Question
Part 1: Exploiting Metasploitable 2
Estimated time of completion: 1-2 hours
Scenario: An anti-virus application has revealed malicious content on a web application server (Metasploitable 2). It has since been rolled back to a previous state. Secure it by configuring it with Snort Intrusion Detection System.
Intrusion detection systems operate both on hosts (HIDS) and on the network (NIDS).
In a networked environment it is important to monitor the traffic to and from host machines and network devices. This is done to implement policies such as the prevention of specific types of traffic. By doing this, logs and records are also created and stored. In the event of a compromise the business is able to assess the traffic and gather evidence in what is known as incident response. Incident response assesses the damage of the attack, assesses what mitigations can be made to prevent the attack from occurring again, and gathers evidence to potentially locate the attacker and prosecute. Incident response would be very limited without logging tools such as Wireshark packet capture or Snort IDS. As such it is pertinent to employ tools of this nature on the network at key locations.
Note: There are multiple correct answers for signatures. Discretion must be used to determine if the signatures chosen represent the best cases. That is, they present few false positives, and few false negatives.
Resource List:
Exploiting Metasploitable 2 Video Series
https://www.youtube.com/user/japtron/playlists
Additional Resources:
Metasploitable 2 Exploitability Guide
https://community.rapid7.com/docs/DOC-1875
Instructions: Conduct the following attacks shown in the Metasploitable 2 Video Series. For each attack have Metasploitable 2’s Snort IDS active and monitor with Wireshark on Kali Linux. Once the exploit is successfully delivered, stop both services and assess the network traffic.
Deliverables: For each exploit report in a well-documented format using screenshots and brief descriptions:
Identify a unique signature of the attack. Reference where this identifier was found.
Hint: This may also involve researching the exploit.
Write a Snort rule to alert on this signature.
Test the rule and show screenshots of it successfully alerting on the exploit.
#1 Exploit PHP CGI Argument Injection
https://www.youtube.com/watch?v=UMuOcK0OfX0&list=PLqqHkrcrifGwB1srk1ASOIVXtjuY2gUs3&index=3
#2 Exploit Java RMI Server – Java Code Injection
https://www.youtube.com/watch?v=gapn_pKPyos&index=5&list=PLqqHkrcrifGwB1srk1ASOIVXtjuY2gUs3
#3 Exploit DRuby Distributed Ruby Code Execution
https://www.youtube.com/watch?v=0OxvA66rIUo&index=4&list=PLqqHkrcrifGwB1srk1ASOIVXtjuY2gUs3
Part 2: Writing File Based Signatures
Estimated time of completion: 30 minutes
Scenario: Organizations may often wish to prevent or be alerted to specific types of files being sent over their network. This can be for the purpose of identifying potential exploits or malware entering the network, such as executables, DLL files or self-extracting archive files, or of identifying potential exfiltration of company data in .zip or other archive/compressed files. File types can be identified by file signatures often referred to as Magic Numbers. These magic numbers can sometimes uniquely represent that file type and are often located near the beginning of the file, but can be at an offset depending on the type of file. This is notably the case for archive, compressed or encrypted files.
Instructions: Research the following files’ magic numbers and their location in the file. Keep in mind that some file types may have multiple magic numbers based on what is done to that file, such as compression type or degree, or whether the file is self-encrypted or converted to a self-extracting file, etc.
Deliverables: Write rules for each of the following file types which specify an exact location within the file where the magic number would be found, such that the Snort IDS minimizes performance requirements and minimizes false indicators.
#1 DLL File
#2 TAR File
#3 Zip File
#4 PKSFX (Self-extracting archive) File
Part 3: Writing Protocol Based Signatures
Estimated time of completion: 20 minutes
Scenario: Protocols similarly represent a threat to the network. Some more so than others. Examples of such would be remote desktop protocols or unauthorized encrypted traffic. These protocols may also allow attackers to conduct reconnaissance on the internal network if allowed to interact with specific systems.
Instructions: Research unique indicators that can be used to write rules for the following protocols. Some protocols may require more than just a port number to be appropriately identified or distinguished from other protocols over the network.
Deliverables: Write rules for each of the following protocols and reference these indicators.
Note: Some protocols may require multiple rules such as content based, protocol based or variations.
#1 SSH
#2 RDP
#3 SMB
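Added example for Part 2 (written for this page, not code from the question or the answer): a Python checker that tests each magic number at its documented offset, walks the PE header to tell a DLL from a plain EXE or a PKSFX extractor stub, and renders the fixed-offset checks as Snort content/offset/depth matches. The PE image it constructs is synthetic, and the rule header (alert tcp any any -> $HOME_NET any) and sid values are assumptions.

```python
import struct

# Fixed-offset magic numbers, from the public format specs (added example).
# Entry: (type, byte offset of the magic within the file, magic bytes).
FIXED_MAGIC = [
    ("zip", 0, b"PK\x03\x04"),  # local file header of the first archive entry
    ("tar", 257, b"ustar"),     # POSIX ustar magic, after the 257-byte name/mode/owner/size/time/cksum fields
    ("pe", 0, b"MZ"),           # DOS stub shared by EXE, DLL and PKSFX self-extractors
]
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a PE image as a DLL

def pe_is_dll(data: bytes) -> bool:
    """Follow e_lfanew (offset 0x3C) to the PE header and test the DLL flag."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return False
    # Characteristics is the last field of the 20-byte COFF header (PE signature + 22).
    return bool(struct.unpack_from("<H", data, pe_off + 22)[0] & IMAGE_FILE_DLL)

def identify(data: bytes) -> str:
    """Return 'zip', 'tar', 'dll', 'pksfx', 'exe' or 'unknown' from the magic numbers."""
    for name, off, magic in FIXED_MAGIC:
        if data[off:off + len(magic)] != magic:
            continue
        if name != "pe":
            return name
        if pe_is_dll(data):
            return "dll"
        # PKSFX = PE extractor stub with a zip archive appended, so the zip magic sits at a variable offset.
        return "pksfx" if b"PK\x03\x04" in data[2:] else "exe"
    return "unknown"

def snort_rule(name: str, off: int, magic: bytes, sid: int) -> str:
    """Render a fixed-offset check as a Snort content match: offset/depth bound the search to
    exactly len(magic) bytes of the inspected buffer (reassemble the stream for non-zero offsets)."""
    hexmagic = " ".join(f"{b:02X}" for b in magic)
    return (f'alert tcp any any -> $HOME_NET any (msg:"FILE {name} magic number"; '
            f'content:"|{hexmagic}|"; offset:{off}; depth:{len(magic)}; sid:{sid}; rev:1;)')

def make_pe(dll: bool) -> bytes:
    """Constructed minimal PE image (not a real binary): MZ header with e_lfanew -> 0x80."""
    img = bytearray(0x80 + 24)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x80 + 22, IMAGE_FILE_DLL if dll else 0x0002)
    return bytes(img)
```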
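Added example for Part 3 (written for this page, not code from the question or the answer): payload-content checks that identify SSH, RDP and SMB independently of the port, using the SSH identification string (RFC 4253), the TPKT/X.224 Connection Request that opens an RDP session, and the SMB1/SMB2 protocol id behind the NetBIOS session header (MS-CIFS/MS-SMB2). The sample payloads are constructed, not captured traffic.

```python
# Protocol indicators that do not depend on the destination port (added example;
# constants from RFC 4253, ITU-T T.123/X.224 and MS-CIFS/MS-SMB2).

def is_ssh(payload: bytes) -> bool:
    """SSH version exchange: the first line from either side is 'SSH-<protover>-<software>' CR LF."""
    return payload.startswith(b"SSH-") and b"\r\n" in payload[:255]

def is_rdp_connection_request(payload: bytes) -> bool:
    """RDP opens with a TPKT header (version 3, reserved 0) carrying an X.224 Connection
    Request TPDU, whose code byte 0xE0 follows the one-byte length indicator."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    return 11 <= tpkt_len <= len(payload) and payload[5] == 0xE0

def smb_dialect(payload: bytes):
    """SMB over direct TCP: 4-byte NetBIOS session header (type 0x00, 3-byte length),
    then protocol id 0xFF 'SMB' for SMB1 or 0xFE 'SMB' for SMB2/3."""
    if len(payload) < 8 or payload[0] != 0x00:
        return None
    if int.from_bytes(payload[1:4], "big") != len(payload) - 4:
        return None
    return {b"\xffSMB": "smb1", b"\xfeSMB": "smb2"}.get(payload[4:8])

def classify(payload: bytes) -> str:
    """Name the protocol from content alone, so a service moved off its usual port is still recognised."""
    if is_ssh(payload):
        return "ssh"
    if is_rdp_connection_request(payload):
        return "rdp"
    return smb_dialect(payload) or "unknown"

# Constructed sample payloads (not captured traffic).
def build_rdp_cr(cookie: bytes) -> bytes:
    """X.224 CR with an mstshash cookie and an RDP negotiation request, wrapped in TPKT."""
    tpdu = b"\xe0\x00\x00\x00\x00\x00" + cookie + b"\x01\x00\x08\x00\x03\x00\x00\x00"
    tpdu = bytes([len(tpdu)]) + tpdu                       # X.224 length indicator
    return b"\x03\x00" + (4 + len(tpdu)).to_bytes(2, "big") + tpdu

def build_smb2_negotiate() -> bytes:
    """64-byte SMB2 header (StructureSize 0x40, command 0 = NEGOTIATE) behind a NetBIOS header."""
    hdr = b"\xfeSMB" + b"\x40\x00" + bytes(58)
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr
```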
Explanation / Answer
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.swing.JOptionPane;
import javax.swing.UIManager;

/**
 * Toy signature scanner. Each line of the definition file has the form
 * "<lineNumber>/<pattern>", meaning "pattern must appear on line lineNumber
 * of the scanned file". The file is flagged only if every pattern matches.
 */
class AntivirusAlgoInJava {
    int count = 0;   // current line number in the scanned file
    int size = 0;    // number of signature lines loaded
    int occur = 0;   // number of signature lines that matched
    // key: line number (as text), value: pattern expected on that line
    Map<String, String> hashMap = new HashMap<>();

    void readPattern(String filename) throws IOException {
        int i = 0;
        try (BufferedReader br = new BufferedReader(new FileReader(filename))) {
            String line;
            while ((line = br.readLine()) != null) {
                int sep = line.indexOf('/');
                if (sep < 0) {
                    // A line without a separator used to throw StringIndexOutOfBounds,
                    // which the old catch block swallowed, silently losing all definitions.
                    System.err.println("Skipping malformed definition: " + line);
                    continue;
                }
                hashMap.put(line.substring(0, sep), line.substring(sep + 1));
                ++i;
            }
        }
        size = i;
    }

    void searchVirus(String file) throws IOException {
        count = 0;   // reset so the scanner can be reused for several files
        occur = 0;
        try (BufferedReader br = new BufferedReader(new FileReader(file))) {
            String line;
            while ((line = br.readLine()) != null) {
                count++;
                String virus = hashMap.get(String.valueOf(count));
                if (virus != null && line.contains(virus)) {
                    occur++;
                }
            }
        }
        // Only report when definitions were loaded; size == occur == 0 is not a detection.
        if (size > 0 && size == occur) {
            JOptionPane.showMessageDialog(null, "Error", "Virus Detected ", JOptionPane.ERROR_MESSAGE);
        } else {
            JOptionPane.showMessageDialog(null, "Clean File", "No Virus Found ", JOptionPane.INFORMATION_MESSAGE);
        }
    }

    public static void main(String... s) {
        try {
            for (UIManager.LookAndFeelInfo info : UIManager.getInstalledLookAndFeels()) {
                if ("Nimbus".equals(info.getName())) {
                    UIManager.setLookAndFeel(info.getClassName());
                    break;
                }
            }
        } catch (Exception ex) {
            // Nimbus is optional; fall back to the default look and feel.
        }
        try {
            AntivirusAlgoInJava fr = new AntivirusAlgoInJava();
            fr.readPattern("Virusdefinitions.txt");
            fr.searchVirus("CORE JAVA.docx");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}