Building an ethical hacking lab on your laptop with VirtualBox – Part 12 – Kali Linux

Kali Linux is a Debian-based penetration testing distribution created by Offensive Security. Its purpose is to make penetration tests and security audits easier by shipping more than 600 tools ready to use.

It is fully customisable and runs on a number of different devices. It was covered in a previous tutorial, where I installed it from source in order to get wireless injection working, and that post received a lot of interest.

Offensive Security has been around for some time and previously created and maintained BackTrack Linux. Kali Linux is a complete overhaul of that OS so that it runs on as many devices as possible and is fully customisable.

Let’s start and get it installed!

Download the ISO from the Kali website and check it against the SHA checksum published next to the download before you boot it. While you are there, take a sneak preview of Kali 2.0, which I am very excited about; the preview of the Reaver Pixie Dust attack towards the end looks fast too!

Click ‘New’, give your machine a name, select the type ‘Linux’ and the version ‘Linux 2.6 / 3.x (64 bit)’ (or the 32-bit version if that is your architecture) and then click ‘Next’

1 - VirtualBox Create Kali Linux virtual machine

Allocate a chunk of memory to the system and click ‘Next’; 2 or 3 GB is fine

2 - Allocate a chunk of memory to Kali Linux

Create a virtual hard drive for Kali by clicking ‘Create’

3 - Create a virtual hard drive for Kali

Click ‘Next’ to continue and create a VDI image

4 - Create a virtual hard drive for Kali select VDI

Select ‘Dynamically allocated’ and click ‘Next’ to continue

5 - Create a virtual hard drive for Kali select dynamically allocated

Allocate some hard drive space to Kali and give it a nice chunk, well above the default, as tool output, wordlists and captures fill this system up quicker than you might expect. Click ‘Create’ to continue

6 - Allocate hard drive space to Kali

Next open the machine’s Settings and change System first: remove the floppy from the boot order and move the CD/DVD to the top with the Hard Disk second

7 - VirtualBox remove floppy move disc and hard drive

Under Storage, select the Kali ISO on your hard drive as the disc in the virtual CD/DVD drive

8 - Select Kali Linux ISO

Under Network, keep the adapter on NAT and click ‘OK’ for the initial install, so that the machine can reach the Internet to update and upgrade to the latest version of everything. Once that is done it gets switched to the internal network so that it only ever talks to the lab

9 - VirtualBox Kali keep NAT as NIC

Now it’s time to start the machine. Select ‘Graphical install’ at the boot menu to continue

10 - Select Graphical Install

Select your language to continue

11 - Select your language

Select your country

12 - Select your country

Select your keyboard layout

13 - Select your keyboard

Wait for the installer components to load

14 - Loading Kali components

Give your system a hostname

15 - Kali system hostname

Leave the domain blank if you don’t have one and click ‘Continue’

16 - Leave domain blank

Enter the password you want to use for root. Kali at this point runs everything as root, so pick a strong one even though the machine will live on an isolated network

17 - Enter Kali root password

Select ‘Guided – use entire disk’ and continue

18 - Select Guided - use entire disk

Yes, you are sure you want to erase everything (it is only the virtual disk you just created), so click ‘Continue’

19 - Yes I want to erase everything

Select ‘All files in one partition’ and click ‘Continue’

20 - All files in one partition

Click ‘Continue’ to finish off the partitioning

21 - Partition Kali disk

Once again select ‘Yes’ and click ‘Continue’ to write the changes and install

22 - Erase it all

Once the partitioning has finished the installer copies files to disk and installs the base system

23 - Copying files to disk

Select ‘No’ when asked to use a network mirror and click ‘Continue’. Note that this typically leaves only the installation media in /etc/apt/sources.list, which is why the Kali repository has to be added by hand further down before the kernel headers can be installed

24 - Kali don't select a mirror

Wait a little while and then select ‘Yes’ to install the GRUB boot loader to the hard disk

25 - Kali continue select grub

You’re nearly finished

26 - Kali nearly finished

When it’s finished you will see the following screen; select ‘Continue’ to finish the install

27 - Kali finished select Continue

Don’t worry if it looks like this for a while

28 - Kali finishing installation

Finally you get to the login screen. Enter the username ‘root’ and the password you set earlier to log in.

29 - Kali login screen

You have probably noticed the screen is not full size and you have to move a slider around. We can fix that by installing the VirtualBox Guest Additions, but first the system needs updating, so run the following

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

The above strings together the update and upgrade of the system to the latest version of everything, accepting the downloads along the way with ‘-y’ for yes

30 - Kali system update upgrade dist-upgrade

Let the system work away for a while and upgrade itself. Feel free to get up and walk around and come back to it in a bit, as this may take some time depending on your Internet speed and the memory allocated to the system

31 - Kali upgrading

Once finished upgrading it will look like the following, without any errors. If the dist-upgrade pulled in a new kernel, reboot now: the Guest Additions build against the headers of the running kernel, and until you reboot uname -r still reports the old one

32 - Kali upgrading finished

Next install the VirtualBox Guest Additions by selecting ‘Insert Guest Additions CD image’ from the Devices entry in the VirtualBox menu

33 - Select to install guest additions

Then run the following (check with mount or ls /media that the CD image really is mounted at /media/cd-rom on your system; the installer lives on the read-only CD, so it is copied to /root before being run)

cp /media/cd-rom/VBoxLinuxAdditions.run /root/
chmod 755 /root/VBoxLinuxAdditions.run
cd /root
./VBoxLinuxAdditions.run

34 - Installing guest additions fail

As you can see the above has failed: the installer builds a kernel module and needs the headers for the running kernel, which are not installed yet. Let’s fix that and get full screen!

Open the sources.list file in /etc/apt/

35 - Check the sources file

Add the Kali package repository line shown below (with no mirror selected during the install the file only points at the installation media, so apt cannot find the headers package until this line is in place)

36 - Add to sources list

After saving the file run an update with

apt-get update

37 - Kali update

Installing the Kali headers for the running kernel now works

apt-get install -y linux-headers-$(uname -r)

38 - Updating the Kali headers works now

And finishes without error

39 - Kali headers finish without error

Running ./VBoxLinuxAdditions.run again from /root will now also complete

40 - VirtualBox guest additions now completes

Reboot and then you will get full screen

41 - Kali reboot

Full screen is great as it will make your life a lot easier in the long run

42 - Kali VirtualBox Guest additions full screen
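The failure in screenshot 34 comes down to ordering: the Guest Additions installer builds a kernel module, so the headers matching the running kernel must be installed first, and after a dist-upgrade that pulled in a new kernel the guest has to be rebooted before uname -r reports the kernel those headers are for. The script below is an added example rather than the page’s own commands; it runs the whole sequence in that order with those two checks. The mount points it searches and the use of dkms are assumptions, so confirm where the CD image is mounted on your guest with mount.

```sh
#!/bin/sh
# Added example, not from the original page: install the VirtualBox Guest
# Additions on a Kali guest with the kernel-header and reboot checks done
# first. Run as root after "Devices > Insert Guest Additions CD image".
# Assumptions: the mount points searched below and the dkms package.
set -eu

# find_additions_installer DIR... -> print the path of VBoxLinuxAdditions.run
# under the first directory that has it; return 1 if the CD is not mounted
# in any of them.
find_additions_installer() {
    for dir in "$@"; do
        if [ -r "$dir/VBoxLinuxAdditions.run" ]; then
            printf '%s\n' "$dir/VBoxLinuxAdditions.run"
            return 0
        fi
    done
    return 1
}

# headers_package_for RELEASE -> the Debian/Kali headers package for a kernel
# release string such as the output of "uname -r".
headers_package_for() {
    printf 'linux-headers-%s\n' "$1"
}

# reboot_needed RUNNING NEWEST -> true when the newest installed kernel is not
# the one running, i.e. after "apt-get dist-upgrade" without a reboot. The
# repository may no longer carry headers for the old kernel, so reboot first.
reboot_needed() {
    [ "$1" != "$2" ]
}

install_guest_additions() {
    running=$(uname -r)
    newest=$(ls -1 /lib/modules | sort -V | tail -n 1)
    if reboot_needed "$running" "$newest"; then
        echo "running kernel $running but $newest is installed: reboot, then rerun" >&2
        return 1
    fi
    installer=$(find_additions_installer /media/cdrom /media/cdrom0 /media/cd-rom) || {
        echo "Guest Additions CD not mounted: insert it from the Devices menu and mount it" >&2
        return 1
    }
    apt-get update
    apt-get install -y build-essential dkms "$(headers_package_for "$running")"
    # The CD is mounted read-only, so copy the installer somewhere writable first.
    cp "$installer" /root/VBoxLinuxAdditions.run
    chmod 755 /root/VBoxLinuxAdditions.run
    /root/VBoxLinuxAdditions.run
}

# Only install when asked, so the functions can be sourced for checking.
if [ "${1:-}" = "install" ]; then
    install_guest_additions
fi
```

Run it as `sh guest-additions.sh install` as root; if it reports a kernel mismatch, reboot and run it again, which is the step the screenshots above had to discover the hard way.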

Take a look around and see what you can do so far with the lab, but remember to switch the network adapter back to the internal network before you do! On NAT the Kali box can still reach the Internet through your host, which is not where you want attack traffic going

43 - Kali internal NIC mode

Building an ethical hacking lab on your laptop with VirtualBox – Part 11 – Damn Vulnerable Web Application (DVWA)

DVWA is much like the install of Metasploitable, and by that I mean simple!

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is, as the name suggests, damn vulnerable. Its main goal is to aid security professionals and allow them to test their skills in a legal environment, and once it is set up on our internal network that is exactly what we get, so let’s get to it!

Download the DVWA live ISO from the download link on their website

In VirtualBox click the ‘New’ button to create a new virtual machine, enter the name, type and version as seen in the image below and click ‘Next’ to continue

1 - DVWA VirtualBox Name Type Version

Allocate 1GB of memory, which is enough; you can always increase it later anyway

2 - DVWA RAM allocation

Leave the creation of the hard drive at the defaults and click ‘Create’ to continue

3 - DVWA create hard drive

Leave the defaults once again and click ‘Next’ to continue, as VDI is fine for what we are doing here

4 - DVWA VDI selection

Defaults are fine again: leave ‘Dynamically allocated’ selected and click ‘Next’ to continue

5 - DVWA Dynamically allocated selection

Leave the defaults again; 8GB is fine, so click ‘Create’ to continue

6 - DVWA Hard disk size

Once created, open the virtual machine settings, remove the floppy and move the CD/DVD and HDD up in the boot order

7 - DVWA remove floppy move disks

Next add the ISO to the CD/DVD drive so that you can boot from it

8 - DVWA add ISO to disc drive

Next change the NIC to the internal network so that this deliberately vulnerable box is never reachable from your local network

9 - DVWA change NIC to internal

Finally boot it up and press Enter to continue at the screen below

10 - DVWA first boot press Enter

At the next screen choose the live boot option, or just wait and it will boot for you with no interaction

11 - DVWA select live boot

Next you will see the following screen, which means you have successfully booted the live CD

12 - DVWA Booted

In the next instalment we will go through the installation and configuration of Kali Linux, a penetration testing distribution created for security professionals and researchers. You will then have something to poke the vulnerable systems installed so far with, and can see what you can do in a safe environment.

 

Building an ethical hacking lab on your laptop with VirtualBox – Part 10 – Metasploitable

Following on from the installs and configurations so far of pfSense, Linux Mint and a whole host of applications that turned that system into a Network Intrusion Detection System (NIDS), it is now time to install some deliberately vulnerable OSes. They let you both attack and forensically analyse the attacks, and understand what is actually going on within your environment from the point of view of both the attacker and the incident responder (IR) later down the road.

First download Metasploitable 2

Once you have extracted the zip, the folder inside called Metasploitable2-Linux should have the directory structure seen in the image below:

1 - Extracted Metasploitable zip file

You now have a virtual machine disk that is already configured for you and full of vulnerabilities, which is great for practice. Next open VirtualBox and click ‘New’ to create a new virtual machine.

Configure it with a name of your choosing, select Linux for the type and Ubuntu (32 bit) for the version and click ‘Next’

2 - Creating the metasploitable vm

Adjust the memory and click ‘Next’. You can give the system 1GB, but I like to give it 2GB, which can always be adjusted at a later stage anyway.

3 - Adjusting the metasploitable vm RAM

Because you already have the vmdk hard disk downloaded, point the wizard at the extracted files: click ‘Use an existing virtual hard drive file’, click the little folder icon with the upward green arrow to locate the file on your system, select Metasploitable.vmdk and then click ‘Create’ to continue.

4 - Selecting the metasploitable vm hard disk

Once you have completed the previous step you have a system created and ready to spin up, but first we need to make a few adjustments, so navigate to Settings and make the changes outlined below

5 - Metasploitable system settings

Remove the floppy and the CD/DVD, as all you need is the Hard Disk to boot, and then finally make sure the network adapter is set to the internal network. You don’t want this system live on your network: it is full of exploitable holes, as that is the nature of this OS, and its default credentials are public

6 - Metasploitable network settings

Now power up your system, let it load and you will see the following screen:

7 - Metasploitable loaded
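The three VM builds in this series (Kali in Part 12, DVWA in Part 11 and the Metasploitable disk above) are the same VirtualBox wizard with different answers, so here is the whole thing scripted with VBoxManage, including the floppy-free boot order and the NAT-then-internal network switch. This is an added example, not code from the original posts: the VM names, the Debian_64 OS type for Kali, the 40 GB default disk, the internal network name "lab" and the media paths at the bottom are all assumptions to adjust.

```sh
#!/bin/sh
# Added example, not from the original page: build the lab VMs from Parts 10,
# 11 and 12 with VBoxManage instead of clicking through the wizard.
# Assumptions: VM names, Debian_64 for Kali, a 40 GB default disk, the
# internal network name "lab" and the media paths in the build block.
set -eu

# Every VirtualBox call goes through $VBM; set VBM=echo for a dry run that
# prints the commands instead of creating anything.
VBM="${VBM:-VBoxManage}"

# set_lab_nic NAME nat|intnet
# nat    -> adapter 1 on NAT, for the install and apt updates
# intnet -> adapter 1 on the internal network "lab", invisible to the host LAN
set_lab_nic() {
    case "$2" in
        nat)    "$VBM" modifyvm "$1" --nic1 nat ;;
        intnet) "$VBM" modifyvm "$1" --nic1 intnet --intnet1 lab ;;
        *)      echo "set_lab_nic: mode must be nat or intnet" >&2; return 1 ;;
    esac
}

# create_lab_vm NAME OSTYPE MEMORY_MB nat|intnet MEDIA [DISK_MB]
# MEDIA ending in .iso  -> new dynamically allocated VDI plus the ISO in a DVD drive
# MEDIA ending in .vmdk -> attach the ready-made disk (Metasploitable), no DVD drive
create_lab_vm() {
    name=$1; ostype=$2; mem=$3; nic=$4; media=$5; disk_mb=${6:-40960}
    vmdir="${HOME:-/root}/VirtualBox VMs/$name"

    "$VBM" createvm --name "$name" --ostype "$ostype" --register
    # No floppy in the boot order: DVD first, then the disk (Settings > System above).
    "$VBM" modifyvm "$name" --memory "$mem" --vram 16 \
        --boot1 dvd --boot2 disk --boot3 none --boot4 none
    "$VBM" storagectl "$name" --name SATA --add sata --controller IntelAhci

    case "$media" in
        *.vmdk)
            "$VBM" storageattach "$name" --storagectl SATA --port 0 --device 0 \
                --type hdd --medium "$media"
            ;;
        *.iso)
            "$VBM" createmedium disk --filename "$vmdir/$name.vdi" \
                --size "$disk_mb" --format VDI --variant Standard
            "$VBM" storageattach "$name" --storagectl SATA --port 0 --device 0 \
                --type hdd --medium "$vmdir/$name.vdi"
            "$VBM" storagectl "$name" --name IDE --add ide
            "$VBM" storageattach "$name" --storagectl IDE --port 0 --device 0 \
                --type dvddrive --medium "$media"
            ;;
        *)
            echo "create_lab_vm: media must end in .iso or .vmdk" >&2
            return 1
            ;;
    esac

    set_lab_nic "$name" "$nic"
}

# The three builds from the series; only run when invoked as "sh lab-vms.sh build".
if [ "${1:-}" = "build" ]; then
    create_lab_vm kali           Debian_64 2048 nat    "$HOME/kali.iso"
    create_lab_vm dvwa           Ubuntu    1024 intnet "$HOME/dvwa.iso" 8192
    create_lab_vm metasploitable Ubuntu    1024 intnet "$HOME/Metasploitable2-Linux/Metasploitable.vmdk"
fi
```

Kali is the only box built on NAT, for the update run in Part 12; once that is done, source the script and run `set_lab_nic kali intnet` to move it onto the internal network with the rest of the lab. `VBM=echo sh lab-vms.sh build` prints every command without touching VirtualBox, which is a handy way to review the settings first.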

An excellent resource to use is the Metasploit Unleashed free online security training, which you should consider donating to, as all the proceeds go to Hackers for Charity.

I had mentioned in the previous lesson that we would also be installing DVWA, but one thing I forgot was that it is already included in Metasploitable 2 thanks to the creators integrating it within the image. You also have Mutillidae from OWASP installed and ready to go. But as the image is a bit dated we are going to spin up DVWA anyway, as some things like Shellshock, which was previously covered, are now included in the newer version, so it’s worth spinning it up.

Building an ethical hacking lab on your laptop with VirtualBox – Part 9 Linux Mint Snort IDS – Making it permanent

Last but not least, let’s make everything so far permanent with the following Upstart jobs so Snort and Barnyard2 load at boot.

sudo vi /etc/init/snort.conf

129 - Modify snort conf permanent

Add the following to the file. The job runs /usr/sbin/snort; if you only have the source build at /usr/local/bin/snort (the path used in the earlier parts), point exec at that instead:

description "Snort NIDS service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D
end script

Which will make it look like this

130 - Snort conf modification

Run the following. chmod +x makes the file executable, initctl list lists the jobs Upstart knows about, and grep picks out snort from that list

sudo chmod +x /etc/init/snort.conf
initctl list | grep snort

And you should see the following printout on the screen

131 - chmod initctl

Now to create the Barnyard2 job file

sudo vi /etc/init/barnyard2.conf

132 - Barnyard conf modification

Add the following:

description "barnyard2 service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
end script

So it looks like the following

133 - Barnyard file modification

Run the following:

sudo chmod +x /etc/init/barnyard2.conf
initctl list | grep barnyard

You should see the following output

134 - barnyard chmod initctl

Reboot and then check the status of both after the reboot with the following:

service snort status
service barnyard2 status

You should see they both have a running process like below

135 - service snort and barnyard check

That’s it, well done for getting this far! As you can see the ethical hacking lab is coming together quite nicely. Yes it takes time, but don’t rush things, and if things don’t work out, try harder next time.

Next we will be covering Metasploitable and DVWA so stay tuned!

Building an ethical hacking lab on your laptop with VirtualBox – Part 8 Linux Mint Snort IDS – BASE install and configuration

Now to install BASE and get ourselves a little GUI for all of this, but first some more installing

sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear

110 - Installing for Base

It should finish like this. Ignore that error for now; the ServerName setting a few steps down is what fixes it

111 - Prerequisites installed for Base

sudo pear install -f Image_Graph

112 - Install Image graph pear

cd ~/snort_source
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz

113 - cd wget adodb

Extract with:

tar -xvzf adodb518.tgz

114 - tar adodb

sudo mv adodb5 /var/adodb

115 - mv adodb5 to adodb

Run the following to put “snort-nids”, or whatever your hostname is, into an fqdn.conf file in the Apache conf-available directory, which stops Apache complaining that it cannot determine the server’s fully qualified domain name

echo "ServerName snort-nids" | sudo tee /etc/apache2/conf-available/fqdn.conf

116 - echo snort-nids

a2enconf is a script that enables the specified configuration file within Apache, in this case the fqdn one we created in the previous step

sudo a2enconf fqdn
sudo service apache2 reload

117 - a2enconf fqdn apache2 reload

cd ~/snort_source
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

118 - cd wget base

Extract with:

tar -zxvf base-1.4.5.tar.gz

119 - tar base

Configure BASE so that Apache can serve it. The chown hands the tree to the web server user, and the chmod o-r stops other local users reading base_conf.php, which is about to contain the database password:

sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo vi /var/www/html/base/base_conf.php

120 - mv cd cp chown chmod vi

Modify line 50 as follows: $BASE_urlpath = '/base';

121 - Modify line 50 base

Modify line 80 as follows: $DBlib_path = '/var/adodb/';

122 - Modify line 80 base

Modify lines 102 – 106 as follows, using the password you gave the snort MySQL user in Part 6:

$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'YOUR_MYSQL_PASSWORD';

123 - Modify lines 102 - 106 base

Restart the Apache web server:

sudo service apache2 restart

124 - restart apache2

Now in your browser navigate to http://snort-nids/base/index.php and click ‘Setup page’

125 - base first load

Click ‘Create BASE AG’

126 - base create base ag

Success then looks like the following; click ‘Main page’ next

127 - base ag created

You will be brought to the main page and it will look something like the following

128 - Base main page

Have a play around: click on alerts, look at the packet information, download a pcap of an event to analyse further. Just click around and see for yourself! Bear in mind that BASE 1.4.5 is an old PHP 5 application, so keep it reachable only from the internal lab network.

Building an ethical hacking lab on your laptop with VirtualBox – Part 7 Linux Mint Snort IDS – PulledPork install and configuration

Now to install and configure PulledPork, which keeps the Snort rules up to date, but first once again we need to install a few prerequisites

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

81 - Pulled pork prerequisites install

cd ~/snort_source
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz

82 - cd and wget pulled pork

Extract with tar

tar xvzf pulledpork-0.7.0.tar.gz

83 - tar pulledpork

cd pulledpork-0.7.0/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
sudo mkdir /etc/snort/rules/iplists
sudo touch /etc/snort/rules/iplists/default.blacklist

84 - cd chmod cp mkdir touch

Check things are working

/usr/local/bin/pulledpork.pl -V

85 - Check pulled pork

Sign up for a free Snort account and get yourself an oinkcode at the snort.org website, then modify the configuration file located here. The line numbers below are for the pulledpork.conf shipped with 0.7.0; in any other version search for the setting names instead

sudo vi /etc/snort/pulledpork.conf

86 - modify pulledpork conf

Modify lines 19 and 26 to include your oinkcode at the end of the line, where it replaces the <oinkcode> placeholder, which should look something like this. Treat the oinkcode like a password, as it is tied to your Snort account

87 - modify pulledpork conf line 19 and 26

Remove the # at the start of line 27 to also use the open ruleset

88 - modify pulledpork conf un comment

Modify line 72 to match rule_path=/etc/snort/rules/snort.rules

89 - modify pulled pork line 72

Modify line 87 to match local_rules=/etc/snort/rules/local.rules and line 90 to match sid_msg=/etc/snort/sid-msg.map

90 - modify pulled pork line 87 and 90

Modify line 117 to match config_path=/etc/snort/snort.conf

91 - modify pulled pork line 117

Modify line 131 to distro=Ubuntu-10-4

91 - modify pulled pork line 131

Modify line 138 to black_list=/etc/snort/rules/iplists/default.blacklist

92 - modify pulled pork line 138

Modify line 147 to IPRVersion=/etc/snort/rules/iplists

93 - modify pulled pork line 147

Modify lines 194 – 197 to the following

enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf

94 - modify pulled pork line 194 - 197
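Every edit above, and the BASE configuration in Part 8, is given by line number, and those numbers only hold for the exact pulledpork.conf and base_conf.php versions the author installed. The helpers below make the same edits by setting name so they survive a version change. This is an added example and not the series’ own commands; the pulledpork.conf and base_conf.php fragments it is exercised on are constructed for the demonstration, and values containing quotes or backslashes are refused rather than mis-escaped.

```sh
#!/bin/sh
# Added example, not from the original page: edit pulledpork.conf (Part 7)
# and base_conf.php (Part 8) by setting name instead of by line number.
set -eu

# sed_escape VALUE -> VALUE safe to use in a sed replacement with "|" as delimiter.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# set_conf_key FILE KEY VALUE
# Rewrites every "KEY=..." line (commented out or not) to "KEY=VALUE" and
# appends the setting if the key is absent. Not for keys that legitimately
# occur several times, such as rule_url (see set_oinkcode for those).
set_conf_key() {
    file=$1; key=$2; value=$(sed_escape "$3")
    if grep -q "^#*[[:space:]]*$key=" "$file"; then
        sed -i "s|^#*[[:space:]]*$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$3" >> "$file"
    fi
}

# set_oinkcode FILE CODE - fill in the <oinkcode> placeholder on every rule_url line.
set_oinkcode() {
    sed -i "s|<oinkcode>|$(sed_escape "$2")|g" "$1"
}

# enable_line FILE REGEX - strip the leading "#" from every line matching REGEX.
enable_line() {
    sed -i "/$2/s/^#[[:space:]]*//" "$1"
}

# set_php_var FILE NAME VALUE - rewrite "$NAME = '...';" in a PHP config file.
# Values containing ' or \ are refused rather than written out wrongly.
set_php_var() {
    file=$1; name=$2; value=$3
    case "$value" in
        *\'*|*\\*) echo "set_php_var: quotes and backslashes are not supported" >&2; return 1 ;;
    esac
    sed -i "s|^[\$]$name[[:space:]]*=.*;|\$$name = '$(sed_escape "$value")';|" "$file"
}

# The edits from Parts 7 and 8, by name (the line numbers stop mattering):
#   set_oinkcode /etc/snort/pulledpork.conf YOUR_OINKCODE
#   enable_line  /etc/snort/pulledpork.conf opensource
#   set_conf_key /etc/snort/pulledpork.conf rule_path   /etc/snort/rules/snort.rules
#   set_conf_key /etc/snort/pulledpork.conf local_rules /etc/snort/rules/local.rules
#   set_conf_key /etc/snort/pulledpork.conf sid_msg     /etc/snort/sid-msg.map
#   set_conf_key /etc/snort/pulledpork.conf config_path /etc/snort/snort.conf
#   set_conf_key /etc/snort/pulledpork.conf distro      Ubuntu-10-4
#   set_conf_key /etc/snort/pulledpork.conf black_list  /etc/snort/rules/iplists/default.blacklist
#   set_conf_key /etc/snort/pulledpork.conf IPRVersion  /etc/snort/rules/iplists
#   set_php_var  /var/www/html/base/base_conf.php BASE_urlpath   /base
#   set_php_var  /var/www/html/base/base_conf.php DBlib_path     /var/adodb/
#   set_php_var  /var/www/html/base/base_conf.php alert_password YOUR_MYSQL_PASSWORD
```

Run the helpers with sudo against the real files, then diff against a copy of the original before the first PulledPork run; the key-based match also uncomments a setting that ships commented out, which is what the distro and black_list steps above do by hand.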

Run PulledPork for the first time with the following, which downloads the rules and writes them to the paths configured above (-l logs to syslog)

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

95 - Pulledpork update

It should finish successfully like below

96 - Pulledpork update finished

Now modify line 543 of snort.conf to include the single rules file that PulledPork writes

sudo vi /etc/snort/snort.conf

include $RULE_PATH/snort.rules

97 - Modify snort conf line 543

It should look like this

98 - Modified snort conf line 543

Now test that the configuration still validates with the following

sudo snort -T -c /etc/snort/snort.conf

99 - Testing snort configuration

It should finish with the following message showing everything was a success

100 - Snort configuration test success

Some Snort daemon testing again with

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

101 - Snort daemon testing again

Run Barnyard2 again, as a daemon this time, for some testing

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D

102 - Barnyard daemon testing again

Test the database

mysql -u snort -p -D snort -e "select count(*) from event"

103 - MYSQL database testing

I also added the following to /etc/network/interfaces

104 - Modify network interface settings

under the eth1 stanza, to make sure eth1 comes up without an address and stays in promiscuous mode, so that Snort sees every frame on the internal network rather than only those addressed to it

up ip address add 0/0 dev eth1
up ip link set eth1 up
up ip link set eth1 promisc on

down ip link set eth1 promisc off
down ip link set eth1 down

105 - Network interface settings modified

Modify the /etc/rc.local file

106 - Modify etc rc local

to add the lines shown in the screenshot

107 - Modified etc rc local

Create a cron job to fetch new rules every night; select option 2 for nano if asked which editor to use

sudo crontab -e

108 - Modify crontab

Add the following and save the file. It runs PulledPork at 04:01 every day; remember that Snort only picks up the new rules once it is restarted or sent a SIGHUP

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

109 - Create cronjob

Well done getting this far! In the next tutorial we will configure BASE and see all of this through a GUI front-end, to view what is going on within our network, or at least the pings received from the pfSense box.

Building an ethical hacking lab on your laptop with VirtualBox – Part 6 Linux Mint Snort IDS – MySQL & Barnyard2

Time now for a bit more installing before we move on further and configure MySQL:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool gettext automake

54 - More installing

You will be prompted for a password twice, the second time being just a confirmation, for the MySQL root account. Enter a password and remember it for later

55 - MYSQL password

The process should complete without error like below

56 - Install complete

Now navigate to line 520 of the snort.conf file

sudo vi +520 /etc/snort/snort.conf

57 - Navigate to line 520 snort conf

Replace line 520 with the following, deleting the commented line already in place, then save it. This makes Snort write its alerts in the binary unified2 format that Barnyard2 reads

output unified2: filename snort.u2, limit 128

58 - Modify line 520 snort conf

Next we are going to build Barnyard2 from source with the following

cd ~/snort_source
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
mv configure.in configure.ac
autoreconf -fvi -I ./m4

59 - cd and wget barnyard

Use tar to extract the contents of the download

60 - untar the barnyard download

Next cd into the directory, rename configure.in to configure.ac and run autoreconf

61 - cd move autoreconf barnyard

You can ignore the errors at the end of the autoreconf

62 - autoreconf ignore errors

Next run the following to configure Barnyard2 with MySQL support, pointing it at the client libraries for your architecture; in my case this is 64-bit

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

63 - MYSQL configure

It should end without any errors like below

64 - MYSQL configure without error

make

65 - Make barnyard

This should finish without error

66 - Make barnyard without error

sudo make install

67 - Make install barnyard

This should finish with no errors

68 - Make install barnyard without error

Then run the following to put the config in place and create the log directory, the waldo file (Barnyard2’s bookmark of how far through the unified2 files it has got) and an empty sid-msg.map, all owned by the snort user

cd ~/snort_source/barnyard2-2-1.13
sudo cp etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map

69 - cd mkdir chown touch

Create a MySQL database called snort

echo "create database snort;" | mysql -u root -p

70 - Create MYSQL database snort

Load the schema that ships with Barnyard2 into it

mysql -u root -p -D snort < ~/snort_source/barnyard2-2-1.13/schemas/create_mysql

71 - Create MYSQL schemas

Modify the Barnyard2 configuration file

sudo vi /etc/snort/barnyard2.conf

72 - modify barnyard conf

Add the following to the bottom of the file

output database: log, mysql, user=snort password=YOUR_MYSQL_PASSWORD dbname=snort host=localhost

73 - modified configuration file

Create a dedicated snort MySQL user with only the rights Barnyard2 and BASE need on the snort database. Use the same password you put in barnyard2.conf, and note that typed like this it ends up in your shell history, so clear that afterwards or enter the statement at the mysql prompt instead

echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'YOUR_MYSQL_PASSWORD'" | mysql -h localhost -u root -p

74 - Create MYSQL grant select delete update

Stop other local users reading the database password out of the config

sudo chmod o-r /etc/snort/barnyard2.conf

75 - chmod barnyard conf

Start a Snort daemon

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

76 - snort daemon start

Start Barnyard2 in the foreground so you can watch what it does

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

77 - Start barnyard2

Now from your pfSense box ping your Snort machine and you should see some alerts; this shows you that everything you have been doing up until now has worked

78 - Ping from pfsense

Your running Barnyard2 should then show you output similar to the following

79 - ICMP alert detected

You can also check your MySQL database directly with the following

mysql -u snort -p -D snort -e "select count(*) from event"

80 - MYSQL database check
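One thing worth tightening in the steps above: the grant statement carries the password on the command line, where it lands in ~/.bash_history and is visible in the process list for the moment the command runs, and any scripted count of the event table would do the same. The following is an added example, not part of the original post; it writes a root-only MySQL option file and uses it for the event count, and checks for the world-readable bit that the chmod o-r steps remove. The file paths are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: keep the snort database password
# out of the command line and shell history by using a mode-0600 option file
# with --defaults-extra-file. The paths in the usage notes are assumptions.
set -eu

# write_mysql_client_cnf FILE USER PASSWORD [DB]
# Writes an option file only its owner can read. Passwords containing " or \
# would need MySQL's option-file escaping, so they are refused here.
write_mysql_client_cnf() {
    file=$1; user=$2; pass=$3; db=${4:-snort}
    case "$pass" in
        *\"*|*\\*) echo "write_mysql_client_cnf: \" and \\ in the password are not supported" >&2; return 1 ;;
    esac
    (
        umask 077                       # a new file is created 0600
        {
            printf '[client]\n'
            printf 'user=%s\n' "$user"
            printf 'password="%s"\n' "$pass"
            printf 'database=%s\n' "$db"
            printf 'host=localhost\n'
        } > "$file"
    )
    chmod 600 "$file"                   # also covers a pre-existing, wider file
}

# others_can_read FILE -> true if the "other" read bit is set, which is the
# bit "chmod o-r" removes from barnyard2.conf above and base_conf.php in Part 8.
others_can_read() {
    mode=$(stat -c %a "$1")
    [ $(( mode % 10 & 4 )) -ne 0 ]
}

# snort_event_count CNF -> number of rows barnyard2 has written to "event".
# --defaults-extra-file has to be the first option on the mysql command line.
snort_event_count() {
    mysql --defaults-extra-file="$1" -N -e 'select count(*) from event'
}

# Usage, as root:
#   write_mysql_client_cnf /root/.snort-db.cnf snort 'YOUR_MYSQL_PASSWORD'
#   snort_event_count /root/.snort-db.cnf
#   others_can_read /etc/snort/barnyard2.conf && echo "barnyard2.conf is world readable"
```

With the option file in place the `mysql -u snort -p` checks in this and the next part become `snort_event_count /root/.snort-db.cnf`, which is also safe to put in a cron job, since nothing secret appears in the crontab or the process list.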

That’s it for now. The next tutorial will deal with the PulledPork installation and configuration to keep your Snort rules up to date.

Building an ethichal hacking lab on your laptop with VirtualBox – Part 5 Linux Mint Snort IDS – Testing Snort

Now comes the joy of using the pfsense system created in the first tutorial as we now have our own little internal cut off system from the rest of the world contained on our machine, I used to use host-only networking here but that leaks and you can actually see the connections going through your system with tools like tcpview for example.

I noticed the internal adapter did not show up so I have stuck with it ever since, at the end of the day it’s like using a hub except it’s virtual if you use the host only adapter.

So let’s get to testing with a local ICMP rule to check and alert you when someone ping’s your system.

Navigate to:

sudo vi /etc/snort/rules/local.rules

48 - Testing snort ICMP local rule

48 – Testing snort ICMP local rule

Paste in the following rule and then save the file

alert icmp any any -> $HOME_NET any (msg:”ICMP test”; sid:10000009; rev:001;)

49 - Saving snort ICMP local rule

49 – Saving snort ICMP local rule

Run the snort test again and make sure it saved with:

sudo snort -T -c /etc/snort/snort.conf

50 - Testing snort ICMP local rule saved

50 – Testing snort ICMP local rule saved

Looking through the output you should then see the following showing that one rule has been loaded and it is an ICMP rule

51 - Snort ICMP rule loaded

51 – Snort ICMP rule loaded

Now run the following command in order to test your configuration so far before you go further down the rabbit hole:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1

And on your pfsense box ping your snort IDS IP and you should then see some activity here after you have done this

52 - Ping from pfsense to snort box

52 – Ping from pfsense to snort box

On your snort machine you will see the following result which matches the source and destination IP’s of our pfsense machine and our snort machine

53 - Snort ICMP test success

That’s it for this tutorial, well done for getting this far. It’s wise to take a snapshot now before we install and create the MySQL database and install Barnyard2.

Building an ethical hacking lab on your laptop with VirtualBox – Part 4 Linux Mint Snort IDS – Configuring Snort

Following on from the previous tutorial, where we installed DAQ and Snort from source, it is now time to configure Snort.

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
sudo cp ~/snort_source/snort-2.9.7.3/etc/*.conf* /etc/snort
sudo cp ~/snort_source/snort-2.9.7.3/etc/*.map /etc/snort

37 - Configure snort from source

Install tree to see what the directory structure looks like

38 - Install tree

Your directory should now look like the following when you run:

tree /etc/snort/

39 - tree output of snort directory

Modify snort.conf and add a ‘#’ in front of every include line, so that you don’t have every ruleset enabled when you start playing with Snort in the next tutorial to test that everything is working correctly. This effectively comments out all the rulesets for now.

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

‘sed -i’ edits the file in place.

40 - sed change snort conf

Navigate to line 45 in vi and change it to what you see below.

41 - snort conf file change

Before, it looks like the following:

41 - snort conf file change before

Afterwards I have changed HOME_NET so it looks like the following: [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]. This covers pretty much all the private subnets, and anything outside of it is going to be flagged under EXTERNAL_NET, which we set to !$HOME_NET; think of this as anything NOT included in your HOME_NET, in other words external traffic.

41 - snort conf file change after

Modify EXTERNAL_NET as shown below, from any to !$HOME_NET.
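One consequence of this pairing that is worth seeing before you write rules: with EXTERNAL_NET set to !$HOME_NET, traffic between two private hosts (the pfSense LAN side and the Snort box, for example) is home-to-home and will never satisfy a `$EXTERNAL_NET -> $HOME_NET` header, which is why the ICMP test in the next part uses a source of `any`. The following Python is an added example, not part of the tutorial or of Snort: it expands Snort address variables, including `!` negation and `$VAR` references, and evaluates rule header addresses against constructed sample IPs.

```python
import ipaddress

# Variable values exactly as set in snort.conf in this part of the tutorial.
SNORT_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}

def expand_address_var(value, variables=SNORT_VARS):
    """Resolve a Snort address expression into (negated, [networks]).

    Handles 'any', a single CIDR, a bracketed comma list, a $VAR reference
    and a leading '!' (a negation stacked through a variable cancels out).
    """
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.startswith("$"):
        inner_negated, nets = expand_address_var(variables[value[1:]], variables)
        return negated != inner_negated, nets
    if value == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    cidrs = value.strip("[]").split(",")
    return negated, [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]

def address_matches(value, addr, variables=SNORT_VARS):
    """True if addr satisfies the Snort address expression (e.g. '!$HOME_NET')."""
    negated, nets = expand_address_var(value, variables)
    ip = ipaddress.ip_address(addr)
    in_any_net = any(ip in net for net in nets)
    return in_any_net != negated

def header_matches(rule_src, rule_dst, src_ip, dst_ip, variables=SNORT_VARS):
    """Does a packet's src/dst pair satisfy a rule header's two address fields?"""
    return (address_matches(rule_src, src_ip, variables)
            and address_matches(rule_dst, dst_ip, variables))

# Constructed addresses: the pfSense LAN gateway pinging the Snort box, and an
# Internet host (from the TEST-NET-3 documentation range) doing the same.
PFSENSE_LAN = "10.0.2.1"
SNORT_BOX = "10.0.2.15"
INTERNET_HOST = "203.0.113.7"

if __name__ == "__main__":
    print(header_matches("any", "$HOME_NET", PFSENSE_LAN, SNORT_BOX))               # True
    print(header_matches("$EXTERNAL_NET", "$HOME_NET", PFSENSE_LAN, SNORT_BOX))     # False
    print(header_matches("$EXTERNAL_NET", "$HOME_NET", INTERNET_HOST, SNORT_BOX))   # True
```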

42 - EXTERNAL_NET

Next navigate to line 104 to modify the three lines below:

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Fun tips:
In vi, press Shift + : and then type 104 to jump directly to line 104

43 - vi command line jump

Pressing dd on a line deletes that entire line for you

Pressing Esc takes you out of editing mode when something weird is happening

Pressing ‘i’ or ‘a’ lets you modify the file; I will let you figure out how they differ

44 - Path to rule files

Now navigate to line 113, remove lines 113 and 114 and replace them with the following:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

45 - set absolute path

Uncomment line 45 by removing the ‘#’ so it looks like this:

include $RULE_PATH/local.rules

46 - local rules uncomment

Finally, test it!

sudo snort -T -c /etc/snort/snort.conf

‘-T’ runs Snort in configuration-test mode

‘-c’ specifies the configuration file to load for the test

47 - Testing snort configuration

It should finish without error, like the following:

47 - Testing snort configuration finish

In the next tutorial you will need pfSense, as outlined in the first tutorial, to test our configuration so far.

Building an ethical hacking lab on your laptop with VirtualBox – Part 3 Linux Mint Snort IDS – Installing DAQ & Snort

Following on from the previous tutorial, where we installed Linux Mint and updated it, it is now time to install DAQ, which stands for ‘Data AcQuisition library’. DAQ replaces direct calls to the packet capture libraries with an abstraction layer, making it easy to add software or hardware packet capture implementations later on without having to recompile the Snort core. Snort will also be built from source.

First you need to install a few packages:

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

33 - Install some packages required to build snort from source

It should finish like the following, without error:

34 - packages installed without error

Next create a directory called snort_source, then download DAQ and configure, make and install it from source. You can do this simply by copying and pasting the commands below into your terminal:

mkdir ~/snort_source
cd ~/snort_source
wget https://www.snort.org/downloads/snort/daq-2.0.5.tar.gz
tar -xvzf daq-2.0.5.tar.gz
cd daq-2.0.5
./configure
make
sudo make install

35 - Install daq from source 1

Extract:

tar -xvzf daq-2.0.5.tar.gz

35 - Install daq from source 2

cd daq-2.0.5
./configure

35 - Install daq from source 3

Finished ./configure

35 - Install daq from source 4

make

35 - Install daq from source 5

Finished make

35 - Install daq from source 6

sudo make install

35 - Install daq from source 7

When it finishes without error it will look like the following:

35 - Install daq from source 8

Installing Snort from source is pretty similar to DAQ:

cd ~/snort_source
wget https://www.snort.org/downloads/snort/snort-2.9.7.3.tar.gz
tar -xvzf snort-2.9.7.3.tar.gz
cd snort-2.9.7.3
./configure --enable-sourcefire
make
sudo make install

The --enable-sourcefire flag enables Packet Performance Monitoring (PPM), which is how the Snort team builds Snort from source.

36 - Install snort from source 1

Extract:

tar -xvzf snort-2.9.7.3.tar.gz

36 - Install snort from source 2

cd snort-2.9.7.3
./configure --enable-sourcefire

36 - Install snort from source 3

make finishes without error:

36 - Install snort from source 4

sudo make install looks like the following:

36 - Install snort from source 5

sudo ldconfig (Creates the necessary links and cache for the newly installed shared libraries)

sudo ln -s /usr/local/bin/snort /usr/sbin/snort (Creates a symbolic link between the two paths; that’s what the -s is for)

/usr/sbin/snort -V (Tests that the snort binary runs; executing it with -V shows you the version number)

36 - Install snort from source 6

That’s DAQ and Snort installed from source; in the next tutorial we will start to configure Snort.