This repository contains a comprehensive forensic analysis report for the ENPM695 project. The objective of this project was to investigate a system suspected of being compromised by a hacker, identify vulnerabilities, locate hidden files, and retrieve crucial information. Using penetration testing and forensic techniques, the project assesses the security of the system and provides recommendations to mitigate identified risks.
The primary objectives of this forensic investigation were:
- Evaluate System Security: Identify running services and assess vulnerabilities in the system.
- Exploit System Weaknesses: Gain access to the system by exploiting identified vulnerabilities.
- Identify and Crack Passwords: Obtain credentials and crack passwords of key user accounts.
- Locate and Retrieve Hidden Files: Discover hidden files left by the hacker and decrypt them to uncover sensitive information.
- Threat Modeling and Analysis: Develop a threat model and analyze potential attack vectors.
The forensic analysis was conducted through the following steps:
- System Scanning: Used tools like `arp` and `nmap` to detect IP addresses, open ports, and active services.
- Service Exploitation: Gained access by exploiting vulnerable services (e.g., HTTP) to perform command injections and gather user data.
- Password Cracking: Used tools like `John the Ripper` with a custom wordlist for cracking user passwords.
- Hidden File Extraction: Employed steganography tools to reveal hidden messages and decrypt important files left by the hacker.
- Privilege Escalation: Used LinPEAS for privilege escalation to obtain root access.
The key findings were:
- Vulnerable Services: FTP, SSH, Telnet, and HTTP services were identified as open and susceptible to attacks.
- Password Cracking: Successfully cracked multiple user passwords, including credentials like `emaw:judgement` and `thanos:infinitystones`.
- Hidden Artifacts: Discovered six encrypted files, each representing "Infinity Stones," and decrypted them to reveal the hacker's secrets.
- Hacker Identity: Identified the hacker as "thanos" based on logs and file analysis.
The tools used were:
- Nmap: For network scanning and service identification.
- DirBuster: To identify hidden directories on the web server.
- Wireshark: To capture packets and detect potential credentials.
- John the Ripper: For password cracking.
- Steganography Tool: To uncover hidden data in images.
- LinPEAS: For privilege escalation assessment.
The main challenges encountered were:
- Password Cracking: Required creation of a custom Marvel-themed wordlist to crack user passwords effectively.
- Privilege Escalation: Gaining root access required trying several tools and exploits before escalation succeeded.
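As an added example (not part of the report or its tooling), the following Python check shows why a themed wordlist was enough to crack the passwords above, and what the "strong password policy" recommendation therefore has to enforce: a candidate is rejected when, after undoing case, common leet substitutions and a trailing run of digits or symbols, it splits into words from a themed list. The wordlist, the minimum length and the leet map are constructed for illustration; a real deployment would load a large breach corpus plus organisation-specific terms.

```python
import re
from typing import Iterable

# Constructed, themed wordlist standing in for the custom list the report describes.
THEMED_WORDS = {
    "thanos", "infinity", "stones", "gauntlet", "judgement", "avengers",
    "marvel", "stark", "hulk", "thor", "loki", "snap", "iron", "man",
}
MIN_LENGTH = 14  # assumed policy minimum; adjust to the organisation's standard

# Undo the cheap substitutions a cracking rule set tries first (1->i, 3->e, @->a, ...).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Lower-case, drop a trailing digit/symbol suffix (the '2024!' style), then undo leet."""
    base = candidate.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def is_wordlist_derived(candidate: str, words: Iterable[str] = THEMED_WORDS,
                        max_parts: int = 3) -> bool:
    """True if the normalized candidate is a concatenation of at most max_parts list words."""
    words = set(words)
    base = normalize(candidate)
    if not base:
        return False
    # best[i] = fewest words that exactly cover base[:i], or None if no split exists
    best = [None] * (len(base) + 1)
    best[0] = 0
    for i in range(1, len(base) + 1):
        for j in range(i):
            if best[j] is not None and base[j:i] in words:
                parts = best[j] + 1
                if best[i] is None or parts < best[i]:
                    best[i] = parts
    return best[-1] is not None and best[-1] <= max_parts


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_wordlist_derived(candidate):
        problems.append("built from themed wordlist words (case, leet and suffix variants included)")
    return problems


if __name__ == "__main__":
    # The two credentials the report cracked, one mangled variant, and a long passphrase.
    for pw in ["judgement", "infinitystones", "Inf1nityStones2024!", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

Note that `infinitystones` already meets a 14-character minimum, so a length rule alone would have accepted it; the wordlist check is what catches both cracked credentials and their mangled variants.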
The recommended security measures are:
- Implement Strong Password Policies: Enforce complex passwords and multi-factor authentication.
- Restrict Access to Sensitive Services: Limit public access to services like FTP, SSH, and Telnet to reduce attack vectors.
- Apply Regular System Patches: Ensure the system and all services are updated to minimize vulnerability risks.
- Enhanced Logging and Monitoring: Enable logging for all services and monitor them to detect unauthorized access attempts.
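An added example (not from the report) of the monitoring the last recommendation calls for: it parses sshd lines in the syslog format found in `/var/log/auth.log`, counts failed logins per source address over a sliding window, and flags both a burst of failures and a successful login that follows repeated failures, which is the trace a guessed password leaves. The sample lines, hostname, addresses, thresholds and the assumed year are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format sshd writes to /var/log/auth.log (names and addresses made up).
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 lab sshd[2201]: Failed password for invalid user admin from 10.0.0.9 port 51234 ssh2
Nov 12 03:14:03 lab sshd[2203]: Failed password for emaw from 10.0.0.9 port 51236 ssh2
Nov 12 03:14:05 lab sshd[2205]: Failed password for emaw from 10.0.0.9 port 51238 ssh2
Nov 12 03:14:07 lab sshd[2207]: Failed password for emaw from 10.0.0.9 port 51240 ssh2
Nov 12 03:14:09 lab sshd[2209]: Failed password for emaw from 10.0.0.9 port 51242 ssh2
Nov 12 03:14:12 lab sshd[2211]: Accepted password for emaw from 10.0.0.9 port 51244 ssh2
Nov 12 03:15:00 lab CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 12 03:20:00 lab sshd[2301]: Failed password for thanos from 10.0.0.23 port 40000 ssh2
Nov 12 03:21:00 lab sshd[2302]: Failed password for thanos from 10.0.0.23 port 40001 ssh2
Nov 12 03:22:00 lab sshd[2303]: Accepted password for thanos from 10.0.0.23 port 40002 ssh2
"""

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd password-auth line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window=timedelta(seconds=120), burst_threshold=5,
           min_failures_before_success=2):
    """Sliding-window detector. Returns (kind, source_ip, user, failures_in_window) tuples."""
    alerts = []
    recent_failures = defaultdict(list)  # source ip -> failure timestamps inside the window
    already_flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Expire failures older than the window before counting.
        recent = [t for t in recent_failures[ev["ip"]] if ev["ts"] - t <= window]
        recent_failures[ev["ip"]] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= burst_threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["user"], len(recent)))
        elif len(recent) >= min_failures_before_success:
            # A success right after repeated failures from the same source is the
            # pattern a guessed password leaves, even when the burst threshold was not hit.
            alerts.append(("success_after_failures", ev["ip"], ev["user"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The second source address never reaches the burst threshold, so the slow attempt is only caught by the "success after failures" rule; both rules are needed because a patient attacker can stay under any fixed rate limit.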
This investigation revealed significant vulnerabilities in the system’s security posture and identified critical data left by the hacker. By following the recommended security measures, the system can be better protected from future attacks.
For detailed findings and step-by-step analysis, please refer to the full report included in this repository.