
Kibana: Squid Log Analysis

log-analysis-proxy-logs | Level: Easy  | Total Lab Runs: 0 | Premium Lab

A Kibana and Elasticsearch setup is provided, loaded with the access logs of a Squid proxy server. Analyze the logs through the Kibana interface and answer the following questions:

  1. To figure out whether the squid proxy was configured without authentication or not, the attacker had used the nmap script ‘http-open-proxy’. Find the IP address of the attacker machine.
  2. An attacker was trying to identify the live hosts on the network accessible through the squid proxy. Find the IP address of the attacker machine.
  3. The attacker was sending requests to particular ports in order to identify live hosts on the network. How many ports were being scanned? Provide the list of all ports.
  4. How many live hosts were detected in the scan performed by the attacker machine identified in the second question?
  5. An attacker had used a popular scanning tool on the webserver running on one of the machines. Find the IP address of the attacker machine.
  6. An attacker had logged in to the FTP server to retrieve a file. Find the FTP username used by the attacker to access the FTP server.
  7. An attacker machine had leveraged the open squid proxy to obtain an SSH session on one of the machines. Find the IP address of the SSH server.
  8. An attacker was performing a dictionary attack on the FTP server using hydra. Identify the IP address of the attacker machine.
  9. Upon detecting malicious activity, the squid proxy was configured with authentication. However, an attacker was able to perform a dictionary attack and found out the password of one of the users. Find out the username whose password was compromised.
  10. Find the approximate duration of the SSH session initiated by the attacker machine through the password-protected squid proxy. Provide the duration in seconds.
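The questions above are all answerable with a handful of filters and aggregations over Squid's default (native) access.log format: per-client counts of distinct destination hosts and ports, the 200-vs-503 outcome of CONNECT tunnels, bursts of CONNECTs to port 21, runs of TCP_DENIED/407 before an authenticated request, and the elapsed column for session length. The script below is an added example (not part of the lab or of Squid) that implements those checks in Python over constructed log lines, so the same logic can be reproduced as Kibana queries. Assumptions: the log is in Squid's native format (timestamp, elapsed, client, result/status, size, method, URL, user, hierarchy, type); a refused CONNECT is logged as TCP_MISS/503 while a tunnelled one is TCP_TUNNEL/200; and the client that guesses a proxy password is the one whose 407 run is followed by a request carrying a username. The sample lines, hosts and thresholds are invented.

```python
"""Triage helpers for Squid native access.log lines (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Entry:
    ts: float        # request start, UNIX epoch seconds
    elapsed_ms: int  # Squid's elapsed column is in MILLISECONDS, not seconds
    client: str
    result: str      # TCP_MISS, TCP_TUNNEL, TCP_DENIED, ...
    status: int      # HTTP status Squid returned to the client
    method: str
    url: str         # "host:port" for CONNECT, a full URL otherwise
    user: str        # authenticated proxy user, "-" when none


def parse_line(line: str) -> Entry:
    """Parse one line of Squid's default (native) log format (10 fields)."""
    ts, elapsed, client, code, _size, method, url, user, _hier, _ctype = line.split(None, 9)
    result, status = code.split("/")
    return Entry(float(ts), int(elapsed), client, result, int(status), method, url, user)


def dest(e: Entry):
    """(host, port) the request targeted, for both CONNECT and plain URLs."""
    if e.method == "CONNECT":
        host, _, port = e.url.rpartition(":")
        return host, int(port)
    u = urlsplit(e.url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def scan_profile(entries):
    """Per client: (distinct hosts, distinct ports). A host-discovery sweep
    touches many hosts over a handful of ports."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for e in entries:
        h, p = dest(e)
        hosts[e.client].add(h)
        ports[e.client].add(p)
    return {c: (sorted(hosts[c]), sorted(ports[c])) for c in hosts}


def live_hosts(entries, client):
    """Hosts that answered via the proxy: assumes TCP_TUNNEL/200 for a working
    tunnel and TCP_MISS/503 for a refused one, so status 200 marks live targets."""
    return sorted({dest(e)[0] for e in entries if e.client == client and e.status == 200})


def connect_burst(entries, port, window_s=60, threshold=20):
    """Clients issuing >= threshold CONNECTs to `port` within window_s seconds,
    the shape of a hydra run against FTP (21) through the proxy."""
    by_client = defaultdict(list)
    for e in entries:
        if e.method == "CONNECT" and dest(e)[1] == port:
            by_client[e.client].append(e.ts)
    hits = set()
    for c, times in by_client.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                hits.add(c)
                break
    return sorted(hits)


def compromised_proxy_user(entries, min_failures=10):
    """Heuristic (assumption): the first request carrying a username after a run
    of TCP_DENIED/407 answers from the same client names the guessed account."""
    failures = defaultdict(int)
    for e in entries:
        if e.status == 407:
            failures[e.client] += 1
        elif e.user != "-" and failures[e.client] >= min_failures:
            return e.user
    return None


def longest_tunnel_seconds(entries, client, port=22):
    """Longest CONNECT tunnel to `port` from `client`, converted from ms to seconds."""
    ms = [e.elapsed_ms for e in entries
          if e.client == client and e.method == "CONNECT" and dest(e)[1] == port]
    return max(ms, default=0) / 1000


def sample_log():
    """Constructed Squid native-format lines; not taken from the lab data set."""
    lines, t = [], 1600000000.0
    # 10.10.10.5 sweeps 10.0.0.1-8 on 22/80/443; only .2 and .5 are up
    for i in range(1, 9):
        for port in (22, 80, 443):
            ok = i in (2, 5)
            code = "TCP_TUNNEL/200" if ok else "TCP_MISS/503"
            lines.append(f"{t:.3f} {50 if ok else 1} 10.10.10.5 {code} 0 CONNECT 10.0.0.{i}:{port} - HIER_DIRECT/10.0.0.{i} -")
            t += 0.1
    # 10.10.10.7 runs hydra against FTP on 10.0.0.5: 30 CONNECTs in 15 s
    for _ in range(30):
        lines.append(f"{t:.3f} 200 10.10.10.7 TCP_TUNNEL/200 120 CONNECT 10.0.0.5:21 - HIER_DIRECT/10.0.0.5 -")
        t += 0.5
    # proxy now requires auth: 10.10.10.9 collects 12 x 407, then tunnels SSH as "bob" for 94.2 s
    for _ in range(12):
        lines.append(f"{t:.3f} 1 10.10.10.9 TCP_DENIED/407 3500 CONNECT 10.0.0.2:22 - HIER_NONE/- text/html")
        t += 0.2
    lines.append(f"{t:.3f} 94200 10.10.10.9 TCP_TUNNEL/200 8800 CONNECT 10.0.0.2:22 bob HIER_DIRECT/10.0.0.2 -")
    return [parse_line(l) for l in lines]


if __name__ == "__main__":
    log = sample_log()
    prof = scan_profile(log)
    scanner = max(prof, key=lambda c: len(prof[c][0]))
    print("scanner:", scanner, "ports:", prof[scanner][1], "live:", live_hosts(log, scanner))
    print("ftp brute force:", connect_burst(log, 21), "proxy user:", compromised_proxy_user(log))
    print("ssh session (s):", longest_tunnel_seconds(log, "10.10.10.9"))
```

In Kibana the same steps map onto a terms aggregation on the client field split by destination host and port, a filter on the status code for the CONNECT outcome, a date histogram per client for the FTP burst, and a max aggregation on the elapsed field for the session length; remember to divide that field by 1000 before reporting seconds.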



The following activities are strictly prohibited on this website unless otherwise explicitly stated as allowed in the mission statement:

  • Using automated scanners
  • Using brute force attacks
  • Denial of Service attacks
  • Attacking other student machines in challenges where you might achieve a shell on the vulnerable system
  • Attacking the lab infrastructure

Users violating the above will be either temporarily or permanently banned from the website. 

If you are unsure about an activity, then please contact support to confirm that it is allowed on our website.

Technical Support for this Lab:

There is a reason we provide unlimited lab time: you can take as much time as you need to solve a lab. However, we realize that sometimes hints might be necessary to keep you motivated!

We currently provide technical support limited to:

  • Giving hints for a lab exercise
  • In rare circumstances, if you have totally given up (NO!!!) then tell you how to solve it. This will be limited to sharing the solution video or lab report
  • A lab exercise fails to load or has errors in it

If you need technical support, please email attackdefense@pentesteracademy.com and clearly mention the name and link of the lab exercise along with other essential details. The more descriptive you are, the faster we can help you. We will get back to you within 24 hours.

For administrative queries, billing, enterprise accounts etc. please email feedback@binarysecuritysolutions.com