Kali 2 Sana Custom ISO Build – Software Defined Radio (SDR) & Wireless Tools

I have been meaning to do this for ages. Who likes configuring a system from scratch every time? Doing the same thing again and again is the definition of insanity, so let’s fix that: automate the installation of Kali and customise it along the way so that you only install what you want or need.

First things first, update your system with

apt-get update

1_Kali_Sana_Prep_Work_update

Install live-build

apt-get install git live-build

2_Kali_Sana_Install_Live_Build

Next create a directory, git clone the live-build-config repository, change into it and then check what’s inside

mkdir Kali_2.0_Custom_Build
git clone git://git.kali.org/live-build-config.git
cd live-build-config
ls

3_Kali_Sana_git_clone_live_build

Now use the editor of your choice and open up the following file

nano kali-config/variant-xfce/package-lists/kali.list.chroot

4_Kali_Sana_Modify_Packages

For the GUI I am going to use kali-desktop-xfce, as I like the speed that comes with it; it’s quite basic and light. I don’t really want the full package, as I only really use the wireless tools and plan on using the Software Defined Radio (SDR) tools too, so there is no need to install everything in there. (You may be different, so decide here what you want or need before you continue.)

I will just be removing the hash (#) from the start of the kali-linux-sdr and kali-linux-wireless lines so that only those tool sets are installed.

The kali.list.chroot file looks like this before the change:

5_Kali_Sana_Packages_Before_Modification

After the change it should look like mine below; save the file and continue to the next step.

6_Kali_Sana_Packages_After_Modification

Create a new file called 01-unattended-boot.binary in kali-config/common/hooks/

nano kali-config/common/hooks/01-unattended-boot.binary

Make it executable with chmod as well

chmod +x kali-config/common/hooks/01-unattended-boot.binary

7_Kali_Sana_Unattended_File_Configuration

Paste in the following:

#!/bin/sh

cat >>binary/isolinux/install.cfg <<END
label install
menu label ^Unattended Install
menu default
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 -- quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan
END

Once again save the file. This hook is courtesy of the Kali dojo.

8_Kali_Sana_Unattended_File_Configuration_Created

When you have this done, the next step is to get yourself (or create) a preseed file so that all the installer questions are answered automatically for you. I’m going to pull mine from the Kali dojo, which the Offensive Security team use for building their images; you can download it from their website located here.

Pull down the file and save it in the correct directory like this:
wget https://www.kali.org/dojo/preseed.cfg -O ./kali-config/common/includes.installer/preseed.cfg

9_Kali_Sana_Unattended_Preseed_wget

Now we are nearly there, but the desktop is going to be bare, so find a high quality image of your choosing and modify the commands below in order to replace the background image with your own custom one. As I am indecisive, I am going to use the following image, once again from the Kali dojo located here.

Make a new directory
mkdir -p kali-config/common/includes.chroot/usr/share/images/desktop-base/

Download and save the image into the newly created directory
wget https://www.kali.org/dojo/wp-blue.png -O kali-config/common/includes.chroot/usr/share/images/desktop-base/kali-wallpaper_1920x1080.png

10_Kali_Sana_Unattended_Desktop_Background

Start off your new build:

./build.sh --variant xfce --distribution sana --verbose

“build.sh” is the script that builds your ISO from your configuration options
“--variant xfce” specifies that you want the XFCE desktop environment
“--distribution sana” selects the correct distribution for Kali Sana 2.0
“--verbose” gives you plenty of output on screen to stare at for a while, as the build may take some time. Don’t worry about reading all of it, as everything is also written to a log file that you can review when it finishes.
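As an added example (not part of the original post, and not the Kali project’s own tooling), here are the steps above, from editing the package list through to checks you can run before starting the build, as a small POSIX shell script. It assumes you run it inside the live-build-config checkout, that sed is GNU sed (for -i), and that preseed.cfg was already fetched with the wget command above; CONFIG_DIR and PACKAGE_LIST are overridable so the functions can be tried against a scratch copy first. The hook body is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post: repeatable preparation of a
# live-build-config checkout with a few sanity checks before the long build.
# Assumptions: run from inside the checkout; GNU sed; preseed.cfg already
# downloaded. CONFIG_DIR / PACKAGE_LIST can be overridden for a dry run.

CONFIG_DIR="${CONFIG_DIR:-kali-config}"
PACKAGE_LIST="${PACKAGE_LIST:-$CONFIG_DIR/variant-xfce/package-lists/kali.list.chroot}"

# Uncomment exactly the metapackages you want installed; every other line
# stays as it is. Usage: enable_metapackages kali-linux-sdr kali-linux-wireless
enable_metapackages() {
    for pkg in "$@"; do
        # only touch a line that is a commented-out copy of that exact package name
        sed -i "s/^#[[:space:]]*${pkg}[[:space:]]*\$/${pkg}/" "$PACKAGE_LIST"
    done
}

# Print the kali-linux-* metapackages that are currently enabled (uncommented).
enabled_metapackages() {
    grep -E '^kali-linux-' "$PACKAGE_LIST" | sort
}

# Write the unattended-install boot hook from the post and make it executable.
write_boot_hook() {
    hook="$CONFIG_DIR/common/hooks/01-unattended-boot.binary"
    mkdir -p "$(dirname "$hook")"
    cat > "$hook" <<'EOF'
#!/bin/sh

cat >>binary/isolinux/install.cfg <<END
label install
menu label ^Unattended Install
menu default
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 -- quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan
END
EOF
    chmod +x "$hook"
}

# Checks worth running before spending hours on a build: the hook exists and is
# executable, the preseed file is in place, and at least one metapackage is enabled.
preflight_check() {
    hook="$CONFIG_DIR/common/hooks/01-unattended-boot.binary"
    preseed="$CONFIG_DIR/common/includes.installer/preseed.cfg"
    [ -x "$hook" ] || { echo "missing or non-executable hook: $hook" >&2; return 1; }
    [ -s "$preseed" ] || { echo "missing preseed file: $preseed" >&2; return 1; }
    [ -n "$(enabled_metapackages)" ] || { echo "no metapackages enabled in $PACKAGE_LIST" >&2; return 1; }
    echo "preflight OK"
}

# Typical use inside the checkout:
#   enable_metapackages kali-linux-sdr kali-linux-wireless
#   write_boot_hook
#   preflight_check && ./build.sh --variant xfce --distribution sana --verbose
```

The sed pattern only matches a line that consists of a hash followed by the exact package name, so a partial match such as kali-linux-wireless never accidentally enables kali-linux-full, and lines you did not ask for are left untouched.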

11_Kali_Sana_Build_Unattended_ISO_Start

Patience at this point, as this may take some time; the last time I created a full ISO with everything it took two hours in total to complete. With only the wireless and SDR tools I expected it to take less time (this actually took six hours to complete for me).

When finished it will look like the following, without any errors:

12_Kali_Sana_Build_Unattended_ISO_Finish

The ISO will be saved in the live-build-config/images directory

13_Kali_Sana_Build_Unattended_ISO_File_location

At this point I like to copy the ISO out of my VM into my host OS. Depending on your setup this will be different.

14_Kali_Sana_Build_Unattended_ISO_File_Copy_Host

Configure VirtualBox to your liking; if you’re unsure of the configuration settings, please refer to this tutorial for guidance. When booting, just click on “Install” and watch the configuration magic happen all on its own!

15_Kali_Sana_Select_Install_to_automatically_install

Log in with
username: root
password: toor

16_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_first_boot

Select the default configuration when prompted

17_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_first_boot_select_default_config

Now you have your own custom-built XFCE ISO with only Software Defined Radio (SDR) and wireless related tools, which installs automatically for you. Cool, isn’t it? You can also use it as a live image without installing it.

18_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_complete

You can do all the normal things like installing the VirtualBox guest additions; for help on this refer to this tutorial

19_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_VirtualBox_Guest_additions_install

Have fun building!

18 – WPS Offline Pixie Dust Attack

Hey everyone, it’s been a while since my last blog entry. I recently started playing around with the WPS offline Pixie Dust attack, which I first mentioned back in May 2015, and wanted to document it. I have not had any success exploiting a router vulnerable to this attack, but that doesn’t mean we can’t exploit it using the older reaver method, which I previously wrote about here and here. Please refer to my previous tutorial for some background on attacking WPS.
For this tutorial I am using Kali 2.0 “sana” in a VM, which has all the necessary tools required to perform this attack, so just get the latest ISO of Kali, update it fully and you will be good to follow along 🙂

I have two routers that are susceptible to the old method using reaver, so I used them again for this tutorial; unfortunately this attack doesn’t work against them, but the process does, so it’s worthy of a blog entry!

First, as always, get your card into monitor mode. I actually came across a random issue that looks like a bug in Kali 2 “sana” when running airmon-ng:

“airmon-ng check kill” will kill anything that may be interfering with your card when in monitor mode
“airmon-ng start wlan0” as you probably know now will place your card into monitor mode

1_Monitor_mode_Kali_Sana

As you can see, instead of a new interface called “mon0” being created we instead have “wlan0mon”, which does the same thing. I thought it was worth mentioning as it was a weird issue.

Checking with iwconfig will show you that monitor mode is actually enabled so you don’t need to make any further changes:

“iwconfig” used below to make sure that the card is in monitor mode

2_iwconfig_monitor_mode_check

BUT sometimes I have also found that, even though it says the card is in monitor mode, when you start airodump-ng sniffing the airwaves you actually see nothing, so you have to put the interface down and set monitor mode manually on the card:

“ifconfig wlan0mon down” this will put the interface down
“iwconfig wlan0mon mode monitor” this will manually set monitor mode on the wireless interface
“ifconfig wlan0mon up” this will put the interface up again

3_Kali_sana_manual_monitor_mode_configuration

After you do this, if you run

“airodump-ng wlan0mon” to make sure you are sniffing the airwaves

you will see things working as expected:

4_airodump-ng_output_after_manual_configuration

My lab routers for attacking are named “dlink” and “test” under the ESSID column above.

Trying this attack against the access point labeled test first:

“reaver” runs reaver
“-i wlan0mon” specifies that you want to use the wlan0mon interface for this attack
“-b 2C:B0:5D:XX:XX:XX” is used to specify the MAC address of the access point you are targeting
“-vv” is used to display very verbose output
“-w” used to mimic a Windows 7 registrar
“-n” is used as this target access point always sends a NACK
“-S” is to only use small DH keys to improve the cracking speed
“-c 1” is used to specify the channel on which the access point resides

reaver -i wlan0mon -b 2C:B0:5D:XX:XX:XX -vv -w -n -S -c 1

5_reaver_pixiedust_attack_kali_2_sana

You may get different results with different access points, so make sure you look at the reaver and pixiewps man pages and try different switches! I already know this access point is not vulnerable, but just to show you what to do with this information: all you need to do is open up pixiewps and enter the details you just enumerated in order to crack WPS on the target access point:

“pixiewps” runs pixiewps
“-e” Enrollee public key
“-s” Enrollee hash1
“-z” Enrollee hash2
“-a” Authentication session key
“-n” Enrollee nonce (mode 2,3,4)
“-S” Small Diffie-Hellman keys (PKr not needed)

pixiewps -e PKE -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce -S

6_pixiewps_kali_2_sana_pin

As you can see no WPS PIN is found, but that just means my access point is not vulnerable to this offline attack method; it is however vulnerable to the online method, as can be seen in previous tutorials here and here.

Now I also have another access point to check, labeled “dlink” as you can see above, so let’s jump straight to it!

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -vv -w -n -S -c 6

The PIN generated is incorrect, as the PIN on the router is neither of the PINs generated below, but it’s worth trying if the access point is either a D-Link or Belkin; you may get lucky with the default PIN generator created by the devttys0 team, especially if your router is listed in the D-Link or Belkin posts showing how they were reversed in order to generate these WPS PINs.

7_Kali_sana_2_pixiewps_d-link_default_pin_generation

Another method:

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-a” to auto detect the best advanced options for the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-K 1” to Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek). Increment the value after -K.
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -a -vv -w -K 1 -n -S -c 6

8_Kali_sana_2_pixie_dust_reaver_WPS_PIN_method

Even though these methods aren’t working for me, it doesn’t mean they won’t work for you, so give them a try on your home router and see if you are vulnerable to this attack; the amount of time needed to crack a wireless network is greatly decreased if this method works, so it’s definitely worth trying.

Before I end this tutorial, I just want to point you in the direction of some cool switches I discovered in the latest version of the aircrack-ng suite which you can use for WPS enumeration.

“airodump-ng” to start airodump-ng sniffing the airwaves
“-i wlan0mon” to set the interface to sniff on
“-W” to display if the access point supports WPS
The first field of the WPS column indicates the version supported. The second field indicates the WPS config methods, of which there can be more than one, separated by commas:
USB = USB method,
ETHER = Ethernet,
LAB = Label,
DISP = Display,
EXTNFC = External NFC,
INTNFC = Internal NFC,
NFCINTF = NFC Interface,
PBC = Push Button,
KPAD = Keypad. “Locked” is displayed when the AP setup is locked.
“-M” to display the manufacturer from the IEEE OUI list

airodump-ng -i wlan0mon -W -M

9_Kali_sana_airodump-ng_WPS_enumeration

Wash also has a cool feature now to enumerate some more information from your router:

“wash” to run wash
“-i wlan0mon” to run on the interface of your wireless card
“-g” to pipe output and run reaver alongside wash to get the chipset
“-c 1” specifies the channel you wish to run on

wash -i wlan0mon -g -c 1

10_Kali_sana_wash_enumeration

It’s handy for quickly checking whether the access point is locked out before trying the reaver or Pixie Dust attack.
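As an added example, not part of the original post, here is the defender’s use of the same information that the airodump-ng -W column and the wash lock check give you: a small POSIX shell audit of your own access points by WPS version, config methods and lock state. The input is a constructed table (the columns from the two tools merged into one layout, which is this example’s own, not either tool’s real output) with locally administered placeholder BSSIDs; the verdict names are also this example’s own, while the method tokens (LAB, DISP, KPAD, PBC and so on) are the ones quoted from the man page above.

```shell
#!/bin/sh
# Added example, not from the original post: audit your own access points for
# WPS exposure from the version, config methods and lock state that
# airodump-ng -W and wash report. Column layout and verdict names are this
# example's assumptions; the sample table below is constructed.

# classify_wps VERSION METHODS LOCKED
#   VERSION : WPS version from the WPS column (1.0, 2.0, ...) or "-" if absent
#   METHODS : comma-separated config methods (LAB, DISP, KPAD, PBC, ...) or "-"
#   LOCKED  : Yes/No from the wash Lck column
# Prints one verdict token.
classify_wps() {
    version="$1"; methods="$2"; locked="$3"
    if [ "$version" = "-" ]; then
        echo "no-wps"; return 0
    fi
    if [ "$locked" = "Yes" ]; then
        echo "wps-locked"; return 0
    fi
    # LAB, DISP and KPAD are the PIN-based methods: the AP accepts an external
    # registrar PIN, which is exactly what the PIN brute-force and Pixie Dust
    # tools exercise, so these are the APs where WPS PIN should be turned off.
    case ",$methods," in
        *,LAB,*|*,DISP,*|*,KPAD,*) echo "wps-pin-enabled" ;;
        *,PBC,*)                   echo "wps-pbc-only" ;;
        *)                         echo "wps-enabled-unknown-methods" ;;
    esac
}

# wps_report < table : prints "BSSID ESSID verdict" for every AP row,
# skipping the header and separator lines.
wps_report() {
    while read -r bssid ch version methods locked essid; do
        case "$bssid" in BSSID|---*|"") continue ;; esac
        printf '%s %s %s\n' "$bssid" "$essid" \
            "$(classify_wps "$version" "$methods" "$locked")"
    done
}

# aps_needing_action < table : only the BSSIDs with WPS PIN on and not locked
aps_needing_action() {
    wps_report | awk '$3 == "wps-pin-enabled" { print $1 }'
}

# Constructed sample scan (columns: BSSID Ch WPS Methods Lck ESSID).
SAMPLE_SCAN='BSSID              Ch  WPS  Methods        Lck  ESSID
02:00:00:00:00:01   1  2.0  LAB,DISP,PBC   No   test
02:00:00:00:00:02   6  1.0  LAB            Yes  dlink
02:00:00:00:00:03  11  -    -              -    guest
02:00:00:00:00:04  11  2.0  PBC            No   office'

# Typical use: printf '%s\n' "$SAMPLE_SCAN" | aps_needing_action
```

In the sample only the first AP needs action: the second advertises a PIN method but is locked, the third has no WPS at all, and the fourth is push-button only. On a real network you would feed the function the rows for your own BSSIDs and compare the result against an inventory of what each AP is supposed to advertise.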

That’s it for now. Attacking WPS has come a long way in a short period of time, and it’s only a matter of time until this is a simple procedure that works in a matter of seconds to minutes, once enough PIN generation algorithms are reversed and added, making it simpler to crack than WEP. You remember how easy WEP was to crack, right? It’s like travelling back in time to 2005 all over again.

DNS Spoofing

I was asked what DNS spoofing (cache poisoning) was during the week, and when it came to explaining it all I could think of was ARP spoofing and I got muddled up, as this was in a fast-paced environment!

So in order to solidify this into my brain as I have encountered it many times in my studies I have chosen to write briefly on the subject.

What is it?

Well, it’s when data is introduced into a DNS resolver’s cache which causes the name server to return an incorrect IP address; this then diverts traffic to the attacking device or any other device.

What is DNS?
In simple terms, it is what lets you use a human-readable name for a website address, allowing you to type in the fully qualified domain name; for example, ‘itfellover.com’ is my FQDN.

To follow along with this tutorial you need a Windows box, pfsense and Kali, so if you don’t have them installed do so first.

Let’s get started:

This is, as always, for educational purposes only. Understanding an attack like this is taught in many security syllabi, and it has been a long time since I played with this in the lab myself.

Start setoolkit first:

setoolkit

1 - Kali setoolkit start

After setoolkit loads you can scroll up to see the following information about the toolkit:

2 - Kali setoolkit started

Select option 1 first for ‘Social-Engineering Attacks’:

3 - Kali setoolkit option 1

Then select option 2 for ‘Website Attack Vectors’:

4 - Kali setoolkit option 2

Select option 3 for ‘Credential Harvester Attack Method’

5 - Kali setoolkit option 3

Finally select option 1 for ‘Web Templates’

6 - Kali setoolkit option 1

Check your Kali IP address with ‘ifconfig’

7 - Check your Kali IP address

As my address is 10.0.0.23, this is what I will use in setoolkit, so enter your Kali IP address next

8 - Kali setoolkit IP address Website Template

Next select option two for ‘Google’

9 - Kali setoolkit select option two for Google

The website is then cloned from the templates and placed in the Apache root directory; let setoolkit start Apache for you by just entering ‘y’ to start the process

10 - Kali setoolkit start apache

Apache is then enabled and you can browse to ‘/var/www’ to modify ‘post.php’ if you want. Just press ‘Enter’ to continue

11 - Kali setoolkit apache webserver on

It’s OK when you arrive back at this page; your first thought may be that something is wrong, but it is not.

12 - Kali setoolkit menu return

Change directory into /var/www

cd /var/www

13 - Kali change directory var www

‘Watch’ is a cool command and I love it for things like this; think of it as saying “hey, watch this file and give me an update in real time if anything changes”. In order to run ‘cat *.txt’ though, we need to wrap the command in quotes because of the space, so that watch runs it as one command: watch ‘cat *.txt’. The asterisk ‘*’ says watch all txt files in this directory; I used it as the name of the file is very long. You can use the filename here if you want instead.

Fun tip!
To find out more about watch, run ‘man watch’ and have a read

14 - watch cat all txt files

It will then listen and should look blank if you haven’t run anything yet; just delete the contents if there is already something in here.

15 - Kali watch all txt files waiting

Next open your hosts file and modify it like mine below, with the Google domain for your country, and save

Kali IP address *.google.ie
Kali IP address *.google.com

vi /etc/hosts

16 - Add your Kali IP address and google domain

Next start dnsspoof listening with the following:

‘dnsspoof’ to start dnsspoof
‘-i eth0’ to listen on eth0, which is my Kali network interface on the internal LAN
‘-f /etc/hosts’ to use the hosts file you just modified in /etc/hosts as the list of names to spoof

dnsspoof -i eth0 -f /etc/hosts

17 - Kali dnsspoof start

Now on your Windows 7 test machine, or system of your choosing, navigate to ‘google.com’ in your web browser and you should get a spoofed Google login screen. You will notice though that, as we are not connected to the Internet here, no images load; you can change your WAN NIC in pfsense to access the Internet if you want images, but it is safer to stay in the sandboxed environment.

18 - Windows 7 googledotcom spoofed

Looking at your ‘dnsspoof’ output you left running you should see something similar to the following:

19 - Kali dnsspoof spoofing

What happens above is simple:

10.0.0.24 (Windows 7) says: hey 10.0.0.12 (pfsense), on port 53, I would like the ‘A’ record, that is the address, of www.google.com.

dnsspoof, sitting in the middle of all this, then says: hey, I’m www.google.com! I will serve the address up to you. So 10.0.0.24 receives the fake page spoofing the Google home page.

Now enter a random username and password and hit ‘Sign In’

20 - Windows 7 Google Fake Login

In the output displayed by ‘watch’ below you can see my username beside ‘Email’ and password next to ‘Passwd’ at the bottom of the page:

21 - Kali watch listening output

One thing I didn’t say to do at the start was to start Wireshark; I assume you do that anyway now in order to learn what’s going on in the background. If you didn’t, go back and start this exercise again from the beginning, and this time run ‘wireshark &’ to start Wireshark from the terminal as root.

1 - WireShark start

After running your ‘dnsspoof’ attack again, stop Wireshark, save your packet capture so you can look at it again in the future, and start to analyse the capture.

Below we see that packet 12 is where I queried pfsense (10.0.0.12) from the Windows 7 box (10.0.0.24) and said: hey, give me the address for www.google.com

2 - Wireshark google A record query

Following on down through the rest of the packets you will see some similar-looking packets trying to resolve Google for you, including the Windows 7 machine 10.0.0.24 asking via a broadcast as well; that’s the 10.0.0.255 address you see below. What that is effectively doing is broadcasting to everyone on your network saying: hey, you there, do you have the address of www.google.com? I would like to access this resource.

3 - Wireshark search for google A record

What you are looking for here though is a SYN packet like the one you see below, over TCP, saying: hey, I am 10.0.0.24 and I am looking for a website called www.google.com, can you find it for me?

4- Wireshark dnsspoof SYN

Next the attacker’s device says: hey 10.0.0.24, take this SYN-ACK, because I can give you access to the address you are looking for!

5 - Wireshark dnsspoof SYN ACK

The client then replies with an ACK to say thank you, and the TCP socket is opened to establish the connection.

6 - Wireshark dnsspoof ACK

In order for the connection to be successful, a TCP three-way handshake is required here, as outlined in the diagram below:

TCP - Three way handshake

The DNS spoofing looks similar, as you can see below; the difference is that the attacker’s device is listening on the local LAN and says “hey, I’m www.google.com” instead of your server or router serving up your requests, as it is man-in-the-middling everything on your local area network.

Three way handshake - DNS Spoofing

So there you have it: a question that made me think and realise I had forgotten all about DNS spoofing and how it actually works under the surface. There are other ways to do this, but I had mentioned modifying the hosts file at the time of the question. For now, once again, back to Learn Python the Hard Way, as I am currently on exercise 37 and flying along; I highly recommend this resource if you want to go over Python again and refresh your memory, or just start it from the beginning as a newbie.

Building an ethical hacking lab on your laptop with VirtualBox – Part 13 – All the Windows

Next install the following operating systems, which I am not going to go through here as the installation guides can easily be found online in either readable or video form, and I imagine most of you have configured Windows systems at some point. If not, go with the defaults of just next, next, next etc., as that’s what most people are going to do anyway!

Windows Server 2008 R2: Configure Active Directory, DNS and DHCP
Windows Server 2012: Install, Configure Active Directory, DNS and DHCP
Windows 7
Windows 8
Windows XP

You won’t need to run all of these systems at the same time, but try to run them with as much memory as possible; I recommend 2GB for XP, 7 and 8, even though they will operate with 1GB albeit much slower, and 3-4GB for the 2008 R2 and 2012 servers.

And that’s it! For now at least, I am teaching myself Python currently so I can work on some side projects.

You now have a lab on a laptop, server or PC that will allow you to exploit and investigate what has happened in a safe environment, with or without access to the Internet. Stay tuned for future tutorials in which we will exploit and analyse within our sandboxed environment. I encourage you to play around with the environment once you have these operating systems installed and see what you can do! I also encourage you to install other operating systems and tools too, and not to stick to the few that have been included in this lab; let me know if you find any vulnerable systems you personally find useful and I may include them in a future lesson.

Remember one thing though about all this: keep the network cards internal, especially when running exploits, as you don’t want to scan a subnet online or send exploits to something you are not authorised to, because you will get in trouble for doing so. You have been warned, so go have some fun and learn!

Building an ethical hacking lab on your laptop with VirtualBox – Part 12 – Kali Linux

Kali Linux is a Debian-based penetration testing distribution created by Offensive Security for the purpose of making it easier to carry out penetration tests or security audits, by having more than 600 tools readily available.

It is fully customisable and runs on a number of different devices; it was covered in a previous tutorial when I installed it from source in order to get wireless injection working, and that received a lot of interest.

This team has been around for some time and previously created and maintained BackTrack Linux; Kali Linux, however, is a complete overhaul of the OS so that it can run on as many devices as possible and is fully customisable.

Let’s start and get it installed!

Download it from here and take a sneak preview of Kali 2.0, which I am very excited about; I see a sneak preview of the reaver Pixie attack towards the end too, which looks fast!

Give your machine a name, select the type ‘Linux’ and the version ‘Linux 2.6 / 3.x (64Bit)’ (or the version for your own architecture if it is 32-bit, for example) and then click ‘Next’

1 - VirtualBox Create Kali Linux virtual machine

Allocate a chunk of memory to the system and click ‘Next’; 2 or 3GB is fine

2 - Allocate a chunk of memory to Kali Linux

Create a virtual hard drive for Kali by clicking ‘Create’

3 - Create a virtual hard drive for Kali

Click ‘Next’ to continue and create a VDI image

4 - Create a virtual hard drive for Kali select VDI

Select ‘Dynamically allocated’ and click ‘Next’ to continue

5 - Create a virtual hard drive for Kali select dynamically allocated

Allocate some hard drive space to Kali and give it a nice chunk, as this system may fill up quicker than you expect for some things. Click ‘Create’ to continue

6 - Allocate hard drive space to Kali

Next navigate to Settings and change System first, by removing the floppy and moving the CD/DVD to the top and the Hard Disk second from the top

7 - VirtualBox remove floppy move disc and hard drive

Select the ISO on your hard drive

8 - Select Kali Linux ISO

Now we are going to select NAT and click on ‘OK’ for the initial install, so that we can update and upgrade the system to the latest version of everything before changing it to internal-only mode for testing in the lab

9 - VirtualBox Kali keep NAT as NIC

Now it’s time to start up the machine; select ‘Graphical install’ at the boot menu to continue

10 - Select Graphical Install

Select your language to continue

11 - Select your language

Select your country

12 - Select your country

Select your keyboard layout

13 - Select your keyboard

Wait for the loading to finish

14 - Loading Kali components

Give your system a name

15 - Kali system hostname

Leave the domain blank if you don’t have one and click ‘Continue’

16 - Leave domain blank

Enter in the password you want to use for root

17 - Enter Kali root password

Select ‘Guided – use entire disk’ and continue

18 - Select Guided - use entire disk

Yes, you are sure you want to erase everything and continue, so just click on ‘Continue’

19 - Yes I want to erase everything

Select ‘All files in one partition’ and click on ‘Continue’

20 - All files in one partition

Click on ‘Continue’ to finish off the partitioning

21 - Partition Kali disk

Once again select ‘Yes’ and click ‘Continue’ to erase and install

22 - Erase it all

Once the partitioning has finished, next comes copying files to disk and installing the system

23 - Copying files to disk

Select ‘No’ to not use a mirror and click ‘Continue’

24 - Kali don't select a mirror

Wait for a little while and then select ‘Yes’ to install the GRUB boot loader to the hard disk

25 - Kali continue select grub

You’re nearly finished

26 - Kali nearly finished

When it’s finished you will see the following screen; select ‘Continue’ to finish the install

27 - Kali finished select Continue

Don’t worry if it looks like this for a while

28 - Kali finishing installation

Finally you get to the login screen. Enter the username ‘root’ and the password you entered earlier to log in.

29 - Kali login screen

Now you have probably noticed the screen is not full screen and you have to move a slider around, but we can fix that by installing ‘VirtualBox Guest Additions’. First we need to update the system, so run the following

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

The above strings together the update and upgrade of the system to the latest version of everything, accepting the downloads along the way with -y for yes

30 - Kali system update upgrade dist-upgrade

Let the system work away for a while and upgrade itself; feel free to get up and walk around and come back to it in a bit, as this may take some time depending on your Internet speed and the memory allocated to the system

31 - Kali upgrading

Once the upgrade has finished it will look like the following, without any errors

32 - Kali upgrading finished

Next install the VirtualBox Guest Additions by selecting Devices from the VirtualBox menu and inserting the Guest Additions CD image

33 - Select to install guest additions

Next run the following

cp /media/cd-rom/VBoxLinuxAdditions.run /root/
chmod 755 /root/VBoxLinuxAdditions.run
cd /root
./VBoxLinuxAdditions.run

34 - Installing guest additions fail

As you can see the above has failed, as we need to install the kernel headers too, so let’s do that and get full screen!

Open the sources.list file in /etc/apt/

35 - Check the sources file

Add in the following line (the official Kali repository line shown in the screenshot). Only the official Kali repositories belong in this file; mixing in Debian or third-party repositories is a common way to break a Kali install, and it also means trusting whoever runs them with packages that install as root.

36 - Add to sources list

After saving the file run an update with

apt-get update

37 - Kali update

The kernel headers that match the running kernel now install cleanly

apt-get install -y linux-headers-$(uname -r)

38 - Updating the Kali headers works now

And finishes without error

39 - Kali headers finish without error

Run ./VBoxLinuxAdditions.run again from /root and this time the VirtualBox Guest Additions install completes

40 - VirtualBox guest additions now completes

Reboot and you will get full screen

41 - Kali reboot

Full screen is great as it will make your life a lot easier in the long run

42 - Kali VirtualBox Guest additions full screen

Take a look around and see what you can do so far with the lab, but remember to switch the Kali network adapter back to the internal network before you start poking at the vulnerable machines. The adapter mode you used to reach the Internet for updates also puts Kali on your real network, and the lab is only isolated while every VM in it sits on the internal network.

43 - Kali internal NIC mode

Building an ethical hacking lab on your laptop with VirtualBox – Part 11 – Damn Vulnerable Web Application (DVWA)

DVWA is much like the install of Metasploitable, and by that I mean simple!

Download DVWA from the download link on their website

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is, as the name suggests, damn vulnerable.

Its main goal is to aid security professionals and let them test their skills in a legal environment, which is exactly what we achieve by setting it up on our internal network, so let's get to it!

In VirtualBox click the 'New' button to create a new virtual machine, enter the name, type and version as seen in the image below and click 'Next' to continue

1 - DVWA VirtualBox Name Type Version

Allocate 1GB of memory, as that is enough; you can always increase it later anyway

2 - DVWA RAM allocation

Leave the creation of the hard drive with the defaults and click ‘Create’ to continue

3 - DVWA create hard drive

Leave the defaults once again and click 'Next' to continue, as VDI is fine for what we are doing here

4 - DVWA VDI selection

Defaults are fine again, click ‘Next’ to continue and leave the dynamically allocated disk selected

5 - DVWA Dynamically allocated selection

Leave the defaults again, 8GB is fine, so click 'Create' to continue

6 - DVWA Hard disk size

Once created open up the virtual machine settings and remove the floppy and move the CD/DVD and HDD up in the boot order

7 - DVWA remove floppy move disks

Next step is to add your ISO to the CD/DVD drive so that you can boot from it

8 - DVWA add ISO to disc drive

Next change the network adapter to the internal network so that this deliberately vulnerable web server is reachable only from inside the lab and never from your real network

9 - DVWA change NIC to internal

Finally boot it up and press Enter to continue at the screen below

10 - DVWA first boot press Enter

At the next screen choose the live boot option, or just wait and it will boot for you without any interaction

11 - DVWA select live boot

Next you will see the following screen, which means you have successfully booted the live CD

12 - DVWA Booted

Building an ethical hacking lab on your laptop with VirtualBox – Part 10 – Metasploitable

Following on from the installs and configurations so far (pfSense, Linux Mint and a whole host of applications that turn that system into a Network Intrusion Detection System, or NIDS), it's time to install some other operating systems that are vulnerable to attack.

With those in place you can both attack them and forensically analyse the attacks, and so understand what is actually going on within your environment from the point of view of both the attacker and the incident responder (IR) later down the road.

First download Metasploitable2

Once you have extracted the zip, the folder inside called Metasploitable2-Linux should have the directory structure seen in the image below:

1 - Extracted Metasploitable zip file

You now have a virtual machine disk that is already configured for you and full of vulnerabilities, which is great for practice. Next open VirtualBox and click 'New' to create a new virtual machine.

Configure it with a name of your choosing, select Linux for the type and Ubuntu (32 bit) for the version and click 'Next'

2 - Creating the metasploitable vm

Adjust the memory and click 'Next'; 1GB is enough, but I like to give it 2GB, which can always be adjusted at a later stage anyway.

2 - Adjusting the metasploitable vm RAM

Because you already have the vmdk hard disk downloaded, point the wizard at the extracted files: click 'Use an existing virtual hard drive file', click the little folder icon with the green upward arrow to locate the file on your system, select it so that Metasploitable.vmdk is chosen, and then click 'Create' to continue.

4 - Selecting the metasploitable vm hard disk

Once you have completed the previous step you have a system ready to spin up, but first we need to make a few adjustments, so navigate to Settings and make the changes outlined below

5 - Metasploitable system settings

Remove the floppy and the CD/DVD, as all you need is the hard disk to boot, and finally make sure the network adapter is set to the internal network. This system is full of exploitable holes by design, so you do not want it live on your real network where anything else could reach it.

6 - Metasploitable network settings
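The same isolation rule comes up three times in these parts: Kali has to go back to the internal network once it has finished updating, DVWA goes on the internal network, and Metasploitable goes on the internal network. Clicking through the settings dialog is easy to get wrong, so here is an added example (not from the tutorial) of a pre-flight check that refuses to call a VM isolated unless every adapter is on an internal network or disabled. It parses the output of VBoxManage showvminfo --machinereadable, whose adapter lines look like nic1="intnet" or nic2="none"; the function names, the "intnet or none only" policy (host-only is deliberately not accepted) and the sample showvminfo output in the usage note are mine, and only vm_is_isolated and check_lab touch a live hypervisor.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a pre-flight check that a lab VM
# has no adapter on NAT, bridged or host-only, so a deliberately vulnerable
# box (or Kali after it was switched to NAT for updates) cannot reach the
# real network. Assumes VBoxManage is in PATH and that showvminfo's
# --machinereadable output lists adapters as nicN="mode" lines.

# nic_modes: stdin = showvminfo --machinereadable output
#            stdout = one "nicN mode" line per adapter (intnetN lines ignored)
nic_modes() {
    sed -n 's/^\(nic[0-9][0-9]*\)="\(.*\)"$/\1 \2/p'
}

# unsafe_nics: stdin = nic_modes output. Prints every adapter whose mode is
# neither intnet (isolated) nor none (disabled) and returns 1 if any exist.
unsafe_nics() {
    found=0
    while read -r nic mode; do
        case "$mode" in
            intnet|none) ;;                          # isolated or off: fine
            *) printf '%s=%s\n' "$nic" "$mode"; found=1 ;;
        esac
    done
    return $found
}

# vm_is_isolated NAME: 0 if every adapter of NAME is intnet or none.
# Fails closed: a missing VBoxManage or unknown VM is an error (2), never
# a silent pass.
vm_is_isolated() {
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not in PATH" >&2; return 2; }
    info=$(VBoxManage showvminfo "$1" --machinereadable) || return 2
    printf '%s\n' "$info" | nic_modes | unsafe_nics
}

# check_lab NAME...: run the check for each VM before powering anything on,
# e.g. check_lab metasploitable dvwa kali
check_lab() {
    rc=0
    for vm in "$@"; do
        if vm_is_isolated "$vm"; then
            echo "$vm: isolated"
        else
            echo "$vm: NOT isolated (offending adapters listed above)"
            rc=1
        fi
    done
    return $rc
}
```

Run check_lab with the names of your lab VMs before you start an exercise; any adapter that shows up as nat, bridged or hostonly is a path from the vulnerable machine to something outside the lab. If you later add a second internal network (for example a DMZ segment behind pfSense), intnet is still the mode you want, so the check does not need to change.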

Now power up your system, let it load and then you will see the following screen below:

7 - Metasploitable loaded

An excellent resource to use is the free Metasploit Unleashed online security training, which you should consider donating to, as all the proceeds go to Hackers for Charity.

I had mentioned in the previous lesson that we would also be installing DVWA, but one thing I forgot is that it is already included in Metasploitable 2, thanks to the creators integrating it into the image. You also have Mutillidae from OWASP installed and ready to go. But as the image is a bit dated we are going to spin up DVWA anyway, as some things like ShellShock, which was covered previously, are included in the newer version, so it is worth spinning up.

Building an ethical hacking lab on your laptop with VirtualBox – Part 9 Linux Mint Snort IDS – Making it permanent

Last but not least, let's make everything so far permanent with the following modifications so that snort and barnyard2 load at boot.

sudo vi /etc/init/snort.conf

129 - Modify snort conf permanent

Add in the following to the file. The exec line must point at the snort binary you actually installed: this guide runs it from /usr/local/bin/snort in Part 7, so check with which snort and adjust the path if /usr/sbin/snort does not exist on your system. The -u snort -g snort switches make snort drop to the unprivileged snort user after it has opened the interface, so a bug in a rule or a preprocessor does not hand an attacker root.

description "Snort NIDS service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D
end script

Which will make it look like this

130 - Snort conf modification

Run the following:

chmod +x makes the file executable (upstart does not actually require its job files to be executable, but it does no harm)
initctl list lists the jobs upstart knows about, and grep picks out snort from that list

sudo chmod +x /etc/init/snort.conf
initctl list | grep snort

And you should see the following printout on the screen

131 - chmod initctl

Now create the barnyard2 job file the same way

sudo vi /etc/init/barnyard2.conf

132 - Barnyard conf modification

Add in the following:

description "barnyard2 service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
end script

So it looks like the following

133 - Barnyard file modification

Run the following:

sudo chmod +x /etc/init/barnyard2.conf
initctl list | grep barnyard

You should see the following output

134 - barnyard chmod initctl

Reboot and then check the status of both jobs after the reboot with the following:

service snort status

service barnyard2 status

You should see they both have a running process like below

135 - service snort and barnyard check

That's it, well done for getting this far! As you can see the ethical hacking lab is coming together quite nicely. Yes, it takes time, but don't rush things, and if things don't work out, try harder next time.

Next we will be covering Metasploitable and DVWA so stay tuned!

Building an ethical hacking lab on your laptop with VirtualBox – Part 8 Linux Mint Snort IDS – BASE install and configuration

Now to install BASE and get ourselves a little GUI for all of this, but first some more installing

sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear

110 - Installing for Base

It should finish like this; ignore that error for now, we will fix it soon

111 - Prerequisites installed for Base

sudo pear install -f Image_Graph

112 - Install Image graph pear

cd ~/snort_source
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz

113 - cd wget adodb

Extract with:

tar -xvzf adodb518.tgz

114 - tar adodb

sudo mv adodb5 /var/adodb

115 - mv adodb5 to adodb

Run the following to write a ServerName of snort-nids (or whatever your hostname is) into a new fqdn.conf file in the apache2 conf-available directory; this is what silences the "could not reliably determine the server's fully qualified domain name" warning from the earlier install step

echo "ServerName snort-nids" | sudo tee /etc/apache2/conf-available/fqdn.conf

116 - echo snort-nids

a2enconf is a script that enables the named configuration file within apache2, in this case the fqdn file we created in the previous step; the reload then makes apache2 pick it up

sudo a2enconf fqdn

sudo service apache2 reload

117 - a2enconf fqdn apache2 reload

cd ~/snort_source
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

118 - cd wget base

Extract with:

tar -zxvf base-1.4.5.tar.gz

119 - tar base

Configure BASE so that apache2 can serve it. The chown hands the tree to the web server user, and the chmod o-r stops other local users from reading base_conf.php, which is about to hold the snort database password:

sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo vi /var/www/html/base/base_conf.php

120 - mv cd cp chown chmod vi

Modify line 50 as follows: $BASE_urlpath = '/base';

121 - Modify line 50 base

Modify line 80 as follows: $DBlib_path = '/var/adodb/';

122 - Modify line 80 base

Modify lines 102 to 106 as follows, replacing YOUR_MYSQL_PASSWORD with the password you gave the snort MySQL user earlier:

$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'YOUR_MYSQL_PASSWORD';

123 - Modify lines 102 - 106 base

Restart the apache2 web server:

sudo service apache2 restart

124 - restart apache2

Now in your browser navigate to http://snort-nids/base/index.php and click on 'Setup page'. Note that BASE's own login system is off unless you turn it on in base_conf.php ($Use_Auth_System), so anyone who can reach the web server can read your alerts; keep it on the lab network only.

125 - base first load

Click on Create Base AG

126 - base create base ag

Success looks like the following; click on 'Main page' next

127 - base ag created

You will be brought to the main page and it will look something like the following

128 - Base main page

Have a play around: click on alerts, look at the packet information, download a pcap of an event to analyse further. Just click around and see for yourself!

Building an ethical hacking lab on your laptop with VirtualBox – Part 7 Linux Mint Snort IDS – Pulled Pork install and configuration

Now to install and configure PulledPork, but once again we need to install a few prerequisites first

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

81 - Pulled pork prerequisites install

cd ~/snort_source
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz

82 - cd and wget pulled pork

Extract with tar:

tar xvzf pulledpork-0.7.0.tar.gz

83 - tar pulledpork

cd pulledpork-0.7.0/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
sudo mkdir /etc/snort/rules/iplists
sudo touch /etc/snort/rules/iplists/default.blacklist

84 - cd mod cp mkdir touch

Check that it runs by printing its version

/usr/local/bin/pulledpork.pl -V

85 - Check pulled pork

Sign up for a free Snort account at snort.org and get yourself an oinkcode, then modify the configuration file located here. The oinkcode is effectively an API key for your account, so treat it as a credential: keep it out of screenshots and don't commit this file to a public repository.

sudo vi /etc/snort/pulledpork.conf

86 - modify pulledpork conf

Modify lines 19 and 26 so that they end with your oinkcode in place of the placeholder, which should look something like this

87 - modify pulledpork conf line 19 and 26

Remove the # at the start of line 27 to also use the open (community) ruleset

88 - modify pulledpork conf un comment

Modify line 72 to match rule_path=/etc/snort/rules/snort.rules

89 - modify pulled pork line 72

Modify line 87 to match local_rules=/etc/snort/rules/local.rules and line 90 to match sid_msg=/etc/snort/sid-msg.map

90 - modify pulled pork line 87 and 90

Modify line 117 to match config_path=/etc/snort/snort.conf

91 - modify pulled pork line 117

Modify line 131 to the following distro=Ubuntu-10-4

91 - modify pulled pork line 131

Modify line 138 to the following black_list=/etc/snort/rules/iplists/default.blacklist

92 - modify pulled pork line 138

Modify line 147 to the following IPRVersion=/etc/snort/rules/iplists

93 - modify pulled pork line 147

Modify lines 194 – 197 with the following

enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf

94 - modify pulled pork line 194 - 197
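The edits above are given by line number, which only holds for this exact pulledpork.conf; a newer release shifts every line. The following is an added example (not the guide's own script) that applies the same settings by key name instead, so it can be re-run safely and survives a different file layout. It assumes the stock 0.7.0 key names, that the registered rule_url lines end in the literal placeholder <oinkcode>, and GNU sed -i; the helper names and the embedded sample file are mine and constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the guide: apply the pulledpork.conf settings
# from this part by key name rather than by line number. Assumes the stock
# PulledPork 0.7.0 key names, the "<oinkcode>" placeholder at the end of the
# registered rule_url lines, and GNU sed -i (labelled assumptions).

# set_key FILE KEY VALUE
# Set KEY=VALUE, replacing an existing line for KEY even if it is commented
# out with '#', or appending the line if KEY is not present at all.
# VALUE must not contain '|' (the sed delimiter) or '&'.
set_key() {
    file=$1; key=$2; value=$3
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        sed -i "s|^#*[[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# check_key FILE KEY VALUE: succeed only if FILE contains exactly KEY=VALUE.
check_key() {
    grep -qxF "$2=$3" "$1"
}

# configure_pulledpork FILE OINKCODE: the settings from this part of the guide.
configure_pulledpork() {
    f=$1; oink=$2
    # lines 19 and 26: put the oinkcode at the end of the registered rule_urls
    sed -i "s|<oinkcode>|${oink}|g" "$f"
    # line 27: uncomment the community (open) ruleset
    sed -i 's|^#[[:space:]]*\(rule_url=.*community-rules\)|\1|' "$f"
    set_key "$f" rule_path   /etc/snort/rules/snort.rules
    set_key "$f" local_rules /etc/snort/rules/local.rules
    set_key "$f" sid_msg     /etc/snort/sid-msg.map
    set_key "$f" config_path /etc/snort/snort.conf
    set_key "$f" distro      Ubuntu-10-4
    set_key "$f" black_list  /etc/snort/rules/iplists/default.blacklist
    set_key "$f" IPRVersion  /etc/snort/rules/iplists
    set_key "$f" enablesid   /etc/snort/enablesid.conf
    set_key "$f" dropsid     /etc/snort/dropsid.conf
    set_key "$f" disablesid  /etc/snort/disablesid.conf
    set_key "$f" modifysid   /etc/snort/modifysid.conf
    # the file now holds your snort.org credential: owner-only access
    chmod 600 "$f"
}

# make_sample_conf FILE: a constructed fragment shaped like the stock
# pulledpork.conf, embedded so the script can be tried without the real file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed pulledpork.conf fragment for the example (not the real file)
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_msg_version=1
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-8-1
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
# IPRVersion=/usr/local/etc/snort/rules/iplists
#enablesid=/usr/local/etc/snort/enablesid.conf
#dropsid=/usr/local/etc/snort/dropsid.conf
#disablesid=/usr/local/etc/snort/disablesid.conf
#modifysid=/usr/local/etc/snort/modifysid.conf
EOF
}
```

To use it on the real file, source the script as root and run configure_pulledpork /etc/snort/pulledpork.conf YOUR_OINKCODE, then diff the result against a backup before the first update. Matching on the key name with an optional leading # is what lets one script both change live values (rule_path, distro) and switch on settings that ship commented out (enablesid and friends) without knowing where they sit in the file.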

Run PulledPork to download and process the rules with the following

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

95 - Pulledpork update

It should update successfully like below

96 - Pulledpork update finished

Now modify line 543 of the snort.conf file so that the single rules file PulledPork writes is included

sudo vi /etc/snort/snort.conf

include $RULE_PATH/snort.rules

97 - Modify snort conf line 543

It should look like this

98 - Modified snort conf line 543

Now test that the configuration and the new rules parse cleanly (-T validates the config and exits without sniffing)

sudo snort -T -c /etc/snort/snort.conf

99 - Testing snort configuration

It should finish with the following message showing everything was a success

100 - Snort configuration test success

Start the snort daemon again to test with

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

101 - Snort daemon testing again

Run barnyard2 as a daemon again, this time for testing

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D

102 - Barnyard daemon testing again

Test that events are reaching the database

mysql -u snort -p -D snort -e "select count(*) from event"

103 - MYSQL database testing

I also added the following to /etc/network/interfaces

104 - Modify network interface settings

to make sure eth1, the sniffing interface, stays in promiscuous mode so that snort sees every frame on the lab segment and not only those addressed to the sensor itself

up ip address add 0/0 dev eth1
up ip link set eth1 up
up ip link set eth1 promisc on

down ip link set eth1 promisc off
down ip link set eth1 down

105 - Network interface settings modified

Modify the /etc/rc.local file

106 - Modify etc rc local

To add the following

107 - Modified etc rc local

Create a cron job so the rules refresh automatically (when asked which editor to use, select option 2 for nano)

sudo crontab -e

108 - Modify crontab

Add in the following and save the file. This runs PulledPork at 04:01 every day; bear in mind that snort only loads the new rules once it has been restarted, so follow the nightly update with a restart of the snort job or the freshly downloaded rules will sit unused until the next reboot

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

109 - Create cronjob

Well done for getting this far! In the next tutorial we will configure BASE and see all of this through a GUI front-end to view what is going on within our network, or at least the pings received from the pfSense box.