Simple attack executed through Kali Linux against a target protected by Azure WAF and Sentinel
This instruction is intended for a hackathon exercise in which an Azure environment contains a Kali Linux VM attacking three resources: a web app, a Windows 10 VM and a Windows Server 2019 VM.
This specific attack goes straight to the Web App. We are also going to see what happens when the same attack runs against two additional layers: the WAF, which blocks the requests it recognises, and Sentinel, which detects and reports them.
- An Azure environment with the resources required to execute the attack and the security layers: the target Web App, a Kali Linux VM, an Application Gateway with WAF enabled and Microsoft Sentinel set up.
DISCLAIMER: This instruction does not cover how to set up the environment. You may want to review this LINK.
This first scan for web vulnerabilities goes directly to the Web App address. In this hackathon exercise, we will scan this address:
In your own test you should have something like this: http://owaspdirect-.azurewebsites.net (in case you followed the ARM Template recommended through this ** LINK **).
If you are not using the ARM Template provided in that link, just use your own Web App URL, whatever it is.
So, let's go! To run the "web vulnerability scan", we connect to Kali Linux and run Nikto, a command-line web application vulnerability scanner. It ships with Kali Linux, so there is nothing to install.
Once you open a terminal, start the scan against the Web App address with this command:
- nikto -h http://owaspdirect-.azurewebsites.net
If you want to save the output as a report file, use the -output option (Nikto picks the report format from the file extension; -Save is a different option that dumps raw positive responses into a directory, so it does not produce a report):
- nikto -h http://owaspdirect-.azurewebsites.net -output ./fileoutput.htm
In the second attack we use the public IP address (or URL) of the Application Gateway that has the WAF enabled. This time the Web App sits behind the Application Gateway and its WAF.
We repeat the same command, but with the Application Gateway address. Remember that the Web App is behind the Application Gateway, so for the end user it is like accessing the Web App normally; the difference is that the WAF inspects every request and blocks the ones that match its rules.
- nikto -h 52.249.xxx.xxx
If you want to save this output too, use a different file name so the first report is not overwritten:
- nikto -h 52.249.xxx.xxx -output ./fileoutput-waf.htm
NOTE: Setting up the Application Gateway and the WAF is out of scope for this article. You may check this LINK for how to set up both.
Comparing the two Nikto outputs, notice that through the Application Gateway with WAF we get far fewer errors and far fewer findings:
- in the left image (direct scan) you can see 4 errors and 123 items reported, i.e. possible vulnerabilities found;
- in the right image (through the WAF) there are 0 errors and only 3 items reported as possible vulnerabilities.
Keep in mind that the drop happens because the WAF blocked most of Nikto's requests, not because the Web App was fixed: the same issues are still there for anyone who can reach the app without going through the Application Gateway, so restrict direct access to the Web App as well as putting the WAF in front of it.
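As an added example (not part of the original exercise or its ARM Template), the following POSIX shell script wraps the two scans above, saves each report with -output, and compares them using the totals on Nikto's closing summary line as well as the individual finding paths. The report file names, the two constructed sample reports and the hosts webapp.example and appgw.example are assumptions made for illustration; pass your own Web App URL and Application Gateway address as the two arguments to run it for real.

```shell
#!/bin/sh
# Added example, not part of the original exercise: run Nikto against the
# Web App directly and again through the Application Gateway + WAF, save
# both reports as plain text, and compare them using the totals on Nikto's
# closing line, e.g.
#   + 7918 requests: 4 error(s) and 123 item(s) reported on remote host
# The two targets are passed in as arguments; nothing here is tied to the
# hackathon hosts.
#
# Usage: sh compare_nikto.sh <web-app-url> <application-gateway-address>
# With no arguments it only compares two constructed sample reports.

# Run one scan and write a text report. -output takes the report format
# from the file extension (we also pass -Format explicitly); -Save is a
# different option that dumps raw positive responses into a directory.
run_scan() {
    nikto -h "$1" -output "$2" -Format txt
}

# error(s) count from the last summary line of a report.
nikto_errors() {
    sed -n 's/.*requests: \([0-9][0-9]*\) error(s) and [0-9][0-9]* item(s).*/\1/p' "$1" | tail -n 1
}

# item(s) count (findings) from the same line.
nikto_items() {
    sed -n 's/.*requests: [0-9][0-9]* error(s) and \([0-9][0-9]*\) item(s).*/\1/p' "$1" | tail -n 1
}

# Unique paths from the finding lines ("+ /path: ..."); informational header
# lines ("+ Server: ...", "+ Target Host: ...") do not start with "+ /".
nikto_finding_paths() {
    sed -n 's/^+ \(\/[^ ]*\):.*/\1/p' "$1" | sort -u
}

# Paths reported by the direct scan but absent through the WAF: findings the
# WAF stopped the scanner from reaching, not findings that were fixed.
hidden_by_waf() {
    nikto_finding_paths "$1" | while IFS= read -r path; do
        if ! nikto_finding_paths "$2" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

compare_reports() {
    printf 'direct : %s error(s), %s item(s)\n' "$(nikto_errors "$1")" "$(nikto_items "$1")"
    printf 'via WAF: %s error(s), %s item(s)\n' "$(nikto_errors "$2")" "$(nikto_items "$2")"
    printf 'paths only the direct scan reached (blocked by the WAF, still present in the app):\n'
    hidden_by_waf "$1" "$2"
}

# Constructed sample reports in the shape of Nikto's text output (trimmed),
# so the parsing can be checked without a live target. Hosts are made up.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_DIRECT="$SAMPLE_DIR/direct.txt"
SAMPLE_WAF="$SAMPLE_DIR/waf.txt"
cat > "$SAMPLE_DIRECT" <<'EOF'
- Nikto v2.1.6
+ Target Host: webapp.example
+ Server: Microsoft-IIS/10.0
+ /: The anti-clickjacking X-Frame-Options header is not present.
+ /: The X-Content-Type-Options header is not set.
+ /robots.txt: Entry '/admin/' is returned as a non-forbidden file.
+ /admin/: This might be interesting.
+ 7918 requests: 4 error(s) and 4 item(s) reported on remote host
EOF
cat > "$SAMPLE_WAF" <<'EOF'
- Nikto v2.1.6
+ Target Host: appgw.example
+ Server: Microsoft-IIS/10.0
+ /: The anti-clickjacking X-Frame-Options header is not present.
+ 7918 requests: 0 error(s) and 1 item(s) reported on remote host
EOF

if [ "$#" -eq 2 ]; then
    run_scan "$1" ./nikto-direct.txt
    run_scan "$2" ./nikto-waf.txt
    compare_reports ./nikto-direct.txt ./nikto-waf.txt
else
    compare_reports "$SAMPLE_DIRECT" "$SAMPLE_WAF"
fi
```

The paths that appear only in the direct report are the ones the WAF kept Nikto away from; the Web App still serves them, which is why direct access to the app needs to be locked down in addition to fronting it with the Application Gateway.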
Microsoft Sentinel is an important piece of your cybersecurity posture. It gives you many resources to monitor what is going on across your entire environment and to automate actions in response. Setting up and using Microsoft Sentinel in detail is out of scope for this article; this section is only a reminder that Sentinel is a great resource to complement your security posture.
Microsoft Sentinel offers you:
- more than a hundred connectors to ingest logs and alerts to be analysed and correlated;
- hundreds of analytics rules and queries to run against your logs, giving you insights through workbooks and alerts; the alerts generate incidents that you use to investigate what is going on in your environment;
- automation: the same logs and alerts can be analysed and automated actions (playbooks) built around them.
For this specific threat exercise we only use a few workbooks, which show useful information about the threats the WAF captured during the web vulnerability scan Nikto ran from Kali Linux. For those workbooks to show anything, the Application Gateway's WAF firewall logs must be sent to the Log Analytics workspace that Sentinel is connected to; check that before running the scan, otherwise the blocked requests will not appear.
You can do much more with Microsoft Sentinel; see this LINK.