Insufficient Logging and Monitoring Lab

00:00

Hey, everyone, welcome back to the core. So in this video, where to go through are insufficient logging and monitoring lab again, The labs in this course I want to stress a very fundamental in nature there just to show you some different types of attacks that militias actor could do to help you understand better about the security side of things. In this video, we're to be doing the logging of monitoring lab. Now,

00:20

there are step by step guides for these labs were found in the resource section of the course. To be sure, toe

00:25

go there and download those. You could follow along step by step. I have the lap step by step guide here on the screen. I'm not gonna use it. I'll just talk you through this lab s so I'll go ahead, minimize that now.

00:36

And the other thing I want to point out is just like the other lab in this course. You want to make sure that as you go through the lab on the right side here, be sure to check these boxes so you can get credit for the lab. You notice when I check a box, it gives me some credit on the task bar here. Very important if you want to get credit for the lab.

00:53

So let's go ahead and get started here. We're gonna log into R. Kelly Lennox with the user name of student and a password of student as well. I take a moment of soda. Lucky in.

01:00

Once you log into Callie, we're just gonna launch a terminal window. The way we do that is on the left side here, this little black box. Just go ahead and click on that. And that. A launch? A terminal window for you.

01:10

So in this particular lab, there's a logging request that's been saved in a file called log in dot text. So we're just gonna take a look that file real quick. So we really use a command called Cat,

01:19

and we're just gonna type in the file name, so log in dot Txt and his Princess Presa entered a keyboard and you'll be able to see the information in that file.

01:29

All right, the next thing we're going to do is we're gonna do a brute force attack with a tool called Hydra, so THC, hydra. We're going to use that to do an attack against the log in page. So I'm gonna pause the video briefly. Why? A type in the long command again? You have that commanding two step by step guide. You can go ahead, pause a video and type it along,

01:48

and then also

01:49

on the right side of your screen. You in these instructions, you'll also find that same command. So it's right down in here. So I'm gonna go ahead and type that in, and we'll come back in the video once I've typed the entire command in.

02:00

All right, So we typed in that long command there and again, Just double check yourself. Make sure you didn't have any typing errors at all, But it should be Hydra space dash and lower case F space stash. Lower case L space Admin Space Dash Capital P on, then a long command that wraps up in quotation marks.

02:19

So once you type that in, you can go ahead and press enter into keyboard. It may take a minute or two to actually go ahead in return the password, but it should return a password to you.

02:29

All right, so once it is completed, you'll see that we have found our passwords. You'll see here the password. We've grabbed his admin pass. So next we're to go ahead and launch. Firefox will do that by just clicking this orange icon at the top left on the left side. Here.

02:44

All right. Once we've launched Firefox, you're just gonna select this view log option.

02:49

And so in the log file, we're just gonna take a look and see if we notice anything that might indicate the password attack that we just did. So we just captured that admin passwords. We're gonna see if we see anything that might stand out to us as we're reviewing this log information.

03:04

So we see we could see here quickly that Hey, there were some failed log in attempts here,

03:08

and we could also, if we keep scrolling down, we could see additional failed log in attempts, and then we'll eventually see the actual successful attempt. So you see here that we successfully were able to log in

03:20

as the admin.

03:22

So if you look at the step by step guide that's provided with this particular lab, of course, one of the questions are in this area is gonna be Do you actually see any evidence of that password attack? We did.

03:32

And so the answer there is, Yes. We do see evidence that someone

03:37

or in an or some entities tried to log in and they had several failed log in attempts, but then they had a successful one. All right. The other question in in the step by step guide is what other information do you see? So you notice for some I p addresses here along with some date and time stamps? It's just the host. I peed names,

03:54

eso that might give us an indication of where this attack came from. We can also see when the attack occurred. Now, keeping in mind that this I p address here could be office skated so it may not be the actual Attackers i p address. In fact, in the fast majority of cases, it's not going to be. But we do get some basic log information here.

04:15

Now, the last question on the step by step guide is

04:18

Is this enough? Is this enough logging that we're doing? And the answer is no. Right. And yes, this is a lab environment, but this is not enough information to see everything. That's going on with this particular tap. So we got some good information here, but it's not everything that we could possibly get.

04:35

So in this lab, we just went through in number one. We took a look at a file that existed to see the structure and the format of how the page was designed in Mattila Day. And then

04:47

what we did is we ran a command through Hydra. So TFC Hydro, which is a password cracking tool, and we went ahead and cracked the password. We were able to get that admin password and log in. And then we came here and took a look at the log file itself were able to see those attempts to log in as well. It's a successful attempt.

05:06

And then we can also track some additional information