cloud storage.
When encrypting files for storage on cloud systems, you could of course encrypt them first using GPA and then upload them to your cloud service. A more convenient way is to use a dedicated application that encrypts all files locally before they are synchronised to the cloud. In this way, everything stored in the cloud is ciphertext, so if that account is compromised the attacker gets nothing readable.
To achieve this, we can use an application such as encfs. Please note that in this lab we will use local directories to demonstrate the principle; in reality, you would point the encrypted folder at your cloud service's sync directory, such as your OneDrive folder. Be aware that encfs's design has known weaknesses (its 2014 security audit found that an attacker who can observe several versions of the encrypted files over time, which is exactly what a cloud provider can do, may be able to recover information), so for real use prefer a tool designed for cloud storage such as Cryptomator, mentioned below.
Install encfs:
$ sudo apt-get install encfs
Create two directories in your home folder:
$ mkdir -p ~/encrypted
$ mkdir -p ~/decrypted
Mount the encrypted directory onto the plaintext view (encfs stores the ciphertext in the first directory and shows the decrypted files in the second):
$ encfs ~/encrypted ~/decrypted
On first use, it will ask you to configure the encrypted directory. Follow the instructions in the Terminal and use standard mode for ease of use.
In the system file manager, drag and drop files to your decrypted folder and you will see the encrypted versions appear in encrypted folder (you may have to create some text files).
See the tutorial at https://www.howtoforge.com/tutorial/encrypt-your-data-with-encfs-on-ubuntu/. Although this is from a previous version of Ubuntu, it does explain encfs well.
You can automatically mount the encfs drives by installing gnome-encfs-manager.
$ sudo add-apt-repository ppa:gencfsm
$ sudo apt update
$ sudo apt install gnome-encfs-manager
An alternative approach is to use a tool such as Cryptomator, which works in a similar way to VeraCrypt but is designed for cloud sync folders. For details of Cryptomator see https://cryptomator.org.
Task 5
In transit encryption.
A useful way of protecting your data in transit is a Virtual Private Network (VPN). There are many VPN services available, usually at a price. However, a VPN only protects the traffic between you and the VPN provider: we don't know how our data is handled as it passes through the VPN service's servers, so end-to-end protection such as HTTPS is still needed. There are a number of alternatives, from Web services to creating your own VPN server on your home network (see further work).
1. Using a free VPN Web-based service.
One quick and easy way to use a VPN is to use a free Web-based service. ProtonVPN offers a free plan which will offer access to servers in 3 countries.
Go to https://protonvpn.com and sign up for a free account. Follow the instructions from the Web site on using the VPN service.
You can also install ProtonVPN on your host machine.
2. Using a VPN application.
An advantage of using a dedicated application is that you have more control over the servers to which you connect. One such application is OpenVPN, which uses configuration profiles (.ovpn files) to connect to specific VPN servers over ports of your choice.
Ensure that openvpn is installed:
$ openvpn --version
If it has not been installed by default on your VM:
$ sudo apt-get install openvpn
We now need some configuration files to use with OpenVPN. Go to https://www.vpngate.net. This is an academic project that publishes VPN servers run by volunteers around the world. Scroll down the page and download a couple of OpenVPN configuration files. Two warnings: not all files will work, because the servers may be overloaded, so you may need to try a few before you get a connection; and the operator of a volunteer server can see all unencrypted traffic you send through it, so treat these servers as untrusted. Also read a downloaded profile before running it, since OpenVPN is started with sudo and a profile can contain directives (such as up or script-security) that run commands on your machine.
Before you start, identify your public IP address (just Google "what's my IP").
Open up your downloads folder (or wherever you have downloaded the configuration files). In your Terminal:
$ sudo openvpn --config <filename>
For the filename, either type the path to your openvpn file or click and drag the file from the downloads folder to the Terminal where it will insert the path and filename. Hit enter and it will confirm a connection with the VPN server (or not).
Once you have a connection, again google your IP address (you may have to refresh the page) to confirm that you are now connected to the VPN.
To end the connection, press Ctrl+C in the Terminal and the tunnel will be torn down. Again, Google your IP address to confirm that you are disconnected from the VPN server.
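Because `sudo openvpn --config` hands root to whatever the profile says, it pays to look inside a downloaded .ovpn file first. The script below is an added example written for this sheet (it is not part of OpenVPN or VPN Gate): in POSIX shell it lists the servers a profile will connect to, with OpenVPN's defaults of port 1194 and UDP filled in where the remote line omits them, and flags directives that execute commands, weaken the transport or leave the server's certificate unchecked. The profile it inspects is constructed here.

```sh
#!/bin/sh
# Added example (not part of the lab sheet): inspect a .ovpn profile before
# running it with sudo. Assumes a standard OpenVPN client profile; the sample
# below is constructed, not a real VPN Gate download.

# Print "host port proto" for each remote; OpenVPN defaults are 1194 and udp.
ovpn_remotes() {
    awk '$1 == "remote" { printf "%s %s %s\n", $2, ($3 ? $3 : "1194"), ($4 ? $4 : "udp") }' "$1"
}

# One line per finding: directives that run commands as root, weak crypto,
# or no check that the peer really is a server certificate.
ovpn_risky_directives() {
    awk '
        $1 ~ /^(up|down|route-up|route-pre-down|ipchange|client-connect|learn-address|tls-verify|auth-user-pass-verify)$/ {
            print "runs-command: " $0 }
        $1 == "script-security" && $2 >= 2 { print "script-security: " $0 }
        $1 == "cipher" && $2 ~ /^(none|BF-CBC|DES|RC2|RC4)/ { print "weak-cipher: " $0 }
        $1 == "auth" && $2 == "none" { print "no-hmac: " $0 }
        $1 == "remote-cert-tls" || $1 == "verify-x509-name" { pinned++ }
        END { if (!pinned) print "missing: remote-cert-tls / verify-x509-name (server certificate role not checked)" }
    ' "$1"
}

# Constructed profile: two remotes, one of them relying on defaults, plus an
# up-script that would run as root when the tunnel comes up.
PROFILE=$(mktemp)
cat > "$PROFILE" <<'EOF'
client
dev tun
proto tcp
remote 203.0.113.10 443 tcp
remote 203.0.113.11
cipher AES-128-CBC
auth SHA1
script-security 2
up /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
EOF

echo "remotes:";  ovpn_remotes "$PROFILE"
echo "findings:"; ovpn_risky_directives "$PROFILE"
```

A profile that needs script-security 2 and an up script is not automatically malicious (DNS helper scripts are common), but you should be able to say what the script does before you run the profile as root. The missing remote-cert-tls finding means a compromised client certificate from the same CA could impersonate the server.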
Further Work (Optional)
1. Cryptomator is multi-OS application (mentioned in Task 4) for encrypting files in your cloud services. Download and install cryptomator on your host machine to use with your cloud service of choice.
2. Consider setting up your own VPN server for personal use when on insecure public networks. Two principal ways of achieving this are a Raspberry Pi on your home network or a VPN server on Amazon AWS; both can be run at no cost (the AWS option within the free tier). Both make use of OpenVPN.
For the Pi option - https://dzone.com/articles/how-to-setup-an-openvpn-server-on-a-raspberry-pi
For the AWS option - https://aws.amazon.com/blogs/awsmarketplace/setting-up-openvpn-access-server-in-amazon-vpc/
Lab 3 Identifying network risks
Aim of lab 3
The aim of this lab is to understand the tools and techniques that could be used to further explore and provide insights into your organisation's systems during a security assessment. As part of this process, you will gather and analyse a wide range of data to identify system weaknesses, building on what you discovered during your OSInt activities. As with that phase, you will perform both passive and active network and data analysis to fully understand your organisation's systems. Undertaking these activities will enable you to understand the countermeasures that need to be put in place to prevent malicious actors from gaining a foothold on your networked systems.
For this lab, use your Ubuntu Mate 20.04 VM and the OWASP BWA server.
Task 1
1. Download Wireshark, Etherape and some data to import.
You should have installed Wireshark on your Ubuntu Mate 20.04 VM in the first lab, but if you didn't, open a Terminal:
$ sudo apt install wireshark
Next install Etherape. This is a great tool for visualising network traffic either live or that has been captured for analysis at a later time.
$ sudo apt install etherape
We also need some data to import into both applications. We'll use a botnet data set captured by the Czech Technical University (CTU-13), as it is well documented and contains labelled malicious traffic. Go to their Web page, https://www.stratosphereips.org/datasets-ctu13, and download the pcap file for scenario 48 (botnet-48, Sogou; about 18 MB).
2. Use Etherape to visualise live traffic.
Etherape is a great tool for identifying network nodes, for example, the exchange of data between Web server front ends and cloud servers where data is stored.
You will need to open Etherape as sudo to read traffic from the network cards, so in the Terminal:
$ sudo etherape
Open up a Web browser and Etherape should start visualising network traffic. Spend some time exploring Etherapes menus and functionality.
To see how much data some sites exchange when you access them, go to google and search for the BBC and then access the BBC site through the browser; the larger the connection between nodes, the more data being exchanged. Also, note other servers active in the exchange of data.
Next go to Amazon or Netflix and compare the amount of traffic that is exchanged. Spend some time going to various sites that you use regularly to view the nodes in their data exchanges.
3. Use Wireshark and Etherape to analyse a pcap file.
Wireshark is a great tool for analysing network traffic, especially if you have captured some exchanges with your target to view later.
As with Etherape, you will need to open it as sudo, so in another Terminal:
$ sudo wireshark
Capture some traffic (Capture -> Start) and explore some of the traffic that is being recorded. You will need to open a browser and go to some sites to generate traffic.
In particular, look for details about your system that could be logged by your target system that could be used to identify you and the software that you are using. In addition, think about what you could do to mitigate that data being logged.
Next we are going to visualise the botnet file that you have downloaded. In Etherape, File -> Open and navigate to the downloaded file and open to run the network capture. Identify the key network nodes during the attack.
Open the botnet file in Wireshark (File -> Open). Explore the contents of the file. In particular, have a look at the traffic using some of the menu functionalities, such as following TCP streams or statistical analysis of the file. Note down any packets of interest and further identify key features of those packets that may be used to identify machines, such as IP addresses, OS used, etc. and that could be used during a security assessment.
Task 2
For the next couple of tasks, we will be sending scan traffic over our lab network, so you will need to start up your OWASP BWA server. You could also try these exercises against your Metasploitable server. Only ever scan systems you own or have written permission to test.
1. Set up and use masscan.
Masscan is an Internet-scale port scanner: it performs scans similar to nmap's SYN scan, but asynchronously and at a much higher rate. It is useful for sweeping large IP ranges as it can send up to 25 million packets per second on suitable hardware, and its authors estimate it can scan the whole Internet in about 6 minutes. For large IP address ranges, it is a great tool to identify which hosts are live and which ports are open.
Install masscan on your Ubuntu 20.04 VM.
$ sudo apt install masscan
Check that masscan is working:
$ sudo masscan <server-IP> -p22
Replace the server-IP with the OWASP BWA server IP and port 22 (-p22) is OpenSSH.
This command will initiate a SYN Stealth Scan on the server. Masscan is not really used for a single port scan and so may produce very little information. The main point of the above command is to test that masscan is installed and running correctly.
Go through the masscan tutorial by Daniel Miessler (https://danielmiessler.com/study/masscan/) to hone your skills with this tool.
Task 3
1. Set up and use nmap.
You may have used nmap quite extensively in previous modules so this is just a refresher exercise. In lab 1, you should have installed nmap. If you didn't do this, then install nmap onto your VM. Use your OWASP BWA server as the target of the scans. If you are unsure of what a scan is testing, research the scan on the Internet.
2. Basic nmap commands.
Note some of the scans may require sudo-level access, so if a scan does not work, try again with sudo.
Basic scan:
$ nmap 30.30.0.50
Scan a range of IPs:
$ nmap 30.30.0.1-50
Scan a subnet:
$ nmap 30.30.0.1/24
Exclude a target:
$ nmap 30.30.0.0/24 --exclude 30.30.0.50
Perform an aggressive scan (note - this is easily detected):
$ nmap 30.30.0.50 -A
Host discovery through a list scan. This only performs reverse-DNS lookups of the target addresses and sends nothing to the hosts themselves, so it lists names without touching the target network (it tells you nothing about whether a host is up):
$ nmap -sL 30.30.0.45-55
Host discovery through a ping scan. This is more intrusive, as probes are sent to every address (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request):
$ sudo nmap -sn 30.30.0.45-55
TCP SYN ping, mainly used for Web servers as it defaults to port 80. To probe other ports add the port number directly after the option, e.g. -PS22:
$ sudo nmap -PS 30.30.0.45-55
TCP ACK ping, for networks that block ICMP echo (which an ingress firewall normally does):
$ sudo nmap -PA 30.30.0.45-55
ICMP timestamp ping, for networks that block ICMP echo but let timestamp requests through:
$ sudo nmap -PP 30.30.0.45-55
ICMP address-mask ping is another way round a block on ICMP echo:
$ sudo nmap -PM 30.30.0.50
ARP ping is the fastest and most reliable way to discover hosts on your own LAN, and host firewalls rarely block it. Because ARP does not cross routers it only works for targets on the same network segment (nmap uses it automatically for local targets when run as root):
$ sudo nmap -PR 30.30.0.50
Force reverse-DNS resolution for every target, even those that appear to be offline:
$ nmap -R 30.30.0.50
TCP SYN (half-open) scan to identify open ports; this is the default scan type when run as root:
$ sudo nmap -sS 30.30.0.50
TCP connect scan, the default (and only option) without root. It completes the three-way handshake, so the target's application logs will record the connection:
$ nmap -sT 30.30.0.50
UDP scan (slow, because an open UDP port usually gives no reply and nmap has to wait for each probe to time out):
$ sudo nmap -sU 30.30.0.50
TCP NULL scan. A packet with no TCP flags set should draw an RST from a closed port and nothing from an open one, and because it is neither a SYN nor part of an established connection it can slip past simple stateless packet filters. Windows and some other stacks answer RST to everything, so the results need checking:
$ sudo nmap -sN 30.30.0.50
TCP FIN scan works on the same principle as the NULL scan, using only the FIN flag:
$ sudo nmap -sF 30.30.0.50
XMAS scan (FIN, PSH and URG all set) works the same way, but the odd flag combination makes it very easy for an IDS to spot:
$ sudo nmap -sX 30.30.0.50
IP protocol scan, to show which IP protocols (TCP, UDP, ICMP, etc.) the target responds to:
$ sudo nmap -sO 30.30.0.50
SCTP COOKIE ECHO scan. Open SCTP ports silently drop a COOKIE ECHO chunk while closed ports answer with an ABORT, so it is quieter than an INIT scan, but a well-configured IDS can still detect it:
$ sudo nmap -sZ 30.30.0.50
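When these scans are run across a range, the interactive output quickly becomes unwieldy; nmap's grepable format (-oG) puts one host per line and is the easiest to post-process from a shell. The script below is an added example for this sheet (it is not part of nmap): it reduces a .gnmap file to one "host port/proto service" line per open port and counts the hosts that expose anything. It assumes output such as `sudo nmap -sS -p- -oG scan.gnmap 30.30.0.0/24` and works on a constructed sample, not a scan of the lab network.

```sh
#!/bin/sh
# Added example (not from the lab sheet): summarise an nmap grepable-output
# file (-oG) into "host port/proto service" lines. The sample below is
# constructed in that format; it is not a real scan result.

# Print one line per open port across all hosts in a .gnmap file.
gnmap_open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2
            sub(/.*Ports: /, "")                 # keep only the port list
            sub(/[ \t]*Ignored State:.*/, "")    # drop the trailing summary
            n = split($0, ports, /, /)
            for (i = 1; i <= n; i++) {
                # entry layout: port/state/proto/owner/service/rpc/version/
                split(ports[i], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s\n", ip, f[1], f[3], (f[5] != "" ? f[5] : "-")
            }
        }
    ' "$1"
}

# Number of distinct hosts that expose at least one open port.
gnmap_hosts_with_open_ports() {
    gnmap_open_ports "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample in grepable format (tabs separate the sections).
SCAN=$(mktemp)
{
    printf '# Nmap 7.80 scan initiated as: nmap -sS -oG - 30.30.0.45-55\n'
    printf 'Host: 30.30.0.45 ()\tStatus: Up\n'
    printf 'Host: 30.30.0.45 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\tIgnored State: filtered (65533)\n'
    printf 'Host: 30.30.0.50 ()\tStatus: Up\n'
    printf 'Host: 30.30.0.50 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
} > "$SCAN"

gnmap_open_ports "$SCAN"
printf 'hosts with open ports: %s\n' "$(gnmap_hosts_with_open_ports "$SCAN")"
```

Filtered ports (no reply at all) are deliberately left out of the list; they usually indicate a firewall rule rather than a listening service, and are worth a separate note in the report.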
3. Using nmap scripts.
Nmap is not just a port scanner. Through the Nmap Scripting Engine (NSE) it can do version detection beyond the basic probes, brute forcing, vulnerability checking and, with some scripts, exploitation. NSE scripts are written in Lua and are run with the following syntax:
$ nmap --script <scriptname> <host ip>
Scripts are grouped into categories, and passing a category name runs every script in it. The default category (also selected by -sC) runs a set of quick, mostly safe checks that expose information such as the SMB workgroup and NetBIOS names, FTP bounce and anonymous-login checks, SSH host keys, DNS recursion, clock skew, HTTP methods, rpcinfo, VNC info and SSL certificate details:
$ nmap --script default 30.30.0.50
The external category contains scripts that query third-party services about the target: DNS lookups, HTTP cross-domain policy, XSSed database searches, CVSS lookups for known vulnerabilities, Tor node checks, SMTP open-relay tests, Shodan searches, geolocation of the IP address, etc. Be aware that this sends your target's details to those services, which is not acceptable in every engagement:
$ nmap --script external 30.30.0.50
The safe category holds less intrusive scripts that are unlikely to crash services or make much noise. They cover DNS enumeration, DHCP discovery, DNS recursion, HTTP index pages, software version fingerprinting, HTTP TRACE, IP forwarding checks, IRC info, NFS mount listings, etc.:
$ nmap --script safe 30.30.0.50
The vuln category checks the host for some of the most common known vulnerabilities, including HTTP Slowloris, the Apache Range header DoS, FTP bounce, anonymous logins, XSS, Shellshock, SQL injection, CVE-2010-2861 (ColdFusion directory traversal), CVE-2011-3368 (Apache mod_proxy reverse proxy bypass), etc. These scripts are intrusive and some can disrupt the service being tested:
$ nmap --script vuln 30.30.0.50
The auth category checks authentication mechanisms: AJP login checks, user enumeration, X11 server access, SSH authentication methods, VNC login bypass, MySQL users and hashes, WordPress user enumeration, default-credential checks, etc. (password guessing itself lives in the separate brute category):
$ nmap --script auth 30.30.0.50
Note - There are a wide range of other scripts available to use in nmap. Navigate to /usr/share/nmap/scripts to identify which are available on your Ubuntu 20.04 Mate VM. Practice using some scripts that you think are appropriate to test your OWASP BWA server.
Task 4
1. Download and install Sparta.
Sparta is a great network scanning tool as it incorporates nmap scans as well as a range of other tools including hydra. It will also test for common default passwords.
Install its dependencies (Sparta is a Python 3 / PyQt5 application that drives nmap, hydra, nikto and a number of enumeration tools):
$ sudo apt install python3-sqlalchemy python3-pyqt5 wkhtmltopdf hydra ldap-utils rwho rsh-client x11-apps finger nikto
Download Sparta into /usr/share:
$ cd /usr/share/
$ sudo git clone https://github.com/secforce/sparta.git
Make the launcher available on your PATH. Sparta's entry point is sparta.py inside the cloned directory; link that file rather than moving the whole directory into /usr/bin, which would leave nothing executable to run:
$ sudo chmod +x /usr/share/sparta/sparta.py
$ sudo ln -s /usr/share/sparta/sparta.py /usr/local/bin/sparta
2. Run a Sparta scan.
Launch Sparta. It needs root because it runs nmap SYN scans and other raw-socket tools:
$ sudo sparta
If that does not open Sparta (for example because the script's interpreter line does not point at python3 on your system), run it directly with the interpreter:
$ cd /usr/share/sparta
$ sudo python3 sparta.py
Once Sparta has launched, use your OWASP BWA server as a target and run a scan to see what services are open.
Go through the Sparta tutorial at https://null-byte.wonderhowto.com/how-to/discover-attack-services-web-apps-networks-with-sparta-0167255/.
Task 5
CyberChef is a free tool provided by GCHQ that you may use locally or online to convert, parse or carry out well over 100 different operations on network data. It is provided either as an online service through a Web page or it can be downloaded to be used offline. We'll be using the online version for this lab.
Bear in mind that this is an incredibly powerful tool for network data analysis. The purpose of this lab is to familiarise you with how the tool works and to see its potential in security assessments. You are strongly encouraged to go through other tutorials on using CyberChef.
1. CyberChef simple data conversion.
To access the tool, go to https://gchq.github.io/CyberChef/.
There are three columns from left to right: Operations, Recipe, and Input/Output. Operations are the options available to apply to your data; Recipe is where you place the operations you wish to apply, in order; and Input/Output is self-explanatory.
Type in some text that we want to convert to hex in the Input section. Click and drag the To Hex into the Recipe section and it will convert what you typed to hexadecimal format.
Select the output and copy it. Place this in the input section and drag the From Hex operation to the Recipe section to convert the data back to text.
2. Use CyberChef to convert Unix Time Stamps to readable format.
Make sure that you have unticked Auto Bake.
Input the following Unix time stamps:
978346800
1012651200
1046696400
1081087200
1115305200
1149609600
For the Recipe, add a Fork and set the Split and Merge delimiters to \n (a newline; this should be the default), so that each line is processed separately.
In Operations, go down to Date / Time and select From UNIX Timestamp. Press Bake to convert the times.
3. Use CyberChef to decrypt an AES encrypted message.
This recipe will perform AES decryption, extracting the IV from the beginning of the cipher stream.
Copy the following encrypted message into the Input field:
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
Load in the Register from Operations to the Recipe (you may need to use the search function to find the operation) and use the following expression:
Extractor: (.{32})
Leave as case insensitive.
Add Drop Bytes to the Recipe. Start at 0 and Length is 32.
Now add AES Decrypt to the Recipe. Add the following key:
1748e7179bd56570d51fa4ba287cc3e5
For the IV, set to $R0 and set mode to CTR. The other settings leave as their default.
The decrypted message will display in the Output field.
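The recipe is worth understanding outside CyberChef, because the "IV prefixed to the ciphertext" layout is how many applications store AES-CTR data. The script below is an added example for this sheet (not CyberChef's or the lab's code): using openssl, it performs the same three steps, taking the first 32 hex characters (16 bytes) as the IV, dropping them, and decrypting the remainder with AES-128-CTR under the key given above. It assumes openssl is installed. The lab's ciphertext is not reproduced here; instead the script constructs its own test vector by encrypting a known message under the same key, so it runs offline.

```sh
#!/bin/sh
# Added example (not part of the lab): the CyberChef recipe above, redone with
# openssl so each step is explicit. Register (.{32}) -> the first 32 hex chars
# are the IV; Drop bytes 0..32 -> the rest is ciphertext; AES Decrypt, CTR mode,
# with the lab key. Assumes openssl is installed. The message and IV below are
# constructed for this example.

KEY=1748e7179bd56570d51fa4ba287cc3e5    # 16 bytes of hex -> AES-128

# hex -> raw bytes, via octal escapes so it works with any POSIX printf
hex_to_bin() {
    printf "$(printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { h = "0123456789abcdef" }
        {
            s = tolower($0)
            for (i = 1; i < length(s); i += 2)
                printf "\\%03o", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1
        }')"
}

# raw bytes on stdin -> lowercase hex
bin_to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Decrypt a hex string laid out as IV || ciphertext, exactly as the recipe does.
decrypt_iv_prefixed() {
    hexdata=$1 key=$2
    iv=$(printf '%s' "$hexdata" | cut -c1-32)      # Register: first 32 hex chars
    body=$(printf '%s' "$hexdata" | cut -c33-)     # Drop bytes: everything after them
    hex_to_bin "$body" | openssl enc -d -aes-128-ctr -K "$key" -iv "$iv"
}

# Build a constructed test vector: encrypt under the same key, prefix the IV.
IV=000102030405060708090a0b0c0d0e0f
MESSAGE='The CTR recipe needs the IV, not a salt.'
CIPHERTEXT_HEX="$IV$(printf '%s' "$MESSAGE" | openssl enc -aes-128-ctr -K "$KEY" -iv "$IV" | bin_to_hex)"

printf 'input : %s\n' "$CIPHERTEXT_HEX"
printf 'output: %s\n' "$(decrypt_iv_prefixed "$CIPHERTEXT_HEX" "$KEY")"
```

Two properties of CTR mode show up here and are worth remembering when you assess an application that uses it: there is no padding, so the ciphertext is exactly as long as the message, and there is no integrity check, so decrypting with the wrong key (or a tampered ciphertext) silently yields garbage rather than an error. Reusing an IV under the same key leaks the XOR of the two plaintexts.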
Further Work (Optional)
1. A great source of pcap files of recent attacks to analyse is available from https://www.activecountermeasures.com/category/malware-of-the-day/. Not only are the pcap files available to download but there is some excellent analysis of each incident provided. Select an attack of the day to download the pcap file and then visualise it in Etherape. Follow along with the analysis by opening it in wireshark.
2. Wireshark is a powerful tool in security auditing and incident response, and it can do much more than capture packets on a network. Go through the tutorials provided by Brad Duncan at Palo Alto Networks, starting with https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/.
3. As discussed above, CyberChef is an incredibly powerful tool for the analysis of a wide range of data and Internet transactions. Continue exploring the capabilities offered by this tool by going through some examples at https://github.com/mattnotmax/cyberchef-recipes and explore ways in which you could incorporate it into your security audits and incident response activities. Look particularly at the network functions.
Lab 2 Exploring the digital landscape
Aim of lab 2
The aim of this lab is to understand the tools and techniques that could be used to explore your organisation's online presence and provide insights into potential system vulnerabilities that could be exploited. The nature of the digital landscape means that your targets will leave large footprints of data across multiple sources. As part of the security effort, you will gather and analyse a wide range of data to identify system weaknesses. This involves both passive and active data collection. Passive data collection does not interact with your organisation's systems, so it is hard for them to detect your activities. Active data collection will leave footprints on your organisation's systems, and part of your assessment activities is to see whether these can be detected. We will use a variety of tools and techniques in this lab, both active and passive, to map the digital landscape for a security assessment.
For this lab, use your Ubuntu Mate 20.04 VM. Bookmark any useful links and install tools that will be of benefit to your security toolkit.
Task 1
1. Web server tools.
The target for the Web tools in this lab is shu.ac.uk.
Go to a DNS tools service such as tools.dnsstuff.com, en.dnstools.ch, etc. or your site of choice and search on the target.
What information does it return (especially about servers)? Whois information? IP addresses? etc.
Use Google images and search on 'cantor building sheffield'.
What images, particularly IT equipment can you see?
Google facebook sir chris husbands sheffield hallam
What activities has the VC been involved with lately?
Google twitter sir chris husbands sheffield hallam
What activities are being tweeted lately?
2. Web-based meta-tools.
Explore the tools at https://www.toddington.com/resources/.
Think about and search on SHU key people and locations. What information can you find? Are there key social media accounts that could be analysed or mapped?
Toddington have a number of tutorials available on YouTube (link on the main page of their site). Explore what topics are available and go through some of the tutorials to help with your OSInt skills.
An alternative large online resource of OSInt tools is available at https://start.me/p/rx6Qj8/nixintel-s-osint-resource-list. Go to this Web site and explore some of the tools and think how you could use these during a security assessment. There are also some blogs on different aspects of OSInt at https://nixintel.info/tag/osint-tools/. This provides a little more information on the use of OSInt tools compared to the toddington site.
For both of these sites, bookmark or download any useful tool that you think may add to a security assessment.
Task 2
1. Google Hacking.
Go to the exploit database (https://www.exploit-db.com/) and click on the Google Hacking Database link (GHDB link in the menu on the left).
Copy and paste some of these into a google search bar and explore the results. Explore some of the categories available to see what information they return. How could these techniques be employed during a pen test?
Task 3
1. DNS Zone Transfers.
DNS zone transfers are an example of active reconnaissance: the AXFR request is made directly to the target's name server and can be logged there. A name server that answers AXFR requests from arbitrary clients is itself a misconfiguration worth reporting, as it hands over every record in the zone.
For this exercise, we will use the zonetransfer.me Web site as a target. This Web site is run by a professional pen tester who uses it for training.
Enter the following in a Terminal.
$ dig axfr @nsztm1.digi.ninja zonetransfer.me
nsztm1.digi.ninja is one of the zone's authoritative name servers, which we would have picked up from an NS lookup during other reconnaissance activities.
Explore the results. What information could be used to further develop a security assessment against this target?
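A full zone can run to hundreds of records, so it helps to triage dig's output rather than read it top to bottom. The script below is an added example for this sheet (it is not part of dig or zonetransfer.me): in POSIX shell it pulls out A records pointing at private RFC 1918 addresses, collects the TXT, SRV and HINFO records that usually carry human-readable hints, and produces the list of distinct hostnames for later scanning. It assumes dig's default one-record-per-line layout (name, TTL, class, type, rdata) and runs against a constructed zone using reserved example names and addresses, not the real zonetransfer.me data.

```sh
#!/bin/sh
# Added example (not from the lab sheet): triage the text that
# `dig axfr @<ns> <zone>` prints. Assumes dig's default output layout
# (name ttl class type rdata, one record per line, comments starting with ';').
# The zone below is constructed from RFC 2606/5737/1918 names and addresses.

# A records that resolve to RFC 1918 space: internal addressing leaked in a public zone.
axfr_private_a_records() {
    awk '$3 == "IN" && $4 == "A" &&
         ($5 ~ /^10\./ || $5 ~ /^192\.168\./ || $5 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) { print $1, $5 }' "$1"
}

# Records whose data is usually prose or pointers to services: TXT, SRV, HINFO.
axfr_info_records() {
    awk '$3 == "IN" && ($4 == "TXT" || $4 == "SRV" || $4 == "HINFO") {
             print $1, $4, substr($0, index($0, $5)) }' "$1"
}

# Distinct owner names in the zone: the raw target list for later scanning.
axfr_hostnames() {
    awk '$1 !~ /^;/ && $3 == "IN" { print $1 }' "$1" | sort -u
}

# Constructed AXFR output (the SOA appears twice, as dig prints it).
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
; <<>> DiG 9.16.1-Ubuntu <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.		7200	IN	SOA	ns1.example.test. hostmaster.example.test. 2019100801 172800 900 1209600 3600
example.test.		300	IN	HINFO	"Constructed-HW" "Constructed-OS"
example.test.		301	IN	TXT	"google-site-verification=constructed-token"
_sip._tcp.example.test.	14000	IN	SRV	0 0 5060 www.example.test.
internal.example.test.	300	IN	A	10.20.30.40
vpn.example.test.	300	IN	A	172.31.4.2
www.example.test.	7200	IN	A	203.0.113.25
example.test.		7200	IN	SOA	ns1.example.test. hostmaster.example.test. 2019100801 172800 900 1209600 3600
;; Query time: 15 msec
;; XFR size: 8 records (messages 1, bytes 412)
EOF

echo "private addresses:"; axfr_private_a_records "$ZONE"
echo "informational records:"; axfr_info_records "$ZONE"
echo "hostnames:"; axfr_hostnames "$ZONE"
```

Private addresses in a public zone tell you the internal numbering plan before you have sent a single packet to it, and an HINFO or TXT record is often the fastest route to an operating-system or product hint; both feed directly into the next lab's scanning.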
Task 4
1. Install and run SpiderFoot.
SpiderFoot is an automated OSInt tool that collects and collates data about a target from a wide range of sources. It also enables data to be exported to different formats to enable further analysis, such as social network analysis (SNA).
Install the dependencies to download and install the software on your VM.
$ sudo apt-get install python3-pip git
Install any other new packages that are required by pip and git.
Download the latest SpiderFoot software to your VM and install the prerequisites:
$ git clone https://github.com/smicallef/spiderfoot.git
$ cd spiderfoot
$ pip3 install --user -r requirements.txt
This installs the latest development version of SpiderFoot together with its Python dependencies (installing with --user keeps the packages under your own account rather than running pip as root over the system Python).
To get SpiderFoot to run in a Web browser, ensure you are in the SpiderFoot directory in the Terminal and then run the following command:
$ sudo python3 sf.py -l 127.0.0.1:80
This will start the SpiderFoot server engine (the -l option gives the IP address and port to listen on). I have used the loopback address and port 80 so that the URL in your browser needs no port number; port 80 is the only reason for sudo here, and on any unprivileged port (5001 is SpiderFoot's usual default) it runs as your own user.
Copy the address from the Terminal (select the address in the Terminal and Edit -> Copy) and paste into the address line of your browser.
To start a scan against your target, click New Scan, give it a name, and set the scan target as zonetransfer.me. Select the Passive scan option and Run Scan Now.
A note about SpiderFoot: This is a very powerful tool as it performs a wide range of tests to gather information. However, as it is quite comprehensive, you will get a large amount of information returned and it takes some time to perform a scan. Therefore, you may want to consider how you run a SpiderFoot scan, for example, running from a dedicated machine, such as a dedicated raspberry pi.
2. Analyse the SpiderFoot results.
As the scan will take some time, I previously ran a scan and the results are available via Blackboard (SFResultsLab3.csv).
Download the results file and analyse its results. What information does it give you about the target Web site? Is all this information useful? What results would help you during a security assessment?
Further Work (Optional)
1. Gephi is a social network analysis tool that allows you to measure networks using graph theory. Download Gephi onto your host machine or VM (note: it is an easier install in Windows and requires a JRE to run). Run a SpiderFoot scan and download the resulting Gephi graph file. Load this file into Gephi. Alternatively, download SocNetFileLab3.net from Blackboard and open it in Gephi. To get the most out of this powerful tool, explore some of the layout functionality and, to identify key nodes in the network, run a betweenness centrality analysis. Which network nodes are highlighted as key in the flow of data around the network?
2. Maltego is a tool widely used in digital forensics that is also useful for security assessments. It is similar to Gephi in that it provides graphical link analysis, but it also offers real-time data mining and information gathering. It represents the information found as a node-based graph, making patterns and multiple-order connections between nodes easy to identify. It is particularly useful for social engineering in that it can link a work email address to personal addresses.
Download the Maltego Community Edition from https://www.maltego.com/maltego-community/ (registration is required) and practise using the tool.
3. A key technology particularly used in DevOps environments is GitHub. GitHub enables developers to store their code and collaborate with other developers. A wide range of companies use GitHub to host both private and public code. However, developers sometimes publish data that should not be made publicly available, which can lead to compromise of their organisation's systems.
There are a number of tools available to search for these potentially compromising secrets or keys, such as gitrob, trufflehog and git-secrets. Install these tools on your VM and explore their use by completing the following two tutorials:
https://medium.com/@pig.wig45/setting-up-gitrob-and-using-it-to-find-leaking-repository-of-an-employee-in-a-hackerone-private-e4c40da1bc85
https://sweetcode.io/how-use-truffle-hog-git-secrets/
4. Develop your own dedicated OSInt VM. Follow the tutorial at https://nixintel.info/linux/build-your-own-custom-osint-machine-diy-buscador-part-1.
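To show what the secret-scanning tools in item 3 actually look for, here is an added example (not from the lab sheet, and not code from gitrob, trufflehog or git-secrets) that combines the two techniques they rely on: pattern matching for well-known credential formats and Shannon entropy for opaque tokens, run over a constructed configuration file in which every value is fake. The AWS access key ID format is publicly documented; the generic assignment pattern and the entropy threshold are assumptions chosen for this example.

```python
# Added example, not from the lab sheet nor from gitrob/trufflehog/git-secrets:
# a minimal secret scanner. SAMPLE_FILE is constructed; every value is fake.
import math
import re

# AKIA + 16 chars is the documented AWS access key ID format; the generic
# assignment pattern is an assumption made for this example.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Generic API key assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}"),
}
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidate opaque strings
ENTROPY_THRESHOLD = 4.0   # bits per character; random keys sit well above this

SAMPLE_FILE = """\
# config.py (constructed sample, every value here is fake)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "abcdefghijklmnopqrstuvwxyz012345"
DB_HOST = "db.internal.example"
session_cookie_name = "app_session_cookie_name_v2"
SIGNING_KEY = "k7Q2mPz9xL4vR8nB1tW6yH3cJ5fD0gS2aE4uN7iK9oM1"
"""


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_text(text, path="<constructed>"):
    """Return (path, line_no, reason, snippet) for each suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for reason, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((path, line_no, reason, line.strip()))
                break
        else:
            # No known format matched: fall back to entropy over long tokens,
            # which catches keys behind unexpected names such as SIGNING_KEY.
            for tok in TOKEN.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((path, line_no, "High-entropy string", tok))
                    break
    return findings


if __name__ == "__main__":
    # Point this at the files of a checked-out repository to scan your own code.
    for path, line_no, reason, snippet in scan_text(SAMPLE_FILE, "config.py"):
        print(f"{path}:{line_no}: {reason}: {snippet}")
```

The readable cookie name on line 6 is not flagged because its entropy stays below the threshold, while the random signing key on line 7 is caught by entropy alone even though no pattern knows the variable name.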
55-704272 Web-Based Applications and E-Commerce Security
Lab 1 Set up cyber security lab
Aim of lab 1
The aim of this lab is to set up the cyber security lab environment that we will be using throughout the module. To achieve this, we will be using VirtualBox, which is commonly used by security professionals for creating virtual machines (VMs). This provides a benign environment in which to conduct a wide range of cyber security tests. The instructions for the duration of the module will be written for this environment. However, if you are more familiar with VMware then you are welcome to use that application for the labs. Instructions for installing the cyber security lab in that environment are available on a separate lab sheet on Blackboard. You can use the lab machines or your own computers to go through the lab exercises.
During this lab, you will set up your security toolkit VM to be used throughout the module and connect it to two servers. You will also be introduced to Linux commands as we will be extensively using the command line throughout this module. We will be adding further VMs as and when we need them during the module as well as continuing to build the security toolkit itself.
A note on annotation used in the lab sheets:
Text in italics = software name
Word -> Word = Menu items.
$ Text in courier new font = command line instructions
Task 1
Download the following resources onto your laptop or desktop:
VirtualBox (https://www.virtualbox.org/wiki/Downloads - it should be in the repositories on Linux)
Ubuntu Mate 20.04 LTS (https://cdimage.ubuntu.com/ubuntu-mate/releases/20.04/release/) - download the 64-bit version
OWASP BWA Server (https://drive.google.com/file/d/1ea2BbYXo_Hfp82F3sTAzAnOyoHq--ZPZ/view?usp=sharing)
Metasploitable Server (https://drive.google.com/file/d/13AWKcLRPgVeR9nvtGUo6S7uSZVf5KIft/view?usp=sharing)
Install VirtualBox on your computer.
For this stage, you will need to ensure that your computer has virtualization enabled in the BIOS although most modern laptops and desktops will support this out of the box. You may need to refer to user manuals or advice online to do this as each computer has slightly different ways of accessing the BIOS.
Task 2
1. Set up the Ubuntu Mate 20.04 LTS image in VirtualBox.
Machine -> New
Work your way through the new machine set-up wizard. Give the new machine a name and ensure that the OS type is set to Linux and Ubuntu (64-bit). Allocate some RAM: assuming an 8 GB computer, it will default to 1024 MB, which will work, but give it a bit more, up to 3072 MB (as we will be running other devices alongside this one). Create a virtual hard disk using either VDI or VMDK, dynamically allocated. Set the HDD size to 40 GB dynamically allocated (or more if you have the space).
Settings -> System -> Processor
If you can, allocate more of your processor to the VM.
Network -> Adapter 1
Ensure that this adapter is enabled and is set to NAT.
Under Advanced, make a note of the MAC address.
Network -> Adapter 2
Enable adapter 2.
Attach it to the internal network.
Make a note of the MAC address
Save your changes to Settings.
Start the VM. You will need to select the Ubuntu Mate 20.04 LTS ISO file that you downloaded: click on the folder icon -> Add to select the ISO. Once the ISO is shown in the Start Up Disk screen, click Start to install.
When installing Ubuntu Mate, set it to normal installation and turn off downloads as we will configure networking in the next task. Follow the wizard to set up the VM.
A note on setting passwords for your VM: although this goes against all security advice, use a memorable, easy to type username and password, such as ubuntu and ubuntu. As the labs are every 2 weeks, students often forget their passwords and it will save you time setting up a new VM.
2. Set up the OWASP BWA server.
File -> Import Appliance
Navigate to where you saved the OWASP BWA VM and then import the VM.
NOTE: This has the username root and password owaspbwa.
3. Set up the Metasploitable server.
Follow the steps in Task 2.2 to import the Metasploitable server.
NOTE: This has the username msfadmin and password msfadmin.
Task 3
1. Set up networking on the Ubuntu Mate VM.
Start and log in to your Ubuntu Mate VM.
Determine which card is attached to which network.
Open up a Terminal window (Ctrl+Alt+T or Menu -> System -> MATE Terminal) and type:
$ ip a
This will bring up the IP addresses and MAC addresses of the two network cards. For me, the two network cards are enp0s3 (NAT) and enp0s8 (intnet).
For the network cards above:
Network icon -> Edit Connections
Select Wired Connection 1 -> Gear icon (Settings) to edit the connection.
Check whether it is enp0s3 or enp0s8. On my VM this connection is enp0s3.
Go to the IPv4 Settings and ensure that Automatic (DHCP) is selected.
Click Save.
Network icon -> Edit Connections
Select Wired Connection 2 -> Gear icon (Settings) to edit the connection.
On my VM this connection is enp0s8.
Go to the IPv4 Settings and select Manual in the Method list.
Select Add and type the address (30.30.0.1) and netmask (255.255.255.0). Leave the Gateway blank.
Click Save.
Restart your VM to configure your changes.
2. Set up networking on the OWASP BWA VM.
This server will only have one network interface, attached to the internal network (intnet). NEVER connect this VM to the Internet.
Start and log in to your OWASP BWA server.
Check the current network set up.
$ ifconfig
If it is not connected to the 30.30.0.0/24 network, it will need to be changed.
Edit the interfaces file.
$ nano /etc/network/interfaces
Under #The primary network interface line, reflect the configuration below.
auto eth0
iface eth0 inet static
address 30.30.0.10
netmask 255.255.255.0
network 30.30.0.0
broadcast 30.30.0.255
gateway 0.0.0.0
Ctrl+x, then y to save the file, then enter.
Restart the VM.
$ reboot now
3. Test the connectivity between your Ubuntu Mate VM and the OWASP BWA server.
In your Ubuntu Mate VM, open a Terminal.
$ ping 30.30.0.10
Ctrl+c to stop the ping test.
Check that there is a network connection between the two VMs. If there is no connection, you will need to look at your network settings by repeating the steps above.
Once you have a network connection between the two VMs, shutdown your OWASP BWA server.
$ shutdown now
4. Set up the Metasploitable server.
Repeat the steps in Task 3.2 and 3.3 for your Metasploitable server.
You will need to open the network configuration file with sudo.
$ sudo nano /etc/network/interfaces
Under #The primary network interface line, reflect the configuration below.
auto eth0
iface eth0 inet static
address 30.30.0.20
netmask 255.255.255.0
network 30.30.0.0
broadcast 30.30.0.255
gateway 0.0.0.0
Restart your VM.
$ sudo reboot now
Test the connectivity between your Ubuntu Mate VM and Metasploitable.
Once there is a connection, shut down your Metasploitable VM.
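The two stanzas above differ only in the address, and the network and broadcast lines follow from the address and netmask. As an added example (not part of the lab sheet), the Python below derives those values with the standard ipaddress module and checks that each lab server stays on the isolated 30.30.0.0/24 internal network with no gateway off it; the host addresses are the ones Task 3 assigns.

```python
# Added example, not from the lab sheet: derive the static ifupdown stanza the
# lab types into /etc/network/interfaces from an address and netmask, and check
# that a server stays on the isolated 30.30.0.0/24 internal network with no
# gateway off it. Host addresses are the ones the lab sheet assigns.
import ipaddress

LAB_NET = ipaddress.ip_network("30.30.0.0/24")
LAB_HOSTS = {          # name -> address from Task 3
    "ubuntu-mate": "30.30.0.1",
    "owaspbwa": "30.30.0.10",
    "metasploitable": "30.30.0.20",
}


def interfaces_stanza(address, netmask, iface="eth0", gateway="0.0.0.0"):
    """Render the stanza; network and broadcast are derived, not typed by hand."""
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    return "\n".join([
        f"auto {iface}",
        f"iface {iface} inet static",
        f"address {address}",
        f"netmask {net.netmask}",
        f"network {net.network_address}",
        f"broadcast {net.broadcast_address}",
        f"gateway {gateway}",
    ])


def check_isolation(address, netmask, gateway="0.0.0.0"):
    """Problems with one host's settings; [] means it matches the lab design."""
    problems = []
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    if iface.network != LAB_NET:
        problems.append(f"{address}/{netmask} is not on {LAB_NET}")
    if gateway not in ("", "0.0.0.0"):
        problems.append(f"gateway {gateway} would give the VM a route off the lab network")
    if iface.ip in (LAB_NET.network_address, LAB_NET.broadcast_address):
        problems.append(f"{address} is the network or broadcast address")
    return problems


def check_lab(hosts=LAB_HOSTS, netmask="255.255.255.0"):
    """Check every lab host individually and that no two share an address."""
    problems = []
    for name, address in hosts.items():
        problems += [f"{name}: {p}" for p in check_isolation(address, netmask)]
    seen = {}
    for name, address in hosts.items():
        if address in seen:
            problems.append(f"{name} duplicates {seen[address]} at {address}")
        seen[address] = name
    return problems


if __name__ == "__main__":
    print(interfaces_stanza("30.30.0.10", "255.255.255.0"))
    print("lab problems:", check_lab() or "none")
```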
Task 4
1. Personalise your Ubuntu Mate desktop.
Now that we have a basic cyber security lab set up, we need to spend some time personalising the desktop and installing some additional software. For example:
Settings Icon -> MATE Tweak
Have a play with some of the settings and particularly look at the Panel settings. If you are more familiar with Windows, try the Redmond layout. You can even download a theme to make the desktop look like your favourite Windows environment.
Add some applications to your desktop by selecting them from the menu and right-clicking to add a shortcut.
Change the themes or the desktop background.
This is the main tool that we will be using throughout the module so you need to be familiar with it and it needs to feel comfortable to use.
2. Install some software.
Prior to installing software onto our VM, we will need to ensure that it is patched and all existing software is up to date.
$ sudo apt-get update
$ sudo apt-get upgrade
update refreshes the package lists from your configured repositories, whilst upgrade installs the latest versions of the installed software. Technically, update is not needed (since Ubuntu 18.04) but it is good practice.
As this is a desktop straight out of the box, we will need to start adding our tools to develop our pen test toolkit. There are a number of ways that we can install software in this OS, and we will use two ways in this lab. We will look at other ways of installing software as the module progresses.
There is a wide range of tools in Ubuntu's repositories. We will install just a few useful tools here: nmap, wireshark, filezilla and putty. We can install them one at a time or all together.
In the Terminal:
$ sudo apt-get install nmap wireshark filezilla putty
Ubuntu 20.04 does not include Java by default, so we will have to install it. We will first find which versions are available in the repositories and then install OpenJDK 11.
$ apt search openjdk
$ sudo apt-get install openjdk-11-jdk
Check that it has installed correctly.
$ sudo java -version
Download Chrome from Google through your Web browser by choosing the 64-bit DEB file. Save it to your computer rather than letting the software centre open it automatically.
Go to the file in your Downloads directory and right click it -> Open with GDebi Installer. Follow the wizard to install Chrome.
Task 5
Practice using the CLI in Linux.
As mentioned in the introduction to this lab, we will be making extensive use of commands in the Terminal throughout this module. Indeed, servers do not have a GUI. Therefore, if you are unfamiliar with the power of the Linux Terminal and the command line interface (CLI) practice using commands by following the tutorials below (at a level that suits your experience with Linux).
Very basic tutorial - https://ubuntu.com/tutorials/command-line-for-beginners#1-overview
Medium level tutorial - https://www.freecodecamp.org/news/the-linux-commands-handbook/
A more advanced user tutorial - https://www.firewall.cx/linux-knowledgebase-tutorials/introduction-to-linux/298-linux-advanced-cmd.html
Further Work (Optional)
1. Install further VirtualBox features on your Ubuntu Mate VM by downloading the Guest Additions. Among other things, this will allow you to create a shared folder to copy files across from the host machine to the VM.
2. Expand your computer security lab to include the Metasploitable 3 VMs by applying what you have learned in this lab to install both the Windows and Linux servers. They install in a slightly different way to the VMs above due to system requirements. Guidance on installing these VMs in VirtualBox can be found at:
https://blog.rapid7.com/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3/
https://github.com/rapid7/metasploitable3
Once you build the images, you will need to add them to your network and test the connections. You only need one network connection per VM, connected to the internal network (intnet in the VM's settings). Do not make these VMs accessible to the Internet!
3. Download a VM from Vulnhub (https://www.vulnhub.com) and access it from your Ubuntu Mate VM. This resource has a wide range of available VMs which range in levels from easy to difficult. Choose a VM at a level that you are comfortable with.
Assignment Title: Securing a Cloud Server
1. Assessment Requirements
Network security aims to ensure the confidentiality, integrity and availability of interconnected systems and information. Due to the wide-ranging environments and platforms that are in use, and the lack of security awareness among many users, network security is a complex task. This has resulted in a high level of data loss or theft amongst business users, particularly in relation to information stored on Web and cloud servers. This assignment allows you to build your knowledge and understanding of the theoretical and practical issues in Web application security. In particular, you will demonstrate the threats to networked computers and the ways in which these threats may be mitigated by the deployment of appropriate security countermeasures. To pass the coursework you must critically evaluate the security of a networked system and then make recommendations that would enable a server to be safely deployed in a DevOps environment. You will then implement the technical recommendations related to the server's operating system and demonstrate that the desired level of security has been achieved. This assignment builds on experience gained in lecture and lab sessions, supported by your own research. This is an individual coursework.
Deliverables:
A report of up to 4000 words written in a style suitable for Managers and Directors. The report will detail your work for the assignment as well as the evaluation of security, recommendations to enhance security, implementation of those recommendations, and a demonstration that the desired level of security has been achieved that would enable DevOps deployment.
You are required to meet the normal academic conventions of structure where necessary, i.e. appropriate use of references.
You are recommended to use headings and sub-headings to provide structure to your report.
As necessary there will be a suitable title page with your name, table of contents, introduction, key findings, as well as the main chapters.
The submitted file to Blackboard should follow the naming convention of WAECS Report Surname, i.e. WAECS Report Smith.docx.
2. Assessment Scenario
With the interconnected nature of technology today, securing our networked systems and data against attack is a major concern for organisations. Security assessments of our data, computers, applications and networks enable us to put in place technical countermeasures to mitigate attacks against those systems.
SoftCorp, a company providing management services to other companies, wishes to make use of the advantages that a move towards a DevOps environment would provide their business. SoftCorp has identified a key server that they wish to deploy to the Internet; a cloud server used for storing and accessing files by SoftCorp employees.
In preparation for this deployment, SoftCorp have tasked you with assessing the security of the server. SoftCorp are interested in knowing whether their system is open to compromise and if sensitive information can be stolen. They therefore require you to evaluate the security of this key system prior to deployment. As this is an assessment of their security, SoftCorp would like your recommendations on how security could be improved should any issues be found and in light of their desire to move to a DevOps environment. You are then tasked with implementing the technical security recommendations on the server. Finally, you will demonstrate that the desired level of security has been achieved. Due to concerns over employee privacy, OSInt is out of scope of the security assessment.
You will be provided with a cloud server virtual machine with the IP address 30.30.0.100. The network administrator account for the server has the username admin and password password123. The cloud file server administrator login is admin and password.
Your report should not exceed 4000 words. Details of all your work on the assignment should be included in the report and supported by screenshots where applicable. You are encouraged to link any references in the practical elements of the assignment to relevant academic literature and industry standards. Particular care should be made to ensure that the report contains correct references to all cited work in an appropriate style, for example, the Harvard Referencing System. You should submit your report to Turnitin and the Blackboard submission point before the assignment deadline.
3. Further Information
The coursework involves a security assessment of a SoftCorp networked system. You will need to identify and utilise various tools and techniques to provide a complete assessment and remediation of the server's security.
The recommendations should take into account both the technical issues surrounding the server that you are assessing as well as addressing the environment to which it will be deployed.
You will write a report detailing your security assessment and details of how you secured the server ready for deployment. This work should be evidenced in the report.
The report should be aimed at management and director level and should be written in a professional manner.
The aim of the assignment is to provide a complete assessment of the security of the cloud server prior to deployment in a DevOps environment. If no results are found to any tests, that is still a result and should be discussed in the report.
4. Assessment Criteria
The breakdown of the assessment criteria is as follows:
Criteria                                                                          % of Total Mark
Evaluation of the cloud server's security                                          20%
Critical analysis and recommendations to secure the server for DevOps deployment   30%
Implementation of technical security recommendations                               40%
Demonstration of security                                                          10%