Group:
Simon Arndal, David Herreborg and Georgi Petrov
Status 08/11-2010
Today we have been looking into Snort and its rules, more specifically how to prevent the Metasploit exploit demonstrated earlier.
Furthermore, we have agreed on the scenario for how the "intruder" obtains information such as the username and password needed for the exploit against the target, Apache Tomcat Manager. This is now decided and will be part of the final presentation.
The day after tomorrow, the 10th of November 2010, we will be doing the next demonstration, covering how to prevent the mentioned exploit.
As a start for this we used Wireshark to sniff which packets were sent from the intruder to the Tomcat server machine.
Below, a screenshot of the Wireshark packet capture is shown.
Timeline (PROGRESS):
Done so far:
--> 27/10-2010 <--
- Hardware requirements fulfilled (except one missing NIC)
- Required software installed (open source programs used)
- pfSense installed (Router/firewall software)
- Apache and MySQL are up and running (Webserver and Database)
- phpMyAdmin installed and works (Graphical User Interface for the MySQL database)
- HSLAB HTTP Monitor Lite installed (Apache monitoring software)
- Set up HSLAB HTTP Monitor Lite.
- Done research on Snort, and on Snort together with pfSense.
- Presentation of work so far and basic idea. --> at 09:56
--> 28/10-2010 <--
- Network interface card has been inserted to the pfSense PC.
- Presentation of the progress and the setup of "Caps WebDesign" --> at 12:23
- Find another solution for monitoring the Apache server traffic internally (Simon)
- Make the Apache and MySQL more reliable (Simon)
--> 01/11-2010 <--
- Add rules to the Snort IPS system (Common task)
- Decide on whether pfSense is the right system for us to use (Common task)
- Add a Network Interface Card to the pfSense machine (David)
- Install Snort package for pfSense (Georgi)
- Set up Weblog Expert Lite (software that replaces HSLAB); it is working.
--> 01/11-2010 <--
- We have chosen to move on with pfSense and Snort together.
- Get Snort to work properly
--> 02/11-2010 <--
- Tested where Snort was placed in the setup (before the firewall)
- Figured out how the blocking function operates (update time)
- Proved that the setup is now reliable
--> 03/11-2010 <--
- Demonstration of the progress 09:05
- Search for common server vulnerabilities
- Search for Metasploit exploits
- Find interesting Metasploit exploits
--> 05/11-2010 <--
- Installed the Apache Tomcat web server version 5.5
- Find out what Metasploit is
- Found a Metasploit exploit and tested it with success
--> 08/11-2010 <--
- Become more familiar with the exploits and carry out more tests.
- Agree on a concept we want to use related to the intruder's social engineering part
- Test and detect with Snort.
- Set up/make a social engineering concept for the "CapDesign".
- Set up an internal mail server as a part of the SE concept.
- Sent a fake mail containing a link with bad stuff.
Demonstration:
- The 9th of November 2010
- About how to prevent the exploit demonstrated last time (Apache Tomcat Manager... exploit)
The first thing I noticed was the amount of broken packages in wireshark. Apparently the exploit does do correct TCP checksums. That is odd.