Blog 12: Lab 14

In this lab I am going to use a software application for website security testing and teaching called Damn Vulnerable Web App (DVWA). I read that it is a dynamic website (the content of each page is pulled out of a MySQL database using the server-side scripting language PHP) with deliberately open vulnerabilities, built to teach web developers and students about the threats to web applications.

Exercise 1: Installing XAMPP

I am going to install the local web server XAMPP on my server VM. But before I did that I removed the network adapter of the client VM and added a new network adapter, making sure that it used the VMXNET3 adapter type. However, after creating this new network adapter (and starting up then logging into the server VM) I could not log into my client with the CLASSROOM\Administrator account. I tried restarting the VMs and reverting all my VMs to the ‘Final snapshot’ snapshot, but I still could not log into the client with this account. So I decided to log into the client VM using the local admin account CLIENT\Admin and re-add the client VM to the classroom.local domain.

To do this on the client I went to File Explorer->‘Computer’ tab->System Properties.

Then I selected the “Change” button in the dialog window that appeared, ticked the Workgroup radio button, wrote in the name “workgroup” and clicked “OK”. A window then appeared asking for the client to be restarted, which I did.

Then when I logged back into the client VM with the CLIENT\Administrator account I went back to the Computer Name/Domain Changes window, selected the ‘Domain’ radio button, wrote in the name ‘classroom.local’ (as you can see in the below screenshot) and then clicked “OK”.

When the restart window appeared I selected to restart the client VM, and I found I could then log in with the CLASSROOM\Administrator account. So now that I have set up my client VM so I can log in with the classroom.local account, I can install XAMPP on the server VM. I am familiar with using XAMPP from my WEB601 class.

I logged into the server VM with the account CLASSROOM\Administrator and then in Server Manager I went to Tools->Services.

Then I right-clicked on World Wide Web Publishing Service and selected ‘Properties’.

In the resulting dialog box I disabled World Wide Web Publishing Service (by selecting Disabled from the drop-down box for Startup type) and stopped the service (by selecting the ‘Stop’ button). Then I clicked ‘OK’.

Then I went to the Change User Account Control settings from the start menu. I then changed the UAC setting so I am never notified about changes to my server.

Then in the c:\GTSLABS folder I clicked on the XAMPP installer file.

A warning dialog box about the User Account Control appeared and I clicked “ok”.

I then went through the installation process and unticked the XAMPP components FileZilla FTP Server, Mercury Mail Server and Tomcat.

I then went through the rest of the installation process (keeping the default installation folder), and then when the XAMPP Control Panel appeared I started the Apache and MySQL servers and I know these services are now running because Apache and MySQL are highlighted green.

I could see that Apache uses ports 80 and 443, whereas MySQL uses port 3306.

Exercise 2: Installing DVWA

I will now put the PHP and MySQL files of the DVWA on the XAMPP server so I can access the DVWA from the client.

I will then configure the Windows Firewall to allow the hosts in my virtual network to access the XAMPP server.

I extracted all the contents of the DVWA-1.0.8 folder from inside my c:\GTSLABS folder to c:\xampp\htdocs.

Then in the c:\xampp\htdocs folder I renamed the ‘DVWA-1.0.8’ folder to be named ‘DVWA’.

Then I opened the config.inc.php file inside the c:\xampp\htdocs\dvwa\config folder.

When a message appeared asking me to choose an app to open this file, I selected Notepad.

I found the line setting the default password of the DVWA to p@ssw0rd.

I deleted the password so that there is now no password set in order to access the DVWA.

I now have to create a new firewall inbound rule to allow hosts in the network to access the DVWA.

To do this I went to Windows Firewall with Advanced Security->Inbound Rules and clicked to add a new rule. I specified that the rule applies to a port (as the below screenshot shows).

The port numbers I am going to let through the Windows Firewall are the Apache and MySQL ports 80, 443 and 3306. This will allow the client VM to access the web files stored in XAMPP's htdocs folder (the folder which by default contains the web folders in XAMPP), which in this case are the DVWA files.

To ensure that these ports allow inbound traffic to the DVWA I made sure that ‘Allow the connection’ was set.

I also made sure that this firewall inbound rule was applied to the domain (all computers connected to the classroom.local domain), private and public networks, because although the DVWA is supposed to simulate a vulnerable website, it must still be open to hosts outside of the classroom.local network, and so I must open these ports to the public network as well.

I gave the firewall rule the name XAMPP.

So now I have a new inbound firewall rule called XAMPP.

I opened up a Run dialog and wrote in the URL ‘http://server/dvwa’.

The login page of the DVWA appeared, except that no database had been set up. To set the MySQL database up I clicked on the ‘here’ link.

I then had to add the http://server website to my list of trusted websites in Internet Explorer.

After doing so I was able to create a database by clicking on the ‘Create/Reset Database’ button, and as you can see in the below screenshot a MySQL database with users and guestbook tables has been created and filled.

I then logged into the DVWA website with the username ‘admin’ and the password ‘password’.

In the DVWA Security webpage I changed the vulnerability of the DVWA to ‘low’ which I submitted. This will make it easier for me to simulate an attack on the DVWA web application.

Exercise 3: Exploiting a command execution vulnerability

I will now use the DVWA command execution vulnerability to make the server hosting the DVWA perform an arbitrary command.

I clicked on the ‘Command Execution’ button in the DVWA website.

Then I typed in the name ‘server’ to the IP address box and submitted this in order to get the DVWA command execution to ping the server VM it is running on. I noted that the approximate size of the packets is 32 bytes.

Then I wrote ‘-l 800 server’ into the IP address box and submitted this command, and I noticed that the packets were substantially larger than when I just typed ‘server’ into the IP address box. The packets for the ‘-l 800 server’ command were 800 bytes.

I then typed in ‘/?’ and this displayed a list of possible commands I can enter into the IP address box in the DVWA command execution page. These commands are also commands I can perform in the Command Processor. Many of the commands were ping syntax extensions, for example ping -t, which will not just ping four times but will continue to ping the host until you stop it by pressing Ctrl+C.

Then I entered the command ‘server | dir’. This showed the contents of the exec directory inside the c:\XAMPP\htdocs\dvwa\vulnerabilities folder. The reason why these files were shown is that the command execution page I am currently working on is the index.php file of the c:\XAMPP\htdocs\dvwa\vulnerabilities folder on the server, and so when I write in dir it shows the files on the server around this web file.
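
As an added example (not DVWA's own code), here is a Python model of the defect behind this page and its fix: the vulnerable builder concatenates the submitted value onto a ping command the way the low-security page does before handing it to the shell, while the hardened version allow-lists the value as an IP address or hostname and runs ping with an argv list and no shell. The inputs tried above (‘server’, ‘-l 800 server’, ‘server | dir’) are the sample values; the helper names are my own.

```python
"""Model of DVWA's low-security "ping a host" feature and a hardened version.

Added example, not DVWA's own code. The vulnerable builder mirrors the page's
behaviour: the submitted value is appended to a ping command and run through
a shell, so switches and extra commands ride along. The hardened version
allow-lists the value and passes it as a single argv element, with no shell.
"""
import ipaddress
import re
import subprocess
import sys
from typing import List

# One or more RFC 1123 style labels (letters, digits, hyphen; no leading or
# trailing hyphen) joined by dots. Spaces, '|', '&', ';' etc. cannot match.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target: str) -> str:
    """Command line the low-security page effectively runs.

    'server'          -> ping server
    '-l 800 server'   -> ping -l 800 server     (the user chose a ping switch)
    'server | dir'    -> ping server | dir      (the user appended a command)
    """
    return "ping " + target


def is_safe_target(target: str) -> bool:
    """Allow-list check: a literal IP address or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME.match(target) is not None


def hardened_command(target: str) -> List[str]:
    """argv for ping with the validated target as one element.

    Raises ValueError for anything that fails the allow-list. Because the list
    is executed without a shell, a '|' or a leading '-' inside the value could
    only ever reach ping as a literal host name, and the validator rejects it
    before that anyway.
    """
    if not is_safe_target(target):
        raise ValueError("rejected target: %r" % target)
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, "4", target]


def run_ping(target: str, timeout: float = 10.0) -> str:
    """Validate, then run ping without a shell and return its output."""
    argv = hardened_command(target)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return completed.stdout


if __name__ == "__main__":
    for value in ("server", "10.1.0.1", "-l 800 server", "server | dir"):
        print("%-16s vulnerable=%r" % (value, vulnerable_command(value)))
        try:
            print("%-16s hardened=%r" % ("", hardened_command(value)))
        except ValueError as exc:
            print("%-16s hardened: %s" % ("", exc))
```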

Exercise 4: Exploiting a SQL injection vulnerability

Having worked with PHP and MySQL in WEB602, this will be an interesting task to see how at risk web applications are from SQL injection.

I clicked on the ‘SQL Injection’ button in DVWA.

Into the UserID text input box I submitted the number ‘2’, and a single user record from the MySQL user database appeared: that of the user Gordon Brown, who has the UserID of 2.

When I submitted the word ‘hello’ into the UserID textbox no data from the database was returned, as the below screenshot shows.

When I submitted a single quote symbol an error message appeared stating “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1”. This tells us that the DVWA application works by submitting a SELECT database query, and the value entered into the UserID box is the condition that SQL searches for a match for in the database.

When I submitted 1' or '1'='1 into the UserID box, all of the users in the user table (including the admin account) were displayed with their first and last names visible.
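
To show why the four inputs above behave as they do, here is an added example (not DVWA's code) that reproduces the user lookup against an in-memory SQLite table, once with the query built by string concatenation as on the low-security page and once with a bound parameter. The users table is constructed here; row 2 is the Gordon Brown record seen above and the other rows are made up.

```python
"""The user lookup behind DVWA's SQL injection page, against an in-memory
SQLite table, with the same four inputs tried above.

Added example, not DVWA's code. The users table is constructed here; row 2 is
the Gordon Brown record seen above, the other rows are made up.
"""
import sqlite3
from typing import Callable, List, Tuple

SAMPLE_USERS = [  # constructed seed data
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """String concatenation, as on the low-security page: the input becomes
    part of the SQL text, so quotes in it change the statement itself."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Bound parameter: the input is only ever compared as a value, never parsed."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def try_input(conn: sqlite3.Connection, lookup: Callable, value: str):
    """Run one lookup and report either ('ok', rows) or ('error', message),
    so a syntax error (the single-quote probe) is shown rather than raised."""
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for value in ("2", "hello", "'", "1' or '1'='1"):
        print("input %-14r vulnerable=%r" % (value, try_input(conn, lookup_vulnerable, value)))
        print("      %-14s parameterised=%r" % ("", try_input(conn, lookup_parameterised, value)))
```

The concatenated query returns one row for ‘2’, nothing for ‘hello’, a syntax error for the lone quote and every row for 1' or '1'='1; the parameterised query returns the same single row for ‘2’ and nothing for the other three.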

Exercise 5: Exploiting a Cross site scripting vulnerability

I will now make the DVWA website run a script that is not part of the PHP script it was originally built with.

I clicked on the ‘XSS Reflected’ button.

I then typed my name into the ‘What is your name’ text input box and submitted it. The text displayed was ‘Hello alex’; I am now making the DVWA application do something it was not created to do, display a hello message to me when I am not even listed in the users table.

Then I submitted the following text:

alert('Hello World!')

A message from the webpage popped up. Again I am adding this code to the DVWA application, which causes this web application to perform an action it was not built to do, in this case display a hello world message box.

I have now finished this lab. I found it an interesting lab, especially seeing what a SQL injection can do to a website and how you can also use a cross-site scripting vulnerability to make a website do something it was not built to do in its original code.

I will now revert my VMs.

Blog 11: Lab 13 HTTP and HTTPS

In this lab I will be looking at HTTP and HTTPS transfers, which will be interesting for several reasons. Firstly, when logging into a website I always look to see if the website is using HTTPS (this is visible in the website URL), which means it is encrypting my data using the SSL/TLS cryptographic protocols before it is sent to the web server to check my credentials against the database and authenticate me.

All websites where logging in or sensitive data is displayed should use HTTPS; however, I always check just in case, and after Mark showed us how to view the encryption certificate, especially on online banking websites, I must admit I have viewed it several times when banking recently.

The second reason I am going to find this an interesting lab is because in class we have talked about how easy it is for website administrators to get open source encryption certificates for their site so that it uses SSL/TLS encryption, which, although still vulnerable to attack, at least means the data transfers are not in plain text or very simply encoded.

An example of an open source organization distributing free encryption certificates is Let's Encrypt (https://letsencrypt.org/).

So it will be interesting to see just how vulnerable HTTP is compared to HTTPS.

Exercise 1: Sniffing HTTP

In this exercise I will use the packet capture tool Wireshark to capture packets sent between the client and server VM during an HTTP session.

I logged into my SERVER VM with the CLASSROOM\Administrator account. I then started Server Manager and selected Tools->Internet Information Services (IIS) Manager.

I clicked on the SERVER (CLASSROOM\Administrator) option and selected “No” in the Microsoft Web Platform dialog box.

I double-clicked on the Authentication icon, right-clicked on Anonymous Authentication and disabled it.

Then I right-clicked on Basic Authentication and enabled it.

So now I have set authentication so that the user must enter their username and password.

Then I logged into the client with the local administrator account, CLIENT\Admin.

I started up Wireshark and started capturing.

Then I started up a Run dialog and I wrote in the address “http://server.classroom.local”.

After pressing “Enter” all I got was Internet Explorer appearing with the message “This page can’t be displayed”.

So I decided to restart both the client and the server VM. However when I tried writing in the address http://server.classroom.local into the client VM run dialog I just kept getting the same error message.

So I wanted to see if it was because the CLIENT\Admin account is using the ‘Network (limited)’ network, so I logged into the client VM with the CLASSROOM\Administrator account and used the Run dialog, writing in ‘http://server.classroom.local’. But as the below screenshot shows I still got the same error.

I looked at the network connection of the client and, even though I logged in with the CLASSROOM\Administrator account, it showed that the client VM was only connected to the ‘Network (limited)’ network. So I decided to revert my client to the ‘Final Snapshot’ snapshot I had used in previous labs rather than use the ‘connected client snapshot’ I had started this lab with.

So in the vSphere client I right-clicked on the client VM and powered it off, then I selected Snapshot Manager, selected the ‘Final Snapshot’ (as you can see in the below screenshot) and reverted by clicking ‘Go to’.

Then I right-clicked on the client and selected ‘Edit settings’, removed the network adapter with the adapter type E1000E and added a new network adapter, selecting VMXNET3 as the adapter type.

After adding this new network adapter I powered up the client VM and logged in with the account CLASSROOM\Administrator and I checked the network connections icon in the task bar and saw that the client was connected to the classroom.local network. I then opened the run dialog and entered ‘http://server.classroom.local’ and the authentication window appeared just as specified in the lab guide.

The below screenshot shows how the client VM is connected to the classroom.local network and when the url http://server.classroom.local is entered the authentication window appears rather than a ‘This page can’t be displayed’ error message as I had previously.

I then signed out of the CLASSROOM\Administrator account and signed back into the client VM as the local administrator CLIENT\Admin.

Then after opening the Run command and entering ‘http://server.classroom.local’ the authentication window appeared as it had when I was logged in as domain administrator, and so I can now continue with the rest of this lab now that the page is loading correctly.

I went ahead and started Wireshark again and tried to click to Start capture but the button was greyed out.

But after restarting the client VM Wireshark showed the Ethernet0 3 interface and the Start Capture button was no longer greyed out.

After starting the capture I opened the Run command and wrote in ‘http://server.classroom.local’. Into the authentication dialog I wrote the username ‘Administrator’ and the password specified in the lab guide. I made sure the “remember my credentials” checkbox was not ticked.

The Internet Information Services webpage appeared.

I then closed the browser and stopped the Wireshark capture. I observed the three-way TCP handshake SYN, ACK, SYN.

Then the host (my client VM) sends an HTTP GET request to request the http://server.classroom.local webpage.

Then the server responds with a 401 Unauthorised because I have disabled anonymous authentication in the Internet Information Services (IIS) Manager on my server VM.

Then further down, below several server ARP requests, I saw the GET / HTTP/1.1 packet which contains the user credentials (circled in red in the below screenshot) in plaintext (they are displayed in plaintext because Wireshark has decoded them from an encoding method called Base64) for anyone using Wireshark to read.
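
The decoding Wireshark did above is nothing more than Base64, so here is an added example (not from the lab or from Wireshark) that parses the 401 challenge and the retried request, recovers the credentials from the Authorization header and turns the sighting into a finding that records the account but not the secret. Both messages are constructed to match the exchange described above, using the lab's Administrator / Pa$$w0rd credentials; the function names are my own.

```python
"""Decode the credentials carried by an HTTP Basic Authorization header, the
way Wireshark does when it shows them in the clear, and turn the sighting into
a finding that names the account without re-logging the password.

Added example, not part of the lab or Wireshark. The captured request below is
constructed to match the second GET described above (Administrator with the
lab's Pa$$w0rd password); the 401 response it answers is constructed too.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed: the 401 challenge IIS sends once anonymous auth is off, and the
# browser's retry carrying the Base64-encoded "Administrator:Pa$$w0rd".
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"server.classroom.local\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: server.classroom.local\r\n"
    "Authorization: Basic QWRtaW5pc3RyYXRvcjpQYSQkdzByZA==\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "\r\n"
)


def parse_message(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 message into its start line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """'Basic <base64>' -> (user, password); None if not Basic or not decodable.

    Base64 is an encoding, not encryption: anyone holding the packet recovers it.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def assess_request(raw: str) -> Dict[str, str]:
    """Finding for a captured request: who authenticated, and that the secret
    was recoverable. The password itself is deliberately left out so the
    report does not become a second copy of the leak."""
    start, headers = parse_message(raw)
    creds = decode_basic(headers.get("authorization", ""))
    if creds is None:
        return {"request": start, "severity": "info", "detail": "no Basic credentials"}
    user, password = creds
    return {
        "request": start,
        "host": headers.get("host", ""),
        "username": user,
        "password_length": str(len(password)),
        "severity": "high",
        "detail": "Basic credentials recoverable from plaintext HTTP",
    }


def challenge_realm(raw_401: str) -> Optional[str]:
    """Realm announced by a 401's WWW-Authenticate: Basic header, if present."""
    _, headers = parse_message(raw_401)
    challenge = headers.get("www-authenticate", "")
    if not challenge.lower().startswith("basic"):
        return None
    _, _, params = challenge.partition(" ")
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "realm":
            return val.strip('"')
    return None


if __name__ == "__main__":
    print("challenge realm:", challenge_realm(SAMPLE_401))
    print("decoded:", decode_basic(parse_message(SAMPLE_REQUEST)[1]["authorization"]))
    print("finding:", assess_request(SAMPLE_REQUEST))
```

Over HTTPS the same header still exists, but it travels inside the TLS application data, which is why the second exercise's capture shows no readable request.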

Exercise 2: Securing HTTP

I am now going to secure this authentication by implementing a server side certificate so the login credentials are encrypted between the client and the server.

The certificate will be available for the client to inspect and so determine if it is trustworthy.

In the IIS Manager of the server VM I clicked on SERVER (CLASSROOM\Administrator). Then I double-clicked on the Server Certificates icon.

I selected the ‘Create Self-Signed certificate’ link.

Then I entered the friendly name of the certificate as ‘server.classroom.local’. The friendly name is the file name of the certificate request.

After creating this self-signed certificate I navigated to Sites->Default Web Site. Under the Actions panel I selected ‘Bindings’.

In the bindings window I selected ‘Add’ and added a site binding, specifying the type to be ‘https’ and the SSL certificate to be ‘server.classroom.local’ (i.e. the self-signed certificate I just created).

So now there are two site bindings: http and https.

I closed the site bindings window; however, I need to ensure that the user will use the https connection, because at the moment they can choose to log in using unencrypted http.

So to enforce the use of an https connection I went to SSL Settings in the IIS Manager.

I checked the ‘Require SSL’ box and then selected the Apply button in the Actions pane.

I can see that this enforcement of https has been successfully implemented because a message appeared after I applied the SSL setting stating ‘The changes have been successfully saved’.

Then I returned to the client and I started a new capture in Wireshark discarding the previous captured packets.

Then I started up a Run dialog and wrote in ‘http://server.classroom.local’.

The Internet Information Services page appeared without me having to authenticate first.

I then pressed F5 to refresh the page. Now the error ‘403 - Forbidden: Access is denied’ is displayed. In normal circumstances a redirect to the https page would be performed rather than just displaying a forbidden message.

I then wrote into the address bar ‘https://server.classroom.local’; however, unlike the lab guide, I did not get a warning about the certificate. Instead I received the same 403 error I had before when I loaded the http://server.classroom.local webpage.

I tried writing in this https link multiple times but continued to get the same error. However after a few minutes the certificate warning did appear.

I selected ‘Continue to this website (not recommended)’, an authentication window appeared and I wrote in the username ‘Administrator’ and the password ‘Pa$$w0rd’, and after submitting these credentials the Internet Information Services webpage appeared.

Interestingly I noticed that there was a warning icon in the address bar so I clicked on it and it showed that the client did not trust the certificate used in the SSL encryption.

I then stopped the Wireshark capture and scrolled through the captured packets. I found where the SSL/TLS session was established, which was the TLSv1.2 Client Key Exchange (highlighted in the below screenshot).

I couldn’t see any HTTP packets; all there was was a TLS Application Data packet, which had encrypted contents (circled in the below screenshot) and so is not readable, compared to the http packets which contained the decoded username and password of the authenticating user.

Therefore I have found, using Wireshark, that https is far more secure than http because the SSL/TLS cryptographic protocols encrypt the packet data, so it is not displayed as plaintext to the Wireshark user.

I have now finished the lab and will revert all of my VMs.

Blog 10: Lab 12 Data leakage prevention

I have had a read about what Data Leakage Prevention is on the TechTarget website. Effectively it is the implementation of software to control what users inside a network can do with data. For example the network administrator can deny permission for a user to print or send sensitive data which, if it got into the wrong hands, could put the organization at risk.

The way sensitive data is identified as requiring data leakage prevention is through business rules, and this backs up what Mark has taught us: that security is people, policy and procedure as well as the actual technology used to implement it. This is because procedural controls have to be put on the data, ensuring least privilege for the people, as security threats to a network can come from outside or inside an organization.

In this lab I will be installing and playing around with data leakage prevention systems.

Exercise 1: Installing rights management services

I logged into my server VM with the CLASSROOM\Administrator account. I started up Server Manager and went to Active Directory Users and Computers.

I then created a new user by expanding the classroom.local option, right-clicking on the Users folder and selecting New->User.

I created a user with the username, first name and full name of ADRMS.

I then gave this user the password provided in the lab guide. I also set that they don’t have to change their password at the next login.

After creating the user “ADRMS” with the provided password, I right-clicked on this user in the Users folder of Active Directory Users and Computers and added this user to the Domain Admins group, as the below screenshot shows.

I clicked ‘OK’ to confirm this addition of ADRMS to the group.

Then back in Server Manager I clicked the Manage->Add Roles and Features link.

In the installation wizard I kept the default options, and on the Select destination server page I made sure the SERVER.classroom.local server was selected (which it was by default).

In the ‘Select Server roles’ page I selected the Active Directory Rights Management Services checkbox. An ‘Add roles and features’ wizard appeared for Active Directory Rights Management Services and I made sure the Include management tools (if applicable) checkbox was selected before clicking the “Add features” button.

Then I just clicked ‘Next’ through the rest of the installation wizard until I confirmed the installation, after which the Active Directory Rights Management Services role was installed.

After the installation finished I clicked on the AD RMS node in Server Manager. A message was displayed saying ‘Configuration required for Active Directory Rights Management Services at SERVER’. I clicked on the ‘More’ link beside this message.

In the ‘All servers task details’ window that appeared I clicked on the action link ‘Perform additional configuration’.

In the resulting configuration wizard I kept the default options for the first two pages. When it came to selecting a configuration database I selected the ‘Use Windows Internal Database on this server’ radio button.

On the Service Account page I specified the service account to be that of the ADRMS user, by writing in the username ADRMS and the associated password.

I kept the default cryptographic mode and cluster key storage option. For the cluster key password I wrote in the password ‘Pa$$w0rd’. I am only using this password because the lab guide specifies it; in a real-world scenario an easily predictable password like this would not be used and I would instead use a passphrase, as we have discussed in class.

For the cluster address I selected ‘Use an unencrypted connection (http://)’ and wrote in the fully qualified domain name of ‘server.classroom.local’.

I didn’t have to enter ‘SERVER’ as the server license name as it was already written by default, then all I had to do was click the ‘Next’ button through the remaining pages of the wizard before checking the installation selections (see the below screenshot) and finally installing the Active Directory Rights Management Services configuration on this server.

After seeing that the AD RMS configuration had been successfully installed I restarted the server VM.

Exercise 2: Exploring DLP Options

I will now configure a typical policy template controlling what users are able to do with data.

I logged into the restarted server with the CLASSROOM\Administrator account, then I went to Tools->Active Directory Rights Management Services.

I then expanded the ‘server.classroom.local’ option and in Rights Policy Templates I selected the ‘Create distributed rights policy template’ option.

I gave my distributed rights policy template the name ‘classroom’ and the description ‘Default policy’.

Then I specified the user group entitled to access data protected using this template to be editors@classroom.local, and I gave this user group all permissions except full control.

Then I added another user group by clicking on the ‘Add’ button. I wrote the email address of the user group ‘reviewers@classroom.local’ and only gave them permissions to view and print.

So now I have set up a template (which can be applied to data) giving one group permissions on the data to view, edit, save, print and export the content, whilst the other group can only view and print the content. Determining which group specific users would be in would come down to policies and procedures based on business rules, so that the user gets the least privilege needed to perform their job.

I set the content expiration to expire after 1 year.

Then I clicked ‘Next’ and then ‘Finish’, which created the template. So I have now created a distributed rights policy template with the name classroom.

I have now finished the lab and will revert all my VMs.

Before starting this lab I created a new snapshot of the client VM which I named ‘connected client snapshot’. The reason I created a new snapshot, which I will now revert to, is that when I used to revert to the ‘Final snapshot’ snapshot in the client VM the network adapter was set to adapter type E1000E; however, I need it to have the adapter type VMXNET3 for the client to be able to connect to the classroom.local network, which in turn lets me log into the client with the CLASSROOM\Administrator account and makes the server and rogue pingable from the client.

So to save myself the time of having to remove and then add a new network adapter at the end of each lab I have made a new snapshot with the client having the adapter type VMXNET3.

So I will revert to the ‘connected client snapshot’ in my client VM, and the ‘final snapshot’ snapshot in the rogue and server VMs.

I found this an interesting lab from the point of view of how organizations can protect their data from threats from inside the organization, and how the concept of least privilege is implemented with Data leakage prevention services like Active Directory Rights Management Services.

Blog 9: Lab 10 Attacks against DHCP and DNS

In this lab I will be performing an attack against the server services DNS and DHCP. I will create a rogue DHCP server so I can reconfigure the DNS settings on the clients.

Exercise 1: Setting up the scenario

In this exercise I will create the situation where the server VM is a busy network server providing DNS, DHCP and web hosting services. Because the server is on a busy network, all the clients will receive dynamic IP addresses with short lease times.

I logged into the server VM with the account CLASSROOM\Administrator and went to Tools->DHCP.

I then expanded the server.classroom.local option and went to IPv4. I right-clicked and went to the properties of the Scope [10.1.0.1] Classroom scope node.

I set the lease duration for DHCP clients to 0 days and 1 hour as you can see in the below screenshot.

Then in the Advanced tab I set the subnet delay to 100.

Then I copied the wwwroot folder from c:\GTSLABS to the c:\inetpub folder.

Exercise 2: Preparing the attack

Now that I have recreated the scenario where my server VM is a busy network server having to give out dynamic IP addresses every hour due to the demand for IP addresses from clients, I will connect to the website, make a copy of it and use a rogue DHCP and DNS server to direct network traffic to this copied site.

I started up my rogue VM and logged in with the local Admin account.

I created a new folder inside the c:\GTSLABS directory in the rogue VM and I named this new folder ‘website’.

Then I went to the website hosted by my server. To do this I wrote http://server.classroom.local into the search bar of Internet Explorer.

I then saved this webpage by going to the Tools button in Internet Explorer and clicking “Save As”. I saved the webpage as file type ‘Webpage, complete (*.htm;*.html)’ with the file name “default.htm”, and I saved this file into c:\GTSLABS\website, as the below screenshot shows.

Then in File Explorer I went to c:\GTSLABS\website and opened the default.htm file in Notepad.

The below screenshot shows the header 1 (underlined) of the webpage before I changed it.

Now I have changed the header 1 of the webpage to “The fake Book Company website”. Obviously I would not write this if I was trying to direct traffic to a fake copy of a real-life website; however, I wanted to make it clearly visible for this lab that this is the modified site.

Then I saved the default.htm file.

I opened Network and Sharing Center, clicked on the Ethernet connection link and selected the “Properties” button.

I changed the IPv4 settings. I gave the rogue VM a static IP address of 10.1.0.10, a subnet mask of 255.255.255.0 and a preferred DNS server of 10.1.0.10, and unticked the “Validate settings upon exit” checkbox.

Then I clicked “OK” to implement these changes. Then I clicked “OK” in the Ethernet properties as well.

Then I typed Windows Features into the Start menu and opened “Turn Windows features on or off”. I ticked the Internet Information Services checkbox, which resulted in a filled square rather than a tick.

After clicking the “OK” button Internet Information Services was installed.

Then I typed ‘iis’ into the Start menu and selected the Internet Information Services (IIS) Manager icon. In the IIS Manager I navigated to ROGUE (ROGUE\Admin)->Sites->Default Web Site.

I then set the physical path to ‘c:\GTSLABS\website’ and clicked “OK” to confirm the location of my modified website.

Then in File Explorer I navigated to c:\GTSLABS and ran the DualServerInstallerV7.12.

In the User Account Control dialog box that appeared I clicked the “Yes” option.

I completed the rest of the Dual Server installer keeping the default settings. Then after it was installed I used File Explorer to find the DualServer configuration file in c:\GTSLABS

image 21.PNG

and copied it into the c:\DualServer folder. A DualServer configuration file already existed in c:\DualServer; however, I chose to replace that file with the new DualServer configuration file by clicking “Replace the file in the destination” in the Replace or Skip Files dialog box.

image 22.PNG

I read in the lab guide that the DualServer.ini file in this c:\DualServer directory contains the settings used for the exploit I will perform later in this lab.

I then went to the Start menu, typed ‘Services’ and selected the View local services icon. I scrolled down to the Dual DHCP DNS Service, right-clicked on it and clicked “Start”.

image 23.PNG

So I can now see that the Dual DHCP DNS Service is running.

image 24.PNG

 

Exercise 3: Falling for the attack

I am now going to log into the client VM and see if, after setting up a short IP address lease time, it has been caught by the exploit. If the client has kept its previously used IP address I will have to force it to forget that address.

I logged into the client VM with the account CLASSROOM\Administrator.

I then opened the Network and Sharing Center, clicked on the Ethernet link and viewed the details of this Ethernet connection.

I identified that the final octet of the IPv4 address was less than 128 (in my case it was 64), so the Dual DHCP DNS Service on the rogue has handed the client VM an IP address.

I know this because the DHCP service on my Server VM was configured to hand out dynamic IP addresses starting at 10.1.0.128; therefore, as my client's IPv4 address is less than 10.1.0.128, its IP address is not from the network's authorized DHCP server but from the rogue DHCP server on my rogue VM.

image 25.PNG

I then opened Internet Explorer and entered the address http://server.classroom.local. I could see the heading 1 I wrote, “The fake Book Company website”. Thus the modified site I created on the rogue VM appeared.

image 26.PNG

The reason this modified site appeared is that the Dual DHCP DNS service on the rogue VM handed my client VM a new dynamic IP address, 10.1.0.64, with the rogue as its DNS server. So the client VM goes to the rogue for domain name resolution, and when I enter the URL http://server.classroom.local the rogue resolves that name to itself and directs me to its default site, whose physical path I set to c:\GTSLABS\website, so the default.htm file inside that c:\GTSLABS\website folder is loaded.
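The check I used above (an address below 10.1.0.128 means the lease did not come from the authorized server) can be automated on the client. The following is an added example for this write-up, not part of the lab guide or of DualServer: it parses the relevant lines of `ipconfig /all` output and flags a lease that is outside the authorized pool, that was issued by a server other than the authorized one, or that hands out an unauthorized DNS server. The pool end 10.1.0.254 and the authorized DNS server 10.1.0.1 are assumptions (the lab only states that the authorized pool starts at 10.1.0.128), and both ipconfig excerpts are constructed.

```python
"""Audit a Windows DHCP lease against the network's authorized DHCP/DNS settings.

Added example for this lab write-up (not part of the lab guide or DualServer).
Pool end 10.1.0.254 and DNS server 10.1.0.1 are assumptions; the lab only states
that the authorized pool starts at 10.1.0.128.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# "Key . . . . : value" lines as printed by ipconfig /all
KEY_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(?P<val>.*)$")
# continuation lines of multi-valued fields such as "DNS Servers"
CONT_RE = re.compile(r"^\s+(?P<val>\d{1,3}(?:\.\d{1,3}){3})\s*$")


@dataclass
class Lease:
    address: str = ""
    dhcp_server: str = ""
    dns_servers: list = field(default_factory=list)


@dataclass
class DhcpPolicy:
    dhcp_server: str
    dns_servers: set
    pool_first: str
    pool_last: str


def parse_ipconfig(text: str) -> Lease:
    """Pull the IPv4 address, DHCP server and DNS servers out of ipconfig /all text."""
    lease = Lease()
    last_key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            last_key = key
            if key == "IPv4 Address":
                lease.address = val.split("(")[0]      # drop "(Preferred)"
            elif key == "DHCP Server":
                lease.dhcp_server = val
            elif key == "DNS Servers":
                lease.dns_servers.append(val)
            continue
        c = CONT_RE.match(line)
        if c and last_key == "DNS Servers":        # second, third... DNS server
            lease.dns_servers.append(c.group("val"))
    return lease


def audit_lease(lease: Lease, policy: DhcpPolicy) -> list:
    """Return a list of findings; an empty list means the lease looks legitimate."""
    findings = []
    addr = ipaddress.ip_address(lease.address)
    first, last = ipaddress.ip_address(policy.pool_first), ipaddress.ip_address(policy.pool_last)
    if not first <= addr <= last:
        findings.append(f"address {addr} is outside the authorized pool {first}-{last}")
    if lease.dhcp_server != policy.dhcp_server:
        findings.append(f"lease issued by {lease.dhcp_server}, not the authorized server {policy.dhcp_server}")
    rogue_dns = [d for d in lease.dns_servers if d not in policy.dns_servers]
    if rogue_dns:
        findings.append("unauthorized DNS server(s) handed out: " + ", ".join(rogue_dns))
    return findings


# Assumed policy for classroom.local (pool end and DNS server are assumptions).
CLASSROOM_POLICY = DhcpPolicy("10.1.0.1", {"10.1.0.1"}, "10.1.0.128", "10.1.0.254")

# Constructed ipconfig /all excerpts: the lease the rogue handed out, then a
# lease from the authorized server.
ROGUE_IPCONFIG = """
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : classroom.local
   IPv4 Address. . . . . . . . . . . : 10.1.0.64(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.0.1
   DHCP Server . . . . . . . . . . . : 10.1.0.10
   DNS Servers . . . . . . . . . . . : 10.1.0.10
"""
GOOD_IPCONFIG = """
Ethernet adapter Ethernet0:

   IPv4 Address. . . . . . . . . . . : 10.1.0.132(Preferred)
   Default Gateway . . . . . . . . . : 10.1.0.1
   DHCP Server . . . . . . . . . . . : 10.1.0.1
   DNS Servers . . . . . . . . . . . : 10.1.0.1
"""

if __name__ == "__main__":
    for label, text in (("rogue", ROGUE_IPCONFIG), ("good", GOOD_IPCONFIG)):
        print(label, audit_lease(parse_ipconfig(text), CLASSROOM_POLICY))
```

On a real client the text would come from running `ipconfig /all` and feeding its output to `parse_ipconfig`; the rogue lease produces three findings, the legitimate one none.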

I have now finished this lab. It was interesting to see how website redirection can occur inside a network, and it shows the level of risk at places with public Wi-Fi networks, for example libraries, where someone could set up a DualServer DNS/DHCP service on their computer together with a web host and direct traffic to their copied version of a genuine website.

I will now revert my VMs.

 

Blog 8 Lab 9: Telnet and FTP

In this lab I will be looking at two insecure protocols, Telnet and FTP.

I logged into the server with the account CLASSROOM\Administrator. I went to Server Manager and selected to add a new role or feature. I ensured that SERVER.classroom.local was selected as the server to install the role or feature onto.

The role I chose to install was FTP Server, under the Web Server (IIS) server role.

image 1.PNG

For the feature I selected Telnet Server to install (as the below screenshot shows).

image 2.PNG

After finishing the installation I closed the wizard.

image 3.PNG

Then I went to Tools->Services, scrolled down until I found Telnet, right-clicked on it and selected Properties.

image 4.PNG

I set the startup type of Telnet to manual (as the below screenshot shows).

image 5.PNG

I then right-clicked on Telnet again and selected “Start”.

image 6.PNG

I then copied and pasted the ftproot folder from c:\GTSLABS to c:\inetpub.

image 7.PNG

Then in Server Manager I went to Tools->Internet Information Services (IIS) Manager and enabled basic authentication under FTP Authentication.

image 9.PNG

I then added a new FTP site with the FTP site name server.classroom.local and the physical path C:\inetpub\ftproot.

image 10.PNG

I selected “No SSL”.

image 11.PNG

In the Authentication and Authorization window I set Authorization to allow access to all users, and gave all users read and write permissions.

image 12.PNG

I then opened Windows Firewall with Advanced Security, opened the properties of Windows Firewall with Advanced Security on Local Computer, and allowed inbound connections.

image 13.PNG

Exercise 2: Examining Telnet traffic

 

I signed into the client VM with the CLASSROOM\Administrator account and turned on the Telnet Client in “Turn Windows features on or off”.

image 14.PNG

I then started up Wireshark, but I found that it would not start capturing because there was no interface for it to capture on (the start capture button was greyed out). This was strange because the client was on the classroom.local network. Then I came to the conclusion that this was the same issue I had in the previous lab: on the one occasion I could get the client VM to connect to the VPN, Wireshark would stop capturing because it stated (even when I refreshed the interfaces) that there was no interface to capture on.

So I decided to experiment: I restarted the client and, noticing the client was still on the classroom.local network, I started up Wireshark, and this time I was able to start capturing. So it seems I must restart the client VM after I have made a change on the server, because I had enabled basic authentication for FTP on the server but had not restarted the client before trying to capture on the classroom.local network.

So I must remember to restart the client after changes made to the server.

Returning to this exercise, I opened the command prompt and typed:

telnet server.classroom.local

A welcome message appeared, and I note that the escape character sequence is ‘Ctrl+]’.

image 15.PNG

At the continue prompt I typed ‘n’. After a long wait a login prompt appeared, and I entered administrator and the password specified in the lab guide.

image 16.PNG

I then entered the command ‘dir’ and could see all the folders of C:\Users\Administrator on the server. This shows I can connect to the server and execute commands.

image 17.PNG

I then pressed Ctrl+] to escape and typed quit to exit the Microsoft Telnet client.

Then I stopped the packet capture in Wireshark and entered the filter “telnet”. A long list of Telnet data packets appeared and I scrolled through them, clicking on each packet and reading its contents, until I found the packet ending with the text ‘login:’ (as the below screenshot shows).

image 19.PNG

I then went through the next 26 packets and noted the final text character in the packet bytes pane of each.

image 20.PNG

The final characters of these 26 packets spelt out:

.a.d.m.i.n.i.s.t.r.a.t.o.r..

In other words, by reading the final characters of the 26 packets after the packet containing the text ‘login:’ I have learnt the user's username, “administrator”.

Now let's see if the password is as easily readable. Packet number 930 (which was immediately after the packet containing the last character I wrote down above) contained the text ‘password:’. See the below screenshot.

image 21.PNG

Then, starting from the packet containing the text ‘password:’, I wrote down the last character of each of the next 8 packets, which spelt out:

Pa$$w0rd

I found it interesting that there were no packets with full stops as the final character, as there were for the packets containing the username ‘administrator’.

All the remaining packets had a full stop as the final character in the packet bytes pane, except two packets which had significantly longer contents.

Packet 960 had a content length of 610, compared to the surrounding packets, which had a length of around 60.

image 22.PNG

Packet 994 had a length of 1205, and it is this packet which is of particular interest because it shows the contents the server displayed after I entered the dir command at the prompt.

As the below screenshot shows, the ‘download’, ‘Favourites’ and ‘Pictures’ folders are visible.

image 23.PNG

So from examining Telnet traffic I have learnt that both the username and password are visible and readable to someone capturing packets on the network, just by reading the last character of each packet, as are command responses such as the folder listing from the dir command.
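What I did by hand above (reading one character per packet after the ‘login:’ and ‘password:’ prompts) is exactly what a network monitor can do automatically, which is why a cleartext Telnet login is something a defender can detect and alert on. Below is an added example for this write-up, not part of the lab guide or of the Microsoft Telnet client or server: it strips Telnet option negotiation (the IAC sequences), walks the packets in order, uses the server's prompts to decide which field the client is typing, and produces an alert that names the exposure without logging the password. The packets are constructed to approximate the session in this exercise (the server echoes the username but not the password); the client address 10.1.0.140 is an assumption.

```python
"""Reassemble a Telnet login from per-keystroke packets and raise a redacted alert.

Added example for this lab write-up, not part of the lab guide. The packets are
constructed to approximate the captured session; client 10.1.0.140 is assumed.
"""
from dataclasses import dataclass

IAC, SB, SE = 255, 250, 240                 # Telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def strip_negotiation(data: bytes) -> bytes:
    """Remove IAC option negotiation so only typed or echoed characters remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:   # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:    # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                       # IAC <cmd> <option>
        else:
            i += 2                                       # any other two-byte command
    return bytes(out)


def find_cleartext_login(packets, server: str) -> dict:
    """Server prompts select the field; client bytes fill it until Enter is sent."""
    fields = {"username": "", "password": ""}
    current = None
    for p in packets:
        text = strip_negotiation(p.payload).decode("latin-1")
        if p.src == server:
            low = text.lower()
            if "login:" in low:
                current = "username"
            elif "password:" in low:
                current = "password"
        elif current is not None:
            for ch in text:
                if ch in "\r\n":          # Enter ends the field
                    current = None
                    break
                fields[current] += ch
    return fields


def telnet_alert(packets, client: str, server: str) -> str:
    """Detection output: name the exposure, keep the password out of the log."""
    creds = find_cleartext_login(packets, server)
    return (f"cleartext Telnet login {client} -> {server}: "
            f"user={creds['username']!r} password=<{len(creds['password'])} chars, readable on the wire>")


def build_sample_session(client="10.1.0.140", server="10.1.0.1"):
    """Constructed packets: one keystroke per client packet, echo on for the
    username and off for the password (a constructed choice, not captured data)."""
    pk = [Packet(server, client, bytes([IAC, WILL, 1, IAC, WILL, 3])
                 + b"Welcome to Microsoft Telnet Service\r\n\r\nlogin: ")]
    for ch in "administrator":
        pk.append(Packet(client, server, ch.encode()))
        pk.append(Packet(server, client, ch.encode()))   # server echoes the keystroke
    pk.append(Packet(client, server, b"\r\n"))
    pk.append(Packet(server, client, b"\r\npassword: "))
    for ch in "Pa$$w0rd":
        pk.append(Packet(client, server, ch.encode()))   # no echo while typing the password
    pk.append(Packet(client, server, b"\r\n"))
    pk.append(Packet(server, client, b"\r\n*===============\r\nC:\\Users\\Administrator>"))
    return pk


if __name__ == "__main__":
    print(telnet_alert(build_sample_session(), "10.1.0.140", "10.1.0.1"))
```

The alert deliberately reports only the username and the password length: the point of the detection is that the credential crossed the network in the clear, and the log should not become a second copy of it.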

 

Exercise 3: Examining FTP traffic

I am very interested to see how secure FTP traffic is because in our web classes we have used the FTP program WinSCP, and in my personal web design work I have used the FTP program FileZilla. These two programs are used to transfer HTML, CSS and PHP files from my local machine to the web server. Therefore, having used FTP extensively, it will be interesting to see what level of risk my web work was at.

In Wireshark on the client VM I started capturing packets again, without saving the previous capture as it is no longer necessary.

I then opened the Run dialog and typed ftp://server.

An Internet Explorer window appeared, but it showed the error message “This page can’t be displayed”, as the below screenshot shows.

image 35.PNG

But then I went back to my server VM and noticed that I had never clicked the “OK” button in the Windows Firewall with Advanced Security on Local Computer window, so the changes I made allowing inbound connections had not been applied. I clicked the “OK” button and then tried entering “ftp://server” into Internet Explorer again.

This time the login box appeared. I entered the same username and password I had used when logging in with Telnet.

image 26.PNG

The FTP root of the server appeared and I clicked on the Contact.rtf link.

image 27.PNG

I opened this Contact.rtf file and I could read the contents.

image 28.PNG

I then stopped Wireshark capturing packets and entered the filter “ftp”. I went through the captured packets looking for packets whose Info field started with “Request: USER”. The first two Request: USER packets were anonymous, where Internet Explorer had tried to authenticate anonymously.

The first packet with the Info field “Request: USER Administrator” had the username Administrator both in the Info field and in the packet bytes pane (underlined in the below screenshot).

image 30.PNG

The packet immediately after this Request: USER Administrator packet had the Info field “Response: 331 Password required”.

The packet after that had the Info field “Request: PASS Pa$$w0rd”, and in the packet bytes pane I saw the password was also written.

image 36.PNG

So I noticed that with FTP the packet's Info field lists the password directly, so the password is even more easily visible than with Telnet, where I at least had to click on each packet to see its contents in the packet bytes pane, and where the username and password were not displayed in a single packet but one character per packet. So FTP looks to be even less secure than Telnet, from a security-by-obscurity point of view.

I then entered ‘ftp-data’ into the filter box of Wireshark, and now only two packets were displayed.

image 37.PNG

Clicking on the first of these two packets I saw it contained the listing of the server's FTP root, which I had viewed by authenticating to ftp://server. I know that this is the contents of the FTP root of the server because I could see the Dish_Of_Food.jpg file, which is underlined in the below screenshot.

image 38.PNG

The second packet seemed to contain the file contents that were displayed, as I could make out the message “Getting in touch with us couldn’t be easier, you can contact us using any of the methods listed below” (which is pointed out in the below screenshot).

image 39.PNG
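The two Wireshark filters I used above map directly onto the two halves of an FTP session: the control connection (the “ftp” filter) carries USER and PASS in the clear, and the PASV or PORT exchange on that same connection tells you which second TCP connection will carry the directory listing or the file (the “ftp-data” filter). The following is an added example for this write-up, not part of the lab guide or of IIS: it parses a control-channel conversation, records every login attempt with whether the server accepted it, works out the data-connection endpoints from PASV/PORT, and produces alerts with the password redacted. The session is constructed to mirror this exercise (two anonymous attempts are simplified to one); the client address 10.1.0.140 and the passive port numbers are assumptions.

```python
"""Parse an FTP control channel: cleartext credentials and data-connection endpoints.

Added example for this lab write-up, not part of the lab guide or IIS. The
session below is constructed; client 10.1.0.140 and the PASV ports are assumed.
"""
import re
from dataclasses import dataclass, field

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)


@dataclass
class FtpSession:
    client: str
    server: str
    attempts: list = field(default_factory=list)        # dicts: user, password, accepted
    data_endpoints: list = field(default_factory=list)  # (ip, port) of each data connection


def _endpoint(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2), the FTP address encoding."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def parse_ftp_control(lines, client: str, server: str) -> FtpSession:
    """`lines` is an ordered list of (source_ip, line) pairs from the control connection."""
    s = FtpSession(client, server)
    pending_user = None
    for src, raw in lines:
        line = raw.rstrip("\r\n")
        if src == client:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                pending_user = arg
            elif verb == "PASS":                      # password sent in the clear
                s.attempts.append({"user": pending_user, "password": arg, "accepted": None})
                pending_user = None
            elif verb == "PORT":                      # active mode: client tells server where to connect
                m = PORT_RE.match(line)
                if m:
                    s.data_endpoints.append(_endpoint(m.groups()))
        else:
            code = line[:3]
            if code == "227":                         # passive mode: server opens a data port
                m = PASV_RE.search(line)
                if m:
                    s.data_endpoints.append(_endpoint(m.groups()))
            elif code in ("230", "530") and s.attempts and s.attempts[-1]["accepted"] is None:
                s.attempts[-1]["accepted"] = (code == "230")   # 230 logged in, 530 refused
    return s


def credential_alerts(s: FtpSession) -> list:
    """One line per login attempt, password redacted; anonymous attempts are reported too."""
    out = []
    for a in s.attempts:
        status = {True: "accepted", False: "rejected", None: "no reply seen"}[a["accepted"]]
        if (a["user"] or "").lower() == "anonymous":
            out.append(f"FTP anonymous login attempt {s.client} -> {s.server}: {status}")
        else:
            out.append(f"FTP cleartext credentials {s.client} -> {s.server}: "
                       f"user={a['user']!r} ({status}), password exposed ({len(a['password'])} chars)")
    return out


# Constructed control-channel conversation approximating this exercise.
SAMPLE_CONTROL = [
    ("10.1.0.1",   "220 Microsoft FTP Service"),
    ("10.1.0.140", "USER anonymous"),
    ("10.1.0.1",   "331 Password required"),
    ("10.1.0.140", "PASS IEUser@"),
    ("10.1.0.1",   "530 User cannot log in."),
    ("10.1.0.140", "USER Administrator"),
    ("10.1.0.1",   "331 Password required"),
    ("10.1.0.140", "PASS Pa$$w0rd"),
    ("10.1.0.1",   "230 User logged in."),
    ("10.1.0.140", "PASV"),
    ("10.1.0.1",   "227 Entering Passive Mode (10,1,0,1,195,80)."),
    ("10.1.0.140", "LIST"),
    ("10.1.0.1",   "150 Opening ASCII mode data connection."),
    ("10.1.0.1",   "226 Transfer complete."),
    ("10.1.0.140", "PASV"),
    ("10.1.0.1",   "227 Entering Passive Mode (10,1,0,1,195,81)."),
    ("10.1.0.140", "RETR Contact.rtf"),
    ("10.1.0.1",   "150 Opening BINARY mode data connection."),
    ("10.1.0.1",   "226 Transfer complete."),
]

if __name__ == "__main__":
    session = parse_ftp_control(SAMPLE_CONTROL, "10.1.0.140", "10.1.0.1")
    print("\n".join(credential_alerts(session)))
    print("data connections:", session.data_endpoints)
```

The data endpoints ((10.1.0.1, 50000) and (10.1.0.1, 50001) for the sample) are what a monitor would match against the separate TCP connections that carried the directory listing and Contact.rtf, which is what the “ftp-data” filter showed.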

I have now finished this lab. I was very surprised at how insecure Telnet and FTP are, and so I found this a very interesting lab. I will now revert my VMs.


Blog 7: Lab 8 Configuring a VPN

A VPN (Virtual Private Network) allows devices in two different physical locations to be networked together. For example, a laptop in one physical location such as Nelson can communicate with a desktop on a network in a different physical location such as Sydney as though they were all part of the same network. A VPN is like a tunnel through the internet because the data transmitted is encrypted, so if the data is intercepted it is unintelligible.

In this lab I will be using VPN software. I am already using the Sophos VPN to perform this lab from home.

Exercise 1: Installing a network adapter

Because the lab guide outlines how to add a second network adapter to your VMs using Hyper-V Manager, which we are not using in the SEC601 class, I had to follow a different method for adding a second network adapter.

So I went to the vSphere client, right-clicked on the Server VM, went to “Edit settings” and added another Ethernet adapter, making sure to select the VMXNET 3 adapter type (which is the adapter type that the existing server, rogue and client VMs are using).

image 2.PNG

So now I have two network adapters on the server VM.

 

Exercise 2: Examining Unsecured Traffic

This exercise looks at how unsecured traffic (traffic in plaintext form) is at risk.

After logging into the server VM I went to the Network and Sharing Center. I was interested to see if the second network adapter was visible. I saw that I am connected to the classroom.local domain (because I logged in as CLASSROOM\Administrator), but the interesting thing is that I can see two connections, Ethernet0 and Ethernet1 (because the server VM has two network adapters).

image 4.PNG

So now I can continue with the rest of this exercise. I navigated to c:\GTSLABS, created a new folder named SECRET, and in this new folder I made a text file named CONFIDENTIAL.

image 5.PNG

Into the CONFIDENTIAL text file I wrote “The password is CONFIDENTIAL!”. Then, to share this file, I started up Server Manager and clicked on File and Storage Services in the dashboard. I then selected the Shares option and created a new share.

I selected the folder to share as c:\GTSLABS\secret.

image 6.PNG

I specified the name of the share as secret$.

image 7

I unticked the ‘Allow caching of share’ checkbox to make sure the shared folder was not cached, and kept the default settings for the rest of the New Share wizard. So now I have a new share named secret$.

image 8.PNG

I then logged into my client VM using the CLASSROOM\Administrator account and started a capture in Wireshark.

image 9.PNG

I then opened the Run dialog and typed \\SERVER, but I noticed that the secret$ share did not appear; only the netlogon and sysvol shares appeared (as you can see in the below screenshot), because a share whose name ends in $ is hidden from the browse list.

image 10.PNG

However, when I typed \\SERVER\secret$ into the address bar of File Explorer, this share opened and I could see the confidential text file, which I was able to read.

image 11.PNG

After closing this text file and File Explorer, I stopped the Wireshark capture and looked through all the packets I had captured. After some scrolling up the packet list I found the NetShareEnumAll Response packet. This packet is how the server communicates its share list to the client VMs.

image 13.PNG

I then double-clicked on this NetShareEnumAll Response and scrolled down through the packet details pane, and noticed that the secret$ share did appear (it is underlined in the below screenshot).

image 14.PNG

I right-clicked on this packet; however, there was no Expand All option to view all fields.

I then looked for the Create Response File: ; Find Response; packet. The only matching packet I could find was named slightly differently: Create Response File: Find Response;Find Response. I scrolled down in the packet details pane and saw that, as mentioned by the lab guide, the Confidential.txt file is visible in the data (this is circled in blue in the screenshot below). This Create Response File: Find Response packet is what the server uses to communicate the list of files in a shared folder to the client.

image 15.PNG

I then searched for two packets: a Read Request and the Read Response sent immediately afterwards. The Read Request was requesting the confidential.txt file and the Read Response was sending the contents of confidential.txt to the client. In the below screenshot I can see the Read Request packet is explicitly listed as asking for the File: CONFIDENTIAL.txt (highlighted in red below), while the Read Response packet is directly below it.

image 16.PNG

I had a look at the packet bytes pane of the Read Response packet sending the contents of the Confidential.txt file back to the client, and I noticed the contents of this file are visible in Wireshark (circled in red in the below screenshot). So in unsecured traffic, such as the transfer of the shared file from the server to the client, the data contained in the shared file is visible and readable in a readily available protocol analyzer like Wireshark.

image 17.PNG

Exercise 3: Configuring a VPN

I am going to configure my server VM to act as a VPN gateway.

In the Server VM I went to Server Manager->Add Roles and Features.

image 18.PNG

And then in the Add Roles and Features window I kept the role-based or feature-based installation option selected, and in the Server Selection window I ensured that SERVER.classroom.local was selected.

image 19.PNG

In the Server Roles I selected Remote Access before clicking “Next”.

image 20.PNG

And in the Role Services screen I selected the “DirectAccess and VPN (RAS)” option, ensured that “Include management tools (if applicable)” was selected, and clicked “Add Features”.

image 21.PNG

After the installation I went to Tools->Routing and Remote Access.

image 23.PNG

In the Routing and Remote Access tool I right-clicked on SERVER (local) and selected Configure and Enable Routing and Remote Access.

image 24.PNG

In the Remote Access window I made sure I selected VPN; this sets my Server VM as the VPN gateway (VPN server). In the VPN Connection window I selected the Ethernet adapter configured with the IP address 10.1.0.1 (which is highlighted in the below screenshot).

image 26.PNG

I set the VPN to use a specified range of IP addresses, from a pool of addresses between 172.16.0.1 and 172.16.0.10.

image 27.PNG

After selecting the option “No, use Routing and Remote Access to authenticate connection requests” I finished the configuration of the VPN. A warning appeared stating that the Remote Access Service cannot enable Routing and Remote Access because Windows Firewall is blocking the routing and remote access port.

image 28.PNG

I closed this warning and went to Windows Firewall with Advanced Security, clicked on Inbound Rules and scrolled down until I found the Routing and Remote Access (GRE-In), (L2TP-In) and (PPTP-In) rules.

image 29.PNG

I then right-clicked on each and selected “Enable Rule”, so now all three of these rules are enabled, as you can see below.

image 31.PNG

Now that I have enabled the rules allowing the routing and remote access ports through the firewall, I have to set permissions allowing users to join the VPN. To do this I went back to Server Manager->Tools->Active Directory Users and Computers.

I double-clicked on Administrator and in the Dial-in tab I selected “Allow access” for the Network Access Permission.

image 32.PNG

Exercise 4: Joining a VPN

I will connect to the VPN from the client VM.

I signed into my client with the CLASSROOM\Administrator account, right-clicked on the Network icon and opened the Network and Sharing Center. I selected the “Set up a new connection or network” link and chose to connect to a workplace.

image 33.PNG

I selected “Use my Internet Connection (VPN)” and chose to set up an internet connection later. Then I entered the internet address 10.1.0.1 (which is the IP address of my server, which is now acting as the VPN gateway/server).

image 34.PNG

After creating this connection to the workplace, the available networks bar appeared and I could see I can now connect to either the Network (limited) connection or the VPN connection.

image 35.PNG

I tried to connect twice, entering the username and password supplied in the lab guide; however, on both occasions I got the following error after a long wait trying to connect to 10.1.0.1.

image 37

I tried logging back into the server VM, but this made no difference. So I tried restarting both the client and the server VMs. However, this still threw the same error.

So I came to the conclusion that I must have somehow misconfigured the VPN connection, even though I felt that I had followed the lab guide exactly. So I started the lab again; I reverted all my VMs (even the rogue, which I haven’t used in this lab yet) just to be safe.

I removed and then re-added the network adapter of the client VM, because in the “Final snapshot” snapshot, which was taken immediately after Mark rebuilt my VMs successfully, the network adapter is not set as VMXNET 3.

After that I added another network adapter to the server VM (so now it has two network adapters). I then went through the lab until I needed to log into the client as CLASSROOM\Administrator in order to set up the VPN connection; however, when I logged in with this account I found that the error thrown was “There are currently no logon servers available to service this logon request”. The troubleshooting I went through to try to fix this problem was:

  1. Log into the client VM as the local admin and set a static IP address of 10.1.0.132 with subnet mask 255.255.255.0 and default gateway 10.1.0.1. Then I restarted the client VM and tried to log in with the CLASSROOM\Administrator account; however, I got the same error.
  2. Set the client VM back to an automatically assigned (dynamic) IP address, then restart. I had heard from other students that setting the VM to a static IP address and then making it automatic again had worked for them. However, I still got the same error.
  3. Turn the client VM off, remove and then add the network adapter again, then try to log in with the CLASSROOM\Administrator account. Again I got the same error.

 

Then finally I reverted all my VMs to the “Final snapshot”, removed and re-added the network adapter of the client VM, logged into the server and then started up the client. I thought that perhaps having two network adapters on the server VM was causing the problem of the client not being able to log in to the classroom.local network; this seemed to be the last possibility from my process of elimination. So I logged into the client VM with the account CLASSROOM\Administrator and found that I was able to log in with this account.

So I could now join the client VM to the VPN. When going to the Network and Sharing Center I noticed that my client is now connected to the ‘classroom.local’ network rather than the ‘Network’ network I had previously.

image 38.PNG

After going through the “Set up a new connection or network” wizard I clicked on the VPN connection and signed in with the username CLASSROOM\Administrator, and this time I was able to successfully connect to the VPN (as the circled connection in the below screenshot shows).

image 39.PNG

After connecting, I had to follow the guide's steps and disconnect from the VPN again.

 

Exercise 5: Examining VPN Traffic

In this exercise I will connect to the server through the VPN and use Wireshark to see what information is visible when the share is accessed via the VPN.

I started up Wireshark in the client VM, but the Start capture button was greyed out, which means there was no interface for Wireshark to capture on. However, I found that this was because the server had locked, so after logging back into the server I got Wireshark to start capturing.

image 40.PNG

I then went to the VPN connection and connected to it. However, as the below screenshot shows, I got an error message from Wireshark saying the network adapter the capture was being done on is no longer running, because I was changing over to the VPN connection.

image 41.PNG

I also found that I got the same VPN error I thought I had solved earlier.

image 42.PNG

So I went through and started the lab again twice, but I got error 868 each time (see the below screenshot). I tried troubleshooting by repeating all the steps I had completed earlier to connect to the VPN, but again I could not connect to the VPN.

image 43.PNG

I continued trying to restart or revert all my VMs and follow through the lab; however, I still got either error 868 or error 800. I heard from Scott that he got around the problem by reconnecting to the VPN from the client after error 800 was displayed; however, I tried this three times and could not get it to work.

So I will move onto the next lab and come back to this one at the end to see if I can get around this problem.

I have gone through and reverted my VMs so I can start work on lab 9.

After working on and completing labs 9, 10, 12 and 13 I came back to lab 8 and decided to go through it again, except this time I added the second Ethernet adapter on the server to a different switch, which is what I read Aaron had done in his blog and which worked for him. Every other time I had attempted this lab I had made sure the second Ethernet adapter used the same switch as the first network adapter of the server, which was switch 2762.

This time I made the second network adapter use switch 2763 (as you can see in the below screenshot).

image 50.PNG

Then I went through the lab again and tried to connect to the VPN from the client, and this time, after authenticating, I was successfully connected rather than receiving error 800 or error 868.

image 44.PNG

Therefore the problem was that I had always created the second network adapter on the same switch as the first network adapter. I am now able to continue the lab. I started Wireshark now that I am connected to the VPN. Then I opened the Run dialog and typed \\172.16.0.1.

Then in the resulting File Explorer window I typed \\172.16.0.1\secret$.

image 52.PNG

The CONFIDENTIAL text file appeared.

image 46.PNG

I was able to read this file through the share I had created.

image 47.PNG

Then I went to Wireshark and stopped the capture. To filter the packets in Wireshark I entered pptp or ppp or gre and clicked “Apply”. I browsed through the PPTP, PPP and GRE packets and, as the below screenshot shows, their contents are unreadable.

image 49.PNG

I then cleared the packet filter I had applied, scrolled down through the packets and did not notice any SMB packets. These were the packets captured when I accessed the CONFIDENTIAL file before implementing the VPN, and it was the SMB packets which displayed the contents of the shared file in plaintext.

And as stated above, the PPP and GRE packets only contained unintelligible data in the packet bytes pane. Below is a PPP packet with the packet bytes pane showing encrypted data.

image 53.PNG

Below is a GRE packet, again with unintelligible data in the packet bytes pane.

image 54.PNG

This has been an interesting lab from a troubleshooting point of view, and I will now revert my VMs ready to complete my final lab, which is lab 14.

Blog 6 Lab 7: Password Sniffing

A password sniffing application captures packets containing passwords and then tries to determine what they are, as opposed to a packet sniffing application such as Wireshark, which captures all packets being transmitted.

Exercise 1: Keyloggers

Keylogging software records the keys the user has typed on their computer. This can be useful for determining their password, as it removes the need to use a password sniffing application and then dictionary or brute-force attacks to recover the user's password.

I started up my client VM, signing in with the username CLASSROOM\Administrator. At first I got the error message “No logon services available”. I had had this error before because the Server VM was not on and signed into; however, in this instance the server was on and logged into. So I logged in as CLIENT\local and tried pinging the server (10.1.0.1) and the rogue (10.1.0.131), and I noticed that both gave the “Destination host not available” response.

I then thought I would have a look at what is in the ARP cache, so I entered the command: arp -a

This showed the server's IP address: 10.1.0.1

I found it interesting that the server's IP address was in the ARP cache but the server was not available. This is most likely because the server's IP address was found through ARP requests when the client had been connected to the classroom.local network in the past and had been stored in the ARP cache, but now the client cannot connect to the server.

To fix this problem I shut down my rogue VM and reset it to the “Final snapshot” snapshot; this was taken in the final reset Mark did of all my VMs, when there was connectivity between all of them. I then started up the client and logged in, but again there was no connectivity.

So then I tried adding the Ethernet adapter again, making sure it uses the VMXNET3 adapter type.

image 1.PNG

I then started up and logged into the client, and I was able to log in with the CLASSROOM\Administrator account; therefore my client was part of the classroom.local network and was able to ping the server and rogue successfully.

I was now able to start this lab. I browsed to c:\GTSLABS and ran the ActualSpy application installer.

image 2.PNG

I selected the default settings and installed ActualSpy. I then double-clicked on the desktop icon to start the ActualSpy application; however, Windows Defender prevented me from running the application by throwing an error message. I then clicked on the “Windows Defender detected malware” message in the top right-hand side of my screen, which brought up Windows Defender, and because I have to run this software to perform this lab I unticked the “Turn on real-time protection (recommended)” checkbox.

image 3.PNG

I then had to reinstall ActualSpy because when I double-clicked on the desktop icon it said the shortcut had been deleted. After reinstalling it I was able to run it.

image 4.PNG

I went to Settings and noted that the hotkey combination for opening ActualSpy is Ctrl+Shift+Alt+F8. I then checked the “Start at system loading” checkbox and all the checkboxes under the “Hiding” title.

image 5.PNG

In the Logs tab I noticed that keystrokes, screenshots, run/closed applications, clipboard, documents sent to print, file and directory changes, and startup/shutdown are all PC activities that are saved by ActualSpy when it runs.

image 6.PNG

I then clicked the “Apply” button and started ActualSpy monitoring, hiding the ActualSpy application so no users would realise they are being monitored (it was not visible in the taskbar as a running application, as you can see in the below screenshot).

image 7.PNG

I then signed out and back in with the CLIENT\Admin account. I could not see ActualSpy running in the taskbar, but I had identified that when I started hiding it while logged in as CLASSROOM\Administrator.

So I then started Task Manager. ActualSpy was not shown in the running apps (which is all that is shown by default unless the user clicks on the “More details” link of Task Manager). However, I clicked on this link and I could see the suspicious ActualSpy icon (a silhouette of a man wearing a hat), but the name ActualSpy was not beside the icon; instead the name System (32 bit) was displayed. So unless you recognised the icon you would not realise you are being monitored.

image 8.PNG
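The name “System (32 bit)” is itself the giveaway for a defender: the real System process is a kernel process, it is always PID 4, it has no user-mode image path, and it is never a 32-bit (WOW64) process, so anything showing that name with a path under a user profile is masquerading. Below is an added example for this write-up, not part of the lab guide or of ActualSpy, that applies those checks to a snapshot of the process table. The snapshot is constructed (in practice it would come from Get-CimInstance Win32_Process or Get-Process on the client); the PIDs and the path of the disguised process are assumptions.

```python
"""Flag processes that hide behind a Windows system name, as the keylogger did.

Added example for this lab write-up, not part of the lab guide or ActualSpy.
The process snapshot is constructed; PIDs and the spy's path are assumptions.
"""

# Names that legitimately live under C:\Windows; anything borrowing them elsewhere is suspect.
WINDOWS_NAMES = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "winlogon.exe", "explorer.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def suspicious_processes(procs):
    """Each proc is a dict with pid, name, path (None for kernel processes) and wow64 (bool).
    Returns (pid, name, [reasons]) for anything that looks like it is masquerading."""
    flagged = []
    for p in procs:
        name = p["name"].lower()
        path = (p.get("path") or "").lower()
        reasons = []
        if name == "system":
            # the genuine System process: PID 4, no image path, never WOW64
            if p["pid"] != 4 or path or p.get("wow64"):
                reasons.append("claims to be System but is not PID 4 / has an image path / runs as 32-bit")
        elif name in WINDOWS_NAMES and path and not path.startswith("c:\\windows\\"):
            reasons.append("Windows system name but image is outside C:\\Windows")
        if path and not path.startswith(TRUSTED_PREFIXES):
            reasons.append("image runs outside the standard program locations")
        if reasons:
            flagged.append((p["pid"], p["name"], reasons))
    return flagged


# Constructed snapshot: the real System process, two normal processes, and a
# monitoring program presenting itself as "System" from inside the user's profile.
SAMPLE_PROCESSES = [
    {"pid": 4,    "name": "System",      "path": None, "wow64": False},
    {"pid": 812,  "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "wow64": False},
    {"pid": 2140, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe", "wow64": False},
    {"pid": 3316, "name": "System",      "path": r"C:\Users\Admin\AppData\Local\hidden\spy.exe", "wow64": True},
]

if __name__ == "__main__":
    for pid, name, reasons in suspicious_processes(SAMPLE_PROCESSES):
        print(pid, name, "->", "; ".join(reasons))
```

On a real client the snapshot fields map onto the ProcessId, Name and ExecutablePath properties of Win32_Process; the icon alone, as noted above, is not something a user can be expected to recognise, whereas these checks do not depend on it.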

I then opened a Run dialog and wrote in:

\\server.classroom.local

This threw a credential window for me to enter my credentials, because I am not logged in as a domain user but instead as the local machine's admin.

image 9.PNG

I entered in the username Administrator and the appropriate password.

I then created a text document in the client VM, naming it Test and writing some content into this file (as you can see below). Creating extra files is to see if I can identify the username and password that I used when I logged in as Administrator from among the other keystroke events recorded by ActualSpy.

image 10.PNG

I then signed out of the client VM as the CLIENT\local account and signed back in with the CLASSROOM\Administrator account.

I pressed the shortcut Ctrl+Shift+Alt+F8 and this brought up ActualSpy. Looking at the keystroke tab I could see all of the keystrokes I used to sign in as the domain user to access the classroom.local server (see the screenshot below). The username “Administrator” is underlined in blue whilst the password is underlined in red (Note: between the first 2 characters and the next 4 characters there is a shift key, where I used the shift key to make a $ symbol).

image 11.PNG

Below is a close up of the username and password identified by ActualSpy.

image 12.PNG

I then had a look at the other tabs in ActualSpy. I noticed that the Applications tab showed that I had accessed the “Notepad” application on a file named “Untitled”, and then that I opened up the Task Manager after hiding the ActualSpy application to see if it was visible.

image 14.PNG

Whilst in the Screenshots tab I saw that I had taken 9 screenshots whilst ActualSpy was monitoring the client. I also noticed that in the Application and Screenshots the records each showed the username I was using at the time I performed the action.

So for example when I ran the Task Manager I was logged in with the local machine’s Admin account, whereas when I viewed the GTSLABS folder I was logged in as CLASSROOM/Administrator. As the below screenshot shows, the Admin and Administrator usernames are defined.

image 15.PNG

I then closed ActualSpy and signed out of the client VM.

Exercise 2: Cain and Abel

Cain and Abel is a password sniffing program created by Windows.

I signed into the Server VM. I went to Tools->Internet Information Services (IIS) Manager. I then expanded Server (CLASSROOM\Administrator)->Sites and selected Default Web sites.

image 16.PNG

I double clicked on Authentication and disabled the Anonymous Authentication option and enabled Basic Authentication.
image 18.PNG

I then logged into my Client VM with the CLASSROOM/Administrator username and, after going to the Network and Sharing Center, I changed the IPv4 settings of the Ethernet adapter, giving it a static IPv4 address of 10.1.0.10, with a subnet mask of 255.255.255.0 and a default gateway and Preferred DNS Server of 10.1.0.1.

image 19.PNG

The reason why I set the Client to have a static IP address is because the sniffer feature of the Cain and Abel application requires a static IP address on the Ethernet adapter of the device it is sniffing.

I installed the Cain and Abel application by going to the c:\GTSLABS folder and running ca_setup.

image 20.PNG

I did not click to install the WinPcap packet sniffing. After installing Cain and Abel I started it; when I clicked on the desktop shortcut a Windows Firewall warning appeared (as you can see below).

image 21.PNG

I went to Start->Windows Firewall->Turn Windows Firewall on or off link, and I selected all three Turn off Windows Firewall (not recommended) radiobuttons.

image 22.PNG

And then I clicked “OK”. This disabled the Firewall, so now Cain and Abel will be able to run.

Now I ran Cain again and I noticed that there was no Windows Firewall warning; the application opened straight away. I clicked on the “Start sniffer” button and I noticed that there was no adapter listed in the adapter box. Then I thought that I had not restarted the client since setting a static IP address, and that is probably why there was no adapter showing to Cain. So I restarted the client and then started Cain, and this time the adapter was visible (as you can see in the below screenshot).

image 23.PNG

I checked the adapter and IP address, all of which were correct (below is a close up of the IP addresses identified by Cain).

image 24.PNG

I had a look at the tabs showing what Cain can do. I was interested in looking at the ARP (ARP Poison Routing) tab, as you can select to use a real IP address and MAC address or a spoofed IP and MAC address. As we had learned about ARP Poisoning in class recently it was interesting to see Cain could do this.

image 25.PNG

I then closed this Configuration Dialog window, clicked on the “Start sniffing” button and clicked the “OK” button on the Warning window that appeared.

image 26.PNG

I then opened up Internet Explorer and wrote in the URL http://server.classroom.local and then I logged in with the account CLASSROOM\Administrator, making sure I did not save the credentials when logging in.

I then went to the Internet Options dialog and selected the “Delete browsing history on exit” checkbox and clicked “Delete”, and then in the window that appeared I ticked all of the option boxes and clicked “Delete”.

image 27.PNG

Exercise 3: Cracking Windows Passwords

I switched back to my Server VM and in the Internet Information Services (IIS) Manager tool I went to the Authentication options of the default site in the SERVER (CLASSROOM\Administrator) and I disabled the Basic Authentication and enabled Windows Authentication (as the below screenshot shows).

image 28.PNG
I then switched back to my client, opened Internet Explorer, wrote in the URL http://server.classroom.local and entered the username CLASSROOM\Administrator. I initially forgot and tried writing in the NMIT Moodle credentials, but realized and wrote in the classroom.local credentials.

Then I closed the browser and went back to Cain, went to the Sniffer tab and then the Passwords option at the bottom of the Cain window. I then went to the HTTP option and I saw 3 entries.

image 30.PNG

All three of these passwords are decoded and readable because they were entered while Basic Authentication was enabled on the server VM.
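Why Basic Authentication gives the sniffer readable passwords: the header is only base64, not encryption. The check below is an added example (not code from the lab or from Cain) that builds a constructed request like the ones the client sent, then flags whether a passive observer on plain HTTP can recover the credential; the host name and password value are made up for the example.

```python
import base64
import re

def build_basic_request(host, user, password):
    """Construct the request a browser sends after a Basic auth prompt
    (sample data for the example; token is base64 of 'user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: Basic {token}\r\n\r\n")

# Constructed stand-in for the Windows Authentication case: the Negotiate
# token carries no reusable plaintext credential (value is a placeholder).
NEGOTIATE_REQUEST = ("GET / HTTP/1.1\r\nHost: server.classroom.local\r\n"
                     "Authorization: Negotiate PLACEHOLDER_TOKEN\r\n\r\n")

def exposed_basic_credentials(raw_request, over_tls=False):
    """Return (user, password) when a passive sniffer could read them from
    this request, otherwise None.  Basic auth over TLS is safe from a
    sniffer; Basic over plain HTTP is effectively a cleartext password."""
    if over_tls:
        return None  # only ciphertext is visible on the wire
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)\s*$",
                  raw_request, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None  # Negotiate / NTLM / Kerberos: no plaintext to decode
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token, nothing recoverable
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """Map each request to the exposed username (or None) for a quick
    'which of my sites leak Basic credentials over HTTP' report."""
    report = []
    for req in requests:
        creds = exposed_basic_credentials(req)
        report.append(creds[0] if creds else None)
    return report

if __name__ == "__main__":
    basic = build_basic_request("server.classroom.local",
                                "CLASSROOM\\Administrator", "Example$123")
    print(audit([basic, NEGOTIATE_REQUEST]))
```

The mitigation the lab itself demonstrates is switching IIS from Basic to Windows Authentication; requiring TLS for any site that must keep Basic is the other option.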

I then went to the MSKerb5-PreAuth option and saw 2 credential records (shown in the below screenshot), which are from the two login occurrences I did when Windows Authentication was enabled and Basic Authentication was disabled.

image 31.PNG

I then right clicked on one of the MSKerb5-PreAuth records and selected the “Send to Cracker” option. Then I went to the Cracker tab and selected the Kerb5 PreAuth Hashes option in the left hand box. I could see the record I had sent to the cracker.

image 32.PNG

I then right clicked on this Administrator account record and selected the Brute Force Attack option.

image 33.PNG

After starting the Brute Force Attack I noted that the attack’s time remaining value was around 1.1854e+012 years.

image 34.PNG

Because the time for a plain brute force attack is so long, I stopped this brute force attack. I then ticked the Custom radiobutton, wrote in “pPaAsSwWoOrRD05$@” and set the min and max password length to 8. Then I started this custom brute force attack and I noticed the time remaining was now around 8.5-9 hours (the time remaining value constantly changed), which is far less than it was with the plain predefined brute force attack I had attempted before.

image 35.PNG

I then stopped this custom brute force attack and exited. Then I clicked on the LM & NTLM Hashes option in the Cracker tab. Clicking the “Add to List” button, I imported hashes from the local system.

The hashes from the local system include the Admin account.

image 36.PNG

I then right clicked on the Admin account and selected Brute-Force Attack->NTLM Hashes.

image 37.PNG

I noted that when I started the brute force attack on this NTLM hash the time remaining was now 3.3876e+010 years, so this is slightly shorter than the time it takes to perform a brute force attack with the predefined charset on a Kerb5 PreAuth Hash.
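The “time remaining” figures in this exercise and in the custom-charset run above come down to keyspace: charset size raised to the password length, divided by the guess rate. The calculator below is an added example, not part of the lab or of Cain; it backs out the guess rate implied by the 8.5-9 hour estimate for the 17-symbol custom charset (assumed midpoint 8.75 h) and uses that rate to show how quickly length and charset size push the same attack back into years, which is the password-policy lesson for a defender.

```python
import math

# The custom charset typed into Cain in this exercise (17 distinct symbols).
CUSTOM_CHARSET = "pPaAsSwWoOrRD05$@"
LOWERCASE = "abcdefghijklmnopqrstuvwxyz"
PRINTABLE_ASCII = "".join(chr(c) for c in range(0x20, 0x7F))  # 95 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(charset, min_len, max_len):
    """Number of candidates needed to exhaust every length from min_len to
    max_len over the charset (duplicate symbols counted once)."""
    n = len(set(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))

def exhaustive_seconds(charset, min_len, max_len, guesses_per_second):
    """Worst-case wall-clock seconds at a steady guess rate."""
    return keyspace(charset, min_len, max_len) / guesses_per_second

def implied_rate(charset, min_len, max_len, seconds_reported):
    """Guess rate that would make Cain's reported time match the keyspace,
    so different policies can be compared at the same attacker speed."""
    return keyspace(charset, min_len, max_len) / seconds_reported

def compare_policies(custom_hours=8.75):
    """Return (label, keyspace, years) rows at the rate implied by the
    custom-charset run; the 8.75 h anchor is an assumption for the example."""
    rate = implied_rate(CUSTOM_CHARSET, 8, 8, custom_hours * 3600)
    policies = [
        ("custom 17-symbol charset, exactly 8 chars", CUSTOM_CHARSET, 8, 8),
        ("lowercase only, exactly 8 chars", LOWERCASE, 8, 8),
        ("printable ASCII, 1-8 chars", PRINTABLE_ASCII, 1, 8),
        ("printable ASCII, 1-12 chars", PRINTABLE_ASCII, 1, 12),
        ("printable ASCII, 1-16 chars", PRINTABLE_ASCII, 1, 16),
    ]
    return [(label, keyspace(cs, lo, hi),
             exhaustive_seconds(cs, lo, hi, rate) / SECONDS_PER_YEAR)
            for label, cs, lo, hi in policies]

if __name__ == "__main__":
    for label, space, years in compare_policies():
        print(f"{label:45s} {space:>26,d} candidates  ~{years:.3g} years")
```

The custom run only looked cheap because the charset was chosen with the password's own characters in it; an attacker without that knowledge faces the full-charset rows.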

image 38.PNG

After a few minutes I stopped the brute force attack. Then I right clicked on the Admin account again, and this time I selected Cryptanalysis Attack->NTLM Hashes->via RainbowTables (RainbowCrack). I had a look at the cryptanalysis window. A cryptanalysis attack uses a database of hashes called a rainbow table to see if there’s a match with the hash; if there is a match then the password is decodable.

image 40.PNG

This lab does not require us to run the cryptanalysis attack on the NTLM hash, so I just exited it. I have now completed lab 7, so I will now revert my VMs.