Installing Kali Linux on ProxMox – Building a Penetration Test Lab – Part 2

In the process of building a Penetration Test Lab, I wanted to get started with the installation of Kali Linux virtual machine running on ProxMox. To get started, first download the latest version of Kali Linux (ISO) here. Grab the version

Kali 64 bit ISO | Torrent 2.6G 2017.1

Build your new VM (Proxmox > Create VM) using the ISO you’ve downloaded.

According to other user’s accounts of Kali not working after installation, it’s recommended to change the display type to VMWare compatible: After building the VM, change Hardware > Display > Edit > Choose VMWare compatible:

Kali installs onto a virtual hard drive on ProxMox (we will not be running a “live” version of Kali.) Start the new VM and scroll down the menu and choose Install  – (not GUI install.)

During installation, when grub asks where to have grub installed, choose “select your own location.”
Manually enter the path: /dev/sda
Otherwise, if you choose the ‘default’ or the path already listed, after completing the installation and a restart, you’ll get a message “Booting from Hard Disk” and the boot sequence will not complete, the VM will essentially hang.

Kali has completed its setup, I’ve booted the Kali VM, I’ve logged in, and I’m on the desktop.

Run apt-get update and apt-get upgrade to update the packages on your system.

Before we go on to complete the setup of the rest of our lab with known-vulnerable hosts, let’s run some cursory nmap scans.

Let’s run a ping scan on our own network with the command:

nmap -v -sn 10.0.10.0/24

This says: nmap, print verbose output (-v), do a Ping Scan (-sn) – (disable the default port scan for each address), and use the network 10.0.10.0 with a CIDR of /24.

This scan will attempt to ping all 254 addresses. The highlights of the scan are below:

root@HN-kali01:~# nmap -v -sn 10.0.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-04 15:13 PDT
Initiating ARP Ping Scan at 15:13
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 15:13, 1.95s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 15:13
Completed Parallel DNS resolution of 255 hosts. at 15:13, 5.53s elapsed
Nmap scan report for 10.0.10.0 [host down]
Nmap scan report for pfSense2x.jasoncoltrin.local (10.0.10.1)
Host is up (0.00048s latency).
MAC Address: 62:65:B1:30:52:A7 (Unknown)
Nmap scan report for 10.0.10.2 [host down]
Nmap scan report for 10.0.10.3 [host down]

...
...
Nmap scan report for 10.0.10.51
Host is up (0.00049s latency).
MAC Address: 18:03:73:34:34:36 (Dell)
Nmap scan report for 10.0.10.52 [host down]
Nmap scan report for 10.0.10.53 [host down]

So here we see that the scan detected my pfSense virtual machine firewall on IP 10.0.10.1, and gave me the MAC Address.

Let’s take a closer look at my the Dell workstation found on 10.0.10.51. To do so, let’s run a port scan:

nmap -p 1-65535 -sV -sS -T4 10.0.10.51

This scan does the following:

Run a full port scan on ports 1-65535, detect service versions, run a Stealth Syn scan, use T4 timing and the target of the scan is IP 10.0.10.51.

Below are the results:

root@HN-kali01:~# nmap -p 1-65535 -sV -sS -T4 10.0.10.51

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-04 15:17 PDT
Nmap scan report for 10.0.10.51
Host is up (0.00047s latency).
Not shown: 65528 filtered ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
2179/tcp  open  vmrdp?
27036/tcp open  ssl/steam    Valve Steam In-Home Streaming service (TLSv1.2 PSK)
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 18:03:73:34:34:36 (Dell)
Service Info: Host: JCDESKTOP; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.84 seconds

Because I don’t always like to use my new Kali VM via the ProxMox console, I want to run my Kali desktop over VNC & SSH. Here is a good resource for learning how to connect to your Kali Linux system with VNC over a secure SSH connection:

In the next post, we’ll look some more at NMAP, as well as some other pen-test tools.

 

Security – Blue Team – Building a security project on a budget

How to Create and Build a Security Profile for Your Network on a Budget – Part 1

Start with Building a Foundation (or use an existing good one).

Credit to Kyle Bubp & irongeek.com: http://www.irongeek.com/i.php?page=videos/bsidescleveland2017/bsides-cleveland-102-blue-teamin-on-a-budget-of-zero-kyle-bubp

Use a Base Framework for your security project. There are a lot of standards available and the NIST government standards are a good solid foundation:

  • NIST 800-53
  • NIST Cybersecurity Framework
  • NIST CSF Tool
  • CIS Critical Security Controls
  • NIST-CSF tool – this is a nice visual tool – graphical interface for the stages of building a security program

Document everything

A core documentation repository is critical when setting up a security project – others will follow you and will need to look up the information you have recorded. It’s best to have a security incident response ticketing system and documentation before you need it. Have these tools up and ready.

For policy, procedure, how-tos, etc:

  • MediaWiki(free)
  • Atlassian Confluence ($10 for 10 users) – glyfee plugin for confluence
  • OneNote/SharePoint – not every company is entirely open source

Incident Response Ticketing/Documentation systems:

Map out your entire network

  • NetDB – Uses ARP tables and MAC databases on your network gear. (use a service account and NetDB will use ssh/telnet to find every device connected, will give a nice http interface. You can setup a cron job that will scan NetDB database every hour. You can pipe new device connections to an email address. Knowing if something comes onto your network is critical.

.ova is available at https://www.kylebubp.com/files/netdb.ova

Supports the following: Cisco, Palo Alto, JunoOS, Aruba, Dell Powerconnect

  • nmap scans + ndiff/yandiff – not just for red teams; export results, diff for changes. Alert if something changed.
  • NetDisco

https://sourceforge.net/projects/netdisco – uses SNMP to inventory your network devices.

  • Map your network – create a Visio document and have a good network map.

Visibility

Facebook-developed osquery and this tool can give you all you need.

Agents for MacOS, Windows, Linux

Deploy across your enterprise w/ Chef, Puppet, or SCCM

Do fun things like search for IoC’s (FBI file hashes, processes) – pipe the data into ElasticStack for visibility & search-ability

User Data Discovery

OpenDLP – (github) or (download an .ova) – will scan file shares and using a normal user account you can scan for available shares and data. Run over the weekend and see what you can find. Find the data owners and determine where the data should reside.

Hardening Your Network

CIS Benchmarks – Center for Internet Security Benchmarks: 100+ configuration guidelines for various technology groups to safeguard systems against today’s evolving cyber threats.

Out of the box, windows 10 is 22% for the CIS benchmark.

It’s difficult to secure your network if everything is a snowflake. While not exciting, configuration management is important. Deploy configs across your org using tools like GPO, Chef, or Puppet.

Change management is also important – use git repo for trackign changes to your config scripts.

Safety vs. Risk

Scanning for Vulnerabilities:

OpenVAS (greenbone) is a fork of Nessus which is still maintained, is the default vulnerability scanner in AlienVault. It does a great job in comparison with commercial products. Be careful, do some safe scans first and it’s not recommended to scan critical life-support equipment for example in a hospital.

Scan web apps:

Arachni Framework – for finding bugs in your developer’s code

OWASP ZAP (Zed Attack Proxy)

Nikto2 (Server config scanner)

Portswigger Burp Suite (not free – $350)

Harden your web servers:

Fail2ban – python-based IPS that runs off of Apache Logs

ModSecurity – Open source WAF for Apache & IIS

 

 

 

Dell Latitude 3450 cannot install windows 7 with samsung se-208 DVD driver missing

So I recently had problems installing Windows 7 SP1 with an original certified Dell installation DVD using a Samsung thin profile SE-208 external USB DVD/CD. Upon booting to the Windows 7 installation, after telling the Windows 7 installer to go ahead, it said that the DVD/CD ROM drivers were missing. I also could not install with a bootable Windows 7 USB key that I created by first ripping the Dell DVD to an ISO with IMG Burn, and then creating a bootable USB drive with rufus-2.12.exe. The same error – no drivers detected. After finding this post here, it came to me that I had only tried the external DVD drive on the USB port that is on the right-hand side of the laptop (USB 3.0). I instead connected the external USB DVD drive into the Left-hand side of the laptop USB port (USB 2.0) and booted the DVD into the installation and proceeded normally. So if this happens to you, connect your bootable device to only a USB 2.0 port, when trying to install Windows 7 on a newer PC or laptop that has both USB 2.0 and USB 3.0 ports!

Fix ubuntu when the OS will not boot – kernel panic – kernel panic not syncing vfs unable to mount root fs on unknown-block 0 0 – error /boot full remove old kernels from command line

To begin, it will probably take at least 30 minutes resolve this issue…

This fix solved my problem with the “vfs unable to mount root fs” error, but of course your results may vary. As always, first backup your system or do an export of the vm so you have a copy of the system as it existed before you started screwing around with it 😉

After running apt-get update / apt-get upgrade and then a reboot, you may receive the following error: kernel panic not syncing vfs unable to mount root fs on unknown-block 0 0 on ubuntu 16.04.

In many cases this  will be due to the /boot drive becoming 100% full because many updates have been made to the kernel. By default, ubuntu will retain the old kernels and add them to the list of available kernels you can boot into in the Grub2 boot loader menu. You can confirm that your drive is full by issueing the command:

df -h

The result will likely show the following:

In order to resolve this issue and boot successfully, while you’re looking at the error during boot, (you should already be at the console), and restart the vm or computer into the Grub2 menu then choose “Advanced options for ubuntu” view where you can see a list of old kernels you can boot into. Some report you can do this booting with the Shift key held down, or in the event it’s a virtual machine, you should be able to arrow-down in the Grub start screen and choose Advanced options for ubuntu on startup:

Grub2 boot menu.

Once you go into the advanced boot menu you will likely see several kernels listed. Choose the next-oldest kernel from the top/highest version of kernels. In my case I booted into the version labeled Ubuntu, with Linux 4.4.0-57-generic (my boot menu screenshot below is clean, but you’ll likely see several kernels listed).

Cross your fingers and hope you get to your login prompt. From here I jumped on putty and connected from that client, as I prefer it over the console.

Next, login and follow the directions that I found here:

http://askubuntu.com/questions/2793/how-do-i-remove-old-kernel-versions-to-clean-up-the-boot-menu

To save you the search, here are the instructions I used to first list and then remove the old kernels:

Open terminal and check your current kernel:

uname -a

DO NOT REMOVE THIS KERNEL! Make a note of the version in notepad or something.

Next, type the command below to view/list all installed kernels on your system.

dpkg --list | grep linux-image

Find all the kernels that are lower than your current kernel version. When you know which kernel to remove, continue below to remove it. Run the commands below to remove the kernel you selected.

sudo apt-get purge linux-image-x.x.x.x-generic

Or:

sudo apt-get purge linux-image-extra-x.x.x-xx-generic

Finally, run the commands below to update grub2

sudo update-grub2

Reboot your system.

sudo reboot

As you can see from my terminal history, I had to remove a few:

589  uname -a
 590  dpkg --list | grep linux-image
 591  sudo apt-get purge linux-image-4.4.0-21-generic
 592  sudo apt-get purge linux-image-4.4.0-22-generic
 593  sudo apt-get purge linux-image-4.4.0-24-generic
 594  df -h
 595  sudo apt-get purge linux-image-4.4.0-24-generic
 596  sudo apt-get purge linux-image-4.4.0-28-generic
 597  sudo apt-get purge linux-image-4.4.0-31-generic
 598  sudo apt-get purge linux-image-4.4.0-34-generic
 599  sudo apt-get purge linux-image-4.4.0-36-generic
 600  sudo apt-get purge linux-image-4.4.0-38-generic
 601  df -h
 602  sudo apt-get purge linux-image-4.4.0-42-generic
 603  sudo apt-get purge linux-image-4.4.0-45-generic
 604  sudo apt-get purge linux-image-4.4.0-47-generic
 605  sudo apt-get purge linux-image-4.4.0-51-generic
 606  sudo apt-get purge linux-image-4.4.0-53-generic
 607  sudo update-grub2
 608  dpkg --list | grep linux-image
 609  df -h
 610  sudo apt-get purge linux-image-extra-4.4.0-21-generic
 611  sudo apt-get purge linux-image-extra-4.4.0-22-generic
 612  sudo apt-get purge linux-image-extra-4.4.0-24-generic
 613  sudo apt-get purge linux-image-extra-4.4.0-28-generic
 614  sudo apt-get purge linux-image-extra-4.4.0-31-generic
 615  sudo update-grub2
 616  df -h
 617  sudo reboot
 618  dpkg --list | grep linux-image
 619  uname -a
 620  sudo reboot

After the reboot, you can see my /boot partition returned to a manageable size:

I hope this post helps someone save some time and help them fix their ubuntu boot problems. Please leave a comment if this helped resolve your issue or if there is a smarter/faster way to fix this problem.

Get a list of computers, 32/64 bit architecture, Service Pack level, and IP address in active directory with PowerShell

To get an inventory .csv file list of all computers in AD, run the following command in powershell:

Make sure you import Active Directory modules into PowerShell prior to running the command.

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion,ipv4* | Export-Csv -Path "c:\admin\ComputersList.csv"

If you first receive the following error:

“The term ‘Get-ADComputer’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”

This error indicates that the Active Directory module has not been imported into PowerShell. First do this by running the command:

import-module activedirectory

This script should produce and export a .csv file list that looks like the following:

Name OperatingSystem OperatingSystemServicePack OperatingSystemVersion IPv4Address
DC01 Windows Server 2008 R2 Standard Service Pack 1 6.1 (7601) 10.1.3.4
JasonCWKS Windows 7 Professional Service Pack 1 6.1 (7601) 10.1.2.129
JColtrinWin7 Windows 7 Professional Service Pack 1 6.1 (7601) 10.1.2.85

If you want to take this further, and get the csname (computer name), caption (Operating system title), OS Architecture (32/64 bit), and ServicePackMajorVersion (service pack level) from a list of IP’s that the previous command produced you can do the following:

  1. Copy the IP addresses of all the machines to a new file called win7pcs.txt and place it in C:\admin\
  2. Open Powershell ISE  and enter the following script:
$a = Get-Content "C:\admin\win7pcs.txt" 
foreach ($i in $a) 
{Get-WmiObject Win32_OperatingSystem -ComputerName $i | Format-Table csname,caption,OSArchitecture,ServicePackMajorVersion -AutoSize
}

This should produce the following output for each IP address:

csname caption OSArchitecture ServicePackMajorVersion
—— ——- ————– ———————–
JasonCWKS Microsoft Windows 7 Professional 64-bit 1

csname caption OSArchitecture ServicePackMajorVersion
—— ——- ————– ———————–
JcoltrinWin7 Microsoft Windows 7 Professional 32-bit 1

 

Set up Ubuntu as a domain controller with SAMBA on VirtualBox

If you want to run a domain controller on your network but don’t have access to a Windows Server license, you can use SAMBA, the free open-source software, and VirtualBox, the free virtualization software. We’ll describe the procedure for setting up a virtual server using VirtualBox and netboot.xyz iPXE and move on to setting up your domain controller with SAMBA.

Read my full article here:

Set up Ubuntu as a domain controller with SAMBA on VirtualBox

Clone a Ubuntu server in Hyper-V 2012 R2

Ubuntu runs on Hyper-V perfectly fine, so you may want to run many Ubuntu Virtual Machines (VMs) on Hyper-V Server 2012. R2 This article will show you how to clone or duplicate a single Ubuntu server on Hyper-V with different network interfaces and host names. Cloning Linux servers on Hyper-V is easy and quick when you have the right knowledge and tools.

Read my full article here:

Clone a Ubuntu server in Hyper-V 2012 R2