Building an ethical hacking lab on your laptop with VirtualBox – Part 11 – Damn Vulnerable Web Application (DVWA)

DVWA is much like the install of Metasploitable and by that I mean simple!

Download DVWA from the download link on their website

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is, as the name suggests, damn vulnerable.

Its main goal is to aid security professionals and allow them to test their skills in a legal environment. Once it is set up inside our internal network that is exactly what we will have here, so let's get to it!

In VirtualBox click the 'New' button to create a new virtual machine, enter the name, type and version as seen in the image below and click 'Next' to continue

1 - DVWA VirtualBox Name Type Version

Allocate 1GB of memory as that is enough, you can always increase this later anyway

2 - DVWA RAM allocation

Leave the creation of the hard drive with the defaults and click ‘Create’ to continue

3 - DVWA create hard drive

Leave with the defaults once again and click ‘Next’ to continue as VDI is fine for what we are doing here

4 - DVWA VDI selection

Defaults are fine again, click ‘Next’ to continue and leave the dynamically allocated disk selected

5 - DVWA Dynamically allocated selection

Leave the defaults again, 8GB is fine, so click on 'Create' to continue

6 - DVWA Hard disk size

Once created, open up the virtual machine settings, remove the floppy and move the CD/DVD and HDD up in the boot order

7 - DVWA remove floppy move disks

Next step is to add your ISO to the CD/DVD drive so that you can boot from it

8 - DVWA add ISO to disc drive

Next change the NIC to internal so that you do not broadcast on your local network

9 - DVWA change NIC to internal

Finally boot it up and press Enter to continue at the screen below

10 - DVWA first boot press Enter

At the next screen choose the live boot option or just wait and it will boot for you with no interaction

11 - DVWA select live boot

Next you will see the following screen which means you have successfully booted up the live CD

12 - DVWA Booted

In the next installment we will go through the installation and configuration of Kali Linux, which is a penetration testing distribution created for security professionals and researchers. You will then have something to poke the vulnerable systems installed so far with, and can see what you can do in a safe environment.

Building an ethical hacking lab on your laptop with VirtualBox – Part 10 – Metasploitable

Following on from the installs and configurations so far of pfSense, Linux Mint and a whole host of applications that turn the system into a Network Intrusion Detection System (NIDS), it is now time to install some other operating systems that are vulnerable to attack.

This lets you both attack them and forensically analyse the attacks, so that later down the road you understand what is actually going on within your environment from the point of view of both the attacker and the incident responder (IR).

First download Metasploitable2

Once you have extracted the zip file, the folder inside called Metasploitable2-Linux should have the directory structure seen in the image below:

1 - Extracted Metasploitable zip file

You now have a virtual machine disk that is already configured for you and full of vulnerabilities which is great for practice. Next we need to open VirtualBox and click on ‘New’ to create a new virtual machine.

Configure it with a name of your choosing, select Linux for the type and Ubuntu (32 bit) for the version and click on 'Next'

2 - Creating the metasploitable vm

Adjust the memory and click 'Next'. You can give the system 1GB, but I like to give it 2GB, which can always be adjusted at a later stage anyway.

2 - Adjusting the metasploitable vm RAM

Because you have already downloaded the vmdk hard disk, you need to point VirtualBox at the extracted files: click on 'Use an existing virtual hard drive file', click the little folder icon with the upward green arrow to locate the file on your system and select it so that Metasploitable.vmdk is selected, then click 'Create' to continue.

4 - Selecting the metasploitable vm hard disk

Once you have completed the previous step you will have a system created and ready to spin up, but first we need to make a few adjustments, so navigate to settings and make the changes outlined below

5 - Metasploitable system settings

Remove the floppy and the CD/DVD, as all you need is the hard disk to boot, and finally make sure the network adapter is set to internal. You don't want this system live on your network, as it is full of exploitable holes; that is the nature of this OS.

6 - Metasploitable network settings

Now power up your system, let it load and then you will see the following screen below:

7 - Metasploitable loaded

An excellent resource to use is the Metasploit Unleashed free online security training which you should consider donating to as all the proceeds go to Hackers for Charity.

I had mentioned in the previous lesson that we would also be installing DVWA, but one thing I forgot was that it is already included in Metasploitable 2 thanks to the creators integrating it within the image. You also have Mutillidae from OWASP installed and ready to go. But as the image is a bit dated we are going to spin up DVWA anyway, as some things like ShellShock, which was previously covered, are included in the newer version, so it's worth spinning it up.

Building an ethical hacking lab on your laptop with VirtualBox – Part 9 Linux Mint Snort IDS – Making it permanent

Last but not least, let's make everything so far permanent with the following modifications so snort and barnyard will load at boot.

sudo vi /etc/init/snort.conf

129 - Modify snort conf permanent

Add in the following to the file:

description "Snort NIDS service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D
end script

Which will make it look like this

130 - Snort conf modification

Run the following

chmod +x will make the file executable
initctl list will list services loading at startup, grep is used to pick snort only from that list

sudo chmod +x /etc/init/snort.conf
initctl list | grep snort

And you should see the following printout on the screen

131 - chmod initctl

Now to modify the barnyard configuration file

sudo vi /etc/init/barnyard2.conf

132 - Barnyard conf modification

Add in the following:

description "barnyard2 service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
end script

So it looks like the following

133 - Barnyard file modification

Run the following:

sudo chmod +x /etc/init/barnyard2.conf
initctl list | grep barnyard

You should see the following output

134 - barnyard chmod initctl

Reboot and then check the status of both after the reboot with the following:

service snort status

service barnyard2 status

You should see they both have a running process like below

135 - service snort and barnyard check

That's it, well done for getting this far! As you can see the ethical hacking lab is coming together quite nicely. Yes it takes time, but don't rush things, and if things don't work out, try harder next time.

Next we will be covering Metasploitable and DVWA so stay tuned!

Building an ethical hacking lab on your laptop with VirtualBox – Part 8 Linux Mint Snort IDS – BASE install and configuration

Now to install Base and get ourselves a little GUI for all of this, but first some more installing

sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear

110 - Installing for Base

It should finish like this; ignore that error for now, we will fix it soon

111 - Prerequisites installed for Base

sudo pear install -f Image_Graph

112 - Install Image graph pear

cd ~/snort_source
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz

113 - cd wget adodb

Extract with:

tar -xvzf adodb518.tgz

114 - tar adodb

sudo mv adodb5 /var/adodb

115 - mv adodb5 to adodb

Run the following to add “snort-nids” or the name of your hostname to the fqdn file in the apache2 conf-available directory

echo "ServerName snort-nids" | sudo tee /etc/apache2/conf-available/fqdn.conf

116 - echo snort-nids

a2enconf is a script that enables the specified configuration file within apache2, in this case the fqdn file we created in the previous step

sudo a2enconf fqdn

sudo service apache2 reload

117 - a2enconf fqdn apache2 reload

cd ~/snort_source
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

118 - cd wget base

Extract with:

tar -zxvf base-1.4.5.tar.gz

119 - tar base

Configure base so that we can run it from apache2:

sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo vi /var/www/html/base/base_conf.php

120 - mv cd cp chown chmod vi

Modify line 50 as follows: $BASE_urlpath = '/base';

121 - Modify line 50 base

Modify line 80 as follows: $DBlib_path = '/var/adodb/';

122 - Modify line 80 base

Modify lines 102 – 106 as follows:

$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'YOUR_MYSQL_PASSWORD';

123 - Modify lines 102 - 106 base

Restart the apache2 web server:

sudo service apache2 restart

124 - restart apache2

Now in your browser navigate to http://snort-nids/base/index.php and click on ‘Setup page’

125 - base first load

Click on Create Base AG

126 - base create base ag

Success then looks like the following, click on ‘Main page’ next

127 - base ag created

You will be brought to the main page and it will look something like the following

128 - Base main page

Have a play around: click on alerts, look at the packet information, download a pcap of an event to analyse further. Just click around and see for yourself!

Building an ethical hacking lab on your laptop with VirtualBox – Part 7 Linux Mint Snort IDS – Pulled Pork install and configuration

Now to configure and install PulledPork, but first, once again, we need to install a few prerequisites

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

81 - Pulled pork prerequisites install

cd ~/snort_source
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz

82 - cd and wget pulled pork

Extract with tar

tar xvfvz pulledpork-0.7.0.tar.gz

83 - tar pulledpork

cd pulledpork-0.7.0/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
sudo mkdir /etc/snort/rules/iplists
sudo touch /etc/snort/rules/iplists/default.blacklist

84 - cd mod cp mkdir touch

Check things are working

/usr/local/bin/pulledpork.pl -V

85 - Check pulled pork

Sign up for a free snort account and get yourself an oinkcode at the snort.org website then modify the next configuration file located here

sudo vi /etc/snort/pulledpork.conf

86 - modify pulledpork conf

Modify lines 19 and 26 to include your oinkcode at the end of the line which should look something like this

87 - modify pulledpork conf line 19 and 26

Remove the # from line 27 to uncomment it and use the open ruleset

88 - modify pulledpork conf un comment

Modify line 72 to match rule_path=/etc/snort/rules/snort.rules

89 - modify pulled pork line 72

Modify line 87 to match local_rules=/etc/snort/rules/local.rules and line 90 to match sid_msg=/etc/snort/sid-msg.map

90 - modify pulled pork line 87 and 90

Modify line 117 to match config_path=/etc/snort/snort.conf

91 - modify pulled pork line 117

Modify line 131 to the following distro=Ubuntu-10-4

91 - modify pulled pork line 131

Modify line 138 to the following black_list=/etc/snort/rules/iplists/default.blacklist

92 - modify pulled pork line 138

Modify line 147 to the following IPRVersion=/etc/snort/rules/iplists

93 - modify pulled pork line 147

Modify lines 194 – 197 with the following

enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf

94 - modify pulled pork line 194 - 197

Update pulledpork with the following

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

95 - Pulledpork update

It should update successfully like below

96 - Pulledpork update finished

Now modify line 543 of the snort.conf file with the following

sudo vi /etc/snort/snort.conf

include $RULE_PATH/snort.rules

97 - Modify snort conf line 543

It should look like this

98 - Modified snort conf line 543

Now to test and see that this is working with the following

sudo snort -T -c /etc/snort/snort.conf

99 - Testing snort configuration

It should finish with the following message showing everything was a success

100 - Snort configuration test success

Some snort daemon testing again with

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

101 - Snort daemon testing again

Running barnyard again as a daemon this time for some testing

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D

102 - Barnyard daemon testing again

Test the database

mysql -u snort -p -D snort -e "select count(*) from event"

103 - MYSQL database testing

I also modified /etc/network/interfaces, shown here before the change

104 - Modify network interface settings

by adding the following lines to make sure eth1 stays in promiscuous mode

up ip address add 0/0 dev eth1
up ip link set eth1 up
up ip link set eth1 promisc on

down ip link set eth1 promisc off
down ip link set eth1 down

105 - Network interface settings modified

Modify the /etc/rc.local file

106 - Modify etc rc local

To add the following

107 - Modified etc rc local

Create a cron job; select option 2 for nano when asked which editor to use

sudo crontab -e

108 - Modify crontab

Add in the following and save the file

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

109 - Create cronjob

Well done getting this far! In the next tutorial we will configure BASE and see all of this through a GUI front-end, to view what is going on within our network, or at least the pings received from the pfSense box.

Building an ethical hacking lab on your laptop with VirtualBox – Part 6 Linux Mint Snort IDS – MySQL & Barnyard

Time now for a bit more installing before we move on further and configure MySQL:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool gettext automake

54 - More installing

You will be prompted to enter a password twice, the second time being just a confirmation, for your MySQL database; enter a password and remember it for later

55 - MYSQL password

The process should complete without error like below

56 - Install complete

Now navigate to line 520 of the snort.conf file

sudo vi +520 /etc/snort/snort.conf

57 - Navigate to line 520 snort conf

Modify line 520 with the following and delete the commented line already in place then save it

output unified2: filename snort.u2, limit 128

58 - Modify line 520 snort conf
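Barnyard2 reads the unified2 file that this output line makes Snort write, and the waldo file passed to barnyard2 with -w later in this part is its bookmark into that file. As an added example, not code from the tutorial or from the Snort or barnyard2 projects, the Python below builds a small constructed snort.u2 byte string in memory, parses the IPv4 IDS event records, skips packet records, and keeps a waldo-style bookmark so that a second pass only reports records written since the first. The record layout follows Snort's Unified2IDSEvent_legacy definition; the addresses, timestamps, event ids and file name are constructed values.

```python
import ipaddress
import struct

# Record types and layouts from Snort's unified2 definitions
# (Serial_Unified2_Header and Unified2IDSEvent_legacy); all fields are
# big-endian (network byte order).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                 # IPv4 event record
RECORD_HDR = struct.Struct("!II")      # type, length of the body that follows
IDS_EVENT = struct.Struct("!11I2H4B")  # 52-byte legacy IPv4 event body


def build_ids_event(event_id, seconds, sid, src, dst, gid=1, rev=1, priority=3, proto=1):
    """Constructed event record (sample data only); proto 1 = ICMP."""
    body = IDS_EVENT.pack(
        0, event_id, seconds, 0,       # sensor_id, event_id, event_second, event_microsecond
        sid, gid, rev, 0, priority,    # signature_id, generator_id, signature_revision,
                                       # classification_id, priority_id
        int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
        8, 0,                          # sport_itype, dport_icode (ICMP echo request is type 8)
        proto, 0, 0, 0)                # protocol, impact_flag, impact, blocked
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet_record(payload):
    """Constructed packet record; this reader only skips over it."""
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(payload)) + payload


def read_events(data, start=0):
    """Parse complete records from data starting at byte offset start.

    Returns (events, new_offset). A record whose body has not been fully
    written yet is left for the next pass, so new_offset is exactly the
    value a bookmark should store."""
    events, off = [], start
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body_start = off + RECORD_HDR.size
        if body_start + rlen > len(data):
            break  # snort is still writing this record; resume here later
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(data, body_start)
            events.append({
                "event_id": f[1], "timestamp": f[2],
                "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                "src": str(ipaddress.IPv4Address(f[9])),
                "dst": str(ipaddress.IPv4Address(f[10])),
                "proto": f[13],
            })
        # other record types (packets, IPv6 events, extra data) are skipped here
        off = body_start + rlen
    return events, off


def process_spool(filename, data, bookmark):
    """Waldo-style bookmark: {"file": name, "offset": n}.

    When 'limit 128' makes snort roll to a new file, the name changes and
    the offset starts again at zero."""
    if bookmark.get("file") != filename:
        bookmark = {"file": filename, "offset": 0}
    events, off = read_events(data, bookmark["offset"])
    return events, {"file": filename, "offset": off}


# Constructed sample spool: two complete ICMP events (sid 10000009 is the
# tutorial's local ICMP test rule), one packet record, and the first 20
# bytes of a third event that snort has not finished writing yet.
SRC, DST = "192.168.1.1", "192.168.1.20"   # assumed pfSense and sensor addresses
EV1 = build_ids_event(1, 1433000000, 10000009, SRC, DST)
PKT = build_packet_record(b"\x00" * 40)
EV2 = build_ids_event(2, 1433000001, 10000009, SRC, DST)
EV3 = build_ids_event(3, 1433000002, 10000009, SRC, DST)
SAMPLE_U2 = EV1 + PKT + EV2 + EV3[:20]


if __name__ == "__main__":
    events, waldo = process_spool("snort.u2.1433000000", SAMPLE_U2, {})
    for event in events:
        print(event)
    print("bookmark:", waldo)
```

The point of the bookmark is the same as barnyard2's: the reader stops at the first record whose header promises more bytes than the file holds, and stores that offset rather than the end of the file, so a half-written event is picked up whole on the next pass instead of being corrupted or skipped.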

Next we are going to install Barnyard with the following

cd ~/snort_source
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
mv configure.in configure.ac
autoreconf -fvi -I ./m4

59 - cd and wget barnyard

Use tar to extract the contents of the download

60 - untar the barnyard download

Next cd into the directory again, mv configure.in to configure.ac and run autoreconf

61 - cd move autoreconf barnyard

You can ignore the errors at the end of the autoreconf

62 - autoreconf ignore errors

Next run the following to configure barnyard2 with MySQL support, pointing it at the MySQL client libraries for your OS architecture; in my case this is 64-bit

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

63 - MYSQL configure

It should end without any errors like below

64 - MYSQL configure without error

make
sudo make install
cd ~/snort_source/barnyard2-2-1.13
sudo cp etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map
echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ~/snort_source/barnyard2-2-1.13/schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'YOUR_MYSQL_PASSWORD'" | mysql -h localhost -u root -p

65 - Make barnyard

This should finish without error

66 - Make barnyard without error

sudo make install

67 - Make install barnyard

This should finish with no errors

68 - Make install barnyard without error

Then run the following

cd ~/snort_source/barnyard2-2-1.13
sudo cp etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map

69 - cd mkdir chown touch

Create a MySQL database called snort

echo "create database snort;" | mysql -u root -p

70 - Create MYSQL database snort

mysql -u root -p -D snort < ~/snort_source/barnyard2-2-1.13/schemas/create_mysql

71 - Create MYSQL schemas

Modify the barnyard configuration file

sudo vi /etc/snort/barnyard2.conf

72 - modify barnyard conf

Add the following to the bottom of the file

output database: log, mysql, user=snort password=YOUR_MYSQL_PASSWORD dbname=snort host=localhost

73 - modified configuration file

echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'YOUR_MYSQL_PASSWORD'" | mysql -h localhost -u root -p

74 - Create MYSQL grant select delete update

sudo chmod o-r /etc/snort/barnyard2.conf

75 - chmod barnyard conf

Start a snort daemon

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

76 - snort daemon start

Start barnyard2

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

77 - Start barnyard2

Now on your pfSense box ping your snort machine and you should see some alerts; this shows you that everything you have been doing up until now has worked

78 - Ping from pfsense

Your running barnyard should then show you output similar to the following

79 - ICMP alert detected

You can also check your MySQL database directly with the following

mysql -u snort -p -D snort -e "select count(*) from event"

80 - MYSQL database check

That's it for now; the next tutorial will deal with the PulledPork installation and configuration on your system, to keep your snort rules up to date.

Building an ethical hacking lab on your laptop with VirtualBox – Part 5 Linux Mint Snort IDS – Testing Snort

Now comes the joy of using the pfSense system created in the first tutorial, as we now have our own little internal network, cut off from the rest of the world and contained on our machine. I used to use host-only networking here, but that leaks: you can actually see the connections going through your host with tools like TCPView, for example.

I noticed the internal adapter did not show up in those tools, so I have stuck with it ever since. At the end of the day, if you use the host-only adapter it's like using a hub, except it's virtual.

So let's get to testing with a local ICMP rule to check and alert you when someone pings your system.

Navigate to:

sudo vi /etc/snort/rules/local.rules

48 - Testing snort ICMP local rule

Paste in the following rule and then save the file

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000009; rev:001;)

49 - Saving snort ICMP local rule

Run the snort test again to make sure it saved, with:

sudo snort -T -c /etc/snort/snort.conf

50 - Testing snort ICMP local rule saved

Looking through the output you should then see the following showing that one rule has been loaded and it is an ICMP rule

51 - Snort ICMP rule loaded

Now run the following command in order to test your configuration so far before you go further down the rabbit hole:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1

Then on your pfSense box ping your Snort IDS IP, and you should see some activity here after you have done this

52 - Ping from pfsense to snort box

On your snort machine you will see the following result, which matches the source and destination IPs of our pfSense machine and our snort machine

53 - Snort ICMP test success

That's it for this tutorial, well done for getting this far. It's wise to make a snapshot now before we create the MySQL database and install barnyard2.

Building an ethical hacking lab on your laptop with VirtualBox – Part 4 Linux Mint Snort IDS – Configuring Snort

Following on from the previous tutorial where we installed DAQ and Snort from source, now it is time to configure snort.

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
sudo cp ~/snort_source/snort-2.9.7.3/etc/*.conf* /etc/snort
sudo cp ~/snort_source/snort-2.9.7.3/etc/*.map /etc/snort

37 - Configure snort from source

Install tree to see what the directory structure looks like

38 - Install tree

Your directory should now look like the following when you run

tree /etc/snort/

39 - tree output of snort directory

Modify snort.conf and add a ‘#’ in front of include in the configuration file so that you don’t have everything enabled when you start playing with snort in the next tutorial to test everything is working correctly. This will effectively comment out all the rulesets for now.

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

'sed -i' will edit the file in place

40 - sed change snort conf

Navigate to line 45 with vi so you can change it to what you see below

41 - snort conf file change

Before the change it looks like the following

41 - snort conf file change before

Afterwards I have changed HOME_NET to [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12], which covers pretty much all the private subnets. Anything outside of this is going to be flagged under EXTERNAL_NET, which is set to !$HOME_NET; think of this as anything NOT included in your HOME_NET, so this is external traffic.

41 - snort conf file change after

Modify EXTERNAL_NET as shown below, from any to !$HOME_NET

42 - EXTERNAL_NET
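As an added example (not code from this tutorial), the Python below resolves the HOME_NET and EXTERNAL_NET values configured above, parses the local ICMP test rule from Part 5 of this series, and checks whether a constructed ping from the pfSense side would match it. The variable values and the rule are the ones on the page; the packet addresses are assumptions. It also handles port ranges, the <> direction and the local-SID range (1,000,000 and above, which Snort reserves for user rules), which the page's ICMP rule does not exercise.

```python
import ipaddress

# Variables exactly as this part of the tutorial sets them in snort.conf.
SNORT_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The local rule from Part 5 of this series (straight quotes; Snort rejects curly ones).
ICMP_TEST_RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000009; rev:001;)'

LOCAL_SID_MIN = 1000000  # SIDs below this are reserved for the official rulesets


def split_options(text):
    """Split rule options on semicolons that are outside double quotes
    (escaped quotes inside msg strings are not handled here)."""
    items, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def parse_rule(rule):
    """Return the seven header fields plus an options dict (msg, sid, rev, ...)."""
    header, sep, rest = rule.strip().partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("header needs: action proto src sport direction dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    options = {}
    for item in split_options(rest[:-1]):
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    if "sid" not in options:
        raise ValueError("every rule needs a sid")
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def address_matches(expr, ip, variables=SNORT_VARS):
    """Evaluate a Snort address expression: any, !X, $VAR, [a,b,...] or a CIDR.
    Nested lists and negations inside a list are not handled here."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not address_matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return address_matches(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(address_matches(e, ip, variables) for e in expr[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def port_matches(expr, port):
    """any, !X, a single port, or a low:high range (either bound may be empty)."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not port_matches(expr[1:], port)
    if ":" in expr:
        low, high = expr.split(":", 1)
        return (not low or int(low) <= port) and (not high or port <= int(high))
    return int(expr) == port


def rule_matches(parsed, packet, variables=SNORT_VARS):
    """packet: dict with proto, src, dst, sport, dport (ports 0 for ICMP)."""
    if parsed["proto"] not in ("ip", packet["proto"]):
        return False

    def one_way(a, ap, b, bp):
        return (address_matches(a, packet["src"], variables) and port_matches(ap, packet["sport"])
                and address_matches(b, packet["dst"], variables) and port_matches(bp, packet["dport"]))

    forward = one_way(parsed["src"], parsed["sport"], parsed["dst"], parsed["dport"])
    if parsed["direction"] == "<>":
        return forward or one_way(parsed["dst"], parsed["dport"], parsed["src"], parsed["sport"])
    return forward


def is_local_sid(parsed):
    """True when the rule's sid is in the range reserved for local rules."""
    return int(parsed["options"]["sid"]) >= LOCAL_SID_MIN


if __name__ == "__main__":
    rule = parse_rule(ICMP_TEST_RULE)
    # Constructed addresses: the pfSense LAN side pinging the Snort sensor.
    ping = {"proto": "icmp", "src": "192.168.1.1", "dst": "192.168.1.20", "sport": 0, "dport": 0}
    print(rule["options"]["msg"], "matches:", rule_matches(rule, ping), "local sid:", is_local_sid(rule))
```

Because the rule's destination is $HOME_NET, the ping from pfSense matches, while a reply going out to a public address does not; swapping the source to $EXTERNAL_NET is how you would limit a rule to traffic arriving from outside the private ranges.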

Next navigate to line 104 to modify the three lines below

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Fun tips:
Press Shift + : then type 104 to navigate directly to line 104

43 - vi command line jump

Pressing dd on a line will delete that entire line quickly for you

Pressing ESC will take you out of editing mode when something weird is happening

Pressing 'i' and 'a' will allow you to modify the file; I will let you figure out how they work

44 - Path to rule files

Now navigate to line 113 and remove lines 113 and 114 and replace with the following

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

45 - set absolute path

Remove the # from line 45 so it looks like this

include $RULE_PATH/local.rules

46 - local rules uncomment

Finally, test it!

sudo snort -T -c /etc/snort/snort.conf

'-T' will allow you to test your configuration

'-c' will load the configuration for testing

47 - Testing snort configuration

It should finish without error like the following

47 - Testing snort configuration finish

In the next tutorial you will need pfSense, as outlined in the first tutorial, for some testing of our configuration so far.

Building an ethical hacking lab on your laptop with VirtualBox – Part 3 Linux Mint Snort IDS – Installing DAQ & Snort

Following on from the previous tutorial where we installed Linux Mint and updated it, now it is time to install DAQ, which stands for 'Data AcQuisition library'. It replaces direct calls to the packet capture libraries with an abstraction layer, making it easy to add software or hardware packet capture implementations later on if you need to, without having to recompile the Snort core. Snort will also be built from source.

First you need to install a few packages:

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

33 - Install some packages required to build snort from source

It should finish like below without error

34 - packages installed without error

Next create a directory called snort_source, download DAQ, then configure and make to install it from source. You can do this simply by copying and pasting the commands below into your terminal

mkdir ~/snort_source
cd ~/snort_source
wget https://www.snort.org/downloads/snort/daq-2.0.5.tar.gz
tar -xvzf daq-2.0.5.tar.gz
cd daq-2.0.5
./configure
make
sudo make install

35 - Install daq from source 1

Extract:

tar -xvzf daq-2.0.5.tar.gz

35 - Install daq from source 2

cd daq-2.0.5
./configure

35 - Install daq from source 3

Finished ./configure

35 - Install daq from source 4

make

35 - Install daq from source 5

Finished make

35 - Install daq from source 6

sudo make install

35 - Install daq from source 7

When finished without error it will look like the following below

35 - Install daq from source 8

Installing snort from source is pretty similar to DAQ:

cd ~/snort_source
wget https://www.snort.org/downloads/snort/snort-2.9.7.3.tar.gz
tar -xvzf snort-2.9.7.3.tar.gz
cd snort-2.9.7.3
./configure --enable-sourcefire
make
sudo make install

The --enable-sourcefire flag enables Packet Performance Monitoring (PPM), which is how the Snort team builds Snort from source.

36 - Install snort from source 1

Extract:

tar -xvzf snort-2.9.7.3.tar.gz

36 - Install snort from source 2

cd snort-2.9.7.3
./configure --enable-sourcefire

36 - Install snort from source 3

Make finishes without error

36 - Install snort from source 4

sudo make install looks like the following

36 - Install snort from source 5

sudo ldconfig (creates the necessary links and cache)

sudo ln -s /usr/local/bin/snort /usr/sbin/snort (creates a symbolic link between the two; that's what the -s is for)

/usr/sbin/snort -V (tests that the snort binary runs; executing with -V will show you the version number)

36 - Install snort from source 6

That's DAQ and Snort installed from source; in the next tutorial we will start to configure snort.

Building an ethical hacking lab on your laptop with VirtualBox – Part 2 Linux Mint Snort IDS

I am focusing on Snort at the moment as this is something that has been consuming my life recently, and I have got to know it a bit more intimately and in depth. I know it can be bypassed, but at the same time it is a very powerful tool when no antivirus or malware detection is currently detecting threats on your local system. I find it fantastic for tracking down the source of ransomware infections too: some people think they were just infected by Cryptowall, for example, when they had actually been hit by the Angler exploit kit a second earlier, exploiting a Flash zero-day from a compromised website or advertising service, and this can often be overlooked. You can also see some strange things you would not expect to see! With the advantage of creating your own custom signatures, as well as having the option to go for the paid or community route, you have a lot of signatures available to you for free, and they are kept up to date. Being able to go back in time with some of the GUI front-ends and some other tools turns Snort into a powerful network incident response and forensic tool, but for now we will be using BASE to analyze the alerts coming from the Snort IDS.

I take it you have already downloaded and installed VirtualBox and the extension pack for whatever platform you are using and are following along from the previous tutorial where this is outlined and explained.

Download Linux Mint. You can use Ubuntu, CentOS or any other Linux distro, but YMMV if you choose a different path to what I have outlined here.

Now it’s time to create your Virtual Machine, up the top left click on the New Button

1 - Create a new Virtual Machine

Next give it a name and select the following type and version and click next

2 - Name - Type and Version

Select some RAM that you have free to spare and click next

3 - Select RAM size

Select next to create the Hard Drive now

4 - Create HDD now

Leave it at VDI for VirtualBox Disk Image, feel free to change it but I currently have no need to do this so leave as is and click next

5 - HDD type select

Leave the disk as dynamically allocated unless you want to assign the full disk space to your virtual machine now, this takes more time and dynamic has always worked for me so just click on next

6 - HDD Dynamic select

Now you need to decide how much space you want to allocate to your virtual machine, I have chosen 20GB’s as this should be more than sufficient to carry out tests but feel free to add some more if you like and click on Create

6 - HDD Size select

You will now see the following created, either right click on it and select settings or just click on settings up the top left

6.1 - Virtual machine ready to modify

The following window then opens where you can modify settings you just selected or make further changes to the environment of the virtual machine you are about to create, you can even come back later and make changes once you have shut the virtual machine down.

7 - Virtual Machine Settings

Fun Tip:
When creating and playing around in a virtual environment you can often make a mistake, get to a point where what you were doing has stopped working altogether, or break the machine. Don’t fear though, as there is an option called ‘Create a Snapshot’ which, you guessed it, allows you to create a snapshot of the current system state. You can also move the location of the snapshot folder; in this case I moved it to a drive with loads of free space, as I am a bit snapshot happy and you can really fill up your host hard drive very quickly. I also took the opportunity to enable the shared clipboard from host to guest now (this is where the VirtualBox extension pack comes in handy, and I take it you have already installed it at this point; if not, just double click on it afterwards and it will be installed quickly).

8 - Virtual Machine Settings Advanced

In the system settings remove the floppy as you don’t need it and arrange the CD/DVD and Hard Disk as you see them below

9 - System settings remove that floppy

Next you need to select your Linux Mint ISO you already downloaded and select it for booting, click on where it says empty and then click on the disc icon over on the right next to where it says ‘IDE Secondary Master’

10 - Storage options

Once selected it should look like the following

11 - Storage options selected

The last things we need to change now are the NICs on the system. Select Network and you should already have NAT configured for you, which is fine for now and will provide you with the Internet connection necessary for updating the system as well as installing and configuring everything else along the way; this will change throughout the tutorial. If you require an Internet connection, turn NAT on; if not, use the internal NIC.

12 - Network Options

Click on Adapter 2 too and tick the box to enable the network adapter. For testing I will be mainly using my internal lab, but feel free to choose your physical Ethernet or wireless adapter for this too by selecting bridged here and choosing the correct adapter from the drop down; in my case it looks like below. You can see I have changed the adapter Type and also set Promiscuous mode, which is important for sniffing, to ‘Allow VMs’; if you were on a physical NIC you could change this to ‘Allow All’ to capture outside of the virtual environment on the physical network.

13 - Second adapter Type changed

Click OK and that’s it you are good to go!
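The point-and-click steps above can also be done from the host’s terminal, which makes the lab reproducible and lets you review the network settings before the VM ever starts. The script below is an added example and is not part of the original tutorial or of VirtualBox’s own documentation; it reproduces steps 1 to 13 with VBoxManage. The VM name, ISO path, snapshot folder, RAM size and the internal network name "lab" are placeholders set through environment variables, and Ubuntu_64 is assumed as the OS type for Mint. Setting VBM_DRY_RUN prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the VirtualBox GUI steps
# (name/type, RAM, dynamic VDI, boot order, ISO, NAT + internal NIC with
# promiscuous mode, snapshot folder, clipboard) expressed as VBoxManage commands.
# Assumptions: VM name, ISO path, snapshot folder and the internal network name
# "lab" are placeholders; Ubuntu_64 is assumed as the OS type for Linux Mint.
VM_NAME="${VM_NAME:-mint-snort-ids}"
ISO_PATH="${ISO_PATH:-$HOME/Downloads/linuxmint.iso}"
DISK_GB="${DISK_GB:-20}"
RAM_MB="${RAM_MB:-2048}"
SNAPSHOT_DIR="${SNAPSHOT_DIR:-/mnt/bigdisk/vbox-snapshots}"
LAB_NET="${LAB_NET:-lab}"

# Wrapper: run VBoxManage, or only print the command when VBM_DRY_RUN is set,
# so the whole plan can be reviewed before anything is created on the host.
vbm() {
    if [ -n "${VBM_DRY_RUN:-}" ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# VBoxManage takes disk sizes in MB; the tutorial talks in GB.
gb_to_mb() {
    echo $(( $1 * 1024 ))
}

create_lab_vm() {
    disk="$HOME/VirtualBox VMs/$VM_NAME/$VM_NAME.vdi"

    vbm createvm --name "$VM_NAME" --ostype Ubuntu_64 --register
    vbm modifyvm "$VM_NAME" --memory "$RAM_MB"
    # Boot order: CD/DVD first, then hard disk, no floppy (step 9).
    vbm modifyvm "$VM_NAME" --boot1 dvd --boot2 disk --boot3 none --boot4 none

    # Dynamically allocated VDI on a SATA controller (steps 4 to 6).
    vbm createmedium disk --filename "$disk" --size "$(gb_to_mb "$DISK_GB")" \
        --format VDI --variant Standard
    vbm storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    vbm storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$disk"

    # Mint ISO as the IDE secondary master (steps 10 and 11).
    vbm storagectl "$VM_NAME" --name IDE --add ide
    vbm storageattach "$VM_NAME" --storagectl IDE --port 1 --device 0 \
        --type dvddrive --medium "$ISO_PATH"

    # Adapter 1: NAT, only for updates. Adapter 2: internal lab network with
    # promiscuous mode limited to other VMs, so the sensor sees lab traffic
    # without ever touching the physical LAN (steps 12 and 13).
    vbm modifyvm "$VM_NAME" --nic1 nat
    vbm modifyvm "$VM_NAME" --nic2 intnet --intnet2 "$LAB_NET" --nicpromisc2 allow-vms

    # Snapshot folder on a big disk and host-to-guest clipboard (step 8).
    # VirtualBox 6.0 and older spell the clipboard option --clipboard.
    vbm modifyvm "$VM_NAME" --snapshotfolder "$SNAPSHOT_DIR" --clipboard-mode hosttoguest
}

# Take a named snapshot before risky changes (the "Fun Tip" above).
take_snapshot() {
    vbm snapshot "$VM_NAME" take "$1"
}

# Usage: sh lab-vm.sh create | snapshot <name>
case "${1:-}" in
    create)   create_lab_vm ;;
    snapshot) take_snapshot "${2:-before-snort-install}" ;;
esac
```

Run `VBM_DRY_RUN=1 sh lab-vm.sh create` first to see every command that would be issued; the line worth checking is the one for adapter 2, since `--nicpromisc2 allow-vms` on an internal network is what keeps the sniffing sensor inside the lab.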

Start your virtual machine now by clicking on the Start button up the top left or alternatively right click and do this

14 - Click the start button

Fun Tip:
You will get a warning about capture of the mouse etc. Just accept it, and remember that right CTRL will release you from the virtual guest environment and take you back into the host again.

Now it’s time to install Linux Mint by double clicking on the Install Linux Mint icon on the desktop

15 - Install Linux Mint from ISO

Choose your language and click continue

16 - Select your language

If you followed all the steps so far you should see the same ticks so just click on continue

17 - System requirements check

Just click Install Now to erase the disk and install Linux Mint

18 - Erase disk and install

Yep you are aware things are going to be wiped, just click on continue to start things off and format the drive

19 - Just erase and continue

Select your country and click continue

20 - Select your country

Do the same for the keyboard layout and click continue

21 - Keyboard layout

Pick your name, computer name, username and enter a password and click on continue

22 - Pick your name - password etc

Wander off and do something for a few minutes depending on the speed of your machine and then come back to it

23 - Linux Mint installing

You should then get a screen like below and can hit Restart Now

24 - Linux Mint installed - restart

First login

25 - First login

Up the top left click on devices and install Guest additions

26 - Guest additions

Navigate to the mounted disc

cd /media
cd your_username
cd VBOXADDITIONS_X.X.XX_XXXXX
sudo ./VBoxLinuxAdditions.run

Enter yes if given a warning like below and press enter to continue

27 - Installing Guest additions

Once complete you should see no errors, reboot and login again

28 - Guest additions installed

You will notice now that you can go full screen after the reboot

Now to update the system fully before continuing any further, use the following command in the terminal:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y

Enter your password once and leave to run for a while and come back later and it should be fully up to date for you

29 - Upgrading the system

Once finished without errors you should be back at the prompt again in the terminal

30 - System updated fully

You will also see a tick in the system tray on the shield now as you are fully up to date

31 - Update shield ticked

You don’t have to but I like to reboot after any changes are made to the system, also might be wise to take a snapshot if you haven’t taken any already.

Set some easy firewall rules with UFW

sudo ufw default deny
sudo ufw logging high
sudo ufw enable
sudo ufw status verbose

32 - Simple firewall rules UFW
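The four UFW commands above are only useful if they actually took effect, so here is an added example (not from the tutorial) that applies the same baseline and then checks the result by parsing the output of `ufw status verbose`. The only assumption is the output format of ufw on Ubuntu-based distributions such as Mint; the sample output embedded in the script is constructed for the self-test, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the UFW baseline
# from the steps above and verify it by parsing `ufw status verbose`.
# Assumption: the "Status:", "Logging:" and "Default:" lines are in the
# format ufw prints on Ubuntu-based systems.

apply_ufw_baseline() {
    sudo ufw default deny       # drop unsolicited inbound traffic by default
    sudo ufw logging high       # log blocked and allowed packets (noisy, fine for a lab)
    sudo ufw --force enable     # --force skips the "may disrupt existing ssh" prompt
}

# check_ufw_baseline "<text of ufw status verbose>"
# Returns 0 when the firewall is active, the incoming default is deny and
# logging is at high; otherwise prints each failed check and returns 1.
check_ufw_baseline() {
    status="$1"
    rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "FAIL: firewall is not active"; rc=1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "FAIL: default incoming policy is not deny"; rc=1; }
    printf '%s\n' "$status" | grep -q '^Logging: on (high)' \
        || { echo "FAIL: logging level is not high"; rc=1; }
    return "$rc"
}

# Check the live firewall on this machine.
check_live_ufw() {
    check_ufw_baseline "$(sudo ufw status verbose)"
}

# Constructed sample of `ufw status verbose` after the baseline is applied,
# used by the self-test (not captured from a real machine).
SAMPLE_GOOD='Status: active
Logging: on (high)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Usage: sh ufw-baseline.sh apply | check | selftest
case "${1:-}" in
    apply)    apply_ufw_baseline ;;
    check)    check_live_ufw ;;
    selftest) check_ufw_baseline "$SAMPLE_GOOD" && echo "baseline OK" ;;
esac
```

`sh ufw-baseline.sh check` after a reboot is a quick way to confirm the policy survived; the three checks are deliberately independent so every drifted setting is reported, not just the first one.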

That’s it for today, tomorrow we will install snort and get this really moving!