Hacker vs Hacker

License

This work by Z. Cliffe Schreuders at Leeds Beckett University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Contents

License

Contents

Preparation

Lab Setup using oVirt

Lab setup using the latest LinuxZ image on campus or VMware Player remotely

Note IP addresses

Optional preparation (in advance of the lab session)

Hacker vs hacker!

Preparation

The oVirt system provides much more flexibility for this task than the other methods. It is possible to complete this lab using the VMware VMs, on campus or remotely, if you are struggling with oVirt, but this approach is not recommended.

Lab Setup using oVirt

In this lab, you may wish to use Snort (and/or Wireshark) on the Kali VM to monitor traffic going to and from your Metasploitable VM. The Metasploitable VM has been placed on a network with port mirroring, which allows the Kali VM to monitor all traffic on that network. Therefore, you will need to change the “nic1” setting of your Kali VM to the “snoop/hostonly” network. The server running oVirt is the host, so you will be able to monitor each other's traffic.

Change your Kali VM nic1 to the snoop/hostonly3 network:

  1. Make sure your Kali VM is shut down.
  2. Right-click on the Kali VM in the oVirt Open Virtualization Manager and select Edit.
  3. Change nic1 to snoop/hostonly3.
  4. Click OK.

Create and start these VMs (always use the latest versions):


Lab setup using the latest LinuxZ image on campus or VMware Player remotely

It is possible to complete these tasks using the latest LinuxZ IMS image on campus or by downloading VMware VMs remotely, but this approach is not very flexible. Download the Metasploitable and Kali Linux Installed VMs.

Use edit settings on the two VMs, and confirm the VM network interface settings are set as you wish (this should be set to “Bridged” on both VMs in the IMS labs so that your classmate can access your metasploitable VM).

If you are using a Linux host system (e.g. the LinuxZ image on campus) and wish to use Snort (and/or Wireshark) on the Kali VM to monitor traffic going to and from your Metasploitable VM, you must allow VMware Player VMs to put the NIC into promiscuous mode by running the following command on the host system (it makes the /dev/vmnet* devices readable and writable by all users):

sudo chmod a+rw /dev/vmnet*


Note IP addresses

Log in to the Metasploitable VM (the username and password are displayed on screen when you start the VM: msfadmin/msfadmin), and run “sudo dhclient” on the Metasploitable VM to renew its IP address[1].

On your two VMs run ifconfig. Make a note of the two IP addresses. You will need these later.

Optional preparation (in advance of the lab session)

Run Snort (and/or Wireshark) on your Kali Linux VM, to detect attacks.

Use md5sum/shasum to record the state of the Metasploitable system, so you can detect what files have changed. (md5sum is available on Metasploitable)

Configure Metasploitable to do remote logging, so that the attacker cannot modify your logs.

Create a backup of the files on your Metasploitable system, for later comparison.

Any other responsive or detection methods you like. You are not allowed to increase defensive security.

Hacker vs hacker!

In this session:

  1. Share the IP address of your Metasploitable system with classmates

        Use this public scratch space.

  2. Exploit a vulnerability in someone else’s Metasploitable system

You could follow an online tutorial such as: http://securitypadawan.blogspot.co.uk/2011/10/metasploitable-backtrack-fun.html
OR
http://securitypadawan.blogspot.co.uk/2011/10/attacking-metasploitable-part-2.html
OR
Any other tutorial, or just find an exploit that works!


During the Hacker vs Hacker lab session, take a screenshot showing how you have compromised their system.

Label it or save it as “HackerVsHacker-A1”.


  3. Edit a file on their compromised system: for example, /etc/syslog.conf or /etc/securetty
  4. Create a user account on their compromised system (optionally install a rootkit or backdoor, but you may not have time to do this)

To make life a little easier for your classmates, leave your connection(s) to their systems open. (For example, leave the shell open.)


During the Hacker vs Hacker lab session, take screenshots showing the file(s) you have modified, and any backdoors you have created.

Label it or save it as “HackerVsHacker-A2”.


  5. On your own system, use all the skills you have learned in this module (and software tools of your choice) to figure out:
     a. The IP address of the attackers that have compromised your own system

During the Hacker vs Hacker lab session, take screenshot(s) showing the IP address of an attacker, and how you came to that conclusion (for example, a Snort alert, Syslog, Wireshark logs, network access, etc.). Preferably, this should draw on both online (network/process) and offline (logs and alerts) information.

Label it or save it as “HackerVsHacker-A3”.
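The offline side of A3 is mostly reading the auth log for the session. As an added example (not part of the lab sheet), the POSIX shell functions below summarise sshd logins per source IP and list accounts recorded by useradd; the log lines are constructed for illustration, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the lab sheet: pick the attacker's IP out of an auth
# log. The sample below is constructed; on Metasploitable the real file is
# /var/log/auth.log (or the copy collected by your remote syslog host).
SAMPLE_LOG="${TMPDIR:-/tmp}/hvh_auth_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
May  6 14:02:11 metasploitable sshd[4321]: Accepted password for msfadmin from 192.168.1.50 port 40112 ssh2
May  6 14:02:30 metasploitable sshd[4330]: Failed password for root from 192.168.1.77 port 50031 ssh2
May  6 14:02:32 metasploitable sshd[4330]: Failed password for root from 192.168.1.77 port 50031 ssh2
May  6 14:02:35 metasploitable sshd[4330]: Failed password for root from 192.168.1.77 port 50031 ssh2
May  6 14:03:01 metasploitable sshd[4335]: Accepted password for root from 192.168.1.77 port 50044 ssh2
May  6 14:05:17 metasploitable useradd[4402]: new user: name=backdoor, UID=1002, GID=1002, home=/home/backdoor, shell=/bin/bash
EOF

# ssh_sources LOGFILE
# One line per source IP, "IP failed=N accepted=M", most failed attempts first:
# a burst of failures followed by a success is the classic brute-force shape.
ssh_sources() {
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($6 == "Accepted") acc[ip]++; else fail[ip]++
            seen[ip] = 1
         }
         END {
            for (ip in seen)
                printf "%s failed=%d accepted=%d\n", ip, fail[ip] + 0, acc[ip] + 0
         }' "$1" | sort -t= -k2,2nr
}

# new_accounts LOGFILE
# Account names recorded by useradd, to cross-check against /etc/passwd.
new_accounts() {
    sed -n 's/.*useradd\[[0-9]*\]: new user: name=\([^,]*\),.*/\1/p' "$1"
}

ssh_sources "$SAMPLE_LOG"
new_accounts "$SAMPLE_LOG"
```

Pair the log view with the online view the sheet asks for (netstat/ss for live connections, ps for the shell the attacker left open) so the same address shows up in both.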


     b. How they exploited your system

During the Hacker vs Hacker lab session, take a screenshot showing evidence of how they compromised your system; for example, what exploit and/or software did they use to do the attack? What software did it target on your system?

Label it or save it as “HackerVsHacker-A4”.


     c. What files they changed, user accounts they created, or backdoors they left

During the Hacker vs Hacker lab session, take a screenshot showing which files they changed, user accounts they created, or backdoors they left, and how you came to that conclusion (for example, using shasum output, Autopsy, mactime, diff, etc.).

Label it or save it as “HackerVsHacker-A5”.
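The md5sum baseline suggested under optional preparation and the file-change evidence asked for in A5 are two ends of one procedure. The shell functions below, added here and not from the lab sheet, snapshot a tree before the session and report modified, added and removed files afterwards; md5sum is used because the sheet notes it is present on Metasploitable, and demo builds a constructed throwaway tree rather than touching the real VM. Function names are my own.

```sh
#!/bin/sh
# Added example, not from the lab sheet: hash baseline before the session,
# compare afterwards (assignment A5).

# baseline DIR OUTFILE -- md5 of every regular file under DIR, sorted by path
# so that plain "diff before after" also works.
baseline() {
    find "$1" -type f -exec md5sum {} + | LC_ALL=C sort -k2 > "$2"
}

# compare BEFORE AFTER -- one line per difference: added|modified|removed PATH
# (assumes paths contain no whitespace, since md5sum output is split on blanks)
compare() {
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in new) if (!(p in old)) print "added", p
             for (p in old) {
                 if (!(p in new))           print "removed", p
                 else if (old[p] != new[p]) print "modified", p
             }
         }' "$1" "$2" | LC_ALL=C sort
}

# demo -- constructed tree standing in for the Metasploitable root: snapshot,
# simulate an intruder editing syslog.conf, dropping a file and deleting a log,
# then report. Prints paths relative to the tree.
demo() {
    t="$(mktemp -d)"
    mkdir -p "$t/etc" "$t/var/log"
    echo "*.* /var/log/syslog" > "$t/etc/syslog.conf"
    echo "console"             > "$t/etc/securetty"
    echo "boot ok"             > "$t/var/log/messages"
    baseline "$t" "$t.before"
    echo "*.* /var/log/other"  > "$t/etc/syslog.conf"   # edited
    echo "x"                   > "$t/etc/extra.conf"    # dropped
    rm "$t/var/log/messages"                            # wiped
    baseline "$t" "$t.after"
    compare "$t.before" "$t.after" | sed "s|$t||"
    rm -rf "$t" "$t.before" "$t.after"
}

demo
```

Keep the before file off the Metasploitable VM (copy it to Kali) so an attacker who gains root cannot rewrite the baseline along with the files.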



[1] In the IMS lab, it should start with “192.168.”