Introduction

How do you set up, defend, and attack computer networks? This book is a gentle introduction to cyber operations for a reader with a working knowledge of Windows and Linux operating systems and basic TCP/IP networking. It is the result of more than 10 years of teaching a university capstone course in hands-on cyber security.

It begins by showing how to build a range of Windows and Linux workstations, including CentOS, Mint, OpenSuSE, and Ubuntu systems. These can be physical or virtual systems built with VMWare Workstation or VirtualBox. Kali Linux is introduced and Metasploit is used to attack the browsers on these systems. A range of attacks are demonstrated, including attacks against Internet Explorer, Firefox, Java, and Adobe Flash Player. These attacks all leave traces on the target and the network that can be found by a savvy defender, and these methods are demonstrated.

This interplay between setup, attack, and defense forms the core of the book. It continues through the process of setting up realistic networks with DNS servers and Windows Active Directory. These networks are then attacked, and techniques to escalate privileges from local user to domain user to domain administrator are developed. These attacks leave tracks in the system logs that can be traced by defenders familiar with Windows and Linux logs. Of course, networks are built to provide services to users, so the book continues with an introduction to common services, including SSH, FTP, Windows file sharing, and Remote Desktop. An attacker that has gained access to a system wants to retain that access, so persistence mechanisms and malware are introduced, followed by defensive techniques and methods to detect, analyze, and remove Metasploit persistence scripts.

Next are web servers, both IIS and Apache. These are configured, including using signed SSL/TLS certificates, attacked via a range of techniques, and defended with tools such as ModSecurity. Real networks do not use a flat network topology, so network firewalls based on IPFire are introduced to separate the network into components and filter traffic in and out of the network. Databases are added to the network, and intrusion detection systems are used to defend it. The book concludes with an introduction to PHP and PHP-based web applications, including WordPress, Joomla, and Zen Cart.

How to Read This Book

This book is designed for readers who are comfortable with Windows, Linux, and networking who want to learn more about the operational side of cyber security. It is meant to be read hand in hand with systems; indeed the only way to learn cyber operations is to lay hands on a keyboard and work. Set up the various systems described in the book, try out the attacks, and look for the traces left by the attacks. Initially you may want to follow the text closely, but as you gain proficiency it is better to use the text only as a guide and starting place for your own explorations.

About the Systems

The book covers systems as they were used between 2008 and 2013. These systems should be patched now, so showing how to attack them today poses little risk to currently deployed systems. Back in the day though, these systems were vulnerable to these exploits even though they were fully patched at the time. The defensive techniques discussed throughout the book retain their value and can be used to defend even current systems from new attacks.

This book makes extensive use of Metasploit, and it is important to respect the fact that Metasploit is a cutting-edge tool that remains under active development. The various modules that are used in the examples in the text may have been modified since this book was written, and some examples may work differently or not at all. Even during the year it has taken me to write this book, some Metasploit modules were modified. Note also that some Metasploit modules can be, well, finicky. For example, while I was working with one exploit module, I discovered that it would fail on some Kali systems and succeed on an essentially identical Kali system. After some experimenting and digging through Wireshark captures, I discovered that the exploit worked for some IP addresses and failed for others. Apparently the exploit encoded the callback address incorrectly, but only in some cases. As another example, in June 2015, an update to Kali prevented Metasploit from starting; it took about a week before the issue was resolved.1 However, these types of issues are normal and expected.

How This Book Is Structured

The book is divided into 18 chapters. When I use this material in my university capstone course, my students cover roughly one chapter each week. This book has more material than can be covered in a single semester course; I pick and choose the topics covered in class.

  • Chapter 1, "System Setup," describes the process of setting up a testing environment using either VMWare Workstation or VirtualBox, including configuring private and protected networking. Instructions on how to install systems from 2008–2013, including Linux (CentOS, Kali, Mint, OpenSuSE, and Ubuntu) and Windows (Windows 7, Windows 8, Windows Server 2008, 2008 R2, 2012, and 2012 R2) are provided. The installation includes a complete ecosystem with Firefox, Java, and Flash Player.
  • Chapter 2, "Basic Offense," covers the use of Metasploit on Kali to attack systems through the browser. This includes direct attacks against Internet Explorer and Firefox, as well as attacks against Java and Adobe Flash Player. Both Windows and Linux systems are targeted. Basic Metasploit and Meterpreter commands are shown, and Armitage is introduced.
  • Chapter 3, "Operational Awareness," covers the use of Windows and Linux tools and examines users, processes, and network connections on a system; this is supplemented by the use of network sniffing tools such as tcpdump, Wireshark, and Network Miner. Together, these tools are then applied to detect the signs left by the attacks from Chapter 2.
  • Chapter 4, "DNS and BIND," introduces the setup and configuration of BIND DNS servers on both Windows and Linux systems. A simple DNS environment is built, with master and slave servers; the chapter includes advanced topics like forwarders and recursion. Common tools to query DNS servers like nslookup and dig are presented. DNS amplification attacks are a kind of distributed denial of service attack; these are demonstrated as well as methods to prevent a server from being used in such an attack.
  • Chapter 5, "Scanning the Network," describes NMap, and how it can be used for host detection and network scanning. NMap can also be used from within Metasploit, and can store scan results in the Metasploit database.
  • Chapter 6, "Active Directory," covers the process of configuring a Windows domain using Windows servers (2008, 2008 R2, 2012, and 2012 R2). Test domains are built with both Windows systems and Linux workstations using PowerBroker Open. Domain members are managed using a range of tools, including PowerShell, psexec, and Group Policy.
  • Chapter 7, "Attacking the Domain," demonstrates how to move from a local unprivileged account on a domain member to gain SYSTEM access, then to an account on a domain controller, then to a domain administrator account. John the Ripper is used to attack password hashes, and Mimikatz is demonstrated. Privilege escalation in Linux systems is also demonstrated.
  • Chapter 8, "Logging," describes the logging systems on Linux and Windows. The traces left in the logs by the privilege escalation attacks in Chapter 7 are identified. Remote logging servers are created that integrate logs from multiple systems.
  • Chapter 9, "Network Services," begins with SSH and covers its installation, key generation, secure configuration, and use on Windows and Linux. A Man in the Middle attack against SSH protocol 1 is demonstrated. Methods to share files via FTP servers, Windows file shares, and Linux Samba file shares are shown. Remote Desktop on Windows is introduced.
  • Chapter 10, "Malware and Persistence," covers the creation of malware, including document-based and stand-alone malware. Persistence mechanisms, including Kerberos golden tickets and sticky keys attacks, are demonstrated. Malware is analyzed with a range of tools, including Bokken and ProcDot. Techniques for detecting and removing Metasploit persistence scripts are demonstrated.
  • Chapter 11, "Apache and ModSecurity," covers the installation and configuration of Apache and ModSecurity on both Linux and Windows systems. A range of features are presented, including the use of per-user directories, directory aliases, CGI scripts, virtual hosts, and basic authentication. Servers are configured to use SSL/TLS, including self-signed certificates as well as the creation of a separate signing server.
  • Chapter 12, "IIS and ModSecurity," covers the installation and configuration of IIS and ModSecurity on Windows Servers, including SSL/TLS and access control mechanisms.
  • Chapter 13, "Web Attacks," begins by showing how to extract saved credentials from browsers. Man in the Middle attacks against SSL/TLS protected sites using Ettercap are demonstrated, including the use of sslstrip to prevent certificate warnings. Attacks against password protected web sites using Burp Suite and using custom tools are demonstrated, as well as defenses against these attacks. Common attacks against web servers, including Slowloris and Heartbleed, are shown, along with appropriate countermeasures.
  • Chapter 14, "Firewalls," introduces network firewalls based on the IPFire distribution. These can be used in a real or a virtual network to create internal networks and a DMZ. Egress filtering and web proxies can make a network much more resistant to attack. Attacks through the firewall are presented, including the use of SSH proxies, proxychains, and Metasploit pivots as ways to route traffic to protected assets. Shellshock is used to attack the IPFire system itself.
  • Chapter 15, "MySQL and MariaDB," shows how to install and configure MySQL and MariaDB on both Windows and Linux. Common attacks are presented.
  • Chapter 16, "Snort," introduces the intrusion detection system Snort, including the use of Barnyard2 to store the resulting alerts in a MySQL/MariaDB database.
  • Chapter 17, "PHP," discusses PHP, including its installation on Linux and Windows; it also covers XAMPP. Attacks on PHP applications through common vectors like globally registered variables and remote include vulnerabilities are described and countermeasures discussed.
  • Chapter 18, "Web Applications," covers Snort Report, BASE, phpMyAdmin, Joomla, WordPress, and Zen Cart. Each application is installed, common attacks discussed, and defensive countermeasures described.

Contacting the Author

You can reach Mike O’Leary at [email protected]. If you are a student or a faculty member participating in a Collegiate Cyber Defense exercise and you find this book helpful, I would love to hear from you.

___________________

1 See https://github.com/rapid7/metasploit-framework/issues/5553 or https://community.rapid7.com/thread/7388.
