Navreet-100944088-Lab4. Detection of Attack by Splunk (docx)
School: Durham College
Subject: Information Systems
Date: Feb 20, 2024
Pages: 13
Lab 4: Detection of Attack by Splunk (Individual Lab)
INFT 1202 – Fuad Mustapha. Total Marks: 40
Introduction to the Lab
This lab continues Lab 3 (Configuration of Splunk Universal Forwarder). Part A: we will install openssh-server on our Splunk Forwarder virtual machine. After installing it, we will attempt to log in over ssh from a Kali machine using invalid and valid credentials. This Kali attack will be captured by our Splunk Ubuntu Server and recorded as logs there.
©fuad.mustapha@durhamcollege.ca
Page 1 of 13
Pre-requisites of the lab
The pre-requisites (recommended system requirements) are:
- Lab 3 Virtual Machine.
- Kali Virtual Machine (attacker machine) with the following specifications:
  o 4 GHz dual core processor or better
  o 4 GB system memory
  o 80 GB of free hard drive space
  o Internet access is helpful
Steps of the lab:
To get our VM up and running, we will need to execute the following steps:
Step 1: Download a Kali Image and launch the VM.
Step 2: Install openssh-server on the second Ubuntu Universal Forwarder machine.
Step 3: Login to Kali and Password Spray our Ubuntu Universal Forwarder machine (Victim Machine) - invalid Credentials (RED TEAM)
Step 4: Check the attack captured in the first Ubuntu Splunk Server Machine.
Step 5: Brute force attack on the second Ubuntu Universal Forwarder machine by the Kali machine using the Hydra tool in Kali Linux - Successful attack
Step 6: Check the successful attack logs in your first Ubuntu Splunk server machine
Step 7: Answer a few questions based on the scenario we saw.
Execution of the lab (Attach Your Screenshots)
Step 1: Download a Kali Image and launch the VM.
a) Let us download a Kali image from kali.org. Use the link below to download Kali: https://kali.download/virtual-images/kali-2021.4a/kali-linux-2021.4a-vmware-amd64.7z
Note: If you have a Kali VM from another course, you can use that for this lab. In that case, please make sure it has the necessary tools and configurations required for the lab. It needs to be in the same network as our other two Ubuntu machines.
b) Unzip your downloaded Kali image using 7zip or any other unzipping tool. Go to VMware and click on File -> Open. Navigate to your downloaded and unzipped Kali image to open it, and your Kali VM will be created.
Note: This is a Kali image downloaded from the Kali website; you do not need to install it, as it is already installed.
c) Power it on. Username: kali, password: kali
[Attach the screenshot]
Step 2: Install openssh-server on the Splunk Forwarder virtual machine.
We will download and enable ssh on our Splunk Forwarder virtual machine using the following commands:
a) First, update the VM: sudo apt update
b) Next, install an ssh server on our Ubuntu machine: sudo apt install openssh-server
c) Run the command sudo systemctl status ssh to check the status of our ssh server. The status should be green, showing running.
[Attach the screenshot]
d) To make sure ssh is allowed through the Ubuntu OS firewall, in case the VM has one, execute the command sudo ufw allow ssh
e) Check the IP address of your Ubuntu Universal Forwarder using ifconfig
f) Use the command who to check and confirm your username on your Ubuntu Splunk forwarder.
Step 3: Login to Kali and Password Spray our Ubuntu Universal Forwarder machine (Victim Machine) - invalid Credentials (RED TEAM)
Let's have some fun. Let's play the attacker here.
a) Login to your Kali VM using username: kali and password: kali. Use the command PS1='[`date "+%D"`] yourname@\h:\w\$ ' to set up your name on the terminal. [Attach the screenshot]
b) Try to ssh with a wrong username as seen below, using the username INFT1202; the command would be ssh INFT1202@your_ubuntu_UniversalForwarderIP.
[Attach the screenshot]
c) As the Blue Team, on your Kali machine, run the command ifconfig. This is to confirm our Kali IP, as we will use this IP to check the logs in our first Ubuntu Splunk Server.
Step 4: Check the attack captured in the first Ubuntu Splunk Server Machine.
Next, let us detect the attempted access to our Ubuntu machine using a wrong username.
a) Go to Search and Reporting in Splunk and run the following search: index=* YourKaliIP, e.g., index=* 192.168.182.135 (my Kali VM). We will see that Splunk shows an invalid user trying to access our Ubuntu virtual machine using ssh on port 22. [Attach the screenshot]
b) You can see that everything from your Kali machine was captured in the Ubuntu Splunk Server from /var/log/auth.log
Good job, now as the blue team member, we have detected an attacker trying to log into our Ubuntu Universal Forwarder using an unidentified credential.
Step 5: Brute force attack on the second Ubuntu Universal Forwarder machine by the Kali machine using the Hydra tool in Kali Linux - Successful attack
a) Go back to your Kali machine to play the attacker one more time, and assume we do not know the password of the Ubuntu Universal Forwarder machine but know the username after doing some Open-Source Intelligence.
b) Let's create a wordlist of random passwords and add your Ubuntu Universal Forwarder VM password to the list (see the password list below). In this demo, my Ubuntu password was the very weak password "Password". To create the password list, run the following command on the terminal of your Kali machine: nano password.txt (this opens a nano editor on a file named password.txt)
c) Create a custom password list by copying and pasting this password list into the opened editor and save it as password.txt. Note: Make sure you add your Ubuntu password to the list. This is to make our brute force faster.
PXyFaFexFxopg5k5
wfSTXaZyUTTfVrM9
YYh6nuqDJKgqSPtQ
E8XTUWQo9SMAJ7q6
GBLxJgQRgQiJ4DWC
iY1d1mcFM2KgZ7vr
MRfeALJUiUkAwWwp
nobCWwnNWcuKuzhz
9JmqVSq1V3jtJHxT
Password
Vagrant
d) When the nano editor opens in your command line, copy the password list and paste it into the editor, and don't forget to include your correct Ubuntu password (this makes our password spray faster).
e) In the nano editor, press ctrl + x and the editor will ask whether you want to save. Type y (yes) to save our password list.
f) Hope you guys are having some fun; there is still more fun playing the attacker here. Playing as the attacker and, as stated earlier, assuming we already know the username of the Ubuntu machine, make sure you check the right username of your Ubuntu machine by logging into your Ubuntu Universal Forwarder VM. Open the command terminal and execute the command: who
[Attach the screenshot]
g) After confirming the username of the Ubuntu Universal Forwarder VM, let's use hydra to password spray the ssh port of our Ubuntu machine using a brute force method and the custom password list. Execute the hydra command: hydra -l [username] -P [password list] [victim machine IP] ssh
[Attach the screenshot]
Good job, now we have obtained the victim's password (our Ubuntu Universal Forwarder VM) using the tool hydra to run a password spray.
h) Playing the attacker, from our Kali VM, we will use the credentials to log in to our Ubuntu Universal Forwarder VM through SSH. [Attach the screenshot]
# ssh YourUsername@[UbuntuServerVMIP]
# ssh fuadnetw2200@192.168.80.140
Good job, playing the attacker, you have successfully gained access to the Ubuntu Universal Forwarder VM.
Step 6: Check the successful attack logs in your first Ubuntu Splunk server machine
a) Check the successful attempt logs captured by the Ubuntu Splunk Server
[Attach the screenshot]
b) Screenshot confirming our Ubuntu username; we can see that Splunk detected the successful login from the attacker machine.
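The detection that Steps 4 and 6 have you perform by searching Splunk for the Kali IP, written out as a small Python script over the same kind of sshd lines that /var/log/auth.log holds. This is an added example, not code from the lab or from Splunk: the log lines, host name, usernames, ports and timestamps are constructed, the attacker IP is made up (it reuses the address from the Step 7 answers only for familiarity), and the threshold of three failed passwords before an alert is an assumption. It raises an alert when a source reaches that many failures (the Hydra run of Step 5) and a second, more serious one when a login is then accepted from that same source (what Step 6 looks for), and pulls out the fields Step 7 asks for.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/auth.log on Ubuntu.
# Host name, usernames, ports, timestamps and addresses are made up for this
# example and are not taken from the lab's screenshots.
SAMPLE_AUTH_LOG = """\
Feb 20 10:01:02 forwarder sshd[1401]: Invalid user INFT1202 from 192.168.89.130 port 54494
Feb 20 10:01:04 forwarder sshd[1401]: Failed password for invalid user INFT1202 from 192.168.89.130 port 54494 ssh2
Feb 20 10:05:10 forwarder sshd[1410]: Failed password for student from 192.168.89.130 port 54500 ssh2
Feb 20 10:05:11 forwarder sshd[1411]: Failed password for student from 192.168.89.130 port 54501 ssh2
Feb 20 10:05:12 forwarder sshd[1412]: Failed password for student from 192.168.89.130 port 54502 ssh2
Feb 20 10:05:13 forwarder sshd[1413]: Accepted password for student from 192.168.89.130 port 54503 ssh2
Feb 20 10:30:00 forwarder sshd[1500]: Accepted publickey for admin from 192.168.89.10 port 41000 ssh2
Feb 20 10:31:00 forwarder CRON[1510]: pam_unix(cron:session): session opened for user root
"""

# sshd does not record the port it listened on in auth.log. The lab's sshd runs
# on the default port, which is what "What port was attacked" in Step 7 refers to.
SSH_DEFAULT_PORT = 22

ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+) port (\d+)")


def parse_auth_log(text):
    """Turn raw auth.log text into a list of sshd authentication events.

    Each event has kind ('invalid', 'failed' or 'accepted'), user, src_ip and
    src_port. Lines that are not sshd authentication messages are skipped.
    """
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"kind": "accepted", "method": m.group(1), "user": m.group(2),
                           "src_ip": m.group(3), "src_port": int(m.group(4))})
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append({"kind": "failed", "user": m.group(1),
                           "src_ip": m.group(2), "src_port": int(m.group(3))})
            continue
        m = INVALID_RE.search(line)
        if m:
            events.append({"kind": "invalid", "user": m.group(1),
                           "src_ip": m.group(2), "src_port": int(m.group(3))})
    return events


def detect_brute_force(events, threshold=3):
    """Walk the events in log order and raise two kinds of alert per source IP:

    - 'brute_force' once an IP reaches `threshold` failed passwords (Step 5's run);
    - 'success_after_failures' when a login is accepted from an IP that already
      crossed the threshold, the pattern Step 6 asks you to find in Splunk.
    Returns (alerts, failures_per_ip, invalid_usernames_per_ip).
    """
    failures = defaultdict(int)
    invalid_users = defaultdict(set)
    alerts = []
    for ev in events:
        ip = ev["src_ip"]
        if ev["kind"] == "invalid":
            invalid_users[ip].add(ev["user"])
        elif ev["kind"] == "failed":
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.append(("brute_force", ip, ev["user"]))
        elif ev["kind"] == "accepted" and failures.get(ip, 0) >= threshold:
            alerts.append(("success_after_failures", ip, ev["user"]))
    return alerts, dict(failures), {ip: sorted(u) for ip, u in invalid_users.items()}


def investigation_summary(events, threshold=3):
    """Answer the Step 7 questions from the first accepted login that followed a
    brute-force run: attacker IP, the attacker's source port that Splunk shows,
    the attacked (destination) port, and the Splunk source and sourcetype."""
    alerts, _, _ = detect_brute_force(events, threshold)
    hits = [a for a in alerts if a[0] == "success_after_failures"]
    if not hits:
        return None
    ip, user = hits[0][1], hits[0][2]
    login = next(e for e in events
                 if e["kind"] == "accepted" and e["src_ip"] == ip and e["user"] == user)
    return {"attacker_ip": ip, "source_port": login["src_port"],
            "attacked_port": SSH_DEFAULT_PORT, "user": user,
            "source": "/var/log/auth.log", "sourcetype": "linux_secure"}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for alert in detect_brute_force(evs)[0]:
        print("ALERT", *alert)
    print(investigation_summary(evs))
```

Splunk's linux_secure sourcetype is doing the same regex extraction for you; the `index=* YourKaliIP` search from Step 4 is the equivalent of filtering these events by src_ip. Counting by source IP rather than by username is what separates a brute-force run from an ordinary mistyped password, and the "accepted after many failures" rule is the one worth turning into a scheduled alert, since a success is the event that needs an analyst to act.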
Step 7: Answer a few questions based on the scenario we saw.
Good job, now we have successfully completed this lab. From the screenshot of our detection, we need some important details to use for our investigation as Security Analysts.
Answer the following questions based on your screenshots (below are my answers; you should get yours):
a) What is the attacker IP detected by Splunk: 192.168.89.130
b) Based on your screenshot, what port did Splunk detect: 54494
c) What port was attacked (default ssh port): 4270
d) What is the source type: linux_secure
e) What is the log source: /var/log/auth.log
Congratulations on finishing your investigation.
Things to Explore:
You are welcome to explore beyond the mandatory requirements if you wish.
General submission requirements
Include an opening comment with your full name, date, and a short description.
Marks distribution:
a) 15 Screenshots each 1 mark = 30 marks
b) Video Demonstration = 5 marks
Do not alter the sequence of steps of this document. Do not delete the words [Attach the screenshot] anywhere from the assignment. Keep the numbering the same. Paste the screenshots wherever asked; do not use the professor's screenshots from the lab manual. They are for your reference only, and using them would be considered an academic integrity breach. You should not even be submitting another student's screenshot: Academic Integrity alert.
Submit a video recording (sharing your screen) briefly explaining the steps taken to perform the lab and showing each of the VMs running. Execute the commands in your VMs to show the domain and network configuration. If a video recording meeting the above requirements is not submitted, you will be eligible for marks out of only 60% of the Lab 4 marks.