Introduction to Penetration Testing Practice Seminar PA211 Advanced Topics of Cyber Security October 11, 2022 Ádám Ruman, Jan Vykopal PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz1 PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz2 Goals of this seminar ̶ Become acquainted with: ̶ System under test (target) in the pentesting sandbox. ̶ Your teammates. PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz3 Pentesting Sandbox PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz4 Pentesting sandbox – Preparation 1. Run pa211_setup command – only on school computers (nymfe). 2. Clone a new repository with the target (pentesting sandbox): https://gitlab.fi.muni.cz/cybersec/pa211/pentesting.git 3. Change directory to pentesting. This directory contains Vagrantfile. 4. Run vagrant up. PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz5 Pentesting sandbox – Description ̶ Two hosts in the same LAN 10.1.26.0/24. ̶ Kali Linux (attacker machine) is here for you (pentester). ̶ Server machine runs the target system. ̶ You can access the target (server) from Kali (attacker) via CLI (SSH) or GUI (VirtualBox) console. ̶ You can also access web applications at the target using SSH port forwarding (see next slide). PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz6 Pentesting sandbox – Local browser access 1. Set up port forwarding to be able to use your browser at the host to access the target: vagrant ssh server -- -ND 9050 Let it run in the background. 2. Set up Firefox at your host (nymfe) steps in README.md. If you cannot connect to Cursio, check you have set the SOCKS proxy in Firefox according to the screenshot in the README. PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz7 Pentesting sandbox – Check the target app Verify that you can access the target at http://cursio.local using Firefox at your attacker or your local host. 1. Open GUI console and log in the Kali using kali as username and password. Open Firefox at Kali and visit Cursio. 2. Or, if you use local browser access: open Firefox at your local and visit Cursio. PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz8 Pentesting sandbox – Check networking ̶ Kali Linux has IP 10.1.26.23. ̶ The target has IP 10.1.26.9. ̶ Check whether you can ping cursio.local from the attacker: vagrant ssh attacker ping cursio.local PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz9 Troubleshooting ̶ Destroy and (re)create a virtual machine: ̶ vagrant destroy -f ̶ vagrant up ̶ If Ansible provisioning fails, rerun tasks with: ̶ vagrant provision ̶ List open ports the on server: ̶ sudo netstat -tulpn PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz10 The target PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz11 Cursio application – I ̶ Cursio is a web portal for offering and searching various courses and freetime activities. ̶ Users can create and manage their user accounts, including changing their e-mail or password and editing their profile picture and user description. ̶ Registered users can create courses and sign up for courses created by other users. PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz12 Cursio application – II ̶ Each course is classified by target age group, location, and general type. ̶ Courses are filtered by their categories or by using a full-text search feature. ̶ The front-end application with the API server provides the most significant attack surface of the sandbox. PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz13 Scope of the pentest ̶ The server machine hosting Cursio. ̶ IP address 10.1.26.9 within the pentesting sandbox. PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz14 Rules of engagement ̶ Each of you is provided with a testing instance (this will NOT happen in practice). ̶ Using social engineering is forbidden. ̶ If you break your sandbox, feel free to recreate it using vagrant destroy and vagrant up. ̶ Do not share your findings with other teams. ̶ Do not share the sandbox outside the class. ̶ Contact person: Ádám Ruman <469068@muni.cz> PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz15 Your task for today ̶ Familiarize yourselves with the pentesting sandbox. ̶ You are expected to interact with the application and observe various features, API calls, and user roles. ̶ Note the sandbox contains more targets than the web portal. ̶ Remember, you are a team. Work in a team, and share what you find with other team members. ̶ Next week: actual pentesting (using tools at Kali). PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz16 Recommendation for teamwork ̶ Create a shared document for your findings ̶ Establish a secure communication channel for your team: ̶ MS Teams, Keybase, … ̶ Agree on a time window for working outside the class (will be necessary next week) PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz17 How was it today? Please fill in an anonymous exit ticket: https://muni.cz/go/pa211-22-05 PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz18