Purpose

You can build a home lab environment in many different ways, like virtualization, dedicated hardware, cloud-based, containers, or hybrid approaches. Building a home lab environment has many benefits and use cases.

My goal was to build a flexible virtual home lab that can be adjusted based on my needs at any given time. Virtualization seemed like my best bet so I scoured through the internet and found a phenomenal guide, Building a Security Lab in VirtualBox written by 0xBen. I used it to build my home lab with some tweaks and this is my version.

Back Story

I went on a side quest to try and recreate this home lab setup in my MacBook Pro M2 but quickly learned the limitations. But it allowed me to learn a lot about the different solutions available. If you’re looking to build a home lab similar to this one using a MacBook Pro M-series this isn’t the way. There are compatibility issues among other things that I won’t discuss here. However, I will go back and figure out a similar setup for my MacBook, and I’m excited to take on that challenge.

Setup Summary

For this home lab the following was used:

• VirtualBox
• pfSense — firewall and DHCP server
• Kali Linux — attack machine
• Metasploitable 2 — vulnerable machine

System Specs

Lenovo ThinkPad X1 Carbon:

• Processor: Intel Core 7
• RAM: 32GB
• Storage: 512GB

Note: I didn’t add the Active Directory machine that is part of the home lab but if you want to include it, follow 0xBen’s guide.

Phase 1: Start Downloads

pfSense

Netgate now requires users to sign in or create an account before downloading the image. If you don’t mind using your data then go for it but if you’re like me and don’t want to provide that, just make up the details and use a throwaway email. Download the AMD64 ISO IPMI/Virtual Machine version. Once checked out you’ll be emailed a download link, start the download.

Download here.

Kali Linux

Download the VirtualBox pre-built VM Kali Linux image here.

Metasploitable 2

Download Metasploitable 2 here or search for a different vulnerable machine in VulnHub. If you choose a different machine the install steps might differ so make sure to look for corresponding guides.

PeaZip

The VM image files need to be extracted and there are different methods but I like using PeaZip. If you’d like to use it, you can download it here.

Install Python Core / win32api

VirtualBox requires Python Core / win32api dependencies and I find it easier to download them beforehand and have them ready to go. First, download the latest Python version here. Once it’s done downloading, open it to begin installation. After it successfully installs you’ll need to run two commands in the Command Prompt, make sure to launch it as an administrator.

First command:

-m pip install pywin32

Second command:

python.exe -m pip install --upgrade pip

If you need a visual walkthrough, here is a straightforward YouTube video.

Install VirtualBox & Extension Pack

Download VirtualBox and the Extension Pack here. After the downloads are complete, start the installation process for VirtualBox, the Extension Pack is installed after.

If you’re unsure how to install them, here is a YouTube video.

Note: You might still get a message during the VirtualBox installation advising you to download missing dependencies Python Core/win32api, just ignore it and continue.

Phase 2: Extract VM Images

Extract the VM images you downloaded during Phase 1. You can use your preferred extracting method, I used PeaZip.

pfSense

Navigate to where the pfSense download is, it should have a .gz extension.

Right-click on the file → Open with → Select PeaZip

PeaZip will open and you have the option to Extract the file into the current directory or change it. If you want to change it, click on the drop-down arrow next to Extract.

Kali Linux

Navigate to your system’s root directory, open the Users folder and then select your user profile. Open the folder named VirtualBox VMs. You’ll need to create a new folder here named Kali Linux. You’ll be extracting the Kali Linux image here so keep note of the folder’s path.

Navigate to where the Kali Linux download file is.

Right-click on the file → Open with → Select PeaZip

Click on the drop-down arrow next to Extract and select Extract all to, and select the file path of the new folder you created titled Kali Linux.

Metasploitable 2

The extraction process will be the same as the pfSense file. Navigate to where the Metasploitable 2 download file is.

Right-click on the file → Open with → Select PeaZip

Feel free to extract it wherever you want to house it. I created a folder specifically for my VMs (pfSense and Metasploitable 2) to live in.

Phase 3: Import the VMs to VirtualBox

DO NOT START ANY OF THE VMs YET! YOU’RE JUST IMPORTING THE IMAGES FOR NOW!!!!

pfSense

Open VirtualBox and click on the New button.

Name: pfSense-HomeLab

ISO: Select the pfSense image you extracted earlier

Type: BSD

Subtype: FreeBSD

Version: FreeBSD (64-bit)

Click on the Hardware tab

Base Memory: 1024 MB

Processors: 1 CPU

Click on the Hard Disk tab

Select Create a Virtual Hard Disk Now

Under Hard Disk File Location and Size, the directory should auto populate

Make sure the Hard Disk space is set to 16.00 GB

Click Finish

DO NOT START THE MACHINE! LEAVE IT ALONE!!!

Kali Linux

To import Kali Linux click on the Tools tab located on the left side panel inside Virtual Box.

Click Add as shown below.

You’ll be prompted to select a file, navigate to the folder where you saved the exported Kali Linux files, and select the file ending in “.vbox”.

Don’t worry about making any adjustments to the machine now. You’ll be going back in the next phase to change a few things.

DO NOT START THE MACHINE! LEAVE IT ALONE!!!

Metasploitable 2

Click on the New icon.

Name: Metasploitable 2

Folder: Leave it as is

ISO Image: Leave it as is

Type: Linux

Subtype: Linux 2.4

Version: Linux 2.4 (32-bit)

Click on the Hardware tab

Base Memory: 1024 MB

Processors: 1 CPU

Click on the Hard Disk tab

Select Use an Existing Virtual Hard Disk File button

Click on the File icon

Click on the Add icon

Browse to the folder where you extracted the Metasploitable 2 files

Choose the file ending with .vmdk

Click Finish to create the machine

DO NOT START THE MACHINE! LEAVE IT ALONE!!!

Phase 4: Configure the VMs

pfSense

Select the pfSense machine, it should be highlighted in blue.

Click on the Settings icon as shown below.

Once the Settings window opens, click on the Experts tab.

System

Select the System tab

Under Boot Order move the Hard Disk up until it’s the first option, then move Optical after Hard Disk so it’s the second option

Uncheck Floppy

Your Boot Order should look like the screenshot below

Audio

Click on the Audio tab

Uncheck Enable Audio

USB

Click on the USB tab

Uncheck Enable USB Controller

Network

Now click on the Network tab

Adapter 1

Check Enable Network Adapter

Attached to: Bridge Adapter

Adapter Type: Paravirtualized Network (virtio-net)

Adapter 2

Attached to: Internal Network

Name: home-lab-LAN

Adapter Type: Paravirtualized Network (virtio-net)

Adapter 3

Attached to: Internal Network

Name: home-lab-isolated

Adapter Type: Paravirtualized Network (virtio-net)

Adapter 4

Note: Adding this network is optional if you plan on adding a Windows machine for Active Directory learning/hacking, 0xBen outlines the steps here.

Kali Linux

Click on the Kali Linux machine to highlight it and click on the Settings icon.

Once the Settings window opens, click on the Experts tab.

Network

Click on the Network tab

Adapter 1

Check Enable Network Adapter

Attached to: Internal Network

Name: select home-lab-LAN from the dropdown menu

Adapter Type: Paravirtualized Network (virtio-net)

Click OK to save the changes made

Metasploitable 2

Click on the Metasploitable 2 machine to highlight it and click on the Settings icon.

Once the Settings window opens, click on the Experts tab.

Network

Click on the Network tab

Adapter 1

Check Enable Network Adapter

Attached to: Internal Network

Name: select home-lab-isolated from the dropdown menu

Adapter Type: Intel PRO/1000 MT Desktop (82540EM)

Audio

Click on the Audio tab

Uncheck Enable Audio

USB

Click on the USB tab

Uncheck Enable USB Controller

Phase 5: Time To Start VMs

It’s important to start the machines one at a time in the order presented below. This section is lengthy but once you’re done, running your lab will be a smooth process.

pfSense

Select the pfSense machine, it should be highlighted in blue, then click on the Start icon.

It’ll take a few minutes for the machine to start. Let it do its thing, once done the Netgate Installer will appear. You won’t be able to click on the options with your mouse, instead use the arrow keys for option selection and the Enter key to accept the selection.

Choose Accept

Select Install and choose OK

I don’t have screenshots for the following steps but it’s fairly easy to follow along.

Next, WAN Interface Assignment and Configuration

Please select WAN

Select vtnet0 and OK

Next, WAN (vtnet0) Network Mode Setup

Adjust the network operation mode for the WAN (vtnet0) interface if necessary

Select >>> Continue and OK

Next, LAN Interface Assignment and Configuration

Please select the LAN interface

Select vtnet1 and OK

Next, LAN (vtnet1) Network Mode Setup

Adjust the network operation mode for the LAN (vtnet1) interface if necessary

Select >>> Continue and OK

Make sure LAN is vtnet1 and WAN is vtnet0

If it matches choose Continue

Select Install CE

Select >>> Continue and OK

Select Stripe and OK

Select OK

Select Yes

Select the option that states Current Stable Release and OK

The next screen which indicate it’s downloading

Select OK once done

Select Reboot

Allow the machine to finish booting, if it exits start the machine again. It will take a few minutes to load.

You’ll be asked, “Do VLANs need to be set up first?”

Type n and press Enter

Next, “Enter the WAN interface name or ‘a’ for auto-detection (vtnet0 vtnet1 vtnet2 vtnet3 or a):”

Type vtnet0 and press Enter

Next, “Enter the LAN interface name or ‘a’ for auto-detection”

Type vtnet1 and press Enter

Next, “Enter the Optional 1 interface name or ‘a’ for auto-detection”

Type vtnet2 and press Enter

Next, the interface assignments will appear:

WAN → vtnet0

LAN → vtnet1

OPT1 → vtnet2

You’ll be asked “Do you want to proceed [y:n]?”

Type y and press Enter

Configure the LAN interface further.

Type 2 and press Enter

Next, start configuring the LAN “Enter the number of the interface you wish to configure”

Type 2 and press Enter

Next, “Configure IPv4 address LAN interface via DHCP?”

Type n and press Enter

Next, “Enter the new LAN IPv4 address. Press <ENTER> for none:”

Type 10.0.0.1 and press Enter

Note: You can use any IPv4 address you’d like just keep it in the private IPv4 ranges.

Next, “Enter the new LAN IPv4 subnet bit count (1 to 31):”

Type 24 and press Enter

Next, press Enter since this is a LAN

Next, “Configure IPV6 address LAN interface via DHCP6?”

Type n and press Enter

Next, press Enter since you won’t be using IPv6

Next, “Do you want to enable the DHCP server on LAN?”

Type y and press Enter

Next, “Enter the start address of IPv4 client address range:”

Type 10.0.0.11 and press Enter

Next, “Enter the end address of the IPv4 client address range:”

Type 10.0.0.243 and press Enter

Note: If you assigned the LAN a different IPv4 address than the one above (10.0.0.1) make sure to stick to that range. Example, if you used 10.5.5.1, your range should start at 10.5.5.11 and end at 10.5.5.243.

Next, “Do you want to revert to HTTP as the webConfigurator protocol?”

Type n and press Enter

Next, you’ll see the confirmation for the changes made

Press Enter

Time to configure the Isolated LAN

Type 2 and press Enter

Next, start configuring the isolated LAN “Enter the number of the interface you wish to configure”

Type 3 and press Enter

Next, “Configure IPv4 address OPT1 interface via DHCP?”

Type n and press Enter

Next, “Enter the new OPT1 IPv4 address“

Type 10.6.6.1

Note: You can use any IPv4 address you’d like just keep it in the private IPv4 range.

Next, “Enter the new OPT1 IPv4 subnet bit count (1 to 31):”

Type 24 and press Enter

Next, press Enter since this is a LAN

Next, “Configure IPV6 address OPT1 interface via DHCP6?”

Type n and press Enter

Next, press Enter since you won’t be using IPv6.

Next, “Do you want to enable the DHCP server on OPT1?”

Type y and press Enter

Next, “Enter the start address of IPv4 client address range:”

Type 10.6.6.11 and press Enter

Next, “Enter the end address of the IPv4 client address range:”

Type 10.6.6.243 and press Enter

Next, “Do you want to revert to HTTP as the webConfigurator protocol?”

Type n and press Enter

Next, you’ll see the confirmation for the changes made

Press Enter

I won’t be using the Active Directory lab so I won’t be going over configuring interface OPT2. However, you can find instructions on configuring that interface here.

Leave the pfSense machine running in the background.

Kali Linux

Start the Kali Linux machine. Make sure it’s highlighted and click on the Start icon.

It will take a few minutes for the machine to load just let it do its thing. Once it’s done, the login screen will appear. Enter the default login which is Kali for both the username and password.

Once logged in, open the terminal and run the following to verify the machine got the right IPv4 address (10.0.0.11) from the DHCP server.

ip address

Setup Firewall Rules in pfSense

Don’t start the Metasploitable 2 machine until you set the firewall rules for pfSense. Remember the machine is vulnerable and you don’t want it running on your system without safeguards.

For this section, I’ll be directing you to “Configuring the pfSense Firewall for Our VirtualBox Lab”, written by 0xBen.

Metasploitable 2

After you configure the firewall rules, start the Metasploitable 2 machine. Make sure it’s highlighted and click on the Start icon.

It’ll take a few minutes to load and you’ll be asked to log in, use msfadmin for both username and password.

Verify the machine has the IP address you assigned it by running the following command, it should display 10.6.6.11

ip a

Tips

Booting Order

It is important to boot the virtual machines in the right order. Let the machine fully boot before starting the next one.

pfSense → Kali Linux → Metasploitable 2

pfSense

To turn off the machine safely, type 6 and press Enter

Type y and press Enter

Kali Linux

Change Root Password

It is highly advisable to change your Kali Linux root password to strengthen security. It’s important to note that changing the root password is not the same as changing the default user (Kali) password.

Change Default Username and Password

To change the default username (Kali) and password (Kali) you’ll need to restart the machine and login as root. The username will be root and the password is the one you created in the previous step. If you didn’t change the root password, the default is Kali.

Change the username:

usermod -l newuser olduser

Update the directory:

usermod -d /home/newuser -m newuser

Update the group name:

groupmod -n newuser olduser

Change the User ID:

usermod -u newID newuser

Restart the machine for the changes to take effect.

Log in using the new username and the default password (Kali).

If you don’t see any icons when you log in and only see the desktop wallpaper, use Ctrl + Alt + T to launch the terminal.

sudo rm -r .cache .config .local
Enter password:

Restart the machine.

sudo reboot

Change the password:

passwd 
Enter current password:
Enter new password:
Retype new password:

The password is now changed. To test this, you can restart the machine and log in using the new username and password.

All Machines

Snapshots

Take a snapshot of all your virtual machines to avoid importing and setting them up all over again if something goes wrong. By taking a snapshot after the initial installation and configuration, you can revert to the snapshot and use the machine as if nothing happened.

Select each machine and click on the side menu

Click on Snapshots

Click on Take

Give the snapshot a name, description and click Ok

Follow these same steps for the other machines.

Conclusion

Setting up a home lab can be a lengthy process, but a worthy one. You get to learn a lot along the way. Spend some time and get familiar with your environment. There are a lot of Metasploitable 2 writeups you can follow and I find this a great way to learn. However, I encourage you to go back and try to recreate the steps from memory to help you grasp the skills and techniques used.

Stay curious!

Flag 0 …

Hints:

• Something looks out of place with checkout.
• It’s always nice to get stuff free.

To find this flag we have to figure out a way to get a JPEG for free.

As you can see on the homepage there are two JPEGS that can be added to the cart. If you add one to the cart and proceed to check out you will see Payments temporarily disabled message displayed.

So how can we check out and get the JPEG for free?

Let’s start by inspecting the Check Out button located in the Shopping Cart page.

Upon inspection, we can see that there is something hidden in the form. To find out what it is we need to erase the text hidden next to type. An input box should pop up on the webpage. The price needs to be changed to zero and this can be done through that box or from the Inspector section.

Once the price is set to ZERO go ahead and click on the Check Out button.

Your FLAG should appear!

Flag 1 …

Hints:

• There must be a way to administer the app.
• Tools may help you find the entry point.
• Tools are also great for finding credentials.

It looks like we need to find a way to login as an admin to take control over the webpage.

Note: You must prepare yourself because to find this flag there are several steps to take.

Let’s go back to the Home page. There are no buttons or links to click on to log in so the next step is to try commonly used login paths.

Try using /admin at the end of the URL. Okay, that did not work.

Let’s try /login this time. Bingo, we got us a winner!

Once the login page loads go ahead and try using default admin usernames and passwords. I tried using the following:

Usernames: admin, administrator, user

Password: admin, password, 12345

Each combination produced a Invalid username message. This message is important because it let’s us know which credential is invalid.

It is clear that we need help from tools to brute force our way in. I tried using Hydra but it was acting up so I used Burp Suite Community with the Turbo Intruder extension.

Step One:

Open Burp Suite.

* If you already have the Turbo Intruder extension installed skip to Step 2.

To install the Turbo Intruder extension go to Extensions tab > BApp Store > Search bar > type in Turbo Intruder > Click Install

Once it’s done installing the Turbo Intruder tab should populate at the top.

Tutorial: If you are a visual learner here is a step by step video to help you out, Turbo Intruder Tutorial.

Now, the fun part begins …

Step Two:

Go to the Proxy tab in Burp Suite.

Turn on the proxy on the browser.

Go back to Burp Suite and click Intercept is off to turn in on

Go back to the webpage and try to log in using any credentials.

Burp should capture this interaction.

You can turn off the proxy.

Right-click on the Raw capture > Extensions > Turbo Intruder > send to Turbo Intruder

Step Three:

Turbo Intruder pops up and the capture will be on top and the coding section on the bottom.

Click on Last code used drop-down menu > examples/basic.py

Tip: Before we edit the code, first we need to download or create a list of usernames and passwords. I used the rockyou.txt and this can be downloaded here. Note the path you save your file to.

On the code section we will make the following adjustments:

Line 3 & 4

CurrentConnections=200
requestPerConnection=150

Line 8

for word in open('<Your file path goes here>'):

Line 14 & 15

if ('Invalid username' not in req.response):
table.add(req)

Head over to the Raw capture section on top and make the following adjustments:

Line 20

username=%s&password=test

* This tells the code we are only looking for the username.

Click on Attack.

You should see it running. Give it about a minute and then the table above should load up with results.

On the table we are looking at the Status column and looking for code 200. Under the Payload column you’ll find the username.

Head over to the webpage and input that username and pair it with a random password.

Click Log In.

The message that should appear is Invalid password.

Congrats you now have a valid username!

Step Four:

Go back to the Turbo Intruder window and click on Configure located at the bottom. It will take you back to the Raw capture and coding window.

Make the following adjustments to the code:

Line 14

if ('Invalid password' not in req.response):

Make the following adjustments to the Raw capture:

Line 20

username=<input valid username here>&password=%s

*Make sure you type the valid username next to username=

Click on Attack.

Give it a few minutes and once the table loads up look for Status code 302 and the Payload value is your password.

Go back to the webpage and input the valid username and found password.

Click Log In.

Congrats you have found your FLAG!

Flag 2 …

Hints:

• Always test every input.
• Bugs don’t always appear in a place where data is entered.

Now that we have admin access we can edit and this flag is pointing us in that direction!

Click on one of the edit buttons. Here we can edit Name, Description, and Price.

Let’s attempt an XSS payload on the Name field.

Insert the following:

<script>alert(1)</script>

Then click on Save.

Note: I attempted the XSS payload in the two other fields and got an error with one and got no flag with the other. I advise you try it so you can see the outcome for yourself.

Head back to the Home page.

TIP: use the URL path

Click on the link that takes you to the cart.

You should see your FLAG!

Give yourself a hug! You’ve made it to the end and captured all three flags!

Time for a water break …

If you want to learn more about Turbo Intruder and all its uses, check out James Kettle article and video here.

Flag 0

Hints:

• The person with username “user” has a very easy password.

Click on Sign In

Input the following:

Username: user

Password: < I think you can guess it >

Once you’ve successfully logged in, you will capture your first FLAG!

Flag 1

Hints:

• Try viewing your own post and then see if you can change ID.

To capture this flag we have to try to view another user’s post.

This can be done by clicking on one of the posts to view it. Then change the ID # on the URL path and press Enter.

Tip: Go lower

You captured another FLAG!

Flag 2

Hints:

• You should definitely use “Inspect Element” on the form when creating a new post.

On the Home page we need to inspect the What’s on your mind? field.

Look for the user_id and change the value.

Write something to post and click on Create post.

Now, you have captured the FLAG.

Flag 3

Hints:

• 189*5

This flag really works our critical thinking and problem solving skills.

Find the product of this multiplication.

Then insert the product inside the URL path.

You have captured the FLAG!

Flag 4

Hints:

• You can edit your own posts. What about someone else’s?

Right now we have user access and the only post we can see that does not belong to user is the one posted by admin.

So, let’s attempt to edit an admin post.

Click on one of your post to edit it. Then on the URL path you will have to change the ID number.

Tip: Go lower.

It should take you to the admin’s post where you can edit. I suggest you add “EDITED” on the title so you can see the difference.

Click on Save post.

You’ve captured another FLAG!

Flag 5

Hints:

• The cookie allows you to stay signed in. Can you figure out how they work so you can sign in to user with ID 1?

To capture this flag we need to look for our cookie ID.

On the Home page right-click and Inspect.

Click on the Storage tab > look for Cookies > look for ID.

Click > copy the value.

Find a MD5 decrypt and encrypt engine by doing a quick Google search.

First you must decrypt the value to see which number it is. This will show you which user you are.

Admin must have an ID # 1.

So, now encrypt the #1 and obtain its MD5 hash.

Copy the MD5 hash for #1 and paste it in the table, replacing the other cookie ID.

Refresh the page.

FLAG 5 is now captured!

Flag 6

Hints:

• Deleting a post seems to take an ID that is not a number. Can you figure out what it is?

We have admin access now so we must delete one of the user’s post.

1. View one of the user’s post. Notate the post ID number.

2. Hover over the delete button for one of the admin’s post > right click > Inspect > find the delete hash ID.

3. Go back to the MD5 encrypt engine and generate the hash for the user’s post ID number.

4. Copy it > paste it on the delete hash ID section.

Now click the Delete button you inspected.

The FLAG should appear!

Flag 0 …

The first hint tells us we need to look at the source code.

Go ahead and take a look …

Do you spot anything out of the ordinary?

You should’ve found something is missing from the webpage.

The code indicates that there should be an image displayed but there isn’t.

To view the image copy the file name and insert it to the end of the URL path.

Congrats, you captured the FLAG!

What is it?..

We have seen an incline in data breaches through ransomware attacks, with big corporations headlining such as the Colonial Pipeline and most recently Caesars Entertainment. Bringing penetration testing into focus as a great security preventative measure.

Penetration testers act as malicious actors attempting to breach an organization by finding and exploiting vulnerabilities. In simplest terms, organizations contract penetration testers to act as adversaries and exploit vulnerabilities to aid the organization in understanding its security landscape.

Penetration testing allows for a deeper look at the damage a breach can cause. Of course, there are a lot of moving parts before, during, and after a penetration test which I will cover in-depth in other posts. For now, I just want to provide a general overview of what penetration testing is.

Why is penetration testing important?..

Having a penetration test done is the best investment an organization can make. How can organizations defend their assets against malicious actors when they are unaware of how they could be potentially breached? Most organizations will implement basic security practices which is a great start but in today’s ever-evolving technological world much more is needed. When organizations are informed of where their weaknesses lie they can better protect their assets by strengthening those areas.

Additionally, many organizations are required to undergo penetration testing to remain compliant and abide by the laws and regulations pertaining to their specific industry. Some of these regulations include PCI DSS, HIPPA, GDPR, and many others.

Breaking it down …

To get a more rounded basic understanding of what penetration testing is, it’s important to break it down into its categories, types, environments, and stages.

Categories

• White-Box: all the information necessary is provided by the organization about the environments that will be tested. This includes a range of things like IP addresses, source code, credentials, documentation, network infrastructure, etc.
• Black-Box: this test best simulates a malicious actor since it involves heavy reconnaissance due to the penetration tester having zero knowledge of the environments to be tested.
• Gray-Box: a combination of white-box and black-box testing. Partial information about the environments is provided while keeping other information hidden.

Types

• Internal: testing begins inside the network, aiming to gain access to privileged information.
• External: testing begins outside the network, aiming to gain access to the internal network.

Environments

• Network: a network scan is conducted to identify open/closed ports, the corresponding services, the versions running, etc.
• Perimeter Devices: Routers, switches, firewalls, IDS/IPS, antivirus, etc.
• Wireless Networks: Wi-Fi, Bluetooth, RFID, NFC, etc.
• Mobile: iOS and Android devices.
• Web Applications: web applications and the technology used to operate them.
• Physical: building entry points, gates, security personnel, cameras, buildings, etc. Social engineering plays a big role here.
• Cloud: tests are conducted to determine the technology used and if any vulnerabilities exist.
• Databases: MySQL, PostgreSQL, Oracle, etc.

Stages

1. Pre-engagement: The penetration tester and organization agree on what is to be tested (in scope) and what is not (out of scope). The legal implications for both sides are discussed and mutually agreed on. The organization specifies its goals, business requirements, and much more.
2. Reconnaissance: The penetration testers will begin gathering as much information about the organization and its network as possible. There are two types of reconnaissance, passive and active. The information gathered can be used to formulate an appropriate approach for later stages.
3. Discovery: A combination of additional reconnaissance and vulnerability discoverability. Here a penetration tester can find additional information such as IP addresses, DNS details, directories, usernames, etc. A vulnerability scan is also performed to find any potential known vulnerabilities.
4. Vulnerability Assessment: Vulnerabilities found are scored based on their severity level using The Common Vulnerability Scoring System. This helps determine which vulnerabilities need to be urgently addressed by the organization and the damage they can cause. These vulnerabilities are used to gain access in the next stage of the penetration test.
5. Exploitation: This stage requires the exploitation of the vulnerabilities found previously. Notes are taken on the exploitation process so it can be replicated by the organization if needed.
6. Post-Exploitation: This stage is all about maintaining access and documenting the data encountered throughout the exploitation. Important things to note are how long access was maintained and if the breach was noticed at any point.
7. Reporting & Risk Analysis: All the information gathered in previous stages is compiled into a comprehensive report. This report includes a risk analysis of the vulnerabilities found. Recommendations are also made to the organization on how to mitigate the vulnerabilities.
8. Remediation: The organization is now tasked with addressing the vulnerabilities and implementing the recommendations. After they complete their tasks the penetration tester will go back and reassess the vulnerabilities.

Let’s Wrap It Up …

This concludes the quick overview of penetration testing and its basic concepts. There is a lot more that goes into penetration testing which I will be breaking down further in upcoming posts. Performing a penetration test against an organization requires authorization from the organization’s stakeholders, otherwise it is considered illegal and punishable by the law.

Lure Me In Honey …

Hackers are constantly finding creative ways to penetrate a network to extract sensitive data. Imagine if there was a way to entrap hackers in a fake network environment and get front-row seats to witness their attack tactics. Well, there is a way and it’s called honeypots! Honeypots are decoy environments set up near the actual network to lure hackers and gather insights into their attack methods. Once the hacker is inside the honeypot security teams can monitor their activities and help keep them from reaching the real network.

Main Honeypot Types

Production

This type of honeypot is very popular due to how relatively easy it is to implement and the amount of information gathering it does. It collects IP addresses, traffic volume, intrusion date and time, etc. It is commonly used by corporations, private businesses, politicians, and many others.

Research

A research honeypot is very sophisticated and collects various details about attack techniques used. It is commonly used by governments, intelligence agencies, research organizations, and more. This type of honeypot is great at providing a deeper insight into how attackers perform attacks and the techniques they use.

Specialized Honeypot Types

Malware

The environment is exposed to known vulnerabilities to attract attacks and gather intelligence to better understand how attackers execute these attacks. Organizations can use the information gathered and make necessary changes to strengthen their security posture.

Spam

Focuses on capturing spam emails by creating a dedicated spam email address that can be scrapped by attackers using an email harvester. Once the attacker has the email address they will begin sending spam emails. The information gathered can be used to block the sender and similar emails.

Database

Houses fake datasets in an environment vulnerable to software and architecture structures to attract attackers. Information is gathered on injection attack techniques, credential hijacking, and various similar attacks.

Spider

This honeypot targets web and ad-network crawlers to collect the necessary information to help better understand malicious bots and blocking methods.

Honeypot Complexity Classification

Low-interaction

A low-interaction honeypot complexity environment collects basic information about an attacker as it contains low resources which results in advanced attackers easily spotting them. It is a convenient and commonly used complexity due to how easy it is to set up and maintain.

High-interaction

A high-interaction honeypot complexity environment consists of multiple levels making it interactive to hold an attacker’s attention. Implementing a “honeywall” or perimeter around the honeypot is highly recommended to protect the real network as it allows the security team to control the inbound/outbound traffic.

Pure

A pure honeypot complexity environment is a full-scale environment mimicking the real production environment making it highly interactive. This complexity allows the security team to track the attackers’ activity and is mostly used for research purposes.

And Then There are Honeynets

A honeynet consists of two or more interconnected honeypots and they are designed to collect data from sophisticated attacks like ransomware and DDoS. Honeynets offer a more realistic feel for attackers making them believe they are successfully moving from one point to another. This allows the security team to gather information on the techniques attackers use to launch sophisticated attacks and how they move about once inside the network.

Benefits & Risks

Benefits

• Test incident response
• Slow down or deter attackers
• Gather intelligence and use it to strengthen the security posture

Risks

• Cannot detect data breaches
• Improper configuration can lead to attackers breaching the real network
• Attackers can use false attacks on honeypots to distract the security team from a real attack

Sticky Situation…

Honeypots enhance cybersecurity by providing intelligence to organizations and enabling researchers to study attack techniques and attacker methods. These controlled environments allow malicious actors to launch attacks without causing real damage, offering insights unattainable until after a data breach. However, honeypots also carry risks, and acknowledging them and their limitations is crucial to keeping the real network secure.

Phish, Phish, Phish …

Social engineering is the most common threat companies and individuals alike face. Malicious actors launch social engineering attacks in an attempt to gain access to information they can further exploit. There are several social engineering attacks such as Baiting, Pretexting, Quid Pro Quo, Phishing, etc. So, which social engineering attack is most commonly used? Phishing! That’s right, phishing has a high success rate making it a favorite among malicious actors. But how effective are we at detecting phishing emails? Well, the answer is … we are not as effective as we like to think. Even cybersecurity professionals have fallen victim to phishing attacks!

Hooking The Bait …

Malicious actors have a way of making their phishing emails sound important and urgent. They hook the victim by making them think that they must take action and if not there will be a negative consequence in return. Phishing emails will usually contain a malicious link or attachment.

Let’s look at the following email …

… Do you spot any red flags?

Although phishing emails vary in content, they all tend to contain the same red flags. Let’s examine the above email in detail …

The subject line of this email suggests that the contents of the email are important and action must be taken. To be fair sometimes providers do send emails with subjects similar to this one. But it is important to note the sense of urgency the malicious actor is implementing here as it sets the tone for the rest of the email.

Next, take a look at the sender’s name and email address. This is the first clear red flag encountered in this email. The sender’s name indicates that this email should be coming from Zelle® but the name is zelle fast and the email address is bakaretracy123@gmail.com which shows that this email is not coming from Zelle® but rather from someone attempting to impersonate the company. Why would a legitimate company use a regular Gmail account to send its customers emails?

Phishy …

The UNDER REVIEW purple button is clickable although at first glance it does not show any indication that it is. If the victim of this email had clicked on the button, they would have been taken to a website that prompts them to input their login credentials. Many times, malicious actors will include buttons like these to trick the victim into clicking it either out of curiosity or accidentally.

Upon further inspecting the body of the email many red flags can be spotted. The name of the person who is “sending” money is inside parentheses which is unusual. Malicious actors tend to use phishing templates for a faster creation process which contain fill-in fields and we can assume that they placed the name Brett Trent as one of the fillers.

The second paragraph also urges the victim to take action in order to receive payment by following the given instructions. It also fails to mention the name of the sender’s bank. Another thing to note here is the use of the word usually which hints at a may or may not meaning.

“You’ll may or may not get their payment once you follow the instructions below.”

Smells real phishy …

Again, pay attention to word usage. Here the malicious actor used the word hereby to sound authoritative. At the beginning of the email, there is an amount of $85 USD shown but, in this paragraph, it is stated that the victim will receive an additional $315.00 USD in order to obtain a certificate that provides an unrestricted zelle account. The malicious actor is promising more money than expected plus an unrestricted account, sounds too good to be true. The last sentence contains incorrect grammar which is typical for phishing emails. Grammar mistakes are not spotted right away and can be easily missed if not read thoroughly.

The malicious actor uses persuasive language to put the victim at ease and ensure them that they will receive their payment and an unrestricted zelle account. But hold on! They finish off by stating “neither the buyer nor the seller will lose a dime”, this is an odd statement to make. I have not come across a company that uses language like this.

Lastly, at the end of the email, the malicious actor added a copyright stamp to further legitimatize the email. The legitimate Zelle® has the trademark symbol and it is owned by Early Warning Services, LLC.

Spotting The Phish …

Here are the main takeaways to help spot phishing emails:

• Email address — Pay attention to the structure of the email address and the sender’s name. Often the name will look legitimate, but the email address will contain an error and give it away.
• Tone & Timing — Malicious actors are notorious for setting a tone of urgency on their email subject lines and email bodies. If an email is prompting you to take action make sure you are expecting such email and if not, it is best to call your provider directly to verify.
• Color scheme & graphics — If the email contains any graphics such as logos pay close attention to them as they will often seem a bit off (pixelated) and the color scheme will not match the actual legitimate company. This might not always be the case since some phishing emails are more sophisticated than others.
• Grammar — This is probably one of the best things to look for because 9/10 times the phishing email contains misspelled words, improper sentence structure, slang, etc. However often these errors are overlooked because most people just skim through the email instead of reading it thoroughly.
• Too good to be true offers — Some phishing emails will promise something in return for doing what is being asked of them but the reward sounds too good to be true. No one gives away money via email … yea I know bummer.
• Greeting — Phishing emails will contain a generalized greeting such as Hello Customer or Dear Customer. This is because malicious actors do not know your name or as explained earlier they are using fill-in phishing templates. Any service provider you use will always greet you by your first name or last name or both.
• Attachments & Links — Be on the lookout for weird attachments and links since these can be malicious. Malicious attachments will have the file extension ending in something unfamiliar like .exe.
• Requesting sensitive data — Credentials, financial information, and any Personal Identifiable Information (PII) are considered sensitive data. If an email is asking you to verify or provide sensitive data it is most likely a phishing email.

Phish Me Not …

As technology evolves so do social engineering attacks and phishing emails are getting more sophisticated every day. Staying informed about phishing email trends and learning more about social engineering can save you from becoming a victim. Successful phishing attacks can cause devastating damage to companies and individuals. Data has become one of the most valuable assets that must be protected. Stay vigilant and say phish me not to malicious actors.

What is Social Engineering?..

Social engineering is a form of attack that exploits humans by using manipulative tactics to trick victims into doing what the malicious actor needs to further perform an attack. Humans are inherently trusting in the workforce and attackers use this to their advantage. There are many forms of social engineering such as phishing, baiting, tailgating, quid pro quo, and more.

The first step malicious actors take is to investigate the target which is also referred to as the reconnaissance phase. They will find information regarding the organization, employees, emails, phone numbers, social media, third-party vendors, etc. Malicious actors will use this information to determine which social engineering attack to launch.

Social Engineering Attacks …

Phishing — An attacker sends an email to its victim masquerading it as legitimate communication to trick them into clicking on a link that either takes the victim to a site where they are asked to input login or personal information or the link downloads malware.

Baiting — This attack involves leaving a physical device such as a USB stick containing malware in a location where it could be found by the target or someone with access to the target.

Tailgating — Also known as “piggybacking”, tailgating is when an attacker follows an authorized party into a secured area. An authorized party will often just hold the door open for the attacker under the assumption that they also are allowed in the secure area.

Quid Pro Quo — This term translates to “a favor for a favor” and involves an attacker pretending to be someone exchanging a favor with the victim. This attack is best explained by using an example: An attacker pretends to be someone from the IT department calling the victim to help walk them through the steps to update their system or install a required software. The attacker is pretending to help the victim when in reality they are using them to gain access to the network by obtaining credentials or remote access.

Prevention …

Avoid clicking on links sent via email or other forms of communication if it is from an unknown source. Always double-check the email address of the sender and be aware that attackers can spoof a legitimate email address so always double-check by contacting the source.

Provide training to your employees on cybersecurity awareness and all the different social engineering attacks they might face. Education is knowledge and employees need to be aware of what these attacks might look like to help them prevent attacks.

Keep software up to date on all devices as updates usually offer security patches. When there is a known vulnerability and your systems are not patched against it, attackers will exploit it to gain access.

Always verify the identities of individuals you do not know to ensure they are who they say they are. Be wary of calls claiming to be from IT, any other department, third-party vendors, or anyone claiming to need a favor from you or is offering to help you.

Maintain anti-malware up to date so the most recent version is running on the systems. Anti-malware companies send out updates to patch vulnerabilities and because they have added detection tools for new attack vectors.

Don’t Be Fooled …

Social engineering is meant to trick, fool, and manipulate individuals into doing what an attacker wants without much resistance. It is vital for companies to invest in cybersecurity training as employees are vulnerable to these types of attacks. If an employee is not informed on what to look out for the attacker will use that to gain access and compromise the network. DON’T BE FOOLED!!!

The Culprit …

Human error is the main culprit behind security breaches and employees are at the forefront when it comes to keeping them at bay. Human error can result from erroneous execution of daily tasks, uninformed decision-making, or a combination of both. Most companies fail to invest in cybersecurity education and when their employees come face to face with a potential attack, they fail to recognize it as such.

Given that human error is considered the number one cause of security breaches the best defense against it, is end-user education. Providing company employees with cybersecurity education can better equip them to detect and even stop a breach before it even begins. But how can companies do this?

Cybersecurity & End-user Education Starting Point …

Finding topics to cover can be overwhelming because there are so many attack vectors out in the wild. The best thing to do is to focus on one of the most common forms of attacks such as social engineering which gives you plenty of coverage. Social engineering is the most common form of attack companies face and this is where most attackers begin. There are many subcategories to social engineering such as phishing, vishing, baiting, pretexting, and so many more.

Building simple and easy-to-digest educational material around social engineering and its subcategories will help employees understand, recognize, and potentially prevent these types of attacks. Conduct regular training or workshops and promote a security focus work environment to encourage employees to participate.

Human Error …

The two most common human errors are those involving daily tasks and decision-making. Employees are required to make decisions and if not well informed they can make the wrong decision thinking they made the correct one. One example of this is clicking on a link from a phishing email that looks legitimate but it is not. The employee does not know what to look for in phishing emails or the tactics used by attackers. By the employee clicking on that link the network is now compromised.

Human error involving daily tasks can be something like sending an email containing sensitive information to the wrong person. This can occur due to the employee being distracted, tired, or simply because of the suggestion feature most email providers offer. Something so minuscule can place company security at risk of a security breach.

Combating Human Error …

As previously stated, the best way to combat human error is by providing end-user education through workshops or regular training. The material provided should be informative and easy to understand. Take into consideration that everyone has different learning styles and try to incorporate them as best as possible in your workshops or training. Every company operates differently therefore implement solutions to employee tiredness, distraction, etc. that best suits your company’s needs.

Originally published at https://walkingeclipse.hashnode.dev on January 20, 2023.