Building Your Own Hack Lab
Network security is considered a self-taught dark art, like lock picking. Just like lock picking, if you want to be good at it, go purchase a lock and start picking. Going to your neighbor’s pad and trying to pick their lock is frowned upon in most court systems. The same goes for network security: if you want to be good at it, build your own lab and start practicing. It is very important to hone your skills on your own gear and never ever on the Internet with someone else’s stuff.
I have always liked astronomy. I read every book I could find in our small school about the stars and planets. At night, I would go outside and just look up in amazement at the incredible vastness of space. I really did not know what I was looking at until I purchased a telescope some 30 years later. Book knowledge could only get me so far. Once I had practical experience with a scope, that knowledge was taken to the next level and became a passion.
Many times in the field today, I bump into folks who could really stomp the taters out of anyone with their command of network security knowledge, but ask them to show you what they are talking about on the console and they will change the subject quicker than I change our phone number when my mother-in-law finds it out…which reminds me, I need to call the phone company. We call these folks “paper tigers” and that is certainly something you do not want tattooed on your arm next to the tribal USB key entangled in Cat6a cables ink.
The point of this paper is for you to avoid the mistakes I have made in building out my own hack labs. Looking back, my life’s quote seems to be: if anything is worth doing, it is worth over doing! I did not say overachieving, I said over doing. For example: playing video games is worth doing; purchasing 10 commercial grade upright video games and turning my basement into an 80’s style arcade is overdoing. When I started building out my hack labs, much like today, there were no guidelines or advice, so in my typical fashion, I overdid them and made them so big and complex that they just ended up in a ton of frustration at the start and a pile of cash wasted. No need for you to make those mistakes and have to explain all the stuff to your wife; save that argument for your future boat or sports car.
Before we get started, please remember the hack labs are islands. Do not connect them to any other network or to the Internet. Pen testing can get out of control fast, especially with newer methods and tools. Protect yourself from future trouble down the road and never ever physically connect a hack lab to another network. There are basically three types of base hack labs to increase your pen testing skills:
– Simplex Hack Lab. This is the best one to get started on. Simplicity is the key here; you are just trying to get used to the tools and their behavior. This lab starts with the basics:
  – Pen Testing machine. Installed with your hacking tools to get started with. I recommend starting out with a port scanner like SuperScan for Windows or Nmap for Linux, then understanding the results and options for the scanner before moving on to other methods of enumeration.
  – Network Switch. If you can swing it, get a Cisco switch. Now I work for Cisco and I am not trying to turn this into a marketing paper. Cisco has the majority of switches out there; understanding behavior through a Cisco switch just makes statistical sense. Not required of course, just a recommendation.
  – Target to hack. This is your server installed with only one operating system. Use an OS you know to get started. Laptops are more portable for road demos, but laptop or desktop does not matter. Use server software though and not workstation software. Install default services at first and test, then start adding a service at a time and retest each time. You can observe the difference in the behavior of your scanner results.
There is nothing rookie or Noob about this lab. I use a simplex lab for quick testing, taking on the road for demos or writing/testing code. There are a ton of config options you can do with this type of lab. Just when you think you squeezed everything out of this lab, add a VLAN to the switch or plug in a Wireless Access Point and the game changes again.
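The add-a-service-and-retest loop described for the target above is easier to follow when the scanner results are compared mechanically. The following is an added example, not part of the original paper: it parses two saved Nmap grepable (`-oG`) outputs and lists which ports appeared, disappeared or changed state. The scan text and the 192.168.56.10 target address are constructed for illustration.

```python
# Added example: diff two Nmap grepable (-oG) scans of one lab target.
# Sample data is constructed; 192.168.56.10 is an assumed lab address.
# Assumes scans without -sV (version text can contain extra separators).

BEFORE = (
    "Host: 192.168.56.10 ()\tStatus: Up\n"
    "Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh///, "
    "25/closed/tcp//smtp///\tIgnored State: filtered (998)\n"
)
AFTER = (
    "Host: 192.168.56.10 ()\tStatus: Up\n"
    "Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh///, "
    "25/open/tcp//smtp///, 80/open/tcp//http///\t"
    "Ignored State: filtered (997)\n"
)


def parse_grepable(text):
    """Return {(host, proto, port): (state, service)} from -oG output."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("\t")
        port_fields = [f for f in fields if f.startswith("Ports: ")]
        if not fields[0].startswith("Host: ") or not port_fields:
            continue  # comment, blank or status-only line
        host = fields[0].split()[1]
        for entry in port_fields[0][len("Ports: "):].split(", "):
            parts = entry.split("/")  # port/state/proto/owner/service/...
            if len(parts) >= 5 and parts[0].isdigit():
                ports[(host, parts[2], int(parts[0]))] = (parts[1], parts[4])
    return ports


def diff_scans(before, after):
    """Return (kind, key, old, new) for every port that differs."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            kind = ("added" if old is None
                    else "removed" if new is None else "changed")
            changes.append((kind, key, old, new))
    return changes


if __name__ == "__main__":
    for kind, (host, proto, port), old, new in diff_scans(
            parse_grepable(BEFORE), parse_grepable(AFTER)):
        print(f"{kind:8} {host} {port}/{proto}: {old} -> {new}")
```

Save one scan per configuration step and diff consecutive files, so each change in the output maps to the single service you just added.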
– Virtual Hack Lab. Flexibility is king with this type of hack lab. This is designed for testing multiple target operating systems with little hardware. Many folks make the mistake of starting out with this lab first and get discouraged. This lab is more of a specialty testing lab. It requires the hardware from above in the simplex hack lab plus the addition of virtualization software. I recommend using open source software when available. For my virtual machines (VMs, as we decided to call them at the last Star Trek convention) I like Xen, but that requires Linux to be the host, so if you are not cool with Linux just yet, then VirtualBox works great with Windows or Linux as the host system. Microsoft also offers Virtual PC; however, in my experience the Linux drivers are not that good, so what’s the point. Virtual Hack Labs are good for understanding the behavior of different operating systems with minimal hardware investment. I caution folks about using this type of lab for testing bots or viruses since the behavior is massively different on a VM than on a hard installed machine.
– Real World Hack Lab. This is the Jedi Trials of all hack labs. Normally my Real World Hack Labs are large and left in place in a rack. With this lab I introduce ready-made targets to practice on or custom configured loads to attack. This is the lab I use to test the techniques hackers are using today on the Internet. At a minimum, this lab should include the following:
  – Pen Testing machine or two
  – Internet (simulated) facing firewall
  – Screening router
  – Perimeter firewall
  – Choke router
  – 3+ server targets
  – Wireless Access Point
  – Client workstation target
This lab is always in flux based upon what you are testing. You do not need high end gear to test the methods. If you work for a company that is willing to man up the cash for this gear, bonus round time!! Do not let it stop your learning if they will not cut loose on the cash. This can be done very low cost to still achieve excellent results. My Real World Lab for years looked like this:
– Pen Testing machine or two: one running BackTrack, one running Windows
– Internet (simulated) facing firewall: 2 NICs on a low end desktop running Astaro
– Screening router: 2 NICs on a low end desktop running Zebra
– Perimeter firewall: FreeBSD running IPtables/IPchains
– Choke router: 2 NICs on a low end desktop running Zebra
– 3+ server targets: LiveCD OSes
– Wireless Access Point: Laptop with a Prism AP card running FakeAP (for noise) and a low end AP I purchased off of eBay.
– Client workstation target: My kids’ machine they use to surf www.techwisetv.com
I used all old gear in this lab that I picked up for mega cheap or retired from my general home use. I have even used a couple of old Xboxes for Linux servers and they worked great! This system worked and still works great for my hack lab.
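With several two-NIC machines in a lab like the one above, the island rule stated earlier is worth checking from each box rather than trusting the cabling. The following is an added example, not part of the original paper: it parses `ip -4 route show` output and reports any route that leads outside the lab. The 10.10.10.0/24 lab prefix, the interface names and both sample routing tables are assumptions constructed for illustration.

```python
import ipaddress

# Constructed `ip -4 route show` output: a lab machine whose second NIC is
# plugged into a home network, which is exactly what the island rule forbids.
LEAKY = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.5
"""
# Constructed output from a correctly isolated lab machine.
ISLAND = "10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.5\n"


def off_island_routes(route_text, lab_prefixes):
    """Return (kind, destination, device) for each route leaving the lab."""
    lab = [ipaddress.ip_network(p) for p in lab_prefixes]
    findings = []
    for line in route_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens[:-1] else "-"
        if tokens[0] == "default":
            # A default route means traffic for unknown hosts leaves the lab.
            findings.append(("default-route", "0.0.0.0/0", dev))
            continue
        try:
            dest = ipaddress.ip_network(tokens[0], strict=False)
        except ValueError:
            # Route types this example does not parse are flagged for review.
            findings.append(("unparsed", tokens[0], dev))
            continue
        if not any(dest.subnet_of(net) for net in lab):
            findings.append(("outside-lab", str(dest), dev))
    return findings


if __name__ == "__main__":
    for kind, dest, dev in off_island_routes(LEAKY, ["10.10.10.0/24"]):
        print(f"{kind}: {dest} on {dev}")
```

An empty result only covers this host’s IPv4 routing table; a cable from the lab switch or access point to another network will not show up here and still has to be checked by hand.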
To really get the best use out of any of these models we need to have some good target simulation packages to test against. Not many folks just starting out are Web Designers, DBAs or Active Coders, and configuring your own targets is almost like taking an Econ final with the answer key sitting right next to you (although, man, that would have been sweet), plus it takes so much time… Enter ready-made target sims; Huzzah!! I use two different target sims. Foundstone has sims known as the “hackme” series. They include simulated banks, bookstores, travel, etc. They are great and really just require the .NET Framework and Windows 2K. Plus, check out their Windows security tools while you are there. They are second to none. My favorite target sims are the LiveCD distributions. They are available on an excellent Pen Testing Specialty Site, http://heorot.net/livecds/. The thing I like best about these sims is that they are complete, including the OS. No need to even redo a system; these are bootable images that you can place in the CD-ROM, boot up and you are ready to start pen testing. They have many images plus a ton of resources. I highly recommend this site and its resources. You should use both target sims in your hack lab. The Foundstone HackMe sims are Windows based whereas the LiveCD sims are Linux (slax) based. You have to shout out Slackware (slax) when it is used or the Linux crowd will keep losing your Star Trek Convention reservations.
After you have been practicing for a while, surf on over to the Open Source Security Testing Methodology Manual (OSSTMM) site and read up on their recommended methods for Pen Testing. Do not do this before you practice your pen testing, because it is written for the pen test crowd, so hands-on experience is assumed. The OSSTMM is very well received in the security industry, so knowing it can really help your career. Truthfully though, the Information Systems Security Assessment Framework; Penetration Testing Framework (whew…), you know, the ISSAF PTF (all these acronyms remind me of the movie Dodgeball…), is a much more practical document. I speak the OSSTMM but I use the ISSAF PTF. The United States Government also wrote a fairly good pen test guide, NIST SP 800-42. Not bad for government work!
Keep it simple when starting out and build on a piece at a time. You will be amazed at how fast your knowledge will grow in security in just a month. You know if you are cut out for security by how much time you spend just thinking about ways you can compromise your hack lab. Documentation is important to the learning process and to giving back to the community as a whole. When I test something cool in the lab, I twitter (jimmyray_purser) it out to my followers so they can be aware or even double check my findings, and I write papers like this one.
Looks like it is time for me to head outside and point my scope skyward. With a box of Popeye’s chicken in one hand, a star chart in the other, I’ll be looking at the stars but no doubt thinking about cross site scripting…
Jimmy Ray Purser
Trivia File Transfer Protocol
Before the Boston Tea Party, the British actually lowered tea taxes, not raised them.