Alejandra Morelos


Enterprise System Administration

Purpose

This capstone project was meant to display the skills I acquired over the course of my schooling and to strengthen my understanding of networking and security concepts in a simulation of a real-world experience.

It was completed in groups of four, and we were given bare machines from which to construct our network.

Problem

Secure the enterprise network from malicious attackers to run your business. 

My team named our business Circuit City. We offered tech accessories and services such as custom phone cases, laptop skins and portable chargers, custom design services for tech accessories, tech support and troubleshooting for mobile devices and laptops, and educational workshops on digital security.


As we were given bare machines, we needed to work out how the network was segmented and how to connect the machines so that each of them had Internet access before we could progress to the remaining portions of the project. I was originally going to complete the website/database portion of the project, but decided to help with the networking portion because my group had begun falling behind our set schedule.

Beginning diagram of project

Final diagram of enterprise network

Summary of tasks

These tasks demonstrate my technical expertise in cybersecurity, network management, and system administration, along with my ability to follow industry standards for securing IT systems and infrastructures. My project-mates, professor, and graduate assistant signed off on the tasks to validate my contribution. 

Networking

Routers

Set DHCP


Load default config (VyOS):

configure

load /opt/vyatta/etc/config.boot.default

commit

save (this changes the passwords back to the defaults vyos/vyos and vyatta/vyatta)

Reboot and log into serial console for eth0/eth1

Set Interfaces:

configure

set interfaces ethernet eth0 address dhcp

set interfaces ethernet eth0 description 'OUTSIDE'

set interfaces ethernet eth1 address 172.31.1.1/24

set interfaces ethernet eth1 description 'INSIDE'

commit

save

Set DHCP server:

set service dhcp-server shared-network-name LAN subnet 172.31.1.0/24

set service dhcp-server shared-network-name LAN subnet 172.31.1.0/24 default-router 172.31.1.1

set service dhcp-server shared-network-name LAN subnet 172.31.1.0/24 dns-server 172.31.1.1

set service dhcp-server shared-network-name LAN subnet 172.31.1.0/24 domain-name team1.net

set service dhcp-server shared-network-name LAN subnet 172.31.1.0/24 lease '86400'

set service dhcp-server shared-network-name LAN subnet 172.31.1.0/24 start 172.31.1.5 stop 172.31.1.250

commit

save

exit

reboot


Kali Machine Configuration

sudo su

nano /etc/network/interfaces

Deleted everything except the loopback stanza, then added:

iface eth0 inet static

address 172.31.1.11

netmask 255.255.255.0

broadcast 172.31.1.255

gateway 172.31.1.1

Ctrl + X > y > enter to save

ifconfig eth0 172.31.1.11

ifdown eth0

ifup eth0

Set static routes for WAN and LAN

Changed the NAT source address rule to 0.0.0.0/24 in an attempt to allow all IP addresses, to see if that would give the Kali machine Internet access (working from the top down to find the cause of the missing Internet connectivity).


Added a static route from the LAN to the DMZ:

    set protocols static route 10.0.1.0/24 next-hop 192.168.6.2

Set the default route to the firewall's LAN IP address so that all outbound traffic to networks not explicitly known by the LAN router goes through the firewall:

    set protocols static route 0.0.0.0/0 next-hop 192.168.6.2

Set NAT on WAN

    set nat source rule 100 outbound-interface eth0

    set nat source rule 100 source address 172.31.0.1/24 (pfsense)

    set nat source rule 100 translation address masquerade
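As an added check (not part of the original project), this Python script takes the addresses from the router, Kali and NAT commands above and verifies that they agree with each other: the DHCP pool sits inside its subnet, the gateway and the statically addressed Kali host sit outside the pool, and the NAT source prefix covers the INSIDE network. It assumes all of these values apply to the same LAN router and leaves the static routes out, since eth0's WAN address is assigned by DHCP and is not known from the page.

```python
import ipaddress

# Values transcribed from the commands above (constructed input, not a live config).
PAGE_CONFIG = {
    "inside_if": "172.31.1.1/24",                              # eth1 'INSIDE'
    "dhcp_subnet": "172.31.1.0/24",
    "default_router": "172.31.1.1",
    "dhcp_range": ("172.31.1.5", "172.31.1.250"),
    "static_hosts": {"kali": ("172.31.1.11", "172.31.1.1")},   # (address, gateway)
    "nat_source": "172.31.0.1/24",                             # nat source rule 100
}


def check_lan_config(cfg):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    inside = ipaddress.ip_interface(cfg["inside_if"])
    lan = inside.network
    subnet = ipaddress.ip_network(cfg["dhcp_subnet"])
    if subnet != lan:
        findings.append(f"DHCP subnet {subnet} differs from INSIDE network {lan}")
    router = ipaddress.ip_address(cfg["default_router"])
    if router != inside.ip:
        findings.append(f"default-router {router} is not the INSIDE address {inside.ip}")
    start, stop = (ipaddress.ip_address(a) for a in cfg["dhcp_range"])
    if not (start in subnet and stop in subnet and start <= stop):
        findings.append(f"DHCP range {start}-{stop} is not inside {subnet}")
    if start <= router <= stop:
        findings.append(f"default-router {router} lies inside the dynamic pool")
    # A statically assigned host inside the dynamic pool can collide with a lease.
    for name, (addr, gw) in cfg["static_hosts"].items():
        addr, gw = ipaddress.ip_address(addr), ipaddress.ip_address(gw)
        if addr not in lan:
            findings.append(f"{name}: {addr} is not in {lan}")
        if gw != inside.ip:
            findings.append(f"{name}: gateway {gw} is not the router {inside.ip}")
        if start <= addr <= stop:
            findings.append(f"{name}: static {addr} sits inside DHCP pool {start}-{stop}")
    # Masquerade only applies to packets whose source matches the rule's prefix.
    nat = ipaddress.ip_network(cfg["nat_source"], strict=False)
    if not lan.subnet_of(nat):
        findings.append(f"NAT source {nat} does not cover LAN {lan}")
    return findings


if __name__ == "__main__":
    for line in check_lan_config(PAGE_CONFIG) or ["no findings"]:
        print(line)
```

Run with the 0.0.0.0/24 value mentioned earlier on this page, the NAT check reports the same gap, because a /24 prefix still covers only 256 addresses; 0.0.0.0/0 is the prefix that matches every source.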

Machine and Software Setup

I was tasked with updating the different machines to ensure the latest software and patches were installed.

RHEL Setup

Connected the Red Hat Enterprise Linux (RHEL) machine to the AD-DNS machine using yum, vi /etc/hosts and vi /etc/resolv.conf. I then checked the RHEL hostname and changed it to "redhatcli" with hostnamectl so the machine would be easier to identify once it was connected to Active Directory.



sudo su

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients python3-policycoreutils

vi /etc/hosts

  • add the AD machine (192.168.1.5 WIN-A2S94UIVODK.totters.net)
  • press Esc on the keyboard and save (:wq)

vi /etc/resolv.conf

  • add the AD machine as the nameserver (nameserver 192.168.1.5, i.e. WIN-A2S94UIVODK.totters.net)
  • press Esc on the keyboard and save (:wq)

Check the RHEL hostname (the hostname was localhost.local)

Change the hostname:

  • hostnamectl set-hostname <new hostname> (redhatcli)

Join the RHEL machine to AD:

realm discover -v WIN-8P95FVH8U95.circuitcity.local

realm join --user=administrator WIN-8P95FVH8U95.circuitcity.local

realm list (this command confirms that the domain was joined)

Wireshark installation

Installed Wireshark on the AD-DNS machine in preparation for the penetration test that would be conducted in the final week of the project.


Website

For the website I decided to install XAMPP and WordPress, as they were user-friendly for someone learning to configure a website. WordPress hosts its own database, so with the limited time available this was efficient: I no longer needed to create my own database, which made the RHEL DB machine unnecessary, although it stayed connected to Active Directory and the Internet.

 

Installed additional plugins: UpdraftPlus (database backup) and Order Minimum/Maximum, to prevent an overload of orders from crashing the site.

Performed backup

Accessing Website through LAN

Firewall Rule Adjustment

Added a firewall rule on OPT1 (DMZ) to allow traffic to port 80 (HTTP) from the LAN to the DMZ. The DMZ should NOT have access back into the LAN, since the DMZ is only an external-facing segment.

This rule could be tightened by specifying only the DMZ web server address, 10.0.1.100, but the interface would not let me enter a single address, so it is configured for the DMZ net.


Added a firewall rule on the WinWeb server in Windows Defender Firewall to allow traffic to port 80, since it was blocking access. Created an inbound rule and hardened it by allowing only the machines the Orange team would be accessing, and enabling Administrators in the local domain to reach port 80 on the DMZ.

Ticketing System

Added a new user in WordPress for the Support Candy ticketing plugin so that, during penetration test week, questions from the Orange team about products or issues with the website/accounts could be handled.

  • Ticket Notifications in Support Candy (Email Notifications tab)
    • Updated the ‘New ticket customer confirmation’ and ‘Close ticket customer notification’ templates
    • Left the defaults for ‘New ticket staff notification’ and ‘Reply ticket notification’

Automate a task

I thought about what would be most useful for our project while we were busy handling tickets and monitoring our site for potential security threats. Updating machines is something a lot of people put off, so having a script automate it for us would ease some of the workload.

 

Windows Automated Script - Updates on Startup.

Applied script to Group Policy Management

 https://www.nakivo.com/blog/automate-windows-updates-using-powershell-short-overview/ 

Resolved Difficulties

Locked out of System

One day before the penetration test, a teammate was attempting to secure the system by adding 2FA with a third-party authenticator application, Duo Mobile, to prevent hackers from entering our system. Unfortunately, our virtual machines were not connected outside of our school's network, so this locked us out of our admin server. After a momentary panic, I sought out a resolution other than the "start over or fail" advice we had received, which we had no time for regardless.

Recovery

1. Check the version of Windows before taking action

2. Boot the AD machine into Safe Mode

3. From an elevated command prompt, run:

    regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProd.dll"

    regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"

4. Restart the machine to boot Windows back into normal mode


Copyright © 2025 Alejandra Morelos - All Rights Reserved.
