SEC504 CTF Networking Troubleshooting

I teach SANS SEC504 occasionally and have noted that over the last few years, students are having increasing numbers of issues getting set up for the CTF.  If you’re having trouble getting connected, my first piece of advice is “calm down and don’t blame the instructor for connection issues.” This class is run a LOT. Other people in the room have exactly the same VMs as you. If you’re having trouble, odds are near 100% that the problem is on your end.

I theorize that the increase in issues we’re seeing is largely due to issues with USB network dongles that most students must use on their laptops (since nobody seems to manufacture a laptop with Ethernet anymore).  Most have never used these USB networking dongles before, so my next piece of advice is to test your USB adapter before you attend. Sometimes an adapter looks like it works when you plug it in, but we find out it turns on and off every few minutes.  Actually use your wired Ethernet before attending to ensure success.  If you can’t, buy a few adapters from Amazon from different vendors so you at least have a backup if one doesn’t work on your machine.

 

On your Windows VM, make sure you are configuring the correct adapter

The Windows VM has multiple adapters, including two that are loopback only. Don’t configure the loopback adapters. The illustration below shows which adapter to configure.

 

Disable your wireless – no really, disable it

VMware Workstation gets wonky sometimes when it has multiple adapters to bridge to. Maximize the chances that VMware gets it right by just disabling the Wi-Fi adapter on your laptop. Note I said to disable it, not to leave it unconnected. For troubleshooting purposes the two are VERY different.

 

Set up an IP for your host

You were given a student number. Use it to troubleshoot from the host. The Linux and Windows VMs that you should be bridging from can’t work if the host can’t. This makes the host a great place to start. Configure the IP address 10.10.80.X (where X is your student number), subnet mask of 255.255.0.0, and try to ping the DNS server. If this doesn’t work, then there are only a few possibilities:

  1. The networking switch (or the cable linking it to the rest of the network) is broken. Are others at your table on the same switch able to ping? If so, this isn’t it.
  2. Your networking cable is broken – try a known good from a teammate before involving an instructor.
  3. Your network adapter isn’t working – maybe you need a driver, but in any case this is something you’ll have to troubleshoot.
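
The host-side check above as a PowerShell script for a Windows host, run from an elevated prompt. This is an added example, not part of the course material. The DNS server address is not given on this page, so it is a parameter you fill in from class, and the 1-254 student-number range is an assumption.

```powershell
# Added example: set the host to 10.10.80.X/16 on the wired adapter and ping the DNS server.
param(
    # Assumption: student numbers fit in a usable last octet (1-254).
    [Parameter(Mandatory)][ValidateRange(1,254)][int]$StudentNumber,
    # Placeholder: supply the DNS server address you were given in class.
    [Parameter(Mandatory)][string]$DnsServer
)

# Disable (not just disconnect) every wireless adapter so VMware has one bridge candidate.
Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -match '802\.11' -and $_.Status -ne 'Disabled' } |
    Disable-NetAdapter -Confirm:$false

# Keep only wired adapters that currently have link. VMware's virtual adapters are not
# physical, so -Physical filters them out. A dead cable or dongle shows as Disconnected.
$wired = @(Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' })
if ($wired.Count -ne 1) {
    Get-NetAdapter -Physical |
        Format-Table Name, InterfaceDescription, Status, LinkSpeed | Out-String | Write-Host
    throw "Expected exactly one wired adapter with link, found $($wired.Count). Check cable, switch and adapter."
}
$nic = $wired[0]

# Replace any existing IPv4 configuration with 10.10.80.X, prefix length 16 (255.255.0.0).
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress "10.10.80.$StudentNumber" -PrefixLength 16 |
    Out-Null

# Give the new address a moment to leave the Tentative state before testing.
Start-Sleep -Seconds 3

if (Test-Connection -ComputerName $DnsServer -Count 4 -Quiet) {
    "Host reaches $DnsServer from 10.10.80.$StudentNumber on '$($nic.Name)'. Move on to the VMs."
} else {
    "No reply from $DnsServer on '$($nic.Name)'. Work through the switch, cable and adapter checks."
}
```

Run it a second time a few minutes later: an adapter that turns on and off will fail the link check on one of the runs.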

 

Your host can ping, but your VM can’t

This one is a little more difficult since it is probably VMware, but it could be a few other things. In any case, the problem is with your hardware/software. A good troubleshooting step here is to open the Windows VM, then open the VMware settings and select NAT mode.

Next, configure networking on your Windows VM to obtain an IP address automatically. Make sure you are configuring the correct adapter. If the adapter has the word “loopback” in the name, that’s the wrong adapter. Pick the adapter named “Ethernet0” to be successful.

Then set it to obtain an IP address automatically. This will clear any settings you saved previously for the adapter, but that’s okay for this. We actually want to get an IP address from the VMware DHCP server running on your host.

Now open a command prompt in your Windows VM and try to ping the DNS server. If this works but bridge mode did not, then you have a problem with the VMware installation talking to your bridged adapter. There are dozens of things to try here, including uninstalling and reinstalling VMware. But you have network connectivity now so you really don’t need to do anything else. You can do EVERYTHING we do in the course with NAT except for getting a callback from Meterpreter and shoveling a shell. As long as you call in vs. calling back, everything should work fine.

 

Now put Linux on NAT

If you are good on NAT with Windows, repeat the same for Linux. Change the VM settings to NAT mode (instead of bridged). Then open a terminal window, become root (sudo -s), and type “dhclient eth0” to force the adapter to obtain a DHCP address.

 

What if NAT didn’t work?

If the host works and NAT doesn’t, then it’s still probably a VMware issue. The easiest solution is to uninstall and reinstall VMware Workstation. I’ve seen problems with people who have both VMware Workstation Pro and Workstation Player installed on the same machine. If you have both, get rid of one and try that. In one case, the problem was solved by removing both Workstation Pro and Workstation Player, rebooting the machine, and then installing VMware Workstation Pro again.

If you’ve tried everything and nothing will work, don’t fret. You can still participate using just your web browser. When I demo the solution to the challenge, I use only tools that you already have installed on your machine (you know, living off the land and all). Pop open a command prompt and a web browser. If you can’t get wired networking to work at all, then help your team by cracking passwords they are obtaining from compromised systems or Google for answers to your teammates’ questions about how to proceed next. Or help them find the next steps in your course material.  In years of teaching the course, I can tell you that winning teams spend as much time off keyboard looking for help on that “next step” as they do on keyboard pentesting. You can be a force multiplier for your team even without a computer.