diff --git a/modules/encoders/csv/inputs_to_csv/inputs_to_csv.pp b/modules/encoders/csv/inputs_to_csv/inputs_to_csv.pp new file mode 100644 index 000000000..e69de29bb diff --git a/modules/encoders/csv/inputs_to_csv/manifests/.no_puppet b/modules/encoders/csv/inputs_to_csv/manifests/.no_puppet new file mode 100644 index 000000000..e69de29bb diff --git a/modules/encoders/csv/inputs_to_csv/secgen_local/local.rb b/modules/encoders/csv/inputs_to_csv/secgen_local/local.rb new file mode 100644 index 000000000..06cc40325 --- /dev/null +++ b/modules/encoders/csv/inputs_to_csv/secgen_local/local.rb @@ -0,0 +1,35 @@ +#!/usr/bin/ruby +require 'base64' +require_relative '../../../../../lib/objects/local_string_encoder.rb' +class CSVEncoder < StringEncoder + def initialize + super + self.module_name = 'CSV Encoder' + end + + def encode_all() + require 'csv' + require 'json' + + csv_string = CSV.generate do |csv| + strings_to_encode.each do |string_to_encode, count| + row = [] + header = [] + JSON.parse(string_to_encode).each do |hash| + header << hash[0] + row << hash[1] + end + if count == 0 + csv << header + end + csv << row + + end + + end + + self.outputs << csv_string + end +end + +CSVEncoder.new.run diff --git a/modules/encoders/csv/inputs_to_csv/secgen_metadata.xml b/modules/encoders/csv/inputs_to_csv/secgen_metadata.xml new file mode 100644 index 000000000..41ca1c406 --- /dev/null +++ b/modules/encoders/csv/inputs_to_csv/secgen_metadata.xml @@ -0,0 +1,19 @@ + + + + CSV Encoder + Z. Cliffe Schreuders + MIT + Converts all of the inputs into a single CSV output. Accepts one layer of JSON hashes. For example, outputs from person generator. + + csv + linux + windows + + strings_to_encode + + csv + + \ No newline at end of file diff --git a/modules/generators/content/credit_card/secgen_metadata.xml b/modules/generators/content/credit_card/secgen_metadata.xml index 0e4e1fcdb..c25e3bff5 100644 --- a/modules/generators/content/credit_card/secgen_metadata.xml 
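Review bot: The header row in `encode_all` is never written: `strings_to_encode.each do |string_to_encode, count|` destructures each element, so if `strings_to_encode` is a plain Array of JSON strings `count` is always nil and `count == 0` never holds — `strings_to_encode.each_with_index do |string_to_encode, count|` is what the `if count == 0` branch expects. The block parameter `hash` in `JSON.parse(string_to_encode).each do |hash|` is really a `[key, value]` pair from `Hash#each`, so `|key, value|` with `header << key` and `row << value` reads honestly. `require 'base64'` is unused and can go. One caveat worth a comment above `CSV.generate`: the values are written verbatim, so any generated field beginning with `=`, `+`, `-` or `@` will be interpreted as a formula if the CSV is opened in a spreadsheet (CSV injection); if these files are handed out as "found" data, prefix such cells with a quote or document that consumers must open them as text.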
+++ b/modules/generators/content/credit_card/secgen_metadata.xml @@ -3,12 +3,13 @@ - Industry Generator + Credit Card Number Generator Thomas Shaw MIT - Industry generator using the Forgery ruby gem. + Credit Card Number Generator generator using the Credy ruby gem. - credit_card + credit_card_generator + personal_sensitive local_calculation linux windows diff --git a/modules/generators/content/national_insurance_number/manifests/.no_puppet b/modules/generators/content/national_insurance_number/manifests/.no_puppet new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/content/national_insurance_number/national_insurance_number.pp b/modules/generators/content/national_insurance_number/national_insurance_number.pp new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/content/national_insurance_number/secgen_local/local.rb b/modules/generators/content/national_insurance_number/secgen_local/local.rb new file mode 100644 index 000000000..d0e6a9a54 --- /dev/null +++ b/modules/generators/content/national_insurance_number/secgen_local/local.rb @@ -0,0 +1,17 @@ +#!/usr/bin/ruby +require_relative '../../../../../lib/objects/local_string_generator.rb' + +class NINGenerator < StringGenerator + def initialize + super + self.module_name = 'National Insurance Number Generator' + end + + def generate + nino = "QQ"<<(10..99).to_a.sample(3)*''<<("A".."D").to_a.sample + + self.outputs << nino + end +end + +NINGenerator.new.run \ No newline at end of file diff --git a/modules/generators/content/national_insurance_number/secgen_metadata.xml b/modules/generators/content/national_insurance_number/secgen_metadata.xml new file mode 100644 index 000000000..db22043db --- /dev/null +++ b/modules/generators/content/national_insurance_number/secgen_metadata.xml 
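Review bot: The new tag `personal_sensitive` does not match `sensitive_personal`, the spelling the national_insurance_number module added in this same diff uses for both its tag and its output type (element names are stripped in this view, so the exact elements are inferred); if scenarios select generators by tag one of the two modules will be missed, so settle on one spelling, `sensitive_personal`, in both files. The description `Credit Card Number Generator generator using the Credy ruby gem.` repeats "generator" — `Credit card number generator using the Credy ruby gem.` reads cleanly.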
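Review bot: `nino = "QQ"<<(10..99).to_a.sample(3)*''<<("A".."D").to_a.sample` depends on `*` binding tighter than `<<` and on `sample(3)` drawing without replacement, so the three two-digit groups are always distinct (QQ121212 can never be produced), the first digit of each group is never 0, and the `"QQ"` literal is mutated in place, which would raise under `# frozen_string_literal: true`. `nino = "QQ#{Array.new(3) { rand(10..99) }.join}#{('A'..'D').to_a.sample}"` keeps the same layout with independent draws and no literal mutation. The fixed `QQ` prefix is the property that keeps this generator from emitting a real person's NINO, presumably because that prefix is not allocated (the linked generator thread uses it), and that should be stated above the line, e.g. `# "QQ" prefix is not issued to real people, so generated numbers cannot collide with genuine NINOs — confirm against HMRC prefix rules`. The file also lacks a trailing newline after `NINGenerator.new.run`.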
@@ -0,0 +1,20 @@ + + + + National Insurance Number + Z. Cliffe Schreuders + MIT + Generates a UK NIN (National Insurance Number). + + national_insurance_number_generator + sensitive_personal + local_calculation + linux + windows + + https://codereview.stackexchange.com/questions/9464/national-insurance-number-generator + + sensitive_personal + \ No newline at end of file diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/ids_exfiltration.pp b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/ids_exfiltration.pp new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/manifests/.no_puppet b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/manifests/.no_puppet new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_local/local.rb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_local/local.rb new file mode 100644 index 000000000..13b90d2fd --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_local/local.rb 
@@ -0,0 +1,45 @@ +#!/usr/bin/ruby +require_relative '../../../../../../lib/objects/local_hackerbot_config_generator.rb' + +class IDS < HackerbotConfigGenerator + + attr_accessor :web_server_ip + attr_accessor :ids_server_ip + attr_accessor :hackerbot_server_ip + + def initialize + super + self.module_name = 'Hackerbot Config Generator IDS' + self.title = 'IDS' + + self.local_dir = File.expand_path('../../',__FILE__) + self.templates_path = "#{self.local_dir}/templates/" + self.config_template_path = "#{self.local_dir}/templates/lab.xml.erb" + self.html_template_path = "#{self.local_dir}/templates/labsheet.html.erb" + + self.web_server_ip = [] + self.ids_server_ip = [] + self.hackerbot_server_ip = [] + end + + def get_options_array + super + [['--web_server_ip', GetoptLong::REQUIRED_ARGUMENT], + ['--ids_server_ip', GetoptLong::REQUIRED_ARGUMENT], + ['--hackerbot_server_ip', GetoptLong::REQUIRED_ARGUMENT]] + end + + def process_options(opt, arg) + super + case opt + when '--web_server_ip' + self.web_server_ip << arg; + when '--ids_server_ip' + self.ids_server_ip << arg; + when '--hackerbot_server_ip' + self.ids_server_ip << arg; + end + end + +end + +IDS.new.run \ No newline at end of file diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_metadata.xml b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_metadata.xml new file mode 100644 index 000000000..b8ca2b4ee --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_metadata.xml @@ -0,0 +1,52 @@ + + + + Hackerbot config for a IDS rules lab + Z. Cliffe Schreuders + GPLv3 + Generates a config file for a hackerbot for a IDS lab. + Topics covered: Writing Snort rules. + + hackerbot_config + linux + + accounts + flags + root_password + web_server_ip + ids_server_ip + hackerbot_server_ip + + + + + + + vagrant + + + + + + + + + + + + + + + + + + + + puppet + + + hackerbot + + \ No newline at end of file 
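Review bot: `process_options` stores the `--hackerbot_server_ip` argument in the wrong array: the last branch reads `when '--hackerbot_server_ip' self.ids_server_ip << arg;` and should be `self.hackerbot_server_ip << arg`. As written `hackerbot_server_ip` stays empty, so any template reading `self.hackerbot_server_ip.first` gets nil, while `ids_server_ip` silently gains a second entry. The trailing semicolons on the three `<< arg;` lines are not idiomatic Ruby and can be dropped. A one-line comment on `self.local_dir = File.expand_path('../../',__FILE__)` noting that it resolves from secgen_local/ up to the module directory (where templates/ lives) would save the next reader a check.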
diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/shared/labsheet.html.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/shared/labsheet.html.erb new file mode 100644 index 000000000..72dab611a --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/shared/labsheet.html.erb @@ -0,0 +1,29 @@ + + + <%= self.title %> + + + + + +
+ + <%= self.html_rendered %> + +
+ + + diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/shared/license.md.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/shared/license.md.erb new file mode 100644 index 000000000..8e89ace31 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/shared/license.md.erb @@ -0,0 +1,4 @@ +## License +This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB). + +Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version. diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/DLP.md b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/DLP.md new file mode 100644 index 000000000..69184bd8d --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/DLP.md 
@@ -0,0 +1,93 @@ +## Introduction + +This week's lab consists of problem based tasks. You should be able to complete all tasks using VMs on oVirt but may wish to use a prepared VM with OpenDPL pre-installed for task A3. + +This week's lab is entirely problem-based. + +## Data loss prevention (DLP) + +Data loss prevention (DLP) involves monitoring network activity that indicates that sensitive information is being exfiltrated or handled incorrectly. Some DLP systems monitor local systems and data at rest (for example, HIDS), while others are focused on network traffic and data in motion (NIDS). Using DLP software can help to detect insecure processes in an organisation, such as storing sensitive data in unplanned or insecure places. It can also help to mitigate insider threat, and data exfiltration to remote attackers. A report by Bnet shows that 45 percent of employees take data when they change jobs, and data leakage and organisational doxing has become more frequent (for example, the Sony Pictures compromise). + +Note that there is a variety of DLP solutions available, and the most robust enterprise solutions provide network monitoring (data in motion), file system monitoring (data at rest), and some DLP systems will also monitor local file transfers (for example, copying files to USB) to block exfiltration using local storage devices. + +In order to be effective, an organisation must identify sensitive data in their organisation that should be monitored. + +## Snort exfiltration detection (data in motion) + +### Text-based exfiltration detection + +Choose a file representing data you are going to detect and protect. For example, you may choose to use a document you previously created (such as an assignment you have completed in the past). + +Write a Snort rule that detects the transfer of the contents of this file. + +Transfer the file via (unencrypted) FTP, and show that your above rule detects the file transfer. 
+ +Transfer the file via (unencrypted) HTTP, and show that your above rule detects the file transfer. + +Hint: you can include your sensitive data directly in a Snort rule. This is very closely related to the IDS Lab, which will be a helpful resource. Consider using the metadata:service tag in your rule. + +It is fine to monitor all ports, so long as your rule(s) detect transfer via FTP and HTTP. + + + +**Label it or save it as "DLP-A1".** + +#### Hash-based exfiltration detection + +Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain hashes to match against. + +Write a Snort rule that detects the transfer of the contents of your file, based on hashes, so that the Snort rule does not contain any plain text of your document. + +Hint: consider using the protected\_content keyword in your rule. + +Transfer the file via (unencrypted) FTP, and show that your rule detects the file transfer. + + + +**Label it or save it as "DLP-A2".** + +### OpenDLP (data at rest) + +[*OpenDLP*](https://code.google.com/p/opendlp/) is designed to detect sensitive data at rest. Although the project looks to be somewhat inactive, the software is functional and performs tasks similar to various commercial offerings, and is worth exploring to gain an understanding of what is available. + +OpenDLP can be run as an agent (on the system you are scanning) or agentless to perform a credentialed scan over the network. Provided with credentials, it can scan Windows file shares. + +It can scan directories for files containing matches to regular expressions. It comes with a number of pre-canned regexp, to detect USA social security numbers (SSN), credit card details, and so on. You can configure your own rules to scan for specific sensitive data. 
+ +Note that tools such as this can also be helpful in security audits and penetration tests, to identify potentially sensitive documents that are available on systems being scanned. + +Use OpenDLP to scan a system, and show that it can be used to detect potentially sensitive data (such as your above document). + +Hint: this may involve downloading and running the OpenDLP VM, generating a profile, providing credentials, then running a scan. + +**Take screenshots of your use of OpenDLP to detect sensitive data, preferably your own file above, as evidence that you have completed this part of the task. ** + +**Label it or save it as "DLP-A3".** + +### Squid Proxy SSL Bump (encrypted data in motion) + +Encryption is an incredibly powerful tool for protecting confidentiality of data in transit, and is critical for enabling secure communication and individual privacy on the Internet. However, in a corporate environment it is often justified for an organisation to monitor network communications, for DLP reasons. + +Many organisations configure security products to forcefully intercept and inspect secure connections. One of the most common ways of achieving this is for the organisation to create their own Certificate Authority (CA), adding that certificate to each client system (such as every desktop system in the organisation), and basically performing automated man in the middle (MITM) attacks against all those systems. + +The general approach is that every client request (for example, a browser requesting access to a Website) is intercepted, and the interceptor signs its communication to the client using the organisation's CA (which the client is forced to trust, if they want to access the Internet), and forwards requests and responses to and from the actual target servers on the Internet. Thereby the organisation can inspect the traffic from the interception point. 
+ +Configure Squid to intercept and MITM all Web access so that even encrypted Websites, such as Facebook, can be monitored. + +Related resources: + +- [*http://wiki.squid-cache.org/Features/MimicSslServerCert*](http://wiki.squid-cache.org/Features/MimicSslServerCert) + +- [*http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/*](http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/) + +Hint: this will involve setting up Squid proxy on a VM, pointing a Web browser at Squid, checking that you can access the internet via the Squid proxy. Then setting up Squid to intercept HTTPS connections using SSL Bump/MimicSslServerCert. This won't be quick, you will need to create a new CA with Public and Private keys, then configure Squid to use these for interception. The CA public key can be imported into the Web browser to remove the untrusted connection warnings. + +**Take screenshots of Squid being configured and used to intercept HTTPS, as evidence that you have completed this part of the task. ** + +**Label it or save it as "DLP-A4".** + +Write a description of the security advantages and disadvantages to intercepting HTTPS (one page max). + +**A description of the security advantages and disadvantages to intercepting HTTPS. ** + +**Label it or save it as "DLP-A5".** diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb new file mode 100644 index 000000000..f95415fad --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb 
@@ -0,0 +1,23 @@ +## Data loss prevention (DLP) + +Data loss prevention (DLP) involves monitoring network activity that indicates that sensitive information is being exfiltrated or handled incorrectly. Some DLP systems monitor local systems and data at rest (for example, HIDS), while others are focused on network traffic and data in motion (NIDS). Using DLP software can help to detect insecure processes in an organisation, such as storing sensitive data in unplanned or insecure places. It can also help to mitigate insider threat, and data exfiltration to remote attackers. A report by Bnet shows that 45 percent of employees take data when they change jobs, and data leakage and organisational doxing has become more frequent (for example, the Sony Pictures compromise). + +Note that there is a variety of DLP solutions available, and the most robust enterprise solutions provide network monitoring (data in motion), file system monitoring (data at rest), and some DLP systems will also monitor local file transfers (for example, copying files to USB) to block exfiltration using local storage devices. + +In order to be effective, an organisation must identify sensitive data in their organisation that should be monitored. + +## Snort exfiltration detection (data in motion) + +### Text-based exfiltration detection + +Hint: you can include your sensitive data directly in a Snort rule. This is very closely related to the IDS rules lab, which will be a helpful resource. Consider using the metadata:service tag in your rule. + +It is fine to monitor all ports, so long as your rule(s) detect transfer of the file. + +#### Hash-based exfiltration detection + +Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain hashes to match against. 
+ +It is possible to write Snort rules that detect the transfer of the contents of your files, based on hashes, so that the Snort rule does not contain any plain text of your document. + +Hint: consider using the protected\_content keyword in your rule. diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/intro.md.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/intro.md.erb new file mode 100644 index 000000000..a13c9fbe8 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/intro.md.erb 
@@ -0,0 +1,86 @@ +# Data Loss Prevention and Exfiltration Detection + +This week's lab is entirely problem-based. + +## Getting started +### VMs in this lab + +==Start these VMs== (if you haven't already): + +- hackerbot_server (leave it running, you don't log into this) +- ids_server (IP address: <%= $ids_server_ip %>) +- web_server (IP address: <%= $web_server_ip %>, leave it running, you don't log into this) +- desktop + +All of these VMs need to be running to complete the lab. + +**Ensure the ids_server VM is allowed promiscuous mode.** If you are completing this lab on Leeds Beckett oVirt infrastructure, this should be sorted. Otherwise, if you have used SecGen to spin up VMs, you need to ensure your VMs have permission to monitor networks using promiscuous mode. On the Leeds Beckett oVirt infrastructure we have snoop networks, which mirror all the traffic between systems. On Virtualbox, you would need to go to Advanced network settings for the host-only network on the ids_server and enable promiscious mode. + +### Your login details for the "desktop" and "ids_server" VMs +User: <%= $main_user %> +Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) + +You won't login to the hackerbot_server or web_server, but all the VMs need to be running to complete the lab. + +### For marks in the module +1. **You need to submit flags**. Note that the flags and the challenges in your VMs are different to other's in the class. Flags will be revealed to you as you complete challenges throughout the module. Flags look like this: ==flag{*somethingrandom*}==. Follow the link on the module page to submit your flags. +2. **You need to document the work and your solutions in a workbook**. This needs to include screenshots (including the flags) of how you solved each Hackerbot challenge and a writeup describing your solution to each challenge, and answering any "Workbook Questions". 
The workbook will be submitted later in the semester. + +## Hackerbot! +![small-right](images/skullandusb.svg) + +This exercise involves interacting with Hackerbot, a chatbot who will task you to monitor the network and will attack your systems. If you satisfy Hackerbot by completing the challenges, she will reveal flags to you. + +Work through the below exercises, completing the Hackerbot challenges as noted. + +--- +## Getting Snort up and running + +**On the ids_server VM:** + +==Change Snort's output== to something more readable: + +```bash +sudo vi /etc/snort/snort.conf +``` +> (Remember: editing using vi involves pressing "i" to insert/edit text, then *Esc*, + +> ":wq" to write changes and quit) + +==Add the following lines:== +`output alert_fast` + +`include $RULE_PATH/my.rules` + +==Create a new rules file:== + +```bash +sudo touch /etc/snort/rules/my.rules +``` + +Let us edit the rules file without sudo: + +```bash +sudo chown <%= $main_user %> /etc/snort/rules/my.rules +``` + +==Change Snort's interface== to the interface with IP address <%= $ids_server_ip %> (likely eth1), and set the local network to your IP address range (or "any"): + +```bash +sudo vi /etc/snort/snort.debian.conf +``` +> If you are not sure which interface to use, list the interfaces with `ifconfig` or `ip a s` +> Set the interface and HOME network range, and exit vi (Esc, ":wq"). + +==Restart Snort:== + +```bash +sudo service snort stop +sudo service snort start +``` +> Using "reload" or "restart" may not update the interface. + +Snort should now be running, monitoring network traffic for activity. + +It can be helpful to monitor network traffic while writing IDS rules. You can start Wireshark with `kdesudo wireshark &` + diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb new file mode 100644 index 000000000..514621806 --- /dev/null 
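Review bot: The login section hard-codes `Password: tiaspbiqe2r` while the username is templated from `<%= $main_user %>`; the same generator's lab.xml.erb drives the POP3 challenge with `$main_user_pass` taken from the first supplied account, so if the account generator ever issues a different password the sheet will tell students the wrong one — use `Password: <%= $main_user_pass %>` and keep the mnemonic only if that password is pinned by the scenario. `sudo chown <%= $main_user %> /etc/snort/rules/my.rules` interpolates the username unquoted into a shell line students copy; it is fine for generated usernames but worth a comment if usernames can ever contain spaces. Also, `kdesudo wireshark &` runs the whole Wireshark GUI and its dissectors as root; the usual recommendation is to capture as an unprivileged user via a capability-enabled dumpcap, which deserves a one-line caveat in a lab about monitoring hygiene.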
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb 
@@ -0,0 +1,292 @@ +<% + require 'json' + require 'securerandom' + require 'digest/sha1' + require 'fileutils' + require 'erb' + + if self.accounts.empty? + abort('Sorry, you need to provide an account') + end + + $first_account = JSON.parse(self.accounts.first) + $second_account = JSON.parse(self.accounts[1]) + + $files = [] + $log_files = [] + if $second_account.key?("leaked_filenames") && $second_account['leaked_filenames'].size > 0 + $files = $second_account['leaked_filenames'] + $log_files = $second_account['leaked_filenames'].grep(/log/) + end + + if $files.empty? + $files = ['myfile', 'afile', 'filee', 'thefile'] + end + if $log_files.empty? + $log_files = ['log', 'thelog', 'logs', 'frogonalog'] + end + + $main_user = $first_account['username'].to_s + $main_user_pass = $first_account['password'].to_s + $second_user = $second_account['username'].to_s + $example_file = "/home/#{$second_user}/#{$files.sample}" + $example_dir = "/home/#{$second_user}/personal_secrets/" + + $web_server_ip = self.web_server_ip.first + $ids_server_ip = self.ids_server_ip.first + $hackerbot_server_ip = self.hackerbot_server_ip.first + $root_password = self.root_password + $flags = self.flags + + REQUIRED_FLAGS = 10 + while $flags.length < REQUIRED_FLAGS + $flags << "flag{#{SecureRandom.hex}}" + Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!" + end + + def get_binding + binding + end +%> + + + + + + Hackerbot + + config/AIML + + + + false + + + + + Hey there! I need you to make sure our trade secrets and sensitive data are safe. We need to keep track of when the files are on the network, and keep track of copies of the files. If you work with me I'll provide you with some flags. + + + When you are ready, simply say 'ready'. + 'Ready'? + Ok, I'll do what I can to move things along... + Moving things along to the next one... + Ok, I'll do what I can to back things up... + Ok, backing up. + Ok, skipping it along. 
+ Let me see what I can do to goto that attack. + That was the last one for now. You can rest easy, until next time... (End.) + That was the last one. Game over? + You are back to the beginning! + This is where it all began. + Doing my thing... + Here we go... + ... + .... + Let me know when you are 'ready', if you want to move on say 'next', or 'previous' and I'll move things along. + Say 'ready', 'next', or 'previous'. + + + I am waiting for you to say 'ready', 'next', 'previous', 'list', 'goto *X*', or 'answer *X*' + Say "The answer is *X*". + There is no question to answer + Correct + Incorrect + That's not possible. + Wouldn't you like to know. + + + Oh no. Failed to get shell... You need to let us in. + + + + DLP + <%= ERB.new(File.read self.templates_path + 'intro.md.erb').result(self.get_binding) %> +
+<%= File.read self.templates_path + 'resources.md.erb' %> + +<%= File.read self.templates_path + 'license.md.erb' %> + +Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= Time.new.to_s %>) +
+ + true + +
+ + +<% $rand_alert0 = SecureRandom.hex(3) %> + + + + sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; stat1=$?; AAAAA > /dev/null; stat2=$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; stat3=$?; echo --$stat1$stat2$stat3; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 + false + + + You need to monitor our super sensitive list of clients. You have a copy in /home/<%= $main_user %>/trade_secrets/clients.csv Use one or more Snort rules to detect unencrypted transport of the file. The alert must include the message "<%= $rand_alert0 %>". + + + Find the flag + Hope you caught that. + + + + 1 + :( Failed to contact the web server (<%= $web_server_ip %>) + + + :( Something was not right... + + + <%= ERB.new(File.read self.templates_path + 'dlp.md.erb').result(self.get_binding) %> + + + +<% $rand_port = rand(65535) + $rand_alert1 = SecureRandom.hex(3) %> + sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; stat1=$?; nmap -sT -p <%= $rand_port - 1 %>-<%= $rand_port + 1 %> <%= $web_server_ip %> > /dev/null; stat2=$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; stat3=$?; echo --$stat1$stat2$stat3; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 + false + + + Create a Snort rule that detects any TCP connection attempt to TCP port <%= $rand_port %> to <%= $web_server_ip %>. The alert must include the message "<%= $rand_alert1 %>". + + + ^--1 + :( Failed to scp to your system. + + + ^--01 + :( Failed to scan your system. + + + ^--[01][01]1 + :( Failed to scp to your system (the second time). + + + ^--00.*<%= $rand_alert1 %>.*<%= $rand_alert1 %> + :( Almost. 
The alert did fire, but it fired more than once! + + + <%= $rand_alert1 %> + :) Well done! <%= $flags.pop %>. + + + + :( Your rule didn't get triggered (or didn't include the right message). + + + + + +<% $rand_content1 = SecureRandom.hex(3) + $rand_alert2 = SecureRandom.hex(3) %> + sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; stat1=$?; (sleep 1; echo "USER <%= $rand_content1 %>"; sleep 2; killall -9 nc ) | nc <%= $web_server_ip %> 110 > /dev/null; (sleep 1; echo "user test"; echo "pass test"; echo "stat"; echo "quit"; sleep 2; killall -9 nc ) | nc <%= $web_server_ip %> 110 > /dev/null; stat2=$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; stat3=$?; echo --$stat1$stat2$stat3; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 + false + + + Create a Snort rule that detects any packet with the contents "<%= $rand_content1 %>" to <%= $web_server_ip %>. The alert must include the message "<%= $rand_alert2 %>". + + + ^--1 + :( Failed to scp to your system. + + + ^--0.*<%= $rand_alert2 %>.*<%= $rand_alert2 %> + :( Almost, but your rule triggered too many times. Are you inspecting the content of the connection? + + + ^--0.*<%= $rand_alert2 %> + :) Well done! <%= $flags.pop %>. + + + + :( Your rule didn't get triggered (or didn't include the right message). 
+ + + + +<%= ERB.new(File.read self.templates_path + 'random_service_ids_rule.xml.erb').result(self.get_binding) %> +<%= ERB.new(File.read self.templates_path + 'random_service_ids_rule.xml.erb').result(self.get_binding) %> +<%= ERB.new(File.read self.templates_path + 'random_service_ids_rule.xml.erb').result(self.get_binding) %> + + + +<% $rand_alert4 = SecureRandom.hex(3) + $flag1 = $flags.pop + $flag2 = $flags.pop + $flag3 = $flags.pop +%> + sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; stat1=$?; nmap -sT -p 110 <%= $web_server_ip %> > /dev/null; (sleep 1; echo "USER <%= $main_user %>"; echo "PASS <%= $main_user_pass %>"; echo "STAT"; echo "QUIT"; sleep 2; killall -9 nc ) | nc <%= $web_server_ip %> 110; (sleep 1; echo "user test"; echo "pass test"; echo "stat"; echo "quit"; sleep 2; killall -9 nc ) | nc <%= $web_server_ip %> 110; stat2=$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; stat3=$?; echo --$stat1$stat2$stat3; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 + false + + + Create a Snort rule that detects any unencrypted POP3 email *user authentication attempt* (someone trying to log in), to a mail server on <%= $web_server_ip %>. The alert must include the message "<%= $rand_alert4 %>". Up to three flags will be awarded, based on the quality of the rule. + + + ^--1 + :( Failed to scp to your system. + + + ^--0.*<%= $rand_alert4 %>.*<%= $rand_alert4 %>.*<%= $rand_alert4 %> + :( Almost, but your rule triggered too many times. Are you inspecting the content of the connection? + + + ^--0.*<%= $rand_alert4 %>.*Classification.*User.*<%= $rand_alert4 %> + :-D Well done! ALL THREE FLAGS!: <%= $flag1 %>, <%= $flag2 %>, <%= $flag3 %>. + + + + ^--0.*<%= $rand_alert4 %>.*<%= $rand_alert4 %> + 8-) Well done! Two flags: <%= $flag1 %>, <%= $flag2 %>. 
Could be further improved with a classification. + + + + ^--0.*<%= $rand_alert4 %> + :) Well done! <%= $flag1 %>. The alert did get triggered, but it fired only under some conditions. Is your rule caps sensitive? More flags are to be had from a better rule ;-) + + + + :( Your rule didn't get triggered (or didn't include the right message). + + + + +<% $rand_alert5 = SecureRandom.hex(3) %> + sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; stat1=$?; curl <%= $web_server_ip %> >/dev/null; curl <%= $web_server_ip %>/contact.html >/dev/null; stat2=$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; stat3=$?; echo --$stat1$stat2$stat3; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 + false + + + Create a Snort rule that detects access to http://<%= $web_server_ip %> but NOT http://<%= $web_server_ip %>/contact.html. The alert must include the message "<%= $rand_alert5 %>". + + + ^--1 + :( Failed to scp to your system. + + + ^--01 + :( Failed to test your system. + + + ^--[01][01]1 + :( Failed to scp to your system (the second time). + + + ^--00.*<%= $rand_alert5 %>.*<%= $rand_alert5 %> + :( Almost, but your rule triggered too many times. Are you inspecting the content of the connection? + + + + ^--00.*<%= $rand_alert5 %> + :) Well done! <%= $flags.pop %>. + + + + :( Your rule didn't get triggered (or didn't include the right message). + + + +
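Review bot: The first challenge's shell command still contains the placeholder `AAAAA > /dev/null` where the transfer of the clients.csv file should be, so `stat2` will always be 127 (command not found) and the rule the student is asked to write can never fire; this appears to be why `REQUIRED_FLAGS = 10` while only nine `$flags.pop` calls exist across the templates. The guard `if self.accounts.empty?` does not protect `$second_account = JSON.parse(self.accounts[1])`, which raises TypeError when a single account is supplied — use `abort('Sorry, you need to provide two accounts') if self.accounts.size < 2`. `$rand_port = rand(65535)` can return 0, producing `nmap -sT -p -1-1`; `$rand_port = rand(1025..65534)` avoids that and keeps the port clear of the well-known services the other challenges probe. Finally, `sshpass -p <%= $root_password %>` places the root password on every command line (visible in `ps` on the hackerbot host) and interpolates it unquoted into sh; prefer `SSHPASS='...' sshpass -e` or key-based auth, at minimum single-quote the interpolated values, and add a comment that `-oStrictHostKeyChecking=no` is a deliberate lab-only trade-off.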
diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/labsheet.html.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/labsheet.html.erb new file mode 100644 index 000000000..3166f3520 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/labsheet.html.erb @@ -0,0 +1,121 @@ + + + <%= self.title %> + + + + + +
+ <%= self.html_TOC_rendered %> +
+ +
+ <%= self.html_rendered %> +
+ + + diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/license.md.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/license.md.erb new file mode 100644 index 000000000..c11478e8e --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/license.md.erb @@ -0,0 +1,6 @@ +## License +This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB). + +Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version. + +![small](images/leedsbeckett-logo.png) diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/random_service_ids_rule.xml.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/random_service_ids_rule.xml.erb new file mode 100644 index 000000000..75d590e25 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/random_service_ids_rule.xml.erb 
@@ -0,0 +1,31 @@ + +<% $services = {'FTP'=>'20','Telnet'=>'23','SMTP'=>'25','HTTP'=>'80','POP3'=>'110','IMAP'=>'143','SNMP'=>'161','LDAP'=>'389','HTTPS'=>'443','LDAPS'=>'636'} + $rand_service1 = $services.keys.sample + $rand_alert3 = SecureRandom.hex(3) %> + sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; stat1=$?; nmap -sT -p 1000,<%= $services[$rand_service1] %> <%= $web_server_ip %> > /dev/null; stat2=$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; stat3=$?; echo --$stat1$stat2$stat3; diff -u /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 + false + + + Create a Snort rule that detects any TCP connection attempt to <%= $rand_service1 %> (just the connection attempt, does not require content inspection) on <%= $web_server_ip %>. The alert must include the message "<%= $rand_alert3 %>". + + + ^--1 + :( Failed to scp to your system. + + + ^--01 + :( Failed to scan your system. + + + ^--[01][01]1 + :( Failed to scp to your system (the second time). + + + <%= $rand_alert3 %> + :) Well done! <%= $flags.pop %>. + + + + :( Your rule didn't get triggered (or didn't include the right message). + + diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/resources.md.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/resources.md.erb new file mode 100644 index 000000000..df3e1a25f --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/resources.md.erb 
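Review bot: In the `$services` map at the top of the hunk `'FTP'=>'20'` pairs FTP with its data port, while a connection-attempt rule for "FTP" will normally watch the control port 21, so the `nmap -sT -p 1000,<%= $services[$rand_service1] %>` probe would never hit the port the student is told to detect and the `:(` branch fires for a correct rule; `'FTP'=>'21'` matches the task text. Separately, `sshpass -p <%= $root_password %>` places the IDS server's root password on the command line, where it is readable from the process list on the host running the check, and `-oStrictHostKeyChecking=no` accepts whatever host key that server presents; exporting the password as `SSHPASS` and calling `sshpass -e scp ...` keeps it out of argv. The same scp/sshpass command appears in the preceding hunk, which starts outside this chunk.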
@@ -0,0 +1,3 @@ +## Resources + +Martin Roesch (n.d.) **Chapter 2:** Writing Snort Rules - How to Write Snort Rules and Keep Your Sanity. In: *Snort Users Manual*. Available from: <[*http://www.snort.org.br/documentacao/SnortUsersManual.pdf*](http://www.snort.org.br/documentacao/SnortUsersManual.pdf)> \ No newline at end of file diff --git a/modules/generators/structured_content/person/secgen_local/local.rb b/modules/generators/structured_content/person/secgen_local/local.rb index dca48e5ac..20a5d94e8 100644 --- a/modules/generators/structured_content/person/secgen_local/local.rb +++ b/modules/generators/structured_content/person/secgen_local/local.rb @@ -10,6 +10,8 @@ class PersonHashBuilder < StringEncoder attr_accessor :username attr_accessor :password attr_accessor :account + attr_accessor :credit_card + attr_accessor :national_insurance_number def initialize super @@ -20,6 +22,8 @@ class PersonHashBuilder < StringEncoder self.email_address = '' self.username = '' self.password = '' + self.credit_card = '' + self.national_insurance_number = '' self.account = [] end @@ -29,6 +33,8 @@ class PersonHashBuilder < StringEncoder person_hash['address'] = self.address person_hash['phone_number'] = self.phone_number person_hash['email_address'] = self.email_address + person_hash['credit_card'] = self.credit_card + person_hash['national_insurance_number'] = self.national_insurance_number if self.account != [] account = JSON.parse(self.account[0]) @@ -49,6 +55,8 @@ class PersonHashBuilder < StringEncoder ['--email_address', GetoptLong::REQUIRED_ARGUMENT], ['--username', GetoptLong::REQUIRED_ARGUMENT], ['--password', GetoptLong::REQUIRED_ARGUMENT], + ['--credit_card', GetoptLong::REQUIRED_ARGUMENT], + ['--national_insurance_number', GetoptLong::REQUIRED_ARGUMENT], ['--account', GetoptLong::OPTIONAL_ARGUMENT]] end 
@@ -67,6 +75,10 @@ class PersonHashBuilder < StringEncoder self.username << arg; when '--password' self.password << arg; + when '--credit_card' + self.credit_card << arg; + when '--national_insurance_number' + self.national_insurance_number << arg; when '--account' self.account << arg; end @@ -79,6 +91,8 @@ class PersonHashBuilder < StringEncoder 'email_address: ' + self.email_address.to_s + print_string_padding + 'username: ' + self.username.to_s + print_string_padding + 'password: ' + self.password.to_s + print_string_padding + + 'credit_card: ' + self.credit_card.to_s + print_string_padding + + 'national_insurance_number: ' + self.national_insurance_number.to_s + print_string_padding + 'account: ' + self.account.to_s end end diff --git a/modules/generators/structured_content/person/secgen_metadata.xml b/modules/generators/structured_content/person/secgen_metadata.xml index 2025d78f2..99d40fc67 100644 --- a/modules/generators/structured_content/person/secgen_metadata.xml +++ b/modules/generators/structured_content/person/secgen_metadata.xml @@ -41,6 +41,12 @@ + + + + + + person
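Review bot: `self.credit_card << arg;` and `self.national_insurance_number << arg;` in the option-parsing hunk mutate the `''` default that the initializer hunk above assigns instead of replacing it, so a repeated `--credit_card` or `--national_insurance_number` option silently concatenates both values into one string, and the in-place `<<` on a string literal would raise `FrozenError` as soon as a `# frozen_string_literal: true` comment is added to the file; `self.credit_card = arg` and `self.national_insurance_number = arg` avoid both. This copies the `<<` pattern of the neighbouring `--username`/`--password` branches, so the suggestion is only not to extend that pattern to the new fields. The trailing semicolons on the new lines are redundant in Ruby.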
diff --git a/scenarios/labs/8_exfiltration_detection.xml b/scenarios/labs/8_exfiltration_detection.xml new file mode 100644 index 000000000..aa2c63c95 --- /dev/null +++ b/scenarios/labs/8_exfiltration_detection.xml @@ -0,0 +1,199 @@ + + + + + + desktop + + + + + 172.16.0.2 + 172.16.0.3 + 172.16.0.4 + + + + + + + + + mythical_creatures + + + + + tiaspbiqe2r + + + true + + + trade_secrets/code.pl + personal_secrets/private + trade_secrets/clients.csv + + + no warnings; `$=`;$_=\%!;($_)=/(.)/;$==++$|;($.,$/,$,,$\,$",$;,$^,$#,$~,$*,$:,@%)=($!=~/(.)(.).(.)(.)(.)(.)..(.)(.)(.)..(.)......(.)/,$"),$=++;$.++;$.++;$_++;$_++;($_,$\,$,)=($~.$"."$;$/$%[$?]$_$\$,$:$%[$?]",$"&$~,$#,);$,++;$,++;$^|=$";`$_$\$,$/$:$;$~$*$%[$?]$.$~$*${#}$%[$?]$;$\$"$^$~$*.>&$=` + + + + + + + + + + + + + + + + + + mythical_creatures + + + + + test + + + false + + + + + + + + + + + + + mythical_creatures + + + + + test + + + false + + + + + + + + + + + + + + + + + + accounts + + + + + + accounts + + + accounts + + + true + + + + + + + + accounts + + + true + + + IP_addresses + + + + + + IP_addresses + + + accounts + + + + + + hackerbot_access_root_password + + + + + + IP_addresses + + + + + + hackerbot_server + + + + + + + + + + + + + + + accounts + + + hackerbot_access_root_password + + + + IP_addresses + + + + + + + + IP_addresses + + + + + + + + + + +