
Creating vulnerable virtual machines in no time with SecGen



Today I want to draw your attention to an interesting project, SecGen, which makes it possible to have a fresh Metasploitable-style vulnerable virtual machine every day for learning the basics of ethical hacking.

Everything happens automatically; you only need to install the framework. Let's get started!

How does it work?


SecGen is a script written in Ruby. At its core it relies on Vagrant and Puppet.

Let me remind you that Vagrant is a tool for quickly and conveniently deploying entire infrastructures of virtual machines, using the VirtualBox or VMware hypervisors locally or the Amazon AWS cloud. All the settings of the future virtual machine are described in a special file, the Vagrantfile. You do not have to download OS ISO images, because Vagrant already offers many ready-made virtual machine images (boxes) that can be downloaded from a dedicated catalogue.

Puppet, in turn, is a configuration-management tool that replaces ad-hoc bash scripts. Puppet has a clear configuration language, and its scripts are stored in files with the .pp extension. Puppet can install particular software on a machine after first checking that the system meets the required conditions, configure it, set environment variables, and much more.

Thus SecGen only has to choose which box to download and deploy with Vagrant, which software to install and configure with Puppet, and to generate the flags that the pentester has to find during exploitation.

SecGen has a modular structure: each module is a package containing a vulnerable application, its settings, Puppet scripts, and some additional files that let SecGen process it correctly.

Installation


Officially, SecGen is tested on Ubuntu, and the installation process is described on the official GitHub page. I will use 64-bit Ubuntu 16.04.3, which is itself a virtual machine with 2.5 GB of RAM.

Install the required packages:

sudo apt-get install ruby-dev zlib1g-dev liblzma-dev build-essential patch virtualbox ruby-bundler vagrant imagemagick libmagickwand-dev exiftool 

You may also need to install one more package that is not listed on the official website:

 sudo apt-get install libpq-dev 

Now clone the GitHub repository:

 git clone https://github.com/cliffe/SecGen.git 

Go to the newly created directory and install all the dependencies:

 cd SecGen
 bundle install

The necessary Ruby libraries will be installed.



Check that the script works:

 ruby secgen.rb --help 

The available options are shown.



Create your first machine with a random set of vulnerabilities


This is SecGen's basic mode of operation when no options are specified. Run the command

 ruby secgen.rb run 

The download of the Vagrant box that SecGen automatically chose for us will begin.



Once the Vagrant virtual machine image is downloaded and imported, the virtual machine starts up.



SSH port forwarding to the machine is configured automatically on port 2222. A key is generated, SecGen connects to the machine, installs rsync, and then installs and configures everything needed.



Please note that if your host machine does not have direct access to the package repositories (for example, you are working through a proxy), the installation will be interrupted, because the guest virtual machine will not be able to install rsync. In that case you will need to obtain direct access to the repositories, delete the virtual machine, and run SecGen again with the build-vms option.

All the necessary Puppet scripts will then be executed.



Finally, you will see a completion message in the console.



Using the VirtualBox command you can make sure that the machine is really running.



Anatomy


The SecGen directory contains, among others, the projects, scenarios and modules directories.

Projects

projects, as the name implies, stores everything needed to create the virtual machine described in a project. You can remove the machine and regenerate exactly the same one. To do so, run the following command, pointing it at the project:

 ruby secgen.rb --project home/user/SecGen/projects/SecGen20170920_1154 build-vms 

To get a list of projects, run

 ruby secgen.rb list-projects 

which produces the result shown.



Similarly, there is a build-project option; with it the configuration files for Vagrant and Puppet are created, but no virtual machines are built.

Scenarios

When launched without options, SecGen creates a virtual machine with a random set of vulnerabilities, but we can influence their nature using scenarios. They are stored in the scenarios directory as XML files and are categorized. The default is default_scenario.xml, and it looks like this:

 <?xml version="1.0"?>
 <scenario xmlns="http://www.github/cliffe/SecGen/scenario"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
   <!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
   <system>
     <system_name>storage_server</system_name>
     <base platform="linux" type="server"/>
     <vulnerability privilege="user_rwx" access="remote" />
     <vulnerability privilege="root_rwx" access="local" />
     <service/>
     <network type="private_network" range="dhcp"/>
   </system>
 </scenario>

It says that a Linux virtual machine will be created containing two vulnerabilities, one remote and one local. That is, you first have to get onto the server through one vulnerability and then exploit the second one locally.

Usually the name of the scenario makes it clear which machine SecGen will create, for example any_random_vulnerability.xml. I recommend looking at the examples in the scenarios/examples directory.

There are fairly complex scenarios in the scenarios/security_audit and scenarios/ctf directories.
For CTFs, the developers of SecGen suggest using their frontend.

Modules

From the description of the scenarios it is clear that modules are divided into categories. All modules are collected in the modules directory and are divided into the following groups:


In turn, each group has subgroups such as smb, webapp, bash, ftp, and so on.

Each module has approximately the following structure:



The secgen_metadata.xml file describes the module in detail. This is needed for the scripts to work correctly and to select this module for the appropriate case.

Part of the file:

 <?xml version="1.0"?>
 <vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability ">
   <name>chkrootkit 0.49 privilege escalation</name>
   <author>Thomas Shaw</author>
   <module_license>MIT</module_license>
   <description>
     chkrootkit 0.49 and earlier contain a local privilege escalation vulnerability
     allowing a non-root user to place a script in /tmp that will be executed as root
     when chkrootkit is run. This module adds a cronjob to run chkrootkit periodically
     for exploitability.
   </description>
   <type>privilege_escalation</type>
   <privilege>root_rwx</privilege>
   <access>local</access>
   <platform>linux</platform>
   ...

The manifests directory contains the Puppet scripts configure.pp, init.pp and install.pp.
The files directory contains the required distribution files; in this case a single file, chkrootkit-0.49.tar.gz.
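To make concrete how a scenario's vulnerability constraints (privilege, access, base platform) are matched against a module's secgen_metadata.xml, here is an added Ruby example; it is not SecGen's own code. The scenario is the default one quoted above, the chkrootkit entry mirrors the metadata shown, and the two other modules are hypothetical stand-ins constructed for the example.

```ruby
require 'rexml/document'

# Constructed copy of default_scenario.xml (as quoted on this page).
SCENARIO_XML = <<~XML
  <?xml version="1.0"?>
  <scenario xmlns="http://www.github/cliffe/SecGen/scenario">
    <system>
      <system_name>storage_server</system_name>
      <base platform="linux" type="server"/>
      <vulnerability privilege="user_rwx" access="remote"/>
      <vulnerability privilege="root_rwx" access="local"/>
    </system>
  </scenario>
XML

# Constructed stand-ins for secgen_metadata.xml; only chkrootkit mirrors the page,
# the other two are hypothetical (the Windows one must never match a linux base).
MODULE_METADATA = [
  '<vulnerability><name>chkrootkit 0.49 privilege escalation</name><privilege>root_rwx</privilege><access>local</access><platform>linux</platform></vulnerability>',
  '<vulnerability><name>hypothetical remote service bug</name><privilege>user_rwx</privilege><access>remote</access><platform>linux</platform></vulnerability>',
  '<vulnerability><name>hypothetical windows local bug</name><privilege>root_rwx</privilege><access>local</access><platform>windows</platform></vulnerability>',
].freeze

# Text of the first child element with the given local name (nil if absent).
def text_of(elem, tag)
  child = elem.elements.find { |e| e.name == tag }
  child && child.text.to_s.strip
end

def parse_module(xml)
  root = REXML::Document.new(xml).root
  %i[name privilege access platform].to_h { |k| [k, text_of(root, k.to_s)] }
end

# For every <vulnerability> of every <system>, list the module names whose
# privilege, access and platform all satisfy the scenario's constraints.
# SecGen itself then picks one candidate at random; we only do the filtering.
def candidates(scenario_xml, module_xmls)
  mods = module_xmls.map { |x| parse_module(x) }
  REXML::Document.new(scenario_xml).root.elements.each_with_object({}) do |system, out|
    next unless system.name == 'system'
    sys_name = text_of(system, 'system_name')
    base     = system.elements.find { |e| e.name == 'base' }
    platform = base.attributes['platform']
    system.elements.each do |vuln|
      next unless vuln.name == 'vulnerability'
      want = { privilege: vuln.attributes['privilege'], access: vuln.attributes['access'], platform: platform }
      key  = "#{sys_name}:#{want[:access]}/#{want[:privilege]}"
      out[key] = mods.select { |m| want.all? { |k, v| m[k] == v } }.map { |m| m[:name] }
    end
  end
end
```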

Project Details

When a project is created, you will find a scenario.xml file in it describing which vulnerabilities were used and, in general terms, how to get the flags.

For example, in our project we find two XML vulnerability tags pointing to modules:
modules/vulnerabilities/unix/misc/distcc_exec, described as "distcc has a documented security weakness that enables remote code execution", and modules/vulnerabilities/unix/desktop/xfce_lightdm_root_login, described as "Configures XFCE w/...".

If the module description does not make its essence clear, you can go to the corresponding directory and examine the module files.

The project directory also contains a hidden directory, .vagrant, which among other things holds the private key for SSH access to the server as the vagrant user: the private_key file.

So you can connect to the virtual machine as follows:

 ssh vagrant@127.0.0.1 -p 2222 -i private_key 



The ifconfig command gives us the following result:

 eth0      Link encap:Ethernet  HWaddr 08:00:27:86:1c:fb
           inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
           inet6 addr: fe80::a00:27ff:fe86:1cfb/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:125254 errors:0 dropped:0 overruns:0 frame:0
           TX packets:13570 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:177651061 (169.4 MiB)  TX bytes:1034124 (1009.8 KiB)

 eth1      Link encap:Ethernet  HWaddr 08:00:27:83:ea:5e
           inet addr:172.28.128.3  Bcast:172.28.128.255  Mask:255.255.255.0
           inet6 addr: fe80::a00:27ff:fe83:ea5e/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:8 errors:0 dropped:0 overruns:0 frame:0
           TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:3130 (3.0 KiB)  TX bytes:2304 (2.2 KiB)

 lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Testing


We have found the IP address, so penetration testing can begin. First check that the virtual machine is reachable from the host.



Scan it to find the open ports:

 sudo nmap -n -Pn -p- 172.28.128.3 



From here, using your favourite penetration-testing distribution, you can begin exploiting distcc.

The only caveat is that, by default, the virtual machine has two interfaces, in NAT and Host-Only modes, so to reach it from an external machine you will need to set up port forwarding on the NAT interface.



Alternatively, reconfigure the machine that serves as the entry point to use a different type of VirtualBox interface that is reachable from outside.

You can change the interface type from Host-Only to Bridged, restart the machine, and assign a static IP address if your infrastructure has no DHCP. And do not forget to set up routes across the bridge.

In conclusion


Of course, modules are written by people and mistakes are possible, but in most cases SecGen creates correctly configured, working virtual machines for practice. The official website (in English) has detailed instructions for creating your own scenarios and modules, which greatly extends SecGen's capabilities and, I hope, will let the project develop further.

Source: https://habr.com/ru/post/338274/
