Build a DMZ penetration test lab with a hand from a foreigner

Source: Internet
Author: User

 

Note:
Hello everyone. Next we will bring you two foreign articles about building a penetration testing environment; this is the first one. If anything in the translation is off, please bear with it. The following steps describe how to construct a DMZ network environment with the help of GNS3, Dynamips, QEMU/PEMU and VMware Workstation 9.
For a multi-purpose penetration testing lab, network simulators and virtual machines are a particularly good way to run drills: they let you combine almost any network device and operating system within the limits of the hardware and software you have.
Such an environment still has some restrictions. For example, Cisco switches and their IOS code (note: IOS here is Cisco's router operating system loaded into GNS3 as an image file, not Apple's operating system) cannot be simulated directly; however, a router fitted with a switch module that supports VLAN trunking can be simulated.
The main purpose of the lab is to test various attack scenarios, including port forwarding, DMZ architecture and firewall/IDS deployment, such as testing IPCop and Security Onion.
Once the lab is set up, I will be able to demonstrate some classic penetration testing scenarios, such as client-side attacks, attacks from the Internet, man-in-the-middle attacks and web server attacks.
As the saying goes: to do a good job, one must first sharpen one's tools. So first, the preparations.
0x00: Environment Construction
1. We need Ubuntu 12.04 LTS (long-term support version), fully updated. There are plenty of tutorials on the Internet.
2. Install VMware Workstation 9; this is not detailed here, there are also many tutorials on the Internet.
3. Install GNS3 and Dynamips by entering the following command in a terminal:

#sudo apt-get install gns3 dynamips
4. Install QEMU:
#cd /tmp
#wget -O QEMU-0.11.0-GNS3-Ubuntu-Linux.tgz http://sourceforge.net/projects/gns-3/files/Qemu/Linux/QEMU-0.11.0-GNS3-Ubuntu-Linux.tgz/download
#tar xvf QEMU-0.11.0-GNS3-Ubuntu-Linux.tgz
#cd QEMU-0.11.0-GNS3-Ubuntu-Linux/
#sudo ./Qinstall
5. PEMU is installed later, but you must download it first. This is the address:
http://sourceforge.net/projects/gns-3/files/Pemu/2008-03-03/pemu_2008-03-03_bin.tar.bz2/download
Decompress the package:
#bunzip2 pemu_2008-03-03_bin.tar.bz2
#tar xvf pemu_2008-03-03_bin.tar
#cd pemu_2008-03-03_bin
Copy all the files in the folder to /usr/share/gns3:
#sudo cp * /usr/share/gns3
This is not quite the end of the process. The QEMU and PEMU builds we have installed are 32-bit binaries and need the 32-bit compatibility libraries to run on an x64 system (assuming, of course, that you installed 64-bit Ubuntu):
#sudo apt-get install ia32-libs
Now the preparation work is almost done. After this you should be able to run PIX and ASA images in GNS3. If you need IOS/PIX image files, search Google; there are still plenty of them around.
 
0x01: Configuration preparation
In the previous part, we installed the software required for building the lab. Next we continue the building process from there and walk you through it.
Some may still wonder why we need to build such a thing at all, so imagine this scenario:
The penetration testing company you work for has received a white-box/grey-box engagement from a small company, meaning you already know all or part of the target's patch levels and hardware; or, alternatively, your company has received a black-box engagement and, after a round of information gathering, you have learned the target's server details. As the contracted party, you are obliged to minimize the unpredictable side effects that testing may have on the customer, such as crashed machines. This is where our penetration lab comes in handy.
For our target we chose a medium-sized software company, Noob.net. Its server setup is as follows:
· Dual firewall with port forwarding
· Website servers and service servers (such as Email and DNS) are located in DMZ
· The intranet is separated into different departments by VLAN, such as the Management Department, IT department, Software Development Department, and sales department.
· Use the OSPF routing protocol and introduce static routes on the router
We need at least two different IOS images and one PIX image. In our example, we use the following versions:
Firewall: PIX 803
Router_FW_Internal: c3725-advsecurityk9-mz.124-19b.image
RouterDMZ & Router_ISP: c2691-jk9s-mz.123-17.image

In addition, you need several virtual machines for ping/traceroute testing. Here we use Windows XP SP3 and Kali Linux.
0x02: Information Overview
Before starting, we need to allocate IP addresses, subnets and VLANs. The following table contains all the required information:
Note: due to VMware's network restrictions, I use only one internal network for the network interfaces that connect to the router and the firewall (PIX).

The following table lists the ports and connections of the internal router (Router_FW_Internal):

The following table shows the connection information of the firewall (PIX):

The following table shows the Router_ISP connection information:

The following table shows the connection information of the Router DMZ:

The following table lists the virtual networks used and their configurations:

0x03: Topology
Now that the information is complete, let's sort out the topology of our network:

Next we need to configure the routers to enable routing between the intranet and the DMZ.
Note: the commands in this tutorial are always entered from privileged EXEC (enable) mode.
0x04: Router_FW_Internal
Next, log on to the Router_FW_Internal console and start setting up the internal LAN. First, set the correct IP address on the network interface.
conf t
int fastEthernet1/1
description toMGMT
no shut
ip address 10.10.10.2 255.255.255.0
full-duplex
exit
Next, we set some basic security on the router. The first step is to set an enable secret and turn on password encryption.
conf t
enable secret Cisco1
service password-encryption
Next we allow SSH on the standard VTY lines (0-5) and disable telnet. First, however, we must give the router a domain name so that an RSA key pair can be generated.
ip domain-name noob.net
crypto key generate rsa
→ Choose a modulus of 1024 bits to support SSH v2
line vty 0 5
login local
transport input ssh
ip ssh version 2
motd-banner
exit
line con 0
login local
motd-banner
exit
Then create the user name and password:
username admin password administrator
Next, create a banner to warn potential intruders, and enable the message-of-the-day (MOTD) banner on the VTY lines.
banner motd # Trespassers will be prosecuted. #
line vty 0 5
motd-banner
exit
Next, configure the F1/0 interface, which connects to the switch of the software development department.
conf t
int fastEthernet1/0
description toSoftDev
no shut
ip address 10.10.200.2 255.255.255.0
full-duplex
exit
Next we configure the F2/0 interface. It is shared by the marketing and sales departments, but the two departments belong to different broadcast domains (VLANs 30 and 40). Here are the commands:
conf t
int fastEthernet2/0
description setup_if
ip address 10.10.20.2 255.255.255.0
no shut
exit
int fastEthernet2/0.30
no shut
description to_Sales
encapsulation dot1Q 30
ip address 10.10.30.2 255.255.255.0
no shut
exit
int fastEthernet2/0.40
description to_Marketing
encapsulation dot1Q 40
ip address 10.10.40.2 255.255.255.0
no shut
exit
The following commands configure the link from the internal router/firewall to the external firewall:
conf t
int fastEthernet0/0
no shut
ip address 10.0.0.1 255.255.255.252
description toFirewallExt
We also configure a static default route as a backup, giving it an administrative distance of 250:
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250
To prevent unauthorized access between departments, we now configure several extended ACLs. First, an access list for the MGMT interface (fa1/1, configured above). Applied inbound, it blocks traffic from the MGMT network to the other intranet networks while still permitting everything else:
conf t
access-list 100 remark fromMGMT
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 100 permit ip any any
int fastethernet 1/1
ip access-group 100 in
Next, repeat the above steps for the other interfaces, starting with fa1/0:
conf t
access-list 101 remark fromSoftDev
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 101 permit ip any any
int fastethernet 1/0
ip access-group 101 in
We also need an ACL for the sub-interface fa2/0.30:
conf t
access-list 102 remark fromSales
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 102 permit ip any any
int fastethernet 2/0.30
ip access-group 102 in
The last step is to configure the ACL of the sub-interface fa2/0.40.
conf t
access-list 103 remark fromMarketing
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 103 permit ip any any
int fastethernet 2/0.40
ip access-group 103 in
After configuring these ACLs, our intranet is reasonably well secured. The configuration made so far does not yet let us reach the Internet directly; that becomes possible with the further settings below.
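To check that the four ACLs really isolate the departments from each other while still letting them reach the DMZ and the Internet, here is a small model of how IOS evaluates them (first match wins, implicit deny at the end, wildcard-mask matching). This is an added illustration, not code from the original article; the ACL text is copied from the configuration above, while the helper names, the interface-to-ACL table and the sample hosts are my own.

```python
"""Added illustration, not code from the original article: a small model of the
four extended ACLs on Router_FW_Internal, evaluated with IOS first-match
semantics and wildcard-mask matching, to check the inter-VLAN isolation they
are meant to provide. The ACL text is copied from the article; the helper
names, the interface-to-ACL table and the sample hosts are my own."""
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC [log-input]' into
    (acl_id, action, src, src_wc, dst, dst_wc); remark lines return None.
    'any' expands to 0.0.0.0 255.255.255.255 exactly as IOS does."""
    tok = line.split()
    if tok[2] == "remark":
        return None
    rest = tok[4:]                                  # tokens after '... permit|deny ip'
    def take(t):
        return ("0.0.0.0", "255.255.255.255", t[1:]) if t[0] == "any" else (t[0], t[1], t[2:])
    src, src_wc, rest = take(rest)
    dst, dst_wc, rest = take(rest)
    return tok[1], tok[2], src, src_wc, dst, dst_wc

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

ACL_TEXT = """
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 100 permit ip any any
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 101 permit ip any any
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 102 permit ip any any
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 103 permit ip any any
"""

ACLS = {}
for _line in ACL_TEXT.strip().splitlines():
    _ace = parse_ace(_line)
    if _ace:
        ACLS.setdefault(_ace[0], []).append(_ace[1:])

# ACL bound inbound ('ip access-group N in') on the interface each department network sits behind.
INBOUND = {"10.10.10.0/24": "100", "10.10.200.0/24": "101",
           "10.10.30.0/24": "102", "10.10.40.0/24": "103"}

def router_decision(src, dst):
    """Decision for a packet entering the router from src: the ACL on the ingress interface applies."""
    for net, acl_id in INBOUND.items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return evaluate(ACLS[acl_id], src, dst)
    return "permit"        # interface without an inbound ACL

def vlans_isolated():
    """True if every department-to-department flow is denied while flows to the DMZ and Internet pass."""
    hosts = {n: str(ipaddress.ip_network(n)[10]) for n in INBOUND}   # constructed sample host per network
    for s, src in hosts.items():
        if any(router_decision(src, dst) != "deny" for d, dst in hosts.items() if d != s):
            return False
        if router_decision(src, "172.16.100.10") != "permit" or router_decision(src, "8.8.8.8") != "permit":
            return False
    return True
```

Two points the model makes concrete: an inbound ACL only sees packets entering on its own interface, which is why each department needs its own list, and the `log-input` keyword on the deny lines means every blocked cross-VLAN attempt produces a syslog message with the ingress interface and source MAC, a cheap detection signal for lateral-movement attempts inside the lab network.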
0x05: Firewall configuration (PIX)
Now, we need to make some basic configurations for the external firewall.
conf t
enable password Cisco1
int ethernet 0
description toInternal
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.252
no shut
int ethernet 1
description toDMZ_Router
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.252
no shut
int ethernet 4
description toISP_Router
nameif outside
security-level 0
ip address 192.168.0.5 255.255.255.252
no shut
Next, enable routing between the interfaces, again with an administrative distance of 250. Note that all internal destination addresses lie within 10.0.0.0/8, so a single summary route covers them:
route outside 0.0.0.0 0.0.0.0 192.168.0.6 250
route inside 10.0.0.0 255.0.0.0 10.0.0.1 250
route DMZ 172.16.100.0 255.255.255.0 192.168.0.2 250
To allow ping from the intranet to the DMZ (ICMP packets), apply the following access list on the DMZ interface:
access-list ICMP permit icmp any any
access-group ICMP in interface DMZ
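The PIX decides what may pass between interfaces by security level (higher to lower is allowed by default, lower to higher is not) until an access-group is bound to an interface, after which that ACL, with its implicit deny, governs all traffic entering there. The following added example, which is not code from the original article, models that rule together with the three static routes and the ICMP access list above; the interface names, levels, routes and ACL are taken from the text, while the helper names and the sample addresses are my own. It re-derives which of the expected flows work, and shows one side effect of the ICMP-only list on the DMZ interface.

```python
"""Added illustration, not code from the original article: a model of the PIX
inter-interface policy configured in this section. Without an access-list on
an interface, traffic may only leave towards a lower security level; once an
access-group is bound to an interface, that ACL (with its implicit deny)
decides all traffic entering there. Interface names, security levels, static
routes and the ICMP ACL come from the text; helper names and sample
addresses are my own."""
import ipaddress

SECURITY_LEVEL = {"inside": 100, "DMZ": 50, "outside": 0}

# 'route <ifname> <net> <mask> <gateway> 250' entries, expressed as prefixes.
STATIC_ROUTES = [("outside", "0.0.0.0/0"), ("inside", "10.0.0.0/8"), ("DMZ", "172.16.100.0/24")]

# 'access-group ICMP in interface DMZ' with 'access-list ICMP permit icmp any any'.
INBOUND_ACL = {"DMZ": [("permit", "icmp")]}

def egress_interface(dst):
    """Longest-prefix match over the static routes (all share the same distance, 250)."""
    best = None
    for ifname, prefix in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net)
    return best[0]

def allowed(ingress, dst, proto):
    """Can a new flow using proto enter on ingress and be forwarded towards dst?"""
    egress = egress_interface(dst)
    if egress == ingress:
        return False                   # traffic is not sent back out the interface it arrived on
    if ingress in INBOUND_ACL:         # a bound ACL replaces the security-level default
        for action, p in INBOUND_ACL[ingress]:
            if p in (proto, "ip"):
                return action == "permit"
        return False                   # implicit deny at the end of the ACL
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]

def ping_works(client_if, client_ip, target_if, target_ip):
    """Without ICMP inspection the PIX treats echo and echo-reply as separate
    flows, so both directions must be allowed; that is why the article adds
    the ICMP access list on the DMZ interface."""
    return allowed(client_if, target_ip, "icmp") and allowed(target_if, client_ip, "icmp")

def summary_checks():
    """Re-derive the expected flows (sample addresses are constructed) as a dict of booleans."""
    return {
        "intranet_to_internet": allowed("inside", "198.51.100.10", "tcp"),
        "intranet_to_dmz": allowed("inside", "172.16.100.10", "tcp"),
        "dmz_to_intranet": allowed("DMZ", "10.10.10.5", "tcp"),
        "internet_to_intranet": allowed("outside", "10.10.10.5", "tcp"),
        "intranet_ping_dmz": ping_works("inside", "10.10.10.5", "DMZ", "172.16.100.10"),
        "dmz_to_internet_tcp": allowed("DMZ", "198.51.100.10", "tcp"),
    }
```

The last entry is the caveat worth knowing when you build this: as soon as the ICMP-only list is bound to the DMZ interface, the DMZ can no longer open TCP connections towards the outside, even though its security level is higher than the outside interface's, because the list's implicit deny now applies to everything entering on DMZ. If the DMZ servers need outbound connectivity (DNS, mail delivery), add explicit permit entries for those protocols to the same list rather than removing it, so the intranet-to-DMZ ping still gets its replies.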
0x06: RouterDMZ
The next step is connecting the DMZ router to the PIX firewall. We set up static routing and a few small security features:
conf t
enable secret Cisco1
service password-encryption
username admin password administrator
ip domain-name noob.net
crypto key generate rsa modulus 1024
banner login # Access to permitted personnel only. #
banner motd # Trespassers will be prosecuted. #
line vty 0 5
transport input ssh
motd-banner
login local
line con 0
motd-banner
login local
int fastEthernet 0/0
description to_PIX_FW
ip address 192.168.0.2 255.255.255.252
no shut
int fastEthernet 0/1
description to_DMZ
ip address 172.16.100.2 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 192.168.0.1 250
0x07: Router_ISP
conf t
enable secret Cisco1
service password-encryption
username admin password administrator
ip domain-name noob.net
crypto key generate rsa modulus 1024
banner login # Access to permitted personnel only. #
banner motd # Trespassers will be prosecuted. #
line vty 0 5
transport input ssh
motd-banner
login local
line con 0
motd-banner
login local
interface fastEthernet 0/0
description to_PIX_FW
ip address 192.168.0.6 255.255.255.252
no shut
interface fastEthernet 0/1
description INTERNET
ip address 192.168.10.2 255.255.255.0
no shut
exit
ip route 10.0.0.0 255.0.0.0 192.168.0.5 250
ip route 172.16.100.0 255.255.255.0 192.168.0.5 250
Summary:
In this article, we have established a DMZ network with the following features:
· Traffic can flow from each VLAN to the Internet, but traffic between VLANs is blocked.
· VLANs can reach the DMZ, but connections in the reverse direction are blocked.
· The DMZ area can be connected to the Internet
· The Internet cannot connect to the internal network
Static routes are in place as a backup; the next article will upgrade the design with the OSPF protocol.
If you have any questions, please leave a message.
Part 1: [original article link]
Part 2: [original article link]
 
