Lab For Beginners
#1
Posted 25 May 2011 - 06:33 AM
I have some basic experience in running attack tools (I work in audit as opposed to pen testing), which were mainly password-based attacks, and aside from that my main experience is manual audits, often supplemented with vulnerability scanners such as Nessus/MBSA etc.
But I do want to get more comfortable with targeting exploits of unpatched apps in a non-live environment so as not to screw anything up. I just wondered how you learnt this trade, or did you just go full steam ahead and test on live systems?
From what I have read I'd need an attacker's machine and a target machine, networked together -- and the main player which has the payloads for most software is Metasploit? Is that fair, or are there other free tools that target and exploit vulnerabilities in unpatched software?
My main concern with all this is that stuff like Windows Server, SQL Server, Oracle etc. is not free. So I cannot test exploits in an offline environment on software/server products that cost a fortune; how do you get around that?
Are there any good books on exploits/vulnerabilities where I could learn the tricks of the trade offline? And does targeting an exploit really screw up the system, not in terms of security, but can it cause downtime and need to be fixed if someone took advantage of the issue? That's the last thing we'd want: show off to management how you exploited an unpatched vuln in a DB server and got all the data, but then shafted the server so it didn't work anymore and they had to rebuild it...
Anyway, any comments most welcome...
#2
Posted 25 May 2011 - 10:08 AM
If you're just testing exploits, a VM works perfectly. If you want to test live malware you should at least have one physical machine, that you will need to tie down (separate LAN/VLAN, decent firewall, and/or separate internet access).
> But I do want to get more comfortable with targeting exploits of unpatched apps in a non-live environment so as not to screw anything up. I just wondered how you learnt this trade, or did you just go full steam ahead and test on live systems?
Never go 'full steam' on any machines unless you either own them or have a legally binding contract allowing you to do so. Simples.
> From what I have read I'd need an attacker's machine and a target machine, networked together -- and the main player which has the payloads for most software is Metasploit? Is that fair, or are there other free tools that target and exploit vulnerabilities in unpatched software?
Metasploit is great for learning about this; set up VMware/VirtualBox and dive in.
> My main concern with all this is that stuff like Windows Server, SQL Server, Oracle etc. is not free. So I cannot test exploits in an offline environment on software/server products that cost a fortune; how do you get around that?
If you take lessons at a school that teaches IT you can download versions of MS servers (I could for 15€/year). For Oracle you can download free VMs if you have a developer license.
> Are there any good books on exploits/vulnerabilities where I could learn the tricks of the trade offline? And does targeting an exploit really screw up the system, not in terms of security, but can it cause downtime and need to be fixed if someone took advantage of the issue? That's the last thing we'd want: show off to management how you exploited an unpatched vuln in a DB server and got all the data, but then shafted the server so it didn't work anymore and they had to rebuild it...
A good book on exploits is 'The Art of Exploitation'.
Just don't expect to learn to find a 0day in 24 hours. And keep in mind: never ever ever try anything on a production machine unless you have a legally binding contract allowing you to go 'full steam' on their machines. Such a thing would not make a career but could break it.
#3
Posted 28 May 2011 - 11:47 PM
> Do any of you have a lab to test exploits/payloads etc.? What does your lab involve? 2 machines, or 1 machine with virtualised machines etc.? Would a single machine with multiple virtuals even work, I mean a workstation not a pricey server...
At home I have two separate networks, one for all the pen-testing and hacking and the second for general usage. In my lab, I have a physical machine running VMware with several VMs running in it and a laptop I use as the attacker machine, with BackTrack running on it. In addition, I have another attacker machine, but running Windows instead, because some of the utilities I use don't run on Linux.
> I have some basic experience in running attack tools (I work in audit as opposed to pen testing), which were mainly password-based attacks, and aside from that my main experience is manual audits, often supplemented with vulnerability scanners such as Nessus/MBSA etc.
As a pen-tester it's always important to not be limited by your tools. If you can learn some scripting languages such as Python or PHP and also have a good understanding of some programming languages like C or Java
> From what I have read I'd need an attacker's machine and a target machine, networked together -- and the main player which has the payloads for most software is Metasploit? Is that fair, or are there other free tools that target and exploit vulnerabilities in unpatched software?
Again, you shouldn't always be limited to exploits; there are other ways to get into a system as well. Does the network have a wireless system or some type of web-based application where you can do some SQL injection? I personally use BackTrack, but Metasploit will do just fine.
#4
Posted 31 May 2011 - 03:51 AM
And when you say you have a pen testing network, is this just your physical device and your attack laptop?
Do you have any info on how you set this network up?
I agree with the point about web apps/wireless - but I was hoping I could also use like a test system and download some of the faulty web apps for testing purposes as well as unpatched systems, kind of a complete mess network where everything is crap.
#5
Posted 31 May 2011 - 10:08 AM
> When you say you have a physical machine running several virtuals - what kind of spec is that device? I need to get a similar setup.
If you're going to invest in a new setup, be sure to learn the differences between paravirtualization and full virtualization: not only in performance, but also in the fact that full virtualization is much less detectable by malware, if set up correctly.
Both Intel and AMD have their own 'full' virtualization; I recommend going for Intel.
> And when you say you have a pen testing network, is this just your physical device and your attack laptop?
I don't have a pentesting network anymore; the last time I did was before virtualization was in. At the time it consisted of 2 separate networks (VLANs) with one machine between the pentest network and the WAN router. That machine was running ClarkConnect (does it still exist??). Doesn't matter much what OS, as long as it provides iptables/ipchains.
> I was hoping I could also use like a test system and download some of the faulty web apps for testing purposes as well as unpatched systems, kind of a complete mess network where everything is crap.
Well, here lies our choice between paravirtualization and full virtualization again. If you want to just test some vulnerable web apps, it's not worth the effort of setting up full V; VMware or VirtualBox will do nicely, giving you a quick and easy way to set this up. All depends on what you want to do with it, and the budget of course.
If you just want to play around with vulnerable apps, check out 'Damn Vulnerable Linux'. You can get this up and running for free with VirtualBox on your current hardware, no doubt.
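Post #3's two separate networks and post #5's "one machine between the pentest network and the WAN router" running iptables are the same idea: a small gateway box that lets the lab pull updates but never lets anything in the lab touch the everyday LAN. The script below is an added illustration of what that gateway's ruleset could look like; it is not any poster's own configuration. Interface names, the two subnets and the allow-list (HTTP/HTTPS and DNS out, nothing in) are assumptions to adjust to your own lab.

```shell
#!/bin/sh
# Lab isolation gateway ruleset. Added illustration, not any poster's own config.
# Assumed (hypothetical) topology: this box has two NICs, "$WAN_IF" towards the
# home LAN/WAN router and "$LAB_IF" towards the pentest VLAN with the VMs.
# Addresses and interface names below are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAB_IF="${LAB_IF:-eth1}"
LAB_NET="${LAB_NET:-10.99.0.0/24}"      # lab VLAN
HOME_NET="${HOME_NET:-192.168.1.0/24}"  # everyday LAN that must stay untouched

# Emit (or apply) the FORWARD/NAT rules. $1 is the command used to issue each
# rule: "iptables" to apply for real, "echo iptables" for a dry run.
lab_gateway_rules() {
    ipt="${1:-echo iptables}"
    # Default deny for anything routed through this box; every allow below is explicit.
    $ipt -P FORWARD DROP
    $ipt -F FORWARD
    # Return traffic for connections that were already allowed to start.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The lab (vulnerable VMs, whatever runs on them) must never reach the home LAN.
    # This rule sits before any allow rule so nothing below can override it.
    $ipt -A FORWARD -i "$LAB_IF" -d "$HOME_NET" -j DROP
    # Lab hosts may fetch updates/ISOs over HTTP(S) and resolve names, nothing else.
    $ipt -A FORWARD -i "$LAB_IF" -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A FORWARD -i "$LAB_IF" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    # Nothing on the outside may open a connection into the lab (explicit, on top of the default).
    $ipt -A FORWARD -i "$WAN_IF" -o "$LAB_IF" -m conntrack --ctstate NEW -j DROP
    # Log what falls through to the default DROP, rate-limited, so lab escapes show up in syslog.
    $ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "LAB-DROP: "
    # Hide the lab behind the gateway's WAN-side address.
    $ipt -t nat -A POSTROUTING -s "$LAB_NET" -o "$WAN_IF" -j MASQUERADE
}

# Number of rule commands the function emits; a cheap sanity check before applying.
lab_rule_count() {
    lab_gateway_rules "echo iptables" | wc -l | tr -d ' '
}

# Apply for real (needs root and IP forwarding); default is a dry run that prints the rules.
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    lab_gateway_rules iptables
else
    lab_gateway_rules "echo iptables"
fi
```

Run it without arguments to print the rules, or `sh lab-gw.sh apply` as root to install them and enable forwarding. The home-LAN DROP is placed before every ACCEPT on purpose: the ordering, not the default policy, is what guarantees a lab VM can never reach the other network. Lines prefixed `LAB-DROP:` in syslog are worth watching, since a lab VM suddenly trying to reach the home LAN is exactly what the separation exists to catch.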
#6
Posted 31 May 2011 - 11:26 PM
> When you say you have a physical machine running several virtuals - what kind of spec is that device? I need to get a similar setup.
If I may suggest, here are some articles that can help you better understand what virtualization and VMs are all about.
http://en.wikipedia....avirtualization
http://en.wikipedia..../Virtualization
http://www.smallbusi...ld-You-Care.htm
http://itknowledgeex...virtualization/
#7
Posted 12 February 2012 - 10:00 PM