Uncategorized Archives - Page 3 of 3 - Cobalt Strike Research and Development

PSA: A Safety Lesson about Team Servers

Here’s a fun anecdote for you. I usually run a Cobalt Strike team server at the CCDC events and other exercises I go to. No problem. I have a virtual machine I use as the team server. There are no sensitive files on it and fortunately, it’s a virtual machine. I don’t care what happens to it.

At the end of the National CCDC event, our team captain announced that if we have access, we’re wrong… burn it! So, in a maniacal way, all of us jumped on sessions and destroyed system after system. All well and good, this is standard operating procedure for most exercise red teams… at the very end of an event.

In our maniacal zeal to take these actions, we sometimes make mistakes, it happens.

Anyways, let me relay a little factoid.

The Metasploit Framework has a console. Any input the console does not understand is immediately passed to the operating system, for your convenience. This input is run and its output is presented to you, the user. In classes, I’ve seen many people think they have shell when they type whoami in a Metasploit Console and learn that they’re root. They’re root, but it’s on their own system.

So, in the zeal at the end of the National CCDC event, someone issued an rm -rf / command to my team server. I lost data that would later become a large generated report I could provide to the teams (next year!). I’m not too worried about that. I wanted to speak to the safety lesson, one I discovered later.

I told VMWare to share folders with my host operating system. Fortunately, I was sharing just a dropbox folder with several tools that I keep around. I have a backup of all this stuff, no big deal.

These folders were gone!

If I had shared my home folder… oh boy! That was a close call, pretty funny since no harm came of it. Pretty scary otherwise.

If you’re going to host infrastructure for an event, do it on a separate server. If you’re crazy enough to use your laptop, like I am, make sure there’s isolation between your virtual machine and your operating system.

🙂
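A preflight check for the isolation lesson above, added here as an example and not part of the original post. It reads mounts in /proc/mounts format and flags any that reach back into the host; it goes beyond the post's VMware case to VirtualBox, 9p/virtiofs and Parallels shares, and the sample mount table is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a preflight check for a VM that
# will host a team server. It lists mounts that reach back into the host
# (VMware shared folders and, going beyond the post, VirtualBox, 9p/virtiofs
# and Parallels shares), since a stray "rm -rf /" in the guest would follow
# them. Mount data is read in /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# shared_mounts FILE -> one "<fstype> <mountpoint>" line per host-shared mount
shared_mounts() {
    awk '$3 ~ /^(vmhgfs|fuse\.vmhgfs-fuse|vboxsf|9p|virtiofs|prl_fs)$/ { print $3, $2 }' "$1"
}

# count_shared_mounts FILE -> number of host-shared mounts found
count_shared_mounts() {
    shared_mounts "$1" | wc -l | tr -d ' '
}

# report_shared_mounts FILE -> prints a warning and returns 1 if any exist,
# returns 0 when the guest is isolated from the host filesystem
report_shared_mounts() {
    if [ "$(count_shared_mounts "$1")" -gt 0 ]; then
        echo "WARNING: host folders reachable from this guest:"
        shared_mounts "$1" | sed 's/^/  /'
        return 1
    fi
    echo "OK: no host-shared folders mounted"
    return 0
}

# Constructed sample: a guest with a VMware shared folder and a VirtualBox
# shared folder mounted, the situation the post's team server was in.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
.host:/ /mnt/hgfs fuse.vmhgfs-fuse rw,nosuid,nodev,allow_other 0 0
dropbox /media/sf_dropbox vboxsf rw,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
report_shared_mounts "$SAMPLE" || true
rm -f "$SAMPLE"

# Check the live system too, when running on Linux.
[ -r /proc/mounts ] && report_shared_mounts /proc/mounts || true
```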

Praise for CCDC

Over on r/netsec there’s a discussion debating the merits and realism of the Collegiate Cyber Defense Competition.

I’ve volunteered at the North East Collegiate Cyber Defense competition since 2008. I’ve also participated with several CCDC regional events since 2010 and I was on the National CCDC red team last year. I’ve seen more of CCDC than most. I believe in it as an event or else I wouldn’t put so much time into it.

CCDC is a cyber defense competition league. Student teams qualify to participate in a regional event. The winners of these regional events move on to a national event with the winner taking bragging rights.

Each region organizes itself. Some regions mirror the National CCDC rules very closely. Others do not. Right now, regional events are not happening. They do not start until March. The reflection happening on reddit is about two events that happened over the weekend: a qualifier event and a practice event organized by students at Capitol College.

The qualifier events are simple filters to invite the most prepared teams to the regional event. They’re usually throwaways and many times the qualifiers are no reflection of the rules or organization of the regional.

As for the student-run practice events, these are a clue that something special is happening. A student-run practice event means students organized an event, reached out to their professional security community, invited people in, and asked for a lesson.

Why does this matter? We’ll get to that in a moment…

There are many opinions on CCDC’s rules, restrictions, and artificialities. As someone who participates, I see the rules shift year-to-year to make a more engaging game. No organizer wants students sitting bored or idle throughout the event. Everyone’s hair should be on fire.

No two students take the same thing out of CCDC. The team captains have to deal with people issues. They have to motivate their fellow students to take time away from video games and parties to sit down and drill through checklists.

The teams that win assign roles. They have to. One smart person doing everything won’t win a CCDC event for you. Too much is happening. Some students will become Cisco IOS whizzes. Others will learn how to administer and perform intrusion response on UNIX systems. Some Windows. Students from the winning teams will understand the value of staging a secure configuration and migrating production stuff to it with minimal downtime.

The red vs. blue battle aside, students must also write policy and effectively communicate with judges, who act as executive leadership. This is a big part of their score. There’s a lot that happens in a CCDC weekend event.

The teams that will win their regional events are probably spending 10-30 hours each week, practicing as a team, right now.

The success of CCDC isn’t in its rules or how closely it mirrors sitting on a NOC floor for 12 hours with nothing happening. The success of CCDC is in what it motivates the students to do, on their own time, to prepare themselves to enter our field as peers. Last weekend’s student run practice event is an example of this.

Since 2008, I’ve seen the student teams get better by leaps and bounds. I’ve never been part of a regional red team that had access on all teams at the end of an event. Please don’t let the chest thumping of some red team volunteers lead you to believe that students are lost and engaged in an unfair game. Most student teams are well prepared and I’m in awe of them each year.

I run into these students at conferences. We have a good laugh about CCDC. For them and for me as a volunteer, it’s one of the high points of our year.

CCDC works. Students learn leadership, teamwork, and they’re motivated to pick up skills. CCDC is a good thing for our professional community.

My plug for RIT SPARSA’s ISTS

CCDC season is coming. CCDC is the Collegiate Cyber Defense Competition. In 10 regions, universities organize teams to come and defend a network. I highly recommend participating if you have the opportunity to do so. CCDC is well-known, so I’d like to take a moment to plug another event that’s happening around the same time: the Information Security Talent Search (also known as ISTS).

ISTS is run by the Security Practices and Research Student Association at the Rochester Institute of Technology. I believe this will be its 11th year. ISTS is like CCDC in many ways. Students show up for a two-day event where they must defend systems while deflecting attacks from a professional red team. There’s one twist. Student networks also include systems equipped with BackTrack Linux and they’re expected to attack each other for points and delight.

I gave the keynote talk and played on the red team at the 2012 ISTS event. I think you should play in ISTS. Don’t let the phrase “student run” fool you. ISTS is as professional as any exercise I’ve participated in. In the case of some events, it’s actually better run.

I saw many things at ISTS that surprised me. The team from RPI came to the event armed with a new agent. They made the competition into one big botnet. More impressively, this custom agent could migrate processes, log keystrokes, and do a lot of other meterpreter-like things. As I build these capabilities into my own Beacon, I appreciate how much work these students put into the event. It’s pretty impressive what these students come up with.

Another twist to ISTS: they do a very good job of keeping all teams engaged throughout the competition. You get points for defending your system and attacking, sure. But there are also style points for doing things like creating a botnet or demonstrating a clever hack to a judge. Much to my chagrin, points would have been awarded to anyone who managed to hack one of the red team members. As the red team were the only folks using personal laptops and we didn’t know about this provision, we weren’t too amused. The judges quickly amended this when it was brought up (we were supposed to be told). Otherwise, it was all good.

I’m writing this blog post for a reason though. The 2013 ISTS event is March 22-24 at the Rochester Institute of Technology. It’s for students. You do not need a faculty mentor. If you’re a group of five friends who wants to go hack for the weekend, you can sign up. It’s $100 to do so, but well worth it. The event is limited to 10 teams this year, so I highly recommend that you sign up, right now.

I lost my voice before speaking at DEFCON… and went on anyways

Thanks to my open source work, I have a lot of opportunities to speak. In 2011, I gave 30 talks between conferences, professional groups, and invitations to private organizations. This week, much of my industry has collectively gone on vacation to Las Vegas for BlackHat USA, BSides Las Vegas, and of course… DEFCON.

I was fortunate to have an opportunity to speak or demonstrate my work at all three events. Wednesday I spoke at the BlackHat arsenal. This event involves standing at a pod in the hallway and speaking over the noise of the conference for one hour. It’s one of my favorite events because it’s focused on demonstrations and I get a chance to interact with everyone in the audience.

Thursday was a mad rush. I spent the morning at the BSides conference. I gave my talk, hung around to answer questions, hopped a cab, and found myself back at Caesar’s Palace to demonstrate Armitage again at BlackHat.

For me, the big show was DEFCON though. This is where I would release the results of my 7-month DARPA effort, Cortana. And, despite the many times I’ve had the opportunity to share my work, something happened that I have never experienced before a talk: I lost my voice.

Thursday night, while I practiced my talk, my voice stopped working. It went to a very harsh whisper and my throat felt sore. I decided to stop practicing and focus on testing my live demonstrations instead.

I woke up at 7:30am Friday morning and I couldn’t speak.

Seriously.

My talk was at noon. I first paid the $6/bottle minibar fee and drank every bottle of water I could find in my room. I then tried putting a hot towel on my neck.

No voice.

I walked to the Walgreens Pharmacy. I used my phone and pointing to communicate with the pharmacist. She wasn’t too enthusiastic. She told me to take some ibuprofen and suck on cough drops.

As I checked out, I used gestures to communicate with the cashier. She switched to American Sign Language to communicate with me. I don’t know American Sign Language beyond hello. I smiled and left.

At this point, it’s time to head to the Rio. I’m at a loss for options. I thought about emailing the lead speaker liaison and asking to switch my time or give my spot back to an alternate. I couldn’t get behind that option mentally. I had no idea what I would do at this point, but I knew I would make the show go on.

Downstairs, I’m waiting in line for a taxi cab. I exchange several glances with the guy behind me. Finally, he asks if I’m headed to the same place and asks if I want to share a cab. I gesture yes. Thankfully… I was saved the trouble of finding a way to communicate with the driver.

Once we were in the car, I pulled out my laptop and wrote a message explaining my strange behavior at the moment.

I justified continuing to “speak” despite having no voice. I figured at the very least… I had live demonstrations and possibly, I could croak out parts of my talk by keeping the microphone really close.

We get to the hotel and pay the cab. I go to the speaker registration area. I think there is something truly ironic about registering at the speaker registration area with no voice. Again, I used my laptop to communicate with the DEFCON staff.

At this time, it’s 11:15am. I’m on at noon. I have no voice beyond a very harsh sounding whisper that I dare not use for fear of losing even that.

I go to the speaker ready room. The staff manning the room does the usual, “can I help you?” I pull out my laptop and communicate through a text editor. They laugh and send me to the next room to sit with the other speakers. Several folks from the EFF were discussing their Q&A panel that would happen at the same time. The room also had buzz as General Alexander was in our same suite. The tight security kept us planted at our table.

I used the text-to-speech feature on my Macintosh to converse with my fellow speakers. It was funny to type a thought, press enter, and watch for reactions. After a few rounds of this, I felt like I was participating somewhat in the conversation.

I converted my presentation to PDF. I knew, at worst, I could maybe try using the text to speech feature to communicate some things verbally. Having a PDF would allow me to keep my slides up and a terminal for typing text at the same time. I still had no idea what I would do, but a plan was forming.

My DEFCON speaker goon, Bushy, introduced himself and I explained my situation in a text editor. The speaker goon’s role is to get speakers where they’re going, help them watch the clock, and make sure everything goes smoothly. I attempted to speak, close to Bushy’s ear, to test my voice and indicate that I still had something left. Sadly… I didn’t. My voice was still a terribly hoarse whisper.

We then started the trek to the Penn and Teller theater where I would deliver my presentation.

Bushy asked if I tried hot tea with honey yet. I had tried a few things, but not the hot tea. I signed that I had not. We went to Starbucks where there was an incredibly long line. Bushy jumps right to the front and states “I’ll pay for all of your drinks if you just order a hot tea”. He immediately followed it up with “I have a speaker here who is on in 10 minutes and he lost his voice”. The nice couple at the front of the line immediately put the order in and they refused anyone’s offer to compensate them for the tea.

I added three packets of honey to the tea and drank such a big initial swig that I… burnt my tongue. Desperate times call for desperate measures?

We then proceed to the Penn and Teller theater. As we walk, hotel security keeps stopping me and explaining that I can’t carry a drink. Each time, I had to look back and get Bushy’s attention to intervene on my behalf. I didn’t have the voice to explain myself after all.

The final guard, right before the theater, shook his head and laughed when he learned about the situation.

We then enter the Penn and Teller theater. This theater has two levels and seats about 1,500 people. I don’t know if it was configured differently for DEFCON. This part’s a blur to me. I do know that I approached a real stage, saw the sophisticated lighting gear around me, and as I looked at the tiered seating to my left and right… the theater was nearly full.

I’ve never spoken at DEFCON before and I did not know what to expect. I didn’t expect I would see such a full room or find myself escorted to such a prominent stage. I felt like a musician who was expected to perform… but couldn’t.

I see friends in the audience who try to greet me. From stage, I point to my voice and make a motion with my hands to indicate that I had no voice. They got the message and I could see the “Oh… my…” look on their faces.

I wasn’t nervous at this point but I still had no idea what would happen.

I set up my laptop and opened a text editor. I wrote:

“Life is an adventure. Here I am speaking to ~1,000 of you. We’re going to have fun today, but you should know… I lost my voice”

Some people noticed it and I could immediately hear the “haha, oh my” reaction.

I kept drinking my tea and honey.

Bushy introduces me and states that this is the first time in DEFCON history a speaker has… not had their voice.

By this time, I knew I could croak some things. At worst, I could let everyone read my slides and make a short comment about each. This would still get the content across.

I brought the microphone close and found I could croak enough to speak. My tempo was slow at first. As I kept going (and drinking my tea) my voice slowly came back. It never came back all the way, but it was 100x better than I expected.

I was able to deliver the entire 50 minute lecture as I intended to. My demonstrations worked. And I had a great experience.

Thank you Bushy for saving the day for me. You went above and beyond as a speaker goon and while I had no idea what I would do, I thank you for helping me get up to the stage where everything worked out.

This is one speaking experience that I will never forget.

Coming to Vegas: My Picks and Schedule

And, like most folks in the security industry, I’m getting ready to head to Las Vegas for the week. I’ll arrive in Sin City on Monday, 23 July 12.

I’m armed with Cobalt Strike comic fliers, business cards, and boring sell sheets. I also have a pile of Armitage stickers to give away.

In this (long) blog post, I recommend a few talks and provide my schedule. If you’d like to meet for a meal or a beverage, I’m definitely open to this. Contact me and we’ll discuss a way to sync up.

My Picks

Hacking into Smartphones

On Wednesday and Thursday at 11:45am in the BlackHat USA Arsenal, Georgia Weidman will demo her Smartphone Penetration Testing framework. This is not a tool for “hacking from” smartphones. It’s a tool set for hacking into smartphones. I highly recommend attending one of these demo sessions. I’m demoing Armitage at the same time, but if you go see Georgia twice, I’ll give you twice as many stickers.

Ambush

At BSides Las Vegas on Wednesday at 11am, Matt Weeks will reveal a new defensive technology called Ambush to the world. We’ve had a few discussions about this technology. As usual, Matt is up to something incredibly novel.

This presentation will demonstrate the ability to configure signatures on everything from the highest to the lowest level API’s, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.

SNSCAT: Social Media Sites as Covert Command and Control

I’m really excited about this. My friends Dan Gunter and Solomon Sonya will reveal SNSCat at BlackHat USA at 2:15pm on Thursday.

“SNSCat provides a simple to use post-penetration data exfiltration/infiltration and C2 (Command and Control) platform using images and documents on social media sites (Facebook, Google Apps, twitter, imgur, etc).”

“will introduce our tool and show how one can easily move files in and out of a network using social media sites. We will next demonstrate how one can use SNSCat along with the implants we have created to establish full command and control between the controller and the listening agents.”

Grab thy Hashes

And, finally my friends Jon Claudius and Ryan Reynolds will present a survey of how different tools extract password hashes on Windows. The twist–most of them do it in a semi-broken way. They’ve analyzed the problem and they’re revealing fixes for key tools that penetration testers take advantage of.

This is extremely important. I feel like a lot of tools released at conferences are one-time things that will never see an update later on. It makes working with them frustrating as the work may be novel, make a great demo, but if it doesn’t work a year from now–what’s the benefit? It’s great to see someone looking at what we use every day, figuring out what’s wrong, and contributing back in a way that will benefit a lot of people immediately.

This talk is happening at 11am on Saturday at DEFCON.

My Schedule

Tuesday, 24 July 12

I’m hanging out at the Adaptive Penetration Testing course taught at BlackHat USA by the Veris Group LLC.

Wednesday, 25 July 12 (BlackHat USA)

I will demo Armitage in the BlackHat Arsenal at 11:45am. My goal during the demo is to explain Armitage to those who haven’t seen it and capture some of the cool tricks few people know about. For example, Ctrl+T takes a screenshot of the current tab and saves it to a preset place.

Thursday, 26 July 12. Morning (BSides Las Vegas)

At 10am, I will present Force Multipliers for Red Team Operations. Each year, in March and April, I spend most of these two months on the road hacking in several exercises. I treat these events as a laboratory for trying out ideas and making observations about how hackers work together. I will break down what I learned from this year’s season with a focus on how we organized ourselves, what worked, and offer ideas of what I’d like to see next.

Thursday, 26 July 12. Afternoon (BlackHat USA)

I’m back at BlackHat at 11:45am demoing in the Arsenal again. If you missed me on Wednesday, come by on Thursday and get a sticker. I really dig these kiosk style demos. It’s easier to connect with you and have a dialog.

Friday, 27 July 12 (DEFCON)

At noon on Friday, I’m presenting Cortana: Rise of the Automated Red Team. During this talk, I will reveal the fully scriptable version of Armitage and its stand-alone interpreter Cortana. You’ll learn how to add bots to your red team or add new features to Armitage. This project was a big effort to put together and I was very fortunate that DARPA’s Cyber Fast Track program helped make it possible.

Here’s a Hak5 segment from last year where I first talked about this next iteration for Armitage:

I also noticed that I’m speaking opposite of General Alexander from US Cyber Command and the NSA. I guarantee I will give far more live demos than he will. That said, I wish I wasn’t speaking at noon, I’d love to see his talk too.

Saturday, 28 July 12 and Sunday 29 July 12 (DEFCON)

I’m at DEFCON all weekend and I fly out Monday morning.

DARPA’s Cyber Fast Track: My Experience

Last week, I received a grant from DARPA through the Cyber Fast Track program. I consider this a big milestone in my personal career. If you’re an independent researcher or entrepreneur, bent on making your ideas real, then this program is for you.

This blog post will give you my experience applying and getting funded by this program. I’ve chosen a question and answer format because I had a ton of questions when I applied. I hope answering these questions encourages you to take advantage of this amazing opportunity.

Before we begin, please remember: none of this is the official word of DARPA. This blog post merely reflects my understanding. Also, if you arrived here with a Google search, my last name is Mudge, but I am not the Program Manager Mudge at DARPA.

What is Cyber Fast Track?

Cyber Fast Track is a DARPA program to fund us, the hacker community. Here’s the description from the Cyber Fast Track page:

The Defense Advanced Research Projects Agency’s Cyber Fast Track program is aimed at improving Cyber Security. This program will rely on the skills of small organizations, boutiques, hacker spaces and maker labs to address cyber security issues.

According to DARPA program manager, Peiter “Mudge” Zatko, instead of engaging in traditional programs that don’t produce results for years, we envision results within months by harnessing teams or individuals on the back of short, fixed-price DARPA contracts.

If you’re an individual who is trying to advance the security community through independent research, DARPA wants to hear from you. You don’t have to work for a big defense contractor, you don’t have to work for anyone. I applied as an individual with no formal organization behind me.

What is the process?

If you want to apply, I recommend reading the research announcement at FedBizOpps. This will give you all the details on the program.

Next, go to the Cyber Fast Track resources page and get the proposal template. I started my proposal without the template. This was a mistake. The template makes writing the proposal much easier. Plus, it’s better to give DARPA what they expect.

The technical meat of your proposal is 10-15 pages. I pushed the upper end of this. It took me about four days spread out over two weeks to create a proposal I was happy with.

Submitting the proposal is easy. I created an encrypted ZIP file with the proposal. I uploaded the proposal ZIP to a website. And I emailed the password to open the ZIP file to DARPA. The details on how to do this are in the research announcement.

I submitted my proposal on Friday, 21 Oct 11. I received a phone call of acceptance on Thursday, 3 Nov 11. I had a signed contract on Friday, 4 Nov 11. This is a mind blowingly fast turn-around to fund a program.

Do I need an LLC, DBA, C Corp, S Corp, LLP, or GmbH?

Nope. You can apply as an individual. I put down Raphael Mudge as my company.

Do I need a lawyer?

The contract is one page. My contract listed the milestones I proposed, the dates I said I would deliver them by, and the price I proposed for each milestone. Since I applied as an individual, I also had to affirm that I am an independent contractor, not an employee, and that I am responsible for all taxes on what I receive.

If you’ve dealt with contracts, you may know the pain of reading a “we own your first child” clause, raising the point, and cringing as some sleaze asserts “it’s boiler-plate, all contracts have it” while breathing their lunch cocktails in your face. There is none of that here. This is the simplest contract I have signed.

Who gets the rights to my work?

You keep all commercial rights. The Cyber Fast Track FAQ has a thorough answer to this question.

What does DARPA get?

DARPA recognizes that big contributions may come from fringe thinkers doing what they love without constraints. This program allows those who are motivated to pursue their wacky vision. Your project may not change the world, but with hundreds of these, something big is bound to happen. It’s kind of like the Y Combinator model for defense contracts. Or in short–they’re spending their money to advance the state of the art.

How much do I ask for?

This depends. How long will your effort take? I recommend that you figure out what you want to do, list several milestones, and then estimate how long each milestone will take.

Now you should have some number of hours. Make sure your time estimate is realistic. Cyber Fast Track contracts are firm-fixed price. You’re on the hook to deliver what you propose in the amount of time you claim.

Your next task is to figure out an hourly bill rate. Your bill rate must fit the government accepted rate for someone at your career level. In my last position, I worked as a Senior Security Engineer.

I used Google to search for “Senior Security Engineer” hourly rate site:gsaadvantage.gov. This yielded price lists for various defense contractors. Pick one that works for you and multiply that by the number of hours you estimated. Now you know how much to ask for.

Optionally, find someone who consults for the government or owns a defense contracting company and ask them for advice. I followed both of these approaches and they each yielded the same numbers.

Do I need a security clearance, CAGE code, or a DUNS number?

No.

What should I apply with?

The research announcement has the DARPA answer on what they’re looking for. Short answer though, they’re looking for interesting security research. Apply with what you’re interested in. Don’t worry about what the government wants or what they need. Take your thread of research, explain why it’s valuable, who it’s valuable to, and explain what’s new in your approach.

I also recommend scoping your idea as tightly as possible. I used to review proposals when I worked as a researcher and I never backed a proposal that was all over the place. The proposal reviewer should understand the problem you’re solving and your plan to solve it after they read the first paragraphs of your executive summary.

Ideally, the reviewer should understand your project from the title alone. This isn’t always possible, but do your best.

Keep in mind that Cyber Fast Track does not fund improvements to existing technologies. I have a research interest in red team organization and tactics. Armitage is my current vehicle to explore this research interest. I cut a stand-alone project out of my long-term road map. I emphasized the research questions this stand-alone project would address and this became my proposal.

What are my chances of getting funded?

DARPA has seen 30 proposals and funded 8 so far. A ~25% acceptance rate. This is better than some conferences I’ve applied to. Network World has these numbers and the titles of the current efforts.

How do I stack the odds in my favor?

Make your proposal easy to read. If your proposal is poorly written, you will torture your reviewer(s). Good proposals are short and they inform the reader.

  • Use bullets when listing several ideas. This will make them stand out.
  • Write in the active voice.
  • Use simple words over complex ones.

I recommend that you visit plainlanguage.gov for Plain English writing tips. I also wrote a writing style checker that may help you. If you want to read a book, try Bill Stott’s Write to the Point. It’s my favorite book on writing.

Where to go from here

Cyber Fast Track takes away all the friction for valid ideas to receive funding. This is the first time in my career I have seen something like this. If it fits you, take advantage of it!

If you’re in New York City on November 9, go to the Cyber Fast Track Town Hall at NYU Poly. Watch the Cyber Fast Track Events page for future events.

My VirtualBox Penetration Testing Lab

Last week I taught an Advanced Threat Tactics course at the Lonestar Application Security conference. I like to provide ample hands-on opportunities in my courses. The students retain much more this way. I decided to use the class proceeds to build a killer virtual machine server for my students to hack on.

Requirements

My requirements were as follows:

  • Run a lot of virtual machines at once (this is not a very specific requirement)
  • Headless. I live in a Washington, DC apartment. I do not want to waste room providing a keyboard, monitor, and mouse to administer it. I do not want to travel with these items either.
  • Travel friendly. I used this server to teach a class. It needed to travel with me.
  • MacOS X friendly. I am not a Windows user.

Hardware

I initially built my server to run VMWare ESXi. I built my server using parts from newegg.com. I read that newegg.com has a terrible record with dead on arrival hard drives, so I bought these from staples.com.

Here’s the part list:

  • Case: Shuttle SH67H3 [ $240 ]
  • Network Card: Intel EXPI9301CTBLK 10/100/1000Mbps PCI-Express Network Adapter [ $30 ]
  • RAM: CORSAIR XMS3 16GB (4 x 4GB) [ $100 ]
  • Processor: Intel Core i7-2600 Sandy Bridge 3.4Ghz (3.7GhZ Turbo Boost) Quad-Core [ $300 ]
  • Hard drive: Two 1TB Seagate Barracuda disks, 7200 RPM with 32MB cache [ $140 ] *

Total cost? $810

* I picked up two hard drives to allow a RAID-1 configuration.

Software

The operating systems problem is an easy one. I own an MSDN subscription. This gives me access to all of Microsoft’s operating systems going back to Windows 3.x and DOS. Missing is Windows 95, 98, and 2000. I believe this is because of a court ruling related to their crippled Java many years ago. I’ve had MSDN since June and I am extremely happy with it.

VMWare ESXi

The virtual machine software was not such an easy story. I tried VMWare ESXi first. It doesn’t need a host operating system, meaning more system resources go to powering my virtual machines. I own VMWare Fusion for MacOS X and I love it. VMWare ESXi seems like the natural choice.

I installed VMWare ESXi, a process that was not without its trials. At some point it no longer recognized my USB keyboard. I found plugging my keyboard into a port in the back of the system allowed the install process to execute smoothly. I quickly learned that the best way to manage ESXi is through the vSphere client. vSphere is only available for Windows. This immediately went against my MacOS X friendly requirement.

Also, I did not know what functionality was missing from VMWare ESXi/vSphere without their paid package. I quickly learned that the missing functionality included the ability to quickly clone virtual machines. For someone setting up a penetration testing lab, this feature is a must. Many people on Twitter came to the rescue with an assortment of hacks to get around this limitation. I don’t like hacks for simple things like cloning a virtual machine.

Also, using vSphere in a Windows virtual machine was painfully slow for me. VMWare ESXi is out for me.

VMWare Workstation

Because I’m already familiar with VMWare Fusion and Workstation for Windows, I opted to try VMWare Workstation. I installed Ubuntu 10.04LTS. I tried exporting the user interface over X Windows and I tried interacting with it through VNC. Even on my local network, both options were too slow. VMWare Workstation quickly failed the test for me.

VirtualBox

The last option I tried was Oracle’s VirtualBox. I should have tried it first. I installed VirtualBox on Ubuntu 10.04LTS server. I didn’t install X windows at all. The entire install was done while logged in remotely from Terminal.app on MacOS X. I then set up phpVirtualBox to administer the system. phpVirtualBox is fantastic. I can easily configure, make linked clones of, snapshot/restore, and start/stop my virtual machines.

Through phpVirtualBox it’s also trivial to create multiple “host-only” networks and assign them to your virtual machines. This is great for creating isolated enclaves bridged only by a dual-homed virtual machine I set up.

VirtualBox also has an RDP server built-in. phpVirtualBox exposes a flash RDP client to allow me to interact with the virtual machines in my browser. The VirtualBox Guest Additions also fixed wonky mouse issues for me.

In the end I went with VirtualBox and phpVirtualBox as my headless virtual machine solution of choice.

One tip: when running VirtualBox, make sure the kvm-intel and kvm-amd kernel modules are not loaded. These modules conflict with VirtualBox and your VMs will not start. Just because they aren’t loaded on one boot doesn’t mean you won’t see them later. I was bitten by this. Save yourself from my pain.
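The pieces of the VirtualBox setup described above (the kvm module conflict, isolated host-only enclaves, linked clones from a snapshot) pulled together into one build script. This is an added example, not the post's or phpVirtualBox's code; the VBoxManage subcommands are real, while the VM, snapshot and interface names are assumptions, and DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: a build script for the headless
# VirtualBox lab described above. It warns (and outside dry-run, stops) while
# kvm_intel/kvm_amd are loaded, creates a DHCP-free host-only network as an
# isolated enclave, and stamps out linked clones of a snapshotted base VM
# into it. VBoxManage subcommands are real; VM, snapshot and interface names
# are assumptions. DRY_RUN=1 (the default) only prints the commands, so the
# plan can be reviewed on a box without VirtualBox.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# vbm ARGS... -> run VBoxManage, or echo the command when DRY_RUN=1
vbm() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

# kvm_modules_loaded FILE -> prints any kvm_intel/kvm_amd entries found in a
# /proc/modules-format file ("<name> <size> <refcount> <deps> <state> ...").
# These conflict with vboxdrv and keep VMs from starting.
kvm_modules_loaded() {
    awk '$1 == "kvm_intel" || $1 == "kvm_amd" { print $1 }' "$1"
}

# make_enclave IFNAME GATEWAY_IP -> host-only network with its DHCP server
# disabled, so nothing lands in the enclave except VMs placed there on purpose
make_enclave() {
    vbm hostonlyif ipconfig "$1" --ip "$2" --netmask 255.255.255.0
    vbm dhcpserver modify --ifname "$1" --disable
}

# clone_target BASE SNAPSHOT NAME IFNAME -> linked clone of BASE at SNAPSHOT,
# NIC 1 attached only to the enclave (no NAT, no bridge to the real network)
clone_target() {
    vbm clonevm "$1" --snapshot "$2" --options link --name "$3" --register
    vbm modifyvm "$3" --nic1 hostonly --hostonlyadapter1 "$4"
}

# build_lab -> one enclave (assumed to come up as vboxnet0) holding a domain
# controller and two workstations, linked clones of assumed base VMs whose
# snapshot "clean" was taken beforehand with: VBoxManage snapshot <vm> take clean
build_lab() {
    vbm hostonlyif create                 # VirtualBox picks the vboxnetN name
    make_enclave vboxnet0 192.168.56.1
    clone_target win2008-base clean dc1 vboxnet0
    clone_target winxp-base clean ws1 vboxnet0
    clone_target winxp-base clean ws2 vboxnet0
    for vm in dc1 ws1 ws2; do
        vbm startvm "$vm" --type headless
    done
}

# The tip from the post: check for the conflicting kvm modules first.
if [ -r /proc/modules ]; then
    loaded=$(kvm_modules_loaded /proc/modules | tr '\n' ' ')
    if [ -n "$loaded" ]; then
        echo "kvm modules loaded (${loaded}): rmmod and blacklist them or VMs will not start" >&2
        [ "$DRY_RUN" = 1 ] || exit 1
    fi
fi
build_lab
```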

Conclusion

So, with my hardware in place I set up a penetration testing lab. I had a Windows 2008 domain controller, several Windows 2003 servers, several Windows XP and Windows 7 workstations, and a garden variety of Linux boxes for various purposes. I’ve had up to 15 virtual machines running simultaneously and can go higher. This lab passed my “run lots of virtual machines test”.

Using my browser and phpVirtualBox I was able to administer every aspect of the virtual machine creation and configuration process. This system passed the headless requirement.

This box fit into my carry on luggage and TSA let me through the checkpoint with it no problem. At BWI two or three personnel looked at it quizzically, but they let it through. I was quite happy as I didn’t want to check it for fear of what that might do to the system. So this system passed the travel requirement too.

And, thanks to the headless admin through a browser, this system is definitely MacOS X user friendly as well.

Setting up a penetration testing lab is a good way to hone your system administration skills. It’s also a lot of fun and makes a great place to experiment with different attack techniques at a greater scale.

If you have any questions, leave them in the comments.