Pregame - The Setup
Before we can start attacking Secure Universal Cyber Kittens, Inc. (SUCK), we need to build our testing lab to test our attacks, develop our attacking machines, and understand how our exploits work. Practice and testing are invaluable when it comes to running a full-scale attack. You don’t want to be the average Joe on a test using untested exploits which inadvertently takes down a critical system, getting you identified and tossed out of the company.
Building A Lab
It might be hard to build a full lab with all the applications, operating systems, and network appliances but you need to make sure you have the core components. These include basic Linux servers and Windows systems.
Since Microsoft Windows operating systems aren’t free, you may have to purchase some software. If you are a student, you can generally get free software through your school. You can also check Microsoft DreamSpark (https://www.dreamspark.com/) to see if you qualify. I think with a default .edu email address you can get Windows 2012 and other software for free.
Building Out A Domain
Practicing on a Microsoft Active Directory (AD) environment is good; however, one of the best ways to learn is to build one yourself. Knowing how and why things work on an AD environment will help you later on in life. I have put together condensed step-by-step instructions on how to set up an AD domain controller that should get you up and running. For those who have never built a DC and client before, I highly recommend you do this first. Before you can really understand what you are attacking, you need to understand how it works.
In the example provided below, I will install a Windows Domain Environment using Windows 2012 R12, Windows 8 and Windows 7. In this book, I wanted to focus on the newer operating systems. However, if you are looking to test older exploits, you may want to consider installing Windows XP SP2. Check out my Active Directory installation guide here: http://www.thehackerplaybook.com/Windows_Domain.htm
Building Out Additional Servers
Below are the vulnerable virtual machines I recommend. Many of the labs in this book will use these two frameworks for testing. For your own practice, you should look at the other test servers mentioned at the end of this book.
Metasploitable2
This is a great vulnerable Ubuntu Linux virtual machine that intentionally contains common vulnerabilities. This is great for testing security tools, such as Metasploit, and demonstrating common attacks. It is relatively easy to set up as you just need to download the virtual machine (VM) and boot it in a Virtual Platform.
● http://sourceforge.net/projects/metasploitable/files/Metasploitable2
OWASPBWA (OWASP Broken Web Applications Project)
While Metasploitable2 focuses on services, OWASPBWA is a great collection of vulnerable web applications. This is one of the most complete vulnerable web application collections in a single VM. This VM will be used for many of the web examples throughout the book. As with Metasploitable2, just download the vulnerable VM and boot it up.
● http://sourceforge.net/projects/owaspbwa/files/
Practice
Penetration testing is like any other profession and needs to be second nature. Every test is completely different and you need to be able to adapt with the changing environment. Without adequate practice, trying multiple different tools, and exploiting systems using different payloads, you won’t be able to adapt if you ever run into a brick wall.
Building Your Penetration Testing Box
In The Hacker Playbook One book, I received some comments on why I have you build and install the tools instead of creating one script to automate it all. The main reason I have my readers manually go through these steps is because these are extremely important tools and this will help you remember what is available in your own arsenal. Kali Linux, for example, has tons of tools and is well-organized, but if you don’t know the tool is installed or you haven’t played around with the individual attacks, then it won’t really be helpful in that dire need situation.
Setting Up A Penetration Testing Box
If you set up your box from the first book, you can breeze over this section. As you know, I always like bringing two different laptops to an engagement. The first is a Windows box and the second is either an OS X or Linux host. The reason I bring two laptops is because I have been on penetration tests where, on very specific networks, the OS X host would not connect to the network. Instead of spending hours trying to figure out why, I just started all of my attacks and scanning from my Windows host and fixed the OS X issue during any free time. I cannot tell you the countless times having two laptops has saved me.
It doesn’t matter if you run Windows, OS X, or some Linux flavor on your base system, but there are a few musts. First, you need to install a Virtual Machine (VM) platform. You can use VirtualBox (https://www.virtualbox.org) or VMware Player (https://my.vmware.com/web/vmware/downloads) or any others of your choice. Both are free on Windows, and only VirtualBox on OS X is free. I would highly recommend getting the commercial versions of your VM platform as they have a wealth of extra features, such as encryption, snapshots, and much better VM management.
Since we are going to install most of our tools on our VMs, the most important step is to keep your base system clean. Try not to even browse personal sites on the base image. This way, your base system is always clean and you won’t ever bring malware onto a client site (I have seen this many times before), or have unknown vulnerable services listening. After configuring my hosts, I snapshot the virtual machine at the clean and configured state. This way, for any future tests, all I need to do is revert back to the baseline image, patch and update tools, and add any additional tools I need. Trust me, this tactic is a lifesaver. I can't count the number of past assessments where I spent way too much time setting up a tool that should have already been installed.
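The snapshot-and-revert routine described above, as an added example that is not from the book: a small POSIX shell wrapper around VirtualBox's real VBoxManage CLI that takes a baseline snapshot of a configured attack VM and restores it before the next test. The VM name and snapshot label are assumed placeholder values; DRY_RUN prints the commands instead of executing them so you can check them first.

```shell
#!/bin/sh
# Added example (not the book's own code): keep a clean, configured baseline of
# the pentest VM with VBoxManage snapshots, and revert to it before each test.
# VM_NAME and SNAP_NAME are assumed values; override them in the environment.
VM_NAME="${VM_NAME:-pentest-baseline}"
SNAP_NAME="${SNAP_NAME:-clean-configured}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the command line instead of running it

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Take the baseline snapshot once tools are installed and the VM is powered off.
take_baseline() {
    run VBoxManage snapshot "$VM_NAME" take "$SNAP_NAME" \
        --description "Clean, configured baseline"
}

# Revert to the baseline before a new engagement. A running VM cannot be
# restored, so power it off first (ignoring the error if it is already off).
restore_baseline() {
    run VBoxManage controlvm "$VM_NAME" poweroff 2>/dev/null || true
    run VBoxManage snapshot "$VM_NAME" restore "$SNAP_NAME"
}

# List the VM's snapshots so you can confirm the baseline exists.
list_snapshots() {
    run VBoxManage snapshot "$VM_NAME" list
}

case "${1:-}" in
    take)    take_baseline ;;
    restore) restore_baseline ;;
    list)    list_snapshots ;;
    *)       echo "usage: $0 {take|restore|list}" >&2 ;;
esac
```

After reverting, boot the VM, patch and update the tools, add anything new the engagement needs, and take a fresh snapshot so the next revert starts from the updated baseline.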
Hardware
Penetration Testing Laptop
For your basic penetration laptop requirements, they haven’t changed much from the previous book.
Basic recommendations:
● Laptop with at least 8GB of RAM
● 500GB hard drive (solid state is highly recommended)
● Intel Quad Core i7 Processor
Password Cracking Desktop
This is completely optional, but with the number of tests where I have compromised hashes, faster password cracking equipment was required. Although, you could purchase some crazy rig with 8GPUs that runs on a Celeron processor, I have built a multi-purpose box with plenty of space and amazing password cracking power. Later in the book, I will go over the actual specs and tools I built out for password cracking and the reasons why I went this route.
Password Cracking/Multi-purpose Hacking Box
● Case: CORSAIR Vengeance C70
● Video Card: SAPPHIRE 100360SR Radeon R9 295x2 8GB GDDR5
● Hard Drive: SAMSUNG 840 EVO MZ-7TE500BW 2.5" 500GB SATA III TLC Internal SSD
● Power Supply: SILVERSTONE ST1500 1500W ATX
● RAM: CORSAIR Vengeance Pro 16GB (2 x 8GB) 240-Pin DDR3 SDRAM DDR3 1600
● CPU: CORE I7 4790K 4.0G
● Motherboard: ASUS MAXIMUS VII FORMULA
● CPU Cooler: Cooler Master Hyper 212 EV
This is definitely overkill for just password cracking, since the only thing that really matters are the GPUs; but, again, I still wanted to use this as an additional system in my arsenal.
Open Source Versus Commercial Software
In this book, I thought it would be beneficial to include a comparison of open source and commercial software. Although not everyone has the funds to purchase commercial software, it is very important to know what is available and what an attacker might use. Both as a defender and someone who runs offensive plays, having the right tools can definitely make the difference. In this book, I will show you several different commercial software tools that I find very useful, which can assist in various types of offensive situations. With every commercial software, I will try to provide an open source companion, but it may not always be available.
Commercial Software in The Hacker Playbook 2
● Burp Suite Pro
● Canvas
● Cobalt Strike
● Core Impact
● Nessus
● Nexpose