How to set up a software hacking lab - PDF download

by admin

I have had many nice comments on the article series on how to set up a software hacking lab. By popular demand I have grouped the articles in a document (.pdf). You can download the document here.

 

I have made some small changes to the text and fixed several spelling errors. I also added a table of contents for ease of use.

 

Happy hacking :-)

Using a BIOS password as security

by admin

What is it?

A BIOS password will make sure you need to enter a password when you make changes to the BIOS settings.

 

The most basic BIOS password will prevent people from making changes to your BIOS settings. In the BIOS you can define the boot order of hardware. In practice this means you tell the computer in which order to look for bootable data (e.g. Floppy -> DVD -> HDD). After your computer is first installed you probably want to only allow it to boot from your hard disk and disallow booting from USB or DVD. Removing these from the boot order will also speed up the boot process of your computer since it will not be checking these devices for bootable media.

 

Normally you will not have a need to boot regularly from DVD or USB since you could just as well install these operating systems on virtual systems. Once your PC has been properly set up the only reason to boot from other media would be in case of restoring a failing computer (e.g. Windows Rescue Disks) or if your computer has a failing hard disk. When this is the case you just go to the BIOS settings, change the boot order to include DVD or USB, enter the password and reboot.

 

Preventing changes to the boot order and removing DVD and USB (and floppy or anything else than hard disk) from the boot order will make sure your computer boots the OS as you have it installed and not something else. An attacker would need physical access in order to put some kind of media in your computer (e.g. A DVD disk).

 

Some BIOS manufacturers also allow setting a password that is needed simply to boot the computer: you need to enter this password every time you boot the computer, no matter what media you boot from. You could compare this to the login screen of the OS that you may have to pass after booting.

 

When do I need this?

I would advise setting a BIOS password on all laptops. Laptops are designed to be carried and are often left alone (e.g. in your hotel room) in places where you have little control over who has access. I would also advise doing it on all computers that are in public places or in places where there is little or no control over who has access, or where lots of people have access (e.g. workplaces).

 

I see less need for a BIOS password on servers that are in a data center; data centers usually have good access control and, as we will see, there are many ways to defeat a BIOS password. If an attacker is in your data center he can do far worse things than boot a DVD, he could simply steal your server :-)

 

Ways to defeat BIOS passwords?

There are many ways to defeat a BIOS password:

  • remove the CMOS battery to clear the password

  • reset the jumpers for the BIOS to clear the password

  • try one of the master BIOS passwords to bypass the user-set BIOS password

  • use a BIOS password cracking utility

 

As you notice, all these actions require physical access to the computer, and in the case of removing the battery or using the jumpers on the motherboard to clear the password the attacker would even need to open your computer. You cannot update a BIOS remotely on normal computer hardware; you can on some servers, but to my knowledge that requires extra hardware to be installed in said server. Most of these actions also take time (the exception being the master or generic passwords that manufacturers put in as back doors).

 

Conclusion

A BIOS password is a good investment since it takes very little time or knowledge to set up and it might stop an attacker since he will need a certain amount of time to get past the BIOS password (opening the computer or looking at the manufacturer and then trying possible master passwords takes time).

 

Also if the BIOS password is cleared it will be visible to you that an attack on your system has happened and you can take appropriate action.

 

If your BIOS allows you to set a password that is required for booting the computer I would certainly use that option, it will take an extra step to log in (you need to enter the password) but it does add an extra hurdle and more time for an attacker to gain access to your computer.

 

I firmly believe security should be layered and there should always be more than one level of protection on each functionality of your computer, therefore a BIOS password will always be a good investment. The fastest possible way I see an attacker getting past this security measure would include him knowing you use a BIOS password, a first investigation into who the manufacturer of your BIOS is, a search for the manufacturer master password(s) (it is possible that there are none for your BIOS), and then he needs physical access to your computer to (re-)boot, change the BIOS settings (using the password), reboot from other media, do his evil stuff, reboot and change the BIOS settings back to the original settings, reboot and put the computer back in the state it was in when he found it (probably powered down). I think this would take 10 minutes at the least.

 

I cannot tell you how to set your BIOS password since there are so many different BIOS manufacturers and versions out there but it should not be hard, just do some research before you start or have a second computer at hand to google when starting since of course you cannot use a browser while in the BIOS.

 

Further reading

How to secure computers - introduction to security

by admin

Goal

I will create a series of articles in which I will try to explain how to secure computers. You read that correctly: computers. This could mean an article on a Windows desktop or a Unix server and anything in between.

 

Since not every article will be of interest to you I created a category "securing computers" with a number of sub categories (Linux, Windows, personal computer (PC), server ...). That way you should be able to retrieve the articles of interest to you without having to scan through all of them.

 

Simplicity

Each article will be written in such a way that every level of experience might learn from it. Of course if you are a specialist in configuring firewalls you might not learn anything from an article on how to configure firewalls but then again I doubt such a person would be reading the article to start with, people with this level of knowledge will be reading more specialized blogs :-)

 

Updates & Patching

I'm not going to reiterate this anymore after this paragraph. There is a reason why software updates are published ... I would strongly advise you to keep not only your OS but all software on your systems up to date (also called "patching the software"). For most OSes this can be done in an automated way (e.g. the Windows update process) but for some software you will need to install those patches yourself once they become available (e.g. the recent patch for the Apache web server fixing the "range" issue).

 

There is a difference between updating (installing updates and patches) and upgrading (going to the next version of a piece of software).

 

Upgrading your OS (i.e. going to the next version) is also possible for certain OSes. I would not upgrade the first moment a newer version of the OS comes out unless you are sure this fixes some "burning" issue you currently experience. It is better to first read some reviews about the latest version and the problems encountered and then make an informed decision (e.g. you might not like GNOME 3 as installed by default in the latest Fedora 15 and might decide to stick with Fedora 14 for the moment). When it comes to upgrading software you might need to make the same considerations since a release of a software package might differ a lot in use from the previous one (a good example being MS Office when they introduced the "ribbon", which completely changed the menu structure people were used to).

 

Structure of the articles

Each article will not only clearly define what the threat is we are defending against but also how seriously you have to take this threat (e.g. putting a BIOS password on your desktop at home will only help against people that have physical access to said desktop; if you consider this threat low because you have sufficient physical security in place (such as good locks on windows and doors) you might not want to bother with this). I will also give an estimate of the implementation time of the solution and whether it really adds security or not.

 

Security through obscurity

When we want to secure a computer there are a number of things we can do. Some of these things add real security (e.g. a properly configured firewall) and some just make it harder for a villain to access your computer. This can be done by obscuring information, such as not displaying the version of PHP running on a web server or not displaying that you are using PHP at all. You could even add misinformation, such as displaying that you use PHP when you are actually using Ruby on Rails. This does not add any real security BUT it does add a cost for someone trying to gain access to your machine.
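As an added example (not code from the original post), here is a small shell check for exactly these disclosures, plus the session cookie name PHP uses by default; it assumes the response headers have been captured from your own test server (for instance with curl -sI) and an Apache httpd with mod_php when it names the settings that remove them.

```bash
#!/bin/sh
# Added example, not code from the original post. Flags response headers that
# reveal the web server version or the use of PHP, which is what the post
# suggests hiding. The settings that remove them (assumption: Apache httpd
# with mod_php; other servers have their own directives) are:
#   httpd.conf : ServerTokens Prod      -> "Server: Apache" with no version
#                ServerSignature Off    -> no version footer on error pages
#   php.ini    : expose_php = Off       -> no "X-Powered-By: PHP/x.y.z"
#                session.name = sid     -> any name other than PHPSESSID

# Constructed sample headers: a server with default settings, and the same
# server after the changes above.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.2.17 (Fedora)
X-Powered-By: PHP/5.3.6
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Set-Cookie: sid=abc123; path=/
Content-Type: text/html'

# header_leaks: reads raw response headers on stdin, prints one line per
# disclosure found; returns 0 when nothing leaks, 1 otherwise.
header_leaks() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        name=$(printf '%s' "$line" | cut -d: -f1 | tr 'A-Z' 'a-z')
        value=$(printf '%s' "$line" | cut -d: -f2- | sed 's/^ *//')
        case "$name" in
            x-powered-by)
                echo "leak: X-Powered-By reveals '$value'"; leaks=1 ;;
            server)
                # a slash means a version string, e.g. "Apache/2.2.17 (Fedora)"
                case "$value" in
                    */*) echo "leak: Server reveals version '$value'"; leaks=1 ;;
                esac ;;
            set-cookie)
                case "$value" in
                    PHPSESSID=*) echo "leak: default PHP session cookie name"; leaks=1 ;;
                esac ;;
        esac
    done
    return $leaks
}

# Stand-alone demo on the constructed samples (no network access needed).
printf '%s\n' "$LEAKY_HEADERS" | header_leaks || echo "default configuration: information leaks"
printf '%s\n' "$HARDENED_HEADERS" | header_leaks && echo "hardened configuration: nothing revealed"
```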

 

This might be important when dealing with script kiddies (they will not be able to gain access since they are not running the correct scripts against your server) or to deter criminals; after all a criminal is driven by the economic gain he could achieve (e.g. stealing credit card numbers from your server to sell) and if the cost of achieving this (because it takes too much time) is higher than the estimated gain then the criminal will look for another target. This is also true in physical security (e.g. your home): you do not need to be impenetrable, just more expensive to gain access to than other targets close by that are of equal value.

 

One exception to this rule is a determined person. In case you manage to piss off one or many person(s) that have the technical knowledge to gain access to your system and they are pissed off enough not to be bothered by the time it takes to gain access then basically you are f*cked since it will be very difficult to keep such a person out. After all the time you can spend on securing your computer is probably less than what they will spend on trying to break in; also you need to plug each security hole and they have to find only one ...

How to set up a software hacking lab - part 3 - networking

by admin

This is the final article in the series on how to set up a software hacking lab.

 

Setting up internal networking in virtual box

Now that we have a number of virtual machines installed we need to set up our environment. Some distributions set their own IP address (e.g. De-ICE) and in some distributions the network is turned off by default (e.g. Backtrack). In case you use a virtual machine like the Samurai WTF and use the attack and target programs in that distribution itself you do not need to set up a network.

 

The targets you have installed yourself such as BadStore.net however need to be attacked from another virtual machine (or from the host machine but I advise against that). Since this is a vulnerable application we want to make sure the outside world has no access to it. In virtual box this can be done using 'internal networking'. When a virtual machine is set to internal networking it cannot make connections to the outside world, this adds a layer of security to our host. Internal networking will work using an internal DHCP server to assign IP addresses to your virtual machines.

 

Setting up internal networking in virtual box is a two step process, first you need to enable the option and assign a range of IP addresses that can be used by the virtual machines. This needs to be done on your hosting system.

 

Open up a terminal window (in windows it should work in a DOS box but I have no experience with this) and type this command:

 

VBoxManage dhcpserver add --netname intnet --ip 10.10.10.100 --netmask 255.255.255.0 --lowerip 10.10.10.101 --upperip 10.10.10.254 --enable

 

This will enable the virtual box server to assign IP addresses to virtual machines, the IP addresses will be between 10.10.10.101 and 10.10.10.254. For more information on setting up the DHCP server within virtual box have a look at the official website.

You can use almost any range of IP addresses but I suggest sticking to the ranges suggested in RFC 1918 - Address Allocation for Private Internets.

 

Now we can assign the internal network to our virtual machines, this is quite easy: in the Virtual Box Manager go to the settings of the virtual machine you want to run (in my example I'm setting up a BlackBuntu and BadStore.net) and in the network section you just select 'Internal Network'. I left the default name since I used it in the previous step (in the --netname parameter).

Virtual Box Network Settings

 

Now we open BadStore.net and Blackbuntu and wait until both have booted. I included a screen shot showing the BlackBuntu virtual machine. It has a terminal where I ran the ifconfig command to see the IP address of my BlackBuntu, I did a ping to 10.13.13.105 to see if the BadStore.net was up and I opened a web browser and navigated to the BadStore.net web page.

 

BlackBuntu networked

 

Hacking can start from here :-)

 

Moving data

Sometimes you may want to move data between virtual machines. You can use the built-in virtual box options using shared folders for this but I think it is better to use tools you might actually need in real life. To move data between the different virtual machines in an internal network you can use the scp (secure copy) command; to log in to a virtual machine you can use the ssh command (in case it is a Linux box).

 

Using these commands will help you a lot since these are things you might often need to use in real life, keeping these commands in memory can save you a lot of time.

 

Update the virtual machines

When you are in internal networking mode in a virtual machine it cannot reach the outside world, this also means it cannot get updates (e.g. for the operating system). It can be useful to put the virtual machine back to NAT from time to time and update the OS or get updates for tools you might use. This is again quite easy, go to the settings of the desired virtual machine and switch the network settings back to NAT, do the updates and then shut down the virtual machine, change the settings back to internal networking and you're done. In theory this can be done without restarting the virtual machine by using the network options (at the bottom right of the virtual machine screen) but I have noticed this does not work for all distributions and when you switch back to internal networking the IP address is not always refreshed.
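To tie the DHCP step and the NAT/internal-network switching together, here is an added shell example (not code from the original post): it validates the address range before it is handed to VBoxManage (the kind of check that catches a mistyped octet), switches a VM between internal networking and NAT with VBoxManage modifyvm, and reads the output of VBoxManage showvminfo --machinereadable to confirm a target is isolated before it is booted. It assumes the network name intnet from the post, VBoxManage on PATH, and a VM that is powered off when its adapter is changed.

```bash
#!/bin/sh
# Added example, not code from the original post. Helpers around the VBoxManage
# steps of this article. Assumptions: VBoxManage on PATH, the internal network
# is named "intnet" as in the post, and modifyvm is run on a powered-off VM.

# ip_ok ADDR : 0 if ADDR is four dotted decimal octets in 0..255.
ip_ok() {
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# rfc1918 ADDR : 0 if ADDR is in 10/8, 172.16/12 or 192.168/16.
rfc1918() {
    ip_ok "$1" || return 1
    set -- $(printf '%s' "$1" | tr . ' ')
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# dhcp_range_ok SERVER_IP NETMASK LOWER UPPER
# Sanity-checks the arguments of "VBoxManage dhcpserver add" as used in the
# post: every address well-formed and private, all in one /24 (the post's
# netmask), lower below upper, and the server address outside the lease pool.
dhcp_range_ok() {
    [ "$2" = "255.255.255.0" ] || { echo "only a /24 netmask is handled here" >&2; return 1; }
    for a in "$1" "$3" "$4"; do
        rfc1918 "$a" || { echo "bad or non-private address: $a" >&2; return 1; }
    done
    [ "${1%.*}" = "${3%.*}" ] && [ "${1%.*}" = "${4%.*}" ] ||
        { echo "addresses are not in one /24" >&2; return 1; }
    [ "${3##*.}" -lt "${4##*.}" ] || { echo "lower must be below upper" >&2; return 1; }
    if [ "${1##*.}" -ge "${3##*.}" ] && [ "${1##*.}" -le "${4##*.}" ]; then
        echo "server address $1 lies inside the lease pool" >&2; return 1
    fi
    return 0
}

# add_lab_dhcp SERVER_IP NETMASK LOWER UPPER : the post's first step, guarded.
add_lab_dhcp() {
    dhcp_range_ok "$@" || return 1
    VBoxManage dhcpserver add --netname intnet --ip "$1" --netmask "$2" \
        --lowerip "$3" --upperip "$4" --enable
}

# set_net VM intnet|nat : the post's second step, and the temporary switch to
# NAT for updates (switch back to intnet before the target is booted again).
set_net() {
    case "$2" in
        intnet) VBoxManage modifyvm "$1" --nic1 intnet --intnet1 intnet ;;
        nat)    VBoxManage modifyvm "$1" --nic1 nat ;;
        *)      echo "usage: set_net <vm> intnet|nat" >&2; return 2 ;;
    esac
}

# vm_is_isolated : reads "VBoxManage showvminfo <vm> --machinereadable" on
# stdin; 0 only if no adapter is in a mode that can reach the host's networks.
vm_is_isolated() {
    ok=0
    while IFS= read -r line; do
        case "$line" in
            nic[0-9]*=*)
                mode=${line#*=}; mode=${mode%\"}; mode=${mode#\"}
                case "$mode" in
                    none|null|intnet) ;;
                    *) echo "${line%%=*} is '$mode', target is not isolated" >&2; ok=1 ;;
                esac ;;
        esac
    done
    return $ok
}

# Constructed sample of showvminfo output for a target left on NAT after an
# update, and for the same target back on the internal network.
SAMPLE_NAT_INFO='name="BadStore"
nic1="nat"
nic2="none"'
SAMPLE_INTNET_INFO='name="BadStore"
nic1="intnet"
intnet1="intnet"
nic2="none"'

# Stand-alone demo (no VirtualBox needed): the post's range passes, a range
# with a mistyped octet is rejected, and the NAT sample is flagged.
dhcp_range_ok 10.10.10.100 255.255.255.0 10.10.10.101 10.10.10.254 && echo "range ok"
dhcp_range_ok 10.10.10.100 255.255.255.0 10.1010.101 10.10.10.254 || echo "range rejected"
printf '%s\n' "$SAMPLE_NAT_INFO" | vm_is_isolated || echo "switch back to intnet first"
```

Run "VBoxManage showvminfo <vm> --machinereadable | vm_is_isolated" before starting a vulnerable target after the update round trip the post describes.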

 

Now that we have connected the different virtual machines together the software hacking lab is set up.

Why start counting at 0 (zero)

by admin

I got the question recently why I start counting article series at number zero instead of one. This is actually a very good question. I have several reasons to start counting at zero:

I have been a developer for more than 10 years.

In a lot of programming languages counting a series (e.g. an array) starts at zero, meaning the first element is at position zero. Such programming languages are called 'zero-based'. There are other programming languages that are actually one-based (the older Visual Basic, up to version 6 I believe) but since I do not use any of those, counting from zero comes naturally to me.

It is a natural way of counting things

If you are born you are not one year old, in fact you are zero years old, we do not express ourselves like that (maybe because zero has a negative connotation in many cases) but rather we would say we are one month old.

 

It is a psychological thing

Before you start doing something (like building a hacking lab) you must first decide to start. In recent studies the fact that you decide to start (and actually do the start) is considered as half the work. In these studies it is claimed that a difficult problem or a huge work can be best tackled by just starting on it. Do not get me wrong, this does not mean that there is no need for some kind of thought process such as design. In fact the act of deciding that you start creating a design for something is what I consider step zero. Deciding to do something shows some form of commitment and is thus quite an important step in tackling a problem or doing a huge amount of work.



I hope this explanation gives you some insight into why I always start counting at zero and not at one and why while reading my blog you might NOT want to skip the articles that are numbered zero :-)

How to set up a software hacking lab - part 2 - attack tools

by admin

Prerequisites

This is the third installment and we are nearing the finish line, actually we are halfway. The next article will explain you how to actually use your hacking lab and I guess that is the article everyone is waiting for.

 

Attack tool selection

I use the same classification for attacker tools that I used for the targets:

  1. complete distribution: this is a complete OS and all software needed is already installed on it

  2. software: these are tools that we need to install on an operating system

  3. custom build: these are the programs you have written or customized yourself

 

The three categories are ordered by ease of install, the complete distribution being the easiest to install in a virtualbox.

 

Distributions

When it comes to distributions with attack tools things get rather easy, there are a couple of well known ones that should provide you with all the tools you need. Whenever one of these does not have the right tool (or perhaps the latest version of a tool) you could install the tool itself in one of your vanilla virtual boxes (more on that later).

 

For the sake of completeness I will repeat the distributions that were already mentioned as targets:

 

OWASP Live CD

There are also a lot of tools such as the Zed Attack Proxy on this distribution.

Get it here.

 

Samurai WTF framework

This distribution has very good attack tools that are also included in the Backtrack distribution and is meant to learn to hack web applications.

Get it here.

 

These are some of the most well known attack tool distributions:

 

Backtrack

Perhaps the most well known. There are tons of tutorials and videos on how to use the tools in this distribution and Backtrack is also used in courses (such as the Offensive Security course) that are well respected. All these things make me believe that you should at least have a virtual machine with Backtrack and use it from time to time. Backtrack is not the easiest distribution to start working with.

Get it here.

 

BlackBuntu

Blackbuntu is distribution for penetration testing which was specially designed for security training students and practitioners of information security. It features regular updates and it is based on Ubuntu.

I like the fact that there are regular automated updates.

Get it here.

 

Operator

This distribution is based on Knoppix and has a strong focus on network related security and tools.

Get it here.

 

There are many other security distributions, however more important than the distribution are the tools that are in it. I think that Backtrack has quite a good collection and any tool missing on there could easily be installed on another virtual box or in your Backtrack distribution. I keep a few of the other distributions to use when a tool that I need does not work from the first try in Backtrack.

 

Software

There is a huge amount of tools and scripts written by security researchers and the like. Many of these do not appear on the security distributions. Once you start testing a web application more thoroughly you will need some of these specialized tools. Let's say you want to make sure your blog is secure: you have set up in a virtual machine a copy of your blog software (let's say WordPress) on a server similar to the one your hosting is using. You have used all kinds of tools and automated scanners from the distributions but you want to take things a step further. In that case you will want to run ALL scripts/scanners that look for all kinds of problems on your blog. There are several of these to be found (through google of course) and many of these might not be on any distribution since they are very specialized. These are the tools you will install yourself in a separate virtual machine or add to one of the distributions.

 

Take into consideration that installing them on (or adding them to) a distribution also means that you will need to re-install these when a new version of the distribution is released. On the other hand, if you do add it to the distribution yourself then all your attack tools are neatly stored in one virtual machine.

 

Personally I keep an ASCII text file with the extra tools I install, what version they are and on what virtual machine I installed them. If you put this list on Dropbox or (a private) Github then you will always have them ready.

 

Custom Build

Whenever you write your own test scripts and/or tools you should consider where to put them. I advise against putting them on your host machine. You probably want to put all of them in virtual machines AND keep the code on Dropbox or (a private) Github. Of course software you create at your workplace might not actually belong to you, so make sure you are not doing anything illegal ;-)

 

Another thing to think about is the use of those scripts/tools. Perhaps you are not the only one that is interested in them and as such it might be good to open source them and give back to the community that we are all part of by using these open source tools. The same goes for improvements and/or changes you make in any of the open source tools; the authors are usually very interested in how you use their tools and how they can improve them for you, so why not help them out.

 

Virtualbox settings

When you decide on the amount of HDD space you will assign to the virtual machines, take into account that they might grow with each update and extra tool installed, also some of the tools will generate rather large amounts of data. I advise for each attack virtual machine to have a dynamic storage of at least 20 Gb.

 

You will also need some 'vanilla' installs of, for example, an Ubuntu system where you can develop your own scripts and tools. Since you are developing these yourself you should know better than I what kind of specs you need, so I give you my specs as a reference:

  • Xubuntu (less resources needed than Ubuntu)

  • Dynamic HD storage of 15 Gb

  • 2 Gb RAM

  • 2 CPU's

     

I have several of these such as one with ruby 1.8.7 and another with ruby 1.9.2, it is possible to run these side by side but I prefer to spend time in testing web applications and writing test tools instead of tweaking my system to run several version of ruby, perl, python, PHP etc ... This is just a matter of making a conscious decision to spend as much time as possible on adding to my skill set as a security tester.

How to set up a software hacking lab - part 1 - targets

by admin

Prerequisites

OK, last installment we set up our hosting environment. For the sake of keeping this article simple I will presume you are using virtualbox to run virtual machines; any other virtualization software should work but the options might be called differently or not exist at all.

This article turned out to be rather long so bear with me, after all if it was easy to learn how to be a security tester or penetration tester everyone would do it ;-)

 

Target selection

Now it is time to look for some targets to install in our hacking lab. I will categorize the targets into three different types:

 

  1. complete distribution: this is a complete OS and all software needed is already installed on it

  2. software: these are targets that are programs that we need to install on an operating system

  3. custom build: these are the programs you have written or customized yourself

 

The three categories are ordered by ease of install, the complete distribution being the easiest to install in a virtualbox.

 

Distributions

Depending on exactly what you want to try out you will need to have different targets. I have compiled a small list of available distributions and what they can be used for; there is no need to install all of them right now, just install one that interests you to start with.

 

To install any of these distributions you should follow the install guides on their respective websites, it would be pointless to repeat all of them here. They will all follow the same basic flow:

 

  1. create a new virtual machine

  2. boot with the CD

  3. install

  4. remove install media from boot list

  5. done :-)

 

You could of course run the live CD's in a virtual machine and simply boot from the CD as you start your virtual machine, then you do not even need to install the OS on the virtual machine and you can save yourself some disk space on your HD should that be needed.

 

In case you are using virtualbox and you get stuck or cannot install any of these distributions then you should re-read the install instructions, if you are really unable to solve the problem, leave me a comment and I will try to see if I can solve your problem.

 

De-ICE

Several CDs with real life scenarios. Register on the forum http://forums.heorot.net/ How to use and test against the target is also explained in the forums, BUT do not read too much since it will ruin the experience if you see the answers!

 

Metasploitable

This one must be downloaded using a torrent so grab a copy here.

 

OWASP Live CD

The target here is WebGoat, a great beginner target. There are also a lot of tutorials and documentation available on this distribution. This CD also has a lot of attacker tools on it so if you just install this one you are ready to go ...

Get it here.

 

OWASP BWA

OWASP Broken Web Applications provides an image with several vulnerable web applications to test against.

Get it here.

 

Samurai WTF framework

Another CD with both targets and attacker tools. This distribution has several targets and is meant to learn to hack web applications.

Get it here.

 

Moth

Another distribution that is targeting web applications. The applications are protected by PHP IDS and/or mod_security so you can vary the difficulty of the exercises.

Get it here.

 

LAMPSecurity

This virtual image is designed to teach Linux, Apache, PHP, MySQL security and has several targets.

Get it here.

 

BadStore

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. The implementation was done with Perl.

Get it here.

 

Hackxor

The web application on this distribution tries to be more realistic and difficult than for example WebGoat.

Get it here.

 

Software

There is a huge amount of targets that can be found on the net. Since I'm myself primarily involved in testing web applications I can provide a list of good targets for that purpose. This list is by no means exhaustive and some searches on google will certainly provide you with more targets to test on.

 

Some of these web applications are already installed on one of the distributions mentioned before. I also added an indication of what programming languages are used so you can install something that is close to the application you want/need to test against in real life.

 

 

There are many others, if you have suggestions, please feel free to add them to the comments, I will personally try them as soon as I have time.

 

Custom Build

If you are setting this lab up within a company then you probably want to test your company's web applications. You could test these on a test server of your company but this could possibly disrupt the server and other applications installed on it if you run aggressive attacks against the web application or the web server. You could instead set up a virtual machine with the application installed in it. Since all these applications are custom built I cannot tell you how to install them.

 

Another thing you might want to do is test software from vendors or open source applications. I'm personally planning to test my blog software (I mean the software I use for blogging, I did not write that myself) so I will need to set up a machine with a standard web server and install the package on that. As soon as I get around to that I will post a detailed description of how that worked out and I will add the tests I did and my conclusions. I will use the same machine to make changes in the blog settings and for example the .htaccess file and check how that stops certain attacks.

 

On-line resources

There is also a plethora of online web applications that you can run tests against. Although these are valid targets I did not consider them in this series of articles because:

 

  1. they are not under your control

  2. you need to be online to run tests against them

 

Both these points make the online test application invalid test subjects in a hacking lab. A lot of these web applications are used to test automated scanners so a valid comparison can be made for these products. This subject is very interesting but I will not go deeper into it in this article as it is quite long already :-)

 

Virtualbox settings

I create virtual machines in virtual box using dynamic storage, this can save a lot of disk space. If you use fixed space then the virtual machine will take up that amount of space even if it is not used within the virtual machine. With dynamic storage you have to be a bit careful not to add huge amounts of data to several virtual machines as they could grow beyond the capacity of your HD. In my experience using virtual machines for testing this has never happened since we never add a lot of data anyway.

 

For each virtual machine I allocate between 1024 and 2048 Mb of RAM and 15 Gb of dynamic storage. Since I have an 8 core machine I also allocate 2 CPU's to most virtual machines. Allocation of RAM and CPU can be changed later on so if you do brute force password cracking you can temporary allocate more RAM and/or CPU's to that virtual machine.
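As an added example (not code from the original post), here is the same allocation expressed as VBoxManage commands, so a lab VM can be created from the terminal with a dynamically allocated disk, a RAM and CPU budget, and a boot order that is switched to hard disk only once the install is done (step 4 of the install flow above). It assumes VirtualBox 4.x syntax (createhd; newer versions spell it createmedium disk), an OS type id from VBoxManage list ostypes, and a VM name of your choosing.

```bash
#!/bin/sh
# Added example, not code from the original post. Builds a lab VM with the
# settings the post uses: dynamically allocated disk ("--variant Standard";
# "Fixed" would preallocate the whole file), a RAM and CPU budget, and a DVD
# drive to boot the install media from. Assumptions: VirtualBox 4.x-style
# VBoxManage on PATH ("createhd" is "createmedium disk" in newer versions),
# and an OS type id that "VBoxManage list ostypes" knows.

# vm_create_cmds NAME OSTYPE DISK_MB RAM_MB CPUS
# Prints the command sequence, one per line, so it can be reviewed (or piped
# through "sh -e") instead of being executed blindly.
vm_create_cmds() {
    name=$1 ostype=$2 disk_mb=$3 ram_mb=$4 cpus=$5
    [ "$disk_mb" -gt 0 ] && [ "$ram_mb" -ge 256 ] && [ "$cpus" -ge 1 ] ||
        { echo "vm_create_cmds: sizes must be positive (RAM at least 256 MB)" >&2; return 1; }
    cat <<EOF
VBoxManage createvm --name "$name" --ostype "$ostype" --register
VBoxManage modifyvm "$name" --memory $ram_mb --cpus $cpus --boot1 dvd --boot2 disk --boot3 none --boot4 none
VBoxManage createhd --filename "$name.vdi" --size $disk_mb --variant Standard
VBoxManage storagectl "$name" --name SATA --add sata --controller IntelAhci
VBoxManage storageattach "$name" --storagectl SATA --port 0 --device 0 --type hdd --medium "$name.vdi"
VBoxManage storageattach "$name" --storagectl SATA --port 1 --device 0 --type dvddrive --medium emptydrive
EOF
}

# vm_attach_iso_cmd NAME ISO : step 2 of the install flow, boot with the CD.
vm_attach_iso_cmd() {
    printf 'VBoxManage storageattach "%s" --storagectl SATA --port 1 --device 0 --type dvddrive --medium "%s"\n' "$1" "$2"
}

# vm_finish_install_cmds NAME : step 4 of the install flow, eject the install
# media and take it out of the boot order so the VM only boots its own disk.
vm_finish_install_cmds() {
    cat <<EOF
VBoxManage storageattach "$1" --storagectl SATA --port 1 --device 0 --type dvddrive --medium emptydrive
VBoxManage modifyvm "$1" --boot1 disk --boot2 none --boot3 none --boot4 none
EOF
}

# Execute the generated commands, stopping at the first one that fails.
vm_create()         { vm_create_cmds "$@" | sh -e; }
vm_attach_iso()     { vm_attach_iso_cmd "$@" | sh -e; }
vm_finish_install() { vm_finish_install_cmds "$@" | sh -e; }

# Stand-alone demo: the development box from part 2 (15 GB dynamic disk,
# 2 GB RAM, 2 CPUs), printed, not executed.
vm_create_cmds Xubuntu-dev Ubuntu_64 15360 2048 2
```

Dynamic storage means the 15360 MB is an upper bound, so the disk file only grows with what you put in the VM; adjust --memory and --cpus later with VBoxManage modifyvm when a brute force run needs more.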

How to set up a software hacking lab - part 0

by admin

This is the first in a series of articles on how to set up a software hacking lab. In this first article I will detail the goals and the means to reach those goals. The hacking lab we are setting up is all about software; it does not lend itself to hardware hacking.

As a personal goal I have set myself to become a (software) security tester. I wanted to start this without investing a huge amount of cash just in case I discover that this is not something I want to do ... This also means I will not start buying a lot of books and/or courses. I think I can get a basic level of knowledge using the information available on the internet. As soon as I decide that this is the 'thing' I want as a further career, I will of course need to do some investments but that is a point still far in the future.

 

Goals

What do we want to achieve with a software hacking lab?

In my case I wanted a place to train my skills and to eventually discover vulnerabilities in software. There were other considerations such as securing this lab from the outside world.

In order of importance this is the list of requirements I set for my hacking lab:

  1. Multiple systems to work from (as an attacker)

  2. Multiple targets to attack ranging from easy to hard

  3. The lab should be safe from attacks from the outside world

  4. It should be easy to maintain (both in updating systems and in adding/removing them)

The choice of systems to attack and to work from will be discussed in subsequent articles. Since we will be hosting a multitude of vulnerable systems we want to make sure that we do not open things up to the outside world, after all we do not want to be hacked ourselves :-) Also we want to easily add and remove systems from our lab.

When we look at all these requirements we can clearly see that installing a number of servers hosting all these systems in my living room or study would not be the most practical solution, not to mention the difficulty of selling this to my wife ;-)

We can however also go the virtual route and have all systems hosted on a powerful computer using multiple virtual machines. As luck would have it I have a rather powerful laptop (Intel i7, 380 GB HD and 8 GB of RAM) that I can use for this.

As an added benefit to using virtual systems we add some security to our lab: as long as the vulnerable systems are not running they cannot be hacked. It will be a matter of discipline to disconnect myself from all networks before starting these vulnerable systems.

Hacking lab setup

Now that we have decided to go with virtual machines we need to decide on the hardware and software for our host of the hacking lab.

Since we will be hosting A LOT of virtual systems we want each system and the hosting system to use no more resources than needed. We want to have as much processing power and memory as possible available for the hacking processes. This is needed mostly in case of doing brute-force hacking.

For my hosting system I decided to use Fedora 15. This is not the most lean of Linux distributions but it was already installed on my laptop and I did not want to re-install it. On my laptop I will be running a number of virtual systems so I will need some kind of software that makes this happen. I had some good experiences with VirtualBox from Oracle so I decided to stick with this.

It does not really matter what you use as a hosting system or what software you use for the virtual systems. If you have more experience with other software it is best to stick with that, after all our goal was to set up and maintain a hacking lab and not to learn new ways of hosting virtual systems. You could use Windows or Mac as a hosting system and use Virtual Machine or other software for the virtual systems. In the end this does not matter as long as you can install any software you want on the virtual systems.

I personally use open source software where I can and I will use free (as in gratis) software where I can. There is just one exception: I will need to have at least one system that runs a Microsoft Windows version since as a software hacker I will want to try my tricks against any possible target. Also you probably want to use an IIS (Internet Information Server) as a web server to host .NET web applications as targets. Since I do not own a copy of Windows at this moment this will not be included in my original lab setup. The same goes for Mac OS X since I do not own a Mac nor any Mac OS X license.

I know that it is possible to run Mac OS X on a virtual system (often referred to as a 'hackintosh' system), and I also think this is an interesting thing to do, but at this moment I have no plans to go and buy a Mac OS X license. If ever I get such a license, the setting up of the 'hackintosh' system will certainly be good ground for an article on this blog :-)

Use open source software

Although I'm not a fan of Windows and/or Mac OS, I also do not condone the stealing of software. It is a personal choice to use open source where possible. I will not install any pirated version of software; if I really do not want to pay for something like Windows then I will simply not use it in my lab, even if this limits my choice of systems that I can use and train my skills on.

Conclusion

To conclude this article, we have a setup for our hosting system that meets the requirements. In the next articles I will detail the systems that will be installed and the software used in my hacking lab.

Here are some of the things I will be able to do using my lab:

  • scan and attack web applications

  • scan and attack supporting servers (such as web servers)

  • scan and attack different operating systems

  • test new tools as they are released by security researchers

  • test and use security related distributions (such as BackTrack)

  • use many different versions of a piece of software and familiarize myself with them

This will enable me to position myself in my company or on the job market as a security tester who already has a certain level of knowledge.

I hope this has tickled your interest enough to follow the other articles in this series of 'How to set up a software hacking lab'. In any case, if there are any questions and/or comments do not hesitate to use the comment function at the bottom of this blog post.

Further reading

URLCrazy: is someone spying on your company?

by admin

Introduction.

This post was inspired after reading this article in PC World. I wanted to find a way to discover if anyone was spying on a company by abusing the fact that someone might send a mail to a company while making a typo in the domain name. Luckily for me Andrew Horton @ MorningStar Security has written a tool that we can (ab)use for this.

The tool is URLCrazy. This tool will generate a number of domain names that are typos of a base domain name. For each of these generated typo domain names the tool will try to find the A record and the MX records.

Using the tool.

I used the 0.4 version of the tool. My test machine was an Ubuntu 11.04 with Ruby 1.8.7 installed.

When using the tool to investigate the domain 'example.com' the tool comes up with these results:

[screenshot: URLCrazy output for example.com]

Investigating the results.

The first column "Typo Type" shows what kind of alteration was performed on the base domain name. For the purpose of discovering spies we can disregard this column.

The second column "Typo" is the domain name with the typo.

The third column "Pop" shows how popular this domain name is on Google. For the purpose of discovering spies we can disregard this column.

The fourth column "DNS-A" shows the IP address of the domain (if it has one).

The fifth column "DNS-MX" shows the name of any mail servers found serving that domain.

The sixth column "Extn" shows the top level domain for this domain (in some cases the second level is also present such as .co.nz).

We are interested not in squatters sitting on a domain that looks like ours but rather in domains spying on us by catching email meant for us. In order for this to happen the typo domain should have at least an IP address; after all, domains without an IP address cannot receive any emails. This means we can disregard any domains without an IP from the output. Some squatters actually do have IP addresses for their squatted domains, so for all remaining entries we need to weed the squatters out.
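The two steps described above (generating typo variants of a base domain, as the tool does, and then keeping only the results that could actually receive misdirected mail) as an added example in Python. This is not code from the original post nor from URLCrazy; the typo types, the keyboard-adjacency model, the column layout of the sample output and the sample records (addresses from the RFC 5737 documentation ranges) are all constructed here to mirror the columns the post describes.

```python
"""Typo-domain generation and triage in the style of URLCrazy's output.

Added example, not part of the original post or of the URLCrazy tool.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified QWERTY model: a key's neighbours are the keys left and right of it
# on the same row (assumption; the real tool uses a fuller keyboard layout).
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _adjacent(ch: str) -> str:
    for row in _ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(0, i - 1):i] + row[i + 1:i + 2]
    return ""


def typo_variants(domain: str) -> Dict[str, str]:
    """Return {typo_domain: typo_type} for a base domain such as 'example.com'."""
    name, _, tld = domain.partition(".")
    out: Dict[str, str] = {}

    def add(label: str, candidate: str) -> None:
        full = candidate + "." + tld
        if full != domain and full not in out:
            out[full] = label

    for i, ch in enumerate(name):
        add("Character Omission", name[:i] + name[i + 1:])          # exmple
        add("Character Repeat", name[:i + 1] + ch + name[i + 1:])    # exaample
        for nb in _adjacent(ch):                                     # ezample
            add("Character Replacement", name[:i] + nb + name[i + 1:])
        if i + 1 < len(name) and name[i] != name[i + 1]:             # exmaple
            add("Character Swap", name[:i] + name[i + 1] + name[i] + name[i + 2:])
    return out


@dataclass
class TypoRecord:
    typo_type: str
    typo: str
    pop: str
    dns_a: str
    dns_mx: str
    extn: str


# Constructed sample in the tool's six-column layout; widths chosen here.
_W = (22, 18, 5, 16, 23)


def _row(*cols: str) -> str:
    return "".join(c.ljust(w) for c, w in zip(cols, _W)) + cols[5]


SAMPLE_OUTPUT = "\n".join([
    _row("Typo Type", "Typo", "Pop", "DNS-A", "DNS-MX", "Extn"),
    _row("Character Omission", "xample.com", "0", "203.0.113.10", "mail.xample.com", "com"),
    _row("Character Swap", "exmaple.com", "12", "", "", "com"),
    _row("Character Repeat", "exaample.com", "3", "198.51.100.7", "", "com"),
    _row("Character Replacement", "ezample.com", "1", "192.0.2.44", "mx1.ezample.com", "com"),
    _row("Wrong TLD", "example.co.nz", "0", "203.0.113.77", "mx.example.co.nz", "co.nz"),
])


def parse_urlcrazy(text: str) -> List[TypoRecord]:
    """Parse fixed-width output by slicing rows at the header's column starts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    # A column name may contain a single space ("Typo Type"); columns are
    # separated by two or more spaces.
    starts = [m.start() for m in re.finditer(r"\S+(?: \S+)*", header)]
    if len(starts) != 6:
        raise ValueError("unexpected header: %r" % header)
    ends = starts[1:] + [None]
    return [TypoRecord(*[row[s:e].strip() for s, e in zip(starts, ends)]) for row in rows]


def triage(records: List[TypoRecord]) -> List[Tuple[str, bool]]:
    """Keep typo domains that can receive mail: (domain, has_mx).

    A domain with no A record is dropped. A domain with an A record but no MX
    is kept too: per RFC 5321 a sender falls back to the A record when no MX
    exists, so it can still receive mail (has_mx=False marks these).
    """
    return [(r.typo, bool(r.dns_mx)) for r in records if r.dns_a]


def resolve_a(domain: str) -> Optional[str]:
    """Live A-record lookup for a generated variant (not used by the sample)."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for domain, has_mx in triage(parse_urlcrazy(SAMPLE_OUTPUT)):
        print(domain, "MX" if has_mx else "A-only (implicit MX fallback)")
```

Each domain that survives `triage` still needs the manual checks from the rest of the post (WHOIS, a look at the website) to separate a squatter or a legitimate owner from someone collecting misdirected mail; the script only narrows the list to domains where misdirected mail would actually be delivered.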

There are two ways of doing this:

  • surf to the domain and look at it, if it is from a squatter then this will be indicated on the website (usually mentioning the domain is for sale)
  • use the WHOIS service (either through a website or using the command line) to see who registered the domain, in some cases this is not visible but the output will direct you to a website where this data can be requested

Of course it is possible that the typo domain is an actual website used by an honorable person/company. This we can also investigate by surfing to the website and having a look around. Now things are getting more difficult. It is possible that a spy sets up a valid-looking domain with a nice website.

There are some things we can investigate:

  • look through the whois data for the registrant
  • google the registrant
  • if the website is supposed to be from a company, look in official databases for the data for that company (e.g. the TVA number, accounting records)
  • if the company publishes an address then you can have a look using Google Maps or, if you know anyone living close by, have them go and take a look

Basically you want to go through the steps detailed in the "information gathering" phase of a penetration test.

So far all the investigation and the data gathered were obtained legally and ethically. If you are convinced a certain domain is used for spying you should take the data gathered so far to the appropriate authority and file a complaint.

Further reading.
