Analysis & Reporting

A concise wrap-up of the NAS Attack & Defense Labs—offense, detection, response, and lessons learned.

Overview

The NAS Attack & Defense Lab simulates real-world attack scenarios and corresponding defenses in a controlled environment. Across four labs, it demonstrates exploitation paths (brute force, privilege escalation, persistence) and blue-team playbooks (log analysis, process containment, hardening). The emphasis is on rapid detection, immediate response, and durable mitigation.

Lab Summaries

Lab 1 — SSH Brute Force Attack

  • Attack: Automated wordlist brute force targeting SSH.
  • Detection: Repeated failures in /var/log/auth.log tied to the attacker IP.
  • Defense: Verified pf enabled; blocked attacker IP via pf.conf and reloaded rules.

Lab 2 — Successful Brute Force Login

  • Attack: Valid credentials discovered; shell access obtained (then upgraded to Meterpreter).
  • Detection: Unauthorized login in auth logs; unusual processes and activity.
  • Defense: Reset password; disabled user login; disabled SSH password auth (keys only).

Lab 3 — Privilege Escalation

  • Attack: A misconfigured SUID bit on vim, combined with a proper TERM setting, led to a root shell via :!sh.
  • Detection: Logs show editor launching shells; ps aux reveals root-owned interactive shells.
  • Defense: Killed rogue processes; removed unnecessary SUID permissions.

Lab 4 — Persistence

  • Attack: Added attacker public key to authorized_keys for passwordless SSH re-entry.
  • Detection: Recent modification of authorized_keys; auth logs show key-based logins.
  • Defense: Removed unauthorized keys, reset passwords, terminated active sessions.
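As an added example (not part of the lab's own material), the following script ties together the detections in Labs 1, 2 and 4 and the containment step from Lab 1: it parses constructed /var/log/auth.log lines, flags any source IP that crosses a failure threshold, reports password and key-based logins from that same IP (a successful brute force, and a key-based re-entry that points at a tampered authorized_keys), and emits a pf.conf table/block fragment for the offending addresses. The log lines, addresses, usernames, table name and threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (not captured from the lab);
# 192.0.2.50 plays the attacker, 198.51.100.7 a normal user with one typo.
SAMPLE_AUTH_LOG = """\
Oct  3 10:01:01 nas sshd[2101]: Failed password for invalid user admin from 192.0.2.50 port 51000 ssh2
Oct  3 10:01:02 nas sshd[2102]: Failed password for root from 192.0.2.50 port 51001 ssh2
Oct  3 10:01:03 nas sshd[2103]: Failed password for root from 192.0.2.50 port 51002 ssh2
Oct  3 10:01:04 nas sshd[2104]: Failed password for root from 192.0.2.50 port 51003 ssh2
Oct  3 10:01:05 nas sshd[2105]: Failed password for root from 192.0.2.50 port 51004 ssh2
Oct  3 10:01:09 nas sshd[2106]: Accepted password for labuser from 192.0.2.50 port 51005 ssh2
Oct  3 10:15:30 nas sshd[2200]: Accepted publickey for labuser from 192.0.2.50 port 51100 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Oct  3 09:00:00 nas sshd[1900]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Oct  3 09:00:10 nas sshd[1901]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
"""

# sshd log formats for failed and accepted logins (user and source IP captured)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port")

def analyze_auth_log(text, threshold=5):
    """Return (kind, ip, detail) findings: a brute-force run (Lab 1), a password
    login from an IP that was brute forcing (Lab 2), and a key-based login from
    that IP, which after a compromise points at an added authorized_keys entry (Lab 4)."""
    failures = Counter()
    accepted = defaultdict(list)  # ip -> [(method, user), ...]
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted[m.group(3)].append((m.group(1), m.group(2)))
    findings = []
    for ip, count in failures.items():
        if count < threshold:
            continue  # a few typos from a legitimate user are not a brute force
        findings.append(("brute_force", ip, count))
        for method, user in accepted[ip]:
            kind = ("password_login_after_brute_force" if method == "password"
                    else "publickey_login_after_brute_force")
            findings.append((kind, ip, user))
    return findings

def pf_block_rules(ips):
    """pf.conf fragment: a persistent table of offenders plus a quick block rule."""
    table = ", ".join(sorted(ips))
    return f"table <bruteforce> persist {{ {table} }}\nblock drop in quick from <bruteforce>"

if __name__ == "__main__":
    results = analyze_auth_log(SAMPLE_AUTH_LOG)
    for finding in results:
        print(finding)
    print(pf_block_rules({ip for _, ip, _ in results}))
```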

Key Takeaways

  1. Proactive defense matters: Immediate containment (firewall blocks, process kills) plus layered hardening (SSH keys-only, least privilege) stop escalation.
  2. Think like an attacker: Understanding offensive paths exposes weak configurations and guides practical defenses.
  3. Balanced skillset: Blending red/blue techniques yields better detections, faster response, and more resilient systems.

Conclusion

This project demonstrates end-to-end security practice: discovering weaknesses, exploiting them in a lab, detecting the activity through logs and telemetry, and applying durable mitigations. The workflows—brute force, privilege escalation, and persistence—mirror common intrusion chains and reinforce the value of continuous monitoring, strict access controls, and regular audits.