International School
Capstone Project 2
CMU-CS451
Testing Document
Version 1.0 Date: 28-5-2021
for Hai Dang Travel company
Submitted by
Hieu, Le Quang
Vu, Duong The
Khai, Tran Dinh
Hoang, Duong Ngoc
Approved by Assoc Prof Nguyen Gia Nhu
Proposal Document Review Panel Representative:
Name Signature Date
Capstone Project 2 Mentor:
Name Signature Date
PROJECT INFORMATION
Project acronym: ML-IDS
Project Title: Implement IDS system integrating machine learning for Hai Dang Travel company
Lead Institution: International School, Duy Tan University
Scrum Master / Project Leader & contact details:
Vu, Duong The Email: thevudn16021999@gmail.com Tel: 0924037054
Hieu, Le Quang Email: hieulw99@gmail.com Tel: 0905974123
Khai, Tran Dinh Email: Khaitran9499@gmail.com Tel: 0707375015
Hoang, Duong Ngoc Email: duonghoang159357@gmail.c
REVISION HISTORY
Table of Contents
Table of Contents 3
1 Introduction 4
1.1 Purpose 4
1.2 Scope 4
2 Scenario deployment 4
2.1 Scenario 1: DDoS attack 7
2.2 Scenario 2: Brute Force Attack 9
2.3 Scenario 3: SQL Injection Attack 10
3 Conclusion 12
Table of Figures
Figure 1 Setup Metasploitable 5
Figure 2 Metasploitable's UI 5
Figure 3 Run Firewall 6
Figure 4 Tab used to capture packets from outside 6
Figure 5 Tab used to analyze packets 6
Figure 6 DDoS attack tool 7
Figure 7 2nd tab sends results for 1st tab 8
Figure 8 Information recorded 8
Figure 9 Result on phone 8
Figure 10 Scan for Host 9
Figure 11 Hydra's scan result 10
Figure 12 Information recorded 10
Figure 13 SQL Injection attack with SQLmap 11
Figure 14 Sqlmap is attacking to Metasploitable 11
Figure 15 The result recorded 11
Figure 16 Result on phone 11
1 Introduction
1.1 Purpose
The testing document is a detailed document that describes the test strategy, objectives, schedule, estimation, deliverables, and resources required to perform testing for a system.
Through this document, we will have a closer look at what the system can do and at the shortcomings that need to be overcome, based on the detailed results.
1.2 Scope
– Test all the functions of the system against the following three criteria:
+ Accuracy
+ Security
+ Performance
– Compare the results of the tests with the requirements in the requirements document to assess the completeness of the system.
2 Scenario deployment
An intrusion detection system allows businesses to protect their networks from threats. With increased network connectivity and growing reliance on information systems, cybersecurity is becoming increasingly imperative, and corporate network administrators are asking whether to use an IDS or not.
An intrusion detection system (IDS) is the solution to the above problem. Using an IDS helps the network of the business operate normally and smoothly, avoiding the risk of data destruction by an attacker, whether inside the network or on the Internet.
The most important features of an IDS are:
+ Monitoring: watch the network and its suspicious activities.
+ Warning: report the network status to the system and the administrator.
+ Security: use the settings and configuration from the administrator to take appropriate action against intruders and vandals.
Step 1: Install the Metasploitable virtual machine on VMware as the vulnerable host to attack.
Figure 1 Setup Metasploitable
Below is the result after Metasploitable is successfully set up.
Figure 2 Metasploitable's UI
Step 2: Start a firewall with an integrated IDS.
The firewall is assigned two IP addresses:
+ IP 10.0.2.2/24 is used to connect to Metasploitable.
+ IP 192.168.20.129/24 is used to connect to the Internet.
Figure 3 Run Firewall
After that, we will run the firewall on two Windows PowerShell tabs:
On the first tab we run the command "cicflowmeter -i ens35 -c out.csv -u http://localhost:8000/predict" so that the firewall receives the incoming packets via ens35 and sends the extracted flows to localhost.
Figure 4 Tab used to capture packets from outside
On the second tab we receive the flows sent from the first tab, analyze whether each one is dangerous, and return the result to the first tab.
Figure 5 Tab used to analyze packets
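To make the two-tab pipeline concrete, here is an added example (not the project's own code) of the analysis side: a minimal HTTP service on localhost:8000 whose /predict endpoint accepts one flow record per POST, as cicflowmeter's -u option sends, returns a Benign/Malicious verdict with a confidence score, and rate-limits the administrator alerts. The classifier is a stand-in scorer keyed on SYN count and packet rate, and the JSON field names (src_ip, dst_ip, dst_port, syn_flag_cnt, flow_pkts_s) are assumed rather than taken from the page.

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

ALERT_THRESHOLD, ALERT_COOLDOWN = 0.5, 300  # score cutoff; seconds between SMS per src->dst pair
_last_alert = {}                            # (src_ip, dst_ip) -> time of the last alert sent

def score_flow(flow):
    # Stand-in for the trained classifier (an assumption, not the project's model):
    # a high SYN count and packet rate are the traits of a SYN flood.
    score = 0.05
    if flow.get("syn_flag_cnt", 0) >= 50:
        score += 0.50
    if flow.get("flow_pkts_s", 0.0) >= 1000:
        score += 0.40
    return min(score, 0.99)

def classify(flow):
    # The verdict the first tab records: label plus confidence.
    score = score_flow(flow)
    return {"src_ip": flow["src_ip"], "dst_ip": flow["dst_ip"], "dst_port": flow["dst_port"],
            "label": "Malicious" if score >= ALERT_THRESHOLD else "Benign",
            "score": round(score, 4)}

def should_alert(verdict, now):
    # Text the administrator only for Malicious verdicts, and at most once per
    # src->dst pair per cooldown, so a flood does not become thousands of SMS.
    if verdict["label"] != "Malicious":
        return False
    key = (verdict["src_ip"], verdict["dst_ip"])
    if key in _last_alert and now - _last_alert[key] < ALERT_COOLDOWN:
        return False
    _last_alert[key] = now
    return True

def alert_text(verdict):
    return "ML-IDS: suspicious flow %(src_ip)s -> %(dst_ip)s:%(dst_port)s (%(label)s, %(score).2f)" % verdict

class PredictHandler(BaseHTTPRequestHandler):
    def do_POST(self):  # cicflowmeter -u posts one flow record per request
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        verdict = classify(json.loads(body))
        if should_alert(verdict, time.time()):
            print("would send SMS:", alert_text(verdict))  # the Twilio API call goes here
        out = json.dumps(verdict).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":
    HTTPServer(("localhost", 8000), PredictHandler).serve_forever()
```

Run it, then point cicflowmeter at http://localhost:8000/predict; the print is where the Twilio call that produces the phone message would go.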
2.1 Scenario 1: DDoS attack
Scenario's Purpose: This scenario requires the sniffer to react when too many TCP SYN packets are sent to it (a SYN flood DDoS attack is suspected). In this situation the sniffer has to send a request to the machine learning model, asking it to notify the administrator.
Preparation: Download and install a DDoS attack support tool; here we use Low Orbit Ion Cannon (LOIC) and run it in a Linux environment.
LOIC is an open-source network stress testing and denial-of-service attack application, written in C#.
Step 1: Launch LOIC.
Here, enter the URL of the Metasploitable virtual machine's address, "http://10.0.2.197"; the port to attack is 80, the attack method is UDP and the number of threads is 100.
Figure 6 DDoS attack tool
This tool continuously sends SYN packets to the target, flooding it, with the aim of disrupting the services running on the target and causing it to crash.
Port 80 is the port commonly used by the Hypertext Transfer Protocol (HTTP) to transfer data between web servers and web browsers and vice versa. In other words, when you type an address into a web browser, the browser sends a request via HTTP to the web server, and the web server receives this request and returns the result to the browser.
Step 2: Check the status of packets in the Firewall
Figure 7 2nd tab sends results for 1st tab
The second tab analyzed the packets and sent the results to the first.
Figure 8 Information recorded
The first tab records the information that was analyzed in the second tab. In the picture we can see:
Packets are transmitted from the addresses 10.0.2.1 and 10.0.2.2 through the ports 68, 51493 and 51490 to the addresses 255.255.255.255 and 10.0.2.197 through the ports 67, 80, 3702, etc.
The right column shows the status of the packets that the IDS system has analyzed:
+ Benign means that the packet is normal and nothing dangerous.
+ Malicious means that the packet is considered dangerous.
The number next to it indicates the confidence of that analyzed result.
In the same image, we can also see that the packets sent from address 10.0.2.1 to address 10.0.2.197 via port 80 were identified as malicious. These results match exactly what we set in LOIC.
Step 3: Check the phone
Figure 9 Result on phone
Here is a message sent to my phone from Twilio stating that something was wrong with the flows from 10.0.2.1 to 10.0.2.197.
Twilio is an American cloud communications platform as a service (CPaaS) company based in San Francisco, California. Twilio allows software developers to programmatically make and receive phone calls, send and receive text messages, and perform other communication functions using its web service APIs.
This proves that the IDS system can correctly detect the DDoS attack and send a notification to the administrator so that appropriate action can be taken to stop that attack.
2.2 Scenario 2: Brute Force Attack
Scenario's Purpose: This scenario requires the evaluator to react when a series of flows is sent to the server in order to find the correct password. In that situation the sniffer has to send a request to the machine learning model, asking it to notify the administrator.
Preparation: Download and install Nmap & Hydra on Linux.
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.
Hydra is a parallelized network logon cracker built into various operating systems like Kali Linux, Parrot and other major penetration testing environments. Hydra works by using different approaches to perform brute-force attacks in order to guess the right username and password combination. Hydra is commonly used by penetration testers together with a set of programs like crunch, cupp, etc., which are used to generate wordlists. Hydra is then used to test the attacks using the wordlists that these programs created.
Step 1: We will use Nmap to scan port 22, which is the port of the SSH service. In this test, we scan the network containing 10.0.2.197, which is the Metasploitable address, with the command "nmap 192.168.1.0 -p22".
Figure 10 Scan for Host
The result shows that SSH is open at address 10.0.2.197.
Step 2: Use Hydra to attack the scanned address
Figure 11 Hydra's scan result
The command used is: "hydra -s 22 -l msfadmin -P /home/huy2/Desktop/Passlist.txt -t 16 10.0.2.197 ssh"
Here "22" is the port, "msfadmin" is the user name, "/home/huy2/Desktop/Passlist.txt" is the path to the file that collects the candidate passwords we have gathered, "10.0.2.197" is the attacked address and "ssh" is the service that will be attacked.
The above image shows the Metasploitable password "msfadmin". The password is exactly the same as the password set earlier.
Step 3: Check the status of packets in Firewall
Figure 12 Information recorded
The results show that the firewall was able to capture the incoming attack packets, but the returned verdict for those packets was Benign, and on the phone we did not get any notification. This shows that the Brute Force attack passed through our system undetected.
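Because the model returned Benign for the Hydra flows, a defender would put a rule-based cross-check beside it. The following is an added example, not the project's code: it counts SSH flows per source within a sliding window over constructed flow records (field names assumed) and flags a source that opens more than a set number of connections to the same server, which is exactly the traffic pattern Hydra's parallel logins produce regardless of what label the model assigns.

```python
from collections import defaultdict, deque

SSH_PORT = 22
WINDOW_S = 60       # sliding window in seconds
MAX_ATTEMPTS = 10   # SSH flows from one source to one server inside the window before flagging

# Constructed sample in the shape the first tab logs (field names assumed):
# one record per TCP connection that CICFlowMeter closed. The first block
# imitates Hydra with -t 16: many short SSH flows from one source within seconds.
SAMPLE_FLOWS = [
    {"timestamp": 1622200000.0 + i * 0.5, "src_ip": "10.0.2.50",
     "dst_ip": "10.0.2.197", "dst_port": 22, "flow_duration": 0.8, "label": "Benign"}
    for i in range(32)
] + [
    # one long admin session and one web request: normal traffic that must not be flagged
    {"timestamp": 1622200003.0, "src_ip": "10.0.2.30", "dst_ip": "10.0.2.197",
     "dst_port": 22, "flow_duration": 540.0, "label": "Benign"},
    {"timestamp": 1622200004.0, "src_ip": "10.0.2.1", "dst_ip": "10.0.2.197",
     "dst_port": 80, "flow_duration": 0.3, "label": "Benign"},
]

def find_ssh_bruteforce(flows, window=WINDOW_S, max_attempts=MAX_ATTEMPTS):
    """Return {src_ip: peak_count} for sources with more than max_attempts SSH
    flows to the same server inside any window, regardless of the ML label."""
    recent = defaultdict(deque)   # (src_ip, dst_ip) -> timestamps still inside the window
    flagged = {}
    for f in sorted(flows, key=lambda r: r["timestamp"]):
        if f["dst_port"] != SSH_PORT:
            continue
        q = recent[(f["src_ip"], f["dst_ip"])]
        q.append(f["timestamp"])
        while f["timestamp"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            flagged[f["src_ip"]] = max(flagged.get(f["src_ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for src, n in find_ssh_bruteforce(SAMPLE_FLOWS).items():
        print("possible SSH brute force from %s: %d connections in %ds" % (src, n, WINDOW_S))
```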
2.3 Scenario 3: SQL Injection Attack
Scenario's Purpose: In this scenario we inject malicious code into the website under attack, asking the machine learning model to analyze the malicious traffic without relying on the request payload. The machine learning model then decides whether there is danger or not and notifies the administrator.
Preparation: Download and install SQLmap.
Sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Step 1: Open a terminal and type the following command:
sqlmap -u "http://10.0.2.254/mutillidae/index.php?page=user-info.php" --batch --forms
-u: the URL of the target
SQLmap detects the target's vulnerability and gives out information about it.
Figure 13 SQL Injection attack with SQLmap
Figure 14 Sqlmap is attacking to Metasploitable
Step 2: Check the status of packets in the Firewall
Figure 15 The result recorded
According to the above image, we can see that the packets sent from address 10.0.2.89 to address 10.0.2.254 via port 80 were identified as malicious with an estimated confidence of 70.39%.
Step 3: Check the phone
Figure 16 Result on phone
Here is a message sent to my phone from Twilio stating that something was wrong with the flows from 10.0.2.89 to 10.0.2.254.
The above results show that the IDS system can detect the intrusion, but its confidence is still not as high as for the DDoS attack, and there is a possibility of missing dangerous flows.
3 Conclusion
The three tests above show clearly that the system can detect a DDoS attack quickly and with high accuracy; the accuracy under the SQL injection attack is lower but still acceptable; and for the Brute Force attack the system was completely unable to detect the intrusion.
This demonstrates that the system still needs more training to detect intrusions more accurately.