Learning by Practising - Hack & Detect - A Practical Guide to Hacking and its Detection via network forensics
Data_To_Exfil.zip
MS17_010 - exploit.pcap
MS17_010 - exploit.pcap.pcapng
Nik_in_Vegas.exe
README.md
SUWtHEh-XP.txt
SUWtHEh-XP.vbs
SUWtHEh.bat
SUWtHEh.txt
SUWtHEh_10.vbs
SUWtHEh_dns.vbs
SUWtHEh_ncat.vbs
Win10-TCP-Convs.txt
Win10-UDP-Convs.txt
Win10-UDP-DNS.txt
Win10_1-2.pcap
Win2k8-tcp-conv.txt
Win2k8_Stream_0.txt
WinXP-1152-9999-ascii.txt
WinXP-172.pcap
WinXP-4444-1820-tcp-conv.txt
WinXP-4444-1820.pcap
WinXP-445-conv.txt
WinXP-445.pcap
WinXP.pcap
WindowsXP.-Security-logscsv.csv
WindowsXP.-System-logscsv.csv
XP-90.bat
XP-Data.txt
XP-data.zip
access.log.SORTED
all_ports.txt
dns_enum_hosts.txt
dnscat2_results.txt
dnsrecon_output.txt
enum4Linux.txt
enum4linux_v.pcap
hydra_port_21.pcap
hydra_port_21.txt
hydra_port_22.pcap
hydra_port_22.txt
hydra_port_23.pcap
hydra_port_445.pcap
hydra_port_445.txt
index.html
metasploitable_9999_SUWtHEh.pcap
metasploitable_SUWtHEh.pcap.ORIG
metasploitable_Telnet_SUWTHEh.pcap
metasploitable_nc_stream0.txt
metasploitable_stream_0.txt
metasploitable_stream_10.txt
myPasswd.lst
nbtscan-v.pcap
nbtscan-v.txt
nbtscan.pcap
nbtscan.txt
nbtscan_d.txt
nmap_A_scan_tcp.txt
nmap_A_scan_udp.txt
nmap_host_scan_tcp.pcap
nmap_host_status.txt
nmap_ping_scan.pcap
nmap_script_smb_ms17-010.pcap
nmap_script_vuln_ms17-010.pcap
nmap_script_vuln_ms17-010.txt
nmap_smb_ms10-061.txt
nmap_smb_ms17-010.txt
nmap_smb_users.txt
nmap_sn.pcap
nmap_sort_tcp_len.txt
securitynik.lab.WHOIS
ssh-dst-102.txt
ssh-stream.txt
tcp.stream.3
test.txt
tshark-follow-port-389.txt
tshark-follow-stream-6522.txt
tshark-syn-ack-hosts.txt
userlist.txt
wget_index.pcap
x0001SUWtHEh-splunk.csv
x0002SUWtHEh-splunk.csv
x0003SUWtHEh-splunk.csv
x0004SUWtHEh-splunk.csv
x0005SUWtHEh-splunk.csv
x0006SUWtHEh-splunk.csv
x0007SUWtHEh-splunk.csv
x0008SUWtHEh-splunk.csv
x0009SUWtHEh-splunk.csv
x0010SUWtHEh-splunk.csv
x0011SUWtHEh-splunk.csv
x0012SUWtHEh-splunk.csv
x0013SUWtHEh-splunk.csv
x0014SUWtHEh-splunk.csv
x0015SUWtHEh-splunk.csv
x0016SUWtHEh-splunk.csv
x0017SUWtHEh-splunk.csv
x0018SUWtHEh-splunk.csv
x0019SUWtHEh-splunk.csv
x0020SUWtHEh-splunk.csv
x0021SUWtHEh-splunk.csv
x0022SUWtHEh-splunk.csv
x0023SUWtHEh-splunk.csv
x0024SUWtHEh-splunk.csv
x0025SUWtHEh-splunk.csv
x0026SUWtHEh-splunk.csv
x0027SUWtHEh-splunk.csv
x0028SUWtHEh-splunk.csv
x0029SUWtHEh-splunk.csv
x0030SUWtHEh-splunk.csv
x0031SUWtHEh-splunk.csv
x0032SUWtHEh-splunk.csv
x0033SUWtHEh-splunk.csv
x0034SUWtHEh-splunk.csv
x0035SUWtHEh-splunk.csv
x0036SUWtHEh-splunk.csv
x0037SUWtHEh-splunk.csv
x0038SUWtHEh-splunk.csv
x0039SUWtHEh-splunk.csv
x0040SUWtHEh-splunk.csv
x0041SUWtHEh-splunk.csv
x0042SUWtHEh-splunk.csv
x0043SUWtHEh-splunk.csv
x0044SUWtHEh-splunk.csv
x0045SUWtHEh-splunk.csv
x0046SUWtHEh-splunk.csv
x0047SUWtHEh-splunk.csv
x0048SUWtHEh-splunk.csv
x0049SUWtHEh-splunk.csv
x0050SUWtHEh-splunk.csv
x0051SUWtHEh-splunk.csv
x0052SUWtHEh-splunk.csv
x0053SUWtHEh-splunk.csv
x0054SUWtHEh-splunk.csv
x0055SUWtHEh-splunk.csv
x0056SUWtHEh-splunk.csv
x0057SUWtHEh-splunk.csv
x0058SUWtHEh-splunk.csv
x0059SUWtHEh-splunk.csv
x0060SUWtHEh-splunk.csv
x0061SUWtHEh-splunk.csv
x0062SUWtHEh-splunk.csv
x0063SUWtHEh-splunk.csv
x0064SUWtHEh-splunk.csv
x0065SUWtHEh-splunk.csv
x0066SUWtHEh-splunk.csv
x0067SUWtHEh-splunk.csv
x0068SUWtHEh-splunk.csv
x0069SUWtHEh-splunk.csv
x0070SUWtHEh-splunk.csv
x0071SUWtHEh-splunk.csv
x0072SUWtHEh-splunk.csv
x0073SUWtHEh-splunk.csv
x0074SUWtHEh-splunk.csv
x0075SUWtHEh-splunk.csv
x0076SUWtHEh-splunk.csv
x0077SUWtHEh-splunk.csv
x0078SUWtHEh-splunk.csv
x0079SUWtHEh-splunk.csv
x0080SUWtHEh-splunk.csv
x0081SUWtHEh-splunk.csv
x0082SUWtHEh-splunk.csv
x0083SUWtHEh-splunk.csv
x0084SUWtHEh-splunk.csv
x0085SUWtHEh-splunk.csv
x0086SUWtHEh-splunk.csv
x0087SUWtHEh-splunk.csv
x0088SUWtHEh-splunk.csv
x0089SUWtHEh-splunk.csv
x0090SUWtHEh-splunk.csv
x0091SUWtHEh-splunk.csv
x0092SUWtHEh-splunk.csv
x0093SUWtHEh-splunk.csv
x0094SUWtHEh-splunk.csv
x0095SUWtHEh-splunk.csv
x0096SUWtHEh-splunk.csv
x0097SUWtHEh-splunk.csv
x0098SUWtHEh-splunk.csv
x0099SUWtHEh-splunk.csv
x0100SUWtHEh-splunk.csv
x0101SUWtHEh-splunk.csv
x0102SUWtHEh-splunk.csv
x0103SUWtHEh-splunk.csv
x0104SUWtHEh-splunk.csv
x0105SUWtHEh-splunk.csv
x0106SUWtHEh-splunk.csv
x0107SUWtHEh-splunk.csv
x0108SUWtHEh-splunk.csv
x0109SUWtHEh-splunk.csv
x0110SUWtHEh-splunk.csv
x0111SUWtHEh-splunk.csv
x0112SUWtHEh-splunk.csv
x0113SUWtHEh-splunk.csv
x0114SUWtHEh-splunk.csv
x0115SUWtHEh-splunk.csv
x0116SUWtHEh-splunk.csv
x0117SUWtHEh-splunk.csv
x0118SUWtHEh-splunk.csv
x0119SUWtHEh-splunk.csv
x0120SUWtHEh-splunk.csv
x0121SUWtHEh-splunk.csv
x0122SUWtHEh-splunk.csv
x0123SUWtHEh-splunk.csv
x0124SUWtHEh-splunk.csv
x0125SUWtHEh-splunk.csv
x0126SUWtHEh-splunk.csv
x0127SUWtHEh-splunk.csv
x0128SUWtHEh-splunk.csv
x0129SUWtHEh-splunk.csv
x0130SUWtHEh-splunk.csv
x0131SUWtHEh-splunk.csv
x0132SUWtHEh-splunk.csv
x0133SUWtHEh-splunk.csv
x0134SUWtHEh-splunk.csv
x0135SUWtHEh-splunk.csv
x0136SUWtHEh-splunk.csv
x0137SUWtHEh-splunk.csv
x0138SUWtHEh-splunk.csv
x0139SUWtHEh-splunk.csv
x0140SUWtHEh-splunk.csv
x0141SUWtHEh-splunk.csv
x0142SUWtHEh-splunk.csv
x0143SUWtHEh-splunk.csv
x0144SUWtHEh-splunk.csv
x0145SUWtHEh-splunk.csv
x0146SUWtHEh-splunk.csv
x0147SUWtHEh-splunk.csv
x0148SUWtHEh-splunk.csv
x0149SUWtHEh-splunk.csv
x0150SUWtHEh-splunk.csv
x0151SUWtHEh-splunk.csv
x0152SUWtHEh-splunk.csv
x0153SUWtHEh-splunk.csv
x0154SUWtHEh-splunk.csv
x0155SUWtHEh-splunk.csv
x0156SUWtHEh-splunk.csv
x0157SUWtHEh-splunk.csv
x0158SUWtHEh-splunk.csv

README.md

SUWtHEh-

Learning By Practicing

Hack & Detect

A Practical Guide to Hacking and its Detection via network forensics

Nik Alleyne https://www.securitynik.com

Get the book on Amazon @ https://www.amazon.com/dp/1731254458

This site contains the files used for the analysis of SecurityNik Inc.'s compromise in the book Hack and Detect. These files represent all the packets, logs and other output files which were created as a result of executing the various commands. The original Splunk log file was over 3 GB, so I've split it into multiple 24 MB files. The numbering is sequential, so if you wish you can reinsert this data into Splunk or simply use your command line tools to analyze the event files one after the other.


The main idea behind this book is to leverage the Cyber Kill Chain to teach you how to hack and detect from a network forensics perspective. Therefore, there will be lots of packet and log analysis as we go along.

There are lots of books that teach you how to hack, so the main purpose of this book is not really hacking. However, the problem with many of those books is that they don't teach you how to detect your activities. This means you, the reader, have to go read another book in order to understand the traces of network evidence, indicators of compromise (IoC), events of interest (EoI) and the breadcrumbs which are left behind as part of your activities related to system compromise. Therefore, this book is truly meant to help you, the reader, detect sooner whenever someone compromises your network. Remember, it is not if you will be compromised but when. This statement assumes you have not already been compromised.

To ensure you enjoy this book, it is written as a story. While most technology-related books follow a how-to guide style, this one does not. However, the objectives remain the same. I believe tying the technical material in with a story will add more context, make the message clearer and the learning process easier.

An important note: as Neysa (Threat Actor) hacks, she plans to use the Lockheed Martin Cyber Kill Chain model as her framework. By leveraging the Cyber Kill Chain, she anticipates she can operate similarly to an advanced persistent threat (APT). Where possible, she will follow the model exactly as it is. However, where needed, she may deviate while still staying focused on achieving the actions and objectives identified by the Cyber Kill Chain.

For each of the attacks Neysa (Threat Actor) performs, where possible, Nakia (newly hired Cybersecurity Ninja) will leverage her Cybersecurity Ninja awesomeness to detect Neysa's actions.

More importantly, for each of the attacks that Nakia detects, she must provide answers to the who, what, when, where, why and how to Saadia, the owner of SecurityNik Inc. These are critical questions every incident handler must answer. Now, the reality is that in many cases you may not be able to tell "why" it happened, as you don't typically know your adversary's motive. However, Nakia will do her best to provide the necessary guidance, thus ensuring she gives Saadia actionable intelligence to decide on the way forward.

How will this book help you?

  • Understand the Cyber Kill Chain from a practical perspective. Fully hands on! No fluff!!
  • Learn not just how attacks can be done but how they can be detected.
  • Learn network forensics.
  • Learn how misconfigurations can be taken advantage of by attackers.
  • Learn how to put mitigation strategies in place.
  • Learn how attackers can gain access, via pivoting/lateral movement, to your isolated LANs/subnets which have no internet access.
  • Learn how exfiltration can be done via relays.
  • Learn about various command and control (C2) mechanisms leveraging different common ports and/or protocols.

Who is this book really for?

  • Individuals now starting off their cybersecurity careers.
  • Individuals working in a Cyber/Security Operations Center (C/SOC).
  • Red Team practitioners who may wish to understand how their efforts may be detected.
  • General practitioners of cybersecurity.
  • Experienced Cybersecurity Ninjas who may be looking for a trick or two.
  • Anyone who just wishes to learn more about cybersecurity, hacking and its detection.
  • Anyone involved in network forensics.
  • Most importantly, anyone looking for a good read :-)

Here is some feedback you may be interested in.

  • "Nik's approach to viewing both the attacker and defender's side of the compromise is an amazing way to correlate the causes and consequences of every action in an attack. This not only helps the reader learn, but is entertaining and will cause readers to flip all around the book to make sure they catch every detail."
    Tyler Hudak, Information Security

  • "By showing both the offensive and defensive sides of an attack, Nik helps each side better understand how the other operates."
    Joe Schottman, SANS Advisory Board Member

  • "Hack and Detect provides a window into a modern day attack from an advanced persistent threat in an easy to follow story format. Nik walks through the Cyber Kill Chain from both an offensive perspective, showing tools and tricks an attacker would leverage, and a defensive perspective, highlighting the breadcrumbs which are left behind. By following along step by step with virtual machines the reader is able to obtain a greater understanding of how the attacks work in the real world and gain valuable insight into defending against them."
    Daniel McAuley, Manager Infrastructure and Technology Group

Looking to follow along and get the full experience without building a lab?

Looking for sample chapters? Don't worry, I got you!


NOTE: The .exe file above, "Nik_in_Vegas.exe", is actually called "Pam_In_Guyana.exe" in the book. Therefore, if you are going through the book, simply replace "Pam_In_Guyana.exe" with "Nik_in_Vegas.exe".

Feel free to drop me a line and let me know your thoughts on the book.

Enjoy:
Nik Alleyne
www.securitynik.com
