Virtual lab network

The previous post on lab machines seemed to generate a high level of interest so I thought it may be worthwhile to expand further and share my lab’s network setup.
My recent exploration of the Vyatta platform’s capabilities has provided a simple method for segregating and connecting lab networks without requiring a hardware router. I currently split my network into three separate subnets.

  • 10.0.0.0/24 – Physical network for non-virtual machines
  • 192.168.1.0/24 – Primary lab subnet
  • 192.168.2.0/24 – Secondary lab subnet

InfoSanity's ESXi Lab environment

The primary lab subnet contains the majority of my victims. Helpfully, the machines configured as part of Metasploit Unleashed and most of the machines released by Heorot.net (De-ICE level 1 and Hackerdemia) both use the 192.168.1.0/24 subnet, so I’ve configured my custom machines to match. As well as providing additional targets, the custom machines in the primary lab double as my malware analysis environment (with the Vyatta appliance powered off to provide isolation).
My secondary lab subnet currently only contains the single publicly available level 2 De-ICE machine. In the future I’m intending to expand the usage of the secondary lab by dual-homing one or more of the lab machines and demonstrating pivoting techniques, using a compromised machine to attack otherwise inaccessible targets.
With the machines and environment detailed above and in the previous post, I’ve managed to develop a highly versatile lab environment for both tool/exploit development and training/practice. Not bad for a total outlay of under £200 plus some time and effort.
Andrew Waite

Virtual lab machines

Since working through and reviewing Wilhelm’s ‘Professional Penetration Testing’ I’ve been trying to build up and improve my personal lab environment, still running ESXi and still running on my HP Proliant ML110. Having just about got all of my target machines in place, I thought this would be a good place to list the machines in my lab and to share the sources for others looking to build a test environment themselves.

ESXi Inventory listing

Off the back of the Professional Penetration Testing book, I include the machines created and maintained on Heorot.net:

  • The De-ICE LiveCDs – Example target machines; the goal is to gain root access.
  • Hackerdemia – “The Hackerdemia Project is a LiveCD that provides both an instructional platform (in the form of a wiki) and an attack target to practice newly acquired skills.”
  • pWnOS – Target machine created by a member of Heorot.net forums, Bond00.

The recent release of Metasploit Unleashed has provided a new excellent source of information for anyone looking to learn the ins and outs of the Metasploit framework. The material provides a guide for setting up two targets used throughout the courseware:

  • An XP machine from NIST’s FDCC project, with instructions for downgrading the security and running SQL Express
  • An Ubuntu 7.04 machine running Samba

From my own experimentation I also run:

  • Two XP machines (SP1 & SP2) – mainly used for malware analysis
  • A Debian 4.0 victim – for working with Linux exploits and shellcode
  • BackTrack 4 – as an attack platform
  • LiveCD – Used for running additional LiveCDs in the lab that aren’t permanent residents, often Samurai or Helix (before it went commercial)

For most testing I will run only a handful of the above machines at any one time, just whatever is necessary for a particular scenario. However, I am able to run all of the above at the same time to test scanning and information gathering tools (nmap, Nessus, etc.).
If you’re looking to develop information security skills and get hands-on experience using the relevant tools and techniques, I’d fully suggest reading through the links above. The amount and quality of freely available information is outstanding, and as my kit proves, it doesn’t take great hardware to take advantage of it.
Andrew Waite
<Update>If you’re running a Mac take a look at phenotyne’s post for getting similar environments working under Apple hardware</Update>

Vyatta: First Impressions

I’ve known about Vyatta for a while, but whilst the premise has always seemed appealing I’ve not had a reason to dig deeper. Vyatta positions itself as ‘The open source alternative to Cisco’, which appeals as a nice fit for a low-cost training and development lab, so tonight I decided to take a closer look.
I started by downloading Vyatta’s prebuilt VMware image, which can be downloaded here along with a Xen image and an ISO file for physical install. The VMware image is designed for Workstation, but after a quick run through my new friend VMware Converter I had the image transferred across to my ESXi-based environment and booting without issue.
Vyatta provide a wealth of information in the documentation section (which requires registration, although it did not require the usual ‘activation’ email, so dummy values may be enough). I haven’t had a chance to delve fully into the documentation and functionality, but starting out has so far been simple enough: logging onto the Vyatta device at the command line requires the default credentials of vyatta/vyatta. Once logged in you can start the configuration by entering ‘configure’.
Once in configuration mode setting up interfaces is simple enough:

vyatta@vyatta# set interfaces ethernet eth0 description "WAN"
vyatta@vyatta# set interfaces ethernet eth0 address 192.168.1.254/24
vyatta@vyatta# commit
vyatta@vyatta# save
vyatta@vyatta# exit

Configuring different parts of the system is similarly simple, and with a bit of experience the Vyatta system seems intuitive enough; from basic testing, performance is more than adequate, at least for my requirements. The time I’ve spent getting to grips with a new system has paid off so far, and for the time being I have a nice new addition to my lab environment. I’m hoping this system can provide some separation between target/test systems and add realism to my lab.
Andrew Waite

Machine migration with vmware converter

For anyone that has had to migrate machines to a virtual environment, VMware’s Converter will likely be nothing new. It provides a straightforward way to migrate an existing server (both physical and most common virtual environments) to VMware’s Infrastructure, Server or Workstation product suites.
Whilst this is hugely useful in a real-world environment for P2V or V2V migration strategies, it doesn’t have too much use in a lab environment, as you would typically build your environment and servers once and then test away. But I’ve recently found another use: with a few simple clicks I can now easily transfer one or more virtual servers from my ESXi lab environment to my laptop to continue working away from the office, without the need to maintain parallel victim machines within each of my virtual environments.
The transfer process does take some time; the image below shows the start of the transfer of a 20GB machine from my laptop to the ESXi server over a local 100Mbps network. However, don’t be too put off initially: the original estimated run time was nearly four hours, when in actuality it completed in a little over one. Good for fire-and-forget transfers whilst you make dinner.

VMware converter

Some people I’ve discussed the tool with have anecdotal stories of issues and failures with VMware Converter. I haven’t encountered any problems with my usage, but your mileage may vary depending on scenario. At the very least it should be simpler than my previous method utilising dd.
Andrew Waite

Review: Professional Penetration Testing (for EH-net)

I was recently asked by Don over at EH-Net if I would be interested in reviewing a new book by Thomas Wilhelm of Heorot.net: ‘Professional Penetration Testing: Creating and operating a formal hacking lab’. Naturally I jumped at the opportunity.
I don’t want to discuss the book in too much detail here, as you can read the full review at Ethical Hacker here, but the book is a great addition to my home library. Don also worked his magic to convince the publisher to release a chapter from the book free of charge: chapter four covers the initial setup and configuration of a hack lab environment, and can be downloaded from the review.
Hope the review is of use to someone out there; thanks to Thomas for writing the book in the first place and to Don for hooking me up with the review.
Andrew Waite

AV killing with powershell

A colleague recently introduced me to scripting with PowerShell. After seeing a couple of examples of its strength for handling legitimate administration tasks, my devious side came into play and I started imagining havoc in my head.
As a starting project for getting to grips with PowerShell basics I thought I’d try a proof of concept to replicate Meterpreter’s ability to disable AV and other defence mechanisms within the getcountermeasure function. I love Meterpreter, but sometimes you need to work with more primitive native tools; as PowerShell is starting to be included by default within Windows systems, it is now one of the ‘primitive’ tools. My theory was that this should give me a bit of a challenge, without jumping in at the deep end.
Well, I was wrong; I guess showing the strength of PowerShell, this proved not to be a challenge at all. The code below reads a list of unwanted processes from a text file and kills the processes. All in four lines of code (I’m told this could be shortened at the expense of readability):

# read list of AV processes to kill
$avprocs = Get-Content AVprocs.txt
# kill all unwanted processes
foreach ($procname in $avprocs)
{
    Stop-Process -Name $procname
}
# simples.....

The next time you pop a Windows box don’t despair, there’s more power available than just batch scripts 😀
Andrew Waite
P.S. Before anyone shouts about aiding skiddies, the above code could have some great legitimate uses as well; from automatically cleaning up infected systems to aiding productivity by adding doom.exe to the list of processes 😉
The possibilities are endless, both good and bad.

Real world social engineering attempt

Coincidentally with my current interest in social engineering practices, I believe I recently encountered a real world attempt aimed in my direction. Late Saturday evening I received a call claiming to be from the local police department in reference to a speeding ticket.

Something immediately seemed off as the caller asked ‘who am I speaking to?’ rather than ‘can I speak to X?’. The caller then proceeded to request a meeting at my house for an interview, asking both when we’d be available and ‘what is your address?’, despite the fact the caller had supposedly sent the ticket information in the post.

At this point the call was terminated at this end, as confidence was fairly high that the caller wasn’t genuine, and the caller received no information beyond the fact that a human was available to answer the phone. I’m also confident that I won’t see a ticket in the post this week (unless by strange coincidence).

Best guess is that this may have been recon for a potential burglary (What is your address? When will you be home?) or a potential pretext for an on-site visit (‘policeman’ turns up for interview and needs to use the ‘bathroom’). The incident has been reported to the authorities and, with the exception of being advised to lock all windows and doors when not home (obviously they don’t know I’m already overly paranoid), the incident won’t be taken any further at this time.

Hopefully nothing further will come as a result of this incident, but it has left me spooked nonetheless. Information security seems to be all fun and games until you encounter some of the theory in the real world, away from prior permission and contracts.

Andrew Waite

Social-Engineer.org

Social engineering has always been an interest of mine; whilst I’m not too good at deceiving people in person, the potential of [spear-]phishing and physical media drops is too appealing to ignore. Recently there has been a good step forward in the maturity of the field with the opening of social-engineer.org.
If you’re not willing to take my word for the quality of the site and its potential for future resources, check out the list of contributors in the ‘Team’ section. Some members of the S-E.org team also discuss the project on episode 34 of Exotic Liability.
The resources section of the site already has some high quality video tutorials showing some basic social engineering vectors, including the Social Engineer Toolkit (SET) which forms part of the S-E.org framework. SET promises to make the creation and implementation of social engineering attack vectors simpler and easier to control.
I’m expecting some useful resources to be generated and released by this project; definitely one to check back with periodically.
Andrew Waite

http://social-engineer.org/

Python Whois class

After too long away from the project I have been trying to implement some additional functionality to my submissions2stats script for parsing Nepenthes log files. Something that I’ve had in mind for a while is utilising Whois data to better analyse the source of the malware submissions.

I had assumed that this would be relatively simple, after all the ability to port any required functionality is an integral part of geek humour. This wasn’t to be the case this time, as I was unable to find anything suitable (although I didn’t discover giskismet until after I’d written my kistmet2gmapstatic scripts). To cover the functionality I have written a short Python class that queries a third-party whois service for a provided IP address and provides methods to access the returned data.

The script can be accessed here. Hopefully others will find this of some use. Example output from the script’s .out() method targeting www.bcc.co.uk:

Whois information for 212.58.253.67
Origin:    AS2818
Inetnum:   212.58.224.0 – 212.58.255.255
Netname:   UK-BBC-991005
descr:     BBC
Country:   GB

N.B. Text is tab delimited in actual usage.
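As an added illustration (my own code, not the script the post links to), here is a minimal Python whois class along the same lines: it fetches the record for an IP from a whois server over TCP/43, picks out the fields shown in the output above, and renders them tab delimited from an .out() method. The server name, class and method names, and the embedded sample reply are my assumptions, constructed so the parsing can be exercised offline.

```python
import socket

# Constructed sample of a RIPE-style whois reply for the post's example IP,
# modelled on the fields the post prints (not captured from a live query).
SAMPLE_REPLY = """\
% Information related to '212.58.224.0 - 212.58.255.255'
inetnum:        212.58.224.0 - 212.58.255.255
netname:        UK-BBC-991005
descr:          BBC
country:        GB

origin:         AS2818
"""


class IPWhois:
    """Whois lookup over TCP/43; server, class and method names are my assumptions."""

    FIELDS = ("origin", "inetnum", "netname", "descr", "country")

    def __init__(self, ip, server="whois.ripe.net", raw=None):
        self.ip = ip
        # raw lets the caller pass a captured reply so parsing runs offline
        self.raw = raw if raw is not None else self._fetch(server)
        self.data = self._parse(self.raw)

    def _fetch(self, server, timeout=10):
        with socket.create_connection((server, 43), timeout=timeout) as s:
            s.sendall((self.ip + "\r\n").encode("ascii"))
            return s.makefile("rb").read().decode("utf-8", "replace")

    def _parse(self, text):
        data = {}
        for line in text.splitlines():
            if not line.strip() or line.startswith("%"):
                continue  # skip blank lines and server comments
            key, sep, value = line.partition(":")
            key = key.strip().lower()
            if sep and key in self.FIELDS and key not in data:
                data[key] = value.strip()  # first occurrence wins
        return data

    def get(self, field):
        return self.data.get(field)

    def out(self):
        # one "Label:<tab>value" line per field, as the post describes
        lines = ["Whois information for %s" % self.ip]
        for f in self.FIELDS:
            lines.append("%s:\t%s" % (f.capitalize(), self.data.get(f, "n/a")))
        return "\n".join(lines)
```

Passing raw=SAMPLE_REPLY to the constructor exercises the parser without any network access; omitting it performs the live query.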

I’ve started adding the class’ functionality into my submissions2stats script. So far things are progressing well, and hopefully I should have an updated script available shortly.

Andrew Waite

Review: Ecommerce, subversion & git @ SuperMondays

Tuesday night provided an interesting evening, and for more than just the somewhat non-geeky location at the Side Cinema. As usual I’ve been beaten to the punch for a review of the event; the official review and videos of the presentations can be found at supermondays.org.
David Coxon provided the opening presentation, discussing his project to create an ecommerce shop for the Baltic gallery. As I’d expected of David, the talk was interesting, and given the time and budget available the outcome of the project is impressive. The full presentation can be seen here and the slides here. David can provide a better insight into the project than I can, so I’ll just say nice work.
The second aspect of the night was a (surprisingly) lively debate on source control systems. Paul Callaghan started by outlining the problems with the ‘traditional’ method of version control, naming schemes for files and folders, before introducing a better system in the form of Git, a distributed version control system. Alex Kavanagh added an alternative solution in the more commonplace Subversion/SVN.
From what I could take from the discussions, Subversion is more commonly favoured in the business world as it provides a centralised repository, allowing for better management (access control, backups, etc.), but Git provides some (arguably) better features and is ‘cooler’ (apparently).
If you work on any project that creates a significant volume of code or documentation you should definitely consider a revision control system of some description. In my case I’m looking at Git for my next project; from Paul’s demo it seems like an easy learning curve into a new working paradigm.
Finally, David Livingstone from the University of Northumbria’s School of Computing, Engineering and Information Sciences introduced the Raquel Database System. Raquel is being built as an alternative to existing database technologies; the developers are currently looking for additional testers and project members, so if you have any interest in the project contact David at the university.
The night ended, as usual, at the bar. Again as usual, this provided many interesting discussions with other group members. If you haven’t already been, or have been to a previous event but not recently, get yourself down to the next SuperMondays event.
Andrew Waite