Preface: So I’m not fazed by much, and I feel ridiculous about being so dumbfounded by such a simple command, but I never knew how powerful the cat command in Linux actually is. (1982 technology… today!)
Here was my situation. I have to do a threat report based on outbound recursive DNS queries. I received their logs and was a bit daunted. 4.5 gb of raw logs and I don’t know how to code… shit.
This process includes the use of one script that is publicly available (https://github.com/opendns/domainstats) and one that is not, but you don’t need the one that is not (I just used it bc I’m impatient). I’m also well aware that this can all be automated by writing a program, but I don’t know how to do that so this is what I got.
Step 1: Figure out what the data looks like:
$ head query.log
Head is just a simple command to take at the first few lines of a file (IPs and domains have been fudged):
16-Mar-2015 11:30:34.710 client 4.3.2.1#59908: query: www.sample.com IN A -ED (1.2.3.4)
16-Mar-2015 11:30:34.721 client 3.2.1.4#62308: query: cdns.sample.com IN A -ED (1.2.3.4)
16-Mar-2015 11:30:34.721 client 2.3.4.1#39275: query: cdns.sample.com IN AAAA -ED (1.2.3.4)
16-Mar-2015 11:30:34.727 client 4.3.1.3#14105: query: smetrics.sample.com IN A -EDC (1.2.3.4)
16-Mar-2015 11:30:34.766 client 3.2.3.1#63125: query: glbden.sample.com IN AAAA -ED (1.2.3.4)
16-Mar-2015 11:30:34.768 client 4.3.2.1#6417: query: www.sample.com IN AAAA -EDC (1.2.3.4)
16-Mar-2015 11:30:34.771 client 2.3.4.2#6387: query: cdn.sample.com IN A -EDC (1.2.3.4)
16-Mar-2015 11:30:34.815 client 3.2.1.4#43451: query: sample.com IN A -E (1.2.3.4)
16-Mar-2015 11:30:34.815 client 3.2.4.2#51469: query: phxns02.sample.com IN A -EDC (1.2.3.4)
16-Mar-2015 11:30:34.820 client 4.2.4.2#52870: query: www.sample.com IN A -EDC (1.2.3.4)
So obviously this is way more info than I need, and if I were to try to throw this at our API it would barf, so it’s time to clean things up.
Step 2: To start sorting the data, I needed to figure out what part of the data I needed:
$ cat query.log | cut -d " " -f 1
(My very patient developer buddy explained to me what this actually means, so I shall do the same. I got as much as I could out of him before he asked me the question every non-coder bothering a real coder dreads: “have you ever used man pages before?”)
cat query.log – defines query.log as our sample set
| cut -d " " -f 1 – cut using a space as a delimiter, then -f 1 identifies field #1. Example: if i look at the sentence “I can’t code” f 1 is ‘I’, f 2 is ‘can’t’, and f 3 is ‘code’)
After examining my log fields, I found that f 6 gave me the piece of data in the log that I needed (the domain).
Step 3: I wrote a bash script (with help) to pull the part I needed out of the raw logs. There were 25 raw log files in each of the 4 log archives I received, so this took some doing:
$ for i in *; do cat $i|cut -d ' ' -f 6 >>$i.new ; done
I used this by running it in the folder where all the logs were. Here’s a breakdown of what this does (more so I don’t forget)
for i in *; – defines a variable i for everything in the folder (all the logs)
do cat $i – defines the sample set as the variable i
| cut -d ' ' -f 6 – same as step 2. Cuts out the domain from the logs
>>$i.new ; done – stores the domains only in <name of log file>.new
Step 4: move the new files into a new directory
$ mkdir justdns
$ mv *.new justdns
Step 5: I combined the separate log files into one:
$ cat *>query_total
Step 6: I removed dupes
$ cat query_total | sort -u>query_total_sorted.txt
Step 7: Moar Normalz
So I got to the end of step 6 and I there were still a ton of reverse lookups (*in-addr.arpa) in the logs that weren’t helping my cause at all. There were also some issues with upper/lower case, so I did some additional filtering:
$ cat query_total | grep -v "addr.arpa">>query_tsr.txt
$ cat query_total | tr '[:upper:]' '[:lower:]'>query_tsrc.txt
Step 8: Figure out what’s bad
I have two scripts: one that uses python and goes very fast but can’t query the API endpoint I want, and one written in Go that goes very slow that can. The python one, called miner.py takes a list of domains and runs a set of parameters that query the OpenDNS Investigate API. The 1st endpoint I’m using is one that simply gives me a +1, 0, or -1 (Good, Uncategorized, or Bad). Unfortunately, my ultimate goal is to find out the category as well (malware, botnet, etc) so this doesn’t completely solve my problem. But because the Go script is slow, and I don’t need to categorize stuff that isn’t actually malicious, it makes sense to run the miner script first and narrow things down:
$ ./miner.py --domains query_tsrc.txt --profile profiles/score.json --output query_tsrc_scored.json
Step 9: Pull the domains with a -1 score out of the json output.
$ grep "sgraph:infected\": -1," query_tsrc_s.json -B1 | grep "label" | cut -d "\"" -f4>>infected_queries.txt
Step 10: Run the Go script on the smaller list of domains:
$ ./domainstats -out cat_infected_queries.txt infected_queries.txt
now I have a list of domains that are categorized via the Investigate API. From here, I can go do some additional analysis on the high-risk, persistent stuff.
Time to revive the blog! This first project has nothing at all to do with security, but I guess it is a bit of a hack =].
The purpose of this project was to originally fix the jet engine I created when I upgraded the hard drive in my late 2009 mac mini. The late 2009 model in particular has a hard drive thermal sensor that is completely dependent on the internal sensor of the drive that comes with the computer, and if you replace the drive the fan starts spinning at 6000 RPM nonstop.
I have also confirmed this fix works with macbook pros and airs of the same era, I can’t imagine it wouldn’t work with any mac tho.
Difficulty: Moderate
Technologies used: Automator, Terminal (including text editor)
Articles exist elsewhere that tell you how to do this in pieces so I can’t take credit for most of it, but here’s a compilation.
Step 1:
Install smcfancontrol: http://www.eidac.de/
Step 2:
Open up automator, create a new application.
On the left, select “Utilities” and double click “Run Shell Script”
Paste this line of code in the box:
/Applications/smcFanControl.app/Contents/Resources/smc –k F0MX –w Zee0
After the ‘–w’ is the hex code for 3000. For whatever reason, for this to work you take the RPM you want, multiply it by 4, and go here to convert it :
http://www.binaryhexconverter.com/hex-to-decimal-converter
So for example, to get 3000 RPM, I put 12000 in the decimal value and that gave me “Zee0”. In my testing I found anything 4000 RPM or below is tolerable, but I just use my mini as a mediaserver and 3000 RPM is plenty for me.
Lastly, save it as something, ideally in your applications folder (i called mine fan_control).
Step 3:
Create a script to fire up your automator program (i use nano for this from terminal):
#! /bin/bash
open “/Applications/fan_control.app”
save it as “~/.wakeup” (this is the default location that sleepwatcher looks for sleep/wakeup scripts, you can also modify sleepwatcher to default to a different location if you want)
Make it executable:
Chmod 700 ~/.wakeup
Download sleepwatcher (you have some options here, I recommend brew. If you don’t already have it, from a terminal run:)
sudo ruby -e "$(curl –fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Then install sleepwatcher from terminal:
sudo brew install sleepwatcher
You can also just browse to the site and download the tarball:
http://www.bernhard-baehr.de/
Step 4:
Test out sleepwatcher, make sure it will do what you want. Run this:
/path/to/sleepwatcher –-verbose –-wakeup ~/.wakeup
Now put your machine to sleep and wake it back up. Don’t hear the deafening fan noise anymore? Your script is working! (hallelujah!)
Step 5:
Now that sleepwatcher is working, you need it to run in the background. Since I have multiple accounts on my mini and I want it to run all the time, I elected to install it as a system agent (you need admin rights to do this)
From terminal:
sudo ln -sfv /usr/local/Cellar/sleepwatcher/2.2/de.bernhard-baehr.sleepwatcher-20compatibility.plist /Library/LaunchAgents/
sudo launchctl /Library/LaunchAgents/de.bernhard-baehr.sleepwatcher-20compatibility.plist
That’s it! Welcome back to peace and quiet.
Over the past few months I have been extremely preoccupied with life… you know how that goes. When life happens typically the old MKII’s are the first ones to start gathering dust. But recently there has been such an influx of new hotness I felt compelled. This one is brought to you at 132 bpm, a mix of good stuff inspired by my recent Boston trip and as always, by LA. Composed in a near body bag of flu, this mix has everything from Electro to Progressive to Dubstep to Psy-Trance? But seriously, it’s quite palatable. Enjoy
Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.
Track Listing:
1. Nero x Zedd x Michael Canitrot x MAKJ vs. Sandro Silva x Quintino x LA Riots x J.O.B x Anjulie – Shotgun Warrior on the Floor (aylen mashups)
2. Jewelz & Scott Sparks – Flashbang (Original Mix)
3. Dank – Blow Me (FTampa Remix)
4. Alex Sin & MountBlood Feat. Anna Yvette – Bad For Me
5. HeavyWeight – Neverland Anthem 2012
6. Deadmau5 – There Might Be Coffee
7. Luke Aguero & Runaway New York – Feed The Children
8. Amtrac – Those Days
9. Stefano Noferini – Let The Bass (Original Mix)
10. MVTH – F*ck
11. 0SM ft. Alex G – Faultline
12. Martin Solveig, Madeon, Hard Rock Sofa, Marco V – Analogital Night Out (Aylen Mashup)
13. Holidayrain ft. Laura Brehm – Far Away
14. VM – Deep Vibrations (Astrix Remix)
15. Alex Kenji f. Federico Scavo – Get Funky (Original Mix)
16. Tiesto & Wolfgang Gartner feat. Luciana – We Own The Night (Original Mix)
17. Tiësto & Allure – Pair of Dice (Original Mix)
18. Showtek & Justin Prime – Cannonball (Original Mix)
19. Tuck Chesta – Squares
20. Beat 4 Minute – FLY
21. Botnek – Think I Feel It (Savage Skulls Remix)
22. PIXL – Pudding
23. MaDeN – Solitude
24. SirensCeol Feat. Krystal Love – The Way We Love
25. The Madison – Loving You
26. The Killers – Miss Atomic Bomb (Maor Levi Remix)
Apologies my friends, it’s been awhile. I’ve been busy working on this London project, doesn’t leave a whole lot of time to write.
Anyways, the majority of my strictly security projects can be found at community.rapid7.com, things like the test enviornment write-ups, vulnerable device listings etc. so if that’s what you’re after, there’s more than enough info up there.
Recently I’ve been working on something a little bit outside the security realm… but not too far. As many of us do, I have a fairly extensive media collection that I’ve collected over the years. Everything from mp3’s, avi’s, pictures, whatever. I also have more than one medium on which I would like to enjoy said media: different laptops, TVs, peripherals, gaming systems, stereos and such. I’ve tried, failed, and tried again to connect all my devices together, and after hundreds of dollars spent and bashing my head against the wall for nearly a year I’ve got something stable, secure, and fast. Today’s post is how I did it.
Setting up a portable, heterogeneous, stable, secure streaming network
The challenge:
I’m in a (potentially) temporary space with macbooks, laptops, USB external drives, a PS3, and a 3g mobile wifi modem for internet access. I need to figure out a way to connect all these devices for fast, stable streaming around the house with 2 separate TV’s while still having something that I can just pick up and move if need be. I also need to get the 3g mobile wifi dongle to divy out internet to my 10+ networked devices while it only has the capacity to handle 5 total connections at any given time. I also have a girlfriend who, though extremely intelligent, is not a geek like myself and needs to be able to enjoy using this.
The Equipment (purchased and existing):
– Regular W7 laptop w 1.5 tb USB attached (dual 2ghz, 4 gb RAM)
– Netgear WNR3400 dual-band wireless router
– 2 500 Mbps Powerline Adapters
– Ancient VAIO netbook (centrino 933 mhz, 512 mb RAM)
– Macbook Pro (dual 2ghz, 4 GB RAM)
– Playstation 3
– 2 TV’s in separate rooms (HD in the living room, CRT in the bedroom, I’ll explain why later)
– 2 IPhone 4’s
– Various portable speakers w/Iphone/Ipod connections
– Three (the company name is actually 3, not 3 devices) Huaiwei E585 mobile wifi HSPA modem
(keep in mind I didn’t start with this specific hardware, nor was it all by choice)
1. Set up the (internal) network:
This part was easy. I set up standard AES256 on both networks (dual band router) and set different subnets; one for me, one for guests. I always call my networks something violent and foreboding, so I called the main one honey badger. Nobody fucks with a honey badger =].
2. Set up my first 2 devices:
After a little research, I learned that a PS3 uses the DLNA protocol for sharing and communication (info here)
Based on this, I had a goal for my first connection to be set up like so:
((Laptop w/USB attached storage)) <–wireless–> ((Router)) <–wireless–> ((PS3))
Next up was figuring out how to serve up the information from the laptop/w/attached USB storage over the protocol the Playstation communicates on. After a bit more research, I came across this PS3 Media Server>, which is an open-source, Java UPnP DNLA server that can transcode video on the fly. Siiick.
I downloaded and installed it on the W7 laptop and started it up without any configuration. I then turned on the Playstation and… gadzooks! It saw the server! This worked fine for streaming music, but I noticed when the video resolution got anything higher than standard 480p, the video would start to chop. If I was trying to do anything else in addition to streaming on the network, the video would become instantly unwatchable.
I did a little research, and remembered that wireless traffic is spread-spectrum and has a tendency to hop frequencies, most likely causing my problem, especially if both devices were sending and receiving wireless traffic simultaneously. Easy fix: wire one of the devices. Since my router and laptop were in the same room, I wired those together. HUGE difference…. but still not perfect. Every once in awhile it would still just drop altogether.
Time for more research. Turns out HD streaming can require up to 30 Mbps, and though my wireless connection can hit those speeds for a time, it can also be as low as 7.8 Mbps at times, and sometimes even drop completely. So my amazing 54 mbps honey badger was essentially worthless for streaming, weak.
So what are my options? I can wire it all the way through… but that would involve a mile of Cat-5 and mounting over doors and across hardwood, nope. Wireless repeater? Expensive and fucking complicated! Plus there’s still a chance I run into those same issues.
After even MORE research, I decided on powerline adapters. Before this project I didn’t even know these things existed, but they’re awesome. Essentially I can run the data through my powerlines by plugging them into the wall, plus you can set up security on them. They weren’t exactly cheap either, but they’re small, stable, secure and no over-air glitches. Super swik.
So far, my setup is looking something like this:
Not that complicated for the amount of work and money it’s taken so far if I’m honest. The rest of the devices in my network don’t really NEED to stream mass amounts of HD video, so just being connected to honey badger would suffice.
Step 3: The internet
This part took me the longest to figure out. Even with the network working so well, streaming internally, I still had to connect to a separate AP for internet. There are tons of articles and DIY’s on how to share a wired connections, wireless connections, and even using USB dongles, but NOTHING about using this mifi. I tried everything to bridge it wireless to wired, but apparently the modem lacks the routing capability to get the data from one connection to another.
Yesterday I thought… what if I just plug the mifi into the USB port? Low and behold, a little pop-up asks me if I want to install the drivers, so I do. And… hot damn, I can bridge the connections. The only downside to that is it only really works in Windows (I’m sure it works in Linux as well but I just couldn’t be bothered at this point. If you figure it out, please post) which means I’m going to have to find ANOTHER Windows laptop, or cripple one of my macbooks (not happening).
So I decided to install XP PE on the crappy old VAIO netbook I wasn’t really using. I plugged the mifi into the one USB port it had, installed the drivers, downloaded and installed the NIC driver and bridged the connections. I then took a length of cat5 and plugged one end into the VAIO, the other into the WAN port on my router, and threw it in the closet. I then took out my Iphone, connected it to honey badger and boom… online. Uber swik.
So at long last, I now had my internal network streaming media and the mifi distributing internet to all of the devices on honey badger. The basics of the final product looks something like this:
I then have other devices with network shares on honey badger as well, sharing music and pictures, all accessible to everything. The CRT TV I referred to earlier is actually a Bang and Olufsen Beocenter One, and rather than let it just sit there I thought I might use it (it’s actually pretty cool if you ask me). To do this I just got a VGA – RCA adaptor and 3.5 mini to RCA jack for the W7 laptop and connected it to the old girl, and for CRT the picture ain’t half-bad.
I also use VLC Media Player for literally everything. And because it’s open source, there have been some great projects centered around it, my favourite being the Remote Control app for Iphone. It’s basically a touch screen management console for your VLC Media Player that works over wifi. There are a bunch, and they are all fairly similar, but I like VLC Amigo because of the playlist management capabilities.
The best part about this whole setup is the core of it I can just pick up and move at any point and set up anywhere else in the world. Next up: timers for everything.
Thanks for reading. Hopefully the next post won’t be a year later.
-m@
This one is actually semi-decent, though slightly sloppy as it was done start to finish in one take after a looong night in LA =] Nonetheless, I present you something that won’t make your ears bleed.
Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.
Track Listing:
1. Ross Ross Ross – Sebastian’s Edit Recreation
2. Jack Beats – Get Down
3. Congarock – Babylon )Uppermost Rework)
4. Altern 8 – Frequency
5. Nadastron – Pussy (Krafty Kuts Re-Rub)
6. Michael Jackson – Rock With You (Freemasons Remix)
7. Youth Speed Trouble – Cigarettes (Reset Trouble Remix)
8. Matt Gill – Nantengo
9. Streamrocker & Christopher S – Feel the Energy (Shoam & Gavriel Remix)
10. Swedish House Mafia – Silvia to Ibiza
11. Afrojack – Take Over Replica (Ale Mara & Juan P Bootleg)
12. Eiffel 65 – Blue (Jerry Rekonius Remix)
13. Pendulum – The Island Part 1
12. Swedish House Mafia – Leave the World Behind
13. Basement Jaxx – Where’s Your Head At (Klass Remix)
14. Learn to Recycle – 4 on the Floor
15. T-Rex – 20th Century Boy (Steve Andrews 2011 Rework)
16. The Others – Absolutely Flawless
17. Pance Party – Mumble
18. Chris Lake f. Laura V – Changes
19. Silvio Carrano & Sayan – Nafoura (Garden Dub)
20. Chemical Brothers – Swoon
21. Yves Larock & Tony Sylla f. Akil 0 Without Love (Hy2rogen & Fr3cky Remix)
22. Fremasons – Pacific
23. Max Graham – Dusky 2010 (Does She Know Yet)
24. DJ Tiesto – Carpe Noctum
25. Radiohead – Everything in it’s Right Place (Gigamesh Remix)
NCCDC was an awesome experience for all involved (even the blue teams). For those that don’t know, NCCDC is the National Collegiate Cyber Defense Competition. The competition is in its 6th year and has never been better. Everything ran incredibly smooth; the management team and setup folks were amazing. All in all, a very successful event, congratulations to the University of Washington on their big win. More detailed account to come.
One of the biggest challenges I run into doing evaluations with Metasploit Pro (or any Metasploit for that matter) is getting an exploit to run successfully. Though Pro is the most efficient way to run a penetration test, there are always still obstacles to getting a successful session.
One way to increase the odds of getting a session is to know the device you’re testing against is vulnerable, and the best way to make sure a device is vulnerable is to make it vulnerable, so here’s a quick and easy way HD taught me to do just that.
The challenge with vulnerability exploitation is there are only so many variables you can control. In order for a successful session to spawn all of these variables must be in the correct state. For example, different parameters will have to be modified on Metasploit if a host firewall or endpoint protection is enabled on the target. When I first set up the test environment I went for the gusto with a bunch of devices with tough vulns to exploit without any success. After hours of frustration I gave myself a reality check and eliminated as many variables as I could. Once I was able to get a successful session open I started introducing other variables into the equation. There were 2 reasons why this was a good idea: One, it boosted my confidence and two, it was as valid sanity check. Without eliminating the variables and actually executing a session, there wasn’t any proof that my network was set up for it.
The easiest way to make an XP machine vulnerable (with a reliable exploit) if you don’t have one available with SP2 is to enable the print spooler vulnerability (details here http://support.microsoft.com/kb/2347290). This exploit for this vulnerability is extremely reliable, so if you’re able to connect to the machine correctly and your variables are in check, you should be able to get a session.
Here’s the actual exploit: http://www.metasploit.com/modules/exploit/windows/smb/ms10_061_spoolss (keep in mind, this isn’t meant to be done on production devices)
Step 1: Open up the XP machine or VM and open up the “Printers and Faxes” menu.
Step 2: Add a local printer. Click next, choose “Local Printer Attached to this Computer”. Click Next.
Step 3: For “Use The Following Port” select “FILE: (Print to File)”. Click Next.
Step 4: Choose a printer type (doesn’t matter what type)
Step 5: Set the printer as a default printer.
Step 6: Share the printer, choose a share name and you’re done.
To exploit this vulnerability, you can run an automated exploitation (after a scan of course) under the “Excellent” category or you can run the individual module 67988 (the OSVDB number). Keep in mind, this exploit takes approximately 2 minutes to execute properly, so if you’re getting impatient, just give it a minute =].
If all your other variables are under control, you should get a Meterpreter session opened.
This was a great first step for me to get things rolling with not only my test environment, but with my understanding of exploitation, variables, and networks. Obviously I wouldn’t want to intentionally make something vulnerable while on an engagement for a client, but for a litness test, or purely for a sanity exercise, it helps out quite a bit.
Decided to do a dubstep mix this time. I will start by saying that this mix is awful, I would equate it to listening to 70 minutes of forced disembowelment. I can’t even listen to it all the way through and I made it. Shout out to @Slavetical for the title of the mix, though I’m sure he doesn’t want his name associated with it, nor would anyone for that matter.
God help anybody who decides to listen to this.
Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.
Track Listing:
1. Torqux & Twist – Hotline (Original Mix)
2. Banna Bomber & Dexx – Gorilla Funk Master
3. Bar 9 – Motion (Original Mix)
4. DJ SS – We Came to Entertain (Mark Instinct Remix)
5. Torqux & Twist – Heavy Rain (Original Mix)
6. Phear Phace – Indecent
7. Rusko – Cockney Thug (Caspa Remix)
8. Muse – Knights of Cydonia (Nostalgia Remix)
9. Giant – Herbert (Original Mix)
10. Genetix – Squid Attack
11. Downlink – Android
12. Zeds Dead – Dark Side Dub (Original Mix)
13. Bar 9 – Extort
14. Picto – Air Raid (Flux Pavilion Remix)
15. Wartech – The Rattlesnake
16. Akira Kiteshi – Pinball
17. Reso – Smash Yer Face In
18. The Rolling Stones – Gimmie Shelter (Zeds Dead Remix)
19. TC – Where’s My Money (Caspa Remix)
20 – Datsik & Flux Pavillion – Game Over (Original Mix)
Again, I am truly sorry. My next post will be better, I promise.
Skill Level: Novice – Expert
What you need:
– A decent box * Multiple Processors/Cores * Lots of RAM (4 GB or more) * Lots of HD space
– Some sort of virtualization software (VMWare, VirtualBox, Hypervisor)
– Pre-built Virtual Machines or installer ISO’s
– A Can-Do Attitude
Optional:
– A second box with 2 NIC’s (dedicated for Metasploit and assorted other tools)
One of the biggest challenges I’ve had in my time working on this stuff is finding systems to test against. Apparently using your neighbors is “frowned upon” for some reason, and hanging out in a Starbucks and pwning everyone on the public wifi is even worse. So what do we do? Build a test environment. The concept itself isn’t that tough, and there’s definitely easy ways and difficult ways to create these. For my vision, I wanted 2 machines: one with all my VM’s on it, the other with Metasploit and NeXpose on it. This isn’t necessary by any means, but for my particular use-case this Metasploit console will be very high-traffic and I wanted to make sure Metasploit has all the resources it needs.
Target Machine Specs:
– Intel Core 2 Quad @2.66 GHz
– 8 GB Crucial DDR3 RAM
– 500 GB WD HD
– Ubuntu 10.04 LTS 64 bit
– VMWare Workstation
Metasploit Box Specs:
AMD Quad Something, 1.8 GHz
8 GB DDR2 RAM (noname)
500 GB HD
Ubuntu 9.10 64 bit
There are a few reasons I chose this setup. The Core 2 Quad is hyper-threaded (can span tasks across several cores if necessary) which is ideal for VMware Workstation. For the amount of VM’s I wanted 4 GB of RAM simply wouldn’t be enough. This setup lets me run 6-8 VM’s at once, and will scale up or down based on the hardware you choose.
– Metasploitable (Link)
– Ultimate LAMP
– Windows XP SP3
– Windows 2003 Server R2
– RedHat 6.5
– Windows7 RC2
– Windows 2000 Advanced Server SP4
First up was defining my networks. When I built my environment I did this last, but in hindsight it would have been so much easier if I did it first (my loss of 5 hours worth of work, your gain =]). I gave a pretty basic overview of how to do this in my VPN Pivot post, and what I’ll do now is break it down into 2 options.
Option 1: The entire test environment installed on one machine (easy).
For limited resources this is the best way to do it, I have it set up this way on my laptop. All I really had to do was make sure all the machines were set up on the same virtual adapter and I was golden.
First I opened up my virtual network editor (Edit -> Virtual Network Editor) Once in that menu, In Linux I clicked Add Network… In Windows I just chose one from the list (VMNet1 is a good place to start) I switched the network config to Host Only and selected my subnet (I chose 192.168.187.0 but you can pick whatever you want so long as it’s a private range) and saved it. With this set up, I could now assign this virtual network to all the machines as I built them.
Option 2: The test environment is split between 2 machines: tools and targets (tricky).
This one took me a bit to figure out but I’ll try and make it as comprehensive as possible. What made this tricky for me is I didn’t want a bunch of uber vulnerable machines just chillin in my network so I had to keep them private, like in the single machine deployment. The problem with that is if there’s 2 machines involved, there needed to be a way to get the external machine to see the hidden vulnerable machines which is easier said than done. The first thing to notice is that the box I installed Metasploit Pro on has 2 NIC’s, this is for a reason. After fiddling with it for literally days, I learned that there really isn’t any way to give access from the 2nd machine to a “host only” network. To make it easier, I will refer to the Metasploit machine as box A and the machine with the target VM’s as box B. So here’s what I did:
- Set up box A so that access out is on eth0 and access to the box with box B is on eth1 (I only did this on Linux, setup will be different on windows). To do this:
- I first set up a dhcp server on box A for eth1 ONLY. If you don’t get this correct you can muck up your other interface, but don’t worry… it’s easy.
First, I got dhcp server
root@pro_server: apt-get install dhcp3-server
Next, I fired up my favourite text editor and edited the config so that it only runs on eth1
root@pro_server: vim /etc/dhcp3/dhcpd.conf
Find this line
INTERFACES=”eth0″
Replace with the following line
INTERFACES=”eth1″
Save and exit.
Next I made a backup copy of /etc/dhcp3/dhcpd.conf file
root@pro_server: cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back
I edited the conf file: /etc/dhcp3/dhcpd.conf file using the following command
root@pro_server: vim /etc/dhcp3/dhcpd.conf file
From here, I just modified the file as I saw fit (you can check out my config here). One thing I wanted to make sure of was the subnet range on eth1 was different from that of eth0 (I chose 10.0.0.0/24). Then I modified my interfaces file:
root@pro_server: vim /etc/network/interfaces
The only thing that needs to be done here is to make the IP of Box A on eth1 static and in the 10.0.0.0/24 range (I chose 10.0.0.2). I saved that, and then ran:
root@pro_server: service dhcp3-server restart
- I Plugged a Cat5 in the eth1 port from Box A and connected it to the eth0 (should be the only one) port on Box B.
Now as a result, Box B was completely reliant on Box A for everything. You can also set up other services like Internet Connection Sharing and File Sharing if you’d like, it’s up to you how far you’d like to take it. This method is not necessary by any means, I just built mine this way because this setup was for a test-lab being used by a number of people and I wanted to make sure I would have enough resources.
When installing/building the actual VM’s you’re presented with a ton of options on ram, processor, network adaptors, etc. To figure this out, I just thought about what would be “period correct” for that operating system. That is, what would the minimum spec be to install it when it first came out? After talking to the Metasploit team and taking a look at their specs, I came up with these RAM numbers for my environment:
– Metasploitable: 256 mb (pre-built)
– Ultimate Lamp: 384 mb (pre-built)
– Windows XP SP3: 512 mb
– Windows 2003 Server R2: 512 mb
– RedHat 6.5: 256 mb
– Windows7 RC2: 768 mb
– Windows 2000 Advanced Server SP4: 256 mb
I also assigned a single core to each VM across the board (they’re not going to be doing much processing). Installing the OSes was actually pretty easy. Some of the installers were older and a bit tricky, but for the most part VMware Workstation just did it for me. I know for VirtualBox you may have to install manually, not sure about Hypervisor.
As I went along creating each VM, I also set up the network on each one individually. For Option 1 (the self-contained test environment) I simply assigned the Network setting to VMnet1 (the host-only network we created earlier).
Option 2 was totally different. Since Box A is the actual dhcp server in this scenario, I wanted to make sure all of the VM’s received IPs that would be on the same subnet as Box A. To do this, rather than assigning them each a host-only IP, I bridged the connections. This way, they are all sharing the connection as Box B and therefore can receive IPs from box A.
Now I was ready to run some tests to make sure everything worked. The first thing I did was fire up Metasploit, create a new project and fire off a Scan. Low and behold… Success!
Keep in mind folks, this is not always easy to build and it DEFINITELY took me a few tries to get it right. If you have any questions, feel free to comment or email me directly at matt (at) practicalpwnage.com.
Unfortunately I’m actually better at this stuff than what this site is dedicated to but whatever. Inspired by my recent trip in Austin…what a weekend. Enjoy!
Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.
Tracklist:
1. Camo & Krooked – Climax
2. Red Army – Drowned by Angels
3. B-Complex – Beautiful Lies
4. Netsky – I Refuse (Shock One Remix)
5. DC Breaks – Halo
6. Method One – In the Dark Hours
7. Airwalker – Big Sky
8. London Elektricity – Just One Second (Apex Remix)
9. Aaron Bond – Flux Capacitor
10. Sigma – Baltimore (instrumental)
11. Autumn – It’s Always About the Girl
12. Way Out West – The Gift (Logistics Remix)
13. KG – Love Today
14. Logistics – Together
15. Underworld – Scribble
