Setting up a Pentesting Lab

As I mentioned previously, I am going to start working through Georgia Weidman's book, Penetration Testing, as a sort of primer on penetration testing. The first step in the process is to build a lab. Once my school account opens up and I can access all of that sweet free VMware software, I will build out an ESXi server with FreeNAS storage and migrate all of this to that server, but for now I am using VMware Workstation and running these VMs on the Toshiba laptop mentioned in my last post. It works, even if I am anxious to build out the real home system I want.

All of these instructions assume VMware Workstation 12 and an x64 Kali environment. This took me about two weeks, working an hour or two per day, including going back and redoing it for documentation. A motivated person could do it in a day, I am sure. I spent a lot of time experimenting and trying to get different things to work, such as a Windows 7 x64 build with SQL Express.

Kali can be downloaded as a pre-built VM from https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/ and imported into VMware Workstation, which is a very simple process. Before powering the VM on, go into the CPU settings and enable the Intel VT-x/EPT or AMD-V/RVI virtualization option; this is necessary in order to run the Android emulators later:

[Screenshot: cpu]

Once in, change the password for the root account and create a user.

useradd -m xxxxx
usermod -a -G sudo xxxxx

Next, refresh the package lists and upgrade the installed packages:

apt-get update
apt-get upgrade

Installing Nessus is a very easy process. Navigate to https://www.tenable.com/products/nessus-home and register for an activation code. The code will be emailed to you, and you can then download the software. Once the .deb file is downloaded, install it with dpkg -i and follow the configuration instructions.

This is where the modern versions of the software and Kali start to diverge from the book. The mingw-w64 compiler is already included in Kali and should have been updated in the previous step. Download Hyperion 1.2 from the following link: http://nullsecurity.net/tools/binary.html. Unzip it and use the following command to compile it:

i686-w64-mingw32-c++ Hyperion-1.2/Src/Crypter/*.cpp -o hyperion.exe

Veil Evasion setup is by the book and simple, but it will take quite a bit of time. Once that is complete, make the Ettercap config changes detailed in the book. Then it is time to move on to the Android SDK. First, some changes are required for the SDK to run the phone emulators properly. Run the following command to add the 32-bit libraries the SDK needs:

sudo apt-get install lib32z1 lib32ncurses5 lib32stdc++6

Then two environment variables must be set. The first tells the SDK to use Kali’s libraries, installed in the previous step. The second tells the SDK what the SDK root directory is. Add the following two lines to /etc/environment:

ANDROID_EMULATOR_USE_SYSTEM_LIBS=1
ANDROID_SDK_ROOT=/root/Android/Sdk

Once those have been added, add a script to the /etc/profile.d directory that exports the two environment variables:

export ANDROID_EMULATOR_USE_SYSTEM_LIBS=1
export ANDROID_SDK_ROOT=/root/Android/Sdk

Download the Android SDK for Linux at https://developer.android.com/studio/index.html. Unzip it, navigate to the bin directory within the unzipped files and run the studio.sh script, which starts the Android Studio software. Before creating the emulated smartphones, download the packages associated with each smartphone image. You find those by opening the SDK Manager within Android Studio and selecting the "Show All Packages" button. Once selected, you can view the supporting packages for the images. Select for download the packages that support the Android versions mentioned in the book.

[Screenshot: sdk_mgr]

Once these downloads are complete, open the AVD Manager utility within Android Studio and create a new smartphone image for each image listed in the book, being sure to select the correct version of Android.

[Screenshot: avd]

There is an issue in my version of Android Studio in which ARM emulated smartphones must have their config files manually pointed to the correct image. In a default installation the config files are located in /root/.android/avd, and there should be a separate directory for each smartphone created in the SDK Manager. Within each directory, open the config.ini file and note the image.sysdir.1 path. The smartphones are listed by API version; below is the config.ini entry for API 8:

[Screenshot: image_loc]

This points to a directory that does not exist in the default installation. To correct this, change the image.sysdir.1 path to the relative path of the installed image for that smartphone. For the newer API 7 and 8 versions, this is located in the platforms directory, at $INSTALL_DIR/platforms/android-X/images, as seen below:

[Screenshot: fixed_loc]

The image for the API 18 emulator is located in $INSTALL_DIR/system-images/android-18/default/armeabi-v7a after installation, as seen below:

[Screenshot: 18_loc]
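Rather than editing each config.ini by hand, the check above can be scripted. The following is an added example, not code from the post: it reads each AVD's image.sysdir.1 entry (relative to the SDK root, as the post describes), verifies that the directory exists, and otherwise rewrites the entry to whichever of the two layouts above is actually installed. It assumes the AVD directory layout $AVD_HOME/<name>.avd/config.ini and a target=android-N line naming the API level.

```shell
#!/bin/sh
# Added example (not from the post): audit each AVD's config.ini and make sure
# image.sysdir.1 points at an image directory that exists under the SDK root.
# Assumptions: $AVD_HOME/<name>.avd/config.ini layout, image.sysdir.1 paths
# relative to $ANDROID_SDK_ROOT, and a "target=android-N" line per AVD.

# Print the value of key $2 from the key=value file $1 (first match only).
ini_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print the first image directory for API level $2 that exists under SDK
# root $1: the platforms layout (API 7/8) first, then the system-images one.
find_image_dir() {
    for cand in "platforms/android-$2/images" \
                "system-images/android-$2/default/armeabi-v7a"; do
        [ -d "$1/$cand" ] && { printf '%s\n' "$cand"; return 0; }
    done
    return 1
}

# Check one config.ini ($1) against SDK root $2. Prints ok, fixed or
# missing; returns 1 only when no installed image could be found.
check_avd() {
    ini="$1"; sdk="$2"
    cur=$(ini_get "$ini" image.sysdir.1)
    api=$(ini_get "$ini" target | sed 's/^android-//')
    if [ -n "$cur" ] && [ -d "$sdk/$cur" ]; then
        echo ok; return 0
    fi
    if new=$(find_image_dir "$sdk" "$api"); then
        if grep -q '^image.sysdir.1=' "$ini"; then
            sed -i "s#^image.sysdir.1=.*#image.sysdir.1=$new#" "$ini"
        else
            printf 'image.sysdir.1=%s\n' "$new" >> "$ini"
        fi
        echo fixed; return 0
    fi
    echo missing; return 1
}

# Audit every AVD under $1 against SDK root $2; the exit status is the
# number of AVDs whose image could not be located.
audit_avds() {
    bad=0
    for ini in "$1"/*.avd/config.ini; do
        [ -f "$ini" ] || continue
        printf '%s: ' "$ini"
        check_avd "$ini" "$2" || bad=$((bad + 1))
    done
    return "$bad"
}
```

On the lab VM this is run as audit_avds /root/.android/avd "$ANDROID_SDK_ROOT"; any AVD reported as missing needs its image package installed from the SDK Manager first.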

You should now be able to run the emulators from the SDK Manager window. When running ARM emulators on an x86 host, expect to receive the following warning:

[Screenshot: error]

Building a Windows XP machine can be tricky. I tried to build one from disc but had issues with the VMware SCSI driver. The driver is available here: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005208. I tried pre-loading the driver but was unable to get it to work, and in the interest of saving time I went another route. Test VMs for Windows XP are still available from Microsoft, although they do not publish the link. The link is located here: http://www.askvg.com/download-free-windows-xp-vista-and-windows-7-vhd-image-files-for-microsoft-virtual-pc/. After extracting the .vhd file, follow the steps at http://alstechtips.blogspot.com/2013/11/how-to-migrate-vhd-to-vmware-workstation.html to import the .vhd file for use. After a successful import, log into the machine and install the network drivers located at https://downloadcenter.intel.com/download/18717.

For the software associated with the book, download Firefox first, since IE 8 is unsupported on the websites needed to download the software detailed in the book. The Windows XP software installs according to the book's description, with the exception of mona, which is now located at https://github.com/corelan/mona/ instead of the link given in the book.

The Ubuntu VM can be downloaded via the torrent link given in the book. The book provides the password for unpacking the files, and importing the VM did not have any issues.

Building a Windows 7 VM is significantly easier than the Windows XP VM was. There are no driver issues with the stock Windows 7 SP1 x86 build, so you can install from disc, or you can use this link to find a Windows 7 test VM and follow the directions to import it into VMware. Once installed, again download Firefox to access the software needed to follow along with the book, since IE 8 will not be able to. Note that if you try to use a Windows 7 SP1 x64 build, the version of SQL Express in the torrent package will not install correctly. There is an x64 version available from Microsoft, but I did not have much luck getting SP3 to install correctly even with the x64 package. Rather than spend more time trying to get this to work under an x64 platform, I moved forward with an x86 platform and it worked without a hitch.

Moving Forward – Setting up a Pentest Lab

So, having solved all other problems, I want to learn more about the offensive side of security. The best way to do that, as far as I can see, is to really get a good lab going and work through some material. So here's my new goal: a year from now I want to take the OSCP. I'm giving myself a year because there's no ticking clock; I want to be thorough and learn the material, and this gives me time to learn on my own and to get involved in at least 2, possibly 3, CTFs between now and then, with BSides DC, Baltimore, and Shmoocon all coming up.

Step 1: identify material. There are some official OSCP materials available at the usual places. But that's no good; you want to pay for that. And besides, you want to be able to interact with the instructor and other students. And yet now is not a good time to take the official material, with a new school semester starting soon (incident handling and "big data" classes, should be fun). Georgia Weidman's book on pentesting, cunningly titled Penetration Testing, gets great reviews from people in the industry, and after going through the first couple of chapters it seems on point. So, I'm going with this to start. I'm also going to work my way through Black Hat Python by Justin Seitz, finally, to improve and focus my coding skills. So I'm going to use this blog to track progress through this material and figure out where to go next.

Step 2: make a lab. I am cheap, and am determined to make a lab as cheaply as possible while still having as much potential as I need. I made it through nearly two years of college in an IT program using only an Acer C-720 Chromebook that I picked up for $150 back in the day. I am confident I can make this work. So I am taking two approaches. First is the laptop that I replaced that Chromebook with, a Toshiba Satellite C-55 that I picked up last fall for about $400. That laptop plus a quick memory upgrade to 16 GB has been pretty formidable: more than enough to run a few low-budget VMs, and probably to run through some basic offensive lessons.

But, of course, I want more. So a year or so ago I picked up a 1U Dell PowerEdge 1900 server from eBay. It's an older server, definitely not up to modern standards. But it also cost $90. It came with 16 GB RAM, but I was able to get that up to 32 GB for a total cost of about $24. The goal with this is to wait until GMU activates my Dreamspark account again this fall, download the free ESXi software available from there, configure and run multiple VMs on it, and run through scenarios remotely when possible.

So that leaves me with the following:

  • 2.2 GHz Intel Core i5 laptop with 16 GB RAM
  • Dual 2 GHz Intel Xeon server with 32 GB RAM
  • still rockin the chromebook

Total cost of all of this comes out to about $650, but considering the only thing I actually purchased for this initiative was the memory for the server I had sitting in a closet, I think so far so good.

I’ve set up the initial Kali VM from the Weidman pentesting book on the laptop, but since the book is a bit older there are some things that don’t quite fit with the new version of Kali and probably just the passage of time. I’ll get through them as I come to any problems.

So far that's the only thing I have had time to do, though, because in the past month life has interfered. I gave my first talk at NovaHackers; it wasn't great because I was nervous and stepped on what I had planned to say, but whatever. It was nice to meet people and see the great talks. Tomorrow is another meeting. I've learned Python, using Python Crash Course by Eric Matthes, which is a good teaching tool. I'm transitioning to a new job over the course of the next few weeks. I'm even thinking up new blog ideas and possibly even talks. I want to do one, possibly on the Nessus API, that could be something useful. We will see. Passed the CEH. I hate to say things are easy, but really, it is; how they charge that much money for it I have no idea. Still hoping to do this blog every week, even if I did fall behind for a month.