Title: Pentesting the computer of a friend
Post by: H1t M0nk3y on May 11, 2010, 07:16:03 AM

Hi everyone,
A friend of mine (actually, a co-worker) wants to play a little game with me: we both want to set up a web server at home and try to hack each other. Since we are both web app developers, we think it would be a good exercise for us to learn both the defense and the attack of such servers.

We will install a VPN so we can do our stuff without alerting/disturbing anyone else. However, we plan to secure our servers as much as we can so having them face the internet (instead of using a VPN) wouldn't be a big worry for us. Finally, we will give each other written permissions before we start doing anything.

My question is: If we wouldn't use a VPN and our server would be serving web pages on the internet, could our scans, brute force attacks, etc disturb other people? Here I think more of our respective ISP (and possibly others?). What could we do to mitigate the risk of getting into trouble instead of using the VPN? Maybe it doesn't make any difference?

I want to add that I will use a VPN regardless of the answers and we both have no malicious intention whatsoever. We want to compete, that's all!! ;D

Title: Re: Pentesting the computer of a friend
Post by: j0rDy on May 11, 2010, 07:27:45 AM

this seems like a fun game! good luck and you better win, cause i will be cheering for you ;)
if you direct your scans/attacks directly at the system of your friend, you don't have to worry about disturbing other people. this happens all the time on the internet by other people. think of automated zombies scanning for other victims, black hats scanning full domains for vulnerable systems, script kiddies who don't know what they're doing, and don't forget windows machines that generate weird traffic just for no reason at all. This blends in with what is called "internet static" that doesn't disturb anyone and is just "there". if you just focus on the machine at hand, and not anything ISP related (like DNS poisoning), you will be fine...

Title: Re: Pentesting the computer of a friend
Post by: hayabusa on May 11, 2010, 08:01:45 AM

My only note would be that IF you bypass the VPN route, I wouldn't be doing your port scanning, etc, on the open network. When done over VPN, it's all tunneled across the single port / connection of the VPN, whereas, if you port scan, openly, on your internet connection, many ISPs will disconnect you, and possibly terminate your service. I know my home ISP has strict policies, forbidding port scanning, etc, and WILL close out my service if I perform those activities from home. (Thus, the VPN to keep it looking "legit", when I test things from home.)

Title: Re: Pentesting the computer of a friend
Post by: H1t M0nk3y on May 11, 2010, 08:15:59 AM

So I guess you are both right. If my ISP doesn't care about me scanning servers, then I would be fine.
I will read their policies if I do scan servers in the future. Is Hayabusa the only one warned or blocked by their ISP?

Title: Re: Pentesting the computer of a friend
Post by: chrisj on May 11, 2010, 10:15:33 AM

"if you port scan, openly, on your internet connection, many ISPs will disconnect you, and possibly terminate your service. I know my home ISP has strict policies, forbidding port scanning, etc, and WILL close out my service if I perform those activities from home."

My ISP acts a little different. If I run NMAP against my work's firewall (usually after I make big changes to it), AT&T moves the box out from behind the firewall, and leaves it wide open to everything. I've only had the one box, so I don't know if they do it to the whole network. I do know that the TV, DVR and surfing the web don't work right when they do it. Their status message says there is a firewall behind their firewall. Please fix or set up a dmz.

Title: Re: Pentesting the computer of a friend
Post by: ajohnson on May 11, 2010, 03:32:48 PM

"Is Hayabusa the only one warned or blocked by their ISP?"

I was going to warn you against this as well. Some ISPs prohibit this completely while others will sell you a premium service where those types of activities are acceptable. I'd definitely check with your ISP before doing anything.

Title: Re: Pentesting the computer of a friend
Post by: j0rDy on May 12, 2010, 03:47:21 AM

i have done a couple of pentests from my home, and haven't got into any trouble with my ISP. so it depends on the ISP. i'm sure there is an answer to this in the FAQ of your current ISP. i know mine is too busy capping newsgroup bandwidth from the leechers so they are forgetting about us ;D

Title: Re: Pentesting the computer of a friend
Post by: delusion on May 12, 2010, 03:54:44 AM

Hey that sounds really fun!! and cool! I need to get me a hacking buddy!!
Enjoy the game duuuude, let us know of your battles, defeats if there are any and your victories!! Enjoy!!

Title: Re: Pentesting the computer of a friend
Post by: Ketchup on May 12, 2010, 08:30:16 PM

With some ISPs, you never know what they are blocking at any given moment. This tends to throw off your results.

Title: Re: Pentesting the computer of a friend
Post by: Equix3n- on May 12, 2010, 11:28:56 PM

My ISP is apparently too busy to block anything. I haven't heard a single instance of them blocking someone or some scan because it looked malicious. Neither have I seen any mention of blocking malicious scans in their policy and FAQ. So I guess I'm free to do whatever pleases me.

Title: Re: Pentesting the computer of a friend
Post by: What90 on May 13, 2010, 12:03:37 AM

@hitmonkey
We did a similar thing to help a friend practice pentesting. He started getting a lot of hostile scans on those web services, which ended up being quite annoying and chewed up bandwidth. In the end we set up a VPN from where he could SSH into a local machine running BT4. From there he could attack the systems in peace and quiet.

Title: Re: Pentesting the computer of a friend
Post by: H1t M0nk3y on May 13, 2010, 07:01:14 AM

Thanks guys,
Ketchup, I didn't think of ISP blocking stuff, but it makes so much sense... I am still learning a lot!!! :'(

I will be very busy for another month or so (I am finishing OSCP...), but we should create a little game among some of us. This could be a great way of learning, making contact and having fun!

Title: Re: Pentesting the computer of a friend
Post by: j0rDy on May 14, 2010, 03:10:53 AM

i think there are more people on this board interested in starting such a showdown (at least i am). maybe it's an idea to team up with other members and start an EH.net wide game?

Title: Re: Pentesting the computer of a friend
Post by: chrisj on May 14, 2010, 11:20:44 AM

"i think there are more people on this board interested in starting such a showdown (at least i am). maybe it's an idea to team up with other members and start an EH.net wide game?"

Some problems I see with doing that (not that it wouldn't be fun).
1) you'd have to create an EH DMZ (where the vpn terminates and only allowing access to the hack boxes).
2) you have to trust the people you give access to.
3) having a large enough pipe to support the traffic (I'm running an ftp server for a martial arts school from home).

Title: Re: Pentesting the computer of a friend
Post by: H1t M0nk3y on May 14, 2010, 01:57:43 PM

@chrisj: I was thinking of using SSL certificates at both ends of the VPN connection for dual authentication. This way, I will know who is connected. But this only works amongst friends. A nickname in a forum isn't really a person you can trust...
Also, the goal is to have a very secure box. So even if it were wide open to the internet, it wouldn't be too bad (at least, for this box). But you are right, a VPN ending in a DMZ would be better.

Title: Re: Pentesting the computer of a friend
Post by: chrisj on May 14, 2010, 02:12:03 PM

"A nickname in a forum isn't really a person you can trust..."

Aww... you can trust me. My forum nick is my real name (well part of it). :) First Name Last Initial. ;) (also the first "corporate login" name I ever had).

Title: Re: Pentesting the computer of a friend
Post by: Equix3n- on May 14, 2010, 11:40:52 PM

Even my real name is not difficult to find if you're on twitter ;)

Title: Re: Pentesting the computer of a friend
Post by: Ketchup on May 15, 2010, 04:12:29 PM

You can totally trust me 8)

Title: Re: Pentesting the computer of a friend
Post by: chrisj on May 15, 2010, 05:54:06 PM

One of the things I'm thinking about, is the events that happened during the Off-Sec game. People changing passwords when they got in.

Title: Re: Pentesting the computer of a friend
Post by: H1t M0nk3y on May 17, 2010, 07:10:12 AM

Hey, no offense guys! I would definitely play the game with you guys. I trust you guys for what you have written on this forum. But, you know, security "best practices" isn't about signing certificates for people you have met on a "hacker" forum... ;)

Title: Re: Pentesting the computer of a friend
Post by: j0rDy on May 18, 2010, 07:20:35 AM

when you think of it that way, it's a good initiative somebody makes the connections (in this case mentor/student) for you...