
Host OS for security PC


alucian


Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Thu Sep 09, 2010 7:22 am

Host OS for security PC

Hello guys,

I will have a new computer at work to use for external scanning (mainly web applications). Also, I want to use it to expand my knowledge. I want to install a few virtual machines on it (vulnerable ones) and try to exploit them. Basically it will be an intel q7 with 4 GB of RAM.
I was thinking that my host OS will be Backtrack 4 instead of Windows 7. The reason for this choice is that it will ease all the scanning I will do (external net and VMs).

Do you think that this is a good idea?
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Sep 09, 2010 7:40 am

Re: Host OS for security PC

Why don't you use a more general distro and add tools to it as you need them? You might get more out of your learning experience if you roll your sleeves up and get your hands dirty.
The day you stop learning is the day you start becoming obsolete.

sil


Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Sep 09, 2010 8:26 am

Re: Host OS for security PC

alucian wrote:
> Hello guys,
> I was thinking that my host OS will be Backtrack 4 instead of Windows 7. The reason for this choice is that it will ease all the scanning I will do (external net and VMs).
>
> Do you think that this is a good idea?


I have a couple of questions regarding this because I'm either more ADHD prone than I thought, confused, or your explanation/choice is a little off.

1) What difference does it make what the host OS will be? You state "ease all the scanning I will do". What kind of scanning are we talking about here?

Windows runs:
NMAP (Network)
Wikto (Webserver)
netcat (Cygwin is your friend)

Linux runs:
Same as above just s':Wikto:Nikto:g'

How does using Linux ease all your scanning? Unless there is some particular "scanning" that can ONLY be done on Linux that I'm unaware of, I fail to see the overall goal here. You can mix and match however you want and still retain the same results. My current lab machine for the moment (due to moodswings) consists of the following:

Windows Vista Host
Backtrack guest
Bitblaze guest (static malware analysis)
Debian (Exeros for those who've seen it on a video... It's a VoIP pentest customized distro I butchered together)
FreeBSD guest
Remnux guest (GREM coming next year)
SuSE guest (runs any CMS web based stuff I throw up)
TinyCore guest (mini butchered Backtrack like box I cobbled together fits nicely on a USB)
Debian guest (running my SIEM)
Windows 2003 Advanced, 2003 Enterprise, 7 Ultimate, 2008 server

Personally I don't see how ANY host makes a difference, you still have your virtualized guest to do whatever you want/need to do. Placement of "who's on first" does little as they ALL can accomplish the same things when you get down to it.

As for DVL, I choose to create and interact with labs that I create. This accomplishes more than just "fire and forget" targeted victims. By going through the motions of, say, getting Oracle's Beehive server up and running, I get to go through the motions as an administrator to understand how it's built, what it does, what makes it tick and how it interacts. Where it logs, WHAT does it log, HOW does it log and so on. Understanding this allows me to create a more granular attack canvas in which I can attack, watch and defend all in parallel.

For example, I'll create a simple goal and focus on it.

1) Windows server will run something from say PeopleSoft

a) Valuable insight is gained by going through the installation phase. I can throw on something like Snare on the Windows machine to write out to the SIEM to see how the attack would look. This helps me to understand not only how to defend against an attack, but how to tinker with variables to make me more covert. (Timing is everything)

b) There may be some tools ONLY available on Windows that I may choose to use.

c) I can fire up Wireshark or Omnipeek on the machine to see what the network stack looks like in the event I need to go back to say fuzzing, db hacking (SQL injection, etc.)

2) Linux machine will attack

a) Linux/BSD, doesn't matter to be quite honest. I can use them both equally and have metasploit running on FreeBSD and Windows as well to be honest, most of the times I won't need to even run metasploit unless I'm after a specific. Tools are tools are tools.


3) SIEM will store and correlate data while I'm attacking

a) SIEM is important to me (I use OSSIM for this, by the way). In case I don't have a bird's-eye view 100% of the time, the information on my attack is recorded. I can go back into events and see what occurred in real time as well. This again allows me to defend and understand WHAT may trigger alarms. I can shoot Snare logs over to it and do some interesting stuff like "real world" intrusion prevention. This means I can learn how to use another tool to defend against an attack, e.g. in brainlike-command-mode:

  Code:
if this_attack_occurs; then
   login_to_machine_being_attacked && run_this_command_for_defense
else
   run_and_study_more
fi


Lessons learned? A lot more than I would by solely aiming tools at a pre-defined, vulnerable machine. Nothing to really be learned at the end of the day that is applicable. I don't mean this in a harsh way, I'd rather spend more time focused on a semi-real-world test. DVL may be good for the beginners, but I honestly feel that it gives an up-and-coming pentester false assurance.

It really isn't ALL about tools as much as it is about understanding. Did you know that outside of "human errors", server misconfigurations are the second cause of a compromise? Sure, we can say "duh... server misconfig is a human error". However, what are you going to do if you don't even know where the configs are? Because I went through the process of installing ProgramX on a machine, I'd know to look for, say, a variable named "connectedhost" in:

/path/to/ProgramX/include/programx.conf

This saves me a lot of time in the long run and ensures I can get in and out quickly without setting off alarms trying to figure out what processes are running, whether or not a targeted application allows for hooking (WinDBG/Olly are your friends here). I think there is more to be gained in creating your own environment. After a few months/weeks/years, depending on one's capacity to understand and remember, it becomes easier. Create a game plan to understand, not one to fire and forget random tools without understanding how they work as a whole.
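A worked version of the detect-and-respond sketch above, added here as an example and not part of sil's post: it correlates constructed Snare-style logon-failure records from a Windows 2003 lab host forwarded to a SIEM and returns either a "defend" decision naming the source to block or "study". The sample data, the simplified field layout, event id 529 (Windows 2003 logon failure) as the trigger, and the five-failures-in-a-minute threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured data): a Windows 2003 lab host forwarding
# Security-log events to a SIEM. Simplified Snare-style tab-separated fields:
# timestamp, host, event id, audit outcome, source IP.
SAMPLE_EVENTS = """\
2010-09-09T08:26:01\tWIN2003LAB\t529\tFailure Audit\t192.0.2.10
2010-09-09T08:26:02\tWIN2003LAB\t529\tFailure Audit\t192.0.2.10
2010-09-09T08:26:02\tWIN2003LAB\t528\tSuccess Audit\t192.0.2.25
2010-09-09T08:26:03\tWIN2003LAB\t529\tFailure Audit\t192.0.2.10
2010-09-09T08:26:04\tWIN2003LAB\t529\tFailure Audit\t192.0.2.10
2010-09-09T08:26:05\tWIN2003LAB\t529\tFailure Audit\t192.0.2.10
2010-09-09T08:40:00\tWIN2003LAB\t529\tFailure Audit\t192.0.2.77
"""

LOGON_FAILURE = "529"          # Windows 2003 Security log: logon failure
THRESHOLD = 5                  # failures from one source that count as an attack
WINDOW = timedelta(minutes=1)  # ...within this sliding window (assumed values)

def parse(text):
    # Turn each record into (time, host, event id, outcome, source).
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, eid, outcome, src = line.split("\t")
            events.append((datetime.fromisoformat(ts), host, eid, outcome, src))
    return events

def correlate(events, threshold=THRESHOLD, window=WINDOW):
    # The 'this_attack_occurs' test: {source: peak count} for sources with at
    # least `threshold` logon failures inside any window of length `window`.
    failures = defaultdict(list)
    for ts, _host, eid, outcome, src in events:
        if eid == LOGON_FAILURE and outcome == "Failure Audit":
            failures[src].append(ts)
    alarms = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alarms[src] = max(alarms.get(src, 0), end - start + 1)
    return alarms

def decide(events):
    # The sketch's branch: an alarm names sources to block on the attacked host;
    # no alarm means keep running tests and studying the logs.
    alarms = correlate(events)
    if alarms:
        return {"action": "defend", "block": sorted(alarms)}
    return {"action": "study", "block": []}
```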

alucian


Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Thu Sep 09, 2010 6:17 pm

Re: Host OS for security PC

Thank you for the answers.

I will definitely create a lab using sil's advice. My choice of Backtrack was because it takes fewer resources than Windows, and, also, it will be easier to use it (on a single monitor) to test the VMs. At the same time I am afraid that it will introduce new vulnerabilities ???

Anyway, I really want to become a better security specialist, so doing hands-on testing seems to me a good way to go.

Again, thank you!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP

pseud0


Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Thu Sep 09, 2010 7:18 pm

Re: Host OS for security PC

Don't lose sight of what your primary role is meant to be. Dropping Backtrack onto the system as the main OS would be fine if you're going to be using it more as a penetration testing platform, but you stated in the opening paragraph that this system is meant to scan your organization's web apps. This will often mean you'll be using commercial tools (AppScan, Hailstorm, etc.) rather than open source tools, and those commercial tools generally do not play nicely with non-Windows OSs. They also can get a bit wonky if you run them out of VMs. Using Windows as the host OS in this case will let you meet that need while also stacking VMs as needed for your personal development.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

alucian


Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Sep 10, 2010 10:35 am

Re: Host OS for security PC

For the beginning I will use open source tools, until I can convince them to buy a commercial one.
As you probably know, it is not so easy to convince management to buy another tool when you have one that sounds similar; for most of them Nessus and AppScan are both vulnerability scanners, so why pay for the other one.

Worse is that we have AppScan (at least this is what they told me, because I am new in the company) but they only use it once a year. The reason is that the scan caused a few databases to crash, and for them it is easier to avoid the scan.

Thanks!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP

mallaigh


Jr. Member

Posts: 65

Joined: Fri Jul 16, 2010 12:36 am

Post Fri Sep 10, 2010 11:42 am

Re: Host OS for security PC

alucian wrote:
> I will definitely create a lab using sil's advice. My choice of Backtrack was because it takes fewer resources than Windows, and, also, it will be easier to use it (on a single monitor) to test the VMs. At the same time I am afraid that it will introduce new vulnerabilities ???


I'm guessing you will need to run Windows for something, at least for documentation. What is the difference if Windows sucks up some RAM running natively or in a VM?

If you are running Windows XP, there is a Virtual Desktop Manager (by MS) for having multiple desktops like you do in *nix.  http://www.microsoft.com/windowsxp/down ... rtoys.mspx

I know there are similar tools for Vista/7 too, I just don't have a recommendation for which to try.
Last edited by mallaigh on Fri Sep 10, 2010 11:59 am, edited 1 time in total.

nixfreak

Newbie

Posts: 3

Joined: Mon Feb 15, 2010 1:34 pm

Post Sun Mar 27, 2011 1:45 pm

Re: Host OS for security PC

Yeah, I know it's an old post but hopefully it's helpful.

Always use some sort of *nix-based distro for your host.
Now you could try Proxmox for your host: http://pve.proxmox.com

which uses KVM (kernel virtual machine), which is based on Qemu, so it will allow you to load any kind of OS including Windows, except for 95 because it's DOS based.

Then you could play and tinker with multiple OSs at the same time and network them together and hack on them.

If you want a great OS to lean on try http://archlinux.org

My 2 cents.
