arrow_back

Palo Alto Networks VM-Series Advanced Threat Detection

Join Sign in

Palo Alto Networks VM-Series Advanced Threat Detection

1 hour 30 minutes 1 Credit

This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.

GSP748

Google Cloud selp-paced labs logo

Overview

In this lab you will use the Palo Alto Networks VM-Series deployed as an Intrusion Detection System (IDS) in Google Cloud.

Google Cloud Packet Mirroring clones the network packets of specific instances in your Virtual Private Cloud (VPC) network and forwards that cloned network packet to the VM-Series for examination. Packet Mirroring captures all ingress and egress traffic and packet data, such as payloads and headers.

IDS is a primary use case for Packet Mirroring in Google Cloud. You can use the VM-Series as an IDS to analyze mirrored traffic to detect all threats or anomalies, and provide an additional layer of security protections. Additionally, you can inspect the full traffic flow to detect application performance issues.

What you'll do

  • Review Google Cloud Packet Mirroring setup for VM-Series
  • Monitor the malicious activities at the VM-Series
  • Browse to a juice-shop web page
  • Perform SQL Injection attacks at the juice-shop website
  • Exploit a Jenkins instance from a Linux instance
  • Test two more security features of VM-Series
  • Antivirus - Download a test virus file from an Linux instance
  • URL Filtering - access a hacking website from a Linux instance

Topology:

58f11b18d9d49438.png

The VM-Series firewall, Google Cloud VPC Packet Mirroring, Jenkins Server, Juice Shop web server and Kali Linux server will be pre configured for you.

Setup and and requirements

If you are running your own VPN, please shut it down prior to starting this lab to avoid generating an error.

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab---remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab

  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.

  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.

  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left. Navigation menu icon

Browse Juice Shop

OWASP (OWASP Foundation, the Open Source Foundation for Application Security) Juice Shop is probably the most modern and sophisticated insecure web application. It can be used in security training, awareness demos, CTFs and as a guinea pig for security tools. Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten, along with many other security flaws found in real-world applications.

  1. In the Cloud Console, go to Navigation menu > Compute Engine.
  2. Copy the External IP address is found in the Console under Compute Engine > juice-shop.

ec328c003e0c04a2.png

  1. Open a new browser tab and navigate to http://<External IP>, replacing <External IP> with the External IP of Juice-shop. It can take up to 5 minutes for the Juice-shop website to come up. Click Dismiss if required.

ea58d4e8277aeb3f.png

  1. Click on Account > Login > Not yet a customer? and enter some fake details.

62d5e8951a9425eb.png

  1. Use any (real or fake) email to create an account, just remember the email and password you used! When you're finishsed click Register.

c6d2bc9e1c1bccec.png

Now log in with the credentials you just created.

  1. Go ahead to buy some juice! Then click the Your basket (basket like icon), then Checkout.

93e4b0585d0dcc4e.png

  1. Click Add New Address then fill out the form. When you're done, click Submit.

82ec3d6f6ea2ee5d.png

  1. Click into the circle to select the address you just created then click Continue.

4b805587f26cf27f.png

  1. Choose your Delivery Speed, then click Continue.

  2. Click Add New Card and enter some fake credit card information. Click Submit.

b177e1edac59bbe3.png

  1. Click into the circle to select the card you just entered, then click Continue.

  2. Click Place your order and pay.

ca1711fc7af8d765.png

Review Configuration of the VM-Series

  1. The External IP address is found in the Console under Compute Engine > VM Instances > VM-Series-xxx. Click on the name and scroll down to the Network interfaces.

739e2a0aa0e28c6e.png

  1. You will see nic1 is assigned to the management VPC. Copy to use the External IP provided to access the VM-Series.

a3afb658d86e4549.png

  1. Open a new browser tab and navigate to https://<External IP>, replacing <External IP> with the External IP of VM Series. Note it can take up to 10 minutes for the firewall to spin up.

If the message "Your connection is not private" opens, click Advanced, and then Proceed to <IP address> (unsafe):

1604b882a2e66dc9.png

This opens the VM Series management console.

  1. Log in to VM Series management console using the following credentials:

Username:

paloalto

Password:

Pal0Alt0@123

8d5df2806a9fbc81.png

  1. For Welcome window, click Close.

welcome.png

  1. For Telemetry Data Collection, click Remind me later.

telemetry_data_collection.png

  1. Once you login to the firewall, you will see the dashboard:

77a9eb68b516edad.png

Get your IP address

Open another browser tab and go to whatismyip.com to find the IP address of your laptop. Leave this tab open, you'll need it throughout this lab.

Review the web browsing activities in Traffic log

On the PA-VM dashboard, click the Monitor tab. Click on Traffic in the left panel.

Add a filter addr.src in {*your IP address*} into the search field to only see the traffic from your laptop, then press Enter.

ad73b6e6a357cf96.png

You should now see the web browsing traffic to the Juice shop (Destination 192.168.11.2 at port 80).

5539d77a43b4c7a3.png

Attack the Juice Shop

Juice Shop has built-in challenges for security professionals to practice. You earn a score once you solve a challenge. For example, you earn a score by discovering the hidden scoreboard.Go to http://{*external IP of Juice Shop*}/#/score-board

Click on Dismiss for Welcome to OWASP Juice Shop! prompt.

30b90bff43442bcf.png

Using SQL Injection to obtain administrator's credentials is one of the challenges. Uses this challenge to observe an attack in the VM Series Firewall logs.

Login as administrator via SQL Injection

You don't have the username and password of the administrator user, so you will login as admin via SQL Injection.

  1. Logout from juice shop.

122e0f161a46fa81.png

  1. Login back in using the following credentials

Username:

'or 1=1--

Password:

.

a5b53085bf5a0089.png

Click on Account and verify you are logged in as administrator.

77740de4eb160ea8.png

Review the attack in VM Series Firewall logs

  1. On the PA-VM dashboard, click the Monitor tab then click Threat in the left panel.
  2. Add a filter addr.src in {*your IP address*} into the search field to only see the threat from your laptop, then press Enter.

In the Threat ID/Name column, notice the log the entry Suspicious HTTP Evasion Found. The Source Address matches the IP of your laptop, and the Destination Address matches the IP of the Juice Shop.

973c770a0f80ba6.png

Click on magnifying glass in the left column to review the log details.

13d4aea815a826e8.png

Observe random attacks to Juice Shop and Jenkins

Juice Shop has a vast number of intended vulnerabilities. Jenkins server is an older version with known vulnerabilities as well. Once they are exposed on the internet, they become attractive targets for hackers. As the Juice Shop and Jenkins runs for a while you will likely see high severity attacks occurring.

Still on the Threat page, use the filter below to see if high severity attacks have occurred.

( severity neq informational )

You may not see any logs for severities higher than Low at this point in the lab.

3529a2bb8364ca92.png

But when there are issues, you'll see them marked clearly:

58526fec1e5e3177.png

About Jenkins

Jenkins is an open source automation server written in Java. Jenkins is the most popular open source CI/CD tool on the market today. Jenkins allows developers to automatically build, integrate, and test code as soon as they commit it to the source repository. This allows developers to catch bugs quickly and ultimately deploy much faster.

Jenkins is the oldest player in the industry, its vulnerabilities have been a popular target for hackers.

Bad actors generally follow a well-known sequence of steps when attempting to infiltrate a network. This starts with identifying what is on the network and what vulnerabilities are associated with deployed assets.

It completes with a successful exploit followed by network persistence.

The bad guys have to get every step correct, while the defender only has to prevent one step in the chain to be successful. Defenders have a number of tools available at the environment, network, and host level, some of which are enumerated here.

Not all tools are applicable in all circumstances, but knowing what is available can help you make informed decisions based upon risk.

Exploit Jenkins

  1. Return to the Cloud Console, Compute Engine > VM instances.
  2. Copy the Jenkins Server external IP address.
Note: you may need to disconnect from your Corporate VPN.

jenkins.png

  1. Open a new browser tab and go to http://{external IP Address of jenkins server}:8080. You will see the Jenkins page open.

f0895fa71b562fbd.png

Next you will return to the Cloud Console and SSH into the Kali Linux server.

Note: If you are not able to access the Jenkins website, restart your instance.

Check the Jenkins instance checkbox, then click the Stop button at the top of the screen.

panw-jenkins2.png

Then click the Start / Resume button.

panw-jenkins1.png

Next you will return to the Cloud Console and SSH into the Kali Linux server.

Activate Cloud Shell

From Cloud Console, click the Activate Cloud Shell icon in the upper right corner.

e36dfb7740cda486.png

Click Continue to access Cloud Shell

8aee0207ba01dcdf.png

Obtain the external IP Address of instance kali, the Kali Linux Server.

ecf51fe3f8b756fc.png

Run the following to ssh to Kali Linux server.

ssh kali@{external IP Address of kali server}

Type yes to connect.

Enter the password:

kali

(Output)

64f9d3ef592f1599.png

Launch the attack scripts

Run the scripts from the kali shell to start the exploit to the jenkins server:

msfconsole -r jenkins.rc

(Output)

e3e3fe0d0eb244fa.png

f57ae555148e726b.png

Enter the command to access the shell of Jenkins server:

python -c 'import pty; pty.spawn("/bin/bash")'

(Output)

44a453e3e6433aba.png

Now you are at the shell of the Jenkins server.

Issue a few commands to check the file system:

cd .. ls

(Output)

b5095990a2e174f6.png

Check which account you're using:

whoami

9ed86414340c6c51.png

Examine the session established by the exploit:

netstat -an

(Output)

26073966f972330.png

Review the processes associated with the exploit:

ps -ef ps -aux

(Output)

ea35443486c035d7.png

You have the access to the etc/passwd file:

head /etc/passwd

(Output)

2c409ccbb5f7f730.png

Type "exit" and "exit" to exit from Jenkins server root prompt. You'll be returned to the kali prompt.

ad63ea46a97ca1d8.png

Review VM Series firewall logs

On the PA-VM dashboard, click the Monitor tab. Click on Traffic in the left panel.

Add this filter to review all the traffic to jenkins and kali, then press Enter:

( addr.dst in 192.168.11.3 ) or ( addr.dst in 192.168.11.4 )

(output)

27909dd1068e41e6.png

Click Check my progress to verify the objective. Review VM Series firewall logs

Review the attack in threat log

Still on the PA-VM dashboard, click on Threat in the left panel and add this filter that will display the destination, jenkins or kali instance, and the severity is not informational:

(( addr.dst in 192.168.11.3 ) or ( addr.dst in 192.168.11.4 ) ) and ( severity neq informational )

Notice in log the entry of Shell Command Access, Severity is critical.

cb9130407e01211a.png

Click on the magnifying glass sign in the left column of the first entry to review the log details.

656abdc35414e9ec.png

Click on the magnifying glass sign in the left column of the second entry to review the log details.

9d4c0779ca8a7a4b.png

Test VM Series Security Feature:

URL Filtering

Palo Alto Networks URL Filtering allows you to monitor and control the sites users can access, to prevent phishing attacks by controlling the sites to which users can submit valid corporate credentials, and to enforce safe search for search engines

In Cloud Shell you should still be at the kali prompt (kali@kali:~$ ). Access a test hacking website by issue the command:

curl http://urlfiltering.paloaltonetworks.com/test-malware

On the PA-VM dashboard, click on Traffic in the left panel and add this filter to see the traffic from the kali instance, then press Enter:

( addr.src in 192.168.11.3 )

You see web browsing traffic initiated from kali instance.

1486cc43cfad5d4f.png

Click Check my progress to verify the objective. Test VM Series Security Feature

Now check if accessing the hacking website triggers any URLFiltering logs.

On the PA-VM dashboard, click on URLfiltering in the left panel. You'll see that the website is categorized as hacking.

panw-pa-vm.png

Click on magnifying glass sign on left to review the log details.

Congratulations

You have performed SQL Inject attacks on a juice-shop web service, exploited a Jenkins Server from a Linux instance, and gained the root access. This demonstrated a hacker's ability to move around inside the cloud and exploit other cloud instances. You have also tested the URLFiltering security feature. This demonstrated the risk that could be caused by an authenticated user.

VM Series firewall was deployed as an IDS system that has visibility to the network traffic as well as the malicious activities, through VPC Packet Mirroring. You have reviewed the network traffic log, threat log, and URLFiltering log. You have observed the network traffic and the threat events caused by the attacks. With VM-series and Packet Mirroring, you have full visibility to the malicious activities. In the real world, security teams would be able to implement prevention and remediation based on the detection of the malicious activities by VM-Series.

PaloAltoNetworks_125x135.png

Finish Your Quest

This self-paced lab is part of the Qwiklabs Public Cloud Security by Palo Alto Networks Quest. A Quest is a series of related labs that form a learning path. Completing this Quest earns you the badge above, to recognize your achievement. You can make your badge (or badges) public and link to them in your online resume or social media account. Enroll in this Quest and get immediate completion credit if you've taken this lab. See other available Qwiklabs Quests.

Take Your Next Lab

Continue your quest with the next lab in the series, Palo Alto Networks: VM-Series AutoScale in Google Cloud.

Next Steps / Learn More

Google Cloud Training & Certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated: August 30, 2021
Lab Last Tested: January 20, 2021

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.