
Kingdom of Saudi Arabia
Technical and Vocational Training Corporation
College of Telecom & Information, Riyadh
Department of Computer & Information

Cybersecurity lab for Detection & Monitoring

Final Project Report

Bachelor Cybersecurity

SUBMITTED BY
Sulaiman Al-Thaqib
Abdullah Al-Shehri
Naif Al-Abdullah

SUPERVISED BY
Eng. Khalaf Alsulaiman
Eng. Ahmed Alfezi

Date: 24-07-2024
TABLE OF CONTENTS

TABLE OF CONTENTS ...................................... 2
ACKNOWLEDGMENTS ........................................ 3
ABSTRACT ............................................... 4
CHAPTER 1. INTRODUCTION ................................ 5
1.1 Aim & Objectives ................................... 5
1.2 Materials .......................................... 5
1.2.1 Software ......................................... 5
1.2.2 Hardware ......................................... 5
CHAPTER 2. BACKGROUND .................................. 6
CHAPTER 3. PRESENT WORK ................................ 7
3.1 Installation of EVE-NG ............................. 7
3.2 Firewall Configuration ............................. 8
3.3 Wazuh Configuration ................................ 8
3.4 Windows Server Setup ............................... 8
CHAPTER 4. RESULTS AND DISCUSSION ...................... 9
4.1 Offensive Team ..................................... 9
4.1.1 Port Scan ........................................ 9
4.1.2 Exploit Vulnerability ............................ 10
4.1.2.1 Metasploit ..................................... 10
4.1.2.2 R-Desktop ...................................... 11
4.1.3 Connecting to the Target ......................... 12
4.2 Defensive Team ..................................... 14
4.2.1 Monitoring ....................................... 14
CHAPTER 5. CONCLUSION AND FUTURE WORK .................. 21
5.1 CONCLUSION ......................................... 21
5.2 FUTURE WORK ........................................ 21
5.3 ISSUES AND TROUBLESHOOTING ......................... 21
REFERENCES ............................................. 21

ACKNOWLEDGMENTS

I would like to place on record my deep sense of gratitude to Eng. Ahmed Altalhi, Head
of the Computer & Information Department, for his generous guidance, help and useful
suggestions.

I express my sincere gratitude to Eng. Khalaf Alsulaiman and Eng. Ahmed Alfezi for their
stimulating guidance, continuous encouragement and supervision throughout the course
of the present work.

ABSTRACT

The Detection Lab project is an initiative that aims to help graduates of the Cybersecurity
major prepare for the work environment by creating a virtual environment that
contains a set of common tools and techniques in the field of information security.

CHAPTER 1. INTRODUCTION

1.1 Aim & Objectives

The goal of this project is to introduce recently graduated students to the
labor market and its environment. This project particularly serves jobs
in the field of information security.

1.2 Materials

1.2.1 Software

EVE-NG: A network emulation platform used to build and simulate virtual networks.
Wazuh: An open-source security monitoring platform for threat detection, integrity
monitoring, and incident response.
Windows Server 2012 R2: Utilized as a Domain Controller (DC) and web server.
Ubuntu Linux: Employed as the SIEM (Security Information and Event Management) system.
Windows 7: Used as a personal computer (PC) within the virtual environment.
OPNsense: Deployed as the firewall solution to protect the network.

1.2.2 Hardware

CPU: A total of 8 cores were allocated for virtualization.
RAM: 16 GB of RAM was allocated for the EVE-NG server.
Storage: 100 GB of storage space was allocated for the EVE-NG server.

CHAPTER 2. BACKGROUND

With the rapid advancement of technology, cybersecurity has become
increasingly critical. The Detection Lab project aims to provide a virtual
educational environment using EVE-NG to assist cybersecurity graduates in
acquiring practical skills. The project includes the use of Wazuh for threat
detection and the OPNsense firewall for enhanced security. This hands-on
approach helps bridge theoretical knowledge with practical application,
paving the way for cybersecurity graduates to tackle real-world challenges in
the field of information security.

CHAPTER 3. PRESENT WORK

3.1 Installation of EVE-NG

The installation and configuration of EVE-NG were executed seamlessly
within the virtual environment. Following the installation process,
appropriate resources were allocated to EVE-NG to ensure optimal
performance and scalability.

3.2 Firewall Configuration

The OPNsense firewall was meticulously configured within the virtual
environment to regulate traffic flow effectively.

3.3 Wazuh Configuration

Wazuh Server was established and meticulously configured within the virtual
environment. Subsequently, Wazuh agents were deployed on all designated systems. This
comprehensive setup allows for centralized collection and analysis of security data,
bolstering security monitoring capabilities and facilitating swift responses to potential
threats.

3.4 Windows Server Setup

Windows Server 2012 was installed and configured within the virtual
environment. Additionally, a password policy was configured to require
users to change their password every 30 days.

CHAPTER 4. RESULTS AND DISCUSSION

To test and evaluate the project, we divided the team into two: the Red Team and the
Blue Team.

4.1 Offensive Team (Red Team)

4.1.1 Port Scan

The offensive team scanned the target device with the Nmap tool to discover the ports that
could be penetrated. After the scan, it was recommended to utilize the ports shown in the image:

The identified RDP port can be exploited for the attack using the R-Desktop (rdesktop) tool.

R-Desktop is an open-source client for Windows NT/2000 Terminal Server and Windows
Server 2003/2008, capable of natively speaking its Remote Desktop Protocol (RDP) to
present the user's Windows desktop. Unlike Citrix ICA, no server extensions are required.

4.1.2 Exploit Vulnerability

4.1.2.1 Scan the Network and Metasploit

As observed, we needed to scan all ports on this network to confirm which device to target;
we used the Nmap tool in this step.

In this section, we attempt to make sure that the Windows server is up by using Metasploit.

After launching the Metasploit tool and learning the IP address, we need to know the username
and password to access the device and modify it.

First, we create a payload to exploit the device and capture the password hash.

After that, we used apache2 to host it on a fake website that presents the payload to the
target as a legitimate file.

Then we go back to Metasploit to set up the payload and prepare the environment for this attack.

And now the user downloads the payload and runs it.

Here, we have already extracted the password hash and will compare it against a password wordlist.

The target machine's address was set to 10.10.1.11, followed by executing the attack.
Subsequently, information regarding the target machine was obtained. This information can now be
utilized to penetrate the target system and execute the necessary commands.

After extracting the password hash, we compared it with the password wordlist
rockyou.txt, and the password is shown below.

4.1.2.2 R-Desktop

The attack was attempted using a tool called R-Desktop.

The server was successfully accessed via Remote Desktop Protocol (RDP) at address
10.10.1.11:3389. The username "administrator" and password "Test123" were used.

4.1.3 Connecting to the Target

After obtaining the username and password, we can now connect using R-Desktop.

Upon connecting to the device, the attacker created a user account for themselves and
added it to the domain administrators group.

4.2 Defensive Team (Blue Team)

The Blue Team monitored the operations performed by the Red Team.

4.2.1 Monitoring

The main interface of Wazuh.

The main interface of OPNsense.

The attacker's Nmap scan was detected by Wazuh.

The exploits launched by the attacker were detected and blocked by the firewall.

The RDP brute-force attack was executed by the attacker, and they successfully obtained
the password.

It was also discovered that the attacker wanted to steal the password hash and get in.

The compromised user account was used to gain access via RDP (Windows Server).
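As an added example (not code from the report or from the Wazuh project), the following Python script shows the kind of detection logic behind the two Blue Team findings above, run over a constructed sample of Windows Security events: an RDP brute force (event 4625, logon type 10) followed by a successful RDP logon (4624) from the same source, and an account added to Domain Admins (event 4728). The attacker address 10.10.1.50, the account names, the line format and the threshold/window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as a Wazuh agent would forward
# them, flattened here into "time|event_id|account|source_ip|detail" lines.
# 10.10.1.50 is an assumed attacker address; the report's target is 10.10.1.11.
SAMPLE_LOG = """\
2024-07-24T10:00:01|4625|administrator|10.10.1.50|LogonType=10
2024-07-24T10:00:02|4625|administrator|10.10.1.50|LogonType=10
2024-07-24T10:00:03|4625|administrator|10.10.1.50|LogonType=10
2024-07-24T10:00:04|4625|administrator|10.10.1.50|LogonType=10
2024-07-24T10:00:05|4625|administrator|10.10.1.50|LogonType=10
2024-07-24T10:00:09|4624|administrator|10.10.1.50|LogonType=10
2024-07-24T10:03:00|4625|naif|10.10.1.20|LogonType=10
2024-07-24T10:05:30|4728|administrator|10.10.1.50|Group=Domain Admins;Member=backup-svc
2024-07-24T10:06:00|4728|administrator|10.10.1.50|Group=Marketing;Member=backup-svc
"""

def parse_line(line):
    """Split one flattened event line into a dict; detail key=value pairs are merged in."""
    ts, eid, account, src, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {"time": datetime.fromisoformat(ts), "id": int(eid),
            "account": account, "src": src, **fields}

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a successful RDP logon (4624, logon type 10) from a source that produced
    at least `threshold` failed RDP logons (4625, type 10) within the preceding `window`."""
    alerts, failures = [], {}            # failures: src -> list of failure timestamps
    for ev in events:
        if ev.get("LogonType") != "10":  # 10 = RemoteInteractive, i.e. RDP
            continue
        if ev["id"] == 4625:
            failures.setdefault(ev["src"], []).append(ev["time"])
        elif ev["id"] == 4624:
            recent = [t for t in failures.get(ev["src"], []) if ev["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev["src"], ev["account"], len(recent)))
    return alerts

def detect_domain_admin_additions(events):
    """Flag 4728 (member added to a security-enabled global group) when the group is Domain Admins."""
    return [(ev["Member"], ev["account"]) for ev in events
            if ev["id"] == 4728 and ev.get("Group") == "Domain Admins"]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_rdp_bruteforce(evs))          # [('10.10.1.50', 'administrator', 5)]
    print(detect_domain_admin_additions(evs))  # [('backup-svc', 'administrator')]
```

In a real deployment the same two conditions would be expressed as Wazuh rules over the decoded Windows event channel; the script only makes the correlation explicit.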

CHAPTER 5. CONCLUSION AND FUTURE WORK

5.1 CONCLUSION

The Detection Lab project is an initiative that aims to help graduates of the Cybersecurity
major prepare for the work environment by creating a virtual environment that
contains a set of common tools and techniques in the field of information security.

5.2 FUTURE WORK

1. Sandbox Implementation: Incorporating a sandbox environment into the
lab infrastructure would provide a safe space for testing and analyzing
potentially malicious software and behavior.
2. Deployment of a Syslog Server: Integrating a syslog server into the
environment would enable centralized logging and analysis of security-
related events, enhancing monitoring capabilities and threat detection.
3. Activation of the FIM Feature in Wazuh: Enabling the File Integrity Monitoring
(FIM) feature in Wazuh to verify file integrity and continuously monitor
changes.

5.3 ISSUES AND TROUBLESHOOTING

1. We found an issue with the EVE-NG version when we uploaded the OPNsense image, and we fixed it.
2. We found an issue with Wazuh when we installed it on Ubuntu. The cause was that the
Ubuntu version was old, and we fixed it.
3. We faced an issue with device connectivity, and we fixed it.
