SY110 - Lab

Computer Network Defense

Learning Outcomes

After completing these activities you should be able to:

  • Articulate the risks associated with utilizing vulnerable software and describe potential risk management controls
  • Explain the purpose of logging in computer network defense and incident response/recovery
  • Disable vulnerable services
  • Describe the application of various security solutions (encryption, firewalls)
  • Describe the applicability of zero day exploits in a given risk environment
  • Utilize emerging cyber technologies to reinforce student learning




Overview

Over the last two labs, you performed reconnaissance against a target, then launched an attack against it, ultimately allowing you to steal information from your victim. In this lab, you will analyze your attack from a defensive perspective in order to protect against it. In keeping with our notional pen test scenario, part of your job is to debrief your findings to the victim, so they know how to protect against similar attacks in the future.


Resources

You will primarily use Blackboard and the vSphere Client for this lab. You may also wish to review previous course lessons, such as File Systems and Hierarchies, Operating System Shells and Permissions, and Hashing, Passwords, and Authentication.

You will review the screenshots below when directed in the lab.


Reviewing Security Logs

These screenshots were pulled from (1) a Wireshark capture of network traffic, (2) the /var/log/vsftpd.log file, which holds vsftpd logging information, and (3) the /var/log/auth.log file, which holds SSH logging information. NOTE: The target and Kali IP addresses may look slightly different from your group's, but you should be able to recognize which machine is the target and which is the attacker based on the steps you performed last week. It looks like this attacker created a user named motherb.
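As an added example (not part of the lab materials), the script below shows how the auth.log evidence above can be checked programmatically rather than by eye: it counts failed SSH logins per source address, records accepted logins, and flags any account created during the window that then logs in from a source with repeated failures. The log lines are constructed for this example; the hostname "target", the user "labuser" and the attacker address 10.0.0.5 are placeholders, while the useradd event mirrors the motherb account creation described above.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not taken from the lab screenshots).
# "target", "labuser" and the attacker address 10.0.0.5 are placeholders.
SAMPLE_AUTH_LOG = """\
Mar  4 13:02:11 target sshd[2210]: Failed password for invalid user admin from 10.0.0.5 port 45812 ssh2
Mar  4 13:02:14 target sshd[2210]: Failed password for root from 10.0.0.5 port 45812 ssh2
Mar  4 13:02:16 target sshd[2210]: Failed password for root from 10.0.0.5 port 45812 ssh2
Mar  4 13:02:19 target sshd[2215]: Accepted password for labuser from 10.0.0.5 port 45830 ssh2
Mar  4 13:03:02 target useradd[2240]: new user: name=motherb, UID=1002, GID=1002, home=/home/motherb, shell=/bin/bash
Mar  4 13:03:30 target sshd[2255]: Accepted password for motherb from 10.0.0.5 port 45851 ssh2
"""

# sshd and useradd message formats as written to auth.log on Debian/Ubuntu systems.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")

def analyze_auth_log(text):
    """Summarize failed logins per source IP, accepted logins, and accounts created."""
    failed = Counter()
    accepted = []
    created = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(2), m.group(3)))
            continue
        m = NEW_USER.search(line)
        if m:
            created.append(m.group(1))
    return {"failed_by_ip": dict(failed), "accepted": accepted, "created": created}

def suspicious_accounts(summary, threshold=3):
    """Accounts created in this log window that later log in from a source IP
    with `threshold` or more failed attempts: the pattern seen in the lab's attack."""
    noisy = {ip for ip, n in summary["failed_by_ip"].items() if n >= threshold}
    return [u for u in summary["created"]
            if any(user == u and ip in noisy for user, ip in summary["accepted"])]

if __name__ == "__main__":
    summary = analyze_auth_log(SAMPLE_AUTH_LOG)
    print(summary)
    print("new accounts tied to a source with repeated failed logins:", suspicious_accounts(summary))
```

Run it against a real auth.log with `analyze_auth_log(open("/var/log/auth.log").read())`; a new account whose first login comes from the same address that was just failing passwords is exactly the sequence the screenshots document.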




Risk Management and Securing Services - Service #2: SSH

The screenshot below shows the default configuration for the target's SSH service, as given in the file /etc/ssh/sshd_config (many services place their configuration files in the /etc directory).





Risk Management and Securing Services - Service #3: TELNET

From our active reconnaissance, we identified numerous services running on the target system; see nmap scan results below.




If you tried to connect to the target using telnet (the syntax would be telnet {target_IP}), you would have received the following welcome banner. Look very closely - it includes a username and password combination!