digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-22 19:58:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

lab updates

Browse Source
This commit is contained in:
Z. Cliffe Schreuders
2018-10-26 15:24:30 +01:00
parent a31fd69aba
commit d7207bfb56
2 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
modules/generators/structured_content/hackerbot_config/ids/templates/lab.xml.erb
View File

@@ -125,7 +125,7 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<prompt>Monitor the network traffic using Tcpdump or Wireshark, and look out for a string starting with "<%= $rand1 %>".</prompt>
<condition>
<output_matches>0</output_matches>
<output_matches>0|7</output_matches>
<message>Hope you found the flag! Moving on...</message>
<trigger_next_attack>true</trigger_next_attack>
</condition>

15
modules/generators/structured_content/hackerbot_config/ids/templates/tcpdump.md.erb
View File

@@ -100,17 +100,26 @@ We can also use tcpdump to do some simple monitoring of the network traffic to d
```bash
kdesudo wireshark &
```
And in another command tab:
```bash
sudo tcpdump -A -i eth1 | grep "GET"
```
> For this exercise you can ignore the warning about running Wireshark as root, or read online to learn to use setcap to grant Wireshark more specific privileges.
In Wireshark, choose the network interface card (such as eth1) then click the green start icon, to ==start monitoring traffic==. Generate some traffic and explore how to ==view it using Wireshark==.
In Wireshark, choose the network interface card (such as eth1) then click the start icon, to ==start monitoring traffic==. Generate some traffic and explore how to ==view it using Wireshark==.
You can also open the captured network traffic in Wireshark.
Open a web browser **on the desktop VM**, and visit [*http://<%= $web_server_ip %>*](http://<%= $web_server_ip %>), note that tcpdump captures *most* network content, and grep can be used to filter it down to lines that are interesting to us.
> If you don't see traffic generated from this, you may need to press Ctrl-F5 to force the browser not to use a local cache.
Note that making sense of this information using tcpdump and/or Wireshark is possible (and is a common sys-admin task), but the output is too noisy to be constantly and effectively monitored by a human to detect security incidents. Therefore we can use an IDS such as Snort to monitor and analyse the network traffic to detect activity that it is configured to alert.
==Right click on an HTTP request in Wireshark and "Follow", "TCP Stream".==
==Right click the same HTTP request in Wireshark and "Follow", "HTTP Stream".==
==In your log book explain the differences in output.==
Note that making sense of all this information using tcpdump and/or Wireshark is possible (and is a common sys-admin task), but the output is too noisy to be constantly and effectively monitored by a human to detect security incidents. Therefore we can use an IDS such as Snort to monitor and analyse the network traffic to detect activity that it is configured to alert.
Make sure tcpdump is stopped (Ctrl-C).