The tactics, techniques, methods and procedures in this repository were used during an authorized penetration test and were compiled into a written report.
This project was split into three phases to provide insight about how an attack may occur, how the incident response team analyzes the logs to discover the attack, and provide a report detailing the attack along with mitigation strategies.
The Red Team phase will cover:
- Network Discovery
- OSINT
- Brute Force Attacks
- Breaking encryption
- Researching vulnerabilities
- Creating and deploying exploits
The Blue Team phase will cover analyzing:
- Metricbeat log data for operating system metrics
- Filebeat Log data for folder and file data
- Packetbeat log data for network traffic
The reporting phase will provide a report summariazing the egagement and providing:
- The methods and tools used to exploit the vilnerabilities disovered
- The log data used to discover evidence of the attack
- Mitigation strategies for hardening the network from future attacks
This is a virtual network created within Microsoft Azure for educational purposes.
This virtual network is depicted below:
The main purpose of this network is to expose a web server to an penetration test and have the ELK machine capture log data for data analysis to gain visibility of the attack vectors. It should be noted that for this project all machines were located on the same subnet.
The configuration details of each machine may be found below.
| Name | Function | IP Address | Operating System |
|---|---|---|---|
| Kali | Attacker | 192.168.1.90 | Linux |
| Capstone | Target | 192.168.1.105 | Windows - Apache |
| ELK | Elk Stack | 192.168.1.100 | Windows |
The attacker machine used was a VM operating with 5.10.0-Kali7-amd64 The target machine used was a VM operating with Windows as an Apache web server. The Elk Stack machine was a VM operating Windows as an Elk Stack server.
The Capstone machine (apache server) was configured with Kibana and utilized the following log data capture agents:
- Metricbeat
- Filebeat
- Packetbeat
To gain a picture of the network landscape we first determined our ip address using the command line entry:
- IP addr provided an IP address of 192.168.1.90/24 as shown with this Screenshot
Nmap was used to perform a scan of the subnet using the command line entry:
- nmap -sX 192.168.1.0/24 as seen in this Screenshot
With the identification of a web server at 192.168.1.105, firefox was opened and an OSINT investigation found the following page with open sensitive data:
-
This page is viewable in this Screenshot
-
Upon entering the path to the "Secret Folder", we were provided a login page depicted in this Screenshot
A brute force attack was initiated against this page using the hydra tool, with the username "ashton" as discovered by OSINT. The hydra command was hydra -l ashton -P /usr/share/wordlists/rockyou.txt -f -vV http-get://192.168.1.105/company_folders/secret_folder.
- We discovered ashton's password as shown In this Capture
Upon entering the credentials and gaining access, we located the following page which provided the user name ryan.
- We broke the encryption using the website CrackStation and learned Ryan's password
We researched vulnerabilities with WebDav and discovered:
- CVE 2006-2849, which provides for remote file inclusion.
Using msfvenom, we created a PHP payload:
- A reverse_tcp connection to our kali machine.
We then logged into to the web server via WebDav:
The Blue Team analysis and the final report can be seen Here