BOOK THIS SPACE FOR AD
ARTICLE ADHello everyone, in this Article I will demonstrate my Siem home lab project. In this project, we will simulate an attack on a website and will analyze the logs in Splunk.
For the tools, here I use my laptop with Windows 10 installed which will be used to host the website and my smartphone which will be used to attack (you can also use a virtual machine to install another OS on your laptop, but because my laptop is not strong enough to run it, so I use two different devices).
Okay, for the tools in windows, I use:
1. XAMPP, as a web server
2. Ngrok, so that localhost can be accessed publicly
3. Splunk, as Siem tool for analyzing logs
4. Mutillidae, a vulnerable website made by OWASP
Meanwhile, the tools on my smartphone are:
1. Termux, as a terminal to run hacking tools
2. FFUF, a tool for brute forcing 3.
I will also use the cyber kill chain framework during both the offense and defense phases.
Okay, let’s get started on the lab!
Please download Mutillidae from the following link:
https://github.com/webpwnized/mutillidae
Extract the file and save it in the C:\xampp\htdocs folder.
Open the XAMPP controller, then run Apache and MySQL.
Then visit the page localhost:80/mutillidae
You can visit the Splunk website to download it and get a 60-day free trial. Please install it according to the instructions provided.
https://www.splunk.com/en_us/download.html
Once installed, we will now monitor the XAMPP log file, so that every time traffic arrives, Splunk will display the entire contents of the log file in real-time.
On the home page, click add data > monitor.
Next, click the files & directories panel. Then select the C:\xampp\apache\logs\access.log file then select continuously monitor.
Then create a new index, here I give the name “soc-lab”. Then click next to finish.
Search with index=”soc-lab”. splunk should display the current data.
You can download Ngrok and configure it via the link below:
https://ngrok.com/download
Once Ngrok is installed, run the following command to start Ngrok:
ngrok.exe http 80
Visit http://localhost:4040 to view the traffic monitoring page.
Next, visit the URL on the traffic monitoring page using a smartphone.
The cyber kill chain is a set of steps that an attacker will go through when conducting a cyber attack. This framework was created by an aerospace company called Lockheed Martin in 2011. The cyber kill chain consists of 7 phases, namely:
ReconnaissanceIn this phase, the attacker will gather information about the target such as collecting employee emails to perform social engineering, port scanning, searching for subdomains, etc.
In this case, we will perform directory brute forcing, which is sending repeated requests using a list of directories to find vulnerable directories. For example, directories containing credentials, admin login pages, etc.
Simply open Termux on your smartphone and run the command:
ffuf -w leaky-paths.txt -u <Ngrok URL> -o dir.txt -mc 200
If you don’t have FFUF installed, please install it here:
The above command will only log URLs with status code 200 into the dir.txt file based on the wordlist in the leaky-paths.txt file. From this, i I managed to get the endpoint:
phpinfo.php
index.php/admin
login.php
index.php?redirect=//evil.com
2. Weaponization
In this phase, the attacker will create or download weapons to exploit the system. The weapon used can be malware, web shell, etc. In this case, we will not install malware but will exploit the Local File Inclusion (LFI) vulnerability to obtain database credentials and then steal the data.
3. Delivery
In this phase, attackers will deliver their weapons such as through phishing emails, exploiting public assets, etc. In this case we will exploit the mutillidae website.
4. Exploitation
In this phase, the weapon that has been delivered will exploit vulnerabilities on the compromised system. For example, by opening malicious Excel files, exploiting web vulnerabilities, etc.
Please click OWASP 2017 panel > injection (other) > command injection > DNS lookup. This page serves to find the IP address of the domain we are looking for. For example, we will look up the IP address of Facebook but at the same time run the “dir” command to display the contents of the directory. So the results are like this:
But when I run the command “cat ../../passwords.txt” to display the credentials, the results do not appear. For that we have to look for other vulnerabilities.
Next I exploited the Local File Inclusion (LFI) vulnerability by giving the value “../../passwords.txt” in the page parameter. So that it displays credentials like the following:
5. Installation
In this phase, the attacker will usually install additional tools, other malware into the system, privilege escalation, maintain persistence, etc. In this case, I demonstrated it by utilizing command injection vulnerability to write into a file (because there is no way I can install malware into my own laptop 😀 ).
For that, I visited the DNS lookup page again and entered the command:
facebook.com & echo “This is not malware” > mal.txt
6. Command And Control
In this phase, the attacker will command and control the system remotely through the infiltrated malware.
7. Actions On Objectives
In this phase, attackers will carry out their goals. For example, stealing data, encrypting data to ask for ransom, destroying the system, etc. Since our goal is to steal data from the database, we can directly visit the /phpmyadmin page and enter the credentials from the passwords.txt file.
We have discussed and practiced the cyber kill chain phases. Now, it’s time for us to eradicate this attack.
Incident response (IR) is a set of steps taken when facing a cyber attack. In this case, we will use the NIST framework. Here are the phases of incident response according to the NIST framework:
PreparationThis phase involves preparing for threats such as installing Siem, configuring Firewall/IDS/IPS, training and preparing personnel, etc. We have already done this by setting up Splunk.
2. Detection
When an attack occurs, the analyst will usually receive an alert from the SIEM. Next, the Analyst must look for indicators of compromise (IOC) as evidence that we are actually under attack. In this case, I again used the cyber kill chain to trace the attacker’s trail.
Every attacker who conducts active reconnaissance on a system will definitely generate a lot of traffic. They will use various tools which will send large traffic in a short time.
If we look at the “clientip” field, we can see that IP address ::1 generates up to 3,660 traffic. To validate our assumption, click on the IP to add it as a search keyword.
If we look at the “user_agent” field, we can see that the highest user agent is “Fuzz Faster U Fool”. And if you look at the “status” field, it produces a lot of 404 status codes. It looks like the attacker has brute force directories on our website..
To find out what directories the attacker successfully accessed, let’s add the status=200 field and the FFUF user_agent to the search.
Remove the user_agent and status keywords. Then we look at the uri field. It looks like the attacker is playing around with the /mutillidae/index.php?page=dns-lookup.php page. You can also add this uri to the search to find out what commands the attacker has run.
Next, we can search for LFI vulnerabilities with the following keyword “../*” which will search for ../ characters in logs.
If we look at the uri field, we can see that the attacker accessed /mutillidae/index.php?page=../../passwords.txt.
If we add the uri to the search, we can see that the status is 200 and produces a large response length in the “bytes” field. This indicates that the attacker successfully exploited the LFI.
3. Containment, eradication, recovery
In this phase, the infected device will be isolated (containment) for example by diverting the traffic heading here to another device. After that, we can perform cleanup (eradication) such as removing the tools used by the attacker, removing malicious processes, etc. Next is to restore the state of the device as it was before it was compromised (recovery).
4. Post-incident activity
In this phase, the organization learns lessons from the cyber incident. Such as training personnel to be more cautious of phishing, adding discovered IOCs to the block list, etc.
That’s the documentation of my SIEM home lab. Through this project, we learned about using Splunk as a SIEM, how to monitor logs, and understand attacker steps using the cyber kill chain framework and incident response.
Thank you for taking the time to read my article.
Let's connect with me: