Linux Attack and Response Lab

In this lab, you will first act as the attacker and then examine the artifacts left behind on the victim machine running Windows Server. As the attacker, you will exploit the remote system. After the attack, you will analyze web logs and perform incident response on the compromised host.

Outcomes

  • Exploit Java to attack a remote system.

  • Collect volatile data.

  • View logs.

Key Terms and Descriptions

Incident Response

Incident Response (IR) is a life cycle that includes preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.

Kali Linux

Kali Linux is a Linux distribution created for digital forensics and penetration testing.

Metasploit

Metasploit is a penetration testing framework that comes preloaded with Kali Linux. Together, Kali Linux and Metasploit provide tools that penetration testers use to improve security assessments and awareness.

Meterpreter

Meterpreter is a Metasploit attack payload that provides an interactive shell on the victim machine through Metasploit.

This lab uses Kali and Metasploit to exploit a vulnerable Windows box.

The goal of this lab is to set up a fake website that appears valid to the victim. Using a Metasploit exploit, the social engineering toolkit helps you, as the attacker, compromise a machine running Linux. The first step is to get a web server (the Kali attack machine) running that hosts the Java applet website. As the victim, the user browses to the malicious web site, which serves a Java applet. When the user allows the applet to run, the malware is loaded onto the machine. Once the exploit completes, the attacker has access to the Linux victim machine and can navigate it remotely and steal information from it.

The Java 7 applet remote code execution exploit allows malware to disable the Java security manager, which in turn allows arbitrary Java code to be executed. In this lab, you will use the Java 7 applet exploit to take control of a remote computer with Meterpreter.

Unfortunately, security breaches are becoming commonplace in the industry because the protections and controls needed to stop attacks are often not in place. Today, it often feels like a matter of when, not if, a company will experience a compromise. As a system administrator, it is critically important to have an incident response plan in place so the organization knows how to react and how to collect artifacts when a breach occurs.

Incident Response Life Cycle

Preparation

Preparation, the first step in the IR life cycle, ensures that the organization is ready to handle an incident through the creation of an IR plan. This plan describes the roles of the individuals on the IR team, the processes and procedures to be followed in case of an incident, the forensic tools to be used, and other details needed to respond to an incident. Part of preparation is preventing incidents in the first place by performing a risk assessment and putting the appropriate controls in place.

Detection and Analysis

The next stage of the cycle is detection and analysis. In this lab, you used logs to detect a potential intrusion and analyzed them for signs of an incident. From the logs, you were able to determine that an attack occurred, through the successful logins, and what the hackers used to get in.
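The detection step described above can be scripted. The following is an added example, not part of the lab's own material: it scans web server access log lines for requests that fetched Java applet content (a `.jar` download, or any request made by the Java plugin's own `Java/...` User-Agent), which is the activity a defender would look for in this scenario. It assumes a combined-format (Apache/nginx style) access log; the lab does not specify the log format, and the IP addresses, file names and timestamps in the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the lab): flag web requests that fetched Java applet
# content. Sample log lines below are constructed, in combined log format.

SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "GET /Exploit.jar HTTP/1.1" 200 9821 "-" "Java/1.7.0_07"
10.0.0.9 - - [12/Mar/2024:10:02:11 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:58 +0000] "GET /Exploit.jar HTTP/1.1" 200 9821 "-" "Java/1.7.0_09"
10.0.0.5 - - [12/Mar/2024:10:03:40 +0000] "GET /applet.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
)

# find_applet_requests: read log lines from stdin and print
# "client_ip path user_agent" for every request whose path ends in .jar
# or whose User-Agent is the Java plugin (the browser itself reports Mozilla).
find_applet_requests() {
    awk '
    {
        ip = $1
        # combined format: $6 is "GET (with the opening quote), $7 is the path
        path = $7
        # the User-Agent is the last quoted string on the line
        match($0, /"[^"]*"$/)
        ua = substr($0, RSTART + 1, RLENGTH - 2)
        if (path ~ /\.jar$/ || ua ~ /^Java\//) {
            print ip, path, ua
        }
    }'
}

# count_applet_hits: number of suspicious requests in the sample log
count_applet_hits() {
    printf '%s\n' "$SAMPLE_LOG" | find_applet_requests | wc -l | tr -d ' '
}

# clients_fetching_jars: unique client IPs that downloaded a .jar file;
# these are the hosts to triage first in the containment stage
clients_fetching_jars() {
    printf '%s\n' "$SAMPLE_LOG" | find_applet_requests | awk '$2 ~ /\.jar$/ { print $1 }' | sort -u
}

# Run against the constructed sample; on a real host pipe the access log
# into find_applet_requests instead (e.g. cat /var/log/apache2/access.log | ...).
printf '%s\n' "$SAMPLE_LOG" | find_applet_requests
```

Two of the five constructed lines match (both `.jar` downloads, each made by the Java plugin), and the unique client list names two hosts to investigate. A request with a Java User-Agent but no `.jar` in the path would also be reported, which catches applet loads served under a different file name.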

Containment, Eradication and Recovery

As part of containment, eradication and recovery, you need to gather information about the affected systems in an incident response report. In this lab, you created a report by collecting the volatile data from the machine: the date and time, open ports, IP address configuration, network connection state, the list of tasks running on the machine, information about logged-in users, and the list of users on the system. Once you have determined that you have an incident, the system administrator needs to isolate the system from use so that investigators can research the breach.
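The volatile data items listed above can be gathered with a single script run on the compromised Linux host before it is isolated. The following is an added example, not the lab's own collection procedure: it writes each item (date and time, open ports and connection state, IP configuration, running tasks, logged-in users, local accounts) to one report file under a labelled header. The tool names used (`ip`, `ss`, `ps`, `who`, `last`) are standard Linux utilities; each is checked with `command -v` and a note is written when one is absent, so the collector still completes on a minimal host. The output path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the lab): collect volatile data into an IR report.
# Run as root where possible so that ss/netstat can show process owners.

# section TITLE CMD ARGS...: write a header, then the command output.
# Never aborts: a missing or failing tool is recorded in the report instead.
section() {
    title=$1; shift
    printf '\n== %s ==\n' "$title"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '(command "%s" exited non-zero)\n' "$1"
    else
        printf '(tool "%s" not available on this host)\n' "$1"
    fi
}

# collect_volatile_data OUTFILE: build the incident response report
collect_volatile_data() {
    out=$1
    {
        printf '== Incident response report ==\n'
        printf 'Collected by: %s on host: %s\n' "$(id -un)" \
            "$(hostname 2>/dev/null || cat /etc/hostname 2>/dev/null || echo unknown)"
        section "Date and time" date -u
        section "Uptime" uptime
        # IP address configuration: iproute2 first, legacy net-tools as fallback
        if command -v ip >/dev/null 2>&1; then
            section "IP address configuration" ip addr show
        else
            section "IP address configuration" ifconfig -a
        fi
        # open ports and connection state, with owning processes where permitted
        if command -v ss >/dev/null 2>&1; then
            section "Open ports and network connection state" ss -tunap
        else
            section "Open ports and network connection state" netstat -tunap
        fi
        section "Running tasks" ps aux
        section "Logged-in users" who
        section "Recent logins" last -n 20
        # username, uid and login shell of every local account
        section "Local user accounts" cut -d: -f1,3,7 /etc/passwd
    } > "$out"
    return 0
}

# count_sections OUTFILE: number of "== ... ==" headers in a report,
# a quick completeness check before the report is handed to investigators
count_sections() {
    grep -c '^== .* ==$' "$1"
}

# Usage: sh collect_volatile.sh /mnt/evidence/ir-report.txt
if [ -n "${1:-}" ]; then
    collect_volatile_data "$1" && printf 'report written to %s\n' "$1"
fi
```

Write the report to removable or remote storage rather than the compromised disk, so that collecting evidence does not overwrite it; the script itself only reads system state and does not modify the host.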

Post-Incident Activity

Once containment, eradication and recovery are complete, the next step is to determine the lessons learned and put the appropriate controls in place to prevent another incident from occurring.