Fortinet Lab: Security & Performance Testing - NETSEC


Cybersecurity Memo

Thursday, December 12, 2024


Today's cyber threat landscape is constantly evolving, requiring organizations to continually assess their cybersecurity posture to ensure it remains effective. FortiTester runs a robust set of security tests, such as agent-based MITRE ATT&CK simulations, DDoS and fuzzing attacks, CVE-based intrusions including SCADA targets, malware strike packs, and much more. These are regularly refreshed to reflect the latest cyber campaigns seen by Fortinet's FortiGuard Labs. Being able to simulate attacks is crucial for identifying gaps in security controls and for validating the people and processes on which the enterprise depends.



Whether assessing your next-generation firewall (NGFW), load balancers, or web infrastructure to identify pressure points and bottlenecks, FortiTester offers a variety of tests including RFC2544/3511, iMIX, HTTP/HTTPS/HTTP2, as well as SSL VPN for FortiGate devices. Network performance tests can also be used for the public cloud to validate cloud architecture and performance.


In this workshop, participants start by configuring the network template. The template settings are used to populate the network settings of the test case configurations used in your testing. You will also learn how to perform security testing, including Malware, IPS, DDoS, and Web attacks, against an environment deployed with FortiWeb, FortiGate, and FortiClient. Furthermore, you will learn how to perform MITRE ATT&CK post-exploitation against an endpoint using FortiTester.


Topology



Background

Many test cases you may want to run will have the same basic network setup. To simplify configuration, you can create a network configuration template and then use it when you initially configure test case settings. The template settings are used to populate the network settings for the new test case configuration.

The network configuration template specifies the IP address type, DUT (Device Under Test) working mode, client/server port settings, subnet settings, port binding, VLAN settings, etc. You can only import template settings if the IP address type and DUT working mode you select in the new test case popup dialog box match the settings in the network configuration template. In this section you will configure the FortiTester network template.


In this lab you will configure the FortiTester network template, specifically in NAT mode. You will use this template for the security testing use cases. The template is built from the FortiTester virtual appliance network adapter settings configured in the lab.


Tasks

 

  1. From the Lab Activity main menu, click FortiTester, then click HTTPS to access it and log in with the following credentials:

    Username: admin     Password: Fortinet1!

  2. Click Security.




  3. Click Objects > Networks.

  4. Click Create New.

  5. Set DUT Working Mode to Network Address Translation (NAT).


     

  6. Click Ok.

  7. Set Name to NAT.

  8. Under Network Settings CLIENT, set port1 IP Address or Range to 172.16.99.152.

  9. Set Netmask to 24.

  10. Set Gateway to 172.16.99.254.

  11. Set Peer Network to 10.10.30.8/29.



  12. Remove the second subnet settings by clicking on the X icon.



  13. Set Server port2 IP Address or Range to 10.10.30.13.

  14. Set Netmask to 29.

  15. Set Gateway to 10.10.30.14.

  16. Set Peer Network to 172.16.99.0/24.





  17. Double-check your network template and make sure it looks exactly like the screenshot below; otherwise none of the security testing use cases will work.




  18. Click Save.
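Step 17 warns that the template has to be exactly right, but a screenshot comparison is easy to get wrong. The Python block below is an added example, not code from this page or from Fortinet: it encodes the values from steps 8 to 16 and checks the properties a NAT-mode template needs (every address and the gateway inside one subnet, the client and server subnets disjoint, and each side's Peer Network equal to the other side's subnet). It also accepts the "first-last" range form used later in the DDoS section, which goes slightly beyond this section's single-address case. The field names and the checks are this example's own assumptions about what FortiTester expects.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class PortConfig:
    """One side (client or server) of a FortiTester NAT-mode network template."""
    name: str
    addresses: str       # "a.b.c.d" or "a.b.c.d-a.b.c.e", as typed into IP Address or Range
    netmask: int         # prefix length, as typed into Netmask
    gateway: str
    peer_network: str    # CIDR, as typed into Peer Network


# Values from the lab steps above (single client address, as in the first template).
LAB_CLIENT = PortConfig("port1 (client)", "172.16.99.152", 24, "172.16.99.254", "10.10.30.8/29")
LAB_SERVER = PortConfig("port2 (server)", "10.10.30.13", 29, "10.10.30.14", "172.16.99.0/24")


def expand_range(spec: str) -> list[IPv4Address]:
    """Expand 'a.b.c.d' or 'a.b.c.d-a.b.c.e' into the list of addresses it covers."""
    if "-" in spec:
        first, last = (ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end {last} precedes range start {first}")
        return [IPv4Address(i) for i in range(int(first), int(last) + 1)]
    return [ip_address(spec.strip())]


def local_subnet(port: PortConfig) -> IPv4Network:
    """Subnet implied by the port's first address and its prefix length."""
    return ip_network(f"{expand_range(port.addresses)[0]}/{port.netmask}", strict=False)


def check_port(port: PortConfig) -> list[str]:
    """Per-port checks: every address and the gateway must sit inside one subnet."""
    findings = []
    subnet = local_subnet(port)
    gateway = ip_address(port.gateway)
    if gateway not in subnet:
        findings.append(f"{port.name}: gateway {gateway} is outside {subnet}")
    for addr in expand_range(port.addresses):
        if addr not in subnet:
            findings.append(f"{port.name}: address {addr} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            findings.append(f"{port.name}: {addr} is the network or broadcast address of {subnet}")
        elif addr == gateway:
            findings.append(f"{port.name}: address {addr} collides with the gateway")
    return findings


def check_template(client: PortConfig, server: PortConfig) -> list[str]:
    """Cross-port checks for NAT mode: the two subnets must be disjoint and each
    side's Peer Network must be exactly the other side's subnet."""
    findings = check_port(client) + check_port(server)
    client_net, server_net = local_subnet(client), local_subnet(server)
    if client_net.overlaps(server_net):
        findings.append(f"client subnet {client_net} overlaps server subnet {server_net}")
    if ip_network(client.peer_network, strict=False) != server_net:
        findings.append(f"{client.name}: peer network {client.peer_network} is not the server subnet {server_net}")
    if ip_network(server.peer_network, strict=False) != client_net:
        findings.append(f"{server.name}: peer network {server.peer_network} is not the client subnet {client_net}")
    return findings


if __name__ == "__main__":
    problems = check_template(LAB_CLIENT, LAB_SERVER)
    print("template OK" if not problems else "\n".join(problems))
```

An empty list means the template is internally consistent; the lab values pass, and a typo such as a Peer Network of 10.10.30.0/29 or a server gateway outside 10.10.30.8/29 is reported with the port it belongs to.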

 


Security Testing


Malware Attack


FortiTester can perform malware attacks for security testing purposes; malware cases can send files over the HTTP, FTP, SMTP, IMAP, POP3, and SMB protocols. Malware strike packs, which are provided and refreshed regularly through FortiGuard updates, or user malware groups can be used in security testing. In this lab you will upload a custom malware file into a user malware group and use it for malware security testing against the FortiGate, test FortiClient Malware Prevention by trying to download malware from the FortiTester strike pack, and finally view the malware strike packs.

Tasks

Upload User Malware Group

 

  1. From the Lab Activity main menu, click Jumpbox then click RDP to access, open Firefox or Chrome, and access FortiTester using the bookmarked page.

  2. On FortiTester, click Security.

  3. Click Objects > User Malware Group.

  4. Click Create New.

  5. Set Name to UserMalwareGroup1.

  6. Click Add.

  7. Under Files, click Browse.

  8. In the Downloads folder, select the eicar_com.zip file and click Open.

  9. Upload the file by clicking on the up arrow key as shown.





  10. Close the browser.

 

Perform Malware Attack

 

  1. Go back to the FortiTester browser tab opened from the lab activity menu. Click Malware > Malware.





  2. Click Create New.

  3. Set DUT Working Mode to Network Address Translation (NAT). 

  4. Set Network Config to NAT which was created in the Network Template previously.

  5. Set Protocol to FTP.

  6. Click OK.

  7. Under Specifics, click Action, set User Malware Group to UserMalwareGroup1, and leave the rest of the settings at their defaults.

  8. Click Start.

    Note: Please wait a few minutes for the attack to start. If it takes longer than 5 minutes, click Stop to stop the attack, then click Return to restart it.

  9. You will notice that the Running Result is Success with a green circle next to it, and that the status of the attack is Block: it has been blocked by the FortiGate Edge device.

  10. Click the home icon on the top right corner.





  11. From the Lab Activity main menu, click FGT-EDGE, click HTTPS to access, and log in using the following credentials:

    Username: admin   password: Fortinet1!

  12. Click Log & Report > Security Events.

  13. Double-click Antivirus to view the logs.



 

FortiClient Protection

 

  1. From the Lab Activity main menu, click Alice, and click RDP to access.

  2. Open Chrome and browse to the following link by copying it and pasting it into the browser: http://web.archive.org/web/20020106023748if_/www.0190-dialer.com/dialers/5-4-40-117.exe

  3. FortiClient will deny access to this executable file.




    Note: The link you browsed to was from the Malware Strike Pack available on FortiTester, the pack is updated often so you might not find this link on the search menu.


  4. Close the browser.

 


View FortiGuard Malware Strike Packs

 

  1. On FortiTester Security Testing, click Objects > FGD Malware Group.

  2. Click Available Malware.



  3. You can view FortiGuard Malware Definitions. 






IPS Attack Security Testing



FortiTester can perform IPS attacks to test your environment's intrusion prevention system. You can test security systems by replaying a predefined FortiGuard security signature or a customized set of attack traffic that you upload. The predefined FortiGuard intrusion definitions cover hundreds of types of attacks. In this lab you will perform an IPS attack against the FortiGate using a predefined FortiGuard intrusion group list.

Tasks

Create FortiGuard Intrusion Group

 

  1. Go to FortiTester Security Testing.

  2. Click Objects > FGD Intrusion Group.

  3. Click Create New.

  4. Set Name to FGDIntrusionGroup1.

  5. Click ADD.

  6. Click Create New.

  7. Click Type search and select Buffer Error.

  8. Click Search.

  9. Select ALLMediaServer_Mediaserver_SEH_Buffer_Overflow.

    Note: Please make sure you select the IPS attack mentioned above. If you select a different one it might pass, since the outcome depends on the FortiGate IPS configuration, which is set to block ALLMediaServer_Mediaserver_SEH_Buffer_Overflow.





  10. Click Save.

 

Perform IPS Attack

 

  1. Click IPS > Attack.





  2. Click Create New.

  3. Set DUT Working Mode to Network Address Translation (NAT).

  4. Set Network Config to NAT.

  5. Click OK.

  6. Under Specifics, click Action. 

  7. Set FGD Intrusion Group to FGDIntrusionGroup1.



  8. Disable FGD Free Package.

  9. Click Start.

  10. Wait until you see Running Result is Success with a green circle next to it. You will notice that the ALLMediaServer_Mediaserver_SEH_Buffer_Overflow status is PacketLost, as it has been dropped by the FortiGate.

  11. Click the home icon on the top right corner.




  12. On FGT-EDGE, click Log & Report > Security Events.

  13. Double-click Intrusion Prevention to view the log.




 

DDOS Attack Security Testing


FortiTester can test the device under test's (DUT) ability to handle different types of DDoS attack tests (single packet flood, TCP session flood, HTTP session flood, DDoS concurrent session flood, and UDP packet). In this lab, you will perform a single packet flood DDoS test against the FortiGate.

Tasks

Modify Network Template

 

  1. On FortiTester Security Testing, click Objects > Networks.
     
  2. Double-click NAT.

  3. Set IP Address or Range for Client port1 to 172.16.99.152-172.16.99.160.

  4. Click Save.

 

DDOS Attack

 

  1. On FortiTester Security Testing, click DDOS > Single Packet Flood.

  2. Click Create New.




  3. Set DUT Working Mode to Network Address Translation (NAT).

  4. Set Network Config to NAT.


  5. Click OK.

  6. Set Steady Duration to 2 Minutes.

  7. Set the Number of Samples to 20.

  8. Click Start. 

  9. Wait for two minutes; you will see Running Result is Success with a green circle next to it. You can view statistics of the DDoS attack after it finishes.

  10. Click the home icon on the top right corner.



  11. On FGT-EDGE, click Log & Report > Security Events.

  12. Double-click Anomaly to view cleared DDoS sessions.
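The malware, IPS and DDoS sections all end the same way: open Log & Report > Security Events on FGT-EDGE and confirm that the Antivirus, Intrusion Prevention or Anomaly log shows the traffic being stopped. The Python block below is an added example, not code from this page or from Fortinet, that automates that confirmation. It parses constructed log lines written in the key="value" style FortiGate uses (the field and action names here are assumptions for illustration, not output captured from the lab device) and turns the action counts per UTM subtype into a verdict for each of the three test cases. One constructed line deliberately shows the EICAR file being logged as "monitored" rather than "blocked", which is what an antivirus profile left in monitor mode produces and is the failure mode a tester most often misses when eyeballing the log page.

```python
import shlex
from collections import Counter, defaultdict

# Constructed sample lines in the key="value" style FortiGate writes to its logs.
# Field names and values are illustrative assumptions, not output captured from FGT-EDGE.
SAMPLE_LOGS = """\
date=2024-12-12 time=10:01:02 type="utm" subtype="virus" eventtype="infected" level="warning" srcip=172.16.99.152 dstip=10.10.30.13 service="FTP" action="blocked" virus="EICAR_TEST_FILE" filename="eicar_com.zip"
date=2024-12-12 time=10:01:05 type="utm" subtype="virus" eventtype="infected" level="warning" srcip=172.16.99.152 dstip=10.10.30.13 service="FTP" action="monitored" virus="EICAR_TEST_FILE" filename="eicar_com.zip"
date=2024-12-12 time=10:15:40 type="utm" subtype="ips" eventtype="signature" level="alert" srcip=172.16.99.152 dstip=10.10.30.13 action="dropped" attack="ALLMediaServer_Mediaserver_SEH_Buffer_Overflow" severity="high"
date=2024-12-12 time=10:30:11 type="utm" subtype="anomaly" eventtype="anomaly" level="alert" srcip=172.16.99.155 dstip=10.10.30.13 action="clear_session" attack="tcp_syn_flood" count=1200
date=2024-12-12 time=10:30:12 type="utm" subtype="anomaly" eventtype="anomaly" level="alert" srcip=172.16.99.158 dstip=10.10.30.13 action="clear_session" attack="tcp_syn_flood" count=980
"""

# Which log subtype each lab test should produce, and which actions count as the DUT
# stopping the traffic (assumed action names; confirm them against your own firewall's logs).
EXPECTED = {
    "Malware (FTP, EICAR)": ("virus", {"blocked"}),
    "IPS (ALLMediaServer SEH overflow)": ("ips", {"dropped", "reset", "blocked"}),
    "DDoS (single packet flood)": ("anomaly", {"clear_session"}),
}


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict; shlex takes care of the quoted values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def summarize(text: str) -> dict[str, Counter]:
    """Count actions per UTM subtype across all lines."""
    by_subtype: dict[str, Counter] = defaultdict(Counter)
    for raw in text.splitlines():
        fields = parse_line(raw)
        if fields.get("type") == "utm" and "subtype" in fields:
            by_subtype[fields["subtype"]][fields.get("action", "unknown")] += 1
    return by_subtype


def verdicts(summary: dict[str, Counter]) -> dict[str, str]:
    """BLOCKED: only blocking actions were logged. PARTIAL: some traffic was let through.
    PASSED: events were logged but nothing was blocked (profile in monitor mode).
    NO EVENTS: the test traffic never reached the DUT's inspection path at all."""
    result = {}
    for test, (subtype, blocking) in EXPECTED.items():
        actions = summary.get(subtype, Counter())
        stopped = sum(n for action, n in actions.items() if action in blocking)
        passed = sum(n for action, n in actions.items() if action not in blocking)
        if stopped and not passed:
            result[test] = "BLOCKED"
        elif stopped:
            result[test] = "PARTIAL"
        elif passed:
            result[test] = "PASSED"
        else:
            result[test] = "NO EVENTS"
    return result


if __name__ == "__main__":
    for test, verdict in verdicts(summarize(SAMPLE_LOGS)).items():
        print(f"{verdict:10} {test}")
```

Feed it an export of the Security Events log instead of SAMPLE_LOGS to check a real run; a NO EVENTS verdict usually points back at the network template (wrong peer network or gateway), not at the security profile.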




 




Web Attack Security Testing


The Web Protection security test simulates sending web application attacks that are expected to be detected by the security DUT. In this lab you will view SQL injection and XSS attacks that have been performed against the FortiWeb appliance using web protection signatures available from FortiGuard. You will also view the FortiWeb logs showing those attacks being blocked.


Note: Because the FortiTester VM adapter settings are fixed in the lab, you will not be doing live testing against FortiWeb.

Tasks

View Web Protection Group

 

  1. On FortiTester Security Testing, click Objects > Web Protection Group.
     
  2. Double-click WebProtectionGroup1. The group contains SQL injection and XSS signatures.

View Web Attack

 

  1. Click Web Protection > Web Protection.

  2. Click Result on the existing attack that was performed.

  3. In the results, you will see the attacks blocked by FortiWeb.




  4. Click Close.

  5. From the Lab Activity main menu, click FortiWeb then HTTPS to access it using the following credentials:

    Username: admin     Password: Fortinet1!

  6. Click Log & Report > Log Access > Attack to view the FortiWeb logs.
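Since this section is view-only, it helps to see what a web protection signature actually does to a request before reading the FortiWeb attack log. The Python block below is an added example, not code from this page, from Fortinet or from FortiGuard: it implements a small signature matcher of the same kind as the SQL injection and XSS rules in WebProtectionGroup1. The signature IDs and patterns are this example's own assumptions, and the requests it inspects are constructed test vectors. It normalizes each query parameter by URL-decoding until the value stops changing, which is why the double-encoded request in the sample is still caught.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signature set: (id, category, pattern). IDs and patterns are this example's own
# assumptions, not FortiGuard web protection signatures.
SIGNATURES = [
    ("SQLI-UNION", "sqli", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("SQLI-BOOLEAN", "sqli", re.compile(r"['\"]\s*or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("SQLI-COMMENT", "sqli", re.compile(r"--\s*$|/\*.*\*/")),
    ("XSS-TAG", "xss", re.compile(r"<\s*/?\s*(?:script|img|svg|iframe)\b", re.I)),
    ("XSS-HANDLER", "xss", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("XSS-URI", "xss", re.compile(r"javascript\s*:", re.I)),
]

# Constructed request lines: one benign search, then classic SQLi and XSS test vectors,
# including a double-URL-encoded one.
SAMPLE_REQUESTS = [
    "GET /search?q=laptop+case",
    "GET /login?user=admin'%20OR%20'1'%3D'1&pass=x",
    "GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "GET /comment?text=%253Cscript%253E",
    "GET /profile?id=7%20UNION%20SELECT%20username%2Cpassword%20FROM%20users",
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """Repeatedly URL-decode until the value stops changing, so a double-encoded
    payload is inspected in the form the back end would eventually see."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(request_line: str) -> list[tuple[str, str, str]]:
    """Return (parameter, category, signature id) for every signature that matches
    a query-string parameter of a 'METHOD /path?query' request line."""
    _method, target = request_line.split()[:2]
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:  # parse_qs already decoded once; normalize handles any extra layers
            value = normalize(raw)
            for sig_id, category, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.append((name, category, sig_id))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line:75} -> {inspect_request(line) or 'clean'}")
```

The same matcher run over a web server's access log gives a quick way to confirm that the requests FortiWeb reports as blocked never reached the application.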

How to use FortiTester MITRE ATT&CK



Background

 

FortiAgent is a Windows service that facilitates communication between FortiTester and the RATs. The FortiAgent program should be installed on every target host taking part in the adversary emulation operation. The Remote Access Tool (RAT) performs adversary actions on infected hosts and copies itself across the network to increase its foothold. In real-world scenarios a RAT is malware designed to allow an attacker to remotely control an infected computer: once the RAT is running on a compromised system, the attacker can send commands to it and receive data back in response. In this lab, you will download FortiAgent and the RAT onto Bob's user machine, which is part of the Acmecorp domain, run a MITRE ATT&CK case against the user machine (specifically credential dumping), and view the attack results.

Note: In this lab exercise you will be working on FortiTester from Bob's machine.

Tasks

Download FortiAgent & RAT from FortiTester

 

  1. From the Lab Activity main menu, click Bob, and click RDP to access.

  2. Open Chrome and browse to FortiTester using the browser bookmarked page.

  3. Log in using the following credentials:

    Username: admin      Password: Fortinet1!

  4. Click ATT&CK.





  5. Click Maintenance > Resources.

  6. Download the fortiagent.exe and conf.yml files for Windows by clicking the download icons under the FortiAgent and conf.yml columns.

  7. Download CraterMain.exe for Wind/8/Win8.1/Win10 by clicking on the download icon under the RAT column.

  8. Launch CraterMain.exe from the browser download tab at the bottom or the download folder.

  9. Right-click Command Prompt on the desktop and click Run as administrator.

    Note: Please open the Command Prompt only using the icon on the desktop. 

  10. Type fortiagent.exe --startup auto install.

  11. Type fortiagent.exe start.

  12. On the FortiTester session opened from Bob's machine, click ATT&CK Cases > Domains.

  13. Click Create New.

  14. Set Domain to acmecorp.

  15. Click Ok.

  16. Click Hosts.

  17. Click Create New.

  18. Set Name to Bob and Domain to acmecorp.

  19. Click Ok.

  20. Click Create New and select Host win2016-bob.

  21. Click OK.

Launch MITRE ATT&CK

 

  1. Click ATT&CK Cases > Abilities.

  2. Double-click Credential_Dumping.

  3. You will see the two abilities being used: get_computer and get_creds.

  4. Click Adversaries.

  5. Click Create New.

  6. Set Name to Credential_Dumping.

  7. Set Ability Group to Credential_Dumping.

  8. Click Save.

  9. Click ATT&CK Cases.

  10. Click Create New. 

  11. Set Adversary to Credential_Dumping.

  12. Set Hosts to Bob. 

  13. Set Start Host to win2016-bob.

  14. Set Start Method to Bootstrap RAT.

  15. Set Starting User to System.





  16. Disable the Enable Windows Defender option.

  17. Disable the Enable Windows Firewall option.

  18. Click Start.

  19. Upon a successful attack, FortiTester will show the steps Enumerating all computers in domain and Running mimikatz to dump credentials on win2016-bob.acmecorp.net.





  20. Click Enumerating all computers in domain to view results.

  21. Click Running mimikatz to dump credentials on win2016-bob.acmecorp.net to view results.
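The case above turns Windows Defender off on win2016-bob before running mimikatz, so the FortiTester result page is the only place the lab shows the credential dump. On a production endpoint the question a defender asks of this emulation is whether the host's own telemetry would have caught it. The Python block below is an added example, not code from this page or from Fortinet: it triages constructed event records shaped like Sysmon Event ID 10 (ProcessAccess) and the Windows Defender operational log, flags any non-allowlisted image that opens lsass.exe with PROCESS_VM_READ (the access mimikatz needs to read credentials from LSASS memory), and separately flags the Defender "real-time protection disabled" event that step 16 would produce. The file paths, user names, the Defender event ID and the allowlist are assumptions for illustration; the access-right bit values are the standard Win32 PROCESS_* constants.

```python
# Constructed events modelled on Sysmon Event ID 10 (ProcessAccess) and the Windows
# Defender operational log. Paths, users and the Defender event are assumptions.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "Channel": SYSMON, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 10, "Channel": SYSMON, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1410", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 10, "Channel": SYSMON, "SourceImage": r"C:\Users\bob\Downloads\CraterMain.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010", "User": r"ACMECORP\bob"},
    {"EventID": 10, "Channel": SYSMON, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010", "User": r"ACMECORP\bob"},
    {"EventID": 5001, "Channel": "Microsoft-Windows-Windows Defender/Operational",
     "Message": "Real-time protection is disabled."},
]

# Process access-right bits (standard Win32 PROCESS_* values), ascending order.
ACCESS_BITS = [
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
PROCESS_VM_READ = 0x0010

# Images expected to read LSASS memory on this host; a site-specific assumption that
# has to be tuned per environment (EDR agents, backup tools, etc.).
LSASS_READ_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def describe_access(mask: int) -> list[str]:
    """Name the access-right bits set in a GrantedAccess mask."""
    return [name for bit, name in ACCESS_BITS if mask & bit]


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious LSASS access and per Defender-disabled event."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            mask = int(ev.get("GrantedAccess", "0"), 16)   # accepts the "0x..." form Sysmon logs
            source = ev.get("SourceImage", "")
            if mask & PROCESS_VM_READ and source.lower() not in LSASS_READ_ALLOWLIST:
                findings.append({"rule": "lsass-read-access", "source": source,
                                 "user": ev.get("User", ""), "access": describe_access(mask)})
        elif ev.get("EventID") == 5001 and "Windows Defender" in ev.get("Channel", ""):
            findings.append({"rule": "defender-realtime-disabled", "source": "",
                             "user": "", "access": []})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], f["source"], f["user"], ",".join(f["access"]))
```

Run against the real Sysmon export from win2016-bob after the case finishes: if the LSASS read by the RAT is absent from the export, the gap is in the host's logging configuration rather than in the emulation, which is exactly the kind of finding this type of test is meant to surface.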
