Selling your Information Security Team Part 7

Now for the Fun Hacker Ninja work: the Attack VM.  We will use an OS designed for penetration testing that has the tools and a framework to make this job easier: Kali Linux.  We’ve already built a vulnerable Victim VM, so we will take advantage of known vulnerabilities in that build.  This is the build I had the most fun with!

Onward with the Attacker VM.  In order to make the attack sequence easier during a presentation, everything will be scripted.  The best tool for that in Kali Linux is Metasploit.  Each phase of the Cyber Kill Chain introduced at the beginning of the series will have it’s own Metasploit script and will use it’s own set of ports so we can clearly separate each phase for our audience.  Things will be much clearer in the final post wrapping up this series, but for now, onto the fun.

Continue reading “Selling your Information Security Team Part 7”

Vulnhub Boot2Root “PwnLab: init”

The Boot2Root challenge “PwnLab: Init” took me several hours to complete.  Once completed, I reinstalled the OVF and walked through the sequence again (this time taking screen shots) to validate what I had done.  This walk-through details my solution of the “PwnLab: Init” Boot2Root published on VunlnHub.com August 1, 2016.

Overview

While this walk-through looks fairly strait forward it was not in reality.  There were a lot of dead-ends and attempts that didn’t work, or didn’t give me the results I wanted.  Once I found the correct path though, it took only a few minutes to walk through it again and document it with screen shots.

If you have not had a chance to complete the PwnLab:Init challenge on VulnHub STOP READING NOW.  This is a fun challenge and I recommend you try it.

Continue reading “Vulnhub Boot2Root “PwnLab: init””

Selling your Information Security Team Part 2

In this installment of “Selling your Information Security Team”, we discuss recommendations for your host computer and installation of Virtualization Software. We define the network types we will use and reveal what the virtual network layout will look like. Prepare to WOW your Board of Directors!

In the previous installment of this series, we discussed how Information Security can be similar to insurance … it’s only discussed when bad things happen, and it’s rarely a revenue generating center.  We also talked about how one might show return on investment in the Information Security Team.  Finally we walked through a four phase Cyber Kill Chain that could be used to simplify a complex demonstration of Information Security that could be presented to non-InfoSec managers and Board of Directors.  In this part of the series we will install Virtualization Software for the Virtual Penetration Lab that will be the foundation of our demonstration to the Board of Directors.

Continue reading “Selling your Information Security Team Part 2”