
Setting up a lab

BSides Charlotte 2019 · 30:58 · Published 2019-11
Speakers: William Price & Bill Price
Transcript

Okay, can you hear me? Gotcha. Can you hear me fine like this? Okay, we'll go that way. Okay, so how many people are professionals in here, you work? Okay, you work in IT? Okay, how many people work in security, IT security? How many people are trying to work in security, so students? Great, that gives us an idea. All right, so first thing: if you trust me, if you want the slides you can get them from there. There's no drive-by downloads, do nothing, preview the URL; it's a Google Drive link. I'll do it for you if you want and I'll show you, if that makes you feel better. All right, so she already said who we are.

We own a security agency and we do pen testing, and a lot of times when we're trying to answer questions for people on forums we get the question, "I want to learn how to hack." So I'm assuming everyone here is interested in that, that's why you're here. I always get questions: what certification should I get, what courses do you recommend, etcetera, and I always say: go to a lab. In my opinion that's the best way to learn how to do anything: get hands-on and just do it. So that's what we're going to talk about today, how to set up hybrid hacking lab environments with the cloud. We use that in our workflow all the time. If I wanted

to start cracking some hashes on a pen test, I'll spin up a Kali AWS instance. I can cram as much GPU and RAM in there as I want; for $5 an hour I can crack hashes. So why would you want to set up a hacking lab environment? Of course, number two, if you want to learn penetration testing and hacking. One thing that gets overlooked sometimes, for you who work in security, if you are consultants: if you want to do a quick demo, you're on a sales pitch with a client, spin up a VM, show them a common attack. Most of the time that blows their mind and you've got the deal, like they've been talking about.

Labs are great in corporate structures, corporate environments, if you want to improve your blue team skills and learn how attackers work. If you're, say, a SOC analyst or anything of that nature, setting up a lab and then learning some of the attacks that the red team, as we call them, do is a great way to improve your defenses. And finally, setting a lab up at your company is great for practice. We do engagements with clients where we'll set up a lab with the blue team and we'll walk through, like they talked about, purple teaming with some scenarios. But even within your environment it's a great thing to do: set it up, and

if you have a red side and a blue side, have them work against each other and find out the weaknesses of each. So what do you need to set up a lab? You probably think you need a whole data center, right, all kinds of servers, and tons of power. Not necessarily nowadays. Your laptop can be your lab: your laptop, your desktop, servers; you can buy servers pretty cheap off of eBay nowadays. I've got two or three of them sitting in the closet at my house as my lab there, I've got a couple at work that are my lab servers; they're pretty cheap nowadays. The desktop will work, yeah. It really depends on what you have, what you have access to,

and what you're looking to do. So when you're setting a lab up, what kind of hardware are we looking for? Of course your processor has to support virtualization; again, this is going towards a laptop-type scenario. Storage: you're probably going to want 256 gigs, because as you guys know, when you set up your virtual machines each of those gets a virtual hard drive, right, and that takes up space on your disk, and depending on how extensive your lab is going to get, how much you're trying to learn, that space can quickly add up, so I typically recommend at least 500 gigs. SSDs work better, of course, they're faster, but they're not a must. And your

RAM: you're going to want at least eight gigs. Windows, if you're on a Windows box, takes what, two gigs to run by itself, and then you start allocating RAM out to each of your VMs, so 16 is nice. That's the hardware you need, and that's essentially it, and as you know, pretty much every modern laptop has all of those specs, right? Okay, so once you have your hardware selected, the next thing is you need a host. In your host machine setup you are going to need your virtual machine software, and we have tons of options for this. If you're using Windows you've got Hyper-V as an option if you use Windows 10 Pro; we're going to talk about

later how you can get that for free, legally of course. You've got Hyper-V, there's VirtualBox, we've got VMware, and for Linux we've got Xen, with Hyper-V and VMware being the paid version, which is only like $90, $120. You get the capability of checkpoints. You guys know what checkpoints are? All right, anyone not know what a checkpoint is? Okay, so a checkpoint is essentially: when you build a machine you can checkpoint it and create an instance at that moment; it copies how that machine is set up, and then later, if you want to revert back to it, your lab is taken over with malware, you're trying something, you messed something up, you just revert back to that checkpoint, which is a nice

capability, but with VMware Fusion or VMware it comes with the paid version; Hyper-V has it by default. So before you start something new in your lab, before you branch out, do it, run a checkpoint so you have something to go back to, and we'll get there. So now that you have your VM set up, you're going to have to pick a distro, right, an operating system for your hacking. Kali Linux: anyone here not heard of Kali? Okay, I thought so. Yes, that's the hacking operating system, right. And we've got Parrot; Parrot is essentially, I've been playing around with that one a lot lately, in my opinion it's Kali with a little bit more focus on cryptography, it's got some

cryptographic tools on it. There's Pentoo of course, BackBox. If you're looking to get into web, we have the Samurai Web Testing Framework. If you're looking to learn more about forensics, we have DEFT. Anybody here heard of Commando VM, you played around with it? Yeah, I didn't know that. Commando VM, great tool, it was released earlier this year, February, March-ish, around the time of what's the conference out in California. It's by Mandiant, FireEye, and it is a Windows-based hacking OS. Essentially you download it, the stager I guess I'll call it, and it downloads everything else, it installs it, and you can run pretty much anything you can run on Kali, you can

run it on a Windows box. I used that recently on a pen test; the scenario was a rogue vendor, so I got a laptop like the ones we get here, with non-admin credentials, and I had to see how far I could get into the network. I tried everything I could to elevate my access on that. This was a bank, super locked down; I mean I was sticking the laptop in the freezer trying to do memory dumps and cold boots and everything. I couldn't elevate access, but what I could do, when we did finally find a way around that; so the scenario was I'm a vendor, I can't bring my own laptop on the network, right, I have to

use what I have. So I downloaded Commando VM, put it on the box, kept out a couple of tools that would have set off flags and antivirus, and I was good to go. So yeah, Commando VM is something I would recommend looking into.

Okay, so once you have your lab set up and you have the operating system of choice, or operating systems, the next thing you're going to want to do is find something to hack, right? You've got to do this legally; what are we going to hack? The nice thing is there's tons of vulnerable systems that you can download to practice on, and you can download these at any skill level, and as you build you can get harder ones. So of course there's Metasploitable by Metasploit; anyone not heard of Metasploit? Good, okay. There's Morning Catch; anyone here heard of Morning Catch? All right, so Morning Catch is a virtual machine you can download and it's sort of automated, and

it's for learning social engineering and phishing attacks. When you get on a pen test, if that's where you're looking to go and you're working on social engineering, the last thing you want to do is make a dumb mistake in your spoof email that sets it off through their mail filter, right? So you can get a VM like Morning Catch and you can practice that, so you have your skills honed by the time you get to the job. The OWASP Broken Web Applications; anyone here familiar with OWASP, anyone not familiar with OWASP? You know, okay, so OWASP, I can't remember what it stands for, but every year they do research based on the top web

vulnerabilities and they release the top ten, the OWASP Top 10 we call it, the most common vulnerabilities in the coding of websites. They release that study every year; they're pretty much always the same: cross-site scripting, variations of that, etc. And they have vulnerable web apps on their site that you can download. They have a web app testing framework that's really nice that'll walk you through how to test for a bunch of these different things. WebGoat has vulnerable web apps. And then VulnHub, you guys heard of VulnHub? They've got tons and tons of vulnerable instances that you can download for practicing. Sometimes this is overlooked: you guys heard of Exploit-DB? If you work with exploit development or use an

exploit in your attacks, anyone not heard of Exploit-DB? Okay, so if you're on a test, I'm looking at SLMail for an example, that's a pretty old one, something I was playing around with recently, you can go there and you can download shellcode etc. that you can put into Metasploit or just run as an executable and elevate privileges, get root, get access, etcetera. Sometimes people don't realize that for some of those exploits you can actually download the version of the software that it runs on; not all of them, but sometimes they have that, and you can get vulnerable software that way also. And of course outdated operating systems: Windows XP, I see that in so many

environments, XP, Windows 7 is going end of life, I see old versions of Server, the last guy talked about Server 2000, I see that all the time in environments. Microsoft has some OSes available for you that you can go download from TechNet and different places, and Exchange the same way.

Okay, so you've got the machines and now you need the tools, right? There are hundreds and hundreds and hundreds of hacking tools, as you know, so we can't go through them all; I'm just going to go through some of the basics. There's Nmap, I'm sure everybody here has heard of Nmap, right, network mapping. Nessus is a vulnerability scanner; that's a paid tool, but they recently released a free version, previously it was a home version, and you can scan up to 16 or 24 machines, just plenty for a lab. Responder, you guys know about Responder? Okay, so Responder essentially does an ARP spoof, it spoofs and you can get NTLM hashes, you can get SMB

authentication, you can do DNS spoofing with it. If I'm on a pen test in a Windows environment, a lot of times I'll run Responder to try to get in on the authentication. Of course NTLMv2 is the most up-to-date version, but a lot of times you can force it to downgrade to NTLM and you can grab those hashes of their credentials as they log in. So I like to run that on a pen test; if I'm on site I'll start in the morning when everybody is getting there, for 10 to 15 minutes at the most, because it can get pretty messy, ARP spoofing causes a lot of problems. Yeah, or I'll do it at lunchtime, or when I'm back from lunch

I'll run Responder. I can usually pull five hashes there and then I'll send them up to start getting cracked. Yeah, John the Ripper for password cracking, it's pretty old and everybody knows about it, and there's others, hashcat, there's quite a few password crackers. Anybody here heard of PRET, the printer exploitation toolkit? It's a really, really nice tool. As you know, what are typically the two weakest points of a network? Printers and VoIP. Yeah, printers and VoIP; you can pretty much always get into printers, they never set them up right, they're using old technology or an easy way in. And so for printers a gentleman, I believe he's from Sweden, Jens Müller, he developed the printer

exploitation toolkit. Essentially what it allows you to do is it uses the printer PJL and PCL commands, and you can connect to a printer and copy off print jobs that come to the printer all day. You don't need to dumpster dive anymore, right, you just go to the printer and see what they printed; it's a really nice tool. Metasploit, everybody's heard of Metasploit; again, these are just basic tools, there's tons and tons more. Social-Engineer Toolkit, you guys heard of that? Anyone not heard of it? Okay, so Dave Kennedy, who was on earlier, that is a tool developed by him, and it allows you to create payloads, documents, you can spoof emails with it,

it's a social engineering toolkit, nice. GoPhish is another one I use; I've got a couple of VMs up in the cloud that I run that off of, and what's nice about GoPhish is, you have an email you want a copy of, of course you're going to spoof it, so I can copy the HTML code of a Gmail email for example, I can put it into here and send that. I can also, if I want to mimic a landing page, I just put in the URL and it will copy the code and make a landing page for me that looks just like it. So yeah, if I want to send them to Facebook to log in, put in the

Facebook login URL and it copies it. You've got to work with it, yeah; I've had various success rates, tweaking things you can get it to work, it depends on what email client the user is using, Exchange on-prem. PowerShell Empire; so these three are post-exploitation. Metasploit can be post-exploitation too, probably PRET also; you're going to have to be on the network. PowerShell Empire is an offensive PowerShell toolkit, tons and tons of nice tools in there, nice commands you can run. What you have to watch out for with that is, as these things become more common they get picked up by the antivirus companies or the endpoint protection, and

a lot of times they are caught, like Mimikatz; pretty much everyone catches Mimikatz nowadays. The Kerberoast toolkit is a nice toolkit, and I'm sure, working on Active Directory environments, everyone's heard of a Kerberoast attack. The short of it is, everyone knows how Kerberos works, right, with the ticket-granting servers; you get a ticket and you use your ticket to authenticate throughout the network. Well, there's golden tickets which give you elevated access, and a Kerberoast attack is, you find a service account; I mean there's multiple ways to do it, typically what works for us is we find a service account, you request a Kerberos ticket

for that service account. Anyone can do it; Windows will, unless they've got security really ramped up, let anyone pull down the Kerberos ticket, and it goes to RAM. Then you use Mimikatz or another tool to dump it out of RAM and crack it, then you have the credentials for a service account, and then you can use that to elevate and get a golden ticket, and if you're at that point you're doing pretty well. And then CrackMapExec is another PowerShell toolkit; it's nice to use post-exploitation. And again these are just a few out of hundreds and hundreds of tools, and what I would say when you're using these tools is,

understand what they're doing and how they work. Nobody wants to be called a script kiddie, for one, but for two, when you get into an environment, your environment changes; like that pen test I talked about, I had a Windows box, low-level access, I could not run PowerShell, I couldn't download or install any tools, I couldn't do memory dumps because of my access, but I could run the command prompt. So essentially, the first thing I did is I wrote nmap in a Windows command prompt and created my own tool; I know how it works, and I ran it as a batch file. I could do that. So learn how the tools

work, and then you can retrofit them to your environment, what you're up against.

Then I would say, in your lab, learn Active Directory. What is it, 87 percent of organizations, 85 or something like that, that use Windows as their systems? So you're going to come up against Active Directory, you're going to deal with Active Directory, so build a domain. Anyone here not dealt with Active Directory, not set up a domain? But you understand how domains work, right? Gotcha. So essentially you have your domain controller and then you have different levels of access, you have groups, right, and that regulates everything. Yeah, because most of the time it's not set up securely, so it's pretty easy to get in; it can be a great benefit for attackers. So build out a domain, and we're going to show

you how you can get that for free to do that, because Windows Server is very expensive. Set up various users, set up access levels, set up groups, and so you're getting a couple of benefits from this: for one, you're understanding more deeply how Windows works; for two, as you set this up you can see what common people are doing, you can see the mistakes that they were most likely making and how you can take advantage of that. The guy before showed the Event Viewer; that's a great example. Once you see how the admins work, how they look at that, then you start getting an idea of how you can undermine it.

Practice with GPOs, group policy objects, seeing how you can attack those, get around them. The Hacker Playbook is a book, but on their website they have a great tutorial on how to set up a Windows domain, and then there's another great tutorial that walks you through the entire process of the basics of setting up the domains. If you don't trust it, tell me and copy the link; those are in there. So if you want to set up Active Directory domains, how can you get it? Server is very expensive, right? Has anyone here heard of the Windows Evaluation Center? Anyone not heard of it? Okay, so the Windows Evaluation Center: basically every operating system they make, you can get it free for 180 days,

Server, Windows, Windows Enterprise, all of them, you can get them free for 180 days. And what Microsoft tells you when you download it and install it: set up a checkpoint at the beginning; when the 180 days runs up, revert back to your checkpoint and you're good for another 180 days. Fully legal, and it's a great way to learn.

So of course what we've talked about is we can build all of this on our own hardware, but where it gets very interesting and fun is when you start using the cloud. With cloud computing nowadays it's super, super cheap: Amazon AWS instances, Azure. Anybody here heard of Vultr, Vultr hosting? I like them; one of the reasons I like them so much, for one they're cheap, and you can upload your own ISO. So if you have your own operating system that you've customized and built, say you've got Ubuntu with your own tools you like, build an ISO of it and then you can put it up there in the cloud. Also OneHost Cloud,

OneHost Cloud, there's another good one, because they allow pretty much any type of pentesting you want to do on your own environment, so long as you're not DDoSing or DoSing, and we're going to look at those in a little bit more in a second. But then capture the flags; you guys are all aware of capture the flags, right? There's online ones you can use to learn. Hack The Box, everybody's heard of Hack The Box, played with them, got in? Of course there's a little challenge to get in, but there's tutorials to help you hack the world. OverTheWire, you guys heard of OverTheWire? So if you're wanting to

learn Linux, I tell everybody go check out OverTheWire. Essentially you SSH onto it and then you have to find tokens hidden on the computer, and each token is your SSH key for the next level, and you learn all kinds of Linux; it's a great tool, and then you keep progressing up the ranks. All right, so as you can see, you are allowed to pen test your environments on AWS as long as you are not doing DDoS, and if you are using any of those types of instances you are allowed to pen test your own environment. You can't do DNS zone walking, DoSing, port flooding, protocol flooding or request flooding, but other

than that you can do what you want on your own instance, and they're pretty cheap. They even have a Kali AMI, so AWS gives you that, you can install it on your instance if you want. This is Vultr I was talking about; I've got a couple of C2 servers sitting up on Vultr that I use, that's the $10 a month one, there's another one at $5 a month. It's pretty cheap; at $5 a month it's a gig of RAM, 25 GB of storage, it's great for a lab. So if you don't have access to hardware, which we pretty much all do, that is another option, and as you start doing more pen testing, like I

said, we've got a couple of C2 servers sitting up on Vultr, about as much as I'll say about that. And then some books that are great for learning: Georgia Weidman, she wrote the book Penetration Testing: A Hands-On Introduction to Hacking; that is a great book, it's a little old, but if you learn the principles they still apply. Of course The Hacker Playbook by Peter Kim, that is at version 3 now, that's another great resource. Black Hat Python; one thing I like about that book is they teach you, like I talked about, learning how your tools work; one of the exercises in that book is building your own nmap out of Python. They teach a lot of nice things

in there. Hacking: The Art of Exploitation; all of them, those are great books. You guys heard of Kevin Mitnick? His book is great for social engineering, it can broaden your understanding of some unorthodox methods you can take. I'd say the same thing for The Social Engineer's Playbook by Jeremiah Talamantes; you guys heard of him? RedTeam Secure, out of Minnesota, they do a lot of physical pen testing and a lot of social engineering. It's a great book; he just released another one on physical pen testing that's good. And then of course, this is only the beginning: you've got your lab and you're working on it; security is constant lifelong learning, right? I guess how I got onto the train

was back in high school a friend of mine got hacked, and I said wow, that was neat, I want to do that, and I've been learning ever since; that's how I got started. Cybrary, you guys heard of Cybrary? Cybrary is a wonderful resource. I mean there's tons and tons, I've only picked out a few. HackerOne; now, you guys familiar with bug hunting, HackerOne? Anyone not heard of HackerOne? Okay, so they'll pay you of course for bugs. Have you guys seen their HackerOne University, the intro to web hacking? Yeah, I think it's on there once you log in, once you set up an account, I believe. I'm looking at the

HackerOne University. Bugcrowd, you guys heard of Bugcrowd? Same thing as HackerOne; they have what's called a university, they have tons and tons of videos that teach you web exploitation. YouTube: there's tons and tons of great channels on YouTube. I'd say check out all the DerbyCon videos from the previous DerbyCon conferences, as many BSides events as you can; there's great talks at those, all the DEF CON ones are great. And then a couple of the recent ones I've been looking at: The Cyber Mentor, Heath Adams from here in Charlotte, he spoke earlier, his channel is great. You guys heard of CQURE? They are a Polish cybersecurity company, they

did a lot of talks, they developed their own tools, they're a great company and have a lot of nice tutorials: memory dumps, developing shellcode, etc. Then blogs; a lot of blogs have a lot of really great tutorials, as you guys probably know. You guys heard of HackerSploit? He has tons and tons of hands-on tutorials that walk you through; he's got a whole series on Wi-Fi hacking, he'll walk you through a WPA hack, WPS hacking, WPA2; he's got tons and tons of great tutorials. He also teaches courses; I've never taken any, up to you to figure out. TrustedSec has great tutorials, Dave was here. You guys heard of Black Hills InfoSec? They have a lot of great

tutorials too, and they've got a lot of good information on Kerberos. They have a lot of good blue team tutorials too, how to set up honey service accounts, so that should someone try to do a Kerberoast attack, you can set up service accounts that automatically alert that someone's using this, because only an attacker would. And then Metasploit Unleashed is a course on the Metasploit website; that's a great place for learning. And I'm sure you guys have other places; that's just a few I picked. So that's what I have to say. I do have a blog on my website if you're interested. Yes? Yeah, yeah, yeah, yeah, I got quite a few back at Christmas, I think it was like 40 books for twenty

dollars, really nice.

Yeah, those are great; keep an eye on
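The honey service account idea mentioned near the end of the talk (the Black Hills InfoSec blue-team advice) lends itself to a small detection check. What follows is an added example, not code from the talk, from the speakers or from Black Hills InfoSec: it walks a constructed batch of Windows Security event 4769 (Kerberos service ticket request) records, alerts on any successful ticket request for an SPN that belongs to a honey account (an account whose SPN is registered but used by no real service), and separately flags any requester asking for RC4-encrypted service tickets to several distinct services, which is the pattern a bulk Kerberoast leaves. The field names follow the real 4769 event data; the account names, addresses and events themselves are made up for the example.

```python
"""Spot Kerberoasting against a honey service account from Windows 4769 events.

Added example: the honey account names, IPs and events below are constructed.
Field names (ServiceName, TargetUserName, IpAddress, TicketEncryptionType,
Status) match the EventData of Security event 4769 as forwarded by a SIEM.
"""

# Hypothetical honey accounts: SPNs registered in the lab domain that no
# real service ever requests a ticket for. Any request is suspicious.
HONEY_ACCOUNTS = {"svc_backup_legacy", "svc_sql_old"}

# TicketEncryptionType 0x17 is RC4-HMAC; 0x12 is AES256. Roasting tools ask
# for RC4 because those tickets crack fastest, so RC4 to many SPNs stands out.
RC4_HMAC = "0x17"

# Constructed sample of events as a log forwarder would hand them over.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "CIFS-FILES01$",
     "IpAddress": "::ffff:10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "svc_backup_legacy",
     "IpAddress": "::ffff:10.0.0.77", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "svc_sql_old",
     "IpAddress": "::ffff:10.0.0.77", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "svc_web",
     "IpAddress": "::ffff:10.0.0.77", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # A TGT request (4768) for comparison; the detectors ignore it.
    {"EventID": 4768, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.77", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # AES request for a honey SPN: still an alert, just not an RC4 one.
    {"EventID": 4769, "TargetUserName": "carol@LAB.LOCAL", "ServiceName": "svc_backup_legacy",
     "IpAddress": "::ffff:10.0.0.31", "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def normalize_account(name):
    """Strip a realm suffix and trailing '$', lower-case, so names compare cleanly."""
    return name.split("@")[0].rstrip("$").lower()


def honey_alerts(events, honey_accounts=HONEY_ACCOUNTS):
    """Return one alert dict per successful TGS request (4769) for a honey account."""
    honey = {normalize_account(a) for a in honey_accounts}
    alerts = []
    for ev in events:
        # Only successful service ticket requests matter here.
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        if normalize_account(ev["ServiceName"]) in honey:
            alerts.append({
                "requester": ev["TargetUserName"],
                "source_ip": ev["IpAddress"],
                "honey_account": ev["ServiceName"],
                "rc4": ev.get("TicketEncryptionType") == RC4_HMAC,
            })
    return alerts


def rc4_requesters(events, threshold=2):
    """Map requester -> number of distinct SPNs asked for with RC4, at or above threshold."""
    spns_by_user = {}
    for ev in events:
        if ev.get("EventID") == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            spns_by_user.setdefault(ev["TargetUserName"], set()).add(ev["ServiceName"])
    return {who: len(spns) for who, spns in spns_by_user.items() if len(spns) >= threshold}


if __name__ == "__main__":
    for alert in honey_alerts(SAMPLE_EVENTS):
        print("ALERT honey SPN requested:", alert)
    print("bulk RC4 requesters:", rc4_requesters(SAMPLE_EVENTS))
```

On the constructed sample this raises three honey alerts (two for bob, one for carol) and names bob as having requested RC4 tickets for three distinct SPNs. A real deployment would read the events from the SIEM or from `Get-WinEvent` output instead of the inline list, and the honey account should be given a long random password so the alert is the only thing the attacker gets out of the ticket.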