Video of exploit attack performed:
Video of the exploit discovered by host-based :
Video of PHP e-mail trick site:
onsdag den 17. november 2010
fredag den 12. november 2010
Project ITS (IDS/IPS Setup) 10
Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 12/11-2010
Today it has been a bumpy ride through one dead end after the other. We tried to get php running on the tomcat 5.5 web server and changed, moved and inserted directory and files, modified any little possible thing. Uninstalled and re-installed again to get it working. Unfortunately we had to come up with an alternative solution in the end. The last and final presentation/demonstration will be delivered today with a system working in many ways. Maybe not all together but separate parts of it will work individually.
F Secure is antivirus software which has been installed on tomcat 5.5 machine. The reason why we chose this specific approach is because of the troubles we encountered with snort and its rules. Actually this piece of software is very aggressive and able to detect the exploit very fast and block it. Therefore this is a alternative to the complex snort, which we not so far has been able to find any rule which can actually prevent the exploit.
Timeline (PROGRESS):
Done so far:
--> 27/10-2010 <--
- Hardware requirements fullfilled (except one missing NIC)- Software required installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research about snort + snort together with pfSense.
- Presentation of work so far and basic idea. --> kl. 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
--> 01/11-2010 <--- Add rules to the snort IPS system (Common task)
- Decide on whether pfSense is the right system for us to use (Common task)- Add a Network Interface Card to the pfSense machine (David)
- Install snort package for pfSense (Georgi)
- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.
--> 01/11-2010 <--
- We have chosen to move on with pfSense and Snort together.
- Get snort to work probberaly
-->02/11-2010<--
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
-->03/11-2010<--
- Demonstration of the progress 09:05
- Search for common server vulnerbilities
- Search for metasploits
- Find interesting metaspoilts
-->05/11-2010<--
- Installed the Apache Tomcat web server version 5.5
- Find out what is metasploit
- Found a metasploit and tested with succes
-->08/11-2010<--
- Become more familiar with the exploits and cary out more tests.
- Agree of a concept we want to use realted to the intruders social engineering part
-->10/11-2010<--
- Encountered troubles with snort and its rules setup
- Decided on a alternative prevention technique involving the software FSecure
- Installed FSecure software on Apache Tomcat Machine
- Did capturing of the different stages of the system
- Decided on the social engineering concept
- Set up a internal mail server
- Tested mail server with a PHP trick script containing a mail formular
- Went through a shit load of toturials and tried to get php running on the tomcat webserver.
- Installed F secure on the tomcat machine
- Prepared demonstration
- adjusted the "CapDesign" concept
- Try different methods of using the Apache Tomcat exploit (eg. retrieve data)
- Prepare the final demonstration (The Director's Cut)
Demonstration:
- The 12th of November 2010
- Final result of the project. A guided journey through our well-done project containing both good and bad stories.
onsdag den 10. november 2010
Project ITS (IDS/IPS Setup) 9
Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 10/11-2010
Timeline (PROGRESS):
Done so far:
--> 27/10-2010 <--
- Hardware requirements fullfilled (except one missing NIC)- Software required installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research about snort + snort together with pfSense.
- Presentation of work so far and basic idea. --> kl. 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
--> 01/11-2010 <--- Add rules to the snort IPS system (Common task)
- Decide on whether pfSense is the right system for us to use (Common task)- Add a Network Interface Card to the pfSense machine (David)
- Install snort package for pfSense (Georgi)
- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.
--> 01/11-2010 <--
- We have chosen to move on with pfSense and Snort together.
- Get snort to work probberaly
-->02/11-2010<--
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
-->03/11-2010<--
- Demonstration of the progress 09:05
- Search for common server vulnerbilities
- Search for metasploits
- Find interesting metaspoilts
-->05/11-2010<--
- Installed the Apache Tomcat web server version 5.5
- Find out what is metasploit
- Found a metasploit and tested with succes
-->08/11-2010<--
- Become more familiar with the exploits and cary out more tests.
- Agree of a concept we want to use realted to the intruders social engineering part
-->10/11-2010<--
- Encountered troubles with snort and its rules setup
- Decided on a alternative prevention technique involving the software FSecure
- Installed FSecure software on Apache Tomcat Machine
- Did capturing of the different stages of the system
- Decided on the social engineering concept
- Set up a internal mail server
- Tested mail server with a PHP trick script containing a mail formular
- Try different methods of using the Apache Tomcat exploit (eg. retrieve data)
- Prepare the final demonstration (The Director's Cut)
Demonstration:
- The 12th of November 2010
- Final result of the project. A guided journey through our well-done project containing both good and bad stories.
mandag den 8. november 2010
Project ITS (IDS/IPS Setup) 8
Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 08/11-2010
Today we have been looking into snort and its rules and more specific how to prevent against the earlier demonstrated metasploit.
Furthermore we have agreed about the scenario how this "intruder" should get out information such as "username and password" for the exploit attack with the target, Apache Tomcat Manager. This is now decided and will be a part of the last presentation.
The day after tomorrow, the 10th of November 2010, we will be doing the next demostration containing how to prevent the mentioned exploit.
As a start for this we used wireshark to sniff what packages there were sent from the intruder to the tomcat server machine.
Below a screenshot of the wireshark packages are shown
Timeline (PROGRESS):
Done so far:
--> 27/10-2010 <--
- Hardware requirements fullfilled (except one missing NIC)- Software required installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research about snort + snort together with pfSense.
- Presentation of work so far and basic idea. --> kl. 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
--> 01/11-2010 <--- Add rules to the snort IPS system (Common task)
- Decide on whether pfSense is the right system for us to use (Common task)- Add a Network Interface Card to the pfSense machine (David)
- Install snort package for pfSense (Georgi)
- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.
--> 01/11-2010 <--
- We have chosen to move on with pfSense and Snort together.
- Get snort to work probberaly
-->02/11-2010<--
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
-->03/11-2010<--
- Demonstration of the progress 09:05
- Search for common server vulnerbilities
- Search for metasploits
- Find interesting metaspoilts
-->05/11-2010<--
- Installed the Apache Tomcat web server version 5.5
- Find out what is metasploit
- Found a metasploit and tested with succes
-->08/11-2010<--
- Become more familiar with the exploits and cary out more tests.
- Agree of a concept we want to use realted to the intruders social engineering part
- Test and detect with snort.
- Setup/Make a social engnieering concept for the "CapDesign".
- Set up a internal mail server as a part of the SE concept.
- Sent a fake-mail containing a link with bad stuff.
Demonstration:
- The 9th of November 2010
- About how to prevent against the exploit demonstrated last time (Apache Tomcat Manager... exploit)
fredag den 5. november 2010
Project ITS (IDS/IPS setup) 7
Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 2/11-2010
Today we have been looking into metasploit and the different possibilities to do some exploits against the Apache web server. Apache Tomcat server 5.5 have been downloaded and installed together with java virtual environment that was required for the web server to run.
Testing the metasploit.
A couple of tests was preformed with the metasploit we found to be interesting. We were able to open a shell on the web server machine and excute commands directly on the PC. During the demonstration we made the webserver shutdown. To put it breifly, we now own the machine.
Below a screenshot of the metasploit used.
Timeline (PROGRESS)
Done so far:
--> 27/10-2010 <--
- Hardware requirements fullfilled (except one missing NIC)
- Software required installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research about snort + snort together with pfSense.
- Presentation of work so far and basic idea. --> kl. 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23
--> 01/11-2010 <--
- Add rules to the snort IPS system (Common task)
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
- Add a Network Interface Card to the pfSense machine (David)
- Install snort package for pfSense (Georgi)
- Install snort package for pfSense (Georgi)
- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.
--> 01/11-2010 <--
- Add rules to the snort IPS system (Common task)
- Decide on whether pfSense is the right system for us to use (Common task)
- We have chosen to move on with pfSense and Snort together.
- Get snort to work probberaly-->02/11-2010--<
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
-->03/11-2010--<
- Demonstration of the progress 09:05
- Search for metasploits
-->05/11-2010--<
- Installed the Apache Tomcat web server version 5.5
- Found a metasploit and tested with succes
- Demonstration was performed using the metasploit
What to do: (new tasks: output in green) for the 5th of November 2010
- Become more familiar with the exploits and cary out more tests.
- Setup/Make a social engnieering concept for the "CapDesign".
- Test and detect with snort.
- Find out what rules should be added to snort for alerting and blocking apache-webserver intrusion. (Gerogi)
- Search for common server vulnerbilities (Georgi,Simon)
- Find out what is metasploit (Common task)
- Find interesting metaspoilts (Common task)
What to do (future events):
- Demonstration 9/11-2010
- Do penetration testing with metasploit. (Common task)
onsdag den 3. november 2010
Project ITS (IDS/IPS Setup) 6
Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 3/11-2010
A presentation of the system (working for now) were performed. And what is working now is that we have the pfSense machine running as a gateway and DHCP server. It has two interfaces (wan and lan -> red and green interfaces). Externally we have an "intruder" pc and internally we have a pc running windows (containing apache and mysql server, which are going to be compromised later on).
Additionally we have a network administrator on the green interface. Both the server pc and the admin pc is hooked up to a router, which configuration has been modified to be operating as a switch internally.
Below a block diagram of the lastest working system is shown
Timeline (PROGRESS)
Done so far:
-->02/11-2010--<
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
-->03/11-2010--<
- Presentation of the progress --> kl. 09:05
- Search of Metasploits
What to do: (new tasks: output in green) for the 2nd of November 2010
Simon Arndal, David Herreborg and Georgi Petrov
Status 3/11-2010
A presentation of the system (working for now) were performed. And what is working now is that we have the pfSense machine running as a gateway and DHCP server. It has two interfaces (wan and lan -> red and green interfaces). Externally we have an "intruder" pc and internally we have a pc running windows (containing apache and mysql server, which are going to be compromised later on).
Additionally we have a network administrator on the green interface. Both the server pc and the admin pc is hooked up to a router, which configuration has been modified to be operating as a switch internally.
Below a block diagram of the lastest working system is shown
As well the lessons today were used to start up report writing and searching for metasploits, which is what we will focus at in the upcomming lessons.
Furthermore the content of the demonstration friday were discussed and agreed.Timeline (PROGRESS)
--> 27/10-2010 <--
- Hardware requirements fullfilled (except one missing NIC)
- Software required installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research about snort + snort together with pfSense.
- Presentation of work so far and basic idea. --> kl. 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23
--> 01/11-2010 <--- Add rules to the snort IPS system (Common task)
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
- Add a Network Interface Card to the pfSense machine (David)
- Install snort package for pfSense (Georgi)
- Install snort package for pfSense (Georgi)
- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.
--> 01/11-2010 <--
- Decide on whether pfSense is the right system for us to use (Common task)
- We have chosen to move on with pfSense and Snort together.
- Get snort to work probberaly-->02/11-2010--<
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
-->03/11-2010--<
- Presentation of the progress --> kl. 09:05
- Search of Metasploits
- Find out what rules should be added to snort for alerting and blocking apache-webserver intrusion. (Gerogi)
- Search for common server vulnerbilities (Georgi,Simon)
- Find out what is metasploit (Common task)
- Find interesting metaspoilts (Common task)
What to do (future events):
- Do penetration testing with metasploit. (Common task)
- Write on the report
Presentation(s):
Upcomming presentation: 5th of November 2010
About: Metasploit v. 0.1
tirsdag den 2. november 2010
Project ITS (IDS/IPS Setup) 5
Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 2/11-2010
Today we were suposed to do a presentation and an demostration of the work and progress so far. Unfortunately we ran in to some small problems which actually made the P and D worthless. We found that Snort actually is located before the firewall. Clearing the block list and alerts, made it posible to continueing testing without rebooting. (a problem we were wondering how to fix).
Testing with ping.
Simplyfing the setup by deleting IDS interface in the snort interface. Eventually it does not change anything in the performance it still blocks and alerts.
Discovered that there exsist a "time gap" of the updating of blocked list. This means that it will take up to ten minutes before the "pinger" will be blocked after it apears on the block list in the web GUI.
Timer func. in snort (blocked-list)
Furthermore we will prepare the demonstration decided for tomorrow the 03/11-2010.
Timeline (PROGRESS)
Done so far:
-->02/11-2010--<
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
What to do: (new tasks: output in green) for the 2nd of November 2010
Simon Arndal, David Herreborg and Georgi Petrov
Status 2/11-2010
Today we were suposed to do a presentation and an demostration of the work and progress so far. Unfortunately we ran in to some small problems which actually made the P and D worthless. We found that Snort actually is located before the firewall. Clearing the block list and alerts, made it posible to continueing testing without rebooting. (a problem we were wondering how to fix).
Testing with ping.
Simplyfing the setup by deleting IDS interface in the snort interface. Eventually it does not change anything in the performance it still blocks and alerts.
Discovered that there exsist a "time gap" of the updating of blocked list. This means that it will take up to ten minutes before the "pinger" will be blocked after it apears on the block list in the web GUI.
Timer func. in snort (blocked-list)
Furthermore we will prepare the demonstration decided for tomorrow the 03/11-2010.
Timeline (PROGRESS)
Done so far:
--> 27/10-2010 <--
- Hardware requirements fullfilled (except one missing NIC)
- Software required installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research about snort + snort together with pfSense.
- Presentation of work so far and basic idea. --> kl. 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23
--> 01/11-2010 <--- Add rules to the snort IPS system (Common task)
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
- Add a Network Interface Card to the pfSense machine (David)
- Install snort package for pfSense (Georgi)
- Install snort package for pfSense (Georgi)
- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.
--> 01/11-2010 <--
- Decide on whether pfSense is the right system for us to use (Common task)
- We have chosen to move on with pfSense and Snort together.
- Get snort to work probberaly-->02/11-2010--<
- Tested where the snort was placed in the setup. (before the firewall)
- Figured out how the blocked function operates (update time)
- Proved that the setup is now reliable
What to do: (new tasks: output in green) for the 2nd of November 2010
- Find out what rules should be added to snort for alerting and blocking apache-webserver intrusion. (Gerogi)
- Search for common server vulnerbilities (Georgi,Simon)
- Find out what is metasploit (Common task)
- Find interesting metaspoilts (Common task)
What to do (future events):
- Demonstration 3/11-2010
- Do penetration testing with metasploit. (Common task)
mandag den 1. november 2010
Project ITS (IDS/IPS setup) 4
Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 1/11-2010
Today we focus on testing the snort setup and try to make "some" alerts appear in the "Alerts"-section.
Furthermore we will prepare a demonstration the 03/11-2010.
Done today:
The setup is the same as the earlier, but with small differences in the areares of how snort works now.
There have been added another snort interface on the WAN-side with the "Block"-option disabled.
This basically means that we have added an IDS system, which alerts instead of just blocking.
The troubles we have had untill now was that the "Block"-option have been enabled from the start. This enabling turns the snort interface into an IPS, which doesn't alert, but only blocks.
Screenshot of the new snort interface setup:
Screenshot of the alerts:
Screenshot of the alerts:
Timeline (PROGRESS)
Done so far:
--> 27/10-2010 <--
- Hardware requirements fullfilled (except one missing NIC)
- Software required installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research about snort + snort together with pfSense.
- Presentation of work so far and basic idea. --> kl. 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> kl. 12:23
--> 01/11-2010 <--
- Add rules to the snort IPS system (Common task)
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
- Add a Network Interface Card to the pfSense machine (David)
- Install snort package for pfSense (Georgi)
- Install snort package for pfSense (Georgi)
- Setup Weblog Expert Lite (Software that replaces the HSLAB) and it is working.
--> 01/11-2010 <--
- Decide on whether pfSense is the right system for us to use (Common task)
- We have chosen to move on with pfSense and Snort together.
- Get snort to work probberalyWhat to do: (new tasks: output in green) for the 2nd of November 2010
- Find out what rules should be added to snort for alerting and blocking apache-webserver intrusion. (Gerogi)
- Search for common server vulnerbilities (Georgi,Simon)
- Find out what is metasploit (Common task)
- Find interesting metaspoilts (Common task)
What to do (future events):
- Do penetration testing with metasploit. (Common task)
Abonner på:
Opslag (Atom)