Last updated at Wed, 27 Sep 2017 21:30:40 GMT

One of my biggest challenges in learning how to pentest was finding systems to test against. I heard that using your   neighbors network is "frowned upon", and hanging out in a   Starbucks and pwning your fellow coffee drinkers on the public wifi raises the occasional eyebrow.

So what do I do? Build a test environment. The concept itself isn't difficult, but there are easy and hard ways to do it. I wanted two machines: one with my vulnerable VMs,  the  other with Metasploit and NeXpose . This isn't necessary, but in my case the Metasploit Pro machine would generate a lot of traffic and I wanted to make sure it has all the   resources it needs.

What you need

  • A decent box
  • Multiple Processors/Cores
  • Lots of RAM (4 GB or more)
  • Lots of HD space
  • Some sort of virtualization software (VMWare, VirtualBox, Hypervisor)
  • Pre-built virtual machines or installer ISOs
  • Optional: A second box with two NICs (dedicated for Metasploit and assorted other tools)
  • A can-do attitude

Target machine specs

  • Intel Core 2 Quad @2.66 GHz
  • 8 GB Crucial DDR3 RAM
  • 500 GB WD HD
  • Ubuntu 10.04 LTS 64 bit
  • VMWare Workstation

Metasploit box specs

  • AMD Quad Something, 1.8 GHz
  • 8 GB DDR2 RAM (noname)
  • 500 GB HD
  • Ubuntu 9.10 64 bit

There are a few reasons I chose this setup. The Core 2 Quad is  hyper-threaded (can span tasks across several cores if necessary), which  is ideal for VMware Workstation. For the amount of VMs I wanted, 4 GB of  RAM simply wouldn't be enough. This setup can host six to eighth VMs at once. You can scale it up or down based on your requirements.

  • Metasploitable (Download through BitTorrent)
  • Ultimate LAMP
  • Windows XP SP3
  • Windows 2003 Server R2
  • RedHat 6.5
  • Windows 7 RC2
  • Windows 2000 Advanced Server SP4

I highly recommend that you first define your network. When I built my environment I did  this last, but in hindsight it would have been so much easier the other way around (my loss of five hours is your gain =]). I gave a  pretty basic overview of how to do this in my VPN Pivot post.

You have two options to set up your pentesting lab.

Option 1: The easy option - everything on one machine

This is the best option if you have limited resources. For example, I use this setup on my laptop. I only had to set up all machines on the same virtual virtual adapter, and I was golden.

First I opened up my virtual network editor (Edit -> Virtual Network Editor). If you're running VMware on Linux, click Add Network...; on Windows, choose one from the list (VMNet1 is a good place to start).  I then switched the network configuration to Host Only and selected my subnet (I chose but you can pick whatever  you want so long as it's a private range) and saved it. With this set  up, I could now assign this virtual network to all the machines as I  built them.

Option 2: The tricky option - separate tool and target machines

This one took me a bit to figure out, so I'm providing more detail. What made this setup tricky is that I didn't want  a bunch of über-vulnerable machines chillin' in my network so I had  to keep them private, like in the single machine deployment. The  problem is to keep them unavailable from any other machine but my pentesting machine. The first thing to notice is that the  box running Metasploit Pro has two NICs - for a reason.  After fiddling with it for literally days, I learned that there really  isn't any way to give access from the second machine to a "host only"  network. To make it easier, I will refer to the Metasploit machine as Box A and the machine with the target VMs as Box B.

So here's what I did:

I set up Box A so that access out is on eth0 and access to the box  with Box B is on eth1. (I only did this on Linux; setup on Windows will be different.) First, I configured a DHCP server on Box A, but only for eth1. Otherwise, this can muck up your other interface. But don't worry…  it's easy.

First, I installed the DHCP server:

root@pro_server: apt-get install dhcp3-server

Next, I fired up my favourite text editor and edited the config so that it only runs on eth1:

root@pro_server: vim /etc/dhcp3/dhcpd.conf

Find this line


Replace with the following line


Save and exit.

Next I made a backup copy of the /etc/dhcp3/dhcpd.conf file:

root@pro_server: cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back

I edited the conf file: /etc/dhcp3/dhcpd.conf file using the following command

root@pro_server: vim /etc/dhcp3/dhcpd.conf file

From here, I just modified the file as I saw fit (you can check out my config here). I needed to ensure that the subnet range on eth1 was  different from that of eth0. I chose, then I modified my  interfaces file:

root@pro_server: vim /etc/network/interfaces

Make the IP of Box A  on eth1 static and in the range. I chose, saved, and then ran:

root@pro_server: service dhcp3-server restart

I then connected the two machines with a network cable, going from eth1 on Box A to eth0 on Box B.

As a result, Box B was completely reliant on Box A for network connectivity. If you want, you can set up services like Internet Connection  Sharing and File Sharing.

While Option 2 is not required for all pentesting labs, I built  mine this way because my lab would be used by several people, and I did not want to run out of resources.

How to host the vulnerable target machines

When installing/building the VMs I was presented with a ton  of options for RAM, processor, and network adapters. I simply thought: "What would be period correct for a particular operating  system?" That is, what would be the minimum system requirement to install it when the OS first came out? here is my recommendation for RAM - thanks to the Metasploit team for their input:

  • Metasploitable: 256 MB (pre-built)
  • Ultimate Lamp: 384 MB (pre-built)
  • Windows XP SP3: 512 MB
  • Windows 2003 Server R2: 512 MB
  • RedHat 6.5: 256 MB
  • Windows 7 RC2: 768 MB
  • Windows 2000 Advanced Server SP4: 256 MB

I also assigned a single core to each VM across the board (they're  not going to be doing much processing). Installing the operating systems was easy. Some of the installers were older and a bit tricky, but  for the most part VMware Workstation just did it for me. If you use VirtualBox, you may have to install them manually. (I'm not sure about Hypervisor.)

For each VM, I set up the network individually. For Option 1 (the self-contained test environment) I  simply assigned the network setting to VMnet1 (the host-only network we  created earlier).

Option 2 was totally different. Since Box A is the actual DHCP server  in this scenario, I wanted to make sure all of the VMs be assigned IP addresses that would be on the same subnet as Box A. Instead of assigning each a host-only IP address, I bridged the connections so all share the connection as Box B and are assigned IP addresses from box A.

I was now ready to test: Launch Metasploit Pro, create a project, and scan the network. Low and behold… Success!

Folks, this setup took me a few tries before I got it right. If you have any questions, feel free to comment or email me directly.