Just Breakable Enough

all right we're going to get ready with the next talk so we have uh we have oh sorry y'all we're getting ready for the next talk but uh Alex Curtis is going to be talking about insecure lab environments um and learning with them so please give him a warm [Applause] welcome thank you hope you all doing a having a great day today super excited to talk about insecure lab environments with you all hope you are all super excited to hear about them um so this is something that I just find very fascinating myself I love working on it I love doing it a lot and that's the idea of building vulnerable lab environments and a little background

here so I am a security consultant at Le and Security Group same as Josh who gave the uh awesome car hack talk earlier today and for the last four years or so I've been doing industry training uh before Leviathan I worked at Twitter so that was all internal developer training for them I've also done just some external stuff working for uh consultant companies going out and trying to do like software development life cycle talks uh and also I teach an intro security class here at CU it's the introduction to cyber security so there's a lot of talking a lot of teaching a lot of demoing a lot of that kind of stuff and one thing that helps

more than anything else in any kind of presentation environment is having some kind of vulnerable lab environment or some kind of demo and by vulnerable lab environment I mean something that is meant to be broken into a test space where people can play around with and break into whatever it is that they are learning about so some examples here um hack this site hack the Box are super common ones that you might have used yourself there's a bunch of capture the flags that people make these get integrated all the time in like uh conferences and just as learning tools normally and often times they show up in demos and talks and presentations that kind of thing this is by far the number

one best way of increasing the productivity of a talk and actually making it worthwhile there's a few reasons for this um first one is they're very informative for nearly every uh computer science discipline it's always more useful to actually have Hands-On ability to play around with and manipulate whatever it is you're learning about rather than just seeing it on a screen in front of you which is normally not nearly as helpful and this is especially difficult to get for security because there's all those pesky laws that prevent you from just like going out and trying to hack on random sites on the internet you can't just go off and explore cross-site scripting to your hearts content you have to do that

in very specific environments or else that's illegal um it's also Al much more realistic to do it that way if you have some actual environment where you can play with and see the results of whatever security thing you were doing in action normally that's kind of how we do it in real life we don't have some like check the box as to which of these is actually SQL injection and which one doesn't work that is not what any of us do in our day-to-day so it is just more realistic more educational and most importantly it's more fun no one likes to just sit there and be told here's how to do the cool hacker thing we all want

to do the cool hacker thing and be the cool hacker so it increases engagement people just absolutely love it um if you could work this into a presentation you absolutely should however this could be kind of difficult for a few reasons number one being you are trying to build an environment that is actively able to be exploited you're trying to build something which has a security flaw that people can learn how these security flaws work and this can be hard you kind of have this spectrum of how insecure something is so on one side you've got you can't actually interact with it like they don't have permissions or it's not really an interactive environment I

would say just a slideshow is on the you don't have permission to interact with it side but just because it's a slideshow it's not actually something you can interact with on the other side of the spectrum you have complete interactivity someone can break in hack through all the passwords get root dump the database whatever um just get full access to whatever environment it is that you are demoing that is really cool but comes with his own challenges so for the low level of permissions uh that's just really boring at that point if someone can't actually interact they can't get data they can't break and enter into whatever system it is you might as well just give a talk and talks

are boring and the irony of me saying that right now is not lost on me however if you can make it interactive and interesting and have people uh work on whatever it is you're doing then you hit this fun nice sweet spot where people can actually experiment and try new things out maybe try things that you aren't even explaining just see if it works just see if they can do it um they can try and fail which is a good learning exercise they can try and succeed which feels good there's just all kinds of things that people can do if they're given the ability to actually interact with it but then there is going a little too far and that's the Zone

where suddenly they actually do just get root to your demo and then they destroy your demo and everything goes bad I did not think this Zone existed at first the very first time I tried this uh we were talking about privilege escalation and I thought you know what it would be fun if I just set up a little site where people could go and escalate privilege in exactly the ways that were discussing in lecture this was for one of those CU classes and so as I'm talking about it maybe people can like try it out themselves escalate and by the end they could actually get root on this little machine it was just a virtual machine in

the cloud so no harm if they get root there's no actual damage they could cause I guess like they could like take down the lab or something they could like change the password but there's not really any reason to do that because this isn't your typical adversary victim relationship here we're all on the same side we're all just here trying to learn that was very naive and I should have known so immediately what happened is after someone escalated to getting root they deleted the Etsy folder just deleted SL Etsy for the reason of and I quote they wanted to see what would happen and that seems like a failure but actually that proves that this is

actually very successful they were experimenting they were trying something new they were like what happens if I delete the very important system files and all the user passwords and they found out it was actually a really good learning exercise for them it's a good learning exercise for me and it was even a good learning exercise for the rest of the class who had no idea what just happened other than suddenly they can't log into the demo site anymore and so we actually had a bunch of people come up afterwards and start asking like what just happened why did that go down halfway through and that became just a good way to talk about oh here's some

interesting system files here's where you store the passwords on Linux we weren't going to talk about that but that is something very important and now everyone got to know about it so there is an actually good uh exploration Zone there where people can try new things and just have a lot of fun if they're given the right guard rails to not accidentally destroy everything and if they feel comfortable not accidentally destroying everything then they will experiment and have fun that kind of thing now this is the main objective is to hit that little good experimentation Zone there but we have two side objectives as well that I'm going to throw in here so our bonus side quests

um we are not made of time or money while it would be more realistic to spin up an entire production environment with like a cicd pipeline and web service and databases uh this is for like probably an hourong talk we don't have the months or years to actually spin that up but we might be able to cheat it we'll get to that in a second um so we do want to make sure that the stuff we're building here is quick and easy to build and deploy such that we can actually work it into a presentation without breaking our Cloud budget without breaking our time budget for actually preparing for things it should just be equivalent to a fancy

slideshow you just it's something you have to put together but you can do it real fast um I also would like these things to work for multiple people this is more of a personal goal but nearly every talk I give is to more than one person and especially in a classroom environment uh you normally have up to like 200 people collaborating in Tandem and they all need to be able to the same thing so having like um some way for everyone to interact and just have it be a good group activity I find that very important um so some of these tips are going to be specifically how to get that group work going so how do we allow

interactivity into this kind of uh into this kind of environment and I'm going to start off with an example has anyone seen this uh this site it is the Google xss game a few people this is fairly common I know I was shown it as a young stud um this is Google's way of trying to teach people about cross-site scripting they say oh here's some cool things about like cross-site scripting are bugs that are bad and we'll pay you if you find them and we're Google and we just are cool enough to make this a publicly available training thing your mission should you choose to accept it is to inject a JavaScript alert so that is

that is their Training Method is see if you can inject malicious JavaScript into this example web page I'm guessing at least one person here could figure out how could we inject a malicious JavaScript payload that alerts into this any guesses you could just Shout It Out script script alert yep Ito doop nope hit enter too fast SC script alert and then if you actually close it um yes so yay we popped up an alert by injecting Javas script if you don't know what just happened just Google xss it's actually not too uh too crazy and they have a few levels of these so you can then try it again and yes hello I know um so the next one is like you've got a

little chat forum and can you do it here and whatever so this is my example because not only have I seen it most people have probably seen it um if you've studied web security but it's also a very good uh middleof the road example of what the these demos generally look like I would say this is very par for the course um let me know if you agree or disagree but I feel like anytime that I see an interactive demo that is meant to be breakable it's pretty equivalent to this in just general feel General Vibe so my question for you is if it's pretty similar to that uh let me bring up the slides again

um was that vulnerable enough was that like a good learning exercise was there anything that could be done better yeah just showed it out I think it's good that real did what the attacker would do but I think it's not it could be more compelling if the students felt like it was a real life yeah so it's it's good it does show how to do an xss attack um I know we just freeze through it if you don't know how to do an xss attack just go to the site uh but it it does tell you the technical details and lets you experiment there um but it does Miss a lot of key context and like you were

saying it doesn't really feel like a real website specifically here are just some things I would prefer it had um there's no actual impact here there's no data to steal there is no harm that could be caused you're popping up a JavaScript alert and that is their stated goal so the whole intro paragraph they give you about how these are terrible bugs and they happen to Google all the time well I just made a JavaScript alert on my own computer and that really was not that bad um so that also means that the severity of whether or not this is even bad is really unclear there's no harm that could be caused so a big part of our job as

security Engineers to figure out is this actually worth fixing if someone said that that was the only thing that could happen someone could pop up an alert on their own computer I don't care that is not worth my time so it does muddle the idea that they're trying to convey here which is that this is a serious security issue there's also a few other these are mostly nitpicks but there's no Recon they just say like here is the box type it in here um Norm that's the biggest part is figuring out like which box do you type it into um I know that's a major understatement but and then also it's not a good group exercise if you

have like a bunch of people doing this they're all just doing it themselves they're not like each one just has it up on their own computer like yay I made a popup on my own computer maybe they turn the computer around to show you if they're proud so it's just not as realistic and enjoyable as I feel it could be so how can we make that more interesting um the number one way I found just really quickly add an easy uh easy boost to a lab exercise just throw everyone in the same environment so here's my take on this um and this this is actually public if you want uh the site is hackisd demo.com but uh similar

kind of thing just like mini Reddit site uh whatever you can create a post and this is also xss um exible whatever you put in the content here will do xss um and that makes it really easy because this actually shared environment if anyone goes there you will see these things um these various posts you can make your own post make your own post right now and I will click on it and see what happens um that's a threat by the way like go for it and then um the nice thing about this is if you have a bunch of people all in a room together like this or like any kind of presentation demo this works great in class because

like everyone's they're zonked out they just they're on their laptops but this is an opportunity to like screw with their classmates so suddenly everyone's paying a lot of attention um um suddenly this becomes a shared environment where not only are we trying to just figure out like what is this whole xss thing but these questions of how can we extend this what could we do with xss so there's the like simple here someone put this alert script into the body yay um but then people will also do nice um people also do fun stuff like this where you'll click it and suddenly you get rickrolled which is always great I love it when that happens um but people will start to

experiment and they'll see like what can we do could we steal each other's cookies could we like impersonate other users um could we actually do more things it asks that question of what is the severity of this issue and it does it in a fun way where people can actually interact with each other so for basically zero upfront cost we can actually make this a much more interesting engaging demo that is pretty much exactly the same thing that we just saw with the Do-it yourself only you're not doing it yourself on your own computer you're messing with other people and this only kind of works it's the web and the web is like super sandbox it's not like you can cause

actual harm to other people here um the one caveat is just tell anyone using your demo never to plug in an actual password that they use because I've had that happen just don't do it um but the this even works for things like um nice uh very rude um but this even works for things like Linux environments where if you just put everyone in a big shared Linux environment suddenly you'll have people using the wall command to just start sending messages to each other and leaving little files I keep going on to Linux environments that I've set up for these Labs these demos and you'll just find a text file in the root directory like John was here and you just find

like a bunch of people have signed it it's like John was here signed below if you've also found this and that's awesome people actually start interacting with each other and having fun with it and TR trying to see like o how can I just screw with the friend I've got sitting next to me um to the point we're even here I I don't know who you are but you lovely people are just going out of your way to comment on some random thing I set up in five minutes so thank you um so yeah easy way to build um build interactivity and allow for that kind of actual exploitation of other people allow for that kind of

faked harm where you could potentially you know not in this demo but in a more interesting one you could take over someone's user account you could show what level of harm this vulnerability could actually cause and that's very valuable now this does or this does raise the question of like you don't want to go set up like a fancy multi-user service every time you want to do a presentation that takes time that violates our rule if we are trying to do things quickly and easily um so this was actually a test here of what is the quickest site that I could make in five minutes using chat GPT um chat GPT is not good at writing big production

code but it is really good at writing small easy uh Snippets that you can throw up as a live demo and so that literally was um in five minutes what is the most I can get that includes testing um it included everything except for deployment was exactly what you just saw and it worked um even if chat GPT includes some like extra security vulnerabilities you didn't notice oh no too bad your vulnerable lab environment is more interesting um and I've done this a few times here's like a chat app I wanted like a realtime chat app I've tried writing those myself with like socket.io it sucks I don't understand it it scares me chat GPT just made it work

immediately first try so um if you do just want to throw something up real fast just go to chat gbt and ask it for whatever you're looking for a couple tips that I found that make this uh easier and generally get better results first um do not ask it for a bunch of features all in one prompt chat GPT is dumb it has no memory it will only do like the first thing you ask it but it is good if you like if you make the website I just put up and you're like oh I actually want user accounts um have it generate the base site and then say now can you add user accounts now can you add an sqlite

database now can you add this and if you keep asking it for iterative prompts it does better than if you give it all the features all in one big thing uh another tip if you mention a CSS Library uh bootstrap is a popular one I prefer Bulma it's just like a fun CSS only library then it'll just make everything look nice too so I didn't do any CSS either it just looked like that if you don't specify that it'll just be raw HTML and everything will look like garbage so quick easy way to get uh get some interaction make things more interesting if you don't want to pit all of your users in a cage match against

each other you can sandbox it a bit better um one thing that I found has worked kind of well this is specifically just for the web but I feel like it saved my ass enough that it's worth mentioning is um selenium is like a web driver uh thing it's used for testing web apps so you can um it'll like open a browser and you can say hey click on this button now click on this and it's used for front end designers to make sure that their website still works uh we can use this if you want to add like fake user interaction that is still real enough to have like cookies and uh run JavaScript and stuff so you can do xss

attacks um it's pretty fast here's the lines of code that I use in um in a demo I've got uh where basically I just uh you can see it spins up a web driver that runs Firefox and then I can tell it to get a particular URL and the only thing that happens in between there is I tell it to set a particular header authentication header so that it does that as a particular user and what I've done with this is um I don't want you anymore I want you um this was the final exam for that computer science course and one of the things was there was cross-site scripting that was part of the class and

I wanted that to be part of the final too but I couldn't just pit everyone against each other in the final so instead uh there was like this little cash app type site um where you could send money to each other and it included a support link and the support staff member was my friend Johnny link clicker who would go and if you sent him any link then he would click on it and what's happening here in the background is um can probably get these to be separate there's actually a um Johnny clicker is running one of these web browsers oh ah don't mind me I'm just losing the entire control of my computer um so this is that uh this is going on

in the background it's just that selenium bit of code that I showed you before this is an actual web browser it doesn't have anything loaded right now but if we tell um in this case any text message to this chatbot that included a link um they would click it so if I said go to google.com um um you can see in the browser it actually opens google.com and so the idea here is it there was a whole cross site scripting component to it so you could get the support staff to actually click links using cross site scripting and they would actually load up in a browser and do that whole thing um so fun way of doing that if you

don't want to have everyone be in the same um in the same environment however I would not say that this checks the box for super easy and fast to deploy this actually took a little effort but if you do want that high interaction demo where like Bots will also click links and stuff for you might be worth doing um another tip though if you want like complete sandboxing everyone is on their own individual but still like you don't want to spin up like 40 different websites if everyone's going to be on their own one you want to deal with like sandboxing stuff uh the cheapest stupidest hack I found which is also super easy to do um just change the

database for every user and you can do that with SQL so SQL light is not like most databases that have an actual server and SQL light database is just a single file on your computer and fun fact you can in most Frameworks just tell it to switch that file dynamically every single request so I had one of these Labs where just there was a whole database full of files each file was a different database and that way anytime a user went to the site it would load up their particular database meaning everyone was separated and so each user got their own version of the site even though it was only running like one web server one

site one box uh everyone seemed to have their own instance of it and it had full like there was a full database there you could even do database injection and a bunch of these actual attacks um and the one line that made it work was just when I got an engine or when I tried to like make a database connection I just added the username string directly in to the uh the database thing which is not normally something you should ever do but it works it is not very fast it is definitely not prod prodction quality but if you just got this worked for like 200 students so it works at kind of scale um don't build your actual product

off of this but you can definitely make a demo off of this um this has actually been super helpful would recommend but let's say we want to go a little deeper we want to actually let people do that whole breaking into the website getting rud access and doing all that cool stuff um the tool that I have found works better for that than nearly anything else is docker so a quick recap for folks who have not used Docker a bunch Docker is basically a virtual machine and I'm sure someone in the world would shoot me if they heard me say that because it actually is completely different in almost every way but it acts like a virtual machine so in

a virtual machine you are actually running a second computer inside your computer um so that's on the left there you've got your host operating system and inside it you've got an entirely separate operating system that's then is running your virtual machine processes in Docker and in any container sandbox like Docker although I've only ever worked with Docker for this uh you are not running a second computer you're just running the one and what it's doing is you're running the process just like any other process on your computer except the docker um the docker sandbox tells that process that it is the only thing on the computer so it simulates the file system it simulates the network

stack it simulates the process list anything which a process could use to tell like what else is going on on the computer um the operating system just keeps two copies of that and will send one copy to one process and another copy to another process so at the end of the day we're not running a second computer but all of our processes think that they are running on their own separate computers and we can extend this you don't have to have one process per container um you can split it out by the way I've used the word namespace here because that is the official Linux term for this they are Linux namespaces so each process in a namespace can only see

the other processes in a namespace they can only see the other files in that namespace all of that so we can split up our computer to basically act as multiple different computers uh you've got your kind of host processes which are the main like that's the computer you think you're using uh and all the processes that you're using as an actual person on that computer and then you've also got a bunch of these dockerized processes which all exist in their own Nam spaces and think that they are the only things running they think that they are the hosts of their own computers but they are not now if you ask anyone who actually deals with Docker and builds in

a production environment about this they will say what on Earth are you doing please stop because you are not supposed to normally do this um you you can't just treat Docker like a virtual machine it's not meant for that but it does a pretty good job so we can just make it do that anyway um and the reason that we would break Docker in this weird way to like make it act as if it's a virtual machine by having a bunch of processes running in it is because it's really really really fast and it has almost no resource overhead you are not running a second operating system inside your operating system and that comes with a

ton of savings in every metric that matters when it comes to building these uh quickly and easily um so yeah because it's just running another process on your computer the cost of running a web server in a virtual machine is running an entire separate computer the cost of running a web server in a container is just the cost of running the web server and you can run like a few hundred web servers before your laptop crashes these days computers are fast um so yeah super fast super uh easy to set up and no resource overhead the only downside is it does kind of limit you to Linux technically you can run containers on any operating system

Windows has a whole container environment um it doesn't it doesn't really work and by that I mean there's not the tooling is all there for Linux all the containers are there for Linux the Windows environment while I would love to have like an active directory thing set up with Windows containers and just build a whole Windows environment um those containers just are not there the support in active directory is not there so you are kind of limited to Linux on this however that means we can build really big expansive Linux environments with just Docker containers so remember at the beginning when I said there's no way you could just like set up an entire production environment just

for a demo but we can set up an entire production environment just for a demo this was a midterm for a class where they had to go into a a I say production environment this would be like you're a small startup who is also from 2005 and has not actually gotten on the cloud yet but um they were running like a VPN some web servers a database uh they were running a couple user laptops and Just for kicks I added some CCTV cameras which because you can just run Linux they were just some web servers serving a static like camera feed but it still looked like a camera feed it still acted like a camera

feed um and you can just set all this up and spin it up now I've got the um I've got all the code for it here and if we were trying to spin up this was what is that uh nine virtual machines if we're trying to spin up nine virtual machines that would be um that would take forever now if we try and spin this up in Docker it is still nine containers so it might take a couple minutes so so never mind it's St there we go so now we just have nine virtual machines running effectively um that's all those the like database the VPN all of that and we just have our own little

private environment um so yeah the the upsides oh uh skipped ahead on the slides without updating there we go um so it is crazy fast I did time it it is less than three seconds to just bring all of those up uh and it's super easy to configure and I'll get more into the configuration in a second here but there's um you can kind of see just a snippet of the that makes this possible if you've never dealt with Docker compose it you just say like I want a VPN server running on this port I want a web server running on this port and suddenly you have a production environment and it's stunningly it can be as easy as

that this also gives you some fun options to distribute this um so normally if you've got a demo like this uh traditionally what you'll do is kind of exposed some of these containers to the Internet so you'll have like your web server and that's exposed to the Internet so that people who want to participate can access your url or whatever just like the uh the demo from before however you can also give these out because this runs on a laptop this runs on a laptop and it's super resource efficient in fact we can probably see um Docker stats um oh that formatting is not helping here but there we go I'm actually running a bunch of additional containers here just

because it doesn't matter I can run as many containers as I want and you can kind of see the memory usage of some of these so this was all the network pent test was that environment here and these are all running in the low megabytes of memory usage again each one is effectively its own virtual machine so super low resource super easy so you can basically hand this out and pretty much anyone with a laptop can run this no problem um so I've seen people try and hand these out to just say like you want a production environment here's the code just run one command you saw a second ago I just ran one command to them all

up and suddenly people can access everything locally uh and the one that I really like doing for this and that's the one I did for the midterm is I mentioned this lab environment contained a VPN server just like a normal production environment might well guess what that's a working VPN server so you can just say hey anyone who wants to access this environment can VPN in and it's effectively like putting yourself into their production Network um and that is really cool because suddenly you can do a bunch of network testing and a bunch of actual um internal scanning stuff and actually sshing onto these devices and everything without exposing them to the internet and so pretty much the way this

would go is I could just say hey I want to SS or I want to VPN into my little Docker environment all of those containers are um you can tell do just set aside your own private Network for them so now effectively I've just joined a little private network with my little private production environment and so here we can do um bunch of fun stuff like I've just got the uh um the IP range this is just the IP range for my little Docker environment and we can act as if we just broke into their uh their production time or their production environment and start and mapping around doing exactly what you would in a a typical scenario here and

see like oh here's the web server here's you know the running tet we can abuse that um you can see there's like some web servers the database server and all that um and then on the website of things you can uh let's see um by being on the VPN we have access to like the employee portal and all that which you would normally expect in a production network but it's behind the VPN so this it's not Expos the internet but now that we're in the VPN we can maybe look around here to see if there's credentials or stuff so all of these cool things which normally you could not simulate uh being able to get into an

environment like this suddenly that all becomes possible just by vpnn into this little Docker Network and of course this is all superficial this could be running on the cloud in this case I'm just running the whole thing on my local laptop um but yeah we did this as like a midterm and just had uh had it running on a cloud host had 200 people like all logging into it and screwing around trying to break things and it worked just great um I know there's some concerns about like Docker escapes it is less sandboxed than a um than a virtual machine but honestly unless you're doing anything really crazy with volumes there's 's not that much that like the

default settings are fine as long as you don't actively break it it's hard to escape from a container if you're not either hella good at what you were doing or the person setting up the container was hella bad and seeing as we're all security folks here we know what we're doing um but that's G to go on my Tombstone but uh if you just put on a cloud instance where if they break out nothing matters I've never had that happen where someone has been able to get out of a uh out of a Docker environment for folks who haven't uh set this up this uh that midterm thing I just showed you that was the first time

I've ever used Docker it's actually really easy to pick up and set up uh in a fairly easy way but we'll just walk through the steps to do it real fast here um it makes it really easy to start with a container because normally people just publish a bunch of what are called base images where they've just installed whatever program they want into a container sometimes they install multiple programs so if you just want a database there's just a database container out there which database it doesn't matter any of them work there's a container for all of them you want a web server you want a thing running python you just want like Ubuntu you can

just download that as a container and chances are someone has already made it um the added side benefit here is sometimes the people making these containers are not security folks and have no idea what they're doing and we'll make something like this so this was actually a tool I was using for a separate demo it was not uh it was just we were talking about PHP injection and this is a PHP container it's the first one that comes up when you look up X Stacks I have only ever used PHP in an xamp context which just stands for like you're running MySQL and PHP at the same time I don't really know why this jumped

into my head but I'm glad it did because when I looked it up um the person who made this container also included an SSH server for some reason there's actually no reason to include an SSH server in Docker it's not a virtual machine you're not supposed to do that the only reason is if you want to build a intentionally insecure lab environment you want to have SSH so so this made it even easier to do that they also mentioned here at the bottom that uh both the MySQL and PHP my admin use the default password so it was just great this turned into its own security demo just on its own accidentally so um finding these even if

they're like not very good not secure I know the um the last presenter was very good about mentioning you should make sure you have secure base images well if you're building an insecure environment that doesn't really matter that much um I am assuming that you are actually sandboxing these secure environments not like don't run your demo environments that are meant to be broken out of into or in your own like production environment at work but you already knew that um so yeah just having stuff like this where it's even easier to break into or break out of this environment just makes it more fun uh the next step with any Docker container is to customize it with a

Docker file if you've never used a Docker file it's a shell script it's just a fancy shell script you say like I want to have these tools and it'll give you those tools um and you can like set up users and stuff this way so if I want to have a computer which has like certain users who have bad passwords this is how I would do it I just say hey here's my users here are all their passwords here are the tools that they have installed you can add files to the system and just make it feel like an actual environment people work in um and just run shell commands to do that so it's pretty easy to set up a an

individual machine so you can use this to really easily just spin up single device that has all the requirements you need for um for whatever demo you're doing like if you're building a website you could just really easily install like a server to give it the command to run your website or if you want to in this case like Brute Force passwords or escalate privilege or something on a Linux machine it's really easy to say okay we'll add these users here will be their passwords change some file permissions so that suddenly everyone can access the shadow file and that kind of thing finally if you you want to network a bunch of them together there's a great

tool for that called Docker compose and this was the one I was mentioning where you just say um basically what you want to run and which ports they should be on and you can even specify things like what IP addresses they should have which of them are networked together so you can say that like these three computers are networked together these three computers are networked separately in their own network and then there's like a router combining them you can do that and actually build really crazy complicated Network environments if you really want to uh for Fairly it literally looks like this where you're just specifying kind of the runtime configurations of IP address and network

uh information so it's really easy to actually set up a ton of environments this way or not a ton of environments but an environment with a ton of different options and different uh tools and devices and endpoints and users and all the fun things that you want but normally would take too long to build finally a couple additional benefits uh to using Docker for this kind of thing um if someone does manage to break something you just restart a container it takes about 3 seconds um so because this is in a virtual machine environment because everything's so fast so easy resetting things or making changes is super quick um super time efficient super cost efficient so uh and

the whole idea of Docker is that like you can't um you set everything up in configuration files but then like it's you write it once it runs the same every time so it's really easy to build something where you can just restart it without worrying about everything breaking there were definitely some times when I would worry something was wrong so I just restarted the entire environment just in case because it just works um there's also a fun thing you can do where um you can mount you can mount files from your host operating system into containers and you can do this in a readon fashion so if you do have some files that you absolutely do

not want to change like you don't want users to be able to set their own passwords or you don't want certain key files like if you're building a capture the flag and you have a flag file but you don't want users you want them to read that file but not be able to edit it but you still want them to like gain privileges where they could edit it or whatever just in case you can um Mount every oh this is actually um the command there does not imply the thing that it shows because that's a typo on the slide but you can mount things as readon and this is borked because it does not include the read only flag on that mount

but it would be putting a colon R for read only at the very end of that bit about Etsy shadow that's embarrassing um but yeah you could uh you could Mount things as read only so that suddenly certain files including important system files like Etsy Shadow or just files that you want on the device because they're part of whatever demo or lab you're doing do not get modified you can just Mount them as read only and then not even root can modify them so yeah fun fun little things you can do there only because Docker has reduced or is like more uh more entrenched with your host operating system than a full virtual machine so

yeah I feel like this is a super good tool I plan on using it in the future anytime I have any demo where people can get down to the um the operating system level or if I just want to demo something at the operating system level in a sandboxed way however as far as I can tell no one really does this the only other person or group that I have found online who has built out any amount of training material using Docker rather than VMS is the Naval Postgraduate School they have a whole um whole process called lab tainers which is their version of this where they just have a container environment or I guess

like a lab environment done with Docker containers so if you do want to see some examples of people doing this who are not me they actually have like I want to say 50 or so different lab environments of varying levels of complexity some of them are like DNS resolution where you've got a few like just a couple systems and then a DNS host some of them are full-on production environments and all of is done using uh lab or using containers rather than virtual machines so I think it is Battle tested like these people seem to be doing great with it I'm doing great with it and as far as I can tell no one else has ever tried

that and I don't know what it means um but at least there are a couple success stories here and I think everyone else is just stuck on Virtual machines as the distribution method of choice which is bad CU those suck I do not enjoy spending like half my day setting up a lab environment with a so that's all I got in conclusion I am against any kind of security improvements because that makes the world Less Fun any

questions got it just going to wait so the people on the internet can hear you you could just like throw it for a highrisk high reward speed delivery mechanism a lot quicker so um slightly diverging from your uh talk about the benefits of Docker um I've done similar things using vagrant images with the advantage there is the vagrant repositories are very crufty and so it's often easy to find that cve for a particular version of a file and you can find a whole vagrant image that already has that vulnerable version set up and running so just a tip for those who might be looking to quickly and easily set up a vulnerable environment themselves sounds good that's actually

that's awesome and i' I'd love to ask you um I've looked at vagrant and my main reasons are if I did want to run a virtual machine that was not Linux um I couldn't really do that in Docker but I wanted to run like a Windows host you could do that with vagrant easier because it does allow you to kind of mix containers and virtual machines and what stopped me was just time and effort I'm on those time budgets Docker was the thing that like I could pick up and run super easily vagrant just took a little longer to the point where I'm like it doesn't matter enough for me to spend extra time in it would you say that

vagrant is if someone did want to like devote a day to trying to pick it up and build something like this is that reasonable is that easy enough to pick up and do so um the way I like to run vagrant is I keep the operating system set up fairly minimal so I have the the vagrant file that defines a particular image that you're going to start from I generally unless I've picked up an app that's deliberately vulnerable right but I generally start with one of the base operating systems and then I have a shell script that goes ahead and does the rest of the install and so that's a bootstrap file right um so

those can get fairly complicated uh just because I like to do all of that myself um but the infrastructure of vant I I would say a day probably is sufficient the the big catch is deciding how you're going to run your networking setup uh host only versus exposed PS and and of course vagrant is calling a virtual machine manager something like virtual box is generally what I use and so there's some interactions there that you have to figure out but um I can also share with you I've built an active directory environment in vagrant which it's up on GitHub you could look at I'd love to see that I'll hit you up

after am I a bad person if um um I view this entire talk and I substitute Honeypot for class lab this would be a great place for honeypots too cuz yeah it can be hard to tell if you are in a container unless you know what you're looking for and I know um the cowy Honeypot uh if you look it up has just a default back end where they will stick you in a Docker container and just pretend like you logged in over SSH and see what you do so yeah good point I should definitely have added that to the list of things to do with

this also on the point of you know Docker versus VM for the sake of this and um educational purposes I think very specific or looser stuff with Docker is obvious and should be done more but I think system D being one of the biggest ones and in it you know and how it's shared across like that is to my knowledge a big reason why a lot of like hack to box and try hack me they keep them on VMS to be true to that part of the system I know that is not necessarily true for all cases but I think that is what I'm aware of at least for the why they keep them on VMS to be more

true to the the actual init process and system D management stuff right yeah that is a good point and there there have definitely been times when I've noticed little edge cases where the container is different than a virtual machine one of them was um like trying to send messages to other terminals um there was just like some weird container trick where it didn't work properly have to like add certain system files back in or make modifications and that gets annoying um for like most I would say like application Level developments like anything you know production Network cicd any of that um I never noticed not changes between container and virtual machine but I'm sure yeah

once you start diving into anything kernel related or anything like that then yeah it's virtual machines all the way yeah anyway I I like the content yeah thanks for pointing that

out okay I have one question but by any chance uh the the uh kind of Docker configuration or any custom images you made are are any of those available by uh they are I would not call them production ready because I did them the weekend before they needed to be done so they were in a bit of a rush but yeah it everything here is on GitHub I would just not say it's in a Perfect Production ready State maybe give me another month cool cool thank you um but if anyone is interested in those hit me up there were also some various like little hitches I ran into along the way which I have skipped here

because of more technical details for time reasons but if anyone is actually planning on setting one of these up especially for an interactive thing like a class uh let me know because could just help find any of those in advance one thing that I did find interesting but unexpected I did not have time to really go fine-tune all the permissions and make sure that users couldn't really screw with each other and for this um this production environment uh there were 200 people in this class so even though it's nine machines and that like runs great on a laptop running 1,800 machines it does actually strain my limits a little and literally all of this like the entire

class was run off a single uh medium Cloud instance so it was not given that much space um so people could definitely like modify files that they shouldn't have been able to and leave messages to each other in files and funny enough 200 people there were zero issues of people breaking like core system files I kind of assumed I would have to patch some of that on the fly the worst people did was just leave little text messages in weird places like Wyatt was here and then you just go and be like hi I'm Wyatt I found this just leave your name if you did too so oddly enough if most of the time if

people uh are given like enough content they won't actively try to destroy anything until they run out of content and get bored and then they'll try deleting Etsy so yeah well thank you very much let's give Alex another round of applause [Applause] cool

cool