
01/01/2021

Network Security Project

NAME:
THEORETICAL STUDY

1 - Introduction:
IT security is an umbrella term that applies to networks, the Internet, endpoints,
APIs, the cloud, applications, container security and more. It is about establishing
a set of security policies that work together to help you protect your digital data.
Not so long ago, IT security was only checked at the end of a development cycle.
The process was slow. Now companies are looking for ways to create an
integrated security program that they can adapt more easily and quickly, so that
security is built in at the design stage instead of being added later.

2 - What is computer security:

IT security protects the integrity of information
technology such as computer systems, networks
and data from attack, damage or unauthorized
access. To remain competitive in the context of
digital transformation, companies need to
understand how to adopt security solutions that
are built in at the design stage. The term "shift
security left" is used. In other words, it is
important to ensure that security is integrated
into the infrastructure and the product life cycle
as early as possible. In this way, it will be both
proactive and reactive.
Continuous security relies on a regular system of feedback and adaptation, which is
usually managed by means of automated checkpoints. Thanks to automation, feedback
is fast and efficient. It does not slow down the product life cycle. This method of security
integration allows you to implement updates and incident responses quickly and
comprehensively in a constantly changing environment.
3 - Strengthen the security of Information systems:

Digital transformation often puts IT departments
in a difficult position. Your business must reduce
costs and innovate to remain competitive, but it
must also keep up with changing security and
regulatory compliance requirements in an
increasingly distributed and complex technology
environment. To achieve this, you need to adopt a
security program that includes a continuous
monitoring function. This will ensure that you are
always aware of all ongoing activities. You also
need a clearly defined plan to respond calmly and
effectively to the unexpected.
Continuous security must be based on an
automated remediation system to ensure that problems are resolved quickly. When
security is integrated upstream and automated at every stage of the process, you have
security audit logs for changes that have been made in a way that balances business
objectives and risk management. Adopt new technologies more thoughtfully and use
security specialists to integrate them into your existing business structure in the easiest
and most effective way possible.

4 - Why network security:

Today, most organizations rely heavily on computer networks to share information
efficiently and productively within the defined network. Today, organizational computer
networks are very large, assuming that each staff member has a dedicated workstation.
A large company would have thousands of workstations and servers on the network.
It is likely that these workstations are not centrally managed or have appropriate
protection settings. Organizations may have a variety of operating systems, hardware,
software and protocols with different levels of cyber awareness among users.
Imagine that thousands of workstations on corporate networks are directly connected
to the Internet. This kind of unsecured network, which holds sensitive information and
valuable data, becomes the target of attacks. Network security helps solve these
problems.

5 - What is network security:

Network security consists of policies and practices adopted to prevent and monitor
unauthorized access, tampering or denial of access to a computer network and network
resources.
The authorization of access to data in a network is handled by network security, which is
controlled by the network administrator or network security engineer.
Network security also covers transactions and communications between companies,
government agencies and individuals. Networks can be private, such as within a
company, or open to public access, and security is involved in both cases.
It secures the network, and it protects and monitors the operations carried out on it.

Here are some of the different types of network security:

- Firewalls
- Email security
- Antivirus / Antimalware
- Network segmentation
- Access control
- Application security
- Data loss prevention
- Intrusion detection and prevention
- Wireless security
- Web security
- VPN
6 - Attacks, Services and Mechanisms:

- Attack: any action that compromises the security of information.

- Security mechanism: a mechanism that is designed to detect, prevent and
combat a security attack.

- Security service: a service that increases the security of the processing and
exchange of data in a system. A security service uses one or more security
mechanisms.
7 - Aims of the attacks:

- Disruption: targets the availability of information

- Interception: targets the confidentiality of information

- Modification: targets the integrity of information

- Fabrication: targets the authenticity of information

PRACTICAL STUDY

1 - Setup the environment

Diagram of network:
VirtualBox:

VirtualBox Network Configuration:


Part 1: Network Setup

Task 1: Server setup

Setting the IP address:

Installing apache2 and configuring a default web page:

sudo apt-get install apache2
sudo service apache2 stop
# Writing the page requires root, since /var/www/html is not writable by a normal user
cat <<EOF > /var/www/html/index.html
<!DOCTYPE html>
<html>
<head>
<title>Hello World!</title>
</head>
<body>
<h1>Hello World!</h1>
</body>
</html>
EOF

Task 2: Attacker VM

Setting the IP address:

Installing the DDoS tool GoldenEye:

git clone https://github.com/jseidl/GoldenEye.git
cd GoldenEye
./goldeneye.py
Task 3: Client

Setting the IP address:

Adding the IP of the webserver to the hosts file:


Part 2: Performing an active attack (HTTP GET flood DDoS attack)

Introduction:
GoldenEye is a free and open-source tool available on GitHub with which we can perform
a denial-of-service attack. The tool allows a single machine to take down another machine's
web server using perfectly legitimate HTTP traffic: it makes a full TCP connection and then
requires only a few hundred requests at long-term, regular intervals. As a result, the tool
does not need to generate a lot of traffic to exhaust the available connections on a server.

Uses of GoldenEye:

- GoldenEye uses perfectly legitimate HTTP traffic.
- A denial-of-service attack can be executed with GoldenEye by generating heavy
traffic, as a botnet would.
- GoldenEye sends many requests to the target and as a result generates heavy traffic.
- GoldenEye is an open-source tool, so you can download it from GitHub free of charge.
- GoldenEye can be used to perform DDoS attacks against any webserver.

Options:

Scenario:

python3 goldeneye.py http://webserver -n -d

Logs on the server side:

tail -f /var/log/apache2/access.log

As we can see in the screenshot below, the attacker is sending GET requests to our
webserver, targeting random paths and using random User-Agents.
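As an added example (not part of the original report, and not code from GoldenEye or Apache), the following Python script shows how a defender could detect the pattern just described in access.log: one source sending many GET requests in a short window while rotating paths and User-Agents. The sample log lines are constructed inline in the Apache combined format; the thresholds (20 requests in 10 seconds, at least 3 distinct User-Agents) and the IP addresses of the client and attacker are assumptions to be tuned for a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, the default for access.log on Debian/Ubuntu.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_flood_sources(lines, window_seconds=10, max_requests=20, min_agents=3):
    """Flag every source IP that sends at least max_requests within some
    window_seconds span *and* rotates through at least min_agents User-Agents.
    A legitimate browser keeps one User-Agent, so the second condition keeps a
    busy but honest client from being flagged.
    Returns {ip: {"peak_requests": n, "paths": p, "agents": a}}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        # Sliding window: largest number of requests inside any window_seconds span.
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        agents = {r["agent"] for r in recs}
        paths = {r["path"] for r in recs}
        if peak >= max_requests and len(agents) >= min_agents:
            flagged[ip] = {"peak_requests": peak,
                           "paths": len(paths),
                           "agents": len(agents)}
    return flagged


def sample_log():
    """Constructed sample (not real captured traffic): one client browsing normally
    and one host replaying a GET flood with randomised query strings and rotating
    User-Agents, the pattern observed in the report's access.log."""
    base = datetime(2021, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 239 "-" "{agent}"'
    agents = [
        "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0",
        "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/87.0",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15",
        "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.18",
    ]
    lines = []
    for i in range(3):  # legitimate client: one page every 4 s, always the same browser
        t = base + timedelta(seconds=4 * i)
        lines.append(fmt.format(ip="192.168.1.26", ts=t.strftime(TS_FMT),
                                path="/", agent=agents[0]))
    for i in range(30):  # flood: a request every 300 ms, new path, cycling agents
        t = base + timedelta(milliseconds=300 * i)
        lines.append(fmt.format(ip="192.168.1.53", ts=t.strftime(TS_FMT),
                                path=f"/?{i:04x}=abc", agent=agents[i % len(agents)]))
    return lines


if __name__ == "__main__":
    for ip, stats in find_flood_sources(sample_log()).items():
        print(f"{ip}: {stats['peak_requests']} requests in 10 s, "
              f"{stats['paths']} distinct paths, {stats['agents']} distinct User-Agents")
```

On a live server the same function can be fed the lines coming out of `tail -f /var/log/apache2/access.log`; the sliding window matters because GoldenEye keeps the rate modest, so a plain per-minute count can miss it while a burst of distinct paths and agents from one address does not.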

Client side:
The connection is a bit slow, but the client can still access the webserver.
The screenshot below shows the delay increasing until we cannot reach the
webserver anymore.

Part 3: Wireshark
Installing Wireshark and adding the user to the wireshark group:

apt install wireshark
usermod -aG wireshark user


Client – Server Traffic:
We can see in the image the requests between the client 192.168.1.26 and the
webserver 192.168.1.2

Attacker – Server Traffic:

The red line is the request from the attacker 192.168.1.53 sent to the webserver
192.168.1.2
Part 4: Firewall

List of commands used in this part:

# Installing ulogd2 so we can redirect dropped traffic to logs
sudo apt-get -y install ulogd2

# Show the existing rules in iptables
iptables -L -v -n --line-numbers

# Flushing the existing rules if needed
iptables -F

# Block port http 80 from the attacker - the packets are first sent to NFLOG (ulogd2) for logging
iptables -A INPUT -s 192.168.1.53 -p tcp --dport 80 -j NFLOG --nflog-prefix 'HTTP Block'
# Dropping the HTTP traffic
iptables -A INPUT -s 192.168.1.53 -p tcp --destination-port 80 -j DROP

# Block port ssh 22 from the attacker - same NFLOG (ulogd2) logging
iptables -A INPUT -s 192.168.1.53 -p tcp --destination-port 22 -j NFLOG --nflog-prefix 'SSH Block'
# Dropping the SSH traffic
iptables -A INPUT -s 192.168.1.53 -p tcp --destination-port 22 -j DROP

# Block telnet and ftp ports
iptables -A INPUT -p tcp -s 192.168.1.53 --match multiport --dports 21,23 -j NFLOG --nflog-prefix 'FTP and Telnet Block'
iptables -A INPUT -p tcp -s 192.168.1.53 --match multiport --dports 21,23 -j DROP

# Reading the log
tail -f /var/log/ulog/syslogemu.log

Creating Rules:
Now we trigger these rules from the attacker side.

FTP Logs:

HTTP Logs:

SSH Logs:
Attacker Side:

We cannot connect anymore via SSH, FTP or HTTP (the DDoS tool crashes).
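The log that `tail -f /var/log/ulog/syslogemu.log` shows can also be summarised per source host and per service. The Python snippet below is an added example, not part of the report and not code from ulogd2 or iptables. The sample lines are constructed here in the key=value layout that the netfilter LOG target and ulogd2's LOGEMU output share; the exact timestamp and prefix spacing of a given ulogd2 version is an assumption, so the parser only depends on the `KEY=VALUE` tokens that follow the `--nflog-prefix` text.

```python
import re
from collections import defaultdict

# Constructed sample in the key=value layout used by the netfilter LOG target and
# ulogd2's LOGEMU plugin. Not copied from the report's own screenshots.
SAMPLE_ULOG = """\
Jan  1 10:05:01 webserver HTTP Block  IN=enp0s3 OUT= SRC=192.168.1.53 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 SYN URGP=0
Jan  1 10:05:01 webserver HTTP Block  IN=enp0s3 OUT= SRC=192.168.1.53 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=64240 SYN URGP=0
Jan  1 10:05:02 webserver SSH Block  IN=enp0s3 OUT= SRC=192.168.1.53 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=64240 SYN URGP=0
Jan  1 10:05:03 webserver FTP and Telnet Block  IN=enp0s3 OUT= SRC=192.168.1.53 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1004 DF PROTO=TCP SPT=40004 DPT=21 WINDOW=64240 SYN URGP=0
Jan  1 10:05:03 webserver FTP and Telnet Block  IN=enp0s3 OUT= SRC=192.168.1.53 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1005 DF PROTO=TCP SPT=40005 DPT=23 WINDOW=64240 SYN URGP=0
"""

# "<syslog timestamp> <host> <nflog prefix>  IN=... " ; the prefix is free text,
# so it is matched non-greedily up to the first IN= token.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prefix>.*?)\s+(?P<packet>IN=.*)$'
)

# Destination ports blocked by the rules in this part, mapped to a service name.
SERVICES = {"80": "http", "22": "ssh", "21": "ftp", "23": "telnet"}


def parse_ulog_line(line):
    """Split one line into timestamp, host, the --nflog-prefix text and the packet
    fields. Tokens of the form KEY=VALUE go into 'fields'; bare tokens such as DF
    or SYN are IP/TCP flags and go into 'flags'. Returns None for other lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("packet").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            flags.add(key)
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix").strip(), "fields": fields, "flags": flags}


def summarize_blocks(text):
    """Count logged (and therefore dropped) packets per source IP and per service.
    Unknown ports are reported as proto/port, e.g. 'tcp/8080'.
    Returns {src_ip: {service: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_ulog_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        dport = f.get("DPT", "?")
        service = SERVICES.get(dport, f"{f.get('PROTO', '?').lower()}/{dport}")
        summary[f["SRC"]][service] += 1
    return {src: dict(per_service) for src, per_service in summary.items()}


if __name__ == "__main__":
    for src, per_service in summarize_blocks(SAMPLE_ULOG).items():
        print(src, per_service)
```

Because each NFLOG rule sits directly before its DROP rule, every line in this log is a blocked packet, and a SYN in the flags means the attacker opened a new connection that never completed, which is what the "DDoS tool crashes" observation on the attacker side corresponds to on the server.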
Part 5: IDS

List of commands used in this part:

# Install snort
sudo apt-get install -y snort

# Optional: declare the network that Snort will monitor (echo appends the line; cat would try to open a file of that name)
echo "ipvar HOME_NET 192.168.1.0/24" >> /etc/snort/snort.conf

cat <<EOF > /etc/snort/rules/icmp_detection.conf

# Create a rule to detect ICMP (ping)

# rule_action proto src_addr src_port -> dst_addr dst_port (key:value; ...)  sid: snort rule id, rev: revision number

alert icmp any any -> 192.168.1.2 any ( msg:"ICMP Detected"; priority:1; sid:100001; )

EOF

# Validate the newly created rule
snort -T -i enp0s3 -c /etc/snort/rules/icmp_detection.conf

# Activating the newly created rule
snort -A console -q -i enp0s3 -c /etc/snort/rules/icmp_detection.conf
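To make the rule syntax summarised in the comment above concrete, here is an added Python example (not part of the report and not Snort's own code) that parses Snort 2 rules into their header and option fields and checks a few things that `snort -T` does not report: a missing `msg` or `sid`, a `sid` reused by two rules, and a `sid` below 1,000,000, the range the Snort manual reserves for rules shipped with Snort (local rules are meant to start at 1,000,000). The rules file below is constructed inline; its first rule is the ICMP rule from this section, the other two are deliberately flawed to exercise the checks.

```python
import re

LOCAL_SID_START = 1_000_000  # Snort reserves sids below this for distributed rules

# Snort 2 header: action proto src sport direction dst dport, then "(" options ")".
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def _split_options(body):
    """Split the option body on ';' but not inside double quotes, so that a
    msg:"a; b" stays in one piece."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Parse one rule into header fields plus an 'options' dict.
    Options without a value (e.g. 'nocase') map to True."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in _split_options(m.group("opts")):
        key, sep, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"') if sep else True
    rule["options"] = options
    return rule


def validate_rules(lines):
    """Return a list of (rule_number, problem_code, detail) for a rules file.
    Blank lines and comments are skipped; rule numbers count rules only."""
    problems, seen_sids, n = [], {}, 0
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        n += 1
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            problems.append((n, "syntax", str(exc)))
            continue
        opts = rule["options"]
        if "msg" not in opts:
            problems.append((n, "missing-msg", "rule has no msg; alerts will be hard to read"))
        sid = opts.get("sid")
        if sid is None:
            problems.append((n, "missing-sid", "rule has no sid"))
            continue
        if not sid.isdigit():
            problems.append((n, "bad-sid", f"sid {sid!r} is not numeric"))
        elif int(sid) < LOCAL_SID_START:
            problems.append((n, "local-sid-range",
                             f"sid {sid} is below {LOCAL_SID_START}, the range reserved for rules shipped with Snort"))
        if sid in seen_sids:
            problems.append((n, "duplicate-sid", f"sid {sid} already used by rule {seen_sids[sid]}"))
        else:
            seen_sids[sid] = n
    return problems


ICMP_RULE = 'alert icmp any any -> 192.168.1.2 any ( msg:"ICMP Detected"; priority:1; sid:100001; )'

# Constructed rules file: the section's ICMP rule plus two deliberately flawed rules.
SAMPLE_RULES = [
    "# Create a rule to detect ICMP (ping)",
    ICMP_RULE,
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH to lab host"; sid:100001; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (flow:to_server,established; content:"GET"; nocase;)',
]

if __name__ == "__main__":
    for number, code, detail in validate_rules(SAMPLE_RULES):
        print(f"rule {number}: {code}: {detail}")
```

Run before `snort -T`: Snort will happily load two rules that share a sid, and the duplicate only shows up later when alerts from both rules look identical in the console output.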

Official website of the tool: https://www.snort.org/

Setting up the network interface – Snort:

# See all connected network interfaces
ifconfig

# Find the default route
/sbin/route -n
Setting IP address of the network:

Validate the rule:


Snort Logs ICMP:

The attacker pings the webserver, which triggers this ICMP alert.

Bonus:

Use Snorpy, a great tool to create rules for Snort: http://www.cyb3rs3c.net/

Advanced analysis:

If you want to conduct advanced analysis, Snort saves the captured TCP traffic and its log file in
/var/log/snort

Copy the files to your desktop and change their permissions:

sudo cp /var/log/snort/* ~/Desktop/lab
# chmod on the files themselves, not on the directory (666 on a directory would make it untraversable)
sudo chmod 666 ~/Desktop/lab/*

Use Wireshark to open the tcpdump file:


Conclusion:
This project was a great opportunity to apply what we have learnt so far about
cybersecurity and to understand how attackers conduct their attacks in real-world
scenarios.
