Setting Up A Pentest Lab For Beginners

UPDATE: 12-14-2013 – Attempting to create a customized Kali Image and convert to .iso that will include completion of a lot of the steps below as well as add vulnerable applications to it. Might take a while to learn how to do this and get it setup. Working on it.
Before continuing, please see feedback at the bottom of the page. Also, this page is going to drastically change over the next week or so as I add new images that can be added to your lab so check back every so often.
My job for the past decade has been in the computer security field and before that I managed a network of servers and desktops.  I have been obsessed with security for the last 20 years or more and that obsession has driven me to teach myself pretty much everything I know about information security. I get a lot of requests for recommendations on how to break into the computer security industry, what courses to take, etc. I can’t really offer that kind of advice since I am self-taught but I can show you how to at least get started in building up your skill set which to me, is more important than any certification hanging on a wall. I think most companies today are interested in your set of skills than classes you have taken. Though don’t base your entire career goals based on this as I am sure there are some who look at certifications as well.
OWASP (Open Web Application Security Project) is one project you need to pay attention to. I will not explain everything they do (which is a lot) here so go look for yourself . They release a yearly top ten list (list for 2013) of the 10 most popular exploitation techniques.  Injection has been on the top of the list a lot lately so this should be your starting point to focus on. This kind of attack is what makes news headlines about customer data being stolen and can be VERY expensive for a company to recover from. First, there are the actual costs involved in mitigating the damage to it’s customers then there is the damage it causes to the business’ reputation. Customers like to trust that their data is safe in their hands and destroying that trust can be devastating to the company.
So, lets get started. First rule. NEVER, under any circumstance perform unauthorized penetration testing. I am saying this wearing a “white hat” that should be worn by every person trying to get a job in the security field. I am not bashing other hackers who wear the other two colors of hats. This is merely my recommendation if you want to have a career in computer security where someone pays you to do your job.

Setting up the lab

I set mine up on a Windows 7 box so keep that in mind.
Download Oracle’s VirtualBox - https://www.virtualbox.org/wiki/Downloads and install it. The instructions I am giving here are for those who”s computer is behind a router such a Comcast, Verizon, etc.
Download Kali Linux ISO –  http://www.kali.org/downloads/ Not the “mini” version. Never used it before so this tutorial might not work if this image is used.
Install VirtualBox (it will temporarily disrupt your network connection so keep that in mind).
Start VirtualBox
When you create a new virtual machine ensure that the network setting is attached to “Bridged Adapter”. Again, remember this is if you are behind a router at home. Don’t do this at work or it might get you in trouble.
Installing Kali Linux
Setting up the Virtual Machine
There is also a video guide that is 45 minutes long here https://www.youtube.com/watch?v=k5mNnkG0FVk but below will get you there quicker and easier

1. Click New
2. Name your machine
3. Change to Linux and choose Debian (include the regular or 64- bit based on which ISO you downloaded)
4. Click Next
5. Increase memory if desired and click next (I suggest increasing it as if you don’t, it takes FOREVER to setup OpenVAS)
6. Choose default “Create a virtual hard drive now”
7. Choose hard drive file type. Default VDI is okay for this tutorial. Hit next
8. Choose fixed size hit next
9. Change the drive size of it’s default of 8GB. I recommend creating a larger drive to make room for expansion. Say 30GB or more
10. Hit  Create and wait while your computer becomes a bit VERY sluggish Will take about 10 minutes or so or longer.
11. Right click on new machine and choose settings
12. Change network to “Bridged Adapter” and click OK
13. Hit Start
14. A box will popup asking you for a CD image. Click and choose your Kali .iso.
15. Kali Live will boot and give you the option to install. Choose either Install or Graphical install. (Right-CTRL to get mouse out of screen if needed)
16. Name host/hostname kali or your own cute name
17. Partition method “Guided – Use entire disk”
18. Partition Scheme “All files in one partition”
19. Finish, yes commit the changes and wait
20. Will get prompted for “Use network mirror” hit enter for yes
21. Leave proxy blank unless you need to use one then you are on your own
22. Say yes to install GRUB bootloader
23. Installation complete! Hit enter and you will end up booting into your new awesome Kali box

You can now log in to your Kali machine as root. I suggest making a snapshot at this time.
Optional
Install VirtualBox tools if you want better control over screen resolution. Not sure what else this installs

1. Click “Devices” then click “Insert Guest Additions CD image”
2. Autorun doesn’t work on Kali so close that box and “cd /media/cdrom0″ <- zero not an oh.
3. cp VBoxLinuxAdditions.run /tmp
4. cd /tmp
5. ./VBoxLinuxAdditions.run
6. Right click CD on desktop and eject
7. Reboot
8. Click Applications/System Tools/Preferences/System Settings
9. Change resolution to suit your desire and hit apply

Optional #2
If you want to use this tutorial from your host machine and copy and paste into the virtual machine you can go ahead and setup SSH to make it easier. Or you can navigate to this tutorial from inside the machine using the web browser. Up to you.
Optional #3
Change default editor. I HATE vi because it confuses me. This is where all the hardcore sysadmins laugh at me now. I use nano.

update-alternatives –config editor
Choose nano (should be number 2)

Installing SSH
By default, SSH is not allowed to be run automatically but you can start it using the following command

/etc/init.d/ssh start

You can now connect via root to your box using your favorite ssh client. If you want to be able to have ssh autoload on start, follow these instructions.

nano /usr/sbin/update-rc.d
find “ssh disabled” which will be in the blacklisted init scripts
change to “enabled” and copy the line “ssh enabled”
Hit CTRL-K to delete the line
Scroll down to whitelisted and paste
CTRL-V
CTRL-X then Y then ENTER to save
update-rc.d ssh defaults

Now ssh “should” start automatically at boot. (update, this didn’t work so just type service ssh start)
Now it is time to perform the updates.  Kali recommends leaving the apt-get repositories the default as it could break some of your applications if you add other repositories. Leave the defaults as they suggest for now unless you feel like messing up things. This will take a while and to save the hassle of typing each command and waiting, simply run apt-get update then the entire line below an walk away for a while. It will take a bit to update.

apt-get update
apt-get -y upgrade; apt-get -y dist-upgrade; reboot

Your Kali box is now fully updated with the latest and greatest! Now, log back into the console. After the reboot I noticed ssh didn’t start automatically. I may have left out a step but am not going to deal with that now. /etc/init.d/ssh start.
Optional
I like using the dev version of SQLMap because I find the features work better on it than the release version.
Go to http://sqlmap.org/ and download the “git” dev version.
Make a directory /root/tools and then cd /root/tools and run

git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Now, edit the sqlmap script as followed

1.  nano /usr/bin/sqlmap
2. change cd /usr/share/sqlmap/ && ./sqlmap “$@” to  cd /root/tools/sqlmap-dev/ && ./sqlmap.py $@ <– have to remove quotes now for some weird reason.
3. CTRL-X and then Y then  hit enter

Now sqlmap will use the development version. You can also setup a crontab to check for weekly updates if you like.

crontab -e
add
@daily sqlmap –update
CTRL-X Y Enter

 Setting up OpenVAS – Vulnerability Scanner
This is seriously one of the touchiest applications I have ever worked with. I have had epic failures with this application before so hopefully these instructions will get you up and running with a fail.
There is a good very long video on how to set this up as well but doesn’t show you how to update the feeds. You really need to update the feeds via command line because greenbone security assistant can’t sync the NVT updates after a default install https://www.youtube.com/watch?v=0b4SVyP0IqI
If you want to access the scanner from remote follow these instructions, otherwise skip this step. If you want to use the openvas-cli from a remote computer you will need to change one of the other config files to listen on 0.0.0.0. Can’t remember which service but it will tell you. The config file is in /etc/default.

1.  nano /etc/default/greenbone-security-assistant
2. change GSA_ADDRESS=127.0.0.1 to GSA_ADDRESS=0.0.0.0
3. CTRL-X and then Y then  hit enter
4. type openvas-setup this will take a while a LONG time (perhaps increase memory in initial machine setup). You will see an error that there is no such table main.meta. Wait, it is creating it. Then just wait until it asks you for a password.
5. Enter password (make sure you type it carefully as it doesn’t verify it so only one chance)

OpenVAS is now setup. First test it out by connecting to the console

https://192.168.1.8:9392 (replace IP with your actual IP you can get from the ifconfig command)

After connecting you will likely see “Failed to receive data: A TLS packet with unexpected length was received.” showing up in your console. Researched this forever and could never find the problem but ignore it.
Now check the setup

openvas-check-setup

You should see errors including

WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db)
FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.

This means the modules haven’t been synced. And no, greenbone-scapdata-sync doesn’t work. Here is what you run

 openvas-feed-update

You will be prompted to migrate. Choose Y and hit enter. If you don’t get prompted to migrate there may be a serious problem and you can send tweets to @ventdesk (which I own) to release your frustration. But wait until you reach the end of this setup guide, first. BTW, if you still see the “Failed to receive data: A TLS packet with unexpected length was received.” error popping up during the feed update, just ignore it. Has nothing to do with the update. Just residual irritation from the previous web connection.
This update will take a while. Go ahead and log out of the web console from https://192.168.1.8:9392.

When the update is finished (some errors may show but ignore for now) go back and log into via the web interface https://192.168.1.8:9392 and click on SecInfoManagement then NVTs. If you get a list showing up, your update was likely a success. If you get a weird looking error. You will need to start from scratch. This is the time to yell at me via @ventdesk.
Now, setup a cronjob and add a weekly feed update.

crontab -e
add
@weekly openvas-feed-update
CTRL-X Y Enter

There is an overwhelming number of tools on this box for recon, vulnerability testing and exploitation. Starting out, focus on 3 of them.

1. NMAP – The best port scanner in the universe. Learn it in and out and use the -sV option to probe open ports to determine service/version info
2. SQLMap – Must have for testing SQL Injection – Download extensive documentation README.pdf from https://github.com/sqlmapproject/sqlmap/tree/master/doc
3. OpenVAS – Formerly known as Nessus before Tenable bought it.
4. Metasploit – Ultimate free (Community version) exploitation tool. Learn more at https://github.com/rapid7/metasploit-framework/wiki - SQLMap can integrate with this as well.

Your Kali box is now ready to rumble. Now all you need are applications to test your tools on. Below are a list of images with instructions on installation.

Vulnerable Images

-Take your pick depending on what you want to test.
Owasp Broken Image Vulnerable Web Applications
OWASP Broken Application image (.ova image) – Direct Link - http://sourceforge.net/projects/owaspbwa/files/1.1.1/OWASP_Broken_Web_Apps_VM_1.1.1.ova/download
Setting up OWASP Broken Application Machine
I couldn’t find a way to actually install this image, though I gave it a good shot so we simply import the current image and go from there.
Got to your VirtualBox manager. and click on New and give it a name. Choose Linux/Other Linux and click next

1. Click File/Import Appliance
2. Click the little folder icon thingy and find your Owasp .ova file and click Next
3. Click import
4. After the image has imported, right click on the new machine and click Settings.
5. Click Network then change to “Bridged Adapter” and hit OK
6. Hit the Start button

Log into the console using the credentials provided on the screen (you can change the password later if you like via passwd command)
It will show you the URL needed to access the application from your web browser or exploit tools.
Go ahead and load it up in your web browser and you can see all of the broken applications listed on the page.
Bad Store Vulnerable Web Applications - Thanks to Chris McAndrew for this one provided in the comment section below
Bad Store Vulnerable Web Application
Setting up Bad Store Machine
This is a perfect extremely small (12MB) bootable ISO to practice SQL Injection on. You have to register to download it but it didn’t verify my information…sooo..
Got to your VirtualBox manager. and click on New and give it a name. Choose Linux/Other Linux and click next

1. Give it a name choose your cute name for it. Type is Linux and Other Linux then hit Next
2. Change memory – Would probably run on a very small amount so decrease or increase and hit Next
3. Choose Create a virtual hard drive now and leave default option and click Create
4. Default VDI hard drive type is fine – click Next
5. Leave default Dynamically allocated and click Next
6. Can leave size the same (default 8GB) or make smaller and click Create
7. After the image has imported, right click on the new machine and click Settings
8. Click Network then change to “Bridged Adapter” and hit OK
9. Hit the Start button
10. When it boots, it will ask you to locate the ISO go find it and load it up
11. Done! Type in ifconfig to get the IP and you can open it in your browser to see the app

Metasploitable2 – Awesome vulnerable image to test with wide range of tools
ISO image from https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

1. Unzip image
2. Open Virtual Box
3. Click New and Give it a cute name. Type: Linux Version: Other Linux 64 bit and hit Next
4. Choose default memory or increase. Choosing 512 MB myself and hit Next
5. Click Using an existing virtual hard drive file then click the folder icon.
6. Locate Metasploit image Metasploitable.vmdk in folder unziping the vile created.
7. Click Create
8. Highlight new VM and click Show

Login information will be shown on the screen. Metasploitable is now installed.
Your virtual pentest lab is now fully setup. Take a Snapshot as well as make an unlinked clone of it now because you will likely need it later. The OWASP Broken Apps image can only take so much hammering before it runs out of disk space. I had to create a new virtual machine, release the hard drive from it, attach it to this machine and mount/format the new drive where I then rsync’d the /usr directory to the new drive. That is an entirely new article which I may not write.  Here is a link that I learned how to do it from (outside of it being for a VM Box, that is). https://help.ubuntu.com/community/Partitioning/Home/Moving