Forem: OULD AMARA Amine

How to turn your linux machine into a Router.

OULD AMARA Amine — Thu, 17 Feb 2022 23:16:16 +0000

Routing

Setting up a home lab

First things first, before setting up a network, always use a diagram, it helps you get your plan in order and not get lost along the way. So this is our diagram.

Explaining the diagram

So the first thing we're going to do is download and install oracle virtualbox which is what we're going to use to run our virtual machines on, after that's installed we're going to download a debian 9 iso. Next after we have everything downloaded we're going to create our first virtual machine that hosts our router machine. We're going to give this virtual machine three network adapters : One is going to be used to connect to the outside internet and the other two are going to be used to connect to the other two machines that are part of virtualbox' internal network.
After our virtual machine is created, we're going to install debian 9 on it and then we're going to assign IP addressing for the internal network, the external network will automatically get IP addressing from your home router so we don't have to worry about it. After we have IP addressing setup, we're going to install the other two "client" machines and connect them to the router, this way the two machines will be able to ping one another.

Downloading and installing required software and OS

Oracle virtual box

Note that the performance of your computer might be affected depending on what hardware do you have and how much you allocate to your virtual machines.

On windows

Head out to virtual box's download page and follow the installation instruction.

On linux

Just follow this guide by Oracle. If you have dependencies issues, check out this page by the virtualbox team.

On MacOS

Much like windows, you only need to visit virtual box's download page and select the OS X hosts option, then follow the installation instruction and you're done.

debian 9

We will download debian 9 in and iso format, Click this link to get it. Remember where you downloaded the ISO file, because you'll need to know that later.

Creating the virtual machines

So the next thing we're going to do is we're going to create our virtual machines. Open up virtualbox, I'm using Linux Ubuntu 20.04 so your interface might look slightly different if you're running it on Windows or MacOS.

We'll go to "new" and we're going to create the router debian 9 machine first, pick linux as the type and debian 64 as the version, also you should name it accordingly to remember which machine is which. just leave all the settings by default and simply click next, the settings should be so that you can use at least run three virtual machines at the same time depending on you computer's hardware, or you can tweak them as you please.Next, click on your newly created VM, go to Settings, Network, remember if we look at the diagram, we're creating our router right now so we want to have three NICs (Network Interface Controllers) we want one that's dedicated for the internet that's going to be running NAT and then we'll have two that are dedicated for the internal vmware network. So our third adapter is going to connect to our our house internet and be given an IP address automatically by your router's DHCP, so we want to add one two more adapters. But before that go, we will create two NAT networks (A NAT network is a type of internal network that allows outbound connections), go to "File", "Preferences", "Network" and add two nat networks by clicking the add button.
Back to configuring the router VM, left click it and go to Settings, Network, Adapter 1 and enable it, then simply select "NAT Network" and select the first one, do the same for adapter 2 with the other NAT Network.

Installing Debian 9 in our VM

the VM is configured but it's still empty, so next we are going to install Debian 9 on it. In order for the machine to detect the installation file, we will insert it in it's IDE storage controller, left click the machine, go to "Settings" and then "Storage", click on the "Empty" under "Controller : IDE" then on the blue disk next to the list for "Optical Drive" to choose a virtual optical drive, navigate to the debian 9 iso file you downloaded and select it and hit OK.
Now fire up the vm by double clicking it and you'll be faced with a classic debian installation. Read the official debian documentation if you're stuck at one of installation steps.

Cloning the VM twice to get the clients machines

To create the other two clients' machines, it's much faster to just clone the router machine, after the installation process has finished, go ahead and close the VM, in virtualbox right click and choose "Clone", Rename it something like "debian 9 right" and do the same for the left one. We will configure the networks for each one of them later.

Configure the network interfaces inside debian

Once inside the debian 9 Router VM, we will have to setup the two internal network interfaces. open a terminal and write "ip a", you'll see the loopback interface and below it the three adapters we attached to the machine,notice that the first two, enp0s3 and enp0s8 don't show much information, that because they are the NAT network ones and are not configured, let's fix that. Write this command to open up a text editor with the interfaces configuration file opened in it



sudo gedit /etc/network/interface

If you are unfamiliar with networking concepts such as IP addressing, i strongly advise you to read up on it, as i won't cover them in this guide, you should also learn more about debian network configuration and naming. Go ahead and copy the text below into that text editor.



auto enp0s3
iface enp0s3 inet static
    address 192.168.10.254
    netmask 255.255.255.0

auto enp0s8
iface enp0s8 inet static
    address 192.168.20.254
    netmask 255.255.255.0

Close the editor and restart the networking service by typing the following command :



sudo systemctl restart networking

Type "ip a" again and see that now they are configured. What we basically did here is that we configured the two network interfaces to connect two the other two clients machines, now we will configure each one of them to connect to the router using the gateway address.

Configuring the right debian 9 Client

Before starting the right machine, we have to change some settings since it's a cloned machine, it will have the same MAC address as our router's, and il will also have three network adapter and we only need one. right click the right machine and go to "Settings", "Network", disable adapters 2 and 3 and make adapter 1 attached to "NAT network" and as name the first one, now start the machine. you can run the "ip a" command to take a look
Just like we did for the router, open the interfaces file and write these lines :



auto enp0s3
iface enp0s3 inet static
    address 192.168.20.10
    netmask 255.255.255.0
    gateway 192.168.20.254

Don't forget to restart the networking service. now you can try to ping the router by typing "ping 192.168.20.254" in the terminal, and you do the same from the router and ping the right client with it's address 192.168.20.10

Configuring the left debian 9 Client

Same steps as the right client, only changes are in selecting "natnetwork1" instead of the first one, and add these lines to the interfaces file :



auto enp0s3
iface enp0s3 inet static
    address 192.168.10.10
    netmask 255.255.255.0
    gateway 192.168.10.254

Don't forget to restart the networking service. now you can try to ping the router by typing "ping 192.168.10.254" in the terminal, and you do the same from the router and ping the left client with it's address 192.168.10.10

Now from one client try to ping the other, from the left machine ping 192.168.10.254 and from the right machine ping the left machine with ping 192.168.20.254, not working? Go to the next step

Enabling and disabling routing in the router machine

Don't interrupt the two machines trying to ping each other, now go to the router machine and type the command



sudo more /proc/sys/net/ipv4/ip_forward

You'll get a 0, meaning forwarding packets on this machine is disabled. To enable it, execute this command :



sudo echo 1 > /proc/sys/net/ipv4/ip_forward

Go back to the two client machines and you'll see that it's working, just like a light switch.

You now know how to configure interfaces on your debian machines and setup a router.

Security Information and Event Management (SIEM) using Microsoft Sentinel.

OULD AMARA Amine — Thu, 17 Feb 2022 23:00:10 +0000

What's a SIEM

SIEM stands for security information and event management and provides organizations with next-generation detection, analytics and response. SIEM software combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware. SIEM software matches events against rules and analytics engines and indexes them for sub-second search to detect and analyze advanced threats using globally gathered intelligence. This gives security teams both insight into and a track record of the activities within their IT environment by providing data analysis, event correlation, aggregation, reporting and log management.
SIEM software can have a number of features and benefits, including:

Consolidation of multiple data points
Custom dashboards and alert workflow management
Integration with other products

How does a SIEM work ?

SIEM software works by collecting log and event data generated by an organizations applications, security devices and host systems and bringing it together into a single centralized platform. SIEM gathers data from antivirus events, firewall logs and other locations; it sorts this data into categories, for example: malware activity and failed and successful logins. When SIEM identifies a threat through network security monitoring, it generates an alert and defines a threat level based on predetermined rules. For example, someone trying to log into an account 10 times in 10 minutes is ok, while 100 times in 10 minutes might be flagged as an attempted attack. In this way it detects threats and creates security alerts. SIEM's custom dashboards and event management system improves investigative efficiency and reduces time wasted on false-positives.

Preview of technical steps

We're going to create a windows 10 virtual machine inside Azure and set it up as a honeypot (A honeypot is a network-attached system set up as a decoy to lure cyberattackers and to detect, deflect or study hacking attempts in order to gain unauthorized access to information systems. The same goes vice versa, in which a hacker tries to distract a, e.G. , Company with a mock-up hack, to proceed to the main hack, of which the, e.G. , company doesn’t know about.)
In order to do that, we will turn the external firewall off for the VM and we're going to turn the windows firewall off as well so our machine will be exposed to the internet and anyone can ping it from any country. Next we're going to create a log repository in azure called a "log analytics workspace" which will be used to ingest our logs from the virtual machine and then we're going to set up azure sentinel (Microsoft's cloud native SIEM) within azure which we're going to use to create a map that maps all the different attacker data so we can see from which country are the attacks coming.
We're also going to use PowerShell in this lab in order to get the country's latitude and longitude, we'll extract the IP addresses from the VM's windows event security log and send it to a third-party API which will derive the latitude and longitude send back the state and province of the incoming attacks to our virtual machine which we'll then use to create a custom log with geographic data in it to display it in a map inside azure.
One of the main features of a SIEM is to be able to create triggers and alerts when incidents occur, but this post will not cover that, I'll let you figure that out by yourself.
What we will do is extract failed logon data and ingest it into sentinel and map it on a world map so we can visualize where the attacks are coming from.

Create an A virtual machine in Azure

Before you start the lab, DO NOT FORGET or SKIP the VERY IMPORTANT NOTE at the end of the lab

To create the windows 10 VM in Azure, you'll have to sign up for an Azure subscription, it's free and you get 200 dollars worth of free credits, but you'll have to provide some credit card info.
After that, when you're on your account's homepage, search for "virtual machine" and click it, on the left you'll see a plus sign with "Create" written next to it, click it.

Under "Resource group" click "New", a resource group is basically a logical grouping of resources in azure that share the same lifespan, you can name it "honeypot" or something memorable like that, for the name of the vm, do the same, and set the image as Windows 10 pro. Other settings are fine, just enter a username and password and make sure to remember them, check the licensing checkbox and move to the networking tab.

Allow all in firewall

Under "NIC security group" which you can think of it as the equivalent of a firewall, choose Advanced and create a new one, under inbound rules you'll find a default rule, remove it and click "Add an inbound rule" which we will configure to allow all incoming connections into the VM. For "Destination port ranges" put a star(*), "Protocol" as Any, "Action" allow, "Priority" 100 and set the name whatever you want.
And like this, our VM is discoverable by any mean; SYN scans, TCP pings, ICMP pings and other techniques can now find the machine. Hit OK and then "Review + Create", it'll take some time so open another tab with azure in it.

Create analytics workspace

Next search for "Log Analytics Workspaces", here we will setup ingesting logs from the vm, ingest windows event logs and create our own custom log that contain geographic data.
Click "Create log analytics workspace", for the ressource group, select the one we just created, name it, and click "Review + Create" then "Create"

Enable gathering VM logs in Security center

Next, search for "Security center", this is where we enable the ability to gather logs from the virtual machine into the logs analytics workspace. On the left side panel, click "pricing and security" and then the log analytics workspace we just made, turn on "Servers" and turn of "SQL servers on machines" because we won't need them in this lab, hit save.
Next in the left panel click "Data Collection" and select "all events" and save.

Connect log analytics to VM

Go back to log analytics, select the workspace from the left side panel, under "workspace data sources" click "virtual machines" and simply click "connect".

Setup Azure Sentinel

Search for "Azure Sentinel" and hit create, here you can pick the analytics workspace you want to connect to, right click the one we just created and hit add.

Log into VM with remote access

In order to log in to your virtual machine, search for virtual machines, and click it. In the essentials section you can find the machine's IP address, copy it so that we can connect toit using remote desktop. Depending on the OS you're using, you should find a native software that allows you to connect remotely to a machine. If you're on windows 10, open the start menu and search for Remote Desktop, if not, i'll let you figure out a way to do it for practice. Enter the IP address you just copied and connect using the machine's credentials

Observing event viewer logs in analytics

Once on the VM, open up the event viewer by searching it in the start menu, on the left side panel select "Windows logs" and then "Security" and you'll be faced with all the security event on the VM. What we're interested in here is event ID 4625, which is the audit failure security event. If you go back to your computer and try to log in again into the VM only this time using incorrect credentials, it'll show up in the security logs and you can see the details of the failed logon, among them the IP address from which the person tried to connect to the VM, in this case your IP. We will use it later to determine the country this happened from.

Turn off windows firewall in VM

In order for our machine to be discoverable in the internet, let's turn off the firewall. For that, in the windows 10 virtual machine go to start and type "wf.msc", this will open windows defender firewall settings, click on "windows defender firewall properties" then turn everything off in "domain profile", "private profile" and "public profile".
You can try to ping the VM from your computer and it'll work.

Powershell script

This is a script that will export logs to a text file which will be used to map the incoming attacks, go ahead and copy it in Powershell ISE by going to the start menu and searching for it, hit save and name the .ps1 file.

# Get API key from here: https://ipgeolocation.io/
$API_KEY      = "d4600b4efdef42b39828f5155041a457"
$LOGFILE_NAME = "failed_rdp.log"
$LOGFILE_PATH = "C:\ProgramData\$($LOGFILE_NAME)"

# This filter will be used to filter failed RDP events from Windows Event Viewer
$XMLFilter = @'
<QueryList> 
   <Query Id="0" Path="Security">
         <Select Path="Security">
              *[System[(EventID='4625')]]
          </Select>
    </Query>
</QueryList> 
'@

<#
    This function creates a bunch of sample log files that will be used to train the
    Extract feature in Log Analytics workspace. If you don't have enough log files to
    "train" it, it will fail to extract certain fields for some reason -_-.
    We can avoid including these fake records on our map by filtering out all logs with
    a destination host of "samplehost"
#>
Function write-Sample-Log() {
    "latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,sourcehost:24.16.97.222,state:Washington,country:United States,label:United States - 24.16.97.222,timestamp:2021-10-26 03:28:29" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:-22.90906,longitude:-47.06455,destinationhost:samplehost,username:lnwbaq,sourcehost:20.195.228.49,state:Sao Paulo,country:Brazil,label:Brazil - 20.195.228.49,timestamp:2021-10-26 05:46:20" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:52.37022,longitude:4.89517,destinationhost:samplehost,username:CSNYDER,sourcehost:89.248.165.74,state:North Holland,country:Netherlands,label:Netherlands - 89.248.165.74,timestamp:2021-10-26 06:12:56" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:40.71455,longitude:-74.00714,destinationhost:samplehost,username:ADMINISTRATOR,sourcehost:72.45.247.218,state:New York,country:United States,label:United States - 72.45.247.218,timestamp:2021-10-26 10:44:07" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:33.99762,longitude:-6.84737,destinationhost:samplehost,username:AZUREUSER,sourcehost:102.50.242.216,state:Rabat-Salé-Kénitra,country:Morocco,label:Morocco - 102.50.242.216,timestamp:2021-10-26 11:03:13" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:-5.32558,longitude:100.28595,destinationhost:samplehost,username:Test,sourcehost:42.1.62.34,state:Penang,country:Malaysia,label:Malaysia - 42.1.62.34,timestamp:2021-10-26 11:04:45" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:41.05722,longitude:28.84926,destinationhost:samplehost,username:AZUREUSER,sourcehost:176.235.196.111,state:Istanbul,country:Turkey,label:Turkey - 176.235.196.111,timestamp:2021-10-26 11:50:47" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:55.87925,longitude:37.54691,destinationhost:samplehost,username:Test,sourcehost:87.251.67.98,state:null,country:Russia,label:Russia - 87.251.67.98,timestamp:2021-10-26 12:13:45" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:52.37018,longitude:4.87324,destinationhost:samplehost,username:AZUREUSER,sourcehost:20.86.161.127,state:North Holland,country:Netherlands,label:Netherlands - 20.86.161.127,timestamp:2021-10-26 12:33:46" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:17.49163,longitude:-88.18704,destinationhost:samplehost,username:Test,sourcehost:45.227.254.8,state:null,country:Belize,label:Belize - 45.227.254.8,timestamp:2021-10-26 13:13:25" | Out-File $LOGFILE_PATH -Append -Encoding utf8
    "latitude:-55.88802,longitude:37.65136,destinationhost:samplehost,username:Test,sourcehost:94.232.47.130,state:Central Federal District,country:Russia,label:Russia - 94.232.47.130,timestamp:2021-10-26 14:25:33" | Out-File $LOGFILE_PATH -Append -Encoding utf8
}

# This block of code will create the log file if it doesn't already exist
if ((Test-Path $LOGFILE_PATH) -eq $false) {
    New-Item -ItemType File -Path $LOGFILE_PATH
    write-Sample-Log
}

# Infinite Loop that keeps checking the Event Viewer logs.
while ($true)
{

    Start-Sleep -Seconds 1
    # This retrieves events from Windows EVent Viewer based on the filter
    $events = Get-WinEvent -FilterXml $XMLFilter -ErrorAction SilentlyContinue
    if ($Error) {
        #Write-Host "No Failed Logons found. Re-run script when a login has failed."
    }

    # Step through each event collected, get geolocation
    #    for the IP Address, and add new events to the custom log
    foreach ($event in $events) {


        # $event.properties[19] is the source IP address of the failed logon
        # This if-statement will proceed if the IP address exists (>= 5 is arbitrary, just saying if it's not empty)
        if ($event.properties[19].Value.Length -ge 5) {

            # Pick out fields from the event. These will be inserted into our new custom log
            $timestamp = $event.TimeCreated
            $year = $event.TimeCreated.Year

            $month = $event.TimeCreated.Month
            if ("$($event.TimeCreated.Month)".Length -eq 1) {
                $month = "0$($event.TimeCreated.Month)"
            }

            $day = $event.TimeCreated.Day
            if ("$($event.TimeCreated.Day)".Length -eq 1) {
                $day = "0$($event.TimeCreated.Day)"
            }

            $hour = $event.TimeCreated.Hour
            if ("$($event.TimeCreated.Hour)".Length -eq 1) {
                $hour = "0$($event.TimeCreated.Hour)"
            }

            $minute = $event.TimeCreated.Minute
            if ("$($event.TimeCreated.Minute)".Length -eq 1) {
                $minute = "0$($event.TimeCreated.Minute)"
            }


            $second = $event.TimeCreated.Second
            if ("$($event.TimeCreated.Second)".Length -eq 1) {
                $second = "0$($event.TimeCreated.Second)"
            }

            $timestamp = "$($year)-$($month)-$($day) $($hour):$($minute):$($second)"
            $eventId = $event.Id
            $destinationHost = $event.MachineName# Workstation Name (Destination)
            $username = $event.properties[5].Value # Account Name (Attempted Logon)
            $sourceHost = $event.properties[11].Value # Workstation Name (Source)
            $sourceIp = $event.properties[19].Value # IP Address


            # Get the current contents of the Log file!
            $log_contents = Get-Content -Path $LOGFILE_PATH

            # Do not write to the log file if the log already exists.
            if (-Not ($log_contents -match "$($timestamp)") -or ($log_contents.Length -eq 0)) {

                # Announce the gathering of geolocation data and pause for a second as to not rate-limit the API
                #Write-Host "Getting Latitude and Longitude from IP Address and writing to log" -ForegroundColor Yellow -BackgroundColor Black
                Start-Sleep -Seconds 1

                # Make web request to the geolocation API
                # For more info: https://ipgeolocation.io/documentation/ip-geolocation-api.html
                $API_ENDPOINT = "https://api.ipgeolocation.io/ipgeo?apiKey=$($API_KEY)&ip=$($sourceIp)"
                $response = Invoke-WebRequest -UseBasicParsing -Uri $API_ENDPOINT

                # Pull Data from the API response, and store them in variables
                $responseData = $response.Content | ConvertFrom-Json
                $latitude = $responseData.latitude
                $longitude = $responseData.longitude
                $state_prov = $responseData.state_prov
                if ($state_prov -eq "") { $state_prov = "null" }
                $country = $responseData.country_name
                if ($country -eq "") {$country -eq "null"}

                # Write all gathered data to the custom log file. It will look something like this:
                #
                "latitude:$($latitude),longitude:$($longitude),destinationhost:$($destinationHost),username:$($username),sourcehost:$($sourceIp),state:$($state_prov), country:$($country),label:$($country) - $($sourceIp),timestamp:$($timestamp)" | Out-File $LOGFILE_PATH -Append -Encoding utf8

                Write-Host -BackgroundColor Black -ForegroundColor Magenta "latitude:$($latitude),longitude:$($longitude),destinationhost:$($destinationHost),username:$($username),sourcehost:$($sourceIp),state:$($state_prov),label:$($country) - $($sourceIp),timestamp:$($timestamp)"
            }
            else {
                # Entry already exists in custom log file. Do nothing, optionally, remove the # from the line below for output
                # Write-Host "Event already exists in the custom log. Skipping." -ForegroundColor Gray -BackgroundColor Black
            }
        }
    }
}

I won't explain the script in detail but you should definitely learn more about scripting languages such as powershell or bash because you'll often use them to automate tasks. What this script does is it basically runs in a loop and looks through the event log we visited earlier, grabs all the failed login events and specifically gets their IP and store it in the directory specified in the $LOGFILE_PATH variable. One thing you need to do in order for the script to work is go to ipgeolocation.io and get your own API key, you'll need to sign up to get one. Go back to the script and paste your own key $API_KEY value

Run script to get geo data from attackers

You can start the script, and notice down in the command line some text has popped up if you actually retried to connect with incorrect credentials, you can even go and take a look at the log file to see what's inside, you'll find some sample data followed by your failed login data

Create custom log in LAW to bring in our custom log

Next thing we're going to do is we're going to create a custom log inside of our log analytics workspace to bring our custom log with the geo data in it into our workspace.
Back to your machine, in azure look for "log analytics" click your workspace and then "custom logs" and the "add custom log", you'll see it's asking for a log file, but ours is in the virtual machine, there's a lot of ways you can send it to our machine but for now we will just copy it from the file directly. Go back to your VM and navigate to the folder where the log is, in the script it's in "C:\ProgramData\", you might have to toggle on "show hidden folders" in the windows file viewer because that directory is hidden. After copying it paste it in a notepad on your host machine and save it. Now you can add the file in azure, click next. On collection path write the path of the file "C:\ProgramData\failed_rdp.log" as we named it in the script and hit next, in details you can name the log and give it a description if you want, next and create.
To see if it's working, go back to your Log analytics workspace in azure and click "Logs", on the right you can write whatever you named the log and see if it gives you results under the request, if you get nothing, you might want to leave some time in order for the two machines to sync, but you can try and request other logs for example "SecurityEvent" and see the results coming in from the VM. After sometime, the failedrdp logs should should up when you ask to see them, you'll see the sample ones followed by your own failed login attempts, we will have to take the raw data column and extract the latitude and longitude and make them in their own columns.

Create custom fields/extract fields from raw custom

To do that, expand one of the logs, click the three dots above and click "Extract fields from 'what_you_named_the_log'". In raw data highlight the latitude value, you'll be prompted with a small panel where you can name it latitude and show numeric as field type, hit extract and you'll see some search results on the right, make sure the search is accurate and only the latitude values are highlighted. Hit save extraction and do the same for longitude, if you find that in the search results there something else highlighted other than the longitude, click on the pencil looking icon in the not accurate search result and hit "Modify this highlight" and highlight the longitude. Repeat this process because the extract algorithm is not always as accurate and needs help to identify the right values we want to extract. By now you know how to extract data from a raw data string, do the same for the destination host with the field type : text. Finish all the others until you find yourself with processed data instead of raw data, meaning all the fields are known to us and are well categorized and can be used in our analytics.

Testing extracts

Going back to the custom logs panel you can click the "custom fields" tab to see what we extracted. you can run the failed_rdp query again in the logs panel and see your data all neatly organized in columns. If not, go ahead and try another failed log, this tile it should work

Setup map in Sentinel with latitude longitude (or...

Go to azure sentinel, click on the one we setup earlier, if you go to overview, you can see some data about the incidents that occurred on our VM, feel free to analyze it. Go to "Workbooks" under "Threat manager" in the left panel of sentinel and hit "Add workbook". Click edit and remove the default widgets you'll find in this workbook by clicking the three dots beside each one, we'll need the space to setup our map. Next add a query, and type this one in :

FAILED_RDP_WITH_GEO_CL | summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF | where destinationhost_CF != "samplehost" | where sourcehost_CF != ""

Providing that you named the columns the same way when we formatted that raw data earlier, if not, make it just like yours. What this query does it it asks for the failed login attempts from the custom log we created excluding the sample ones we used to train the extract algorithm because they don't make sense to us. Now in "Visualization" choose "Map".
On the right side you'll find the settings for the map, for the location info we'll be using Latitude/Longitude, under it select the fields that correspond to both of them and size by the event_count.
Click apply and you should see your location popup on the map, we can further tweaks the settings to make the map more readable. Under metric settings, put "Metric label" as label_CF and "Metric value" as event_count. You can change the plot data to whatever suits you as this is just a suggestion. When you're done hit save and close and save your workbook and click "Done editing".

Witnessing the attacks

Note that you must leave the script in the VM under execution, since it's an infinite while loop it won't stop until you do it manually and if you do, the log file won't be updated and azure won't get new data.
You can leave your computer and the virutual machine for an hour or two and come back later to discover who's been trying to log into the vm from around the world. Analyze the data, see the different techniques the hackers used.

VERY IMPORTANT NOTE :

After finishing the lab, you should shutdown COMPLETELY the virtual machine in azure, do that by going to the machine's page in azure and click "Stop", verify the machine is deallocated by checking the "status : Stopped (deallocated)" under the Essentials menu. If you miss this, your 200 dollars will be depleted and you can't use them for future labs concerning azure.

Final thoughts

As soon as a machine is vulnerable on the internet, it's bound to get attacked. Hackers don't care if you're worth hacking or not, if you're a business or just an individual with unexploitable data in your machine like personal data in the form of bank account credentials, family photos or work documents they can encrypt and request money for, what tried to login to your vm are probably bots scouring the internet for vulnerable machine. If they can do it, they will. So if your login credentials are admin admin or similarly guessable words, consider improving your password policy. Read up on how to secure your systems and on layered security.
There are much better ways to do what we did here, but this basically is the gist of what a SIEM does; it aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. We didn't cover the alerts part, but you should definitely read up on it and try to implement it. Also, it's even better to understand what's happening behind the scene when it comes to which protocols were used to achieve this.
There are still a lot more features to Azure Sentinel, we only scratched the surface here, so head on to the official
documentation and experiment with this tool.

Credit where credit's due,

This post was inspired by Josh Madakor's youtube video, check out his youtube channel for cyber security related content.
Some lines from this article about the definition of a SIEM and how it works.

Vulnerability management using Nessus

OULD AMARA Amine — Mon, 14 Feb 2022 20:46:34 +0000

What is vulnerability management ?

It is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside with other security tactics, is vital for organizations to prioritize possible threats and minimizing their "attack surface."

Security vulnerabilities, in turn, refer to technological weaknesses that allow attackers to compromise a product and the information it holds. This process needs to be performed continuously in order to keep up with new systems being added to networks, changes that are made to systems, and the discovery of new vulnerabilities over time.

How does Nessus work ?

To learn how Nessus and other port-scanning security tools work, it is necessary to understand different services (such as a web server, SMTP server, FTP server, etc) are accessed on a remote server. Most high-level network traffic, such as email, web pages, etc reach a server via a high-level protocol that is transmitted reliably by a TCP stream. To keep different streams from interfering with each other, a computer divides its physical connection to the network into thousands of logical paths, called ports. So if you want to talk to a web server on a given machine, you would connect to port #80 (the standard HTTP port), but if you wanted to connect to an SMTP server on that same machine you would instead connect to port #25.

Each computer has thousands of ports, all of which may or may not have services (ie: a server for a specific high-level protocol) listening on them. Nessus works by testing each port on a computer, determining what service it is running, and then testing this service to make sure there are no vulnerabilities in it that could be used by a hacker to carry out a malicious attack. Nessus is called a "remote scanner" because it does not need to be installed on a computer for it to test that computer. Instead, you can install it on only one computer and test as many computers as you would like.

Downloading and installing required software and OS

Download and install Nessus essentials

In order to download Nessus essentials, follow this link to the download page, you'll have to create an account using your name and email, the you'll be redirected to another page where you can click Download to download the software. look for the most recent version that's compatible with your OS, in my case it this one:

After the download has finished, install it, then a web browser window will open with this URL "https://localhost:8834/", you may have to do some extra steps to allow it through the firewall if you're using linux.
Go ahead and click "Connect via SSL". Your browser will warn you that the connection is not private, just click on "Advanced" and "Proceed to ...", you'll have to wait a few minute for the configuration to finish.
After that, choose Nessus essentials, this is the free version of the product, click continue. Since you already received the activation code upon your first registration,you can click skip and enter the code directly without giving your name and email again. Next click continue, setup a username and a password, make sure you don't forget them and click submit. while it's installing, let's download and install our windows 10 client machine in virtualbox.

Oracle virtual box

Note that the performance of your computer might be affected depending on what hardware do you have and how much you allocate to your virtual machines.

On windows

Head out to virtual box's download page and follow the installation instruction.

On linux

Just follow this guide by Oracle. If you have dependencies issues, check out this page by the virtualbox team.

On MacOS

Much like windows, you only need to visit virtual box's download page and select the OS X hosts option, then follow the installation instruction and you're done.

Windows 10

Head to this page to get it. When you go there, click "Get started," and follow the instructions and prompts until you finally get to the download page. Choose your language and whether you want to download the 32-bit or 64-bit version. I downloaded the 64-bit version, because I installed it on a 64-bit machine. Remember where you downloaded the ISO file, because you'll need to know that later.

Creating the virtual machines

So the next thing we're going to do is we're going to create our virtual machine. Open up virtualbox, I'm using Linux Ubuntu 20.04 so your interface might look slightly different if you're running it on Windows or MacOS.

We'll go to "new" and we're going to create the Windows 10 computer first, pick windows 64-bit, you should name it accordingly to remember which machine is which. just leave all the settings by default and simply click next, the settings should be so that you can use at least run three virtual machines at the same time depending on you computer's hardware, or you can tweak them as you please.

Installing Windows 10 in our VM

Before launching the VM, left click it and go to "settings", "Network" and set "Attached to :" as "Bridged Adapter".
Double click the VM to start it, it's going to open up a window, this is where we're going to select the Windows 10 iso that we downloaded earlier, we'll click "choose a virtual optical disk file" (it's the little yellow folder next the the list), click Add and you'll browse to where you put the Windows 10 iso file and add it, choose it in your newly updated lists of optical drives and click OK. Start the virtual machine and it will prompt you to a classic Windows 10 installation, click next, choose custom install and click next.

Ensure connectivity with VM

In order for us to scan the virtual machine for vulnerabilities, we have to be connected. Open a command prompt on the windows 10 guest machine and type "ipconfig", there you can find the machine's IP address under IPv4 address. Go to back to your computer, open a command prompt and try to ping that address, it's will not work because the two computers are not connected.
In a real-life situation the two machines will be on the same network, we can recreate that either by installing another machine in which we install Nessus, then configure both machines in virtualbox to be in the same internal network, Or we can add a second network adapter to our windows 10 guest as host only and configure it.
For simplicity's sake, we will deactivate the windows 10 guest machine's firewall, but note that this is not done in real-life because it's a vulnerability in itself.
For that, in the windows 10 machine go to start and type "wf.msc", this will open windows defender firewall settings, click on "windows defender firewall properties" then turn every off in "domain profile", "private profile" and "public profile".

You can now retry to ping the guest machine and you'll see that it works, because we have allowed all incoming connections into our guest computer.

Create a new scan in Nessus

Nessus essentials should be ready by now, it's a web application so it's normal that you're using it in a web browser, go ahead and create a new scan by clicking "Create a new scan" and then choose "Basic network scan", name it and enter the windows 10 vm IP address in the "Targets" field then hit save.

There's a lot of other options you can choose from for performing scans, for example you can schedule scans to be performed each X amount of time or you can perform a scan using credentials which are the username and password of the targeted machine which will be a more in depth scan for registry and other things that require admin rights to read.

Inspecting the first scan (no credentials)

In the "My scans" panel, you'll find the scan you just created, click launch and wait for it to finish. After it's done, click it and you'll face a bunch of data, you can find scan details on the right and tabs on the top : Hosts shows you the targeted machine that have been scanned, Vulnerabilities tab contains the vulnerabilities your machine has each color coded according to the severity of the Vulnerability. Info means that it's not necessarily a vulnerability but it's something worth knowing, you'll also find a description and a solution for remediating each one.
You can go through each one and try to understand what it is about, you'll find some that say that Nessus wasn't able to fully scan for them because we didn't provide credentials, we'll do that in the next step.

Configuring VM for credentialed scans

In order to perform a scan with credentials, the targeted machine has to be in the same domain as the machine performing the scan, since it's not in our case, we are will have to make some tweaks on the windows 10 VM to allow our computer to perform a credentialed scan. As said before, in a real-life situation the two machines in the same organization will be the same network and in the same domain, so these tweaks won't be necessary.

We already configured the VM's network adapter as bridged, if not go ahead and do it, you'll have to shut down the vm first.
Open the start menu and look for "services.msc", find "Remote registry", double click and choose "Start type" as automatic and click Start.
From the start menu look for "Advanced sharing options" and turn on network discovery and file sharing. Next from the start menu look for "User account control settings" and turn it down to "never notify".
From the start menu look for "Registry Editor", on the left side panel navigate to "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" or simply paste it the directory input field. Right click on an empty space under all the other settings in this directory and choose NEW -> DWORD (32-bit) value and name it "LocalAccountTokenFilterPolicy", double click and set the value to 1. Restart the machine in order for the changes to apply.

First scan with credentials

Go back to Nessus, my scans, you can create a new scan or modify the previous one, check the previously created scan, go to "More" and "Configure". This time go to the "Credentials" tab and choose windows on the left side panel, set the authentication method as "Password", fill the username input field with the windows 10 VM account username, if you can't remember or find it simply go back to the VM, open a command line prompt and type "whoami". Fill the password, leave the other settings as default, hit save and launch the scan.

Inspecting the first scan (with credentials)

Right away you can see that a lot more critical vulnerabilities have been found comparing to the previous scan, you can compare the two by going to the "History" tab. The reason for that is when performing a scan without credentials we didn't scan any of filesystems, registry or running services. Dive into the results and other tabs, try to remediate some of these issues for a better understanding.

Remediating vulnerabilities

One of the easiest things you can do is, update your windows and deprecated software, go ahead and look for "Updates" in the start menu and install the latest updates. Next open up Microsoft Edge and go to Settings and more > Help and feedback > About Microsoft Edge (edge://settings/help). If the About page shows Microsoft Edge is up to date., you don't need to do anything. If the About page shows An update is available. Select Download and install to proceed.
Not all vulnerabilities are remediated with updates and patches, so you can try and remediate the other vulnerabilities by yourself for practice

Inspect scan results after remediating vulnerabilities

Running another scan on our machine, we can see that we have less high risk vulnerabilities, but still some of them need remediating manually.

Final thoughts

In this lab you've learned :

How to install a Windows 10 Virtual Machine on Oracle's Virtual Box.
How to install Nessus Essentials and run scans (with and without credentials)
Analyze the data and remediate some of the vulnerabilities found.

These are the basics of how vulnerability management works, but there's still a lot more for you to learn, read up on the subject and learn more about how it's done in detail, visit Teenable's documentation on Nessus and try to implement the other features that are available in Nessus Essentials.
You can also keep experimenting and install versions of software or OS like windows 7 or XP. Learn more about how vulnerability management is done in big organizations where you have to perform scans from a computer targeting computers and devices all withing the same domain, gain access to the other employees computers using their credentials and other advanced techniques for vulnerability management.
Also, make sure to automate updating software and OS in your organization so that you can only focus on the real issues that are harder to fix than simply launching an update. Machines are generally deployed with zero or the least amount of vulnerabilities, this is called a "secure build standard" making sure the device is secure before it goes into production.
Lastly, you'll also have to deal with humans and not only machines, getting everyone to coordinate and cooperate to face threats and how to respond when an incident occurs and how to prevent it from re-occurring can also be a part of the job.

Credit where credit's due,

This post was inspired by Josh Madakor's youtube video, check out his youtube channel for cyber security related content
Some lines from this article about the definition of vulnerability management.
Some lines from this article about how does Nessus work.

DNS, Active Directory and setting up a quick homelab using Oracle's VirtualBox.

OULD AMARA Amine — Sat, 12 Feb 2022 18:54:45 +0000

What is DNS

DNS is the backbone of your internet navigation ! Each website you gain access to via your favorite browser has an IP address, which is the address of the web sever hosting that website. Now, what if you had to memorize every website's IP address in order to access it ? That's where DNS comes in. DNS which stands for "Domain Name System", it is the hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol networks. In our previous example, what DNS does is provide a way to map names (a website you're seeking) to numbers (the address of the website), but how does that work exactly ?

How does DNS work ?

The information mapping a server's IP and it's corresponding domain name is stored in something we call a nameserver, which is a file that stores DNS records that says “this domain” maps to “this IP address”. Nameservers are distributed all around the world and instead of storing every domain name ever, they only store the locations of the top level domains (TLDs).

DNS Hierarchy

DNS uses a hierarchy to manage its distributed database system. The DNS hierarchy, also called the domain name space, is an inverted tree structure.
The DNS tree has a single domain at the top of the structure called the root domain. A period or dot (.) is the designation for the root domain. Below the root domain are the top-level domains that divide the DNS hierarchy into segments.
Listed below are the top-level DNS domains and the types of organizations that use them. Below the top-level domains, the domain name space is further divided into subdomains representing individual organizations.

Domains and Subdomains

A domain is a label of the DNS tree. Each node on the DNS tree represents a domain. Domains under the top-level domains represent individual organizations or entities. These domains can be further divided into subdomains to ease administration of an organization's host computers.
For example, "Company A" creates a domain called "companya.com" under the .com top-level domain. Company A has separate LANs for its locations in Chicago, Washington, and Providence. Therefore, the network administrator for Company A decides to create a separate subdomain for each division, as shown in Domains and Subdomains .

Any domain in a subtree is considered part of all domains above it. Therefore, chicago.companya.com is part of the companya.com domain, and both are part of the .com domain.

Domain Names

The domain name represents an entity's position within the structure of the DNS hierarchy. A domain name is simply a list of all domains in the path from the local domain to the root. Each label in the domain name is delimited by a period. For example, the domain name for the Providence domain within Company A is providence.companya.com, as shown in Domains and Subdomains and the list above.
Note that the domain names in the figure end in a period, representing the root domain. Domain names that end in a period for root are called fully qualified domain names (FQDNs).
Each computer that uses DNS is given a DNS hostname that represents the computer's position within the DNS hierarchy. Therefore, the hostname for host1 in Figure 2 is host1.washington.companya.com.
TLDs are the two or three character extensions like ".com" at the end of a domain name. Each TLD has its own set of nameservers that store the information for who is authoritative for storing the DNS records for that domain. The authoritative nameserver is typically the DNS provider or the DNS registrar (like GoDaddy that offers both DNS registration and hosting). And here, we can find the DNS record that maps example.com to the IP 127.66.122.88.

DNS queries

Let's suppose you have a computer and a printer connected to your domain which is called yourDomain.com, and your computer’s and your printer's addresses are yourComputer.yourDomain.com and yourPrinter.yourDomain.com respectively.
When you want to print something from your computer, which has something installed in it by default called a DNS client, you send what we call a DNS query to your server yourDomain.com. which has a DNS service with a nameserver that will resolve incoming DNS queries, it will then look for the printer in it's children hosts meaning the end devices that end with yourDomain.com, in this case it's yourPrinter.yourDomain.com, the printer will be found among them and the server will respond to your computer with the printer's IP, your computer then sends the documents directly to your printer using it's IP and the printer will receive the order and will print what's needed,pretty straightforward right ?

Recursive and Iterative queries

Now let's suppose you want to visit www.wikipedia.org, your DNS server won't have a clue what address is that because it has never seen it before and it is not in it's address book.
In that case, the DNS server will respond saying that it doesn't have that, but maybe, my parent has an answer to that query, the parent being the .com domain, it will in turn ask the root domain which will in turn ask the .org domain which will surely have www.wikipedia.org among it's children. This is called a recursive query.
The other type, you guessed it, iterative query basically is the DNS server firing queries to other DNS servers in order to find the IP address of a specific domain name it's looking for, this process is called DNS resolution. Once your local domain resolves the IP of www.wikipedia.org, it will cache it, storing it for future use so that the whole search cycle won't be required again.
Even your machine is capable of caching IP addresses and their corresponding domain name so that it doesn't even have to ask the DNS server but access the IP directly.

Active Directory

In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories in an alphabetical or thematic sequence. On many computers, directories are known as folders, or drawers, analogous to a workbench or the traditional office filing cabinet. (Wikipedia)
So in a similar way active directory let's companies organize all their resources very easily at one place, resources being employees, servers, files, printers and many other things, basically everything will be organized, accessed and managed very easily and in a secure way.

Active directory logical architecture

Suppose your company has a domain called companyDomain.com, now this domain is based on three locations in the world, Europe, United states and Asia. Suppose an employee joins the sales team of the US region of your company, the employee will be tagged as an "object", which is the most basic entity of an active directory and it will have it's own set of attributes (employee ID, name, email address,...).
Now suppose there are 100 employees under said sales department, we will create and OU (Organizational Unit) which is a general purpose container that helps administrators manage objects. For example, if an admin wants to assign file directory access to all the 100 members of the sales team, they can simply give the access at the OU level at it will be propagated down the 100 employees.
If you understood the DNS part, you will know that the objects, OUs and the three domains located around the world will all fall under one particular domain which is yourcompany.com.
Domain name server and active directory go hand in hand and their functioning is quite interrelated, while AD holds information about resources in the network, it uses DNS to find and resolve distinguished names into IP addresses.

Below are some basic definitions of each element of the AD structure.

Objet

Object is the basic element of Active Directory in Microsoft Windows Server family that represents something on the network, such as a user, a group, a computer, an application, a printer, or a shared folder.

Domain

An Active Directory domain is a logical group of objects (users, computers, OUs and so on) that is managed by the same administrative team and is usually located on the same physical network.

OU

Organizational Unit (OU) is a container in the Active Directory domain that can contain different objects from the same AD domain: other containers, groups, user and computer accounts. An Active Directory OU is a simple administrative unit within a domain on which an administrator can link Group Policy objects and assign permissions to other users/groups.
There are two main tasks when using OU, besides storing Active Directory objects:

Delegation of management and administrative tasks within the domain to other administrators and users without granting them the domain administrator privileges;
Linking Group Policies (GPO) to all objects (users and computers) in this OU.

Tree

A domain is a logical grouping of network objects such as user, computers and network devices. A tree or domain tree is a collection of domains. Moreover, a tree follows a parent domain, child domain tree structure. When a domain is under a specific domain, that domain is called the child domain while the main domain is called the parent domain.
Objects in different domains within a domain tree can communicate with each other through trusts. The trusts can be two-way or one-way trusts. For example, assume two domains. If both domains can communicate with each other, it is a two-way trust. If only one domain can communicate with the other domain, it is called one-way trust. Furthermore, all domains in the domain tree share a contiguous namespace.

Forest

A forest is a collection of trees or domain trees which provides the highest level of security boundary. It is also a complete active directory instance. Moreover, objects within the same forest can communicate with each other. If an object in one forest needs to exchange information with an object in another forest, the two forests should have forest level trust.

Setting up a home lab

First things first, before setting up a network, always use a diagram, it helps you get your plan in order and not get lost along the way. So this is our diagram.

Explaining the diagram

So the first thing we're going to do is download and install oracle virtualbox which is what we're going to use to run our virtual machines on, after that's installed we're going to download a windows 10 iso and a server 2019 iso that we're going to use to install the two operating systems on two separate virtual machines.
Next after we have everything downloaded and installed we're going to create our first virtual machine that hosts our domain controller inside active directory. We're going to give this virtual machine two network adapters : One is going to be used to connect to the outside internet and the other one that's going to be used to connect to the virtual box private network that the clients are going to connect to.
After our virtual machine is created, we're going to install windows server 2019 on it and then we're going to assign IP addressing for the internal network, the external network will automatically get IP addressing from your home router so we don't have to worry about it. After we have IP addressing setup we're going to name the server and then we're going to install active directory and create our domain then we're going to configure NAT and routing so the clients on the private network can reach the internet through the domain controller.
Next we're going to set up a DHCP on the domain controller so when we create our windows 10 machine it can automatically get an IP address
Last thing we do on the domain controller before we create our client virtual machine is we're going to run a powershell script that will automatically create a thousand users in active directory, this is optional but you can surely learn a thing or two doing it.
After creating the users we're going to create another virtual machine and install windows 10 on it and that virtual machine will be connected to the private virtual box network, we're going to name that machine client1 and join it to the domain and then we're going to log into it with one of our domain accounts.

Downloading and installing required software and OS

Oracle virtual box

Note that the performance of your computer might be affected depending on what hardware do you have and how much you allocate to your virtual machines.

On windows

Head out to virtual box's download page and follow the installation instruction.

On linux

Just follow this guide by Oracle. If you have dependencies issues, check out this page by the virtualbox team.

On MacOS

Much like windows, you only need to visit virtual box's download page and select the OS X hosts option, then follow the installation instruction and you're done.

Windows 10

Windows server 2019

Same as with Windows 10,Head to this page and choose ISO file.

Creating the virtual machines

So the next thing we're going to do is we're going to create our virtual machines. Open up virtualbox, I'm using Linux Ubuntu 20.04 so your interface might look slightly different if you're running it on Windows or MacOS.

We'll go to "new" and we're going to create the server 2019 computer first, pick other windows 64-bit, also you should name it accordingly to remember which machine is which. just leave all the settings by default and simply click next, the settings should be so that you can use at least run three virtual machines at the same time depending on you computer's hardware, or you can tweak them as you please.Next, click on your newly created VM, go to Settings, Network, remember if we look at the diagram, we're creating our domain controller right now so we wanna have two NICs (Network Interface Controllers) we want one that's dedicated for the internet that's going to be running NAT and then we'll have one that's dedicated for the internal vmware network. So our first adapter is going to connect to our our house internet and be given an IP address automatically by your router's DHCP, so we want to add one more adapter, go to Settings, Network, Adapter 2 and enable it, then simply select " Internal Network " under the Attached to menu, you can name it something like "intnet", click okay and now our VM is pretty much configured

Installing Windows 2019 OS in our VM

the VM is configured but it's still empty, so next we are going to install Windows server 2019 on it. Double click it to start it, it's going to open up a window, this is where we're going to select the server 2019 iso that we downloaded earlier, we'll click "choose a virtual optical disk file" (it's the little yellow folder next the the list), click Add and you'll browse to where you put the server 2019 iso file and add it, choose it in your newly updated lists of optical drives and click OK. Start the virtual machine and it will prompt you to a classic Windows 10 window, go next and we'll say install and then we're going to select the one with desktop experience in order to have a GUI with our operating system, accept the license agreements, say custom install and click next. So server 2019 is installed, you will be prompt with the default administrator account so just give it a password and make sure to remember it. In order to log in you have to press [CONTROL] + [ALT] + [DELETE] keys to unlock, if you're having trouble logging in just go to input in the VM menus bar and choose keyboard -> Insert ctrl+alt+delete, log in with your password.

Setup server network adapters

Next let's set up our IP addressing, so remember if we look at our diagram, we have two NICs : one that's dedicated for our internet connection and then we have an internal one that's going to be used for our internal network, for the internal one we have to set it up manually.
Left click on the network looking icon down on windows taskbar then click network, change adapter options, you'll find two network interfaces, let's check out the first one. We'll go to status -> details and if you find the IP similar to 10.XX.XX.XX that should be the first NIC that we use to connect to the internet (default Virualbox IP addressing), so naturally the second will be our internal one, we will give it an IP address.
Right click on it, select properties and double click on Internet Protocol version 4 and select "use the following IP address". If you want to learn more about IP addressing, check out this link that basically explains it, for now we will proceed assuming you have the knowledge. Enter this IP 172.16.0.1 and then the mask 255.255.255.0, under "Preferred DNS server" enter 172.16.0.1 and click OK, we're not going to use a default gateway because the domain controller itself is going to serve as the default gateway since it has two NICs, one for the internet and one on the inside so this particular NIC is not going to use the default gateway, and then for the DNS server, when we install active directory it automatically installs DNS so this server is going to actually use itself as the DNS server that's why we entered the same IP address as the first one, alternatively, you can enter the loopback address 127.0.0.1 which will have point to the machine itself.

Install Active Directory Domain Services

Next thing we're going to do is we're going to install active directory domain services, go ahead and open Server Manger, click on Add roles and features, click Next, select Role-based and continue, this is where you pick the server where you want to install the thing that you're going to install which is active directory domain services, we only have one server so we're just going to select the server we're going to use and then we're going to choose "active directory domain services" in the list, click next to all the setup, and then install.

Promote Domain Controller

Now that it has been installed you'll notice there's this a little flag in the upper right menu of your server manager, go ahead and click that, we have to do our post deployment configuration, we installed the software for active directory domain services but we didn't actually create the domain yet so we'll click Promote this server to a domain controller. In the deployment operation we will select "Add a new forest" and you can name your domain something like "mydomain.com", next enter your password and confirm it, click next, there's no need to create a DNS delegation so just click next again and again until install, you'll be logged out so just log in again.

Create domain admin account

Now we're going to create our own dedicated domain admin account instead of using the built-in administrator account, so we can do that by going to "start" and then "administrative tools" and then "active directory users and computers". See mydomain.com on the right side panel, this is our newly created domain, let's create an organizational unit to put our admin account in. We'll name it something like _ADMIN and uncheck "Protect this container from accidental deletion". This will be annoying when you try to delete it later. Now that you have create a domain admin account, right click on it on the right panel and select New -> User and name it like whatever your name is and enter create a password. Uncheck "user must change password next login" and check "password never expires", this is a basic password policy but you should definitely use your own organization's policy for more security. you'll notice your account has appeared, but it's not an admin yet, so right click it and go to "properties" -> "Member of" -> "Add" and under "Enter the object names to select" write "Domain Admins" apply and exit. Go ahead and log out of the domain controller and instead of logging into the administrator , go to "Other User" and use your domain admin account you created, and now you you know how to create an admin account in Active directory.

Install and configure RAS/NAT (Remote Access Server/Network Address Translation)

The purpose of this is to allow our windows 10 client to be on our private virtual network but still be able to access the internet through the domain controller so we're going to install.
Remember how we installed Active Directory Domain Services ? Do the same only this time select "Remote Access" in the list of Roles, next select "Routing" (DirectAccess and VPN is automatically selected), click next to the other setup steps and install.

Selecting the interface to connect to the internet

After the installation is finished, go to "tools" in the server manager menus and then go to "routing and remote access", right click on your machine's name on the left panel and select "configure and enable routing and remote access", click next, select the second option which is NAT to allow internal clients to connect to the internet using one address .Next an you're supposed to be able to see your internal and external interface under "use this public interface to connect to the internet", go ahead and select the one we're using to connect to the internet, if you can't remember which one is which just go back to your network adapters settings and simply rename them accordingly, click next and then finish. Now your clients will have access to the internet.

Install and configure DHCP

Setting up a DHCP server on our domain controller is essential in order for your windows 10 clients to get an IP address that will let them get on the internet they're on this kind of private internal network just like in your office or school.
By now you know how to add roles and features on your domain controller, go ahead and select DHCP this time from the roles list and simply install it following the default settings.

Setting up the scope

From the tools menu, select DHCP so we can set up our scope, DHCP' purpose is to allow devices on the network like client computers to automatically get their IP addresses so looking back at our diagram we defined a scope that will give the IP addresses in this range 172.16.0.100 with this subnet mask 255.255.255.0
In the DHCP configuration tool, you'll find on the left side panel under your_machine_name.mydomain.com something called IPv4, right click it and select "new scope", click next and name the scope, for the range put 172.16.0.100 through 200 (put 172.16.0.200 in the second one) because that's the range we're going to use. Again,if you're unfamiliar with notions such as IP addressing and IPv4 i strongly advice that you learn more about them in order to gain a better understanding of what we are doing here. Under "configuration settings that propagate to DHCP clients" set the length as 24. Next if you want to add exlusion, meaning IP addresses that you don't want given to hosts, this is where you do it, otherwise click next. For the lease duration, it depends on your use cases, it basically means how long does your host keep his IP address and it won't change each time he connects until the lease has expired. Next, you'll be asked if you want to configure DHCP options, that means we want to tell the clients which server to use for DNS, which server to use for the gateway and we do want to configure those things because we want them to be able to get on the internet so we're going to say yes, you'll have to add an ip address for a router used by clients, following our diagram we see that we configured NAT on the domain controller and the domain controller has routing configured as well so one of its jobs is to forward traffic from the clients to the internet so because of this the clients are going to use the internal NIC of the domain controller as their default gateway/router so going back to our DHCP configuration we're just going to enter the domain controller's IP address here (172.16.0.1) and click add.
Next you'll be asked what do you want to use for your DNS server, again when you install active directory on the domain controller it automatically installs DNS and so because of that we're going to use the domain controller as our DNS server, so just click next. For WINS Servers, we don't really need that in our setup so just click next and say yes to activating the scope and finish. Last step, right click the DHCP server up and say authorize then right click one more time and say refresh and you'll notice that IPv4 has turned green and just like that DHCP is set up.

Adding users using a PowerShell script (Optional)

You can easily skip this step and only create one user in order to test our windows 10 client, but the purpose of using a script is to show you that you can add users programmatically faster and without using an interface, if you remember while installing our windows server 2019 VM we had the choice to install the server without an interface, the commands you'll see in this script are a small example of what you'll be working with if your AD server machine doesn't have an interface.

In order to create our clients and join them to the domain we're going to use a powershell script to create a whole bunch of users in active directory so we can have sample users and we don't have to manually create them.



# ----- Edit these Variables for your own Use Case ----- #
$PASSWORD_FOR_USERS   = "Password1"
$USER_FIRST_LAST_LIST = Get-Content .\names.txt
# ------------------------------------------------------ #

$password = ConvertTo-SecureString $PASSWORD_FOR_USERS -AsPlainText -Force
New-ADOrganizationalUnit -Name _USERS -ProtectedFromAccidentalDeletion $false

foreach ($n in $USER_FIRST_LAST_LIST) {
    $first = $n.Split(" ")[0].ToLower()
    $last = $n.Split(" ")[1].ToLower()
    $username = "$($first.Substring(0,1))$($last)".ToLower()
    Write-Host "Creating user: $($username)"

    New-AdUser -AccountPassword $password `
               -GivenName $first `
               -Surname $last `
               -DisplayName $username `
               -Name $username `
               -EmployeeID $username `
               -PasswordNeverExpires $true `
               -Path 
"ou=_USERS,$(([ADSI]`"").distinguishedName)" `
               -Enabled $true
}
```

###Breaking up the script 
Obviously, every user has his own unique password, but in this case and for simplicity's sake, we're gonna create the users in the list of names with one password, so we create a variable with it's value the shared password.

```powershell
$PASSWORD_FOR_USERS   = "Password1"
```

In order to get the names from our .txt file, we use the "Get-Content" command with as an argument the filepath of the .txt file containing the names, the commands gets the content of the file and store each line in an array, we'll store the array in a variable. 

```powershell
$USER_FIRST_LAST_LIST = Get-Content .\names.txt
```

The "ConvertTo-SecureString" cmdlet converts plain text to secure strings, we do this in order to use it for the function that sets the new user's password upon creation, the function in question requires a parameter of type "SecureString"



```powershell
$password = ConvertTo-SecureString $PASSWORD_FOR_USERS -AsPlainText -Force
```

This one is self explanatory, we are simply creating a new OU called _USERS and setting the protection from accidental deletion to false. 

```powershell
New-ADOrganizationalUnit -Name _USERS 
-ProtectedFromAccidentalDeletion $false
```



```powershell
foreach ($n in $USER_FIRST_LAST_LIST) {
    $first = $n.Split(" ")[0].ToLower()
    $last = $n.Split(" ")[1].ToLower()
    $username = "$($first.Substring(0,1))$($last)".ToLower()
    Write-Host "Creating user: $($username)"
```
Remember the parameters we set when we created a new user ? This is the exact same thing done with powershell commands. If you're having trouble understanding a line, simply search it on [microsoft's powershell documentation](docs.microsoft.com/en-us/powershell) for more details.

```powershell
New-AdUser -AccountPassword $password `
               -GivenName $first `
               -Surname $last `
               -DisplayName $username `
               -Name $username `
               -EmployeeID $username `
               -PasswordNeverExpires $true `
               -Path "ou=_USERS,$(([ADSI]`"").distinguishedName)" `
               -Enabled $true

Installing Windows 10 Client on a VM machine

By now, you should be able to install a new machine on a oracle's virtualbox machine, if you can't remember the exact steps, go back to the Windows server 2019 installation instructions and follow those steps again only this time, you won't need two NICs, just one configured as internal network in order to connect to our domain controller. You might be asked more simple user oriented questions during the installation concerning privacy and ads, you can configure them as you wish as it doesn't affect our lab. Also, when you're prompted with "Let's connect you to a network" during the installation, it's preferred that you choose "I don't have internet", we will add a network manually for a more real-life situation where you're not always adding users as a newly installed Windows 10 OS.
After the installation process is finished, open up a command line prompt by going to "Start" and look for "cmd", there's no need to open it as an admin. run the following command



ipconfig /all

look for the lines that specify the DHCP server, DNS, Default gateway and the machine's IPv4 IP address, notice that they all match our configuration for the domain controller,
you can even try to access the internet or simply ping 8.8.8.8 in the command line to see if packets are being forwarded. Additionally, try to ping mydomain.com which will work naturally because you are on the same network. If it works, this means that all is in order, if you have different results, make sure you didn't forget any of the steps in our AD domain controller configuration.
Now for adding the computer to the newly created domain, right click the start menu button on the bottom left of your windows 10 and choose "System", then look for "Rename this PC (advanced)" button, then you'll see "to rename this computer or change it's domain or workgroup, click change" go ahead and click change, you can change the computer's name into Client1to match our diagram if you want, but it's not necessary. Under "member of" click domain and type on the field "mydomain.com" and click OK. Here you can add a user previously created in the domain controller, remember you added your own name to the list of names we added using the powershell script? Simply enter your name and as password "password1" if you left it unchanged in the provided script. Click OK and congratulations you are a member of the active directory. If you want to checkout the changes that happened in the domain controller following adding a machine to the domain, you go to the server manager, Tools, DHCP, on the left side panel expand the scope list and double click on "Address leases", we can see in here that we have one lease from our client computer, so when we created our client computer and joined it to the network reached out to the DHCP server automatically and requested an address and then the DHCP server gave it an address and now we have this lease in here, when a client gets an IP, it'll show up in here.
Another thing to check out, go to "Windows Administration", "Active directory users and computers", on the left side panel click on "Computers", there you'll find the computer's name we just added to the domain, you can manage that user from this menu, for example, if you delete it, he won't be able to log in with his credentials.
Going back the Windows 10 client, in the log in interface, you'll find "Other user" has appeared in the bottom left corner of you screen, click it and you'll notice that it says "Sign in to : MYDOMAIN.COM", enter your credentials and you can log in. Actually, you can use any other user from the list of names we added but you can configure your domain controller to make sure a certain user only logs in from a certain computer, i'll let look for that.
When logged in, open a command line and write "whoami", you'll see "mydomain\username", this again means that you are a member of the domain.

Final thoughts

You have now learned :

How does DNS work.
HOW to created virtual machines and configure them in Oracle's Virtualbox.
How to setup Active Directory, create a domain controller, configure DNS and DHCP, create users and admins.
How to join a client computer to the Active Directory. You have mastered the basics of DNS and Active Directory, but there's much more to learn ! Active Directory is a powerful tool and we only scratch to surface, i very much advise you to learn more about it's many features and the protocols it uses. If you ran into any problem while doing this lab, you can troubleshoot either by looking at the documentation or looking in forums.

Credit where credit's due,

This post was inspired by Josh Madakor's youtube video, check out his youtube channel for cyber security related content.

Hashing Algorithms and creating a simple file integrity monitor (FIM)

OULD AMARA Amine — Thu, 13 Jan 2022 23:19:19 +0000

The CIA triad

which stands for : Confidentiality, Integrity and Availability. These are the three pillars of every security infrastructure and represent goals for security experts to ensure in their company. Here’s what each one means in simple terms :

Confidentiality is keeping the data confidential and not shown to people who are not supposed to see it. a simple example would be the data exchanged between a client and a server in an online store (passwords, credit card information, preferences ...)
Integrity is maintaining the consistency and trustworthiness of data, making sure it doesn’t change if it’s not supposed to and if it does, the user knows about it. This is what we will cover in this tutorial. We will build a simple FIM (File Integrity Monitor) using hashing algorithms to monitor data and keep tabs on changes made on it (writing) and implement a warning that is triggered when said changes happen so that the user may take the necessary precautions.
Availability is ensuring that systems remain online and available for those who need them.

Hashing Algorithms

Or a cryptographic hash function is an algorithm that takes an arbitrary amount of data input and produces a fixed-size output of enciphered text called a hash value, or just “hash.” That enciphered text can then be stored instead of the password itself, and later used to verify the user in the most basic cases.

Hashes are non-reversible. it is very hard to find the original password from the output or hash.
Diffusion, the slightest of changes to the input will produce an entirely different output, thus making it harder.
Determinism, a given input must always produce the same hash value
Collision resistance. It should be hard to find two different passwords that hash to the same enciphered text.
Non-predictable. The hash value should not be predictable from the input. There are many hashing algorithm, in this post, we will be using the sha256 hash function, which is still approved as a secure algorithm

FIM (File Integrity Monitor)

File Integrity Monitoring (FIM) is a security practice which consists of verifying the integrity of operating systems and application software files to determine if tampering or fraud has occurred by comparing them to a trusted "baseline." this is mainly done by using hashing algorithms.

Coding our basic FIM

In our application, the input will be the digital thumbprint of each file in the directory that we would like to monitor for changes, the outputted hashes will be stored in a file to be then later compared to a newly calculated hash; If they're equal, that means no changes have been made to the file, else there has been changes. We will also cover the cases where a file is deleted or a new file is created.
Here's a chart to help you understand the functioning of the scripts we are about to see

Now for the code, this step-by-step guide will be in bash (the Bourne Again SHell) which is a widely used shell scripting language for automating tasks, but you can also find the python or Powershell version on the github page



#User input 
echo -ne "would you like to\n   1) Collect a new .baseline\nOr\n    2) Proceed with the previously recorded one\n   [ 1 | 2 ] ? "
read ans

get the user's input, easy enough, right?



function calculate_file_hash(){
    filehash=$(sha256sum $1 | cut -d ' ' -f 1)
    filepath=$1
    path_and_hash=$filepath"|"$filehash
    echo $path_and_hash
}

here we created a function that calculates the file hash for the specified file directory in function call argument

First case scenario, Collecting the baseline



if [ "$ans" = "1" ];then
    if [[ -f ".baseline.txt" ]]; then 
        rm .baseline.txt
        >.baseline.txt 
        #hidden file starts with a . (in linux based systems) 
    else
        >.baseline.txt 
    fi


#filling in the .baseline.txt file with filepath|filehash pairs
    for entry in "$monitoring_dir"/*
    do
        res=$(calculate_file_hash "$entry")
        echo $res >> .baseline.txt
    done

in this part, the user decided to collect a new baseline, the old one will be deleted if it exists and we will store the file_path|file_hash pairs in the newly created baseline.txt file using the calculate_file_hash function



else
    declare -A path_hash_dict
    #creating a dictionary with filepath as key and filehash as value
    lines=$(cat .baseline.txt)
    for line in $lines 
    do
        path=$( echo "$line" | cut -d '|' -f1 )
        hash=$( echo "$line" | cut -d '|' -f2-)
        path_hash_dict[$path]=$hash
    done

Second case scenario, user wants to start monitoring the files, first we create a dictionary where each key is the file path and the value for this key is the file's hash, this is done for easy access to the data stored in the baseline.txt file



while true
    do
        sleep 1
        #checking if a file has been deleted 
        for key in "${!path_hash_dict[@]}"; do
            if [ ! -f "$key" ]; then
                echo -e "A file has been REMOVED ! FILE NAME :$key" 
            fi
        done


        for file in "$monitoring_dir"/*
        do
            hash=$(sha256sum $file | cut -d ' ' -f 1)
            if [ ! -v path_hash_dict[$file] ]; then
                echo -e "A file has been CREATED ! FILE NAME : $key"
            else
                if [ "$hash" = "${path_hash_dict[$file]}" ]; then
                   continue
                elif [ "$hash" != "${path_hash_dict[$file]}" ]; then
                    echo -e "A file has been CHANGED ! FILE NAME : $key"
                    ls -la $key

                fi
            fi
        done

    done

fi

Let the monitoring start ! In this infinite while loop, if a key in our dictionary doesn't correspond to a file's name in the monitored directory, it means it has been deleted
If a file's name is not among the keys in our dictionary, it means a new file has been created in the monitored directory
Lastly, we calculate the hash of each file and compare it to the hash stored in the dictionary, if they're different, this means the file has been modified.

Find the a more complete version of this script on Github. You can also find the python and Powershell versions there.

Credit where credit's due,

This post was inspired by Josh Madakor's youtube video, check out his youtube channel for cyber security related content
Some lines from this article about cryptographic hash functions