Challenge 34 Systems Security Analyst Crash Course - korzynski/NICE-Challenge GitHub Wiki

Important Note: Certain elements of this challenge are randomized, so your environment may be different in a number of ways. Pay careful attention and consider this a rough guide, not step-by-step instructions.

Important Note #2: As of this writing, the virtual environment is about 5 years old and many of the servers are significantly out of date. As a result, some tools do not work as they probably are meant to and most websites will not accept connections from the insecure browsers. In many ways, this provides a realistic simulation of starting a new position in a small company that has neglected security for a long time, but it also significantly increases the difficulty. Keep that in mind and try not to get discouraged.

Tasks

Root Certificates

  • Optional step to update Windows desktops for web browsing

Dev-Web (172.16.21.11) Windows 2008 R2 running IIS 6.1

  • Update WordPress to at least 5.0 and PHP to at least 7.2
  • Ensure user enumeration is blocked
  • Verify site is accessible and authentication works at dev-www.daswebs.com

pfSense (172.16.30.2)

  • Update pfSense (don't uninstall any packages)

Snort (172.16.30.2)

  • Update pfSense before enabling Snort
  • identify attack in capture.pcap and write rule to detect and alert (on all interfaces)
  • ensure alerts written to pfSense system logs

Nessus

Identify and resolve all issues identified in Nessus.html on Security-Desk:

Unable to access vuln. details on tenable.com website probably due to outdated browser (SSL_VERSION_OR_CIPHER_MISMATCH)

  • Plugin ID 90317: The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all. Remove the weak ciphers.
  • Plugin ID 70658: The SSH server is configured to support Cipher Block Chaining (CBC) encryption. Disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
  • Plugin ID 71049: The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Disable MD5 and 96-bit MAC algorithms.

Fileshare (172.16.30.32) FreeBSD

Apply access restrictions

  • Accounting: permit only Brimslock Stones
  • HR: permit only Sergio Chanel

Prod-Web (172.16.10.7) CentOS

  • Update Drupal to at least 8.6.x
  • Install Apache2 module ModSecurity
    • Implement OWASP core rule set (tar file in home directory on Prod-Web)
    • configure to intercept and block attacks
    • create rule to log auth attempts from 'admin' on Drupal site. Include text "admin sign in" when logged
  • implement suggested changes from Lynis scan (audit.log) on Security-Desk
    • change allow_url_fopen to off (disable PHP downloads)
    • Install Apache modsecurity
  • Configure WWW to use HTTPS
  • Use SSL to connect to MySQL instance on Database (172.16.20.4)

Domain-Controller (172.16.30.5) Windows Server 2008 R2

  • Run dictionary attack against AD instance using /usr/share/wordlists/rockyou.txt
  • flag compromised accounts to require password change
  • DO NOT FLAG uncompromised accounts

Root-Certs

This is not a necessary step, but it can prevent errors when attempting to browse the web from Windows desktops in the virtual environment. Due to the age of the installations, most machines do not trust the current Root Certificate Authorities and will not connect to secure websites. Installing a current browser and updating the trusted Root CAs will resolve this on Windows machines.

  • Install Chrome browser
  • Search for "windows urgent trusted root updates". The first link should be a Microsoft.com article with links to update the root certificate store.
  • Download and install the update for appropriate edition of Windows, then reboot.

Dev-Web

Upgrade PHP to at least 7.2

The Web Platform Installer is deprecated and no longer works, and the installed browser (IE8) is blocked by modern websites.

  • Install Chrome
  • Upgrade PHP
    • Download PHP 7.3 VC15 x64 Non-Thread Safe from windows.php.net

    PHP documentation recommends "If you are using PHP as FastCGI with IIS you should use the Non-Thread Safe (NTS) versions of PHP"

    • Extract archive to C:\program files (x86)\PHP\v7.3\
    • Download and install Visual C++ 2017 redistributable (x64) required dependency
    • restart server
    • Launch IIS Manager and select server name
    • Select PHP Manager and click Register new PHP version
    • Navigate to php-cgi.exe in new folder
    • click Check phpinfo() to verify PHP version

Now WordPress fails to launch. Multiple warnings in php-7.3.30_errors.log:
PHP Warning: Illegal string offset 'remember' in C:\inetpub\wwwroot\wp-includes\user.php on line 39
PHP Warning: Cannot assign an empty string to a string offset in C:\inetpub\wwwroot\wp-includes\user.php on line 39
PHP Warning: Illegal string offset 'user_login' in C:\inetpub\wwwroot\wp-includes\user.php on line 54
PHP Fatal error: Uncaught Error: Cannot create references to/from string offsets in C:\inetpub\wwwroot\wp-includes\user.php:54

  • To resolve, perform a manual WordPress upgrade, OR:
    • edit C:\inetpub\wwwroot\wp-includes\wp-login.php
    • find line 759 and change $user = wp_signon( '', $secure_cookie ); to $user = wp_signon( array(), $secure_cookie );

Upgrade WordPress to at least 5.0

  • Backup WordPress database (highly recommended)

    • From Dev-Web launch MySQL Workbench
    • connect to Daswebs_user
    • open Server > Export
    • select dasweb_site schema and select Export to self-contained file. Note file path c:\users\playerone\Documents\dumps\
    • click start export
  • Upgrade WordPress

    • Browse to wordpress.org and download the ZIP file containing the current wordpress version
    • Extract the archive to C:\inetpub\
    • Stop the Default site in IIS
    • Under C:\inetpub\ rename the original wwwroot folder to wwwroot.bak
    • Rename the newly extracted wordpress folder to wwwroot
    • in the new wwwroot folder delete the wp-content folder and copy the wp-content from wwwroot.bak
    • copy the wp-config.php file from wwwroot.bak to the new wwwroot folder
    • start the site in IIS
    • log into the admin interface, verify the email address and then launch the database update
    • verify WP version is at least 5.0
    • verify that WP is running on PHP 7.2 or higher
    • Tools > Site Health > Info > Server > PHP version
    • Resolve links returning 404 error
      • Navigate to Settings > Permalinks
      • Scroll down and Click Save Changes

Block user enumeration

  • Under Plugins > Add New Search, Install, and Activate Stop User Enumeration plugin

Verify site accessible and authentication works at dev-www.daswebs.com

  • From Security-Desk make sure you can access the website and log into the admin page

pfSense

Upgrade pfSense

  • Browse to 172.16.30.2 and log in
  • click the link to install the update
  • check the box to perform a full backup and then Invoke Auto Upgrade
  • go make some tea while you wait

Snort

Note: this is one of the tasks that is randomized.
Reference: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html
ensure pfSense has been upgraded before creating Snort rules

  • inspect capture.pcap to identify elements of a SYN flood:
    • high volume of SYN packets in short amount of time
    • each to a different destination port on the target
    • handy wireshark filter to discover SYN packets with no ACK: tcp.flags.syn == 1 && tcp.flags.ack == 0
  • In the pfSense web interface navigate to Services > Snort > Interfaces
    • Click Add
    • WAN is selected by default
    • Enable Send alerts to System Log
    • Click Save
    • Repeat for DMZ, OPT1 and OPT2 interfaces
  • write Snort rule to detect and alert of SYN flood on all interfaces
    • Under Snort Interfaces > WAN Rules, select Custom.rules and type the following:
      alert tcp any any -> any any (msg:"SYN Flood"; classtype:attempted-dos; flags: S; flow:not_established; detection_filter:track by_dst, count 50, seconds 1; sid:10001; rev:1;)

    This triggers on 50 SYN packets to a single destination within 1 second with no connection established, and classifies the alert as an attempted DoS.

    • Copy and paste in the custom rules for the other interfaces
    • Start snort on all interfaces
    • Check Snort > Alerts to verify rule is functioning
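The detection the Snort rule above expresses, worked through as an added Python example (not part of the wiki or the challenge materials): it builds a small constructed pcap in memory as a stand-in for capture.pcap, parses it with only the standard library, applies the Wireshark filter from the list (SYN set, ACK clear), and then models `detection_filter: track by_dst, count 50, seconds 1`, alerting on each packet that pushes a destination past 50 bare SYNs inside a one-second window. The addresses, ports and timing of the traffic are all constructed here.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic; the parser accepts either byte order
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame. Checksums are left at zero, which is fine for a
    parsing demo (no host ever receives these bytes)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(records):
    """records: iterable of (timestamp, frame_bytes). Returns the bytes of a classic pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip, sport, dport, tcp_flags) for every IPv4/TCP packet
    in a classic (non-pcapng) Ethernet capture; anything else is skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 54 or struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
            continue                                    # too short or not IPv4
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                                    # not TCP or truncated
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        flags = ip[ihl + 13]
        yield sec + usec / 1_000_000, src, dst, sport, dport, flags


def is_bare_syn(flags):
    """The Wireshark filter from the list: tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def detect_syn_flood(packets, count=50, seconds=1.0):
    """Model of `detection_filter: track by_dst, count N, seconds S` applied to bare SYNs:
    per destination, count matching packets in a window that starts at the first one and is
    reset once it is older than `seconds`; alert on every packet that pushes the count past
    `count` (the rate has to be exceeded for the rule to fire).
    Returns [(timestamp, dst_ip, syns_seen_in_window), ...]."""
    windows = {}                       # dst_ip -> [window_start, syns_in_window]
    alerts = []
    for ts, _src, dst, _sport, _dport, flags in packets:
        if not is_bare_syn(flags):
            continue
        state = windows.get(dst)
        if state is None or ts - state[0] > seconds:
            state = windows[dst] = [ts, 0]
        state[1] += 1
        if state[1] > count:
            alerts.append((ts, dst, state[1]))
    return alerts


def demo_capture():
    """Constructed stand-in for capture.pcap: 60 bare SYNs from a handful of sources to
    172.16.10.7, each to a different port, inside 0.3 s (the flood); 10 ordinary SYNs to
    172.16.20.4 spread over 0.2 s; and one SYN/ACK reply that the filter must ignore."""
    base = 1_600_000_000.0
    records = []
    for i in range(60):
        records.append((base + i * 0.005,
                        build_tcp_frame(f"10.0.0.{i % 5 + 1}", "172.16.10.7", 40000 + i, 1 + i, TCP_SYN)))
    for i in range(10):
        records.append((base + i * 0.02,
                        build_tcp_frame("172.16.30.32", "172.16.20.4", 50000 + i, 3306, TCP_SYN)))
    records.append((base + 0.31, build_tcp_frame("172.16.10.7", "10.0.0.1", 1, 40000, TCP_SYN | TCP_ACK)))
    records.sort(key=lambda r: r[0])
    return build_pcap(records)


def alerts_for(pcap_bytes, count=50, seconds=1.0):
    """Parse a capture and return the SYN-flood alerts it would raise."""
    return detect_syn_flood(parse_pcap(pcap_bytes), count, seconds)


if __name__ == "__main__":
    for ts, dst, n in alerts_for(demo_capture()):
        print(f"[{ts:.3f}] SYN Flood: {n} bare SYNs to {dst} within the window")
```

Run it as-is to see the ten alerts the flood produces; to try it on a real file, pass `open("capture.pcap", "rb").read()` to `alerts_for` (classic pcap only; export from Wireshark as pcap rather than pcapng if needed). Raising `count` or shrinking `seconds` shows how the threshold trades missed floods against noise from busy-but-legitimate servers.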

Nessus

Note: This task may be randomized
Reference: https://www.ssh.com/academy/ssh/sshd_config
Plugin ID 90317: The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all. Remove the weak ciphers.
Plugin ID 70658: The SSH server is configured to support Cipher Block Chaining (CBC) encryption. Disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Plugin ID 71049: The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Disable MD5 and 96-bit MAC algorithms.

  • SSH to the affected server
  • sudo nano /etc/ssh/sshd_config
  • Add the following lines near the top of the file:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha2-256,hmac-sha2-512
  • restart SSHD server
    sudo service ssh restart
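An added Python check (not from the wiki) that audits the global Ciphers and MACs lines of an sshd_config against the three findings above, so the fix can be verified offline before restarting sshd. The sample configurations are constructed; the CBC, MD5 and 96-bit patterns come straight from the plugin descriptions, while RC4 (arcfour) and the `none` cipher are assumed here to be what plugin 90317 means by "weak ... or no algorithm at all".

```python
import re

# Name patterns for what each Nessus finding on the page objects to. RC4 (arcfour) and
# "none" are an assumption for plugin 90317; the rest is taken from the plugin text.
WEAK_CIPHERS = [
    (re.compile(r"-cbc$"), "CBC-mode cipher (plugin 70658)"),
    (re.compile(r"^arcfour(128|256)?$"), "RC4 stream cipher (plugin 90317)"),
    (re.compile(r"^none$"), "no encryption at all (plugin 90317)"),
]
WEAK_MACS = [
    (re.compile(r"md5"), "MD5-based MAC (plugin 71049)"),
    (re.compile(r"-96(-etm@openssh\.com)?$"), "96-bit truncated MAC (plugin 71049)"),
]


def parse_global_directives(text):
    """Return {keyword.lower(): value} for the global part of an sshd_config.
    Mirrors sshd's rules: comment and blank lines are ignored, the first occurrence of a
    keyword wins, and parsing stops at the first Match block (Ciphers/MACs are global-only)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*[=\s]\s*(.+)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        directives.setdefault(keyword, value)
    return directives


def audit_algorithm_list(directives, keyword, weak_patterns):
    """Return [(keyword, algorithm, reason)] for every weak name the directive enables.
    A missing directive, or one using the +/-/^ prefixes, leaves the compiled-in default
    list in play, which an offline check cannot see; that is reported, and for "+" and "^"
    the names being added are still inspected."""
    value = directives.get(keyword)
    findings = []
    if value is None or value[0] in "+-^":
        findings.append((keyword, "<default>",
                         "built-in default list in effect; confirm it with `sshd -T | grep -i " + keyword + "`"))
        if value is None or value[0] == "-":
            return findings
        value = value[1:]
    for alg in value.split(","):
        alg = alg.strip().lower()
        for pattern, reason in weak_patterns:
            if pattern.search(alg):
                findings.append((keyword, alg, reason))
    return findings


def audit_sshd_config(text):
    """Audit the Ciphers and MACs lines the three plugins care about."""
    directives = parse_global_directives(text)
    return (audit_algorithm_list(directives, "ciphers", WEAK_CIPHERS)
            + audit_algorithm_list(directives, "macs", WEAK_MACS))


# Constructed samples: the kind of config Nessus flags, and the two lines the task adds.
WEAK_SAMPLE = """\
Port 22
Ciphers aes256-cbc,aes128-ctr,arcfour
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
"""
HARDENED_SAMPLE = """\
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        findings = audit_sshd_config(sample)
        print(f"{name}: {len(findings)} finding(s)")
        for keyword, alg, reason in findings:
            print(f"  {keyword}: {alg} - {reason}")
```

Point `audit_sshd_config` at the contents of /etc/ssh/sshd_config on the affected server after editing it; an empty result means every listed algorithm is one the three plugins accept. Because the check only sees the file, a `<default>` finding is a reminder to look at what the running daemon actually negotiates (`sshd -T` prints the effective configuration) rather than a vulnerability in itself.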

Fileshare

This section is under construction. Do not follow these steps or you might PERMANENTLY break the file permissions.

Reference: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Reference: https://www.freebsd.org/cgi/man.cgi?query=smb.conf

Apply access restrictions

  • SSH to Fileshare (172.16.30.32)
  • sudo nano /usr/local/etc/smb.conf

Note that the Domain Controller is the password server. Note also that the Accounting and HR shares are configured with vfs objects = acl_xattr, which means they use Windows NTFS4 ACL permissions.

  • log into a windows computer
  • Click Start and type Computer Management
  • Select Action > Connect to another Computer
  • type the IP of the file server
  • Expand system tools > Shared Folders > Shares
  • Right click a share, select Properties > Security and then click Edit
  • Highlight the Everyone entry and click Remove
  • Click Add type the first part of a username and click Check Names
  • Click OK, enable Modify and click OK
  • BORK

Prod-Web

Update Drupal to at least 8.6.x

reference: https://www.drupal.org/docs/updating-drupal/updating-drupal-core-manually

  • If you already know the Drupal version to update to, you can skip to the next bullet titled "Update Drupal"
    • Otherwise, to locate the current version you will have to browse the Drupal website from a functional browser.
    • Browse to https://www.drupal.org/project/drupal/releases/ and record the version number you will upgrade to (but don't download it)
    • I recommend doing this from a computer outside of the virtual environment.
  • Update Drupal
    • Open a web browser to the Prod-Web website (172.16.10.7)
    • log into Drupal and go to Administration > Configuration > Development > Maintenance mode
    • check "Put site into maintenance mode"
    • Save
  • Delete the files from the top-level directory as well as the core and vendor directories, leaving the modules, profiles, sites, and themes directories
    • navigate to the drupal install folder
    • remove core and vendor directories: rm -rf core vendor
    • remove the files from the top-level directory: rm -f *.* .[a-z]*
  • get new Drupal files
    • return to your home directory and download an updated Drupal package: wget https://ftp.drupal.org/files/projects/drupal-x.y.z.tar.gz (using the version number you recorded earlier)
    • extract: tar zxf drupal-x.y.z.tar.gz
    • copy the replacement files and folders to the drupal folder:
      cd drupal-x.y.z
      cp -R core vendor /path/to/your/drupal/directory
      cp *.* .[a-z]* /path/to/your/drupal/directory
  • update the database tables

Install Apache2 module ModSecurity

Never got any of this to work. It just broke the site. YMMV

Reference: https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache

  • sudo yum install mod_security mod_security_crs

Implement OWASP core rule set

  • extract the OWASP rules in the home directory: tar xzvf ./modsec_crs.tar.gz
  • navigate into the extracted folder and move the OWASP rules to the modsecurity directory:
    cd owasp-modsecurity-crs-3.0.2
    sudo mv rules/ /etc/httpd/modsecurity.d/
    sudo chown -R root:root /etc/httpd/modsecurity.d/rules/
    sudo nano /etc/httpd/conf.d/mod_security.conf
  • under #ModSecurity Core Rules Set configuration, add:
    Include modsecurity.d/rules/*.conf
  • verify that SecRuleEngine is On
  • sudo service httpd restart

Create rule to log auth attempts from 'admin' on Drupal site. Include text "admin sign in" when logged

Not completed

Implement suggested changes from Lynis scan (audit.log) on Security-Desk

Not completed

  • change allow_url_fopen to off (disable PHP downloads)
  • create new php.ini file: sudo nano /var/www/html/drupal/php.ini
  • add allow_url_fopen = off
  • save
  • sudo service httpd restart

implement additional requests

Not completed

  • Configure WWW to use HTTPS
  • Use SSL to connect to MySQL instance on Database (172.16.20.4)

Domain-Controller

Note: This task may be randomized
Test all AD passwords against rockyou.txt wordlist and flag any accounts with compromised passwords to change on next login

The designers want you to use Kali tools to do this, but most of the offline password cracking tools on that workstation are non-functional. Maybe they intend us to do an online brute force, but this seems unlikely since we have admin access to the DC.

With a bit of elbow grease, this can be done in Windows instead.

Obtain AD database

Reference: https://www.dionach.com/en-us/blog/active-directory-password-auditing-part-1-dumping-the-hashes/

  • From domain controller open an admin shell
    C:\> ntdsutil
    ntdsutil: activate instance ntds
    ntdsutil: ifm
    ifm: create full c:\audit
    ifm: quit
    ntdsutil: quit
  • Navigate to c:\audit and collect the files named ntds.dit and SYSTEM for use in the next step

Obtain password hashes

  • Download and install .NET Framework 4.6 Offline Installer (The web installer won't work)
  • Download and install NTDSAudit from https://github.com/Dionach/NtdsAudit/releases
  • run NtdsAudit.exe "ntds.dit" -s "SYSTEM" -p pwdump.txt --users-csv users.csv
  • this creates a file named pwdump.txt containing the NT password hashes

Crack the hashes

  • Download the Windows binary of John the Ripper from https://openwall.com/john
  • copy the rockyou.txt file from the Security-Desk machine
  • Extract the archive and run ./john.exe --format=nt pwdump.txt --wordlist=rockyou.txt to crack the hashes using rockyou.txt
  • If you rerun the command, john won't reprint hashes it has already cracked. To reprint, run ./john.exe --format=nt pwdump.txt --show

Flag the cracked accounts

Note the compromised account(s) might be different between instances

  • Log onto the Domain Controller and set the compromised accounts to require password change
  • DO NOT FLAG uncompromised accounts. This will permanently set the integrity check to red