Grey Hat Group

Brain - Kali

Team 7

— Brian (Kali) —

Kali

• changed passwd
• nmap -sP to find systems / check if they are up
• nmap —top-ports 100 to see how we are doing at closing ports
• X forwarded through putty using xming (windows sucks)
• firefox to look at website from outside
• firefox to look at nessus
• started to install nagios, wrote it off as too much work
• installed nessus
• ran nessus scans about lunch time both days
• curl to verify that website was still up
• iptables to block all incoming except ssh
• checked vulns found by nessus scans, verified they were fixed if possible (xp EOL lol)
• checked (kali) users / ports for unauthorized access

Web:

• set up user accounts
• locked unnecessary accounts
• checked listening ports and logins
• checked required services
• iptables rules to block all other ports
• iptables rules to limit traffic from any one ip

Email:

• set up user accounts
• locked unnecessary accounts (oops, don’t lock mail users)
• checked listening ports and logins
• checked required services
• iptables rules to block all other ports
• iptables rules to limit traffic from any one ip

Vyatta:

• tried to set up user accounts, failed
• changed default user password
• identified services
• not permitted to do any firewall rules due to ROE (lame)
• kicked red team
• shut down telnet
• identified suspicious traffic to web interface
• shut down web interface
• reconfigured lighttpd to listen only on internal interface
• restarted web interface (shut it off later as it was still being attacked)

Workstation:

• turn on windows firewall (ensuring rdp was open, because virtualfail)
• install malwarebytes and scan (52 evil things found, and removed)
• windows update (security updates only)

Injects:

• Suggested “local chat” client options
• Set up bahamut ircd on email server
• Set up honeypot (artillery on ubuntu server) in virtualbox inside workstation vm (horrible)

What I didn’t (hindsight and all that):

• script scans of inside and outside network to find new hosts
• check for ssh keys (DOH!)
• script log watchers to find intrusions
• install tripwire (or something) to help find intrusions
• find a difinitive way to determine if backdoors exist (they used callbacks, not listeners)
• script config file watchers to find intrusions
• massive packet monitoring to find intrusions (red team suggests this)
• find a way to really lock down windows xp
• script monitoring of services (like nagios, but without the overhead)