SECURITY+ LAB SERIES. Lab 6: Secure Network Administration Principles Log Analysis

Transcription

1 SECURITY+ LAB SERIES Lab 6: Secure Network Administration Principles Log Analysis Document Version: otherwise noted, is licensed under the Creative Commons Attribution 3.0 Unported License. Development was funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC A-48; The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah. This workforce solution was funded by a grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership.

2 Contents Introduction... 3 Lab Topology... 4 Lab Settings... 5 Pre-Lab Setup Nmap Analysis Using grep Analyzing Different Nmap Reports Parsing Nmap Reports with CLI Parsing Nmap Reports with Scripts Log Analysis Using grep Using grep With Curl Using grep With Logs Log Analysis Using gawk Creating Groups and Users Remotely Using gawk With Logs FTP Log Analysis Password Cracking using Hydra FTP Access Analysis

3 Introduction The material in this lab aligns to the following learning objectives: Objective 1.2: Given a scenario, use secure network administration principles Objective 3.2: Summarize various types of attacks Objective 3.6: Analyze a scenario and select the appropriate type of mitigation and deterrent techniques More information about individual objectives and their sections can be found in CompTIA document SY0-401, which is available from the CompTIA website. In this lab, you will be conducting network log analysis practices using various tools. You will be performing the following tasks: 1. Nmap Analysis Using grep 2. Log Analysis Using grep 3. Log Analysis Using gawk 4. FTP Log Analysis 3

4 Lab Topology 4

5 Lab Settings The information in the table below will be needed in order to complete the lab. The task sections below provide details on the use of this information. Virtual Machine IP Address Account (if needed) Password (if needed) Ubuntu student securepassword DVL Server root toor Security Onion soadmin mypassword pfsense admin pfsense Kali root toor 5

6 Pre-Lab Setup Before continuing to Task 1, log into the following systems below as instructed. I. Kali 1. On the login screen, select Other. 2. When presented with the username, type root. Press Enter. 3. When prompted for the password, type toor. Press Enter. 4. Minimize the PC viewer window. II. Security Onion 1. On the login screen, type soadmin. Press Enter. 2. When prompted for the password, type mypassword. 3. Minimize the PC viewer window. III. DVL 1. On the login screen, type root. Press Enter. 2. When prompted for a password, type toor. Press Enter. 3. When presented with the user prompt, type startx. Press Enter. 4. Once the desktop boots close the X Desktop window. 5. Minimize the PC viewer window. 6

7 1 Nmap Analysis Using grep 1.1 Analyzing Different Nmap Reports 1. Open the DVL PC Viewer. If closed, click on the DVL icon on the Topology page. 2. Click on the Application Menu icon located towards the bottom-left corner. Navigate to Services > HTTPD > Start HTTPD to initialize the HTTP service on the server. 3. Open a new Terminal window. 4. Start the FTP service by typing the command below followed by pressing Enter. proftpd Ignore the IPv6 message. 7

8 5. Open the Kali PC Viewer. If closed, click on the Kali icon on the Topology page. 6. Open a new Terminal window. 7. Navigate to the /tmp/reports directory by typing the command below. cd /tmp/reports 8. Type the command below to open an Nmap report in Leafpad GUI text editor. leafpad dvlscan1.xml 9. Based on this report, we can see what ports/services have been opened on the date listed in the report in an xml format. This format can be difficult to read. Close the test editor window. 10. Open a similar dvlscan report but this time the format will be in.gnmap. Type the command below. leafpad dvlscan1.gnmap 8

9 11. This is the same output from the XML file we just opened except that this format is considered a grepable Nmap (.gnmap) output. Close the window. 1.2 Parsing Nmap Reports with CLI 1. Initiate the command below to grep the first field of the dvlscan1.gnmap file. cat dvlscan1.gnmap grep open cut d f1 Notice that the word Host: appears in the output. When using the cut command with the (-d ) option, we are cutting out the spaces in the file. Adding the -f1 option to that, we are cutting everything out except for the first field, which in this case was Host:. 2. Type the same command from the previous step except this time we will cut the second field. cat dvlscan1.gnmap grep open cut d f2 Notice that we now were able to parse the live host IP from the Nmap report. 3. Issue the same command as before, but this time we will redirect the output to a file called livehosts.txt. cat dvlscan1.gnmap grep open cut d f2 > livehosts.txt 4. Note that no confirmation is given from the command above. Type the ls command to verify the livehosts.txt file has been created. 9

10 5. Type the command below to view the output from the dvlscan1.nmap file. cat dvlscan1.nmap Notice how this output closely resembles the output we usually get from an Nmap scan. 6. Type the command below to grep lines that include the word open. cat dvlscan1.nmap grep open Notice how this is much cleaner. 10

11 7. Include the cut command now as shown below to cut the (/) delimiter character and the first field, as we are mostly interested in greping a list of port numbers. cat dvlscan1.nmap grep open cut d / f1 Notice the clean list of open ports. 8. Issue the same command as before but this time save the output to a file called liveports.txt. cat dvlscan1.nmap grep open cut d / f1 > liveports.txt 9. View the contents of the liveports.txt file by typing the command below followed by pressing Enter. cat liveports.txt 11

12 1.3 Parsing Nmap Reports with Scripts 1. View the output of livehostscan.txt by issuing the command below. cat livehostscan.txt Notice how this scan report includes multiple targets. 2. Use the scanreport.sh script to automatically parse the livehostscan.txt file. Type the command below into the Terminal. /home/scripts/scanreport.sh f livehostscan.txt Notice the output in a nice readable format. 3. We can parse the file even more by taking out the lines that begin with a comment (#) character. Type the command below. grep v ^# livehostscan.txt > parsed.txt 12

13 4. Use the scanrreport.sh script again to see results. Type the command below. /home/scripts/scanreport.sh f parsed.txt 5. Parse even further by only showing output for a specific IP address. Issue the command below show the output for /home/scripts/scanreport.sh f parsed.txt i If interested in knowing which targets have a specific port opened, execute the command below the show results for port 21. /home/scripts/scanreport.sh f parsed.txt p We can also parse by protocol name. /home/scritps/scanreport.sh f parsed.txt s ftp 13

14 2 Log Analysis Using grep 2.1 Using grep With Curl 1. In Kali, see which network system(s) have port 80 open. /home/scripts/scanreport.sh f parsed.txt p 80 Observe the five systems from the output. 2. Use the curl command to pull HTML code from the potential web server on curl 3. Since the results from the curl command are large, it will be helpful to filter through the output using the grep command. See if we can find an address on the web page. curl The helps signify that an address has been found when observing the output. 14

15 4. Next, we will generate some noise by initiating an intense Nmap scan. Type the command below into the Terminal. nmap T4 A v Scan will take approximately 2-3 minutes to complete. Move on to the next step while the Nmap scan is running. 5. Generate more traffic by opening a Web Browser. Click on the Iceweasel icon located on the top menu pane. 6. Enter into the address bar. Press Enter. You should be presented with the Security Onion welcome page. 2.2 Using grep With Logs 1. Open the Security Onion PC Viewer. If closed, click on the Security Onion icon on the Topology page. 15

16 2. Open a new Terminal window. 3. Change the current directory to /var/log/nginx. cd /var/log/nginx 4. View the access_log by typing the command below. cat access.log In the output, you will notice that the access_log file can be extremely long. 5. Cut this down and only analyze potential Nmap scans that were initiated on this server (case sensitive). cat access.log grep Nmap 16

17 6. Type another command only showing entries made with Firefox (case sensitive). cat access.log grep Firefox 7. Type the following command to filter the access_log file for the word curl. cat access.log grep curl 17

18 3 Log Analysis Using gawk 3.1 Creating Groups and Users Remotely 1. Change focus back to the Kali system. 2. Within a Terminal window, type the following command to SSH into the remote system, in this case the DVL Server. ssh a. If prompted with a message asking, Are you sure you want to continue?, type yes. Press Enter. b. When prompted for root@ password, type toor. Press Enter. Notice the prompt change to bt~#. You are now logged in remotely as the root user for the DVL Server. 3. With root privileges, create a group called anongroup. groupadd anongroup No confirmation is given when a group is added like this. 4. View the list of groups on the DVL Server. cat /etc/group 5. Scroll to the bottom of the list to locate the newly created anongroup. 18

19 6. Create a new user ben and put him in the anongroup. useradd ben g anongroup a. Add another user jerry using the same command. b. Add a third user katy using the same command 7. Assign the user ben a new password. passwd ben When prompted, type passb1 for the password. If a warning message displays that the password is too weak, type the password again two more times to confirm. a. Assign user jerry the password: passj1 b. Assign user katy the password: passk1 8. Leave the Terminal window open to continue on the next section. 3.2 Using gawk With Logs 1. While SSH d into the DVL Server from the Kali system, change to the /var/log directory. cd /var/log 19

20 2. View the contents in the log file. cat secure Notice that at the bottom of the log, entries are shown where user accounts have been created, along with password creations. You will also notice information about incoming SSH connections. 3. To search for new instances of new user creation within the secure log file, type the command below. cat secure grep new user Notice the entire lines containing new user are displayed. 4. To determine the name of the new user created, we can use grep and gawk together. gawk {print $6,$7,$8} secure grep new user 5. Logout from the SSH session. logout 20

21 4 FTP Log Analysis 4.1 Password Cracking using Hydra 1. While on the Kali system, start up the Hydra password cracking application to perform a dictionary attack against a remote system. Type the command below in a Terminal window. xhydra 2. A HydraGTK GUI interface will appear. On the Target tab, type into the Single Target field. 3. Select ftp as the Protocol. 4. Click the Passwords tab. 5. Type ftpadmin for the Username. 6. Under the Password category, fill the bubble next to the Password List option. 21

22 7. Click on the white space to the right of the words Password List. A new File Explorer window will appear. 8. Click on the File System menu option. 9. Click on the Type a file name button. 10. Type /tmp/wordlists/passlist in the white space. Press Enter. Notice the Password List field is now populated. 22

23 11. Verify your HydraGTK window displays the options as shown in the picture below. 12. Click on the Start tab. Then, click on the Start button at the bottom of the HydraGTK window Let the scan run for about 30 seconds. 23

24 13. Notice the program has cracked the password with a username as ftpadmin and a password of ftp. 14. Exit the program. 24

25 4.2 FTP Access Analysis 1. Change focus to the DVL Server and open new Terminal window. 2. Navigate to the directory that holds the proftpd.log file. cd /var/log/ 3. View the last 50 recorded items from the FTP service. tail -50 proftpd.log Notice the multiple failed login attempts recorded in the log. 4. View the total amount of failed login attempt by issuing the command below (case sensitive). cat proftpd.log grep Incorrect 5. Close all windows. 25