Selling your Information Security Team Part 6

We are on to building the Victim VM.  If you have followed this series so that you can present a similar demonstration, this is the VM the audience member who volunteers to be the victim will use.  It will be built with Windows 7 SP1 32-bit and deliberately left unpatched, so that the vulnerabilities present in the SP1 build stay exploitable.  Be aware that these vulnerabilities were not publicly known when SP1 was released; they were disclosed later, some of them as zero days.  More on the SP1 vulnerabilities in the post on the attacker VM.

Build the VirtualBox VM & Install OS

We start off as usual by defining the VM in VirtualBox.  Click the New button, fill in the name, select the OS Type (Microsoft Windows) and Version (Windows 7 (32-bit)), and set the memory size to 2048 MB.  Click Create, set the virtual hard disk size to 25 GB and, taking all other defaults, click Create again.

Getting an ISO image of Windows 7 is more involved than the other ISO images we have downloaded, so I’m not going to go into details here.  I got mine from an MSDN subscription.  Just make sure you get the 32-bit version with Service Pack 1 (SP1) integrated.  I chose the Windows 7 Ultimate version.  Mount the image in your VM’s optical drive (Settings, Storage) as we have done before, boot your VM and start the installation process.

The install takes all the defaults until you reach the Windows Update question.  Because we don’t want ANY updates applied to this system, make sure you choose “Ask me later”; an update would remove the very bugs the demo relies on.  The install then continues; again take all the defaults, or set values as appropriate to you.

Change Network Settings

Eventually the install completes and you boot into the OS for the first time.  We are now going to change the network settings to place the VM in our demo network behind the firewall.  Right-click the network icon in the system tray and select “Open Network and Sharing Center”, then in the left panel click “Change adapter settings”.  You should see one adapter, “Local Area Connection”; right-click it and select “Properties”.  Highlight “Internet Protocol Version 4 (TCP/IPv4)”, click Properties, select “Use the following IP address” and enter static values appropriate to your network.  On the VirtualBox side, the VM’s adapter must be attached to the same internal network as the firewall’s inside interface, never NAT or bridged: this box is deliberately unpatched and should not be able to reach, or be reached from, anything but the demo network.  If you are following my network values, remember from the firewall and network build post that we chose an internal network of 10.10.10.x and an external network of 192.168.10.x, and from the Utility VM build post that we created a Snort rule to detect traffic between (Victim) and (attacker).  So that makes this victim system  The subnet mask is and the gateway & DNS server addresses are the internal firewall address of

Staging the Victim VM

The final part of the Victim setup is staging the device and taking a snapshot.  While the VM is running, set the display exactly how you want your victim to see it when they first encounter the screen, then take a snapshot of the running VM (Machine, Take Snapshot).  I had the browser already set to the webmail client and logged in.  That way when you reset the environment for the demo, the victim VM always comes back to the same known starting point.
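The GUI steps above, from defining the VM through taking the staging snapshot, can also be driven from the command line with VBoxManage, so the victim box is rebuilt and reset identically for every demo run.  This is an added example, not part of the original post: the VM name, ISO and disk paths and the internal network name are assumptions to adjust for your lab, and the isolation check only inspects VirtualBox’s own adapter setting, not anything inside Windows.

```shell
#!/bin/sh
# Added example (not from the original post): the VirtualBox GUI steps for the
# victim VM expressed as VBoxManage commands.  All names and paths below are
# assumptions; override them via environment variables.
set -e
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
VM_NAME="${VM_NAME:-Victim-Win7}"
VICTIM_ISO="${VICTIM_ISO:-${HOME:-.}/iso/win7_sp1_x86.iso}"           # assumed path
VICTIM_DISK="${VICTIM_DISK:-${HOME:-.}/VirtualBox VMs/$VM_NAME/victim.vdi}"
INTNET="${INTNET:-demo-internal}"   # must match the firewall VM's inside NIC

# Define the VM as the GUI steps do: 32-bit Windows 7, 2048 MB RAM, a 25 GB
# disk and the install ISO in the optical drive.  The NIC goes on a VirtualBox
# internal network only, never NAT or bridged: this box stays unpatched.
define_victim_vm() {
    "$VBOXMANAGE" createvm --name "$VM_NAME" --ostype Windows7 --register
    "$VBOXMANAGE" modifyvm "$VM_NAME" --memory 2048 --vram 32 \
        --nic1 intnet --intnet1 "$INTNET"
    "$VBOXMANAGE" createmedium disk --filename "$VICTIM_DISK" --size 25600
    "$VBOXMANAGE" storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    "$VBOXMANAGE" storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$VICTIM_DISK"
    "$VBOXMANAGE" storageattach "$VM_NAME" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$VICTIM_ISO"
}

# After Windows is installed ("Ask me later" for updates) and the desktop is
# staged, freeze that state.  Snapshotting the running VM saves its memory too,
# so a restore comes back to the logged-in webmail screen.
stage_victim_vm() {
    "$VBOXMANAGE" snapshot "$VM_NAME" take staged \
        --description "Win7 SP1 x86, unpatched, webmail logged in"
}

# Pure check: given 'showvminfo --machinereadable' output on stdin, succeed only
# if the first adapter is an internal network.  Kept separate so it can be run
# against a captured or constructed sample.
nic_is_isolated() {
    grep -q '^nic1="intnet"$'
}

# Guard to run before every demo: refuse to continue if the adapter was ever
# switched to NAT, bridged or host-only.
verify_victim_isolated() {
    "$VBOXMANAGE" showvminfo "$VM_NAME" --machinereadable | nic_is_isolated
}

# Reset between demo runs: discard whatever the phishing run did and return to
# the staged state.  poweroff fails harmlessly if the VM is already off.
reset_victim_vm() {
    "$VBOXMANAGE" controlvm "$VM_NAME" poweroff 2>/dev/null || true
    "$VBOXMANAGE" snapshot "$VM_NAME" restore staged
    verify_victim_isolated
    "$VBOXMANAGE" startvm "$VM_NAME" --type gui
}
```

Source the file, run `define_victim_vm`, then install Windows by hand exactly as described in this post and stage the desktop; run `stage_victim_vm` once, and `reset_victim_vm` before each demo.  The reset refuses to start the VM if the adapter is no longer on an internal network.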

Next Time

The last system to be built is the attack VM.  We will cover not only installing the OS but also creating the attack scripts to exploit our victim VM through the firewall.  What exploit delivery vector are we going to use?  Well, of course: email phishing.

The Victim setup was fairly straightforward; did I miss any points?  Do I need to focus on something?  Once we finish building the attack VM, I’ll wrap up the entire series with a post on how to use and run it.  All will become clear soon.  In the meanwhile, if you have questions or comments, leave them as a reply.

Author: Philip Mire

Philip started in Information Security in 1984 and has worked for a number of Fortune 500 companies. He currently works in Security Operations & Incident Response and is additionally responsible for department capability growth: testing detections, new tools, and training/exercising. Philip holds certifications as a CISSP, Incident Analyst (GCIA), Incident Handler (GCIH) & Forensic Analyst (GCFA) and is certified by Offensive Security (OSCP). He has authored patents covering Public Key Infrastructure (PKI) technology.
