Building a Pen Test Lab – Hardware for Hacking at Home on the Cheap

[Editor’s Note: Jeff McJunkin shares some insight into building a good virtualization infrastructure for practicing your pen test skills, evaluating tools, and just plain becoming a better penetration tester, all without breaking the bank.  Nice!  –Ed.]

By Jeff McJunkin

Practical, hands-on experience is a good thing, right? As good as it is though, it doesn’t excuse accidentally taking down your employer’s production environment while doing some testing.

While NetWars (obligatory plug for my new employer) is great for getting this experience, it doesn’t fit every situation. For example, if one of your servers crashed while being scanned by Nessus, you might want to isolate exactly which plugin is causing the crash, while avoiding future production outages.

Having a home lab with a trial version of the software creates a safe environment for otherwise disruptive testing and facilitates fast learning. It’s hard to beat not only learning the attacks, but observing the artifacts those attacks leave behind, defending against them, and creating signatures to detect further attempts!

In this post, we’ll discuss several hardware options for home labs at different price points. Since many employers don’t have test labs, it often falls on the employee to keep up-to-date on the latest operating systems, software, and offensive/defensive techniques.

Depending on interest, we might do a follow-up post with a comparison of different virtualization software. Because many people already have some experience with it, though, VMware products are tough to beat. For dedicated machines, people often use VMware vSphere Hypervisor (ESXi), which is free.

Depending on your price point, there are a few approaches.

Price point: $0 – Re-Use Existing Hardware

At this price point, of course, you’ll need to re-use existing hardware. Depending on the horsepower behind your personal computers, though, this might be enough. The main bottlenecks for virtual machines are, in order, memory, hard disk, and then CPU. With 8GB of RAM, you should be able to run 2-3 VMs in VMware Workstation / Player, which is sufficient for many labs. With 16GB, you’ll be able to run enough VMs that your new bottleneck will be a single hard drive, if that’s what you have. Replacing it with an SSD (such as the Samsung model recommended below) will allow you to scale to 5-7 simultaneous VMs, though hosted virtualization platforms (Type 2) tend to be less efficient than a bare-metal (Type 1) hypervisor such as ESXi or Xen.

Price point: ~$300 – HP N54L G7

Though you won’t be able to get a system capable of running more than a couple of VMs at this price point, by getting the N54L you’ll have a system you can upgrade over time. The rig I’ve linked to below comes with a 250GB hard drive and 2GB of RAM. Though not listed as compatible, there are many 16GB (2x8GB) memory kits that are compatible, including the kit linked below.

When combined with a local SSD and several spinning disks (from the Storage section), the N54L can run quite a few VMs simultaneously, and should meet the needs of almost all virtual labs.

Amazon link: HP N54L G7

Amazon link: Kingston 16GB (2x8GB) memory kit

Price point: $600+ – Build Your Own

At this price point you can build an increasingly powerful home server. The trick in building your own virtualization host from scratch is normally finding a combination that works with the limited hardware compatibility of ESXi, but luckily this recommendation is well-vetted.

The advantage of this build compared to the N54L is the long-term upgradeability and increased capacity (32GB memory, six 3.5″ drives and two 2.5″ drives, more PCI-e slots, etc.).

You’ll need to add some local storage from the below section or elsewhere, but these parts get you a working installation. You can re-use existing drives if you have them available, of course, which further reduces your initial costs.

Amazon link: Antec Three Hundred Two Case

Amazon link: Rosewill CAPSTONE-550 Power Supply

Amazon link: ASRock 970 EXTREME3 Motherboard

Amazon link: AMD FX-8320 Processor

Amazon link: Kingston Hyper-X 16GB Memory Kit (2x8GB) (The motherboard supports two of these kits, but you can buy one at first if you need to spend the money elsewhere)

Amazon link: SanDisk Cruzer Fit 16GB USB drive (you’ll install ESXi on a USB drive so other drives can be fully utilized for VMs)

Storage

Depending on your needs and budget, there are a lot of options for VM storage. Though you may need to stick with spinning drives at first for cost reasons, I’d recommend purchasing a solid-state drive as soon as you can. Prices have been coming down, and $500 for one terabyte of SSD should fulfill nearly all VM storage requirements.

Amazon link: Samsung 840 Series 1TB SSD (smaller sizes available)

Amazon link: Western Digital Red 4TB Hard Drive (smaller sizes available)

Amazon link: Icy Dock EZConvert 2.5″ to 3.5″ Drive Tray (for putting an SSD into the N54L – the Antec case can fit two SSDs without this adapter)

Webcast: Jeff recorded a SANS Webcast about Building your Own Home Lab. Available now on YouTube: https://youtu.be/uzqwoufhwyk

-Jeff McJunkin
Counter Hack
SANS Instructor


Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying-like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions for free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

Security ADD – Offense, Defense, Or What?

[Editor’s Note: In this post, the unparalleled Seth Misenar tackles the question of whether it’s OK for a security professional to walk the line between offense and defense, or whether someone should take the plunge on one of these two sides. He lays bare his very soul as he debates the options before us all.]

By Seth Misenar

I was recently asked by Ed Skoudis and Mike Poor to serve on a panel discussion at SANS Security West 2014.  The panel topic is Offense Informs Defense, and is kind of a face off wherein SANS Pen Test instructors shoot out a bunch of new techniques and SANS Cyber Defense instructors discuss practical ways of handling the onslaught.

Sounds fun, so I immediately confirmed.  Only later did it occur to me that I wasn’t sure which side I was supposed to rep.  Hmm…my security ADD seems to rear its ugly head again.

I often joke with students that I appear to suffer a bit from an undiagnosed case of ADD because I seem to flit from topic to topic within security.  One month I’m all about hardcore NSM practices, the next I’m focused on playing with weaponizing XSS and CSRF vulnerabilities, and the next… something completely different.  I routinely get a bit distracted and only later realize that I have refocused my time and efforts.  SQUIRREL!  See… I did it again.  This shifting seems normal to me, but is it at odds with what most professionals do at this point in their careers?

So now, back to the question about the panel: which side am I supposed to rep, offense or defense?  Got it, I will just check the schedule for http://www.sans.org/event/sans-security-west-2014 to see which curriculum I am teaching under at that conference, and I’ll “bet” that guy.  No joy. I’m teaching 504, which actually makes matters worse since that course logically seems to fit under Pen Test, Cyber Defense, and Digital Forensics too.  No obvious answer there… where to go from here?

Maybe I am just a generalist?  That doesn’t sound very desirable, even though most folks that I meet who work in security are expected to be some kind of generalist.  An often-quoted phrase comes to mind, “Jack of All Trades Master of None”.  Am I forsaking my true potential in offense OR defense, because I choose offense AND defense?  While it doesn’t seem to have been a career-limiting move, I could certainly have sharper offensive or defensive skills if I neglected the other side of the coin, or could I?

Then I come back to the Skoudis mantra, “Offense Informs Defense.”

I honestly think, and maybe this is simply rationalizing my own inherent behavior, that cyber/information security is better served as a whole by having both the single-minded, laser beam focused, offensive OR defensive experts as well as the security ADD encumb^H^H^H^H^H^Hmpowered offense AND defense professionals.  Those of us who play on both sides can help synthesize and match offense to practical defenses, and can also think of new ways around the defenses we deployed.  I don’t mean to take anything away from those who have chosen to focus on one side such as our panel leads Ed (offense) and Mike (defense).  But, those of us with InfoSec ADD are an important piece of the puzzle in constructing effective enterprise security programs.

Anyway, that is how I will justify answering for both the offensive and defensive curricula on the panel, if Ed and Mike let me get away with it.

So, feel free to point to this blog entry next time you start feeling a little disloyal to Pen Testing by moonlighting in Cyber Defense (or by taking <shameless plug> the soon-to-be-released SANS SEC511: Continuous Monitoring and Security Operations 😉 ) even though you are, by trade, a penetration tester.  Or, if you are a Cyber Defense person, point your boss this way when you feel like you are stepping out of line by taking a hand in helping your organization with its next penetration test.

Remember Defense Informs Offense Informs Defense after all.

Come check out the panel on 5/11/2014 if you happen to be at SANS Security West, and then stick around for Eric Conrad and me giving our Continuous Ownage: Why You Need Continuous Monitoring talk.

-Seth Misenar
@sethmisenar

Mission Impossible? Thwarting Cheating in an Advanced Pen Test Class CtF: The SANS SEC660 Experience

[Editor’s Note: The SANS course on advanced pen testing (SEC660) teaches a lot of great, in-depth topics, including exploit development, network manipulation (NAC bypass, Scapy packet crafting, man-in-the-middle attacks, and more), and Python for pen testers with tons of hands-on exercises.  The whole class culminates in a full-day, intense capture the flag event, where the winners earn a 660 challenge coin (which includes a cool cipher, natch).

But, when you teach a bunch of skills like that and hold a CtF on the last day, sometimes, a few students get a little too rambunctious in applying their new-found skills.  At the risk of being indelicate, I’ll come out and say it — they try to cheat.  By using their Python skills along with their MitM capabilities, they try to snarf flags from other teams attempting to send them to the score server.  What’s an enterprising course author to do?  Well, Steve Sims has some clever things up his sleeve, turning the tables on such shenanigans using the concepts taught in the course with a little Python magic of his own.

I recommend you read through Steve Sims’ script to see how he uses Python with Scapy to call Nmap, call the underlying OS, formulate HTTP requests, and more.  Check it out! –Ed.]

By Stephen Sims

Here is a short blog article about an attack that students were attempting to pull off in some of the Capture the Flag (CtF) events as part of SANS SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking.  To thwart their attempts, I wrote a Python script.  In this article, I’d like to review the skills and techniques students use to try to undermine the CtF, and tell you my technical approach to address it in class.

The Source

During Day 1 of class, which is focused mostly on network attacks, we spend a lot of time looking at various ways to pull off a Man-in-the-Middle (MitM) attack, and then what you can accomplish by having that position. We cover techniques such as attacking SSL, routers, switches, and Network Access Control (NAC) solutions. During Day 3 of class, we spend a lot of time on Python, and various Python-based tools such as Scapy (by Philippe Biondi) and the Sulley Fuzzing Framework (by Pedram Amini / Aaron Portnoy  / Ryan Sears).

The Attack

Armed with this information taught in class, every so often a CtF team attempts to steal key submissions from other teams. Now, one could certainly argue that there is technically no cheating in a CtF; however, this does not mean it should be really easy to pull the attack off. To score in the SEC660 CtF, SHA-1 hashes, which act as keys, are submitted into the scoring system by each team. If a hash/key matches a challenge, points are awarded to the team. Regardless of whether SSL or plain HTTP was being used as the transport to the scoring server, the aforementioned teams were attempting, and sometimes succeeding at, ARP cache poisoning and SSL stripping. This would allow the teams performing the attack to read valid key submissions from other teams and get the points without completing the challenge.  Ouch.
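The defender's counterpart to the ARP cache poisoning described above, added here as an example that is not part of Stephen Sims' post or his script: a small stdlib-only monitor that parses raw Ethernet/ARP frames and alerts when an IP address is suddenly claimed by a different MAC. The frames, student-host addresses and MACs are constructed for the example; only the 10.10.10.100 scoring-server address comes from the script later in the post, and its "real" MAC is an assumption.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join("%02x" % x for x in raw)


def ip_str(raw):
    return ".".join(str(x) for x in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet/ARP 'is-at' frame (used only to construct sample traffic)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    return ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP) + \
        ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip)


def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame, 0)[2] != ETHERTYPE_ARP:
        return None
    fields = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return fields[4], mac_str(fields[5]), ip_str(fields[6])


def detect_arp_conflicts(frames, trusted=None):
    """Walk frames in order and flag any IP whose advertised MAC changes.

    `trusted` pre-seeds the IP -> MAC table (e.g. the scoring server's real MAC) so the
    first rogue reply is caught instead of silently learned. Returns a list of
    (ip, previously seen MAC, newly claimed MAC) tuples."""
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, smac, sip = parsed
        known = table.get(sip)
        if known is None:
            table[sip] = smac            # first sighting: learn it
        elif known != smac:
            alerts.append((sip, known, smac))
    return alerts


# Constructed sample traffic: the genuine scoring-server reply, an unrelated student host,
# a rogue reply claiming the server's IP from a VMware-OUI MAC, and a non-ARP frame.
TRUSTED = {"10.10.10.100": "00:50:56:aa:bb:cc"}  # assumed real MAC of the scoring server
SAMPLE_FRAMES = [
    build_arp_reply("00:50:56:aa:bb:cc", "10.10.10.100", "00:0c:29:44:55:66", "10.10.75.5"),
    build_arp_reply("00:0c:29:44:55:66", "10.10.75.5", "00:50:56:aa:bb:cc", "10.10.10.100"),
    build_arp_reply("00:0c:29:11:22:33", "10.10.10.100", "00:0c:29:44:55:66", "10.10.75.5"),
    b"not an arp frame",
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_conflicts(SAMPLE_FRAMES, TRUSTED):
        print("ALERT: %s was %s, now claimed by %s" % (ip, old, new))
```

On a live lab network the same function can be fed frames from a raw socket or a pcap; a reply whose sender MAC differs from the table is exactly the signature of the poisoning the CtF teams attempted.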

The Solution

The script you are about to read was written in about 90 minutes during a live CtF, so please forgive the stylistic issues and cut corners, such as not putting in the full paths to binaries when using the system() function. One of the solutions I designed to thwart this type of attack (and note that I am sharing just one of them) was to create a script that would make a lot of noise on the wire. The script is not well-commented (again with the quick turnaround during the game), but it’s easy to read as it’s in Python. I decided to use Scapy together with Python to do the following:

  • Scan the student subnets to look for inactive IP addresses within the valid range assigned during class, using Nmap. This way it doesn’t stand out as an IP address that is obviously part of the script.
  • Use one of these addresses very briefly and also use a random MAC address in the VMware OUI range.
  • Automatically configure my interface with these addresses and perform a valid TCP/HTTP session to the scoring server.
  • Submit a pseudo-random SHA-1 hash as a key submission and use a pseudo-random PHP session ID.
  • Loop through this script until terminated.

The bottom line here is that my script injects false flags into the network, so anyone looking to steal a flag will likely get a non-valid flag delivered by my script.  Instead of stealing a valid flag from a legitimate student, they will have stolen a false flag from my script, netting them NOTHING, except some wasted time.

Getting an automated script like this working with Scapy, that shows no errors when sniffing with a tool like Wireshark, can sometimes be challenging.  There are multiple ways to get it working. Feel free to read through the script and use it to improve your Scapy skills, or even better, improve it and send it to me at stephen@deadlisting.com. I will totally buy you a beer! Don’t forget to change the interface listed in the script if necessary.

–Stephen Sims

p.s. Josh Wright, Jake Williams, and I will be teaching SEC 660 using SANS on-line training system, vLive, from March 4 through April 17.  No travel is required, as you can take the class from the comfort of your home or office.  We meet twice a week, and we’ll be sharing our best tips and tricks for advanced pen testing.  Details are here: http://www.sans.org/vlive/details/sec660-04mar2014-joshua-wright.

from scapy.all import *
from time import sleep
from hashlib import sha1
from random import random, sample, randint
import string
import os
from os import system
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
conf.verb = 0
os.system("clear")
print("\nPlease stand by while NMAP results are collected... This could take a minute...\n")
# Collect the addresses of hosts that answered in the student range; the spoofed
# address is then chosen to avoid colliding with any of them.
f = os.popen("nmap -n -PA -p0 10.10.75,76,77,78.1-254 | grep 'scan report for'")
z = []

for lines in f:
    r = lines.strip()           # e.g. "Nmap scan report for 10.10.75.1"
    z.append(r.split()[-1])     # Keep only the IP address, whatever its length

print("Collected %d IP Addresses... Standby..." % len(z))
while True:
    print("Spoofing process started...")
    sp = randint(1025, 65535)   # Random ephemeral source port for this session
    char_set = string.ascii_lowercase + string.digits  # Alphabet for the fake PHPSESSID
    w = "10.10." + str(randint(75, 78)) + "." + str(randint(1, 254))
    while w in z:               # Re-pick until the address is not a live student host
        w = "10.10." + str(randint(75, 78)) + "." + str(randint(1, 254))

    mac = str(RandMAC("00:0c:29:*:*:*"))  # Random MAC in the VMware OUI range
    system("ifconfig eth1 down")          # You may have to change interface number...
    sleep(.5)
    system("ifconfig eth1 hw ether " + mac)
    sleep(.5)
    system("ifconfig eth1 " + w + " netmask 255.255.0.0")
    sleep(.5)
    system("ifconfig eth1 up")
    sleep(.1)
    # Keep the kernel from RSTing the Scapy-driven connection (one rule is added per
    # spoofed address; flush the OUTPUT chain when you stop the script).
    system("iptables -A OUTPUT -p tcp --destination-port 80 --tcp-flags RST RST -s " + w + " -d 10.10.10.100 -j DROP")
    sleep(1)
    print("Using MAC Address: " + mac)

    p = IP(src=w, dst="10.10.10.100")     # Random IP from student subnets.
    print("Saved IP IS: " + p[IP].src)
    key = sha1(str(random()).encode()).hexdigest()  # Pseudo-random fake flag
    print("Using key: " + key)
    myseq = 1000
    q = TCP(sport=sp, dport=80, flags="S", seq=myseq)
    SYNACK = sr1(p/q)
    sleep(.1)

    SPORT2 = SYNACK.dport
    my_seq = myseq + 1
    my_ack = SYNACK.seq + 1
    ACK = TCP(sport=SPORT2, dport=80, flags="A", seq=my_seq, ack=my_ack)
    send(p/ACK)                 # Complete the three-way handshake

    PSH = TCP(sport=SPORT2, dport=80, flags="PA", seq=my_seq, ack=my_ack)
    b = ''.join(sample(char_set, 26))  # 26 random chars for the fake PHPSESSID
    # Headers must be separated by CRLF and the request ended by a blank line,
    # otherwise the server sees a single malformed request line.
    r = "GET /checkscore.php?key=" + key + " HTTP/1.1\r\n" + \
        "Host: 10.10.10.100\r\n" + \
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) " + \
        "Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15\r\n" + \
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" + \
        "Accept-Language: en-us,en;q=0.5\r\n" + \
        "Accept-Encoding: gzip,deflate\r\n" + \
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" + \
        "Keep-Alive: 300\r\n" + \
        "Connection: keep-alive\r\n" + \
        "Referer: http://10.10.10.100/board.php\r\n" + \
        "Cookie: PHPSESSID=" + b + "\r\n\r\n"

    getReq = sr1(p/PSH/r)

    my_seq = my_seq + len(r)    # Our next sequence number is just past the request we sent
    FIN = TCP(sport=SPORT2, dport=80, flags="FA", seq=my_seq, ack=my_ack)
    FINACK = sr1(p/FIN)
    ACK = TCP(sport=SPORT2, dport=80, flags="A", seq=my_seq + 1, ack=FINACK.seq + 1)
    send(p/ACK)                 # Final ACK of the teardown
    print("Successfully spoofed packet, no errors...")
    sleep(3)
    os.system("clear")

Pen-Test-A-Go-Go: Integrating Mobile and Network Attacks for In-Depth Pwnage

Josh Wright and I presented a webcast a few months back that is chock-full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course, SEC561: Intense Hands-on Skill Development for Pen Testers, this webcast covers numerous useful techniques, such as:

  • Exploiting and automating data harvesting from iOS devices
  • Extracting stored secrets from iTunes backups
  • Effective antivirus evasion with Veil
  • Windows host compromise and privilege escalation, along with UAC bypass

The slides below cover all the tools and techniques for doing all that great stuff, and more.

The SANS SEC 561 course is 80% hands-on skill development, showing how security personnel such as penetration testers, vulnerability assessment personnel, and auditors can leverage in-depth techniques to get powerful results in every one of their projects. This innovative course uses the SANS NetWars system to help hammer home lessons in a fun and interactive way to foster in-depth knowledge and capability development.

Take a look at the webcast slides by clicking on the title slide below.  Or, if you’d like to hear the sonorous voice of Mr. Josh Wright himself (along with me), click here for the full webcast: https://www.sans.org/webcasts/pen-test-a-go-go-integrating-mobile-network-attacks-in-depth-pwnage-97007

Have fun!

–Ed Skoudis

p.s.: If you want to build your skills to get ready for SEC561, you should definitely check out my SANS SEC560 course on Network Pen Testing.  I’m really looking forward to teaching 560 in March in Baltimore, April in Orlando, and May/June online via vLive.  For the follow-on course, SEC561, SANS will offer it next in Orlando in April.  You should check ’em both out.