- As the Red Team, I attacked a VM, discovering several critical vulnerabilities.
- As the Blue Team, I used Kibana to review logs taken during the Red Team Engagement.
- I used the logs to extract hard data and visualizations for the report.
- Then, I interpreted log data to suggest mitigation measures for each exploit.
Here is the PowerPoint Presentation of the Capstone.
The following machines live on the network:
Name | IP Address |
---|---|
Kali | 192.168.1.90 |
Target | 192.168.1.105 |
ELK | 192.168.1.100 |
Azure Hyper-V ML-RefVm-684427 | 192.168.1.1 |
While the web server suffers from several vulnerabilities, the three below are the most critical:
Vulnerability | Description | Impact | |
---|---|---|---|
1 | Sensitive Data Exposure OWASP Top 10 #3 Critical | The secret_folder is publicly accessible, but contains sensitive data intended only for authorized personnel. | The exposure compromises credentials that attackers can use to break into the web server. |
2 | Unauthorized File Upload Critical | Users are allowed to upload arbitrary files to the web server. | This vulnerability allows attackers to upload PHP scripts to the server. |
3 | Remote Code Execution via Command Injection OWASP Top 10 #1 Critical | Attackers can use PHP scripts to execute arbitrary shell commands. | Vulnerability allows attackers to open a reverse shell to the server. |
Additional vulnerabilities include:
Vulnerability | Description | Impact |
---|---|---|
Directory Indexing Vulnerability CWE-548 | Attacker can view and download content of a directory located on a vulnerable device. CWE-548 refers to an informational leak through directory listing. | The attacker can gain access to source code, or devise other exploits. The directory listing can compromise private or confidential data. |
Hashed Passwords | If a password is not salted it can be cracked via online tools such as www.crackstation.net/ or programs such as hashcat. | Once the password is cracked, and if a username is already known, a hacker can access system files. |
Weak usernames and passwords | Commonly used passwords such as simple words, and the lack of password complexity, such as the inclusion of symbols, numbers and capitals. | System access could be discovered by social engineering. https://thycotic.com/resources/password-strength-checker/ suggests that ‘Leopoldo’ could be cracked in 21 seconds by a computer. |
Port 80 Open with Public Access CVE-2019-6579 | Open and unsecured access to anyone attempting entry using Port 80. | Files and Folders are readily accessible. Sensitive (and secret) files and folders can be found. |
Ability to discover passwords by Brute Force CVE-2019-3746 | When an attacker uses numerous username and password combinations to access a device and/or system. | Easy system access by use of brute force with common password lists such as rockyou.txt by programs such as Hydra |
No authentication for sensitive data, e.g., secret_folder | ||
Plaintext protocols (HTTP and WebDAV) |
-
Explotation: Sensitive Data Exposure
-
Tools & Processes
nmap
to scan networkdirb
to map URLs- Browser to explore
-
Achievements
- The exploit revealed a
secret_folder
directory - This directory is password protected, but susceptible to brute-force
- The exploit revealed a
-
Exploitation
- The login prompt reveals that the user is
ashton
- This information is used to run a brute force attack and steal the data
- The login prompt reveals that the user is
-
-
Explotation: Sensitive Data Exposure
-
Tools & Processes
- Crack stolen credentials to connect via WebDAV
- Generate custom web shell with msfconsole
- Upload shell via WebDAV
-
Achievements
- Uploading a web shell allows us to execute arbitrary shell commands on the target
-
Aftermath
- Running arbitrary shell commands allows Meterpreter to open a full-fledged connection to the target
-
A considerable amount of data is available in the logs. Specifically, evidence of the following was obtained upon inspection:
- Traffic from attack VM to target, including unusually high volume of requests
- Access to sensitive data in the secret_folder directory
- Brute-force attack against the HTTP server
- POST request corresponding to upload of shell.php
Unusual Request Volume: Logs indicate an unusual number of requests and failed responses between the Kali VM and the target. Note that 401, 301, 200, 207, and 404 are the top responses.
HTTP Status Code | Count |
---|---|
401 | 15,981 |
301 | 2 |
200 | 952 |
207 | 12 |
404 | 6 |
Time: 11/09/2021 16:00-19:00 PM
In addition, note the connection spike in the Connections over time [Packetbeat Flows] ECS, as well as the spike in errors in the Errors vs successful transactions [Packetbeat] ECS
Access to Sensitive Data in secret_folder: On the dashboard you built, a look at your Top 10 HTTP requests [Packetbeat] ECS panel. In this example, this folder was requested 15,987 times.
HTTP Brute Force Attack: Searching for url.path: /company_folders/secret_folder/ shows conversations involving the sensitive data. Specifically, the results contain requests from the brute-forcing tool Hydra, identified under the user_agent.original section:
In addition, the logs contain evidence of a large number of requests for the sensitive data, of which only 2 were successful. This is a telltale signature of a brute-force attack.
- 15,987 HTTP requests to http://192.168.1.105/company_folders/secrets_folder
- 2 successful attempts (Code 301)
- 11/09/2021 16:00-19:00 PM
- Source IP: 192.168.1.105
WebDAV Connection & Upload of shell.php: The logs also indicate that an unauthorized actor was able to access protected data in the webdav directory. The passwd.dav file was requested via GET, and shell.php uploaded via POST.
-
Blocking the Port Scan
- The local firewall can be used to throttle incoming connections
- Firewall should be regularly patched to minimise new attacks
- ICMP traffic can be filtered
- An IP allowed list can be enabled
- Regularly run port scans to detect and audit any open ports
-
High Volume of Traffic from Single Endpoint
- Rate-limiting traffic from a specific IP address would reduce the web server's susceptibility to DoS conditions, as well as provide a hook against which to trigger alerts against suspiciously suspiciously fast series of requests that may be indicative of scanning.
-
Access to sensitive data in the secret_folder directory
- The secret_folder directory should be protected with stronger authentication.
- Data inside of secret_folder should be encrypted at rest.
- Filebeat should be configured to monitor access to the secret_folder directory and its contents.
- Access to secret_folder should be whitelisted, and access from IPs not on this whitelist, logged.
-
Brute-force attack against the HTTP server
- The fail2ban utility can be enabled to protect against brute force attacks.
- Create a policy that locks out accounts after 10 failed attempts
- Create a policy that increases password complexity (requirements)
- Enable MFA
-
POST request corresponding to upload of shell.php
- File uploads should require authentication.
- In addition, the server should implement an upload filter and forbid users from uploading files that may contain executable code.
Red Team | Blue Team |
---|---|
Accessed the system via HTTP Port 80 CVE-2019-6579 | Confirmed that a port scan occurred |
Found Root accessibility | Found requests for a hidden directory |
Found the occurrence of simplistic usernames and weak passwords | Found evidence of a brute force attack |
Brute forced passwords to gain system access CVE-2019-3746 | Found requests to access critical system folders and files |
Cracked a hashed password to gain system access and use a shell script | Identified a WebDAV vulnerability |
Identified Directory Indexing Vulnerability CWE-548 | Recommended alarms |
Recommended system hardening |
- Josh Black
- Laura Pratt
- Courtney Templeton
- Robbie Drescher
- Julian Baker