Creating target servers in a lab

<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 26, 2010 8:07 am

Creating target servers in a lab

I am finally starting my "Hacker Club" in a high school close to where I live. I met with the director and a teacher and everything has been approved! :)

I would like to create a few targets for the students to practice on. I will be using De-Ice Live CDs, OWASP broken web apps, etc. for the "teaching" part, but I would very much like to create my own targets for when it comes to CTF and other challenges and competitions among them.

This is all volunteer work and I do this for the kids and for me to learn how to set up labs and stuff like that.

We have access to a computer room. Each student will have his own PC. They will also be able to bring a laptop if they want. VMPlayer is already installed and we will add Backtrack. In addition, because it is a "Cisco" class, they have 2 networks and many routers, switches, etc.

I would like to create VM images for them to bring home and practice against (instead of live targets...). BTW, this post isn't about ethics or things like that. Don't worry, they will sign a waiver and I will put A LOT of emphasis on what they should and shouldn't do...

I want to create easy targets, but not too easy at the same time...  :P

So what would you recommend?

1) Which Linux distro to start with?

Probably a mix of different ones, including one or two Windows boxes in the class.


2) How should I approach it?

I thought of having targets:

a) Built for specific purposes, like a DNS server, a web server, a mail server, etc.
b) But I could also create only one target with many services installed...
c) Or having a little DMZ (in the class only, hard to replicate for them at home)


3) How can I judge the target complexity?

I don't want them to be too easy or too hard... Maybe multiple ways of getting in?


It is fairly easy to set up a server. But I think it is difficult to set up a whole lab with just the appropriate level of complexity...

So any thoughts?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Aug 26, 2010 8:44 am

Re: Creating target servers in a lab

I think the good folk @ Heorot would be able to get you going on a framework. But I'll chime in on how I would set it up on a different scale/methodology.

Divide and Conquer
3 Windows guests (2003, XP, 2007)
3 Nix guests (CentOS, FreeBSD, OpenSolaris)

The three Windows hosts would represent a semi real world environment in the sense that many businesses have 2003 Server for servers (duh!/doh!), XP as a typical desktop and some with 07 as a desktop.

The desktops can be used with non-admin accounts whereas the students could study client side attacks to escalate. The servers would run IIS with a "known to be exploitable" CMS system on them.

On the Nix side of things, the harsh reality of going with CentOS is that RHEL is used heavily in corporate environments. If you can get your hands on older versions of RHEL, say RHEL9, then you'd be good to go. Same rules apply. Configure a couple of applications that are vulnerable. Say a Linux server running a vulnerable version of Hylafax locally, an exploitable version of Nagios or Cacti. Maybe even Joomla or Wordpress. For the kernel, I'd head over to exploit-db and look up "local escalation" +kernel +Linux and place a vulnerable kernel on. Users would have low privileges and need to work their way up the food chain. Same goes for Solaris.

On the FreeBSD side of things, I'd block all but ONE machine from connecting to it and have FreeBSD doing something (say NFS, etc.) where a machine needed to connect to the FreeBSD machine. The only way in would be to compromise either a Linux or Windows box and work your way in to a non-privileged account on FreeBSD and work your way up as well.

This is the compromise phase, right... Twist... I'd have them document what steps and procedures as well as tools they used and pair them up... Once someone passes their goals, they'd now have to mop up the vulnerabilities, defend the box and either swap off with another student to see if they've locked down the box well enough or if they've failed and not understood the attacks.

Analogy
If you've ever watched a cooking show, you'd see that chefs are mess makers. Sure they cook great meals, but the goal of a chef is to create a tasty masterpiece. He doesn't care to clean up his mess. After all that's what he has assistants for.

On the flip side of this, rarely does one become a chef without going through the assistant phase of mopping the floor, gathering all the ingredients, etc., it's a learning process.

My distorted thought process
By making them not only compromise but yet lock down the machines, they'd need to familiarize themselves with "events" and "logging." I'd have them watch in parallel events in Windows and logs in Nix. This will allow them to understand what is going on when they attack. It can enable them to see what a vigilant admin/engineer would see as an attacker was trying to work their way in. In doing so, they learn what to look for as well as gain an understanding of how to try to be more covert in their actions. At the same time they learn "the art of the compromise", they'd learn a little about incident response and forensics (to a minute degree).

After all is said and done, they should be able to effectively get an account, document and explain HOW they got the account. Document and explain what they tried (if they did) to make themselves more covert. Document and explain steps THEY would take to defend the castle.

However, this approach is sort of like I guess the OSCP on steroids maybe. Think about it. Compromise + Defend are like oil and water. Likely to overwhelm your students.

Extra points
Compromise a machine with NO DOWNLOADED TOOLS. Use whatever you make available to them on a separate clean Nix machine. No NMAP, no use of metasploit, no automated Wikto/Nikto/etc scanner. Just hardcore terminal action ;)
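
As an added example (not part of sil's post or of the original thread): a small script for the log-watching half of the exercise described above, summarising failed and accepted SSH logins per source on a Nix target. The sample log lines are constructed in the common OpenSSH syslog format, and the function name `review_auth_log` and its `threshold` parameter are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (lab addresses only).
SAMPLE_LOG = """\
Aug 26 09:01:11 target1 sshd[2101]: Failed password for invalid user admin from 10.0.0.23 port 40112 ssh2
Aug 26 09:01:13 target1 sshd[2101]: Failed password for root from 10.0.0.23 port 40113 ssh2
Aug 26 09:01:15 target1 sshd[2103]: Failed password for student from 10.0.0.23 port 40114 ssh2
Aug 26 09:01:20 target1 sshd[2105]: Accepted password for student from 10.0.0.23 port 40115 ssh2
Aug 26 09:05:02 target1 sshd[2130]: Accepted publickey for teacher from 10.0.0.5 port 51515 ssh2
Aug 26 09:07:40 target1 sshd[2144]: Failed password for teacher from 10.0.0.5 port 51520 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def review_auth_log(text, threshold=3):
    """Summarise sshd logins per source and flag a success after repeated failures."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(), "flag": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication line
        s = stats[m["src"]]
        s["users"].add(m["user"])
        if m["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"] += 1
            # A login that succeeds after `threshold` or more failures from the
            # same source is the first thing the defending student should review.
            if s["failed"] >= threshold and s["flag"] is None:
                s["flag"] = f"{m['user']} accepted after {s['failed']} failures"
    return dict(stats)

if __name__ == "__main__":
    for src, s in sorted(review_auth_log(SAMPLE_LOG).items()):
        print(src, s["failed"], "failed,", s["accepted"], "accepted,",
              "users:", sorted(s["users"]), "|", s["flag"] or "no flag")
```

Students on the defending side can run it against the target's real auth log after an attack round and compare the summary with the attacker's written notes.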
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Aug 26, 2010 8:51 am

Re: Creating target servers in a lab

Set up something that mimics an enterprise network and use multiple targets (absolutely - make them pivot). Use both Windows and *nix and have infrastructure services (DNS/DHCP), SNMP, database, mail, web, and FTP servers, etc.

CentOS is essentially non-branded RHEL, so that will probably be closest to what you'll see in most corporate environments. I think it's a waste of time to obsess over things like that. Linux distros are far more similar than they are different. You can get Apache or whatever else running on anything from CentOS to Ubuntu. Just pick something and go with it. Use a mix; make them work.

You should make the "flags" be pieces of information. Don't give them points simply for compromising a machine. What did they do with it once they owned it? Did they go through a user's home directory and see that there's a text file which appears to be a password in the same directory as a Truecrypt file?

Don't make everything easily accessible. Connect the database server directly, and only, to the web server. Make them retrieve database information via the vulnerable web app or by compromising the web server in some other way.

It's your project, be creative! I'd say the closer you can design a real (small-scale) enterprise network, the more beneficial and interesting it'll be. If you don't have a lot of experience doing something like that, it'll be a good experience for you too.

Edit: Bah, beat by sil! Oh well, I think I had a unique idea or two in there. No regrets! :D

Edit 2: That's a good idea to make them lock it down as well. You could do a red-team/blue-team exercise and have one team be on offense and another be on defense.
Last edited by dynamik on Thu Aug 26, 2010 8:55 am, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Aug 26, 2010 8:58 am

Re: Creating target servers in a lab

dynamik wrote: Edit: Bah, beat by sil! Oh well, I think I had a unique idea or two in there. No regrets! :D


pfft... I have a curl script posting for me!!! ;)

@dynamik... Just ordered a few days back:

Information Security Governance (Brotby)
http://www.wiley.com/WileyCDA/WileyTitl ... tents.html

Balanced Scorecard Step-by-Step: Maximizing Performance and Maintaining Results by Paul R. Niven
http://search.barnesandnoble.com/Balanc ... 0471780496

Going to give that a break though for now and get back to it in June 2011. Going to focus on malware studies for GREM and maybe do a dual GREM / CREA (IACRB).
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 26, 2010 9:34 am

Re: Creating target servers in a lab

Many great ideas!!

I particularly liked:

The desktops can be used with non-admin accounts whereas the students could study client side attacks to escalate. The servers would run IIS with a "known to be exploitable" CMS system on them.


I'd have them document what steps and procedures as well as tools they used and pair them up... Once someone passes their goals, they'd now have to mop up the vulnerabilities, defend the box and either swap off with another student to see if they've locked down the box well enough or if they've failed and not understood the attacks.


By making them not only compromise but yet lock down the machines, they'd need to familiarize themselves with "events" and "logging." I'd have them watch in parallel events in Windows and logs in Nix. This will allow them to understand what is going on when they attack.


document and explain HOW they got the account


You should make the "flags" be pieces of information. Don't give them points simply for compromising a machine. What did they do with it once they owned it? Did they go through a user's home directory and see that there's a text file which appears to be a password in the same directory as a Truecrypt file?


Don't make everything easily accessible. Connect the database server directly, and only, to the web server. Make them retrieve database information via the vulnerable web app or by compromising the web server in some other way.



I will implement these ideas!!

As dynamik mentioned:
If you don't have a lot of experience doing something like that, it'll be a good experience for you too.


This will indeed be a very good experience for me. This is the #2 reason why I am doing this (after helping teens learn how to do this properly: in a lab!!!).

I intend to learn a lot from this experience. As you know from other posts, I may not be the most experienced at this, but I love it and I am very motivated!!! ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 26, 2010 9:40 am

Re: Creating target servers in a lab

In addition, half of the students won't know what UDP is...

So I will start slowly and I will make sure I can keep them interested by having them have "little successes" early on. But I want them to UNDERSTAND what they are doing. Not just type "exploit"...

What would be easy and fun things to do first? Sniffing passwords with ettercap? Crack a WEP key (we have a few wireless routers)? Use Metasploit?

I think I should alternate between 1) easy and cool and 2) harder and useful things...
Last edited by caissyd on Thu Aug 26, 2010 9:55 am, edited 1 time in total.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
