Overview
The NAS Attack & Defense Lab was designed to simulate real-world attack scenarios and the corresponding defensive measures within a controlled environment. Through four distinct lab exercises, this project demonstrates my ability to analyze and exploit system vulnerabilities while also emphasizing proactive defense and mitigation, in particular an immediate response once an incident is detected. This dual focus underscores the necessity of understanding both offensive and defensive security practices to secure modern systems effectively.
Lab Summaries
Lab 1: SSH Brute Force Attack
- Attack: A brute force attack was conducted against the SSH service to simulate an attacker attempting to guess user credentials. The attack utilized a wordlist to automate login attempts.
- Detection: Evidence of the attack was found in the authentication log (/var/log/auth.log), showing repeated failed login attempts from the attacker’s IP address.
- Defensive Measures:
- Verified pf was enabled and demonstrated blocking the attacker IP in the pf.conf configuration file
Lab 2: Successful Brute Force Login
- Attack: A successful brute force attack was demonstrated by gaining access to a user account after discovering valid credentials.
- Detection: Authentication logs revealed an unauthorized login event. Process monitoring identified unusual user activity following the compromise.
- Defensive Measures:
- Immediately reset the account password upon detection and disabled user account login
- Disabled password-based authentication for SSH
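The detection step shared by Lab 1 and Lab 2 (repeated failures from one address, then a successful login from that same address) can be automated. The script below is an added example, not part of the original lab; the log lines are constructed in the standard sshd syslog format using documentation-range addresses, and the thresholds are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample of sshd entries in the format written to /var/log/auth.log.
# The addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 nas sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 12 10:15:03 nas sshd[2233]: Failed password for root from 192.0.2.10 port 51240 ssh2
Jan 12 10:15:04 nas sshd[2235]: Failed password for alice from 192.0.2.10 port 51244 ssh2
Jan 12 10:15:06 nas sshd[2237]: Failed password for alice from 192.0.2.10 port 51250 ssh2
Jan 12 10:15:07 nas sshd[2238]: Failed password for alice from 192.0.2.10 port 51252 ssh2
Jan 12 10:15:09 nas sshd[2240]: Accepted password for alice from 192.0.2.10 port 51300 ssh2
Jan 12 10:20:00 nas sshd[2301]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jan 12 10:21:00 nas sshd[2305]: Accepted publickey for bob from 198.51.100.7 port 40020 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def analyze_auth_log(text, brute_threshold=5, fail_before_success=3):
    """Return (brute_force_ips, suspicious_logins).

    brute_force_ips: {ip: failure_count} for addresses at or above brute_threshold (Lab 1).
    suspicious_logins: (ip, user, method) for each successful login preceded by at least
    fail_before_success failures from the same address (Lab 2's unauthorized login).
    Thresholds are assumed defaults, not values from the lab.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif failures[m["ip"]] >= fail_before_success:
            suspicious.append((m["ip"], m["user"], m["method"]))
    brute = {ip: n for ip, n in failures.items() if n >= brute_threshold}
    return brute, suspicious

if __name__ == "__main__":
    brute, logins = analyze_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute)          # candidates for a pf block rule
    print("logins after failures:", logins)       # accounts to reset and review
```

On a live system, feed the function the contents of /var/log/auth.log and use the flagged addresses as candidates for the pf block rule from Lab 1.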
Lab 3: Privilege Escalation
- Attack: Privilege escalation was achieved by exploiting a vulnerable SUID binary (vim) and setting the TERM environment variable to xterm. This allowed the attacker to spawn a root shell.
- Detection: Logs revealed the execution of vim with elevated privileges and unusual processes spawned by non-root users. The exploitation was also identified via process monitoring (ps aux) and auditing of recent SUID binary changes.
- Defensive Measures:
- Identified processes related to the user account and terminated them immediately
- Removed unnecessary SUID permissions from binaries.
Lab 4: Persistence
- Attack: Persistence was established by adding an attacker’s public SSH key to the root user’s authorized_keys file, enabling passwordless SSH access.
- Detection: The unauthorized modification of the authorized_keys file was detected using the find command to locate recently modified files. SSH logs also revealed public key-based logins from the attacker’s machine.
- Defensive Measures:
- Manually inspected ~/.ssh/authorized_keys for unauthorized key entries
- Removed the unauthorized entries from ~/.ssh/authorized_keys
- Reset the password of the user account associated with the unauthorized key entries
Key Takeaways
- Proactive Defense is Crucial: Each attack demonstrated the importance of an immediate response upon detection combined with layered security measures, such as disabling SSH password-based authentication, terminating malicious processes, and applying network restrictions. Regular auditing of user activity, file modifications, and system configurations can detect and prevent many attacks.
- Understanding the Attacker’s Perspective: By simulating attacks, this lab highlights how attackers exploit vulnerabilities, misconfigurations, and weak security practices. This knowledge is invaluable for developing effective defensive strategies.
- Balance Between Offensive and Defensive Practices: The ability to execute and detect attacks showcases a well-rounded understanding of both red and blue team methodologies. Combining these perspectives ensures a more robust security posture.
Conclusion
The NAS Attack & Defense Lab demonstrates a comprehensive understanding of offensive and defensive cybersecurity practices. By exploring attack techniques such as brute force, privilege escalation, and persistence, this project provides practical insights into the risks facing modern systems. The corresponding defensive measures demonstrate the value of an immediate response upon detecting these attacks and reflect the importance of proactive monitoring, strict access controls, and regular audits in mitigating these threats.