Ethical Hacking Series: 0x02 – Building Your Own Hacking Lab

JaxHax Makerspace

Travis Phillips

Post on 12-Mar-2020

wiki.jaxhax.org/images/b/bb/0x02-Ethical-Hacking-Series-Building-Your-Own-Hacking-Lab.pdf

About Me

● Member of Jax Hax since it opened.

● Specializes in Ethical Hacking, IT Security, and penetration testing.

● Formerly a programmer.

● Enjoys electronics, Linux, embedded systems, anything hackery-ish, small physical projects from time to time to keep hands-on skills honed, puzzles, Open Source everything, and lock picking.

● Easy to find. Big dude dressed in black or grey. Seek me out anytime you are here.

Intended Audience

● This is intended as an intro class as part of a series of classes.

● This is a class that is for people who are interested in security and require proof it's working!

● This class covers the basics of building a lab so that you will have a safe environment to play in.

– DON'T BE AFRAID TO STOP ME TO ASK QUESTIONS!

– The only stupid question is the question never asked.

So Why Do I Need a Hacking Lab?

● Keeps vulnerable software off your real machine.

● A lab provides you a controlled environment for your testing.

● You'll have physical access to the machines for troubleshooting.

So Why Do I Need a Hacking Lab?

● I'm teaching you things that, if conducted on machines you don't own, are illegal! Hacking machines you do own, however, is legal!

● Not providing a lab setup is like giving a kid a BB gun without targets and cutting him loose outside; it can only end badly!

Things to Consider When Building A Hacking Lab

● Web Attacks

● Mobile Devices

● Malware Research

● Reverse Engineering

● Wireless

● Crypto

● Network Exploits

– DoS

– MitM

● Software Exploits

– Linux

– Windows

– Mac

● What sort of hacking research are you looking to do?

What Resources Do You Have On Hand?

● Any old bare metal boxes lying around?

● Is your rig beefy?

– Plenty of memory and CPU for VMs?

● Any networking equipment lying around?

– Old ISP modems are usually great!

  ● Wifi and a 4 port switch are usually built-in

  ● Usually provide DHCP, Firewall, and DNS.

● Dumb network hubs are AWESOME!!!

● A USB drive you can dedicate to the Lab

What to consider when buying equipment?

● Networking equipment can usually be mid tier SOHO gear.

– Although port mirroring/spanning can help when it comes to sniffing.

● Machines can usually be home use grade.

– Keep architecture in mind!

  ● x64 can run x86 and x64 OSs but not the other way around!

● If you want to test against ARM architectures I would suggest an ODROID or Raspberry Pi

Raspberry Pi & ODROID

Raspberry Pi

● $35

● 700 MHz CPU

● 512 MB RAM

● HDMI+RCA

● GPIO Pins

ODROID

● $65

● 1.7 GHz quad core CPU

● 2 GB RAM

● HDMI

What to consider when buying equipment?

● Get a beefy rig if you are planning on doing crypto or password cracking heavily.

● Beefy rigs also make running VMs easier.

● Hard drives are cheap so if you're planning on VMs, get large drives!

● Beefy rigs can also act as servers.

● Make your lab easy to reconfigure for various tests.

Network Considerations

● Is internet required? More importantly, should it be present?

– Depends on what you're researching!

Can be present for:

● Local machine exploits

● Remote machine exploits on LAN

● Crypto

● MITM Attacks

● Mobile Devices

Probably don't want it around when:

● Web Attacks

● Malware Research

● Reverse Engineering

● DoS Attacks

● Testing "In the wild" Hacking Tools

Network Considerations

● Build your lab so that internet can be connected and disconnected easily on an as needed basis.

● Keep your home LAN and Hacking Lab isolated from each other if possible.

● VMware and VirtualBox both have network settings that include a Host Only mode.
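
One way to check the isolation described above from inside a lab machine, as an added example that is not part of the original slides: it reads `ip -4 route show` output and flags a default route (internet reachable) or a direct route to the home LAN. The function name, the sample routing tables and the 192.168.1.0/24 home subnet are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the slides): confirm a lab machine has no route
# out of the lab. Feed it the output of `ip -4 route show`.

# Constructed sample routing tables, not captured from a real host.
SAMPLE_HOSTONLY='192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.101'
SAMPLE_BRIDGED='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Assumption: the home LAN uses this subnet; change it to match yours.
HOME_LAN='192.168.1.0/24'

# lab_isolation_check <home-lan-cidr>
# Reads a routing table on stdin, prints one FAIL line per problem route,
# and returns 0 only when neither a default route nor a home-LAN route exists.
lab_isolation_check() {
    home_lan="$1"
    findings=0
    while IFS= read -r line; do
        dest=${line%% *}            # first field is the route destination
        case "$dest" in
            default|0.0.0.0/0)
                echo "FAIL default route (internet reachable): $line"
                findings=$((findings + 1)) ;;
            "$home_lan")
                echo "FAIL direct route to home LAN: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "$findings" -eq 0 ]; then
        echo "OK no default or home-LAN route"
        return 0
    fi
    return 1
}

# Demo on the constructed samples; on a real lab VM run:
#   ip -4 route show | lab_isolation_check "$HOME_LAN"
for sample in "$SAMPLE_HOSTONLY" "$SAMPLE_BRIDGED"; do
    printf '%s\n' "$sample" | lab_isolation_check "$HOME_LAN" || true
done
```

Run it after every network change (switching a VM between Host Only and bridged, plugging the lab switch into the home router) and before starting malware or "in the wild" tool testing.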

Virtual Machines

● VMs are great for hacking labs!

● Tons of vulnerable hacking VMs already pre-built and ready to download.

● Easy to manage

● Portable - Take your lab with you on your laptop if it has the horsepower!

VM vs Bare Metal

● VMs are great but bare metal has its perks too!

– DoS attacks against VMs come full circle. You're attacking yourself basically and this affects the results.

– Network isn't bridged through drivers on your box. This bridging sometimes affects MITM and network based attacks.

– Dedicated hardware relieves your machine of heavy lifting such as crypto analysis

VM vs Bare Metal

● Unlike a VM, another bare metal machine is not your box.

– Keep this in mind with Malware research

– Some malware has been seen to use exploits to escape VMs and infect the host OS.

– Some malware (a lot of malware actually) won't run if it detects the OS is in a VM.

● Anti-virus researchers used to use VMs for reverse engineering malware.

● Security researchers used VMs as honeypots.

VM vs Bare Metal

● If special hardware is needed for the attack then bare metal generally will give you fewer issues.

– E.g. Wifi packet injection, software defined radio, video cards.

● Remember the network traffic has to pass through the host OS network stack.

● Windows network stack can break things from time to time since it doesn't allow raw sockets.

OS For Attacker Machine(s)

● Kali is a great choice if you're new to hacking or just don't have time to roll your own attack machine.

– Kali is a Linux (Debian) based distro geared towards pentesting.

– Loaded with tons of tools all ready to go!

● Use Linux and roll your own toolkits on to it.

– Takes more time but you get exactly what you want.

– Configured to your specs with nothing extra

OS For Attacker Machine(s)

● One Windows machine for hacking

● Windows isn't ideal for hacking but not a bad idea to practice with.

● Also requires expensive licenses.

● Pivoting will sometimes require you to launch your attacks off of a Windows box.

● Personally, I just use one of the Windows victim boxes in my lab for this purpose.

OS For Victim Machines

● Older versions of either Linux or Windows work great.

– Turn off automatic updates to keep them vulnerable.

– Many of these are missing modern exploit prevention methods which makes learning easier at the start.

  ● These protections can be disabled on a lot of Linux systems.

● A few more modern OSes to provide real world challenges and compare changes against exploits

Victim VMs for example

● Metasploitable2

– Old Ubuntu Server loaded with vulnerable software and mis-configurations.

● Web security dojo

– Loaded with a few vulnerable web hacking labs and the tools needed to exploit them.

● De-Ice VMs

– Hacking cases set up as part of a wargame

● Check out vulnhub.com & pentesterlab.com for tons more!

Finding Vulnerable Software and Services for Victims

● Vulnerable learning VMs can come with vulnerabilities in both the OS and the installed software.

● Linux developers like to use SVN or Git, which keep every change to the software, so you can pull any revision from them.

● Some vendors leave old vulnerable versions of software available for download

– Example: Windows tftpd32 from tftpd32.jounin.net

  ● Older versions contain known buffer overflows.

Finding Vulnerable Software and Services for Victims

● A lot of vendors don't do this though...

● So for them you can check out oldversion.com

● Lots of old vulnerable software available here:

– Browsers

– Flash

– Java

– Media Players

Configuration of the Victim Machines

● Try to make it either a learning lab or a real world case study lab.

● Make them have different levels of security

● Weak to strong passwords

● User habits ranging from bad practices (storing passwords in text files) to paranoid encrypted files.

Configuration of the Victim Machines

● Should be configured so some machines are just defaults.

– No anti-virus.

– Host Firewall on by default.

– Think like an end user, do as little as possible to make changes.

Configuration of the Victim Machines

● Others should have relaxed "Corporate LAN settings"

– Host based firewalls off

– Remote admin (RDP, SMB/NETBIOS, VNC, SSH) might be enabled.

– Anti-virus solution likely present on workstations, possibly on servers.

Configuration of the Victim Machines

● Others might be servers with any of the following:

– Paranoid admins (lock it down with defense in depth)

– Lazy admins or devs (open up things for debugging purposes)

– New admins (take all the defaults.)

Managing Machines in the Lab

● Once configured the way you want, you will want to make a backup for reference and restore if needed.

● For VMs you can use snapshots

– Also not a bad idea to just keep a copy of the image files backed up so you can just restore it.

● For bare metal you can use disk cloning

– Clonezilla can make a backup image of the drive.

Managing Machines in the Lab

● For Raspberry Pi and ODROID:

– Uses SD cards

– You can use the Linux tool 'dd' to make a raw dump of the SD card to an image file.

– You can also just restore it using 'dd' as well.
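
The dd backup and restore described above, as an added example that is not part of the original slides. It adds two safeguards the slide does not mention: a SHA-256 hash stored beside the image, and a refusal to write over a mounted target. The function names and file names are assumptions, and /dev/sdX is a placeholder for the card's device node.

```sh
#!/bin/sh
# Added example (not from the slides): dd backup and restore of an SD card
# with a checksum so a bad image or a bad write is caught.
# Device names such as /dev/sdX are placeholders; confirm yours with lsblk.

# sd_backup <source device or file> <image file>
sd_backup() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4M conv=fsync 2>/dev/null || return 1
    # Record the hash beside the image so later corruption is detectable.
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
}

# sd_restore <image file> <target device or file>
sd_restore() {
    img="$1"; dst="$2"
    want=$(cat "$img.sha256") || return 2
    have=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$want" != "$have" ]; then
        echo "refusing restore: $img does not match its recorded hash" >&2
        return 2
    fi
    # dd onto a mounted filesystem corrupts it; a prefix match also catches
    # mounted partitions of the target (e.g. /dev/sdX1 when dst is /dev/sdX).
    if awk -v d="$dst" 'index($1, d) == 1 { hit = 1 } END { exit !hit }' \
        /proc/mounts 2>/dev/null; then
        echo "refusing restore: $dst is mounted, unmount it first" >&2
        return 3
    fi
    dd if="$img" of="$dst" bs=4M conv=fsync 2>/dev/null || return 1
    # Read back only the image's byte count: a card may be larger than it.
    cmp -n "$(wc -c < "$img")" "$img" "$dst"
}

# Demo with a constructed file standing in for the card: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    seq 1 50000 > "$work/card.bin"          # constructed stand-in data
    sd_backup "$work/card.bin" "$work/card.img" &&
        sd_restore "$work/card.img" "$work/restored.bin" &&
        echo "backup and restore verified"
    rm -rf "$work"
fi
```

Against a real card, run the functions as root with the device node as the first argument to sd_backup and the second to sd_restore.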

Example Labs (Memory Corruption Bug Lab)

Example Labs (Malware Lab)

Example Labs (Reversing Lab VM)

Example Labs (Reversing Lab)

Example Labs (Mobile Lab)

Example Labs (Mobile Physical Lab)

Example Labs (Web Hacking Lab)

Example Labs (Pivoting Lab)

Example Labs (Wifi Labs)

Notice Anything With Those Examples?

● Two common themes we saw were:

– A standalone machine running VMs

– An air gap network.

● These two are very well rounded lab configurations.

● I'd recommend a VM lab first and then the air gap second unless you are doing malware research.

Hacking Outside the Lab Legally

● There are hacking sites and challenges that you can play on legally outside your lab.

● The two major ones you will see are wargame sites and CTFs

Wargames

● Wargames are sites hackers set up to allow hackers to hone their skills. Here are a few:

– https://www.hackthissite.org/

– http://www.bright-shadows.net/

– http://www.wechall.net/

– http://www.thisislegal.com/

– http://overthewire.org/

– http://www.net-force.nl/

CTFs (Capture The Flag)

● Capture The Flag games are contests where hackers work alone or in teams. The goal is to capture flags in the challenges and gain the most points.

● There are usually 3 types of CTFs

– Jeopardy

– Network Based

– Red vs Blue Team

CTFs (Capture The Flag)

● Jeopardy – A board of challenges, usually file based hacking (Forensics, Memory Corruption, Reverse Engineering). Beating these challenges will give you a flag to redeem for points.

● Network based – These give the players a network, and the players try to hack boxes on it that will give them a flag to redeem; or there will be a control file on the server that you put your name in, and a scorebot will credit points to that team every 10 minutes or so. You have to fight to protect it.

CTFs (Capture The Flag)

● Red vs Blue Team – This is a game where players are broken up into two teams. The blue team is required to defend the network while providing services that are required. The blue team gets a head start before the red team is allowed to attack the network.

CTFs

● Events that come

– Most security conferences will host one.

– CSAW

– Raytheon SI hosts the “Ghost in the Shellcode” CTF.

● Can't Wait to Start?

– http://repo.shell-storm.org/CTF/

  ● This guy has a major archive of the challenges from several CTFs

Recap

● A hacking lab makes life easier and is simple to set up. No excuse for failure to set one up.

● Safe place to conduct your experiments.

● If you're in IT, you probably have most of this equipment.

● Make your lab flexible!

Questions?

Next Month – FREE IT Sec Conference!

● November 15th is the 1st ever B-Sides Jax Information Security Conference!

● Free and open to public, but please RSVP!

● http://bsidesjax.org/

Next Presentations

● Introduction to Base Numbering Systems and ASCII.

● Common Networking Protocols, Sniffing, and The Joys of RFCs

● Using OSINT (Open Source Intelligence) For Footprinting and Passive Recon

● Scanning For Host and Services

Thanks For Coming Out!