Grey Hat Group
Article Updated: 3/8/2022
Brian - Kali
Team 7
— Brian (Kali) —
Kali
- changed passwd
- nmap -sP to find systems / check if they are up
- nmap --top-ports 100 to see how we are doing at closing ports
- X forwarded through putty using xming (windows sucks)
- firefox to look at website from outside
- firefox to look at nessus
- started to install nagios, wrote it off as too much work
- installed nessus
- ran nessus scans about lunch time both days
- curl to verify that website was still up
- iptables to block all incoming except ssh
- checked vulns found by nessus scans, verified they were fixed if possible (xp EOL lol)
- checked (kali) users / ports for unauthorized access
Web:
- set up user accounts
- locked unnecessary accounts
- checked listening ports and logins
- checked required services
- iptables rules to block all other ports
- iptables rules to limit traffic from any one ip
Email:
- set up user accounts
- locked unnecessary accounts (oops, don’t lock mail users)
- checked listening ports and logins
- checked required services
- iptables rules to block all other ports
- iptables rules to limit traffic from any one ip
Vyatta:
- tried to set up user accounts, failed
- changed default user password
- identified services
- not permitted to do any firewall rules due to ROE (lame)
- kicked red team
- shut down telnet
- identified suspicious traffic to web interface
- shut down web interface
- reconfigured lighttpd to listen only on internal interface
- restarted web interface (shut it off later as it was still being attacked)
Workstation:
- turn on windows firewall (ensuring rdp was open, because virtualfail)
- install malwarebytes and scan (52 evil things found, and removed)
- windows update (security updates only)
Injects:
- Suggested “local chat” client options
- Set up bahamut ircd on email server
- Set up honeypot (artillery on ubuntu server) in virtualbox inside workstation vm (horrible)
What I didn’t (hindsight and all that):
- script scans of inside and outside network to find new hosts
- check for ssh keys (DOH!)
- script log watchers to find intrusions
- install tripwire (or something) to help find intrusions
- find a definitive way to determine if backdoors exist (they used callbacks, not listeners)
- script config file watchers to find intrusions
- massive packet monitoring to find intrusions (red team suggests this)
- find a way to really lock down windows xp
- script monitoring of services (like nagios, but without the overhead)
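One way to cover the "script scans of inside and outside network to find new hosts" item above, as an added example that is not Brian's or the group's code: it parses two runs of nmap's greppable output (`nmap -sP -oG -`), keeps the hosts reported as Up, and reports any host that appeared or vanished since the baseline. The two scan outputs embedded below are constructed samples, not real scan data.

```python
import re
import sys
from typing import Dict, List, Tuple

# Matches the per-host lines of nmap greppable output (-oG), for example:
#   Host: 10.0.0.5 (web.lab)<TAB>Status: Up
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_greppable(text: str) -> Dict[str, str]:
    """Return {ip: hostname} for every host nmap reported as Up."""
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts[m.group(1)] = m.group(2)
    return hosts


def diff_hosts(baseline: Dict[str, str], current: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Hosts that appeared since the baseline, and hosts that vanished from it."""
    new = sorted(set(current) - set(baseline))
    gone = sorted(set(baseline) - set(current))
    return new, gone


# Constructed sample output of two `nmap -sP -oG -` runs (not real scan data).
BASELINE_SCAN = """\
# Nmap 7.91 scan initiated
Host: 10.0.0.1 (gw.lab)\tStatus: Up
Host: 10.0.0.5 (web.lab)\tStatus: Up
Host: 10.0.0.6 (mail.lab)\tStatus: Up
# Nmap done
"""
LATER_SCAN = """\
# Nmap 7.91 scan initiated
Host: 10.0.0.1 (gw.lab)\tStatus: Up
Host: 10.0.0.5 (web.lab)\tStatus: Up
Host: 10.0.0.9 ()\tStatus: Up
# Nmap done
"""


def report(baseline_text: str, current_text: str) -> List[str]:
    """Human-readable lines: unknown hosts are the ones worth looking at first."""
    base, cur = parse_greppable(baseline_text), parse_greppable(current_text)
    new, gone = diff_hosts(base, cur)
    lines = [f"NEW HOST: {ip} {cur[ip] or '(no name)'}" for ip in new]
    lines += [f"HOST DOWN: {ip} {base[ip] or '(no name)'}" for ip in gone]
    return lines


if __name__ == "__main__":
    # Usage: nmap -sP -oG - 10.0.0.0/24 > now.gnmap; python3 hostdiff.py baseline.gnmap now.gnmap
    if len(sys.argv) == 3:
        base_txt, cur_txt = (open(p).read() for p in sys.argv[1:3])
    else:
        base_txt, cur_txt = BASELINE_SCAN, LATER_SCAN
    for line in report(base_txt, cur_txt):
        print(line)
```

Run it from cron against a saved baseline and a fresh scan of each side of the Vyatta box; a NEW HOST line with no name is the kind of thing to check before the next scoring round.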