Building a Hacking Lab

By James Shewmaker, jims@bluenotch.com

Copyright 2009, James Shewmaker

Building a Hacking Lab

• Introduction
• Purpose
• Tools
• Maintenance
• Case Study: SANS NetWars
• Conclusions

Intro – What is a Hack Lab?

• Generally just a testing environment
  • Defense tools
  • Offense tools
  • Monitoring tools
• Often simulates or reproduces a real environment
  • Simulations are never perfect, so why bother?
• Hack isolation
  • Easier to focus on the interesting details (less noise)
  • Regression testing is more precise
• Tools to monitor network, systems, and processes
  • Internal tracing / logging
  • External sniffing / logging

Purpose

• Different lab infrastructure for different needs
  • Testing a production environment?
  • Reproducible?
  • Sustainable over time?

Acquiring Resources (1)

• Host Hardware
  • pricewatch.com / pricegrabber.com
  • ebay.com if you are careful
  • My favorite is refurbished ThinkPads from geeks.com
  • Or whatever you have lying around that is reliable (mini-ITX / Shuttle PCs)

Acquiring Resources (2)

• Storage
  • Refurb host drives are flaky/noisy/slow/bigger than needed
  • If you have ESX 3+, NFS 3 works (can use a NAS, not a SAN)
  • I like 4+ GB Compact Flash
    • Some are really drives with heads and platters
    • Some laptops already have an adapter
    • “Microdrive” PCMCIA shows up as a regular controller
    • Small enough to hold the OS and a small backup, and fast to re-image

Acquiring Resources (3)

• Network Hardware
  • Used routers / switches / even hubs
  • Same sources; look for CCNA study kits resold on ebay.com
  • USB LAN adapters are a big help
  • Or whatever you have lying around that’s reliable (Cisco, D-Link, etc.)

Acquiring Resources (4)

• Target Machines
  • Simulate reality as much as possible
  • If you have extra OS licenses, VMware convert/import/Ghost/True Image/dd your real machines
  • linuxiso.org or a distribution’s archives
  • Microsoft provides various test images in VHD format that can be legally converted
  • Refurb PCs often come with OEM licenses

Applications to Exploit

• www.oldapps.com
• www.filehippo.com
• www.oldversion.com
• www.old-versions.net
• download.com et al. usually redirect to the latest version instead
• Get in the habit of archiving what you download in case it disappears

Other Resource Issues

• LAN – prefer super-duper flat CAT5e
• Power – salvaged dual server cables
• Cooling – physical spacing and fans
• Keyboard/Video/Mouse – prefer USB
• Noise – ? (let me know . . . )
• Labeling – prefer a label maker device

Virtual vs. Real Hosts?

• Virtual can be tricky with licensing
  • Probably can’t import OEM licenses
  • Some OS versions do not like virtualization
• Virtual can add CPU/RAM/storage drain
• Virtual is great for running on random real hardware and for backups
• Free desktop virtualization is maturing
• VMware Workstation 6 USB 2.0 lets you mix and match real and virtual easily

Potential Virtual Issues

• Running out of resource breathing room
• The larger a virtual network gets, the more you end up with a real infrastructure just to manage the virtual one
• Quirks (e.g., VMware has issues moving paused VMs from an AMD to an Intel CPU)
• Simulators tend to be stand-alone

Operating the Lab (1)

• Be able to monitor the hosts
  • nmap + nmap2nagios + nagios
• Place sniffers at choke points
  • trafshow or other flow tracking
  • snort is great for custom packet signatures
• Sensors can be virtualized, but create persistent storage so it survives snapshots
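As an added example (not from the slides, and not the nmap2nagios tool the slide names), here is a small POSIX shell pipeline that does that tool's job in miniature: it takes nmap's greppable (-oG) host-discovery output and emits one Nagios host definition per box that answered, so every lab machine lands on the monitoring board. The lab subnet, addresses and names in SAMPLE_SCAN are constructed so that the parsing runs offline; only inventory_scan() needs a real nmap and a real lab LAN.

```shell
# Live scan of the lab segment (requires nmap; run from the management host).
# -sn is host discovery only, -oG - writes greppable output to stdout.
inventory_scan() {
    nmap -sn -oG - "$1"
}

# Constructed sample of `nmap -sn -oG -` output, so the rest runs without nmap.
SAMPLE_SCAN='# Nmap 4.76 scan initiated (constructed sample)
Host: 10.10.0.1 (fw.lab)	Status: Up
Host: 10.10.0.5 ()	Status: Up
Host: 10.10.0.20 (target1.lab)	Status: Down
Host: 10.10.0.21 (target2.lab)	Status: Up
# Nmap done -- 254 IP addresses (3 hosts up) scanned'

# Emit one Nagios host object per host reported Up, reading -oG text on stdin.
# A host without a reverse-DNS name is named after its address so the
# generated definition is still valid.
nagios_hosts_from_scan() {
    awk '/^Host:/ && /Status: Up/ {
        ip   = $2
        name = $3
        gsub(/[()]/, "", name)
        if (name == "") name = ip
        printf "define host {\n    use        generic-host\n    host_name  %s\n    address    %s\n}\n", name, ip
    }'
}

# Number of live hosts in a scan, for a sanity check before reloading Nagios
# (a sudden drop usually means a switch or a VM host died, not the targets).
count_up_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { n++ } END { print n + 0 }'
}

# Typical use on the lab LAN (constructed subnet):
#   inventory_scan 10.10.0.0/24 | nagios_hosts_from_scan > /usr/local/etc/nagios/objects/lab-hosts.cfg
```

Regenerate the object file after every hardware shuffle and reload Nagios; hosts that disappear from the scan but stay in the file will simply go critical, which is the alert you want when a refurb drive finally dies.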

Operating the Lab (2)

• Syslog is your friend
  • Tweak apps to use Syslog
  • Host console and service logs
  • Network device logs
• Get creative
  • Wrote a FreeBSD rootkit -> Syslog
  • Have you seen twitter.com/sanshacknet ?
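An added example of the "everything to syslog" idea, not code from the slides: the collector-side setup as comments, a logger(1) wrapper for applications that do not speak syslog on their own, and an awk summary that groups a lab's combined log by host and program so a crashing service or a chatty sensor stands out. The addresses, host names and log lines are constructed.

```shell
# Collector setup (FreeBSD, constructed addresses):
#   on every lab host, /etc/syslog.conf forwards everything:   *.*   @10.10.0.2
#   on the collector 10.10.0.2, /etc/rc.conf accepts UDP 514 from the lab net only:
#       syslogd_flags="-a 10.10.0.0/24:*"
#   and /etc/syslog.conf on the collector writes it all to one file:   *.*   /var/log/all.log

# Wrap a program that only writes to stdout/stderr so its output lands in
# syslog under a tag, e.g.:  log_app target-httpd ./httpd -X
log_app() {
    tag="$1"; shift
    "$@" 2>&1 | logger -t "$tag" -p local3.info
}

# Constructed sample of the collector's combined log.
SAMPLE_LOG='Jul 10 14:02:11 target1 sshd[811]: Accepted publickey for root from 10.10.0.50 port 40112 ssh2
Jul 10 14:02:13 target1 kernel: pid 902 (httpd), uid 80: exited on signal 11
Jul 10 14:02:15 target2 snort[1203]: [1:1000001:1] LAB custom signature (constructed) {UDP} 10.10.0.21:5353 -> 10.10.0.9:5353
Jul 10 14:03:01 target1 kernel: pid 910 (httpd), uid 80: exited on signal 11'

# Count events per "host program" pair, reading syslog lines on stdin.
# Field 4 is the host; field 5 is the program, optionally with "[pid]" and a colon.
events_by_host_prog() {
    awk '{
        prog = $5
        sub(/\[[0-9]+\]:?$/, "", prog)   # sshd[811]: -> sshd
        sub(/:$/, "", prog)              # kernel:    -> kernel
        count[$4 " " prog]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Example run over the constructed log:
#   printf '%s\n' "$SAMPLE_LOG" | events_by_host_prog
```

Two repeated "exited on signal 11" lines from the same host in a minute is the kind of pattern worth a Nagios check of its own; the summary above is the quick way to spot it across the whole lab before writing that check.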

Where to Put the Lab?

• Garages are tempting but problematic
• Office/closet/cube squatting seems to be the easiest/cheapest
• Plenum areas are tempting but a bad idea
• Space is another reason to use laptops or mini-ITX as hosts
• Complete air gap / no uplink?
  • At least use a separate subscriber line
  • At least use an egress filter / traffic shaper
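What the "at least use an egress filter" bullet looks like in practice, as an added example rather than anything from the slides: a /etc/pf.conf for a FreeBSD box sitting between the lab LAN and the separate uplink. Targets get no path out at all, one management host may fetch updates over DNS and HTTP/HTTPS, and every blocked packet is logged so a target that tries to phone home is visible. Interface names, the lab subnet and the admin address are constructed assumptions.

```pf
# Constructed assumptions: em0 is the uplink, em1 is the lab LAN,
# 10.10.0.2 is the only lab host allowed out, 192.0.2.10 is your desk.
ext_if  = "em0"
lab_if  = "em1"
lab_net = "10.10.0.0/24"
mgmt    = "10.10.0.2"
desk    = "192.0.2.10"

set skip on lo0

# Translation (must precede filter rules): only the management host is NATed,
# so the targets have no route to the Internet even if a rule below slips.
nat on $ext_if inet from $mgmt to any -> ($ext_if)

# Default deny in both directions, logged to pflog0.
block log all

# Lab hosts may talk to each other without restriction; that is the point of the lab.
pass quick on $lab_if inet from $lab_net to $lab_net

# Management host: out for DNS and HTTP/HTTPS only.
pass in  quick on $lab_if inet proto { tcp, udp } from $mgmt to any
pass out quick on $ext_if inet proto tcp from $mgmt to any port { 80, 443 } flags S/SA keep state
pass out quick on $ext_if inet proto udp from $mgmt to any port 53 keep state

# Remote control of the lab box itself from one admin address, ssh only.
pass in quick on $ext_if inet proto tcp from $desk to ($ext_if) port 22 flags S/SA keep state
```

With `pflog` enabled in rc.conf, `tcpdump -n -e -ttt -i pflog0` shows every drop in real time, which doubles as a cheap external sniffer at the choke point the earlier slide asks for.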

Living with the Lab

• Equipment juggling
  • Shelves / racks are best
  • Cheesy cable management
  • No undoable zip ties
  • Nice to have random holes to mount random doodads (wall warts, LAN couplers, USB things)
• Salvage and scavenge to replace failing equipment from donors or upgrade leftovers

Example Lab – NetWars

• Developed on one laptop
  • 2008 T60p dual core 2.33 + 3 GB
  • VMware Workstation 6.5 on Vista 32-bit
  • 200 GB + 160 GB
  • FreeBSD 7.0 (hosting 10 jails)
  • Ubuntu 7.04
  • XP Pro SP2
  • TinyCore Linux (10 MB ISO!)

Testing NetWars

• T60p FAIL! Replaced with 3 laptops
• VMplayer running each of the guests
  • Included a second USB or PCMCIA NIC
• Controlled the host remotely via the primary LAN
• Used vmnetcfg.exe for virtual -> second NIC
• Used a D-Link 4 port 10/100 switching hub

Putting NetWars at NOC

• Goal is ESXi at the SANS NOC
• Workstation 6.5 snapshots are not compatible with ESXi
  • Removed unnecessary virtual hardware, then clone, then convert
• Glad I allocated the entire virtual HD for speed in the first place

More Side Effects for ESXi

• Nice management client for all VMs on the same server
  • The usual: snapshots, console, etc.
  • Resource pooling
• We converted each host; we still needed to create the virtual switches and attach them to each host
• Still needed to make the game “livable”

Making the Game Run

• VMware commands on the ESXi host to revert to snapshot every hour
• Multiple layers of firewalls, one actually possible to attack in the game itself
• TinyCore tweaked (now 30 MB) to connect to the game targets
• Players have to hack/reverse engineer/analyze behavior to get to the rest of the game
• Connect point rotates (ever play an FPS where somebody squats at the spawn point?)
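The hourly revert described in the first bullet, written out as an added example (not the author's NetWars script): a cron-driven shell script for the ESXi host that looks up each game VM's id and rolls it back to its clean snapshot. It assumes the `vim-cmd vmsvc/getallvms`, `vmsvc/snapshot.get`, `vmsvc/snapshot.revert` and `vmsvc/power.on` subcommands of ESXi's vim-cmd; the argument order of snapshot.revert changed between ESXi releases, so check `vim-cmd vmsvc/snapshot.revert` with no arguments on your host before trusting the call below. VM names, the snapshot id and the script path are constructed.

```shell
# Constructed copy of `vim-cmd vmsvc/getallvms` output, so the lookup can be
# exercised on a machine that is not an ESXi host.
SAMPLE_VMS='Vmid       Name        File                                Guest OS          Version   Annotation
8          target1     [datastore1] target1/target1.vmx     freebsd64Guest    vmx-07
9          target2     [datastore1] target2/target2.vmx     winXPProGuest     vmx-07
12         sensor      [datastore1] sensor/sensor.vmx       freebsd64Guest    vmx-07'

# Print the numeric Vmid for a VM name; getallvms output is read on stdin.
# Prints nothing when the name is unknown.
vmid_for_name() {
    awk -v want="$1" 'NR > 1 && $2 == want { print $1; exit }'
}

# Game targets that get reset each hour. The sensor VM is left alone on
# purpose: its persistent log storage must survive the reverts.
GAME_VMS="target1 target2"

# Revert every game VM to snapshot id $1 (see `vim-cmd vmsvc/snapshot.get <vmid>`).
# The trailing 0 is suppressPowerOn=false on ESXi 4-era vim-cmd (assumption).
revert_game_vms() {
    snap_id="$1"
    tmp="/tmp/allvms.$$"
    vim-cmd vmsvc/getallvms > "$tmp"
    for name in $GAME_VMS; do
        vmid=$(vmid_for_name "$name" < "$tmp")
        if [ -z "$vmid" ]; then
            logger -t netwars "no vmid for $name, skipping"
            continue
        fi
        vim-cmd vmsvc/snapshot.revert "$vmid" "$snap_id" 0
        vim-cmd vmsvc/power.on "$vmid" || true   # already on if the snapshot was live
        logger -t netwars "reverted $name (vmid $vmid) to snapshot $snap_id"
    done
    rm -f "$tmp"
}

# Root crontab line on the ESXi host (constructed path; snapshot id 1):
#   0 * * * * /vmfs/volumes/datastore1/scripts/revert.sh 1
# Invoke as a script:  revert_game_vms "$1"
```

Logging each revert through logger means the syslog collector from the earlier slide records exactly when the board was wiped, which settles arguments about whether a player's foothold was lost to another player or to the clock.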

Playing the Game

• Beta, play for free if you email me what worked and what didn’t
• bluenotch.com/SANS_CyberCO_CtF.iso
• Burn/boot CD/USB or create a VM guest
• Watch the game status from twitter.com/sanshacknet
• Most fun: Eval IMPACT, install agent via ssh

Case Study: SANS NetWars (1)

• Information at http://sans.org/netwars
• Entirely virtualized (but real OS targets)
• Download a 30 MB ISO to start
  • Based on TinyCore 2.0 http://www.tinycorelinux.com
  • Break into the image to play the real game
• Offensive plus Defensive practice
  • Also means most Denial of Service is legit gameplay

Case Study: SANS NetWars (2)

• Each Round is an “event”
• Still finalizing technical targets
  • Jails to break out of
  • Random load balanced “Thunderdome” King of the Hill
  • Classic Vulnerability scans and Exploits
  • Some Custom Apps & Exploits
  • Tweets the scores

Case Study: SANS NetWars (3)

• If you want to test the lab, use http://bluenotch.com/SANS_netwars_v1.iso
• Just email me with your feedback please
• Scores are tweeted at http://twitter.com/sansnetwars
• Round 1.5 begins before DEF CON
• Register for future rounds at http://sans.org/netwars

Other Lab Thoughts

• OpenInfreno was a CtF framework, might still exist
• Random hacker con games can be good practice
• DEFCON CtF is too much work, but the prequals are fun
• Consider reality vs. the lab environment

Conclusions

• Sometimes salvage causes damage
• Virtualization
  • *might* save you money
  • *might* cost you money
• Never a one-size-fits-all
  • Different equipment
  • Different purpose
  • Different process