forked from cliffe/SecGen
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path8_dead_analysis.xml
166 lines (140 loc) · 6.13 KB
/
8_dead_analysis.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Dead analysis lab</name>
<author>Z. Cliffe Schreuders</author>
<description>
# Introduction
In this lab, you will delve into the world of digital forensics and offline analysis by examining a compromised system to uncover evidence of a security breach. This lab provides a hands-on experience with various forensic tools and techniques to investigate a compromised server. You will explore key theoretical concepts such as integrity management, log analysis, file recovery, and timeline reconstruction to piece together the events leading to the system compromise.
You will learn how to mount a disk image read-only, analyze file integrity using MD5 hashes, use Autopsy on Kali to examine file types and check for trojanized executables, conduct timeline analysis to reconstruct the sequence of events, and examine deleted files for hidden clues. You will also investigate log files, identify attempted SSH and Telnet logins, and recover email addresses used in communication. By the end of the lab, you will have gained valuable practical experience in forensic analysis and incident response, equipping you with skills to identify and understand security breaches in real-world scenarios.
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
</description>
<type>ctf-lab</type>
<type>hackerbot-lab</type>
<type>lab-sheet</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="F" topic="Operating System Analysis">
<keyword>storage forensics</keyword>
<keyword>data recovery and file content carving</keyword>
<keyword>Timeline analysis</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Malware Detection">
<keyword>identifying the presence of malware</keyword>
</CyBOK>
<CyBOK KA="AAA" topic="Accountability">
<keyword>The fallibility of digital evidence to tampering</keyword>
</CyBOK>
<video>
<title>Dead System Analysis</title>
<by>Z. Cliffe Schreuders</by>
<url>https://youtu.be/3kiV0ZJWmMY</url>
<type>lecture-prerecorded</type>
<CyBOK KA="F" topic="Operating System Analysis">
<keyword>storage forensics</keyword>
<keyword>data recovery and file content carving</keyword>
<keyword>Timeline analysis</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Malware Detection">
<keyword>identifying the presence of malware</keyword>
</CyBOK>
<CyBOK KA="AAA" topic="Accountability">
<keyword>The fallibility of digital evidence to tampering</keyword>
</CyBOK>
</video>
<system>
<system_name>kali</system_name>
<base distro="Kali" name="MSF"/>
<input into_datastore="IP_addresses">
<value>172.16.0.2</value>
<value>172.16.0.3</value>
</input>
<input into_datastore="kali_account">
<value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<utility module_path=".*/parameterised_accounts">
<input into="accounts">
<datastore>kali_account</datastore>
</input>
</utility>
<!-- an admin account used for hackerbot access to the desktop and also spoilers/administration of the challenge -->
<input into_datastore="spoiler_admin_pass">
<generator type="strong_password_generator"/>
</input>
<utility module_path=".*/metasploit_framework"/>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<utility module_path=".*/autopsy"/>
<utility module_path=".*/dead_image"/>
<utility module_path=".*/iceweasel">
<input into="accounts">
<datastore>kali_account</datastore>
</input>
<input into="autostart">
<value>true</value>
</input>
<input into="start_page">
<datastore access="1">IP_addresses</datastore>
</input>
</utility>
<!-- TODO: get it to all run on Kali without the need for the desktop vm just to hold the evidence files -->
<!-- This does get HB and pidgin working, but HB doesn't have the creds to access any evidence files stored on the kali vm -->
<utility module_path=".*/pidgin">
<input into="server_ip">
<datastore access="1">IP_addresses</datastore>
</input>
<input into="accounts">
<datastore>kali_account</datastore>
</input>
</utility>
<vulnerability module_path=".*/ssh_root_login">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</vulnerability>
<network type="private_network" >
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
<system>
<system_name>hackerbot_server</system_name>
<base distro="Kali" name="MSF"/>
<service type="ircd"/>
<utility module_path=".*/metasploit_framework"/>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<service type="httpd"/>
<utility module_path=".*/hackerbot">
<input into="hackerbot_configs" into_datastore="hackerbot_instructions">
<generator module_path=".*/dead_analysis_v2">
<input into="accounts">
<datastore>kali_account</datastore>
</input>
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
<input into="hackerbot_server_ip">
<datastore access="1">IP_addresses</datastore>
</input>
</generator>
</input>
</utility>
<network type="private_network" >
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
</scenario>