Dela Harlley Cybersecurity Portfolio

Executive Summary

During penetration testing of the target system, I discovered an exposed MySQL database service with weak authentication controls. This lab demonstrates direct database enumeration techniques and data extraction methodologies that led to complete compromise of sensitive data.

Target Discovery

• Service: MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
• Port: 3306/tcp (open)
• Authentication: Passwordless root access
• Risk Level: CRITICAL

Enumeration Process

1. Nmap Service Discovery:

2. MySQL Client Installation:

3. Direct Database Connection:

Database Exploration

Database Discovery:

Data Extraction

Table Enumeration:

Flag Extraction:

Mitigation Strategies

• Implement strong authentication (passwords + key-based auth)
• Network segmentation to limit database exposure
• Configure firewall rules to restrict database access
• Regular security audits and penetration testing
• Principle of least privilege for database users

Campaign Overview

This authorized penetration test demonstrates a sophisticated multi-stage phishing campaign targeting C-level executives using the Social Engineering Toolkit (SET). The attack chain combines reconnaissance, social engineering, macro-enabled payload delivery, and command & control infrastructure to achieve persistent remote access.

Phase 1: Target Reconnaissance and Profiling

OSINT Gathering Process:

• LinkedIn Intelligence: Identified 12 C-suite executives across target organization
• Company Website Analysis: Extracted organizational structure and recent announcements
• SEC Filing Review: Analyzed 10-K and proxy statements for executive details
• Social Media Profiling: Gathered personal interests and communication patterns

Target Selection Criteria:

• Access to confidential financial and strategic information
• Authority to authorize policy changes and emergency procedures
• Regular interaction with external legal and compliance entities
• Historical patterns of urgent email responsiveness

Phase 2: Social Engineering Toolkit (SET) Configuration

SET Installation and Setup:

Campaign Theme Selection:

Based on reconnaissance, I identified recent regulatory changes in financial reporting requirements that would create urgency for immediate executive response. The Sarbanes-Oxley Act amendments and new SEC cybersecurity disclosure rules provided perfect pretext for urgent compliance action.

Phase 3: Email Template Development

Subject Line Engineering:

Email Content Strategy:

Phase 4: Malicious Document Creation

Macro-Enabled Document Development:

VBA Macro Code Structure:

PowerShell Payload (payload.ps1):

Phase 5: Command & Control Infrastructure

C2 Server Setup:

Payload Hosting:

Phase 6: Email Spoofing and Unicode Techniques

Unicode Spoofing Implementation:

SMTP Configuration:

Phase 7: Campaign Execution and Results

Email Delivery Statistics:

Successful Compromise Details:

Phase 8: Post-Exploitation Capabilities

Access Gained:

• Remote shell access to CFO workstation
• Network reconnaissance from inside corporate LAN
• Access to Outlook emails and financial documents
• Ability to capture additional credentials via keylogging
• Potential lateral movement to additional high-value targets

Defense Evasion Techniques Employed

• Email Security Bypass: Unicode domain spoofing avoided reputation filters
• Social Engineering: Regulatory compliance theme created urgency
• AV Evasion: PowerShell download cradle avoided signature detection
• Persistence: Registry run key maintained access across reboots
• Process Hiding: Payload masqueraded as legitimate svchost.exe

Recommended Countermeasures

• Email Security: Implement DMARC, SPF, and DKIM authentication
• User Training: Regular phishing simulation and security awareness
• Endpoint Protection: Advanced threat detection with behavioral analysis
• Macro Controls: Disable macros from internet sources by default
• Network Segmentation: Limit executive system network access
• Unicode Filtering: Implement homograph attack detection

Technical Skills Demonstrated

• Advanced OSINT gathering and target profiling
• Social Engineering Toolkit (SET) framework proficiency
• VBA macro development and Office exploitation
• PowerShell scripting and fileless attack techniques
• Metasploit payload generation and C2 infrastructure
• Unicode spoofing and homograph attack implementation
• End-to-end attack chain orchestration and persistence

Project Overview

This lab demonstrates the complete deployment of a T-Pot honeypot infrastructure on Amazon Web Services. T-Pot is a multi-honeypot platform that combines multiple honeypot technologies to capture and analyze attack patterns, providing valuable threat intelligence for security research.

AWS Environment Setup

Initial AWS Configuration:

• Logged into AWS account with MFA authentication
• Configured Identity and Access Management (IAM) policies
• Selected appropriate AWS region for reduced latency
• Navigated to EC2 service for instance deployment

EC2 Instance Configuration:

• AMI: Ubuntu Server 16.04
• Instance Type: t2.medium (recommended for full T-Pot functionality)
• Storage: 50GB (minimum for log retention)
• Region: Selected based on geographical proximity

Security Group Configuration

Initial Security Settings:

Post-Installation Security Rules:

SSH Key Pair Management

Key Generation Process:

• Created new key pair during instance launch
• Downloaded private key PEM file to secure location
• Applied proper permissions to key file

Instance Connection and Setup

Initial SSH Connection:

System Preparation:

T-Pot Installation Process

Installation Commands:

Installation Options Selected:

• Username: ubuntu
• Installation Type: Option 4 - T-Pot's FULL INSTALLATION
• Web Access Password: myPassw0rd (configured during setup)

T-Pot Installation Types

Post-Installation Configuration

System Reboot Message:

Access Methods:

• SSH Access: Port 64295 (instead of default port 22)
• Web Dashboard: Port 64297 (HTTPS)
• Honeypot Services: Ports 22, 80, 443 (now honeypots)

Web Interface Access

Security Considerations

• Port Separation: Administrative ports isolated from honeypot ports
• Access Control: SSH and web access restricted to specific IP addresses
• Monitoring: Continuous logging of all honeypot interactions
• Isolation: Honeypot environment contained within AWS security groups

Operational Results

Within minutes of deployment, the honeypot infrastructure began capturing attack traffic from automated scanners and botnet activities. The T-Pot dashboard provides real-time visualization of:

• Attack source geolocation mapping
• Service-specific attack patterns
• Malware payload collection and analysis
• Threat actor behavioral profiling

Skills Demonstrated

• AWS EC2 instance deployment and management
• Security group configuration and network access control
• Linux system administration and SSH key management
• Honeypot deployment and configuration
• Threat intelligence collection methodologies
• Security monitoring and incident detection

Challenge Overview

This CTF challenge involves analyzing a .pcap file to extract JPEG frames from a network stream. By identifying the correct stream and viewing frames in sequence, we uncover a hidden flag revealed across multiple surveillance camera images.

Step 1: Initial Wireshark Analysis

Key observations from the packet capture:

• Multiple TCP streams between surveillance camera and viewer
• HTTP traffic indicating web-based camera interface
• Large data payloads suggesting media content

Step 2: Protocol Hierarchy Analysis

Step 3: Flag Discovery

Technical Skills Demonstrated

• Network traffic analysis and packet inspection
• Protocol analysis (TCP, HTTP, multipart MIME)
• Binary data parsing and JPEG format understanding
• Scripting for automated data extraction
• Digital forensics methodology and evidence reconstruction

Conclusion

This multifaceted challenge combined deep packet inspection with media file reconstruction, showcasing the intersection of network forensics and digital evidence recovery in real-world security investigations.

Lab Overview

I built this comprehensive home lab to simulate a realistic enterprise network environment using VirtualBox virtualization. My setup includes 5 virtual machines that I configured to represent WAN/LAN separation with firewall protection.

Network Architecture I Designed

My Network Topology:

• WAN Segment: 192.168.1.0/24 - Kali Linux (Attacker)
• Firewall: pfSense/OPNsense - Dual-Homed
• LAN Segment: 10.0.1.0/24 - Protected Network
• Internal Machines: Metasploitable2, Kali Linux, Windows 10

My Machine Specifications

1. My WAN Attacker Machine (Kali Linux)

• OS: I installed Kali Linux 2024.1 (latest version)
• RAM: I allocated 4GB (found 2GB minimum works too)
• Storage: I created a 40GB dynamic disk
• Network: I configured NAT adapter + Host-Only (192.168.1.0/24)
• Purpose: I use this for external penetration testing simulations

2. My Firewall Machine (pfSense)

• OS: I deployed pfSense Community Edition 2.7.x
• RAM: I allocated 2GB (1GB minimum works)
• Storage: I set up a 20GB dynamic disk
• Network: I configured dual-homed (WAN: 192.168.1.x, LAN: 10.0.1.1)
• Purpose: I use this for network segmentation and traffic monitoring

3. My Metasploitable 2 Target

• OS: I downloaded Ubuntu 8.04 with intentional vulnerabilities
• RAM: I allocated 1GB (sufficient for this target)
• Storage: I created a 15GB dynamic disk
• Network: I isolated this on Internal-Only (10.0.1.10)
• Purpose: I practice Linux exploitation techniques on this machine

4. My Internal Kali Machine

• OS: I installed Kali Linux 2024.1 (same as my WAN attacker)
• RAM: I allocated 4GB for optimal performance
• Storage: I set up a 40GB dynamic disk
• Network: I placed this on Internal-Only (10.0.1.20)
• Purpose: I use this to simulate lateral movement scenarios

5. My Windows 10 Target

• OS: I installed Windows 10 Pro (evaluation license)
• RAM: I allocated 8GB (4GB minimum works)
• Storage: I created a 60GB dynamic disk
• Network: I configured Internal-Only (10.0.1.30)
• Purpose: I practice Windows exploitation and persistence techniques

What I've Learned

• I gained hands-on experience with network segmentation and firewall configuration
• I understand multi-tier network architecture security implications
• I developed practical skills in penetration testing methodology
• I gained experience across multiple operating systems and vulnerabilities
• I improved my network traffic analysis and intrusion detection skills

My Alert Triage Workflow

During my SOC shift, I processed 47 SIEM alerts across multiple threat vectors. This writeup documents my analysis methodology and findings from a particularly busy day that included phishing campaigns, suspicious downloads, and firewall blocks.

Alert Queue Overview

Case 1: Phishing Email Campaign Analysis

Alert: Suspicious Email Pattern Detected

My Investigation Process:

I received an alert for 8 emails from sender: finance-update@microsooft[.]com

Subject: "URGENT: Verify Account Credentials" - sent to accounting department

My Analysis Steps:

1. I checked the sender domain - obvious typosquatting (microsooft vs microsoft)
2. I analyzed email headers - originated from 185.220.101.182 (TOR exit node)
3. I examined the embedded link: hxxps://micro-update[.]tk/login
4. I checked our email gateway logs for delivery status

My Findings and User Impact Assessment

• ✓ Email was malicious - confirmed phishing attempt
• ✓ 6/8 emails were quarantined by our email security
• ✗ 2 emails reached users: [email protected], [email protected]

User Interaction Analysis:

I checked web proxy logs for the malicious URL pattern:

My Incident Response Actions

Immediate Actions I Took:

1. I isolated john.doe workstation from network (EDR remote isolation)
2. I forced password reset for john.doe across all systems
3. I blocked malicious domains at DNS and web proxy level
4. I created threat hunting rules for similar IoCs
5. I escalated to incident response team for forensic imaging

Documentation I Created:

• Incident ticket INC-2024-11-15-001 with full timeline
• IoC list shared with threat intelligence team

My Analysis Tools and Data Sources

• Splunk SIEM - primary alert aggregation and correlation
• CrowdStrike EDR - endpoint telemetry and isolation capabilities
• Proofpoint Email Security - email flow and quarantine analysis
• Palo Alto Firewall - network traffic blocking and logging
• VirusTotal API - malware analysis and threat intelligence
• MISP Platform - IoC correlation and threat hunting

My Key Lessons Learned

This incident chain demonstrated the importance of correlating alerts across multiple security tools. The phishing email that bypassed initial controls led to credential compromise and attempted malware installation. My systematic triage approach helped identify the connection between seemingly separate events.