From c1a122e1edf747676190ec6bbc4c999de609a034 Mon Sep 17 00:00:00 2001 From: anabasis Date: Sat, 22 Mar 2025 07:51:26 -0400 Subject: [PATCH 1/5] add trickanomicon --- trickanomicon-lite.html | 1365 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 1365 insertions(+) create mode 100644 trickanomicon-lite.html diff --git a/trickanomicon-lite.html b/trickanomicon-lite.html new file mode 100644 index 0000000..9335568 --- /dev/null +++ b/trickanomicon-lite.html @@ -0,0 +1,1365 @@ + + + + + + + Trickanomicon + + + + + + + + +
+

Trickanomicon

+
+ +

FreeBSD

+

Package Manager

+ +

Monitoring Services

+ +
#!/bin/sh
+
+my_example_service code
+
+ +

Checking Network Connections

+ +

Changing File Flags

+ +

System Configuration Files

+ +

The Kernel Securelevel

+ +

Linux Persistent Iptables Service

+

NOTE: Using systemd

+

1. Creating the Backup Script

+ +

2. Creating the Service

+ +

Linux Splunk Changes

+

Pre-Execution Script Changes

+

All changes pertain to the splunk.sh script (competition-resources/Splunk/splunk.sh)

+
    +
  1. Change INDEXER to the ip address of the splunk instance (receiver)
  2. +
  3. Changed PASS to a different password
  4. +
  5. Remove the else branch from the “if ! restart_splunk” (lines 126-128)
  6. +
+

Post script execution

+

Manually add source(s) to monitor:

+
    +
  1. Select a file (or entire directory) to monitor
  2. +
  3. Talk to a captain to obtain the index to use (most likely either “linux” or “windows”)
  4. +
  5. Change directory into the $SPLUNK_HOME/bin directory (most likely /opt/splunkforwarder)
  6. +
  7. Run a command like sudo ./splunk add monitor /path/to/thing/to/monitor -index <name of index>
  8. +
+

In the case where the chosen source is already being monitored (and you need to change something about how it is being monitored… e.g., changing the index):

+
    +
  1. Change directory into the $SPLUNK_HOME/bin directory
  2. +
  3. Run the command sudo ./splunk remove monitor /path/to/thing/to/monitor
  4. +
  5. Follow the previous set of steps to re-add the source as a monitor
  6. +
+

These commands edit the file at the path $SPLUNK_HOME/etc/apps/search/local/inputs.conf. Do what you will with this information. It should be noted that making manual changes usually requires a restart of the splunk daemon to take effect. To do this: sudo $SPLUNK_HOME/bin/splunk restart

+

Linux CCDC Basic Checklist

+

1. Network Scanning & Enumeration

+

Nmap Scanning

+ +

2. User & Password Management

+

Reset Passwords

+

(expects /etc/passwd copy with only accounts you want to reset the password for to be in the file)

+

Without saving passwords:

+
for user in $(cat ./users | awk -F: '{print $1}'); do echo "$user:m0Nk3y!m0Nk3y!" | sudo chpasswd; done
+

With saving passwords to a file:

+
for user in $(cat ./users | awk -F: '{print $1}'); do echo "$user:m0Nk3y!m0Nk3y!" | tee -a ./new_passwords | sudo chpasswd; done
+

Create a New User

+
useradd user -m -s /bin/bash -g sudo
+ +

Disable Accounts

+
usermod -L <user>
+

Enable Accounts

+
usermod -U <user>
+

3. SSH Security & Key Management

+

Rotate SSH Keys

+ +

Secure /etc/ssh/sshd_config

+ +

4. System & Service Management

+

System Logs

+ +

Systemctl Commands

+ +

5. Process & Cron Job Monitoring

+

Active Processes & Connections

+ +

Crontab & Scheduled Tasks

+ +

6. Security Hardening & Permissions

+

Remove SUID Binaries

+ +

Secure /etc/sudoers

+ +

7. Incident Response & Documentation

+

Kill Active Sessions

+ +

Backups

+ +

Documentation

+ +

Cisco Firepower Firewall

+

Note: The web interface and command line interface may be split on two different machines. Make sure that passwords are reset on both the web and command line interface.

+

Reset Passwords on the Web Interface

+
    +
  1. Log in to the web interface as a user with administrator access.
  2. +
  3. Navigate to System > Users, and click the edit icon (a pencil) for each user.
  4. +
  5. Enter the new password in the Password and Confirm Password fields.
  6. +
  7. Click Save. If prompted to restart the device, then restart.
  8. +
  9. Verify that the passwords were changed for all users.
  10. +
+

Reset Passwords on the Command Line Interface

+
    +
  1. Log in to the administrator account over SSH or with the console.
  2. +
  3. If you do not immediately boot into a Linux shell, enter the command expert to access the Linux shell.
  4. +
  5. At the shell prompt enter the command sudo passwd (the name of the user) to change passwords for all users.
  6. +
  7. Enter the command exit to exit the shell/interface.
  8. +
  9. Verify that the passwords were changed for all users.
  10. +
+

Keycloak

+

Installation

+ +
docker run -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.1.3 start-dev
+ +

Accounts Setup

+
# start production server (need to provide TLS certs)
+bin/kc.sh start --bootstrap-admin-username admin --bootstrap-admin-password admin
+
+# start development server
+bin/kc.sh start-dev --bootstrap-admin-client-id tmpadm --bootstrap-admin-client-secret secret
+
+# create temporary admin user (done without server running)
+bin/kc.sh bootstrap-admin user # --username tmpadm --password:env PASS_VAR (optional)
+
+# create temporary service user
+bin/kc.sh bootstrap-admin service # --client-id tmpclient --client-secret:env=SECRET_VAR (optional)
+

Authentication & Usage of Keycloak

+ +

MariaDB and MySQL

+

MySQL Config File

+

When installed, the mysql service will automatically start and run upon system startup on port 3306. The config file is stored in /etc/mysql/mysql.conf.d/mysqld.cnf.

+

MariaDB Config File

+

When installed, the mysql service will automatically start and run upon system startup on port 3306. The config files are stored in /etc/mysql/my.cnf and /etc/mysql/mariadb.conf.d/50-server.cnf (this file contains Maria-DB server specific settings).

+

Securing the Services and Databases

+

The config file:

+ +

The service files:

+ +

Passwords:

+ +

Auditing Users:

+ +

Removing unwanted users:

+ +

Backing up the databases:

+ +

Restoring the databases:

+ +

MariaDB and MySQL Hardening

+
    +
  1. Log in to the mysql/mariadb console with sudo mysql -u root -p
  2. +
  3. Root’s password may be blank if it is not provided during the competition
  4. +
  5. If you can not log in, ensure the mysql service has properly started without logging errors (broken config file, networking error, etc.)
  6. +
  7. In MySQL, run USE mysql;
  8. +
  9. Change root user’s password +
      +
    • If you’re on MySQL, run ALTER USER ‘root’@‘localhost’ IDENTIFIED WITH mysql_native_password BY ‘’;
    • +
    • If you’re on MariaDB, run ALTER USER ‘root’@‘localhost’ IDENTIFIED BY ‘’;
    • +
  10. +
  11. Run FLUSH PRIVILEGES;
  12. +
  13. Verify/edit the appropriate config file +
      +
    • MySQL: /etc/mysql/mysql.conf.d/mysqld.cnf
    • +
    • MariaDB: /etc/mysql/my.cnf and /etc/mysql/mariadb.conf.d/50-server.cnf
    • +
    • Verify that user is set to mysql
    • +
    • Verify that the port is set correctly (3306 by default)
    • +
    • Verify that the bind-address is set correctly
    • +
    • Add the line local-infile = 0 somewhere underneath the [mysqld] section
    • +
    • Save changes and restart mysql with sudo systemctl restart mysql
    • +
  14. +
  15. Audit users +
      +
    • Log in to the mysql/mariadb console
    • +
    • run SELECT User, Host FROM mysql.user; to view all users and their host values
    • +
    • Make sure host values are either a valid IP address or localhost. No user should have a host value of %.
    • +
    • To change a user’s host value, run the command RENAME USER ‘(username)’@‘(current_host)’ TO ‘(username)’@‘(new_host)’; Then run FLUSH PRIVILEGES; to apply the changes.
    • +
    • Remove unneeded users with DROP USER (username);
    • +
  16. +
  17. Create backups +
      +
    • While the MySQL service is running, run sudo mysqldump –all-databases –routines -u root -p > (path to backup .sql file)
    • +
    • Create a copy of the config file: sudo cp (path to config file) (path to backup config file)
    • +
    • Create backups of the mysql service files used by systemctl +
        +
      • /lib/systemd/system/ and/or /etc/systemd/system/
      • +
    • +
  18. +
+

PostgreSQL Hardening

+
    +
  1. Log in to the PostgreSQL console with sudo psql
  2. +
  3. Root’s password may be blank if it is not provided during the competition
  4. +
  5. If you can not log in, ensure the PostgreSQL service has properly started without logging errors (broken config file, networking error, etc.)
  6. +
  7. Change root user’s password +
      +
    • In PostgreSQL, run ALTER USER root WITH PASSWORD ‘(new password)’;
    • +
    • Alternatively, use ***
    • +
  8. +
  9. Verify/edit the config files in /etc/postgresql/(version number)/main +
      +
    • pg_hba.conf +
        +
      • Client Authentication Config File
      • +
      • Controls which hosts can connect to the PostgreSQL server, how clients are authenticated, which users they can log in as, and which databases they can access
      • +
      • Remove all suspicious entries from the file
      • +
      • Check for out-of-place users and hosts
      • +
    • +
    • postgresql.conf +
        +
      • Main Config File for PostgreSQL
      • +
      • Important fields +
          +
        • listen_addresses: which IPs to listen on
        • +
        • port: should always be set to 5432
        • +
        • password_encryption
        • +
      • +
    • +
  10. +
  11. Audit users +
      +
    • Log in to the PostgreSQL console
    • +
    • Run \duS+ to view all users and their permissions
    • +
    • Remove unneeded users with DROP USER (username);
    • +
  12. +
  13. Create backups +
      +
    • While the PostgreSQL service is running, run sudo pg_dumpall > postgresql_dump
    • +
    • Create a copy of the config files: sudo cp -r /etc/postgresql/(version number)/main /path/to/backup/directory
    • +
    • Also a good idea to backup the files for the postgreSQL service for systemctl should those files be altered or deleted +
        +
      • Located in /lib/systemd/system/ and/or /etc/systemd/system/
      • +
    • +
  14. +
+

PostgreSQL

+

Config Files

+ +

The service files:

+ +

Passwords:

+ +

Auditing Users:

+ +

Removing unwanted users:

+ +

Backing up the databases:

+ +

Restoring the databases:

+ +

Salt

+

https://docs.saltproject.io/en/latest/topics/tutorials/walkthrough.html

+

Commands (Execution Modules)

+

Basics

+
# ping minions
+sudo salt '*' test.ping
+
+# list version
+sudo salt -v '*' test.version
+
+# install command
+sudo salt -v '*linux*' pkg.install vim
+
+# apply /srv/salt/test.sls
+sudo salt -v '*linux*' state.apply test
+
+# run commands (can use pipes, command substitution, etc.)
+sudo salt '*linux*' cmd.run 'uptime'
+
+# execute other code
+sudo salt '*' cmd.exec_code perl 'print("hello")'
+sudo salt '*' cmd.exec_code ruby 'puts "cheese"' args='["arg1", "arg2"]' env='{"FOO": "bar"}'
+

Copying Files

+
# put files into /srv/salt to use salt://
+sudo salt '*linux*' cp.get_file salt://files/reset_passwords.pl /tmp/reset_passwords.pl
+
+sudo salt '*linux*' cp.get_dir salt://files /tmp/files
+sudo salt '*win*' cp.get_dir salt://files C:/ # no \
+
+sudo salt-cp '*linux*' src dest # slower
+
+# push files from minion; /var/cache/salt/master/minions/minion-id/files
+sudo salt '*linux*' cp.push_dir /var/www/html/index.html
+sudo salt '*linux*' cp.push_dir /var/www/html
+

User Administration

+
# user management
+sudo salt 't*' user.add jp2
+
+# get users
+sudo salt '*' ps.get_users
+
+# add/remove user to group
+sudo salt '*' group.adduser group user 
+sudo salt '*' group.deluser group user
+
+# delete group
+sudo salt '*' group.delete group
+
+# get all group info
+sudo salt '*' group.getent
+
+# set group members (replaces users)
+sudo salt '*' group.members group 'user1,user2,user3'
+
+# set password
+sudo salt '*' shadow.gen_password 'password'
+sudo salt '*' shadow.set_password someuser 'hash'
+

System Info

+
# get disk partitons
+sudo salt '*' ps.disk_partitions
+
+# get running processes
+sudo salt '*' ps.status running
+sudo salt '*' ps.top
+sudo salt 'linux*' ps.aux '.*'
+sudo salt '*' ps.get_pid_list
+

Services & More

+
# crontabs!!! (list/add/remove)
+sudo salt '*' cron.ls user
+sudo salt '*' cron.set_job root '*' '*' '*' '*' '*' cmd
+sudo salt '*' cron.set_special root @hourly 'echo foobar'
+
+# install wordpress
+sudo salt '*' wordpress.install /var/www/html apache dwallace password123 dwallace@example.com "Daniel's Awesome Blog" https://blog.dwallace.com
+
+# mysql
+sudo salt '*' mysql.db_create 'dbname'
+sudo salt '*' mysql.db_remove 'dbname'
+sudo salt '*' mysql.query 'dbname' 'DELETE from users where id = 4 limit 1'
+
+# services
+sudo salt '*' service.get_all
+sudo salt '*' service.restart service
+sudo salt '*' service.start service
+sudo salt '*' service.stop service
+

Sample .sls File

+
network_utilities:
+  pkg.installed:
+    - pkgs:
+      - rsync
+      - curl
+
+nginx_pkg:
+  pkg.installed:
+    - name: nginx
+
+nginx_service:
+  service.running:
+    - name: nginx
+    - enable: True
+    - require:
+      - pkg: nginx_pkg
+

Firewall Rules

+

Minion Rules

+
sudo salt '*' iptables.build_rule match=conntrack connstate=RELATED,ESTABLISHED jump=ACCEPT
+
+sudo salt 't*' cmd.run 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
+sudo salt 't*' cmd.run 'iptables -A OUTPUT -d 10.3.12.150 -p tcp --dport 4505 -j ACCEPT'
+sudo salt 't*' cmd.run 'iptables -A OUTPUT -d 10.3.12.150 -p tcp --dport 4506 -j ACCEPT'
+

Master Rules

+
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+sudo iptables -A INPUT -i lo -p tcp -m multiport --dports 4505:4506 -j ACCEPT # allow salt localhost comm
+sudo iptables -A INPUT -p tcp -m multiport --dports 4505:4506 -j ACCEPT # minion comm
+
+sudo iptables -A OUTPUT -p tcp -m iprange --dst-range 10.3.12.1-10.3.12.4 -j ACCEPT
+
+sudo iptables -A INPUT -i lo -p tcp -m multiport --dports 4505:4506 -j ACCEPT
+sudo iptables -A INPUT -p tcp -m multiport --dports 4505:4506 -j ACCEPT
+
+sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # inbound
+sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # outbound
+

Wordpress

+

Source: https://www.wpbeginner.com/wordpress-security/

+

Checklist

+
    +
  1. Reset Password +
      +
    • Click on profile (top right)
    • +
    • Scroll down to “Set New Password”
    • +
    • Default user is admin
    • +
  2. +
  3. Check when wp-config.php was last edited +
      +
    • ls -lt /var/www/html/wp-config.php
    • +
  4. +
  5. Check for any file types of .php, .js, .exe +
      +
    • ls -la /var/www/html/wp-content/uploads
    • +
  6. +
  7. Verify Wordpress Database Information +
      +
    • First, begin a mysql session and select the wordpress database: +
        +
      • show databases;
      • +
      • use wordpress;
      • +
      • show tables;
      • +
    • +
    • Verify Default Wordpress Tables: +
        +
      • wp_commentmeta
      • +
      • wp_comments
      • +
      • wp_links
      • +
      • wp_options
      • +
      • wp_postmeta
      • +
      • wp_posts
      • +
      • wp_term_relationships
      • +
      • wp_term_taxonomy
      • +
      • wp_termmeta
      • +
      • wp_terms
      • +
      • wp_usermeta
      • +
      • wp_users
      • +
    • +
    • Things to look for: +
        +
      • select * from wp_options where option_name=‘active_plugins’;
      • +
      • select * from wp_options where option_name=‘cron’;
      • +
    • +
  8. +
  9. Plugins +
      +
    • Default plugins: +
        +
      • Akismet Anti-Spam
      • +
      • Hello Dolly
      • +
    • +
  10. +
  11. Updates +
      +
    • make sure you are on latest version of wordpress (can find this under the “Updates” section)
    • +
    • make sure plugins are up to date
    • +
  12. +
  13. Backups +
      +
    • take a backup of the entire /var/www/html directory +
        +
      • tar -czvf www-backup.tar.gz /var/www/html
      • +
    • +
  14. +
  15. Disable File editing +
      +
    • in wp-config.php add the following line +
        +
      • define( ‘DISALLOW_FILE_EDIT’, true );
      • +
    • +
  16. +
  17. Security Plugins +
      +
    • “Limit Login Attempts Reloaded” +
        +
      • Default settings: +
          +
        • 4 allowed retries
        • +
        • 20 minutes lockout
        • +
        • 4 lockouts increase lockout time to 24hrs
        • +
      • +
      • Can configure settings under “Settings” Tab by the plugins name
      • +
    • +
  18. +
+

Windows Notes

+

By: Aaron Sprouse and Dylan Harvey

+

Set TLS Settings for Downloading (any download + splunk)

+
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
+

Require Kerberos Preauth on all Accounts

+
Get-ADUSer -Filter 'DoesNotRequirePreAuth -eq $true ' | Set-ADAccountControl -doesnotrequirepreauth $false
+

Download Sysinternals

+
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile "C:\sysinternals.zip";
+Expand-Archive -Path "C:\sysinternals.zip" -DestinationPath "C:\sysinternals\"
+

Remove WMI Event Subscribers

+
Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer
+
+Get-WmiObject -Namespace root/subscription -Class __EventFilter
+
+Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding
+
+Get-WmiObject -Class __IntervalTimerInstruction
+
+<command> | Remove-WmiObject
+

Bins to Remove

+ +

Windows Splunk Changes

+
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
+

splunk.ps1

+ +

Once Installed

+

Check Config

+
C:\Program Files\SplunkUniversalForwarder\etc\system\local\ inputs.conf outputs.conf
+

Check Log

+
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\ splunkd.log
+

Restart the Service (logs may not send otherwise)

+
Restart-Service SplunkForwarder
+

inputs.conf

+
[default]
+host = ${HOSTNAME}
+
+[WinEventLog] 
+index = windows
+checkpointInterval = 5
+
+[WinEventLog://Security]
+disabled = 0
+index = windows
+
+[WinEventLog://Application]
+disabled = 0
+index = windows
+
+[WinEventLog://System]
+disabled = 0
+index = windows
+
+[WinEventLog://DNS Server]
+disabled = 0
+index = windows
+
+[WinEventLog://Directory Service]
+disabled = 0
+index = windows
+
+[WinEventLog://Windows Powershell]
+disabled = 0
+index = windows
+
+[WinEventLog://Microsoft-Windows-Sysmon/Operational]
+current_only = 0
+disabled = 0
+start_from = oldest
+index = windows
+renderXml = false
+
+[WinEventLog://Microsoft-Windows-Sysmon/Operational]
+current_only = 0
+disabled = 0
+start_from = oldest
+index = windows
+renderXml = false 
+ + From 3abc709daaa9f6b47606d7f724c924a829abd5ce Mon Sep 17 00:00:00 2001 From: anabasis Date: Sat, 22 Mar 2025 07:59:41 -0400 Subject: [PATCH 2/5] update team --- contact.html | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/contact.html b/contact.html index a2f5a87..aeba060 100644 --- a/contact.html +++ b/contact.html @@ -46,11 +46,11 @@
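Review bot: In the trickanomicon-lite.html hunk, the MariaDB/MySQL hardening step titled "Change root user's password" gives commands that set an empty password, `ALTER USER ‘root’@‘localhost’ IDENTIFIED WITH mysql_native_password BY ‘’;` and the MariaDB form `ALTER USER ‘root’@‘localhost’ IDENTIFIED BY ‘’;`; use a placeholder such as '(new password)' as the PostgreSQL section already does, and replace the typographic quotes and the en-dashes in the `mysqldump –all-databases –routines` line with ASCII ' and --, since the text as rendered fails when pasted into a shell or mysql prompt. Other items in the same hunk: the PostgreSQL step runs `sudo psql` and `ALTER USER root`, but the superuser PostgreSQL creates is postgres and the usual entry point is `sudo -u postgres psql`, and the "Alternatively, use ***" bullet is an unfilled placeholder; `useradd user -m -s /bin/bash -g sudo` makes sudo the primary group, where `-G sudo` is the supplementary-group form that was almost certainly intended; the Keycloak examples pass admin/admin on the command line even though the `--password:env PASS_VAR` form is shown a few lines later, so prefer the env form to keep the secret out of shell history; the SecurityProtocol assignment (present twice) lists tls11 and tls, which re-enables TLS 1.0 and 1.1 when Tls12 alone suffices for the download; the `[WinEventLog://Microsoft-Windows-Sysmon/Operational]` stanza in inputs.conf is duplicated verbatim, as are the two `--dports 4505:4506` rules in the Master Rules block, and that INPUT rule accepts 4505/4506 from any source while the OUTPUT rule already names the minion range, so `-m iprange --src-range` would narrow it; finally, `iptables.build_rule` only returns a rule string and does not apply it, which the following `cmd.run 'iptables -A ...'` lines quietly work around, and the FreeBSD monitoring script body is still the placeholder `my_example_service code`.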

Nick DiGennaro

- +
-

Mike Ni

+

Blake Boulanger

Secretary

-

mini@g.clemson.edu

+

bboulan@g.clemson.edu
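Review bot: Patch 4/5 in this same series reverses the Secretary change made here (Blake Boulanger back to Mike Ni), so either squash the two patches or say in the commit message why the entry changes twice; "update team" does not explain it. The email domains also disagree across the series: `bboulan@g.clemson.edu` in this hunk versus `bboulan@clemson.edu` and `mini@clemson.edu` in patch 4/5, and only one can be the address that actually receives mail.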

@@ -63,6 +63,16 @@

Siddarth Thumsi

sthumsi@g.clemson.edu

+
+
+
+ +
+

Dylan Harvey

+

Social Media Manager

+

dharve3@g.clemson.edu

+
+
+ {% for officer in page.officers %} +
+
+
+ picture of {{ officer.name }} +
+

{{ officer.name }}

+

{{ officer.designation }}

+

{{ officer.email }}

+
+
+ {% endfor %}
-

Find us in the Watt Center

+

Find us in the Watt Family Innovation Center

- We meet weekly in the Watt center, see our calendar for times. + We meet weekly in the Watt Family Innovation Center, see our calendar for times.
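Review bot: The `{% for officer in page.officers %}` loop added at the end of this hunk renders the same people who remain hard-coded above it (patch 4/5 shows `page.officers` containing Nick DiGennaro and Siddharth Thumsi, both still present here as static markup), so the page will list those officers twice once the front matter is populated; remove the static blocks in the same change rather than leaving both paths live. Also, `Siddarth Thumsi` in the static markup and `Siddharth Thumsi` in the front matter disagree on spelling, and the new hard-coded Dylan Harvey block is removed from the front matter again by patch 4/5, so it should not be introduced here as static HTML at all.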


From 28624f9d587bf99aba7206e6fb3b2d30352c2068 Mon Sep 17 00:00:00 2001 From: anabasis Date: Sat, 22 Mar 2025 08:06:04 -0400 Subject: [PATCH 4/5] update team3 --- contact.html | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/contact.html b/contact.html index 90969f1..8a67e2d 100644 --- a/contact.html +++ b/contact.html @@ -17,18 +17,14 @@ designation: Vice President email: ndigenn@clemson.edu picture: /images/team/nick_d.jpg - - name: Blake Boulanger + - name: Mike Ni designation: Secretary - email: bboulan@clemson.edu - picture: /images/team/bboulan.jpg + email: mini@clemson.edu + picture: /images/team/mike_n.jpg - name: Siddharth Thumsi designation: Treasurer email: sthumsi@clemson.edu picture: /images/team/sid_t.png - - name: Dylan Harvey - designation: Social Media Manager - email: dharve3@clemson.edu - picture: /images/team/dharve3.jpg ---
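Review bot: The diffstat for this patch shows only contact.html changed, so the new `picture: /images/team/mike_n.jpg` path points at an asset that is not added anywhere in the series as shown; confirm the image exists in the repository or the officer card will render broken. The commit message "update team3" should also state what it does: it reverts the Secretary swap from patch 2/5 and drops the Social Media Manager entry entirely, and since the series jumps from 2/5 to 4/5, patch 3/5 (which presumably introduced the `page.officers` entries being edited here) is missing from what was submitted.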