Security training is very important for any organization. When developing a training program, do not forget about the security staff. I am all for sending people to SANS and other companies’ security courses. Once your people come back, how will they practice what they have learned? Hopefully, every day at work does not involve tracking inventive hackers through your network. Hands-on security is the best way to develop skills and stay sharp. This is where security challenges, practice sites, and examining attack data can be fun and of great benefit. They all provide an opportunity to test one’s knowledge along with the security tools used for discovering vulnerabilities and defending your organization.
Jonathan Ham and Sherri Davidoff from the SANS Internet Storm Center (ISC) and Raul Siles from InGuardians have created two recent, still open, security challenges. Sherri, co-author with Jonathan of the SANS Network Forensics course, has posted “Network Forensics Puzzle Contest!” (8-14-2009). The most elegant solution wins a free SANS On-Demand class (worth up to $3500 depending on the course). Raul wrote a new hacking challenge on the Ethical Hacker Network site, titled “Prison Break – Breaking, Entering & Decoding” (7-27-2009). Three winners will be selected based on: the best technical answer, creativity (while also technically correct), and a random drawing. Winners will receive signed copies of Ed Skoudis’ book, “Counter Hack Reloaded.”
Ed Skoudis, of Counter Hack Reloaded fame along with various SANS hacking and penetration testing courses (see Ed in Virginia Beach teaching “Network Penetration Testing: Planning, Scoping, and Recon” August 30th – September 4th), is the host bringing new monthly challenges created and managed by the fine folks of InGuardians. The great thing about past challenges is that they allow you to try the problems and check your solutions immediately. Check out Ed’s Counter Hack Reloaded site for a few additional, older challenges.
UPDATE: For a challenge in the forensics realm, check out the series of posts by Dave Hull (trustedsignal) on the SANS Forensics Blog. This series discusses the FAT file system. Dave provided the following description: “I’ve provided a copy of the disk image used during the series and have ended almost every post with a challenge question and have been giving away a forensics related title from the Syngress Publishing group. We’ve had a great time and the series is in the archives for anyone who wants to check it out.” Dave is working on a series for NTFS, which he should start posting in the next few weeks. The series is very informative and a great hands-on way to learn.
Greg Conti, author of Security Data Visualization, co-authored the paper “Toward Instrumenting Network Warfare Competitions to Generate Labeled Datasets.” The paper was written for the CSET ’09 Workshop on Cyber Security Experimentation and Test. The authors demonstrate how network warfare competitions can be instrumented to generate modern labeled data sets. They have made available the archived data captures and log files from the 2009 Inter-Service Academy Cyber Defense Competition. The annual competition pits the service academies, including West Point, against an actual National Security Agency Red Team. There is a great deal to be learned by examining this data. A blog has been set up to discuss the data. They are hoping to do a few more data captures of network warfare games, as well as data captures of red-on-blue events at the US Military Academy at West Point.
There are a few additional sites where you can obtain data captures. JJC, from the “Security – The Global Perspective” blog, manages the OpenPacket.org site. The site’s mission is to “provide quality network traffic traces to researchers, analysts, and other members of the digital security community.” The site pcapr, powered by Mu Dynamics, calls itself a “social nOtworking site.” Go to the site to learn about networks and protocols from packet captures.
UPDATE: The folks from pcapr wrote in and pointed out that they just made available the “Collaborative Network Forensics” area where they “took the recently published ITOC dataset and the CCTF captures from the Shmoo group, indexed them for real-time browsing and contextual search/extract.” As they point out, “with over 15.0 GBytes and 26.3 million packets, this now represents the largest collection of indexed pcaps online.” Really nice.
The VizSEC site maintains links to various repositories of data sets. SourceForge, as part of the NetworkMiner tool, has links to publicly available PCAP files. The Wireshark site also has a few links and sample PCAP files.
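Once you have pulled down one of these captures, the first step is simply being able to walk the file yourself rather than relying entirely on a GUI. The following is an added example (my own code, not from any of the sites or tools above) that reads the classic pcap container format, decodes Ethernet/IPv4/TCP headers, and pulls out one simple pattern worth looking for in competition data: a single source sending bare SYNs to many ports on a target. The capture it parses is constructed in memory (four SYN probes from 10.0.0.5 to 10.0.0.1 plus one ARP frame) so the script runs offline; IP and TCP checksums in that sample are left at zero, and the addresses and ports are made up.

```python
import socket
import struct
from collections import defaultdict

# Constructed sample traffic for the demonstration: one host probing four ports on
# one target with TCP SYNs, plus an ARP frame that the IPv4 decoder has to skip.
SAMPLE_PROBES = [("10.0.0.5", "10.0.0.1", 40000 + i, p)
                 for i, p in enumerate((22, 80, 443, 8080))]


def build_tcp_syn(src_ip, dst_ip, sport, dport):
    """Build an Ethernet/IPv4/TCP SYN frame. Checksums stay zero: this is a
    constructed sample for parsing practice, not traffic to put on a wire."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_arp_frame():
    """A broadcast ARP frame (ethertype 0x0806) with a zeroed body."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + b"\x08\x06" + b"\x00" * 28


def build_pcap(frames, endian="<"):
    """Serialize frames into a classic pcap image (version 2.4, link type 1 = Ethernet)."""
    out = [struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(endian + "IIII", 1250000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a pcap image, detecting byte
    order and the nanosecond-magic variant from the first four bytes."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        yield ts_sec + ts_frac / (1e9 if nanos else 1e6), data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers into a dict. Returns None for
    anything that is not plain IPv4 (ARP, IPv6, VLAN-tagged frames are skipped)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    rec = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": proto, "sport": None, "dport": None, "flags": None}
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        rec["flags"] = l4[13]  # TCP flag byte; 0x02 is a bare SYN
    return rec


def syn_targets(pcap_bytes):
    """Map each source IP to the set of destination ports it sent bare SYNs to.
    One source touching many ports on one host is the classic port-scan signature."""
    targets = defaultdict(set)
    for _ts, frame in read_pcap(pcap_bytes):
        rec = decode_frame(frame)
        if rec and rec["proto"] == 6 and rec["flags"] == 0x02:
            targets[rec["src"]].add(rec["dport"])
    return dict(targets)


def sample_capture(endian="<"):
    """The constructed sample capture, in either byte order."""
    frames = [build_tcp_syn(*probe) for probe in SAMPLE_PROBES] + [build_arp_frame()]
    return build_pcap(frames, endian)


if __name__ == "__main__":
    for src, ports in syn_targets(sample_capture()).items():
        print("%s sent SYNs to %d ports: %s" % (src, len(ports), sorted(ports)))
```

To run it against a real download, replace `sample_capture()` with the bytes of the file; the same `read_pcap` loop works for either byte order, which matters because captures from different platforms do not all agree on it. The pcapng format used by newer Wireshark releases is a different container and is not handled by this parser.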
Practice can be done by installing software, using disk images, or by going to sites/training grounds. Installing the software turns the machine into a deliberately vulnerable host, so make sure to do it on a local machine inside your LAN that is used solely for testing. For ISO images, set the VM’s network adapter to host-only (or at least NAT) so the guest is reachable only from the host OS and cannot be bridged onto the rest of your network; anything that can be exploited in the lab can be exploited by whoever else can reach it. If you go to a site, take caution and remember the site could be hostile. In other words, be properly paranoid.
In my post “WebGoat, Lua, and ModSecurity verses Password Guessing,” I go through the steps of setting up WebGoat. WebGoat is a deliberately insecure J2EE web application maintained by OWASP and is intended to teach a structured approach to testing and exploiting vulnerabilities within an application security assessment. WebGoat is written in Java and installs on any platform with a Java virtual machine. The YGN Ethical Hacker Group has made available a series of videos walking through WebGoat v5.2. There are currently over 30 lessons.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is lightweight, easy to use and full of vulnerabilities to exploit. Ryan Dewhurst, developer of DVWA, created a video showing the installation process:
If you prefer PHP scripts, Mutillidae is a set of scripts that implements the OWASP Top 10 vulnerabilities. Adrian Crenshaw posted the presentation he gave to the Louisville Chapter of OWASP about the Mutillidae project, titled “OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF).”
ISO Disk Images
On the ISO disk image side, there are a few interesting options. The BadStore demo helps in understanding web application vulnerabilities and shows how to reduce exposure.
For a full-scale, lesson-based environment, there is the Linux-based distribution Damn Vulnerable Linux (DVL). Mayank Sharma writes in the article “Securing Linux by breaking it with Damn Vulnerable Linux:”
“Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.” “The one thing that sets DVL apart the most,” Josh Sweeney says, “is the focus on buffer overflows and disassembly.” Disassembly, he says, is often talked about in conjunction with buffer overflows and reverse engineering. “Disassembling is when someone breaks down a program into the assembly language for further analysis. By doing this, users can analyze code at a very low level and look for security issues. There have been many excellent papers on the subject over the years, but these generally don’t come with learning tools in a self-contained, easy-to-use environment.”
Thomas Wilhelm is the author of “Professional Penetration Testing: Creating and Operating a Formal Hacking Lab” and the creator of both the Hackerdemia project and the De-ICE.net Pentest LiveCDs project. Hackerdemia is a LiveCD that contains several vulnerabilities, including unpatched software, misconfigured services, default passwords and a few other surprises. Paul Asadoorian posted “Scanning Vulnerable Linux Distributions With Nessus,” where he walks through using Nessus to determine the vulnerabilities within Hackerdemia. The De-ICE.net Pentest LiveCDs are disk images that boot into fully functioning servers. The Security Aegis site has an interview with Thomas where he discusses these projects along with the Heorot.net pentest video training and his recently published book.
One more Linux VM intentionally configured with exploitable services is pWnOS. It was created by Brady Bloxham, a.k.a. bond00. Below is a nice introduction video.
The Web Application Attack and Audit Framework (w3af) project has created a VMware image, called Moth, which is a set of vulnerable web applications and scripts. The w3af core and its plugins are fully written in Python, with more than 130 plugins checking for SQL injection, cross site scripting (XSS), local and remote file inclusion, etc. What is really interesting about Moth is that it allows for testing of web application scanners and learning how web application firewalls work, by providing a way to access the web applications and vulnerable scripts directly, through mod_security, and through PHP-IDS.
On the system side, LAMPSecurity has been creating a series of capture the flag exercises, each of which uses a full Linux virtual machine that is vulnerable to remote root compromise due to a number of vulnerabilities. The most recent exercise is Capture the Flag 6 and was released 7/17/2009. The documentation will take you through the steps of the exercise.
The Mighty Seek Podcast did a Hands On Series and set up the NTO Hackme Test site, which includes the podcasts along with the opportunity to test out what is discussed. Dan Kuykendall did two episodes: “Episode #01 – SQL Injection Part 1 [Intro]” and “Episode #02 – Cross Site Scripting (XSS) Part 1 [Intro].”
Hack This Site (HTS) is a website to test and expand one’s hacking skills. You will need to register with the site to access the hacker challenges. There are various lessons and missions. User cwade12c has posted several video tutorials covering missions. Below is “Hack This Site – Basic 1 Tutorial” to give you a feel for the simplest of challenges:
HellBound Hackers (HBH) is another site offering a large resource consisting of challenges, articles, forums, etc. The LifeofaHacker site has published some challenge tutorials/walkthrough guides for both Hack This Site (HTS) and HBH.
Enigma Group is similar to HTS and HBH in terms of tutorials, articles, and hacker challenges. There are some educational and humorous short tutorial videos.
Smash The Stack (StS) Wargaming Network has a progression of challenges where each challenge depends on the completion of the previous one. The challenges are *nix based. To get started you ssh into one of the wargame servers on port 2224 using the password “level1”, at which point you receive a message letting you know how to proceed. The password for the next level will be located in a different place, depending on the game. Questions can be asked in their forums area. OverTheWire offers similar wargame challenges.
A Few Final Thoughts
The above list represents a few sources I have experience with. Duncan Alderson on his site Webantix has done a great job of listing war games/hacking simulators in his post, “War Games. Current and past hacking simulators and challenges.” The New Order site also has a much more comprehensive list.
Just remember, it is good to be paranoid. Even HTS, with a user base of over 1,300,000, can still have problems with disgruntled current and past employees. We are talking very skilled, intelligent, and disgruntled employees. In the last major attack, root-level access to the website was gained and HTS was taken down for months.
It is a dangerous world. That is exactly why skilled ethical hackers are needed. One of my college professors would always say, “Repetition is the key to learning.” He repeated it so many times, I finally learned that lesson. The above links help provide a challenging way to practice and learn. Give them a try and have some fun.