Hello, I’m Elnur Badalov, a passionate Cyber Security Enthusiast dedicated to exploring the depths of cybersecurity, understanding its complexities, and sharing knowledge with others. My journey in this field is driven by a relentless quest for learning, an unwavering commitment to practice, and a desire to educate and inspire those around me.
This Lab represents not just a project, but a milestone in my journey. As my first self-constructed lab, it embodies the culmination of countless hours of research, experimentation, and a deep-seated passion for cybersecurity. I’ve designed this lab to provide a comprehensive, hands-on learning experience, and I sincerely hope it serves as a valuable resource for all who engage with it.
Beyond this project, I am continuously involved in various facets of cybersecurity, constantly seeking to expand my knowledge and skills. I believe in the power of community and collaboration in the ever-evolving world of cyber defense, and I am eager to connect with like-minded individuals and professionals in the field.
For more insights into my projects, professional background, and ongoing endeavors in cybersecurity, feel free to connect with me on LinkedIn. Your thoughts, feedback, and collaboration are always welcome.
LinkedIn: Elnur Badalov
I extend myheartfelt thanks to Telman Yusifov for his pivotal contribution, whose expertise and dedication have significantly enriched and propelled this project to success.
This Lab is a specialized virtual environment designed for the purpose of cybersecurity training and education. In today’s digital landscape, the importance of understanding and defending against cyber threats is paramount. This lab provides a practical, hands-on approach to learning various aspects of cybersecurity, including but not limited to penetration testing, network security, intrusion detection, and response strategies.
Purpose
The primary purpose of the this Lab is to facilitate a comprehensive understanding and application of cybersecurity concepts and practices. This lab environment allows users to:
1. Provide a hands-on approach to learning offensive and defensive cybersecurity techniques using tools like Metasploitable, Kali Linux, and Ubuntu.
2. Serve as an educational platform for aspiring cybersecurity professionals.
3. Create a safe, controlled environment for experimentation.
4. Enhance technical skills in network security and ethical hacking.
Scope
The scope of the Lab encompasses:
1. Virtualization and Network Setup: Utilizing VMware for the creation and management of virtual machines, each hosting different operating systems (Metasploitable, Kali Linux, and Ubuntu) and configured in a host-only network to ensure isolation and safety.
2. Tool Implementation and Configuration: Including Snort for intrusion detection.
3. Target Audience: The lab is intended for educational purposes, targeting students, cybersecurity beginners, and professionals who wish to enhance their practical knowledge in the field.
4. Learning Objectives: Focusing on providing hands-on experience in identifying vulnerabilities, conducting penetration tests, monitoring network traffic, and implementing defensive strategies.
5. Resource Constraints: Designed to be efficient and functional within the constraints of 8GB RAM, ensuring accessibility for users with limited hardware resources.
Hardware Requirements
RAM: 8 GB of RAM.
Storage: 30GB+
Operating Systems
1. Metasploitable: This will act as the victim machine. Metasploitable is intentionally vulnerable to provide a training environment for security testing.
https://sourceforge.net/projects/metasploitable/files/latest/download
2. Kali Linux: This will be used as the attacker machine. Kali Linux comes with numerous pre-installed penetration testing tools.
https://www.kali.org/get-kali/
3. Ubuntu: This will serve as the defense machine, where you’ll monitor the network and implement security measures.
https://ubuntu.com/download/desktop
Software Requirements
- Virtualization Software: VMWare.
- NIDS&NIPS: Snort https://www.snort.org/downloads#snort3-downloads
In my environment I have this network:
Kali — 192.168.152.128/24
Metasploitable — 192.168.152.129/24
Ubuntu — 192.168.152.130/24
Note: My Kali did not receive its IP from virtual DHCP. If you have such problem too, then:
> ip addr show eth0
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:0c:29:14:1d:0c brd ff:ff:ff:ff:ff:ff
> sudo ip link set eth0 up
> sudo dhclient eth0
> ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:14:1d:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.152.128/24 brd 192.168.152.255 scope global dynamic eth0
valid_lft 1659sec preferred_lft 1659sec
inet6 fe80::20c:29ff:fe14:1d0c/64 scope link proto kernel_ll
valid_lft forever preferred_lft foreverbSetting Up Attacker Machine — Kali
- Download VMWare version for Kali. https://www.kali.org/get-kali/
- Unpack
- Open file with `.wmx` extension
Setting Up Victim Machine — Metasploitable
- Download https://sourceforge.net/projects/metasploitable/files/latest/download
- Unzip
- Open file with `.wmx` extension
Setting Up Monitoring and Detection Machine — Ubuntu
1. Download iso https://ubuntu.com/download/desktop
2. Create a new Virtual Machine on VMWare
3.
4.
5. choose ubuntu’s iso
6.
7.
8.
9.
10.
(then click next again 2 times)
11.
(then again)
12. Finish
13. Power On. Installation will be opened.
14. Choose keyboard. (US)
15.
16.
17.
18. Choose Location
19.
20.
Snort is an open-source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) that is used for detecting and preventing network intrusions. It analyzes network traffic to identify malicious activity, logs packets, and can perform real-time traffic analysis and packet logging.
Setting Up Snort
sudo apt-get install snort -y2. Write there interface (you can learn it simply by running `ip a`.
3. Network
4.
sudo ip link set ens33 promisc on5.
vim /etc/snort/snort.conf6. change any to your ip range (mine is 192.168.152.0/24 )
7. Check the rules and other configurations
snort -T -i ens33 -c /etc/snort/snort.confYou can see that snort is using prewritten rules:
You can disable them by commenting these lines out:
All rules besides $RULE_PATH/local.rules
Now Snort is setup. Next thing to do is to write rules and detect them.
Writing the First rule
You can write them manually into `/etc/snort/rules/local.rules`. Or, in this website http://snorpy.cyb3rs3c.net/. Or, ChatGPT.
Some notations here:
- choose action type
- choose protocol
- source ip/port
- destination ip/port
- id (every snort rule should have different id)
- revision number. Normally after each update of the rule this number increases by one
- Message you want to leave there
- Resulting rule. Copy it.
alert icmp any any -> any any ( msg:"Someone is pinging"; sid:10000; rev:1; )
alert icmp any any -> $HOME_NET any ( msg:"Someone is pinging"; sid:10001; rev:1; )Write the rules into /etc/snort/rules/local.rules file:
This command will show alerts in real time:
snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.confPing to somewhere and get the alert. You also can try to ping from Kali to Metasploitable.
Example of its application in unauthorized ssh connections
alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH Brute Force Attack"; flags:S; threshold:type both, track by_src, count 5,
seconds 60; sid:10002; rev:1;)Explanation of the rule components:
- alert tcp any any -> $HOME_NET 22: This part specifies that the rule is looking for TCP traffic from any source IP and port, going to any IP within your defined `HOME_NET` on port 22 (the default SSH port).
- msg:”Possible SSH Brute Force Attack”: The message that will be logged when this rule is triggered.
- flags:S: This looks for packets with the SYN flag set, which are used to initiate TCP connections.
- threshold:type both, track by_src, count 5, seconds 60: This is a threshold condition. It tracks by source IP, and the rule triggers if there are 5 connection attempts (SYN packets) within 60 seconds.
- sid:10002; rev:1: Every Snort rule needs a unique SID (Snort ID), and a revision number.
Moreover, add this rule too. This is for checking single TCP connection:
alert tcp any any -> $HOME_NET any (msg:"TCP Connection Attempt Detected"; flags:S; sid:10003; rev:1;)Write it to the file and run the command.
Then, run Metasploitable and Kali.
Check the rule TCP Connection Attempt Detected:
You can see that we tried to connect to Metasploitable from Kali.
Now let’s check Possible SSH Brute Force Attack.
Drop
Let’s now write a drop rule for getting rid of unwanted FTP connection.
drop tcp any any -> $HOME_NET 21 (msg:"Possible FTP Brute Force Attack"; flags:S; threshold:type both, track by_src, count 5, seconds 20; sid:10004; rev:1;)Run ftp brute force with hydra in Kali:
hydra -l "root" -P /usr/share/wordlists/rockyou.txt ftp://192.168.152.129Extract IPs that get detected:
snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.conf | grep "Possible FTP Brute Force Attack" | awk '{print $13}' | awk -F ":" '{print $1}' >> drops.txtExample of Snort’s Application in Detecting XSS
alert tcp any any -> [Metasploitable_IP] 80 (msg:"XSS is Detected"; flow:to_server,established; content:"<script>"; http_uri; sid:10005; rev:1;)Add the rule to /etc/snort/rules/local.rules.
Open deliberately vulnerable web application: http://192.168.152.129/dvwa/vulnerabilities/xss_r/ in my case. Write there the payload: <script>alert(1)</script>.
Press Enter and get:
You will get the alert:
Write the alerts into log file.
snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.conf > /var/log/snort/alerts.txtChange directory to the place where logs are stored and open python server here.
cd /var/log/snort
python3 -m http.serverWrite this simple nodeJS application into app.js.
// Import the Express module to create a web server
const express = require('express');
// Import the Axios module for making HTTP requests
const axios = require('axios');
// Create an instance of an Express application
const app = express();
// Define the port number on which the server will listen
const port = 3000;
// URL of the API from which log data will be fetched. <blue_machine_ip>:<python_server_port>/log.file
const api = 'http://192.168.152.130:8000/alerts.txt' // Define a function to convert log entries into HTML format
const getLogsHtml = (logs) => {
return logs.map(log =>
// Create an HTML structure for each log entry
`<div class="log-entry">
<span class="timestamp">${log.timestamp}</span>
<p>${log.alert}</p>
</div>`
).join('');
};
// Define a route for the root ('/') URL
app.get('/', async (req, res) => {
try {
// Fetch log data from the API using Axios
const response = await axios.get(api);
// Split the data by new line and create an array of log entries
const logEntries = response.data.split('\n');
// Process each log entry and split it into timestamp and alert parts
const formattedLogs = logEntries.map(entry => {
const parts = entry.split(' ');
return { timestamp: parts[0], alert: parts.slice(1).join(' ') };
});
// Convert the log entries into HTML format
const logsHtml = getLogsHtml(formattedLogs);
// HTML template for the page
const htmlTemplate = '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Log Viewer</title><style>body { font-family: Arial, sans-serif; margin: 0; padding: 20px; background-color: #f4f4f4; } .log-entry { background-color: #fff; border: 1px solid #ddd; padding: 10px; margin-bottom: 10px; border-radius: 4px; } .timestamp { color: #888; }</style></head><body><h1>Log Entries</h1><div id="log-container"><!-- Log entries will be inserted here --></div></body></html>';
// Insert the log entries HTML into the template
const finalHtml = htmlTemplate.replace('<!-- Log entries will be inserted here -->', logsHtml);
// Send the final HTML as the response
res.send(finalHtml);
} catch (error) {
// Handle any errors by sending a 500 error response
res.status(500).send('Error fetching logs');
}
});
// Start the server and listen on the specified port
app.listen(port, () => {
console.log(`Server running on http://localhost:${port}`);
});
Install required packages and run the web app:
npm i express axios
node app.jsThis code demonstrates a comprehensive setup for logging, serving, and displaying log data using a combination of Snort, Python, and Node.js. First, it configures Snort to write alerts to a log file and then starts a Python HTTP server in the directory where these logs are stored. Next, it outlines a Node.js application using Express and Axios to fetch and display these logs in a web browser, with a focus on converting log entries into an HTML format for easy viewing. Finally, it provides commands to install the necessary Node.js packages and run the web application, completing the end-to-end process of log management and visualization.
You will have simple real-time Dashboard to see alerts. You may customize it for getting it more styled and add additional functionality to see other logs and actions.
This comprehensive training environment equips users with essential skills to tackle real-world cybersecurity challenges, bridging the gap between theoretical knowledge and practical application. By simulating attacks and defenses in a controlled setting, it prepares individuals for the dynamic and evolving landscape of cyber threats. This lab not only marks a significant milestone in my journey but also serves as a platform for continuous learning and collaboration in the cybersecurity community. I encourage all participants to leverage these experiences, share insights, and contribute to the collective resilience in the face of digital threats.
