Network-Guardian

Summary: Creating a LAN consisting of Windows Server 2019, Windows 10 and Kali Linux; performing a DoS attack on the Windows 10 machine from Kali Linux; and detecting the attack with Splunk, the SIEM configured on the Windows Server 2019 system.

Table of Contents

  1. Introduction

Introduction

Platforms and tools used for this project:

Splunk - Splunk is a Security Information and Event Management (SIEM) tool that simplifies collecting and managing large volumes of machine-generated data and searching for information within it. Using Splunk we can detect an attack and create an alert so that future occurrences are flagged.

pfSense Firewall - This is a free, open-source firewall which will be used for managing traffic and DHCP leasing.

Windows 10 - This will be the target machine. The Splunk Universal Forwarder will be installed on this machine to forward its logs to the central server.

Windows Server 2019 - This will be the machine where Splunk Enterprise is installed; all logs from the target machine are forwarded to this machine.

Kali Linux - Kali Linux is a platform made for penetration testing, which I will be using to attack.

Hydra - Hydra on Kali Linux will be used to perform a simple brute-force attack to identify the target machine's username and password.

Intro To Splunk

Splunk can be used to monitor all types of activity on the host machine as well as on remote machines. Here's an example of adding the logs we want Splunk to analyze and viewing the system's logs in Splunk:

Splunk shows a detailed description of every log. In the screenshot above:

LogName=Security - Security logs show logon attempts, object access and file deletion.

EventCode=4634 - This event code is generated when a user is logged off. In this case I left the machine running and it went into sleep mode, which logged out the user (me) and therefore generated event code 4634.

ComputerName - The machine the logs came from and the domain the machine belongs to.

Creating alerts

Splunk has a feature where it monitors for a specific condition and generates an alert when it occurs.

For example, let's do a port scan against my Windows 10 (10.0.0.230) machine from my Kali Linux (10.0.0.61) machine.

The logs for the port scan can be seen in Splunk for the host machine, Windows 10 (10.0.0.230):

Creating an alert for the port scan done by the Linux machine:

Conducting the port scan once again, the alert is triggered:
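The alert above is essentially a threshold rule: one source address touching many distinct destination ports in a short window. The following added example (my own code, not part of this repository) implements that logic, plus the matching rule for the Hydra brute-force attack mentioned in the introduction, over constructed event lines. It assumes that Windows Filtering Platform connection auditing is enabled so that each permitted inbound connection produces Security EventCode 5156, and that failed logons arrive as EventCode 4625; the compact `key=value` line format and all IP addresses other than 10.0.0.230 and 10.0.0.61 are constructed for the example.

```python
"""Threshold detections over Windows Security events, mirroring a Splunk alert.

Assumptions (not from the repository): inbound connections are audited as
EventCode 5156, failed logons as EventCode 4625, and each event is a single
line of '<ISO timestamp> key=value key=value ...' (constructed format).
"""
from collections import defaultdict
from datetime import datetime, timedelta

CONNECTION_EVENT = "5156"   # WFP permitted a connection
FAILED_LOGON_EVENT = "4625"  # an account failed to log on


def parse_event(line):
    """Turn one constructed event line into a dict; '_time' is a datetime."""
    ts, _, rest = line.partition(" ")
    fields = {"_time": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def windowed_max(events, window, measure):
    """events: (time, value) pairs. Return the largest measure(values) seen in
    any window [t0, t0 + window] anchored at one of the events."""
    events = sorted(events)
    best = 0
    for i, (t0, _) in enumerate(events):
        values = [v for t, v in events[i:] if t <= t0 + window]
        best = max(best, measure(values))
    return best


def _group(lines, event_code, value_field):
    """Collect (time, value_field) per SourceAddress for one event code."""
    groups = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev.get("EventCode") == event_code:
            groups[ev["SourceAddress"]].append((ev["_time"], ev[value_field]))
    return groups


def detect_port_scan(lines, distinct_ports=10, window=timedelta(seconds=60)):
    """Sources that reach >= distinct_ports different destination ports in window."""
    alerts = {}
    for src, events in _group(lines, CONNECTION_EVENT, "DestinationPort").items():
        hits = windowed_max(events, window, lambda vals: len(set(vals)))
        if hits >= distinct_ports:
            alerts[src] = hits
    return alerts


def detect_brute_force(lines, max_failures=5, window=timedelta(seconds=60)):
    """Sources producing >= max_failures failed logons (4625) in window."""
    alerts = {}
    for src, events in _group(lines, FAILED_LOGON_EVENT, "TargetUserName").items():
        failures = windowed_max(events, window, len)
        if failures >= max_failures:
            alerts[src] = failures
    return alerts


def build_sample_events():
    """Constructed sample log: a scan and a brute force from the Kali box
    (10.0.0.61) against the Windows 10 target (10.0.0.230), plus benign noise."""
    base = datetime(2024, 3, 10, 22, 15, 0)
    lines = []
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    for i, port in enumerate(scan_ports):  # 12 ports in 12 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} LogName=Security "
                     f"EventCode={CONNECTION_EVENT} SourceAddress=10.0.0.61 "
                     f"DestinationAddress=10.0.0.230 DestinationPort={port}")
    for i in range(3):  # a file-share client hitting only SMB: not a scan
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} LogName=Security "
                     f"EventCode={CONNECTION_EVENT} SourceAddress=10.0.0.50 "
                     f"DestinationAddress=10.0.0.230 DestinationPort=445")
    for i in range(8):  # Hydra-style password guessing against one account
        lines.append(f"{(base + timedelta(seconds=30 + i)).isoformat()} LogName=Security "
                     f"EventCode={FAILED_LOGON_EVENT} SourceAddress=10.0.0.61 "
                     f"TargetUserName=Administrator LogonType=3")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} LogName=Security "
                 f"EventCode={FAILED_LOGON_EVENT} SourceAddress=10.0.0.50 "
                 f"TargetUserName=alice LogonType=3")  # one mistyped password
    lines.append(f"{(base + timedelta(seconds=50)).isoformat()} LogName=Security "
                 f"EventCode=4634 SourceAddress=10.0.0.230")  # logoff, ignored
    return lines


if __name__ == "__main__":
    sample = build_sample_events()
    print("port scan:", detect_port_scan(sample))      # {'10.0.0.61': 12}
    print("brute force:", detect_brute_force(sample))  # {'10.0.0.61': 8}
```

The thresholds (10 distinct ports or 5 failed logons per minute) are starting points to tune against normal traffic on your own LAN; the SMB client and the single mistyped password in the sample are there to show why a count-per-source rule needs both a threshold and a time window before it is worth paging anyone.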

Configuring Splunk Forwarder

The Splunk Universal Forwarder is the component that forwards logs from a machine to a central log-aggregating machine, usually a server.

The Splunk Forwarder setup requires us to indicate which sources (logs) it should forward, and to enter the receiver's IP address as well as the port on which the receiver accepts the logs.

It is very important to configure the receiving port in Splunk on the server, which will be our central repository; otherwise the forwarder has nowhere to deliver.
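The same setup expressed as configuration files, as an added example rather than the repository's own files: the forwarder on Windows 10 (10.0.0.230) reads the Security and System event logs and sends them to the server; the server listens on 9997, Splunk's conventional receiving port. The server's IP address is not given on this page, so `<SERVER_IP>` is a placeholder, and the group name `primary_indexers` is my choice.

```ini
# --- On the Windows 10 target (10.0.0.230), Universal Forwarder ---
# C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

# C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = <SERVER_IP>:9997

# --- On Windows Server 2019, Splunk Enterprise ---
# C:\Program Files\Splunk\etc\system\local\inputs.conf
[splunktcp://9997]
disabled = 0
```

Restart each Splunk service after editing. If Windows Defender Firewall is enabled on the server, inbound TCP 9997 also has to be allowed there, or the forwarder's connection attempts will simply time out.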

Setting Up pfsense Firewall

After downloading pfSense, set up the firewall with the number of interfaces required, depending on the number of systems it will be connected to.

Configure adapter em1 with an IP address and set it up for DHCP leasing. Configure the rest of the adapters with IP addresses, except one adapter which will act as a SPAN port.

Install Kali Linux on another machine; this will be the attack machine and can also be used to finish setting up the pfSense firewall.

Enter the firewall's IP address in the browser and we will be directed to the firewall's login page.

I will be adding to this lab from time to time.
