SEC320-Project-F23
School: Seneca College
Course: 320
Subject: Information Systems
Date: Dec 6, 2023
Type: pptx
Pages: 15
Uploaded by AmbassadorUniverseWasp29
Incident Response Project
Overview:
In this project the students will conduct an attack and perform incident response activities to detect and analyze the attack.
Requirements:
1. Kali Linux VM (Attacker)
2. Windows 10 VM (Victim)
3. OSSIM VM
Activities
Step 1: Preparing the lab environment
1. Create two virtual machines, a Windows 10 VM and a Kali Linux VM, and ensure that they can ping each other.
2. Install XAMPP on the Windows 10 VM. Ensure that the web server and MySQL server can be started and are working properly.
3. Inside the Windows 10 VM, install Damn Vulnerable Web Application (DVWA). Ensure that DVWA is up and running.
   For detailed instructions visit: https://github.com/ethicalhack3r/DVWA
   Video of installation: https://youtu.be/cak2lQvBRAo
4. Disable the firewall on the Windows 10 VM so that the attack in the next step returns more results.
Step 2: Attack
Using the built-in tools in Kali Linux (e.g. Nmap, OpenVAS), perform any attack on the DVWA.
Step 3: Monitoring and Detection
Install and configure the OSSIM VM to monitor the victim machine (Windows 10 VM).
• It can be combined with Wireshark monitoring
OR
Use only Wireshark to monitor the Internet traffic into the Victim's machine (receive a 50% deduction in this step).
Step 4: Countermeasures
Provide a list of controls and countermeasures to mitigate the discovered vulnerabilities.
Submission
Prepare and submit the report according to the submission standard.
Final Project Information
Key Details of the Final Project
1. Introduction
2. Students will use their own VMware environment (groups of 3 to 4 students)
3. Use their Kali workstations to launch attacks on the victim machine
4. Capture the traffic and evidence on the Kali (e.g., Wireshark) and OSSIM machines
5. Submit a Final Report with the details of the attack as per the enclosed Project Template.
Final Project Information
Objective:
Launch attacks against the Victim VM (Windows 10 VM)
Discover/Identify attacks
Part 1:
1. Start your topology and verify the hostname and IP addresses of your machines.
2. Log in to the Kali machine and test the tools you intend to use.
3. Check the Attacker's VM
4. Ping the Victim's VM
(Take screenshots for your proposal)
5. Attacking workstation reconfiguration: change IP, fake IP, etc.
6. Launch a total of 8 attacks from the list provided at the end.
7. List the steps followed for each attack, including the script and the output, using screenshots.
Final Project Information
Collect evidence (e.g., logs, pcap, etc.) of the attack and explain it.
Create an Indicator of Attack / Compromise table.
List the methodology of the attack using a flowchart.
Write a professional report (launched/identified attacks) based on the submitted evidence.
Complete the summary attack table.
Identify attacks.
Collect evidence using screenshots.
Submit: evidence (detection and attacks) and attack names.
Summary attack table (columns):
Attack Name | Detected or Launched (formula) | Indicator 1 | Indicator 2 | Indicator 3 | Indicator 4 | Possible tool
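The columns of the summary attack table are exactly what a detection script can fill in from a capture taken on the victim side. The following is an added example for the monitoring step, not part of the course material or of any OSSIM or Wireshark tool: a small Python detector that takes packet records of the kind `tshark -T fields` exports (relative time, addresses, ports, TCP flags), classifies each scanner's first packet per flow by its flag pattern, and emits one table row per scan type it finds. It goes a little beyond a single scan and covers the List A TCP scans that are told apart by flags alone (SYN, FIN, NULL, XMAS). The addresses, the open ports, the thresholds (10 distinct ports within 10 seconds) and the capture itself are constructed assumptions, not data from a real lab.

```python
"""Scan indicators for the summary attack table (added example, not course material).

Input: packet records of the kind tshark exports with -T fields (frame time, ip.src,
ip.dst, tcp.srcport, tcp.dstport, tcp.flags). Every address, port and record below
is constructed sample data, not a real capture.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# flag pattern on the first packet of a flow -> List A attack name
SIGNATURES = {SYN: "TCP Port: SYN Scan", FIN: "TCP Port: FIN Scan",
              0: "TCP Port: NULL", FIN | PSH | URG: "TCP Port: XMAS"}
MIN_PORTS, WINDOW = 10, 10.0   # assumed thresholds: distinct ports within seconds


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since start of capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: int    # tcp.flags bitmask


def flag_names(flags):
    bits = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))
    return "+".join(n for n, b in bits if flags & b) or "none"


def detect_scans(packets, min_ports=MIN_PORTS, window=WINDOW):
    """One summary-attack-table row per (scanner, target, scan type) that probes
    at least `min_ports` distinct ports within `window` seconds."""
    packets = sorted(packets, key=lambda p: p.t)
    probes, flows = defaultdict(list), set()
    for p in packets:                      # only the first packet of a flow classifies it
        flow = (p.src, p.dst, p.sport, p.dport)
        if flow not in flows and p.flags in SIGNATURES:
            probes[(p.src, p.dst, p.flags)].append((p.t, p.dport))
        flows.add(flow)
    rows = []
    for (src, dst, flags), hits in probes.items():
        cnt, j, best = Counter(), 0, (0, 0, 0)   # sliding window: most distinct ports
        for i, (t, port) in enumerate(hits):
            cnt[port] += 1
            while t - hits[j][0] > window:
                cnt[hits[j][1]] -= 1
                cnt += Counter()               # Counter arithmetic drops zero counts
                j += 1
            if len(cnt) > best[0]:
                best = (len(cnt), j, i)
        n, j, i = best
        if n < min_ports:
            continue
        t0, t1 = hits[j][0], hits[i][0] + 1.0  # one second of grace for replies
        back = [p for p in packets if p.src == dst and p.dst == src and t0 <= p.t <= t1]
        closed = sum(1 for p in back if p.flags & RST)
        opened = {p.sport for p in back if p.flags & SYN and p.flags & ACK}
        done = sum(1 for p in packets if p.src == src and p.dst == dst and t0 <= p.t <= t1
                   and p.dport in opened and p.flags == ACK)
        if flags == SYN:   # half-open probes: SYN+ACK answered with RST, never with ACK
            ind4 = f"{len(opened)} SYN+ACK replies but {done} handshakes completed (half-open probes)"
        else:              # stealth scans: open ports stay silent, closed ports answer RST+ACK
            ind4 = "open ports silent, closed ports answer RST+ACK (stealth-scan pattern)"
        rows.append({
            "Attack Name": SIGNATURES[flags],
            "Detected or Launched": "Detected",
            "Indicator 1": f"{n} distinct ports on {dst} probed from {src} in {hits[i][0] - t0:.1f}s",
            "Indicator 2": f"first packet of each flow carries flags {flag_names(flags)}",
            "Indicator 3": f"{closed} RST+ACK replies from {dst}",
            "Indicator 4": ind4,
            "Possible tool": "nmap / hping",
        })
    return rows


ATTACKER, VICTIM, CLIENT = "192.168.56.101", "192.168.56.102", "192.168.56.1"  # constructed
OPEN_PORTS = {80, 3306}   # XAMPP Apache and MySQL on the victim (constructed)


def build_sample():
    """Constructed capture: one benign web session, then a SYN scan and an XMAS scan."""
    pk = [Packet(0.00, CLIENT, VICTIM, 50000, 80, SYN), Packet(0.01, VICTIM, CLIENT, 80, 50000, SYN | ACK),
          Packet(0.02, CLIENT, VICTIM, 50000, 80, ACK), Packet(0.03, CLIENT, VICTIM, 50000, 80, PSH | ACK)]
    for i, port in enumerate(range(75, 105)):      # SYN scan of 30 ports starting at t=10s
        t = 10.0 + i * 0.05
        pk.append(Packet(t, ATTACKER, VICTIM, 40000, port, SYN))
        if port in OPEN_PORTS:                     # open: SYN+ACK, scanner tears down with RST
            pk += [Packet(t + .001, VICTIM, ATTACKER, port, 40000, SYN | ACK),
                   Packet(t + .002, ATTACKER, VICTIM, 40000, port, RST)]
        else:                                      # closed: RST+ACK
            pk.append(Packet(t + .001, VICTIM, ATTACKER, port, 40000, RST | ACK))
    for i, port in enumerate(range(75, 95)):       # XMAS scan of 20 ports starting at t=30s
        t = 30.0 + i * 0.05
        pk.append(Packet(t, ATTACKER, VICTIM, 40001, port, FIN | PSH | URG))
        if port not in OPEN_PORTS:                 # open ports give no reply at all
            pk.append(Packet(t + .001, VICTIM, ATTACKER, port, 40001, RST | ACK))
    return pk


if __name__ == "__main__":
    for row in detect_scans(build_sample()):
        print(" | ".join(f"{k}: {v}" for k, v in row.items()))
```

Each row states the four indicators the table asks for in terms a reviewer can check against the pcap: how many ports were touched and how fast, which flag pattern opened every flow, how many RST+ACK replies the victim sent, and (for the SYN case) that the scanner never completed a handshake, which is what separates a half-open scan from ordinary connection attempts. The benign session in the sample produces no row because it touches a single port and finishes its handshake.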
Tools
hping
nmap
netcat
python
Fragroute
Concealing an attack
IP Fragmentation
Metasploit
Wireshark/tcpdump/tshark
snortspoof.pl
...
Any other tool
List A: Attacks
I. TCP Port: SYN Scan
II. TCP Port: FIN Scan
III. TCP Port: TCP connect
IV. TCP Port: XMAS
V. TCP Port: NULL
VI. TCP Port: ACK
VII. TCP Port: Idle scan
VIII. UDP Port Scan
IX. Active OS Fingerprinting
X. Nmap ICMP Ping
XI. (D)DoS: SYN Floods
List B: Attacks
I. Source routing
II. DHCP Spoofing
III. DNS Spoofing
IV. IP Spoofing
V. Windows Messenger Pop-Up Spam
VI. PGPNet connection
VII. Linux Shellcode
VIII. DNS Cache-Poisoning
IX. WEB-PHP Setup.php
X. Arp-scan
XI. Password cracking (brute force)
XII. Slammer Worm
Marking schema
To pass (D)
Topology is up and running
Executed at least 2 correct attacks [explained + evidence]
Reported detected at least 2 correct attacks [explained, identified + evidence, screenshots of network traffic]
Professional report (figures/captions, page numbers, table of contents, summary attack table, etc.)
If you use only Wireshark, 50% of the monitoring step is deducted
Marking schema
C
Topology is up and running
Reported executed 4 attacks [explained + evidence, screenshots of network traffic]
Reported detected all except 2 attacks [explained, identified + evidence, screenshots of network traffic]
Professional report (figures/captions, page numbers, table of contents, summary attack table, etc.)
C+
Hide your tracks
Environment configured correctly
If you use only Wireshark, 50% of the monitoring step is deducted
Marking schema
B/B+
Topology is up and running
Executed at least 6 correct attacks [explained + evidence]
Reported detected all except 6 attacks [explained, identified + evidence, screenshots of network traffic]
Professional report (figures/captions, page numbers, table of contents, summary attack table, etc.)
Hide your tracks
Environment configured correctly
If you use only Wireshark, 50% of the monitoring step is deducted
Marking schema
A/A+
Topology is up and running
Executed all 8 correct attacks [explained + evidence]
Reported detected 8 attacks [explained, identified + evidence, screenshots of network traffic]
Professional report (figures/captions, page numbers, table of contents, summary attack table, etc.)
Hide your tracks
Environment configured correctly
If you use only Wireshark, 50% of the monitoring step is deducted
Marking schema
F
Summary attack tables are not correct/improper
The report is not professional and is missing many parts of the report for at least 2 attacks.