First Lab Victim

I’ve spent the last couple of hours installing my next victim machine for the lab, so I thought I’d share the process; if nothing else it’ll be a useful reminder next time I delete the wrong file and need to re-do tonight’s work.
The target in this case is a Windows XP install, patched to Service Pack 2. I’m intending to use this VM for dual purposes: exploit development (both MS native and third-party apps) and malware analysis. As a result I’m going to make extensive use of VMware’s snapshotting capabilities, allowing me to keep multiple states of essentially the same machine depending on what I’m working on at any point in time.
For resource allocation the VM has a 4GB HDD and 512MB of RAM. The RAM may get expanded depending on performance if I’m working on the VM (during malware analysis) rather than just exploiting it.
There is a NIC configured (not connected at power on) to the WAN network to allow access to the web for tool downloads etc. The permanent NIC has access to a ‘malicious’ ESXi VLAN which has no outside access. Once the OS was installed it was connected to the outside world to allow it to phone home and authenticate. At this point the VM was snapshotted to provide a ‘clean’ base in case I need to start from scratch without having to re-install.
Following this I changed the desktop wallpaper, so I can tell whether I’m in the VM or on my real machine, which should hopefully help prevent ‘accidents’. Basic tools were installed at this point, before a final generic snapshot:

I’m fully expecting this list of tools to expand as I gain experience, but for now this should provide a workable environment. Just need to go and exploit something now…
Andrew Waite

Satellite Hacking

Just read an interesting article on El Reg about Adam Laurie, who has supposedly been ‘hacking’ satellite feeds. Unless I’m missing something it appears to be more a case of sniffing unencrypted communication going to and coming from satellites, but it is interesting in any case.
One of the parts of the article I liked was the comment on the UK’s privacy laws:

A resident in the UK, Laurie says he’s careful to obey the country’s privacy laws. While he is able to identify certain traffic as email, for instance, he doesn’t actually read the contents of the message. Still, he says it isn’t always easy to follow the letter of such laws because they prohibit people from receiving a message if they aren’t the intended recipient.

“It’s a bit of a quandary,” Laurie says. “You can’t tell you’re not supposed to see that data until after you see it. I can’t unsee what I’m not supposed to have seen.”
Whilst I’ll agree that some of the privacy laws are ‘strange’, the action Laurie took was deliberately looking for traffic of which he wasn’t the intended recipient, none of it; as someone pointed out: if you’re concerned you might be breaking the law, you can stop looking.
Andrew Waite

Lab environment

I’m currently in the process of getting my lab environment in place so I’ve got a safe (and secure) place to test all of my projects and thoughts. To assist I’ve been reading Michael Gregg’s “Build your own security lab”; it is a good resource and comes with some good tools (like a trial of Core Impact). However, it may not provide too much you didn’t already know if you’ve got some experience in the field.
For hardware I picked up an HP ProLiant ML110 from Ebuyer at a great rate. I’ve since upgraded the RAM to 5GB (and will max it out at 8GB as needed and as finances allow), and it has become a great virtualised server running VMware ESXi.
Going forward I intend to add in a Cisco switch (probably 2960) to segregate my lab network from my home net, whilst still mixing physical hardware with virtual.
Andrew Waite

Welcome…

Thought I better get around to christening this blog with the first post. I’m intending to use this as a place to log my projects and ‘interesting’ findings. Along the way I may even produce something useful to the wider world.
Hopefully you’ll find my wibblings useful, informative or just humorous. Let me know either way.
Andrew Waite