College of Technological Innovation
SEC 336: Information Security Technologies Lab
Lab 2 Part a. Web application security
Summer 2020

Outcome: Learn about Web Application Security using WebGoat.

Objectives: the students will complete the following tasks:
1. Install and run WebGoat.
2. Complete the SQL Injection (Introduction) lesson.

Deliverables: One lab report per group that includes the following:
1. A cover page including: Course title, Lab #, Date, Names and IDs…etc.
2. Filled in answer sheets for all parts of the lab.

Task 1: Install WebGoat

Option1: Using Docker on MacOS
1. Download Docker Desktop for MacOS here: https://hub.docker.com/editions/community/docker-ce-desktop-mac
2. Double-click Docker.dmg to open the installer, then drag the Docker icon to the Applications folder.
3. Double-click Docker.app in the Applications folder to start Docker.
4. Open your terminal and run the following command:
   docker run -p 8080:8080 -p 9090:9090 -e TZ=GST webgoat/goatandwolf
5. Stop your internet connection while you are using WebGoat.
6. Open your browser and open the web application using this URL: http://127.0.0.1:8080/WebGoat
7. Please ensure to quit Docker Desktop when you finish your work.

Option2: Using Docker on Windows 10
1. Requirements:
   a. Windows 10 64-bit: Pro, Enterprise, or Education (Build 15063 or later).
   b. Hyper-V and Containers Windows features must be enabled.
   c. BIOS-level hardware virtualization support must be enabled in the BIOS settings.
2. Download Docker Desktop for Windows here: https://hub.docker.com/editions/community/docker-ce-desktop-windows/
3. Double-click on the downloaded file to open the installer.
4. Start the Docker application.
5. Open your terminal and run the following command:
   docker run -p 8080:8080 -p 9090:9090 -e TZ=GST webgoat/goatandwolf
6. Stop your internet connection while you are using WebGoat.
7. Open your browser and open the web application using this URL: http://127.0.0.1:8080/WebGoat
8. Please ensure to quit Docker Desktop when you finish your work.

Option3: Standalone on Windows
Follow the below steps using the Windows host machine:
- Open the following URL: https://www.oracle.com/technetwork/java/javase/downloads/jdk13-downloads-5672538.html
- Accept the License agreement and download jdk-13.0.2_windows-x64_bin.exe, which is the Java SE Development Kit for Windows.
- Run and install the downloaded file. Note where it was installed.
- Open a web browser, go to https://github.com/WebGoat/WebGoat/releases and download the latest release of WebGoat (for example: webgoat-server-8.0.0.M26.jar).
- Copy webgoat-server-8.0.0.M26.jar from the Downloads folder to the following folder: C:\Program Files\Java\jdk-13.0.2\bin
- Open the command prompt from the start menu and navigate to the bin folder using the following command:
  cd C:\Program Files\Java\jdk-13.0.2\bin
- Stop your internet connection while you are using WebGoat.
- Run WebGoat by typing the following command:
  java -Dfile.encoding=UTF-8 -jar webgoat-server-8.0.0.M26.jar [--server.port=8080] [--server.address=localhost]

Start WebGoat
- After running WebGoat in the terminal or command prompt, open a web browser and navigate to http://127.0.0.1:8080/WebGoat/ to start working on WebGoat.
- Register as a new user, remember your login credentials, then use them to log in.
- At the left side you can see the list of lessons that you can complete with WebGoat. Click on Introduction and answer the following question: what is WebGoat?

Task 2: Complete Injection Flaws > SQL Injection (Introduction)
- After logging in to WebGoat, browse the lessons that appear on the left side of the page.
- Expand (A1) Injection and click on SQL Injection (intro) under Injection Flaws.
- Read step 1 and step 2. What is SQL?
- What are the 3 main protection goals in information security?
- At the bottom of the page in step 2, use an SQL query to retrieve the department of the employee Bob Franco.
  Provide a screenshot of the result of your query.
- Proceed to step 3. What is DML?
- In step 3, write a SQL query to change the department of Tobi Barnett to 'Sales'. Provide a screenshot of the result of your query. Which of the protection goals is being compromised and why?
- Proceed to step 4. How can an attacker use SQL Injection of the DDL type?
- In step 4, write a SQL query to modify the schema by adding the column "phone" (varchar(20)) to the table "employees". The SQL query will be as follows. Provide a screenshot of the result of your query.
  ALTER TABLE employees ADD phone varchar(20);
- Proceed to step 5. Write a SQL query to grant the user group "UnauthorizedUser" the right to alter tables. The SQL query will be as follows. Provide a screenshot of the result of your query.
  GRANT ALTER TABLE TO UnauthorizedUser
- Proceed to step 6. What is an SQL Injection? List three examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user.
- In step 6, provide the following input:
- Read through steps 7 and 8.
- Proceed to step 9 and complete the SQL injection exercise by selecting the options from the drop-down menu to produce the below query. Provide a screenshot of the result. Explain why this injection works.
  SELECT * FROM user_data WHERE first_name = 'john' and last_name = '' or '1' = '1'
- Proceed to step 10 and complete the Numeric SQL injection by entering values in the fields to produce the below query. Provide a screenshot of the result.
  SELECT * FROM user_data WHERE Login_Count = 1 and userid = 1 OR 1=1
- Proceed to step 11 and complete the String SQL injection exercise to compromise the confidentiality of data by viewing internal information that you should not have access to. Provide a screenshot showing your input and the result.
- Proceed to step 12 and complete the String SQL injection exercise to compromise the integrity of data by concatenating strings to it.
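Why the step 9 and step 10 queries return every row, and what the fix looks like, as an added example that is not part of the lab or of WebGoat: the vulnerable lookups below build the query by string concatenation exactly as the lesson shows, while the parameterized version binds the same inputs as data. It uses an in-memory SQLite table with constructed sample rows standing in for user_data.

```python
import sqlite3

# Constructed sample rows shaped like the lesson's user_data table (not WebGoat's real data).
SAMPLE_ROWS = [
    (1, "John", "Smith", 1),
    (2, "Joe", "Snow", 3),
    (3, "Jane", "Plane", 0),
]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
                "last_name TEXT, login_count INTEGER)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def string_lookup_vulnerable(con, first_name, last_name):
    # Step 9: the inputs are pasted into the SQL text, so a quote inside last_name
    # closes the literal and the trailing "or '1' = '1'" is true for every row.
    sql = ("SELECT * FROM user_data WHERE first_name = '" + first_name
           + "' and last_name = '" + last_name + "'")
    return con.execute(sql).fetchall()

def numeric_lookup_vulnerable(con, login_count, userid):
    # Step 10: no quotes are involved at all, so "1 OR 1=1" as the userid is enough;
    # escaping quote characters would not have helped here.
    sql = ("SELECT * FROM user_data WHERE login_count = " + str(login_count)
           + " and userid = " + str(userid))
    return con.execute(sql).fetchall()

def lookup_parameterized(con, first_name, last_name):
    # The fix: bound parameters travel separately from the SQL text, so the same
    # inputs are compared as plain values and cannot change the query's structure.
    sql = "SELECT * FROM user_data WHERE first_name = ? and last_name = ?"
    return con.execute(sql, (first_name, last_name)).fetchall()

def demo():
    con = build_db()
    step9_last_name = "' or '1' = '1"   # what the step 9 drop-downs append
    step10_userid = "1 OR 1=1"          # what the step 10 fields produce
    return {
        "step9_vulnerable": len(string_lookup_vulnerable(con, "john", step9_last_name)),
        "step10_vulnerable": len(numeric_lookup_vulnerable(con, 1, step10_userid)),
        "step9_parameterized": len(lookup_parameterized(con, "john", step9_last_name)),
        "legitimate": len(lookup_parameterized(con, "John", "Smith")),
    }
```

Running demo() shows the two vulnerable lookups returning all three rows while the parameterized one returns none for the injected input and exactly one for a real name.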
  For step 12, enter the following values in the text inputs to retrieve the requested information. Provide a screenshot showing your input and the result. Explain why the below injection works and what was the result of it.
  - Employee Name = InsertYourNameHere
  - Authentication TAN = 123'; UPDATE employees SET salary = 100000 WHERE auth_tan = '3SL99A
- Proceed to step 13 and complete the exercise to delete the access_log table to compromise the availability of data. Enter the following values in the text inputs to retrieve the requested information. Provide a screenshot of the result. Explain why the below injection works and what was the result of it.
  - Action_contains = InsertYourNameHere'; DROP table access_log; --

SEC 336: Information Security Technologies Lab
Lab 2 Part b: IDS
Summer 2020

Outcome: Introduction to using Snort as a network intrusion detection system

Objectives: the students will:
- Install Snort
- Run Snort in sniffer mode
- Run Snort in Packet logger mode
- Run Snort as NIDS
- Configure Snort Rules

Deliverables: One lab report per group that includes the following:
- A cover page including: Course title, Lab #, Date, Names and IDs…etc.
- Filled in answer sheets for all parts of the lab.

Install Snort
Snort is an open-source, lightweight, free Network Intrusion Detection System (NIDS) for Linux and Windows to detect emerging threats. It is capable of performing real-time traffic analysis and packet logging on IP networks.

Option1 Using Docker on MacOS
• [Skip this step if Docker Desktop is already installed] Download Docker Desktop for MacOS here: https://hub.docker.com/editions/community/docker-ce-desktop-mac
• [Skip this step if Docker Desktop is already installed] Double-click Docker.dmg to open the installer, then drag the Docker icon to the Applications folder.
• Double-click Docker.app in the Applications folder to start Docker.
• Open your terminal and run the following command:
  docker run -it --rm --net=host --cap-add=NET_ADMIN linton/docker-snort /bin/bash
• Please note that during the lab you should execute the commands that are under the keyword [Docker option].
• Go to Task 1.

Option2 Using Virtual Machine Ubuntu or Kali
Follow the below steps to install Snort on the Kali VM:
- Start the Kali VM and open the terminal.
- Install the Snort package with the below command. During installation, when prompted to enter the address range for your local network, write your Kali VM IP address from step 2 and add /24 at the end to cover the address range, for example: 10.0.2.15/24
  sudo apt-get install snort
- Please note that during the lab you should execute the commands that are under the keyword [VM option].

Task 1
Snort is installed and ready to go! To test it, simply type the below command and provide a screenshot.
  sudo snort -V
- Before configuring Snort, take a look at its help file using the below command:
  sudo snort --help
- From the help file, write down what the following key switches mean:
  - -c
  - -i
  - -v
  - -V
  - -x
  - -?

Task 2: Run Snort in sniffer mode
1. To run Snort in sniffer mode, type:
   sudo snort -vde
- Leave Snort running, minimize the terminal, open a web browser in the Kali VM and navigate to any website. Switch back to the terminal and observe Snort's output.
- What is sniffer mode? Provide a screenshot. Press Ctrl + C to stop.

Task 3: Run Snort in Packet logger mode
- To run Snort in Packet logger mode, start by creating a directory named log by typing the following command:
  mkdir log
- Start Snort in packet logger mode using the below command:
  sudo snort -dev -l log
- [Docker option] Open a second terminal and run the commands:
  docker run -it --rm --net=host --cap-add=NET_ADMIN linton/docker-snort /bin/bash
  ping google.com
- [VM option] Leave Snort running, minimize the terminal, open a web browser in the Kali VM and navigate to any website.
- Switch back to the terminal and press Ctrl + C to stop Snort.
- Execute the below commands to open the log directory and see the log files that Snort has generated. Provide a screenshot.
  cd log
  ls
- What is packet logger mode?

Task 4: Run Snort as NIDS
1. To run Snort as a NIDS, we need to configure Snort to include the configuration file and the rules file. The configuration file sets the different options in Snort. The rules files contain the signatures against which Snort compares all captured traffic; we will be writing some of these signatures in Task 5. If some traffic pattern matches a signature, a Snort "alert" will be fired. The configuration file will be at /etc/snort/snort.conf, and that file will point to the Snort rules. We need to use the -c switch followed by the location of the configuration file. Type the below command to run Snort and press Ctrl + C to stop it:
   [Docker option] snort -c /etc/snort/etc/snort.conf
   [VM option] sudo snort -c /etc/snort/snort.conf
2. Describe what a NIDS is. What does it stand for?
3. Why was the -c switch used?
4. Snort is a signature-based IDS, and it defines rules to detect intrusions. All Snort rules are stored under the /etc/snort/rules directory. To navigate to the rules directory and then view a rule file, type the below commands:
   cd /etc/snort/rules
   ls
   cat local.rules
5. Provide a screenshot.
6. Like nearly every Linux application, Snort is configured using a configuration file that is a simple text file. Change the text in this file, save it, restart the application, and you have a new configuration. Let's open the Snort configuration file. Again, the configuration file is located at /etc/snort/snort.conf.
   sudo vi /etc/snort/snort.conf
7. Why is vi included in the command? What does it do?
8. Before we put Snort into production, let's test our new configuration. We can use the -T switch followed by the configuration file to test our Snort configuration. Provide a screenshot.
   [Docker option] sudo snort -T -c /etc/snort/etc/snort.conf
   [VM option] sudo snort -T -c /etc/snort/snort.conf

Task 5: Configure Snort Rules
1. Open the configuration file again by typing the following command:
   [Docker option] sudo vi /etc/snort/etc/snort.conf
   [VM option] sudo vi /etc/snort/snort.conf
2. In the image below, notice the line in white text for local rules. These are rules that we can add to Snort's rule set in our customized configuration. To keep Snort from using any other rule set, simply comment out the other "include" lines (add # at the beginning of the line) or delete them. Notice that there are many legacy rule sets that are commented out, but can become active simply by removing the # before them. Make sure to comment out or delete all rule includes except the "include $RULE_PATH/local.rules" statement.
3. Before we put Snort into production, let's test our new configuration. We can use the -T switch followed by the configuration file to test our Snort configuration. Provide a screenshot.
   [Docker option] sudo snort -T -c /etc/snort/etc/snort.conf
   [VM option] sudo snort -T -c /etc/snort/snort.conf
4. Snort lets its users write their own rules for generating logs of incoming and outgoing network packets. Users have to follow the Snort rule format, which is shown below.
   Syntax:  Action Protocol Source IP Source Port -> Destination IP Destination Port (options)
   Example: alert ip any any -> any any (msg: "IP Packet detected";)
   - Action: tells Snort what kind of action to perform when it discovers a packet that matches the rule description. There are five default actions in Snort: alert, log, pass, activate, and dynamic. There are additional options such as: drop, reject, and sdrop.
   - Protocol: the specific protocol to which this rule applies.
   - Source IP: describes the sender network interface from which traffic is coming.
   - Source Port: describes the source port from which the traffic is coming.
   - Direction operator ("->", "<>"): denotes the direction of traffic flow between the sender and receiver networks.
   - Destination IP: describes the destination network interface to which traffic is coming to establish a connection.
   - Destination Port: describes the destination port on which traffic is coming to establish a connection.
   - Options field: msg: the msg keyword stands for "Message" and tells Snort that the written argument should be printed in the logs.
5. Follow these steps to create your own custom rules:
   a. Open the local rules:
      sudo vi /etc/snort/rules/local.rules
   b. Type the following rule inside the local.rules file. This rule will generate an alert message for every captured TCP packet sent to port 80.
      alert tcp any any -> any 80 (msg: "Http traffic detected"; sid:10000001; rev:001; )
6. Explain the above rule. What does tcp stand for? What is the source IP address and the source port?
7. You can test the file configuration by executing the following command (make sure to check what your interface name is and write it instead of eth0). Explain the command and the options used in the following command.
   [Docker option]
   • Open a second terminal and run the following command:
     docker run -it --rm --net=host --cap-add=NET_ADMIN linton/docker-snort /bin/bash
   • In the first terminal window, run the command:
     snort -A console -q -c /etc/snort/etc/snort.conf -i eth0
   • In the second terminal window, run the command:
     nc -v www.google.com 80
   [VM option]
   • Open your browser and connect to www.google.com
   • sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
8. Did the rule work? How can you tell? Can you list some examples of the packets detected by Snort? Provide a screenshot of your rule and Snort's output.
9. Open the "local.rules" file by typing the following:
   sudo vi /etc/snort/rules/local.rules
10. Delete the previous rule and add a new rule that detects any systems attempting to ping the 8.8.4.4 server (ICMP packets). List your rule and explain it. What does ICMP stand for? Provide a screenshot of your rule. You can do the following to test your ICMP rule:
   [Docker option]
   • Open one terminal and run the following command:
     docker run -it --rm --net=host --cap-add=NET_ADMIN linton/docker-snort /bin/bash
   • Open a second terminal and run the following command:
     docker run -it --rm --net=host --cap-add=NET_ADMIN linton/docker-snort /bin/bash
   • In the first terminal window, add the icmp rule and run the command:
     snort -A console -q -c /etc/snort/etc/snort.conf -i eth0
   • In the second terminal window, run the command:
     ping 8.8.4.4
   [VM option]
   • Open one terminal from your VM, add the icmp rule and run the command:
     sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
   • Open a second terminal and run the command:
     ping 8.8.4.4
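As an added example (not part of the lab or of Snort itself), a small Python parser for the rule format given in Task 5 step 4, plus a simplified header matcher that checks which constructed packet 5-tuples the lab's HTTP rule and the generic IP example would cover. The matcher understands only "any" and exact values; real Snort also accepts CIDR blocks, lists, negation, port ranges and variables such as $HOME_NET, which are out of scope here.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action protocol src_ip src_port direction dst_ip dst_port options")
# Actions named in Task 5: the five defaults and the three additional ones.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# One option: keyword, optional ":value" (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport dir dst dport (options)' into a Rule."""
    header, sep, body = text.strip().partition("(")
    body = body.strip()
    if not sep or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in ( ... )")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("header needs: action protocol src sport direction dst dport")
    if fields[0] not in ACTIONS:
        raise ValueError(f"unknown action {fields[0]!r}")
    if fields[4] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {fields[4]!r}")
    options, pos, body = {}, 0, body[:-1].strip()
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"bad option syntax near {body[pos:]!r}")
        value = m.group(2)
        options[m.group(1)] = value[1:-1] if value and value.startswith('"') else value
        pos = m.end()
    return Rule(*fields, options)


def _field_ok(rule_value: str, packet_value) -> bool:
    # Simplified: 'any' or an exact match. Real Snort also takes CIDR blocks, lists,
    # negation (!), port ranges and $HOME_NET-style variables; this toy does not.
    return rule_value == "any" or rule_value == str(packet_value)


def header_matches(rule: Rule, proto: str, src: str, sport, dst: str, dport) -> bool:
    """True if a packet with this 5-tuple falls under the rule's header."""
    if rule.protocol != "ip" and rule.protocol != proto:
        return False
    forward = (_field_ok(rule.src_ip, src) and _field_ok(rule.src_port, sport)
               and _field_ok(rule.dst_ip, dst) and _field_ok(rule.dst_port, dport))
    if forward or rule.direction == "->":
        return forward  # '->' is one-way; '<>' also tries the reverse direction
    return (_field_ok(rule.src_ip, dst) and _field_ok(rule.src_port, dport)
            and _field_ok(rule.dst_ip, src) and _field_ok(rule.dst_port, sport))
```

Parsing the step 5 rule yields options {"msg": "Http traffic detected", "sid": "10000001", "rev": "001"}, and the matcher shows that a reply coming back from port 80 does not match a "->" rule, which is why the direction operator matters when you write the ICMP rule for step 10.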