My New Home Lab Setup

After I posted in Twitter that I was building a second ESXi server for my lab I got quite a large number of replies and direct messages on what I used as a lab. Based on the interest I decided to write a blog post on why I choose the gear I did and where do I see upgrading it in the near future.


I have to say we need to start with the needs first since this will dictate what hardware I will need, what hypervisor is best for the work I will do and will also have an impact on my budget.

I need a lab where I can run:

  • Operating Systems:
    • Windows XP/2003 to the latest version 8.1/2012 R2 - I have a MSDN Subscription this year that will help me cover the older versions of the OS and allow me to build permanent labs for complex setups since do to time and work I can not be rebuilding every couple of months. For the latest versions of Windows I use trial versions since Microsoft offers 180 days for server versions and 90 days for client version of the OS this allows me to test different types of persistence and weird configs and I just re-deploy from a template.
    • Linux - I run all kind of different versions of Linux where I test Bash, Python and Ruby scripts I write plus also test forensics and log management research.
    • Oracle Solaris - Currently have customers that run Solaris so I need to be able to run it to test all kinds of configurations, scripts and custom Metasploit modules.
    • FreeBSD - To isolate my labs I use PFSense and also I run several VMs with versions of JunOS that is based on FreeBSD.
    • OS X - Even do I can run OS X on my MacBook Pro I still prefer to have several copies of the server products and the recent client versions since I have been seeing it more and more in corporate environments and it has always been present in educational ones.
  • Nested Hypervisors (VMware, MS Hyper-V, KVM and Xen) - In my day job I do a lot of work on the security of different hypervisors and also I maintain some post-exploitation code to detect when running inside of a VM.
  • Support for Virtual Switches - Virtual Switching allows me to create separate networks with different policies so as to isolate traffic and also mimic a real network better. Some virtual switches allow for port mirroring and bandwith throttling so I can use IDS/IPS for testing, Capture traffic and also mimic WAN connections.
  • API for VM Management - The ability to automate deployment and configuration of VMs becomes important when one needs to tests conde or workflows against different operating systems under different configurations.
Read More

Deploying EMET 4.0 in Small to Medium Environments using WSUS

The Enhance Mitigation Experience Toolkit (EMET) has to be one of the Microsoft security tools that I recommend the most to organizations of all sizes, friends and family do to that it helps curve in many cases the window of exploitation for many client side attacks when configured right on client machines in the network. EMET also provides protection for known vulnerabilities that have not been tailored to bypass it and against 0 day client side exploits for known software.

Many other people have written about the capabilities of EMET so I will not cover all the new features added and new capabilities in 4.0, in fact the documentation from Microsoft is great it covers how to deploy EMET via Group Policy and how to deploy it using System Center Configuration Manager. The documentation also cover all the features in great detail so I will not bore you regurgitating that information from there.

Now for this blog post it will part from some pre-conceived notions:

  • All machines where we will deploy EMET are part of a Domain.
  • WSUS is configured and issuing patches to the machines in the domain.
  • You have organized your machines in to groups and your deployment of EMET is planned along this groups.
Read More

PowerShell for Security Professionals Class at Derbycon

On September 25 and 26 I will be teaching at Derbycon my class on Introduction to PowerShell for Security Professionals . To give a bit of background on it I have since 2007 been using PowerShell since version 1 for automating, managing, securing and breaking Exchange, Windows, VMware, NetApp and even Cisco for several customers in the Caribbean, Central and South America. I have to admit of all the command shells I have used PowerShell has to be my favorite, it is truly a very powerful shell. I have coded several thousands of lines of PowerShell, in modules both in PowerShell and C#, I have also written several blog posts on it, all of this leading me to the creation of these class. Microsoft is evolving its technologies at a more rapid pace and PowerShell has become a critical pillar of its Management Framework for Windows and Server products. In the class targeted at security professionals, to me these are:

  • System Admins that care about security.
  • Auditors and Incident Response teams that need to work with live and offline Windows Systems.
  • Pentesters that want to expand their skills with new ways to discover, enumerate, attack and do post exploitation using PowerShell.

The first day it will be a fast paced introduction to PowerShell and its philosophy, Covering:

  • What is PowerShell.
  • Using the Help Subsystem.
  • Working with the Pipeline.
  • Extending PowerShell via Module and Snappings.
  • Formatting
  • Remoteting
  • PowerShell notion of security
  • WMI and CIM
  • Powershell Scripting Syntax

The second day will cover:

  • Network Discovery.
  • Incident Response and Auditing.
  • Post Explotation
Read More

Stealing User Certificates with Meterpreter Mimikatz Extension

The Mimikatz extension on Meterpreter allows us to use the same commands we would on the standalone tool inside of Meterpreter as native commands. This blog post will cover specifically the stealing of a users certificates by exporting their keys for use by the attacker. In this specific scenario we have gotten a Meterpreter session on a developers system. The system is a Windows 7 System as we can see

Read More

DNSRecon 0.8.6 is Out!

Just updated DNSRecon to check if it can pull the Bind Version by doing a query for the TXT Record version.bind and it will now check if the RA Flag is set in responses from each of the NS servers it detects. If the server has recursion enabled it could be used for DDoS attacks and for performing Cache Snooping.

Read More