I concluded this report with an immersive, very hands-on assessment in which I was able to use the tactics and tools available to a Red Team player, giving me a better understanding of how data exploitation happens. On the Blue side, once the vulnerability had been identified via the SIEM (Kibana), I was aware of the same malicious tactics, techniques and procedures and could build a better response strategy around them.
Nmap allowed me to identify the following hosts on the network:
| Hostname | IP Address | Role on Network |
|---|---|---|
| Hyper-V Azure machine ML-RefVm-684427 | 192.168.1.1 | Host machine (cloud-based) |
| Kali | 192.168.1.90 | Attacking machine |
| ELK Stack | 192.168.1.100 | SIEM VM |
| Capstone | 192.168.1.105 | Target machine replicating a vulnerable server |
| Vulnerability | Description | Impact |
|---|---|---|
| Port 80 open - CVE-2019-6579 | Open and unsecured access to anyone attempting entry over port 80. | Files and folders are readily accessible. Sensitive (and secret) files and folders can be found. |
| Ability to discover the password by brute force - CVE-2019-3746 | An attacker tries numerous username and password combinations to access a device or system. | Easy access by brute force using programs such as ‘John the Ripper’, Hydra and so on. |
| LFI Vulnerability | LFI allows access to confidential files on a vulnerable machine. | Allows attackers to gain access to sensitive credentials. |
| Weak Passwords | Common passwords and a lack of complexity, such as the inclusion of symbols, numbers and capitals. | The password could be discovered by social engineering; the ‘Leopoldo’ password could be cracked in 21 seconds by a computer. |
Findings
After mapping the network with nmap I was able to gather valuable data about user information. I tried all the possibilities, and the user ‘ashton’ was a good option to explore since he is the Manager/admin.
Tools & Processes
I used Hydra with the rockyou.txt wordlist to brute-force the login.
Command: # hydra -l ashton -P /usr/share/wordlists/rockyou.txt -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder/
Achievements
After getting all the information I was able to use the login name ‘ashton’ as well as the password ‘leopoldo’ to gain access.
Tools & Processes
NMAP was used to scan for open ports.
Achievements
I found 4 hosts up. On the Capstone machine (192.168.1.105) two ports were open: 22 and 80.
After gaining access to "connect_to_corp", it showed details about the hashed password.
Findings
Tools & Processes
I used online tools such as hashes.com and md5decrypt.net to crack the hashed password.
Achievements
The user Ryan used the password ‘linux4u’ to access the /webdav folder. From my attacker machine I was able to reach the server at dav://172.16.84.205/webdav and log in successfully.
Tools & Processes
For the next step I used msfvenom and Meterpreter to deliver a payload (a PHP file) onto the vulnerable machine using a reverse-shell payload script.
Achievements
Using the multi/handler exploit I could get access to the machine’s shell.
● The port scan started on October 23, 2021 at 18:00.
● 84,041 connections occurred, all from the source IP 192.168.1.90.
● The sudden peaks in network traffic indicate that this was a port scan.
Analysis: Finding the Request for a Hidden Directory
● The requests started at 17:00 hrs on October 23rd, 2021.
● 30,450 requests were made to access the /secret_folder.
● This folder contained a hash that I could use to access the system using another employee’s credentials (Ryan).
● 30,450 requests were made in the attack to access the /secret_folder.
● 30 attacks were successful. 100% of these attacks returned a 301 HTTP status code “Moved Permanently”.
● 96 requests were made to access the /webdav directory.
● The primary requests were for the passwd.dav and shell.php files.
● I recommend that an alert be sent once 1000 connections occur within 30 minutes.
● Automate a Python script along with an Nmap scan to proactively detect and audit any open ports.
● Ensure the firewall always has the latest patches applied in order to avoid zero-day attacks.
● Redirect open ports to “honeypots” or empty hosts.
● Enable third-generation deception technology.
Mitigation: Finding the Request for the Hidden Directory
● Set an alert whenever a request to access the hidden folder occurs.
● I would recommend a threshold of a maximum of 3 attempts every 30 minutes, after which an alert is sent.
● Store highly sensitive information in an offline environment or a secured private cloud.
● Rename folders containing critical data.
● Encrypt data contained within confidential folders.
● Manage IP addresses by adding them to the whitelist or the blocklist.
An HTTP 401 Unauthorized client error indicates that the client failed to provide valid authentication credentials.
● I would detect future brute-force attacks by setting an alarm that fires when a 401 error is returned.
● The threshold I would set to activate this alarm would be 10 errors returned.
● I would create a policy that locks out accounts after 3 unsuccessful attempts and requires the user to contact the Service Desk to confirm their PII and unlock the account.
● I would create a password policy that requires complexity (lowercase, uppercase, a number and a special character), expires passwords every 3 months and rejects previously used passwords.
● I would create a blocklist of IP addresses that have 30 unsuccessful attempts in 3 months. If the IP address happens to belong to a staff member, advice from the cybersecurity team may be required.
● First, I would create a whitelist of trusted IP addresses, in line with least-privilege access. I would set an alarm that activates on any HTTP GET request from an IP address trying to access the WebDAV directory, and the threshold to activate this alarm would be any HTTP PUT request being made.
● Create a whitelist of trusted IP addresses and ensure that the firewall security policy prevents all other access.
● In conjunction with other mitigation strategies, I would ensure that any access to the WebDAV folder is only permitted by users with ‘Salted’ passwords.
● Enable MFA.
● Create an alert for any suspicious traffic on port 4444. The alert should be sent as soon as one or more attempts are made.
● I recommend setting an alert for files with suspicious extensions being uploaded into the /webDAV folder. The alert should be sent as soon as one or more attempts are made.
● Block all IP addresses other than whitelisted ones (because reverse shells can also be created over DNS, this action only limits the risk of a connect-back shell).
● Make the /webDAV folder read-only to prevent payloads from being uploaded.
● Ensure that only necessary ports are open.
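As an added example that is not part of this report, the three alert thresholds proposed above (more than 3 requests to the hidden folder within 30 minutes, 10 HTTP 401 responses from one source, and any HTTP PUT to /webdav) are expressed below as a small Python detector run over constructed Apache-style access-log lines. The log format, timestamps and sample values are assumptions for the demonstration, not data from the Kibana dashboard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache-style log prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
HIDDEN_FOLDER = "/company_folders/secret_folder/"   # path named in the report
WINDOW = timedelta(minutes=30)
HIDDEN_MAX = 3      # report: alert above 3 attempts per 30 minutes
UNAUTH_MAX = 10     # report: alert when 10 HTTP 401 errors are returned

# Constructed sample log (not the report's Kibana data): 12 brute-force
# attempts on the hidden folder, one WebDAV upload, one benign request.
SAMPLE_LOG = [
    f'192.168.1.90 - - [23/Oct/2021:17:{m:02d}:00 +0000] '
    f'"GET {HIDDEN_FOLDER} HTTP/1.1" 401 381' for m in range(12)
] + [
    '192.168.1.90 - ryan [23/Oct/2021:17:20:00 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0',
    '192.168.1.50 - - [23/Oct/2021:17:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def parse(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(lines):
    """Apply the three alert rules; the two threshold rules fire once per IP crossing."""
    alerts = []
    hidden = defaultdict(deque)   # ip -> timestamps of hidden-folder requests
    unauth = defaultdict(int)     # ip -> running count of 401 responses
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        if path.startswith(HIDDEN_FOLDER):
            q = hidden[ip]
            q.append(when)
            while when - q[0] > WINDOW:      # slide the 30-minute window forward
                q.popleft()
            if len(q) == HIDDEN_MAX + 1:     # crossing the threshold fires the alert
                alerts.append(("hidden_folder", ip, f"{len(q)} requests in 30 min"))
        if status == 401:
            unauth[ip] += 1
            if unauth[ip] == UNAUTH_MAX:
                alerts.append(("brute_force_401", ip, f"{UNAUTH_MAX} x 401"))
        if method == "PUT" and path.startswith("/webdav"):
            alerts.append(("webdav_put", ip, path))   # any upload is reported
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one alert per rule, all attributed to 192.168.1.90, while the benign request from 192.168.1.50 produces nothing.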
● File Inclusion Vulnerabilities
● Hydra
● Hashes
● Zero-Day
● Honeypot