This lab focuses on auditing compromised systems, inspecting processes, securing user access, hardening file permissions, and disabling insecure services.

augustinefosumanu/Investigating-and-Securing-Systems

TechNet Systems Cybersecurity Lab: Investigating and Securing Systems

(Fictitious Organization)

Lab

In this lab, I tackled key cybersecurity tasks to address a simulated system breach:

  • Process Monitoring: Inventoried the active processes with top to spot unauthorized or malicious activity.
  • Password Auditing: Ran John the Ripper against a copy of /etc/shadow to find accounts with weak passwords.
  • Access Control: Revoked sudo privileges from accounts that should not have had them, in particular those with weak passwords.
  • User and Group Cleanup: Audited user and group assignments and removed unauthorized accounts and groups.
  • File Security: Tightened the permissions of sensitive system files to prevent unauthorized access.
  • Legacy Service Removal: Stopped, disabled and removed insecure clear-text services (FTP, Telnet, etc.).

Inventory of Active System Processes

I first executed the lab's setup script, which compromised the system. Then I ran the top command to list the active processes and went through the list looking for anything unfamiliar or suspicious: unexpected process names, binaries running from unusual locations, and abnormal CPU or memory use. Because top sorts by CPU by default, a quiet implant will not float to the top, so I compared the full list against the processes expected on a clean system rather than only the heavy consumers, and flagged the anomalies for further investigation or immediate action.

Running processes
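The inventory above relies on reading top by eye. As an added example (not part of the lab), the script below walks /proc and flags processes whose executable has been deleted from disk or runs from a world-writable or home directory; the list of suspicious locations is an assumption, not a rule, and the scan works regardless of how busy the process is.

```sh
#!/bin/sh
# Added example (not part of the lab): flag running processes whose executable
# is suspicious. top sorts by CPU, so an idle implant will not show up near the
# top; walking /proc catches it regardless of load.

# is_suspicious_exe PATH: print a reason and return 0 if the path looks wrong,
# return 1 (silently) otherwise. The location list is an assumption, not a rule.
is_suspicious_exe() {
    case "$1" in
        *' (deleted)')                echo "binary deleted from disk";        return 0 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "runs from a world-writable dir";  return 0 ;;
        /home/*)                      echo "runs from a home directory";      return 0 ;;
    esac
    return 1
}

# scan_procs: print PID, UID, executable and reason for every flagged process.
scan_procs() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel thread or no permission
        if reason=$(is_suspicious_exe "$exe"); then
            uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null) || uid='?'
            printf '%s\t%s\t%s\t%s\n' "${d#/proc/}" "${uid:-?}" "$exe" "$reason"
        fi
    done
}

scan_procs
# For a process this flags, inspect its command line and working directory:
#   tr '\0' ' ' < /proc/<pid>/cmdline; readlink /proc/<pid>/cwd
```

Run it as root to see every process; unprivileged, readlink on other users' /proc entries fails and those processes are skipped silently.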

Copying the Shadow Password File

/etc/shadow is readable only by root, so with sudo I copied it to a working file (shadow_copy) using cp. The copy contains the same password hashes as the original, so I kept its permissions restricted to root (mode 600) rather than leaving a world-readable copy in a home directory. I then verified that the copy matched the original before working on it.

Copying shadow file

Editing the Shadow Copy File to Retain Only System Users

I edited shadow_copy in the nano text editor, reviewing each line and removing entries that did not belong to real accounts on the system, such as obsolete or test accounts, so that only the legitimate accounts remained for auditing. Entries whose password field is * or ! (locked or password-less service accounts) carry no hash that john could crack, so they can be dropped as well.

Editing Shadow_copy file

Running the Shadow File Through a Password Cracker

I ran john against shadow_copy with a wordlist (john --wordlist=<wordlist> shadow_copy). John detects the hash format from the $id$ prefix of each entry ($6$ is sha512crypt, $y$ is yescrypt) and records cracked passwords in its pot file, so john --show shadow_copy lists the results afterwards. I reviewed that output to see which accounts had passwords weak enough to be guessed from the wordlist.

Cracking password
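The three steps above (copy the shadow file, prune it, run john) are shown together below as an added example that is not the lab's own commands. The sample shadow file is constructed with placeholder hashes, the wordlist path is the Kali default and is an assumption, and the pruning step does mechanically what the lab did by hand in nano: drop entries without a crackable hash.

```sh
#!/bin/sh
# Added example (not the lab's own commands): prepare a copy of /etc/shadow for
# john and keep only the entries that actually carry a password hash.
# Step 1, as root, copy with root-only permissions (umask 077 => mode 600):
#   sudo sh -c 'umask 077; cp /etc/shadow /root/shadow_copy'

# hash_type FIELD: name the algorithm from the $id$ prefix of a shadow password
# field, or print "none" for empty, locked (!) or disabled (*) accounts.
hash_type() {
    case "$1" in
        ''|'*'|'!'*)  echo none ;;
        '$1$'*)       echo md5crypt ;;
        '$2'*)        echo bcrypt ;;
        '$5$'*)       echo sha256crypt ;;
        '$6$'*)       echo sha512crypt ;;
        '$7$'*)       echo scrypt ;;
        '$y$'*)       echo yescrypt ;;
        *)            echo unknown ;;
    esac
}

# crackable_entries FILE: print the shadow lines john can work on.
crackable_entries() {
    while IFS= read -r line; do
        hash=${line#*:}; hash=${hash%%:*}          # second field
        if [ "$(hash_type "$hash")" != none ]; then printf '%s\n' "$line"; fi
    done < "$1"
}

# Constructed sample in shadow format (hashes are placeholders, not real digests).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
jack:$6$xyzxyzxy$PLACEHOLDERHASH:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
sally:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
EOF

FILTERED=$(mktemp)
crackable_entries "$SAMPLE" > "$FILTERED"       # keeps root, jack, sally

# Step 3: run john; it picks the format from the prefix and caches results in
# ~/.john/john.pot, which --show reads back. Set RUN_JOHN=1 to actually crack.
WORDLIST=/usr/share/wordlists/rockyou.txt       # assumption: Kali default path
if [ "${RUN_JOHN:-0}" = 1 ] && command -v john >/dev/null 2>&1 && [ -r "$WORDLIST" ]; then
    john --wordlist="$WORDLIST" "$FILTERED"
    john --show "$FILTERED"
else
    echo "would run: john --wordlist=$WORDLIST $FILTERED && john --show $FILTERED"
fi
```

Delete the working copies when the audit is finished; they are as sensitive as /etc/shadow itself.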

Checking Sudo Access of Users with Weak Passwords

I ran sudo -lU <user> for each account to list the commands that user may run through sudo. Cross-referencing this with the passwords john had cracked identified accounts that combined a guessable password with elevated privileges, the highest-risk combination, since anyone who guesses the password gets root. I flagged these accounts and documented the findings to support revoking their sudo access.

Checking sudo access

Removing Sudo Access from Users in the Sudoers File

I edited /etc/sudoers with visudo, which locks the file and refuses to save it if it fails sudo's parser, so a typo cannot lock out administrative access. I searched for user-specific entries granting sudo rights, removed or commented out those belonging to the weak-password accounts, saved, and then re-checked with sudo -lU <user> that those users no longer had elevated privileges.

Removing sudo access

Removing Less Access from Users in the Sudoers File

Using visudo again, I reviewed the file for user- or group-specific entries granting more access than the account needed, including rules that allowed a single command to run as root. A rule allowing less as root is effectively full root access, because less can spawn a shell (typing !sh at its prompt), and the same applies to other interactive programs such as editors and find. I commented out or removed such entries. Rules dropped into /etc/sudoers.d/ grant access just like entries in the main file, so that directory needs the same review. I then verified that only authorized users retained appropriate sudo access.

Removing less access

Confirming Changes to the Sudoers File

After editing, I ran visudo -c to parse /etc/sudoers (and any included files) and confirm that no syntax errors had been introduced, since a malformed file can break sudo for every administrator. I then re-read the file to verify that only authorized users retained the necessary privileges, and confirmed the effect with sudo -lU <user> for the affected accounts, which should now report that they may not run sudo.

Confirming changes
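The sudoers review above was done by reading the file. As an added example (not the lab's own commands), the script below parses sudoers-style rules and flags two things the lab removed: rules granting ALL, and rules granting commands that can spawn a root shell, less among them. The sample sudoers file is constructed, the user names are placeholders, and the list of shell-escape commands is illustrative rather than exhaustive.

```sh
#!/bin/sh
# Added example (not the lab's own commands): audit sudoers rules for full-root
# grants and for commands that give a root shell indirectly. less is the classic
# case: with "sudo less FILE", typing !sh at the prompt spawns a root shell.
# The escape list is illustrative, not exhaustive.
ESCAPES='less more vi vim nano find awk perl python python3 env bash sh'

# rule_risk LINE: print a risk label for one sudoers line, or nothing.
rule_risk() {
    case "$1" in ''|'#'*|Defaults*|@include*) return 0 ;; esac   # not a user rule
    cmds=${1##*:}            # text after the last ':' (e.g. after NOPASSWD:)
    cmds=${cmds##*[)]}       # or after the (runas) spec when there is no tag
    case "$1" in *NOPASSWD*) np=' NOPASSWD' ;; *) np='' ;; esac
    case "$cmds" in *' ALL'|ALL) echo "full root${np}"; return 0 ;; esac
    for c in $ESCAPES; do
        case "$cmds" in
            */"$c"|*/"$c,"*|*/"$c "*) echo "shell escape via $c${np}"; return 0 ;;
        esac
    done
}

# audit_sudoers FILE: print "risk<TAB>rule" for each flagged line.
audit_sudoers() {
    while IFS= read -r line; do
        risk=$(rule_risk "$line")
        if [ -n "$risk" ]; then printf '%s\t%s\n' "$risk" "$line"; fi
    done < "$1"
}

# Constructed sample sudoers (names are placeholders).
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
jack ALL=(ALL) NOPASSWD: /usr/bin/less
billy ALL=(root) /usr/bin/systemctl restart nginx
sally ALL=(ALL) /usr/bin/find
EOF
audit_sudoers "$SUDOERS_SAMPLE"          # flags root, %sudo, jack, sally; billy is fine

# On a real host (root): validate syntax first, then audit the live files.
#   visudo -c                  # parses /etc/sudoers and /etc/sudoers.d/*
#   sudo -lU jack              # what sudo actually grants, group rules included
if [ -r /etc/sudoers ]; then
    audit_sudoers /etc/sudoers
    for f in /etc/sudoers.d/*; do [ -f "$f" ] && audit_sudoers "$f"; done
fi
```

The root and %sudo lines are flagged as full root on purpose: the audit should list every ALL grant so the reviewer confirms each one is intended, rather than hiding the ones that happen to be expected.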

Checking IDs for Every User on the System

I ran id <user> for each account to retrieve its UID, primary GID and supplementary groups. Reviewing each entry, I checked that administrative accounts had the expected assignments and that no other account had a UID of 0 (which would make it equivalent to root) or membership in a privileged group. Any discrepancies were flagged for further investigation and corrective action.

Checking userID

Checking Groups Users Belong to on the System

I ran groups <user> for each account to review its group memberships and identify any unauthorized or suspicious assignments. I paid special attention to privileged groups such as sudo and admin, and to any other group that the sudoers file grants access to, making sure that only authorized accounts were members.

Checking groups

Removing Jack from the Sudo Group

I removed Jack from the sudo group. Note that usermod -G replaces the user's entire supplementary group list with the groups given, so when used for this it must name every group Jack should keep (for example usermod -G developers jack); gpasswd -d jack sudo or deluser jack sudo removes the one group without touching the others. After the change I ran groups jack to confirm that Jack was no longer a member of sudo.

Removing Unauthorized Users and Groups from the System

I used deluser and delgroup to remove the unauthorized users and groups. deluser on its own leaves the account's home directory in place, so I ran it with --remove-home so that the user's files were removed as well (--remove-all-files also deletes files the user owned elsewhere on the system), leaving no orphaned data behind.

Removing users and groups

Adding Users to the Appropriate Group

I created any missing groups with addgroup, then used usermod -aG to add users to their designated groups. The -a flag appends the new group; without it, -G replaces the user's supplementary groups with only those listed. Specifically, I made sure that Adam, Billy, Sally and Max belonged to the developers group and their own primary groups, and to nothing else, verifying with groups <user>.

Adding users to group
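The user and group audit above (id, groups, removing Jack from sudo, deleting accounts, adding developers) is shown end to end as an added example that is not the lab's own commands. The passwd and group files are constructed samples, with sysadm planted as a second UID-0 account; the fix commands at the end show the forms that do not have the usermod -G side effect.

```sh
#!/bin/sh
# Added example (not the lab's own commands): audit accounts and group
# membership from passwd/group files, then the correct fix commands.

# uid0_accounts PASSWD: every login with UID 0. Anything besides root is a backdoor.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# human_accounts PASSWD: "name uid gid shell" for UID >= 1000 (nobody excluded).
human_accounts() { awk -F: '$3 >= 1000 && $1 != "nobody" { print $1, $3, $4, $7 }' "$1"; }

# group_members GROUPFILE NAME: the supplementary members of NAME (4th field).
group_members() { awk -F: -v g="$2" '$1 == g { print $4 }' "$1"; }

# Constructed sample files (sysadm is a planted second UID-0 account).
PASSWD_SAMPLE=$(mktemp); GROUP_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
adam:x:1001:1001::/home/adam:/bin/bash
jack:x:1002:1002::/home/jack:/bin/bash
sysadm:x:0:0::/root:/bin/bash
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
sudo:x:27:jack,adam
developers:x:1500:adam,billy
EOF

echo "UID 0 accounts:";  uid0_accounts "$PASSWD_SAMPLE"        # root, sysadm
echo "sudo members:";    group_members "$GROUP_SAMPLE" sudo    # jack,adam
echo "human accounts:";  human_accounts "$PASSWD_SAMPLE"       # adam, jack (sysadm is UID 0)

# Fixes (run as root). usermod -G REPLACES the supplementary list, so removing one
# group with it means naming every group to keep; gpasswd -d removes just one:
#   gpasswd -d jack sudo                 # or: deluser jack sudo
#   usermod -aG developers adam          # -a appends; without it other groups are dropped
#   deluser --remove-home sysadm         # account plus its home directory
#   delgroup hackers                     # placeholder group name
# Verify: id jack; groups adam; awk -F: '$3 == 0' /etc/passwd
```

Against the live system, point the functions at /etc/passwd and /etc/group; both are world-readable, so the audit needs no privileges, only the fixes do.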

Setting File Permissions

Following the Debian/Ubuntu baseline, I tightened the permissions on key system files with chmod: 640 with owner root and group shadow on /etc/shadow and /etc/gshadow (readable by root and the shadow group only), 644 on /etc/passwd and /etc/group, and 440 on /etc/sudoers. After applying the changes I ran ls -l to verify the new modes and owners, and documented the adjustments for future reference.

Setting permissions
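Checking the result with ls -l by eye does not scale past a handful of files. As an added example (not the lab's own commands), the script below compares each sensitive file's mode, owner and group against a baseline and reports only the mismatches. The baseline values are the Debian/Ubuntu defaults and stat -c is GNU coreutils syntax, both assumptions about the host.

```sh
#!/bin/sh
# Added example (not the lab's own commands): compare the mode and ownership of
# sensitive files against a baseline. Baseline values are the Debian/Ubuntu
# defaults; stat -c is GNU coreutils syntax.

# check_file PATH MODE OWNER GROUP: silent and 0 on match; prints the
# discrepancy and returns 1 otherwise (also 1 if the file is missing).
check_file() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
    if [ "$actual" != "$2 $3 $4" ]; then
        echo "$1: is $actual, expected $2 $3 $4"
        return 1
    fi
}

# Walk the baseline; keep going after a mismatch so the whole report prints.
status=0
while read -r path mode owner group; do
    check_file "$path" "$mode" "$owner" "$group" || status=1
done <<'EOF'
/etc/passwd 644 root root
/etc/group 644 root root
/etc/shadow 640 root shadow
/etc/gshadow 640 root shadow
/etc/sudoers 440 root root
EOF
if [ "$status" -eq 0 ]; then echo "all baseline files match"; fi

# Remediation (root), e.g. for a shadow file left world-readable:
#   chmod 640 /etc/shadow && chown root:shadow /etc/shadow
#   ls -l /etc/shadow        # -rw-r----- 1 root shadow ...
```

Mode alone is not enough: a /etc/shadow that is 640 but group-owned by a group users can join is still exposed, which is why the check compares owner and group too.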

Checking for Vulnerabilities

I used systemctl to enumerate the services on the system (systemctl list-units --type=service --state=running for what was running, and systemctl list-unit-files --state=enabled for what starts at boot), reviewing the output for unnecessary or insecure services such as FTP and Telnet, which send credentials in clear text. systemctl is a service manager rather than a vulnerability scanner, so this step finds exposed legacy services and misconfigured units; outdated packages need the package manager or a dedicated scanner.

Checking for vulnerabilities

Stopping Vulnerable Services

After identifying vulnerable or unnecessary services, I stopped each one with systemctl stop <service>. Stopping only affects the running instance; a stopped service that is still enabled comes back at the next boot, which is why the next step disables it.

Stopping vulnerable services

Disabling Vulnerable Services

I then disabled the stopped services with systemctl disable <service>, which removes the symlinks that start the unit at boot so it stays inactive across reboots. Disabling does not stop a running instance, hence stopping first; systemctl mask goes further and prevents even manual starts.

Disabling vulnerable services

Removing Vulnerable Services from the System

Finally, I uninstalled the flagged services with the system's package manager (for example apt purge on Debian-based systems, which also removes the package's configuration files), so that the vulnerable software was no longer present on the system at all, not merely switched off.

Removing services
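The four steps above (find, stop, disable, remove) are shown together as an added example that is not the lab's own commands. The ss output is a constructed sample, and the port list, unit names and package names (vsftpd, openbsd-inetd) are assumptions for a Debian-based host with systemd; the function only parses TCP listeners, so UDP services such as tftp would need ss -ulnp and a separate check.

```sh
#!/bin/sh
# Added example (not the lab's own commands): find listeners on legacy clear-text
# ports from ss output, then the stop/disable/purge sequence. Port list and
# package names are assumptions for a Debian-based host with systemd.
LEGACY_PORTS='21 23 512 513 514'   # ftp telnet rexec rlogin rsh

# legacy_listeners: read "ss -tlnp" lines on stdin, print "port<TAB>process"
# for every socket bound to a legacy port.
legacy_listeners() {
    while read -r state recvq sendq laddr peer rest; do
        port=${laddr##*:}              # works for 0.0.0.0:21, [::]:23 and *:21
        for p in $LEGACY_PORTS; do
            if [ "$port" = "$p" ]; then printf '%s\t%s\n' "$port" "${rest:--}"; fi
        done
    done
}

# Constructed sample of ss -tlnp output.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      32     0.0.0.0:21        0.0.0.0:*         users:(("vsftpd",pid=812,fd=3))
LISTEN 0      128    [::]:23           [::]:*            users:(("inetd",pid=700,fd=5))'

printf '%s\n' "$SS_SAMPLE" | legacy_listeners              # 21 vsftpd, 23 inetd
if command -v ss >/dev/null 2>&1; then ss -tlnp 2>/dev/null | legacy_listeners; fi

# remediate UNIT PACKAGE (root): stop the running instance, stop it starting at
# boot, then remove the package so it cannot be re-enabled. Each step alone is
# insufficient: stop is undone by reboot, disable leaves it running now.
remediate() {
    systemctl stop "$1"
    systemctl disable "$1"             # systemctl mask "$1" would also block manual starts
    apt-get purge -y "$2"
    systemctl is-active "$1" || true   # expect: inactive
}
# Example (root): remediate vsftpd vsftpd; remediate inetd openbsd-inetd
# Cross-check afterwards: systemctl list-units --type=service --state=running; ss -tlnp
```

Telnet and the r-services are usually spawned by inetd rather than running as their own units, which is why the sample shows inetd on port 23: the unit to stop is the superserver, or the service line in its configuration.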
