* No badgers were harmed in the creation of this blog *

** Not intended to diagnose, treat, cure, or prevent any disease **

Monday, December 18, 2023

First Hack: Metasploitable

Metasploitable (https://sourceforge.net/projects/metasploitable/) is a Linux instance that has been designed to be hacked: it ships with intentionally built-in vulnerabilities. Since it is known to be vulnerable, prudence requires running it in a walled garden. In my case, I'm running it behind the pfSense firewall I set up in my last post. Doing so is easy enough: once I download and extract the instance, I set its network connections to the internal LAN segment I created when setting up pfSense (it should have no bridged or NAT adapter of its own, so that its only route out is through the firewall). I've connected my Debian instance to the same LAN, and we're off. Metasploitable is named after Metasploit (https://www.metasploit.com/), a pen testing framework.

Now that both instances (the attack box and the target) are on the same sheltered network, my next task is to find the target from my attack box. One option is nmap, a rugged, versatile, and loud tool originally designed for mapping networks as part of routine administration. At a minimum, nmap needs an IP address or network range to scan. Though chances are high that I'm on the 192.168.1.0/24 network, assumptions will get me nowhere, so I quickly run ifconfig to confirm my own address and netmask.

It turns out that I am on the 192.168.1.x network, so the nmap command would be:

sudo nmap -sn 192.168.1.0/24

In this case I can use nmap, since I'm the only one on the network, but nmap isn't exactly stealthy. The -sn flag is a host-discovery scan with no port scan; run as root against a directly connected subnet, nmap does it with ARP requests (I discuss ARP here), sending one to every address in 192.168.1.0-255 and listening for replies. Anyone else on the network who is listening will see this traffic, and since a single host asking for every address in the range within a few seconds is not a benign pattern, it should raise a flag: someone's scanning your network. There are other ways to use nmap (against a subnet that isn't local, -sn falls back to ICMP echo and TCP probes, for instance), but they're also noisy.

Another option is netdiscover, an ARP-based tool. By default it also sends out ARP requests, but it can instead be set to listen passively for ARP traffic and assemble a map of the network from that. ARP requests are broadcast (sent to every device on the segment), and each one carries the sender's own MAC and IP address, so simply listening long enough reveals every host that talks to anything; an idle host, on the other hand, never shows up. Since I'm only listening, the activity is far stealthier: nothing leaves my machine.

The syntax for an active scan, limited to this network, is sudo netdiscover -r 192.168.1.0/24. A passive scan is sudo netdiscover -p. Note the lack of addresses on the passive scan, as we're simply listening to whatever floats past.

On a passive scan, I don't catch anything while my Metasploitable instance sits idle, but when I ask it to ping Google's DNS server, I get a result. Actually, I get two:

Address 102 is Metasploitable, as I previously determined by using ifconfig from that machine. Normally, I wouldn't be able to perform this type of check, but here I can. Address 1 is my host machine - the machine I use to host my Kali box, pfsense, and Metasploitable.
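To make concrete what the passive mode is actually doing (and why an idle host stays invisible until it ARPs for its gateway), here is an added example of my own; it is not code from this post or from netdiscover. It parses raw Ethernet/ARP frames, builds the same IP-to-MAC map netdiscover shows, and additionally flags an IP claimed by two different MACs, which is how an ARP-spoofing attacker on the same segment would show up. The frames it runs on are constructed for the example: the MAC addresses, the 192.168.1.50 host and the pfSense-example gateway MAC are made up, and the sniff_live helper (Linux only, needs root) is an assumption about how you would feed it a real capture.

```python
"""Passive ARP host discovery, the idea behind `sudo netdiscover -p`.

Added example for this post; not code from the original blog or from
netdiscover. SAMPLE_FRAMES is a constructed capture with made-up MACs
on the post's 192.168.1.0/24 lab network.
"""
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6


@dataclass(frozen=True)
class ArpInfo:
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(frame: bytes):
    """Return ArpInfo for an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return ArpInfo(op, _mac(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa))


def build_host_map(frames):
    """Map sender IP -> set of MACs claiming it, from every ARP packet seen.

    Requests are broadcast, so a passive listener sees them from every host
    that talks to anything; replies are unicast and are only seen when they
    are addressed to the listener (or the segment behaves like a hub).
    """
    hosts = {}
    for frame in frames:
        info = parse_arp(frame)
        # Sender IP 0.0.0.0 is an ARP probe from a host still acquiring an address.
        if info is not None and info.sender_ip != "0.0.0.0":
            hosts.setdefault(info.sender_ip, set()).add(info.sender_mac)
    return hosts


def find_conflicts(hosts):
    """IPs claimed by more than one MAC: an address conflict or ARP spoofing."""
    return sorted(ip for ip, macs in hosts.items() if len(macs) > 1)


def build_arp_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Construct an Ethernet/ARP frame (used here only to build sample traffic)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    tha = bytes.fromhex(dst_mac.replace(":", ""))
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    return (ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, socket.inet_aton(src_ip),
                           tha, socket.inet_aton(dst_ip)))


# Constructed capture: Metasploitable (.102) pings 8.8.8.8, so it ARPs for its
# gateway (.1); the gateway answers; an unrelated IPv4 frame goes by; a host
# with no address yet probes; then a second MAC also claims .1 (spoof/conflict).
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "08:00:27:aa:bb:cc", "192.168.1.102",
                    "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(ARP_REPLY, "00:0c:29:11:22:33", "192.168.1.1",
                    "08:00:27:aa:bb:cc", "192.168.1.102"),
    BROADCAST + bytes.fromhex("080027dead01") + b"\x08\x00" + b"\x00" * 40,  # not ARP
    build_arp_frame(ARP_REQUEST, "08:00:27:00:00:99", "0.0.0.0",
                    "00:00:00:00:00:00", "192.168.1.102"),
    build_arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1",
                    "08:00:27:de:ad:01", "192.168.1.50"),
]


def sniff_live(iface: str, count: int = 50):
    """Linux-only replacement for SAMPLE_FRAMES: raw ARP frames from iface.
    Needs root or CAP_NET_RAW; not exercised by the sample run below."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP))
    s.bind((iface, 0))
    for _ in range(count):
        yield s.recv(65535)


if __name__ == "__main__":
    seen = build_host_map(SAMPLE_FRAMES)
    for ip, macs in sorted(seen.items()):
        print(ip, sorted(macs))
    print("conflicts:", find_conflicts(seen))
```

Run as-is it prints the two hosts from the sample capture and flags 192.168.1.1; swap SAMPLE_FRAMES for sniff_live("eth0") under sudo to listen on the lab segment. Note that the gateway's reply is only in the sample because it is addressed to the listener; on a switched network you mostly learn hosts from their broadcast requests, which is exactly why the idle Metasploitable box stayed invisible until it pinged out.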


EDIT: 2023-12-23: fix typos, distinguish between Metasploitable and Metasploit

EDIT: 2025-07-06: edit punctuation, it's to its

Saturday, May 27, 2023

Home lab setup: 2

In my last post, I downloaded an ISO image of the pfSense firewall, adapting instructions written for VirtualBox to my VMware setup. I left off with the software running, but no IP address for the WAN, as seen at right. The console menu gives an option to set an interface IP address: option 2. From there, I'm asked whether to set the address via DHCP; IPv4 and IPv6 are separate questions. Answering 'no' to DHCP lets you enter an address manually. Answering 'yes' for IPv4 and 'no' for IPv6 does nothing. Oops - it was already set up that way, so there was no change. Googling a solution means finding pfSense setup directions; pfSense has its own page, it's the top hit, and I start there (https://www.pfsense.org/getting-started/).

I immediately realize that I've forgotten something pretty basic. When I downloaded the image, I never checked its integrity. If the file was corrupted in download, I could chase error messages till Kingdom come and never solve anything; in fact an integrity check should have been the first thing I did after downloading. The command is straightforward enough. I'm running a Windows host, and in the command prompt I enter certutil -hashfile [filename here] SHA256 (substituting the downloaded file's name, without the square brackets), then compare the output against the SHA-256 digest published on the pfSense download page. Hooray, the hash matches, so I know I'm working with an intact download.
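The same check, scripted so it can sit in a download step rather than be done by eye, as an added example of mine (not the post's own command, and not anything published by pfSense or Netgate). It assumes the published digest line is in one of the two common layouts, GNU sha256sum ("<hex>  <filename>") or BSD ("SHA256 (<filename>) = <hex>"), and the filename and file contents in the demo are made up. One practical trap it guards against: the published digest is for the file as downloaded (the compressed image), so hashing the extracted .iso will never match, and the code refuses to compare a digest against a differently named file.

```python
"""Verify a downloaded installer image against a published SHA-256 digest.

Added example for this post; not code from the original blog or from pfSense.
Assumes the digest line is GNU sha256sum style ("<hex>  <filename>") or
BSD style ("SHA256 (<filename>) = <hex>").
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

_GNU = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")
_BSD = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})\s*$")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-hundred-MB image is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_digest_line(line):
    """Return (filename, lowercase hex digest) from a GNU- or BSD-style line, else None."""
    m = _BSD.match(line.strip())
    if m:
        return m.group(1), m.group(2).lower()
    m = _GNU.match(line.strip())
    if m:
        return m.group(2), m.group(1).lower()
    return None


def verify_download(path, digest_line):
    """True only if the file's SHA-256 equals the digest published for that filename."""
    parsed = parse_digest_line(digest_line)
    if parsed is None:
        raise ValueError("unrecognised digest line")
    name, expected = parsed
    if Path(name).name != Path(path).name:
        # The digest is for the file as downloaded (e.g. the .iso.gz), not for
        # whatever was extracted from it; refuse to compare the wrong pair.
        return False
    actual = sha256_of_file(path)
    # Constant-time comparison is not strictly needed here, but it is the right habit.
    return hmac.compare_digest(actual, expected)


def demo():
    """Write a constructed 'download' and check it against good and bad digest lines."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "pfSense-example.iso.gz"   # made-up filename
        image.write_bytes(b"abc")                     # constructed content, known digest
        good = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
                "  pfSense-example.iso.gz")
        corrupted = "SHA256 (pfSense-example.iso.gz) = " + "00" * 32
        wrong_file = "SHA256 (pfSense-example.iso) = " + "ab" * 32
        return (verify_download(image, good),
                verify_download(image, corrupted),
                verify_download(image, wrong_file))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

A matching digest proves the bytes on disk are the bytes the publisher hashed, which is all the author needed here. It does not by itself prove the download is authentic: if the digest was fetched from the same page as the file, anyone able to tamper with that page can replace both, so for authenticity you need a digest or signature obtained over a separately trusted channel.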

Taking another look at the instructions, at the settings for pfSense, and at the settings for my Kali box, I see that historically I've used NAT for my outbound connections. Changing the WAN adapter to NAT and rebooting pfSense does lead it to come up with an address on its WAN interface. I also note that previously the boot process used to hang on "Configuring WAN interface" for over a minute; now it takes only a few seconds. However, there is not yet a connection between machines on the LAN and the outside world. With my Kali and my Raven boxes on the internal LAN, I can reach one from the other, but attempting to reach the internet fails: I can't browse to outside websites from Kali, nor can I ping Google's DNS server (8.8.8.8 - "ping: connect: Network is unreachable"). That particular error comes from the local kernel, not from the firewall: it means the host has no route to the destination, i.e. no default gateway, which points at the LAN side (DHCP lease, gateway setting) rather than at the WAN.

The solution, after chasing several false hares and a few unhelpful Google searches, was to reset pfSense to factory defaults and set the external network to NAT. "Well, nothing else has worked. Let's see what happens if I reset to factory default."

Wednesday, May 24, 2023

Setting up a home lab

A colleague suggested books by No Starch Press (https://nostarch.com/) as a good resource. I picked up two volumes, including Ethical Hacking by Daniel G. Graham (ISBN: 978-1-7185-0187-4). The first section of this book is about setting up a home lab for practice.


Dr Graham gives instructions for setting up a lab using VirtualBox. In my bootcamp, I used VMware. I don't remember the precise reasons, but I did try out both VirtualBox and VMware, and was able to get VMware started more easily. Once it was up and running, there was no reason to troubleshoot VirtualBox any further. Now my choice is to troubleshoot VirtualBox so as to be able to set up my lab like Dr Graham's, or to adapt his instructions to VMware. I think there's more to be learned by adapting his instructions, so that's the route I'm taking.


The first thing I learned was that if I was going to be running a vulnerable machine, I should probably place an additional firewall between it and the rest of the world. I actually have two firewalls: my ISP provides one with its router, and I use PiHole; so this will place three(!) firewalls around my vulnerable machines. In truth, I'm half convinced that this is overkill, but I don't think it will slow things down enough to matter, and I'd like the experience of setting up this additional firewall. Also, I expect it will simplify some of Dr Graham's later exercises, and as steep as I do like the learning curve, at a certain point you're looking at a funicular, which is self-defeating.


Dr Graham recommends the pfSense firewall, downloaded from its website (https://www.pfsense.org/). The download is straightforward: a compressed file that extracts to a .iso (disk image) file. You select your architecture (64-bit or Netgate; there's theoretically also a 32-bit option according to the mouse-over help text, but that may be legacy help text) and your installer type (USB memstick or ISO), then download. Once you've extracted the image, it's available to install: open the File menu in VMware and select "New Virtual Machine". A wizard launches; I used the Typical install option, then pointed the wizard at the extracted iso. Strangely, I couldn't click on the image to select it, but by navigating to the folder and entering the filename manually, the install seems to have worked.


The default memory assigned by the wizard is 256MB. Dr Graham suggests 1024MB, which is changed via a vertical slider during setup. Alternately, you can change it later by right-clicking the machine's tab and selecting "Settings" from the resulting menu.


The network settings were the first real change. pfSense needs to connect to the internet and to a LAN: it sits between the internet and the machines on the LAN in order to police the traffic passing between the two. This requires two network connections, and while the VirtualBox setup looks to have four network adapters out of the box, VMware only provides one. In that same Settings window I referenced in the last paragraph, though, on the Hardware tab there's a button near the bottom labeled "Add...", and clicking that gives the opportunity to add another network interface. This gives me the two interfaces, one of which I set to Bridged (Automatic), and the other to LAN Segment:

  • Bridged (Automatic) provides a direct connection to the physical network - this is the connection to the internet (and any threat actors) - the area outside the firewall.
  • LAN Segment provides a connection to a local area network (LAN), the area inside the firewall. Initially, there are no LAN segments available, but adding one is easily managed through the LAN Segments button. Click 'Add' on the resulting mini window. I named my LAN 'Internal LAN' to keep it consistent with Dr Graham's design, and connected the Network Adapter 2 to this LAN Segment.

Thus configured, pfSense can be started up. There is an agreement to accept, then you can install the software. And about here is where I ran into my first puzzle.


Dr Graham now directs you to reboot pfSense, and then to note that pfSense shows the same copyright and distribution notices as before, since the machine is still booting from the original iso download. He directs you to Settings --> Storage, then to select the iso file and click "Remove Attachment." I didn't find exactly that in VMware, but on the Hardware tab of the Settings window there is a CD/DVD (IDE) line, which when opened reveals checkboxes for "Connected" and "Connect at power on". For the connection, there is the downloaded, extracted iso file - looks like the same thing, right?


Well, I deselected the checkboxes, disconnecting the file, and restarted pfSense. And it didn't work. Foolishly, I didn't write down the error. The obvious solution was to reselect those checkboxes, which I did, but on restarting pfSense, it got stuck in a boot loop: rebooting and rebooting and rebooting.


Google is your friend, they say, and a quick web search on "pfsense stuck in boot loop" showed me that I was hardly the first person to face this scenario. The second hit was a Reddit post that included directions for fixing it (the first post looks to be a blog giving the same advice). I ran the appropriate command until there were no errors and successfully rebooted into the expected menu:

There is still one problem, which is that the WAN entry is blank, when it should be filled in. That is for tomorrow night.



Tuesday, April 18, 2023

Firewall failures ground Southwest Airlines

CNN (and many others) are reporting a ground stop of Southwest Airlines flights, initiated by the FAA at the request of the airline after "a vendor-supplied firewall went down and connection to some operational data was unexpectedly lost," according to spokesman Dan Landson (quoted from [5]). Many news articles remind readers of the airline's meltdown last December, when it cancelled nearly 17,000 flights over 10 days.[1,2,3] Southwest was not alone in cancelling flights then; the initial challenge was winter weather. However, it was noteworthy in the reason and magnitude of its disruption, which was blamed in part on outdated crew scheduling software.[4]

Both of these failures are cybersecurity issues. I've mentioned the CIA triad before:

  • Confidentiality: Access to data should be limited to those parties who are authorized to access it
  • Integrity: Data integrity should be maintained; data should be complete and correct
  • Availability: Data should remain available to those parties who are authorized to access it, when they need it

Both cases represent failures of Availability: data that Southwest needed to meet its business goals was not available. In December, outdated software meant that the airline didn't know where its flight crews were. In some cases, personnel had to phone in their locations because they couldn't notify the airline electronically.[5] The airline used in-house software to manage its crews.[6] While doing so may enable a finely tailored result, it also means that they must be entirely self-reliant for any maintenance, expansion, upgrades, and security for that software: no one else uses it, and no one else is familiar with it to offer insight. New employees enter entirely naive to the software, and have to learn it from the ground up. Legally, there may be more liability in providing their own software rather than outsourcing to a professional. Thus, though there may be short-term financial gains in in-house development, the aggregate picture becomes murky.

Today, the culprit appears to involve off-the-shelf software. Where the culpability lies is not yet clear, though. Setting up and maintaining the software may have been part of Southwest's responsibility. For the moment, we'll have to wait and see.

Sources:

1. Ivanova, Irina. "More than 2,000 Southwest Airlines flights delayed after temporary ground stop." CBS News (cbsnews.com). Accessed 4/18/2023 at https://www.cbsnews.com/news/southwest-flights-grounded-over-computer-issue/

2. Josephs, Leslie. "More than half of Southwest Airlines flights delayed after technology problem paused departures." CNBC (cnbc.com). Accessed 4/18/2023 at https://www.cnbc.com/2023/04/18/southwest-airlines-departures-pause.html

3. Baio, Ariana. "FAA briefly grounds all Southwest Airlines flights nationwide." The Independent (independent.co.uk). Accessed 4/18/2023 at https://www.independent.co.uk/news/world/americas/southwest-airlines-ground-stop-faa-b2321980.html

4. Koenig, David. "US investigating December flight cancellations at Southwest." The Independent (independent.co.uk). Accessed 4/18/2023 at https://www.independent.co.uk/news/ap-southwest-airlines-dot-dallas-b2269417.html

5. Wallace, Gregory, et al. "Hundreds of Southwest Airlines flights are delayed after FAA lifts nationwide ground stop." CNN (cnn.com). Accessed 4/18/2023 at https://www.cnn.com/travel/article/southwest-airlines-flight-delays/index.html

6. Arnold, Kyle, and Natalie Walters. "Holiday meltdown exposes Southwest Airlines' technology woes." The Dallas Morning News. Accessed 4/18/2023 at https://www.dallasnews.com/business/airlines/2022/12/29/holiday-meltdown-exposes-southwest-airlines-technology-woes/

Design for security

I recently got a new keyboard. My checkboxes were:

  • ergonomic
  • wireless, and sharing a dongle with my wireless ergonomic mouse
  • full-sized, including number pad; arrow key cluster, and the cluster of keys for delete, home, and page-up, page down
  • easy-type keys, which probably have an official name that I don't know. These are keys that don't have to be pushed deeply into the keyboard to register, and can tolerate a certain amount of sideways push - they're buttons, really, more than keys

I ended up getting the Logitech K860. I've had it for a few weeks, so I'm still on the learning curve for the keyboard layout (I've had several ergonomic keyboards over the years, and each has its keys laid out differently), but one feature stands out. It's the key at the top right, which features a lock symbol, and when pressed, it locks the computer, putting up the lock screen and requiring me to enter my password if I want to resume using the computer. A year ago, I doubt I would have thought about this key, or ever used it, but I completed a cybersecurity bootcamp in the second half of 2023 and one of the many things I learned was the value of security habits. Being in the habit of locking my computer every time I step away from it closes one avenue of attack against my computer and my network, since no one else can sneak onto my computer during the several minutes that elapse between my last keystroke or mouse movement and when the computer automatically locks.

At home, the likelihood of a threat actor sneaking onto my machine is limited. However, I do recall a colleague of mine whose cat managed to blast her resume out onto a listserv by leaping up onto the keyboard and striking just the right set of keys. Security is about more than just protection against threat actors, and as much as I love my cats, I don't see benefit in giving them free rein over my keyboard.

At work, it's a different situation, of course, and for several months I had been using a different wireless keyboard there, Logitech's K350. This keyboard also has a lock key, in the same location as on the K860. This keyboard belonged to me, however, and was only intended as a stopgap, so when my department got me a new keyboard it came home. And then the value of that lock key really struck me, because my new keyboard doesn't have that key. I had developed the habit of hitting that key every time I stood up from my desk, but now I had to either use [CTRL] + [ALT] + [DELETE], then [ENTER], or use the mouse to open the Start menu, then select user options, then select lock.

In truth, the extra time and effort is not large. But if you've ever seen someone toss recycling into the garbage can they're standing next to rather than crossing to the recycling bin three steps away, you know that many people are going to take the easiest route. Having a single button to press to lock the computer, and having that button be in a corner (you don't have to hunt for it), is about as easy as you can get. If we want our community members to lock their computers when they leave them unattended (and as security professionals, we do), the few extra dollars for a keyboard that does this is money well spent.

Wednesday, April 12, 2023

Don't advertise the IP address of your devices

Earlier today, I snapped the photo above. Clearly seen, on the side of the camera, is the camera's IP address (I've obscured the last two octets). Note also that this is not a private IP (the address a device uses on its internal network) but a public one: the camera appears to be connected to the internet directly. Assuming that the address is correct, I see a few issues here worth mentioning.

  1. Anything on the internet is directly in the line of fire of attackers. Though the camera might have a username and password to protect it, we could add an additional layer of security by moving the camera behind the firewall of a network. Then, an attacker would first have to penetrate the firewall before they could address the username and password security. Placing the camera on the internet denies it a layer of security. Granted, there are times when this is necessary or beneficial (e.g. traffic cams and raptor cams) but a security camera should probably have security.
  2. Since this camera was installed in this way, I'm led to wonder about the security posture of the rest of this facility. Just on this camera, is the security still running on the default settings? There look to be manufacturer stickers on the bottom of the camera; if I could determine the make and model, a Google search might reveal the default username and password. More generally, have there been other flaws in creating the local network? In other words, the setup here advertises a loose security posture, inviting a hacker to take a stab at breaking in. It's a little like parking a car in a bad neighborhood with the doors locked but the key in the ignition.
  3. Alternately, perhaps the address shown is not the address of the camera, but the address that the camera connects to (the address of the security company, for instance). The label may then have been placed to enable the camera to be set up properly. In that case, the address is likely to be firewall protected, but there's still no reason to publicly display it - keep that info need-to-know.

Thursday, March 23, 2023

Least Privilege

One easy security practice is least privilege. This is the principle that a user should be given exactly the privileges they need to do their job, and no more. In a bank, for instance, the groundskeeper shouldn't have access to the vault.

Though the benefits to this may be obvious, they're still worthy of mention:

The most obvious benefit is that without access to the vault, the groundskeeper can't steal from the vault. But if the groundskeeper can't access the vault, this also means that someone posing as the groundskeeper can't steal from the vault, either. Think of how many heist movies involve stolen credentials; if the stolen credentials don't provide access to the loot, the thief is still empty-handed.

Similarly, they can't wander into the vault accidentally while looking for the bathroom and then damage something inside or leave it unlocked, nor can they enter it out of curiosity and do the same.

There are also benefits in the event of a break-in. If the groundskeeper doesn't have access to the vault, they are much easier to eliminate from the list of suspects, simplifying the investigation and speeding recovery.

A related practice is the idea of one user having multiple accounts, each with different privileges. The root or administrator account of a computer holds the keys to the kingdom. There are times when a user requires that level of access, such as when installing software, but using that level of access all the time creates a problem. If I'm in my root-level account and download a virus, I can inadvertently install and execute that virus. If I'm using an account that isn't allowed to install software, though, that may prevent the virus's installation. Also, the amount of damage I can do is limited by the amount of access I have, whether that damage is accidental or intentional.

Root accounts in Linux often include reminders of their elevated risk, such as a skull symbol as part of the command prompt. This is good, but I think there's a benefit to going further. If the account is uncomfortable to use, the user is encouraged to complete their work and get out as soon as possible. The root account on my Windows machine has a red color scheme, with the Eye of Sauron as the wallpaper - I know I'm in the root account, and I don't linger.