IPS (Intrusion Policy) with FMC - Lab || (Hacking Attack included)

Captions
[Music] Hello and welcome to Doctor Networks. My name is Amanda Starr, and today we're gonna be working on a lab on intrusion prevention system with FMC. Our FTD is gonna be the machine we're gonna be managing, and this is where we're gonna be running the IPS services on. But first we're gonna be doing a little bit of hacking. Hacking in terms that I have a Kali Linux box over here in the outside zone, and I have the most vulnerable system in another planet right now, which is Windows XP. I'm gonna be using Windows XP. First of all I'm gonna hack Windows XP, I'm going to show you how that hack happens, and then I'm gonna show you what happens when I have an IPS in between them, primarily having a line of defense between the Windows XP box and the hacker. So let's begin.

So first, just to familiarize you with the topology: right now here is our Kali Linux, there it is. We have an SSH session to the Kali Linux, and just to show you what the interfaces look like, we have ifconfig, ifconfig eth0. This is gonna be the interface, or this is the data interface, and this is the interface that we just showed you in our topology. Here it is, here's that interface. Okay, Windows XP is also connected, I have a remote desktop towards it, and please ignore this 19 series that I have; I actually have two NICs on each and every device, because one is for the management part. Okay, so this is the Windows box, and just a note here that Windows XP end of support is on April 8, 2014. I have no idea why it is showing me this message right now, but the thing is Windows XP is out of support, end of sale, end of life. That is because it is so vulnerable, because we don't have any security updates for it anymore. Similar is the case with Windows 7, so if you are on Windows 7 I would recommend you to upgrade your Windows.

So let's go towards our Kali Linux box. We're gonna be using msfconsole. To save some time I already have the attack over here and scripted, so we're just gonna be using an SMB-based attack that is on port 443, the same port you use for file sharing on Windows boxes. And we're just gonna be, you know, like, first of all just open up msfconsole. msfconsole... well, what's wrong with that? Sorry, msfconsole, msfconsole. Sorry about that, I'm not a hacker, okay, first of all. I'm a script kiddie, really. We are all script kiddies if we come to that, because we just run scripts that already exist on the internet, so we don't actually write code and everything, so we're not hackers, we're just, you know, testers: you're testing out whatever the vulnerabilities are on a system, and this system obviously is highly vulnerable to any attack we have.

So let's just change these IP addresses. First of all you have to set some parameters whenever you're doing an exploit. First of all, the exploit I'm gonna be using is this one, it's an SMB exploit, and then I have some set commands; these are the parameters you have to specify in any attack. First of all, the RHOST means remote host. So remote host is, let me check that, our remote host is 192.168.222.122, so we're gonna change this to 192.168.222.122. And then we're gonna have 192.168... this is me; the LHOST means local host, it's gonna be 192.168.111... oh sorry, 192.168.111.123, this is gonna be me. And the payload that I'm gonna be setting is a reverse TCP. That means that when I hack the Windows XP it's gonna have a reverse connection to me and I'll be listening on a specific port, and in this case it will be 4444, which is the default by the way. Okay, let's just copy and paste and save some time. Yeah, there it is, cool. Okay, I'll just hit exploit and let it run. I feel like a hacker when I do this, it's just so exciting. If I get the Meterpreter prompt, that means it's hacked. To get the shell of the Windows XP I'll just type in shell, and I'm inside Windows XP.

To show you, I'll just be creating a folder right now. I'll just hit cd and go to C drive, and this is the exact... wait a second, where's the path? Oh, there it is. This is the exact path, this is the desktop of my user, this is my Windows PC. As you can see, I can see a lot of software: some Wireshark, Google Chrome, some folders here. I'm gonna be creating a folder now on this specific desktop. No, no, it requires me... it's not recognized. Oh sorry, sorry, sorry, sorry. Oh, what is it? It's a little buggy, man, you have hacked it. So I'm inside of the desktop, so I'm gonna be mkdir, it's just like Linux, I'm gonna make a directory, make a folder, and it will be called hacked. So that basically means the operation is completed. Now let's check it out. Oh lovely, look at that, you have been hacked. So I have a hacked folder and you can go inside the folder now. So this is it, this is how you actually hack a Windows that is so much more vulnerable, like Windows XP.

Now we're gonna be using FMC to actually deploy the IPS services and see what happens. Behold the new FMC 6.6. This is the latest and greatest version as of right now; it's the 27th of April 2020. So let me show you, it's pretty neat. Now, 1 2 3 4, logging in. It has a beautiful new GUI if you want to go towards it. Cisco has that GUI pre-installed, actually; you can switch between the older GUI and the newer one, and it's very much bug free now, it's pretty much good, the developers at Cisco are doing a very good job. So here's the light theme. As we go through I'll just be showing you the theme, how it is. It's just gonna take a second to switch over to the new theme, or a minute, any second now. Yeah, there it is. So this is the theme, exactly the same theme. I'm just gonna be going through this theme for your convenience, and I'm gonna be switching over to the previous theme again, so just to give you a look; for you, everything is the same.

So I go into Policies and I'll be going to Intrusion, so I'm gonna make an intrusion policy, and let me create an intrusion policy there. By default there are no intrusion policies, so I'm gonna be saying, okay, Doctor Networks, DN IPS. So afterwards I specified the name, there's a base policy which has some specific signature sets that are enabled. Like I'll show you, this Maximum Detection has around about 37 thousand signatures that are enabled to detect and drop in between, and around about 180 signatures that only generate an event. So it depends on your deployment: if you have a very risky server that resides on your network and you want to protect it on a maximum level, you would obviously go with Maximum Detection because it has the most number of IPS signatures enabled. But it all depends on your actual deployment and your server, how much it is secured, I mean security like, does it have any antivirus running on it, and is it really vulnerable, and is it so much, I mean, crucial for your environment, even if it goes down you don't have any backup for that, those kinds of things, or maybe you can't afford it to go down, so you go for Maximum Detection over that. So we're gonna be using Maximum Detection right now. So I'll just go and create and edit the policy. Now it's gonna take a little while, as it always does in FMCs, so, mmm, so let's wait, that's what I can do, or I could fast forward this. Let's see. Okay, the bottom line is I had to cut the video because it was taking a lot of time to load. So here's our name and here's our base policy that we selected, and oh sorry, I just miscommunicated to you: it's not 37 thousand, it is 31 thousand signatures that are enabled for drop and generate events, and 182... did I get that right? One eighty rules, almost, that only generate events; they don't drop the packet.

So now I have these policy layers, as in the Maximum Detection is the one that I just selected, and it has some specific rules that are already enabled, so 31,000 rules are enabled in here. And as you can see there are a lot of rules that you see that are of this X. This is the basic rule state, meaning what will happen with the packet if an attack has been, you know, like, detected, that is, you know, like, the vulnerability scan attempt attack has been detected, what's gonna happen with the session or the packet. Oh, out of breath. So it's gonna drop the packet. So maybe I want something to, you know, not drop the packet, I want some specific... that vulnerability scan to pass, so I could just go in and change the rules. From My Changes I could go in and say, you know, this rule, DNS request attempt, I want you to only... maybe I want you to disable that, or maybe I just want you to generate events, still don't do anything with the packet, man, or the session, we just want you to generate some events; that'll be cool. We'll be looking at that, but not right now. Actually, I'm just gonna be showing you what happens with that attack that we just generated and hacked that Windows XP with. So we'll just leave this rule, let it be, and go to Devices now, Device Management. Now we have a virtual FTD 6.6, again this is the latest and greatest right now, and, oh, not into Devices, sorry about that, into Policies and Access Control. I was just trying to show you what FTD I have, so trying to be cool here. So edit, and there are no rules as you can see, only a network discovery rule is in place, so I'm gonna be adding a rule and calling it IPS Rule. Now I'm gonna leave everything at the default. Don't do this in the production environment, please; you have to specify each and every zone, networks, everything should be there for optimal performance. For the inspection part I'm gonna be going in and saying, you know what, I'm gonna be using the intrusion policy of DN IPS, and obviously logging, I'm gonna log at the beginning, and there's our rule. Everything is on any. Don't do this on production, please, not this, at least this any-any part, this is really bad.

So I'll just save this, and in this new FMC the deployment part has a deployment history part, as they're separated, and the deployment part, this is the main part. So I'm going to Deployment, I'm selecting the FTDs, show me what changes were there. This icon basically shows "hide unmodified policies", so all the policies that weren't modified aren't gonna be showing up; no need for them. So I'm gonna be deploying this now. So there it is. Now I'll fast forward this video, but I want to show you this cool notification bar that they have in this new theme. Look at that, it kind of slides from the right to the left, and it's really... this goes like, fades away so smoothly. I'm just seeing it and then feeling enlightened. But it'll take some time, so I'll fast forward this video. Okay, the deployment has been completed, and I had to cut this video.

Now let's go back again towards our Linux box that was hacking it. Typing in msfconsole, msf not mfs, I'm sorry about that, msfconsole, and Metasploit is running, and we're gonna, to save time, I'm gonna just copy and paste the attack that I already had, excluding the msfconsole. Now I'm inside, I'm gonna use this SMB attack again, and let's see what happens. Exploit. Boom, by now we should have hacked it. The first thing this attack does is actually a scan to see if SMB version one is running or not on the system, because it's quite vulnerable. Now this is not happening. Okay, so login failed, as the session expired, because the session did time out or something. So let's go towards our FMC and see what we can analyze from the logs, and here in the Intrusion Events, what do we see now? This is gonna be neat, hopefully. Y'all look at that, isn't this beautiful? I couldn't hack the Windows XP, and you could see that this was an attempt to detect SMB version one. After the attempt it basically does another attack and possibly another attack, so it basically does three or four attacks to actually get the Windows XP's reverse TCP session and execute the exploit accurately. So the first thing it does is obviously an SMB version one query, if it's on or not. So this is our line of defense over here. Now, as I specified over here, this is our line of defense right now, and it's working accurately. This is how IPS really works. So I hope this has been a very good, informative lecture for you guys, and thank you for watching.
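As an added illustration that is not part of the video: the first intrusion event the speaker sees is the exploit's SMB version 1 check, and the rule states she describes (drop and generate events, generate events only, disabled) decide what happens to that packet. The detector and rule-state logic below are my own Python sketch over constructed packets; the constants, function names and the rule-state labels are assumptions, not FMC or Snort code.

```python
# Added example (not from the video): a minimal SMBv1 NEGOTIATE detector that
# applies the three intrusion-rule states discussed in the lab. The packets
# built by smb_frame() are constructed test data, not captures from the lab.

SMB1_MAGIC = b"\xffSMB"   # SMBv1 header protocol id
SMB2_MAGIC = b"\xfeSMB"   # SMBv2/3 header protocol id (not SMBv1)
SMB_COM_NEGOTIATE = 0x72  # SMBv1 NEGOTIATE command code

# Rule states, named after the options the speaker describes (assumed labels).
DROP_AND_EVENT = "drop and generate events"
EVENT_ONLY = "generate events"
DISABLED = "disabled"


def is_smb1_negotiate(segment: bytes) -> bool:
    """Return True if a TCP/445 segment carries an SMBv1 NEGOTIATE request.

    Direct-hosted SMB layout: 4-byte NetBIOS session header (type 0x00 plus
    a 3-byte big-endian length), then the 32-byte SMB header whose first
    4 bytes are the protocol id and whose 5th byte is the command.
    """
    if len(segment) < 4 + 5:
        return False
    if segment[0] != 0x00:                # NetBIOS "session message" type
        return False
    declared_len = int.from_bytes(segment[1:4], "big")
    if declared_len != len(segment) - 4:  # truncated or padded frame
        return False
    smb = segment[4:]
    return smb[:4] == SMB1_MAGIC and smb[4] == SMB_COM_NEGOTIATE


def inspect(segment: bytes, rule_state: str) -> tuple:
    """Apply the rule state; return (verdict, event_generated)."""
    if not is_smb1_negotiate(segment):
        return ("pass", False)            # rule did not match
    if rule_state == DROP_AND_EVENT:
        return ("drop", True)             # packet dropped, event logged
    if rule_state == EVENT_ONLY:
        return ("pass", True)             # packet allowed, event logged
    return ("pass", False)                # disabled: no event, no drop


def smb_frame(magic: bytes, command: int) -> bytes:
    """Build a constructed SMB frame with a valid NetBIOS length prefix."""
    header = magic + bytes([command]) + b"\x00" * 27   # 32-byte SMB header
    return b"\x00" + len(header).to_bytes(3, "big") + header
```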
Info
Channel: Doctor Networks
Views: 4,312
Rating: 4.8644066 out of 5
Keywords: FMC, FTD, FMC 6.6, FTD 6.6, Intrusion in FMC, windows XP hack, hack, IPS, Cisco IPS, Cisco IPS FTD, SFR IPS, ASA IPS, ASA, Cisco FTD, Cisco FMC intrusion, FMC IPS, FMC intrusion
Id: NYoIukJBM_Y
Length: 16min 32sec (992 seconds)
Published: Mon Apr 27 2020