This topic has 29 replies, 8 voices, and was last updated 9 years, 3 months ago by YuckTheFankees.
September 26, 2011 at 1:37 am #6841
Preestar (Participant)
After watching some amazing hacking videos on SecurityTube I'd like to set up my own lab to practice on.
My main system runs Windows Vista 32-bit and I have VirtualBox installed, but my question is: do I just need to install Windows onto VirtualBox and then I'm good to go?
Which programs should I be downloading? I've seen a lot of Metasploit and Meterpreter being used, although the "ls" doesn't seem to work like in the tutorial....

September 26, 2011 at 3:16 am #42223
impelse (Participant)
I suggest you begin by installing BackTrack 5 in your VirtualBox and one Windows machine.
Here is a good site:
http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp

September 26, 2011 at 4:14 pm #42224
Triban (Participant)
Toss Vista 😉 For a future upgrade go with Windows 7 x64 and toss in more RAM. That way you can run multiple VMs without worrying about skimping on the resources. Some password bruteforcing is happy if it can get more RAM to run. BackTrack 5 will have all the tools you may need to start. Remember, you may not use all the tools or need all the tools, and tools don't make the hacker. They just tend to make the job a bit easier.
If you can, absolutely toss in a Windows victim machine. The majority of networks are running mostly Windows, so that is why you see more Windows exploits than any other. Pick up the De-ICE builds; they are Linux builds with vulnerabilities and challenges associated with them. They are designed to start out easy and then get more difficult as you work through them. Another nifty testing app is WebGoat; it turns your Windows XP system into a really vulnerable web site. Metasploitable is another; it is a Linux build created with exploits in mind for Metasploit attackers.
That should keep you busy for a bit 😀

September 26, 2011 at 8:19 pm #42225
Preestar (Participant)
Thanks 3xban. I already have BackTrack 5 on one VirtualBox VM and Windows XP Professional with SP3 on another, with Windows Vista 32-bit on my main computer.
Now everything I'm doing is legal because it is on my own computer, so please try to help me as much as you can. I really do want to get into this.
I am following this tutorial http://www.securitytube.net/video/1175 and he is extremely good at explaining stuff. I got to part 3 and then decided that I want to give this a try.
So I get to the part where he downloads the exploit from a site I won't mention here. Although my exploit is different, because the exploit he uses won't work on my XP Professional with SP3.
Here is the one I want to use. Why? I have absolutely no idea, but what the hell, try and learn, right? http://technet.microsoft.com/en-us/security/bulletin/ms11-071
So I open up the Metasploit console just like he does, but I think he already has the code saved on his computer because he types in something like "search dcom.1" and it finds it.
When I type in "search ms11-071" it doesn't find it, and I can't find the code for this exploit anywhere on the internet....
It's quite difficult to follow along with his video to the T because Metasploit has been updated since his video and some things have changed, but I don't expect it to be simple. Although any help would be greatly appreciated.

September 26, 2011 at 9:45 pm #42226
eccodom (Participant)
If you need to update your framework..

    cd /pentest/exploits/framework3/
    svn update
    msf > search ms11-071
    no results

That exploit has not been ported over to Metasploit yet, so a search turns up no results. Looking at http://www.metasploit.com/modules/ it appears the latest is MS11-050.

September 26, 2011 at 10:51 pm #42227
Preestar (Participant)
I'm making progress! I'm so close lol. I updated my msf just a little while ago and I thought let me just try and see if his exploit works on XP Pro SP3, which of course it never did, but it feels good to know I'm so close if I just had the correct exploit.
http://i51.tinypic.com/wclu86.jpg
For the doubters who think I'm not using my own computer to test.
p.s. thnx eccodom, I'll try that one
**EDIT** sorry, going a bit off topic now I know, but eccodom that exploit is quite different; I have to set the server host IP and address and it exploits something to do with Internet Explorer. I need something very basic. Thanks anyway.

September 27, 2011 at 8:52 am #42228
TheXero (Participant)
Preestar, if you can, set up an unpatched XP machine and try attacking it. The only way to properly learn this is practice.
Once you have access you can do all kinds of things.
Btw, where did you get that awesome logon screen for Win7 🙂

September 27, 2011 at 3:45 pm #42229
Preestar (Participant)
Sorry, me again..... I am looking through the Microsoft website for vulnerabilities that suit my Windows XP Pro SP3 machine and there are loads and loads, but none! Not one single exploit is listed in the Metasploit framework...
So I widen my search by typing in "search ms11", "ms10", "ms09" etc. so it refines the search by the year, and it lists lots of exploits, but they're for things like Windows Media Player, .NET Framework, Microsoft Office and such.
I wish there was a way to search specifically for vulnerabilities with Windows XP Pro SP3 in Metasploit...

September 27, 2011 at 4:01 pm #42230
Triban (Participant)
Install an old version of Adobe Reader and you will have something to exploit 😀
Edit:
Also you can check out http://www.exploit-db.com/ to search there for exploits; MS won't always have the most updated list of security vulnerabilities. They publish what they found or have proven to be vulnerable and have a fix for (sometimes). And http://seclists.org/bugtraq/ can also help you.

September 27, 2011 at 4:17 pm #42231
Preestar (Participant)
Thanks x3ban, but I have checked those sites before. Basically, to put it simply, I am trying to find an exploit that will work for Windows XP Professional SP3, as that's what my VirtualBox system is running. It's annoying because in Metasploit you can't actually search for a list of exploits that work for xxx system; you can only search for that specific exploit by name like MS11-xxx.
Thanks anyway, I'll keep having a look around.

September 27, 2011 at 6:30 pm #42232
Triban (Participant)
Understandable, though if you think about it, there are very few times where you will find a plain-jane install of XP w/ SP3 with no other applications installed in a production environment. Like I had mentioned, start tossing on unpatched Office, SQL Express or Adobe Reader and work at exploiting those rather than attacking the workstation directly.

September 27, 2011 at 8:16 pm #42233
Preestar (Participant)
So do you mean downloading these programs to my main computer and running exploits on them? I can't get into the XP on my VirtualBox without running an O/S exploit first?
I'll have a look around and see if I can get some unpatched software like you said, but it may prove difficult.

September 28, 2011 at 12:09 am #42234
Triban (Participant)
Nah, install them on your virtual XP box; you should be able to do that without a problem. Why can't you get into your XP box on your VM? You installed it, right? Why don't you have access to it?

September 28, 2011 at 1:05 am #42235
Preestar (Participant)
Yes, of course I have access to it, but don't I have to hack it from my other VirtualBox VM running Linux, or can I just log into the VirtualBox VM running XP and start exploiting stuff?

September 28, 2011 at 1:41 am #42236
cd1zz (Participant)
Depends what you're trying to test. If it's a remote exploit, you'd do it remotely. If you're testing a local privilege escalation exploit, for example, you'd be local. There is a slew of options here depending on the case. If you just want to get your feet wet, look at the MS08-067 bug, but make sure you don't have a patched XP box since it was patched long ago. The Metasploit module is pretty reliable and you can begin to familiarize yourself with the framework.
You should probably also pick up the latest Metasploit book that just came out; it's a great reference guide for beginners.

September 28, 2011 at 1:15 pm #42237
Triban (Participant)
Yeah, you lost me. Let's back track...
You have an XP SP3 VM that you want to exploit, correct?
But you can't find any modules in Metasploit that work, right?
What is the patch status of your XP VM? SP3 fixed a good amount of security holes, so review the dates. Also some of those MS security notices may require other services/applications to be fully exploited, which is why I suggested installing a few other apps on the victim XP system. Old versions of Adobe Reader, Java etc...

September 28, 2011 at 1:40 pm #42238
Preestar (Participant)
Yes that's correct 3xban, sorry if I'm confusing you. My victim PC is a Windows XP Professional with Service Pack 2. The reason being is that I couldn't find any ISOs that had no packs or just Service Pack 1, so I had to go with that one.
I am going onto the Microsoft website and searching for exploits that work for Windows XP Professional with SP3. Now, on the Microsoft website it lists many exploits for that O/S, but when I search for the same exploit on Metasploit it isn't there, so how can I exploit this O/S if Metasploit doesn't have any exploits?
If you can find me a good trusted download for Windows XP that is totally unpatched, that would be awesome!
I see some exploits for things like Windows Media Player and Adobe Reader etc. but I can't think why you would ever wanna exploit these programs? What can be achieved......

September 28, 2011 at 1:57 pm #42239
cd1zz (Participant)
While Metasploit is a great tool, it's not the end-all be-all for exploitation. Here are some notes about what to do when there isn't a Metasploit module:
Just because Microsoft releases a security update doesn't mean there is publicly available exploit code. It simply means someone found a bug (either internally at MS or externally) and they're patching it. Not all bugs are exploitable.
You'll have to become very good at searching for public exploit code if you want to be good at this. Until you can discover your own bugs and write your own exploits, you'll have to find publicly available exploit code; that is the key.
For starters, and just to get you pointed in the right direction, run a vulnerability scan on your victim and get a list of all the patches the box is missing. If you're using Nessus, make sure you use a credentialed scan so you get every patch it's missing. From there, start searching the internet for exploit code. You can use securityfocus.com, exploit-db.com, packetstormsecurity.org and http://www.osvdb.org for a few examples.

September 28, 2011 at 4:05 pm #42240
Preestar (Participant)
Great, thanks for those links, I shall look into that. One thing that puzzles me though is I have found exploit code on websites such as exploit-db but I don't know how to actually use it once I download it. Is there any way to add the code to the Metasploit module list?

September 28, 2011 at 6:11 pm #42241
cd1zz (Participant)
What exploit are you looking at?
I think you might need to slow down and think bigger picture here. If you're not really sure how to exploit the box, you're probably not really sure how or why the exploit works. You really need to know, "OK, I've found a vulnerable version of 'X' software on my victim, and I know this because I've banner grabbed the service.... and now I see some code that is a buffer overflow for this specific version... (do you know why buffer overflows are problematic?)... and because I know all that, I'm going to run the code to exploit the vulnerable service and get a shell...."
See where I'm going? If you want, provide the exploit-db link and I'll give you some pointers.

September 28, 2011 at 6:36 pm #42242
Triban (Participant)
Also, many of the modules in Metasploit have been added by the community. Don't focus on popping shell on everything; although that is what you want to try and get in most cases, it is not necessarily the keys you are looking for. Popping shell on one system may be the first step in gaining a foothold in the environment, as well as doing additional recon to discover your true target.
The reason why one would want to exploit the applications is because the bug/exploit available for them will pop shell. For instance, Metasploit has a number of modules for Adobe Reader. Some will help you create a bogus PDF or web link that will exploit a bug in older versions of Reader and allow the attacker to get a reverse shell using Meterpreter.
In most cases you will see MS say the bug "could" allow remote code execution. This does not necessarily mean you will gain remote access, but you can use the exploit to drop code that will allow you remote access.
Like cd1zz says, sometimes you need to take a step back and look at things as a whole. An excellent book to take a look at is Professional Penetration Testing. It goes into a bit about some tools, but what it ultimately provides is great insight on the pen testing process. It also has a number of challenges that use WebGoat, De-ICE VMs and Hackerdemia.

September 28, 2011 at 6:52 pm #42243
Preestar (Participant)
Thanks to both of you. I'm definitely going to have to take a step back and read some. I saw one video of one exploit and thought wow, this is so easy, I'll just follow this video and success.... sadly that is not the case lol.
I don't know what a shell is, I don't know how they work, I don't know why buffer overflows work and I don't truly understand buffer overflows.
Gonna go back to the basics, which is reading, getting an understanding of why this stuff works and how it works, which should give me a much better understanding.
Thank you so much for all your help guys, much appreciated.

September 28, 2011 at 6:57 pm #42244
TheXero (Participant)
Preestar, check out my PenTest video where I attack a client using an outdated version of Internet Explorer in order to compromise the machine and eventually the rest of the network.
~TheXero

September 28, 2011 at 7:33 pm #42245
cd1zz (Participant)
That's the idea Preestar. Go get a copy of Counter Hack Reloaded and that will open your eyes. That was the first book I read that really put everything into perspective for me.

September 28, 2011 at 10:26 pm #42246
Preestar (Participant)
Nice video TheXero, clearly you remember all of the payloads, commands and their uses off by heart lol, whereas I have no idea what any of that stuff means. Therefore I need to do some reading.

September 29, 2011 at 1:28 pm #42247
Triban (Participant)
It is a lot to take in, which is why you don't typically see too many testers that don't already have a strong background in some facet of IT. I am nowhere near the level to be a full pen tester, but I know enough background, due to my years configuring firewalls, sniffers, servers, workstations etc., to understand what I am looking at and how to defend against it. And it's tough when you want to play in the arena with tools like Metasploit or create scripts to assist you with gaining shell access (shell is basically command line access to a system). But you sometimes need to step back and realize that to be good at some of these fun projects, you need to fill up on some background requirements so they are useful. If you want a good challenge, try to crack something without the use of a tool, using only what you have. Remember, someone had written these tools to make their life easier and we all benefit immensely from it.

September 29, 2011 at 1:58 pm #42248
Preestar (Participant)
I wouldn't know where to begin to crack something with no scripts or hacking programs etc.

September 29, 2011 at 2:52 pm #42249
Triban (Participant)
Which is what separates us from the pros. You can use scripts, but you gotta write them yourself 😉

October 1, 2011 at 4:02 pm #42250
hayabusa (Participant)
Yeah... The ability to write scripts is important, and will come with time and experience. Just make sure, as I'd noted in the one other thread today, that you also spend time on the existing tools (Nmap comes to mind, but all tools in general), learning how to use them, what they do "under the covers" (not just run this to get 'xyz' result), and really get familiar with them. Even the best still rely on existing tools, too. The difference is in the level of understanding around those tools.
Videos help. Books help. Professional networking helps (meeting like-minded IT security pros, like those of us at EH-Net, who will openly discuss with you, and teach you). Get yourself into a mindset that "This is what I want, so I will wholeheartedly pursue learning and growth."
You WILL reach new levels. Just stay focused.

October 11, 2011 at 12:34 am #42251
YuckTheFankees (Participant)
Preestar,
Just like you said, I had to take a step back and actually take in how much it really takes to be a pentester. I had all the same questions: "what is a shell", "buffer overflow wtf", etc.
I felt I learned a lot faster by watching videos after I read the material, so you "kind of" know what they are talking about in the video.