Week 1

d0nut
May 25, 2017

Like many individuals in security, I didn’t find the role; the role found me.

I remember one late night when our Security Champion convinced me to assist him with the responsibilities of this secondary role of his. I was somewhat interested, and the role didn’t really require much technical knowledge either. We were just supposed to help get our team threat modeling new features and occasionally look at static analysis reports. With this in mind, I figured it would be a good way to prove my worth to the team by taking on an additional role. I fell in love with the field shortly thereafter, and after two years of learning, doing, and teaching, I’m finally ready to start my journey to the OSCP.

I know one thing; that I know nothing — Socrates

If there is one thing that I’ve learned so far, it is that there’s a lot for me to learn. With this knowledge, I plan on going through a couple of resources to round out my existing know-how before taking the PWK course from Offensive Security.

In this blog, I’ll outline the resources I plan on using, my thoughts on each of them, and summarize some of the material that I’ve learned. While I already have a shallow breadth of knowledge in a lot of areas, I will avoid skipping any section of material so as to round out my knowledge as best as possible. This includes more trivial items such as Linux permissions.

Chapter 1

The first resource I plan on using is a book by Georgia Weidman: Penetration Testing: A Hands-On Introduction to Hacking. I found some pretty amazing reviews for it on Reddit and Amazon, including one individual recounting their surprise that the author wasn’t sued for copying material from the OSCP (in jest, I assume).

Last Sunday, I started off with Chapter 1: Setting Up Your Virtual Lab.

Kali Linux

Originally, I was setting up Kali Linux on my PowerEdge R610 running XenServer, but it was certainly taking a while to actually install software in the Kali instance. I ended up going back to an old, familiar hypervisor, VirtualBox. The book recommends VMware, but I figured that VBox would be fine too.

After I created my Kali VM, I installed the other software the book instructed me to install: Nessus, Hyperion, Veil-Evasion, and the Ming C Compiler (32-bit version!). The book indicates that this software will be used in later chapters. I originally encountered some problems getting mingw32 because I used a Kali 2 ISO which, from what I read online, does not have mingw32 in any of the repositories listed in /etc/apt/sources.list. I found other individuals with similar problems and ended up adding the old Kali repositories to get access to mingw32.

/etc/apt/sources.list

After that, I ran apt-get update and was able to install it as listed in the book. After installing mingw32 you should probably remove those sources from your sources list to avoid any potential conflicts. Another thing I found helpful was checking https://www.nostarch.com/pentesting for any updates to the book. For example, the book wants you to install Hyperion version 1.0, but that doesn’t exist anymore at the web address listed. The current version of Hyperion is version 1.2.

I ended up skipping setting up the Android SDK and Android emulators for now because I actually do mobile development as part of my day job and, as a result, already have most of the software needed configured on my machine at home.

Windows XP

The next section asks you to build a couple of target machines. These include a prebuilt Ubuntu machine, a Windows XP SP3 machine, and a Windows 7 SP1 machine. While the Ubuntu virtual machine comes prebuilt, you have to create the Windows XP and Windows 7 machines yourself. This includes finding the ISOs.

You can find genuine ISOs for various Windows operating systems on MSDN. Keep in mind that the Windows systems will not have product keys and will probably start to nag you after 30 days. Make sure to get the 32-bit versions of both Windows XP SP3 and Windows 7 SP1.

By following the book, you should have no problem installing all of the old, vulnerable software on XP, as it’s all straightforward. One of the interesting parts of creating this virtual machine, however, was making the virtual machine act like it was part of a Windows domain.

To do this without actually setting up a domain, you can start secpol.msc, which opens the Local Security Settings. Under Security Options you’ll find the Network Access: Sharing and security model for local accounts policy. You’ll change the setting from Guest only to Classic. The book doesn’t really explain much about what this does, but I decided to look more into it. Thankfully, the setting has a section dedicated to explaining what it does:

This security setting determines how network logons using local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account.

So it appears to me that the way we’ll be making Windows XP act like it’s on a domain is by setting up user-level permissions on resources on the system. Much like an enterprise environment, where you can restrict access to a resource by user account or group policy, it seems we’ll be able to do that now with Classic mode enabled; otherwise all users “Authenticate” (probably should be Authorize) themselves as Guest. Cool workaround!

Windows XP Target VM with Local Security Settings opened
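The policy that secpol.msc toggles above is stored in the registry as the ForceGuest value under the Lsa key, so the target VM's state can be checked and changed from a script instead of clicking through the MMC. This is an added example, not code from the book or the post; it assumes PowerShell is installed on the VM (a stock XP SP3 does not ship with it) and that it runs in an elevated session, since writing under HKLM requires administrator rights.

```powershell
# Added example: read and set "Network access: Sharing and security model for
# local accounts" directly. secpol.msc writes this policy to the ForceGuest
# DWORD under the Lsa key:
#   1 = Guest only (network logons with local accounts are mapped to Guest)
#   0 = Classic    (network logons authenticate as the local account used)
# Assumes an elevated PowerShell session on the target VM.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LocalAccountSharingModel {
    # Absent value: Windows treats it as Classic, but report it explicitly so a
    # reviewer can tell "never configured" from "set to Classic".
    $item = Get-ItemProperty -Path $LsaKey -Name ForceGuest -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Classic (ForceGuest value not present)' }
    if ($item.ForceGuest -eq 1) { return 'Guest only' }
    return 'Classic'
}

function Set-LocalAccountSharingModel {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Classic', 'GuestOnly')]
        [string]$Model
    )
    $newValue = if ($Model -eq 'GuestOnly') { 1 } else { 0 }
    Set-ItemProperty -Path $LsaKey -Name ForceGuest -Value $newValue -Type DWord
}

# Show the current state, switch to Classic as Chapter 1 instructs, and confirm.
'Before: ' + (Get-LocalAccountSharingModel)
Set-LocalAccountSharingModel -Model Classic
'After:  ' + (Get-LocalAccountSharingModel)
```

On XP Professional this is the same switch as the "Use simple file sharing" checkbox in Folder Options, so flipping either one changes the other; a per-user ACL on a share only takes effect once the model is Classic.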

Ubuntu

This was easily the simplest VM to set up. You just need to torrent the supplementary files found on the No Starch webpage. It contains a zip file with the prebuilt VM. It’s password protected with a password found in the book (and no, I’m not telling!). All you have to do is unzip the zip file and create a new Ubuntu VM in VirtualBox or VMware with the virtual hard disk found in the zip.

Windows 7

I’ve installed Windows XP and 7 probably more times than I can count, and this installation was no different. The book does ask you to install some additional, vulnerable software such as an old version of Java and Winamp. There is also a custom web application, built for this book, that comes in the supplemental file torrent and that you must install. I highly recommend opening up the InstallApp.pdf and following those instructions. The book has an overview of each step, but you will likely screw up without opening this PDF, as it is definitely more detailed.

Closing Remarks

Setting all of this up was definitely tedious, but it got me very excited for what I’ll be doing on these machines in the future. I already read a little ahead into Chapter 2, which discusses some of the more commonly used Linux commands and how the permission system works. While I’m familiar with most of the commands here, I definitely learned a thing or two from the Data Manipulation section.

See ya next week!

d0nut

Security Engineer, developer, and part-time bug hunter