Creating a Home Lab

Attack simulations and practice

In this article we will explore the idea of creating a home lab. A lab can serve many purposes: a network of computers for experimenting with various network configurations and practicing how to implement network controls, or an environment that is deliberately vulnerable enough to practice offensive security. This is not only good practice but also lower pressure, since if you mess up the environment it is your own creation and you can avoid the issue next time or learn how to make repairs, which is a bonus in itself. A lab can be as simple as 2 virtual machines or as expansive as a physical network. In this lab we will use a hybrid of virtual and physical hardware as shown in the diagram below.

As for the purpose of this lab setup we will:

  • Simulate a wireless attack to gain a point of entry into the network
  • Attempt to gain access to a host using a password dictionary attack
  • After gaining access to a host we will pivot to access the hidden network

Stage 0: Initial Setup

To create this lab there is a mix of virtual machines and some physical components. What makes this lab a bit different is that the initial point of entry will be connecting to the network via wireless. The network itself is isolated, or “air gapped”, from the actual internet. I had an older Cisco 1900 Series router lying around as well as a Cisco switch, and hooked up a TP-Link switch to create my wireless access point. I chose a random password that can be found in the rockyou.txt file to practice a wireless attack. As for the machines, I set up 4 virtual machines using VirtualBox. One machine, known as “BoxOne”, would be accessible initially while the other 3 machines are on a subnet hidden behind BoxOne. Those 3 machines I downloaded from the website VulnHub. BoxOne I configured myself, again with a random password found in rockyou.txt, to demonstrate an online password attack. I created the subnet to practice pivoting, a useful skill to master as it is covered in various practical offensive security exams. So the intent is to first conduct a wireless attack to connect to the network (192.168.2.0/24), then once connected find any live machines such as BoxOne and conduct an online attack on the username kevinm. Once BoxOne has been accessed we will attempt to pivot to the hidden network (192.168.101.0/24) to continue.

Stage 1: Initial Point of Entry

With the lab set up we can begin the first stage. We first need to find the access point (AP). I used a laptop with Kali Linux loaded as a VM, since it already has most of the tools we need for this lab. In order to find and attack a wireless network we need a wireless device that can go into “monitor” mode. For optimal results I used an Asus Alfa AWUS051NH v.2 wireless antenna, as it is compatible with Kali Linux and can be put into monitor mode.

Most wireless adapters run in managed mode by default, which only listens for the devices and connections meant for that adapter. Monitor mode, also known as “promiscuous” mode, listens to all devices and connections within range. First we need to ensure that no other services will interfere with this operation by running the command:

  • sudo airmon-ng check kill

Once this is completed we can put wlan0 into monitor mode so we can find other wireless devices nearby, by running this command:

  • sudo airmon-ng start wlan0

As you can see here it has started in monitor mode under the name wlan0mon, which will be the device name we use for the rest of this portion of the lab. To begin viewing potential wireless access points to attack we will use airodump-ng as shown below:

  • sudo airodump-ng wlan0mon

By executing this command you will see something similar to the window shown below. (Some access points have been blocked out to protect the innocent.)

We are interested in the TP-Link_A7C0 access point, which is on channel 8 with the MAC address 90:25:4A:2F:A7:BF. We need to focus on finding a client that connects to this device so we can capture the so-called 4-way handshake, which gives us the required hashes needed to begin cracking the wireless password. There are a few options here: we can patiently wait for a connection to be made, or we can perform what is known as a “deauth” attack. Since this is a home lab I can connect a device of my own and also deauth that device to ensure the 4-way handshake is captured. First we need to start the capture of the access point.

  • sudo airodump-ng -c <channel number> --bssid <MAC address of access point> -w <name of capture file> <name of capture device>

As you can see in this example it is on channel 8 with the MAC address we found earlier, 90:25:4A:2F:A7:BF; we will call the capture file “capture” and wlan0mon is the capture device being used. Once the command executes it should produce results such as this:

Now we have another device that actually connects to this access point, with the MAC address 2E:EC:1C:1C:B3:24; this is known as a client. In a separate window we will attempt to deauth, or disconnect, the client from the access point and wait for it to reconnect. (Note: leave the airodump-ng command running while opening a new terminal window to run aireplay-ng.)

  • sudo aireplay-ng -0 <number of attempts> -a <MAC of access point> -c <MAC of client device> <name of capture device>

The -0 option instructs aireplay-ng to run a deauth attack, in this case 5 times, disconnecting the client 2E:EC:1C:1C:B3:24 from the access point 98:23:4A:2F:A7:BF. The output of the command should look similar to the window shown below:

With all of this done the capture file should now hold enough information to begin trying to guess the password of this network. To do this we will run aircrack-ng on the capture file capture-01.cap using the rockyou.txt wordlist, which is included in Kali Linux by default.

  • sudo aircrack-ng -w <wordlist to use> -b <access point> <name of capture file>

Once this command is executed it should display a window similar to this as it iterates through the words in rockyou.txt until it either finds a match or runs through the entire file. If it finds a match it stops with ‘KEY FOUND’ and the password shown, as in the window below. Note that this may run for a while before it finds a match; in this example it could run for a few hours, and in some cases longer than that.

As seen here it has found the password to this wireless network, which is ‘zukazuka’. With this information we can connect to the network as we normally would, since we now have the password. We can move on to Stage 2, which is locating a machine on the network and trying to gain a foothold on it.

Stage 2: Gaining a Foothold

At this point of the lab I have created a box known as BoxOne with the username ‘kevinm’. To create a scenario, let’s say we have found a username but do not know the password, so we will try an online password attack against an open service such as SSH. An online password attack is usually a last-ditch effort to guess a password and isn’t recommended, as it generates a lot of noise on a network and anyone viewing logs or firewall events will likely notice. Another drawback is that it can trigger account lockouts after a number of failed login attempts. However, in a pentesting engagement this attack might be used to check the security posture of an organization, and it is also a fairly common exercise in a CTF.

Before we delve into a password attack we need to find out our own assigned IP address on this wireless network. After connecting to the wireless network with the password ‘zukazuka’ we can run the command ‘ifconfig’ to find our IP address. In this example it was found under eth0 as shown below:

As displayed here we have the IP address 192.168.2.45. The netmask (255.255.255.0) provides another clue: it tells us our network is 192.168.2.x. One way to look at it is that the 255.255.255 portion of the netmask means that part of the address is fixed, while the 0 at the end means the last part can be any number from 1-254. So in this example 192.168.2 is fixed, as that is our network, and the last part is assigned to each device that connects; the number 45 was assigned to the computer I am currently using. In a typical network the number 1 is given to a network device such as the Cisco router I used to create this network, so its IP address will be 192.168.2.1. The next step is to find out whether any other devices are connected to the network. To do this we will perform a sweep. There are different tools that can be used, and the most common kind of sweep is a ping sweep, which scans the network for live hosts (from 1-254) by sending a ping to each address and checking for a reply; if there is a reply that host is considered up. A common tool for this method is nmap, with a command like this:

  • nmap -sn 192.168.2.0/24

This is the recommended way to run a sweep as it lists any live hosts on a network. I changed it slightly for this lab, only because speed and congestion aren’t much of a factor here, with this command:

  • nmap -v -p- -A 192.168.2.0/24 -oN tcpScn
    • -v : verbose
    • -p- : scan all 65535 tcp ports/services
    • -A : Enable OS detection, version detection, script scanning, and traceroute
    • -oN : create/name a file to save the scan results

Take note that I only ran this command because it was my own network, so speed wouldn’t be much of an issue. In a CTF this command would run very slowly as it not only checks every host on the network but also scans all the ports of each live host. In a CTF it is recommended to first run nmap -sn 192.168.2.0/24, which simply checks whether each host is up or down, and then run another scan to check for open services afterwards. Since I ran all of it at once it shows 3 hosts are up, which are:

  • 192.168.2.1 (Cisco router)
  • 192.168.2.45 (my pc)
  • 192.168.2.16

The address 192.168.2.16 is interesting because the scan also shows that port 22/tcp is open and running an SSH service. SSH, short for Secure Shell, is a common service used on Linux to log in remotely. Now in this scenario let’s say we have the username ‘kevinm’ but no password. We can perform an online password attack using the rockyou.txt wordlist with the tool hydra.
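The -oN file written above is plain text, and it is worth knowing how to pull the host list and open ports out of it rather than reading it by eye. The following parser is an added example and not part of the original article; the SAMPLE_TCPSCN text is a constructed imitation of nmap’s -oN layout using the lab’s three addresses (the OpenSSH version string is made up), and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "nmap -oN" output (not the author's tcpScn file); the
# three addresses mirror the hosts the lab found, with only BoxOne showing a port.
SAMPLE_TCPSCN = """\
# Nmap 7.94 scan initiated as: nmap -v -p- -A 192.168.2.0/24 -oN tcpScn
Nmap scan report for 192.168.2.1
Host is up (0.0021s latency).
All 65535 scanned ports on 192.168.2.1 are in ignored states.
Nmap scan report for 192.168.2.16
Host is up (0.0043s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Nmap scan report for 192.168.2.45
Host is up (0.000010s latency).
All 65535 scanned ports on 192.168.2.45 are in ignored states.
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# "Nmap scan report for 192.168.2.16" or "Nmap scan report for boxone (192.168.2.16)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
# "22/tcp open  ssh     OpenSSH 8.2p1 ..." (only open ports are kept)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

OpenPort = Tuple[int, str, str, str]  # (port, protocol, service, version text)


def parse_oN(text: str) -> Dict[str, List[OpenPort]]:
    """Map every host that reported 'Host is up' to its open ports."""
    hosts: Dict[str, List[OpenPort]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("Host is up") and current:
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current in hosts:
            hosts[current].append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return hosts


def hosts_running(hosts: Dict[str, List[OpenPort]], service: str) -> List[str]:
    """Addresses exposing the named service, e.g. 'ssh'."""
    return sorted(h for h, ports in hosts.items() if any(p[2] == service for p in ports))


if __name__ == "__main__":
    found = parse_oN(SAMPLE_TCPSCN)
    for host, ports in found.items():
        print(host, ports or "no open ports")
    print("ssh on:", hosts_running(found, "ssh"))
```

Run against a real tcpScn file (`parse_oN(open("tcpScn").read())`) the same two functions give you the hosts-up list and, for a defender, a quick inventory of which boxes on the segment expose SSH at all.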

  • hydra -vv -l kevinm -P rockyou.txt 192.168.2.16 ssh -f -t 6
    • -vv : very verbose (displays progress)
    • -l : username
    • -P : wordlist file to guess password
    • 192.168.2.16 : <ip address to attack>
    • ssh : <name of service to attack>
    • -f : stop on success
    • -t 6 : number of parallel tasks (limit this to 8 or fewer for ssh or the service may crash)

After running for a while hydra has found the password, which is ‘lmaoily2’. With this we can log in as the user kevinm. From here we can move on to Stage 3, which is gathering more information from this machine and using it to pivot to another network hidden behind BoxOne.
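Stage 2 noted that an online password attack is noisy and that anyone reading the logs will notice. What that noise looks like from BoxOne’s side is a burst of “Failed password” lines in the sshd log from one source, and with hydra’s -f it ends in an “Accepted password” from the same source. The detector below is an added example, not part of the article; SAMPLE_AUTH_LOG is constructed in the traditional syslog auth.log format (not the lab’s real log), and the threshold and window values are arbitrary defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sshd lines in /var/log/auth.log layout (not the lab's real log).
# Six failures in three seconds from one source, then a success, is what an
# online attack run with "hydra -f" looks like from the target's side.
SAMPLE_AUTH_LOG = """\
Mar  3 21:14:01 boxone sshd[1422]: Failed password for kevinm from 192.168.2.45 port 51110 ssh2
Mar  3 21:14:01 boxone sshd[1423]: Failed password for kevinm from 192.168.2.45 port 51112 ssh2
Mar  3 21:14:02 boxone sshd[1424]: Failed password for kevinm from 192.168.2.45 port 51114 ssh2
Mar  3 21:14:02 boxone sshd[1425]: Failed password for kevinm from 192.168.2.45 port 51116 ssh2
Mar  3 21:14:03 boxone sshd[1426]: Failed password for kevinm from 192.168.2.45 port 51118 ssh2
Mar  3 21:14:03 boxone sshd[1427]: Failed password for kevinm from 192.168.2.45 port 51120 ssh2
Mar  3 21:14:07 boxone sshd[1431]: Accepted password for kevinm from 192.168.2.45 port 51130 ssh2
Mar  3 21:30:00 boxone sshd[1500]: Failed password for kevinm from 192.168.2.9 port 40000 ssh2
Mar  3 21:30:40 boxone sshd[1501]: Failed password for kevinm from 192.168.2.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'Failed'|'Accepted', user, source ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only the gaps between events matter here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, dict]:
    """Flag sources with >= threshold failed logins inside any window_seconds span.
    A later 'Accepted' from a flagged source is recorded as success_after_burst."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    total = defaultdict(int)      # src -> every failure seen
    alerts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            total[src] += 1
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(src, {"users": set(), "success_after_burst": False, "failures": 0})
            if src in alerts:
                alerts[src]["users"].add(user)
                alerts[src]["failures"] = total[src]
        elif src in alerts:   # result == "Accepted"
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

The slow source 192.168.2.9 (two failures 40 seconds apart) stays under the threshold, which is exactly the gap a rate-based rule leaves; the success_after_burst flag is the one to page on, since it means the guessing worked.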

Stage 3: Pivoting

With a foothold on BoxOne we can begin to interact with the hidden network. When we scanned earlier we only found 3 devices on the network, while overall this lab has more than that. Pivoting can also be considered “lateral movement” through a network: we gain access to one machine and use that box to jump to another machine on the network. To get started we need to SSH into BoxOne as kevinm with the password ‘lmaoily2’, as shown below with this command:

  • ssh kevinm@192.168.2.16

Once logged in we can do all sorts of things such as view files, check for credentials and so on. In this lab we are most concerned with finding the hidden network. One option is to run the ‘ip’ command:

  • ip a s

This machine shows 2 network cards with separate IP addresses, 192.168.2.16 and 192.168.101.4. Since we haven’t seen the 192.168.101.4 address before, this likely indicates a hidden network. We can verify our finding using the metasploit framework, which is also included in Kali Linux. In a terminal window we can just type the command ‘msfconsole’ to get started. Once it has started we can log into ssh again by finding the ssh_login module in metasploit.
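Two things above are done by eye: the netmask reasoning in Stage 2 (255.255.255.0 means 192.168.2.x with hosts 1-254) and spotting that 192.168.101.4 in the ‘ip a s’ output belongs to a network we have not seen. The script below is an added example rather than anything from the article; it parses ‘ip a s’ text with Python’s standard ipaddress module, works the netmask arithmetic, and reports any network the host sits on that is not in a list you already know. SAMPLE_IP_OUTPUT is a constructed two-NIC listing (interface names and MAC addresses are made up).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed "ip a s" output for a two-NIC host like BoxOne (not the lab's real output).
SAMPLE_IP_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:aa:bb:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.16/24 brd 192.168.2.255 scope global enp0s3
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:aa:bb:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.4/24 brd 192.168.101.255 scope global enp0s8
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: ([^:@]+)[@:]")   # "2: enp0s3: <...>" (also "eth0@if5:")
INET_RE = re.compile(r"^\s+inet (\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}) ")   # IPv4 only; skips inet6


def parse_ip_addresses(text: str) -> Dict[str, List[ipaddress.IPv4Interface]]:
    """Interface name -> its IPv4 addresses with prefix, as printed by 'ip a s'."""
    result: Dict[str, List[ipaddress.IPv4Interface]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = INET_RE.match(line)
        if m and current:
            result[current].append(ipaddress.IPv4Interface(m.group(1)))
    return result


def describe_network(addr_with_mask: str) -> Tuple[str, str, str, int]:
    """For '192.168.2.45/24' or the ifconfig style '192.168.2.45/255.255.255.0'
    return (network, first usable host, last usable host, usable host count)."""
    net = ipaddress.IPv4Interface(addr_with_mask).network
    hosts = list(net.hosts())   # excludes the network and broadcast addresses
    return str(net), str(hosts[0]), str(hosts[-1]), len(hosts)


def unexpected_networks(text: str, known: List[str]) -> List[str]:
    """Networks this host is attached to that are not in the list we already know about."""
    known_nets = {ipaddress.ip_network(k) for k in known}
    found = set()
    for addrs in parse_ip_addresses(text).values():
        for a in addrs:
            if not a.ip.is_loopback and a.network not in known_nets:
                found.add(str(a.network))
    return sorted(found)


if __name__ == "__main__":
    print(describe_network("192.168.2.45/255.255.255.0"))
    print("new networks:", unexpected_networks(SAMPLE_IP_OUTPUT, ["192.168.2.0/24"]))
```

On a real box you would feed it `subprocess.run(["ip", "a", "s"], capture_output=True, text=True).stdout`; on the defensive side the same check run across your fleet finds dual-homed hosts that bridge segments you intended to keep apart, which is precisely what makes BoxOne a pivot.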

Once we have username, password and rhosts set we can simply type the command ‘run’ and it will log into the BoxOne machine through metasploit. The advantage of doing it this way is that we can upgrade this connection to meterpreter, which provides more tools to work with. To ensure that the ssh_login session is working correctly we can type the command ‘sessions’, which lists all of the running sessions in metasploit.

As shown here we have one session running with the Id of 1. This is our ssh session which we want to upgrade. To perform an upgrade we can type in:

  • sessions -u <session Id>

After this command runs we have 2 sessions, with the upgraded session having the Id of 2. Since we have a hint of a hidden network we can also try a ping sweep from metasploit. We can start by searching for the word ‘sweep’ in metasploit.

There are a few options here, but we can choose option 2 by typing ‘use 2’, which puts us into the ping_sweep module. We will need to set rhosts and session in this module as shown below:

As shown here we set rhosts to 192.168.101.0/24, as this is the likely hidden network we found earlier. This will scan from 1-255 for any live hosts on the hidden network. The command is executed by typing ‘run’.

From this output we have multiple hosts running on the network. If we try to run nmap on any host found here it likely won’t work. Metasploit does provide port-scanning modules like nmap’s, but I find them somewhat clunky; from my experience I prefer an nmap scan as it provides more information on a successful scan. This is where we can begin tunneling by pivoting from BoxOne. There are a few ways to do this, but for this article I will use metasploit to set up the tunnel. To get started we can search for the ‘autoroute’ module. The autoroute module looks for any routes found on BoxOne and automatically adds them to the metasploit routing table. The purpose of upgrading to session 2 was so we can use the autoroute module: session 1, which is only an ssh login, did not work with autoroute.

With the results shown above we have added 192.168.2.0/24 and 192.168.101.0/24 to the routing table. The final step in creating our tunnel is running a socks5 proxy. We can use the command ‘search socks_proxy’ in metasploit; the module is located at auxiliary/server/socks_proxy. The default options of this module are shown in the image below:

We will need to set the SRVHOST and SRVPORT options here. SRVHOST will be set to 127.0.0.1, the loopback address, and SRVPORT can be left as it is or changed. I prefer to change it to 9050, as this is the port already set in the /etc/proxychains.conf file. In a separate terminal window we can check or edit proxychains.conf by typing:

  • sudo nano /etc/proxychains.conf

As shown here, ProxyList is at the end of the proxychains.conf file. Often it is set to socks4a by default, so if that is the case I can edit the file here in nano. With that set we can configure the options in metasploit and run the socks proxy.
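A common reason the later proxychains scans silently fail is that the ProxyList entry does not match what metasploit is serving: wrong port, or a socks4 entry while the module is running SOCKS version 5. The checker below is an added example, not part of the article or of proxychains itself; DEFAULT_CONF is a constructed excerpt in the layout of /etc/proxychains.conf with a stock socks4 entry, and the srvhost/srvport/version arguments are assumed to be whatever you set in the socks_proxy module.

```python
from typing import List, Tuple

ProxyEntry = Tuple[str, str, int]   # (type, host, port)

# Constructed excerpt in the layout of /etc/proxychains.conf (not the author's file).
DEFAULT_CONF = """\
# proxychains.conf  VER 3.1
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""


def parse_proxylist(text: str) -> List[ProxyEntry]:
    """Entries below [ProxyList]: '<type> <host> <port> [user pass]', comments stripped."""
    entries, in_list = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
            continue
        if in_list:
            parts = line.split()
            if len(parts) >= 3 and parts[2].isdigit():
                entries.append((parts[0].lower(), parts[1], int(parts[2])))
    return entries


def check_proxylist(text: str, srvhost: str = "127.0.0.1", srvport: int = 9050,
                    version: str = "socks5") -> List[str]:
    """Problems that would stop proxychains from reaching a SOCKS server
    started on srvhost:srvport speaking the given version."""
    entries = parse_proxylist(text)
    if not entries:
        return ["[ProxyList] has no entries"]
    matching = [e for e in entries if e[1] == srvhost and e[2] == srvport]
    if not matching:
        return [f"no entry points at {srvhost}:{srvport} (found {entries})"]
    return [f"entry '{t} {h} {p}' is not {version}; proxychains would speak the wrong protocol"
            for t, h, p in matching if t != version]


def set_proxylist(text: str, entries: List[ProxyEntry]) -> str:
    """Return the config with everything below [ProxyList] replaced by the given entries."""
    lines = text.splitlines()
    try:
        cut = next(i for i, l in enumerate(lines) if l.strip().lower() == "[proxylist]") + 1
    except StopIteration:
        lines.append("[ProxyList]")
        cut = len(lines)
    new_entries = [f"{t} {h} {p}" for t, h, p in entries]
    return "\n".join(lines[:cut] + new_entries) + "\n"


if __name__ == "__main__":
    print("before:", check_proxylist(DEFAULT_CONF))
    fixed = set_proxylist(DEFAULT_CONF, [("socks5", "127.0.0.1", 9050)])
    print("after: ", check_proxylist(fixed) or "ok")
```

Read the live file with `open("/etc/proxychains.conf").read()` and pass the SRVHOST and SRVPORT you set in metasploit; writing the corrected text back needs root, which is why the author edits it with sudo nano.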

The window may hang for a little bit, which is fine; after a few minutes you can just press Enter a few times. In another terminal window we can now run an nmap scan on one of the hosts we found earlier. Note that we will need some special options in nmap, as a normal scan may not work as expected through the proxy. The command is run as follows:

  • sudo proxychains nmap -v -Pn -sT 192.168.101.7 2>/dev/null
    • -v : verbose
    • -Pn : treat all hosts as online
    • -sT : TCP Scan
    • 2>/dev/null : do not show errors

This scan reveals some open tcp ports but not much information at this point; we don’t know what version these services are or what operating system is in use. That is okay: running this command first is not a bad idea since it tests whether the scan works at all, and with the 3 port numbers shown we can scan again asking for more detail. Note that we must include proxychains in front of the command so nmap runs through proxychains; without it nmap would try to scan 192.168.101.7 directly, which will not work because that host is unreachable from our machine. Now back to the task at hand, we can run a more detailed scan on the 3 ports we found with this command:

  • sudo proxychains nmap -v -sT -p 21,80,443 -A 192.168.101.7 2>/dev/null
    • -v : verbose
    • -sT : TCP Scan
    • -p : ports to scan as it is 21, 80 and 443 here
    • -A : Enable OS detection, version detection, script scanning and traceroute
    • 2>/dev/null : don’t print errors on screen

Now we have some more information. The command isn’t perfect, as some things didn’t quite work, but the version information from ports 21, 80 and 443 can help us find potential vulnerabilities, among other things. From here it’s really up to how you want to experiment with this pivoting setup. We can also run more than just nmap here: we could run Firefox to view the webpage by typing ‘proxychains firefox’ in a terminal window. The result is shown below. Just notice that it will be slow, so it may take some time for the page to even load; remember this is running through a tunnel, so speed does become a factor.

None of this would have been possible without pivoting from BoxOne and creating a tunnel to run our tools through that machine, so it acts as a proxy server of sorts. From here on out the world is your oyster, as there are plenty of ways to experiment with this. Not everything will work in this setup, but it is a start. There are other tools you can try such as sshuttle and Ligolo-ng; metasploit is one option out of many.

Conclusion: Lessons Learned

A home lab is a way to experiment with various techniques without the hassle of time limits or the network congestion and slow speeds that are common in a CTF environment where other players share the network. There is also the element that if you break it, you can fix it yourself without worrying about disrupting someone else’s productivity. As a bonus you learn how to set up a specific environment and gain a little more insight into the other side of an attack.

As a final note, here are some points on how to avoid becoming a victim of the methods practiced here. Mostly it is basic security 101 that can guard against these attacks. On the wireless side of things:

  • If possible upgrade to, or ensure you are using, WPA3 as it is more up to date
  • Create a strong password or a passphrase that is more than 12 characters long with a mix of upper/lowercase letters, numbers and symbols.
    • An example might be “MissMaryHad5PurpleLambsN@medJosey!”
  • For the paranoid (requires work)
    • Create an allow list of devices that are allowed to use your wireless connection
    • Turn off SSID broadcast (hide your network ID)
    • Reduce the transmit power of your wireless antenna

So if you can’t upgrade to WPA3 and can only use WPA2 (it happens), then at least create a long password, such as a passphrase of more than 14 characters. As for the paranoid section, you can also create an allow list so only the devices you list can connect to your network, but this can become a hassle if you have family members or roommates with their own devices, as you will need to update the allow list each time a new device needs to connect. You can also turn off the SSID broadcast, but then you will have to enter your wireless network ID manually in order to connect for the first time. Reducing the power of your antenna can cut down on the signal leaking outside your home, but this can be tricky if you can’t place your wireless router in a central location. As for Stage 2, the way to avoid that attack is to turn off unneeded services and, again, use a strong password of more than 14 characters with a mix of upper/lowercase letters, numbers and symbols. The longer the password, the more possibilities an attacker has to guess; that takes more time, and time becomes costly.
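Both passwords in this lab fell because they were in rockyou.txt, not because they were short alone, so a useful check before you commit to a Wi-Fi or SSH password is: does it meet the length and character-class advice above, and is it (or its bare dictionary word) in the wordlist an attacker would try first? The checker below is an added example and not from the article; SAMPLE_WORDLIST is a constructed stand-in for a few rockyou.txt lines, the default minimum length of 15 follows the “more than 14 characters” advice, and the function names are my own.

```python
import string
from typing import List, Set

# Constructed stand-in for a handful of rockyou.txt lines (the real file has roughly
# 14 million); the two lab passwords are included on purpose.
SAMPLE_WORDLIST = """\
123456
password
iloveyou
zukazuka
lmaoily2
"""


def load_wordlist(text: str) -> Set[str]:
    """One lowercased entry per non-empty line; works the same on the real rockyou.txt."""
    return {w.strip().lower() for w in text.splitlines() if w.strip()}


def policy_check(candidate: str, wordlist: Set[str], min_len: int = 15) -> List[str]:
    """Return the ways a candidate falls short of the article's advice: more than 14
    characters, all four character classes, and not something a wordlist attack finds."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = {
        "missing uppercase": str.isupper,
        "missing lowercase": str.islower,
        "missing digit": str.isdigit,
        "missing symbol": lambda c: c in string.punctuation,
    }
    for label, present in classes.items():
        if not any(present(c) for c in candidate):
            problems.append(label)
    lowered = candidate.lower()
    if lowered in wordlist:
        problems.append("found in wordlist")
    # Rule-based cracking routinely strips or appends digits and symbols, so a
    # dictionary word dressed up as "Zukazuka2024!" gains little over the bare word.
    core = "".join(c for c in lowered if c.isalpha())
    if core != lowered and core in wordlist:
        problems.append("letters-only core found in wordlist")
    return problems


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for pw in ("zukazuka", "lmaoily2", "Zukazuka2024!", "MissMaryHad5PurpleLambsN@medJosey!"):
        print(f"{pw!r}: {policy_check(pw, words) or 'ok'}")
```

Against the real file, `load_wordlist(open("/usr/share/wordlists/rockyou.txt", encoding="latin-1").read())` takes a few seconds and a few hundred megabytes of memory but then answers the question the lab poses instantly, without having to run aircrack-ng or hydra for hours.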

Well, this was a long one, and I hope it was helpful in some way. In the future I plan to do more experiments with this lab, such as different network configurations and creating an Active Directory lab, which is a common setup for most organizations. That is all for now and until next time, take care.