Learn by Directing AI
All materials

CLAUDE.md

P4: Network Exploitation + Metasploit + First Threat Models

Client

Marie-Claire Desrosiers, Executive Director, Reseau Sante du Nord -- a network of 6 community health clinics across northern Haiti. 80 staff. Funded by international donors. The biggest donor requires a security assessment before renewing funding.

Engagement

Security assessment of the clinic network's shared EHR system. The assessment covers network service exploitation (SSH, FTP), web application testing (SQL injection, XSS), passive reconnaissance with multi-source correlation, STRIDE threat modelling, Sigma detection rules, CVSS-scored remediation, and a donor-facing assessment report.

Lab Environment

Docker Compose multi-service stack:

  • ehr-web (port 80): Flask EHR application with SQL injection in /search and stored XSS in /records
  • ssh-server (port 22): OpenSSH with weak credentials (frantz/clinique2024)
  • ftp-server (port 21): vsftpd with anonymous access enabled, patient data CSVs exposed
  • vpn-sim: VPN configuration simulator with shared pre-shared key across all 6 clinics
  • grafana (port 3000): Grafana 10.4.x with Loki data source
  • loki (port 3100): Loki 2.9.x log aggregation
  • alloy (port 12345): Grafana Alloy 1.0.x -- initially collects only EHR web logs

Start with: docker compose up -d Verify with: docker compose ps -- all 7 services should be healthy/running.

Engagement Phases

  1. Brief and Environment -- Set up lab, understand Marie-Claire's situation, read scope document
  2. Passive Reconnaissance and Threat Modelling -- DNS recon, multi-source correlation, STRIDE threat model, ATT&CK TTP selection
  3. Network Service Exploitation -- Metasploit framework, FTP anonymous access, SSH brute-force with Hydra, web application exploitation with sqlmap
  4. SIEM Configuration and Detection Rules -- Modify Alloy to collect SSH/FTP logs, design Loki labels, write 3 Sigma rules from scratch, create Grafana security dashboard
  5. Remediation and Fix Selection -- CVSS scoring, fix selection judgment (key-only auth vs password complexity), verify fixes by re-running exploits
  6. Assessment Report -- Executive summary for Marie-Claire and donor, separated network/web findings, CVSS scores, remediation status, detection capabilities

Key Materials

  • scope-document.md -- Authorized targets and rules of engagement
  • threat-model-template.md -- STRIDE template for the student to fill
  • ttp-selection-template.md -- ATT&CK technique selection template
  • report-template.md -- Extended report template with CVSS guide
  • alloy-config.river -- Alloy config (initially EHR only -- student adds SSH/FTP)
  • docker-compose.yml -- Lab environment definition

Verification Targets

  • All 7 Docker services running and healthy
  • Threat model has system-specific threats (not generic STRIDE)
  • At least one network and one web exploitation documented
  • 3 Sigma rules fire on attack data, not on normal traffic
  • All exploits fail after remediation
  • All services still operational post-remediation
  • Report has CVSS scores and accessible executive summary

Commit Convention

Commit after each engagement phase with a descriptive message:

  • "Phase 1: lab environment setup and scope review"
  • "Phase 2: passive recon and STRIDE threat model"
  • "Phase 3: network and web exploitation"
  • "Phase 4: SIEM configuration and detection rules"
  • "Phase 5: remediation with fix verification"
  • "Phase 6: assessment report and project close"