One of my biggest challenges in learning how to pentest was finding systems to test against. I heard that using your neighbors network is "frowned upon", and hanging out in a Starbucks and pwning your fellow coffee drinkers on the public wifi raises the occasional eyebrow.
So what do I do? Build a test environment. The concept itself isn't difficult, but there are easy and hard ways to do it. I wanted two machines: one with my vulnerable VMs, the other with Metasploit and NeXpose. This isn't necessary, but in my case the Metasploit Pro machine would generate a lot of traffic and I wanted to make sure it had all the resources it needed.
What you need
- A decent box
- Multiple Processors/Cores
- Lots of RAM (4 GB or more)
- Lots of HD space
- Some sort of virtualization software (VMWare, VirtualBox, Hypervisor)
- Pre-built virtual machines or installer ISOs
- Optional: A second box with two NICs (dedicated for Metasploit and assorted other tools)
- A can-do attitude
Target machine specs
- Intel Core 2 Quad @2.66 GHz
- 8 GB Crucial DDR3 RAM
- 500 GB WD HD
- Ubuntu 10.04 LTS 64 bit
- VMWare Workstation
Metasploit box specs
- AMD Quad Something, 1.8 GHz
- 8 GB DDR2 RAM (noname)
- 500 GB HD
- Ubuntu 9.10 64 bit
There are a few reasons I chose this setup. The Core 2 Quad is hyper-threaded (can span tasks across several cores if necessary), which is ideal for VMware Workstation. For the amount of VMs I wanted, 4 GB of RAM simply wouldn't be enough. This setup can host six to eight VMs at once. You can scale it up or down based on your requirements.
Vulnerable VMs I used
- Metasploitable (Download through BitTorrent)
- Ultimate LAMP
- Windows XP SP3
- Windows 2003 Server R2
- RedHat 6.5
- Windows 7 RC2
- Windows 2000 Advanced Server SP4
I highly recommend that you first define your network. When I built my environment I did this last, but in hindsight it would have been so much easier the other way around (my loss of five hours is your gain =]). I gave a pretty basic overview of how to do this in my VPN Pivot post.
You have two options to set up your pentesting lab.
Option 1: The easy option - everything on one machine
This is the best option if you have limited resources. For example, I use this setup on my laptop. I only had to set up all machines on the same virtual adapter, and I was golden.
First I opened up my virtual network editor (Edit -> Virtual Network Editor). If you're running VMware on Linux, click Add Network...; on Windows, choose one from the list (VMNet1 is a good place to start). I then switched the network configuration to Host Only and selected my subnet (I chose 192.168.187.0 but you can pick whatever you want so long as it's a private range) and saved it. With this set up, I could now assign this virtual network to all the machines as I built them.
Option 2: The tricky option - separate tool and target machines
This one took me a bit to figure out, so I'm providing more detail. What made this setup tricky is that I didn't want a bunch of über-vulnerable machines chillin' in my network, so I had to keep them private, like in the single machine deployment. The challenge was to keep them unreachable from any machine other than my pentesting machine. The first thing to notice is that the box running Metasploit Pro has two NICs - for a reason. After fiddling with it for literally days, I learned that there really isn't any way to give access from the second machine to a "host only" network. To make it easier, I will refer to the Metasploit machine as Box A and the machine with the target VMs as Box B.
So here's what I did:
I set up Box A so that access out is on eth0 and access to Box B is on eth1. (I only did this on Linux; setup on Windows will be different.) First, I configured a DHCP server on Box A, but only for eth1. Otherwise, this can muck up your other interface. But don't worry… it's easy.
First, I installed the DHCP server:
root@pro_server: apt-get install dhcp3-server
Next, I fired up my favourite text editor and edited the config so that it only runs on eth1:
root@pro_server: vim /etc/dhcp3/dhcpd.conf
Find this line
Replace with the following line
Save and exit.
Next I made a backup copy of the /etc/dhcp3/dhcpd.conf file:
root@pro_server: cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back
I then edited the /etc/dhcp3/dhcpd.conf file using the following command:
root@pro_server: vim /etc/dhcp3/dhcpd.conf
From here, I just modified the file as I saw fit (you can check out my config here). I needed to ensure that the subnet range on eth1 was different from that of eth0. I chose 10.0.0.0/24, then I modified my interfaces file:
root@pro_server: vim /etc/network/interfaces
Make the IP of Box A on eth1 static and in the 10.0.0.0/24 range. I chose 10.0.0.2, saved, and then ran:
root@pro_server: service dhcp3-server restart
I then connected the two machines with a network cable, going from eth1 on Box A to eth0 on Box B.
As a result, Box B was completely reliant on Box A for network connectivity. If you want, you can set up services like Internet Connection Sharing and File Sharing.
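As an added example (not the author's own config, which the post links to), here is what the three Box A files from the steps above look like for the 10.0.0.0/24 lab with Box A at 10.0.0.2. On Ubuntu's dhcp3-server package the interface restriction is read from /etc/default/dhcp3-server rather than dhcpd.conf; the lease range 10.0.0.100-10.0.0.200 is my assumption.

```conf
# /etc/default/dhcp3-server (Box A)
# Restrict dhcpd to the lab NIC so it never answers DHCP requests on eth0.
INTERFACES="eth1"

# /etc/dhcp3/dhcpd.conf (Box A)
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;

# Lab subnet on eth1: must differ from whatever eth0 gets from the home network.
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.200;    # leases for Box B and its bridged VMs (assumed range)
    option subnet-mask 255.255.255.0;
    option routers 10.0.0.2;        # Box A's static eth1 address
}

# /etc/network/interfaces (Box A) - static address on the lab side
auto eth1
iface eth1 inet static
    address 10.0.0.2
    netmask 255.255.255.0
```

Leave net.ipv4.ip_forward at 0 on Box A unless you deliberately set up Internet Connection Sharing; with forwarding off, the 10.0.0.0/24 VMs are reachable only from Box A and cannot reach your other network through eth0.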
While Option 2 is not required for all pentesting labs, I built mine this way because my lab would be used by several people, and I did not want to run out of resources.
How to host the vulnerable target machines
When installing/building the VMs I was presented with a ton of options for RAM, processor, and network adapters. I simply thought: "What would be period correct for a particular operating system?" That is, what would be the minimum system requirement to install it when the OS first came out? Here is my recommendation for RAM - thanks to the Metasploit team for their input:
- Metasploitable: 256 MB (pre-built)
- Ultimate LAMP: 384 MB (pre-built)
- Windows XP SP3: 512 MB
- Windows 2003 Server R2: 512 MB
- RedHat 6.5: 256 MB
- Windows 7 RC2: 768 MB
- Windows 2000 Advanced Server SP4: 256 MB
I also assigned a single core to each VM across the board (they're not going to be doing much processing). Installing the operating systems was easy. Some of the installers were older and a bit tricky, but for the most part VMware Workstation just did it for me. If you use VirtualBox, you may have to install them manually. (I'm not sure about Hypervisor.)
For each VM, I set up the network individually. For Option 1 (the self-contained test environment) I simply assigned the network setting to VMnet1 (the host-only network we created earlier).
Option 2 was totally different. Since Box A is the actual DHCP server in this scenario, I wanted to make sure all of the VMs would be assigned IP addresses on the same subnet as Box A. Instead of assigning each a host-only IP address, I bridged the connections so they all share Box B's connection and are assigned IP addresses from Box A.
I was now ready to test: Launch Metasploit Pro, create a project, and scan the network. Lo and behold… Success!
Folks, this setup took me a few tries before I got it right. If you have any questions, feel free to comment or email me directly.