Assessment Prep - Cyber-JL/SEC-350-01 GitHub Wiki

Systems:

  • traveler-jude - A WAN-based road-warrior user running Windows 10 (this replaces the Linux rw01).
  • edge01-jude - A VyOS firewall with three interfaces (WAN, DMZ, LAN). You will need to add an interface using vCenter (this replaces fw01).
  • nginx01-jude - A DMZ-based nginx web server running Ubuntu (this replaces web01 and Apache).
  • dhcp01-jude - A LAN-based DHCP server running Ubuntu.

Requirements:

  • All systems should have an accurate hostname.
  • All Linux systems should have a named sudo or administrator user.
  • The two new Ubuntu systems do not have a firewall enabled; this is OK (for now).
  • wks1 and mgmt01 should be able to surf the internet.
  • wks1 and mgmt01 should be able to navigate to nginx01.
  • mgmt01 should be able to ssh to nginx01.
  • nginx01 should be able to ping log01.
  • nginx01 and dhcp01 should have Wazuh agents installed.
  • nginx01 should have a custom web page (practice this on jump).
  • traveler should be able to get to nginx01's custom test page by navigating to edge01's WAN IP address.
  • traveler should be able to perform ssh key-based authentication with jump. Traveler is a Windows box, but ssh in PowerShell is nearly exactly the same as on Linux, including key generation. You will need to add the new public key to authorized_keys.
  • dhcp01 should serve a pool of DHCP addresses to the LAN from .100 to .150.
  • WKS1 should use DHCP addressing.

Hints

  • You do not need to work serially through this assessment, it is the end result that matters. If you are waiting for a reboot on traveler, then start configuring your other servers.
  • Get all communications working BEFORE creating zones and locking down the firewalls. It's terribly difficult to debug both services and network firewalls at the same time.
  • Make sure to link your firewalls to the appropriate From and To zones.
  • Make sure you have the correct netmask on all Linux systems.
  • Use the --permanent flag on CentOS firewalld configurations and reload after each change.
  • Restart any service whose configuration file you touch (network, nginx, rsyslog, etc.).
  • Make sure you include the appropriate vSphere label on all deliverables where your name is not obvious in the console.
  • Check every VM's network settings to make sure they are on the correct segment.
  • Don't forget to look at /var/log/messages to debug firewall issues.
  • Do not try to use the default gateway address 10.0.17.2 as your WAN interface IP address as this will cause problems for other students and might be embarrassing.

IP TABLE

| System | Network | IP address |
| --- | --- | --- |
| fw01 / Edge01 | WAN/24 | 10.0.17.119 |
| fw01 / Edge01 | DMZ/29 | 172.16.50.2 |
| fw01 / Edge01 | LAN/24 | 172.16.150.2 |
| web01 / nginx | DMZ/29 | 172.16.50.3 |
| log01 | DMZ/29 | 172.16.50.5 |
| jump | DMZ/29 | 172.16.50.4 |
| rw01 / traveler | WAN/24 | 10.0.17.19 |
| wks01 | LAN/24 | 172.16.150.50 |
| fw-mgmt | LAN/24 | 172.16.150.3 |
| fw-mgmt | MGMT/28 | 172.16.200.2 |
| mgmt01 | LAN/24 | 172.16.150.10 |
| wazuh | MGMT/28 | 172.16.200.10 |
| mgmt02 | MGMT/28 | 172.16.200.11 |
| ca | MGMT/28 | 172.16.200.12 |


Default Passwords

| System | User | Password |
| --- | --- | --- |
| All CentOS / Rocky VMs | root | Ch@mpl@1n!22 |
| All CentOS / Rocky VMs | champuser | Ch@mpl@1n!22 |
| xubuntu VMs | champuser | Ch@mpl@1n!22 |
| Ubuntu Servers | champuser | Ch@mpl@1n!22 |
| pfsense | admin | pfsense |
| Windows 10 | champuser | Ch@mpl@1n!22 |
| Server 2019 | Administrator | (no password) |
| vyos | vyos | Ch@mpl@1n!22 |
| Kali Linux | champuser | Ch@mpl@1n!22 |

FIREWALL

SSH, Hostname, Route, and Server name

   set system host-name 'edge01-jude'
   set system name-server '10.0.17.2'
   set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
   set service ssh listen-address '0.0.0.0'

   set system login user vyos authentication plaintext-password <Password>

   # Leave out this line till the end...
   del service ssh listen-address '0.0.0.0'
   set service ssh listen-address '172.16.150.2'

Interfaces

   set interfaces ethernet eth0 address '10.0.17.119/24'
   set interfaces ethernet eth0 description 'SEC350-WAN'

   set interfaces ethernet eth1 address '172.16.50.2/29'
   set interfaces ethernet eth1 description 'JUDE-DMZ'

   set interfaces ethernet eth2 address '172.16.150.2/24'
   set interfaces ethernet eth2 description 'JUDE-LAN'

Zone

   set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
   set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
   set zone-policy zone DMZ interface 'eth1'

   set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
   set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
   set zone-policy zone LAN interface 'eth2'

   set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
   set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
   set zone-policy zone WAN interface 'eth0'

RIP

   set protocols rip interface eth2
   set protocols rip network '172.16.50.0/29'
   set protocols static route 0.0.0.0/0 next-hop 10.0.17.2

DNS

   set service dns forwarding allow-from '172.16.50.0/29'
   set service dns forwarding allow-from '172.16.150.0/24'
   set service dns forwarding allow-from '172.16.200.0/28'
   set service dns forwarding listen-address '172.16.50.2'
   set service dns forwarding listen-address '172.16.150.2'
   set service dns forwarding system

NAT source

   set nat source rule 10 description 'NAT FROM DMZ to WAN'
   set nat source rule 10 outbound-interface 'eth0'
   set nat source rule 10 source address '172.16.50.0/29'
   set nat source rule 10 translation address 'masquerade'

   set nat source rule 20 description 'NAT FROM LAN to WAN'
   set nat source rule 20 outbound-interface 'eth0'
   set nat source rule 20 source address '172.16.150.0/24'
   set nat source rule 20 translation address 'masquerade'

   set nat source rule 30 description 'NAT FROM MGMT to WAN'
   set nat source rule 30 outbound-interface 'eth0'
   set nat source rule 30 source address '172.16.200.0/28'
   set nat source rule 30 translation address 'masquerade'

NAT destination

   set nat destination rule 10 description 'WAN HTTP to NGINX'
   set nat destination rule 10 destination port '80'
   set nat destination rule 10 inbound-interface 'eth0'
   set nat destination rule 10 protocol 'tcp'
   set nat destination rule 10 translation address '172.16.50.3'
   set nat destination rule 10 translation port '80'

   set nat destination rule 20 description 'WAN to JUMP'
   set nat destination rule 20 destination port '22'
   set nat destination rule 20 inbound-interface 'eth0'
   set nat destination rule 20 protocol 'tcp'
   set nat destination rule 20 translation address '172.16.50.4'
   set nat destination rule 20 translation port '22'

Firewall

DMZ-to-LAN

   set firewall name DMZ-to-LAN  
   set firewall name DMZ-to-LAN default-action 'drop'
   set firewall name DMZ-to-LAN enable-default-log

   set firewall name DMZ-to-LAN rule 1 action 'accept'
   set firewall name DMZ-to-LAN rule 1 state established 'enable'

   set firewall name DMZ-to-LAN rule 10 action 'accept'
   set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
   set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
   set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
   set firewall name DMZ-to-LAN rule 10 protocol 'tcp'

DMZ-to-WAN

   set firewall name DMZ-to-WAN
   set firewall name DMZ-to-WAN default-action 'drop'
   set firewall name DMZ-to-WAN enable-default-log

   set firewall name DMZ-to-WAN rule 1 action 'accept'
   set firewall name DMZ-to-WAN rule 1 state established 'enable'

   # Only use line below if NGINX needs network
   set firewall name DMZ-to-WAN rule 999 action 'accept'
   set firewall name DMZ-to-WAN rule 999 source address '172.16.50.3'

LAN-to-DMZ

   set firewall name LAN-to-DMZ
   set firewall name LAN-to-DMZ default-action 'drop'
   set firewall name LAN-to-DMZ enable-default-log

   set firewall name LAN-to-DMZ rule 1 action 'accept'
   set firewall name LAN-to-DMZ rule 1 state established 'enable'

   set firewall name LAN-to-DMZ rule 10 action 'accept'
   set firewall name LAN-to-DMZ rule 10 description "Allow HTTP from LAN to NGINX"
   set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
   set firewall name LAN-to-DMZ rule 10 destination port '80'
   set firewall name LAN-to-DMZ rule 10 protocol 'tcp'

   set firewall name LAN-to-DMZ rule 20 action 'accept'
   set firewall name LAN-to-DMZ rule 20 description "ssh from mgmt01 to DMZ"
   set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
   set firewall name LAN-to-DMZ rule 20 destination port '22'
   set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
   set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'

LAN-to-WAN

   set firewall name LAN-to-WAN
   set firewall name LAN-to-WAN default-action 'drop'
   set firewall name LAN-to-WAN enable-default-log

   set firewall name LAN-to-WAN rule 1 action 'accept'

WAN-to-DMZ

   set firewall name WAN-to-DMZ
   set firewall name WAN-to-DMZ default-action 'drop'
   set firewall name WAN-to-DMZ enable-default-log

   set firewall name WAN-to-DMZ rule 1 action 'accept'
   set firewall name WAN-to-DMZ rule 1 state established 'enable'

   set firewall name WAN-to-DMZ rule 10 action 'accept'
   set firewall name WAN-to-DMZ rule 10 description 'Allow HTTP from WAN to DMZ'
   set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
   set firewall name WAN-to-DMZ rule 10 destination port '80'
   set firewall name WAN-to-DMZ rule 10 protocol 'tcp'

   set firewall name WAN-to-DMZ rule 20 action 'accept'
   set firewall name WAN-to-DMZ rule 20 description 'Allow SSH from WAN to DMZ'
   set firewall name WAN-to-DMZ rule 20 destination address '172.16.50.4'
   set firewall name WAN-to-DMZ rule 20 destination port '22'
   set firewall name WAN-to-DMZ rule 20 protocol 'tcp'

WAN-to-LAN

   set firewall name WAN-to-LAN default-action 'drop'
   set firewall name WAN-to-LAN enable-default-log

   set firewall name WAN-to-LAN rule 1 action 'accept'
   set firewall name WAN-to-LAN rule 1 state established 'enable'
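The zone policy above hands each inter-zone direction to a named ruleset that VyOS walks top-down: the first rule whose criteria all match decides the packet, and anything unmatched gets the ruleset's default-action (here 'drop', with the default log enabled). The following Python is an added example, not part of this wiki or of VyOS: it parses the same `set firewall name ...` lines and replays the requirements from the top of the page against them offline, which catches a missing rule before the firewall is locked down. The rulesets and addresses are copied from this page (mgmt01 = .10, wks1 = .50); a packet arriving from the WAN is checked against its NAT-translated destination 172.16.50.3, which is how the WAN-to-DMZ rules above are written. The port matcher also handles lo-hi ranges, which the page's rules do not use.

```python
import ipaddress
import re
import shlex

# Constructed sample: the relevant lines from the rulesets on this page,
# exactly as they are typed at the VyOS configure prompt. Descriptions and
# enable-default-log lines are tolerated by the parser but not evaluated.
SAMPLE_CONFIG = """
set firewall name LAN-to-DMZ default-action 'drop'
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action 'accept'
set firewall name LAN-to-DMZ rule 1 state established 'enable'
set firewall name LAN-to-DMZ rule 10 action 'accept'
set firewall name LAN-to-DMZ rule 10 description "Allow HTTP from LAN to NGINX"
set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 10 destination port '80'
set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 20 destination port '22'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
"""

SET_LINE = re.compile(r"^set firewall name (\S+)\s*(.*)$")


def parse_rulesets(config_text):
    """Build {name: {"default": action, "rules": {number: {criterion: value}}}}."""
    rulesets = {}
    for raw in config_text.splitlines():
        match = SET_LINE.match(raw.strip())
        if not match:
            continue
        name, rest = match.groups()
        ruleset = rulesets.setdefault(name, {"default": "drop", "rules": {}})
        parts = shlex.split(rest)  # drops the CLI quotes, keeps a quoted description whole
        if not parts:
            continue
        if parts[0] == "default-action":
            ruleset["default"] = parts[1]
        elif parts[0] == "rule" and len(parts) >= 4:
            rule = ruleset["rules"].setdefault(int(parts[1]), {})
            rule[" ".join(parts[2:-1])] = parts[-1]  # e.g. "destination port" -> "80"
    return rulesets


def port_matches(spec, port):
    """VyOS port specs: a single port, a comma list, a lo-hi range, or a mix."""
    for item in spec.split(","):
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def addr_matches(spec, addr):
    """A bare address or a CIDR prefix, both via the ipaddress module."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rulesets, name, src, dst, proto, dport, state="new"):
    """Rules in numeric order; first full match wins, else the default-action.
    Returns (action, number of the matching rule or None for the default)."""
    ruleset = rulesets[name]
    for number in sorted(ruleset["rules"]):
        rule = ruleset["rules"][number]
        if "source address" in rule and not addr_matches(rule["source address"], src):
            continue
        if "destination address" in rule and not addr_matches(rule["destination address"], dst):
            continue
        if "protocol" in rule and rule["protocol"] != proto:
            continue
        if "destination port" in rule and not port_matches(rule["destination port"], dport):
            continue
        if rule.get("state established") == "enable" and state != "established":
            continue
        return rule.get("action", ruleset["default"]), number
    return ruleset["default"], None


if __name__ == "__main__":
    rs = parse_rulesets(SAMPLE_CONFIG)
    print("mgmt01 -> nginx01:22", evaluate(rs, "LAN-to-DMZ", "172.16.150.10", "172.16.50.3", "tcp", 22))
    print("wks1   -> nginx01:22", evaluate(rs, "LAN-to-DMZ", "172.16.150.50", "172.16.50.3", "tcp", 22))
    print("WAN    -> log01:80  ", evaluate(rs, "WAN-to-DMZ", "10.0.17.19", "172.16.50.5", "tcp", 80))
```

The replay shows the effect of the LAN-to-DMZ rule 20 source restriction directly: mgmt01 reaches nginx01 on 22 via rule 20, while wks1 falls through to the logged drop, which is the line you will then see in the firewall log when debugging. Reply traffic only gets in through the `state established` rule 1, so a ruleset that forgets it breaks every session in that direction even though the forward rule looks right.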

Configure

  • Change the IP config in `sudo vim /etc/netplan/00-installer-config.yaml`

Click here to see config file 00-installer-config.yaml

  • try netplan: `sudo netplan try`
  • apply netplan: `sudo netplan apply`
  • set the hostname: `sudo hostnamectl set-hostname nginx-jude`
  • create user: `sudo adduser jude`
  • give user sudo: `sudo usermod -aG sudo jude`

Install NGINX

  • create a hole in the firewall (fw01) so my jump box can connect to the internet:

     set firewall name DMZ-to-WAN rule 999 action accept
     set firewall name DMZ-to-WAN rule 999 source address 172.16.50.3
    

  • install nginx:

    sudo apt update
    sudo apt install nginx -y
  • Edit the default page: `sudo nano /var/www/html/index.nginx-debian.html`

  • config file here index.nginx-debian.html

  • Start nginx:

    sudo systemctl enable nginx
    sudo systemctl start nginx

  • Access the web server from mgmt01

  • Edit the nginx site config (may not be needed): `sudo nano /etc/nginx/sites-enabled/default`

  • file can be found here default

Wazuh Agent

  • On MGMT: `scp wazuh-agent-4.3.10.deb [email protected]:`

  • On NGINX:

     sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' dpkg -i ./wazuh-agent-4.3.10.deb
     sudo systemctl daemon-reload
     sudo systemctl enable wazuh-agent
     sudo systemctl start wazuh-agent
    

DHCP Server

Reference: https://ubuntu.com/server/docs/network-dhcp

  • try netplan: `sudo netplan try`

  • apply netplan: `sudo netplan apply`

  • set the hostname: `sudo hostnamectl set-hostname dhcp-jude`

  • create user: `sudo adduser jude`

  • give user sudo: `sudo usermod -aG sudo jude`

  • install dhcp:

    sudo apt update
    sudo apt install isc-dhcp-server -y

    # Run as root (sudo -i): the redirection below writes into /etc/dhcp.
    cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup

    FILE="/etc/dhcp/dhcpd.conf"
    /bin/cat << EOM >$FILE
    subnet 172.16.150.0 netmask 255.255.255.0 {
        option routers 172.16.150.2;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 172.16.150.2;
        range 172.16.150.100 172.16.150.150;
        default-lease-time 3600;
        max-lease-time 14400;
    }
    EOM

    # On Ubuntu the isc-dhcp-server package provides the isc-dhcp-server unit
    # (dhcpd is the CentOS unit name). Set INTERFACESv4 to the LAN interface in
    # /etc/default/isc-dhcp-server before starting it.
    systemctl enable isc-dhcp-server
    systemctl start isc-dhcp-server
    systemctl status isc-dhcp-server
    
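A pool that overlaps a static address (wks01 at .50, mgmt01 at .10, or the gateway itself) produces intermittent duplicate-address failures that look just like firewall problems, which is why the hints say to get services working before locking anything down. The following is an added example, not from this wiki or from ISC: a Python check that parses the dhcpd.conf written by the heredoc above and verifies the range lies inside the subnet, avoids the network and broadcast addresses, covers none of the static LAN hosts from the IP table, and that the routers and domain-name-servers options are on-subnet. SAMPLE_DHCPD_CONF and STATIC_LAN_HOSTS are constructed here from the page's own values.

```python
import ipaddress
import re

# Constructed sample: the dhcpd.conf produced by the heredoc above.
SAMPLE_DHCPD_CONF = """
subnet 172.16.150.0 netmask 255.255.255.0 {
    option routers 172.16.150.2;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 172.16.150.2;
    range 172.16.150.100 172.16.150.150;
    default-lease-time 3600;
    max-lease-time 14400;
}
"""

# Static LAN addresses, constructed from the IP table on this page.
STATIC_LAN_HOSTS = {
    "edge01": "172.16.150.2",
    "fw-mgmt": "172.16.150.3",
    "mgmt01": "172.16.150.10",
    "wks01": "172.16.150.50",
}

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"^\s*range\s+(\S+)\s+(\S+)\s*;", re.M)
OPTION_RE = re.compile(r"^\s*option\s+([\w-]+)\s+([^;]+);", re.M)


def parse_dhcpd_conf(text):
    """Return one dict per subnet declaration: {network, ranges, options}."""
    subnets = []
    for net, mask, body in SUBNET_RE.findall(text):
        # strict=True: dhcpd itself rejects a subnet whose host bits are set
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in RANGE_RE.findall(body)]
        options = {key: value.strip() for key, value in OPTION_RE.findall(body)}
        subnets.append({"network": network, "ranges": ranges, "options": options})
    return subnets


def check_pool(subnet, static_hosts):
    """Return a list of human-readable problems; an empty list means the pool is sane."""
    problems = []
    network = subnet["network"]
    for low, high in subnet["ranges"]:
        if low > high:
            problems.append(f"range {low}-{high} is reversed")
        if low not in network or high not in network:
            problems.append(f"range {low}-{high} is outside {network}")
        if low == network.network_address or high == network.broadcast_address:
            problems.append(f"range {low}-{high} includes the network or broadcast address")
        for host, addr in static_hosts.items():
            if low <= ipaddress.ip_address(addr) <= high:
                problems.append(f"static host {host} ({addr}) lies inside the pool")
    for name in ("routers", "domain-name-servers"):
        value = subnet["options"].get(name)
        if value is None:
            problems.append(f"option {name} missing")
            continue
        for item in value.split(","):  # both options accept a comma-separated list
            if ipaddress.ip_address(item.strip()) not in network:
                problems.append(f"option {name} {item.strip()} is not in {network}")
    return problems


def audit(text, static_hosts):
    """Parse a whole dhcpd.conf and collect the problems of every subnet."""
    problems = []
    for subnet in parse_dhcpd_conf(text):
        problems.extend(check_pool(subnet, static_hosts))
    return problems


if __name__ == "__main__":
    print(audit(SAMPLE_DHCPD_CONF, STATIC_LAN_HOSTS) or "pool looks sane")
```

Run it against the real file with `sudo cat /etc/dhcp/dhcpd.conf` piped into the script, or paste the file into SAMPLE_DHCPD_CONF; on the page's config the audit returns no problems, and shrinking the range to start at .1 reports every static host it swallows.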
  • Wazuh Agent Setup

MGMT

   scp wazuh-agent-4.3.10.deb [email protected]:

On NGINX

   sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' dpkg -i ./wazuh-agent-4.3.10.deb
   sudo systemctl daemon-reload
   sudo systemctl enable wazuh-agent
   sudo systemctl start wazuh-agent

SSH Keypairs Windows -> Linux

On Windows

  • User Config/Hostname:

    $Password = Read-Host -AsSecureString
    New-LocalUser "jude" -Password $Password -FullName "jude" -Description "Hello me"
    Add-LocalGroupMember -Group "Administrators" -Member "jude"
    
    Rename-Computer -NewName "traveler-jude" -Restart
    
  • Network Config:

    • IPAddress 10.0.17.19
    • Subnetmask: 255.255.255.0
    • DefaultGateway 10.0.17.2
    • DNS server: 10.0.17.2

PowerShell as Admin

  # Install OpenSSH Server; skipped if the host key (and so the ssh folder) already exists
  if (!(Test-Path "C:\ProgramData\ssh\ssh_host_rsa_key")) {
      Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
  }

  # Start now and on startup
  Start-Service sshd
  Set-Service -Name sshd -StartupType Automatic

PowerShell as user

  # Generate Keys
  ssh-keygen.exe -f .\ssh-keys 

On MGMT

   sftp jude@10.0.17.19:ssh-keys.pub
   scp ssh-keys.pub jude@172.16.50.4:travel.pub

   ssh jude@172.16.50.4

On Jump

   sudo -i
   cat /home/jude/travel.pub >> /home/jude-jump/.ssh/authorized_keys
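The final `cat >>` appends travel.pub blindly: running it twice leaves a duplicate line, and a file that picked up a wrong line ending or a truncated blob on its way through sftp and scp simply never authenticates, with nothing in the client's output to say why. The following is an added example, not part of this wiki or of OpenSSH: a Python helper that validates a public-key line (the base64 decodes, and the key type stored inside the SSH wire-format blob matches the declared type) and appends it to authorized_keys content only if the same key is not already present. The sample key is built in the code from dummy bytes and is not a usable key.

```python
import base64
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type="ssh-ed25519", key_bytes=bytes(range(32)), comment="jude@traveler"):
    """Constructed sample in the '<type> <base64> <comment>' layout ssh-keygen writes.
    The key bytes are dummies, so the result is well-formed but not a real key."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Validate one .pub / authorized_keys line; return (type, comment) or raise ValueError."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from None
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("key blob truncated")
    embedded_type = blob[4:4 + length].decode("ascii", "replace")
    if embedded_type != key_type:
        raise ValueError(f"declared type {key_type!r} does not match blob type {embedded_type!r}")
    return key_type, comment


def add_authorized_key(existing_text, new_line):
    """Append new_line to authorized_keys content unless that key is already there.
    Keys are compared on type and blob, ignoring the comment. Returns (text, added)."""
    key_type, _ = parse_pubkey_line(new_line)
    new_blob = new_line.split()[1]
    for line in existing_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == key_type and parts[1] == new_blob:
            return existing_text, False
    if existing_text and not existing_text.endswith("\n"):
        existing_text += "\n"
    return existing_text + new_line.strip() + "\n", True


if __name__ == "__main__":
    sample = build_pubkey_line()
    text, added = add_authorized_key("", sample)
    print(added, parse_pubkey_line(sample))
    print(add_authorized_key(text, sample)[1])  # second add is a no-op
```

To use it on jump, read `/home/jude-jump/.ssh/authorized_keys`, pass the travel.pub line through add_authorized_key, and write the result back; sshd with the default StrictModes still refuses the file unless it is owned by that user with mode 600 and ~/.ssh is mode 700, so check those after writing.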