Building a security Home Lab

I get asked a lot about how to create a home lab and what hardware is required.

The truth is you don’t need to start out   here is a pic of my home closet super duper data center… it’s not a data center lol

Here it is in all its glory my Lab

my home lab

 

I have done a lot of work to reduce the number of physical devices that I have. Instead I have a single high-spec desktop with a couple of managed switches, and a separate desktop PC which acts as my “edge firewall” – SOPHOS UTM

I have a Cisco router (Cisco 1841 router)

Gigabit desktop switch (Dlink, not sure of the model)

Cisco managed switch (for VLAN separation). I highly recommend a managed switch

 

My Main PC has the following hardware specs

CPU- AMD bulldozer 8 core

RAM  – 32G

HDD 1  128GB SSD  ( for main OS)

HDD 2 2TB  mechanical WD drives ( for VM’s and data)

3 – Wired NIC’s

1 Wireless NIC ( For wireless attacks)

I have a few hardware based firewalls from various vendors for testing ( Not required )

I used to have big rack mount servers, loud as hell, but found that I could scale down with much more power on commodity hardware. Remember, you’re not running a production environment, so having normal PC components is absolutely fine

 

The Setup

While my setup changes a lot based on what I am doing, I normally have my network set up with multiple VLANs to separate my home network traffic from my lab traffic

My server connects to all of the networks. Some of the networks I have segregated from the internet; those networks I use for malware analysis

I have another network for attack traffic that is on a separate network switch and NIC to the server, so when launching attacks I can still manage the server and not knock down my whole network.

I use virtualbox and vmware to virtualize all of my servers, and GNS I use to virtualize my routing and switching; however, I do more with the servers than network labs

For the wireless NIC, it’s just a USB wireless Dlink NIC that supports monitor mode for things like aircrack and other wireless labs

To set up the actual software and settings for the LAB, well, that’s based on what you want to do. My LAB is able to handle everything that I need it for

If you need more help and advice on building your lab, reach out to me, I would be glad to help you out!

 

 

Connecting to Multiple Networks With Ubuntu/Debian

So I had an issue today with my main lab server

I have multiple subnets in my lab; some can reach the Internet, some are strictly internal

I have an Ubuntu server that I want to connect to 2 subnets: one is connected to my fast Gigabit network while the other is connected to my slow 10/100 network, but I want to make sure that the internet traffic goes out my internet firewall.

My server has 2 NICs. I ran into a reverse path filtering roadblock! GRR, reverse path verify is a great security feature but it can be messy to deal with

Here is how I solved my problem

First here is my interfaces config

 

# Management
auto enp3s0
iface enp3s0 inet static
network 192.168.1.0
address 192.168.1.2
gateway 192.168.1.254
netmask 255.255.255.0
dns-nameservers 208.67.222.222

###Payload
auto enp1s5
iface enp1s5 inet static
network 192.168.2.0
address 192.168.2.2
netmask 255.255.255.0
dns-nameservers 208.67.222.222
post-up route add -net 192.168.2.0/24 gw 192.168.2.254

Here is what my routing table looks like

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 enp3s0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp3s0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 enp1s5
192.168.2.0 192.168.2.254 255.255.255.0 UG 10 0 0 enp1s5

 

I first added a post-up directive under the payload interface to install a route after the interface comes up during a reboot. Also note that only 1 of the NICs has a gateway configured.

With the above setup, I had an issue with SSH to 192.168.1.2 from the 192.168.2.0/24 network: my traffic from the 2.0 network would get dropped because the server is doing a reverse path check

I was able to resolve this by

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/enp3s0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/enp1s5/rp_filter

This will disable reverse path verify, which in my case fixed my issue!
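The following is an added example, not code from the original post: a simplified Python model of the kernel's rp_filter decision, run against the routing table shown above, comparing strict (1), loose (2) and disabled (0). It assumes the SSH client's packets arrive on enp3s0; the client address, the ISOLATED route set and all function names are constructed for illustration.

```python
import ipaddress

# Routes from the routing table above: (destination, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "enp3s0"),
    ("192.168.1.0/24", "enp3s0"),
    ("192.168.2.0/24", "enp1s5"),
]
# Constructed variant for an isolated segment: same host, no default route.
ISOLATED = [r for r in ROUTES if r[0] != "0.0.0.0/0"]


def reverse_path(src, routes=ROUTES):
    """Interface the host would use to reach src (longest-prefix match)."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(net), dev) for net, dev in routes
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def effective_mode(conf_all, conf_iface):
    """The kernel applies the higher of conf/all and conf/<iface>."""
    return max(conf_all, conf_iface)


def accepts(src, in_iface, conf_all, conf_iface, routes=ROUTES):
    """Simplified rp_filter decision: 0 = off, 1 = strict, 2 = loose."""
    mode = effective_mode(conf_all, conf_iface)
    dev = reverse_path(src, routes)
    if mode == 0:
        return True                 # no source validation at all
    if mode == 1:
        return dev == in_iface      # must arrive on the best reverse path
    return dev is not None          # loose: any route back is enough


if __name__ == "__main__":
    client = "192.168.2.50"         # constructed host on the payload subnet
    for mode in (1, 2, 0):
        print(mode, accepts(client, "enp3s0", mode, mode))
    # Setting only conf/all to 0 leaves a strict interface strict.
    print(effective_mode(0, 1))
    # Loose mode drops a source with no route back; mode 0 lets it in.
    print(accepts("10.9.9.9", "enp1s5", 2, 2, ISOLATED),
          accepts("10.9.9.9", "enp1s5", 0, 0, ISOLATED))
```

Loose mode accepts the asymmetric SSH traffic as well, and on a segment without a default route it still rejects sources the host has no route back to, which mode 0 does not.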

 

Hope this helps!

 

 

Check out the SNARE web application Honey-pot (successor to Glastopf)

Hello Everyone

If you have followed my YouTube channel for a while, you may have seen my video on the GLASTOPF web application honeypot by https://github.com/mushorg/snare

Web application honeypots allow you to host a page that is functioning while being able to see all the traffic and activities that occur on that page.

This information is useful when you want to see the behaviours of web attack traffic or scans that occur against sites.

The installation is pretty simple; here are the steps

{

 

  • Get SNARE: git clone https://github.com/mushorg/snare.git
  • Install requirements: pip3 install -r requirements.txt
  • Clone a page: sudo python3 clone.py --target http://example.com
  • Run SNARE: sudo python3 snare.py --port 8080 --page-dir example.com
  • Test: Visit http://localhost:8080/index.html
  • Make sure  to have your OS up to date !

}

 

The instructions above are copied from the project’s GitHub site

After you have installed the honeypot you can clone an active webpage/web app and host that in the honeypot. You use the clone.py script in the snare directory, see below

The below will clone my project page, and the SNARE honeypot will encode the content to be used for hosting

{

sudo python3 clone.py --target https://trulyrandom.tk/
name: /index.html
name: / http:/www.seanmancini.com
name: /gtag/js?id=UA-111740696-1
name: /pagead/js/adsbygoogle.js

name: /entro.php
name: /updates.html
name: /index.html

}

After the cloning is done the page will be located in /opt/snare/pages

 

You may need to make a couple of modifications, as I show in my video, if you are running this in a virtual machine and accessing the page from a different computer.

Here is how I modified mine in the video

sudo python3 snare.py --host-ip 192.168.2.53 --port 80 --page-dir trulyrandom.tk

After I got the page up and running I did a quick scan using NIKTO, and here is a sample output that I got

_____ _ _____ ____ ______
/ ___// | / / | / __ \/ ____/
\__ \/ |/ / /| | / /_/ / __/
___/ / /| / ___ |/ _, _/ /___
/____/_/ |_/_/ |_/_/ |_/_____/

privileges dropped, running as “nobody:nogroup”
serving on (‘192.168.2.53’, 80) with uuid 00c718aa-6bfd-44b1-aa2d-3bc4fa05bfdc
you are running the latest version
Request path: /
Request path: /gtag/js?id=UA-111740696-1
Request path: /pagead/js/adsbygoogle.js
Request path: /entro.php
Request path: /gtag/js?id=UA-111740696-1
Request path: /pagead/js/adsbygoogle.js
Request path: /
Request path: /
Request path: /
Request path: /Oz4hFCi9.render_warning_screen
Request path: /Oz4hFCi9.cmd
Request path: /.Oz4hFCi9
Request path: /Oz4hFCi9.conf
Request path: /Oz4hFCi9.backup
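
As an added example (not part of SNARE or the original post), the script below separates requests for pages the cloner saved from requests for paths that were never cloned, then groups the unknown paths by their shared basename, which is what makes the scan above stand out. The path lists are copied from the output shown in this post; the function names and the threshold are hypothetical.

```python
import re
from collections import Counter

# Paths the cloner reported for the site (from the clone.py output above).
CLONED = {"/", "/index.html", "/updates.html", "/entro.php",
          "/gtag/js?id=UA-111740696-1", "/pagead/js/adsbygoogle.js"}

# Console lines copied from the SNARE output shown above.
LOG = """\
you are running the latest version
Request path: /
Request path: /gtag/js?id=UA-111740696-1
Request path: /pagead/js/adsbygoogle.js
Request path: /entro.php
Request path: /
Request path: /Oz4hFCi9.render_warning_screen
Request path: /Oz4hFCi9.cmd
Request path: /.Oz4hFCi9
Request path: /Oz4hFCi9.conf
Request path: /Oz4hFCi9.backup
"""

LINE = re.compile(r"^Request path: (\S+)$")


def parse_paths(log):
    """Extract requested paths; banner and status lines are ignored."""
    return [m.group(1) for line in log.splitlines()
            if (m := LINE.match(line.strip()))]


def unknown_paths(paths, cloned=CLONED):
    """Requests for resources that were never part of the cloned site."""
    return [p for p in paths if p not in cloned]


def probe_tokens(paths, min_hits=3):
    """Basenames reused across several unknown paths with different suffixes."""
    counts = Counter()
    for p in paths:
        name = p.rsplit("/", 1)[-1].split("?", 1)[0]
        stem = name.lstrip(".").split(".", 1)[0]
        if stem:
            counts[stem] += 1
    return {tok: n for tok, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    unknown = unknown_paths(parse_paths(LOG))
    print(unknown)
    print(probe_tokens(unknown))
```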

 

 

See my video below for more details and a quick demo

 

 

If you have any questions please reach out to me!

 

Quick note on installing KIPPO Honeypots and logging to a SQL DB

Hey Guys

If you are installing the kippo honeypot and you are having issues with logging to MySQL, make sure you are using the proper version of Twisted

Twisted 8.0 to 15.1.0 are the compatible versions. If you have the latest version you will not be able to log to the DB and may have other issues

If you get the latest version, downgrade by first removing Twisted via pip, then install 15.1

pip install Twisted==15.1.0

 

Just thought I’d put this info here in case someone needs it

A blog for helping users and professionals with their security questions and challenges!