00- System Setup

Common elements

Each workstation in the classroom is already furnished with an array of systems for use in this class; they include

  • Backtrack 5 R3
  • CentOS 6.2 x64
  • Mint 11
  • Ubuntu 10.04 Desktop
  • Ubuntu 10.04 Server
  • Vista Business (SP2)
  • Vista x64
  • Windows 7
  • Windows 7 (SP1) x64
  • Windows 8
  • Windows 8 x64
  • Windows 2008
  • Windows 2008 R2 x64

These images are also available on the lab file server, located at \\kestrel\labshare. Instructions on how to access the lab file server will be provided in class.

Other systems will be provided as the course progresses.

For your convenience, the provided systems all have a snapshot, taken at the start of class. Should your system prove problematic, you can always revert back to this snapshot, a later snapshot that you take, or download a new copy from the lab’s file server.

Moving versus Copying Virtual Machines

When a virtual machine is copied from one place to another in the file system, e.g. into a new directory, VMWare asks the first time the copy is run whether the system was "moved" or "copied". In general, you want to select "copied" here. When a system is "moved", its MAC address remains unchanged; if the original is also still on the network, you end up with two systems trying to communicate with identical MAC addresses, and then bad things happen.

Authentication Credentials

All of the systems have the same set of default credentials:

  • User: seldon
  • Password: password1!

On the Windows systems, this is an administrator account. On the CentOS 6.2 system, the root password is the same: "password1!". The Ubuntu systems and the Mint system (as an Ubuntu derivative) do not have a root account.

The one exception is the Backtrack system; here we retain the defaults, where there is only the root user with password "toor".

Network Structure

The classroom network structure has been designed for the easy use of virtual machines as well as to separate out different network spaces for different purposes.

All of the physical systems (hosts) on the lab network take an address via DHCP in the 10.0.0.0/24 network, meaning that they live in the space 10.0.0.1 – 10.0.0.253. The gateway for that subnet is at 10.0.0.254. Systems in this address space are considered out-of-bounds for offensive operations. Remember that other classes use this same lab, and we need to leave the room in a fully functional state when we leave.

Virtual machines that are started in the lab can ask for an address via DHCP; one will be assigned in the 10.0.1.0/24 network, and they will receive addresses in the 10.0.1.1 – 10.0.1.253 range. The gateway for this subnet is 10.0.1.254. Students may set up and use this address space freely. All systems set up in this subnet are considered in-play and fair targets during any exercise.

The instructor reserves the subnet 10.0.2.0/24; the gateway is 10.0.2.254. Systems that are part of exercise control will live on this subnetwork; this address space will also be used for demonstration purposes. No student system should be set up in this address space. During live exercises, systems set up on this subnet may or may not be in play; details will be provided with the instructions for the exercise.

Students will be in one of four teams; each team has its own subnet for addressing:

  • Team A: 10.0.3.0/24, gateway 10.0.3.254
  • Team B: 10.0.4.0/24, gateway 10.0.4.254
  • Team C: 10.0.5.0/24, gateway 10.0.5.254
  • Team D: 10.0.6.0/24, gateway 10.0.6.254

Students can use the addresses in their subnet however they wish; they can even set up a DHCP server that serves addresses in all or part of that range. Students should only use the address space that belongs to their team. All systems on these subnets are in-play during live exercises.

Setting up CentOS 6.2

Start up your CentOS 6.2 system and log in. If you take a look at your network configuration, you might notice something unusual:

[seldon@localhost ~]$ su -
Password: 
[root@localhost ~]# ifconfig -a
eth1      Link encap:Ethernet  HWaddr 00:0C:29:E0:4A:11  
          inet addr:10.0.2.209  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee0:4a11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:24247 (23.6 KiB)  TX bytes:6081 (5.9 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

Notice that the first ethernet card is labelled eth1 rather than the usual eth0. Why? When the system was "copied" (not "moved") onto your system and started, VMWare assigned the system a new MAC address. Hurrah! This is what we wanted to happen. However, Linux treats this as if a new ethernet card was inserted into the machine. It keeps the configuration information for the old card, and calls the new one eth1. Though this works, in general it can cause some trouble later, so let’s tell Linux to forget about the older card.

The hardware is managed by a subsystem called udev, and the rules it uses are contained in the directory /etc/udev/rules.d. In that directory is a file, 70-persistent-net.rules; if you open it in a text editor you are presented with something like the following:

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:57:45:91", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:e0:4a:11", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

You can see that there are two network cards, one with MAC address 00:0c:29:57:45:91 and the second with address 00:0c:29:e0:4a:11 specified in this file. Further, looking back at the output of our ifconfig command, we see that the MAC address for eth1 matches.

Delete the line that refers to eth0 and the MAC address you no longer have (you can remove its comment as well). Update the remaining rule so that the NAME is eth0 instead of eth1.
I recommend that you then reboot the system to ensure that the changes propagate correctly; it definitely makes subsequent configuration simpler if you reboot first.
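The cleanup just described, as an added example that is not part of the course notes: a small POSIX sh script that drops the stale rule (and its comment) from a copy of 70-persistent-net.rules and renames the survivor to eth0, writing the result to stdout for review. It assumes one rule per line, as the file's own header requires; the sample file below is constructed from the rules shown above.

```shell
#!/bin/sh
# Added example (not from the course notes): prune a copied VM's
# /etc/udev/rules.d/70-persistent-net.rules. Rules whose MAC is no longer on the
# machine are dropped together with their "# PCI device" comment, and if exactly
# one rule survives it is renamed to eth0. Output goes to stdout so it can be
# checked before it replaces the real file. Assumes one rule per line.

# prune_net_rules RULES_FILE "mac1 mac2 ..."
#   The second argument lists the MACs the kernel currently reports, any case;
#   on a live box: cat /sys/class/net/*/address
prune_net_rules() {
    awk -v present="$2" '
        function rule_mac(line) {
            if (match(line, /ATTR.address.=="[^"]*"/))
                return tolower(substr(line, RSTART + 16, RLENGTH - 17))
            return ""
        }
        BEGIN { n = split(present, p, " "); for (i = 1; i <= n; i++) keep[tolower(p[i])] = 1 }
        # first pass: count the rules we will keep, so we only rename when one is left
        FNR == NR { if (/^SUBSYSTEM==/ && (rule_mac($0) in keep)) survivors++; next }
        # second pass: emit the file, holding comment lines until we know their rule is kept
        /^SUBSYSTEM==/ {
            if (!(rule_mac($0) in keep)) { buf = ""; next }   # stale card: drop rule and comment
            if (survivors == 1) sub(/NAME="[^"]*"/, "NAME=\"eth0\"")
            printf "%s", buf; buf = ""; print; next
        }
        /^#/ { buf = buf $0 "\n"; next }
        { printf "%s", buf; buf = ""; print }
        END { printf "%s", buf }
    ' "$1" "$1"
}

# Constructed sample mirroring the file shown in the notes (two e1000 rules).
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:57:45:91", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:e0:4a:11", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
EOF
    echo "$f"
}

# Demo: only the second card is still present, as in the ifconfig output above.
rules=$(make_sample_rules)
prune_net_rules "$rules" "00:0C:29:E0:4A:11"
```

If both MACs are still present the script leaves the names alone, since renaming two rules to eth0 would be worse than the original problem.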

There will be at least one other remnant on your system; if you use the graphical tool to modify your network settings, you will now see two options: "System eth0" and "Auto eth0".

[Screenshot: Network Connections]

If you edit the "System eth0" entry and check the MAC address, you will discover that it matches the MAC address that we have already removed. The "Auto eth0" entry has the correct MAC address, and can be used to configure the interface.

Why is there a difference? I just don’t know. Really, there should only be one eth0 entry. You can delete the "System eth0" if you want (this is what I did!) but this will cause us some minor trouble in a few steps. You can keep them both, though I don’t know if that will cause us trouble later.

To change the host name of the system, we edit the file /etc/sysconfig/network and modify the HOSTNAME line. Be sure to enter the FQDN here; in my example, I will call the host "aurora" with parent domain "cosc.tu", giving me the file:

NETWORKING=yes
HOSTNAME=aurora.cosc.tu

Documentation is available in /usr/share/doc/initscripts-9.03.27/sysconfig.txt.

You also need to modify the entries in the file /etc/hosts; in particular you need to make sure that all of the aliases for 127.0.0.1 are appropriate. As an example, we can set that file to look like

127.0.0.1   localhost localhost.localdomain aurora aurora.cosc.tu
::1         localhost localhost.localdomain aurora aurora.cosc.tu 

so that any of the four names "localhost", "localhost.localdomain", "aurora" and "aurora.cosc.tu" will refer to 127.0.0.1.

At this point, you can reboot the machine. Mind you, this is not strictly necessary, as the changes can also be made live by using the hostname command. Note that changes made via the hostname command only persist until a reboot, when the configuration files are re-read. Nonetheless, I recommend rebooting (and checking that everything works as you expect) so that if something is amiss, you won’t have to wade through a large number of changes to the system to start debugging.

Now we want to modify the network settings for our interface. We can use the GUI, but we have seen that it got itself a little confused, so let’s look directly at the configuration files. The file we want is called /etc/sysconfig/network-scripts/ifcfg-eth0. What? It isn’t there? Remember that minor problem the GUI was going to cause? This is it. For whatever reason, getting rid of the spurious entry in the GUI removed this file. No matter, we can rebuild it. We have the technology.

DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="none"
HWADDR="00:0C:29:3C:21:1E"
NETMASK="255.255.255.0"
IPADDR="10.0.2.2"
GATEWAY="10.0.2.254"
TYPE="Ethernet"
USERCTL="no"
IPV6INIT="no"
PEERDNS="no"
DNS1="10.0.2.100"
DNS2="10.0.2.101"
DOMAIN="cosc.tu"

The meaning of most of these lines is self-explanatory. Just be sure that you have the right MAC address in the HWADDR line, or the system will whine a bit.

We haven’t set up a proper DNS structure yet, so the primary and secondary DNS server addresses are just dummy values; we will need to change them as well.
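Two checks worth running after the reboot, covering both the /etc/hosts edit and the HWADDR line above. This is an added example, not the course's own code: each function takes the file to inspect as an argument, and the samples it builds are constructed from the files shown in the notes.

```shell
#!/bin/sh
# Added example (not from the course notes): post-reboot checks for the two
# CentOS files edited above. Run the functions against the real
# /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/hosts, or against the
# constructed samples produced by make_samples.

# check_hwaddr IFCFG_FILE ACTUAL_MAC
#   Succeeds when HWADDR in the ifcfg file equals the MAC the kernel reports
#   (on a live system: cat /sys/class/net/eth0/address). Case-insensitive.
check_hwaddr() {
    cfg_mac=$(sed -n 's/^HWADDR=//p' "$1" | tr -d '"' | tr 'A-Z' 'a-z')
    real_mac=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cfg_mac" ] && [ "$cfg_mac" = "$real_mac" ]
}

# check_hosts HOSTS_FILE FQDN
#   Succeeds when the 127.0.0.1 line carries both the FQDN and its short name,
#   so that both "hostname" and "hostname -f" resolve without asking DNS.
check_hosts() {
    awk -v fqdn="$2" -v short="${2%%.*}" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
        END { exit !(f && s) }
    ' "$1"
}

# Constructed samples: the ifcfg-eth0 and /etc/hosts contents shown in the notes.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ifcfg-eth0" <<'EOF'
DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="none"
HWADDR="00:0C:29:3C:21:1E"
NETMASK="255.255.255.0"
IPADDR="10.0.2.2"
GATEWAY="10.0.2.254"
EOF
    cat > "$dir/hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain aurora aurora.cosc.tu
::1         localhost localhost.localdomain aurora aurora.cosc.tu
EOF
    echo "$dir"
}

# Demo against the samples. On a real box use
#   check_hwaddr /etc/sysconfig/network-scripts/ifcfg-eth0 "$(cat /sys/class/net/eth0/address)"
#   check_hosts /etc/hosts aurora.cosc.tu
d=$(make_samples)
check_hwaddr "$d/ifcfg-eth0" 00:0c:29:3c:21:1e && echo "HWADDR matches" || echo "HWADDR mismatch"
check_hosts "$d/hosts" aurora.cosc.tu && echo "hosts ok" || echo "hosts incomplete"
```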

The simplest way to manage the firewall on the CentOS system is to use the provided GUI tool. Simply select System → Administration → Firewall. For the most part, the tool is self-explanatory.
[Screenshot: Firewall Configuration]

Setting up Ubuntu 10.04 Desktop

Ubuntu Desktop 10.04 also uses udev to manage devices, and will also retain vestiges of previous interfaces whenever the virtual machine is copied. The solution remains the same. Edit the file /etc/udev/rules.d/70-persistent-net.rules; remove the line corresponding to the MAC that is no longer present (see the output of ifconfig -a if you are not sure) and make sure that the NAME for the sole remaining interface is set to eth0; then re-boot.

Unlike our CentOS system, the Network Preferences GUI (System → Preferences → Network Connections) does not get quite so confused. Using that system to configure the IP address, gateway, and DNS server is straightforward:
[Screenshot: Network Connections]

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

Unlike CentOS, the firewall for Ubuntu is disabled by default; you can verify this by running

seldon@capella:~$ sudo ufw status
[sudo] password for seldon: 
Status: inactive
seldon@capella:~$ 

In general though, this is not a problem, as desktop machines are not usually meant to have open ports. By default, Ubuntu 10.04 is only listening on TCP 631, and then only on localhost (127.0.0.1 and ::1).

If you don’t know, TCP 631 is used by the print manager CUPS on a Linux system; you can verify that all is as it ought to be by running a netstat and getting the PID of the process that opened the port:

seldon@capella:~$ sudo netstat -nlptv
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      862/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      862/cupsd
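The same check, automated: an added example (not from the course notes) that reads netstat -nlpt output and reports any listener not bound to loopback. The cupsd lines in the sample are the ones shown above; the sshd and apache2 lines are constructed to show what a hit looks like.

```shell
#!/bin/sh
# Added example (not from the course notes): audit the listeners reported by
# netstat -nlpt and flag any bound to something other than loopback.
# Feed it real output (sudo netstat -nlptv | audit_listeners) or the sample below.

# audit_listeners
#   Reads netstat -nlpt style lines on stdin; prints one line per TCP listener
#   reachable from the network (anything but 127.0.0.1 and ::1). Exits 1 if any
#   were found, 0 if every listener is loopback-only.
audit_listeners() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)                   # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next     # bound to loopback: fine
            printf "exposed: %s port %s (%s)\n", host, port, ($7 == "" ? "unknown" : $7)
            exposed++
        }
        END { exit exposed ? 1 : 0 }
    '
}

# Constructed sample in the column layout of netstat -nlpt: the cupsd lines
# match the notes, the sshd and apache2 lines are invented to exercise the check.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      862/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      862/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1210/apache2
EOF
}

# Demo: prints the two exposed listeners and exits non-zero.
sample_netstat | audit_listeners && echo "all listeners are loopback-only"
```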

Ubuntu 10.04 does not have a graphical interface for the firewall in its default install; however one is available online.

To install it, you also need to install the menu package. Download both, and be sure to verify their MD5 hashes. Installation can then be done via dpkg.

seldon@ubuntu:~$ md5sum ./menu_2.1.43ubuntu1_i386.deb 
e645e9719005931d541338f8d7539446  ./menu_2.1.43ubuntu1_i386.deb

seldon@ubuntu:~$ md5sum ./gufw_10.04.5-all.deb 
fc7d54931414a2a1a3d46ca971c13837  ./gufw_10.04.5-all.deb

seldon@ubuntu:~$ sudo dpkg -i ./menu_2.1.43ubuntu1_i386.deb 
[sudo] password for seldon: 
Selecting previously deselected package menu.
(Reading database ... 124218 files and directories currently installed.)
Unpacking menu (from ./menu_2.1.43ubuntu1_i386.deb) ...
Setting up menu (2.1.43ubuntu1) ...
Processing triggers for man-db ...
Processing triggers for install-info ...
Processing triggers for doc-base ...
Processing 26 changed 1 added doc-base file(s)...
Registering documents with scrollkeeper...
Processing triggers for menu ...

seldon@ubuntu:~$ sudo dpkg -i ./gufw_10.04.5-all.deb 
Selecting previously deselected package gufw.
(Reading database ... 124396 files and directories currently installed.)
Unpacking gufw (from ./gufw_10.04.5-all.deb) ...
Setting up gufw (10.04.5-0ubuntu0.1) ...
Processing triggers for desktop-file-utils ...
Processing triggers for python-gmenu ...
Rebuilding /usr/share/applications/desktop.en_US.utf8.cache...
Processing triggers for hicolor-icon-theme ...
Processing triggers for man-db ...
Processing triggers for software-center ...
Processing triggers for menu ...
Processing triggers for python-support ...
Processing triggers for python-central ...

Setting up Ubuntu 10.04 Server

Before we can get to setting up the server and its networking, we have a rather significant problem to overcome. For whatever reason, when Ubuntu 10.04 server is installed in a virtual machine, it chooses the wrong keyboard layout, one that disables or mismaps the various arrow keys. Since the server does not come with a GUI either, malfunctioning arrow keys make it extremely hard to navigate. Let’s fix the problem!

Log into the system, and then run

seldon@ubuntu:~$ sudo dpkg-reconfigure console-setup

This drops us into a setup program like the following:

[Screenshot: Ubuntu 10.04 Server console-setup]

All we need to do is to select the right keyboard and go from there.

Yes, you in the back with your hand up? "How can we select the keyboard if the arrow keys don’t work?" Yeah, I had that problem too. Tap the "g" key; this will select the first entry that begins with "g"; fortunately this is a generic 101-key keyboard, and one that will work fine for us. Then tap the Tab key to move the focus to "OK", then hit Return to select it.

A number of further option screens will appear, but I found the default to be fine for each: just a Tab and a Return. When all is complete, it will update a few files, and your arrow keys will function.

With that problem out of the way, we can turn to configuring the system’s networking. The file /etc/udev/rules.d/70-persistent-net.rules needs to be modified in the same fashion as for Ubuntu Desktop; again I recommend a re-boot.

To modify the networking settings for the system, the file /etc/network/interfaces must be modified. The comments and the material on the loopback interface can be retained, but the configuration for eth0 should look something like the following:

auto eth0
iface eth0 inet static
address 10.0.2.4
netmask 255.255.255.0
gateway 10.0.2.254

We also need to specify the location of the DNS servers; they are in the file /etc/resolv.conf. Modify that file so that it looks something like the following (the resolver takes one address per nameserver line):

nameserver 10.0.2.100
nameserver 10.0.2.101
domain cosc.tu
search cosc.tu

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

Like Ubuntu desktop, the firewall for Ubuntu server is disabled by default. However, by default it has no listening processes, not even the CUPS printing daemon on localhost that we saw for Ubuntu desktop.

Setting up Mint 11

One nice thing about Mint 11 is that we do not have the trouble we have seen with the udev subsystem; copying a Mint 11 VM does change the MAC address of the interface, but we do not need to manually reconfigure entries from /etc/udev/rules.d.

To set up networking, you can either use the graphical tool we used to set up Ubuntu Desktop (found by navigating Menu → Control Center → Network Connections), or use the command line and modify /etc/network/interfaces and /etc/resolv.conf as we did for Ubuntu server.

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did before; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

Setting up Windows Vista & Windows 7

When the system starts with the new MAC address, Windows will not know what type of network it is: Home, Work, or Public. We are going to be simulating various business scenarios, so in each case you should select "Work".

To set the networking, select the Start button → Control Panel → Network and Internet → View Network Status and Tasks. On Windows 7, select the Local Area Connection link, while in Vista select the View Status link. In either case, you end up with a dialog box like the following:

[Screenshot: Netstat]

Select Properties, then select Internet Protocol Version 4 (IPv4), and press the Properties button in the following dialog:

[Screenshot: IP Properties]

Fill in the required address data in the usual fashion:

[Screenshot: IP Address]

To set up the hostname for these Windows systems, navigate to the Start button → Computer (right click) → Properties. You should end up with a dialog box roughly like the following (for Windows 7; the version for Vista is similar):

[Screenshot: Computer Properties]

In the section labelled Computer name, domain, and workgroup settings, select the Change Settings link; you end up with a dialog box like the following:

[Screenshot: Windows Name 1]

Select the Change button to be presented with a dialog box that allows you to change the host name. Note that the hostname is different from the FQDN. Suppose that I want the FQDN of my system to be rhea.cosc.tu; then the hostname is rhea, while the primary domain suffix is cosc.tu. The hostname is specified in the hostname box, but to set the primary domain suffix you need to select the More button and make your changes there. The net result looks something like the following:

[Screenshot: Name Change]

Changing the hostname does require a restart of the system.

All modern Windows systems come with an integrated firewall managed through the Control Panel. To configure it navigate Start → Control Panel → System and Security → Windows Firewall.

Windows 8

To set up our Windows 8 system, we need to find the Control Panel. From the Metro screen, right click, then select the "All apps" button. Scroll to the right, and then select "Control Panel".

[Screenshot: Start Menu]

Once you manage to locate the Control Panel, changing the network settings proceeds as we did in Windows Vista and 7; navigate Network and Internet → Network and Sharing Center → Ethernet → Properties.

Once the changes have been made, you will be on the Windows 8 Desktop; to get back to the Metro screen, press the Windows button on the keyboard.

To change the hostname, again right click on the Metro screen to select "All apps". Now right-click on "Computer"; you will be presented with a context menu similar to the following:

[Screenshot: Computer Properties 2]

Select Properties and you will drop to the Desktop with a dialog box similar to what we saw for Windows Vista and Windows 7; in the section labelled Computer name, domain, and workgroup settings, select the Change Settings link and make the required changes.

[Screenshot: Win8 Hostname]

A restart is required.

The Windows 8 firewall is also managed through the Control Panel, in the same fashion as Windows Vista and 7.

Setting up Windows 2008 Server

The process of setting up networking and the system name is the same in both Windows 2008 and Windows 2008 R2.

When these systems first boot, you will be presented with the Initial Configuration Tasks dialog box:

[Screenshot: WinBoot]

Select the "Configure Networking" link. You will be shown all of the network connections on the system; at the start there should be just one, labelled "Local Area Connection". Right-click on it and select Properties; then select Internet Protocol Version 4 (IPv4) and select Properties; you can then enter the IP address for the system as well as specify the DNS server the system should use.

[Screenshot: NetSetUp]

To change the hostname of the system, return to the Initial Configuration Tasks dialog box, and select the link "Provide computer name and domain". The system name and primary domain suffix are changed just as we did for other versions of Windows. A re-boot will be required.

On Windows Server systems, you can manage the firewall by navigating Start → Administrative Tools → Windows Firewall with Advanced Security rather than going through the Control Panel.

Setting up Backtrack 5 R3

Unlike the other systems provided, the Backtrack image has been modified from its stock configuration. It has been fully updated as of mid-January 2013, and Metasploit has been updated to include all of the latest attacks, including the Java Applet JMX Remote Code Execution vulnerability (CVE-2012-0422) affecting Java 7 through Update 10.

After logging into the Backtrack system, you can start the graphical user interface by running

root@bt:~# startx

from the command line.

Backtrack systems use the same udev system that is used by other Linux distributions, and suffer from the same change of interface name every time the system is copied. If you want to simply use DHCP for networking, then no changes need to be made to the system. If you want to give your Backtrack system a static address, then we can proceed as before.

Update the file /etc/udev/rules.d/70-persistent-net.rules as before, and re-boot. Go ahead and modify the appropriate section in /etc/network/interfaces; you can set it to something like the following:

auto eth0
iface eth0 inet static
address 10.0.2.10
netmask 255.255.255.0
gateway 10.0.2.254

To specify the location of the DNS servers, update /etc/resolv.conf so that it looks something like the following (one address per nameserver line):

nameserver 10.0.2.100
nameserver 10.0.2.101
domain cosc.tu
search cosc.tu

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.
