
Hack Yourself: Building a Test Lab - David Boyd

BSides Knoxville, 28:27, 5.6K views, published 2016-06

About this talk
We all want to improve our skill sets, right? Reading is great, but there is no experience like actually 'doing it'. In this module, we will discuss how to build your own hacking lab from the ground up, for next to no cost. We will also discuss the various free penetration testing distributions, as well as the intentionally vulnerable virtual machines you can practice anything on, from phishing to web app testing to exploits and more. https://bsidesknoxville2016.sched.org/event/6tCm/hack-yourself-building-a-test-lab

Transcript [en]

[Applause] [Music] So, how's everyone doing this afternoon? Everyone good? Y'all having a good time? All right. You'll have to mind my voice a little bit; I've got a little bit of a cough, so if you see me over here dying, I'm okay, I promise. Let's give a big round of applause to Adrien and all the guys that kind of put this together for us. Can we do that, man? You know, two years ago we didn't have a BSides Knoxville, and now we've grown to, I think he said, 150 people. Like, that's insane, guys. Knoxville is finally on the map, so it's great. So the name of this talk is Hack Yourself: Building a Pen Testing Lab for Fun and Profit. Four score and seven years ago, Abraham Lincoln rode into battle on a bear with an assault rifle, and he said these words as he rode into battle: "Give me six hours to chop down a tree and I will spend the first four sharpening the axe." I don't know if any of that's true. Albert Einstein also had a great quote that's related to this talk. He said, "Any fool can know; the point is to understand." So keep those in the back of your mind as I go through this. So who's this guy standing in front of you? My name is David Boyd.

I'm a security analyst for Contextual Security Solutions. I spent a few years in the Army, and then when I got out I worked in every sector: retail, IT, government, finance, media, the energy sector. Then I got tired of sitting in hot, crowded cubicles and I decided to do consulting. I'm a Christian, which is to say I'm just a forgiven sinner. I am a new husband, a new father of that little five-month-old right there. Rumor has it he's unleashed a new vulnerability out in the wild; it's called a diaper shock. Or maybe that's me; that's the shock I get from seeing his diapers. I'm also a geek and a huge gamer. As a matter of fact, I'll be putting together a D&D group after this, so if anybody's interested, come see me. So on the agenda today, we're going to talk about setting up a lab, the different pen testing distributions, and the various intentionally vulnerable virtual machines that are out there. I'm going to touch on a little bit of the recommended tools that I think anybody should just install and play with. If all goes well, I'm going to do a live demo for you guys of what a lab would look like, and then I'm going to go on a little bit of a rant, and then we're going to go eat. Does that sound good? All right, so let's take a poll. Show of hands: who learns a little better by reading about something? Raise them up. Okay, that's not what I thought. Who learns better by actually trying something hands-on? Okay, a little more there. So in our industry, in the security industry, and in technology in general, reading is great. I mean, I've got a library full of books and I highly suggest you do that, but there is just no better way to learn than by actually doing it, and the whole point of building a lab is to help teach yourself and to help improve your

skills. So that's what I was talking about here. Why build a lab? Skill set improvement: if there's something you're a little weak on, build a lab, get strong in it, right? I'm not great at web app testing, I'm really not, so in my lab, when I get the time, I try to practice with Mutillidae and a couple other things. You've got to try out something new. We get a little focused on "well, A, B, and C work," but you get into different customer environments and none of those things work, right? So it's easy for us to get that single focus. This gives you a chance to try out some new things, kind of break the barrier without breaking your customer's network. You get to brush up on some tactics, both old and new. I can't tell you how many old tricks still work; like Cain, you know, back in '95, Cain still works. It's proof of concept for customers. We love our customers and we try to take care of them, but if you've got a customer that's a little bit picky and you find a vulnerability on their site or within their network and they're like, "Man, I really don't want you to exploit that," you can go ahead and build it out in your lab, show video, show screenshots, do a WebEx, just show them a good proof of concept: "Hey man, this is really something serious, you guys really need to look at that." And remember, scanners don't find everything. At the beginning of your career, and I'm just as guilty of it too, it's easy to go run the automated scanners, look at your vulnerabilities, go from there. And that's great; we definitely need that, that's all part of it. But scanners don't find everything. Sometimes you've got to be able to just go in there and look at different things, and most of all,

don't be a script kiddie, right? All right, so who should build a lab? Pen testers, obviously. If you're a pentester and you don't have a lab, you're failing yourself. Any kind of security personnel, red team and blue team both. You can actually build a blue team lab with Snort and things like that, you can build a red team lab, and you can have the two fight against each other; it's pretty cool. Any IT personnel. C-level execs, my high-level guys: go ahead and build a lab in your spare time, see what all that money you're spending on your security team is going towards, learn some of the tools they're using. That way you're better equipped when you go and sit down and talk to these guys and say, "Hey, how are we looking?" You better understand what they're actually talking about. And then anybody who wants to learn a new skill, like Mr. Deadpool here. So here's what you need to build a lab: a hallway full of servers and a half million dollars, right? Now, really and truly, you just need a laptop, okay? You can do it on a desktop; you can even find an old server somewhere. Craigslist has got a bunch of them for like a hundred bucks if you wanted to. But really, my lab is right here on this laptop. You need virtualization software of your choice; I'll go over those here in a second. You need a couple of vulnerable VMs to practice on, and then you get money flowing out of your laptop. It's great. So here's some of the virtualization software that's out there. You've got VMware Player; it's free, it's easy to use. Me personally, that's what I prefer; I've had a little more success with it, a little more luck with it. There's also VirtualBox, which is equally as good. It's kind of based on what you want to do. There's also paid software, so unfortunately for Mac users, we have to pay for VMware Fusion. It gives you

a 30-day free trial; it's 80 bucks after that. And then for PC there's VMware Workstation, again another 30-day free trial; it's 150 after that. The only difference between these and the free ones is snapshots; that's like the biggest difference. So if you're messing around and you've got all these machines running and you end up hosing one of your machines, you can go revert back to one of your snapshots, bring it back up, no problem, right? So let's go over some pen testing platforms here. We've got Kali Linux; that's obviously the most popular one, everyone knows that, everyone uses it. That's the one I would suggest you use and work on. Pentoo, BackBox Linux. You've got SamuraiWTF, which actually stands for Web Testing Framework; that's great for web app testing. SamuraiSTFU, which is utility hacking; there's no icon there because Justin Searle will be unleashing a new version under a new name called the ControlThings platform. He'll be unleashing that at Black Hat this summer, so go out and check him out. And there's also DEFT Linux if forensics is your thing and you want to practice with that; download that. Here's a list of some vulnerable VMs. You've got Metasploitable 2; that's great for Metasploit, that's great for web app testing. It's an intentionally vulnerable version of Ubuntu Linux that's designed for testing all kinds of security tools and common vulnerabilities. It's got remote logins, backdoors, vulnerable web services, default passwords; it's got all kinds of cool stuff, man. I put Windows XP on there, and Windows Server. So XP is still out there, okay? It's still out in the wild, there are still customers using it, still sitting on network sites; you're fooling yourself if you're thinking otherwise. I just saw one two weeks ago at a customer site, XP just sitting out there, man, golly. So still practice on it. Server you can download for free for 180 days, so build out a

domain controller while you're doing this; practice popping into a domain controller. I said look at the bottom of an old laptop: when you go to install XP it asks for a key, so if you've got those old laptops still lying around, flip those over, there's your key. Morning Catch is a good vulnerable phishing VM that's built out specifically to practice phishing against and on. OWASP and WebGoat, both for web applications; that's great for web app testing. And then VulnHub.com is a website that's got a whole bunch of vulnerable VMs made by the community, and a couple good ones there were Kioptrix and pWnOS. With VulnHub.com you've got to use your discretion as you download the stuff; make sure it's something that you can actually use and that it's safe. Some of it's not supported, so it's kind of up to you. Here's some recommended tools I think you should play with. Nmap or masscan, right? If you're great with nmap, practice on masscan; if you've never practiced on masscan or you've never practiced on nmap, go ahead and use that. Nessus is a great vulnerability scanner; Nessus Home is free for up to 20 IPs, so your lab's not going to get any bigger than that, I don't think. So that's great to practice vulnerability scanning, kind of seeing things. Cain again; it's an old tool, it still gets me credentials, it still works to this day. It still works on Windows 7; I haven't tried it on 8 or 10 yet. And it's great; I would definitely recommend you practice with that. Responder is also fantastic for grabbing hashes out in the wild. Fire up Responder, let it run for a while; you'd be surprised what you get. Once you get all those yummy hashes with Responder, you need to crack them with John or hashcat. If you've never practiced with either one of those, I highly suggest you do so. hashcat is more geared towards GPU cracking, so using

your graphics cards to try to crack the hashes. John is more CPU intensive. I've had more luck with John myself, but we're actually spinning up a hashcat box, so we'll see how that works. Metasploit: Metasploit Community is free; you should definitely, definitely use that. It's mostly for exploits, running exploits, which hopefully I'll show you here. Social engineering: the Social-Engineer Toolkit, Gophish, and SPF, which Adam, who just spoke, Adam Compton, is the creator of. Those are great phishing tools to use; again, they're all free, so go ahead and reach out and grab those and practice with them. Discover scripts is great for open source intelligence, and PowerShell Empire: if you're a little weak on PowerShell, go ahead and download PowerShell Empire and start playing around with that. Any questions so far? All right, let's see if the live demo works here. Give me a second, let me set this up. So this is my lab here. Excuse me, drinking water here, man. All right, so as a Mac user I have VMware Fusion, so this is my lab right here. Welcome to Wayne Enterprises, right? I've got my Kali Linux machine, which is an attacker machine. I've got Metasploitable, an XP Service Pack 3 machine, Alfred's machine, another Windows 7 machine that's another attacker. So remember I was talking about Cain; Cain doesn't work on Linux, it only works on Windows, so it's good to have kind of both. There's the domain controller, Windows Server 2012, and then the phishing server, Morning Catch. So let's see here, I didn't even start that. Let's try the first attack here. Y'all remember MS08-067, right? Call it out here, you get a free thing: what was the biggest thing for it? Anybody? Remote access, remote code execution, there you go. All right, so we're going to go ahead and fire up our... let's play pretend, right, that we're doing a pen test for

Wayne Enterprises. We're going to go ahead and fire up our Kali Linux box here. Can y'all hear me okay? Okay. [Music] All right, make that big, there you go, you can see that a little better. Okay, so for the sake of time I've gone ahead and made a host list, so we're going to go ahead and move to our client's directory and let's go ahead and just scan our host list, see what happens. Show hl.txt, see what happens, see what pulls through here. Hopefully everything's open and live. I think it is. Yep, that's up, that's up, that's up. Okay, all right, so it looks like it found... well, it froze up on me here. Control... bam, there we go. Okay, so it looks like we found a couple servers here, right? We've got, oh wow, a whole bunch of open ports on that one there, on that .128; that looks like a good target. We got some remote stuff there, we got FTP, SSH, telnet, man, that might be a good one. Looks like it's a Linux box, so nmap takes a pretty good guess; it does a pretty good job of telling you what OS is on there. Let's see what else we got here. Oh, we've got a Windows XP box out in the wild. Oh man, I can't believe people still have those; didn't they stop supporting them like 100 years ago, man? And it looks like it's XP 2 or Service Pack 3, so that might be interesting, that might be a cool little target there. Windows 7 box, okay. And, oh wow, an XP 2 Professional, man, I'm going to have to target that one; I'll bet you that one there probably has some good stuff. So let's go ahead and open up msfconsole, Metasploit here. Oh, I can make this go big for you. All right, there's msfconsole with a nice little moo cow there. All right, so like I said, Windows XP, great for MS08-067. So after you've fired up Metasploit here, you'd go ahead and do a search for ms08_067. It's going to go ahead and do a search.

We should feel bad for the boiling water; it's going to be missed. Stay... okay. Now, so you do a search in Metasploit for any kind of module and it'll pop back and tell you, "Okay, hey, we've got a list of modules here." This here is the most popular exploit that I know of; it's the easiest thing to exploit, it's the most popular one to know of. Everyone talked about it for years; it's still out there. So we're going to go ahead and say use, and then paste it: use exploit/windows/smb/ms08_067_netapi. All right, we're going to go ahead and set our RHOST here. Well, let me back up; we're going to go ahead and show options, right? You want to do that for any Metasploit module that you open, right? So you've got to set an RHOST, an RPORT, SMBPIPE. So we're going to go ahead and set our RHOST to that lovely little XP box that we found out in the wild there, this one here. Hit paste, and then you just type in one simple little command here: exploit. And if all goes

well... it didn't work. That's okay. Let's see here, I can fix that though; give me 30 seconds here. Well, okay, if at first you don't succeed, try and try again. Just because it doesn't work one time doesn't mean it won't work again. Right, there we go. So now we have a Meterpreter session. All right, so who knows what you can do with a Meterpreter session, right? That's basically complete access to the machine, no password required, right? So we go ahead to our handy little notebook here full of notes; let's see here. Right here, here it is. Okay, by the way, it's always good to take notes on pentests; make a methodology document full of commands. It's hard to keep up with this stuff in your head. I'm not great at memory, so it's good to have this stuff. So back on here, we've got our Meterpreter command, full access to the machine. We're going to just dump all the hashes here, see what happens. Oops. So there's all the hashes there on the local machine, again no password required, right? You can go ahead and run those through John. We've got Alfred, we've got Bruce Wayne, man, what's he

doing logging into Alfred's machine there? Jane Smith, a couple other people. Let's see here, we can do web... I believe it's webcam. Show... terrible commands. Yeah, webcam list. A cool thing I like to do for customers is webcam list; that lists any video devices they have on there. Then you can do webcam snap, so if everyone will smile for the camera here... there you go. So that's always kind of cool to do for customers; that tends to freak them out a little bit. So we've got all the hashes off the machine, we've got their webcam. Let's go ahead and get a shell; now we have full access to the machine there, and from there we can just do whatever we want, right? So let's say we want to go ahead and go a little bit further here. We see that Bruce Wayne logged into his machine, we've got his hash there; let's go ahead and load that into John and see what we get. I'm not going to run John for time's sake; I'm going to go ahead and just say that we got his password. But you go ahead and copy that over to a new screen here, paste it into John, paste it into a document here and save it as, you know, whatever you want, hashes.txt or whatever, and then you run John on the file there. As soon as you get that, you'd have his password. So for time's sake, let's say we got his password; we're running John... oh man, we got his password, oh, that's cool. Okay, let's see, I wonder if he's got domain admin. Let me try this here; let's see if he's got domain admin. He was logging into Alfred's machine; he's kind of a high-level guy. We did our passive reconnaissance of the company, we looked and saw the guys that worked there. So let's go and see what we got here. So we'll load up another tool here called CrackMapExec. This thing is great, right? And looking back at our nmap scans from before, we saw that one of the machines was named DC, so I wonder if that's a domain controller, right? So let's go ahead and just run this with the captured Bruce Wayne password we've got. Well, let me make it big here, sorry. We've got our attack loaded up here, we've got CrackMapExec, that's the Python script; there's the domain controller that we're targeting, there's his username and there's his password. So let's run it and let's see what happens. Ah, it didn't work; it's probably because the domain controller's not turned on. Let's

see. Again, all of this is for free, right? I've been able to do all of this for free; it's all on my own thing here, it's all on my own network, it's all self-contained. All right, so that's working now. So we're going to do --ntds, because we all love our NTDS.dit, right? And there is the entire domain's worth of password hashes right there on their domain controller, right? Yay. So yeah, I mean, this is all stuff you could practice, right, just by building your lab from home, man. I mean, if stuff's not working, if you're on a customer site and you're just like, "Man, this is just killing me, I don't know what's going on," try to see if you can recreate at least that section of it in your lab here. You

know, let's see, I'm going to try to do one more thing here, another cool thing. Now remember how I said you should definitely try out Cain, right? It's old but it still works. Here's a cool thing you can do with it, right: turn on your sniffer, see what you see right there, right-click, resolve the host names, and it'll tell you... sometimes sysadmins aren't great about naming their systems. We can see right there, if you didn't already know, .101 is a domain controller, so that might be a target for later, right? Go and cancel that, come on. The other thing too about Cain, it's a little wonky, so sometimes it might crash on you; you just kind of got to go with it. Another cool thing: you kind of look at the network here, see if you can get some more information. You can see, oh okay, that's a test lab domain, let me see what they've got on there. So you go and look at all the computers on it, kind of look at the quick list there, look at the users... oops. Oh, look at that, got a back computer, got an XP machine on there, okay, cool. So it kind of enumerates some information for you, gives you some more information. There's other ways of doing it; this is just a cool little graphical way to see what you're looking at and any potential targets that you might want to look at. So it's an old tool; still works great for me, man. With that, I think that's the end of my demo, so I'll go back to my slide deck now. And all that was to say that, several bad puns later, you should build a lab, right? You could practice this stuff. In our industry, right, like I said, reading is great; you've got to read your books. In fact, I've got a reading list a couple slides over. Blogs are great; you should go out and write them and read them. But the guy that all he does is read blogs, or all he does is read books, isn't going to be able to figure out CrackMapExec, probably. I mean, maybe he might be smarter than me, but he's not going to be able to figure out, "Hey, if I dump the hashes off this computer, maybe I could try to use it and then escalate my privileges on this computer over here." You can get some of that from books, but you can't get it as well as you could from reading, right? So let me tell you all a story. I am raspy as all get out, good grief. Like I said, I've worked in every industry, and I've worked for the private sector, I've worked for everything, man, and there's just been no better way for me to learn than by having a mentor, right? I was given a chance; I was a young guy, I knew some things from reading some books, trying some things of my own or whatever, but I didn't really have a whole lot of experience. And so I had a guy come up, he gave me a chance, and then he turned me over to another guy who decided to mentor me, and it has been fantastic. I cannot tell you guys how much I've learned from

having a mentor, right? If you have knowledge, if you're really, really great at something, say like web app testing is your thing, man, and you're just the bomb at it, don't keep that to yourself, man. Pass that along: write up a blog, do a video, come do a talk, teach people, share your knowledge. If you're really weak at something, go out and learn about it, build it out in the lab, break it, try it, fail at it. You can't fail yourself; this industry moves way too fast, man, and you are letting yourself down, you're letting your company down, you're letting your customers down, right, by not trying to learn, by not trying to improve. And you higher-level guys, you experts: you are failing the people underneath you, you're failing your peers, and you're failing yourself if you're not mentoring, if you're not teaching, if you're not passing on that knowledge. All right, back in the day, this movie here is what got me into this, right? I loved that movie; I thought, man, I wanted to be those guys, right? Somebody gave me a chance and I got to be those guys, and I love it. It has been the most fun I've had doing any job I've ever had; it is fantastic. Pass on your knowledge, take some time to learn, take some time to teach some folks. So go and build a lab. Now here's some books I'd recommend reading; these are all great, love them all. I did put three Mitnick books on here, but that's all for social engineering; if you want to learn social engineering, go back in history, read, do your history, read your books. Black Hat Python's great if you need to learn some scripting. Metasploit is written by Dave Kennedy, so that's great. All these are good. The Hacker Playbook, fantastic; I've used that probably the most on all my engagements. It's got a bunch of cool tools, a bunch of cool scripts; highly recommend picking that one up. So, any questions? No? None? Okay. I'm David Boyd; there's my Twitter info, my email. I work for Contextual Security, and there's the dog tax. Thank you guys, appreciate it.
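A defender's follow-up to the hash dumps in the demo, added here as an example that is not part of the talk: an audit of a pwdump-style hash list (the user:RID:LM:NT::: lines that Metasploit's hashdump and NTDS extraction tools print) that reports, before anyone runs John or hashcat, which lab accounts have blank passwords, which still have LM hashes stored, and which accounts share one password. The sample dump is constructed lab data; the hash values in it are made up for illustration.

```python
"""Audit a pwdump-style hash list from a lab machine for weak password hygiene.

Each line has the form (as printed by Metasploit's hashdump / pwdump tools):
    username:RID:LM_hash:NT_hash:::
The checks are the defender's view of the demo: the dump alone already shows
blank passwords, LM hashes still being stored, and one password reused across
accounts, which is what lets a single cracked credential open several boxes.
"""
from collections import defaultdict

# Well-known hashes of the empty password; an LM field equal to EMPTY_LM means
# "no LM hash stored", which is the state you want on every host.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump for a made-up lab domain (not taken from the talk).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alfred:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bwayne:1002:e52cac67419a9a224a3b108f3fa6cb6d:5835048ce94ad0564e29a924a03510ef:::
jsmith:1003:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
# comment lines and blank lines are ignored by the parser
"""


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; skip blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        # Both hash fields are 32 hex characters; anything else is not a dump line.
        if len(lm) != 32 or len(nt) != 32 or not rid.isdigit():
            continue
        entries.append((user, int(rid), lm, nt))
    return entries


def audit(entries):
    """Flag blank passwords, stored LM hashes and NT-hash reuse across accounts."""
    by_nt = defaultdict(list)
    blank, lm_stored = [], []
    for user, _rid, lm, nt in entries:
        if nt == EMPTY_NT:
            blank.append(user)
        if lm != EMPTY_LM:
            lm_stored.append(user)
        by_nt[nt].append(user)
    # Two accounts with the same NT hash have the same password; blank ones are
    # already reported separately.
    shared = [users for nt, users in by_nt.items()
              if len(users) > 1 and nt != EMPTY_NT]
    return {"blank_password": blank,
            "lm_hash_stored": lm_stored,
            "shared_password": sorted(shared)}


if __name__ == "__main__":
    for finding, users in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{finding}: {users}")
```

Run it against a dump from your own lab domain controller and the report tells you what to fix on the lab (disable LM storage, remove shared local passwords) before the next round of practice.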