SECURITY+ LAB SERIES. Lab 7: Analyze and Differentiate Types of Attacks and Mitigation Techniques

Transcription

1 SECURITY+ LAB SERIES Lab 7: Analyze and Differentiate Types of Attacks and Mitigation Techniques Document Version: otherwise noted, is licensed under the Creative Commons Attribution 3.0 Unported License. Development was funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC A-48; The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah. This workforce solution was funded by a grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership.

2 Contents Introduction... 3 Lab Topology... 4 Lab Settings... 5 Pre-Lab Setup Bruteforcing SSH Demonstrate Ncrack Against denyhosts Unblock Kali Dangerous Linux Commands Exploiting sudo with vi Editor Demonstrate DOS Attack Destroying the HDD with dd

3 Introduction The material in this lab aligns to the following learning objective: Objective 3.2: Summarize various types of attacks More information about individual objectives and their sections can be found in CompTIA document SY0-401, which is available from the CompTIA website. In this lab, you will be conducting host security practices using the command line along with scripts. You will be performing the following tasks: 1. Bruteforcing SSH 2. Dangerous Linux Commands 3

4 Lab Topology 4

5 Lab Settings The information in the table below will be needed in order to complete the lab. The task sections below provide details on the use of this information. Virtual Machine IP Address Account (if needed) Password (if needed) Ubuntu student securepassword DVL Server root toor Security Onion soadmin mypassword pfsense admin pfsense Kali root toor 5

6 Pre-Lab Setup Before continuing to Task 1, log into the following systems below as instructed. I. Kali 1. On the login screen, select Other. 2. When presented with the username, type root. Press Enter. 3. When prompted for the password, type toor. Press Enter. 4. Minimize the PC viewer window. II. Ubuntu 1. On the login screen, select the student account. 2. When prompted for the password, type securepassword. Press Enter. 3. Minimize the PC viewer window. 6

7 1 Bruteforcing SSH 1.1 Demonstrate Ncrack Against denyhosts 1. Open the Ubuntu PC Viewer. If closed, click on the Ubuntu icon on the Topology page. 2. Open a new Terminal window by clicking on the Terminal icon located on the left menu pane. 3. Verify that the SSH service is running. ps eaf grep v grep grep sshd 4. Next, verify that the service denyhosts is not running. service denyhosts status 5. If the service is running, type the command below to stop the service: sudo service denyhosts stop 7

8 6. If prompted for a password, enter securepassword. Press Enter. 7. Based on the denyhosts.conf file, check to see where it places denied hosts. sudo grep HOSTS_DENY /etc/denyhosts.conf grep v # 8. If prompted for a password, type securepassword. Press Enter. Notice that denied host IPs is placed into /etc/hosts.deny. 9. Open the Kali PC Viewer. If closed, click on the Kali icon on the Topology page. 10. Open a new Terminal window by selecting the Terminal icon on the top pane. 11. Type the command below to test the SSH connection to the Ubuntu system. ssh student@ uptime a. If prompted Are you sure you want to continue?, type yes followed by pressing Enter. b. When prompted for a password, type securepassword. Press Enter. Notice the confirmation of being able to SSH into the Ubuntu system. 12. Change focus to the Ubuntu system. 8

9 13. While logged in the Ubuntu system, focus on the Terminal window. Type the command below to grep the log entry recorded from the SSH connection that was initiated by the Kali system (case sensitive). grep Accepted password /var/log/auth.log grep Notice the log entry outputted. 14. Change focus to the Kali system. 15. Within a Terminal window, type the help command below to see what available options can be used with Ncrack. ncrack -help 16. Initiate the Ncrack tool against Ubuntu s SSH service by entering the command below using a predefined password list. ncrack v user root P /tmp/wordlists/passlist p ssh Let the Ncrack application run for 1-2 minutes. Once finished, notice that the tool has found the password. 17. Change focus to the Ubuntu system. 9

10 18. Within a Terminal window, start the denyhosts script on the Ubuntu system. Type the command below followed by pressing Enter. sudo service denyhosts start 19. If prompted for a password, type securepassword. Press Enter. 20. Change focus to the Kali system. Attempt to SSH to the Ubuntu system with the credentials gained from the Ncrack tool. ssh student@ Notice now how the connection is being automatically closed by the remote system. 21. Determine if the IP address is being blocked or if SSH traffic is being blocked. telnet Noticing the output, we can determine that the IP address is being blocked since the remote host is still listening on port Change focus back to the Ubuntu system and view the contents of the hosts.deny file. Type the command below: grep sshd /etc/hosts.deny Notice that the file is populated with the IP address belonging to the Kali system. It can be concluded that the denyhosts service has blocked Kali s IP address based on its attempt to force itself an SSH connection with the remote system. 10

11 23. Analyze the Ubuntu s auth.log file for failed password attempts (case sensitive). grep Failed password /var/log/auth.log grep Notice multiple failed SSH login attempts created by the Ncrack application. 1.2 Unblock Kali 1. To remove the blocked entry from the hosts.deny file, temporarily stop the rsyslog service. sudo service rsyslog stop 2. If prompted for a password, enter securepassword. Press Enter. 3. Next, stop the denyhosts service. sudo service denyhosts stop 4. If prompted for a password, enter securepassword. Press Enter. 11

12 5. Edit the hosts.deny file by removing the IP entry. sudo nano /etc/hosts.deny 6. If prompted for a password, type securepassword. Press Enter. 7. Use your arrows keys to navigate to the IP entry and press Backspace to erase the entire line: sshd: Once removed, press CTRL+X to exit. 12

13 9. When asked to save modified buffer, press the Y key for Yes. 10. Press Enter to confirm the filename as /etc/hosts.deny. 11. Close all open windows. 13

14 2 Dangerous Linux Commands 2.1 Exploiting sudo with vi Editor 1. Open the Ubuntu PC Viewer. If closed, click on the Ubuntu icon on the Topology page. 2. Open a new Terminal window. 3. Escalate to root privileges. sudo su 4. If prompted for a password, enter securepassword. Press Enter. 5. Type the command below to create and open the hacksrus.txt file. vi hacksrus.txt 14

15 6. Once engaged within the vi editor, type the command below. The input is recorded at the bottom of the vi editor. :!/bin/sh 7. Press Enter. 8. After the command is entered, you ll be presented with the # prompt. Type the id command to print the current user followed by pressing Enter. Notice that you are running a shell as root. 9. Type whoami to confirm you are the user root. Press Enter. 10. Type exit to close the shell. Press Enter. 11. Press Enter once more to continue. 12. When brought back to the vi editor, type the command below to quit. :q! 13. Press Enter. 15

16 14. While in the Terminal, type the command below to analyze the log file showing privileges being escalated to root. grep sudo /var/log/auth.log tail -l 15. Leave the Terminal window open for the next task. 2.2 Demonstrate DOS Attack Warning: Do not attempt this section of the lab on a personal computer. It will cause serious harm to a machine, resulting in an inoperable state. 1. While on the Ubuntu system. Type the command below to monitor live CPU and memory usage within a Terminal window. htop 2. Press Enter. 3. Open a new Terminal window. Right-click on the Terminal icon and click New Terminal. 16

17 4. Make sure to display the new Terminal window in a way where you are able to see both Terminals side-by-side. 5. Within the new Terminal window, type the command below to initiate a fork bomb attack on the Ubuntu system. :(){ : : & };: 6. Watch closely at the Terminal window with htop running. After 1-2 minutes, notice how the CPU usage spikes, reaching almost 100% while both memory and swap memory spike as well. What is happening here is that the Ubuntu system is running out of memory by forking a process infinitely. In other words, it is making multiple copies of itself that is setting off a chain reaction resulting in quickly exhausting the system s resources. 17

18 7. When you are finished analyzing the fork bomb operation, go to the Topology page and click on the Action tab. Select the drop-down menu for Ubuntu and select power off. 8. Wait 1-2 minutes until the task finishes and then select the drop-down menu and click on power on. 2.3 Destroying the HDD with dd Warning: Do not attempt this section of the lab on a personal computer. It will cause serious harm to a machine resulting, in an inoperable state. 1. Open the Ubuntu PC Viewer. If closed, click on the Ubuntu icon on the Topology page. 2. On the Login screen, login as student with the password securepassword. Press Enter. 18

19 3. Open a new Terminal shell. 4. Run iotop to actively monitor disk I/O activity by typing the command below. sudo iotop 5. If prompted for password, enter securepassword. Press Enter. 6. Open another new Terminal window by right-clicking on the Terminal icon and selecting New Terminal. 19

20 7. Position both Terminals so that both can be viewed at the same time. 8. Type the command below to mimic an HDD attack if an attacker had access to a physical machine within a network infrastructure. sudo dd if=/dev/zero of=/dev/sda Notice on the Terminal running iotop a heavy I/O activity is taking place. 20

21 9. Wait 1-3 minutes until the system crashes. 10. Once the system crashes, close the PC Viewer. 11. Change focus on the Topology page and select the Action tab. 12. Click on the drop-down menu for the Ubuntu system and select power off. 13. Wait 1-2 minutes until the task is completed. 14. Select the drop-down menu once more, but this time selecting power on. 15. Open the Ubuntu PC Viewer. If closed, click on the Ubuntu icon on the Topology page. 21

22 16. Wait 1-3 minutes until a message appears showing that no operating system is available. The dd command has been successful in such a way that the damage has been done. The command process kept writing random zeros on the partition sda to the point where it can no longer function because of the overwritten files. 17. Close all windows. 22