Labtainers#

Labtainers is a collection of labs published by the US Naval Postgraduate School. More details can be found on their page here. They include walkthroughs, so I won't get too far into it here. This page is more to record some rooms or interesting finds. Any tools used will have their own pages.

General Process#

The general process for all the labs is the same:

  1. In the labtainers VM, open the terminal

  2. Enter labtainer [room]

  3. Let it download the lab. ‘Log in’ (it's just a user to record against).

  4. RTFM

  5. Press enter to start

  6. When you're finished, type exit to close the containers.

  7. Type stoplab to close the lab internally and do all the reporting things.

Rooms used:

wireshark-intro
network-basics
nmap-discovery
pass-crack
ssl
routing-basics
tcpip


Wireshark Intro#

This one actually fails to launch for me, with missing dependencies… huh. Google says reboot so I did… Didn't work.
Ran update-labtainer.sh, and now it works.

As for the lab itself, it's just finding a telnet stream (by filtering for “telnet.data”) then following the stream to find the password packets. Only a couple of steps here.


Network Basics#

This lab introduces tcpdump, a tool for dumping the packets seen on an interface. We used it to analyze an SSH connection for the 3-way handshake. Pretty standard here, except the flags look a bit strange. [S] is the SYN, nice and logical there. The SYN-ACK is [S.] however (with a . symbolizing the ACK part). Following this we have the pure ACK, just a [.]. This is explained, just make sure you read.
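To make both of the points above concrete (the tcpdump flag notation from this lab, and the "follow the telnet stream" exercise from the Wireshark one), here is an added example that is not part of Labtainers or this page: a small Python decoder for raw IPv4/TCP packets that renders flags exactly as tcpdump's `Flags [...]` column does, then reassembles the client-to-server side of a telnet session the way Wireshark's Follow TCP Stream does. The capture is constructed inline (addresses, ports and the credentials are made up), so it runs offline; the point it illustrates is that a telnet login arrives one keystroke per packet, readable by anyone on the path.

```python
"""Decode raw IPv4/TCP packets, print flags in tcpdump's notation and reassemble a
telnet stream. Added example: the packets are constructed inline, not captured."""
import ipaddress
import struct
from dataclasses import dataclass

# tcpdump prints the set flags in this fixed order: F S R P . U E W
TCPDUMP_FLAG_CHARS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                      (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]
SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes


def tcpdump_flags(flags):
    """Render a TCP flag byte the way tcpdump's 'Flags [...]' column does."""
    chars = "".join(ch for bit, ch in TCPDUMP_FLAG_CHARS if flags & bit)
    return f"[{chars or 'none'}]"


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Minimal IPv4+TCP packet builder (no options; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload


def parse_ipv4_tcp(raw):
    """Decode one raw IPv4 packet; returns None for anything that is not TCP."""
    if raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    src, dst = str(ipaddress.IPv4Address(raw[12:16])), str(ipaddress.IPv4Address(raw[16:20]))
    tcp = raw[ihl:]
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    return Packet(src, dst, sport, dport, seq, ack, flags, tcp[(off_res >> 4) * 4:])


def handshake_flags(packets):
    """Flags of the first three packets; a clean handshake gives ['[S]', '[S.]', '[.]']."""
    return [tcpdump_flags(p.flags) for p in packets[:3]]


def follow_stream(packets, port):
    """Concatenate payloads per direction, like Wireshark's Follow TCP Stream."""
    to_server, to_client = b"", b""
    for p in packets:
        if p.dport == port:
            to_server += p.payload
        elif p.sport == port:
            to_client += p.payload
    return to_server, to_client


def build_sample_capture():
    """Constructed telnet session: handshake, then login and password typed one byte per packet."""
    client, server, cport = "172.25.0.2", "172.25.0.3", 40000
    raw = [build_ipv4_tcp(client, server, cport, 23, 1000, 0, SYN),
           build_ipv4_tcp(server, client, 23, cport, 5000, 1001, SYN | ACK),
           build_ipv4_tcp(client, server, cport, 23, 1001, 5001, ACK),
           build_ipv4_tcp(server, client, 23, cport, 5001, 1001, PSH | ACK, b"login: ")]
    seq, ack = 1001, 5001 + len(b"login: ")
    for ch in b"bob\r\n":  # telnet clients send keystrokes as they are typed
        raw.append(build_ipv4_tcp(client, server, cport, 23, seq, ack, PSH | ACK, bytes([ch])))
        seq += 1
    raw.append(build_ipv4_tcp(server, client, 23, cport, ack, seq, PSH | ACK, b"Password: "))
    ack += len(b"Password: ")
    for ch in b"hunter2\r\n":  # the password crosses the wire in the clear, unechoed
        raw.append(build_ipv4_tcp(client, server, cport, 23, seq, ack, PSH | ACK, bytes([ch])))
        seq += 1
    return [parse_ipv4_tcp(r) for r in raw]


if __name__ == "__main__":
    capture = build_sample_capture()
    for p in capture:  # same columns you would read off 'tcpdump -nn'
        print(f"IP {p.src}.{p.sport} > {p.dst}.{p.dport}: Flags {tcpdump_flags(p.flags)}, length {len(p.payload)}")
    print("client -> server:", follow_stream(capture, 23)[0])
```

Running it prints the three handshake lines as `[S]`, `[S.]`, `[.]` followed by the `[P.]` data packets, and the reassembled client stream shows the login and password exactly as the lab's Wireshark exercise does; the same decoder works on real frames once you strip the Ethernet header and feed it the IPv4 bytes.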


Nmap-discovery#

Finally one that doesn't hold your hand. The scenario is you have to find an SSH server on the network, but aren't given an IP and it's not on the default port… Fun.
So, for Nmap, we really need two things: a list of targets and a list of ports. While we could throw it all together, I decided to try to find the targets first. I just thought it would be faster than scanning everywhere. I scanned the whole current subnet, more as an educated guess than anything else:

nmap -sn 172.25.0.0/16 -v

This found 2 addresses quite quickly: us (ignoring that) and 172.25.0.5, ‘nmap-discovery.friedshrimp.student.intranet’. Considering we are looking for ‘friedshrimp’, I'll take it as what we are after. Next we scan the ports to see where to connect:

nmap 172.25.0.5 -p 2000-3000

and we get port 2601/tcp ‘zebra’. The manual tells us how to connect: “ssh -p [port] [target]”.

ssh -p 2601 172.25.0.5

We can then ls, then cat the found file. And we're done.


Pass-Crack#

This one is more for understanding how passwords are stored (and what a hash/digest is). It goes on to show the differences between hash speeds and what this means for cracking them. It also covers dictionaries and their limitations (namely they take time, and only work if the password is in the dictionary).

It did include a few helpful references for shadow files too, replicated below.

Each row is one user, with the values separated by colons (:).

Login Name
Digest
Date of last change
Min password age
Max password age
Password warning
Password inactivity
Account expiration
Reserved

For the Digest, it is 3 values separated by $ symbols: $hashID$salt$digest

The IDs are:

  1. MD5

  2. Blowfish

  3. NT-Hash

  4. unused??

  5. SHA256

  6. SHA512
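As an added example (mine, not from the lab or from Labtainers), here is a Python parser for the row layout and the $id$salt$digest split described above, plus an audit pass of the kind a defender runs over a shadow file: it flags entries using the fast digest IDs (1 and 3, which a dictionary attack gets through quickest), empty password fields, passwords past their max age and accounts that never expire. The sample rows are constructed and the digest strings are placeholders, not hashes of anything. Two format details go beyond the page's summary and are assumptions from crypt(5): bcrypt rows ($2a/$2b/$2y) carry a cost field and then a 22-character salt glued to the hash, and SHA-crypt rows may carry an optional rounds= field before the salt.

```python
"""Parse /etc/shadow rows and flag weak or stale entries. Added example; the
sample rows are constructed and the digests are placeholders, not real hashes."""

FIELDS = ["login", "digest", "last_change", "min_age", "max_age",
          "warning", "inactivity", "expiration", "reserved"]

# Algorithm IDs as listed in the notes above; "2" covers the bcrypt variants 2a/2b/2y
HASH_IDS = {"1": "MD5", "2": "Blowfish", "3": "NT-Hash", "5": "SHA256", "6": "SHA512"}
WEAK_IDS = {"1", "3"}  # fast digests: a dictionary run gets through these quickest

# Constructed sample file (days are counted since 1970-01-01, as in the real file)
SAMPLE_SHADOW = """\
root:$6$rounds=5000$Wd1zN3hA$PLACEHOLDERsha512digestPLACEHOLDERsha512digestPLACEHOLDERsha512:19000:0:99999:7:::
alice:$1$qX3sL9ab$PLACEHOLDERmd5digest00:18500:0:90:7:::
bob:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:19150:0:90:7:::
svc:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def parse_shadow_line(line):
    """Split one row into the nine named fields; the day-count fields become int or None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for name in FIELDS[2:8]:
        entry[name] = int(entry[name]) if entry[name] else None
    return entry


def split_digest(digest):
    """Break '$id$salt$hash' into its parts; None for empty, locked or unrecognised digests."""
    if not digest or digest[0] in "!*":
        return None  # no password at all, or a locked account: nothing to crack
    parts = digest.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 4 or parts[0] != "":
        return None  # legacy DES crypt or a format this parser does not know
    hash_id, rest = parts[1], parts[2:]
    rounds = None
    if hash_id.startswith("2"):
        # bcrypt (assumption from crypt(5)): $2y$cost$<22-char salt><31-char hash>, cost is log2 work
        rounds, blob = int(rest[0]), rest[1]
        salt, hashed = blob[:22], blob[22:]
    else:
        if rest[0].startswith("rounds="):  # optional explicit rounds field for sha256/sha512-crypt
            rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
        salt, hashed = rest[0], "$".join(rest[1:])
    return {"id": hash_id, "algorithm": HASH_IDS.get(hash_id[0], "unknown"),
            "rounds": rounds, "salt": salt, "hash": hashed}


def audit_entry(entry, today_days):
    """Findings a defender cares about for one row, as plain strings (empty list = clean)."""
    findings = []
    if entry["digest"] == "":
        findings.append("empty password field: login without a password")
    else:
        parsed = split_digest(entry["digest"])
        if parsed is not None:  # locked accounts ('!' / '*') have nothing to crack
            if parsed["id"][0] in WEAK_IDS:
                findings.append(f"weak digest ${parsed['id']}$ ({parsed['algorithm']})")
            if parsed["salt"] == "":
                findings.append("no salt: identical passwords share a digest")
    if entry["max_age"] is None or entry["max_age"] >= 99999:
        findings.append("password never expires")
    elif entry["last_change"] is not None and today_days - entry["last_change"] > entry["max_age"]:
        findings.append("password past max age")
    if entry["expiration"] is not None and entry["expiration"] < today_days:
        findings.append("account expired")
    return findings


if __name__ == "__main__":
    for row in SAMPLE_SHADOW.splitlines():
        e = parse_shadow_line(row)
        print(f"{e['login']:6} {split_digest(e['digest'])}")
        for f in audit_entry(e, today_days=19200):
            print(f"       -> {f}")
```

The audit uses only what the row itself states, so it is a cheap first pass before spending any time on cracking: an MD5 ($1$) row or an empty password field is a finding on its own, regardless of what the password is.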


SSL#

Quite a bit going on here. Basically we are simulating encrypted and plaintext traffic across the wire. Initially, there is PLC1 (encrypted) and PLC2 (unencrypted). Shockingly (/s), we can see the traffic for both, but only read the data for PLC2. We then go and generate the certs on the CA (where it starts to get interesting).

  1. First we generate the keys

  2. Next, ‘queue’ the certificate for signing

  3. Last, run the batch to sign the certs.

Now, this is worth diving into a bit more as, while I know most of the arguments/switches, it's worth playing around with in my own environment.


Routing-Basics#

This one covered the basics of routing, surprise. If you already understand the concepts, it's still helpful for practising the Linux commands:

route -n (list the defined routes)
sudo route add default gw [ip] (add a gateway)
DNS resolution is in the /etc/resolv.conf file

NAT rules on the gateway:

sudo iptables -L -v -t nat
(these are in the /etc/rc.local file)
MASQUERADE is the NAT rule (NAT rules are always initiated by the internal source)
DNAT changes the Destination IP (so updates an inbound packet)
SNAT changes the Source IP (so updates an outbound packet)
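To see why those three targets differ, and why a MASQUERADE'd flow has to be initiated from the inside, here is an added example (mine, not the lab's) in Python: a longest-prefix route lookup over a `route -n`-style table, and a toy gateway that MASQUERADEs (or SNATs, when a fixed address is given) outbound packets, keeps a connection-tracking entry for each flow so the reply can be un-NATed, and DNATs inbound packets to a published internal service. Everything not tracked or published is dropped, which is the behaviour the note about internally initiated NAT rules is describing. The addresses, rule shapes and port allocation are made up and the logic is a simplification of netfilter, not a model of it.

```python
"""Longest-prefix route lookup and a toy NAT gateway with connection tracking.
Added example illustrating the route/iptables notes; addresses are made up and
the gateway is a simplification of what netfilter does."""
import ipaddress

# Rows as 'route -n' would show them: destination, gateway (None = directly connected), interface
ROUTE_TABLE = [
    {"dest": "0.0.0.0/0", "gateway": "10.0.0.1", "iface": "eth0"},   # default gw
    {"dest": "10.0.0.0/24", "gateway": None, "iface": "eth0"},       # external side
    {"dest": "192.168.1.0/24", "gateway": None, "iface": "eth1"},    # internal side
]


def lookup_route(routes, dst):
    """Return the most specific route containing dst (longest prefix wins), or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["dest"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


class NatGateway:
    """MASQUERADE/SNAT for outbound flows, conntrack for their replies, DNAT for published services."""

    def __init__(self, internal_net, egress_ip, snat_to=None, dnat_rules=()):
        self.internal = ipaddress.ip_network(internal_net)
        self.egress_ip = egress_ip          # MASQUERADE uses whatever the egress interface has now
        self.snat_to = snat_to              # SNAT uses a fixed address written into the rule
        self.dnat_rules = list(dnat_rules)  # e.g. {"dport": 80, "to": "192.168.1.10", "to_port": 8080}
        self.conntrack = {}                 # (internal src, sport) -> public port
        self.next_port = 40000

    def public_ip(self):
        return self.snat_to or self.egress_ip

    def outbound(self, pkt):
        """POSTROUTING: rewrite the source of internally initiated traffic and remember the mapping."""
        if ipaddress.ip_address(pkt["src"]) not in self.internal:
            return dict(pkt), None
        key = (pkt["src"], pkt["sport"])
        if key not in self.conntrack:
            self.conntrack[key] = self.next_port
            self.next_port += 1
        action = "SNAT" if self.snat_to else "MASQUERADE"
        return {**pkt, "src": self.public_ip(), "sport": self.conntrack[key]}, action

    def inbound(self, pkt):
        """PREROUTING: replies to tracked flows are un-NATed, published ports DNATed, the rest dropped."""
        if pkt["dst"] != self.public_ip():
            return None, "not addressed to the gateway"
        for (src, sport), public_port in self.conntrack.items():
            if pkt["dport"] == public_port:
                return {**pkt, "dst": src, "dport": sport}, "conntrack"
        for rule in self.dnat_rules:
            if rule["dport"] == pkt["dport"]:
                return {**pkt, "dst": rule["to"], "dport": rule["to_port"]}, "DNAT"
        return None, "no conntrack entry and no DNAT rule"  # why NAT'd flows must start inside


if __name__ == "__main__":
    print("198.51.100.7 via", lookup_route(ROUTE_TABLE, "198.51.100.7"))
    gw = NatGateway("192.168.1.0/24", "10.0.0.2",
                    dnat_rules=[{"dport": 80, "to": "192.168.1.10", "to_port": 8080}])
    out, how = gw.outbound({"src": "192.168.1.5", "sport": 51000, "dst": "198.51.100.53", "dport": 53})
    print(how, out)
    print(gw.inbound({"src": "198.51.100.53", "sport": 53, "dst": "10.0.0.2", "dport": out["sport"]}))
    print(gw.inbound({"src": "203.0.113.9", "sport": 4444, "dst": "10.0.0.2", "dport": 22}))
```

Read `outbound` as the MASQUERADE line in `iptables -L -v -t nat` and `inbound` as the DNAT lines plus the implicit conntrack lookup; an unsolicited packet to port 22 on the gateway has neither and is dropped.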


TCPIP#

TCP attacks was an interesting one. It introduced Nping and its application for TCP SYN & RST attacks. More details in the Nping page.
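From the defender's side, the two Nping behaviours this lab covers leave recognisable traces in a packet capture: a burst of SYNs from one source that are never followed by the client's ACK, and bare RSTs arriving in volume. Here is an added example (mine, not part of the lab) that parses `tcpdump -nn` style lines and reports both patterns per source address. The log lines are constructed and the thresholds are illustrative; note the caveat at the end about spoofed sources.

```python
"""Flag SYN-flood and RST-storm patterns in 'tcpdump -nn' output. Added example:
the log lines are constructed and the thresholds are illustrative, not tuned."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")

# Constructed: one normal SSH handshake from .2, then a burst of SYNs and RSTs from .9
SAMPLE_LINES = """\
12:00:00.000100 IP 172.25.0.2.50000 > 172.25.0.5.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000200 IP 172.25.0.5.22 > 172.25.0.2.50000: Flags [S.], seq 100, ack 2, win 65160, length 0
12:00:00.000300 IP 172.25.0.2.50000 > 172.25.0.5.22: Flags [.], ack 101, win 502, length 0
12:00:01.000100 IP 172.25.0.9.40001 > 172.25.0.5.22: Flags [S], seq 1, win 1480, length 0
12:00:01.000101 IP 172.25.0.9.40002 > 172.25.0.5.22: Flags [S], seq 1, win 1480, length 0
12:00:01.000102 IP 172.25.0.9.40003 > 172.25.0.5.22: Flags [S], seq 1, win 1480, length 0
12:00:01.000103 IP 172.25.0.9.40004 > 172.25.0.5.22: Flags [S], seq 1, win 1480, length 0
12:00:01.000104 IP 172.25.0.9.40005 > 172.25.0.5.22: Flags [S], seq 1, win 1480, length 0
12:00:01.000105 IP 172.25.0.9.40006 > 172.25.0.5.22: Flags [S], seq 1, win 1480, length 0
12:00:01.000200 IP 172.25.0.5.22 > 172.25.0.9.40001: Flags [S.], seq 200, ack 2, win 65160, length 0
12:00:02.000100 IP 172.25.0.9.50000 > 172.25.0.5.22: Flags [R], seq 2, win 0, length 0
12:00:02.000101 IP 172.25.0.9.50000 > 172.25.0.5.22: Flags [R], seq 3, win 0, length 0
12:00:02.000102 IP 172.25.0.9.50000 > 172.25.0.5.22: Flags [R], seq 4, win 0, length 0
"""


def parse_tcpdump_line(line):
    """Pull endpoints and the flags string out of one tcpdump line (None if it is not a TCP line)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyse(lines, syn_threshold=5, rst_threshold=3):
    """Count half-open SYNs (SYN never followed by the client's ACK) and bare RSTs per source."""
    pending = {}       # 4-tuple -> src of a SYN whose handshake has not completed
    rsts = Counter()   # src -> RST count
    for line in lines:
        rec = parse_tcpdump_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["flags"] == "S":
            pending[key] = rec["src"]
        elif rec["flags"] == "." and key in pending:
            del pending[key]  # third step of the handshake from the same socket pair
        elif rec["flags"].startswith("R"):
            rsts[rec["src"]] += 1
    half_open = Counter(pending.values())
    findings = [f"{src}: {n} half-open SYNs (possible SYN flood)"
                for src, n in half_open.items() if n >= syn_threshold]
    findings += [f"{src}: {n} RSTs (possible reset injection)"
                 for src, n in rsts.items() if n >= rst_threshold]
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LINES.splitlines()):
        print(finding)
```

The per-source counting is only as good as the source address: a reset injected with a spoofed client address would be counted against the client, so on real traffic pair these counts with sequence-number sanity checks or with the host-side view (netstat's SYN_RECV backlog) rather than trusting the IP header alone.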