Executive Summary
For this capstone project, our team was tasked to find and fix the vulnerabilities and harden the security of the server and website of the restaurant Akwaaba. Once the issues were fixed, the final task was to attack the server of another team while defending our own.
The project was broken up into three different phases:
1. Milestone 1 – Scanning for vulnerabilities, updating the server, and researching fixes
2. Milestone 2 – Fixing vulnerabilities, improving security, and preparing for attack
3. Attack phase – Attacking an opposing team and defending our server
Milestone 1 was the beginning of the project. The group began with breaking up the work amongst the group members and tackling different parts of the project. There was the server, WordPress, vulnerability scanning, and penetration testing. The group was able to find multiple vulnerabilities during the scanning that was conducted. The server was also registered with Red Hat Enterprise Linux (RHEL) which helped us update the server. Penetration testing was completed by downloading tools and doing research to harden the current state of the server and website.
Milestone 2 was the middle of the project, and the group continued with their assigned roles and tackled remaining issues to harden the server and website. WordPress was given a complete overhaul in terms of plugins, theme, and security. The team also faced a few issues with tools that could be used for the attack phase.
The attack phase was the final part of the project and showed the fruits of the group’s efforts from the first two milestones. The attack phase began on October 26th. The group was able to breach the target team’s server and website due to the default passwords not being changed. The group was then able to take down the website within a few hours of the first day. Throughout the remainder of the attack phase, the group monitored both websites.
Overall, the group considers the project a success due to our efforts to secure our server and website, prevent attacks, and take down the target website.
Background
Cybersecurity team two was given a web server and website for the company Akwaaba. We were tasked to update, secure, and monitor the server and website. The site runs on a Linux-based Red Hat Enterprise server. The web server runs Linux 8.6, and the website uses Apache, PHP, MySQL, and JavaScript. We were given the responsibilities to fix all vulnerabilities, keep the server up to date, and help maintain the site, with uptime being the priority. Having a website down loses business, and the shareholders cannot have that.
Project Outcomes and Achievements Summary
Assessment of project outcomes
We are very satisfied with the result of this project. We were able to strengthen an initially lacking website and server and were able to successfully defend our application against attacks and take down the opposing team’s site with relative ease. While working on this project since the beginning of the semester, we were also able to develop plenty of cybersecurity skills that could be used to further our career by having us experience a real-life example of securing a web application.
With objectives set before work on each milestone began, we were able to work towards and complete them, sometimes before that phase was officially scheduled to start. Milestone 1 focused on setting up our website, finding vulnerabilities, and then planning the fixes that would improve the site. During that time, we also began implementing measures to defend against weaknesses.
Milestone 2 focused on continuing to find and fix vulnerabilities and updating server applications. At this time, we were still unsure how to enable HTTPS, and we did not update MariaDB as the project instructions stated not to change the version. Nevertheless, we were confident that our system was still secure despite the roadblocks.
Our objectives for Milestone 3 included defending our website and attempting to bring down the opposing team’s website. Fortunately, we were able to bring down their site on the first day of the attack phase, yet our own was never disrupted. We spent the remaining time of the attack phase monitoring both sites while continuing to document our progress. In addition, we successfully added a self-signed SSL certificate to the website and enabled HTTPS.
Technical summary of the solutions
We all worked together and divided up the work so that everyone could specialize in a certain area of the project, but we were still available to help each other. This lightened the workload and let everyone focus on specific tasks without being overloaded by doing too many things at once. We all downloaded and installed Kali Linux to conduct our work when it came to scanning and fixing vulnerabilities and to be ready for the attack phase. Throughout the project everyone conducted research for their specific roles, especially when coming across any issues.
Based off the instructions, the group updated one thing at a time. This allowed us to see what we were working with and what would need to be adjusted as anything that was not updated could pose a risk to our project.
We registered the console with Red Hat Enterprise. We also made major changes to the WordPress website by changing the template, removing vulnerable plugins, and taking off comments as they posed a threat to security. We all downloaded Kali Linux to have multiple tools to conduct vulnerability scans and to be able to attack during the attack phase of the project.
The biggest technical improvements we made to the system were updates to what already existed. For example, we updated PHP and Apache and implemented Wordfence on the website to improve our defenses. There were some limits on what we could do with HTTPS and updating MariaDB, but we were confident in the areas we had already changed.
Our team spent a significant amount of time working on our reports, logs, and other documentation. In addition, the capstone website was expanded to include additional information from the project, such as server logs, vulnerability scans, tool information, and more.
Project planning and management summary
Overview
At the beginning of the project, Jordan (our team leader) asked everyone what they wanted to focus on during the project. From there, tasks were divided amongst the group based on those choices and what would be best for the team. Each team member was trusted to work on their tasks without needing to be micromanaged. If someone requested help, everyone always stepped up to make sure everything got done. Communication was key to ensure that our group stayed on track during the semester.
Project process
Milestone 1
The main objective of the first milestone was to scan our server for vulnerabilities and plan how we would fix them. It was a challenge at first as we had to learn new tools while we figured out the best way to work as a team. As most of us are working adults, it was initially difficult to fairly balance the workload. However, by the end of the milestone we had hit our stride and began working better as a team. We made great progress during the first milestone, even completing some of milestone two ahead of schedule.
Milestone 2
The main objective of the second milestone was to fix all the vulnerabilities we found in the first, as well as implement additional security measures to harden the security of the server and website. Most of the challenges we faced during this milestone were due to the limitations imposed by the private server. There were some tools we had to abandon, the self-signed SSL certificate was not secure, and there were no server email capabilities. However, we feel we did an excellent job in completing the main objectives of this milestone.
Attack phase
The main objective of the attack phase was to attempt to breach and take down a competitor’s server while protecting our own against attack. The biggest challenge we faced during this phase was the lack of a challenge. Because our competitor forgot to change their initial passwords, we breached their server within thirty minutes of getting their IP and took it down completely by the end of the first day. While we could have taken over the website and left the server online, the goal was to take down the target. However, as the attack phase was to last two and a half weeks, we had expected them to recover their server which would have given us the opportunity to test other methods of attack. Instead, we used our own server for further testing after the attack phase was completed.
Team contribution summary:
Jordan White – As the team lead for the project, Jordan made sure we had a great line of communication through Discord all semester. He made sure all our schedules aligned with team meetings and distributed work to each member based on what they wanted to do and what would be best for the project. There were two meetings each week to go over what was required. Jordan’s biggest contribution to the project was registering the server to Red Hat so our team could start working on the server. Once that was completed, he spent the semester making sure the server had the correct updates and monitored services to allow us to always keep track of the server status.
Hector Gomez – Throughout the project, Hector was looking for and testing/using various vulnerability scanners to see what vulnerabilities could be found, as he wanted to use different scanners from the rest of the team. He did this as a “second opinion” to see if the scanners he used would help find vulnerabilities that our original scanners could have missed. He also contributed by adding information to our reports and weekly logs and helping with the Milestone presentations.
Jenny Owens – In addition to documenting the project through our reports, logs, and presentations, Jenny contributed to the project by administrating the WordPress website, finding and fixing its vulnerabilities, and increasing its security. She also created and shared all documents that were used throughout the semester, successfully enabled two-factor authentication, and set up a self-signed SSL certificate. Jenny designed and maintained the capstone project website and stepped in as the team copy editor, editing and formatting all of the team’s documents.
Aaron Scott – During the first phase of this project, Aaron mainly focused on finding vulnerability scanners and recognizing website weaknesses that the team could fix later. This included scanners such as Nikto, Skipfish, Uniscan, etc. The findings from these tools allowed us to prepare the website against vulnerabilities such as SQL & X Header injection techniques. Vulnerability scanning continued into the second phase, along with manual testing to see if the website was susceptible to SQL injection. While the third phase generally lightened the workload overall, continuous website monitoring was done to prepare for any action needed. Aaron also helped put information in weekly reports, milestones, and project presentations towards completion throughout the capstone.
Caleb Woodman – During the entirety of the project, Caleb was tasked with the research and implementation of vulnerability scanning and penetration testing on our server as well as the target. During Milestones 1 and 2, he researched tools and scanned our server for vulnerabilities that could be exploited on the opposing team’s web server, as well as other non-technical methods that could be used (i.e., social engineering). In addition, he implemented some of these methods of attack for the attack phase and assisted the team with the takedown of our target during Milestone 3. Caleb also contributed to the milestone reports, weekly reports, and presentations.
Workload summary:
Voice-chat or Teams meetings - 20 hours (5%)
Monitoring - 20 hours (5%)
Project Planning - 22 hours (6%)
Penetration testing - 30 hours (8%)
Attacking our target - 30 hours (8%)
Documentation - 121 hours (33%)
Research and fixing vulnerabilities - 130 hours (35%)
At the beginning of the semester, it was estimated that the workload of this project would be 350-400 hours. Our team logged over 373 hours. We had 130.5 hours during Milestone 1, 131 hours during Milestone 2, and 111.5 hours during the final phase. Most of our hours went to research, fixing vulnerabilities, or working on our documentation (reports and PowerPoint presentations).
Team reflection on project experience
Project success factors
The most important parts of the project that contributed to our success were:
Communication – In addition to our weekly meetings, our team communicated daily in our Discord chat. This allowed us to always keep everyone on the same page and was a boon to our success.
Documentation – Our thorough documentation of the whole project through our reports, logs, and presentations contributed tremendously to this project. The professor complimented our first milestone presentation video, and we received high marks on our first two sets of deliverables. We also received a bonus point for Milestone 2.
Delegation – Everyone had their own roles and responsibilities, which ensured that no one stepped on each other’s toes and that work got done in a timely manner. In addition, everyone assisted elsewhere when required.
Team collaboration and communication experiences
The group worked very well together. There was constant communication among the group, and everyone was always comfortable asking questions or for help. We all made sure to stay on the same page and notified the group if there was ever a time when one of us would be busy. We were able to schedule group meetings and milestone presentations without any major issues.
When it came to scheduling weekly meetings, we all shared what our usual schedules were during the first week the group was created and settled on what days and times would work best for us to meet. We agreed that meeting twice a week (Tuesdays and Thursdays) at 8 pm was the best time for everyone. We have all attended every meeting and discussed what needed to be worked on, what we’ve completed so far, and what issues we have run into throughout the project. The team has always been great regarding communication and meetings.
Discord was chosen as our communication tool. It is a website/app that allows for communication using text, calls, and video chat. This was the perfect tool for us to have since it’s available to use through web browsers, PC, and mobile devices. This made our group members easy to reach. SharePoint is the software we used for collaborating on Word documents for milestone reports, weekly logs, and presentations. Overall, both Discord and SharePoint provided ease of use for communication and collaboration for the team.
Challenges
One challenge earlier on in the capstone was working with everyone’s schedules. We each have our own responsibilities and commitments outside of this project, so we had to keep that in mind when working together. Eventually, we got a feel for each other’s schedules and were able to all assist and pitch in when needed.
Another challenge during milestones 1 & 2 was setting up the backups. To do this, we had to reach out to the KSU ITS help desk for assistance. Unfortunately, the process wasn’t as efficient as we would have liked, as it would take some time for the backup requests to be completed. To combat this, we requested backups in advance so they would be completed when required.
During the attack phase, the quick takedown of the target server was a challenge as we were unable to complete additional scans and test other attack methods. To combat this, we attempted to bring down our server after the phase concluded.
Areas to improve
During our first two presentations, Professor Privitera appeared genuinely impressed with our progress and did not remark on any areas to improve or weaknesses. In addition, we received high marks on both reports. We did lose a few points on the first report as we did not include in-text citations, but we made sure to add them to future reports and fixed the first. During our final presentation, he mentioned that it was possible to get SSL working on the server. Afterward, we spent some time researching and successfully installed a self-signed certificate.
Appendix
Files included in Final Project Package:
w01ct2_1_finalreport.pdf - Final report
w01ct2_2_finalpresentation.mp4 - Final presentation (Video)
w01ct2_3_finalpresentation.ppt - Final presentation (PowerPoint)
w01ct2_4_finalpresentation.pdf - Final presentation (PDF)
w01ct2_5_projectplan.pdf - Updated project plan
w01ct2_projectpackage.ZIP
Contents of ZIP:
Milestone 1 /
w01ct2_milestone1report.pdf – Milestone 1 report
w01ct2_milestone1presentation.mp4 – Milestone 1 presentation (Video)
w01ct2_milestone1presentation.ppt – Milestone 1 presentation (PowerPoint)
w01ct2_milestone1presentation.pdf – Milestone 1 presentation (PDF)
Milestone 2 /
w01ct2_milestone2report.pdf – Milestone 2 report
w01ct2_milestone2presentation.mp4 – Milestone 2 presentation (Video)
w01ct2_milestone2presentation.ppt – Milestone 2 presentation (PowerPoint)
w01ct2_milestone2presentation.pdf – Milestone 2 presentation (PDF)
Attack Phase /
w01ct2_attackreport.pdf – Attack phase report
w01ct2_attackpresentation.mp4 – Attack phase presentation (Video)
w01ct2_attackpresentation.ppt – Attack phase presentation (PowerPoint)
w01ct2_attackpresentation.pdf – Attack phase presentation (PDF)
Department/Final Presentation /
w01ct2_deptpresentation_links.pdf – Links to website/presentation
w01ct2_deptpresentation.mp4 – Department presentation (Video)
w01ct2_deptpresentation.ppt – Department presentation (PowerPoint)
w01ct2_deptpresentation.pdf – Department presentation (PDF)
Additional Documents /
w01ct2_ganttchart.xlsx - Final Gantt chart
w01ct2_weeklylogs.pdf – All weekly log files
C-Day /
w01_cybersecurityteam2_c-dayposter.pdf – C-Day Poster (PDF)
w01_cybersecurityteam2_c-dayposter.ppt – C-Day Poster (PPT)