Changing VirtualBox to KVM/ConVirt

As I have mentioned earlier, VirtualBox and PHPVirtualBox didn’t work out for me and I have since moved on to KVM (QEMU) and ConVirt, which so far works out pretty well.

Uninstalling VirtualBox

First one needs to uninstall VirtualBox, as it is no longer needed:

$ sudo apt-get remove virtualbox-4.1
$ sudo apt-get autoremove

Installing KVM

KVM is very easy to install, even if you didn’t select the virtualization profile when you installed Ubuntu Server. The “magic” command to install KVM is:

$ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils

Installing ConVirt

First you need to enable the partner repositories on your Ubuntu installation. Edit /etc/apt/sources.list and uncomment the following lines:

deb http://archive.canonical.com/ubuntu lucid partner
deb-src http://archive.canonical.com/ubuntu lucid partner

Then run the following commands to install ConVirt version 2:

$ sudo apt-get update
$ sudo apt-get install convirt2 convirture-tools
$ sudo apt-get install ssh kvm socat dnsmasq uml-utilities lvm2 expect

Install required dependencies for convirt-tool:

$ sudo convirt-tool install_dependencies

For a virtual machine to connect to a network, a bridge must be set up. Depending on the version, installing the virtualization platform will have set up either virbr0, eth0 or br0. You can verify this using the brctl show command. If you do not have any bridge, convirt-tool can set up bridges for each network interface:

$ sudo convirt-tool setup

Once this is done you can start the ConVirt console:

$ sudo /etc/init.d/convirt2 start

The web interface can be reached at http://localhost:8081/ or the IP / hostname of your choice.

Setting up distributed file system for the virtual system images

ConVirt stores the virtual system images in /var/cache/convirt, and the images need to exist on all servers for system migration to work. See a separate blog post on why this is a very cool thing.

Anyway, I already have GlusterFS installed and created a new share very much like the /home share I already have, but this time I share /export/convirt and mount it on /var/cache/convirt. Once that is done all my 3 systems share the same data and can perform system migration, both live and offline.

Converting VirtualBox and VMware virtual machines to KVM/QEMU

If you haven’t noticed, VMware has become the de-facto standard when it comes to virtual machines (of all the virtual systems I have imported only ZeroWine seems to be shipping as a QEMU image). It can be useful to convert the .vmdk file to a .raw (or any other format that KVM/ConVirt supports). This I do using the qemu-img utility:

$ qemu-img convert virtualmachine.vmdk -O raw virtualmachine.raw

Then I create a new virtual machine using ConVirt and replace the created virtual hard disk with the converted one, something in the style of:

$ sudo cp $HOME/virtualmachine.raw /var/cache/convirt/vm_disks/virtualmachine.disk.xm

There is a conversion utility that is supposed to solve this, but I didn’t get it to work. Maybe another time…
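
As an added example (not code from the original post or from ConVirt), the conversion step above can be wrapped so that the source format is read from the file's leading bytes and passed to qemu-img explicitly with -f instead of being left to qemu-img's format probing, which matters when the image was built by someone else. The function names and the QEMU_IMG override are assumptions of this sketch; only sparse VMDK files are accepted, and descriptor-only VMDKs are reported separately because they name their extent files by path.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the on-disk format of image file $1, judged by its leading bytes.
detect_format() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4b444d56) echo vmdk ;;   # "KDMV": VMDK sparse extent
        514649fb) echo qcow ;;   # "QFI\xfb": QCOW family
        *)
            # A text descriptor VMDK names its extent files by path,
            # so it should be read by a human before it is converted.
            if head -c 21 "$1" | LC_ALL=C grep -q '^# Disk DescriptorFile'; then
                echo vmdk-descriptor
            else
                echo unknown
            fi ;;
    esac
}

# Convert $1 (must be a sparse VMDK) to the raw image $2.
# QEMU_IMG is a hypothetical override so the command can be dry-run.
convert_vmdk_to_raw() {
    src=$1
    dst=$2
    fmt=$(detect_format "$src")
    if [ "$fmt" != vmdk ]; then
        echo "refusing $src: detected '$fmt', expected vmdk" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    # -f pins the source format instead of letting qemu-img probe it.
    "${QEMU_IMG:-qemu-img}" convert -f vmdk -O raw "$src" "$dst"
}
```

Call it as convert_vmdk_to_raw virtualmachine.vmdk virtualmachine.raw; with QEMU_IMG=echo it prints the qemu-img arguments instead of converting.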

Welcome to the Hacklab

I promised a while ago that I would show you guys what my lab environment at home looks like, and here it is:

image

Sniper:

model name : Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz
cpu MHz        : 2000.000
cpu cores    : 4
MemTotal:       16467156 kB

Hunter:

model name : Dual-Core AMD Opteron(tm) Processor 1214
cpu MHz        : 1000.000
cpu cores    : 2
MemTotal:        4057096 kB

Scout:

model name : Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz
cpu MHz        : 1596.000
cpu cores    : 2
MemTotal:        2056892 kB

Sniper has 4 NICs (Network Interface Cards), 3 of them currently in use: one to the LAN and 2 to some wireless access points I had lying around. One of the access points uses WPA2 encryption while the other is unencrypted. Connecting to the unencrypted one is ill-advised as you are then targeted with SSLStrip, Metasploit, BeEF and other goodies. Don’t steal people’s internet without permission (the access point identifies itself as “Virus distribution network”). I plan to add a splash-screen when people try to surf for the first time. The other AP (Access Point) is to provide network connectivity to my wireless devices.

I have removed VirtualBox as the virtualization environment as it didn’t work out for me, and phpvirtualbox kept losing connectivity with the VirtualBox instances. I tried to run VMware Server 2.0.2 but it didn’t want to build on my Ubuntu servers - which is actually a good thing as I discovered KVM and ConVirt (see separate blog post on how to get them installed).

I will blog about each aspect of the Hacklab over the next few weeks, including creating (or converting) virtual machines for

  • target practice (on-purpose vulnerable systems for penetration testing)
  • malware collection
  • malware analysis
  • TOR network participant

among other things. Stay tuned!

What I learned from participating in “Crack me if you can” @ Defcon 19

I (tried to) participate in Defcon 19’s “Crack me if you can” contest with the “John Users” group, but I did not manage to contribute much to the team (more than CPU-cycles on my quad-core server). I have analyzed why I couldn’t contribute more and it came down to “time” and “internet access”.

Time: I went to Defcon to watch the presentations, not to crack hashes (although it is fun to crack hashes). I over-estimated how much time I could spend on cracking hashes while attending the talks.

Internet access: Free internet access was available at the conference area, if it wasn’t attacked by someone. Internet access at the hotel room was about $25/day, a bit more than I was willing to spend. Next year I’ll buy a MiFi from Best Buy and a month pre-paid subscription (@ USD$ 50) for my internet needs.

If I solve the internet access problem I can make more use of the time between the presentations, social activities and sleep at Defcon, which should add up to at least a few hours every day. As most of the time the computer chugs along cracking hashes anyway it should be enough to take a 30-60 minute look at it a few times a day.

I hope that Defcon 20 will also have a “Crack me if you can” contest.

Defcon 19 Conference Material

You can download the slide pack from http://dl.dropbox.com/u/10217290/Defcon19.zip. The DVDs with the material had run out of stock when I got my badge (did get a real titanium badge though).

Note to Defcon staff: please make sure that all pre-registered, pre-paid (via Black Hat USA conference) attendees get a complete conference stack. You don’t need to know who we are to get the number of sign-ups from the Black Hat crew.

Thanks!

Trojan t-shirts

According to the BBC, right-wing extremists who attended “Rock für Deutschland” were given free t-shirts with the following print (“Hardcore Rebels”):

image

However, when they were washed the hidden message was revealed:

image

The new message reads: "What happened to your shirt can happen to you. We can help you break with right-wing extremism".

The prank (I’d call it a cool hack) was done by the group Exit, which is trying to help people who have not been totally brain-washed to change their ways and turn their back on neo-Nazism for a more balanced world view.

Really cool hack, I wonder if it could be used for some sort of prank at next year’s Defcon?

XKCD on Password Strength

The final statement says it all: Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

I am going to print this and put it at the geek corner in the office. XKCD should make a t-shirt of this one…

Swag from Black Hat USA 2011 and Defcon 19

This post is triggered by @fyrtiosju’s tweet: @mboman maximizes his baggage allowance with all #DefCon swagger on our way back home to Sweden. See you at DC20! twitpic.com/633b27

Here are the t-shirts I managed to get my hands on:

PaulDotCom (Thanks for the t-shirt Paul!). The back says “Hack Naked”, which my colleagues found very cool and somewhat disturbing.

HBGary is taking a piss at APT. I like the attitude.

Splunk

Metasploit / Rapid7. Doesn’t look as cool as a Metasploit-inspired t-shirt should. Corporate marketing must have been involved a bit too much.

DefCon 19 has some pretty nice graffiti-inspired print on the back.

This one must be my favorite one; not because of the vendor (eEye), but because it has quite a kick-ass lolzsec-inspired message on the back:

Core Security Technologies has a cool cobra on the back. Really cool, just like last year’s t-shirt was.

Just thought I would share what swag I brought home with me.

DefCon 19: Notes from Saturday

On day two of DefCon 19 I attended “Battery Firmware Hacking” by Charlie Miller, which was a very good presentation and hack. Charlie discovered how to update the Apple MacBook battery to make it lie about when the battery was manufactured, charge status and how many charge cycles it has done etc. This can be used to make the battery seem to be within the warranty even if it isn’t. It can also be used to cause a catastrophic failure on the battery and potentially destroy the computer the battery is connected to. Dangerous stuff. I am predicting that easy-to-use tools that change values related to warranty period will soon be made available.

I then attended the “Hacking Google Chrome OS” talk on how Chrome extensions can be used as an attack vector, possibly with persistence. Scary stuff.

Hackajar went through the economics of password cracking in the GPU area. What you can take away from the talk is that if you don’t value your password (and what it’s protecting) at more than USD$2000 you can continue to use 8 character passwords; for everyone else make sure your password is longer than 8 characters.

Jason Ostrom talked about how to hack VOIP networks and released a tool for that. I’ll put that on my “to investigate” list.

Finally Nicole Ozer talked about how far from reality Hollywood is in their movies. Unfortunately it is not that far off, and governments in the western world (both US and EU) are making laws to make the technology legal.

There was a rumor that LulzSec had a party in the middle of nowhere. Acrylic badges were handed out to some people with instructions to dial a certain number after 11pm for the location, which was later mapped to an address quite a bit from the Rio hotel. Although we managed to get some badges we decided it was not worth going, and we were discouraged from going by some anonymous feds (anonymous in the way that they don’t want me to disclose their names).

Conference CD from Black Hat USA uploaded

I have uploaded the contents from the Black Hat USA 2011 CD to http://dl.dropbox.com/u/10217290/BH-US-2011.zip. If you missed the conference then at least you can get (some of) the presentation material now.

DefCon 19: Notes from the day

Today we (some of my colleagues and myself) changed hotel from Caesars Palace to Rio and DefCon 19. Started the day by listening to Mikko Hypponen (of F-Secure fame) about the history of malware (very educational and entertaining), followed by Moxie Marlinspike’s talk about trust in SSL and his new tool Convergence (which was released today). Moxie had some cool ideas on how to fix the CA authority problem with SSL, and I will install his tool when I get back home.

I also attended panel discussions on hacker spaces and vulnerability databases, both of them pretty good.

I am also participating in this year’s “Crack me if you can” competition on the “John Users” team. I will (hopefully have time to) do a write-up on it at a later date.

Black Hat USA 2011: Zero Day Malware Cleaning with the Sysinternals Tools

Mark Russinovich starts off by mentioning how popular Sysinternals tools are with the anti-malware crowd and that some malware detects if the Sysinternals tools are running on the system and tries to terminate them.

The workshop begins with walking through the features of Process Explorer followed by Process Monitor. I have been using the tools before, but there were a lot of things I hadn’t tried out before that turn out to be pretty useful.

Mark also had plenty of war stories on how Sysinternals tools have been used to locate and remove malware, including one on Stuxnet. Very entertaining and I learned a few new techniques I will apply from now on.

The PowerPoint slides were not included on the conference CD so I have not been able to upload them. I hope that they will be available soon.

Black Hat USA 2011: Final thoughts

Black Hat USA 2011 is over for this year. I went to many good presentations but didn’t have time to blog about each of them; however, the “Chip and Pin is Dead” was a particularly interesting one that I want to look closer into at a later date.

Black Hat has (again) inspired me to take a closer look at many different things, so I need to put them in some sort of list and get started.

Last night we went out to party: first we went to the Netwitness party at the Jet night club and then we moved to Qualys’ party at The Bank. Qualys’ party was the better one of them, but it didn’t match up to their party last year. Qualys: please bring back the live band for next year.

I will continue to blog from DefCon 19. Ta ta for now…

Black Hat USA 2011 - The Art of Exploiting Lesser Known Injection Flaws

This workshop was an interactive experience where we, the participants, got to hack some servers. The target machine for the first challenge was running LAMP (Linux, Apache, MySQL and PHP), which is not my everyday target environment and I didn’t realize why I couldn’t crack the first challenge in time.

The workshop was haunted by technical problems: the software used was Windows only, without any mention in the material that a Windows machine is required to participate in some of the labs. I also got the feeling that the presenters were poorly prepared, and combined with the technical problems I lost interest and left after the first break.

Black Hat USA 2011 - Easy and quick vulnerability hunting in Windows

Today I am attending the “Easy and quick vulnerability hunting in Windows” workshop taught by Cesar Cerrudo from IOActive Labs. I first met Cesar when I was presenting at EUSecWest ‘06 in London, and he is a guy who knows his stuff. I chose to attend this workshop instead of going to a bunch of different presentations as I reasoned that a half-day workshop is much harder to consume after the Black Hat event when the videos are made available online compared to 40-50 minute presentations.

Cesar walks through a bunch of examples (which are pre-recorded, a nice way to keep Murphy out of the workshop) explaining how one can use the Sysinternals tools, debuggers and hex-editors to locate vulnerabilities in Windows applications. As I do most of my vulnerability hunting on Web Applications it was nice to see some techniques I am yet to use on Windows applications.

It was a very rewarding workshop and I have much to play around with when I get back home. I have uploaded the presentation slides below.

Flying to Las Vegas

My trip to Black Hat 2011 and Defcon 19 started by waking up at 5am to take the 10:15am flight from Arlanda, Stockholm (Sweden) to Las Vegas via Chicago.

It took over an hour of queuing to get checked in, with only 2 open check-in desks. Good old SAS, I hope that I won't be flying with you again anytime soon.

After getting checked in and clearing the security control it was time to hit the bar for the traditional beer before flight.




The flight over the Atlantic went fine without incidents, as they usually do. Clearing immigration and a second TSA security check point went fine and after locating an electrical outlet the electronics got a well-needed recharge.

The almost 4 hour flight from Chicago to Las Vegas also went fine, but the lack of food included on the flight was disappointing - need to feedback my preferences to the travel agent.

After checking in at Caesars Palace we went out for a burger...



...followed by a margarita.


The sunset from Flamingo overlooking Caesars Palace was amazing.


A good end of a very long day. I hope to meet a lot of cool, nerdy and geeky guys and gals here at Blackhat and Defcon.



Do say "hi" if you see me ;-)