Hacker vs Hacker
This work by Z. Cliffe Schreuders at Leeds Beckett University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Lab Setup using oVirt
Lab setup using the latest LinuxZ image on campus or VMware Player remotely
Note IP addresses
Optional preparation (in advance of the lab session)
Hacker vs hacker!
The oVirt system will provide much more flexibility for this task than other methods. It is possible to complete this lab using the VMware VMs, on campus or remotely, if you are struggling with oVirt but this approach is not recommended.
In this lab, you may wish to use snort (and/or Wireshark) on the Kali VM to monitor traffic going to and from your metasploitable VM. The metasploitable VM has been placed on a network with port mirroring which will allow the Kali VM to monitor all traffic on the network. Therefore, you will need to change the “nic1” setting of you Kali VM to the “snoop/hostonly” network. The server running oVirt is the host so you will be able to monitor each other's traffic.
Change your Kali VM nic1 to the snoop/hostonly3 network:
Create and start these VMs (always use the latest versions):
It is possible to complete these tasks using the latest LinuxZ IMS image on campus or by downloading VMware VMs remotely but this approach is not very flexible. Download the Metasploitable and Kali Linux Installed VMs.
Use edit settings on the two VMs, and confirm the VM network interface settings are set as you wish (this should be set to “Bridged” on both VMs in the IMS labs so that your classmate can access your metasploitable VM).
If you are using a Linux host system (e.g. the LinuxZ image on campus) and wish to use snort (and/or Wireshark) on the Kali VM to monitor traffic going to and from your metasploitable VM, you must enable VMware player VMs to put the NIC into promiscuous mode using the following command on the host system.
sudo chmod a+rw /dev/vmnet*
Login to the Metasploitable VM (the username and password are displayed on screen when you start the VM: msfadmin/msfadmin), and run “sudo dhclient” on the Metasploitable VM to renew its IP address.
On your two VMs run ifconfig. Make a note of the two IP addresses. You will need these later.
Run Snort (and/or Wireshark) on your Kali Linux VM, to detect attacks.
Use md5sum/shasum to record the state of the Metasploitable system, so you can detect what files have changed. (md5sum is available on Metasploitable)
Configure Metasploitable to do remote logging, so that the attacker cannot modify your logs.
Create a backup of the files on your Metasploitable system, for later comparison.
Any other responsive or detection methods you like. You are not allowed to increase defensive security.
In this session:
Use this public scratch space.
You could follow an online tutorial such as: http://securitypadawan.blogspot.co.uk/2011/10/metasploitable-backtrack-fun.html
Any other tutorial, or just find an exploit that works!
During the Hacker vs Hacker lab session, take a screenshot showing how you have compromised their system.
Label it or save it as “HackerVsHacker-A1”.
To make life a little easier for your classmates, leave your connection(s) to their systems open. (For example, leave the shell open.)
During the Hacker vs Hacker lab session, take screenshots showing the file(s) you have modified, and any backdoors you have created.
Label it or save it as “HackerVsHacker-A2”.
During the Hacker vs Hacker lab session, take screenshot(s) showing the IP address of an attacker, and how you came to that conclusion (for example, a Snort alert, Syslog, Wireshark logs, network access, etc). This should preferably be using both online (network/process) and offline (logs and alerts) information.
Label it or save it as “HackerVsHacker-A3”.
During the Hacker vs Hacker lab session, take a screenshot showing evidence of how they compromised your system; for example, what exploit and/or software did they use to do the attack? What software did it target on your system?
Label it or save it as “HackerVsHacker-A4”.
During the Hacker vs Hacker lab session, take a screenshot showing which files they changed, user accounts they created, or backdoors they left and how you came to that conclusion (for example, using shasum output, Autopsy, mactime, diff, etc).
Label it or save it as “HackerVsHacker-A5”.
 In the IMS lab, it should start with “192.168.”