LEARNING BY PRACTICING
HACK & DETECT
Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics
AUTHOR: NIK ALLEYNE
www.securitynik.com
2018-11-11

"Nik's approach to viewing both the attacker and defender's side of the compromise is an amazing way to correlate the causes and consequences of every action in an attack. This not only helps the reader learn, but is entertaining and will cause readers to flip all around the book to make sure they catch every detail."
TYLER HUDAK, Information Security

"By showing both the offensive and defensive sides of an attack, Nik helps each side better understand how the other operates."
JOE SCHOTTMAN, SANS Advisory Board Member

"Hack and Detect provides a window into a modern day attack from an advanced persistent threat in an easy to follow story format. Nik walks through the cyber kill chain from both an offensive perspective, showing tools and tricks an attacker would leverage, and a defensive perspective, highlighting the breadcrumbs which are left behind. By following along step by step with virtual machines the reader is able to obtain a greater understanding of how the attacks work in the real world and gain valuable insight into defending against them."
DANIEL MCAULEY, Manager, Infrastructure and Technology Group

LEARNING BY PRACTICING
Hack & Detect
Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics

Published by n3Security Inc.
3982 Hazelridge Rd
Mississauga, ON
Canada L5N 674
www.n3security.com
www.securitynik.com

Copyright © 2018 by n3Security Inc., Mississauga, Ontario, Canada. Published in Canada.
ISBN 978-1-7753830-0-0
ISBN 978-1-7753830-1-7 (eBook)
ISBN 9781731254450

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted via written permission from n3security Inc. and/or Nik Alleyne.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. Additionally, this book is solely for learning, practicing and entertainment and thus none of the guidance in this book may be used for any illegal activities. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that internet websites listed in this work may have changed or disappeared between when this work was written and when it is read. Importantly, the author is henceforth absolved of all wrongdoing, whether intentional, unintentional, construed or misunderstood on the part of the reader. It is further assumed that the reader has read this Disclaimer and assumes all responsibility for any repercussions which may result from the information and data contained herein. All trademarks are the property of their respective owners. n3Security Inc. is not associated with any product or vendor mentioned in this book. 
About the Author

Nik Alleyne is currently a Senior Manager, Cybersecurity at a Managed Security Services Provider (MSSP), transitioning between roles. In his most recent role, he was responsible for three teams supporting various security technologies including IDS/IPS, anti-malware tools, proxies, firewalls, SIEM, etc. As the manager of the Cybersecurity team, Nik was responsible for building it from a one-person team to a team of 17. He was also responsible for recruiting, retaining and developing the talent on the teams.

Nik is also a SANS Instructor, teaching both the SEC503: Intrusion Detection In-Depth and SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling courses, while also making the time to actively write on his blog at https://www.securitynik.com. He has also done multiple speaking engagements, such as Toronto's SecTor, SANS @Night, Canada International Cybersecurity Conference, ISC2 Toronto Chapter, The High Technology Crimes Investigation Association (HTCIA) Ottawa Chapter, along with the inaugural SANS Blue Team Summit.

His academic credentials include an MSc Cybersecurity Forensics, BSc Computer Science, along with a PG Cert (Hons) specialization in VoIP and Wireless Broadband. He currently holds (and/or held) a large number of industry certifications including CISSP, (2x) CCNP, GIAC's GCIA, GCIH and GCFA.

Table Of Contents

Introduction
Acknowledgment
The Setup
Reconnaissance
Passive Reconnaissance
Active Reconnaissance
Analysis of Reconnaissance Activity
Analyzing the internet facing server apache logs
Packet Analysis of the internet facing server
Log Analysis of the internet facing server
Additional Packet Analysis of Reconnaissance Activity
Additional Log Analysis of Reconnaissance Activity
Report on First Day's Activities
Weaponization
Packaged and Ready for ….
…
Delivery
…
Exploitation
…
Installation
Analysis of public facing host
Log analysis of internet facing server
Packet Analysis of compromised Linux Server
Implementing Mitigation Measures