Building a Threat Hunting Lab (Part 3): www.badguy.com
Malicious Website
Remember how in the last section I mentioned adding DNS logs for a connection to www[.]badguy[.]com? Well, I needed a VM to host that web server.
Creating Badguy[.]com
Oh how I love the fact that Linux is free. If Linux wasn't free I definitely wouldn't be building this training lab. I wouldn't have the money for it.
For this website I'm again using an Ubuntu 17.10 headless server, hosted on a 1-core, 512 MB VM with the IP address 10.0.2.4. Interestingly, Ubuntu 17.10 Server doesn't come with Apache2 preinstalled. Simple enough to fix:
sudo apt update && sudo apt install -y apache2
Once apache2 was installed I had to check that it actually worked.
sudo service apache2 start
When it finished starting (a few seconds), I switched to my Windows 7 VM (installed, but not yet configured), browsed to http://10.0.2.4 and was greeted by the Apache test page, "It works!".
My next step was to replace that default page with something about www[.]badguy[.]com. On Ubuntu the page Apache serves by default is /var/www/html/index.html, so that is the file to edit. Don't confuse it with /etc/apache2/apache2.conf: that is the server configuration, and erasing its contents would leave Apache unable to start.
sudo nano /var/www/html/index.html
I'm not a website designer by any means, nor do I have the time to make this site pretty, so I simply erased all the text and added some text about a modified hosts file. This was really more of a hint to future students and analysts, since I don't expect them to try to use Google while connected to a network that has no internet. I'll cover this in the Windows configuration post, but I modified the hosts file on the Windows 7 machine to send all connections to google to 10.0.2.4.
This was a simple and easy setup. While doing it I forgot to use sudo when editing the file, so it wouldn't save; I saved a copy to a directory I could write to and then used sudo mv to move it into the right location.
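Here is the whole setup above as one script. This is an added example and not from the original post; it assumes the default Ubuntu web root /var/www/html, the lab IP 10.0.2.4, and that the page text is just whatever you want students to read (the HTML here is made up for the example). The last function checks the site under the badguy hostname without touching any hosts file, using curl's --resolve to pin the name to the lab IP for that one request, which is a handy way to verify the server before you configure the Windows 7 VM.

```shell
#!/bin/sh
# Added example (not the original post's code): build the www.badguy.com
# landing page for the lab web server and verify it is being served.
# Assumptions: web root /var/www/html, server IP 10.0.2.4 (from the post),
# page wording below is constructed for this example.

BADGUY_HOST="www.badguy.com"
BADGUY_IP="10.0.2.4"

# Write the landing page into the given directory. Taking the directory as
# an argument lets you stage the page without sudo and copy it into place
# afterwards, and lets the function be checked against a scratch directory.
write_badguy_page() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/index.html" <<EOF
<!DOCTYPE html>
<html>
<head><title>${BADGUY_HOST}</title></head>
<body>
<h1>You have reached ${BADGUY_HOST}</h1>
<p>You landed here because the Windows 7 hosts file points google.com
at ${BADGUY_IP}. This lab network has no internet access.</p>
</body>
</html>
EOF
}

# Sanity check: the page you wrote mentions the lab hostname. This catches
# editing the wrong file (for example the Apache config instead of index.html).
page_mentions_host() {
    grep -q "$BADGUY_HOST" "$1/index.html"
}

# Verify Apache serves the page under the badguy name. --resolve maps the
# hostname to the lab IP for this request only, so no hosts/DNS change needed.
check_badguy_site() {
    curl -s --resolve "${BADGUY_HOST}:80:${BADGUY_IP}" "http://${BADGUY_HOST}/" \
        | grep -q "$BADGUY_HOST"
}

# Run the full install only when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "install" ]; then
    sudo apt update && sudo apt install -y apache2
    sudo systemctl enable --now apache2
    staging=$(mktemp -d)
    write_badguy_page "$staging"
    page_mentions_host "$staging" || { echo "page missing hostname" >&2; exit 1; }
    sudo cp "$staging/index.html" /var/www/html/index.html
    check_badguy_site && echo "badguy site is up on ${BADGUY_IP}"
fi
```

Run it as `sh badguy.sh install` on the Ubuntu VM. Staging the page in a temp directory and copying it with sudo avoids the "forgot sudo, couldn't save" problem entirely.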
Be sure to check out part 4 where I configure the Windows 7 VM.