Pen Test Lab

Aim of this Lab:

  • Provide a complete lab for penetration testing a Windows XP box, a Linux box and, to a lesser extent, web servers
  • This lab provides three different scenarios:
    • A fully vulnerable box with all kinds of vulnerabilities for a user to exploit.
    • A fully vulnerable system behind a firewall/IPS
    • A fully patched and updated system behind a firewall. While the vulnerable system lets the attacker try out all the exploits and tools, the firewalled system gives a realistic scenario with the IPS/firewall/updates and patches in place.
    • A domain is created on a Windows Server 2008, with a Windows XP being a part of the domain. All domain related tests can be performed on these systems.
  • Further expand it to include Web Application testing and Wireless Assessments

You Need:

  • Box 1: Attacking Machine
    • 4 GB RAM
    • OS: RHEL/Ubuntu
    • BackTrack 5 (Attack)
  • Box 2: Target Machine running multiple VMs
    • 8 GB RAM
    • OS: Ubuntu
    • Snort, iptables (Defence)
  • Plenty of HDD space in both
  • Pre-built VMs or ISO for installing OS (Ubuntu, RHEL, Windows, Metasploitable)
  • VMware/VirtualBox/KVM … any solution for a virtual infrastructure

Box 1: The Attacker System

  • 4/8 GB RAM
  • OS: RHEL/Ubuntu
  • IP Address For Physical:
  • Virtual Infrastructure: BackTrack 5: The Attacker
    • IP:
  • Virtual: Vulnerable Windows XP
    • IP:
  • Same copy as the vulnerable Windows XP deployed on Box 2. This virtual machine is for attacking the XP system without any firewall/IDS/IPS in between

Box 2: The Target System

  • 8 GB RAM
  • Ubuntu with Snort (Snort on RHEL is not advisable –
  • Install SE Linux and/or iptables
  • IP of Physical:
  • Windows XP SP3:
    • Fully Patched: This will give a sense of the systems which are deployed in production environment. Attacking this system would be fun! Make sure to change your wallpaper to the “Try Harder” from Offensive Security!
    • Make it a part of the Windows Server 2008 domain
  • Windows XP:
    • IP:
    • Not at all patched; Automatic Updates are Off
    • Windows Firewall Turned Off
    • Use “Simple File Sharing” (Control Panel)
    • Enable IIS and SNMP
    • Install Microsoft SQL Server 2005. Set a simple password. Ensure this is running on port 1433 (netstat -ano)
  • Metasploitable:
  • Windows Server 2008:
    • IP:
    • Install Directory Services
    • Enable DHCP, DNS, FTP
    • Firewall/Automatic Updates to be Enabled
  • Ultimate LAMP:
    • IP:
    • Ultimate LAMP runs Apache, MySQL, Postfix, and older versions of other services

PenTestLab Network


  • While networking the systems, ensure the VMs on Box 2 are reachable from Box 1, and that all traffic is monitored by iptables and Snort.
  • Secure both boxes if connecting to the Internet. It is the VMs which are vulnerable; the host machines should be secured before connecting to the Internet.
  • Enable some simple routes so that the BT5 on Box 1 can reach the VMs on Box 2 and vice versa. I leave this as home-work.
  • Ensure no sensitive/personal information is stored on either of the boxes. This is a testing environment.

Available Resources:


Security is my birthright; via open source I will have it!

Ascending one step in Maslow’s hierarchy, beyond the basic needs, we reach the second step, which makes security the next basic need of mankind. But when it comes to business, security is the privilege of a few. Much of this is attributed to the cost incurred in securing an enterprise. At the same time, the technologies for implementing security are progressing by leaps and bounds. This results in a vicious circle, especially for small and medium industries.

Last year, during my summer, I came across the concept of a Security Operations Center (SOC) and how it contributes towards securing an organization’s information boundaries, if implemented properly. Then I found a wonderful paper from SANS about log management and its relevance in a SOC [1]. There were a few commercial and open source tools listed here and there for setting up a SOC. OSSIM is the undoubted choice in open source software. It combines a few wonderful open source tools which can aid in incident management. But one big gap which I, as a management student, felt in these open source tools was the lack of compliance-specific reporting capabilities. Compliance, being one of the major drivers for security, can prove to be a boon if introduced in the open source world. It can also help SMEs cut the cost of abiding by mandatory compliance requirements.

This chain of thought motivated me to combine the processes taking place within a SOC with the open source tools which can help carry out those processes. I then mapped these processes to the few compliance regimes I knew at that time. I ignored a few factors like the skills required to run these open source tools, the cost of support and maintenance, etc. These factors would surely add to the Total Cost of Ownership (TCO) if implemented for real, but for the sake of theoretical simplicity I’ve ignored them for a while.

The final sheet prepared uses the FIPS (Federal Information Processing Standards) domains as the classification criteria for the SOC processes. Open source tools (if any) that fulfil the process requirements are listed along with each process. Finally, these processes have been mapped to the following compliances/standards/frameworks:

1. ISO 27001 & 27005

An overview of the mapping can be taken here: SOC_process_tool_compliance

Although I’ve tried to compile the list to the best of my knowledge, there’s still a lot of scope for correction. I look forward to readers’ comments on it.

PS: Metasploit Pro now comes with compliance capabilities. I hope they soon introduce the feature in the open source version as well.


[1] NIST SP 800-92: Guide to Computer Security Log Management

Elliptic Curve Cryptography – Generation of Domain Parameters

“The transistor density of integrated circuits doubles every 2 years” – Gordon Moore

Let’s contemplate what Moore said. We live in a world where new advancements happen every fraction of a second. Given the increase in processing power of modern-day computers and their successors, even unnerving problems can be solved in a matter of minutes. But on the other hand, the same processing power has left many cryptographic algorithms OBSOLETE.

Recently I came across the need to secure data in transit and in storage by employing a cryptographic algorithm which has no freely floating hacks. Since brute force is an answer to all kinds of cryptographic problems, the sole hope rests on making it computationally infeasible (in cryptographic terms). After breaking our heads on it for 2 days, we came across Elliptic Curve Cryptography. The algorithm, being relatively new, isn’t much used in practice nor has any known mathematical attack (as of my writing, Certicom has come out with one [1]). Further, a key length of 160 bits in ECC is considered equivalent to 1024 bits in RSA.

I found an open source Java implementation of the algorithm on Sourceforge [2]. Free lunch! But alas, it generated only static keys. So I had to go through the entire process of generating the ‘Domain Parameters’ of ECC, so that a new key is generated each time a new communication is initiated. Now there’s a whole lot of math involved (obviously) in ECC, so I’ll discuss just a few major conditions which must be met during implementation. I worked only on the domain parameters for the prime field, as that alone was enough to overwhelm me. 😀

Let’s start off with the equation for the prime field and its variables:

y² mod p = (x³ + ax + b) mod p

  • a, b are such that (4a³ + 27b²) mod p ≠ 0, and p is a huge prime number.

For generating p one can either use the pre-made function getFieldSize() or use the BigInteger class to generate very large primes.

Now the values of a and b should be chosen so that the expression doesn’t result in 0 after the entire calculation is done. These values can also be generated automatically with any custom-built algorithm. For example, a can be a 1/k-th part of p while b can be a 1/l-th part of p, where k and l are chosen so that 4a³ > 0 and 27b² > p.

  • The order of the elliptic curve is represented by n.
  • G is the generator point (xG, yG) on the elliptic curve chosen for cryptographic purposes.
  • The cofactor h = #E(Fp)/n, where #E(Fp) is the number of points on the elliptic curve.

Now what about h? How do we go about calculating the number of points on the curve? There are quite a number of algorithms for that too. But speaking of open source and simplicity, these two can be used [3]:

  1. Naive approach
  2. Baby step giant step method

Once h is calculated, check whether it satisfies the criterion h ≤ 4 and h = [(√p + 1)²/n] (the brackets denoting the floor).

There are a lot more conditions to be satisfied, but they are already taken care of by the open source implementation. Once the domain parameters are generated dynamically, the entire process of key generation becomes automatic. In ECC:

  • Private key = any random number
  • Public key = Private key × G (scalar multiplication of the generator point)

The generator point can be any point lying on the curve. Since we’ve already found out which points lie on the curve using the naïve approach, we can select one of them for our purpose.
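As an added worked example (not the post’s own code, nor the Sourceforge library it mentions), the conditions above run end to end on a constructed toy curve, p = 17, a = 2, b = 2 with G = (5, 1): the non-singularity check, the naive point count, the order n of G (the n the cofactor formula divides by), the cofactor criterion, and scalar multiplication, which is the “public key = private key × G” step:

```python
# Added example (not the post's Java library): the prime-field domain-parameter checks the
# post lists, run on a constructed toy curve; real curves need a p of 160 bits or more.
import math

def point_add(P, Q, a, p):
    """Affine group law on y^2 = x^3 + ax + b over F_p; None is the point at infinity O."""
    if P is None or Q is None:
        return Q if P is None else P                 # O is the identity
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                  # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)         # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(k, P, a, p):
    """Double-and-add k*P; 'public key = private key x G' is exactly this call."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P, a, p)
        P, k = point_add(P, P, a, p), k >> 1
    return R

def count_points(p, a, b):
    """Naive approach from the post: test every (x, y), plus 1 for the point at infinity."""
    return 1 + sum((y * y - (x**3 + a * x + b)) % p == 0
                   for x in range(p) for y in range(p))

def point_order(G, a, p):
    """Smallest n with n*G = O (brute force; only feasible at toy sizes)."""
    n, R = 1, G
    while R is not None:
        R, n = point_add(R, G, a, p), n + 1
    return n

def domain_params(p, a, b, G):
    """Return (n, h, ok): n = order of G, h = #E(F_p)/n, ok = the post's cofactor test."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")
    n = point_order(G, a, p)
    h = count_points(p, a, b) // n
    ok = h <= 4 and h == math.floor((math.sqrt(p) + 1) ** 2 / n)
    return n, h, ok
```

On this curve domain_params(17, 2, 2, (5, 1)) returns (19, 1, True), and a public key is scalar_mult(d, G, 2, 17) with the private key d drawn uniformly from [1, n-1] rather than from all integers.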

Okay, I hear people heaving a sigh of relief there. I agree it’s seemingly complex but that’s the beauty of cryptography, isn’t it? 🙂

Firing the Anti Virus …

Below is an account of a small, simple and sweet hack done on a network. Even though they had a firewall installed and monitored the network regularly, the hack could take place!

Scene : Target compromised through a User Account having default password. Thanks to Social Engineering 😀

Cast: Batman and the Joker (the compromised user account). But the Joker is just a normal employee, not a top manager! It would be difficult to escalate! (Attacker = Batman, Attacked = Joker)

Motive: Batman wants to plant a key logger into the target, but the bloody anti virus detects it as a virus and deletes it!

Joker: Hey dude, what doing man? Are you free for a few minutes? This f*****g internet doesn’t work on my system!! Batman: Yeah, let me see. (after a few minutes) You seem to have entered the wrong credentials for the Cyberoam! What’s your username …?
Joker: abcdefgh
Batman: … and your password?
Joker: Sorry sir, can’t give it! (he enters the password)
(Batman then clicks “login” and firefox pops up a message to save the password. Batman saves the password using the keyboard shortcuts w/o Joker knowing!)

To make the long story short, Batman is able to find out the password of Anil for the Cyberoam through the firefox saved password list! It seemed to be a default password set for all the users!!

Present: Batman is still trying to access the drives of the target system to deploy the key logger! No drives are shared and no simple passwords work; tried out all possible combination.

He then remembers the password Anil entered for Cyberoam and it works!! He is able to get into the system and access all the drives and files! Then another idea struck him. He tried the same password for the Admin account; and guess what, it worked too!! Awesome!

Now, the only thing to be done is to install a key logger. No other hacks to be done, strictly; we are good people :P. But, to his dismay, he finds out that a Symantec Anti Virus is installed which is deleting the key logger (bloody, all free key loggers are detected by the anti virus!!). Idea! Go to the Symantec drive and delete all the Symantec anti virus files (other than the ones in use) and your work is done!!! It was really surprising at that time that a high fundu security tool like Symantec could be shut down just by deleting its files!!

Restarted the system using the command “shutdown -r -t 01” (look up the man page). As expected, Symantec did not run since there were no supporting files/DLLs! Using the psexec command from the “pstools”, the key logger was installed remotely, after which a restart was required, which was easily done! Through this we got hold of a lot of sensitive information.

Through this, I was convinced that a successful hack does not require the use of any vulnerability assessment tool or any high fundu tools/scanners; that social engineering, shoulder surfing, etc. are pretty simple and can mar the effect of the best of networks; and I learnt one more way of bypassing firewalls.

The biggest learning from this project was about the Anti Virus. A tool which was supposed to safeguard us is vulnerable in such a simple way! The Anti Virus guys could any day afford to add a File Integrity Monitor!! As a friend said, “So much for companies that supposedly pour millions of dollars into R & D!!!”