00- System Setup

Common elements

Each workstation in the classroom is already furnished with an array of systems for use in this class; they include

  • Backtrack 5 R3
  • CentOS 6.2 x64
  • Mint 11
  • Ubuntu 10.04 Desktop
  • Ubuntu 10.04 Server
  • Vista Business (SP2)
  • Vista x64
  • Windows 7
  • Windows 7 (SP1) x64
  • Windows 8
  • Windows 8 x64
  • Windows 2008
  • Windows 2008 R2 x64

These images are also available on the lab file server, located at \\kestrel\labshare. Instructions on how to access the lab file server will be provided in class.

Other systems will be provided as the course progresses.

For your convenience, the provided systems all have a snapshot, taken at the start of class. Should your system prove problematic, you can always revert back to this snapshot, a later snapshot that you take, or download a new copy from the lab’s file server.

Moving versus Copying Virtual Machines

When a virtual machine is moved from one place to another in the file system, e.g. by copying it to a new directory, then VMWare will ask you the first time the system is then run if the system has been "moved" or "copied". In general, you want to select "copied" here. When a system is "moved", the system’s MAC address remains unchanged. In that case if the original is also still on the network then you end up with two systems trying to communicate with identical MAC addresses, and then bad things happen.

Authentication Credentials

All of the systems have the same set of default credentials:

  • User: seldon
  • Password: password1!

On the Windows systems, this is an administrator account. On the CentOS 6.2 system, the root password is the same: "password1!". The Ubuntu systems and the Mint system (as an Ubuntu derivative) do not have a root account.

The one exception is the Backtrack system; here we retain the defaults, where there is only the root user with password "toor".

Network Structure

The classroom network structure has been designed for the easy use of virtual machines as well as to separate out different network spaces for different purposes.

All of the physical systems (hosts) on the lab network take an address via DHCP in the 10.0.0.0/24 network, meaning that they live in the space 10.0.0.1 – 10.0.0.253. The gateway for that subnet is at 10.0.0.254. Systems with this address are considered out-of-bounds for offensive operations. Remember that other classes use this same lab, and we need to leave the room in a fully functional state when we leave.

Virtual machines that are started in the lab can ask for an address via DHCP; one will be assigned in the 10.0.1.0/24 network, and they will receive addresses in the 10.0.1.1 – 10.0.1.253 range. The gateway for this subnet is 10.0.1.254. Students may set up and use this address space freely. All systems set up in this subnet are considered in-play and fair targets during any exercise.

The instructor reserves the subnet 10.0.2.0/24; the gateway is 10.0.2.254. Systems that are part of exercise control will live on this subnetwork; this address space will also be used for demonstration purposes. No student system should be set up in this address space. During live exercises, systems set up on this subnet may or may not be in play; details will be provided with the instructions for the exercise.

Students will be in one of four teams; each team has its own subnet for addressing:

  • Team A: 10.0.3.0/24, gateway 10.0.3.254
  • Team B: 10.0.4.0/24, gateway 10.0.4.254
  • Team C: 10.0.5.0/24, gateway 10.0.5.254
  • Team D: 10.0.6.0/24, gateway 10.0.6.254

Students can use the addresses in their subnet however they feel; they can even set up a DHCP server that serves addresses in all or part of that range. Students should only use the address space that belong to their team. All systems on these subnets are in-play during live exercises.

Setting up CentOS 6.2

Start up your CentOS 6.2 system and log in. If you take a look at your network configuration, you might notice something unusual:

[seldon@localhost ~]$ su -
Password: 
[root@localhost ~]# ifconfig -a
eth1      Link encap:Ethernet  HWaddr 00:0C:29:E0:4A:11  
          inet addr:10.0.2.209  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee0:4a11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:24247 (23.6 KiB)  TX bytes:6081 (5.9 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

Notice that the first ethernet card is labelled eth1 rather than the usual eth0. Why? When the system was "copied" (not "moved") onto your system and started, VMWare assigned the system a new MAC address. Hurrah! This is what we wanted to happen. However, Linux treats this as if a new ethernet card was inserted into the machine. It keeps the configuration information for the old card, and calls the new one eth1. Though this works, in general it can cause some trouble later, so let’s tell Linux to forget about the older card.

The hardware is managed by a subsystem called udev, and the rules it uses are contained in the directory /etc/udev/rules.d. In that directory is a file, 70-persistent-net.rules; if you open it in a text editor you are presented with something like the following:

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", 
ATTR{address}=="00:0c:29:57:45:91", ATTR{type}=="1", KERNEL=="eth*", 
NAME="eth0"

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", 
ATTR{address}=="00:0c:29:e0:4a:11", ATTR{type}=="1", KERNEL=="eth*", 
NAME="eth1"

You can see that there are two network cards, one with MAC address 00:0c:29:57:45:91 and the second with address 00:0c:29:e0:4a:11 specified in this file. Further, looking back at the output of our ifconfig command, we see that the MAC address for eth1 matches.

Delete the line that refers to eth0 and the MAC address you no longer have (you can remove the comment as well). Update the second line so that the NAME is eth0 instead of eth1; then reboot.
I recommend that you reboot the system to ensure that the changes propagate correctly- it definitely makes subsequent configuration simpler if you reboot first.

There will be at least one other remnant on your system; if you use the graphical tool to modify your network settings, you will now see two options- "System eth0" and "Auto eth0"

Screenshot-Network Connections

If you edit the "System eth0" entry and check the MAC address, you will discover that it matches the MAC address that we have already removed. The "Auto eth0" entry has the correct MAC address, and can be used to configure the interface.

Why is there a difference? I just don’t know. Really, there should only be one eth0 entry. You can delete the "System eth0" if you want (this is what I did!) but this will cause us some minor trouble in a few steps. You can keep them both, though I don’t know if that will cause us trouble later.

To change the host name of the system, we edit the file /etc/sysconfig/network and modify the the HOSTNAME line. Be sure to enter the FQDN here; in my example, I will call the host "aurora" with parent domain "cosc.tu" giving me the file:

NETWORKING=yes
HOSTNAME=aurora.cosc.tu

Documentation is available in usr/share/doc/initscripts-9.03.27/sysconfig.txt.

You also need to modify the entries in the file /etc/hosts; in particular you need to make sure that all of the aliases for 127.0.0.1 are appropriate. As an example, we can set that file to look like

127.0.0.1   localhost localhost.localdomain aurora aurora.cosc.tu
::1         localhost localhost.localdomain aurora aurora.cosc.tu 

so that any of the four names "localhost", "localhost.localdomain", "aurora" and "aurora.cosc.tu" will refer to 127.0.0.1

At this point, you can reboot the machine. Mind you, this is not strictly necessary, as the changes can also be made live by using the hostname command. Note that changes made via the hostname comment only persist until a reboot when the configuration files are re-read. Nonetheless, I recommend rebooting (and checking that everything works as you expect) so that if something is amiss, you won’t have to wade through a large number of changes to the system to start debugging.

Now we want to modify the network settings for our interface. We can use the GUI, but we have seen that it got itself a little confused, so let’s look directly at the configuration files. The file we want is called /etc/sysconfig/network-script/ifcfg-eth0. What? It isn’t there? Remember that minor problem the GUI was going to cause- this is it. For whatever reason, getting rid of the spurious entry in the GUI removed this file. No matter, we can rebuild it. We have the technology.

DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="none"
HWADDR="00:0C:29:3C:21:1E"
NETMASK="255.255.255.0"
IPADDR="10.0.2.2"
GATEWAY="10.0.2.254"
TYPE="Ethernet"
USERCTL="no"
IPV6INIT="no"
PEERDNS="no"
DNS1="10.0.2.100"
DNS2="10.0.2.101"
DOMAIN="cosc.tu"

The meaning of most of these lines is self-explanatory. Just be sure that you have the right MAC address in the HWADDR line, or the system will whine a bit.

We haven’t yet set up a proper DNS structure yet, so the primary and secondary DNS server addresses are just dummy values; we will need to change them as well.

The simplest way to manage the firewall on the CentOS system is to use the provided GUI tool. Simply select System → Administration → Firewall. For the most part, the tool is self-explanatory.
Screenshot-Firewall Configuration

Setting up Ubuntu 10.04 Desktop

Ubuntu Desktop 10.04 also uses udev to manage devices, and will also retain vestiges of previous interfaces whenever the virtual machine is copied. The solution remains the same. Edit the file /etc/udev/rules.d/70-persistent-net.rules; remove the line corresponding to the MAC that is no longer present (see the output of ifconfig -a if you are not sure) and make sure that the NAME for the sole remaining interface is set to eth0; then re-boot.

Unlike our CentOS system, the Network Preferences GUI (System → Preferences → Network Connections) does not get quite so confused. Using that system to configure the IP address, gateway, and DNS server is straightforward:
Screenshot

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

Unlike CentOS, the firewall for Ubuntu is disabled by default; you can verify this by running

 seldon@capella:~$ sudo ufw status
[sudo] password for seldon: 
Status: inactive
seldon@capella:~$ 

In general though, this is not a problem, as desktop machines are not usually meant to have open ports. By default, Ubuntu 10.04 is only listening on TCP 631, and then only on localhost (127.0.0.1 and ::1).

If you don’t know, TCP 631 is used by the print manager CUPS on a Linux system; you can verify that all is as it ought to be by running a netstat and getting the PID of the process that opened the port:

seldon@capella:~$ sudo netstat -nlptv
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
      862/cupsd       
tcp6       0      0 ::1:631                 :::*                    LISTEN
      862/cupsd       

Ubuntu 10.04 does not have a graphical interface for the firewall in its default install; however one is available online.

To install it, you also need to install the menu package as well. Download both, and be sure to verify their MD5 hashes. Installation can be done via dpkg.

seldon@ubuntu:~$ md5sum ./menu_2.1.43ubuntu1_i386.deb 
e645e9719005931d541338f8d7539446  ./menu_2.1.43ubuntu1_i386.deb

seldon@ubuntu:~$ md5sum ./gufw_10.04.5-all.deb 
fc7d54931414a2a1a3d46ca971c13837  ./gufw_10.04.5-all.deb

seldon@ubuntu:~$ sudo dpkg -i ./menu_2.1.43ubuntu1_i386.deb 
[sudo] password for seldon: 
Selecting previously deselected package menu.
(Reading database ... 124218 files and directories currently installed.)
Unpacking menu (from ./menu_2.1.43ubuntu1_i386.deb) ...
Setting up menu (2.1.43ubuntu1) ...
Processing triggers for man-db ...
Processing triggers for install-info ...
Processing triggers for doc-base ...
Processing 26 changed 1 added doc-base file(s)...
Registering documents with scrollkeeper...
Processing triggers for menu ...

seldon@ubuntu:~$ sudo dpkg -i ./gufw_10.04.5-all.deb 
Selecting previously deselected package gufw.
(Reading database ... 124396 files and directories currently installed.)
Unpacking gufw (from ./gufw_10.04.5-all.deb) ...
Setting up gufw (10.04.5-0ubuntu0.1) ...
Processing triggers for desktop-file-utils ...
Processing triggers for python-gmenu ...
Rebuilding /usr/share/applications/desktop.en_US.utf8.cache...
Processing triggers for hicolor-icon-theme ...
Processing triggers for man-db ...
Processing triggers for software-center ...
Processing triggers for menu ...
Processing triggers for python-support ...
Processing triggers for python-central ...

Setting up Ubuntu 10.04 Server

Before we can get to setting up the server and its networking, we have a rather significant problem to overcome. For whatever reason, when Ubuntu 10.04 server is installed in a virtual machine, it chooses the wrong keyboard layout, one that disables or mismaps the various arrow keys. Since the server does not come with a GUI either, malfunctioning arrow keys make it extremely hard to navigate. Let’s fix the problem!

Log into the system, and then run

seldon@ubuntu:~$ sudo dpkg-reconfigure console-setup

This drops us to a setup program like the following
Ubuntu 10.04 Server- Hesperus-2013-01-20-16-25-08
All we need to do is to select the right keyboard and go from there.

Yes, you in the back with your hand up? "How can we select the keyboard if the arrow keys don’t work?" Yeah, I had that problem too. Tap the "g" key; this will select the first entry that begins with "g"; fortunately this a generic 101 key keyboard, and one that will work fine for us. Then tap the Tab key to move the focus to "OK", then hit return to select it.

A number of further option screens will appear, but I found the default to be fine for each- just a Tab and a return. When all is complete, it will update a few files, and your arrow keys will function.

With that problem out of the way, we can turn to configuring the system’s networking. The file /etc/udev/rules.d/70-persistent-net.rules needs to be modified in the same fashion as for Ubuntu Desktop; again I recommend a re-boot.

To modify the networking setting for the system, the file /etc/network/interfaces must be modified. The comments and the material on the loopback interface can be retained, but the configuration for the eth0 should look something like the following

auto eth0
iface eth0 inet static
address 10.0.2.4
netmask 255.255.255.0
gateway 10.0.2.254

We also need to specify the location of the DNS servers; they are in the file /etc/resolv.conf. Modify that file to that it looks something like

nameserver 10.0.2.100, 10.0.2.101
domain cosc.tu
search cosc.tu

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

Like Ubuntu desktop, the firewall for Ubuntu server is disabled by default. However, by default it has no listening processes, not even the CUPS printing daemon on localhost that we saw for Ubuntu desktop.

Setting up Mint 11

One nice thing about Mint 11 is that we do not have the trouble we have seen with the udev subsystem; copying a Mint 11 VM does change the MAC address of the interface, but we do not need to manually reconfigure entries from /etc/udev/rules.d.

To set up networking, you can either use the graphical tool we used to set up Ubuntu Desktop (found by navigating Menu → Control Center → Network Connections), or use the command line and modify /etc/network/interfaces and /etc/resolv.conf as we did for Ubuntu server.

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for before; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1

Setting up Windows Vista & Windows 7

When the system starts with the new MAC address, Windows will not know what type of network it is- Home, Work, or Public. We are going to be simulating various business scenarios, so in each case you should select "Work".

To set the networking, select the Start button → Control Panel → Network and Internet → View Network Status and Tasks. On Windows 7, select the Local Area Connection link, while in Vista select the View Status link. In either case, you end up with a dialog box like the following
Netstat

Select properties, then select Internet Protocol Version 4 (IPv4), and press the properties button from the following dialog
IP Properties

Fill in the required address data in the usual fashion:
IP Address

To set up the hostname for these Windows system, navigate to the Start button → Computer (right click) → Properties. You should end up with a dialog box roughly like the following (for Windows 7; the version for Vista is similar):

Computer Properties

In the section labelled Computer name, domain, and workgroup settings, select the Change Settings link; you end with a dialog box like the following:
Windows Name 1

Select the Change button to be presented with a dialog box to allow you to change the host name. Note that the hostname is different than the FQDN. Suppose that I want the FQDN of my system to be rhea.cosc.tu; then the hostname is rhea, while the primary domain suffix is cosc.tu. The hostname is specified in the hostname box, but to set the primary domain suffix you need to select the More button and make your changes there. The net result looks something like the following (you can click on the picture to embiggen)
Name Change

Changing the hostname does require a restart of the system.

All modern Windows systems come with an integrated firewall managed through the Control Panel. To configure it navigate Start → Control Panel → System and Security → Windows Firewall.

Windows 8

To set up our Windows 8 system, we need to find the Control Panel. From the Metro screen, right click, then select the "All apps" button. Scroll to the right, and then select "Control Panel".
Start Menu

Once you manage to locate the Control Panel, changing the network setting proceed as we did in Windows Vista and 7; navigate Network and Internet → Network and Sharing Center &rarr Ethernet → Properties.

Once the changes have been made, you will be on the Windows 8 Desktop; to get back to the Metro screen, press the Windows button on the keyboard.

To change the hostname, again right click on the Metro screen to select "All apps". Now right-click on "Computer" you will be presented with a context menu similar to the following:
Computer Properties 2
Select Properties and you will drop to the Desktop with a dialog box similar to what we saw for Windows Vista and Windows 7; in the section labelled Computer name, domain, and workgroup settings, select the Change Settings link and make the required changes.
Win8 Hostname

A restart is required.

The Windows 8 firewall is managed through the Control Panel as well in the same fashion as Windows Vista and 7.

Setting up Windows 2008 Server

The process of setting up networking and the system name is the same in both Windows 2008 and Windows 2008 R2.

When these systems first boot, you will be presented with the Initial Configuration Tasks dialog box:
WinBoot

Select the "Configure Networking" link. You will be shown all of the network connections on the system; at the start there should be just one, labelled "Local Area Connection". Right-click on it, and select properties; then select Internet Protocol 4 (IPv4) and select properties; you can then enter the IP address for the system as well as specify the DNS server the system should use.
NetSetUp

To change the hostname of the system, return to the Initial Configuration and Tasks dialog box, and select the link "Provide computer name and domain". The system name and primary domain suffix are changed just as we did for other versions of Windows. A re-boot will be required.

On Windows Server systems, you can manage the firewall by navigating Start → Administrative Tools → Windows Firewall with Advanced Security rather that going through the Control Panel.

Setting up Backtrack 5 R3

Unlike the other systems provided, the Backtrack image has been modified from its stock configuration. It has been fully updated as of mid-January 2013, and Metasploit has been updated to include all of the latest attacks, including the Java Applet JMX Remote Code Execution vulnerability (CVE 2012-0422) affecting Java 7 through Update 10.

After logging into the Backtrack system, you can start the graphical user interface by running

root@bt:~# startx

from the command line.

Backtrack systems use the same udev system that is used by other Linux distributions, and suffers from the same change of interface name every time the system is copied.If you want to simply use DHCP for networking, then no changes need to be made to the system. If you want to give your Backtrack system a static address, then we can proceed as before.

Update the file /etc/udev/rules.d/70-persistent-net.rules as before, and re-boot. Go ahead and modify the appropriate section in /etc/network/interfaces; you can set it to something like the following:

auto eth0
iface eth0 inet static
address 10.0.2.10
netmask 255.255.255.0
gateway 10.0.2.254

To specify the location of the DNS servers, update /etc/resolv.conf, and modify that file to that it looks something like

nameserver 10.0.2.100, 10.0.2.101
domain cosc.tu
search cosc.tu

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: