Simulate Intrusion Attack

Solved
mags
Here to help

Simulate Intrusion Attack

Hello Cisco Meraki Community,

 

We have a mix of MX67C, MX84 and MX100 deployed at our branch offices with Advance Security license. I wanted to test intrusion prevention by simulating an attack. Can anyone share the tools and applications they used? I would like to test one of the offices and safely simulate an attack. I would like to see how the alert looks like and the behavior of the MX. Any information is appreciated. Thank you.

1 Accepted Solution
Johnfnadez
Building a reputation

You could perform a test entering to notepad.pw MX will remark the Domain as DNS Malicious query. Its a fact but is a simple test just to know that MX is doing his job.
Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA

View solution in original post

24 Replies 24
BrechtSchamp
Kind of a big deal

I've used EICAR files to test AMP in the past:

http://2016.eicar.org/85-0-Download.html

 

But you may be looking for something to test the Snort IDS/IPS module?

mags
Here to help

Yes, I would like to test Snort IDS/IPS module. Thanks!
BrechtSchamp
Kind of a big deal

I'm sure there will be tools to help you in Kali and Metasploit, but I have no experience myself.

mags
Here to help

Me as well, I do not have any experience with Kali Linux. I am thinking maybe a simple free application to install in Windows 10 that can quickly and safely simulate an intrusion attack. I have to do in remotely since I am now working from home due to the pandemic.
Doug100
Here to help

Hi Kali is now available integrated into Windows 10

mags
Here to help

Thank you Doug100
Doug100
Here to help

Hi Kali is now available integrated into Windows

BlakeRichardson
Kind of a big deal
Kind of a big deal

@mags If you want to get this done and don't have time I suggest you approach a cyber security testing company, yes they are expensive however if you just want to test one or two simple functions I cannot imagine it being to bad cost wise. 

 

 

mags
Here to help

Hi BlakeRichardson,

 

That would be the last option I would like to take because it will be a lot more complicated to get third party involved. Thanks for your suggestion.  

Johnfnadez
Building a reputation

You could perform a test entering to notepad.pw MX will remark the Domain as DNS Malicious query. Its a fact but is a simple test just to know that MX is doing his job.
Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
PhilipDAth
Kind of a big deal
Kind of a big deal

Metaspolit Community edition is good - but be prepared for an uphill learning experience.

mags
Here to help

Hi PhilipDAth,

 

At the moment, I don't have much time to spare to learn Metasploit but I'll put that in the list of nice things to learn in the future. Thanks!

mags
Here to help

Hi Johnfnadez,

 

Is it just simply opening notepad.pw in a webrowser? I tried to do it but nothing comes up on the MX email alerting or Security Center. 

Johnfnadez
Building a reputation

Yes!

 

Look my MX 🙂 

 

Johnfnadez_0-1585949009944.png

 

Try to check you Policies in your group policies that you have assigned in your device or VLANs

 

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
Johnfnadez
Building a reputation

And also check your threat protection config.

Regards!
Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
route_map
Building a reputation

i just did a simple network scan using nmap on kali linux on one of my sites

shouldnt this type of scan be considered as intrution? nothing shows up in the event log and nothing under security center also

 

route_map_0-1585976587997.png

 

below is if i do a scan on my home mx but within the lan

 

route_map_1-1585976812870.png

in my mind i wouldnt want anyone whether external or internal to be able to run scans

 

PhilipDAth
Kind of a big deal
Kind of a big deal

You can't do anything to stop an nmap scan.  I guess you could say after you have seen so many syn packets from a specific host to block further syn packets, but it is pretty easy to get a false positive and block legit traffic.

 

nmap is a scanning tool.  It doesn't actually utilise a compromise to try and gain access or run code.

DHAnderson
Head in the Cloud

I entered notepad.pw in Chrome on my phone.

The website popped up and my security log on my MX shows that a suspicious .pw query was blocked.

If the DNS query was blocked, why could I get to the site?
Dave Anderson
mags
Here to help

That's strange and scary.
mags
Here to help

Hi Johnfnadez,

 

In Security & SD-WAN > Threat Protection, I have IDS/IPS mode intially set to detection and ruleset to connectivity. I changed it to prevention and security with the thought that it will capture the notepad.pw malicious DNS query but no joy. The client I am using for testing is not assigned to any Group Policy so I think default policies will apply. 

DHAnderson
Head in the Cloud

After changing the Threat Protection settings, did you make sure that the MX had updated it's settings?

Sometimes it takes a few minutes for the setting to apply, especially firewall and security rules. 

Dave Anderson
mags
Here to help

Hi DHAnderson,

 

I saw the alerts in Security Center this morning when I checked. I tested again and it is now showing as suspicious .pw DNS query.

mags
Here to help

Hi Johnfnadez,

 

I got the alerts now showing in Security Center. I thought there would be an email alert generated as well but there wasn't any. Thanks! 

DHAnderson
Head in the Cloud

To get the alerts, make sure that under Network-wide/Alerts that both Malware is blocked and Malware is downloaded are checked, and that there is a valid email address in Default recipients
Dave Anderson
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels