

CYBER THREAT RESPONSE CLINIC
Module 2 - Lab – HackMDs.com – Connectivity and Setup

© CISCO SYSTEMS, 2017

Lab Guide: Module 2

Welcome to HackMDs. As the new security admin, you will want to familiarize yourself
with the resources you will be working with in this enterprise. During this exercise,
you will be walked through connecting to our model enterprise and will confirm that the
tools used today are up and available.
 

Outcome
At the end of this module you will have access to the lab environment and a map to the
resources you will need for using the tools within this lab.

Components
o   Lab Resources
o   Lab Steps
©Cisco  Systems  2017   Cyber  Threat  Response  2.0  Clinic    2-­2  


Lab Resources

This lab is hosted inside of Cisco dCloud. Within the labs are a number of virtual
machines. These hosts include models of enterprise resources, Cisco security assets,
and hosts that will be launching “attacks” against the enterprise.

Required Resources
•   Laptop with Microsoft Remote Desktop
•   Internet Connectivity


Lab Resource Sheet

Device Logins for Hosts:

Host                               IP Address               Username               Password
RDP Jump Box                       dCloud Session Assigned  Hackmds\administrator  CTRLab123!
Cisco ISE Server                   192.168.30.4             admin                  CTRLab123!
Cisco Firepower Management Center  192.168.30.5             admin                  CTRLab123!
Stealthwatch Manager Console       192.168.30.6             admin                  CTRLAB123!
Cisco Private AMP Server           192.168.30.9             ctr+lab@hackmds.com    CTRLab123!

Lab 2
Complete this lab to verify connectivity to the lab environment and ensure all lab systems are
up and running for lab operations.

Task 1: Connect to the dCloud Jumphost

Step 1   From your laptop, open a browser to: https://dcloud.cisco.com/
Step 2   Either register with dCloud or log in to dCloud using your Cisco CCO account.
Step 3   Select the data center designated by your instructor and choose whether to make it your
preferred data center.
Step 4   Once you have logged in, click the Dashboard tab to access your current sessions.
Step 5   You should see your Cyber Threat Response session available. Click the View button.

Note   If you do not see your CTR session, contact your Cisco instructor or dCloud lab support representative for
registration support.

Step 6   This will bring up the CTR clinic environment. The right side of the screen shows the
remaining time available for completing the lab. The Details tab displays details on your
session such as start, end and login credentials. The Resources tab provides links to support
documentation.
Step 7   The Servers tab lists all of the systems running within the CTR environment. From this
location you can turn systems on or off, or reboot them, if needed.
Step 8   To work on the lab, you will need to access the Jumphost. You can either click the Remote
Desktop link to launch a web VPN session or use the IP address and credentials provided with your
own local desktop RDP client. Those credentials are username: hackmds\administrator and
password: CTRLab123!

Note   At this point you should now be successfully logged into the Windows Jumphost desktop. If you are NOT
able to log in to the Jumphost Windows PC, please ask your instructor for assistance.


Task 2: Validating “Enterprise” Systems
This next task will ensure that the systems that will be “attacked” are properly operating
and available within this lab environment. The following resources will be accessed:

Host                         IP Address      Username             Password
hackmds.com                  192.168.1.107   N/A                  N/A
WOW (Workstation on Wheels)  192.168.40.5    HACKMDS\wow-generic  CTRLab123!
DR. Workstation              192.168.40.10   HACKMDS\dhowser      CTRLab123!

Step 9   Make sure that you are logged into the Jumpbox PC.
Step 10   Open a web browser (Firefox is available from the Windows taskbar).
Step 11   Connect to the following websites using your browser: http://www.hackmds.com,
http://portal.hackmds.com and http://ad.hackmds.com
Step 12   Validate that each web page loads properly, which verifies that the web server is reachable.
Step 13   From the Jumpbox PC desktop, double-click the “WOW Workstation RDP” shortcut icon to
start a remote desktop session to the Workstation on Wheels desktop. If you receive a warning
message, click the “Connect” button to continue.
Alternatively: You can click the Windows Start button and type “remote desktop” to start a remote desktop
application and use the WOW IP address of 192.168.40.5
Step 14   When presented with a login screen, if needed, enter the login name HACKMDS\wow-generic and the
password CTRLab123!
Step 15   Validate that you are now able to access the Workstation on Wheels (WOW) desktop.
Step 16   Close the RDP connection to the WOW desktop.
Step 17   From the Jumpbox PC desktop, double-click the “DR Workstation RDP” shortcut icon to start
a remote desktop session to the Doctor Workstation desktop. If you receive a warning message,
click the “Connect” button to continue.
Alternatively: You can click the Windows Start button and type “remote desktop” to start a remote desktop
application and use the DR. Workstation IP address of 192.168.40.10
Step 18   When presented with a login screen, if needed, enter the login name HACKMDS\dhowser and then the
password CTRLab123!
Step 19   Validate that you are now able to access the DR. Workstation desktop.
Step 20   Close the RDP connection to the DR. Workstation desktop.

Note   At this point, you have now successfully validated that the enterprise systems above are accessible.



Task 3: Validating “Attack” Systems
This task will ensure that you will be able to access the “attacker” platform for launching
attacks in later labs.

Host           IP Address    Username  Password
Kali Attacker  192.168.1.5   root      CTRLab123!

Step 21   Make sure you are logged into the Jumpbox PC.

Note   We will be using the NoMachine Remote Desktop application instead of the Microsoft RDP client to connect
to the Kali Attack client, for better compatibility with the Linux system.

Step 22   From the Jumpbox PC desktop, double-click the “Kali_Attacker” shortcut icon to start
the NoMachine remote desktop application.
Step 23   Once the NoMachine program starts, double-click the “Connection to 192.168.1.5” icon to
connect to the Kali Attack host.
Step 24   When prompted, log in to the Kali Attack host with the username: root and password:
CTRLab123!
Step 25   Validate that you are now able to access the Kali Attack Linux desktop.
Step 26   Now, from the Kali Attack Linux desktop, start a Linux Terminal session by clicking the
icon in the favorites bar at the bottom of the desktop. You can also find applications by clicking
the magnifying glass at the bottom and searching for the term “terminal”.

Step 27   Now resize the Kali Attack Linux desktop session. From the Linux terminal session, enter
the following at the command prompt: xrandr -s 1024x768
Note: Additional screen resolutions might be available depending upon your laptop configuration. To
check for additional screen resolution options, enter the command xrandr without any options. You will
then be presented with a list of possible screen resolutions.
Step 28   Next, click the “root” account name in the upper right corner of the Kali Linux desktop, then
click “Log Out…” from the menu options. Next, click “Log Out” in the “Log out root” popup
to close the Kali Attack Linux session.
Step 29   Now you can close the NoMachine application by clicking the X in the right corner of the
program window.

Note   At this point you have now successfully connected to the Kali Attack host.



Task 4: Validating “Security” Systems
This task will ensure that the security tools available to HackMDs.com are running and
available within the lab.

Host                                   IP Address     Username             Password
Identity Services Engine (ISE)         192.168.30.4   admin                CTRLab123!
Firepower Management Center (FMC)      192.168.30.5   admin                CTRLab123!
Stealthwatch Management Console (SMC)  192.168.30.6   admin                CTRLab123!
Private AMP Server                     192.168.30.9   ctr+lab@hackmds.com  CTRLab123!

Step 30   Make sure you are logged into the Jumpbox PC.
Step 31   From the Jumpbox PC desktop, open the web browser application.
Step 32   Connect to the Cisco Identity Services Engine (ISE) server at: https://192.168.30.4
Step 33   At the login screen, log in with the username: admin and password CTRLab123!

Note   If you get a message asking you to install Adobe Flash Player, just click “Accept and Close”.

Step 34   Validate that you are now connected to the Cisco Identity Services Engine (ISE) dashboard.
Step 35   Now browse to the Cisco Firepower Management Console (FMC) at: https://192.168.30.5

Note   If you receive a message saying “Existing Session Detected”, just click the “Proceed” button.

Step 36   At the login screen, log in with the username: admin and password CTRLab123!
Step 37   Validate that you are now connected to the Cisco Firepower Management Console (FMC) dashboard.
Step 38   Now browse to the Cisco Stealthwatch Management Console (SMC) at: https://192.168.30.6
Step 39   At the login screen, log in with username: admin and password CTRLab123!
Step 40   Validate that you are now connected to the Cisco Stealthwatch Management Console.
Step 41   Now browse to the Cisco Private AMP server at: https://amp.hackmds.com/ or https://192.168.30.9
Step 42   At the login screen, log in with username: ctr+lab@hackmds.com and password: CTRLab123!

Note   Do NOT log into the Cisco Private AMP server with the web browser’s cached credentials for the Admin
user account. Make sure you are using the username ctr+lab@hackmds.com

Step 43   Validate that you are now connected to the Cisco Private AMP console.

Note   At this point you have now successfully connected to the HackMDs.com security management platforms.
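As an added pre-flight check for Tasks 2 through 4 (example code written for this edit, not part of the Cisco lab guide), the script below probes every host from the resource tables with a plain TCP connect, sends no credentials, and reports which hosts are unreachable before you start clicking through the consoles. It assumes Python 3 is available on the Jumpbox and that the hackmds.com names resolve from there; the port numbers (80, 443, 3389, and 4000 for NoMachine) are assumptions, since the guide names the applications but not the ports.

```python
import socket
from typing import Callable, Dict, List, Tuple

Probe = Callable[[str, int], bool]

# Inventory built from the lab resource tables. Port numbers are assumptions
# (the guide names the protocols, not the ports): 80 for the plain-HTTP sites,
# 443 for the HTTPS consoles, 3389 for RDP, 4000 for NoMachine (NX default).
LAB_TARGETS: List[Tuple[str, str, int]] = [
    ("www.hackmds.com",           "www.hackmds.com",    80),
    ("portal.hackmds.com",        "portal.hackmds.com", 80),
    ("ad.hackmds.com",            "ad.hackmds.com",     80),
    ("WOW workstation (RDP)",     "192.168.40.5",     3389),
    ("DR workstation (RDP)",      "192.168.40.10",    3389),
    ("Kali attacker (NoMachine)", "192.168.1.5",      4000),
    ("ISE (HTTPS)",               "192.168.30.4",      443),
    ("FMC (HTTPS)",               "192.168.30.5",      443),
    ("SMC (HTTPS)",               "192.168.30.6",      443),
    ("Private AMP (HTTPS)",       "192.168.30.9",      443),
]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a TCP handshake to host:port completes (no login attempted)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, timed out, or name resolution failed
        return False


def run_checks(targets, probe: Probe = tcp_probe) -> Dict[str, bool]:
    """Probe every target once and map its label to reachable (True) or not (False).
    The probe is injectable so the logic can be exercised without a network."""
    return {label: probe(host, port) for label, host, port in targets}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Labels that failed, sorted so two runs can be compared line by line."""
    return sorted(label for label, ok in results.items() if not ok)


if __name__ == "__main__":
    report = run_checks(LAB_TARGETS)
    for label, ok in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")
    # Non-zero exit when anything is down, so the check can gate the rest of the lab.
    raise SystemExit(1 if unreachable(report) else 0)
```

Run it from the Jumpbox before Task 2; any FAIL line names a host to raise with your instructor or to power-cycle from the dCloud Servers tab.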


Task 5: Establish and Test pxGrid Services Between ISE and FMC

The Cisco pxGrid (Platform Exchange Grid) is an open, scalable and IETF standards-driven
data-sharing and threat-control platform designed to help your multiple security
products work together. We will be showcasing pxGrid functionality within the CTR
clinic. In this task, we will be enabling pxGrid within Cisco Identity Services Engine
(ISE) and Cisco Firepower. There are many other integrations available beyond the
tools leveraging pxGrid in this lab. Learn more about pxGrid at
http://www.cisco.com/c/en/us/products/security/pxgrid.html

Step 1   Sign in to ISE, go to Administration > pxGrid Services, and check the boxes next to the two bottom
FMC options; then click the Delete button and select “Delete Selected”.

Step 2   Now move to your FMC console in the Firefox browser and navigate to:

1) System

2) Integration

3) Identity Sources

4) Next, select the “Identity Services Engine” button.

5) Click the “Test” button to reestablish the pxGrid connections between FMC and ISE.

Step 3   Now return to your ISE console session and verify that the two FMC pxGrid connections have been
reestablished as shown below. (Do not worry about the fireshightisetestfmc.hacmds.com connection being
offline.)

Step 4   Now completely close your previous AnyConnect session.


 
Please  let  your  instructor  know  when  you  have  successfully  completed  Lab  2.  