
Intro to Linux System Hardening and Applying it to Your Pentest System

BSides Detroit · 50:00 · 3.1K views · Published 2012-06
About this talk
Chris Jenks (rattis) talks about hardening Linux and how you can apply that logic to your pentest system so you don't fall prey to the hack back.
Transcript (en)

Actually, Dan Becker is looking for a senior... all right, catch them. Damn, that's... proof time, great, thanks, and I want you to... stellar start. So, yeah, speakers, they... you know what's up with them, they bring the laptops, they show up and then just leave with no words. You don't need them in here, actually.

What's my password? Actually, I told somebody... I can see that there's somebody else... remember this for me, because I can never seem to remember. No, not this time, sorry. Henry Rollins apparently left the CD in there, sorry. So this one, you're watching Henry Rollins before we actually came, you know, inspiration. I'll try not to swear as much, all the same.


Okay, warm-up area. You know, I was actually sharing my laptop, it's not... so I'm trying to find where the slide decks are, where's my mouse? Okay, so here's... this is actually a Linux system. A little bit about me: I am a network engineer, I've been doing network administration or network engineering since the 90s, I have been doing Linux administration almost as long. Presentations...

So sorry for the delay, everybody. Okay, so, yeah, it's free, so: Intro to Linux Hardening. Why does this matter, what is it about, and why are we doing it? So who am I? My name is rattis, some of you guys have probably seen me in the lockpick village, I am the guy that runs Ann Arbor TOOOL. My name is Chris Jenks. I have been a network engineer since 1996, I have been a Linux administrator since 1998. My work has been mostly in telco and other large enterprises like that; I was a senior engineer at my last company, I am a network engineer in health care at this point. So what is this talk? This talk is a basic, 101-level talk. I expect

people to have a basic understanding of Linux at this point. You have heard what BackTrack is, you may have downloaded BackTrack and actually played around with it some. I expect that you have at least learned a handful of Linux shell commands: ls, cat, ps, stuff along those lines. You know what mounting a hard drive is, you know what your path is, you know how to move through the path. This talk is not going to be a high-level talk, it's not going to be "this is what you do to be the coolest person on the block"; it is just to get you started. And where did this all come from? The few times I've done penetration

testing have actually been off of Windows machines, but this talk actually came out of two different things. One was a conversation with RogueClown and BoostSec; we were talking on IRC one night about people's hacking habits and some of the events I had been at, a CTF, my second one at that point, and while we were getting ready and everything was ready, the more experienced hackers in the group decided to see what everybody else was running. So they started running scans and pentests against their own teammates, you know, while we were waiting to hear what we were supposed to do. Yeah, yay. So we were talking about that, and then RogueClown brought up that when she first got into penetration testing

she got pwned a few times by the system administrators: they saw her log onto the system with the BT box, they logged in as root and shut it down. And BoostSec works at a university and he does pretty much the same thing; he's the network administrator in charge of their security, and when he sees somebody in the DHCP logs logged in with a BT box, he logs in as root and shuts it down. Who here knows what PaulDotCom is? Okay, got a couple of hands. Anybody else know what PaulDotCom is? Okay, so PaulDotCom is a security-based podcast, they have a lot of pentesters on their show. The episode I'm thinking of was in May, it

wasn't May, when was it, it was recently, just before CCDC. They actually had an entire episode dedicated to hardening your systems and what you do to keep the people trying to pentest you out. So at CCDC you have blue teams, yep, you're trying to defend your systems against the red teams, and a lot of the stuff that they were talking about there was actually already in the slides I was presenting. So it's like, wow, you've got PaulDotCom, you know, pentesters, talking about what you do to protect your systems, and I'm talking about the same thing. Let's talk about it. So I built a lab for this talk, and as you can see here, Whistler is

the host; it is in fact this box here, this is a Debian system. Everything else: there was an installed version of BackTrack on a portable hard drive, everybody else is virtual, a virtual BackTrack instance, an Ubuntu desktop, and what was it, desktop/server? You know, a lot of people are going to go out and install Ubuntu Server; it didn't come up, didn't come with any default ports open, and what I'll show you, to give you an example of a default system, is that a lot of people when they first get started are going to grab... hey, we need a server, and I've seen this in the real world, we need a server, they go grab Ubuntu Desktop because it's

what they use at home, install it on a server and start running services. Lastly it was CentOS. At the last place where I did live Linux administration we used CentOS almost across the board. So when you do a basic install of CentOS, what's open? So in this case I actually looked at the open ports, I ran nmap from an external server against it, and we see that port 22 is open, which I actually opened myself so I could control it from the separate system and make it easier, because I needed screenshots from the console. And what's this, RPC on TCP port 111? I didn't say anything, tell it anything to open that, so that is actually part of the

base install. Looking at Ubuntu, actually, sorry, so looking at CentOS itself from the command line, that's everything that's open: you've got way more showing up than from outside. SSH, you have CUPS, just a lot of stuff that doesn't really need to be there. Same thing looking at Ubuntu. I was actually more impressed with the default install; I turned SSH on myself, so it showed up, but less than anything else. But when I looked inside, well, here's that port 631 again, and that happens to be CUPS, which is your printing daemon. I'm putting up a server, why does it need to be there? And then the ones that had the 0 colon colon

and then the port number at the end, that's your IPv6 stuff. IPv6 is automatically turned on on both systems, so don't just worry about IPv4, worry about IPv6 as well. So I want to turn off CUPS; my servers don't need a print daemon on them, I don't need it listening for something to print, there's no reason for it. It doesn't matter if I'm tossing up a web server or a mail server, 99 percent of the time I'm never going to print anything off this box, so let's turn it off. Under CentOS you can use the service command, "service cups status", put your daemon in there and see what it's running, you know,

what's its status, is it running, is it started, is it stopped. In this case I turn it off, check it, you can see it stopped. If I want to go beyond that, if I want to actually not have it start up at boot time so I don't have to worry about it ever again, under CentOS and Red Hat you can actually use chkconfig --list to see what's running where. So at run level one it's off, run level zero it's off, two, three, four, five, those are the ones you're going to interact with as a user, it's all turned on. I don't like that, so I'm going to turn that off. So I run the --levels command behind chkconfig, tell it the

process I just want to kill, and then turn it off on those run levels, and then you have another listing showing that it is off; it's going to stay off after the reboot. Doing this the Debian way: I keep mentioning Ubuntu, it's based off of Debian. Normally the command would be update-rc.d cups and then the status, in this case disable. Unfortunately Ubuntu has made some changes off of stock Debian and you actually have to go in and change configuration files by hand. Another option is to actually just remove it, but it's going to remove more packages than what you really want. So that takes care of turning the processes off, but you know

it'll still show up if somebody tries sweeping my network or trying to sweep my system. So what I want to do is I want to put a firewall up, and I want to drop the packets coming in to me. So that's what I've done here: I've taken a basic drop on input, so anything coming in is going to be dropped, anything I'm sending out is going to be accepted. So the firewall's going to let my traffic go out, it's not going to let anything come in. Now there is a problem with doing it this way, but I'm not worried about that at this point. The problem would be if my system had been infected at some point in the past

before I've actually turned it up and set everything else up; it's still going to allow outbound traffic, and that's not going to do anything about it. I'm going to set the same things up on my loopback interface. I'm going to say if I have an established state of any kind, if I started the traffic, I want the traffic to be able to come back in to me. I want port 22 to work. I forgot this command the first time and locked myself out of all the systems, because I scripted this out and it's like, okay, start this up on start, great, I can't get anything now. You've got to go back over to my virtual server from the other room, type everything in, hit

every box by hand. So if you're going to use SSH for anything, for port 22, make sure you actually open it and have it open before you start doing your drop statements. And then I want to see anything... if anything hits this filter and gets dropped, I want to see it in a log, I want to know what's going on. You know, even if I don't have the log up and running in real time, I want to be able to go back and look. And if it doesn't fit any of my previous parameters I'm dropping it, it's going to get rejected. So if I want... so I made a mistake, right, I

need to turn off the firewall and start fresh: this is how you would actually turn it off. You can again script it and set it up in your start config files. At the end of the talk I will tell you where I found these; I've actually made some slight modifications, the original source material actually had some syntax errors that they didn't catch in their editing process, so I actually had to go back and make some minor changes, but it's actually really easy to find both of these files online. So, okay, I mentioned when BackTrack comes up it comes up with the name of bt. Well, other systems have defaults too. In this case the CentOS default was what it

asked me for. Okay, that's great, but every time I boot up it's going to show up in DHCP; if I'm pulling a DHCP address on the network, it's going to say hey, I'm here, this is my box name, what's my IP address, have you seen me before? Oh, it's an okay name. Same thing with the Ubuntu desktop. So I want to change those. In the case of CentOS I'm going to go into /etc/sysconfig/network and I'm going to change it at the HOSTNAME line; Debian/Ubuntu, I'm going to change it in /etc/hostname, and then restart the networking services. Now some of the systems come with default passwords, some of them come with no passwords. Who here

has used Ubuntu? Okay. And you know how everything is done via sudo, all right? What do you do with the root password? Does anybody actually know how the root password is generated, does it have a password to start with? It's completely random. But there's two problems with that: if something happens and I lose sudo access, I can't... I don't have a back way in to protect my own system, I don't have a back way in to work as administrator on my own system. If I have something happen where, you know, it's still a password, I'd rather have it be something I set, because I feel clearer about a password I make up than letting somebody run John the

Ripper against it, finding the hash and knowing the password when I don't. That's just me. So changing passwords, pretty simple: it's just the command passwd as root and it'll ask you for a password. Like I said, this is basic level, people, I know some of you guys are back there nodding off, it's okay, it's meant to be a boring talk, I'm sorry. Talking about sudo, all right, I want to add a new user to it, it's just sudo add... well, no, sorry, that's actually further down. Adding a new user: I need to add a new user, I don't like having... so in the case of CentOS, even though it has Ubuntu Desktop here, in the case of CentOS

the only user that was installed was the root user. I don't want to do everything as root; there's too much of an issue of genuine typos, there's too much stuff that's just available for the access. Then... in setting up the screenshots I jumped back and forth to whatever system was most handy to type the commands into. These are your basic level commands, so you know, you want to add another user, you want to add more users to the system so they're not doing things as root, they're not doing things as you. We were talking about SSH a little bit ago; a couple of things need to be changed. Most of the systems nowadays use SSH v2 by

default, and that's actually part of the default config. These are the three things I change on every system I ever touch, if I'm responsible for the system: I'm turning off X forwarding, so they're not going to be able to log into it and then pull an X session back to them; I'm going to turn off TCP forwarding; and I'm going to turn off root login. So if you're trying to log in as root, I don't want you to do that, I want you to log in as the local user or the main user and then escalate to root when you need to. I don't want you starting there as default. I don't want people forwarding through my boxes if that box wasn't

designed to be your proxy, if it wasn't designed to be a forwarding shell account. Apache, basically, when it starts off it listens on every single interface. Now why does this matter for BT? If you're running Nessus, it will install the default Apache config and it will set it up to listen on every single interface. Well, I don't like that, I just want it to listen on localhost, so I'm going to change that, and that's what I'm doing here: I'm making it so only the local host can access my Apache server. Mail, yeah, you've got too many options with sendmail, too many options with postfix, too many options for fixing it. I'm not going to go into them; there's a lot

of great material on the internet, really easy to find, and it'll tell you how to lock your mail servers down the exact same way. And it's a case of, I'm basing this off CentOS and Ubuntu because those are going to be the ones you're most likely to find out there; one uses sendmail, one uses postfix, I didn't want to include both, it's just making the talk even longer. So, a few extras. What else am I going to do? I like getting emails on my logs of important data or information that hits a certain filter, so I'm going to install something like logcheck. I'm going to turn around and... what it does is check for anomalies and

then mail those anomalies to the administrator. It's a really great tool; you can set it up on one server and have it forward to your POP account, you can have it forward to multiple accounts, it's really nice. I'm going to install things like Tripwire. So as soon as I've got this box set up, before I even put it on the internet, I'm pulling most of these packages out of my own repository, so I know they're safe, and I'm going to set up Tripwire. It's going to build a database across the entire box and every time a file changes it'll tell you, if it fits in the monitoring system. So Tripwire will

look at it and say hey, this has changed, and send you an email when that happens. Actually, the next one, nope. A couple of things: there's a tool out there called DenyHosts. I really like DenyHosts. At my previous job we had an instance where we had to share data with another company; it was their data that we were processing for them, but it was very sensitive data. Who here knows Playboy? You guys are laughing, that was the customer. It was very sensitive data; it was basically every copy of the magazine scanned electronically onto our systems so they could create the Playboy DVD, and they've now taken that and moved it forward into a new product that's going to

be coming out very soon for the iPad. We wanted to make sure people couldn't log into the system that weren't authorized to, and we didn't want to worry about brute forcers, so I used a tool called DenyHosts. It's set up to actually deny your system based on how many times you fail logging in to sshd. Now there's other tools out there that do the exact same thing; another really good one is fail2ban, and it watches more than just SSH. Okay, I need to watch my time, no, is it... today, yes. Because on the Ranch and Robe server I've got fail2ban set up, so if you've messed up too many times trying to log into my web page, which is

a WordPress site, it's going to try locking you out, because it's going to see the errors in the logs. So instead of trying to log in with an invalid password... I get emails on a regular basis of people being locked out, either SSH, or trying to log into WordPress, and a couple of other things I'm not going to talk about on that system, because I don't want to invite people trying to break into my own stuff, and I don't want to have potential listeners banned, if they're potential listeners at a BSides event. So what does this have to do with BackTrack? Why am I talking about basic Linux? Well, BackTrack is Linux. Who knows who purehate is? A couple of hands. Purehate

is actually one of the developers of BackTrack Linux. I happened to be in the ISDPodcast channel at one point and somebody was asking what distribution do you use at a security conference; first they were looking for what system is built for Black Hat. Purehate replied back, because somebody said BT, and the quote is on the screen: BT is not meant to be secure; it is a security distro, not a secure distro. Now what does that mean? It means that it's designed for people to test things, it's designed to be fast, quick and dirty. Unfortunately it leaks your data, unfortunately it gives the

admins ways to get back into your own system and turn you off. So we've just been talking about all of this stuff, and we're basically going to go back over it again. Now there's a couple of things about doing penetration tests or CTFs or whatever way you want to do this. I love live CDs, I love virtual environments, they're great for some uses, but if it's going to be a system I'm going to attack with on a regular basis it's going to be a full install. I'm not going to put it in a virtual machine; they're nice, but they leak too much data. I'm not going to run it from a live USB or live CD; they're nice, but it's too easy to

delete your underlying data. So, you know, some people say "I'm safe enough on a live DVD", that's great. Who here uses full disk encryption on their laptops? Not a lot of hands. Full disk encryption on their laptops, okay. So you're running from a live CD, I get into your live CD, I can mount your local hard drive. I've got a bad habit of actually logging into my live CDs when I'm using them and then mounting my encrypted hard drives, because I want the data that's on the underlying hard drive; if I have a direct... so I don't have to worry about that. And dual booting again leaks data. So talking about virtual systems, this is actually a packet capture off of

Whistler when I was doing this. Actually, no, this wasn't even Whistler, this was actually off the BackTrack box, and what I did is I started up Chrome on the host machine that was running the virtual lab, and that's all the data that popped out across the network, because it was a shared network interface. Now what does that tell a network person that's watching their logs at two o'clock in the morning, or has some other kind of IDS set up: at two o'clock in the morning there's a lot of traffic coming over the network. A physical machine, when it's installed on a hard drive, that's what it'll look like: so you say hey, what's your drive state, what's your information,

all right, yeah, it gives you back your physical hardware. That's what it looks like on a virtual hard drive; something to notice, model name VBOX. Does that matter, is that something you should care about? Let me show you a quick story. Again, at a previous place I worked at, we had a deal with another company: we provided the server, the server they were providing as a service. The software they were using actually uses a lot of processing power, really, really hits the processing power, and we gave them a box big enough to do it. What was their policy? To install virtualization software on top of it and then put whatever processes needed to run on top of

it. The box kept crashing. They came over and said, Chris, here's an IP address, we need you to find out what's going on here, why is this box crashing, it's strong enough for the software we're using, we use the exact same thing in our office, but when we're using it at the customer site it's crashing. All right, first thing I did, logged in, what's the hardware state, and the first thing it listed was virtual, it listed a VirtualBox virtual hard drive. It's like, well, is this supposed to be virtualized or physical hardware? They just looked at me. Fine, it's like, what do you mean? They virtualized the server and put the server on the virtual server. No, this is

supposed to be using the real hardware. You know, so it's things like this that I now know: the guy that's attacking my network has a virtual hard drive, I know there's an underlying OS, and there have been published attacks out there that will let you go down to the next layer, attack the host from the VM. You know, but why would you want to do that? Well, I'm trying to stop a hacker, and you're on my network, you're fair game. So look at the disks. I've got a multiboot system here; look at all those nice juicy disks, those are all things I can mount and find other information on. So, you know,

multiboot kind of sucks. Again, the default name for BackTrack is bt. You'll notice in the slides the boxes are called Asherah and DS Challenger. My systems are usually named after submarines, and they usually have some kind of archaeological importance. Deepsea Challenger was James Cameron's submarine that he recently used to hit Challenger Deep; Asherah was actually the first submarine ever used in underwater archaeology. So I change the name from bt to DS Challenger. Does that tell you anything? Does the last thing tell you anything? Yes, no, maybe? Is everybody sleeping now? So I'm leaking data here: I'm telling you I'm a BackTrack box. If you're going through your DHCP files and you see this,

oh look, somebody's using BackTrack. If you've got a daemon set up to monitor your logs and watch for that, you'll know when they're on the network. But now it's just DS Challenger; what's that, is that somebody's iPhone, is that somebody's iPad, is that some college student just walking by, is that just some guy outside that happened to grab the same access point somehow, somebody that likes... whatever? Yes. Again, we're changing the password. You know, when you first install BackTrack it's root/toor, so your login name is root, your password's toor. Well, if I don't change that and I start sshd, or sshd gets started somehow, what happens? Somebody logs in. Then what do they want, what do they

do, do they want to mount your hard drives, do they just want to turn you off and make you go away, do they want to send you nasty messages, "we're calling the cops, they're on their way"? You've just given them full control of your box. Change your passwords. Add a user. So I don't like the fact that BackTrack only has the root account in the beginning; I'd like to see more out of it. I'd like to see it, when you install it, have you create an actual sub-user that you have to start as and then move up. But that's me doing Linux administration since '98. Okay, so I was talking about adding users

to visudo. A lot of people go out to the... and when they do it, and this is where I was adding rattis to the visudo file for BackTrack, a lot of people just go out and say oh well, it works for root, all right. Well, that's great, but what if somebody gets into the rattis one, because I actually messed up and used a weak password like "password" instead of something that's 32 characters long? In this case all you can do is go to root, or change user; technically that would be change user, but that's the only command that I can run as that user from that location. I can run other commands, I can

run your basic bash commands, I can run cd, I can run pwd, I can run ls, I can do all that, but I can't do anything at the system level. I can't shut it down, I can't restart it, I can't change protected files. And this is what it looks like: it's locked out. Change back to the new user I created, change to the home directory, show me my home directory. I say sudo, show me my home directory: sorry, not allowed to do that. It doesn't tell you what commands you can run, it just says you can't do it. Okay, well, I don't like this box being here, I'm going to shut it down: sudo shutdown -h now. Sorry Dave, I

can't do that. Sorry Dave, I can't do that. In case anybody didn't hear, that's "sudo make me a sandwich". But sudo su root: now it's not showing my password here because I was dropping in and out of root left and right, so it's already got my password cached, which I could actually turn off if I wanted, but I can go to root. And what are my open ports? So scanning from one box towards the other one, the only port that's open right now is the one that I opened so I didn't have to keep walking back and forth between rooms. But even then, 22, I've seen BackTrack

instances where it's turned on 22 by default, I've seen other ones where it's turned the web server on by default, and I've seen other ones where you have to turn both on by hand. I think currently you have to turn both on by hand, which is BT5 R1 or BT5 R2, but don't quote me on that, because I'm really not sure; it's been about two weeks since I've touched anything, I made the slide decks, like, that's it, I'm done, I don't want to do the same work, especially since this was the second slide deck, the first one had much different backgrounds. So again, looking at open ports, going back the other way: Asherah is actually built off

of BT4, then upgraded to 5, and there's a lot more stuff open before this, but look, HTTP is open and it's open to everybody. Well, Asherah actually has a copy of Nessus running on it; like I said about Nessus earlier, it installs a default Apache config, makes it reachable to everybody. Yes, now I keep talking about TCP ports, but what about UDP? In this case this is an nmap UDP scan; it takes a lot longer than TCP. Out of the ports it ran it against, it found one open port, 68, which if I remember is the DHCP client, which you kind of need if you're running DHCP and not statically. But using a static IP

address, and why does that matter? Well, for the most part you're going to need to figure out what the IP address range is on a network that you've never seen before, and the easiest way is to get a DHCP address from the DHCP server. Oh look, I'm sending my name to the new system, oh look, I'm sending my MAC address with it, oh look, I'm leaking my data left and right, but I don't have a choice because I don't know what the addresses are. And again I'm enabling the firewall, again it's all the same commands. I don't want anybody to be able to log into the system without me knowing about it, I don't want people

hitting my port 80, I don't want people... I don't want to be the target of somebody else while they're my target. Scanning still works: so I set the firewall up on Asherah, remember I said any state that I establish, that I create, I want to see it. My port scan still works, so I know it's working right. Coming back from the other direction: Apache, so my port's still open, oh, there's Apache and it's still listening on every address out there. Coming back in the other direction

it's filtered; it just says that it sent the packet in and didn't get anything back. Now that tells me I might have something there I can attack, maybe I have to find the right IP address to hack it, or it might just mean that they're filtered. Remember I said I want to see the logs, I want to see what's happening if somebody's trying to get into the system. Here it is, I'm doing a grep on dropped inbound packets. So normally I had this set up in a side window as a tail and watch messages to see what's going on. Here there's a lot more, because it's dropping pretty much everything, it's dropping all the network traffic. So if you ever do a packet

capture on a network you'll see a bunch of NetBIOS stuff, you know, who's got this IP address, tell the server, who's got this MAC address, tell the server. I'm dropping those too, but I want to show that I'm dropping port 80. In this case my destination port's 80 and you can see from the scan it's being dropped, you're not getting through. SSH: I don't want people to be able to pull an SSH session, especially off of a BackTrack, because it starts you up... it starts you up in X11, it starts you up in a nice pretty GUI depending on how you configured it. No, BackTrack doesn't, but it's easy to start and most people start it anyway, so I

just think of it as automatically running, because I don't think I've ever done anything in BackTrack at a command line without going through the GUI at some point. So X11 forwarding no; but here it is, PermitRootLogin no, and when I was testing that, root still logged in, but I've also got DenyHosts running at this point, so I should lock myself out of the box trying to log into it. DenyHosts is set to say as soon as anybody tries to log in as root, you're denied, you're put in the hosts.deny file, so it actually blocks you out there too. You're not going to be able to log in as root. I couldn't do much else entirely; I went

back and did everything by hand. Setting up Apache: okay, we're still listening everywhere, anybody out there can hit my port 80 in theory, even though it's filtered at this point. That's great, but I don't want to trust my firewall to always be running; something happens and it stops for whatever reason, I still don't want somebody coming in. So I'm going through and I'm setting Apache up just to listen to localhost. So, you know, that's your basics there. Right, beyond that you want to patch; you want to patch immediately after install the first time, and you want to have a regular patch management system going from that point forward. You want to be able to sit there and say

this is up to date. You don't want to be... I think he's in the room, you don't want to be like Keith, who was up last night doing patching before the Metasploit classes because he hadn't patched for a couple of weeks. You know what I mean, it's like, why am I putting this off to the last minute? It's like, I don't know dude, mine backs up every Saturday night, what are you talking about? Updating BackTrack, it's really simple: it's your apt-based system, so it's apt-get update, which will hit the repositories and tell me what's new, and I think it's at the bottom down here, yeah, well, it isn't in this case, nothing, because it's a recently

updated system. Usually also when you say upgrade it will give you a list of what needs to be upgraded and say this is what I have, this is the new version, what do you want to do with it? You can update it, you can not update it, whatever. In this case it's all up to date. Final steps: I'm going to set up DenyHosts and fail2ban. I'm going to set it up so you can't get into my box, and if I see you in the logs it's going to automatically fail you, that's going to put you in a nice little section, basically adding you to the firewall and saying you're not welcome here. I'm going to add Tripwire; that

way if something changes, even if I'm the one that changes it, I'll know it changed. So if I've installed a new package and I didn't know it was going to touch /etc/passwd, I'll still know passwd has changed, because it'll show up in an email to me. It's a BackTrack box, I'm using it for attacks, I'm taking it out to the customer sites, I've got a known clean image here, so what am I doing? I'm taking that and making a good backup. It's going to save me time down the road if I need to reinstall this, like when I get back from the customer site. Just to make sure it's still a clean image, I'm going to

have an image of the box to drop into place, and I'm going to re-image it every time I patch it, so I've got a known good and it's going to stay that way. Now when you're on site, Jeito Security, aka Boris, he likes to take a live CD and run it that way and then save everything to his USB. I'd still rather do a basic install, but I liked his idea of taking the USB, because if you can script everything to save to the USB drive, then hand your customer everything you've done: here's every command I ran, here's everything I've got from your network, here's everything I know about your systems, all in one place,

all electronically, if you want to see what I've done. Questions? Yes.

Yep.

OK, so remember how I said Challenger is actually loaded on a portable USB drive that was actually set for live boot. It was set up originally as hostname bt after the install, so it's leaking that. That's the fdisk from Challenger before I changed its name; it's on here, right? Telling it to show me your disks, show me what you have locally, it's showing you every other disk I have on the system. This is my old backup system, so it has all my backup data on it still. So yeah, you can see, you know, OK, well, so you know, your question: I'm leaking data. What does the guy have here, right? Does

it give me more information? I know about them. I take mount, I tell it to mount this device, and now I've got access to everything on that hard drive. So I can go through and it's like, oh look, here's this guy's tax files, oh look, his name is Chris Jenks, oh look, he lives here. Hello police, yeah, I got a hacker, here's his name, here's his address. Well, yeah, 'cause I found his tax files on his machine, that's how I know. Yeah. Nope.

Yes, so if you set your, if you do, if you make it so, this is basically imaging at that point. You've done your live CD install and you said I'll make a copy, and running that live CD still has access to everything underneath it. You haven't taken out fdisk -l, you haven't taken out mount, it's still there, it's going to be on the system, it's going to show you what you're asking about. Yes? We were saying before about the DHCP client being a necessary evil to try and find the IP ranges; would it make more sense to leave yourself static for your Ethernet interface and then fire up Wireshark and look for

broadcasts to find the address ranges? You could do it that way. I never actually thought of that, that's actually a good point. Then you're not sending anything out, you've found the address range you're looking for, you can set yourself in there. Another way to do that would actually be, you set yourself not so much as static, just leave it blank, put yourself in promiscuous mode and just listen. That way it's one easier step. The downside to that is, let's say Bob is scanning the network, right, and Bob has done your step. Then Alice comes in in the morning, Bob's still connected, Alice has a statically assigned IP address, and Bob has taken her address because he saw

that's the address and didn't see any action on it, right? But Alice also had to come in at five o'clock in the morning because she's got your payroll out. What happens? What happened to me. Yeah, so yeah, it's a necessary evil. There's ways around it; that's one way around it, but you've brought in other things you've got to worry about with that one too. Anybody else? Yes, Wolf.

OK, so we were actually saving this for Rats and Rogues. I didn't... I dropped hints about where Sandburg's during the talk. I am rattis, I am one of the two hosts of Rats and Rogues. Where's Justin? That's right, gone before I came in here. So we're actually going to announce that this weekend, but we've had some podcasting issues. Rats and Rogues is the local podcast; we actually did all the BSides interviews. Wolf, Wolf is out, usually he's a tough slave driver, but he's a great guy to work for. It's like, dear, just trouble, where's the episode? I've only forgotten for... um, anyways, so we were going to announce it on the podcast. We're actually going to be doing my MiSec

workshops coming up I've been talking about with Wolf, and that was basically the next step from here. What's next? We're going to do workshops that help people build their skills. Has anybody listened to Rats and Rogues? How many people heard the career panel too? OK, so recently we did a career panel after BSides Chicago; we brought back the panelists from Chicago and we three, Wolf and Linden there. And one of the things we said is we're not really mentoring properly in our own community, and how can we start bringing people up? You know, everybody there is saying zero percent job loss, or zero percent unemployment in infosec. How many people here have something to do with

infosec but really don't have a job in infosec and are trying to get a new job in infosec? A handful of us. All right, well, you've got a handful of us, that's more than zero percent. The case is they want people to have more skills, so how do we do that? Well, we mentor, but we've got to go beyond just mentoring people; we've actually got to do a little bit more than that. And Wolf just started me on a really nice rant, sorry guys. So what we're going to do is we're starting up workshops and we're going to give you basic level skills. We're going to teach you how to set up a LAMP stack. It's

going to be a lot like this, but instead of just me in here droning on and you guys nodding off, you're going to be setting the stuff up, and then we're going to come after you in a lab, and you'll have enough data to take that home and set up a LAMP stack at home, to set up your own blog, to set up your own mail server, to set up whatever you want to do with your own server outside of work, some place to practice, something to say, yeah, so here's my website, go check it out if you're interested. You know, it's got my resume, it's got my slide decks, it's got my email address on it, you know, email me

here at this domain name, we're good to go. So we're going to get you there, we're going to start with that. What were the other ones we were talking about, Wolf? So watch the MiSec mailing list... well, do we have MiSec on English yet? MiSec, yeah, MiSec's coming up. Listen to Rats and Rogues, watch the Rats and Rogues website, so you're doing... after we start listening to us, if you don't want to, but watch the website, we'll make announcements there. Watch the IRC channel, if you don't, with the MiSec IRC channel is, the IRC chat. All right, yeah, if you don't know what the MiSec IRC channel is, find us

on freenode, it's #misec, m-i-s-e-c. Actually, Tom, come here, come on, you're wearing the MiSec shirt, come on, it's not like you haven't been in front of people once already. No, but for fun, come up here. So we've got a joke in MiSec: Wolf doesn't like hugs, so we're consoling season. Find #misec on freenode and you can find us. Yeah, what's that? Lurk, shuffle in it. So yeah, a lot of us are a part of MiSec. It started last year at BSides, it's a growth out of this community, and everybody's welcome. This is in the area, you know, our only membership requirement is here in Michigan, and even that's loosely based.

VM escapes, but I just don't like it, because like I showed and like I was talking about, it's telling you that it's a VM box, so you've got the VM escape option, but you also know there's more of a juicy target there. Because if you remember the scan when I started, that's going to show up if I use something stupid or I've got something on NTP running on the host, right? Network time, it's going to leak at some point, and you've just made yourself twice the target you were before. Yes, more than VM escapes, because Whistler leaks a lot of data. It's my day-to-day box, it's NTP, automatic updates through Debian,

several other things, so it's always hitting the network. It's always looking, reports that Firefox is open, it's always hitting Gmail because I've got Gmail Checker, so every five minutes it sends a blast of packets off to Gmail. I'm using that on somebody's network at two o'clock in the morning, they know I'm there because I've got multiple addresses hitting. I left the slides out on purpose, but if I turn off the host machine's network, if I'm not using a dedicated USB network device at that point, either wireless or USB to Ethernet, I have no network connection. So if I turn off the networking, it's turning the networking off not just for the local box but for all the hosts.

The hosts can talk to each other but they can't talk out. Now, like I said, you get around that by using an Alfa card plugged into a USB device, with the USB device shared to the virtual, but that's when we're working at that point. I gotta remember to bring more stuff with me. Anybody else? Come on, somebody's got something.

So bridging? How do you mean?

Um, you're still NATing out at that point through your regular network interface, so you still have to have your regular network turned on if you want to talk to anything else besides what's on your machine. So I mean, for a lab, yeah, it's great. I use virtualization, I love virtualization, it works great for labs, it works great to have multiple servers running off of the newer hardware because it can support it. I had production environments running on four blades at one point, 48 servers virtualized on the four blades. The company loved it because it was saving a lot of money, but from an attack perspective it's going to make you more of a target, and part of what we're trying to get around

here is not to be the target. Shrink your own footprint so you're not standing up quite as much.

Oh, it has a basic config, but if you don't have the stuff installed... so on the Rats and Rogues server, it doesn't have anything related to X installed on it. It's an Apache server, it doesn't need it. I had to go through and take all of those out, or comment all those out, in the Tripwire config. So it takes a little bit to get set up; it's going to take you about a week of prep time until you get used to it, then it'll take you about a day. But you've got to sit there and, you guys see, what's it listening on, what's it looking at? It's going to keep throwing you messages saying, hey, I can't

find any of these files, where are they? So it's a bit of a pain to set up, but it's worth it in the long run. A little bit of pain up front saves you a lot of pain later. I don't know if Tripwire works on Windows, I don't use Windows.

My day-to-day box is a Linux box. Does that... what's this? How about me in Windows? Only to pop it. Thank you.

oh i cured