All the software installations we do for this assignment will need to be done on
your personal laptop because we will be using this during class sometimes. Also,
even if you have Kali Linux installed as the OS on your laptop you'll want to
install the virtual environment because you will need the testing computer and
the target computer to be on the same (virtual) network.
To complete this assignment you will do the following steps. NOTE: This is just
an overview. More detailed instructions are provided below.
- Install VirtualBox
  - VirtualBox is free software written by Oracle that allows virtual computers
    to run inside of it. This is helpful to us because a typical pentesting
    environment involves one or more hosts to be tested (targets) along with the
    test computer from which you launch those tests. Some of the pentesting
    software requires the testing machine to have some vulnerabilities of its
    own, and so a virtual environment will allow you to play around with things
    without putting your host machine at risk and without you getting arrested
    as you attempt exploits on the target.
- Install Kali (in VirtualBox)
  - Kali Linux comes set up for the purpose of performing pentests and has a lot
    of software ready to go for that purpose. We'll call this virtual machine
    “the host”.
- Install Metasploitable2 (in VirtualBox)
  - Metasploitable2 is a Linux host that is intentionally configured to have a
    variety of vulnerabilities for the purpose of practicing pentesting. We'll
    call this virtual machine “the target”.
- Establish a Virtual Network (in VirtualBox)
  - The host and the target will need to talk to one another, so we'll put them
    in the same virtual network.
- Post-Install Tasks
  - There are a variety of post-install tasks for you to do that will hopefully
    make things go more smoothly through the semester.
For those of you who took the Cybersecurity course last semester this step may
already be complete. It is likely that the version has changed since your install.
If you want, you can do like I did and uninstall the old version and reinstall
from scratch.
- You may need to install Python first, depending on your OS
(https://python.org/downloads). (In Windows I first installed Python and
then installed the win32api bindings with this command from the command
prompt: pip3 install pywin32).
- Install VirtualBox by visiting https://www.virtualbox.org/wiki/Downloads and selecting the link for your OS. Then run the downloaded install program.
- At the same site find, download, and install the VirtualBox Extension Pack.
Even if you have Kali installed from last semester, let me encourage you to put that one
on mothballs and install a fresh, clean instance of Kali. NOTE: The installation steps and
the organization of the site change periodically. These are the steps that worked for me.
- Visit https://www.kali.org/downloads/ and go to the section called “Virtual
Machines”. From there download the compressed image for VirtualBox (64-bit).
NOTE: When I did the download, the file was compressed in 7zip format. You will need
to decompress the file. If your computer does not have a decompression program
that will properly handle 7z files, you'll need to download one.
NOTE: When I decompressed the file, I put the decompressed folder in my own file
space rather than keeping it in Downloads because it appears VirtualBox will
remember the location.
- After you have successfully downloaded and decompressed the Kali image, you
need to create a virtual machine within VirtualBox. In VirtualBox, click
the Add icon (plus symbol) on the opening screen and navigate to your
decompressed folder. Select the vbox file and click OK. For me this loaded and
created a new virtual machine called Kali within VirtualBox.
- After the import completes, select Kali Linux from the list of virtual machines and
then click the Start icon. NOTE: I switched the view to scaled mode.
- Log in to Kali with username kali and password kali.
- Open a terminal window and change the password with this command: passwd
IMPORTANT: Don't forget this password!
- Update the newly installed OS by issuing these commands in the terminal:
sudo apt update
sudo apt upgrade
NOTE: The second command will likely take a while to complete, so you can move on to the
other parts of this assignment while that is running.
- I followed the Quick-Start instructions at Rapid7's github page:
https://github.com/rapid7/metasploitable3. I did not already
have Vagrant installed, so I also had to install it first:
https://developer.hashicorp.com/vagrant/downloads
- Following the Quick-Start instructions should result in there being two
new VMs available in VirtualBox: Metasploitable3-ub1404 (a vulnerable Ubuntu
machine) and Metasploitable3-workspace_win2k8 (a vulnerable Windows machine).
- Start (if needed) and connect to the Ubuntu MS3 box and verify you can
log in using the default credentials: vagrant / vagrant
NOTE: If you are capturing mouse clicks, you may find sometimes that the mouse
pointer will disappear. If that happens you can restore it by pressing the right
CTRL key.
- Start (if needed) and connect to the Windows 2008 box and verify you can
log in as both Administrator and Vagrant users using the password: vagrant
NOTE: To enter CTRL+ALT+DEL in the virtual machine, do RIGHT CTRL+DEL.
- After you have verified the machines will start and allow you to log in,
we need to make some modifications to get them all on the same virtual network
so they will be able to communicate with each other:
- Shut down each machine by right clicking on the running machine in the
VirtualBox window and then choosing Stop->Power Off.
- Create a new “NAT Network” called “NatNetwork” by clicking on the
menu icon in the Tools tab.
- For each virtual machine in VirtualBox modify the Adapter 1 network
card to utilize the newly-created NatNetwork. This can be done by
right-clicking on each machine and choosing Settings... followed
by clicking on the Network tab. Then under the Adapter 1 tab specify
“Attached to” to be NAT Network (instead of simply NAT) and then
choose NatNetwork from the “Name” dropdown list.
- Restart each virtual machine (Kali, Ubuntu, Windows 2008) and
verify that they each have a unique IP address and that all the
addresses are in the same 10.0.2.0/24 subnet.
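As an added check for that last step (an example script written for this page, not part of the assignment), the following takes a list of the VMs' addresses, copied from the output of "ip -4 -o addr show" on the Linux guests or "ipconfig" on the Windows box, and confirms that they are unique and all inside 10.0.2.0/24. The VM names and the sample addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the assignment): check that the addresses reported
# by the lab VMs are unique and all inside the NatNetwork range 10.0.2.0/24.
# Constructed input, one "<vm-name> <ip>/<prefix>" per line; the prefix is
# optional, so addresses copied from ipconfig on Windows work too.
SAMPLE_ADDRS='Kali 10.0.2.4/24
Ubuntu 10.0.2.5/24
Win2008 10.0.2.15/24'

# Turn a dotted quad into a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR: succeed when IP lies inside CIDR (e.g. 10.0.2.0/24).
in_subnet() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_lab_network INPUT [CIDR]: succeed only if every host is inside CIDR
# and no two hosts share an address; print the first problem found otherwise.
check_lab_network() {
  cidr=${2:-10.0.2.0/24}; seen=" "
  while read -r name addr; do
    [ -z "$name" ] && continue
    ip=${addr%/*}
    in_subnet "$ip" "$cidr" || { echo "$name: $ip is outside $cidr"; return 1; }
    case "$seen" in *" $ip "*) echo "$name: $ip is already in use"; return 1;; esac
    seen="$seen$ip "
  done <<EOF
$1
EOF
  echo "all hosts unique and inside $cidr"
}

check_lab_network "$SAMPLE_ADDRS"
```

If one VM still shows a 10.0.2.15 address while another does too, the adapter on one of them is most likely still attached to plain NAT rather than the NatNetwork.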
On the due date bring your laptop to class and be prepared to show your
successful completion of these steps to the instructor.