Hits
- I learned a huge amount about the Metasploit Framework and its capabilities.
- I became more familiar with Windows PowerShell and its use in automating tasks.
- I was enlightened by having to think of all the various aspects of a system that would be changed by nefarious activity on the machine, and thus need to be monitored.
- I became somewhat familiar with Microsoft SQL Server; how to set it up and work with it.
- I learned quite a bit concerning virtual machines and networks; what type of communication is possible, how it can be monitored.
- I got to work on a project with professional people and feel like I made contributions to that project.
Misses
- I was overambitious on what I could do in a given time frame and the monitoring aspects of the lab suffered for it.
- I should have set up Snort to use output alert_full along with the database output. My SQL skills are limited (at this point) and I couldn't view the database entries in any way that made sense.
- Installing IIS on srv-snort was a waste of time since I didn't have time to investigate it.
- I used the database capabilities of Metasploit to organize and keep track of all the attack sessions but once again I don't know how to turn information in a database into usable information.
- I should have installed something like the Dradis framework to keep better track of what I was doing and what the results were.
- Every attack should have been correlated with information showing that it was either detected or not detected. I didn't set my lab up to properly do this.
- I should have started off by finding a 'pentesting checklist' and adapted it to my lab. Why reinvent the wheel?
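The correlation the Misses list describes, matching each attack attempt against what Snort actually alerted on, is small enough to script once alert_full output exists. The following is an added example written for this page, not code from the original post or from the Simwitty project. The Snort alert_full excerpt and the two attack records are constructed for the demonstration; the year passed to the parser is an assumption, because Snort's alert_full timestamps carry only month and day.

```python
import re
from datetime import datetime, timedelta

# Constructed Snort "output alert_full" excerpt (not real lab data),
# laid out the way alert_full writes records: header, classification,
# timestamp/flow line, then protocol details.
SNORT_ALERTS = """\
[**] [1:2000001:1] LAB EXPLOIT browser client-side payload [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
08/14-13:22:01.123456 10.0.0.5:8080 -> 10.0.0.20:1049
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF

[**] [1:2000002:1] LAB SHELLCODE reverse connection [**]
[Classification: A Network Trojan was detected] [Priority: 1]
08/14-13:22:05.500000 10.0.0.20:1050 -> 10.0.0.5:4444
TCP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:48 DF
"""

# Constructed attack log: one record per attempt, the kind of list you
# would keep by hand or pull from the Metasploit database. The year is
# an assumption for the example.
ATTACKS = [
    {"name": "browser_autopwn", "attacker": "10.0.0.5", "target": "10.0.0.20",
     "started": datetime(2010, 8, 14, 13, 21, 55)},
    {"name": "psexec", "attacker": "10.0.0.5", "target": "10.0.0.21",
     "started": datetime(2010, 8, 14, 13, 40, 0)},
]

ALERT_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
ALERT_FLOW = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d+) "
    r"([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?"
)


def parse_alert_full(text, year):
    """Parse alert_full records into dicts with sid, msg, time, src, dst.

    Snort omits the year from the timestamp, so the caller supplies it
    (assumption: a single alert file does not span a year boundary).
    """
    alerts, current = [], None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"sid": int(m.group(2)), "msg": m.group(4)}
            continue
        m = ALERT_FLOW.match(line)
        if m and current is not None:
            mo, d, h, mi, s, us, src, dst = m.groups()
            current["time"] = datetime(year, int(mo), int(d),
                                       int(h), int(mi), int(s), int(us))
            current["src"], current["dst"] = src, dst
            alerts.append(current)
            current = None
    return alerts


def correlate(attacks, alerts, window=timedelta(seconds=60)):
    """For each attack, collect alerts raised within `window` after it
    started that involve the attacker and the target, in either
    direction, so a reverse-shell callback from the victim still counts
    as detection of that attack."""
    results = []
    for atk in attacks:
        hosts = {atk["attacker"], atk["target"]}
        hits = [a for a in alerts
                if atk["started"] <= a["time"] <= atk["started"] + window
                and {a["src"], a["dst"]} == hosts]
        results.append({"attack": atk["name"], "target": atk["target"],
                        "detected": bool(hits),
                        "alerts": sorted({a["msg"] for a in hits})})
    return results


if __name__ == "__main__":
    report = correlate(ATTACKS, parse_alert_full(SNORT_ALERTS, year=2010))
    for r in report:
        status = "DETECTED" if r["detected"] else "NOT DETECTED"
        print(f"{r['attack']:18} -> {r['target']:12} {status}  {r['alerts']}")
```

The report is the table the lab was missing: one row per attack, with the Snort signatures that fired or an explicit NOT DETECTED. Two caveats matter in practice: the attack start times must come from a clock in step with the sensor's clock, and the 60-second window is a guess that should be widened for slow client-side attacks where the victim may not click for minutes.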
Final Thoughts
I think there are a lot of directions that an internship like this could take in the future. My lab was focused on client side attacks and pivoting, but I didn't really have time to investigate the pivoting aspect closely enough. That could be the target of a future internship. My attack was extremely noisy and obvious, perhaps someone could adapt it by concentrating more on stealth. An internship could possibly be done on creating a 'toolkit' for use once you have breached a host. I installed some programs but they were obvious and the installation was painful, can we use automation for toolkit installation? The lab network could be created with a "treasure" embedded somewhere within, and the intern's job is to go "treasure hunting". It would also be good to somehow tie in this lab setup with the actual Simwitty appliance, but this may be pushing resource usage on an intern's machine.
I think that my lab setup (and documentation of it) could possibly aid future interns by reducing the time for planning and install. They now have a blueprint to follow (and improve) so that they can spend more time actually doing work within the lab environment. Finally I want to say thank you to everyone involved with Simwitty. Time is precious and the fact that you all give up some of yours to make this project work is praiseworthy. I have had a great time working on this project and hopefully can continue to be a contributor once the job issue is taken care of.

The pleasure was all mine, Jeff. You wrote on your blog that you were overambitious on what you could do in a given time frame. I was initially a tad concerned with the amount of work that you bit off. There was a lot of breadth to the materials. The time you logged definitely represents that breadth. You doubled the required time (264.5 versus 150 hours). If it feels like you have worked two internships in one, that's because you have. The end results were excellent.
You have provided us with a solid foundation for future labs and internships. The fact is we can now truly do intrusion testing in a virtual environment. That problem had been holding us back for some time. From what you have written, you have built up quite the knowledge base on Metasploit and Windows. We have met the goals of advancing the community and of advancing your skills.
Hands down, it has been a successful internship. Congratulations!