Honeypots
Adversaries spend considerable time gathering information about targets and planning their attacks. Because attack vectors are crafted so carefully, they are hard to detect and prevent immediately. If attackers gain a foothold in the internal network, they look for unprotected devices or hosts to expand their privileges. Defenders exploit this behavior by setting up intentionally vulnerable, monitored systems called honeypots. These are isolated from production assets, absorb further attacks, and help analyze adversary behavior to improve security. Honeypots are grouped into two types based on their purpose:
● Research honeypots - are used to monitor and analyze the behavior of adversaries to identify attack patterns, trends, and most commonly exploited vulnerabilities.
● Production honeypots - are used to identify and isolate active threats in the network.
This lab exercise provides both the attacker’s and the defender’s perspective to a network that contains a production honeypot host.
Check the IP address of the honeypot machine using the following command: `ifconfig`
Which honeypot protects the network in real time? Production honeypot
The attacker’s perspective
When first accessing a target network, attackers can use tools like Nmap to map out active hosts and open ports.
Navigate to the Ubuntu Cysa machine, open a new terminal, and type the following command: `nmap 172.20.1.10 172.20.1.12`
Host 172.20.1.1 is excluded because it represents your host device and is not part of the lab. Such conventional services are easily recognized and can quickly attract attention from adversaries, as many tools for their enumeration are readily available online.
How many ports are open on 172.20.1.12? 3
FTP
FTP servers are sometimes configured to allow anonymous authentication. This feature enables users to log in to the server without having valid username and password credentials. To check if anonymous authentication is allowed, open a terminal window and type ftp followed by the IP address of the target:
`ftp 172.20.1.12`
When prompted for a name, type: `anonymous`
The response `530 Sorry, Authentication failed.` shows that these credentials are not valid on this server. An attacker could then try to brute-force other usernames but would have no success, since no other valid user is defined for this host.
`exit`
After failing to exploit FTP, the attacker would switch focus to the other open port. When port 80 is in use, the device is most likely hosting a website. Open a web browser and type the IP address of the host in the URL bar: `http://172.20.1.12`
As with FTP, an attacker would run several tools against the server to understand the technology stack used to build this website. Obtaining this information would allow the adversary to select several possible attack vectors. However, since this website is a mock-up, it is very static and contains no input fields, cookies, session tokens, or any other path that could be used to send payloads to the server.
By the time adversaries conclude that there is no way to abuse this host, they will have generated enough logs to alert network defenders that there was an intrusion.
What is the default port number used for FTP communications? 21
The defender’s perspective
To view the logs generated by the attacker's actions, connect to the honeypot machine using SSH. Secure Shell normally uses port 22; in this case, however, it is configured to run on port 2222: `ssh root@172.20.1.12 -p 2222`
Type yes when asked if you want to continue connecting. When prompted for the password, type: `passw0rd!`
The honeypot logs are located in /var/tmp and can be viewed using the following command: `cat /var/tmp/opencanary.log`
The honeypot_logs.sh script is a custom bash script that continuously checks these logs and displays them on the terminal. To see the script, use the following command: `cat honeypot_logs.sh | tee ~/logs`
What does the honeypot_logs.sh script do? It continuously checks logs and displays them on the terminal
#!/bin/bash
# Usage: ./honeypot_logs.sh <logfile>
# Outer loop: redraw the log on the terminal every 4 seconds, forever.
while true; do
    # Inner loop: print each log line, followed by a blank line for readability.
    while IFS= read -r line || [[ -n "$line" ]]; do
        echo "$line"
        echo ""
    done < "$1"
    sleep 4
    clear
done
Logs
The inner while loop of the script reads the log file and prints it line by line to the screen. The infinite outer loop repeats this process every four seconds. Run the script using the command shown below: `./honeypot_logs.sh /var/tmp/opencanary.log | tee ~/traffic`
The logs show all traffic generated by the attacker container, including the attempt to authenticate to FTP using anonymous and the request to view the website:
This setup would require constant monitoring from the defending side to keep track of all traffic to and from the honeypot host. Depending on the technology, purpose, and type of honeypot used, alerts can be integrated with existing infrastructure elements such as SIEMs and IDS/IPSs, or be sent via email.
To exit the log, press CTRL + C at the same time.
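Reading the raw log with cat or the refresh script works for a lab, but a defender usually wants a per-host summary and a simple alert rule. The script below is an added example and is not part of the lab or of the OpenCanary project. It assumes OpenCanary's one-JSON-object-per-line log format with "src_host" and "logtype" keys; the four log lines it writes are constructed for the example, and the logtype-to-name mapping is assumed from OpenCanary's logger constants.

```bash
#!/usr/bin/env bash
# Added example (not part of the lab): summarise OpenCanary log lines per
# source host so a defender can see who is generating the noise.
# Assumes one JSON object per line containing "src_host" and "logtype";
# the log content written below is constructed for this example.

# Write four constructed log lines (two FTP attempts and two web requests)
# to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
{"dst_host": "172.20.1.12", "dst_port": 21, "logdata": {"USERNAME": "anonymous", "PASSWORD": "guest"}, "logtype": 2000, "node_id": "honeypot-1", "src_host": "172.20.1.10", "src_port": 51234, "utc_time": "2024-01-01 10:00:01"}
{"dst_host": "172.20.1.12", "dst_port": 21, "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "logtype": 2000, "node_id": "honeypot-1", "src_host": "172.20.1.10", "src_port": 51235, "utc_time": "2024-01-01 10:00:07"}
{"dst_host": "172.20.1.12", "dst_port": 80, "logdata": {"PATH": "/"}, "logtype": 3000, "node_id": "honeypot-1", "src_host": "172.20.1.10", "src_port": 51240, "utc_time": "2024-01-01 10:01:30"}
{"dst_host": "172.20.1.12", "dst_port": 80, "logdata": {"PATH": "/robots.txt"}, "logtype": 3000, "node_id": "honeypot-1", "src_host": "172.20.1.11", "src_port": 40001, "utc_time": "2024-01-01 10:02:00"}
EOF
}

# Map a numeric logtype to a readable name. The values are assumed from
# OpenCanary's logger constants; anything unknown is printed as the number.
logtype_name() {
    case "$1" in
        2000) printf 'FTP_LOGIN_ATTEMPT' ;;
        3000) printf 'HTTP_GET' ;;
        4002) printf 'SSH_LOGIN_ATTEMPT' ;;
        *)    printf '%s' "$1" ;;
    esac
}

# Print "count src_host event" for every (host, event) pair, busiest first.
# Uses only bash regex, sort, uniq and awk, so it runs on the honeypot
# itself without jq or Python. Lines missing either key are skipped rather
# than corrupting the tally.
summarize_honeypot_log() {
    local logfile="$1" line host
    local host_re='"src_host": *"([^"]+)"'
    local type_re='"logtype": *([0-9]+)'
    while IFS= read -r line || [[ -n "$line" ]]; do
        [[ $line =~ $host_re ]] || continue
        host=${BASH_REMATCH[1]}
        [[ $line =~ $type_re ]] || continue
        printf '%s %s\n' "$host" "$(logtype_name "${BASH_REMATCH[1]}")"
    done < "$logfile" | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Simple alert rule: print "src_host total" for every host with at least
# $2 events in log $1, one host per line.
noisy_hosts() {
    local logfile="$1" threshold="$2"
    summarize_honeypot_log "$logfile" \
        | awk -v t="$threshold" '{n[$2] += $1} END {for (h in n) if (n[h] >= t) print h, n[h]}' \
        | sort
}

# Demo on the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
summarize_honeypot_log "$demo_log"
echo "--- hosts with 3 or more events ---"
noisy_hosts "$demo_log" 3
rm -f "$demo_log"
```

Pointing summarize_honeypot_log at /var/tmp/opencanary.log on the lab honeypot shows the FTP attempts and web requests from 172.20.1.10 grouped together, and noisy_hosts is the kind of threshold a SIEM rule would apply before raising an alert.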
Encryption
When encountering logs like those shown in the previous chapter, a system administrator or a blue-teamer would store them to continue proper investigation and analysis of the intrusion.
There are two essential aspects to consider in this case:
● Protecting the stored data with a password so that other users cannot change the content.
● Proving the integrity of the data in case the data needs to be transported.
Data at rest is data that is rarely accessed or modified. Examples include backups, records in databases, and documents stored on disks.
This example illustrates a way to secure logs and backups. It provides an overview of encryption, safe password storage, and hashes. The first step is to store the logs generated by the attacker in a file called honeypot_logs.zip: `zip honeypot_logs.zip /var/tmp/opencanary.log`
One way to securely copy data from one host to another is by using scp. Secure copy (scp) uses SSH to transfer files. Close the connection with the honeypot machine or open a new terminal and run the following command: `scp -P 2222 root@172.20.1.12:/root/honeypot_logs.zip .`
The password we will use is: `passw0rd!`
What is the primary purpose of encryption at rest? To protect data from unauthorized access while it is stored.
Securing data at rest
Encryption is the process of converting readable information, known as plaintext, into unintelligible data known as ciphertext. The steps needed to produce an undecipherable ciphertext are defined by encryption algorithms. One such algorithm is AES. The Advanced Encryption Standard (AES) is a symmetric cipher used, among other places, in wireless security, file encryption, and SSL/TLS.
Encryption of data at rest
To encrypt the honeypot_logs.zip file using OpenSSL, the following options will be used:
● enc - stands for encrypt
● -aes-256-cbc - is the algorithm used. In this case, we are using AES with a key length of 256 bits
● -pbkdf2 - derives the encryption key from the password with PBKDF2 instead of OpenSSL's weaker legacy key derivation
● -in - this option is followed by the name of the file that will be encrypted
● -out - this option is used to specify the name of the file that will contain the encrypted content
`openssl enc -aes-256-cbc -pbkdf2 -in /home/ubuntu-user/honeypot_logs.zip -out /home/ubuntu-user/honeypot_logs.enc`
You will be prompted to provide a password; enter: `S@fePassword!`. Make sure your passwords are always robust and combine different sets of characters.
You now have two versions of the same file on your device: the plaintext file (honeypot_logs.zip) and the encrypted file (honeypot_logs.enc). You may choose to delete the plaintext file.
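The encryption step above is interactive. The functions below are an added example, not the lab's own commands, that wrap the same openssl options so they can be scripted: the password is handed over through an environment variable with -pass env: (so it does not appear in the process list or shell history), the result is decrypted and compared with the original, and a wrong password is shown to be rejected. The file content and the passwords used in the demo are constructed; the only real openssl behaviour relied on is the "Salted__" header that openssl enc writes in front of the ciphertext.

```bash
#!/usr/bin/env bash
# Added example (not the lab's own commands): scriptable AES-256-CBC
# encryption of a backup with openssl, plus the checks a defender would
# run before deleting the plaintext. Passwords and file content are
# constructed for the demo.

# Encrypt plaintext $2 into $3; the key is derived from password $1 with
# PBKDF2. The password is passed via the environment (-pass env:) rather
# than on the command line, so `ps` and the shell history never see it.
encrypt_backup() {
    BACKUP_PASSWORD="$1" openssl enc -aes-256-cbc -pbkdf2 -salt \
        -in "$2" -out "$3" -pass env:BACKUP_PASSWORD
}

# Decrypt ciphertext $2 into $3 with password $1; non-zero on bad password.
decrypt_backup() {
    BACKUP_PASSWORD="$1" openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$2" -out "$3" -pass env:BACKUP_PASSWORD 2>/dev/null
}

# openssl enc writes the 8-byte marker "Salted__" followed by the random
# salt in front of the ciphertext; returns 0 when $1 carries that header.
is_openssl_salted() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# Round trip: returns 0 only when decrypt(encrypt(file)) is byte-identical
# to the original, which is the check to run before deleting the plaintext.
roundtrip_ok() {
    local pw="$1" plain="$2" dir rc
    dir=$(mktemp -d)
    encrypt_backup "$pw" "$plain" "$dir/backup.enc" \
        && decrypt_backup "$pw" "$dir/backup.enc" "$dir/backup.dec" \
        && cmp -s "$plain" "$dir/backup.dec"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Returns 0 when a wrong password does NOT recover the plaintext. A wrong key
# almost always fails the CBC padding check ("bad decrypt"); on the rare
# occasion the padding happens to parse, the output is still garbage, so the
# result is compared with the original as well.
wrong_password_rejected() {
    local pw="$1" plain="$2" dir rc=0
    dir=$(mktemp -d)
    encrypt_backup "$pw" "$plain" "$dir/backup.enc"
    if decrypt_backup "wrong-$pw" "$dir/backup.enc" "$dir/backup.dec" \
        && cmp -s "$plain" "$dir/backup.dec"; then
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# Demo on a constructed plaintext file.
demo_plain=$(mktemp)
printf 'constructed honeypot log archive\n' > "$demo_plain"
roundtrip_ok 'S@fePassword!' "$demo_plain" && echo "round trip OK"
wrong_password_rejected 'S@fePassword!' "$demo_plain" && echo "wrong password rejected"
rm -f "$demo_plain"
```

AES-CBC as used here protects confidentiality only; it does not by itself tell the recipient whether the ciphertext was modified, which is why the lab adds a hash in the "Securing data in motion" section.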
Which command-line utility is used to generate private keys, encrypt, decrypt, create Certificate Signing Requests, generate certificates, and identify certificate information? openssl
Securing passwords with a password vault
When using password authentication, users often reuse the same credentials across multiple accounts or choose weak passwords for ease of remembering. Strong, random, and auto-generated passwords are difficult to brute-force but easy to forget. This issue led to the development of password vaults. A password vault is a program that helps users store, generate, and manage passwords. By encrypting the password storage, the vault allows users to access multiple passwords with a single master password. These vaults are commonly known as password managers.
Among various tools and versions, KeePass is a well-known option. KeePass is a free, open-source password manager that stores passwords in an encrypted database, accessible with one master key. The kpcli tool is a command-line utility for creating and editing KeePass entries and databases. To store the password for encrypting the honeypot_logs.zip file, open a terminal and type kpcli.
`kpcli`
What is the primary purpose of KeePass? To generate and manage passwords in an encrypted database accessible with a master key
Kpcli
Type the following command to create a directory for storing passwords used for encryption: `mkdir backup_encryption`
Navigate to the backup_encryption directory by typing: `cd backup_encryption/`
To add a new entry in the backup_encryption directory, type: `new`
When prompted for the title, type: `encrypted_honeypot_logs`
Press Enter until you are prompted for the comments. Then enter the following:
This password was used to encrypt the zipped honeypot log file
Finish the entry by typing: `.`
Everything typed after “Password: ” will not be shown. This is a countermeasure to prevent accidental password disclosure in case the device’s screen is visible to other people.
To store the credentials just entered, write them to a KeePass database: `saveas /home/ubuntu-user/password_database.kdbx`
When prompted for the master password, use: `S@fePassword!`
The master password is the only password that needs to be remembered from now on.
`quit` terminates kpcli and returns you to the terminal.
What command is used to store the credentials in a KeePass database? saveas
Securing data in motion
Since the honeypot log files will be further analyzed to extract information or will be shared with security teams, it is crucial to ensure that no data has been altered either accidentally during file transfer or purposely by an adversary or unauthorized party.
Hash functions provide a way to map a long string to a shorter fixed-length output string known as hash-value or digest. They became essential tools in cryptography to construct digital signatures, integrity verification, password protection, and public-key encryption.
To protect the integrity of the honeypot logs, we can generate a hash value for the honeypot_logs.enc file:
`shasum /home/ubuntu-user/honeypot_logs.enc`
What type of hash algorithm is used by the last command? SHA1
Integrity checks
You can decide whether you want to store the hash in the KeePass database or generate it each time before sending the file to a peer. To save it to KeePass, follow these steps:
● type kpcli in the terminal window to start using the KeePass program
● use the open command to load the password_database.kdbx file
● use cd to switch to the backup_encryption/ directory
● use ls to list all password entries
● use edit to modify the content of encrypted_honeypot_logs
● press the return key for each value that you do not want to modify
`kpcli`
`open /home/ubuntu-user/password_database.kdbx`
When prompted for the master password, enter: `S@fePassword!`
`cd backup_encryption/`
`ls`
`edit 0`
Press Enter for each value you do not want to change. In the comments field, add a line beginning with `hash: ` followed by the hash value, then finish the field by typing: `.`
Confirm with `y` when prompted.
If you want to share the logs with another person, you should send both the file and the hash value. The receiving end downloads the data and runs the same command (in this case shasum) to generate their own hash. Applying the same hash function to the same file will always produce the same result.
The receiving end will compare their own hash value with the one you delivered and if they both match, they will know the content of the file was not altered throughout transmission.
After executing the last set of commands, is the hash value the same? yes
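The exchange described above, written as a repeatable check, as an added example that is not part of the lab: the sender writes a digest file next to the encrypted backup, the receiver verifies the file against it, and a single appended byte is shown to fail verification. It uses sha256sum from GNU coreutils (assumed to be installed) rather than the lab's shasum, so the digest is SHA-256 instead of SHA-1; the file contents are constructed.

```bash
#!/usr/bin/env bash
# Added example (not the lab's own commands): digest generation and
# verification for a file in transit, using GNU coreutils sha256sum
# (assumed installed). File contents below are constructed.

# Print the SHA-256 hex digest of file $1.
digest_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Sender side: write "<digest>  <basename>" for $1 into $1.sha256, the
# format that sha256sum -c reads. Paths are made relative so the digest
# file still verifies after the pair is copied somewhere else.
make_digest() {
    local file="$1"
    ( cd "$(dirname "$file")" && sha256sum "$(basename "$file")" ) > "$file.sha256"
}

# Receiver side: verify $1 against $1.sha256; returns 0 only when the
# recomputed digest matches the one that was sent.
verify_digest() {
    local file="$1"
    ( cd "$(dirname "$file")" && sha256sum -c --status "$(basename "$file").sha256" )
}

# End-to-end demonstration: a pristine copy verifies, then one byte is
# appended (simulating corruption or tampering in transit) and the same
# check must fail. Returns 0 when both outcomes are as expected.
tamper_detected() {
    local dir file rc=1
    dir=$(mktemp -d)
    file="$dir/honeypot_logs.enc"
    printf 'constructed ciphertext bytes\n' > "$file"
    make_digest "$file"
    if verify_digest "$file"; then
        printf 'A' >> "$file"
        if ! verify_digest "$file"; then
            rc=0
        fi
    fi
    rm -rf "$dir"
    return "$rc"
}

# Demo: identical content gives identical digests; a modified file is caught.
a=$(mktemp); b=$(mktemp)
printf 'constructed honeypot log archive\n' > "$a"
printf 'constructed honeypot log archive\n' > "$b"
echo "sender digest:   $(digest_of "$a")"
echo "receiver digest: $(digest_of "$b")"
tamper_detected && echo "modification detected by digest check"
rm -f "$a" "$b"
```

A hash sent alongside the file detects accidental corruption, but an adversary who can alter the file in transit can also replace the digest; sending the digest over a separate channel, or storing it in the KeePass entry as the lab does, is what makes the comparison meaningful.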