BASKETS: Ep. I: Hardware Components

In this post, I’m going to list the hardware that comprises the BASKETS, with some notes on why I chose it and roughly how much it cost.

However, before I get into that, it’s worth putting up a quick diagram to explain what I’m trying to achieve. This may evolve as I learn more, or people tell me problems with this, but this is where I’m starting from.#

I haven’t mentioned this yet, but the computational hardware for the BASKETS will be Raspberry PI 2 Model Bs. When I started the project, the RP2 was the latest. If I was starting now, the Raspberry Pi 3 is now the one to get.

If I was starting today, I don’t think I’d use Raspberry Pi Nano Ws. While a lovely little machine – smaller and cheaper with built in Wifi – they’re single core and have half the RAM of the RP2/3. Since I’ll be running databases and servers, I need the power of a full size Pi.

 

I will have a Primary Pi fitted with a 802.11 Wireless USB dongle that will enable me to SSH into it from my home network. It will also be wired to a network switch, through which it will connect to (up to) 4 other Secondary Pis.

The intention is that the Primary Pi will act as the gateway – to allow me to connect to the BASKETS – and will act as domain controller / DNS + DHCP server, monitor, etc as required.

The Secondary Pis will either host security tools (one will be running Kali Linux) or target applications (one will be running OWASP Juice Shop or similar).

Let’s go through my bill of materials;

Computer – Raspberry Pis x5, from £32

You clearly don’t need as many as all this. For reasons I don’t recall, I decided to have 5 Raspberry Pis in my environment. I’m sure it made sense at the time.

In terms of getting cheap computers for a project such as this, it’s hard to beat the Raspberry Pi for price, power, and size.

Storage – 16 / 32Gb microSDHC Class 10 memory cards x 5, from £6

You need somewhere to store your operating systems and data. I got a mix of 16Gb and 32Gb cards Class 10. Get the fastest cards you can afford; the fastest 90Mbps cards start from £50 and are probably overkill. Class 10 (10Mbps) are fine for our purposes.

Case – 5L Really Useful Box, from £5

Unless you have an old Xbox 360 you’re willing to gut (which was my original plan for the case), this is the next best thing. It’s solid (so you can screw stuff to it, or cut it easily), won’t cut your hands to bits, and it’s meant to be opened.

Case – Transparent plastic Raspberry Pi cases x5 – from £3 each

Not strictly necessary, but makes it easier when you’re trying to  pack box-shaped things inside a larger box-shaped thing. Plus it gives you nice flat surfaces to help stick them together.

Network – TP-LINK TL-SG108 8 Port Metal Gigabit Ethernet Switch, from £20

I need a switch to handle at least 5 machines, and this fit the bill. It’s solid and well made, and not too costly, and it has room for expansion.

Network – Wireless USB Network Adaptor [Optional] – from £5

You could use one of the spare switch ports and wire the BASKETS to your home network, but I wanted it to be wireless, just because it’s one less wire and more flexible.

I only need one; to connect the Primary Pi to my home network. The Pis will be connected to each other via the TPLink switch.

The price of these things varies depending on the supported bands and frequencies. Make sure you get one that matches your home Wifi. The one pictured is 802.11n

Network – 20cm Cat5 Ethernet Cables x5 – from £2 each

Each Pi will be wired via the TPLink switch. To keep the cost – and clutter – to a minimum, I bought the shortest cables I could find, with a different colour for each Pi. Because what is life without whimsy?

Power – Anker Quick Charge 3.0 – from £30

These Anker USB charging blocks are great. I have one for everyone in the house. They’re not super cheap, but they’re small, well made, and reliable.

Power – Anker 6-pack USB charging cables, 30cm – from £10

Obviously all the Pis need power from the Anker, and if you’re lucky you can get a package deal for the Anker power block plus cables. You can pay less for USB A > micro B cables, but Anker ones are the sturdiest I’ve found.

Since these will be protected inside a sturdy plastic box and not unplugged much, you could probably save a little cash here.

Power – 2-gang 2m extension lead – from £7

I needed to power both the Anker USB power supply and the TPLink switch, but I didn’t want to have two power cables outside the box. So I bought a simple two plug extension cable to keep all that cable mess inside the box.

Icing on Cake – Raspberry Pi 7-Inch Touch Screen Display – from £60

This is very much a nice to have, but I had this spare from another incomplete project, so it made sense to re-purpose it for this. This will act as the display from the primary Pi and is intended to display status information about the environment.

That comes to about £300 (before the very optional extras)

By reducing the number of Pis, it should be possible to get this down to £200 for a smaller setup. So, the cost is non-trivial, but it’s all stuff that can be used for other things; nothing is sacrificed or used up.

In the next post, I’ll go over how I intend to package all that together into the Really Useful Box.

Building a self-contained environment for testing security (or BASKETS. Kinda)

I’ve been a tester for a while now, and I’ve done most types of testing for a little while. However, there is one really glaring hole in my skillset (among many other, slightly less glaring ones). and that is security testing.

While I’ve used code scanners (AppScan, AppSpider, Checkmarx, OWASP Dependency Checker) and automated them with Jenkins in a DevSecOps fashion, I don’t really consider that security testing. Using code scanners is testing in the same way that automated testing is testing; i.e. not.

They can find things they know to look for, but can’t recognise or highlight anything else, unless it gets in the way of what they’ve been told to do. Sure, code scanners make available the work of security researchers around the world, but they don’t do anything to educate those who use them. If all I have to do is push a button and then send the report to the devs, what have I learned? Nowt.

Some time ago, I decided I wanted to make my own security testing environment. The reason for this is mostly to learn how, but the other major driver was that setting up a security testing environment in a corporate IT infrastructure is problematic.

No matter how friendly your IT folks are – and mine are very friendly and exceedingly accommodating – they will quite sensibly baulk at letting some n00b tester install security software into their lovely corporate environment.

Security testing tools use the same techniques and look to exploit the same vulnerabilities that malicious hackers would, so performing security testing on the network will (or should) cause their network monitoring and intrusion detection systems to light up like a Christmas tree.  Sure, in the initial reconnaissance phase you’re not doing anything naughty, but which IT guy really wants that noise and hassle in their life?

My initial plan was to rip the guts out of an old Xbox 360 (who had suffered the dreaded RROD) and use that as the case, but it was a bitch to work with; lots of sharp metal edges and, unsurprisingly, hard to get into, with losing patience and layers of skin.

The project died, but not until after I had bought the initial pieces of hardware.

In the next post I’ll go into the hardware I am using, with some idea of how it all fits together into one package.