[Security] Security virtual machine computer
Micah Lee
micahflee at gmail.com
Fri Oct 30 06:49:35 UTC 2009
Hey security group,
So tonight I did a bunch of work setting up noisebridgesec, the computer
that will be hosting virtual machines that are vulnerable to all sorts of
attacks.
It's IP address is 127.30.1.73 on the noisebridge LAN, and it's got an ssh
and a vnc server. It's running Ubuntu 9.04 LTS, and it's all the way
patched. Talk to me or aestetix for the username and password if you want to
mess with setting up VMs.
I also installed a Windows XP SP0 VM, not patched at all, which will be
great for people to play with metasploit with (soo easy to pop a shell on
it).
I'm also planning on setting up a Windows XP SP2 box (unpatched), and maybe
a fully patched Windows Vista or Windows 7 box running vulnerable services.
And also a couple of different linux distros on there, at various patch
levels, as well as a fully patched linux distro running an apache web server
that we can use to test php exploits and vulnerable web apps, like
wordpress, drupal, joomla, and their plugins. We can even set up a website
there that links to things like last week's simple cross-site scripting html
example, as well as other easy things to help people learn web hacking.
And then, of course, we can set up capture the flag images that other people
have made.
If we set vmware to use bridged networking, then the VMs can be on the
127.30.2.0/24 subnet, so anyone on the local network can take a crack at
them without having to do any fancy port forwarding or anything.
Right now noisebridgesec has a 60gb hard drive, but I hear there's likely a
500gb one on the way (which would be great, because 60gb isn't much for lots
of VMs). I also think it doesn't have enough RAM to run too many VMs
simultaneously, so maybe we can slowly get more for it. But I hope that
we'll be able to run maybe 4 VMs at a time, and even make a sign that lists
their IP addresses and lets the general public try to hack away at them if
they want.
So that's an update on noisebridgesec. As for the security meeting, aestetix
talk about classic cryptography, but I don't have notes for it. Aestetix,
can you post your notes, and the reading list you had on the board?
Micah
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.noisebridge.net/pipermail/security/attachments/20091029/b4ec856f/attachment-0002.html>
More information about the Security
mailing list