Sunday, August 15, 2010

On the way back home

The trip is over and was definitely a success, sitting in BWI airport about to catch the first thing smoking back to Seattle via Air Tran. Time to fly home for another month until its time to head back to Maryland to do a ECSA/LPT training course.

Tuesday, August 10, 2010

NoVA Hackers

I had the pleasure of attending a meeting last night.  Its these kind of events that make me wish that I lived on this side of the country sometimes.  The format is mostly 'lightning talks' but they were very informative and the atmosphere was relaxed.  The second best part to me was the talk about the recent DefCon CTF event and how some NoVA members participated (they didn't come in last by the way! ;)).  They shared their trials and tribulations preparing for the event, qualifying and subsequently competing.  Really nice stuff, I hope that they post their slide deck online.

The best part was being able to see CG and get caught up with him a bit, its been too long.  Hopefully we will be able to do dinner or something like that before I head back to Seattle on Sunday.

May Your Skill Prevail.

Training Tornado Dying Down

Three weeks of training across the United States (Washington State to Maryland, Maryland to Hawaii, Hawaii to Maryland and Maryland to Seattle) is coming to a close.  I'm spending the last week hanging out with a very close friend (surrogate younger brother!).  It turns out that I'll be returning to Greenbelt, Maryland next month to do an ECSA\LPT 5 day boot camp in a month.

Over the last month I have learned that it truly pays to account for 'variable change' especially when delivering custom content and that I'm not nearly as infallible as I thought. ;)  Its best not to put all of your eggs in one basket and works more smoothly when you distribute them in layered fashion to prepare for the inevitable snag in your game plan.   Its all part of a never ending learning process though and I plan on using what I've learned to improve the things that do. 

Until next time.

Tuesday, July 13, 2010

Lab - o - Matic!

Have you been wondering where I have been hiding all this time?  Well, providing labs for four classes and two info-sec workshops will make time for blog posting sparse. 

IS 315 Risk Management and Intrusion Detection: Wireshark Labs to cover the basics and core protocols (TCP,UDP, IP, ICMP, ARP, etc.) and special projects to build a Snort IDS and discuss sensor placement and risk management concerning the deployment.  Plans are to author snort signatures towards the end of the quarter if time permits.

IS 418 Securing Linux Platforms and Applications:  Some basic labs to brush up on Linux accounts and permissions did an IPTables to review firewalling.  Building on all this teaching SELinux...we have been covering the basics and tacking a few of the concepts, particularly MCS  and MLS models.

IS 316 Firewalls & VPNs: Started with IPTables and BASH shell scripting around that to automate the process.  Currently working on Packet Filtering and using OpenSSH Layer 3 VPNs.  Will graduate to pfSense (firewall, proxy and VPN) and possibly using the Cisco ASA as a firewall/VPN platform.

IS 413 Auditing E-Commerce and  Network System Implementation: The students have already had policy and auditing courses including another one the evening before.  We are using WebGoat and Damn Vulnerable Web App to learn about many of the web application risks that are out there.  Towards the end of the quarter we will investigate the audit trails and discuss writing strong policy around these issues.

On a Training Run

Headed to Greenbelt MD for a week to teach a CEH class, then over to Honolulu HI for a week to teach a CEH class then back to Greenbelt for a  week long CHFI class.  I suppose after that I will be allowed to return home! ;)

Sunday, June 13, 2010

Back to Business

Unfortunately my two week hiatus that is also known as a vacation is coming to a close.  As I will be back to providing training, I'm sure that I will be posting relevant material here.  Do I sound excited to be going back to work? No?  Really?

Updated Design Template

This should be pretty self explanatory and I hope that everyone likes it better than the previous ones.

Thursday, May 20, 2010

Metasploitable == Virtualbox

Last night I put together a Metasploitable Virtualbox appliance.  It includes the readme.txt provided by the MSF team as well as the .mf file has been deleted (all these manifest files ever do it make it take 5 times longer to import appliances and they fail half of the time).

You can scoop up the appliance at:

MD5: fa7d8304af40e1127dd690ad0159b5dc  metasploitable.tar.gz
SHA1:  1080f8389c1115cbdca1ce6cd5e910d4201e0bc8  metasploitable.tar.gz
RIPEMD160: b0c089861ca727439abc650de7bbb74243aa4b56  metasploitable.tar.gz


Wednesday, May 19, 2010

RootWars - Day Three

Well, it would appear that we have a winner! Team One was able to obtain root access again and Team Two decided to just stay in a holding pattern until we wrapped things up for the evening. Understandably there was a great deal of frustration coming from Team Two. As time progresses it is my hope that the frustration resides and they can look back on it as a positive learning experience and that after a debriefing next week and an exchange of whitepapers both teams will have learned more about information security on Linux platforms. Among the skills displayed were some custom shell scripts, knowledge of shutting down unnecessary services, examination of backdoor source code as well as traditional talents such port scanning, netcat manipulation, etc.

All in all it was a good learning experience, I'll have to figure out ways in the future to make it different and exciting for disparate skill levels. Until next time.

May Your Skill Prevail.


Looks like the guys over at Metasploit have a new addition to the family....Metasploitable. An Ubnutu Linux based distribution with built in vulnerabilities so that one can test the Metasploit Framework and learn how to use some of its functionality.

Many thanks for the creation of another useful and valuable tool!

May Your Skill Prevail.

Thursday, May 13, 2010

RootWars - Day Two

Well, yesterday was an eventful day. Team 1 was able to obtain root within 15 minutes using one of the backdoors enabled in the default RootWars VM image. They were successful in locking Team 2 out of their system. Team 2 had to reboot the image in single user mode and make some adjustments to prepare themselves for week 3. There are two lessons that I truly hoped the students walked away with:

Incident Handling skills are crucial. All of the hacking and penetration testing skills are glamorous and sexy but if you cannot defend you will be hacked. If you cannot identify that an intruder is on your system, then you are defenseless at that point. And if you cannot remove the intruder from your system efficiently then you are subject to his whims and mercy (or lack thereof).

Be aggressive. Not just in your offense, but in your defense as well. You cannot avail yourself of all of the backdoors, Trojans and rootkits against your opponent in a RootWars scenario until you have aggressively searched for, found and eradicated them from your own. Then you can leverage that knowledge in attacks against your adversary. This is truly a case where your best offense is a good defense.

I shared quite a few tips with Team 2 and a few with Team 1 in an effort to even things up a bit and also make sure that the frustration levels involved remain tolerable.

All in all the exercise is proceeding well. Team 1 will need to work on sportsmanship conduct as we proceed but I have addressed that with them personally. This exercise is supposed to be fun and a learning experience for everyone involved. I look forward to week 3 and hope that all of the students do as well. Until next time.

May Your Skill Prevail.

Monday, May 10, 2010

Upgraded Virutalbox Servers to Ubuntu 10.04 LTS

I took a gamble at 2:00am and upgraded a pair of Ubuntu Virtualbox servers in the office. For the most part the upgrade went smoothly. I like the new color scheme and the aesthetic changes made.

As far as Virtualbox is concerned, even with dkms installed it failed to build the new kernel modules properly. This can be done fairly quickly and painlessly as root:

# /etc/init.d/vboxdrv setup

If all goes well this will purge previous kernel modules and build new ones based on the 10.04 kernel sources.

The Windows guest additions seem to have an issue with wanting to always be in full screen mode, I'll have a look at that tomorrow and when I figure it out I'll post the results here.

Sunday, May 9, 2010

Mobile Security Training Lab 1.0

During my tenure at ITT providing classroom labs and a bi-weekly security workshop I found the distinct need to be able to easily provide a security-training environment that could provide the following elements:

  1. Separation: The school lab computers are connected to the corporate network. This is less than ideal for working with information security topics.
  2. Monitoring: I wanted monitoring platforms for two reasons, first to be able to monitor the network activity of students, secondly to teach them how to monitoring using open source monitoring tools and platforms.
  3. Portability: I’m there 4 times a week so I need to be able to pick up my environment and take it home with me every evening so I can make needed adjustments, perform upgrades, etc.
  4. Resiliency: I require an environment that can take a licking and be restarted to keep ticking. Virtualization really fits the bill here.
Lets address the solutions in the same order so that we can keep them straight.

  • Separation: We needed to be able to have our own network to work on, four times a week. Clearwire really does the job for this scenario. It’s inexpensive ($55/month for a standard modem and a USB modem), it has a decent connection speed and is quick to setup/teardown. This is been teamed with a Linksys WRT150N running DD-WRT. This runs WPA (I have students with older laptops so I had to back off of WPA2) with a key that I rotate every so often.
  • Monitoring: Since I own the network I am free to utilize whatever monitoring tools and techniques that are at my disposal. I attempted to use HeX Live in as a Virtualbox appliance but had trouble with the virtualized interfaces being able to sniff traffic all the time. Over the last week I have opted to use Securix-NSM. It works right out of the box and supports sguil servers, which make me very happy (I prefer sguil over BASE). In addition to these live CDs converted into Virtualbox appliances I will occasionally utilize tcpdump or tshark for a quick and dirty pcap grab and analyze the output in Wireshark.
  • Portability: This one is huge. I need to be able to work on labs while I am away from the college and then run them (or disseminate them) while I’m there. Laptops running Virtualbox to the rescue! I must admit, before recent training tenure I was a VMWare fanboy. I have definitely flip flopped in that regard, I have only retained VMWare Fusion on my MacBook Pro because I like the Windows VM integration tools. So three laptops get the job done (yes, I could carry less but I use three for work anyway).
  • Resiliency: Another big one for me, it’s not so much when we are working on Wireshark or tcpdump labs or writing snort signatures. But when we are using Metasploit, or exploits from other sources its nice to just roll back to a snapshot of a virtual machine and spin it back up again. This wouldn’t be complete without a peek into the actual environment. I am using the following Virtualbox appliances that I created for various purposes:
Network Penetration Testing

BackTrack 4
Final Pentoo 2009.0

Web Application Penetration Testing


VOIP Security Assessments


Digital Forensics

Helix 1.9

Network Security Monitoring

While in bridged networking mode I have been unable to get any virtual adapters to sniff properly except PCnet-FAST III. You could also put your environment in Virtualbox’s “Internal Networking” which behaves as a hub as opposed to a switch.

HeX Live 2.0
Securix-NSM OSSIM 2.2.1
OpenIDS 2


You will need to configure multiple virtual adapters for these to function as created. See the point above considering the sniffing interfaces.

Honeywall Roo 1.4

pfSense 1.2.3

Hacking Challenges

The first three images are bootable, so you don’t need to create a big hard disk for them. I created a “small” 1GB disk for each of them, and have the VMs configured to mount their respective ISOs on boot. pWnOS is a VMware appliance and will require importing and tweaking to work correctly in Virtualbox. 100 110
Damn Vulnerable Linux 1.5
pWnOS 1.0

Vulnerable Hosts

Windows 2000 SP1 (Professional, Server, Advanced Server)
Windows 2003 SP0
Windows XP SP2
Ubuntu Server 7.04

Generic Hosts

Opensolaris 2009.06
Windows 7 Ultimate


Custom Redhat 9 appliance

All of the appliances are on all 3 laptops affording me maximum flexibility in developing configurations and scenarios for the students to learn from. The remaining issues that didn’t make the master list as distinct topics; time and cost. It took awhile to put together these appliances in Virtualbox but it was time well spent. Now, regardless of where I deliver training I can focus on that rather than what unpredictable elements another environment might bring.

That leaves us with cost. Most of these were developed with Open Source software so the only licenses that came into play were the Windows ones. I have all of the W2K OSes from the MS Select Program a long, long, long time ago. I used one of the licenses from IRON::Guard for Windows XP SP2 and Windows 7 respectively. So, for very little cost I have a kick ass portable training environment I can take anywhere. I hope that this write up helps someone cut some corners off of their development time to put together a mobile lab or give them inspiration to improve upon my humble offerings. Till next time.

May Your Skill Prevail.

Thursday, May 6, 2010

RootWars Elements

The Goal:

To provide a robust yet portable (I picked up this lab from home and moved it to the school and back today and have every Saturday for the last 12 weeks) RootWars training solution for students of varying skill levels and security disciplines.

The Tools:

Linksys WRT150N - DD-WRT firmware - Allows participants to connect via WPA encrypted wireless for convenience. Syslog forwarding to Bastion host, also provides static DHCP addresses to laptops.

Clearwire modem – Portable Internet – Allows for relatively fast Internet access in a portable form factor.

Main computer – Quad Core Intel, 4GB RAM, 500GB HD, Opensolaris 2009.06, Virtualbox 3.1.6

The Island -Bastion host - running over sshd, centralized logging over syslog, Stratum 3 NTP time server, IRC server (with SSL enabled) with Eggdrop bot (persistent channels and ease of administration). Runs tcpdump full content data capture as a backup to the NSM VM.

Rootwars VMs – Redhat 9 Virtualbox appliances. Running to keep track of all commands issued as root. Incident Handling included with 9 backdoors, 4 trojans and 2 rootkits. Syslog sent to Bastion host, NTP time synced with Bastion host.

Securix-NSM VM – Running sguild server with ntop, also provides full content data capture using tshark running in ring buffer mode.

Macbook Pro laptop – OSX 10.5.8 - Connected to projector, acting as operator of IRC channels via screen sessions, running sguil client and X11 forwarded wireshark session from NSM VM.

Dell D600 laptop – Back|Track 4 Final - Runs regular nmap and other scans against RW VMs to verify that required services are up and running. Acts as an NFS and SMB server for attached students to download files and utilities from.

Samsung N110 laptop – Windows XP SP3 - The Jack of all trades, authoring MS Word docs (Rules of Conduct, Survival Guide and Kickoff documents), moving files around via WinSCP, acting as an FTP server for Virtualbox images, pcap files and more.

The Time:

All in all this was a lot of the sum of approximately 151 hours over 10 days from concept to project deployment. Not for the faint of heart but definitely worth it.

I hope this is helpful for anyone considering a similar endeavor.

May Your Skill Prevail.

Wednesday, May 5, 2010

Rootwars - Day One

Today was the Rootwars kickoff at ITT Tukwila 026.

The Rootwars is running over a 4 hour class period for 3 weeks in succession. This week was getting everyone logged into the bastion host properly, up and running on IRC and working on getting their virtual machine into a more defensible state (it has numerous backdoors, trojans and rootkits installed right out of the box).

The students were all very engaged, I practically had to kick them out of the classroom! For the most part they are making sound security decisions although they should have universally made a more conscious effort to locate the incident response elements of this challenge rather than worrying about network facing services and user accounts quite so much.

I can feel the frustration that stems from stepping out of your comfort zone and launching yourself into the unknown. Its the painful part of growing and expanding your horizons.

All and all it was a smashing success, it practically ran itself which allowed me to make myself more available to answer questions and provide encouragement. Until next time.

May Your Skill Prevail.

Cloning a HD image in Virtualbox 3.1.6

To create multiple appliances for the upcoming RootWars I needed to replicate the base image. VBoxManage to the rescue!

cd /export/home/sp00k/.VirtualBox/HardDisks

VBoxManage clonehd —format VMDK RH9.vmdk IGSrootwars1.vmdk

It assigns a new UUID which is the important part when launching duplicate images. This took about 5 minutes per image to complete.

X11 forwarding after running su

I needed to forward a Wireshark session over X11 as the root user. The training virtual machine in question doesn't allow remote logins via SSH.

This authentication mechanism works on a encrypted bit of data identifying the user. We can easily replicate this and allow root to forward sessions over X11 when escalating privileges from another user.

sp00k@carapace ~ $ xauth list $DISPLAY
MIT-MAGIC-COOKIE-1 aee3eb981908d182d190f65ae01e9665

sp00k@carapace ~ $ su

carapace sp00k # xauth add carapace/unix:10 MIT-MAGIC-COOKIE-1 aee3eb981908d182d190f65ae01e9665
xauth: creating new authority file /root/.Xauthority

And just like that success, as long as everything is setup correctly for X11 forwarding initially this should work.

Nvidia NFORCE NIC and Opensolaris 2009.06

When I first started up Opensolaris I noticed that the internal motherboard NIC didn't work and went out in search of a solution. Here is a culmination of my findings in a solution that worked for me.

Verify you have an Nforce chipset based NIC:

“/usr/X11R6/bin/scanpci -v”
pci bus 0×0000 cardnum 0×0f function 0×00: vendor 0×10de device 0×07dc
nVidia Corporation MCP73 Ethernet
CardVendor 0×1043 card 0×816a (ASUSTeK Computer Inc., Card unknown)
STATUS 0×00b0 COMMAND 0×0007 CLASS 0×02 0×00 0×00 REVISION 0xa2 BIST 0×00 HEADER 0×00 LATENCY 0×00 CACHE 0×00
BASE0 0xefffd000
BASE1 0×0000f600
BASE2 0xefffc000
BASE3 0xefffb000
BASEROM 0×00000000 addr 0×00000000
MAX_LAT 0×14 MIN_GNT 0×01 INT_PIN 0×01 INT_LINE 0×0f

It’s there so it must need a hardware driver to function.

After Google searching a bit I found the following driver:

The steps straight outta the README

1. gunzip nfo-2.6.3.tar.gz
2. tar -xvf nfo-2.6.3.tar
3. cd nfo-2.6.3
4. rm obj Makefile
5. ln -s Makefile.${KARCH}_${COMPILER} Makefile ( for me it was ln -s Makefile.amd64_gcc Makefile )
6. ln -s ${KARCH} obj ( for me it was ln -s amd64 obj )
7. rm Makefile.config
8. ln -s Makefile.config_gld3 Makefile.config
9. /usr/ccs/bin/make
10. /usr/ccs/bin/make install
11. cp nfo.conf /kernel/drv/nfo.conf
12. ./ (I had to reboot here and resume at the following steps, YMMV)
13. modload obj/nfo
14. devfsadm -i nfo
15. ifconfig nfoN plumb ( where N is the device number, for me it was nfo0 )
16. ifconfig nfo0 dhcp start ( this is if you want your interface to use DHCP )
17. touch /etc/dhcp.nfo0 ( this is if you want your interface to use dhcp when it come back up)
18. edit /etc/nsswitch.conf ( Where it says host: files, change it to host: files dns )
19. reboot —r

All is well now.

Today is the day...RootWars!

The last 10 days have been a whirlwind of computer power geeking:

1. Crash course on Opensolaris, I chose it for whatever reason and am now glad for it. I had the opportunity to learn the platform and some basic administration for the OS such as installing GCC, adding NICs, managing accounts, adding package repositories, installing TUN/TAP, bridging and tunctl capabilities from source, getting NTP to work correctly as a Stratum 3 server, centralized syslog, getting packet sniffing to work correctly, etc.

2. Getting an ircd-hybrid IRC server up and running in SSL mode with an accompanying Eggdrop bot on Opensolaris.

3. Cloning the Rootwars Virtualbox HD image using VBoxManage and learning a lot about Virtualabox and its networking capabilities (or lack thereof).

4. Writing documentation such as Rules of Conduct (with a manual scoring system), a Survival guide (based on the old materials...R.I.P. epic), instructions how to connect to the IRC server with SSL enabled, etc.

5. Configuring the Rootwars image itself (standing on the shoulders of giants, thanks j0e!), getting NTP, syslog and general networking to function correctly in a Redhat 9 Virtualbox appliance.

6. Being introduced to Securix-NSM, this will be the monitoring platform I will use for a sguil server and connect sguil clients via Mac OSX and Backtrack 4. Securix-NSM will also be running as a Virtualbox appliance. As a standby I also created OSSIM, HeX Live and Honeywall Roo Virtualbox appliances.

There was more...I probably won't be able to recall it in totality until the smoke clears and I have had a chance to review my notes and soak in the entire experience.

I'm very excited about the Rootwars this evening and the hands on experience it will deliver to the students and participants.

May Your Skill Prevail

Tuesday, May 4, 2010


I have spent the last week and a half putting together a Rootwars exercise for the IS317 Hacking and Network Defense class that will run over the course of the next 3 weeks. The bastion host is running Opensolaris with Virtualbox 3.1.6. The Rootwars images are Redhat 9 appliances with built in backdoors, trojans and rootkits. The whole thing will be monitored using Securix-NSM and sguil. I plan to post a link when the exercise is complete with a .pcap file as well as an analysis of what worked and what didn't. I wouldn't have been able to put this together on such a short time schedule without the assistance of Joe McCray of Thanks j0e!

Stay tuned.

May Your Skill Prevail.

"Training" Now

Who would have ever thought? For the past few months I have been presenting a Security Workshop for ITT Tech and providing instruction and labs for Bachelor level classes (Firewall/VPN and Windows Security classes last quarter, Hacking and Forensic classes this quarter).

Its been very rewarding transferring my knowledge in the field to up and coming Information Security Professionals. I look forward to what the future brings in this regard.