Penetration testing is the practice of figuring out what makes a computing system vulnerable. As a penetration tester (pen tester), your job is to find the holes in a system so that the owner of the system can seal them. It takes practice to become a good pen tester. A great way to get started is to create your own protected lab for practicing. That’s what we’ll do here.
First, A WARNING – NEVER DO PEN TESTING AGAINST A SYSTEM YOU DON’T OWN OR AGAINST A SYSTEM FOR WHICH YOU WEREN’T GIVEN PERMISSION – YOU DEFINITELY COULD GO TO JAIL IF YOU DO, BECAUSE IT IS ILLEGAL. Again, you need permission to pen-test a system. IF YOU DON’T GET PERMISSION AND YOU PEN-TEST ANYWAY, YOU ARE BREAKING THE LAW AND MIGHT BE PROSECUTED.
So, if you’re not going to build and use your own practice lab, you’re definitely putting yourself at risk.
It is easiest to set up a training environment using just a single physical machine. To do this, we will use virtual machines. A virtual machine is like a real, physical computer, except that it runs on the computer in front of you with no additional hardware. It’s like having multiple machines in one.
To use virtual machines, you need a piece of software that manages them. VMWare, VirtualBox, and HyperV are the most popular virtual machine managers. We will use VirtualBox.
VirtualBox uses virtual machine images. Each virtual machine image is like an operating system you might install on a physical machine. You can make your own virtual machine images, or you can download them for VirtualBox from websites.
We will download images to create two virtual machines. The first will be a virtual machine image of Kali Linux. Kali is a version of the operating system Linux that has lots of penetration testing tools built into it. The second virtual machine we will create is called Metasploitable. Metasploitable is a version of Linux that has been made insecure on purpose.
Download the Kali virtual machine image from here:
I chose the 32-bit one, but I think the 64-bit version would work too.
Clicking the link will download a .ova file. These files can be read by VirtualBox. All you have to do is choose File >> Import Appliance to start working with it. The default username is root. The default password is toor.
Metasploitable can be downloaded from here:
Download the zip file and unzip. In there, you will also find a vmdk file. To use it, do the following:
File >> New
Fill in the name and type as “Metasploitable” and “Linux”
Accept 1024 MB as the memory size
Choose “Use an existing hard disk”, and then click the folder button and navigate to the Metasploitable.vmdk file.
Once the two machines are created, right-click on each and choose properties. Switch to Networking, and choose Internal (instead of NAT) as the network type. That will enable the virtual machines to talk with each other but not with the physical host machine or anything on the internet. That will isolate your activity, which is important.
Double-click on Metasploitable to launch it. Log in as msfadmin with a password of msfadmin. Open up a terminal window and type the following to set up networking:
sudo ifconfig eth0 10.10.10.2 netmask 255.0.0.0 up
Double-click on Kali to launch it. Log in as root with a password of toor. Open up a terminal window and type the following to set up networking:
sudo ifconfig eth0 10.10.10.1 netmask 255.0.0.0 up
Now the two machines are on the same network. You can verify that Kali can reach Metasploitable by pinging Metasploitable:
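Before touching anything else, it is worth confirming that the isolation described above actually holds. The script below is an added example, not part of the original post: it checks from either VM that the routing table knows only the lab network (10.0.0.0/8 here, because the post uses netmask 255.0.0.0) and that the other VM answers a ping. The two route samples are constructed so the parsing can be tried without a live machine.

```shell
#!/bin/sh
# Added example (not from the original post): verify the lab network is
# isolated before starting. The parsing functions take `ip route` output as
# text so they can be exercised on the constructed samples below.

# Constructed sample: what `ip route` shows on a correctly isolated Kali VM.
ISOLATED='10.0.0.0/8 dev eth0 proto kernel scope link src 10.10.10.1'
# Constructed sample: a VM that is still attached to a NAT or bridged network.
LEAKY='default via 192.168.1.1 dev eth0
10.0.0.0/8 dev eth0 proto kernel scope link src 10.10.10.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Returns 0 if there is no default route, i.e. no path out to the internet.
# $1 = output of `ip route`.
no_default_route() {
    ! printf '%s\n' "$1" | grep -q '^default'
}

# Returns 0 if the lab prefix is present and is the only route.
# $1 = output of `ip route`, $2 = expected lab prefix such as 10.0.0.0/8.
only_lab_routes() {
    printf '%s\n' "$1" | awk -v lab="$2" '
        NF && $1 == lab { seen = 1 }
        NF && $1 != lab { bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Live check: routes must be lab-only and the peer VM must answer one ping.
# $1 = address of the other VM (10.10.10.2 when run from Kali).
check_lab() {
    routes=$(ip route) || return 1
    no_default_route "$routes" || { echo "default route present: not isolated"; return 1; }
    only_lab_routes "$routes" 10.0.0.0/8 || { echo "routes beyond the lab network found"; return 1; }
    ping -c 1 -W 2 "$1" >/dev/null 2>&1 || { echo "peer $1 does not answer"; return 1; }
    echo "isolated lab network, peer $1 reachable"
}

# Usage: sh check_lab.sh 10.10.10.2 ; with no argument only the samples are checked.
if [ -n "${1:-}" ]; then
    check_lab "$1"
else
    no_default_route "$LEAKY" || echo "sample LEAKY correctly rejected: default route present"
fi
```

If the script reports a default route, the VM's adapter is still on NAT; go back to the VirtualBox network settings and switch it to Internal.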
From Kali, explore Metasploitable to see what its open ports and services are:
nmap -sV 10.10.10.2
That will reveal everything that is running and accessible on Metasploitable.
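The raw nmap listing is more useful once it is turned into an inventory the system owner can compare against what is supposed to be running. The script below is an added example, not from the original post: it extracts every open port, service and detected version from the normal `nmap -sV` output and lists the open ports that are not on an allow list. The scan text is a constructed sample in the shape of a Metasploitable scan, not real output.

```shell
#!/bin/sh
# Added example (not from the original post): turn `nmap -sV` output into a
# port/service/version inventory and flag open ports the owner did not expect.

# Constructed sample shaped like a scan of Metasploitable; not a real scan.
SAMPLE='Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-01 12:00 UTC
Nmap scan report for 10.10.10.2
Host is up (0.00042s latency).
Not shown: 977 closed ports
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
22/tcp   open   ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open   telnet      Linux telnetd
80/tcp   open   http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open   exec
8180/tcp closed unknown
Service Info: Host: metasploitable.localdomain; OS: Linux'

# Print "port/proto service version" for every open port.
# $1 = text of the nmap -sV output.
open_services() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+\/(tcp|udp)[[:space:]]/ && $2 == "open" {
            ver = ""
            for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
            print $1, $3, (ver == "" ? "(no version detected)" : ver)
        }'
}

# Number of open ports found.
count_open() { open_services "$1" | wc -l | tr -d ' '; }

# Open ports that are missing from the owner's allow list: each one is
# exposure that was not planned for.
# $1 = scan output, $2 = space-separated list of expected "port/proto" entries.
unexpected_open() {
    open_services "$1" |
        awk -v allow=" $2 " 'index(allow, " " $1 " ") == 0 { print $1, $2 }'
}

echo "open services:"; open_services "$SAMPLE"
echo "not on the allow list:"; unexpected_open "$SAMPLE" "22/tcp 80/tcp"
```

To run it against a live scan, save the nmap output to a file and call `open_services "$(cat scan.txt)"`; services reported with no version need a manual look, since nmap could not fingerprint them.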
Once we know what is running and accessible, we can try to exploit various services, ideally to open up a shell from which we can issue commands to the Metasploitable machine remotely. Here’s how. From Kali, do the following:
Start the Metasploit framework:
The framework specifies hundreds of exploits you can launch against a vulnerable machine. For example, you might find in your nmap results that ftp is running on the target machine. You can search the Metasploit framework for attacks against ftp:
For example, you’ll see this as an exploit you can run through the Metasploit framework:
To use it, type this at the msf>> prompt:
Each exploit has options. You can see the options like this:
For the vsftpd exploit, for example, the option you have to set is RHOST, the IP address of the target machine. In our case, that is 10.10.10.2:
set RHOST 10.10.10.2
Then, launch the exploit by typing exploit at the msf prompt:
If it’s successful, a back door will be established. You can then issue commands remotely as if you were sitting there at the 10.10.10.2 machine. You could run things, edit files, delete files, etc.
In other words, you have hacked into the target machine.
Here are other exploits you could try:
Armitage – a Graphical Approach
Armitage provides a graphical way to do what we just did. Although you ultimately have more control using the command line, Armitage provides a nice and engaging way to try things out.
First, at a terminal in Kali, issue this command to initialize the database of vulnerabilities and exploits.
Then, to run Armitage, choose it from the Applications menu.
Choose Hosts >> Add Hosts, and type the address of the target: 10.10.10.2 in this case.
Right-click on the computer symbol that pops up, and choose scan. This will do essentially the same thing as nmap -sV did, revealing all the open ports and services.
Then, choose Attack >> Hail Mary from the main menu. This throws every attack appropriate to the list of open services at the target.
As the attacks run, sessions will become available. Right-click on the computer symbol and choose the shell you want to interact with. This is similar to typing exploit at the msf>> prompt.
Basically, Armitage creates a more user-friendly way of doing the same thing that we did with the Metasploit framework.