A&D of Network Security - Lab 14

tags: Practicum of A&D of NS NTU

Video

Class Description
Lab Implementation

Background

  • Snort rule
    • Format
    • Action
    • Option
    • Option - Payload
    :::spoiler Rule Screenshot :::

Lab

Lab 1: Packet sniffer mode: show the result of sniffing ICMP packets

Command:

$ sudo snort -vd -i eth0 -q icmp

-v prints the decoded packet headers, -d additionally dumps the application-layer payload, -q suppresses the startup banner and statistics, and the trailing icmp is a BPF filter so that only ICMP traffic is printed (without it Snort prints every packet on eth0 and the ping traffic is buried). Generate the traffic with a ping from the other VM.

:::spoiler Result Screenshot :::


Lab 2: The attacker performs an SSH brute-force attack; use Snort to detect whether the attack occurred, show the detection result, and explain the Snort rule

Threat Model

  • The attacker runs an SSH brute-force (password-guessing) attack against the victim VM, which runs Snort
  • We need to write a rule that detects the attacker's SSH brute-force attempts

Lab Process

  1. Set up the environment (Host-Only network)
    • Kali-Linux 1 (Attacker) - 192.168.56.129 :::spoiler Result Screenshot :::
    • Kali-Linux 2 (Victim, runs Snort and sshd) - 192.168.56.104 :::spoiler Result Screenshot :::
  2. Write the rule and test it in the victim VM. Command:
     $ sudo vim /etc/snort/rules/local.rules
    
     # Insert the rule below in this file
     alert tcp any any -> any 22 ( msg:"SSH Brute Force Attempt"; flow:established,to_server; content:"SSH"; nocase; offset:0; depth:4; detection_filter:track by_src, count 2, seconds 1; sid:1000001; rev:1;)
    
     Rule explanation:
     • alert tcp any any -> any 22: the action is alert, for TCP from any source address/port to any host on destination port 22.
     • flow:established,to_server: only inspect client-to-server packets of an established TCP session, i.e. after the three-way handshake, so bare SYN probes do not count.
     • content:"SSH"; nocase; offset:0; depth:4: the first 4 payload bytes must contain "SSH" (case-insensitive). This matches the client version banner (SSH-2.0-...) that every SSH client sends in cleartext at the start of each connection, before key exchange.
     • detection_filter:track by_src, count 2, seconds 1: count the matches per source IP and alert only once more than 2 are seen within 1 second. A person logging in opens one session and sends one banner; hydra opens several connections in parallel (-t 4) and reconnects for every password guess, so it crosses the threshold immediately.
     • sid:1000001; rev:1: locally written rules use SIDs of 1000000 and above; rev is the rule revision.
     Caveat: the rule sees only the banner, not the password attempts (everything after key exchange is encrypted), so what it really measures is the connection rate from one source. A slow attacker (hydra -t 1 with a delay) stays under 2 connections per second and is not detected. Also check that snort.conf still contains the line include $RULE_PATH/local.rules (it does in the Kali default configuration); otherwise the rule is never loaded.
    
     # Test whether the configuration, including the new rule, parses
     $ sudo snort -T -c /etc/snort/snort.conf
     ...
     Snort successfully validated the configuration!
     Snort exiting
    
  3. Check whether the SSH service is running on the victim and start it if it is inactive (from inactive to active)
     $ sudo systemctl status ssh
     ● ssh.service - OpenBSD Secure Shell server
          Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
          Active: inactive (dead)
            Docs: man:sshd(8)
                  man:sshd_config(5)
     $ sudo systemctl start ssh
     $ sudo systemctl status ssh
     ● ssh.service - OpenBSD Secure Shell server
          Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
          Active: active (running) since Tue 2023-05-30 05:04:10 EDT; 2s ago
            Docs: man:sshd(8)
                  man:sshd_config(5)
         Process: 2670 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
        Main PID: 2671 (sshd)
           Tasks: 1 (limit: 9466)
          Memory: 1.1M
             CPU: 15ms
          CGroup: /system.slice/ssh.service
                  └─2671 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
    
  4. Run Snort in the victim VM (-A console prints alerts to the terminal; -q hides the banner and statistics)
     $ sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
    
  5. Launch the attack from the attacker VM (-l root fixes the username, -P supplies the password list, -t 4 runs 4 parallel connections; on a fresh Kali the wordlist ships compressed as rockyou.txt.gz and must be gunzipped first)
     $ sudo hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.56.104 -t 4 ssh
    
  6. Result screenshot in the victim VM (the "SSH Brute Force Attempt" alerts with source 192.168.56.129)
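To make the detection_filter behaviour concrete, the following is an added example (not part of the lab, and not Snort itself): it replays the logic of the sid:1000001 rule over constructed connection events and shows which packets trip the threshold. The event list, the source addresses and the libssh/OpenSSH banner strings are all constructed for the example; flow:established,to_server is assumed to hold for every event.

```python
"""Replay of the Lab 2 Snort rule (sid:1000001) over constructed events.
This is an approximation of Snort's detection_filter semantics, not Snort."""
from collections import defaultdict, deque

# Parameters copied from the rule in local.rules
DST_PORT = 22
CONTENT = b"SSH"   # content:"SSH"; nocase; offset:0; depth:4
DEPTH = 4
COUNT = 2          # detection_filter: track by_src, count 2, seconds 1
SECONDS = 1.0


def content_matches(payload: bytes) -> bool:
    """content:"SSH"; nocase; offset:0; depth:4 -> "SSH" must appear
    (case-insensitively) somewhere in the first 4 payload bytes."""
    return CONTENT.lower() in payload[:DEPTH].lower()


class SshBruteForceDetector:
    """Sliding-window approximation of `detection_filter: track by_src`.
    Every rule match from a source is timestamped; the rule fires once more
    than COUNT matches fall inside the last SECONDS seconds."""

    def __init__(self, count: int = COUNT, seconds: float = SECONDS) -> None:
        self.count = count
        self.seconds = seconds
        self.hits = defaultdict(deque)  # src ip -> timestamps of matches

    def feed(self, ts: float, src: str, dst_port: int, payload: bytes):
        """Return an alert string if this packet pushes src over the threshold."""
        if dst_port != DST_PORT or not content_matches(payload):
            return None
        window = self.hits[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:  # drop old matches
            window.popleft()
        if len(window) > self.count:
            return (f"[**] SSH Brute Force Attempt [**] {src} -> :{dst_port} "
                    f"({len(window)} banners within {self.seconds}s)")
        return None


def run(events):
    """Feed (ts, src, dst_port, payload) tuples through a fresh detector."""
    det = SshBruteForceDetector()
    return [a for a in (det.feed(*e) for e in events) if a]


# Constructed traffic (not captured): hydra -t 4 opens four connections within
# 0.3 s, each starting with the client banner (banner text is an assumption).
HYDRA_BURST = [(i * 0.1, "192.168.56.129", 22, b"SSH-2.0-libssh_0.9.6\r\n")
               for i in range(4)]
# A person logging in once: one banner, no alert.
LEGIT_LOGIN = [(10.0, "192.168.56.1", 22, b"SSH-2.0-OpenSSH_9.2\r\n")]
# A slow attacker: one connection every 2 s never exceeds 2 per second.
SLOW_ATTACK = [(t, "192.168.56.129", 22, b"SSH-2.0-libssh_0.9.6\r\n")
               for t in (0.0, 2.0, 4.0, 6.0)]
# Traffic to another port is never inspected by this rule.
HTTP = [(0.05, "192.168.56.129", 80, b"GET / HTTP/1.1\r\n")]

if __name__ == "__main__":
    for name, events in [("hydra", HYDRA_BURST), ("legit", LEGIT_LOGIN),
                         ("slow", SLOW_ATTACK), ("http", HTTP)]:
        print(name, run(events))
```

The hydra burst produces alerts on its third and fourth connections, while the single login, the slow attacker and the HTTP request produce none; the slow case is exactly the evasion noted in the caveat above.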

Lab 3-1: Attack with Nmap and capture the packets with Wireshark; analyze what could become a Snort rule

Threat Model

  1. Run Nmap against the Snort (victim) machine. Any Nmap scan type is acceptable.
  2. Write your own rule on the Snort machine
  3. Screenshot the resulting alert

Lab Process

  1. Open Wireshark on the victim VM, start capturing on eth0, and pick the packets you want to analyze
     $ sudo wireshark
    

  2. Launch the attack from the attacker VM (a TCP SYN scan of the victim; the option is -sS, and the target is the victim 192.168.56.104)
     $ sudo nmap -sS 192.168.56.104
    

    :::spoiler Final Result Screenshot :::


Lab 3-2: Write a Snort rule and detect the attack; the alert must contain your student ID

From the capture above, look for what the red packets (the unsuccessful connection attempts, i.e. the bare SYN probes and the RST replies for closed ports) have in common $\to$ each of them carries $0$ bytes of TCP payload

So the rule keys on payload size (dsize), with the student ID in msg. Insert it into /etc/snort/rules/local.rules:

alert tcp any any -> any any (msg: "r11921a16: TCP Scan Alert"; sid:1000002; dsize:<5;)

Caveat: dsize:<5 matches every TCP segment with fewer than 5 payload bytes, which includes the SYN, SYN/ACK and ACK of every normal handshake and every pure ACK, so on a busy interface this rule alerts constantly. It is enough to show the scan for the lab, but a usable rule would add flags:S (the scan's bare SYN probes) and a detection_filter per source as in Lab 2, since a default -sS scan touches 1000 ports within a few seconds while a normal client sends one SYN per connection.

Try the attack

In the victim VM (-u snort -g snort drops Snort's privileges to the snort user after it opens the interface):

$ sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

In the attacker VM (the option is -sS):

$ sudo nmap -sS 192.168.56.104

:::spoiler Final Result Screenshot :::
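To show the difference between the lab's dsize:<5 rule and a tightened version, the following is an added example (not part of the lab, and not Snort): it replays both matching conditions over constructed TCP segments. The packet list, the addresses, the per-source port threshold (3) and the OpenSSH banner are all assumptions made for the example.

```python
"""Replay of the Lab 3-2 rule (sid:1000002, dsize:<5) next to a tighter
SYN-scan rule over constructed TCP segments. Simulation only, not Snort."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tcp:
    src: str
    dport: int
    flags: str      # Snort flag letters: S=SYN, A=ACK, R=RST, P=PSH
    payload: bytes


def rule_dsize_lt5(pkt: Tcp) -> bool:
    """dsize:<5 -> any TCP segment carrying fewer than 5 payload bytes."""
    return len(pkt.payload) < 5


def rule_syn_only(pkt: Tcp) -> bool:
    """flags:S,12; dsize:0; -> a bare SYN (CWR/ECE ignored) with no payload,
    which is what nmap -sS sends to every probed port."""
    return pkt.flags == "S" and len(pkt.payload) == 0


class PortScanDetector:
    """Alert once one source has sent bare SYNs to more than max_ports distinct
    ports. Stands in for `detection_filter: track by_src` in a scan rule; the
    threshold of 3 is an assumption for the example."""

    def __init__(self, max_ports: int = 3) -> None:
        self.max_ports = max_ports
        self.ports = defaultdict(set)  # src ip -> set of probed ports

    def feed(self, pkt: Tcp):
        if not rule_syn_only(pkt):
            return None
        self.ports[pkt.src].add(pkt.dport)
        n = len(self.ports[pkt.src])
        if n > self.max_ports:
            return f"r11921a16: TCP Scan Alert from {pkt.src} ({n} ports)"
        return None


ATTACKER, HOST = "192.168.56.129", "192.168.56.1"
# Constructed traffic (not captured): an nmap -sS sweep over five ports ...
SCAN = [Tcp(ATTACKER, p, "S", b"") for p in (22, 80, 443, 8080, 3306)]
# ... and one legitimate SSH session: SYN, the final ACK of the handshake,
# then the client banner as a data segment.
SESSION = [Tcp(HOST, 22, "S", b""),
           Tcp(HOST, 22, "A", b""),
           Tcp(HOST, 22, "PA", b"SSH-2.0-OpenSSH_9.2\r\n")]


def count_matches(rule, packets) -> int:
    """How many of the packets a single-packet rule would alert on."""
    return sum(1 for p in packets if rule(p))


def scan_alerts(packets):
    """Alerts produced by the per-source port-count detector."""
    det = PortScanDetector()
    return [a for a in map(det.feed, packets) if a]


if __name__ == "__main__":
    for name, pkts in [("scan", SCAN), ("session", SESSION)]:
        print(name, "dsize:<5 hits:", count_matches(rule_dsize_lt5, pkts),
              "bare-SYN hits:", count_matches(rule_syn_only, pkts),
              "scan alerts:", scan_alerts(pkts))
```

The lab's rule fires on two of the three packets of the harmless SSH session (the SYN and the pure ACK) and on all five scan probes; the SYN-only condition still fires on the session's single SYN, which is why the per-source port count is what finally separates a scan from a client opening one connection.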