Digital Forensics Technology and Practices: Project 1 – A Network Intrusion Talk about the purpose of the Project 1 Discuss Network Intrusions D

,

WEBVTT 1 00:00:00.750 –> 00:00:08.069 Jesse Varsalone: hi my name is Jesse Varsalone and I'm going to cover the first project for you, so you have a 2 00:00:09.540 –> 00:00:20.250 Jesse Varsalone: PowerPoint template available in your course and it's available right at the top of the course under project templates. 3 00:00:21.300 –> 00:00:33.240 Jesse Varsalone: i'm going to go through the technical aspects of the project, anything that I talk about in this video you are free to use as talking points in your PowerPoint bullets. 4 00:00:33.810 –> 00:00:54.690 Jesse Varsalone: Start off talk about the purpose of your project and discuss what a network intrusion is. Discuss critical events. So the first thing we're going to do is we're going to get our IP address of our Mars Linux system, so if you take a look at mine, 5 00:00:56.430 –> 00:01:02.190 Jesse Varsalone: here's my Linux IP I can get that here, and I can also get that. 6 00:01:04.170 –> 00:01:07.350 Jesse Varsalone: In Mars by typing ifconfig on the Kali Linux machine. 7 00:01:11.670 –> 00:01:12.840 Jesse Varsalone: In Kali, 8 00:01:16.950 –> 00:01:20.190 Jesse Varsalone: I'll go to applications, usual applications, 9 00:01:23.940 –> 00:01:25.920 Jesse Varsalone: system tools, mate terminal. 10 00:01:27.360 –> 00:01:29.130 Jesse Varsalone: And type ifconfig. 11 00:01:31.080 –> 00:01:39.090 Jesse Varsalone: And that IP that I had before matches the on on my MARS home page. Each student has different IP addresses that's the way AWS works. 12 00:01:40.500 –> 00:01:40.800 Jesse Varsalone: You can get the 13 00:01:42.660 –> 00:01:47.280 Jesse Varsalone: IP of your windows system on the MARS home 14 00:01:49.290 –> 00:01:53.490 Jesse Varsalone: screen, you can also right click on start, go up to run, and type 15 00:01:55.410 –> 00:01:59.580 Jesse Varsalone: CMD and click OK, and then type ipconfig. 16 00:02:00.720 –> 00:02:05.280 Jesse Varsalone: There's my Windows IP. So every student has different IP addresses on their Windows and Linux system. 17 00:02:06.840 –> 00:02:14.820 Jesse Varsalone: Next IIS needs of be installed which was done in 18 00:02:15.360 –> 00:02:32.070 Jesse Varsalone: in section two of lab three. I've already got that done, I will not go through that process again right now, but I will show you how you can verify, to make sure that you do have IIS running. There's actually a number of ways, you could do it. 19 00:02:33.330 –> 00:02:46.260 Jesse Varsalone: The way that is mentioned in the slide is to open Internet Explorer and type http://127.0.0.1 20 00:02:47.610 –> 00:02:51.180 Jesse Varsalone: Another way you could do it is to type netstat -an 21 00:02:57.660 –> 00:02:57.930 Jesse Varsalone: . 22 00:02:59.280 –> 00:02:59.820 Jesse Varsalone: . 23 00:03:01.410 –> 00:03:01.860 Jesse Varsalone: . 24 00:03:06.690 –> 00:03:07.860 Jesse Varsalone: So, here it is it's 25 00:03:09.900 –> 00:03:13.560 Jesse Varsalone: listening on port 80 so I have a web server. 26 00:03:14.970 –> 00:03:16.440 Jesse Varsalone: Okay, so. 27 00:03:17.580 –> 00:03:29.610 Jesse Varsalone: Make sure that's done now, we do need to do a security policy change this is so we can create the specific user with a certain uncomplex password. 28 00:03:31.110 –> 00:03:41.910 Jesse Varsalone: i'll close my website i'll type gpedit.msc. You could also do that in the run box. 29 00:03:43.320 –> 00:03:46.920 Jesse Varsalone: you're going to go to Windows settings, 30 00:03:50.670 –> 00:03:52.560 Jesse Varsalone: Security settings, 31 00:04:00.210 –> 00:04:03.120 Jesse Varsalone: Account policies, password policies. 32 00:04:06.210 –> 00:04:08.670 Jesse Varsalone: Double click on the policy that states Passwords must meet 33 00:04:10.740 –> 00:04:23.940 Jesse Varsalone: complexity requirements. You're going to disable that. That is done sometimes. Whether this actually is enabled by default depends if it's a server or a 34 00:04:25.470 –> 00:04:47.640 Jesse Varsalone: workstation operating system. That's done and then you can talk about you passwords and password complexity and how that's important to an organization in that slide. The next thing we're going to do is type net user yournameadmin yourname /add 35 00:04:48.870 –> 00:04:54.180 Jesse Varsalone: Your nameadmin, and your first name without spaces is the password. 36 00:05:03.150 –> 00:05:05.730 Jesse Varsalone: Okay, so I added yournameadmin. 37 00:05:07.290 –> 00:05:12.060 Jesse Varsalone: Then I add that account to the administrators group by typing net localgroup administrators yourname admin /add 38 00:05:15.480 –> 00:05:22.770 Jesse Varsalone: I've been using these net commands since windows nt (for a long time). 39 00:05:38.490 –> 00:05:38.970 Jesse Varsalone: If you type 40 00:05:41.010 –> 00:05:42.780 Jesse Varsalone: net localgroup administrators 41 00:05:43.830 –> 00:05:49.050 Jesse Varsalone: You can actually see the list of the administrators on that account on that system. 42 00:05:50.880 –> 00:05:53.760 Jesse Varsalone: Okay, the directions talk about Base64 encoding 43 00:05:54.900 –> 00:05:57.630 Jesse Varsalone: and the cyber chef website. 44 00:06:08.460 –> 00:06:12.990 Jesse Varsalone: Go the the site within MARS on your Windows system. 45 00:06:14.220 –> 00:06:15.210 Jesse Varsalone: it's a great site. 46 00:06:30.540 –> 00:06:30.930 Jesse Varsalone: OK. 47 00:06:33.840 –> 00:06:46.260 Jesse Varsalone: So now, this is has many different ways, you can encode and encrypt inputs, so what we're going to do is type our name. 48 00:06:48.600 –> 00:06:50.910 Jesse Varsalone: And then we're going to click to base 64. 49 00:06:51.990 –> 00:06:55.020 Jesse Varsalone: So that's the base 64 version of 50 00:06:56.910 –> 00:07:04.380 Jesse Varsalone: your name. You put your name, whether it's Tyrone or Tyesia, Sam, Jane or Sue. 51 00:07:05.760 –> 00:07:06.270 Jesse Varsalone: OK. 52 00:07:08.130 –> 00:07:12.630 Jesse Varsalone: So now i'm going to copy that Base64 encoded password to a text file. 53 00:07:13.710 –> 00:07:14.040 Jesse Varsalone: . 54 00:07:17.220 –> 00:07:19.470 Jesse Varsalone: So I can just 55 00:07:20.610 –> 00:07:29.070 Jesse Varsalone: Right click here go to run and type notepad. You can also just right click on the desktop create a new text document. 56 00:07:29.760 –> 00:07:46.110 Jesse Varsalone: Okay, so i'm going to save that until I get further directions. All right and you're going to show those screenshots in your PPT. Website miss configurations are common. So i'm gonna put a hidden directory in the website root folder. 57 00:07:47.790 –> 00:07:48.510 Jesse Varsalone: To do that, 58 00:07:49.710 –> 00:07:55.380 Jesse Varsalone: we need to be in the website directory, this is covered pretty significantly in the 59 00:07:56.640 –> 00:07:57.720 Jesse Varsalone: week 3 lab. 60 00:08:04.260 –> 00:08:14.070 Jesse Varsalone: type: cd c:inetpubwwwroot 61 00:08:16.170 –> 00:08:22.320 Jesse Varsalone: Now we need to make a directory called hidden by typing md hidden. 62 00:08:27.120 –> 00:08:32.730 Jesse Varsalone: Type cd hidden 63 00:08:33.780 –> 00:08:37.740 Jesse Varsalone: Now we're going to create a file called index.html. 64 00:08:39.510 –> 00:08:50.550 Jesse Varsalone: To do that, type echo > index.htm The next thing I want to do is type notepad index.html 65 00:08:51.600 –> 00:08:59.430 Jesse Varsalone: Now in here erase the contents of the file and add the yournameadmin account and the base64 encoded password. 66 00:09:00.690 –> 00:09:01.860 Jesse Varsalone: . 67 00:09:03.570 –> 00:09:05.370 Jesse Varsalone: . 68 00:09:07.620 –> 00:09:11.820 Jesse Varsalone: . 69 00:09:20.310 –> 00:09:30.090 Jesse Varsalone: So here's the idea, the scenario, you have in some cases, seen especially back in the day, people would have hidden directories or 70 00:09:30.870 –> 00:09:42.240 Jesse Varsalone: hidden areas where they had the creds because they were managing you know, maybe 50 websites or something, and they want to keep track of everything get there and get in fast. 71 00:09:42.750 –> 00:10:04.770 Jesse Varsalone: In this case, this directory is not accessible to anyone who goes to the site, they would have to kind of know where it is or the dig deeper and then the administrator's taking a further step of Base64 encoding the password that way, if someone were to stumble across this 72 00:10:05.970 –> 00:10:18.450 Jesse Varsalone: area they wouldn't have the password itself, they would have the base 64 encoded password. So that's kind of where it goes now let's see what happens from there. 73 00:10:20.880 –> 00:10:22.710 Jesse Varsalone: So you're going to 74 00:10:23.760 –> 00:10:28.230 Jesse Varsalone: take a screenshot. All right now we get to use a a tool 75 00:10:29.520 –> 00:10:46.890 Jesse Varsalone: called dirb which stands for directory buster. To do that it's going to be a little different for each of you i'm going to clear the screen here by typing clear and then i'm going to type dirb http:// and I need the IP of my Windows system. 76 00:10:48.060 –> 00:11:06.360 Jesse Varsalone: Just copy and paste it from the MARS home page. Everyone has a different IP Address. Don't use the one in the video. OK, so now, this is just done a transverse all the directories and look for a bunch of random 77 00:11:07.980 –> 00:11:11.940 Jesse Varsalone: directories and see if it gets any type of hits. 78 00:11:14.280 –> 00:11:21.480 Jesse Varsalone: And as you can see, it did get a hit there's actually larger word sets that you can use to search for additional directories. 79 00:11:21.930 –> 00:11:33.960 Jesse Varsalone: We are only covering it on a surface level. So you see an automated tool, a hacker might use to look for things on a website code 200 means that exists. I'm going to click open link and 80 00:11:35.160 –> 00:11:40.230 Jesse Varsalone: firefox will open some point. There you go, there is the 81 00:11:41.400 –> 00:11:42.750 Jesse Varsalone: information needed. 82 00:11:44.610 –> 00:11:56.550 Jesse Varsalone: The credentials were extracted. All right, and then you want to go have a summary and then some APA references related to all the things that happened. 83 00:11:57.720 –> 00:12:10.140 Jesse Varsalone: As to the next project, the hacker will get in with those credentials and start performing post exploitation tasks. And, in the 84 00:12:11.400 –> 00:12:18.540 Jesse Varsalone: final project, you will do the forensic analysis of looking at everything the hacker has done and how they got in. 85 00:12:20.310 –> 00:12:39.600 Jesse Varsalone: So, finally, for the end of this just make sure that that you hand in the deliverable of the PowerPoint for project one. Make sure you update all the slides with your relevant screenshots and relevant bullet points. Thank you.

,

Here is the scenario for Project 1:

A recently hired website administrator maintains and manages multiple websites across the country. Their reputation is good, and they are relatively inexpensive. Mercury USA, the small company you work for, just hired them. Their contract states that they may only access the Windows system through RDP (Remote Desktop Protocol – 3389). You are their Forensic Analyst for Mercury USA. Your IT specialist provided the website administrator with an account with administrative access so they can change and update their settings. The website administrator has many sites to maintain. As a shortcut, they added a hidden folder to the website. Within that folder there is a file where they stored their credentials so they can easily access the system. No one should be able to find this hidden folder and the file with the credentials, since it is not indexed. And, just as an extra precaution, the website administrator encoded the password with Base64 encoding on the off chance that someone with a lot of time on their hands would figure out the hidden URL. An attacker who regularly scans websites with directory buster, or dirb (a built in Kali Linux tool), finds the hidden URL and then decodes the base64 password.

Total

Score of Project 1 – A Network Intrusion,

/ 100

,

WEBVTT 1 00:00:00.750 –> 00:00:08.069 Jesse Varsalone: hi my name is Jesse Varsalone and I'm going to cover the first project for you, so you have a 2 00:00:09.540 –> 00:00:20.250 Jesse Varsalone: PowerPoint template available in your course and it's available right at the top of the course under project templates. 3 00:00:21.300 –> 00:00:33.240 Jesse Varsalone: i'm going to go through the technical aspects of the project, anything that I talk about in this video you are free to use as talking points in your PowerPoint bullets. 4 00:00:33.810 –> 00:00:54.690 Jesse Varsalone: Start off talk about the purpose of your project and discuss what a network intrusion is. Discuss critical events. So the first thing we're going to do is we're going to get our IP address of our Mars Linux system, so if you take a look at mine, 5 00:00:56.430 –> 00:01:02.190 Jesse Varsalone: here's my Linux IP I can get that here, and I can also get that. 6 00:01:04.170 –> 00:01:07.350 Jesse Varsalone: In Mars by typing ifconfig on the Kali Linux machine. 7 00:01:11.670 –> 00:01:12.840 Jesse Varsalone: In Kali, 8 00:01:16.950 –> 00:01:20.190 Jesse Varsalone: I'll go to applications, usual applications, 9 00:01:23.940 –> 00:01:25.920 Jesse Varsalone: system tools, mate terminal. 10 00:01:27.360 –> 00:01:29.130 Jesse Varsalone: And type ifconfig. 11 00:01:31.080 –> 00:01:39.090 Jesse Varsalone: And that IP that I had before matches the on on my MARS home page. Each student has different IP addresses that's the way AWS works. 12 00:01:40.500 –> 00:01:40.800 Jesse Varsalone: You can get the 13 00:01:42.660 –> 00:01:47.280 Jesse Varsalone: IP of your windows system on the MARS home 14 00:01:49.290 –> 00:01:53.490 Jesse Varsalone: screen, you can also right click on start, go up to run, and type 15 00:01:55.410 –> 00:01:59.580 Jesse Varsalone: CMD and click OK, and then type ipconfig. 16 00:02:00.720 –> 00:02:05.280 Jesse Varsalone: There's my Windows IP. So every student has different IP addresses on their Windows and Linux system. 17 00:02:06.840 –> 00:02:14.820 Jesse Varsalone: Next IIS needs of be installed which was done in 18 00:02:15.360 –> 00:02:32.070 Jesse Varsalone: in section two of lab three. I've already got that done, I will not go through that process again right now, but I will show you how you can verify, to make sure that you do have IIS running. There's actually a number of ways, you could do it. 19 00:02:33.330 –> 00:02:46.260 Jesse Varsalone: The way that is mentioned in the slide is to open Internet Explorer and type http://127.0.0.1 20 00:02:47.610 –> 00:02:51.180 Jesse Varsalone: Another way you could do it is to type netstat -an 21 00:02:57.660 –> 00:02:57.930 Jesse Varsalone: . 22 00:02:59.280 –> 00:02:59.820 Jesse Varsalone: . 23 00:03:01.410 –> 00:03:01.860 Jesse Varsalone: . 24 00:03:06.690 –> 00:03:07.860 Jesse Varsalone: So, here it is it's 25 00:03:09.900 –> 00:03:13.560 Jesse Varsalone: listening on port 80 so I have a web server. 26 00:03:14.970 –> 00:03:16.440 Jesse Varsalone: Okay, so. 27 00:03:17.580 –> 00:03:29.610 Jesse Varsalone: Make sure that's done now, we do need to do a security policy change this is so we can create the specific user with a certain uncomplex password. 28 00:03:31.110 –> 00:03:41.910 Jesse Varsalone: i'll close my website i'll type gpedit.msc. You could also do that in the run box. 29 00:03:43.320 –> 00:03:46.920 Jesse Varsalone: you're going to go to Windows settings, 30 00:03:50.670 –> 00:03:52.560 Jesse Varsalone: Security settings, 31 00:04:00.210 –> 00:04:03.120 Jesse Varsalone: Account policies, password policies. 32 00:04:06.210 –> 00:04:08.670 Jesse Varsalone: Double click on the policy that states Passwords must meet 33 00:04:10.740 –> 00:04:23.940 Jesse Varsalone: complexity requirements. You're going to disable that. That is done sometimes. Whether this actually is enabled by default depends if it's a server or a 34 00:04:25.470 –> 00:04:47.640 Jesse Varsalone: workstation operating system. That's done and then you can talk about you passwords and password complexity and how that's important to an organization in that slide. The next thing we're going to do is type net user yournameadmin yourname /add 35 00:04:48.870 –> 00:04:54.180 Jesse Varsalone: Your nameadmin, and your first name without spaces is the password. 36 00:05:03.150 –> 00:05:05.730 Jesse Varsalone: Okay, so I added yournameadmin. 37 00:05:07.290 –> 00:05:12.060 Jesse Varsalone: Then I add that account to the administrators group by typing net localgroup administrators yourname admin /add 38 00:05:15.480 –> 00:05:22.770 Jesse Varsalone: I've been using these net commands since windows nt (for a long time). 39 00:05:38.490 –> 00:05:38.970 Jesse Varsalone: If you type 40 00:05:41.010 –> 00:05:42.780 Jesse Varsalone: net localgroup administrators 41 00:05:43.830 –> 00:05:49.050 Jesse Varsalone: You can actually see the list of the administrators on that account on that system. 42 00:05:50.880 –> 00:05:53.760 Jesse Varsalone: Okay, the directions talk about Base64 encoding 43 00:05:54.900 –> 00:05:57.630 Jesse Varsalone: and the cyber chef website. 44 00:06:08.460 –> 00:06:12.990 Jesse Varsalone: Go the the site within MARS on your Windows system. 45 00:06:14.220 –> 00:06:15.210 Jesse Varsalone: it's a great site. 46 00:06:30.540 –> 00:06:30.930 Jesse Varsalone: OK. 47 00:06:33.840 –> 00:06:46.260 Jesse Varsalone: So now, this is has many different ways, you can encode and encrypt inputs, so what we're going to do is type our name. 48 00:06:48.600 –> 00:06:50.910 Jesse Varsalone: And then we're going to click to base 64. 49 00:06:51.990 –> 00:06:55.020 Jesse Varsalone: So that's the base 64 version of 50 00:06:56.910 –> 00:07:04.380 Jesse Varsalone: your name. You put your name, whether it's Tyrone or Tyesia, Sam, Jane or Sue. 51 00:07:05.760 –> 00:07:06.270 Jesse Varsalone: OK. 52 00:07:08.130 –> 00:07:12.630 Jesse Varsalone: So now i'm going to copy that Base64 encoded password to a text file. 53 00:07:13.710 –> 00:07:14.040 Jesse Varsalone: . 54 00:07:17.220 –> 00:07:19.470 Jesse Varsalone: So I can just 55 00:07:20.610 –> 00:07:29.070 Jesse Varsalone: Right click here go to run and type notepad. You can also just right click on the desktop create a new text document. 56 00:07:29.760 –> 00:07:46.110 Jesse Varsalone: Okay, so i'm going to save that until I get further directions. All right and you're going to show those screenshots in your PPT. Website miss configurations are common. So i'm gonna put a hidden directory in the website root folder. 57 00:07:47.790 –> 00:07:48.510 Jesse Varsalone: To do that, 58 00:07:49.710 –> 00:07:55.380 Jesse Varsalone: we need to be in the website directory, this is covered pretty significantly in the 59 00:07:56.640 –> 00:07:57.720 Jesse Varsalone: week 3 lab. 60 00:08:04.260 –> 00:08:14.070 Jesse Varsalone: type: cd c:inetpubwwwroot 61 00:08:16.170 –> 00:08:22.320 Jesse Varsalone: Now we need to make a directory called hidden by typing md hidden. 62 00:08:27.120 –> 00:08:32.730 Jesse Varsalone: Type cd hidden 63 00:08:33.780 –> 00:08:37.740 Jesse Varsalone: Now we're going to create a file called index.html. 64 00:08:39.510 –> 00:08:50.550 Jesse Varsalone: To do that, type echo > index.htm The next thing I want to do is type notepad index.html 65 00:08:51.600 –> 00:08:59.430 Jesse Varsalone: Now in here erase the contents of the file and add the yournameadmin account and the base64 encoded password. 66 00:09:00.690 –> 00:09:01.860 Jesse Varsalone: . 67 00:09:03.570 –> 00:09:05.370 Jesse Varsalone: . 68 00:09:07.620 –> 00:09:11.820 Jesse Varsalone: . 69 00:09:20.310 –> 00:09:30.090 Jesse Varsalone: So here's the idea, the scenario, you have in some cases, seen especially back in the day, people would have hidden directories or 70 00:09:30.870 –> 00:09:42.240 Jesse Varsalone: hidden areas where they had the creds because they were managing you know, maybe 50 websites or something, and they want to keep track of everything get there and get in fast. 71 00:09:42.750 –> 00:10:04.770 Jesse Varsalone: In this case, this directory is not accessible to anyone who goes to the site, they would have to kind of know where it is or the dig deeper and then the administrator's taking a further step of Base64 encoding the password that way, if someone were to stumble across this 72 00:10:05.970 –> 00:10:18.450 Jesse Varsalone: area they wouldn't have the password itself, they would have the base 64 encoded password. So that's kind of where it goes now let's see what happens from there. 73 00:10:20.880 –> 00:10:22.710 Jesse Varsalone: So you're going to 74 00:10:23.760 –> 00:10:28.230 Jesse Varsalone: take a screenshot. All right now we get to use a a tool 75 00:10:29.520 –> 00:10:46.890 Jesse Varsalone: called dirb which stands for directory buster. To do that it's going to be a little different for each of you i'm going to clear the screen here by typing clear and then i'm going to type dirb http:// and I need the IP of my Windows system. 76 00:10:48.060 –> 00:11:06.360 Jesse Varsalone: Just copy and paste it from the MARS home page. Everyone has a different IP Address. Don't use the one in the video. OK, so now, this is just done a transverse all the directories and look for a bunch of random 77 00:11:07.980 –> 00:11:11.940 Jesse Varsalone: directories and see if it gets any type of hits. 78 00:11:14.280 –> 00:11:21.480 Jesse Varsalone: And as you can see, it did get a hit there's actually larger word sets that you can use to search for additional directories. 79 00:11:21.930

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.