This webcast was originally published on April 19, 2020
In this video, John and Bill discuss setting up and using a home lab for security testing and experimentation. They cover the importance of a controlled environment for safely running malicious software and testing security tools, illustrating how to configure network isolation and capture traffic for analysis. They also share tools and techniques for monitoring network traffic, handling malware, and building a robust learning platform for cybersecurity enthusiasts.
- Building a home lab provides a safe environment to experiment and learn without risking production systems.
- Webcasts often generate new ideas for future webinars based on community interactions and feedback.
- Community-driven platforms like Discord servers enhance learning and interaction among participants.
Transcript
John
I’m in charge of the slides, I guess today. Dive right in, we’ll get started. This is a webcast that we’ve been talking about for quite a while.
Bill, correct me if I’m wrong, it actually started with the Raspberry Pi network sniffing webcast, really. And it really exploded from there.
Then whenever we got into full COVID-19 we actually had to create labs and set them up. So I have my lab set up. You have your lab set up. And I think a lot of the concepts are the same, but we wanted to walk people through what are some things that they need to have in their home lab.
Now that you’re in lockdown with everything that you should do, I’ll go ahead and kick it off. We have Discord servers. We have the Threat Hunting Community Discord server, which now has 1045 people on it, which is pretty cool.
So if you want to be part of that conversation and communicate with everybody else that has kind of a shared interest in the idea of threat hunting, this is really the place to hang out.
And it’s really designed not just to be part of this webcast right now, but it’s something you can continue to go through as well, so you can.
Bill
Run through it again. We’ve had some wonderful mentoring going on between people, and, we love the idea that anyone can answer questions, that we can all help each other along.
I’m not going to have knowledge in some areas, but twelve other people will, and we just love having that community going on. There’s also a Black Hills Information Security Discord as well, the second link down below.
And ongoing discussion about webcasts may go on there, too. And all kinds of kind of technical discussions. We love having you join both and kind of find out where your interests are and take part.
John
Well, and I also think that that interest is important because it helps direct where we’re going to go for future webcasts. We’ve had some people ask, where do we come up for ideas of webcasts? And a lot of the ideas for webcasts actually pop up out of these existing webcasts that we’re in.
So please keep contributing. Keep contributing. so, Bill, do you want to walk us through why anyone would ever want to do this? Right.
Bill
Yeah. When I was a camp counselor, many, many decades ago, I worked with a ropes course, and one of the things that I learned was that when you want to teach somebody how to try something new, the first thing that you’ve got to provide is a safe environment, someplace where people can try out things, not only where they’re physically safe, but also where they feel free to try new things without any fear that they’re going to break existing systems or hurt somebody or shut down some critical service, when you move back to the computer side of the analogy.
So we really want to provide a, by the way, thanks, John. Okay, great. So when we’re talking about building a home lab, there are a couple of things that you might do with it, but the primary reason for making it is to give people a safe place to play.
Everybody raise your hand if you’ve taken down a production service by typing some wrong command or pulling some wrong cable or. Yeah, exactly. I think we just had 2369 people, all raise their hands just a moment ago.
John
for the people that didn’t raise their hand, Bill, I think that we can safely say that they will be raising their hand at some point in the future. Right?
Bill
You’ve either done it or you will, or both. Absolutely true. And we’ve got lots of stories. We may go and fill you in, some at the end. So when you’re setting up a home lab, you get a couple of things out of this.
One is you can try out a piece of software in a place that’s not going to affect your production network. If you’ve got policies or rules or even just requests from your company or organization to not do certain things on the network, but you want to try out something like a password cracker, or you want to try out a network probing or network mapping tool that just isn’t allowed on a production LAN, you can try it at home, set up your own network, get a chance to play with it. Even trying out new applications, ones that you’re perfectly allowed to use, but you don’t want to try it on a production machine: set it up at home, see how you install it, document the procedure.
This is your chance to try it out safely. If you want to put in patches on a system and you think, hey, wait a second, we’ve got this special network set up. We want to make sure it’s not going to get screwed up, put in this latest, patch Tuesday release.
This is a good place to try it out. And finally, if you’ve got systems that you think are infected, have problems, where you want to do forensics, this is a, wonderful environment to do that.
You’ve got an isolated network where you’re not going to be worried about whether this infected machine is actually shipping data in and out. Take a laptop over to here, disconnect the other systems.
And then there’s your chance to do your forensics.
John
Now it’s funny, you talk about working in a nice safe environment where you don’t have to worry about making mistakes. And I have a lot of people that ask me how I got started in computer security.
And if you want to look it up, there’s a court case, Cobell versus the Department of the Interior, where Cobell was working on behalf of Native Americans.
And misappropriation of Native American funds. Department of the Interior computers and fund transfers and things of that nature. But the moral of the story is they actually shut down mineral resource management, Minerals Management Service, where I was working at the time.
And they shut down an entire enterprise environment for something like nine months. So it’s kind of like a Covid situation, right? So we were completely shut, down.
Nothing in or out of the Internet whatsoever. But all the servers were allowed to keep running. So like Oracle, we had a bunch of Linux computer systems. We had active directory, we had workstations.
And I was able to learn security in that environment where I could go through and I could do whatever I wanted. And if it ended up crashing something, no one cared because literally there was no work that was getting done.
And then all the systems administrators, they were spending all of their days playing Total Annihilation, which was a video game kind of like Command & Conquer. I would break things and then I would sit down with, like, Mark Bruinink, one of the lead systems administrators, or Pete Tocum.
I would sit down with these people that were just geniuses. Bob Angus. CJ remembers Bob Angus. He was the network administrator. And they had this unending patience to kind of work with me to get things working again.
So I had this safe sandbox that just happened to be a multimillion-dollar enterprise environment that I could break, test, do all kinds of exploits for nine months.
And that really helped me. And the cool thing about this webcast is everything we’re going to discuss actually correlates to anything you would do in the enterprise as well. So Bill, do you want to talk a little bit about the network layout?
Bill
Yeah. What we’ll talk about today just doesn’t cost multi millions of dollars. And doesn’t shut down your business for nine months.
John
But unless you’re doing it. Awesome.
Bill
That’s right. Absolutely. So the layout that we’re going to use is very simple, but we want to go over the different components and how you lay these out. The switch at the center is the one that you’re going to use to capture traffic between these machines and to capture the traffic heading out. You do want some kind of separate firewall, and we’ll talk a little bit about what that can be.
There are only a couple of very small requirements. And then down in the lower right, we’ve got a Sentinel system that’s actually watching traffic and a Lab Serve system, which is going to serve up different services to the machines in this isolated lab.
And then if you want to work with Wi-Fi enabled systems, then we also have an access point plugged in. If you only need wired or you only need wireless, that’s great. But we have a very small number of requirements, and that’s including packet capture and also isolated systems, the Sentinel and Lab Serve, that are going to be used for forensics and mapping and so on.
You want to go ahead, John?
John
You bet.
Bill
So we left out the power cables, but this is a very simple layout. Switch is in the center, the one that says Netgear with AI-Hunter on top of it.
I’m actually using different colored cables. You don’t have to, but it does help me keep track of the fact that we’ve got traffic that needs to stay isolated with the red, yellow, and blue cables.
The gray one is the one that’s heading out from our firewall in the upper left, and that’s just a SonicWall that was left over from a previous project. Our Sentinel and Lab Serve systems are at the top right.
It happens to be a Raspberry Pi. It can be anything. And one thing you’ll learn through this webcast is go down to your basement, find stuff that’s left over from old projects.
It doesn’t have to be expensive. It certainly doesn’t have to be new. It just has to be basically capable. And near the end, we’ll have a slide that says the minimum requirements for all of this.
And finally, the wireless access point is at the bottom. Go ahead, John, if you would.
John
So, all right, so this is my network setup, so I thought it would be nice. Bill was talking about working out of the basement, so I had to migrate my entire lab from the studio here in our offices in Spearfish, and I had to migrate it to my home.
So underneath you can see the Perl video capture system that I have, and you’re going to see more of that stuff here in a second. But this is my go-to lab device. I have yet to find anything short of, like, doing a full pfSense implementation that is as quick and easy and as inexpensive and as useful as the suite of tools that you get from MikroTik. MikroTik is amazing.
Now, I’m going to talk a little bit later about how this particular device is configured and how it actually works. But the vast majority of my lab is here on the right-hand side of this fire hazard, where you can see that we have multiple LAN cables that are plugged into the right-hand side.
Those are the gig Ethernet ports. On the left-hand side, you have the standard Ethernet ports, which would be about 100 megabits per second for those particular adapters. Now, the reason why I go with this is it has absolutely everything built into the device itself.
And I can watch the status and I can do packet sniffing. I can do absolutely anything I want with this. People are giving me a hard time. They’re like, you got to do something with that spaghetti. Yeah, it’s bad.
so that was about to be my comment.
Chris
That’s beautiful.
John
Yeah, it’s bad, right. And the other thing is that’s really important, and I don’t think a lot of people think about this much, is it doesn’t put out a lot of heat. And I think that it not putting out a lot of heat is important because otherwise it would set my house on fire, and we don’t want that.
So this is the one that I’m using. It’s a little MikroTik RouterBOARD. The functionality in these is off the charts and they’re very inexpensive.
So you have, like, a full switch, you have wireless, you can do any of the different routing things that you want to do, full packet capture. And the important thing on this slide is the command at the bottom where it says port mirroring.
Right. So port mirroring. What you do is you basically do /interface ethernet switch. That means you’ve gone into the context of actually configuring the switch portion, because it can support routing, it can support switching.
So you’re going to be going through and doing the Ethernet switch. Then down at the bottom it says set switch1 mirror-source=ether2 mirror-target=ether3.
What that means is you have switch0 and you have switch1. Believe it or not, there’s actually two switches in this device. There’s the left switch, that’s the 100 megabits per second, and then there’s the fast Ethernet, which is the gig per second.
On this particular device itself, we’re making a configuration to the second switch, which is the fast Ethernet switch that we have here. We’re going to do port source, the specific port that you’re going to be looking at, then where you want that to be mirrored to.
I plugged in another switch, and I’ll show you here in a second where I have a bunch of computers that I had laying around in the basement that I’m spinning up the virtual machines on.
Then I took that switch with my domain controller and my Windows workstations. I basically plugged that into a switch port, plugged that switch into a port on the fast Ethernet side, and then I mirrored all the traffic over to another port.
Really super simple to do. And then on that system I actually have Bro/Zeek completely set up as well. The other thing that I think is important is the ability to actually kind of unwind and play games.
So I’ve got a full X-Arcade system plugged into this as well. Bill, did you have a question, or anybody have any questions?
Bill
No, I just totally agreed on the MikroTik. The list of things that you can do with that particular switch router is mind boggling.
All kinds of built-in diagnostic tools, and export NetFlow records and export pcaps directly from the switch. It’s wonderful.
John
Yeah.
Chris
Guys, on the MikroTik, just for clarification, it’s often the case with a lot of these networking gadgets that people have to be experts at the command line or know all these esoteric kind of commands.
So with this device, and I’m kind of leading you on with the question, right? I’m guessing that’s not the case. Correct.
Bill
No, the web interface is wonderful. Go ahead.
John
Yep. And the web interface also has the ability to shoot yourself in the foot instantaneously.
Bill
Oh yeah.
John
So like the DHCP server, I went through and I deleted the DHCP server off of mine because I wanted my domain controller to handle DHCP in my environment.
And you go to DHCP. So you just go to, like, IP, DHCP configuration settings on the left-hand side and it shows the DHCP configuration and you could do plus or minus.
And I’m like, well, I want to get rid of this one. So I hit minus and it just, boom, disappeared. There was no pop-up, like, are you sure that you want to do this? It literally just, bang.
Just, just deleted it. No information.
Chris
It does exactly what you want. You just need to know what you want.
John
Yeah, you have to know what you want. But it was just cool. Yeah.
Bill
Chris, did you have one? Chris, you’re on mute.
Joff
Thank you, Bill. So we’re getting a bunch of questions that I think we can kind of combine together. One is having it at home versus having it in, like, a public cloud, and the other is staging it all on dedicated hardware versus maybe running, like, a VM type of environment.
Bill
We’ll talk about VM.
John
Yeah, we’re going to talk about VMs here in just a little bit. I like having a hodgepodge of crap I have in my basement already, just because I feel like I’m making all of these computer systems useful again.
Bill, what’s your quick take on that?
Chris
Bill?
Bill
You’re absolutely right. The other quirk is that one of the primary goals of a project like this is isolation. You want to keep this traffic away from the Internet, and that’s a little harder in a cloud environment. It’s not impossible.
If you want to set up a virtual private network at virtual, what’s the term I’m thinking of, up on Amazon where you set up a subnet.
I’m spacing on the term. Anyways, if you want to set up an isolated space up there, absolutely. And you can spin up and throw down virtual machines all day long, but it’s just a little nicer to have it physically close to you where you’re certain you aren’t letting packets leak out.
John
All right, so let’s talk a little bit about network layout and how you should set this up. So I drew out my network over here on this. No, I’m joking.
My spaghetti network. So whenever you’re talking about that isolation and stuff, Bill, you want to talk a little bit about the network?
Bill
Sure. Any kind of network that you want to use, you want to have at least one network segment that’s reserved just for questionable machines, questionable processes, ones where you’re doing forensics.
Beyond that, the interesting part is there’s no requirement for speed or type or number of ports. If you’ve got an eight-port switch hanging around, awesome, give it a try. If you need more ports later, that’s great. It can be ten megabit. Awesome. It’s going to be slow to do your images when you want to take an image of an infected system, but you can also save those images to flash drives.
We do want to have a firewall, and that’s really one of the requirements, something that’s going to block all traffic going out. We’ll talk a little bit about that in upcoming slides, how you do that.
And we’re also very keen that you come up with a switch that has a SPAN port, something where you can capture traffic. John’s MikroTik router is a perfect example.
It’s built right in. Other switches can include that. I had a Netgear GS305E that was just hanging around for another project. I like the GS116 and I was going to put that in the slides, but unfortunately the only one I have here is actively in use right now.
So I couldn’t pull that out. And some kind of access point that will let you capture wireless traffic as well. So if you’ve got a cell phone that you think may have some malware on it, you want to be able to watch the traffic going in and out.
You erase any other wireless networks, you say, only use this one wireless AP, and that way I can watch all of its traffic.
John
I will point out, though, one of the problems that you do run into whenever you set up wireless networks that people have got to be aware of is if you go from a wireless access point going into a switch, and you have multiple different wireless devices associated with it, they’re all going to look like they’re coming from the network address translation device.
Now there are wireless devices that you can buy that’ll actually allow you to be, like, a layer 2 bridge. And what that does, it allows it to be a wireless network, but it’s getting the DHCP leases directly from the routing functionality, usually the router or switch, whatever you’re using. It’ll allow you to actually get that from the routing device.
I hate to say router, because in the enterprise the router doesn’t do that. But you get the idea. You want to make sure that you’re setting up your configuration so from the wireless side, it doesn’t make every device look like it’s coming from that wireless access point.
Right, whenever you plug it into your switch. So one of the things I’ll do is I’ll do a Ruckus. I’ve got a Ruckus sitting around at the house and I’ll set that up and it just does transparent layer 2 bridging.
Also with the MikroTik, it actually looks as though there are three separate switches. There’s the fast Ethernet switch, the Ethernet switch, and the wireless switch. But if your uplink port is the one that you’re doing port mirroring on, then you see everything.
Pre-network address translation. So that’s going to be one little gotcha that you’ve got to work through as well.
Bill
Joff, what you got for us?
Chris
I was just going to double down on what John was saying. Actually separating your wireless gear out, so the wireless APs are actually bridges, is one of the critical things that you do, because if you don’t, as John says, you’re just not going to be able to see that independent traffic, and it’s really important for any analysis to be able to do that.
And there’s so many devices out there that combine the AP in with the router functionality. So you have to be very deliberate about doing that. Not something that you can just completely agree automatically.
Yep, yep.
Bill
So for hardware. Want me to take this one?
John
Yeah, you got it. Go for it. Great.
Bill
For hardware, we’ve talked about the idea that you need a firewall. This doesn’t have to be a dedicated firewall device. A computer with two network ports and some kind of firewall software.
And that’s basically any OS that you like, any firewall software you like. Switches, no particular recommendations other than the fact that it needs a SPAN port.
Wireless AP, the same thing. We’ve talked about those and the fact that you need to turn off NAT. When I’m setting up something like this, if I’ve got a bunch of dedicated systems, I may want to have just a single keyboard, monitor and mouse and then a switcher. Not particularly tied to this one model, but it is nice that it has keyboard, mouse and HDMI and will take up to four PCs.
Please reuse old hardware. Grab stuff that you already have and make use of it. 100% gigabit Ethernet might be a good minimum requirement just for the fact that if you’re going to send images across the network, that can take a lot of bandwidth.
But if you’re just going to save an image of an infected system off to an external drive, that’s fine too. And that also means that you want to have a couple of extra drives around.
Those can be flash drives, microSDs or SDs, external SATA hard drives. You’ll want to make sure that they’re USB 3.0, with the blue center on the USB connector,
or USB-C is appropriate, because USB 2 will let you save stuff, but it’s going to be a lot slower. You just don’t find drives that are USB 1. It just doesn’t exist because they’re so functionally impossible to use.
Chris
Yeah.
John
Now I’ve got a question, a little bit of trivia. This is a recent news story. So I’ve got a picture here. And Bill, if you look at that, you can see that that’s kind of old.
Does anybody know, they can mention on the Discord channel, where this picture came from? It was a story that came up that was really super interesting.
If anybody has.
Bill
Oh I know, that’s your guest bedroom.
John
Yes, my guest bed actually. No, that’d be way too organized for my guest bedroom duchesse. Yeah.
Chris
So I’m thinking radio shack.
John
It isn’t actually, it isn’t. What happened is back in 2000 there was a computer store and the computer store was owned by the person that owned the strip mall.
And then it got into this huge legal argument between him and the lending organization and basically they shut the entire computer store down in 2000, walked out and just left it and they’ve rediscovered it and it’s exactly as it was sitting in 2000.
Bill
Wow. Those are probably shrink-wrapped boxes of Windows 95. That’s scary.
John
Yeah, I actually see that right here?
Chris
right about there.
John
Yeah. Yeah, I think it’s Windows 2000 actually. But it’s so cool. I think it was a Computer City that was shut down. So I would love nothing more than to go hang out in that store.
That would be just amazing.
Bill
Absolutely.
John
Oh, go ahead.
Chris
Quick comment on Bill’s gigabit Ethernet statement. If you get adventurous, and I tend to get adventurous around my office and go to ten gig.
Ten gig Ethernet, John, dirty mind John, ten gigabit Ethernet, investigate jumbo frames, because you cannot run ten gig Ethernet at line speed with 1514-byte frames.
You need to go to 9000-byte frames. So just a little extra.
Bill
Yep.
John
Good, good tip. Especially when we’re talking about imaging systems. Yeah. Another question.
Bill
Yeah, some questions out there about the price range you’re looking at. What’s your low and high? Obviously there’s no upper end, so. No upper end there. Yep.
John
Yeah. So my switch was $140 and I think Bill has a slide a little bit later with the total pricing, but my switch was $140. I had it laying around forever. And then the rest of the equipment that I have, I’m just scraping together junk notebooks that I have.
So Bill.
Bill
Yeah, laptops, notebooks, old, old tower systems, old rack mount systems that are too slow for anything today. You don’t have to buy anything if you’ve got a little bit of gear hanging around.
If your company has just a closet that’s full of stuff that’s no longer used, go through there, say, hey, can I take this stuff home and do some testing? Here’s what I’m going to learn from it.
This is what I’m going to contribute back to the company. You may just head home with a trunk full of gear systems. My Sentinel system on that slide a little while back was a Raspberry Pi that was probably $120 with everything included.
I think people are getting a little wrapped around the axle about, hey, what brand of that or what make or what. Like, for this, it just doesn’t matter. Go to eBay and get whatever you want.
I defy you to show me a system that will not run Linux.
John
Yeah. Okay. I might have some a little bit later.
Bill
Okay, good.
John
Why does it keep doing that? My screen keeps, I’ll not be doing anything, and then all of a sudden I’ll just jump, but. Okay. So you want to talk a little bit about firewall or IPS system?
Bill
Sure. I think we’ve got a slide coming up on how firewalls work. The only thing to keep in mind for the firewall is, don’t go into the rule set and say, okay, allow all outbound traffic.
We’re assuming these are systems that may be infected, where software is doing stuff that it shouldn’t. Open up ports one by one as they’re needed.
And we have a slide coming up on that. We appreciate Marcus’s suggestion on the ultimate firewall. I’ve used that more than once, and hopefully you won’t have to use it yourself.
John
Yep. Now, as far as the allow all outbound traffic. Now, my network, I actually do. The goal is I’m actually running malware on the inside of this network, and I’m tracking it through Bro/Zeek and RITA and AI-Hunter.
I want to be able to have that type of visibility, to see everything that it’s actually doing. However, one of the things that’s important about my network is it’s not dumping the network connection into my home network with everybody else.
It’s actually a completely separate, dedicated link that’s isolated from the rest of my house, because I don’t want to be running malware that all of a sudden runs rampant across the rest of my home network.
So it’s a dedicated link out that’s going into my edge and then going out from there.
Bill
So you’re doing the isolation just at a different layer. That’s awesome. Hey, whatever it takes is fine with me. Yep. All right, you need two interfaces, one for the inside and the outside.
Technically, you can do a firewall with one interface. We’re not going to talk about that today because there is the potential for leakage there. You really do want IPv4 and IPv6 support.
You want to at least be able to let systems try to connect out with IPv6 as well. Just an existing firewall or a Linux system with UFW, or firewalld or something else is just fine.
If you’re a Mac user and you want to hook up a Mac as your firewall, there’s Little Snitch, which I find very good. Although unfortunately, at the load that I put on my particular system, it keeps crashing my Mac.
So that’s not a slant on Little Snitch, that’s a slant on the jerk who keeps putting that much load on it. All right, next slide.
John
I was going to say, you talk about things that are left around. And this is another thing that I really feel like people just don’t take enough advantage of is leftover gear at work.
Almost every organization I’ve ever been at, they have a closet, they have a room where they throw switches and they throw routers and they throw all this networking gear.
That is a goldmine for you to just learn and just dig in. And more importantly, if you break it, no one cares. So take advantage of that as well.
Bill
Two of us went down with a truck and some gear from Dartmouth that had been left over. We basically rebuilt the fiber infrastructure down in a school near New Orleans after Hurricane Katrina based on the leftover gear that the network team was kind enough to contribute.
John
Yep.
Bill
So a couple of examples for the switches. I particularly like the Netgear series. The GS116E is 16-port. There’s a link for it on Amazon, and it’s a similar price to the MikroTik.
So 130 or 108 versus 140, was it, or 114 for the MikroTik?
John
It was 140 for the MikroTik.
Bill
Absolutely. And I love that MikroTik, too. Don’t let me talk that one down.
John
And I’m going to give a dig on the MikroTik. And it shouldn’t necessarily be a dig, but I’ve noticed the MikroTik on the wireless side, the wireless signal is horrific, and it also can really only support about, like, 10 to 15 active users on it.
But when we’re talking a lab, having kind of attenuated signal strength isn’t necessarily a bad thing, because then I don’t have to worry about people messing with my wireless signal, which actually helps out quite a bit.
Bill
Wonderful. Absolutely. You’re going to use up about five ports right off the bat with the uplink, the mirror or SPAN port, the other port needed for the Sentinel to get its Internet access,
going down to Lab Serve, one for the wireless AP. You’ve got five ports taken already. So an eight-port switch is going to cut you pretty close. I would say eight would be a practical minimum, and 16 if you can.
John
And you’re absolutely right, I had to expand mine out with a secondary switch. I had to, just because I ran out of ports.
Bill
Absolutely. All right, AP. Well, I just grabbed a Netgear AC1200, I think it was, or 2100, I can’t remember, that was hanging around again.
You have to be able to turn off NAT so that you can see the raw IP addresses when packets get to your Sentinel box, which is the sniffer, and also when they get to the firewall.
If you can get one that supports at least 2.4, that’s great. It’ll give you some more flexibility on who you can talk to. And many APs will have a couple of extra Ethernet ports as well.
So if your main switch doesn’t have enough ports, you can add a couple more systems on the AP.
John
So kind of jumping in here, we had a couple of people that were asking, so does John, have a Venn diagram of what his network looks like? Just dump a bowl of spaghetti on the ground and call it good.
it’s like total mad scientist with me plugging things in. And there was another person that was like, do you have to have a goal in mind when building it? And I would say, bill, I’d like to get your impressions on this, but I would say you absolutely need to have a goal of core functionality, the span port data capture.
Come up with some core ideas, of what you absolutely need and then it becomes interchangeable. And I’d recommend taking a nod from enterprise level networks. On an enterprise network, you’re going to have some routing.
On an enterprise network, you’re going to have the ability to span off and view traffic on an enterprise network, you’re going to have active directory build the enterprise network first and then just go crazy.
Another thing I wanted to throw in on the wireless, some wireless devices support client isolation, which makes some of the attacks a little bit more difficult to launch.
Like if you try to do LLMNR-style attacks or ARP cache poisoning, those get a little bit more difficult. So if you’re trying to launch some layer two attacks on a wireless network, you might want to check the security settings and see if you have client isolation enabled there.
Bill
Well done. Good point. I hadn’t considered that.
John
Oh, this is the one I was excited about. So can you tell us a little bit about Sentinel?
Bill
Here’s the, go ahead, Joff. You got something for us?
Chris
Whoops. Yeah, I do. I was just going to add one more point to what John said. If your wireless access point is able to support multiple SSIDs, it’s also a nice feature to have, especially if it has VLAN support along with that to partner with that, because then you can sort of compartmentalize your lab up into different wireless areas, which I find to be very useful.
Bill
Well done.
John
And I think Ethan’s blog post, if we could put a link on that in Discord, but Ethan just did a blog post this week that is probably the single most detailed kind of segmentation and isolation of a home network blog post in history.
It is fantastic.
Bill
On that note, we have links at the end of this presentation. Absolutely. So for me the Sentinel is one of the more interesting parts of this. This is the box that’s going to be listening on the span port.
This is where you can do packet capture. If you’re going to come in and do network probing, if you’re going to do port mapping, if you’re going to do vulnerability assessments of the systems that you connect, this is the system you’ll run it from.
This is the one that you trust and you want to keep this one very well locked down. Your choice of operating systems up to you. What operating system has the tools that you need?
And if that’s Windows 10, awesome, physical, that’s great. If it’s a dog barking in the background, that’s cool too, I don’t mind. But you do want to make it so that there aren’t ways to access this box from the IP addresses of the labs.
And so the usual way you’ll do that is a host firewall on that system, you’ll want extra drive space because if you’re keeping forensic images, if you’re uploading malware, if you are, if you need to just rebuild a box, you need some place to put the images.
An external USB 3 drive will be just fine, or internal storage as needed. I also really encourage people not to try to use a single Ethernet port.
It’s tricky to try to get something like a span port connected interface that’s also being used for the input and output of that system.
John
Yeah, I’ve almost never had that work well at all.
Bill
Spring for the extra USB to Ethernet port and you’ll be glad that you did.
John
Yeah, and this also gets into a question of virtual machines. If you’re running a virtual machine and you want to do additional Ethernet, it’s just easy, just go get a USB to Ethernet adapter and don’t bridge it as a networking device to the virtual machine.
Rather, hook it up as a USB device to the virtual machine. You might tend to get better performance doing that, but it works really, really easy in a virtual machine. You want to throw in more Ethernet adapters, just throw in more USB to Ethernet adapters and then it just makes it so your management is through the standard quote unquote interface that VMware gives it, and then your actual sniffing interface is through your USB Ethernet dongle.
Bill
And just be aware that when you’re going to do sniffing from a virtual machine, you’re going to take some time playing with it. It doesn’t work immediately. Just be ready for that.
John
Yep. This is one of those key differences between an enterprise and what you do at home. I think we got to spend a couple of seconds on this, Bill. If you do get it to work, understand that you can’t immediately go to work and talk to your virtualization team and say we need to set up a span port and have it go to a virtual machine.
It worked at home. There’s a big difference. 100 megabit switch and doing it at like five gigabits. And virtualization tends not to get along too terribly well with sniffing.
Tremendous amount of traffic. So do be careful with that.
Bill
Agreed? Yep.
John
Okay, so file and drive transfer image. Now this is getting into a little bit of doing the forensics side, and I liked this. Right. The idea of this whole entire environment is flexibility.
And you’ve created a little bit of a swiss army knife on this. Do you want to talk a little bit about file and drive image transfer?
Bill
So we got a slide coming up on how you can use the Sentinel or potentially the lab serve system. Either way, to make images of these systems. The hope is that if you’ve got a system that has been brought in because you think it’s infected or it’s got problems, one of the first things that you may want to do is take an image of it, so that if you screw up with your forensics or you need to actually get into a court case with a given system, you’ve got a pristine image to work from.
The other reason why you might want to look at taking images of systems is if you build a pristine system, you fully patch it, you’ve locked it down to standards. If you do that here in a home lab, you want to take an image of that system before you start installing additional software.
So make sure that you’ve got something like gigabit Ethernet. You can do it with 100 megabit fast ethernet, but you’re not going to enjoy the process. It’s going to take a long time.
If you’re going to do this onto USB drives, that’s great. Make sure that they’re at least USB 3 because of the transfer rate. We don’t want you sitting around for hours and hours while you wait for an image to go and holding up the rest of the work that you’d want to do.
Flash drives, absolutely. You can find USB 3.0, possibly 3.1 and 3.2, and USB-C, just something that’s fast enough to carry the content that you need.
Anything else, John? There we go.
John
No, I was going to talk about memory analysis, and this one breaks my heart. I don’t want to say that Rekall is dead as a project, but it definitely is looking like it hasn’t been updated in a really long time.
One of the main people behind it is starting another project called Velociraptor. If you want to do Velociraptor security, somebody maybe can throw a link up in the Discord channel, but he’s moved over to an endpoint monitoring project called Velociraptor.
If you’re looking at memory analysis, one of the big things that you’re going to be looking at now is you’re going to be looking at Volatility and using FTK Imager to do acquisition of memory on computer systems.
Because if you’re trying to learn security, I think the biggest thing that you should need to do is not just understand the infrastructure and how all these things work. I mean, that’s definitely, it’s definitely important.
But you also want to practice doing acquisition of drive images like Bill just talked about, on the previous slide. And you want to practice doing memory captures on systems as well.
Because anytime you’re doing forensics, the days of just pure hard drive forensics are over, right. There’s a lot of malware that actually resides exclusively in memory. Thank you, Dale.
Dale, put it out there. The days of just doing simple hard drive forensics are done. You need to have the ability to actually pull that memory down. So the question was, WinPmem.
Now, remember, WinPmem was part of the Rekall project, and that works if you’re using Rekall. But as I said, I’m not seeing the Rekall project get as much love as the Volatility Foundation is putting towards what they’re doing these days.
So, the newer version of Volatility was somewhat problematic. I was just talking with Malware Jake because he’s an expert at doing forensics and stuff and we’re going to be getting him on some future webcasts.
So the newer version of Volatility has some issues, especially with backwards compatibility of legacy plugins. So it’s a good idea to have multiple different versions of Volatility around anytime you’re doing analysis.
So. All right, so any questions so far, CJ?
Bill
There are so many dang questions. I have a little trouble hearing you, CJ.
John
He said there’s so many questions. I think he was crying, Bill.
Bill
Okay, all right. Hey, just because of time, I think we may go and, move a little bit faster through a couple of these slides, but I’ll try to at least get a basic coverage of each.
So lab serve, the second system that you can hook up to a network like this, is going to provide any services that the infected or systems under test need.
So if you need to provide a DNS server or an SMTP server, if you want to send logs over to an internal system, if you want to use a web proxy so that you can investigate traffic before it goes out or log individual requests, put them on lab serve.
And ideally that’s going to be a separate box from the Sentinel system that’s capturing traffic. You can put them both on the same box if you want. It just gets a little bit more complicated.
Make sure that you turn on logging of all requests and don’t allow. And if you have to send any, connect any traffic. If you have to make connections, make them from labserv to the lab system as opposed to opening up file shares.
Where the lab systems connect up to lab serve, they should go the other way. You want to take the systems that you trust and make connections outbound to the systems you don’t.
All right, can you put them on the same box? Yeah, you can. Ideally, if you’ve got a firewall, a Sentinel and lab serve as three separate boxes, that’s great.
If you have to combine them, you can do that for cost reasons. You can do everything on one box. I wouldn’t recommend it. The security is really hard to keep.
It’s hard to do and hard to think about it. Joff, what you got for us?
Chris
Oh, I just had a quick question on the prior slide, Bill. Are you making the assumption that lab serve is going to be a virtualized server? It’s going to be some sort of ESX server?
John
It could be either one, right? You could do it virtual. You could do it with just some stuff that’s sitting around, right, Bill?
Bill
Absolutely. Sentinel and lab serve could both be virtual machines. I tend to like doing sniffing right on the host box, but other than that one particular function, the other ones could be virtual machines.
Chris
All right, sounds good. Thanks.
Bill
Yep. CJ. Yeah, we are streaming uncle. So we’ve got 2500 to 2600 people here.
John
Let’s hold the questions, guys. Let’s hold the questions till the end. We’ll stop the recording and then we’ll go into Q and A mode.
Bill
Yeah, we need to keep them general. We’re getting a lot of very specific questions that I’m like, you guys are gonna have to Google that. Yeah, keeping up, trying to answer questions and we cannot keep up.
Yep. Hey, thank you everybody. We have a lot of people on the webcast today and we appreciate your patience. So the other thing that you can do with a lab network like this is come up with guinea pigs.
So if you want to test out software, if you want to install something, if you want to see how it works, have a system where you can do a dry run of installing something.
If you have a Windows, a Mac and a Linux system that you can put packages on, that’s great. If you want to test out phones, install different apps on them, see how they work, that’s great.
Virtual machines in this case are wonderful. So if you can take a physical box and hook it up to the lab network and then you have different virtual machines with different operating systems, you start them up and shut them down as needed.
Take snapshots, make clones of them. This is where you really start to understand how virtual machine architectures work. It’s a perfect use.
Now if you can’t afford that, go back to the TRS-80 Model I Level II in the lower right and that will do everything that you need.
John
Yep, just all you need.
Bill
Great.
John
So my systems at home, these are the two systems that are running the Windows side of my environment. The one on the right is a System76 with 32 gigs of memory.
I’ve got multiple Windows 10 workstations that are all tied to the domain controller on the ThinkPad on the left. Those are plugged into a switch that’s actually dangling right in the middle of the wall because I don’t have a LAN cable long enough to try to tie everything together.
But in this environment I’m really, really keen on getting an accurate representation of an Active Directory environment. Multiple Windows 10 clients and an Active Directory server.
By the way, Kent and Jordan are on. At least I saw, Kentucky Kent. Can you share out on discord a couple of your links for auto generation of users and also auto generation of white noise, the white noise generator.
And then Dan of Stack said, why would you put Windows on a System76 computer? It’s actually a Windows virtual machine. It’s actually running Pop!_OS.
And then I’m using VMware to actually run all the Windows workstations on that. Now, the span port, I’ve got another span port, and I’ve got another old ThinkPad that was sitting around my house.
And this is my Zeek system. I went through, and I installed AI-Hunter and Zeek on this box, and it’s currently pushing all of the traffic up to the cloud.
After we get through the core of the webcast, I’ll actually show you guys my interfaces for my Elasticsearch, Kibana and Logstash server. And I’ll actually show you my AI-Hunter interface from my house as well.
I’m using AI-Hunter and RITA at home. Like I said, when we’re done, I’ll be sure to show you guys exactly what this looks like. I’ve got malware running, and I’m detecting the beacons and doing all kinds of crazy stuff with that as well.
Here’s a HELK system. I stood up a HELK system. Actually, I didn’t. Kent and Jordan stood me up a HELK system in the cloud. I’m shoving all of my endpoint logs to this HELK system.
One of the things we’re going to be coming out with next week, and we’re going to be sharing a little bit with you all here, with a little bit of a preview, is we’re going to be running malware, and then we’re going to share the sysmon event logs for what that malware did.
And then we’re also going to be sharing kind of the Bro/Zeek logs and network captures associated with that malware executing as well, because we really want people to play around and really get familiar with what malware actually looks like and what the logs actually look like.
So we aren’t just buying a SIEM and hoping the vendor tells us exactly what it should be without actually knowing what it is as well. This is my BeaKer system. This is actually part of the dev environment.
BeaKer. Once again, a preview. We’re going to be releasing this ELK stack that’s specifically dedicated for doing network based threat hunting off of the Sysmon event ID 3s. This will be coming up here in a bit. Somebody had some, if you hadn’t heard.
Bill
Of BeaKer, this is the software that identifies the process that’s holding a particular network connection open. It’s good supporting information when you’re trying to track down on a given system.
Why is somebody connecting out to Bulgaria yet again today, huh?
John
It’s Thursday.
Bill
That’s right.
John
I wanted to talk a little bit about creating evil because we’re creating a lab, Bill, for actually doing monitoring and doing all this stuff. But you gotta get evil in that lab, and there’s so many things that you can actually play with that are free.
Of course, you have Metasploit, right? And I’ve got a couple of additional things up here. The Metasploit project is fantastic. Everyone knows that. You also have the Atomic Red Team from Red Canary, part of our training.
We give 10% of the proceeds for training to a project, and we donated a, good percentage to Atomic Red team, which they very graciously declined and asked us to give it to a different project.
But Atomic Red Team allows you to automatically generate a series of scripts that’ll replicate what attackers do. The other tool that I’ve been playing with a lot is SCYTHE.
SCYTHE is a product by Bryson and the folks at GRIMM. And there is an amazing threat catalog that you can generate campaigns, create executables, and it’ll automatically go through these campaigns matching what actual attacks do.
So it’s really easy to work with. So we’ve got a number of different things that you can play with to actually create evil in your environment in a way that’s contained and it works. And then you can actually monitor what the attack looks like from the logs and the network traffic perspective.
Bill
I’ve been told this because I’m simply in the house. I have plenty of evil in my environment and plenty of evil. Yeah, exactly.
John
So this is actually, a lot of people didn’t believe me the last webcast when I said, I have a whiskey egg for my base kind of platform for my recording system.
This is the recording system I have set up using Stream Deck and OBS. And I’ve got cameras and stuff set up. So we’ll be recording a lot of videos and security training coming up in the near future.
So that’s the recording deck, and you can see once again the rat’s nest of wires behind it. So, Bill, do you want to talk about incrementally opening up the firewall?
Bill
So this is one of the core ideas that I’ve been pushing. When you set up a network like this, you close out as much as you can, you don’t let systems get instant Internet access.
The goal for me is that I start off with a firewall that’s almost entirely closed. We have a couple of openings set up so that you can access the sentinel and firewall and lab serve systems, but you block pretty much everything else and you put at the end of the ruleset, block and log everything else.
When you look at the firewall log and you see that a system is trying to make an outbound connection, then you add in a new rule for that. And if you agree that it should be allowed, you set it to allow.
And if you say nope, that shouldn’t be happening, then you put it to block and log it, block and drop or drop, depending on how your firewall phrases it. And then you keep doing this and you get a picture of how this is working.
It’s slow and it’s painful. The reason I wrote Mason at the bottom was that this was one of my first big software projects. If you can picture a firewall creator that is written in bash.
Yes, that’s Mason right there. And I’m proud of the work that I did. I’m not proud of the architecture. If I started over again, I would not be using bash for that.
I’m not going to give a link to it because quite frankly, the software is quite old, it’s unmaintained. I wish you the best of luck. So go ahead, John. Let’s move forward.
John
All right, so IDS/IPS systems. Oh wait, software. So there’s a bunch of software out there that you can work with. And this is at the point, Bill, where I realize this probably needs to be a series.
When we’re talking about doing forensics on systems, we’re talking about how to use things like osquery or was, which we’ve already done some.
There’s just so much that we could get into. But here’s the cool thing. If you guys go through and you create a lab that has span ports and you have it set up and it’s firewalled off, well, it’s flexible.
So from this point on, whenever we start talking about these architectures, you’re going to be able to use these tools and play along with us. So we really, really hope that you all work and build a lab.
So whenever we sit down and we play with osquery, you’ll be ready to rock and roll. For IDS and IPS, there’s a ton of them that are out there. Personally,
my favorite is Security Onion. ROCK NSM, I think, is very, very, very cool as well. But Security Onion is just a huge contributor to the community.
The other project that we are going to donate money from our training on, so Security Onion is great for getting this stuff set up. Now I’m just using standard Bro/Zeek and doing packet captures, and that makes it flexible, so I can incorporate it into a wide variety of additional platforms as well.
Bill
John, you got an excellent point there, is that go ahead and play with these tools. Give them a try. You’re going to install three of them and you’re like, this is terrible. I’m not going to use this anymore.
But you’re going to come across three more that are like, why have I not been using this all my life?
John
Your whole life?
Bill
Yeah.
John
So do you want to talk a little bit about packet capture?
Bill
Absolutely. Because you’re getting a full feed of all the packets out of the span port over at the Sentinel system. Here’s your chance to save them to disk, to analyze them live, to analyze the PCAP files after the fact. And the fact that the PCAP format, while there are technically a couple of different PCAP formats, but as a basic rule, anything you capture on one piece of pcap software, you can read with any of the others.
And this is just beautiful. When you’re doing forensics, you may go and just use one tool to start with, and you may switch over to two or three others when you have special needs.
Joff, Joff, you’re on mute. I hate to say it, Mister Joff, you’re on mute.
John
Well, let’s keep moving then. Let’s talk about network monitoring. There’s a bunch of tools now I had not heard of, Shinken monitoring.
Of course, Nagios, I’m familiar with that. Could you tell us a little bit about some of these monitoring tools for the network side?
Bill
I think from the time that we’ve got, I may not try to go into that level of detail, if that’s okay. John: That would be good. Yeah, I’m not going to go into each of them.
What we did want to do is give you a couple of different options of things you can try. Go ahead and take a look at the different packages. We even have some lists of separate tools down at the bottom that you can look at.
Let’s go ahead and skip ahead because this is really where people can try out the packages on their own.
John
Yeah, there’s tons of tools. The ATT&CK platforms. The world’s your oyster. Run nmap, run Linux, run Passer, run attack tools that you’ve always heard about and really start to take apart.
What does that attack actually look like? If you’re looking at a Metasploit exploit, what does that exploit look like when it fires? What does the command and control look like whenever it calls back?
These are things that I think far too few security professionals actually do. And Bill, what did you call it whenever you were working at camp? People were making all kinds of jokes about this one time at camp, but what did you call it?
Where people had a safe environment where they could practice things?
Bill
Yeah, exactly. That’s it. That you could. That you felt like you’re physically safe, but you also had a chance to say, look, I can make mistakes here, and no one’s going to judge me for it, and nothing’s going to crash and nothing’s going to get hurt.
That’s where learning happens. Not when you feel like people are watching you and they’re going to judge you if you screw something up. Do it in a safe environment.
John
Absolutely. So disk imaging. Tons of tools out there for disk imaging. Do you want to talk about any of these projects? I’ve used Clonezilla. That’s been the project that I’ve used forever. And anything else you want to add for disk imaging?
Bill
The two Raspberry Pi tools are down below. Those are specifically if using Raspberry Pi. Other than that, just come up with a tool that you trust that you can make an image from and make sure that you can restore it to a different system or a different hard drive and make sure that you can boot off of that before you trust it.
John
Very good. So we talked about a budget, and we talked about isolation. The idea of limiting what gets in and gets out of this environment is incredibly important.
Having the ability to store all these. Yeah, it should be your first priority. And then, like you said, the rest of it is completely negotiable. Like, how fast is it? How beefy is the server?
Who cares? So some closing notes. And I did this a bit different. So you said, do not connect other systems to this network. However, I did attach my kids computers to this network, mainly because I can monitor what they’re actually doing on the network connection side.
And I got to be honest, RITA is awesome. I could be like, okay, I can see that there was like a gig of traffic that was transferred last night to Netflix from the hours of like 11 till 3:00.
I know this is Logan’s computer. And I know that he was up late watching videos or things like that. And it’s so awesome whenever you finally get this going in your environment to get it to the point where you’re having enterprise visibility on your home network, you feel like a God in your basement.
And I made this joke. Your laptop, your teenager’s laptop. And my daughter was like, oh, that Drake meme has more layers to it than you think. And I started researching it and I was like, oh yeah, there’s a lot there.
So we’d like to open it up for some questions. Now, we barely made it to the end of the presentation on time, so we can officially say that this is the end of the webcast because we got it done in an hour.
So round of applause. Very good, Bill. We had a lot to get through, but now let’s open up to all those questions that people were asking because we know that Chris and CJ and Jeff and a bunch of people were melting down because we had 2600 people on this webcast.
So let’s get started.
Joff
Before we take questions, I do want to point out one thing. Bill keeps talking about the summer camp thing he was doing. I’ve gone through that. It was a rope obstacle course, like 70 ft in the air.
And yeah, Bill did a really good job of making you feel like you were safe and that you weren’t going to die.
Bill
Which is only fair. Hey, John, if you can leave that slide up with the links to Ethan’s. Ethan’s.
John
I’ll bring it up in a second. Just connecting in something else.
Joff
Had a lot of questions around Sentinel, if you want to start there.
Bill
Sure.
John
Absolutely.
Joff
Let’s talk about Sentinel. What is it? How does it work? What do you think of it?
Bill
It’s just the name of a machine. In this case, it’s not a particular software package unless somebody was referring to an actual software package called that. Now this is just where you run your forensics from, where you do your packet captures, where you do your analysis.
This is the box that’s safe, that’s watching the network as opposed to the lab serve system. And that again is just a name. It’s not a piece of software where you provide services to the machines on your lab.
Joff
And somebody had mentioned that the memory analysis slide was missing from the deck we shared. So I think maybe that got added after the deck was made that got posted.
So we may want to get that updated. Shelby, maybe you can kind of connect with John on that one.
Bill
Shelby, you should be able to download a new PDF if you’re game, and to print it and then save it.
Chris
Hey, so I was going to drop a quick comment in on the capture slide, which I missed when my wireless microphone went battery flat. So anyway, the quick comment was this: get familiar with tshark for those who have never used it before.
Unlike tcpdump, unless you specially compile your own version of tcpdump, tshark has a nice ring buffer in it and it’s very, very high performance.
And so if you are capturing traffic, tshark on the command line is really, really good at capturing very representative traffic.
Bill
Wonderful, excellent. The two links to the blogs that John had mentioned. Ethan Robish did a really nice job on how to do serious, serious isolation between the systems on a lab network.
Home network design part two, I think, is still steaming. It just barely came off the presses.
John
It’s a full book. It’s amazing.
Bill
There’s a lot in there. And he deserves a lot of credit for a nice blog.
Chris
On that, Ethan’s blog also back references an earlier one from myself from about 2016, which talks about a SOHO router using Ubuntu Linux.
There’s a lot of good tips in there as well.
John
So.
Bill
Wonderful. Keep following the chain.
John
So we have about 2000 people, folks, that are staying for the post show banter. So for the 2000 of you that are still here, do you guys want to see something cool?
No, I never want to see people like cool things. So, let’s talk about, am I going to jump into a creek? If I could break through the ice, I would.
So, I want to talk about. There’s a bunch of people that support us in doing just an amazing job. And Keith is one of those people, a guy that’s behind the scenes and he’s amazing.
This is what we’ve been working on. This is a preview of what’s coming up. This is the malware of the day sheet, where we’re using tools like Cobalt Strike and Metasploit and Empire, and a bunch of tools to generate basic step by step instructions for setting up the ATT&CK.
So here you can see this is a Havex malware sample setup. This is a Pitty Tiger sample setup. But then we also have the PCAP files associated for all of those.
Now, it’s not an enterprise class PCAP file. It’s basically a PCAP file from one system going out to another computer system. But it’ll at least get you familiar with what evil command and control looks like.
Now, all of this, not all of this. We’re loading up the first two. He said he wanted to do Havex and Pitty Tiger, and we shared them at activecountermeasures.com.
Go to activecountermeasures.com and you go to documents. You’ll be able to gain access to this file share that has all kinds of different presentations and stuff, but the one that you want to look at is malware of the day.
Malware of the day has the setup sheet for explaining the malware, Pitty Tiger and Havex, and then also the capture files associated with it.
So this is something that we’re going to be releasing a series of blog posts with. And the reason why I wanted to talk about this is this wouldn’t have been possible if it wasn’t for the fact that Keith set up his own home network.
And Keith started doing this and doesn’t see it and he doesn’t sleep. Neither do I. Right? So we have this kind of amazing repository that we’ve started building, and you all can basically start working with this, doing this exact same type of thing.
But I want to really stress keeping good records of what you do is important because you’re going to come back and you’re going to say, how did I do that? How did I set up that malware?
Where’s that packet capture? When you’re setting up your network for wiring, be nuts, go insane. But whenever it comes to actually collecting the data, try to be a little bit more meticulous.
So this is activecountermeasures.com documents. We do have to put in the user: the first name, last name, email address just to make sure that we don’t get Dropbox really mad at us.
So everybody, if you could just say thanks to Keith, that would be great. And did we just give activecountermeasures.com the kiss of death?
Bill
Probably did. We’ll find out later.
Joff
No, because Keith is running that site, so, it can take.
Bill
And do yourself a favor, whenever you run little hand.
Joff
Thank you for Keith. He likes little hands.
John
Yep, yep. Give him little hands. I mean, just come back to the website a little bit later. We don’t all have to hit it. So, guys, we just did a stress test of the BHIS or, excuse me, the Active Countermeasures website.
So well done, everybody.
Bill
Whenever you’re running malware, make sure you’re capturing the raw traffic, because then you can come back and analyze it with 700 other tools later. Yes, it really makes a difference.
And you can learn so much more from multiple tools rather than saying, oh, I’m just going to capture this with fill in the blank here and then not keep the packet.
Joff
Yes. Does your IDS catch it? If not, maybe you need to be doing something else.
Chris
Yeah, it’s helpful to develop a quick script that does a continuous capture and just keeps writing out pcap files on a periodic basis, because then you’ve kind of got a video recorder and you can go back, like...
Bill
Like this in the slide. Yep. Yeah.
Chris
Had a screen on that with tcpdump, and yeah, it’s worthwhile to do that on any of your devices that you use for analysis, because then you always know it’s just sitting there.
Joff
Although I will say I’m impressed. That’s a bash command that fits on a single slide.
Bill
It’s hard to do. Yes.
John
You had to strip it down.
Bill
The two commands are identical except for the fact that the second one throws away the body of TCP connections and only keeps the opening and closing packets. So the second one will take up a lot less disk space.
But then you can’t analyze the payload. That’s the only difference between the two.
Chris
Right. And another option for that is to modify the snaplen. If you’re really concerned about that and you only want to keep, like, the first 96 bytes, you can do that and use a lot less disk space.
But the trade-off, the downside, is that you’re not capturing that full packet. You’re trading size for accuracy in the result.
Joff
Well, 96 bytes will get you the IP header, it’ll get you the transport header, and it’ll get you to the start of the payload.
Chris
Yeah, exactly.
Joff
Right. So you might not get everything, but you’ll at least see like what was the DNS query being made? And stuff like that.
Chris
Exactly. And that’s often a really good thing to do. Full packet capture is much more difficult. You may end up dropping packets because it’s quite intensive. This is why I mentioned, well, there’s...
Joff
Never anything interesting at the end of the packet anyway. It was interesting, right?
Chris
If you’re into developing ring zero attacks against Ethernet drivers, there is really interesting stuff at the end of the packet.
John
Are we going to start talking about, like, the urgent flag and the urgent pointer? Because usually... Yeah, really, urgent pointer. That’s the interesting part of the packet. I can only imagine, like, Keith is getting huge kudos right now online.
And Keith just typed into Discord: you all just DDoSed our website.
Bill
And.
Chris
Of course, emergency stands for “please urgently, covertly transmit my data now.”
John
Absolutely. So get on that, start fixing. It’s like, Keith’s like, thank you, everybody. Oh, my God. On fire.
Bill
That’s dead.
Chris
Keith’s office just went up by about 20 degrees.
Joff
Hey, one thing I did want to throw out. So we did get a lot of questions that were kind of around how do I build this? How do I afford it? Where do you get the equipment?
And I guess the point I wanted to make, and you guys can correct me if I’m wrong, is we’re not designing a production network. It’s not about, oh, hey, what’s the latest and greatest Dell pizza box?
Let me get that. It’s about, what do I want to learn? Let me scrape together the stuff I can find on the cheap. If setting it up virtual is all I can do, do it.
If you can do dedicated hardware, do it. It’s really about creating an environment where you can make mistakes. And it’s okay because it’s your own home network.
Bill
Yeah, we had to squeeze. If you’ve got people nearby that have some old hardware that they don’t want, if you’re working somewhere and they’ve got hardware that they’re not using.
Joff
Yeah. Maybe your neighbor’s not doing much on their wireless,
Bill
Absolutely.
Joff
I’m totally kidding.
Bill
We had questions like, what OS should I put on this? I’m like, right. What are you learning and what do you need?
Joff
Yeah, what do you want to learn? What do the least? That’s the one to start there.
John
Start there and work your way up.
Bill
Absolutely. So you can put Windows or Linux on almost anything. macOS, you want a Mac itself. But absolutely, if you’ve got tools that you want to try and they only work on FreeBSD, well, now you know what to install.
But if you’ve got a virtualization platform and you can just install VMware, VirtualBox, KVM on Linux, then install them all, come up with some extra disk space, download everything and say, great, today I’m going to install Nmap over on Ubuntu Linux 14.04.
Great. Give it a try. What other questions did we have coming in? Dude, this is crazy. I mean, normally we’ve only got maybe 30 or 40 things left.
And we’ve been in a, I’ve got, I can just scroll throughout, questions out.
Chris
Yeah.
Joff
Although, quite honestly, I think we covered an awful lot of it, because a lot of them were kind of consistent and they were around that: can I do it virtual? Can I do it in the cloud?
How do I afford this hardware? And again, this isn’t... Oh, but that’s the other part of this too: a lot of folks were saying, oh my God, too much information.
It’s like drinking from a fire hose. Hey, welcome to our webcast. This is what we do. You don’t have to do everything all at once. What do you want to learn first?
Okay. What do you need to accomplish that goal? Okay, do that. What does that be? Lather, rinse, repeat.
Chris
Yeah, I was going to say on your virtualization platforms, as you’re looking at that, having a little CPU power is helpful. The other thing is you can get an awful lot of bang for your buck out of spinning disks.
They’re not dead anymore. If you look, yes, everybody’s going out there and looking at their SSDs and getting excited.
Joff
But especially at home Internet speeds.
Chris
Yeah, exactly. A few spindles of spinning disks can get you a ton of storage at a very inexpensive price.
Bill
Old hard drives. Absolutely. Hook them up.
Joff
Also, sir, a question on, hey, what about Raspberry Pis?
Bill
Hmm.
Joff
I seem to remember a webcast...
Bill
On what about Raspberry Pi? A lot of the things that you could do on a big Linux box you can do on a Raspberry Pi. I’m not going to go and redo the January webcast, but yes, we have...
Joff
A webcast on that. Go to the education section on the website once it starts responding again.
Bill
Yep. www.youtube.com. Both Active Countermeasures and Black Hills have YouTube channels. Please subscribe to both. But there’s a full webcast on that.
And you can do so much of this on a box that you can get fully outfitted for under $100.
Joff
Can I just say I’m a little frightened. We have more people on the webcast now than we had 15 minutes ago.
John
I know how that’s working.
Chris
I think we flattened the curve and then it started accelerating.
Bill
Don’t do it, John. Look lame.
John
On our curve here, somebody brought up that Microsoft offers 120-day trials, and they do. But the best thing about the 120-day trials on Microsoft is you can rearm them.
So you just need to Google “rearming Microsoft trial,” and it’s one command and that rearms it for another 120 days. And I think you can do that three times, so there’s no excuse not to have just a really awesome Windows environment.
By the time you get to the end of your trial licenses for your environment, it’s probably time to burn it down and restart. And to be honest, if you haven’t burnt it down and rebuilt it from the ground up, you’re probably playing your lab wrong.
Because honestly, you should be doing that all the time, because that’s how you get good.
Bill
I’m not sure if it’s still available, but there used to be a Microsoft Developer Network you could sign up for. And for some ridiculously small amount of cost per year, you get licenses for everything.
I haven’t done it in a while. I couldn’t tell you if it’s still available, but it’s certainly worth looking up.
Chris
And don’t forget the clock. You can always play fun games with the clock. I actually had in my environment some old Cisco wireless APs, and they’ve got built-in manufacturer certificates for their communications.
Well, if you’ve got a really old AP, that manufacturer certificate’s going to expire at some point. All you have to do is turn back the clock and you’re back in business.
Bill
I love it.
Chris
It’s tricks like that that let you actually make things work again. It just takes a little bit of thought. And, in fact, my home wireless network is running on that.
My home wireless network is running in 2015 right now. Just FYI.
Bill
I love it. Other questions that came in? So many.
Joff
Well, we’re 15 minutes after the hour, so I think we’re kind of at the end of it. But I do think we covered an awful lot of the questions, so I think we’re in good shape.
Bill
Sounds great. Thank you for DDoSing our web server. We appreciate it. Now we know how many connections we can take. Hey, seriously, thank you for taking the time to join us today.
We really appreciate it. If you’ve got questions, please connect up to the Discord server. The conversation can continue there as long as you want. We would love to have more ongoing discussion, especially if you’ve got specific questions.
I won’t be able to join in for the rest of the day today, unfortunately, but I will try to check in tomorrow and see if there are ongoing discussions.
John
All right, later, everybody.
Chris
Awesome.
Joff
Thank you, folks.