Cybersecurity Capstone: Red Team Analysis of Man in the Middle Attack's Evasion Against SOC Tools
This is just a showcase of the network design and tools used for my cybersecurity capstone. If you're interested in reading my paper and seeing the attacks, feel free to click on the link below :)
I know it's titled "Analysis of Man-In-The-Middle Dropbox Attacks evasion and effectiveness against SOC Tools" but I figured it should really be titled "Red Team Analysis of Man in the Middle Attack's Evasion Against SOC Tools", because that is what was really measured in this paper:
The attack's capability of evading SOC tool detection
The dropbox's capability of evading SOC tool detection
Background
Red team engagements are common for assessing an organization's security posture, as these engagements simulate a real-world cyber attack and serve as a proactive approach to identifying vulnerabilities and weaknesses within an organization's network.
Red teams also challenge an organization's defenses in order to reveal potential areas of improvement. This is accomplished using a range of tactics, techniques, and procedures (TTPs) that replicate real-world adversaries. Engagements of this nature often include Man-in-the-Middle attack scenarios in an Active Directory environment.
This serves as a measure of an organization's SOC defense capabilities and provides organizations and SOC teams with actionable insights into their network's security weaknesses.
What inspired the idea for this cybersecurity capstone was Episode 40: No Parking of the podcast Darknet Diaries, hosted by Jack Rhysider.
Tools:
Lenovo ThinkPad X250 with Kali Linux
    Attack box, attacking from an entirely different network
M1 MacBook Pro
    Where I would manage the Elastic Cloud alerts as the attacks go on
VMware Player
    Where the AD environment was running
Hak5's LAN Turtle
    Dropbox 1, calls back to the VPS/C2
Raspberry Pi 4 Model B
    Dropbox 2, calls back to the VPS/C2
    I know... it's a bit clunky; could have used a smaller battery pack, left out the wifi adapter, etc., smaller case maybe
Elastic Cloud
    Where I would manage the SIEM and SOC tool integrations
    Elastic Defend
    Sysmon
OPNsense
    Snort
Akamai Ubuntu VPS
    C2 that I would SSH into from the attack box to gain access to the dropboxes
Network Design
Two dropbox devices are configured to use autossh to connect back to a Virtual Private Server (VPS) as soon as they are plugged into an Ethernet port or switch on the internal network, mapping port 22 on the dropbox to port 2222 on the VPS. This reverse tunnel allows an attacker or red team operator to SSH into the VPS from an attack device on a different network and, from there, reach the dropbox inside the internal network.
Assumption 1: Someone got physical access to the internal network.
Assumption 2: The network in question doesn't have the following:
802.1X
A NAC solution
(I will try to implement these in future projects to see how they can be bypassed!)
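The two assumptions above are exactly what a defender can check for. As an added example that is not part of the capstone or its tooling, the Python below takes constructed flow records (the kind OPNsense or a network sensor would log) and flags a source that holds a persistent reverse SSH tunnel to an external host: long-lived outbound SSH sessions that are re-established almost as soon as they drop, the cadence autossh leaves behind, enriched with whether the source MAC is in a constructed asset inventory (the check an 802.1X/NAC deployment would make before the device ever got an address). All addresses, MACs, the log format and the thresholds are constructed for the example.

```python
"""Added example (not the capstone's own code): flag a rogue device holding a
reverse SSH tunnel to an external host, from constructed flow records."""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: MAC addresses the organization has registered.
KNOWN_MACS = {
    "00:11:22:33:44:01",  # file server
    "00:11:22:33:44:02",  # workstation
}

# RFC 1918 ranges; any other destination is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: ts,src_ip,src_mac,dst_ip,dst_port,proto,duration_s
# 10.0.0.77 is an unregistered device with back-to-back hour-long SSH
# sessions to one external host; the other lines are ordinary traffic.
FLOW_LOG = """\
1700000000,10.0.0.20,00:11:22:33:44:02,10.0.0.5,445,tcp,2
1700000010,10.0.0.20,00:11:22:33:44:02,203.0.113.9,443,tcp,1
1700000020,10.0.0.77,dc:a6:32:aa:bb:cc,198.51.100.10,22,tcp,3600
1700000030,10.0.0.5,00:11:22:33:44:01,10.0.0.20,22,tcp,40
1700003620,10.0.0.77,dc:a6:32:aa:bb:cc,198.51.100.10,22,tcp,3590
1700007215,10.0.0.77,dc:a6:32:aa:bb:cc,198.51.100.10,22,tcp,3600
"""


def parse_flows(text):
    """Turn the CSV-style flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src_ip, src_mac, dst_ip, dst_port, proto, dur = line.split(",")
        flows.append({"ts": int(ts), "src_ip": src_ip, "src_mac": src_mac.lower(),
                      "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "proto": proto, "duration": int(dur)})
    return flows


def is_external(ip):
    """True when the address is outside the RFC 1918 internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_reverse_ssh_tunnels(flows, known_macs=KNOWN_MACS,
                             min_duration=600, max_reconnect_gap=60):
    """Group outbound SSH flows per (source, destination) and report the pairs
    that look like a persistent reverse tunnel: long-lived sessions, or
    sessions re-established within max_reconnect_gap seconds of dropping."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dst_port"] == 22 and is_external(f["dst_ip"]):
            by_pair[(f["src_ip"], f["src_mac"], f["dst_ip"])].append(f)

    findings = []
    for (src_ip, src_mac, dst_ip), sessions in by_pair.items():
        sessions.sort(key=lambda f: f["ts"])
        long_lived = sum(1 for s in sessions if s["duration"] >= min_duration)
        # autossh restarts the tunnel as soon as it drops, so the gap between
        # one session ending and the next one starting is tiny.
        quick_reconnects = sum(
            1 for prev, nxt in zip(sessions, sessions[1:])
            if nxt["ts"] - (prev["ts"] + prev["duration"]) <= max_reconnect_gap)
        if not (long_lived or quick_reconnects):
            continue  # a short one-off admin session is not a finding
        reasons = []
        if src_mac not in known_macs:
            reasons.append("source MAC not in asset inventory")
        if long_lived:
            reasons.append(f"{long_lived} outbound SSH session(s) >= {min_duration}s")
        if quick_reconnects:
            reasons.append(f"{quick_reconnects} reconnect(s) within {max_reconnect_gap}s")
        findings.append({"src_ip": src_ip, "src_mac": src_mac, "dst_ip": dst_ip,
                         "sessions": len(sessions), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_reverse_ssh_tunnels(parse_flows(FLOW_LOG)):
        print(finding)
```

The destination port filter is deliberately the weakest part: a tunnel to port 443 on the VPS would slip past it, so in practice the long-duration and quick-reconnect tests matter more than the port, and an unknown source MAC on a port that should be 802.1X-protected is a finding on its own.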
/etc/proxychains.conf
This is necessary for option 2, where the attacker wants to route the traffic from the attack machine through the VPS directly to the dropbox in the internal network.
Option 1: Double SSH
Option 1 consists of two SSH hops to reach the dropbox in the internal network: one into the VPS, and a second from the VPS through the reverse tunnel on port 2222 into the dropbox.
Note: the same could be done with the Raspberry Pi 4, which is even better because the Raspberry Pi is loaded with tools that can be used, whereas the interface on the LAN Turtle is limited to its built-in modules.
root@kali:~# ssh root@localhost -p2222
Internal network CIDR
Option 2: Routing attack machine traffic through VPS to the dropbox
The alternative to using SSH twice from the attack machine is for the attacker or red team operator to route the attack machine's traffic through a dynamic application-level port-forwarding proxy, i.e. a SOCKS (Socket Secure) proxy on the local machine, and tunnel that traffic through:
the first SSH connection, from the attack machine to the VPS, and then
the second SSH connection, from the VPS to the dropbox device.
Proof of Concept: Nmap scan from the external attack machine through the VPS to the dropbox
Once the dropbox is in the internal network we can begin our enumeration and scanning (using either option 1 or option 2).
Note: there are some limitations when using option 2 as to what type of traffic can go through, because a SOCKS proxy only carries the TCP connections that applications open through it, so raw-packet and ICMP traffic does not traverse it (it's also slow).
Methodology
Find live hosts
Port scan
Execute AD Man-in-the-Middle attacks
Check if they were detected in Elastic Cloud
Compare attack detection coming from the LAN Turtle vs the Raspberry Pi 4
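The first two steps of the methodology are the ones a SOC can catch from network telemetry alone. As an added example that is not the capstone's own code, the Python below takes constructed flow records and picks out a host sweep (one internal source contacting many distinct hosts in a short window) and a port scan (one source touching many distinct ports on a single host), the two fan-out patterns those steps produce. The addresses, the window size and the thresholds are constructed for the example.

```python
"""Added example (not the capstone's own code): detect the host-discovery and
port-scan phases from constructed flow records by counting fan-out per
internal source inside a fixed time window."""
from collections import defaultdict

# Constructed flow records: (ts, src_ip, dst_ip, dst_port). The first two are
# ordinary workstation traffic; 10.0.0.77 then sweeps twenty hosts on 445 and
# walks thirty ports on the file server 10.0.0.5, one connection per second.
FLOWS = [
    (1700000005, "10.0.0.20", "10.0.0.5", 445),
    (1700000006, "10.0.0.20", "10.0.0.6", 53),
]
FLOWS += [(1700000000 + i, "10.0.0.77", f"10.0.0.{i + 1}", 445) for i in range(20)]
FLOWS += [(1700000100 + i, "10.0.0.77", "10.0.0.5", 1 + i) for i in range(30)]


def detect_scans(flows, window=60, host_threshold=10, port_threshold=15):
    """Return findings for sources whose fan-out inside one window reaches the
    thresholds: a host sweep (many distinct destinations) or a port scan
    (many distinct ports on one destination). Flows are bucketed by
    ts // window, so timestamps need not be sorted."""
    hosts = defaultdict(set)   # (src, bucket) -> set of destinations
    ports = defaultdict(set)   # (src, bucket, dst) -> set of ports
    for ts, src, dst, port in flows:
        bucket = ts // window
        hosts[(src, bucket)].add(dst)
        ports[(src, bucket, dst)].add(port)

    findings = []
    for (src, bucket), dsts in sorted(hosts.items()):
        if len(dsts) >= host_threshold:
            findings.append({"kind": "host_sweep", "src": src,
                             "window_start": bucket * window, "count": len(dsts)})
    for (src, bucket, dst), seen in sorted(ports.items()):
        if len(seen) >= port_threshold:
            findings.append({"kind": "port_scan", "src": src, "target": dst,
                             "window_start": bucket * window, "count": len(seen)})
    return findings


if __name__ == "__main__":
    for finding in detect_scans(FLOWS):
        print(finding)
```

Fixed buckets are cheap to compute on a stream but a scan that straddles a bucket boundary is split in two, so either keep the thresholds comfortably below the scan rates you expect or switch to a sliding window once the bucketed version is tuned; scans slowed to a few probes per minute, as in the paper's evasion measurements, need a much longer window to surface at all.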
Check out the paper on my Github repo for more!
Future Recommendations
Hak5's Cloud C2 usage
802.1X and NAC implementation
Larger AD environment (much like Game of Active Directory, GOAD)
Cellular module on the LAN Turtle and Raspberry Pi, which removes the need to traverse out of the internal network; avoid detection altogether?