Introduction

Welcome to the home page of the De-ICE PenTest and Tutorial LiveCD projects.

About the Disks

The PenTest LiveCD disks presented by De-ICE.net are fully-functioning servers that provide a safe and secure way to learn and practice Penetration Test skills. Intended to be used in a PenTest Lab, these LiveCDs use Slax as the Linux base Operating System.

History

The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.

Download Information

Level 1

Where to get the current PenTest Lab Level 1 disks:

Forum support: http://forums.hackerdemia.com/viewforum.php?f=26

The MD5 Hash Values of Each Disk:

'de-ice.net-1.100-1.1.iso'

   a3341316ca9860b3a0acb06bdc58bbc1

'de-ice.net-1.110-1.0.iso'

   a626d884148c63bfc9df36f2743d7242

* Note that these files are “.iso” images, meaning you will have to use a program like Nero (Windows) or cdrecord (Linux) to burn the image to a CD-R. If you are using these disks in VMware, you don't need to burn them to CD-R.

Level 2

Where to get the current PenTest Lab Level 2 disks:

Forum support: http://forums.hackerdemia.com/viewforum.php?f=26

The MD5 Hash Values of Each Disk:

'de-ice.net-2.100-1.0.iso'

   9eabdaa5a84179ae5accb81296c99e26
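
An added example (not part of the original page) for checking downloaded Level 1 and Level 2 images against the MD5 values listed above; the function names are hypothetical. A match shows the download is intact relative to this page's values, but MD5 is not collision-resistant, so it is weak evidence against deliberate tampering.

```shell
#!/bin/sh
# Published MD5 values copied from this page: file name, then hash.
DEICE_SUMS='de-ice.net-1.100-1.1.iso a3341316ca9860b3a0acb06bdc58bbc1
de-ice.net-1.110-1.0.iso a626d884148c63bfc9df36f2743d7242
de-ice.net-2.100-1.0.iso 9eabdaa5a84179ae5accb81296c99e26'

# check_md5 FILE EXPECTED: status 0 = match, 1 = mismatch, 2 = file missing
check_md5() {
    [ -f "$1" ] || return 2
    actual=$(md5sum "$1" | awk '{print $1}')
    # Accept upper-case hex in EXPECTED; md5sum prints lower-case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_isos DIR [SUMS]: print one status line per listed image.
# Returns 1 if any image present in DIR has the wrong hash. A missing image
# is only reported, since you may have downloaded a single level.
verify_isos() {
    dir=$1; sums=${2:-$DEICE_SUMS}; rc=0
    while read -r name hash; do
        [ -n "$name" ] || continue
        st=0
        check_md5 "$dir/$name" "$hash" || st=$?
        case $st in
            0) echo "OK        $name" ;;
            2) echo "MISSING   $name" ;;
            *) echo "MISMATCH  $name"; rc=1 ;;
        esac
    done <<EOF
$sums
EOF
    return $rc
}

# Check the directory given as the first argument (default: current directory).
verify_isos "${1:-.}" || echo "At least one image failed verification; download it again."
```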

BackTrack Disk

http://remote-exploit.org/backtrack_download.html - BackTrack Download

*(NOTE: versions “bt20061013.iso” and “BT2_Beta-Nov_19_2006.iso” were used to exploit the PenTest disks. Newer (when released) and older versions may work just as well.)

Scenarios

Level 1

192.168.1.100

The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities (using nessus). To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn't believe the company is insecure, he has contracted you to look at only one server - an old system that only has a web-based list of the company's contact information.

The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

192.168.1.110

The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an ftp server used by the network administrator team to create / reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built).

Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.

Level 2

192.168.2.100

The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency of previous (or current) staff.

Hints and Help

If you are stuck or need help with solving the CD's or with any of the network configuration, please see the support forums at http://forums.hackerdemia.com/viewforum.php?f=26. Please note that there are spoilers within the forums so please use them at your own discretion.

Tutorials

Basic Network Configuration

192.168.x.xxx

The LiveCDs are configured with an IP address of 192.168.x.xxx (x and xxx depend on the level of the disk); no additional configuration is necessary.

'Pentest Machine'

Your second system will use the BackTrack (v.2) LiveCD as provided by remote-exploit.org. A copy of the LiveCD can be downloaded from remote-exploit.org. This disk is configured to obtain an IP address through DHCP - thus no additional configuration is required. All tools necessary to exploit the disks can be found on the BackTrack Disk. No additional installations will be necessary.

'Router Configuration'

The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values:

   DHCP Server: active
   Pool Starting Addr.: 192.168.1.2
   
   LAN TCP/IP:
   IP Address: 192.168.1.1
   IP Subnet Mask: 255.255.255.0

* Note that the last octets of the 192.168.x.x range are dependent on the Level (1 or 2) of the disk!

VMware Configuration

These instructions are for running the De-ICE ISO's in VMware Workstation for Linux and VMware Player for Windows. VMware Player for Linux can also be used following the instructions for VMware for Windows.

*Using VMware allows you to set up a “virtual” network with an attack (BackTrack) machine and a host (the De-ICE LiveCD) machine all on the same computer.

'IMPORTANT NOTES!'

*If you have modified or removed any of the networking components in VMware, you will need to reinstall these prior to following these directions.

*In addition, to follow these instructions you need to have a working installation of VMware Workstation or VMware Player! If you cannot launch VMware then you need to resolve those issues prior to performing these instructions!

VMware Workstation Configuration for Linux

Step 1 – Configure the De-ICE virtual network on vmnet2

*This can actually be any open virtual network in your VMware installation. We selected vmnet2 since this network is not installed with a default install of VMware.

   Run '''vmware-config.pl''' (as root) which should be located in /usr/bin/

Accept all the defaults until you get to the following question:

Do you want networking for your virtual machines? (yes/no/help) [yes]

   '''Select “yes”'''

Would you prefer to modify your existing networking configuration using the wizard or the editor? (wizard/editor/help) [editor]

   '''Select “editor”'''
   ''':q to get out of text mode'''

Do you wish to make any changes to the current virtual networks settings (yes/no) [yes]

   '''Select “yes”'''

Which virtual network do you wish to configure? (0-99)

   '''Select “2”'''

What type of virtual network do you wish to set vmnet2? (bridged,hostonly,nat,none) [hostonly]

   '''Select “hostonly”'''

Do you want this program to probe for an unused private subnet? (yes/no/help) [no]

   '''Select “no”'''

What will be the IP address of your host on the private network?

   '''Type in: 192.168.1.1'''

What will be the netmask of your private network?

   '''Type in: 255.255.255.0'''
   ''':q to quit text mode'''

Do you wish to make additional changes to the current virtual networks settings? [no]

   '''Select “no”'''

VMware will then recompile itself and you should be ready to move on to the next section.

Step 2 – Configure DHCP for the vmnet2 network

Stop the VMware services. Depending on your Linux installation this will be as follows:

   Suse: service vmware stop
   Other Linux: /etc/init.d/vmware stop

Change directory to '/etc/vmware/vmnet2/dhcpd'

As root open up 'dhcpd.conf' located in '/etc/vmware/vmnet2/dhcpd' with your favorite text editor (vi, nano, etc…)

Change the subnet section in 'dhcpd.conf' to match the following (the range line is the one that changes):

   subnet 192.168.1.0 netmask 255.255.255.0 {
      range 192.168.1.2 192.168.1.254;
      option broadcast-address 192.168.1.255;
      option domain-name-servers 192.168.1.1;
      option domain-name "localdomain";
   }

'192.168.1.2' is the DHCP starting range required by the De-ICE network.

Start the VMware services. Depending on your Linux installation this will be as follows:

   Suse: service vmware start
   Other Linux: /etc/init.d/vmware start

*If you had vmnet2 (or any other virtual network that you selected) previously configured, make sure you remove any dhcp lease entries in the dhcpd.leases file!

Step 3 – Install the De-ICE Live CD ISO in VMware

Fire up VMware and create a new virtual machine.

   Select “'''Other Linux 2.6x Kernel'''” for the OS.
   Select “'''Host Only Networking'''”

Configure hard disk space per your requirements. We suggest just a '2GB size' for the LiveCD.

Finish through the wizard.

Click on the “'Edit virtual machine settings'” button on the VM you just created.

Select the CD-ROM drive. Click on the “'Use ISO image'” radio button and navigate and select the De-ICE Live CD ISO image (Figure 1). We suggest that you place the ISO images in the same folder as your Virtual Machine files that were created at the beginning of 'STEP 3'.

   [http://spylogic.net/images/figure1.png Figure 1 - Selecting the De-ICE Live CD ISO Image]

Select the “Ethernet1” settings and select “vmnet2” for your virtual network (Figure 2).

*If you selected another virtual network in STEP 1, select that network instead!

   [http://spylogic.net/images/figure2.png Figure 2 - Selecting the virtual network vmnet2]

Step 4 – Repeat STEP 3 for the BackTrack ISO!

Step 5 – Power on the Virtual Machines

First, power on the De-ICE Live CD. Make sure it loads to the command line.

*You will see a message about the CD getting a DHCP address. This isn't the case; it just looks like it. Fear not, and get ready to boot up your BackTrack Live CD.

Step 6 – Ready to Hack!

You can now begin to hack the 192.168.1.xx De-ICE Live CD from BackTrack.

VMware Configuration for Windows

Setting up the De-ICE LiveCD's and BackTrack with VMware Player is really easy. All you need is both ISO images in a directory with two separate VMX files. Simply double click on each VMX file to start the VM's. Follow the instructions below for complete details.

*There is a good video tutorial located here [http://usuarios.lycos.es/lokit0/setlab/] if you are running VMware Server (or similar) in Windows. Thanks to xmachin for putting the video together.

Step 1 - Things you need

First, download VMware player for Windows from the VMware web site. Run the installation, accept the defaults. Reboot.

Next, ensure you have downloaded at least the BackTrack 2 LiveCD ISO from remote-exploit.org. The following instructions will show you how to get BackTrack up and running in VMware Player.

*Simply repeat Step 2 for the De-ICE LiveCD that you want to attack.

Step 2 - Get your VMX files

The VMX file is what you need to launch your ISO's in a VM environment. I have a sample VMX file you can download which you can reconfigure for your system.

   [http://spylogic.net/downloads/backtrack2.vmx Sample VMX file]

By default this VMX file does not have a path set for the BackTrack ISO, that way you can just put the VMX file in the same directory [http://spylogic.net/downloads/00_explorer_dir.jpg] as your BackTrack ISO. You can change this if you like [http://spylogic.net/downloads/01a_edit_vmx.jpg]. Here is the line you need to change:

   #Edit line below to change ISO to boot from
   ide1:0.fileName = "bt2final.iso"

While you are in the configuration, you may want to adjust your memory allocation and screen resolution:

   # Memory
   #####
   # memsize = "128"
   # memsize = "256"
   memsize = "736"
   # memsize = "768"
   # Higher resolution lockout, adjust values to exceed 800x600
   svga.maxWidth = "800"
   svga.maxHeight = "600"

Step 3 - Boot the VM's

Make sure you have modified both VMX files (one for BackTrack2 and one for the De-ICE Live CD) and have saved them in the same directory as your ISO's. If you modified the path in the VMX then you are all set wherever you place the VMX's. You should now have both VM's booting [http://spylogic.net/downloads/02_vmplayer_init.jpg].

Step 4 - Configure Networking

First thing you need to check is that both your VM's are running in “host” or “nat” mode. Next, set your IP address on the BackTrack VM to something in the 192.168.1.x range. Really, it can be anything from 2-10 to make it simple. Just don't set it to .100 or .110 (those are obviously the De-ICE CD's). Log in as “root”, password “toor” and run the following command:

   ifconfig eth0 192.168.1.x

“x” is the last octet you want to assign your BackTrack 2 VM.

At this point you should be all set. Go ahead and start attacking the De-ICE LiveCD with your attack VM, BackTrack 2!
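
An added example, not part of the original page or of the sample VMX file: a check that each VMX file is in the “host” or “nat” mode that Step 4 asks for, skipping commented-out lines such as the `# memsize` alternatives shown in Step 2. `ethernet0.connectionType` is the VMX key for the network mode but does not appear on this page, and the function names are hypothetical.

```shell
#!/bin/sh
# vmx_get FILE KEY: print the value of an active KEY = "value" line.
# Exit status 1 if the key is absent; the last assignment wins.
vmx_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # "# memsize = ..." is inactive
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)    # trim the key
            gsub(/^[ \t]*"|"[ \t\r]*$/, "", v)  # drop quotes, spaces, trailing CR
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val; exit !found }
    ' "$1"
}

# lab_net_ok FILE...: status 0 only if every VMX uses hostonly or nat.
# Anything else (bridged, custom, or no setting at all) is flagged for review.
lab_net_ok() {
    rc=0
    for vmx in "$@"; do
        mode=$(vmx_get "$vmx" ethernet0.connectionType) || mode="(unset)"
        iso=$(vmx_get "$vmx" ide1:0.fileName) || iso="(unset)"
        case $mode in
            hostonly|nat) echo "OK     $vmx: network=$mode iso=$iso" ;;
            *) echo "REVIEW $vmx: network=$mode iso=$iso"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: VMX lines from this page plus an assumed NIC setting.
sample_vmx() {
    cat <<'EOF'
#Edit line below to change ISO to boot from
ide1:0.fileName = "bt2final.iso"
# memsize = "128"
memsize = "736"
ethernet0.connectionType = "nat"
EOF
}

demo=$(mktemp) && sample_vmx > "$demo" && lab_net_ok "$demo"
rm -f "$demo"
```

Run `lab_net_ok` on both VMX files before booting, so a vulnerable De-ICE image is not left attached to a bridged network.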

Credits

VMware documentation for Linux creation credits go out to [http://spylogic.net agent0x0].

VMware documentation for Windows creation and screen shot credits go out to [http://spylogic.net agent0x0] and [http://fronted.quzart.nl/ quzart].

Video Walk-Throughs (WARNING: SPOILERS)

* These videos contain major spoilers!! We advise you check these out after you complete the disks. However, if you have no other option check these out.

Disk 1 - 192.168.1.100

DISC 1.100 part 1

DISC 1.100 part 2

DISC 1.100 part 3

DISC 1.100 part 4

DISC 1.100 part 5

Transcript of Challenge

Disk 2 - 192.168.1.110

DISC 1.110 part 1 http://blip.tv/file/530133

DISC 1.110 part 2 http://blip.tv/file/530164

DISC 1.110 part 3 http://blip.tv/file/530455

DISC 1.110 part 4 http://blip.tv/file/530252

DISC 1.110 part 5 http://blip.tv/file/530929

Credits

Video creation credits go out to [http://pur3h4t3.blogspot.com/ pur3h4t3]. Transcripts provided by PrarieFire.