Penetration testing has been the point of this course. Performing a live penetration test against a production network from time to time can result in the discovery of security holes. Those security holes discovered during a penetration test might allow an attacker to gain unauthorized access to an organization's data, and use that data for their own purposes. Any exposure of sensitive corporate information could cost an organization a large sum of money, or the ability to do business at all, whether through damage to its reputation or through legal consequences. For that reason penetration testers and security consultants make “the big bucks.” However, in order to become a successful security practitioner we need to start somewhere.
In lab seven, we will be building on the results of all previous labs. With that in mind, the point of lab seven is threefold: first, to secure a target machine against attack; second, to actually attack an adversary's machine; and third, to gather and report forensic data after a successful attack.
Breaking Blue: Automated Red Teaming Using Evolvable Simulations by Stephen Upton, Sarah Johnson, and Mary McDonald
In this article the authors talk about automated red teaming. The military defense community has used the red teaming technique with great success. The authors talk about automating this process using evolutionary algorithms and agent-based simulations. The system runs millions of simulations, through which it learns to thwart, evade, or exploit gaps in the blue team's defenses. The authors developed a test scenario with evolutionary algorithms. They used a simple mutation operator and tournament selection and ran the algorithm for 25 generations, which produced only 100,000 runs. According to the authors this was a sufficient volume of data.
Cyberattacks: A lab-Based Introduction to Computer Security by Amanda M. Holland-Minkley
This article describes how the department of Information Technology Leadership at a liberal arts college answered the need to teach information security to entry-level and non-technology students. The department created a new course called Cyberattacks, which would attract several types of students. According to the author, the class has been a success both times the course was offered. Several students have continued taking classes within the department and some have even changed majors. The author goes into detail about the setup of the laboratory and the labs the students do throughout the course of the class.
Defense Against the Dark Arts by Mark Bailey, Clark Coleman, Jack Davidson
This article is similar to the previous article, Cyberattacks: a computer science department is struggling to keep enrollment up. According to the article, enrollment in their computer science department was declining and they were looking for a way to reconnect with students. Their solution, similar to the previous article, was to show students techniques for defending against viruses. They too gave the class an attractive name, Defense Against the Dark Arts. After the course was introduced, the department also saw an improvement in attendance. Both classes that were offered were filled with students. The authors reported that the two classes were a success with students.
Protocol Preventing Blackbox Tests of Mobile Agents by Fritz Hohl and Kurt Rothermel
In this article the authors talk about developing a protocol to prevent blackbox tests against mobile agents. The protocol proposed “uses registries, i.e. services on other, trusted nodes” (p. 1). The input data can also be hashed to be used as “some kind of challenge which ensures enough freshness of messages between an agent and a registry”. From the point of view of the attacker, the “input and output of the blackbox can be observed by the attacker, and it is possible to execute the agent” (p. 2). The authors define the blackbox characteristics of mobile agents that can be protected. The authors mention that executing the testing techniques several times with different input parameters can be done sequentially or in parallel.
Investigating Sophisticated Security Breaches by Eoghan Casey
In this article the author talks about how investigating cyber crimes requires “out-of-the-box forensic” work (p. 49). The author goes on to talk about how computer security professionals and digital investigators should and can work together. When an investigation is underway, a team of information security professionals should be doing the digital investigating. The team should have a wide range of skills such as “information security, digital forensics, penetration testing, reverse engineering, programming, and behavioral profiling” (p. 50). Investigations are often quickly paced and can cross several law enforcement jurisdictions.
There were four main parts to the completion of lab seven. First, we created a penetration-hardened target machine. We secured the machine using the NIST security checklist for Windows Server 2003; since our target machine ran Windows Server 2003, this seemed appropriate. We specifically applied the patch settings specified by NIST and updated the system to the latest patch level. We changed the administrator account name to “youwillnevergetin” and the password to “M@ryh@d@little”. We turned up all of the security logging provided by Windows Server 2003. We disabled all settings and services related to NetBIOS, the computer browser, and the remote registry. Finally, we enabled the Windows firewall with only one exception, remote desktop protocol (RDP) on port 55581 instead of the typical 3389. However, accessing our system via RDP required more than just connecting on the correct port. The firewall rule also only allowed access from a specific IP address. In order to obtain RDP access to our machine, one would first need to RDP to the machine with the IP address specified in the firewall rule. Then they would have to start another RDP session to our target machine on the port specified. We also enabled Wireshark on one of our Windows XP machines with a capture filter of our target machine's IP address to observe possible attacks. We performed these steps to ensure that our attacking team, team one, would not be able to penetrate our target machine. This was done using virtual machines running on VMware Workstation inside Citrix Presentation Server on the subnet 126.96.36.199/24. We then emailed our adversary (team one) our target machine's IP address of 188.8.131.52. The window during which we had to protect the machine was from 7/22/2009 5pm until 7/25/2009 11pm, all times in Central Daylight Time.
The second part of the lab was to create an exploit plan against our chosen target machine. Team three was chosen for us, by the professor, as our primary adversary. Fully knowing the extent to which team three would go to protect their systems, a plan was formed. That plan was actually very simple; our exploit plan for team three was based on layer eight of the OSI reference model. Due to the nature of our exploit plan, I am forbidden from discussing it in any further detail. This was performed outside of the VMware / Citrix environment and on 7/22/2009. The third part of the lab was to actually attack our adversary. Based on our exploit plan, we first placed a packet capture with a filter of team three's IP address (184.108.40.206) in motion. We were able to gain access to team three's systems on the first attempt, using our layer eight exploit. We attempted to place the required file detailing our successful exploit on the root of team three's C: drive, but failed. In an attempt to scare team three we placed an empty text file with our team name on the desktop of the user we broke into their systems with, and later deleted it. This was achieved on 7/23/2009, multiple times, on team three's target virtual machine. This task was performed as a result of our exploit plan per the direction of the lab design. Once we had completed our plan against team three, we discovered that team one had lax security measures in place on their target machine, and we exploited it. There was no plan in place, as we did not intend to do so in the beginning. However, on 7/24/2009, we successfully placed the required text file at the root of team one's target C: drive. This was accomplished using Metasploit, and was performed because team one was our attacking team.
The fourth and final part of the lab was a forensic analysis of our target system. Three items exist: a declaration of “no joy” by team one, the absence of a text file at the root of our C: drive from any team, and the captured packets for our target machine. Based on these three items, all of which came out after the attack window, on 7/26/2009 at 12pm CDT, we did not need to perform a forensic analysis.
We were not able to completely exploit team three's target machine because they changed the access rights on the root of their C: drive from the default to read-only for the user we gained access with. We found that team three attempted to obfuscate their chosen operating system by installing SSH on Windows XP SP3 and calling the user who had access to SSH “not_root.” We discovered that the administrator account was renamed to “the_big_one.” We found that the lab imposed no requirement either to attack only our chosen team or to refrain from ganging up on any team. With that in mind, team five and team two were able to exploit team one's target machine on the first attempt using Metasploit and the MS04_007 killbill and MS04_011 lsass exploits. This was accomplished after an NMAP scan revealed default open ports of 137, 139, and 445 on team one's target machine. We received team one's target IP address of 220.127.116.11 from team five. The exploit was achieved on 7/24/2009. We also found that the packet capture placed on team three's machine provided next to no information, but the one we placed on our target machine was useful in determining a lack of successful attack. We did not find any text file on the root of the C: drive detailing a successful attack by any team, including team one. This meant that we did not need to perform a forensic analysis, as we were successful in defending our target machine from attack.
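The defensive setup described earlier (a capture filtered to the target's address, NetBIOS services disabled, RDP moved to port 55581 and allowed from one source address only) and the observation that an unhardened target exposes ports 137, 139, and 445 both suggest a quick review of the capture once the attack window closes. The following Python script is an added example, not part of the lab report or of any tool it mentions. It reads a constructed, simplified one-packet-per-line capture summary (the column layout is an assumption, not a real Wireshark export) and flags three things a defender would want to know: sources probing the disabled NetBIOS/SMB ports, connection attempts on the default RDP port, and connections to the custom RDP port from any address other than the permitted jump host. All addresses in it are constructed placeholders.

```python
"""Review a capture summary for a hardened host: NetBIOS/SMB probes and RDP policy violations."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# All addresses are constructed placeholders (RFC 5737 TEST-NET), not the lab's real hosts.
TARGET_IP = "192.0.2.10"             # the hardened target; stands in for the Wireshark capture filter
ALLOWED_RDP_SOURCE = "192.0.2.20"    # hypothetical jump host the firewall rule permits
RDP_PORT = 55581                     # non-default RDP port used in the lab report
DEFAULT_RDP_PORT = 3389              # the port a scanner expects RDP on
NETBIOS_SMB_PORTS = {137, 139, 445}  # services disabled on the target, so any probe is noteworthy

# Constructed capture summary, one packet per line:
#   timestamp src sport dst dport proto flags   (flags: S = SYN, SA = SYN/ACK)
SAMPLE_CAPTURE = """\
2009-07-23T21:14:02 192.0.2.99 51422 192.0.2.10 137 TCP S
2009-07-23T21:14:02 192.0.2.99 51423 192.0.2.10 139 TCP S
2009-07-23T21:14:02 192.0.2.99 51424 192.0.2.10 445 TCP S
2009-07-23T21:14:05 192.0.2.99 51425 192.0.2.10 3389 TCP S
2009-07-23T21:20:11 192.0.2.20 49200 192.0.2.10 55581 TCP S
2009-07-23T21:20:11 192.0.2.10 55581 192.0.2.20 49200 TCP SA
2009-07-23T21:21:40 192.0.2.99 51430 192.0.2.10 55581 TCP S
this line is malformed and must be skipped, not crash the run
2009-07-23T21:25:00 192.0.2.30 40000 192.0.2.10 80 TCP S
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one summary line; return None for anything that does not fit the layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, flags = parts
    try:
        return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                "dport": int(dport), "proto": proto, "flags": flags}
    except ValueError:
        return None


def analyze(lines) -> dict:
    """Classify inbound TCP connection attempts (pure SYN) against TARGET_IP."""
    probes: Dict[str, set] = defaultdict(set)
    rdp_violations: List[Tuple[str, str]] = []
    default_rdp_probes: List[Tuple[str, str]] = []
    allowed_rdp_sessions = 0

    for line in lines:
        pkt = parse_line(line)
        # Apply the same filter the capture used: only traffic toward the target.
        if pkt is None or pkt["dst"] != TARGET_IP or pkt["proto"] != "TCP":
            continue
        if pkt["flags"] != "S":          # replies and established traffic are not new attempts
            continue
        dport, src = pkt["dport"], pkt["src"]
        if dport in NETBIOS_SMB_PORTS:
            probes[src].add(dport)       # the ports an NMAP scan finds open on an unhardened host
        elif dport == DEFAULT_RDP_PORT:
            default_rdp_probes.append((pkt["ts"], src))
        elif dport == RDP_PORT:
            if src == ALLOWED_RDP_SOURCE:
                allowed_rdp_sessions += 1
            else:                        # reached the custom port, but not from the jump host
                rdp_violations.append((pkt["ts"], src))

    return {
        "netbios_probes": {src: sorted(ports) for src, ports in probes.items()},
        "rdp_policy_violations": rdp_violations,
        "default_rdp_probes": default_rdp_probes,
        "allowed_rdp_sessions": allowed_rdp_sessions,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{key}: {value}")
```

On the constructed sample, one source touches all three NetBIOS/SMB ports within a second and then tries both the default and the custom RDP port, which is exactly the pattern the firewall rule and the disabled services were meant to absorb; the single connection from the jump host is counted as an allowed session. Malformed lines are skipped rather than aborting the review, since a capture exported by hand rarely comes out perfectly clean.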
We had two issues with the lab. First, on 7/24/2009 we cried foul against team three. While they discovered the attack we performed against them and shut down their system for one hour, they changed their account passwords in that offline hour. This was a clear violation of the rules of the lab. However, the professor's judgment on the incident resulted in no sanctions against team three. Team two takes issue with this because the point of the lab, in team two's opinion, is to show both how penetration testing works and how digital forensics factors in by monitoring and documenting suspicious activity. By changing their passwords and taking the system offline, team three defeated that purpose. A MUCH more intelligent thing to do would have been to turn up all manner of logging BEFORE the exercise began, not to change account passwords. If team three had done this, team two would never have known, they would not have scared off their attacker, we would not be here now, and their results would be that much more interesting. As the professor always states, failure is an option. In information security it is not a question of if we get attacked, but when, and what we do then. In real life, contacting the authorities (aka the professor) would result in your systems being taken offline until the investigation was complete. That renders you unable to conduct business, and therefore out of a job. While that is a valid course of action, I question team three's choice to run away rather than deal with the problem.
Second, the IP address provided by team one to team five was 18.104.22.168, which when attacked was a Windows machine whose root was C:. However, team one is reporting no files found in /root/. This presents an issue in that they either sent out the wrong IP address, they did not disable DHCP, or they placed a “root” directory on C: (C:\root) and indeed there is no file there. If any of the above are true
Performing a penetration test against an adversary can be a very rewarding, if not scary, process. The thrill of actually breaking the security measures put in place, in a capture-the-flag style approach, can be an extreme high. However, once you realize that what you achieved happens every day and can cost the company you work for its ability to do business, coming off that high is a traumatic experience. Using the tools and techniques presented to us in this course to perform a live penetration test on lab systems was a truly amazing conclusion to the course. By realizing that layer eight is more than just an idea, but a very real exploitable layer of the OSI model, we truly realize that people are the weakest link. By enacting a good employee training program, and combining it with a progressive technological and policy-based approach to information security, we can rest a little easier knowing that we have applied the concepts in this course to real-life stakes, and have done so successfully.
Bailey, M., Coleman, C., & Davidson, J. (2008). Defense Against the Dark Arts (pp. 315-319).
Casey, E. (2006). Investigating Sophisticated Security Breaches (pp. 48-55).
Hohl, F., & Rothermel, K. (1999). A Protocol Preventing Blackbox Tests of Mobile Agents (pp. 1-12).
Holland-Minkley, A. (2006). Cyberattacks: A Lab-Based Introduction to Computer Security (pp. 39-45).
Johnson, S., McDonald, M., & Upton, S. (2004). Breaking Blue: Automated Red Teaming Using Evolvable Simulations. GECCO (pp. 1-3).