CST 640 Project 1

Here is the scenario for Project 1:

A recently hired website administrator maintains and manages multiple websites across the country. Their reputation is good, and they are relatively inexpensive. Mercury USA, the small company you work for, just hired them. Their contract states that they may only access the Windows system through RDP (Remote Desktop Protocol – 3389). You are the Forensic Analyst for Mercury USA. Your IT specialist provided the website administrator with an account with administrative access so they can change and update their settings. The website administrator has many sites to maintain. As a shortcut, they added a hidden folder to the website. Within that folder there is a file where they stored their credentials so they can easily access the system. No one should be able to find this hidden folder and the file with the credentials, since it is not indexed. And, just as an extra precaution, the website administrator encoded the password with Base64 encoding on the off chance that someone with a lot of time on their hands would figure out the hidden URL. An attacker who regularly scans websites with directory buster, or dirb (a built-in Kali Linux tool), finds the hidden URL and then decodes the Base64 password.

Evaluation Criteria: Screenshots Slides 3-13

Exceeds Performance Requirements (30 points): In slides 3-11, student includes all of the screenshots of the initial configurations that will lead to a Network Intrusion. Names, and Date and Time Stamps that are reflective of this course.

Meets Performance Requirements (20 points): In slides 3-11, student includes most of the screenshots of the initial configurations that will lead to a Network Intrusion. Names, and Date and Time Stamps that are reflective of this course.

Does Not Meet Performance Requirements (0 points): Student is missing most or all of the screenshots for slides 3-11 in this Project.

Criterion Score of Screenshots Slides 3-13: / 30

Evaluation Criteria: Bullet Points in PowerPoint slides 3-11

Exceeds Performance Requirements (50 points): In slides 3-11, student includes detailed and relevant explanations in their bullet points that show their understanding of the configurations and settings that will lead to a Network Intrusion.

Meets Performance Requirements (40 points): In slides 3-11, student includes explanations in their bullet points that show their understanding of the configurations and settings that will lead to a Network Intrusion.

Does Not Meet Performance Requirements (0 points): Student is missing most or all of the descriptions or bullet points for slides 3-11 in this Project.

Criterion Score of Bullet Points in PowerPoint slides 3-11: / 50

Evaluation Criteria: Title Slide

Exceeds Performance Requirements (5 points): Title Slide has all relevant information and graphic.

Meets Performance Requirements (4 points): Title Slide has all relevant information but is missing graphic.

Does Not Meet Performance Requirements (0 points): Title Slide is not present.

Criterion Score of Title Slide: / 5

Evaluation Criteria: Introduction Slide

Exceeds Performance Requirements (5 points): Introduction Slide fully sets the stage for the materials covered in the slide deck.

Meets Performance Requirements (4 points): Introduction Slide sets the stage for the materials covered in the slide deck, but lacks some detail.

Does Not Meet Performance Requirements (0 points): Introduction Slide is not present.

Criterion Score of Introduction Slide: / 5

Evaluation Criteria: Summary Slide

Exceeds Performance Requirements (5 points): Summary Slide is comprehensive.

Meets Performance Requirements (4 points): Summary Slide is there but could be more comprehensive.

Does Not Meet Performance Requirements (0 points): Summary Slide is not present.

Criterion Score of Summary Slide: / 5

Evaluation Criteria: Reference Slide

Exceeds Performance Requirements (5 points): Reference Slide is there with at least 2 properly formatted APA references.

Meets Performance Requirements (4 points): Reference Slide is there with at least 1 properly formatted APA reference.

Does Not Meet Performance Requirements (0 points): Reference Slide is not present.

Criterion Score of Reference Slide: / 5

Total

Score of Project 1 – A Network Intrusion: / 100

CST 640 Project 1

WEBVTT

1
00:00:00.750 --> 00:00:08.069
Jesse Varsalone: Hi, my name is Jesse Varsalone and I'm going to cover the first project for you, so you have a

2
00:00:09.540 --> 00:00:20.250
Jesse Varsalone: PowerPoint template available in your course and it's available right at the top of the course under project templates.

3
00:00:21.300 --> 00:00:33.240
Jesse Varsalone: I'm going to go through the technical aspects of the project. Anything that I talk about in this video you are free to use as talking points in your PowerPoint bullets.

4
00:00:33.810 --> 00:00:54.690
Jesse Varsalone: Start off, talk about the purpose of your project and discuss what a network intrusion is. Discuss critical events. So the first thing we're going to do is we're going to get our IP address of our MARS Linux system, so if you take a look at mine,

5
00:00:56.430 --> 00:01:02.190
Jesse Varsalone: here's my Linux IP. I can get that here, and I can also get that

6
00:01:04.170 --> 00:01:07.350
Jesse Varsalone: in MARS by typing ifconfig on the Kali Linux machine.

7
00:01:11.670 --> 00:01:12.840
Jesse Varsalone: In Kali,

8
00:01:16.950 --> 00:01:20.190
Jesse Varsalone: I'll go to applications, usual applications,

9
00:01:23.940 --> 00:01:25.920
Jesse Varsalone: system tools, MATE terminal.

10
00:01:27.360 --> 00:01:29.130
Jesse Varsalone: And type ifconfig.

11
00:01:31.080 --> 00:01:39.090
Jesse Varsalone: And that IP that I had before matches the one on my MARS home page. Each student has different IP addresses; that's the way AWS works.

12
00:01:40.500 --> 00:01:40.800
Jesse Varsalone: You can get the

13
00:01:42.660 --> 00:01:47.280
Jesse Varsalone: IP of your Windows system on the MARS home

14
00:01:49.290 --> 00:01:53.490
Jesse Varsalone: screen. You can also right click on start, go up to run, and type

15
00:01:55.410 --> 00:01:59.580
Jesse Varsalone: CMD and click OK, and then type ipconfig.

16
00:02:00.720 --> 00:02:05.280
Jesse Varsalone: There's my Windows IP. So every student has different IP addresses on their Windows and Linux system.

17
00:02:06.840 --> 00:02:14.820
Jesse Varsalone: Next, IIS needs to be installed, which was done

18
00:02:15.360 --> 00:02:32.070
Jesse Varsalone: in section two of lab three. I've already got that done. I will not go through that process again right now, but I will show you how you can verify, to make sure that you do have IIS running. There's actually a number of ways you could do it.

19
00:02:33.330 --> 00:02:46.260
Jesse Varsalone: The way that is mentioned in the slide is to open Internet Explorer and type http://127.0.0.1

20
00:02:47.610 --> 00:02:51.180
Jesse Varsalone: Another way you could do it is to type netstat -an

24
00:03:06.690 --> 00:03:07.860
Jesse Varsalone: So, here it is. It's

25
00:03:09.900 --> 00:03:13.560
Jesse Varsalone: listening on port 80, so I have a web server.

26
00:03:14.970 --> 00:03:16.440
Jesse Varsalone: Okay, so.

27
00:03:17.580 --> 00:03:29.610
Jesse Varsalone: Make sure that's done. Now, we do need to do a security policy change. This is so we can create the specific user with a certain uncomplex password.

28
00:03:31.110 --> 00:03:41.910
Jesse Varsalone: I'll close my website. I'll type gpedit.msc. You could also do that in the run box.

29
00:03:43.320 --> 00:03:46.920
Jesse Varsalone: You're going to go to Windows settings,

30
00:03:50.670 --> 00:03:52.560
Jesse Varsalone: Security settings,

31
00:04:00.210 --> 00:04:03.120
Jesse Varsalone: Account policies, password policies.

32
00:04:06.210 --> 00:04:08.670
Jesse Varsalone: Double click on the policy that states Passwords must meet

33
00:04:10.740 --> 00:04:23.940
Jesse Varsalone: complexity requirements. You're going to disable that. That is done sometimes. Whether this actually is enabled by default depends on if it's a server or a

34
00:04:25.470 --> 00:04:47.640
Jesse Varsalone: workstation operating system. That's done, and then you can talk about passwords and password complexity and how that's important to an organization in that slide. The next thing we're going to do is type net user yournameadmin yourname /add

35
00:04:48.870 --> 00:04:54.180
Jesse Varsalone: Yournameadmin, and your first name without spaces is the password.

36
00:05:03.150 --> 00:05:05.730
Jesse Varsalone: Okay, so I added yournameadmin.

37
00:05:07.290 --> 00:05:12.060
Jesse Varsalone: Then I add that account to the administrators group by typing net localgroup administrators yournameadmin /add

38
00:05:15.480 --> 00:05:22.770
Jesse Varsalone: I've been using these net commands since Windows NT (for a long time).

39
00:05:38.490 --> 00:05:38.970
Jesse Varsalone: If you type

40
00:05:41.010 --> 00:05:42.780
Jesse Varsalone: net localgroup administrators

41
00:05:43.830 --> 00:05:49.050
Jesse Varsalone: You can actually see the list of the administrators on that system.

42
00:05:50.880 --> 00:05:53.760
Jesse Varsalone: Okay, the directions talk about Base64 encoding

43
00:05:54.900 --> 00:05:57.630
Jesse Varsalone: and the CyberChef website.

44
00:06:08.460 --> 00:06:12.990
Jesse Varsalone: Go to the site within MARS on your Windows system.

45
00:06:14.220 --> 00:06:15.210
Jesse Varsalone: It's a great site.

46
00:06:30.540 --> 00:06:30.930
Jesse Varsalone: OK.

47
00:06:33.840 --> 00:06:46.260
Jesse Varsalone: So now, this has many different ways you can encode and encrypt inputs, so what we're going to do is type our name.

48
00:06:48.600 --> 00:06:50.910
Jesse Varsalone: And then we're going to click To Base64.

49
00:06:51.990 --> 00:06:55.020
Jesse Varsalone: So that's the Base64 version of

50
00:06:56.910 --> 00:07:04.380
Jesse Varsalone: your name. You put your name, whether it's Tyrone or Tyesia, Sam, Jane or Sue.

51
00:07:05.760 --> 00:07:06.270
Jesse Varsalone: OK.

52
00:07:08.130 --> 00:07:12.630
Jesse Varsalone: So now I'm going to copy that Base64 encoded password to a text file.

54
00:07:17.220 --> 00:07:19.470
Jesse Varsalone: So I can just

55
00:07:20.610 --> 00:07:29.070
Jesse Varsalone: right click here, go to run and type notepad. You can also just right click on the desktop and create a new text document.

56
00:07:29.760 --> 00:07:46.110
Jesse Varsalone: Okay, so I'm going to save that until I get further directions. All right, and you're going to show those screenshots in your PPT. Website misconfigurations are common. So I'm gonna put a hidden directory in the website root folder.

57
00:07:47.790 --> 00:07:48.510
Jesse Varsalone: To do that,

58
00:07:49.710 --> 00:07:55.380
Jesse Varsalone: we need to be in the website directory. This is covered pretty significantly in the

59
00:07:56.640 --> 00:07:57.720
Jesse Varsalone: week 3 lab.

60
00:08:04.260 --> 00:08:14.070
Jesse Varsalone: Type: cd c:\inetpub\wwwroot

61
00:08:16.170 --> 00:08:22.320
Jesse Varsalone: Now we need to make a directory called hidden by typing md hidden.

62
00:08:27.120 --> 00:08:32.730
Jesse Varsalone: Type cd hidden

63
00:08:33.780 --> 00:08:37.740
Jesse Varsalone: Now we're going to create a file called index.html.

64
00:08:39.510 --> 00:08:50.550
Jesse Varsalone: To do that, type echo > index.htm
The next thing I want to do is type notepad index.html

65
00:08:51.600 --> 00:08:59.430
Jesse Varsalone: Now in here, erase the contents of the file and add the yournameadmin account and the Base64 encoded password.

69
00:09:20.310 --> 00:09:30.090
Jesse Varsalone: So here's the idea, the scenario. You have in some cases seen, especially back in the day, people would have hidden directories or

70
00:09:30.870 --> 00:09:42.240
Jesse Varsalone: hidden areas where they had the creds, because they were managing, you know, maybe 50 websites or something, and they want to keep track of everything, get there and get in fast.

71
00:09:42.750 --> 00:10:04.770
Jesse Varsalone: In this case, this directory is not accessible to anyone who goes to the site. They would have to kind of know where it is or dig deeper, and then the administrator's taking a further step of Base64 encoding the password. That way, if someone were to stumble across this

72
00:10:05.970 --> 00:10:18.450
Jesse Varsalone: area they wouldn't have the password itself, they would have the Base64 encoded password. So that's kind of where it goes. Now let's see what happens from there.

73
00:10:20.880 --> 00:10:22.710
Jesse Varsalone: So you're going to

74
00:10:23.760 --> 00:10:28.230
Jesse Varsalone: take a screenshot. All right, now we get to use a tool

75
00:10:29.520 --> 00:10:46.890
Jesse Varsalone: called dirb, which stands for directory buster. To do that, it's going to be a little different for each of you. I'm going to clear the screen here by typing clear, and then I'm going to type dirb http:// and I need the IP of my Windows system.

76
00:10:48.060 --> 00:11:06.360
Jesse Varsalone: Just copy and paste it from the MARS home page. Everyone has a different IP address. Don't use the one in the video. OK, so now this has just traversed all the directories and looked for a bunch of random

77
00:11:07.980 --> 00:11:11.940
Jesse Varsalone: directories to see if it gets any type of hits.

78
00:11:14.280 --> 00:11:21.480
Jesse Varsalone: And as you can see, it did get a hit. There's actually larger word sets that you can use to search for additional directories.

79
00:11:21.930 --> 00:11:33.960
Jesse Varsalone: We are only covering it on a surface level. So you see an automated tool a hacker might use to look for things on a website. Code 200 means that it exists. I'm going to click open link and

80
00:11:35.160 --> 00:11:40.230
Jesse Varsalone: Firefox will open at some point. There you go, there is the

81
00:11:41.400 --> 00:11:42.750
Jesse Varsalone: information needed.

82
00:11:44.610 --> 00:11:56.550
Jesse Varsalone: The credentials were extracted. All right, and then you want to go have a summary and then some APA references related to all the things that happened.

83
00:11:57.720 --> 00:12:10.140
Jesse Varsalone: As to the next project, the hacker will get in with those credentials and start performing post-exploitation tasks. And, in the

84
00:12:11.400 --> 00:12:18.540
Jesse Varsalone: final project, you will do the forensic analysis of looking at everything the hacker has done and how they got in.

85
00:12:20.310 --> 00:12:39.600
Jesse Varsalone: So, finally, for the end of this, just make sure that you hand in the deliverable of the PowerPoint for project one. Make sure you update all the slides with your relevant screenshots and relevant bullet points. Thank you.

CST 640 Project 1

Digital Forensics Technology and Practices:

Project 1 – A Network Intrusion

<Program><Section #>
<Student Name>
<Date>

<Insert Graphic Here>


Project 1 – Introduction

Talk about the purpose of the Project 1

Discuss Network Intrusions

Discuss any concerns or critical points related to this security incident

Erase all of the directions provided in this text box when you submit the project

MARS Linux System

Add a screenshot of your Linux IP

Discuss the Linux system that you are using in MARS

in a few bullet points …

Erase all of the directions provided in this text box

MARS Windows System

Add a screenshot of your Windows IP

Discuss the Windows system that you are using in MARS

in a few bullet points …

Erase all of the directions provided in this text box

IIS Setup

The directions for IIS Setup are in section 2 of Lab 3

You should be good if you went through the lab. If not, go through section 2 of Lab 3.

Add a screenshot of your connection to 127.0.0.1 on the Windows system.

Discuss what IIS is and its function in a few bullet points …

Erase all of the directions provided in this text box when you submit the project

Security Policy Changes

Right Click on the start button and select Run

In the Run Box, type gpedit.msc and then click ok.

Expand Computer Configuration.

Expand Windows Settings

Expand Security Settings

Expand Account Policies

Under Password Policies, double click Password must meet complexity requirements.

Click the Disabled Radio button and then click ok. Close the Local Group Policy Editor.

Add the screenshot seen here. Do not use the example screenshot.

Finally, Discuss Password Policies and their benefit in a few bullet points.

Erase all of the directions within this PowerPoint Slide to add your bullet points.

Adding an Administrative Account

Run these commands on your system, replacing yourname with your first name

net user yournameadmin yourname /add

Post your screenshot(s) here

Discuss the net user command

net localgroup administrators yournameadmin /add

Discuss the net localgroup command

Erase all of the directions provided in this text box when you submit the project
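The two slides above only work together: `net user yournameadmin yourname /add` is rejected while "Password must meet complexity requirements" is enabled, which is why the policy is disabled first. The checker below is an added example (not part of the course template or a Microsoft tool) that applies the documented rule for that policy: the password may not contain the account name (when the name is at least three characters) or any three-plus-character token of the full name, must be at least six characters long, and must draw on at least three of five character categories. The account and full names used in the demonstration are constructed placeholders.

```python
"""Apply the Windows "Password must meet complexity requirements" rule to a
candidate password, to show exactly which check blocks the lab's password.
Added example; it follows Microsoft's documented rule, it is not Microsoft code."""
import re

# displayName delimiters listed in the policy description
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]")


def _categories(password: str) -> set:
    """Which of the five complexity categories the password uses."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            cats.add("other-alpha")   # alphabetic but caseless, e.g. CJK
        else:
            cats.add("symbol")
    return cats


def complexity_violations(password: str, account_name: str, full_name: str = "") -> list:
    """Return the list of rule violations; an empty list means the policy accepts it.
    All name comparisons are case-insensitive, as in the policy."""
    problems = []
    lowered = password.lower()

    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains account name")

    # full name is split on the delimiters; tokens shorter than 3 chars are ignored
    for token in _NAME_DELIMS.split(full_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append("contains part of full name")
            break

    if len(password) < 6:
        problems.append("shorter than 6 characters")

    if len(_categories(password)) < 3:
        problems.append("fewer than 3 character categories")
    return problems


def lab_case() -> list:
    """The exact account from the slide: user yournameadmin, password yourname."""
    return complexity_violations("yourname", "yournameadmin")


if __name__ == "__main__":
    # constructed sample accounts; replace with the names from your own slide
    for pw, acct, full in [("yourname", "yournameadmin", ""),
                           ("Jesse", "jesseadmin", "Jesse Varsalone"),
                           ("Varsalone9!", "jvarsalone", "Jesse Varsalone"),
                           ("Mercury-USA-2024", "yournameadmin", "")]:
        v = complexity_violations(pw, acct, full)
        print(f"{pw!r:20} for {acct!r:16}: {'OK' if not v else ', '.join(v)}")
```

Run it with the policy enabled in mind: every account the lab creates fails on the category check alone, so the "uncomplex password" in the transcript is precisely what the disabled policy permits.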

Base64 Lesson

Go to https://gchq.github.io/CyberChef/

Drag Base64 to the Recipe Column

Type yourname (your first name) and click bake

Provide a screenshot of the output

Briefly explain CyberChef and Base64

Erase all of the directions provided in this text box

Copy the Base 64 output into a text file on Windows
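What CyberChef does when you bake "To Base64" is a fixed, public, keyless mapping of every 3 input bytes onto 4 characters from a 64-character alphabet, so anyone who recognises the format can reverse it. The block below is an added example (not CyberChef's code or part of the course material) that works the encoding through by hand, decodes it again, and checks the result against Python's standard library; the name "Jesse" is taken from the transcript, "yourname" from the slide.

```python
"""Base64 encode and decode implemented by hand, to show there is no secret
in the transformation. Added example; results are cross-checked against
Python's base64 module (RFC 4648 standard alphabet with '=' padding)."""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode(data: bytes) -> str:
    """Map each 3-byte group to four 6-bit indexes into ALPHABET."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # 24-bit integer, zero-filled on the right if the group is short
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1          # 1 byte -> 2 chars, 2 -> 3, 3 -> 4
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse the mapping; raises ValueError on a malformed string."""
    text = text.strip()
    if len(text) % 4:
        raise ValueError("Base64 length must be a multiple of 4")
    if "=" in text.rstrip("=") or len(text) - len(text.rstrip("=")) > 2:
        raise ValueError("padding may only be one or two trailing '='")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4].rstrip("=")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | ALPHABET.index(ch)   # ValueError if not in alphabet
        bits <<= 6 * (4 - len(quad))                  # re-align a short last group
        out += bits.to_bytes(3, "big")[: len(quad) - 1]
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled functions against the standard library."""
    encoded = b64_encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64_decode(encoded) == data)


if __name__ == "__main__":
    for name in (b"Jesse", b"yourname"):
        enc = b64_encode(name)
        print(f"{name.decode()} -> {enc} -> {b64_decode(enc).decode()}")
```

The decoder needs no key and no knowledge of who encoded the value: that is the whole reason Base64 is an encoding and not encryption, which is the point the "Base64 Lesson" slide should make.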

Website Misconfiguration

Right Click on the start button and select Run

In the Run Box, type cmd and then click ok.

Type cd c:\inetpub\wwwroot

mkdir hidden

cd hidden

echo > index.htm

notepad index.htm

In this file, type your username of yournameadmin, where yourname is your first name

In this file, paste your base64 encoded password of yourname

Add a screenshot of your index.htm file within the wwwroot folder

erase all of the directions provided in this text box
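The misconfiguration set up on this slide is detectable from the server side before anyone scans for it: a text file under the web root that contains an account-like word and a token that decodes cleanly to printable text is credential material in a world-readable location. The audit below is an added example (not part of the course material or an IIS feature); it rebuilds the lab's layout in a temporary directory so it runs anywhere, and reports only where the material sits and how long the decoded value is, never the value itself.

```python
"""Walk a web root and report files that hold Base64 tokens decoding to
printable text, the pattern the lab creates in wwwroot\\hidden\\index.htm.
Added example; the sample files are constructed here, not copied from a lab."""
import base64
import os
import re
import tempfile

# a run of Base64 alphabet characters with optional padding, not glued to other text
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")
CRED_WORDS = re.compile(r"admin|password|passwd|pwd|user(name)?|cred", re.I)
TEXT_EXT = {".htm", ".html", ".txt", ".config", ".json", ".xml",
            ".asp", ".aspx", ".js", ".bak", ".old"}


def decoded_text_length(token: str):
    """Length of the decoded value if the token is valid Base64 for printable
    ASCII, else None. binascii.Error from b64decode is a ValueError subclass."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return len(text) if text and text.isprintable() else None


def scan_web_root(root: str) -> list:
    """Return one finding per suspicious token in a text file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            has_cred_word = bool(CRED_WORDS.search(text))
            for match in B64_TOKEN.finditer(text):
                length = decoded_text_length(match.group(0))
                if length is not None:
                    findings.append({
                        "path": os.path.relpath(path, root).replace(os.sep, "/"),
                        "token": match.group(0),
                        "decoded_length": length,
                        "near_credential_word": has_cred_word,
                    })
    return findings


def build_lab_layout() -> str:
    """Constructed copy of the lab's web root in a temp dir (returns its path)."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    os.makedirs(os.path.join(root, "hidden"))
    with open(os.path.join(root, "iisstart.htm"), "w") as fh:
        fh.write("<html><body>Scheduled maintenance tonight</body></html>\n")
    with open(os.path.join(root, "hidden", "index.htm"), "w") as fh:
        fh.write("yournameadmin\neW91cm5hbWU=\n")   # Base64 of 'yourname'
    return root


if __name__ == "__main__":
    for f in scan_web_root(build_lab_layout()):
        flag = "with credential word nearby" if f["near_credential_word"] else ""
        print(f"{f['path']}: token decodes to {f['decoded_length']} printable chars {flag}")
```

Ordinary words in page text ("Scheduled", "maintenance") are rejected because their length is not a multiple of four or they decode to non-ASCII bytes, so the scan stays quiet on a normal site and points straight at the hidden index file.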

dirb attack on the Windows Server

Go to the Kali Machine

Open a Terminal

type dirb http://10.138.X.X, using the IP address of your Windows machine

Post a Screenshot

erase all of the directions provided

Credentials Extracted

Right Click Open Link on the CODE: 200 Link

Notice that the username and the password, encoded in Base64, are exposed.

Erase all of the directions provided in this text box when you submit the project

Post a screenshot of the harvested credentials.

Explain how website misconfigurations can lead to security incidents
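A directory scan like the one on the previous two slides leaves a distinctive trace in the IIS log: one client address produces a burst of 404 responses for many different paths in a short time, followed by a 200 on the path it found. The block below is an added example (not part of the course material and not an IIS or Kali tool) that parses W3C-format IIS log lines using the `#Fields:` header, flags any client whose 404 count inside a sliding window crosses a threshold, and lists which paths that client then reached with a 200. The log lines, addresses, probed path names and User-Agent strings are constructed for the example.

```python
"""Find directory brute-forcing in IIS W3C logs and report what the scanner
found. Added example with a constructed log; field names follow the IIS
default W3C field set, times are UTC as IIS writes them."""
from collections import defaultdict
from datetime import datetime, timedelta

SCANNER_IP = "10.138.2.7"                     # constructed, like the slide's 10.138.X.X
BROWSER_UA = "Mozilla/5.0+(Windows+NT+10.0)"  # IIS replaces spaces with '+'
SCANNER_UA = "constructed-scanner-agent/1.0"


def parse_iis_log(log_text: str) -> list:
    """Yield (timestamp, client_ip, uri, status) using the #Fields: header."""
    fields, events = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split(" ")))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-status"])))
    return sorted(events)


def detect_scanners(log_text: str, window: int = 60, threshold: int = 20) -> dict:
    """Clients with >= threshold 404s inside any `window` seconds, with the
    paths they subsequently fetched successfully."""
    by_ip = defaultdict(list)
    for ts, ip, uri, status in parse_iis_log(log_text):
        by_ip[ip].append((ts, uri, status))
    report = {}
    for ip, evs in by_ip.items():
        misses = [ts for ts, _uri, status in evs if status == 404]
        peak, start = 0, 0
        for i, ts in enumerate(misses):            # sliding window over sorted misses
            while (ts - misses[start]).total_seconds() > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            found = sorted({uri for ts, uri, status in evs
                            if status == 200 and ts >= misses[0]})
            report[ip] = {"peak_404_per_window": peak, "paths_found": found}
    return report


def build_sample_log() -> str:
    """Constructed log: one normal visitor, then a scan that finds /hidden/."""
    base = datetime(2024, 1, 15, 14, 0, 0)
    lines = ["#Software: Microsoft Internet Information Services 10.0",
             "#Version: 1.0",
             "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
             "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
             "sc-win32-status time-taken"]

    def entry(t, ip, uri, status, ua):
        return f"{t:%Y-%m-%d %H:%M:%S} 10.138.0.10 GET {uri} - 80 - {ip} {ua} - {status} 0 0 3"

    lines.append(entry(base, "10.138.1.50", "/", 200, BROWSER_UA))
    lines.append(entry(base + timedelta(seconds=2), "10.138.1.50", "/iisstart.htm", 200, BROWSER_UA))
    for i in range(24):                                   # 24 misses in 24 seconds
        lines.append(entry(base + timedelta(seconds=30 + i), SCANNER_IP, f"/dir-{i:02d}/", 404, SCANNER_UA))
    lines.append(entry(base + timedelta(seconds=54), SCANNER_IP, "/hidden/", 200, SCANNER_UA))
    lines.append(entry(base + timedelta(seconds=120), SCANNER_IP, "/hidden/index.htm", 200, BROWSER_UA))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip, info in detect_scanners(build_sample_log()).items():
        print(f"{ip}: {info['peak_404_per_window']} x 404 in a 60 s window; reached {info['paths_found']}")
```

The second 200 arrives from a different User-Agent a minute later, which is the "open link" step from the slide; grouping by client address rather than by agent is what keeps the follow-up visit tied to the scan in the report.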

Summary

Talk about the Tools and Technologies used

Talk about what happened

Talk about how the attacker got in.

References

<APA Reference Citations>
