Archive for October, 2009

SuperMondays – Barcamp style

2009/10/26 Comments off

This month's SuperMondays was a deviation from the usual format; rather than a speaker followed by Q&A, the event was run in a similar format to Barcamp. This meant there were several simultaneous conversations ongoing at any one time, with attendees floating between discussions and chipping in as appropriate.

For my part the first talk I attended was on cloud computing, which regular readers will know is something I’ve spent some time looking at recently. General consensus was that cloud may be the future, but no one was willing to place their critical data in the cloud just yet.

Second up was a discussion on encryption. This discussion started slowly: whilst there were several people present, most had some interest in encryption and had wanted to learn more from those more knowledgeable. Basic outcome: encryption is something you want to be doing for critical data.

Third and final discussion I got to was a comparison of open vs closed source development. In all honesty I was expecting an argument, with plenty of MS bashing all around. The discussion was remarkably calm and impartial, with a general consensus of ‘both have their place depending on circumstances’.

Some of the other talks included web development frameworks, a demo of Google Wave and a discussion of requirements for new start-ups.

Overall I think the event worked well, with some interesting discussions, but I do think I prefer the more traditional format. At least from the talks I attended, I don't think those new to a topic would have walked away with any usable information; likewise the 'knowledgeable' attendees likely didn't hear anything to change their opinions or beliefs.

There were some interesting announcements, including that which can't be discussed (hint: if you want the inside scoop, some stuff gets announced at SuperMondays events before getting released into the public domain, shhh!).

  • SuperChristmas has now been organised in partnership with other local networking groups, December 17th for all those in need of additional festivities.
  • North East Blog Directory: as part of SuperMondays the group is compiling a list of local technical blogs.
  • SuperMondays Google Groups: the Google Groups section for SuperMondays is starting to pick up pace. If you want to keep up to date with the group, suggest a topic or generally discuss the event, sign up and join in.

That’s all for this month, as usual thanks for a good night and see you all at the next one.

Andrew Waite

Categories: SuperMondays

Dissecting the Hack

2009/10/23 Comments off

When I first heard about Jayson’s book, Dissecting the Hack: The F0rb1dd3n Network I was really looking forward to getting my hands on a copy. Without going through the backstory, getting a copy could now be difficult.

The community response to the situation has been outstanding; I don't think any other industry would pull together to completely re-write some of a book's material with original content. A new security community has been created to facilitate taking Dissecting the Hack forward, so head over to the forums and help out if you can. (And don't forget to say 'Hi' if you do.)

Props to Jayson for keeping positive and still being productive throughout.

Andrew Waite

Categories: Uncategorized

Automated Malware & ESXi frustrations

I recently read Christian Wojner's excellent paper on Mass Malware Analysis and it re-ignited my desire to build an automated environment to improve and speed up my current malware analysis capabilities. The paper details a step-by-step guide for duplicating Wojner's environment, but as I don't have any spare equipment I've been looking for alternative routes.

Fortunately the paper also explains the theory, thought process and design of the system so that the reader can modify it to suit their own requirements. To achieve this I've been trying to replace the Xubuntu and VirtualBox host with my existing ESXi environment detailed in previous posts.

With a bit of Googling the vSphere CLI became the obvious choice to replace the control component for the infected machine in the automated malware environment. vmware-cmd.pl provides the functionality both to stop/start virtual guests and to revert the guest to previous snapshots, exactly what is needed for the malware analysis environment. The commands to be utilised would be:

vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx getstate

vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx start

vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx stop

vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx revertsnapshot

This should have been enough to adapt Wojner's control scripts to use ESXi instead of VirtualBox, but it appears that for the first time I've encountered a crippled feature not available in VMware's free offering. Running the stop/start/revert commands results in the below exception:

Fault:
SOAP Fault:
———–
Fault string: fault.RestrictedVersion.summary
Fault detail: RestrictedVersionFault
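For anyone adapting the same control loop, the following is an added example (not from the original post, and not Wojner's scripts): a small POSIX shell wrapper around the four vmware-cmd.pl calls above. It runs one analysis cycle (revert to the clean snapshot, power on, wait for the sample to run, power off), parses the getstate output, and recognises the RestrictedVersion fault quoted above so the cycle stops cleanly instead of carrying on against a guest that was never reverted. The host, credentials, .vmx path and run time are placeholders supplied through environment variables.

```shell
#!/bin/sh
# Added example wrapper for vmware-cmd.pl (vSphere CLI). All connection
# details below are placeholders and must be overridden via the environment.
VMCMD="${VMCMD:-vmware-cmd.pl}"                              # vSphere CLI script
ESXI_HOST="${ESXI_HOST:-esxi.lab.invalid}"                   # placeholder host
ESXI_USER="${ESXI_USER:-root}"                               # placeholder user
ESXI_PASS="${ESXI_PASS:-changeme}"                           # placeholder password
GUEST_VMX="${GUEST_VMX:-/vmfs/volumes/datastore1/victim/victim.vmx}"  # placeholder path
RUN_SECONDS="${RUN_SECONDS:-300}"                            # how long the sample may run

# Run one vmware-cmd operation (getstate/start/stop/revertsnapshot) and
# return its combined stdout+stderr so faults can be inspected.
vmcmd() {
    "$VMCMD" --server "$ESXI_HOST" --username "$ESXI_USER" \
             --password "$ESXI_PASS" "$GUEST_VMX" "$1" 2>&1
}

# Classify vmware-cmd output: "restricted" for the free-ESXi licence fault
# shown in the post, "fault" for any other SOAP fault, "ok" otherwise.
classify_output() {
    case "$1" in
        *RestrictedVersionFault*|*fault.RestrictedVersion*) echo restricted ;;
        *"SOAP Fault"*|*"Fault string"*)                    echo fault ;;
        *)                                                  echo ok ;;
    esac
}

# Extract the power state from "getstate() = on" style output.
parse_state() {
    printf '%s\n' "$1" | sed -n 's/^getstate() = \([a-z]*\).*/\1/p'
}

# Issue one operation; on any fault, report it and return non-zero.
step() {
    out=$(vmcmd "$1")
    verdict=$(classify_output "$out")
    if [ "$verdict" != ok ]; then
        echo "vmware-cmd $1 failed ($verdict):" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# One analysis cycle: clean snapshot -> power on -> let the sample run -> power off.
# Each step is checked so a failed revert never leads to a second sample being
# run on an already-infected guest.
analysis_cycle() {
    step revertsnapshot >/dev/null || return 1
    step start          >/dev/null || return 1
    state=$(parse_state "$(step getstate)")
    if [ "$state" != on ]; then
        echo "guest did not power on (state: '$state')" >&2
        return 1
    fi
    sleep "$RUN_SECONDS"
    step stop >/dev/null || return 1
}

# Only talk to a host when explicitly asked: ./cycle.sh run
if [ "${1:-}" = run ]; then
    analysis_cycle
fi
```

On the free ESXi licence the revert/start/stop steps return the RestrictedVersion fault, so the wrapper exits after the first step with the fault text on stderr; on a licensed host the same script completes the cycle.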

So that's that; unless I happen to win the lottery (which I don't play) or someone is able and willing to provide a full ESX license to a struggling researcher (which I don't expect to happen) I'm back to looking for a replacement for Wojner's VirtualBox control process. On with the next…

Andrew Waite

Rapid7 Acquire Metasploit

2009/10/21 1 comment

I’d guess this won’t be breaking news to anyone as it was always going to generate a buzz once announced, but for anyone who has missed today’s revelations; Metasploit has been acquired by Rapid7 with HDM and Egypt joining the company.

Since the news broke the Metasploit IRC channel (#metasploit, on irc.freenode.net) has been alive with conversation and debate, some good wishes for the team’s future, and others concerned by the future of the project. One aspect that has been stated by all parties is that the Metasploit framework is to remain open source. The blog posting released by Rapid7 attempts to allay any fears or concerns that may be created by the news.

As no one can see the future it is impossible to determine whether the move will be a boon or a problem for the industry as a whole, or what lies in store for the framework, so I won't try to comment, especially as those better placed than me seemed as in the dark as the rest of us.

Congratulations to HD Moore and the team; regardless of the future, the work they have put into the project has been of great assistance to the community, and provided freely at the expense of free time. Given past history I’ll trust that the project will continue to assist the community as it has previously.

Thank you for your efforts to this point.

Andrew Waite

Categories: InfoSec

Virtual lab network

2009/10/13 1 comment

The previous post on lab machines seemed to generate a high level of interest so I thought it may be worthwhile to expand further and share my lab’s network setup.

My recent exploration of the Vyatta platform's capabilities has provided a simple method for segregating and connecting lab networks without requiring a hardware router. I currently split my network into three separate subnets.

  • 10.0.0.0/24 – Physical network for non-virtual machines
  • 192.168.1.0/24 – Primary lab subnet
  • 192.168.2.0/24 – Secondary lab subnet

InfoSanity's ESXi Lab environment

The primary lab subnet contains the majority of my victims. Helpfully, the machines configured as part of Metasploit Unleashed and most of the machines released by Heorot.net (De-ICE level 1 and Hackerdemia) both use the 192.168.1.0/24 subnet, so to fit I've configured my custom machines to match. While providing additional targets, the custom machines in the primary lab double as my malware analysis environment (with the Vyatta appliance powered off to provide isolation).

My secondary lab subnet currently only contains the single publicly available level 2 De-ICE machine. In the future I'm intending to expand the usage of the secondary lab by dual-homing one or more of the lab machines and demoing pivoting techniques that use a compromised machine to reach otherwise inaccessible targets.

With the machines and environment detailed above and in the previous post I’ve managed to develop a highly versatile lab environment for both tool/exploit development and training/practice. Not bad for a total outlay of under £200 plus some time and effort.

Andrew Waite

Categories: Lab

Virtual lab machines

Since working through and reviewing Wilhelm's 'Professional Penetration Testing' I've been trying to build up and improve my personal lab environment, still running ESXi and still running on my HP Proliant ML110. Having just about got all of my target machines in place I thought this would be a good place to list the machines in my lab, and to share the sources for others looking for a test environment themselves.

ESXi Inventory listing

Off the back of the Professional Penetration Testing book I include the machines created and maintained on Heorot.net;

  • The De-ICE LiveCDs – Example target machines, goal is to gain root access.
  • Hackerdemia – “The Hackerdemia Project is a LiveCD that provides both an instructional platform (in the form of a wiki) and an attack target to practice newly acquired skills.”
  • pWnOS – Target machine created by a member of Heorot.net forums, Bond00.

The recent release of Metasploit Unleashed has provided a new excellent source of information for anyone looking to learn the ins and outs of the Metasploit framework. The material provides a guide for setting up two targets used throughout the courseware:

  • An XP machine from NIST's FDCC project, with instructions for downgrading the security and running SQL Express
  • A Ubuntu 7.04 machine running Samba

From my own experimentation I also run:

  • Two XP machines (SP1 & SP2) – mainly used for malware analysis
  • A Debian 4.0 victim – for working with Linux exploits and shellcode
  • BackTrack 4 – as an attack platform
  • LiveCD – Used for running additional LiveCDs in the lab that aren't permanent residents, often Samurai or Helix (before it went commercial)

For most testing I will run only a handful of the above machines at any one time, just whatever is necessary for a particular scenario. However I am able to run all the above at the same time to test scanning and information gathering tools, nmap, Nessus, etc.

If you’re looking to develop information security skills and get hands on experience using the relevant tools and techniques I’d fully suggest reading through the links above. The amount and quality of freely available information is outstanding, and as my kit proves it doesn’t take great hardware to take advantage.

Andrew Waite

<Update>If you’re running a Mac take a look at phenotyne’s post for getting similar environments working under Apple hardware</Update>

Categories: Lab

Vyatta: First Impressions

2009/10/08 Comments off

I’ve known about Vyatta for a while, but whilst the premise has always seemed appealing I’ve not had a reason to dig deeper. Vyatta propose to be ‘The open source alternative to Cisco’, which appeals as a nice fit into a low-cost training and development lab so tonight I decided to take a closer look.

I started by downloading Vyatta's prebuilt VMware image, which can be downloaded here along with a Xen image and an ISO file for physical install. The VMware image is designed for workstation applications, but after a quick run through my new friend VMware Converter I had the image transferred across to my ESXi based environment and booting without issue.

Vyatta provide a wealth of information in the documentation section (which requires registration, although it did not require the usual 'activation' email so dummy values may be enough). I haven't had a chance to delve fully into the documentation and functionality but starting out has so far been simple enough: logging onto the Vyatta device at the command line requires the default user credentials of vyatta/vyatta. Once logged in you can start the configuration by entering 'configure'.

Once in configuration mode setting up interfaces is simple enough:

vyatta@vyatta# set interfaces ethernet eth0 description "WAN"

vyatta@vyatta# set interfaces ethernet eth0 address 192.168.1.254/24

vyatta@vyatta# save

vyatta@vyatta# commit

vyatta@vyatta# exit
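Extending the same commands to the three-subnet lab layout from the Virtual lab network post above, here is an added example configuration (not taken from the original post or from Vyatta's documentation). It assumes the appliance has three virtual NICs, eth0 on the physical 10.0.0.0/24 network and eth1/eth2 on the primary and secondary lab subnets, and that Vyatta's VC5-era firewall syntax applies. The interface addresses and the firewall policy (lab subnets may reply to, but not initiate connections to, the physical network) are my assumptions about a sensible default; adjust them to the lab. Note the order at the end: commit activates the changes, and save then writes the active configuration to disk, so running save before commit would store the pre-change configuration.

```text
# Added example: three-subnet lab router. Interface numbering and addresses are
# assumptions, not from the original posts.
configure
set interfaces ethernet eth0 description "Physical network"
set interfaces ethernet eth0 address 10.0.0.254/24
set interfaces ethernet eth1 description "Primary lab"
set interfaces ethernet eth1 address 192.168.1.254/24
set interfaces ethernet eth2 description "Secondary lab"
set interfaces ethernet eth2 address 192.168.2.254/24

# Containment between the lab and the physical network: traffic leaving eth0
# towards 10.0.0.0/24 is only allowed if it belongs to a session that the
# physical side opened (established/related); anything a lab victim or
# malware sample initiates towards the physical network is dropped and logged.
set firewall name LAB-TO-PHYS description "Lab subnets may not initiate to physical net"
set firewall name LAB-TO-PHYS default-action drop
set firewall name LAB-TO-PHYS enable-default-log
set firewall name LAB-TO-PHYS rule 10 action accept
set firewall name LAB-TO-PHYS rule 10 state established enable
set firewall name LAB-TO-PHYS rule 10 state related enable
set interfaces ethernet eth0 firewall out name LAB-TO-PHYS

# Activate, then persist (commit first, then save).
commit
save
exit
```

Once committed, `show interfaces` and `show firewall name LAB-TO-PHYS` from operational mode confirm the addresses and rule hit counts; the logged drops are a quick way to spot a sample in the primary lab trying to reach the physical network while the appliance is powered on.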

Configuring different parts of the system is similarly simple, and with a bit of experience the Vyatta system seems intuitive enough; from basic testing performance is more than adequate, at least for my requirements. The time I've spent getting to grips with a new system has paid off so far, and for the time being I have a nice new addition to my lab environment. I'm hoping this system can provide some separation between target/test systems and provide additional realism to my lab.

Andrew Waite

Categories: Lab, Tool-Kit, VMware