Cybersecurity Capstone: Red Team Analysis of Man in the Middle Attack's Evasion Against SOC Tools

This is just a showcase of the network design and tools used for my cybersecurity capstone. If you're interested in reading my paper and seeing the attacks, feel free to click on the link below :)

Link to the Capstone files
  • PDF of the capstone

  • PowerPoint slides

  • screenshots and Python scripts

Note:

I know it's titled "Analysis of Man-In-The-Middle Dropbox Attacks evasion and effectiveness against SOC Tools" but I figured it should really be titled "Red Team Analysis of Man in the Middle Attack's Evasion Against SOC Tools", because that is what was really measured in this paper:

  • The attack's capability of evading SOC tool detection

  • The dropbox's capability of evading SOC tool detection

Background

Red team engagements are common for assessing an organization's security posture, as these engagements simulate a real-world cyber attack and serve as a proactive approach to identifying vulnerabilities and weaknesses within an organization's network.

Red teams also challenge an organization's defenses in order to reveal potential areas of improvement. This is accomplished using a range of tactics, techniques, and procedures (TTPs) that replicate real-world adversaries. Engagements of this nature often include Man in the Middle attack scenarios in an Active Directory environment.

In doing so, the engagement serves as a measure of the organization's SOC defense capabilities and provides organizations and SOC teams with actionable insights into their network's security weaknesses.

What inspired the idea for this cybersecurity capstone was Episode 40: No Parking of the podcast Darknet Diaries hosted by Jack Rhysider.

Tools:

  • Lenovo Thinkpad X250 with Kali Linux

    • Attack box attacking from an entirely different network

  • M1 MacBook Pro

    • where I would manage the Elastic Cloud alerts as attacks go on

  • VMware Player

    • Where the AD environment was running

  • Hak5's LAN Turtle

    • Drop box 1

    • calls back to VPS/C2

  • Raspberry Pi 4 Model B

    • Drop box 2

    • calls back to VPS/C2

    • I know... it's a bit clunky, could have used a smaller battery pack, leave out the wifi adapter etc, smaller case maybe

  • Elastic Cloud

    • Where I would manage the SIEM and SOC tool integrations

      • Elastic Defend

      • Sysmon

      • OPNsense

      • Snort

  • Akamai Ubuntu VPS

    • C2 that I would SSH into from the attack box to gain access to the dropboxes


Network Design

  • Two dropbox devices are configured to autossh to a Virtual Private Server (VPS) once connected to an ethernet port or switch on the internal network, mapping port 22 on the dropbox to port 2222 on the VPS. This allows an attacker or red team operator to SSH into their VPS from an attack device on a different network and reach the dropbox through the tunnel.

  • Assumption 1: Someone got physical access

  • Assumption 2: the network in question doesn't have the following:

    • 802.1X

    • NAC solution

    • (I will try to implement these in future projects to see how they can be bypassed!)

/etc/proxychains.conf

  • This is necessary for option 2, where the attacker wants to route the traffic from their attack machine through the VPS and directly to the dropbox in the internal network

Option 1: Double SSH

  • Option 1 consists of a double SSH to reach the dropbox in the internal network

  1. SSH from the attack machine to the VPS

root@kali:~# export VPS=<IP>
root@kali:~# ssh root@$VPS

  2. SSH from the VPS to the LAN Turtle (over the reverse tunnel the dropbox opened on port 2222)

  • Note: the same could be done with the Raspberry Pi 4

    • which is even better because the Raspberry Pi is loaded with tools that can be used

    • the interface on the LAN Turtle is limited to its built-in modules

root@kali:~# ssh root@localhost -p2222

  3. Internal network CIDR

Option 2: Routing attack machine traffic through VPS to the dropbox

  • The alternative to using SSH twice on the attack machine is that the attacker or red team operator can route their attack machine traffic using a dynamic application-level port forwarding proxy such as SOCKS (Socket Secure) on the local machine and tunnel traffic through two chained SSH connections:

    • first SSH connection, which is from the attacker machine to the VPS.

    • Then the second SSH connection, which is from the VPS to the dropbox device.
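From the SOC side, the one thing both options above have in common is the dropbox's own callback: an internal host that is not in the asset inventory holding a long-lived outbound SSH session to an external VPS. The script below is an added example (not part of the capstone or its scripts) that flags that pattern in flow records; the CIDR, inventory, addresses and log lines are constructed lab values.

```python
import ipaddress
from collections import defaultdict

# Constructed lab values (assumptions, not from the capstone)
INTERNAL_NET = ipaddress.ip_network("192.168.50.0/24")
KNOWN_ASSETS = {"192.168.50.10", "192.168.50.11", "192.168.50.20"}  # asset inventory
SSH_PORT = 22
MIN_TOTAL_S = 600  # ignore unknown hosts with under 10 min of external SSH

# Constructed flow records: src dst dst_port duration_seconds
SAMPLE_LOG = """\
192.168.50.10 192.168.50.11 445 12
192.168.50.20 203.0.113.7 443 35
192.168.50.77 198.51.100.9 22 5400
192.168.50.77 198.51.100.9 22 7200
192.168.50.11 198.51.100.9 22 4000
192.168.50.77 192.168.50.1 53 1
"""

def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    src, dst, port, dur = line.split()
    return src, dst, int(port), int(dur)

def find_callbacks(log_text, known_assets=KNOWN_ASSETS, min_total_s=MIN_TOTAL_S):
    """Return {(src, dst): (total_seconds, sessions)} for internal hosts that
    are NOT in the inventory and hold persistent SSH sessions to external IPs,
    the shape an autossh reverse tunnel from a dropbox to a VPS leaves in logs."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, dur = parse_flow(line)
        if port != SSH_PORT or ipaddress.ip_address(dst) in INTERNAL_NET:
            continue  # only outbound SSH leaving the internal CIDR matters here
        if ipaddress.ip_address(src) not in INTERNAL_NET or src in known_assets:
            continue  # inventoried hosts belong to a separate, lower-priority rule
        totals[(src, dst)][0] += dur
        totals[(src, dst)][1] += 1
    return {k: (t, n) for k, (t, n) in totals.items() if t >= min_total_s}

if __name__ == "__main__":
    for (src, dst), (secs, n) in find_callbacks(SAMPLE_LOG).items():
        print(f"ALERT rogue device? {src} -> {dst}:22, {secs}s over {n} sessions")
```

The same logic maps onto an Elastic detection rule over OPNsense or Snort connection events; the inventory check is what separates a new dropbox from an admin's legitimate SSH session.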

Proof of Concept: Nmap Scan from external attack machine through the VPS to the dropbox

  • Once the dropbox is in the internal network we can begin our enumeration and scanning (using either option 1 or 2)

  • Note: there are some limitations when using option 2 as to what type of traffic can go through the SOCKS proxy (it's also slow)

  • Methodology

    • Find live hosts

    • Port Scan

    • Execute AD man in the middle attacks

    • Check if they were detected in Elastic Cloud

      • Compare attack detection coming from LAN turtle vs Raspberry Pi 4

  • Check out the paper on my Github repo for more!

Future Recommendations

  • Hak5's Cloud C2 usage

  • 802.1X and NAC implementation

  • Larger AD environment (much like Game of Active Directory, GOAD)

  • Cellular module on the LAN Turtle and Raspberry Pi: removes the need to traverse out of the internal network, avoiding detection altogether?
