Sunday, March 7, 2010

SimWitty Internship: Week 8

This week's blog isn't going to be real verbose. My two main tasks the last two weeks have been to come up with an actual plan of attack and to document a standard for the installation of all components of the lab. I am going to have to go a bit past deadline on this one, as creating good documentation is a lot of work.

The good news is that I have figured out my connectivity problems and can now reliably connect from the internal network to the external network. This bodes well for the actual successful completion of the lab.

As far as the actual attacks go, I am keeping it pretty generic. I am going to use Metasploit to produce simulated client-side attacks. The internal network has two workstations. One of these will get a malicious document attached through simulated email and the other will get a malicious web link through simulated email. The goal of the attacks is to see what kind of pivot can be made into the internal network. The preferred method of attack will be through the use of meterpreter sessions due to the fact that they are the stealthiest and would be the sweetest to detect.

The documentation is the hard part. Even on a small simulated network with two servers and two workstations there is a ton to write. I have to cover installation of the server OS, the workstation OS, and the installation and configuration of Active Directory and other server roles such as DHCP, DNS, and RRAS. Once that is documented I have to install, configure, and document SQL Server 2008 and Snort.

One thing I will post up here on the blog, because it could be useful to others, concerns the Server 2008 OS and automatic activation. Microsoft offers the OS as a 60-day trial which can be legally "rearmed" three times before it has to be activated. This is a great feature, and wonderful for learning and testing. The problem with this is that the OS is set up to automatically go online and activate itself three days after the first logon. You can see this by looking at the system properties (Start, right-click Computer, choose Properties). This is very problematic in a lab environment, since you may well be wiping and reinstalling as you make mistakes and learn from them.

In searching for a solution, I saw many people who said that if you didn't enter a product key during install, then you wouldn't have the activation problem. The problem with this is that I was never presented with an opportunity to insert my product key during the OS install. Well, after lots of searching I found a solution on TechNet (http://technet.microsoft.com/en-us/library/cc770903%28WS.10%29.aspx). There is a registry setting that controls this behavior. The key is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\Activation. Look for the value Manual and change it from zero to one. You can see the effects immediately when you reopen system properties. The Windows activation section should now show 59 days left until activation. To rearm the counter, you can use c:\windows\system32\slmgr.vbs. If you read this file in Notepad, you will see the different switches that can be used.
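The registry change described above, scripted so it can be repeated on every lab rebuild. This is an added example, not code from the original post; it assumes PowerShell is installed on the server, an elevated prompt, and that Manual is stored as a DWORD. The function names are hypothetical.

```powershell
# Added example: disable automatic activation on a lab install of Server 2008.
# Key path and value name are taken from the post; the DWORD type is an assumption.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\Activation'
$name = 'Manual'

function Get-ManualActivation {
    # Returns the current value of Manual, or $null if the key or value is absent.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($prop) { return $prop.Manual }
    return $null
}

function Set-ManualActivation {
    # Refuse to create the key: if it is missing, this is not the OS the post describes.
    if (-not (Test-Path $key)) {
        throw "Registry key not found: $key"
    }

    $current = Get-ManualActivation
    if ($null -eq $current) {
        # Value missing: create it with the assumed DWORD type.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
    }
    elseif ($current -ne 1) {
        # Value present (0 by default, per the post): change it from zero to one.
        Set-ItemProperty -Path $key -Name $name -Value 1
    }

    # Read the value back so a silent failure (for example, a non-elevated prompt) is caught.
    if ((Get-ManualActivation) -ne 1) {
        throw "Manual is still not 1; run this from an elevated prompt."
    }
    Write-Output "Automatic activation disabled (Manual = 1)."
}

Set-ManualActivation

# Show the current license information, including the time left in the grace period.
cscript.exe //nologo "$env:windir\system32\slmgr.vbs" /dli

# To rearm the counter, run the line below by hand; it needs a reboot to take effect.
# cscript.exe //nologo "$env:windir\system32\slmgr.vbs" /rearm
```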
