0x02 Ethical Hacking Series Building Your Own Hacking Lab PDF

The document provides guidance on building an ethical hacking lab. It recommends considering the intended hacking activities, available resources, and types of equipment needed. Virtual machines are useful but bare metal systems have advantages for certain tasks. The document provides tips on network configuration, choosing operating systems for attacker and victim machines, and configuring victim machines at different security levels to simulate real-world scenarios.

Ethical Hacking Series:
0x02 – Building Your Own Hacking Lab

JaxHax Makerspace
Travis Phillips
About Me
● Member of Jax Hax since it opened.
● Specializes in Ethical Hacking, IT Security,
and penetration testing.
● Formerly a programmer.
● Enjoys electronics, Linux, embedded
systems, anything hackery-ish, small
physical projects from time to time to keep
hands-on skills honed, puzzles, Open
Source everything, and lock picking.
● Easy to find. Big dude dressed in black or
grey. Seek me out anytime you are here.
Intended Audience
● This is intended as an intro class as part
of a series of classes.
● This is a class that is for people who are
interested in security and require proof
it's working!
● This class covers the basics of building a
lab so that you will have a safe
environment to play in.
– DON'T BE AFRAID TO STOP ME TO ASK
QUESTIONS!
– The only stupid question is the question never
asked.
So Why Do I Need a Hacking Lab?
● Keeps vulnerable software off your real
machine.
● A lab provides you a controlled environment
for your testing.
● You'll have physical access to the machines
for troubleshooting.
So Why Do I Need a Hacking Lab?
● I'm teaching you things
that if conducted on
machines you don't own,
it's illegal! Hacking
machines you do own
however is legal!
● Not providing a lab setup
is like giving a kid a BB
gun without targets and
cutting him loose in the
outside; It can only end
badly!
Things to Consider When Building A Hacking Lab
● What sort of hacking research are you looking to do?
● Network Exploits
– DoS
– MitM
● Software Exploits
– Linux
– Windows
– Mac
● Web Attacks
● Mobile Devices
● Malware Research
● Reverse Engineering
● Wireless
● Crypto
What Resources Do You Have On Hand?
● Any old bare metal boxes lying around?
● Is your rig beefy?
– Plenty of memory and CPU for VMs?
● Any networking equipment lying around?
– Old ISP modems are usually great!
● Wifi and a 4 port switch are usually built-in
● Usually provide DHCP, Firewall, and DNS.
● Dumb network hubs are AWESOME!!!
● A USB drive you can dedicate to the Lab
What to consider when buying equipment?
● Networking equipment can usually be mid
tier SOHO gear.
– Although port mirroring/spanning can help
when it comes to sniffing.
● Machines can usually be home use grade.
– Keep architecture in mind!
● x64 can run x86 and x64 OSs but not the
other way around!
● If you want to test against ARM
architectures I would suggest an ODROID
or Raspberry Pi
Raspberry Pi & ODROID
● Raspberry Pi
– $35
– 700 MHz CPU
– 512 MB RAM
– HDMI+RCA
– GPIO Pins
● ODROID
– $65
– 1.7 GHz quad core CPU
– 2 GB RAM
– HDMI
What to consider when buying equipment?
● Get a beefy rig if you are planning on doing
crypto or password cracking heavily.
● Beefy rigs also make running VMs easier.
● Hard drives are cheap so if you're planning
on VMs, get large drives!
● Beefy rigs can also double as servers.
● Make your lab easy to reconfigure for various tests.
Network Considerations
● Is internet required? More importantly, should it be present? Depends on what you're researching!
● Can be present for:
– Local machine exploits
– Web Attacks
– Remote machine exploits on LAN
– Crypto
– MITM Attacks
– Mobile Devices
● Probably don't want it around when:
– Malware Research
– Reverse Engineering
– DoS Attacks
– Testing "In the wild" Hacking Tools
Network Considerations
● Build your lab so that internet can be
connected and disconnected easily on an as
needed basis.
● Keep your home LAN and Hacking Lab
isolated from each other if possible.
● VMware and VirtualBox both have network
settings that also contain Host Only
communications.
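As an added example (not from the slides), the following POSIX shell script builds that isolation in VirtualBox with VBoxManage: a host-only network for the lab segment, and a second NAT-attached NIC whose virtual cable can be plugged in or unplugged to toggle internet access on an as-needed basis. The VM names, the vboxnet0 interface name and the 192.168.56.0/24 subnet are assumptions; set LAB_DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the slides. Builds an isolated VirtualBox lab:
#  - NIC1 of every lab VM sits on a host-only network (lab <-> host only,
#    nothing bridged onto the home LAN)
#  - NIC2 is NAT for internet, with its virtual cable unplugged by default
# Assumptions: VirtualBox installed, VMs in LAB_VMS already exist, and the
# host-only interface created is vboxnet0 (check the name printed by
# "hostonlyif create" if you already have one).
LAB_NET="${LAB_NET:-vboxnet0}"
LAB_HOST_IP="${LAB_HOST_IP:-192.168.56.1}"
LAB_VMS="${LAB_VMS:-Kali Metasploitable2}"

# LAB_DRY_RUN=1 prints each VBoxManage command instead of executing it.
run() {
    if [ "${LAB_DRY_RUN:-0}" = "1" ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

lab_create_network() {
    run hostonlyif create
    run hostonlyif ipconfig "$LAB_NET" --ip "$LAB_HOST_IP" --netmask 255.255.255.0
    # DHCP so victims get lab addresses without touching the home router
    run dhcpserver add --ifname "$LAB_NET" --ip "$LAB_HOST_IP" \
        --netmask 255.255.255.0 --lowerip 192.168.56.100 \
        --upperip 192.168.56.200 --enable
}

# lab_attach_vm NAME: put NAME on the lab segment, internet cable unplugged
lab_attach_vm() {
    run modifyvm "$1" --nic1 hostonly --hostonlyadapter1 "$LAB_NET"
    run modifyvm "$1" --nic2 nat --cableconnected2 off
}

# lab_internet on|off NAME: plug or unplug NIC2 of a running VM
lab_internet() {
    case "$1" in
        on|off) run controlvm "$2" setlinkstate2 "$1" ;;
        *) echo "usage: lab_internet on|off VM" >&2; return 1 ;;
    esac
}

# lab_setup: one-shot build of the network and every VM in LAB_VMS
lab_setup() {
    lab_create_network
    for vm in $LAB_VMS; do lab_attach_vm "$vm"; done
}
```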
Virtual Machines
● VMs are great for
hacking labs!
● Tons of vulnerable
hacking VMs already
pre-built and ready to
download.
● Easy to manage
● Portable - take your lab with you on your laptop if it has the horsepower!
VM vs Bare Metal
● VMs are great but bare metal has its perks
too!
– DoS attacks against VMs come full circle.
You're attacking yourself basically and this
affects the results.
– Network isn't bridged through drivers on
your box. This bridging sometimes affects
MITM and network based attacks.
– Dedicated hardware relieves your machine of heavy lifting such as crypto analysis.
VM vs Bare Metal
● Another bare metal machine is not your box
like a VM.
– Keep this in mind with Malware research
– Some malware has been seen to use
exploits to escape VMs and infect the host
OS.
– Some malware (a lot of malware actually)
won't run if it detects the OS is in a VM.
● Anti-virus researchers used to use VMs for
reverse engineering malware.
● Security researchers used VMs as
honeypots.
VM vs Bare Metal
● If special hardware is needed for the attack then bare metal generally will give you fewer issues.
– E.g. Wifi packet injection, software defined
radio, video cards.
● Remember the network traffic has to pass
through the host OS network stack.
● Windows network stack can break things
from time to time since it doesn't allow raw
sockets.
OS For Attacker Machine(s)
● Kali is a great choice if you're new to hacking or just don't have time to roll your own attack machine.
– Kali is a Linux (Debian) based distro geared towards pentesting.
– Loaded with tons of tools, ready to go!
● Use Linux and roll your own toolkits on to it.
– Takes more time but you get exactly what
you want.
– Configured to your specs with nothing
extra
OS For Attacker Machine(s)
● One Windows machine for hacking
● Windows isn't ideal for hacking but not a
bad idea to practice with.
● Also requires expensive licenses.
● Pivoting will sometimes require you to launch your attacks off of a Windows box.
● Personally, I just use one of the Windows victim boxes in my lab for this purpose.
OS For Victim Machines
● Older versions of either Linux or Windows work great.
– Turn off automatic updates to keep them vulnerable.
– Many of these are missing modern exploit prevention methods, which makes learning easier at the start.
● These protections can be disabled on a lot of Linux systems.
● Add a few more modern OSs to provide real-world challenges and to compare how the changes affect the exploits.
Victim VMs for example
● Metasploitable2
– Old Ubuntu Server loaded with vulnerable software and misconfigurations.
● Web Security Dojo
– Loaded with a few vulnerable web hacking labs and the tools needed to exploit them.
● De-ICE VMs
– Hacking cases set up as part of a wargame.
● Check out vulnhub.com & pentesterlab.com
for tons more!
Finding Vulnerable Software and Services for Victims
● Vulnerable learning VMs can come with vulnerabilities both in the OS and in the installed software.
● Linux developers like to use SVN or Git, which keep every change made to the software, so you can pull any older revision from the repository.
● Some vendors leave old vulnerable versions of software available for download.
– Example: the Windows tftpd32 server from tftpd32.jounin.net
● Older versions contain known buffer overflows.
Finding Vulnerable Software and Services for Victims
● A lot of vendors don't do this though...
● So for them you can check out oldversion.com
● Lots of old vulnerable software available here:
– Browsers
– Flash
– Java
– Media Players
Configuration of the Victim Machines
● Try to make it either a learning lab or a real-world case-study lab.
● Give the machines different levels of security:
– Weak to strong passwords
– Some users following bad practices (storing passwords in text files), others paranoid (encrypted files).
Configuration of the Victim Machines
● Should be configured so some machines
are just defaults.
– No anti-virus.
– Host Firewall on by default.
– Think like an end user, do as little as
possible to make changes.
Configuration of the Victim Machines
● Others should have relaxed "Corporate LAN settings":
– Host based firewalls off
– remote admin (RDP, SMB/NETBIOS, VNC,
SSH) might be enabled.
– Anti-virus solution likely present on
workstations, possibly on servers.
Configuration of the Victim Machines
● Others might be servers with any of the following:
– Paranoid admins (lock it down with
defense in depth)
– Lazy admins or devs (open up things for
debugging purposes)
– New admins (take all the defaults.)
Managing Machines in the Lab
● Once configured the way you want, you will want to make a backup for reference and to restore from if needed.
● For VMs you can use snapshots
– Also not a bad idea to just keep a copy of
the image files backed up so you can just
restore it.
● For bare metal you can use disk cloning
– Clonezilla can make a backup image of
the drive.
Managing Machines in the Lab
● For Raspberry Pi and ODROID:
– These boot from SD cards.
– You can use the Linux tool 'dd' to make a raw dump of the SD card to an image file.
– You can also restore it using 'dd'.
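An added example (not from the slides): a small POSIX shell wrapper around dd that dumps the card to an image, records a SHA-256 checksum alongside it, and refuses to write a restore from an image whose checksum no longer matches, so a corrupted or truncated backup never reaches a card. The device path is an assumption; on real hardware you would pass the unmounted block device (for example /dev/sdX) and run as root.

```shell
#!/bin/sh
# Added example, not from the slides: back up and restore a Pi/ODROID SD card
# with dd, keeping a SHA-256 of the image so a corrupted or truncated backup
# is caught before it is ever written back to a card.
# DEVICE is an assumption, e.g. an unmounted /dev/sdX; the functions work on
# plain files too, which is how they can be tried without a card.
# Use absolute paths (or stay in one directory) so sha256sum -c finds the image.

# backup_image DEVICE IMAGE: raw dump of the whole card, plus IMAGE.sha256
backup_image() {
    dev="$1"; img="$2"
    # conv=fsync makes dd flush to disk before it reports success
    dd if="$dev" of="$img" bs=4M conv=fsync || return 1
    sha256sum "$img" > "$img.sha256"
}

# verify_image IMAGE: 0 if the image still matches its recorded checksum
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# restore_image IMAGE DEVICE: write the image back, but only if it verifies
restore_image() {
    img="$1"; dev="$2"
    if ! verify_image "$img"; then
        echo "refusing to restore: $img does not match $img.sha256" >&2
        return 1
    fi
    dd if="$img" of="$dev" bs=4M conv=fsync
}
```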
Example Labs (Memory Corruption Bug Lab)
Example Labs (Malware Lab)
Example Labs (Reversing Lab VM)
Example Labs (Reversing Lab)
Example Labs (Mobile Lab)
Example Labs (Mobile Physical Lab)
Example Labs (Web Hacking Lab)
Example Labs (Pivoting Lab)
Example Labs (Wifi Labs)
Notice Anything With Those Examples?
● Two common themes we saw were:
– A standalone machine running VMs
– An air gap network.
● These two are very well rounded lab
configurations.
● I'd recommend a VM lab first and then the
air gap second unless you are doing
malware research.
Hacking Outside the Lab Legally
● There are hacking
sites and challenges
that you can play on
legally outside your
lab.
● The two major ones
you will see are
wargame sites and
CTFs
Wargames
● Wargames are sites hackers setup to allow
hackers to hone their skills. Here are a few:
– https://www.hackthissite.org/
– http://www.bright-shadows.net/
– http://www.wechall.net/
– http://www.thisislegal.com/
– http://overthewire.org/
– http://www.net-force.nl/
CTFs (Capture The Flag)
● Capture The Flag games are contests where hackers work alone or in teams. The goal is to capture flags in the challenges and gain the most points.
● There are usually 3 types of CTFs
– Jeopardy
– Network Based
– Red vs Blue Team
CTFs (Capture The Flag)
● Jeopardy – A board of challenges, usually file-based hacking (Forensics, Memory Corruption, Reverse Engineering). Beating a challenge gives you a flag to redeem for points.
● Network based – These give the players a network; they try to hack boxes on the network that give them a flag to redeem, or the boxes hold a control file you put your name in, and a scorebot credits points to that team every 10 minutes or so. You have to fight to protect it.
CTFs (Capture The Flag)
● Red vs Blue Team – This is a game where players are broken up into two teams. The blue team is required to defend the network while providing the services that are required. The blue team gets a head start before the red team is allowed to attack the network.
CTFs
● Events that come up:
– Most security conferences will host one.
– CSAW
– Raytheon SI hosts the "Ghost in the Shellcode" CTF.
● Can't wait to start?
– http://repo.shell-storm.org/CTF/
● This guy has a major archive of the challenges from several CTFs.
Recap
● A hacking lab makes life easier and is
simple to setup. No excuse for failure to set
one up.
● Safe place to conduct your experiments.
● If you're in IT, you probably have most of this equipment.
● Make your lab flexible!
Questions?
Next Month – FREE IT Sec Conference!

November 15th is the 1st ever B-Sides Jax Information Security Conference!
● Free and open to the public, but please RSVP!
● http://bsidesjax.org/
Next Presentations
● Introduction to Base Numbering Systems
and ASCII.
● Common Networking Protocols, Sniffing,
and The Joys of RFCs
● Using OSINT (Open Source Intelligence)
For Footprinting and Passive Recon
● Scanning For Hosts and Services
Thanks For Coming Out!
