1

1

Building a Cyber Range

Kevin Cardwell

Methods◦ New

From scratch◦ Clone

From and existing image◦ Convert

Works only on Windows

Virtual Machine Creation

2

Use the wizard◦ Has an easy install option

Only works for some operating systems Has two methods

Typical Accepts the standard defaults

Custom Can select memory allocation Network type

New

3

Custom◦ Preferred method◦ Allows for SCSI or IDE virtual disk◦ Store the virtual disk in another location

New (cont)

4

Creates a copy of the virtual machine◦ Linked

Related to the VM used as source◦ Full

Complete and separate clone

Cloning

5

Cloning (cont)

6

VmWare Converter◦ A tool to convert a physical machine to a virtual

machine◦ Not an exact science◦ Only on Windows

Converting

7

Network Connection Type

8

Connects to the network using the host network adapter

Connected to physical network

Bridged

9

Share the IP and MAC address of the host Not visible outside of the network

NAT

10

Creates a network completely contained within the host

Can isolate a network Cannot connect to the Internet

Host-Only

11

Can create sophisticated networks

Custom

12

Switch

Attacker Box

Vmnet1

Vmnet2Vmnet3

Vmnet4

Web

InfrastructureRC

TAC

13

Router◦ If do not have a device◦ Use dynamips

www.dynagen.org Requires Cisco IOS

Zeroshell www.zeroshell.org

Bastion Host◦ Any

Smoothwall free version – www.smoothwall.org pfsense

Based on FreeBSD Load balancing

Build it with 3 or 4 interfaces◦ Red◦ Green◦ Orange (DMZ)◦ Purple Wireless

Components

14

Attacker machine◦ Windows with a VM

Kali Pentoo Build your own custom box

An inside machine◦ Windows

All boxes with at least two network cards configured◦ Can bind and isolate attacks if needed

Start research◦ Lab it up and test it!

Components (cont)

15

Replaced teams Allows you to power on and off complex

ranges all with one click

Folders

16

When you do your information gathering Identify the systems, services and software Lab it up and play!

◦ Start with a flat network◦ If you cannot get it with that, you never will

through layers of defense Document what works and does not work

Planning

17

18

Building the Range

19

Island Hopping and Pivoting Exploit Proxy

Advanced Techniques

20

As you compromise assets, the perspective of the attacker changes

You now are located at the point of the compromised system

Allows us to leverage trust relationships

Island Hopping and Pivoting

21

Island Hopping and Pivoting (cont)

External

Screeningrouter

Internal

Bastionhost

WWWserver

FTPserver

Services subnet

22

A component of island hopping and pivoting Leverages the inside machine

◦ Plant my exploits there run exploits all from the inside machine

◦ This is fun!!!!! Requires an advanced shell

◦ The inside machine is not going to know about your network Have to add a route on the inside machine

Made easy with the tools Metasploit Meterpreter

Exploit Proxy

Thank You! Kevin Cardwell cesi@ieee.org

Questions?

23

Kevin Cardwell

2nd Edition