OLeary - Cyber Operations

Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the books product page, located at www.apress.com/9781484242933 . For more detailed information, please visit http://www.apress.com/source-code .

How do you set up, defend, and attack computer networks? This book is a gentle introduction to cyber operations for a reader with a working knowledge of Windows and Linux operating systems and basic TCP/IP networking. It is the result of more than 10 years of teaching a university capstone course in hands-on cyber security.

It begins by showing how to build a range of Windows and Linux workstations, including CentOS, Mint, OpenSuSE, and Ubuntu systems. These can be physical or virtual systems built with VMWare Workstation or VirtualBox. Kali Linux is introduced and Metasploit is used to attack these systems, including EternalBlue and attacks against Internet Explorer, Firefox, Java, and Adobe Flash Player. These attacks all leave traces on the target and the network that can be found by a savvy defender, and these methods are demonstrated.

This interplay between setup, attack, and defense forms the core of the book. It continues through the process of setting up realistic networks with DNS servers and Windows Active Directory. Windows systems can be managed remotely using SMB, RPC, and WinRM; WMI is introduced, including the use of WMI to monitor systems. The Windows domain is then attacked, and techniques to escalate privileges from local user to domain user to domain administrator are developed. Tools like Mimikatz, Responder, and John the Ripper are used to obtain credentials, and hashes are passed across the domain. Linux systems are attacked next, and Dirty COW is demonstrated. To detect these attacks, a defender can turn to system logs; the reader will learn how logs are stored on Windows and Linux and how they can be made to interoperate. Sysmon is introduced and PowerShell used to query these logs.

An attacker with access to a system generally wants to maintain access to that system; this can be done using malware. Common vectors for persistence are demonstrated, including the registry, WMI persistence, and Kerberos golden tickets. A defender aware of these techniques can block or detect these attacks. An administrator can use PowerShell to search the domain to detect persistence mechanisms, firewall rules can be deployed to reduce lateral movement, and LAPS can be deployed to protect local accounts.

Of course, networks are built to provide services to users, so the book continues with an introduction to common services, including SSH, FTP, Windows file sharing, and Remote Desktop. Next are web servers, both IIS and Apache. These are configured, including using signed SSL/TLS certificates, attacked via a range of techniques, and defended with tools like ModSecurity. Real networks do not use a flat network topology, so network firewalls based on IPFire are introduced to separate the network into components and filter traffic in and out of the network. Databases are included in the network, and intrusion detection systems used to defend the network. The book concludes with an introduction to PHP and PHP-based web applications including WordPress, Joomla! and phpMyAdmin.

The book covers systems as they were used between 2011 and 2017. These systems should be patched now, so showing how to attack them today poses little risk to currently deployed systems. Back in the day, though, these systems were vulnerable to these exploits even though they were fully patched at the time. The defensive techniques discussed throughout the book retain their value and can be used to defend current systems even from new attacks.

This book is designed for readers who are comfortable with Windows, Linux, and networking who want to learn the operational side of cyber security. It is meant to be read hand in hand with systems; indeed, the only way to learn cyber operations is to lay hands on a keyboard and work. Set up the various systems described in the book, try out the attacks, and look for the traces left by the attacks. Initially you may want to follow the text closely; but as you gain proficiency, it is better to use the text only as a guide and starting place for your own explorations.

I have taught a university capstone course in cyber security since 2004, and this book evolved from that course. It provides the reader a comprehensive introduction to hands-on cyber operations. It contains more material than can be comfortably covered in a semester, and yet, despite its size, it is far from exhaustive.

The book includes online supplementary material at https://www.apress.com/us/book/9781484242933 . There you can find additional notes for each chapter, along with exercises that can be used either by an intrepid individual reader or by someone teaching a course.

One problem with writing a book that includes computer output is that sometimes the screen output is wider than the page. Wherever possible, the text reproduces exactly what appears as the output from a command. However, when the output of a line is longer than the line on a page, I have taken the liberty of editing and formatting the result to make it easier for the reader. As an example, the raw output might look like the following.