Building a Hacking Lab
By James Shewmaker [email protected]
Copyright 2009, James Shewmaker.
© 2009 James Shewmaker 2
Building a Hacking Lab
• Introduction
• Purpose
• Tools
• Maintenance
• Case Study: SANS NetWars
• Conclusions
Intro – What is a Hack Lab?
• Generally just a testing environment
  • Defense tools
  • Offense tools
  • Monitoring tools
• Often simulates or reproduces a real environment
  • Simulations are never perfect, so why bother?
• Hack isolation
  • Easier to focus on the interesting details (less noise)
  • Regression testing is more precise
• Tools to monitor network, systems, and processes
  • Internal tracing / logging
  • External sniffing / logging
Purpose
• Different lab infrastructure for different needs
• Testing a production environment?
• Reproducible?
• Sustainable over time?
Acquiring Resources (1)
• Host Hardware
  • pricewatch.com / pricegrabber.com
  • ebay.com if you are careful
  • My favorite is refurbished ThinkPads from geeks.com
  • Or whatever you have lying around that is reliable (mini-ITX / Shuttle PCs)
Acquiring Resources (2)
• Storage
  • Refurb host drives are flaky/noisy/slow/bigger than needed
  • If you have ESX 3+, NFS 3 works (can use a NAS, not a SAN)
  • I like 4+ GB Compact Flash
    • Some are really drives with heads and platters
    • Some laptops already have an adapter
    • “Microdrive” PCMCIA shows up as a regular controller
    • Small enough to hold the OS and a small backup; fast to re-image
Acquiring Resources (3)
• Network Hardware
  • Used routers / switches / even hubs
  • Same sources; look for CCNA study kits resold on ebay.com
  • USB LAN adapters are a big help
  • Or whatever you have lying around that’s reliable (Cisco, D-Link, etc.)
Acquiring Resources (4)
• Target Machines
  • Simulate reality as much as possible
  • If you have extra OS licenses, VMware convert/import/ghost/TrueImage/dd your real machines
  • linuxiso.org or the distribution’s archives
  • Microsoft provides various test images in VHD format that can be legally converted
  • Refurb PCs often come with OEM licenses
Applications to Exploit
• www.oldapps.com
• www.filehippo.com
• www.oldversion.com
• www.old-versions.net
• download.com et al. usually redirect to the latest version instead
• Get in the habit of archiving what you download in case it disappears
Other Resource Issues
• LAN – prefer superduper flat CAT5e
• Power – salvaged dual server cables
• Cooling – physical spacing and fans
• Keyboard/Video/Mouse – prefer USB
• Noise – ? (let me know . . . )
• Labeling – prefer a label maker device
Virtual vs. Real Hosts?
• Virtual can be tricky with licensing
  • Probably can’t import OEM licenses
  • Some OS versions do not like virtualization
• Virtual can add CPU/RAM/storage drain
• Virtual is great for running on random real hardware and for backups
• Free desktop virtualization is maturing
  • VMware Workstation 6 USB 2.0 lets you mix and match real and virtual easily
Potential Virtual Issues
• Running out of resource breathing room
• The larger a virtual network gets, the more you end up with a real infrastructure just to manage the virtual one
• Quirks (e.g., VMware has issues moving paused VMs from AMD to Intel CPUs)
• Simulators tend to be stand-alone
Operating the Lab (1)
• Be able to monitor the hosts
  • nmap + nmap2nagios + nagios
  • Place sniffers at choke points
    • trafshow or other flow tracking
    • snort is great for custom packet signatures
• Sensors can be virtualized, but create persistent storage so it survives snapshots
Operating the Lab (2)
• Syslog is your friend
  • Tweak apps to use syslog
  • Host console and service logs
  • Network device logs
• Get creative
  • Wrote a FreeBSD rootkit -> syslog
  • Have you seen twitter.com/sanshacknet?
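Once the jail hosts, the XP target, the game app and the switch all log to one syslog collector, the next question is how to triage the merged file. The following is an added example, not from the deck: two awk-based helpers over constructed sample lines (hostnames, program names and addresses are made up) that summarize activity per host/program and count failed logins per source address, so a noisy player or a misbehaving sensor stands out.

```shell
#!/bin/sh
# Added example (not from the deck): triage a merged lab syslog with awk.
# Handles BSD-style lines "Mon DD HH:MM:SS host prog[pid]: msg" and the
# "host prog: msg" form without a pid (network devices often log that way).

# Print "host program count" for every host/program pair, busiest first.
syslog_summary() {
    awk '
    {
        host = $4
        tag  = $5
        sub(/\[[0-9]+\]:$/, "", tag)      # strip a "[pid]:" suffix
        sub(/:$/, "", tag)                # strip a bare trailing colon
        count[host " " tag]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort -k3,3nr -k1,1
}

# Count failed logins per source address across all hosts.
failed_logins_by_source() {
    awk '/Failed password|authentication failure/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { src[$(i+1)]++; break }
         }
         END { for (s in src) print s, src[s] }' "$1" | sort -k2,2nr
}

# Constructed sample log: a FreeBSD jail, a switch and the game app, all
# forwarded to the lab collector. Hosts and addresses are placeholders.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  1 10:00:01 fbsd-jail1 sshd[812]: Failed password for root from 10.0.0.9 port 4023 ssh2
Jun  1 10:00:02 fbsd-jail1 sshd[813]: Failed password for admin from 10.0.0.9 port 4024 ssh2
Jun  1 10:00:03 lab-switch %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
Jun  1 10:00:04 xp-target netwarsapp: login ok user=player3
Jun  1 10:00:05 fbsd-jail1 sshd[814]: Accepted publickey for player2 from 10.0.0.7 port 4025 ssh2
Jun  1 10:00:06 fbsd-jail1 sshd[815]: Failed password for root from 10.0.0.12 port 4026 ssh2
EOF

echo "== activity per host/program =="
syslog_summary "$SAMPLE_LOG"
echo "== failed logins per source =="
failed_logins_by_source "$SAMPLE_LOG"
```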
Where to Put the Lab?
• Garages are tempting but problematic
• Office/closet/cube squatting seems to be the easiest/cheapest
• Plenum areas are tempting but a bad idea
• Space is another reason to use laptops or mini-ITX as hosts
• Complete air gap / no uplink?
  • At least use a separate subscriber line
  • At least use an egress filter / traffic shaper
Living with the Lab
• Equipment juggling
  • Shelves / racks are best
  • Cheesy cable management
    • No undoable zip ties
  • Nice to have random holes to mount random doodads (wall warts, LAN couplers, USB things)
• Salvage and scavenge to replace failing equipment from donors or upgrade leftovers
Example Lab – NetWars
• Developed on one laptop
  • 2008 T60p dual core 2.33 GHz + 3 GB
  • VMware Workstation 6.5 on Vista 32-bit
  • 200 GB + 160 GB
  • FreeBSD 7.0 (hosting 10 jails)
  • Ubuntu 7.04
  • XP Pro SP2
  • TinyCore Linux (10 MB ISO!)
Testing NetWars
• T60p FAIL! Replaced with 3 laptops
• VMplayer running each of the guests
  • Included a second USB or PCMCIA NIC
• Controlled host remotely via primary LAN
• Used vmnetcfg.exe to map virtual -> second NIC
• Used a D-Link 4-port 10/100 switching hub
Putting NetWars at NOC
• Goal is ESXi at the SANS NOC
• Workstation 6.5 snapshots not compatible with ESXi
  • Removed unnecessary virtual hardware, then clone, then convert
  • Glad I allocated the entire virtual HD for speed in the first place
More Side Effects for ESXi
• Nice management client for all VMs on the same server
  • The usual – snapshots, console, etc.
  • Resource pooling
• We converted each host – we still needed to create the virtual switches and attach them to each host
• Still needed to make the game “livable”
Making the Game Run
• VMware commands on the ESXi host to revert to snapshot every hour
• Multiple layers of firewalls, one actually possible to attack in the game itself
• TinyCore tweaked (now 30 MB) to connect to the game targets
• Players have to hack/reverse engineer/analyze behavior to get to the rest of the game
• Connect point rotates (ever play an FPS where somebody squats at the spawn point?)
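The hourly revert above is what keeps a shared target lab playable: whatever one player leaves behind is wiped before the next round. Here is an added example of such a script (not the NetWars project's own code) using the ESXi host's vim-cmd; the VM names, the snapshot id and the cron path are placeholder assumptions, and vim-cmd's listing format is assumed to be the ESXi 4-era layout with space-free VM names.

```shell
#!/bin/sh
# Added example (not from the deck): revert NetWars target VMs to a known
# snapshot from the ESXi host shell. Run hourly from the ESXi root crontab,
# e.g. (assumed path): 0 * * * * /vmfs/volumes/datastore1/revert-targets.sh --run

# Parse a `vim-cmd vmsvc/getallvms` listing ($1) and print the Vmid for the
# VM name given in $2; prints nothing when the name is not found.
find_vmid() {
    printf '%s\n' "$1" | awk -v name="$2" 'NR > 1 && $2 == name { print $1; exit }'
}

# Revert one VM ($1 = vmid) to snapshot $2 and make sure it is running again.
# The trailing 0 means "do not suppress power-on", so the snapshot's own
# power state is restored; a powered-off snapshot is started explicitly.
revert_vm() {
    vmid=$1; snapid=$2
    vim-cmd vmsvc/snapshot.revert "$vmid" "$snapid" 0 >/dev/null || return 1
    if vim-cmd vmsvc/power.getstate "$vmid" | grep -q 'Powered off'; then
        vim-cmd vmsvc/power.on "$vmid" >/dev/null || return 1
    fi
}

# Constructed listing in the shape vim-cmd vmsvc/getallvms prints; used to
# exercise the parser offline. Names and ids are placeholders.
SAMPLE_VMS='Vmid   Name              File                        Guest OS         Version   Annotation
12     netwars-target1   [datastore1] nw1/nw1.vmx    freebsd64Guest   vmx-07
15     netwars-target2   [datastore1] nw2/nw2.vmx    winXPProGuest    vmx-07
21     netwars-firewall  [datastore1] fw/fw.vmx      otherGuest       vmx-07'

# Only touch the hypervisor when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    SNAPSHOT_ID=1          # placeholder: take the id from `vim-cmd vmsvc/snapshot.get <vmid>`
    listing=$(vim-cmd vmsvc/getallvms)
    for name in netwars-target1 netwars-target2 netwars-firewall; do
        vmid=$(find_vmid "$listing" "$name")
        if [ -z "$vmid" ]; then
            logger -t netwars "no VM named $name; skipping"
            continue
        fi
        if revert_vm "$vmid" "$SNAPSHOT_ID"; then
            logger -t netwars "reverted $name (vmid $vmid)"
        else
            logger -t netwars "revert FAILED for $name (vmid $vmid)"
        fi
    done
fi
```

The logger calls feed the same syslog collector the deck recommends, so a failed revert shows up next to the game's other logs.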
Playing the Game
• Beta, play for free if you email me what worked and what didn’t
• bluenotch.com/SANS_CyberCO_CtF.iso
• Burn/boot CD/USB or create a VM guest
• Watch the game status from twitter.com/sanshacknet
• Most fun: eval IMPACT, install agent via ssh
Case Study: SANS NetWars (1)
• Information at http://sans.org/netwars
• Entirely virtualized (but real OS targets)
• Download a 30 MB ISO to start
  • Based on TinyCore 2.0 http://www.tinycorelinux.com
  • Break into the image to play the real game
• Offensive plus defensive practice
  • Also means most Denial of Service is legit gameplay
Case Study: SANS NetWars (2)
• Each round is an “event”
• Still finalizing technical targets
  • Jails to break out of
  • Random load-balanced “Thunderdome” King of the Hill
  • Classic vulnerability scans and exploits
  • Some custom apps & exploits
  • Tweets the scores
Case Study: SANS NetWars (3)
• If you want to test the lab, use http://bluenotch.com/SANS_netwars_v1.iso
• Just email me with your feedback please
• Scores are tweeted at http://twitter.com/sansnetwars
• Round 1.5 begins before DEF CON
• Register for future rounds at http://sans.org/netwars
Other Lab Thoughts
• OpenInfreno was a CtF framework; it might still exist
• Random hacker CON games can be good practice
• DEFCON CtF is too much work, but the prequals are fun
• Consider reality vs. the lab environment
Conclusions
• Sometimes salvage causes damage
• Virtualization
  • *might* save you money
  • *might* cost you money
• Never a one-size-fits-all
  • Different equipment
  • Different purpose
  • Different process