Courses

Advanced Scanning Techniques
Network Security

The objective of this cybersecurity exercise is to demonstrate advanced evasion techniques against Intrusion Detection Systems (IDS) and firewalls using the Nmap tool. Participants will learn how to utilize advanced scanning options to bypass network security measures and avoid detection by employing techniques such as packet fragmentation, IP address spoofing, and more.

Scenario: As cybersecurity analysts, you are tasked with assessing the effectiveness of your organization's network defenses against sophisticated attack techniques. Your objective is to conduct a series of Nmap scans utilizing evasion techniques to probe for weaknesses in the IDS and firewall systems. By simulating real-world attack scenarios, you will identify potential gaps in the network security posture and recommend strategies for improvement.

Tools/Resources Required:

  1. Nmap tool (installed in the testing environment)
  2. Access to a network with IDS/firewall protection

Host Discovery and Port Scanning
Network Security

The objective of this cybersecurity exercise is to perform host discovery and port scanning using various protocols and techniques with the Nmap tool. Participants will scan the network to identify active hosts using ARP, UDP, ICMP ECHO, etc. Additionally, they will conduct port scans using TCP connect, Xmas, ACK flag probe, etc., followed by an analysis of the findings.

Scenario: As a cybersecurity analyst in Uniwa Cyber Range, you have been tasked with conducting host discovery and port scanning to assess the security posture of the network. Using Nmap, you will perform different types of scans to identify active hosts and open ports/services. The exercise aims to enhance your understanding of network reconnaissance techniques and their security implications.

Tools/Resources Required:

  1. Nmap tool (pre-installed in Uniwa Cyber Range environment)
  2. Access to the network to be scanned

Exercise Steps:

  1. Host Discovery:
     a. Perform a host discovery scan using the ARP protocol with Nmap to identify active hosts on the network.
     b. Conduct a UDP packet scan to discover active hosts that may not respond to ARP requests.
     c. Use an ICMP ECHO scan to detect active hosts by sending ICMP echo requests.
     d. Perform a TCP ACK scan to discover hosts that may not respond to ICMP or ARP.
     e. Execute an ICMP Address Mask Ping Scan to discover active hosts using ICMP address mask requests.
     f. Analyze the results of each scan to identify the discovered hosts and their status.

  2. Port Scanning:
     a. Perform a TCP connect/full open scan to identify open ports and services on the discovered hosts.
     b. Conduct a stealth scan/TCP half-open scan to perform port scanning without establishing a full connection.
     c. Execute an Xmas scan to probe for open ports by setting specific TCP flags.
     d. Perform a TCP Maimon scan to detect open ports by exploiting the behavior of certain TCP stacks.
     e. Execute an ACK flag probe scan to identify filtered ports by sending ACK packets.
     f. Conduct a UDP scan to identify open UDP ports and associated services.
     g. Perform an SCTP COOKIE ECHO scan to identify open SCTP ports.
     h. Analyze the findings from each port scan to identify open ports, services, and potential vulnerabilities.

  3. Analysis and Reporting:
     a. Compare the results of the different host discovery techniques to identify any inconsistencies or discrepancies.
     b. Analyze the findings from port scanning to identify potential security risks, such as open ports/services that could be exploited by attackers.
     c. Document the discovered hosts, open ports/services, and any anomalies observed during the scans.
     d. Provide recommendations for improving network security based on the analysis and findings.

Conclusion: This cybersecurity exercise provides participants with practical experience in host discovery and port scanning using Nmap, covering various protocols and scanning techniques. By analyzing the findings, participants can gain insights into the network's security posture and potential vulnerabilities, enabling them to implement appropriate measures to enhance security and mitigate risks.

Security Logging and Monitoring Failures
Web Security

https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/

Not keeping logs on the website

Misconfigured or unmonitored logs

Failure to keep sufficient records in these areas can lead to slower incident response, thereby increasing the potential damage of a breach.

Unfortunately, this is an extremely common issue and one that often does not come to attention unless the company experiences an incident and is unable to triage or diagnose it.

Detect Malicious Network Traffic
Computer Forensic

Title: Cybersecurity Exercise: Analyzing Malicious Network Traffic with Zeek, Rita, and Tshark in Docker Container

Objective:
The objective of this cybersecurity exercise is to verify the availability and functionality of Zeek, Rita, and Tshark within a Docker environment. Additionally, participants will analyze a provided pcap file to accomplish tasks such as displaying capture duration, finding the SHA256 hash of the pcap file, detecting malicious Command and Control (C2) beacons using Rita, identifying HTTPS ICEDID C2 traffic, and recognizing COBALT STRIKE traffic.

Scenario:
As a cybersecurity analyst, you have access to a Docker container equipped with Zeek, Rita, and Tshark. Your task is to assess the functionality of these tools within the Docker environment and analyze a pcap file containing suspicious network traffic. The exercise involves verifying tool availability, performing basic pcap file analysis, and detecting various types of malicious activities.

Tools/Resources Required:
1. Docker container with Zeek, Rita, and Tshark installed
2. Pre-recorded pcap file containing network traffic

Exercise Steps:

1. Docker Environment Verification:
   a. Launch the Docker container containing Zeek, Rita, and Tshark.
   b. Access the command line interface (CLI) within the Docker container.
   c. Verify the availability and functionality of Zeek, Rita, and Tshark within the Docker environment.

2. Display Capture Duration and Timestamps:
   a. Use Tshark to display the capture duration (in seconds), start time, and end time of the provided pcap file.
   b. Record the duration of the network traffic capture and note the timestamps indicating the start and end times.

3. Find SHA256 Hash of Pcap File:
   a. Calculate the SHA256 hash of the pcap file using a cryptographic hash function within the Docker container.
   b. Record the generated SHA256 hash for future reference and verification.

4. Detect Malicious C2 Beacons with Rita:
   a. Utilize Rita within the Docker container to analyze the pcap file for malicious Command and Control (C2) beacons.
   b. Review Rita alerts and anomalies to identify any suspicious C2 beacon activity.
   c. Document findings related to detected malicious C2 beacons.

5. Identify HTTPS ICEDID C2 Traffic:
   a. Use Tshark within the Docker container to filter and identify HTTPS ICEDID C2 traffic within the pcap file.
   b. Analyze packet payloads and headers to confirm the presence of ICEDID C2 communication.
   c. Document any instances of HTTPS ICEDID C2 traffic detected in the pcap file.

6. Recognize COBALT STRIKE Traffic:
   a. Utilize Zeek within the Docker container to identify and extract COBALT STRIKE traffic signatures from the pcap file.
   b. Analyze Zeek logs for indications of COBALT STRIKE activity, such as beaconing or payload delivery.
   c. Document instances of COBALT STRIKE traffic observed during the analysis.

Conclusion:
This cybersecurity exercise provides participants with an opportunity to verify the functionality of Zeek, Rita, and Tshark within a Docker container and analyze malicious network traffic. By completing tasks such as displaying capture duration, finding the SHA256 hash of the pcap file, and detecting various types of malicious activities, participants can enhance their skills in network traffic analysis and threat detection within a controlled environment.

Containers Vulnerability Scanner
DevSecOps

Trivy - Trivy is a simple and comprehensive vulnerability/misconfiguration scanner for containers and other artifacts. It enables users to identify vulnerabilities in container images and their dependencies quickly and efficiently. Trivy focuses on providing fast scans and accurate results, making it an essential tool for DevOps teams, security professionals, and developers seeking to maintain the security of their containerized applications.

Key features of Trivy include:

1. Container Image Scanning: Trivy scans container images to identify vulnerabilities present in the operating system packages, libraries, and application dependencies included within the image.

2. Extensive Vulnerability Database: Trivy leverages multiple vulnerability databases, including the National Vulnerability Database (NVD), as well as other public vulnerability feeds, to provide comprehensive coverage of known vulnerabilities.

3. Fast and Lightweight: Trivy is designed for speed and efficiency, enabling fast scans of container images without compromising on accuracy. It is lightweight and optimized for use in CI/CD pipelines and automated workflows.

4. Simple Integration: Trivy can be easily integrated into existing DevOps toolchains, container build processes, and CI/CD pipelines. It supports various integration options, including command-line usage, Docker image scanning, and Kubernetes integration.

5. Support for Multiple Container Registries: Trivy supports scanning container images from various container registries, including Docker Hub, Amazon ECR, Google Container Registry, and private registries.

6. Flexible Output Formats: Trivy provides flexible output formats, allowing users to customize the presentation of scan results to suit their needs. It supports JSON, table, and text formats, making it easy to integrate with other tools and systems.

Overall, Trivy is a powerful and user-friendly vulnerability scanner that helps organizations identify and remediate security vulnerabilities in containerized environments efficiently. Its speed, accuracy, and ease of integration make it a valuable tool for ensuring the security of containerized applications throughout the software development lifecycle.

A vulnerability scanner for container images and filesystems.

grype - Grype is an open-source vulnerability scanner designed to identify security vulnerabilities in container images and filesystems. It helps developers and security professionals detect vulnerabilities in their containerized environments, enabling them to mitigate risks and maintain a secure infrastructure.

Grype is specifically tailored for use with container technologies like Docker, Kubernetes, and other container orchestrators. It scans container images and filesystems to identify known vulnerabilities by leveraging vulnerability databases such as the National Vulnerability Database (NVD), as well as other publicly available vulnerability feeds.

Key features of Grype include:

  1. Vulnerability Detection: Grype scans container images and filesystems to identify known vulnerabilities, including CVEs (Common Vulnerabilities and Exposures) and security advisories.

  2. Comprehensive Database: Grype utilizes a comprehensive vulnerability database that aggregates data from various sources, providing up-to-date information on known vulnerabilities affecting software packages and libraries.

  3. Flexible Integration: Grype can be integrated into CI/CD pipelines, container build processes, and container security workflows, enabling automated vulnerability scanning as part of the software development lifecycle.

  4. Extensibility: Grype supports extensibility through plugins and customizable configurations, allowing users to tailor the scanning process to their specific requirements and environments.

  5. Command-Line Interface (CLI): Grype provides a user-friendly command-line interface for initiating scans, viewing scan results, and integrating with other tools and workflows.

Overall, Grype is a valuable tool for organizations and individuals seeking to enhance the security of their containerized applications and environments by proactively identifying and addressing vulnerabilities. It facilitates efficient vulnerability management and helps ensure that containerized deployments remain secure and resilient against potential threats.