Overview Lab Tools¶
links: SPA TOC - Lab - Index
Lab 1¶
Syslog
- Standard for message logging, allows forward event notifications across networks
- Default port: UDP 514
- Priority: PRI = Facility x 8 + Severity
- There are tools available for sending from Windows Clients
- Configuration for remote write
- Configuration of server to listen correctly, create firewall rules
- Configuration of client to send to correct IP (UDP or TCP), create firewall rules, create rules (e.g. if logs from sshd, save to
/var/log/sshd.log
)
Logrotate
- system utility that manages the automatic rotation and compression of log files
- Use: create config files under
/etc/logrotate.d/
Logwatch
- Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require.
- Use:
logwatch --service syslog-manual --detail High
LogAnalyzer
- This is a web interface to syslog and other network event data. It provides easy browsing, analysis, and reporting of log data, which is often critical for system auditing and troubleshooting.
- Use: download loganalyzer copy to apache directory, run script, add user, restart apache, browse logs on webinterface
Remote systemd-journald
- Configuration for remote write:
- install package
systemd-journal-remote
on client and server - create necessary firewall rules on hosts
- create certificates on client and server (e.g. with certbot)
- server: configure journal-remote system daemon to use correct certificates
- client: create user for daemon with rights to the certificates, configure journal-remote system daemon with
- install package
tcpdump
- Command-line packet analyzer
- lab exercice: install
vsftp
, do ftp login, capture password with tcpdump - Use with capture filter:
tcpdump -i eth0 -w dhcp.pcap port 67 or port 68
nmap
- Nmap is a free network security scanner. Allows network-wide ping sweep, port, OS detection scans
- Use:
nmap -sn 192.168.1.0/24
: ping scan of network (disable port scan)nmap -O -v
: OS detectionnmap -sS --open
: TCP SYN scannmap -sT --open
: TCP connect scannmap -sU --open --top-ports=100
: UDP scannmap -6 -sn
: ipv6 scan
OpenVAS
- OpenVAS (Open Vulnerability Assessment System) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
- Pendant to Nessus but open-source
- Part of the Greenbone Security manager (GSM)
- Use:
- enable systemd service
gsad
,gvmd
,ospd-openvas
(necessary daemons for web interface, scanner, etc.) greenbone-feed-sync
: synchronize the vulnerability data feeds provided by Greenbonegvm-start
: start webserver, connect with browser to given localhost portrunuser -u _gvm -- gvmd --get-get-scanners
: ?
- enable systemd service
Lab 2¶
SNMP
- find open SNMP ports:
nmap -sU --script snmp-brute 192.168.1.0/24 --script-args snmp-brute.communitiesdb=public
- snmpwalk:
snmpwalk -v2c -c public 192.168.1.20
- With snmpwalk, different attributes of the device can be find out (e.g. which routing protocols a router has configured, what MAC/IP pairs the device has cached, ...)
Arpspoof
- Arpspoof is a tool for network auditing and testing. It performs ARP spoofing, which involves sending fake ARP messages to an Ethernet network, generally for the purpose of associating the attacker's MAC address with the IP address of another host (such as the default gateway).
- ip forwarding must be active
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo arpspoof -i eth0 -t 192.168.1.21 -r 192.168.1.40
:- target host is
192.168.1.21
-r
stands for "poisen both hosts (host and target)"192.168.1.40
is the ip to spoof- summary: the attackers host send ARP replies to the host at
192.168.1.21
, making it believe that the attacker's machine is the device with IP192.168.1.40
. The attack is bidirectional, redirecting traffic form both targets to the attacker's machine
- target host is
Arpwatch
- Arpwatch is a network monitoring tool that tracks changes in Ethernet MAC addresses on a network and maintains a database of known MAC to IP address mappings. It is useful for detecting ARP spoofing or unauthorized network changes.
- can send emails based on events of an interface
softflowd
- Softflowd is a flow-based network traffic analyzer and exporter. It tracks network traffic and exports flow data in formats compatible with tools like SiLK and flow-tools, often used for network traffic accounting and monitoring.
- Use: configure softflowd-config to send packages to a specific ip:
options='-v 9 -n 192.168.1.220:2055'
nfcapd/nfdump
- Nfcapd is part of the NFDUMP toolset and is responsible for collecting network flows (like NetFlow data). Nfdump is used to process and analyze the collected flow data, supporting various NetFlow versions.
- Use:
- listen on port
2055
(add firewall rules) - Process Multiple Capture Files:
nfdump -r file1.nfcap -r file2.nfcap
- Filter Flows:
nfdump -r file.nfcap -A src-ip,10.0.0.1
- Top N Packets:
nfdump -r file.nfcap -o "fmt:%sS packets:%pkt" -s pkt
- listen on port
Lab 3¶
nftables
- create stateless and stateful rules
- Exercise Scanners:
- create a ruleset in table:
set SCANNERS { type ..., size ..., flags ... }
- create new stateful rules which jumps to a user defined chain:
ct state invalid,new tcp dport { 21, 23, 25, 80, 443, 587, 993, 995 } jump PSCAN
- chain
PSCAN
: create rule withlimit rate over 60/minute add @SCANNERS { ip saddr } counter log prefix
- create rules in
INPUT
chain:ip saddr @SCANNERS counter drop
- summary: The nftable rules create a dynamic set named
SCANNERS
to identify and block IP addresses exhibiting port scanning behavior on specific TCP and UDP ports. Traffic from these IPs is dropped, and excessive connection attempts to unused ports trigger logging and addition of the source IP to theSCANNERS
set for further mitigation.
- create a ruleset in table:
- Exercise NAT:
- add new ip address:
ip address add 192.168.70.1/24 dev ens224
- enable ip forwarding:
vim /etc/sysctl.conf (Set net.ipv4.ip_forward=1)
- create table:
nft add table ip nat
- create chain:
nft add chain ip nat POSTROUTING { type nat hook postrouting priority 100 \; }
- create rule:
nft add rule ip nat POSTROUTING oifname "ens224" ip saddr 192.168.70.0/24 masquerade
- summary: When packets are sent from the
192.168.70.0/24
network via theens224
interface, themasquerade
action is applied. This implements Source Network Address Translation (SNAT), effectively masking the original IP addresses of the devices in the192.168.70.0/24
network. Instead, these packets appear to originate from the router's IP address,192.168.70.1
.
- add new ip address:
- Exercise Squid
- create rules in mangle table/ PREROUTING chain
tcp sport 80 socket transparent 1 socket wildcard 0 meta mark set 1 counter accept
: mark and accept response packetip saddr 192.168.1.0/24 tcp dport 80 tproxy ip to :3129 meta mark set 1 counter
: redirect matching packets to local Squid port
- create rules in filter table/ INPUT chain
ip saddr 192.168.1.0/24 tcp dport { 80, 3128, 3129 } ct state new counter accept
: allow incoming access to Squid proxy
- create rule in filter table/ OUTPUT chain
- default policy accept
- create rules in mangle table/ PREROUTING chain
- Exercise Firewall forward
- create rules in filter table/ FORWARD chain
ip saddr 192.168.1.0/24 ct state new accept
: allow NEW outgoing connections from our netip daddr 192.168.1.14 udp sport 1024-65535 udp dport 53 ct state new accept
: allow incoming DNS queries over udp to our nameserverip daddr 192.168.1.15 tcp sport 1024-65535 tcp dport { 80, 443 } ct state new counter accept
: allow incoming http connections to our webserver
- create rule in filter table/ OUTPUT chain
- default policy accept
- Summary: The host will forward traffic based on the routing table (e.g. the DNS/Web traffic). It must be configured as "default gateway" by the clients. It cannot be a non-transparent proxy since the destination IP must be on the host for that (and we would not be in the FORWARD chain!).
- create rules in filter table/ FORWARD chain
snort
- Snort is an open-source network intrusion detection system (NIDS) and intrusion prevention system (IPS). It performs real-time traffic analysis and packet logging on IP networks for the detection of network threats and anomalies.
- Use: configure
snort.conf
, set up network variables etc, download and manage snort rules, run snort in test mode to ensure it's correctly configured
suricata
- Suricata is a high-performance Network IDS, IPS, and Network Security Monitoring engine. It is open-source and capable of real-time intrusion detection, inline intrusion prevention, network security monitoring, and offline pcap
- Use: configure
suricata.yaml
, set up network variables etc. download and manage suricata rulsets, run suricata to verify setup
squid
- Squid is a caching and forwarding HTTP web proxy. It has a variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS, and other network lookups for a group of people sharing network resources.
links: SPA TOC - Lab - Index