Skip to Main Content

Setup for Detection & Traceback

To provide secure and reliable resources for the lab it was decided that the existing VMware infrastructure being used in the CS department would be leveraged. The lab environment partially exists of:
  • 1 HP AMD based blade server running the VMware ESXi Advanced 4.0 hypervisor with 4 ethernet NICs.
  • iSCSI based SAN
  • HP c3000 blade enclosure
  • Virtual Connect network switch in blade enclosure.
  • 6 virtual servers running the msploit virtual machine, each with one virtual NIC (the virtual exploitable servers)
  • 1 virtual server running Ubuntu-based linux, with latest security patches, configured with 2 virtual NICS (the primary virtual server)
The switch in the blade enclosure has at least one of its uplinks connected to the public network. Another port on the blade switch is configured as a VLAN which is non routable and inaccessible from the public network. A third port must be configured with the same VLAN that the iSCSI storage SAN is configured for.

The physical blade running the VMware ESXi Advanced 4.0 hypervisor is configured wherein one NIC is mapped to the switch port that is configured for the public network. Another NIC is mapped to the switch port that is configured for the private VLAN. A virtual ‘VMware network’ needs to be created for each of these 2 connections.

The primary virtual server is configured with two virtual NICS. One NIC is mapped to the public virtual network and is assigned with a publicly routable ip address. The 2nd NIC is mapped to the private virtual network and is assigned a private non-routable ip address. The linux OS on the primary server is configured to allow inbound SSH connections from the public network and has a routing table capable of allowing users to ssh to hosts on the private network it is connected to. Users must first connect to this host before they can ‘ssh’ to the private servers.

The virtual exploitable servers are each configured with 1 virtual NIC. Each NIC is mapped to the private virtual network and is assigned a unique ip address in that VLAN range.

Local linux accounts are created on the primary virtual server. The virtual machine for the exploitable machines comes preconfigured with an account of ‘msfadmin’ with the same password.

The virtual machines (primary and exploitable) are created using the VMware Virtual Center tools and their files are located on the Vmware filesystem located on the iSCSI SAN. An assumption is being made that the iSCSI san has been preconfigured and the VMware ESXi hypervisor has been configured to use the SAN for virtual machine storage. The iSCSI san should be on a separate VLAN than the virtual machines and should be connected to the network switch located in the blade enclosure. This requires that the network switch must also be configured with at least one port utilizing the network VLAN that the iSCSI SAN is configured for. Setting up the iSCSI SAN and VMware connectivity to it is out of the scope of this document.

It should be noted that the virtual machines could instead be located directly on the blade assuming it has its own storage.

- Material by Ken Kleiner