Version 1.0 Page 1 of 7

Unit: ITNET302A Advanced Network Security 1
Assessment Type: Research Project – Individual
Assessment Number: 1
Assessment Name: EternalBlue
Weighting: 30%
Due Date/Time: Week 7 – Online Moodle Submission

Assessment Description
This is an Individual Assessment.
Technical research project on CVE-2017-0144, “EternalBlue”.

Content and Structure:
• Explain the 3 vulnerability components of CVE-2017-0144
• Explain how the vulnerabilities are leveraged for exploitation
• Perform a risk analysis of EternalBlue
• Provide a Proof-of-Concept EternalBlue exploitation
• Analyse the domain impact based on the supplied attack scenario
• Explain three immediate mitigation and/or remediation actions
• Explain three prevention measures that can be taken to reduce future events

Detailed Submission Requirements
Online Moodle Submission via Turnitin.

Special consideration
Students whose ability to submit or attend an assessment item is affected by sickness, misadventure or other circumstances beyond their control may be eligible for special consideration. No consideration is given when the condition or event is unrelated to the student’s performance in a component of the assessment, or when it is considered not to be serious.
Students applying for special consideration must submit the form within 3 days of the due date of the assessment item or exam.
The form can be obtained from the TAFE website (https://courses.highered.tafensw.edu.au/mod/page/view.php?id=48) or on campus at P.4.32. The request form must be submitted to the Admin Office. Supporting evidence should be attached.
For further information please refer to the Higher Education Assessment Policy and associated Procedure available at (https://www.tafensw.edu.au/about/policies-procedures/higher-education).

Background
On August 13th, 2016, the Shadow Brokers tweeted their sale page for an all-inclusive state-sponsored cyber weapons toolkit developed by the Equation Group. No one bought.
In response, on April 14th, 2017, the Shadow Brokers tweeted “…TheShadowBrokers rather being getting drunk with McAfee on a desert island with hot babes…” and released the exploits free of charge. One of these exploits, leveraging vulnerability CVE-2017-0144, has the name EternalBlue.

Scenario
Files’R’Us is a small company with 30 employees that earns its profits from hosting files for clients. Files’R’Us is all-inclusive, offering hosting solutions across all file transfer protocols such as FTP, HTTP, SMB, SFTP, SCP, WebDAV and more. This hosting solution allows any customer to upload files and any internet user to download files using any of the available file transfer protocols.
In this scenario you work for Files’R’Us as a recently employed undergraduate. Your job responsibilities include customer service and managing the file servers through file transfers and configuration. This is a non-trivial task, as you are in the Corporate environment and the Windows file servers are segregated off in a DMZ that is only accessible via RDP using a domain account. Without the ability to use normal file transfer protocols, such as SMB, you are forced to use RDP. You have noticed you can RDP in and out of the DMZ, speeding up this process. Reviewing documentation on this, you notice there is no company vulnerability patch management process.

Task
Your boss has recently learned that SMB is being targeted by the EternalBlue exploit and is concerned about the company’s Windows file servers, as they have SMB externally facing for customers and internet users.
He has supplied you with a simplified company network diagram (below) and asked you, the network security student, to write a research paper addressing the following concerns:
➢ Why does the CVE-2017-0144 vulnerability occur (cover all 3 components)
➢ How is CVE-2017-0144 leveraged to perform the EternalBlue exploit
➢ Using a risk matrix, what risk does the EternalBlue exploit pose to Files’R’Us? (Include a risk rating with a brief justification)
➢ Provide a Proof of Concept (PoC) EternalBlue exploitation against one of Files’R’Us machines and, using your shell, print the flag on the tafe user’s Desktop.
➢ Immediate mitigation and/or remediation actions (Files’R’Us has not been owned by Ransomware. Do not include scanning for Ransomware)
➢ Prevention measures that can be taken to reduce/eliminate future events (Files’R’Us has not been owned by Ransomware. Do not include scanning for Ransomware)
As part of the exploitation process, include screenshots of the following:
➢ The assessment 1 subnet is 10.221.0.0/24
➢ Network discovery of the Virtual Machine, including discovery of port 445 being open.
➢ Vulnerability scanning for EternalBlue against the Virtual Machine
➢ Exploitation being launched (use msf5, msf6 has a bug)
➢ Successful shell acquired
➢ Using the shell, printing the file contents of C:\Users\tafe\Desktop\flag.txt

Domain Impact
As a recent hire, you want to impress your boss by going above and beyond.
You decide to use your knowledge of the company’s business operations and network setup to determine, in the event of a compromised DMZ, whether the Corporate environment can also be compromised.
Knowing that RDP is the only allowed port (3389) between the DMZ and Corporate environment, EternalBlue cannot be used to attack the Corporate environment – however, employees are still using RDP to access the DMZ.
The question remains: if the DMZ is compromised and employees are still accessing it via RDP, can an attacker spread to the corporate environment?
Your boss is a stickler for details and a single sentence saying Yes or No will not suffice. In a paragraph, justify your Yes or No response. If you have chosen Yes, include a theoretical exploitation path.
An exploitation path is a quick summary of the steps taken to go from nothing to owned. You do not need to do a deep-dive explanation, just theoretical conceptual steps.
“I bruteforced __________ and owned everything” is not a valid response.
For example, a possible exploitation path to compromise a domain via phishing would be:
1. Clone the company’s Outlook web login page and host it on an attacker-controlled server
2. Send a phishing email asking company employees to log in, including a link to the attacker-controlled Outlook web login page
3. Capture employee credentials as they click the phishing link and try to log in
4. Access the corporate network using the employee credentials
5. Using Wireshark, sniff HTTP traffic on port 80 to capture domain administrative credentials
6. Once acquired, log into the domain controller and add a new domain administrative user.

Network Diagram
Note: This diagram has been simplified to paint an easy-to-understand picture for you regarding the domain impact question. It is missing some irrelevant details on purpose, for example how the corporate environment accesses the internet.

Tips
Ransomware is not part of EternalBlue.
EternalBlue does not need Ransomware, it does not include Ransomware, and it is fully functional without any Ransomware component. Ransomware is a post-exploitation choice by attackers to blackmail for money. If you include Ransomware in your paper, it is only relevant to the risk assessment section.
Contextual Metaphor: If Ransomware is a falling rock, then EternalBlue is gravity. The rock relies on gravity to fall, but gravity will exist regardless of the rock. EternalBlue will exist regardless of Ransomware.
I’ve listed an example paper structure below. This is by no means a “must follow” structure; feel free to mix it up as you see fit as long as you cover all the deliverables.
➢ Title page
➢ Table of Contents
➢ Introduction/Abstract
➢ CVE-2017-0144 Writeup
  o Cover all 3 issues
➢ EternalBlue Writeup
  o Explain how EternalBlue leverages CVE-2017-0144 to perform an exploit
➢ Practical EternalBlue exploitation
➢ Risk assessment
  o Include a risk matrix and the assigned risk rating you have chosen, with a brief justification why.
➢ Domain Impact assessment
➢ Immediate remediation/mitigation actions
➢ Future prevention policies (read the scenario carefully)
➢ References/Figures/Spelling/Grammar

Marking Rubric
Each component will be assessed on the following criteria:
• Organisation and Structure
• Knowledge/Understanding
• Communication
• Spelling and grammar
• Figures/References
The associated marks for each component are as follows:

Component                                                                              Total Marks
Title page                                                                             1
Table of Contents                                                                      1
Introduction                                                                           3
Discussion of first vulnerability                                                      8
Discussion of second vulnerability                                                     8
Discussion of third vulnerability                                                      8
Explanation of how the vulnerabilities are combined to form the EternalBlue exploit    6
EternalBlue exploitation                                                               10
Risk Assessment                                                                        10
Domain impact assessment                                                               5
Immediate mitigation/remediation advice                                                9
Future prevention policies                                                             9
References and Figures                                                                 5
Spelling and Grammar                                                                   2
Total Marks                                                                            85