In this tutorial we will set up the lab environment that we will use throughout the CompTIA PenTest+ tutorial series.
We need a lab to practice pentesting in, so let us set up our own dedicated pentesting lab. You have different options for creating a lab depending on your convenience: you can use dedicated hardware on which you launch an operating system with all the tools installed, or you can set up your lab in a cloud environment such as AWS.
But we will keep it simple and use Oracle VirtualBox to set up our pentesting lab by creating different virtual machines which will act as server and client.
Here is a topology diagram of our Lab where we are using 3 virtual machines to perform the entire testing:
We will install Kali Linux, which will act as the client initiating attacks on DVWA and Metasploitable. All these VMs will be connected over a virtual host-only network so that our physical host network is not impacted.
Download and Install VirtualBox
VirtualBox is an open source product from Oracle and is freely available, so let's start by downloading this software from their official page. You can choose the software variant as per your host machine:
Since I am running my host on Windows, I will choose the first option. At the time of writing this tutorial, version 7.X was available from VirtualBox, which may not be the case when you are reading it. So it is possible that some of the configuration options may vary based on the version you choose.
The installation of VirtualBox on Windows is pretty straightforward and I won't guide you through the installation steps; you basically have to just follow the screen, and the default options should be enough in most cases. You can always refer to the VirtualBox Reference Guide for more information.
If you are using a Linux host then you can refer to How to install Oracle Virtual Box on Linux (CentOS / RHEL 7)
Once VirtualBox is installed, it is also recommended to download and install the Extension Pack of the same version, which you can find on the same VirtualBox page.
Create Host Only Network in VirtualBox
Next we will create a virtual host-only network which will be used by our virtual machines throughout the tutorial. Click on File -> Tools -> Network
On the right hand side panel, select Host-only Networks. Here you will find a default VirtualBox Host-Only Ethernet Adapter with some default Adapter configuration. We will modify it with below values:
Next switch to DHCP Server Tab and make the following changes:
Click on Apply to save the changes.
Download and Install Kali Linux
Now that our VirtualBox network setup is ready, let's go ahead and install Kali Linux. Kali Linux is a Linux distribution that's specifically oriented towards pen testers. In other words, it's a collection of tools for your toolbox, all open source, all free, and it's a great way to start building your toolbox.
You can access the official page to choose your Kali Linux platform. I will choose the Virtual Machine option so that I don't have to go through the complete installation stage and I can just import the downloaded VM files into Virtual Box.
Next based on my host environment, I will choose my downloaded file:
Next open the Virtual Box software and click on Machine -> Add.
I have extracted the downloaded kali image file under Downloads. So navigate to the extracted path and select the vbox file.
This will add a new VM to your Virtual Box software. Next let's configure the network settings for this VM. Select the VM and click on Settings. Here we will enable Adapter 1 and set it to Host-only Adapter which we created earlier.
We will also need to enable Adapter 2 and set that to NAT because we will be connecting to the Internet as well. I will go one step further and also configure Port Forwarding to be able to connect to the VM using SSH.
Click on start to power on the VM.
Once you get the access to the login console, login using kali/kali which is the default login credential of the image. If this doesn't work then you can again check the official download page to get the updated login credential.
Next we will enable SSH access. On the GUI, right click and open a new Terminal.
If you want to enable root-based SSH access, open /etc/ssh/sshd_config with sudo and update the value of PermitRootLogin to yes.
Enable and start SSH server:
sudo systemctl enable ssh --now
Once connected I can verify my network details:
┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.1.10  netmask 255.255.255.0  broadcast 10.10.1.255
        inet6 fe80::570:f0af:411c:e577  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:1e:36:4a  txqueuelen 1000  (Ethernet)
        RX packets 35  bytes 8616 (8.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 3762 (3.6 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.15  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::cbec:5e79:51cb:9218  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:83:cb:99  txqueuelen 1000  (Ethernet)
        RX packets 50  bytes 6912 (6.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58  bytes 10134 (9.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Download and Install DVWA
Now that we have our Kali Linux up and ready, next we need a web application server which we can target and attack, so we will use Damn Vulnerable Web App, i.e. DVWA. We are choosing this framework because it is deliberately vulnerable and will help us practice for our course.
I have downloaded DVWA 1.0.7 ISO from DAMN VULNERABLE WEB APPLICATION (DVWA): 1.0.7 which I will use to create a new Virtual Machine.
Open your Virtual Box software and click on Machine -> New to create a new VM. Provide the required details as shown in the screenshot:
I am giving 2GB RAM and 1 vCPU for this VM:
A virtual disk size of 10GB should be sufficient, as we don't intend to install much software or data on this VM. By default the provided size will be dynamically allocated, i.e. the entire 10GB will not be reserved up front; storage is consumed as it is actually used.
Finish the configuration process. Next change the network setting of this VM to Host-Only Adapter for Adapter 1.
Save the changes and start the installation by clicking on Start in the next step:
Once DVWA boots up you will see the following screen on the console. Here you can either run the application directly from the image by choosing the first option, i.e. boot the Live System, or, as in our case, install the application by choosing Start the installer directly.
And that's it, DVWA is up and running.
Verify the Network Address of this VM:
Download and Install Metasploitable
Metasploitable is another deliberately vulnerable system that ethical hackers commonly use as a pentesting target. So we will download it and install it in VirtualBox as a VM.
We have downloaded metasploitable-linux-2.0.0.zip from the official page. Here is the extracted content of the archive:
Let's create a new VM using these files. Open VirtualBox and click on File -> New to create a new VM. The name of the VM must be the same as the extracted folder which contains the above VMDK files.
Click on Expert Mode and choose the existing downloaded VMDK file as the hard disk instead of creating a new one.
Click on Finish to apply the changes. Configure the Network to use Host-only Adapter for Adapter 1.
Start the new VM.
And that's it, your environment is ready to start the pen testing. The default login credentials are msfadmin/msfadmin, as documented under logging-in-to-metasploitable-2.
Verify the network address of this VM:
Now we have three virtual machines, two victims and one attacker machine, and we can also attack our host, which is the Windows box.
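The GUI steps above (host-only adapter and DHCP server, Adapter 1 host-only on every VM, Adapter 2 NAT plus an SSH port forward on Kali only) can be reproduced with VBoxManage so the lab is rebuilt the same way every time. This is an added example, not part of the original tutorial: the VM names, the host-only adapter name, the 10.10.1.0/24 addressing (taken from Kali's eth0 above) and the DHCP pool are assumptions, and the isolation check fails if any lab VM ended up with a bridged adapter, which would expose the vulnerable targets to the physical LAN.

```shell
#!/bin/sh
# Added example: automate the VirtualBox lab wiring with VBoxManage.
# Assumed values: adapter name, VM names, 10.10.1.0/24 gateway/DHCP range.
HOSTONLY_IF="${HOSTONLY_IF:-VirtualBox Host-Only Ethernet Adapter}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "VBoxManage $*"; else VBoxManage "$@"; fi
}

# Host-only adapter gets 10.10.1.1/24; the DHCP server hands out 10.10.1.10-100
# (Kali received 10.10.1.10 in the ifconfig output above).
setup_lab_network() {
  run hostonlyif ipconfig "$HOSTONLY_IF" --ip 10.10.1.1 --netmask 255.255.255.0
  run dhcpserver modify --interface="$HOSTONLY_IF" --server-ip=10.10.1.2 \
    --netmask=255.255.255.0 --lower-ip=10.10.1.10 --upper-ip=10.10.1.100 --enable
}

# Adapter 1 is host-only for every VM. Only the attacker (Kali) gets a NAT
# adapter; its SSH forward is bound to 127.0.0.1 so port 2222 is not reachable
# from other hosts on the physical network. Targets get no second adapter.
attach_vm() {
  vm="$1"; role="$2"
  run modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
  if [ "$role" = "attacker" ]; then
    run modifyvm "$vm" --nic2 nat --natpf2 "ssh,tcp,127.0.0.1,2222,,22"
  else
    run modifyvm "$vm" --nic2 none
  fi
}

# Read `VBoxManage showvminfo <vm> --machinereadable` output on stdin and
# succeed only if no adapter is bridged (bridged = victims on the real LAN).
nics_isolated() {
  ! grep -q '^nic[0-9]*="bridged"'
}

# Usage when run as a script: wire the three lab VMs, then audit each one.
if [ "${0##*/}" = "lab-net.sh" ]; then
  setup_lab_network
  attach_vm "kali-linux" attacker
  attach_vm "dvwa" target
  attach_vm "Metasploitable2-Linux" target
  for vm in kali-linux dvwa Metasploitable2-Linux; do
    VBoxManage showvminfo "$vm" --machinereadable | nics_isolated \
      || echo "WARNING: $vm has a bridged adapter" >&2
  done
fi
```

Save it as lab-net.sh, adjust the assumed names to match your VMs, and run with DRY_RUN=1 first to review the commands before applying them.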