In this article, we will demonstrate how to create your own virtual penetration testing lab at home. Creating a pentesting lab is must for learning different testing tools and hacks out of legal trouble because hacking into other computers and networks where you don’t have rights to access is illegal without prior consent so having your own lab that replicates someone else’s environment is a perfect platform to practice hacking and security testing skills.

Moreover, when you perform security testing on a system, there is a chance of severe damage that can permanently delete the data of targeted device or destroy the target computer or network but in your own pentesting lab you will have complete control over environment for testing and you can also configure the target to the exact specifications needed for the test.

Having said that, creating your own pentesting lab is easier if you are working on a virtual environment as it is cost-effective as well as scalable. So these are some prerequisites before creating your own pentesting lab:

1. Virtualization should be enabled on the processor
2. VirtualBox or VMware must be installed
3. Atleast 8GB RAM of the host machine is required

In our setup, we will configure one attacking machine (Kali Linux) and three target machines (DVWA, MetaSploitable and Windows10) on which the attacking machine will generate some exploits

Kali Linux

Kali Linux is a Debian based Linux distribution designed for penetration testing. In this setup it will be our attacking machine because it has some pre-installed penetration testing tools i.e. (Wireshark, Aircrack-ng, BeEF, Burp Suite, Metasploit Framework, Hydra, Nikto, Maltego, Nmap) aid the pen-testers to gather information, perform scanning and find some vulnerabilities.

MetaSploitable

MetaSploitable is a virtual machine that is an intentionally vulnerable version of Ubuntu Linux specifically designed for penetration testing learners to test security tools and exploit common vulnerabilities. This project is created and maintained by rapid7 Community, Originally design for Metasploit Framework testing.

Installation of MetaSploitable

To install MetaSploitable in VirtualBox download the MetaSploitable file from https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

Open up VirtualBox and create a new VM by selecting ‘Machine’ and choosing the option ‘New’

Type name of the VM, set the destination where you want to install this VM, set the Type as Linux and version as Ubuntu(64-bit)

Set the memory size

Use existing virtual hard disk file

Attach the vmdk file that you already downloaded

Now start the VM

After rebooting it will ask for login credentials. The default username and password are “msfadmin”

After logging in successfully you will get the MetaSploitable prompt

DVWA

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that provides a platform to practice hacking. It is the best platform for beginners to come and practice security tools because it is damn vulnerable as mentioned in its name.

As hacking is an illegal practice there is a requirement for security professionals to test their skills and tools in a legal environment and help web developers better understand the processes of securing web applications. This could be achieved by using DVWA that is got a lot of vulnerabilities, helps the beginners to learn and practice ethical hacking.

It runs on a local server hence there is no need for an internet connection to use this web application. It has different security levels as a beginner, intermediate, and expert to aid security professionals at every stage of learning.

Stages to Install DVWA

We are using Kali Linux operating system to install DVWA because this OS is designed for penetration testing and there are many pre-installed security tools present in Kali Linux. After that you require to configure a database

STAGE 01: Install DVWA on Kali Linux

Go to web browser in Kali Linux and search the link github.com/ethicalhack3r/DVWA to copy the address

Now go to terminal and switch the directory to /var/www/html/ because all the files need to be installed in this directory to run the web application

After switching the directory type git clone and paste the address that you have copied from browser

The DVWA file has successfully cloned

Type ‘ls’ to see DVWA directoy

Give this directory all the permissions by typing “chmod –R 777 DVWA/”

Switch the config DVWA/config directory to set the configuration

Type ls to see the config file

This is the default configuration file. Make a copy of this file to keep the default configuration file that will help you to restore if you have made some mistakes while configuring this file.

Now go to nano editor to edit the configuration

 

In the editor set the username and password of your choice, save it and exit the editor

STAGE 02: Configure the MYSQL Database

Start the service

Login to mysql as root

 

Create a new user in a database as:

• Create user ‘user’@’127.0.0.1’ identified by ‘321;

The username and password should be the same as you have entered in the configuration file of DVWA

Give user all the privileges over the database:

• grant all privileges on dvwa.* to ‘user’@127.0.0.1’ identified by ‘321’;

Now exit the database

 

STAGE03: Configure the Apache Server

First, start the service

Switch to the directory /etc/php/7.3/apache2/ where the configuration file is present that we have to configure

Type ls to see the file i.e. php.ini

Use the editor to set the configuration in the php.ini file. I am using gedit editor

Set the two highlighted parameter on i.e. allow_url_fopen = On and allow_url_include = On

Save the file, exit the editor and then start the apache service

Now open the browser and access the web application by typing 127.0.0.1/DVWA/ (because we are running this application on a local server)

When accessing the application for the first time you will be redirected to this setup page where it is showing the configuration of web application

Scroll down and select “Create/Reset Database” to create a database

Now finally you will see a login page of DVWA that requires credentials to enter. Default username is “admin” and password is “password”

After logging in you will see a home page of DVWA that is showing some instructions and warnings. In the left-most corner, there are different vulnerabilities showing that can be exploited.

Windows

The third target machine is set to be Windows 10 as we will create an environment that will target Linux as well as Microsoft operating system.

Creating Windows VM in VirtualBox is easy because we don’t need to have a product key and can download the ISO file from Microsoft using the Windows Media creation tool.

Go to the link https://www.microsoft.com/en-us/software-download/windows10 and select ‘Download tool now’ option

Download the ISO file from here and then create a VM on VirtualBox:

1. Set name, destination, type, and version
2. Set the memory size
3. Create the virtual hard drive
4. Set hard disk file type as VDI
5. Set storage on a physical device as dynamically allocated
6. Select the size of virtual hard disk
7. From settings go to Storage tab and select Controller: IDE, select Empty and from the rightmost corner select the tiny CD icon from where you can browse the ISO file that you have downloaded on your PC. Select the image file
8. Start the VM and configure

So we have created all the VMs and set up the penetration testing environment successfully!

Use Kali Linux to scan the target and exploit many vulnerabilities present in DVWA, MetaSploitable, and Windows machines, generate some attacks for example: Brute Force, SQL Injection, CSRF, and many more to let you start your Capture the Flag journey.

When a penetration tester or a security analyst starts to perform website testing, the first step is to conduct reconnaissance where he would get information related to target and from that, he can identify the attack surface.

The attack surface is nothing but a total sum of vulnerabilities that can be exploited to carry out a security attack. After the attack surface is identified by the analyst, he would use some useful web scanning tools to further identify those vulnerabilities, which might become the primary attack vectors.

So far, Nikto is one of the most commonly used website vulnerability scanners in the industry. It is an open source web server scanner that renders a bunch of vulnerabilities found on a website that could be exploited. Hence playing a primary role to perform website assessment and detects possible vulnerabilities on a site to keep it safe from an attacker.

Let’s just understand how this works. Assume that you have a URL of a target, by using Nikto you need to provide it with one of the three different types of information i.e. an IP Address for a local service, a web domain or an SSL/HTTPS enabled website. These are the three main target information used by Nikto to dig around and hunt the vulnerabilities.

Although we cannot deny the effectiveness of this tool, however one of the main disadvantages of the said tool is, it is not stealthy. While perform scanning on any website that has security controls enabled like Intrusion Detection System or Intrusion Prevention System, they would get notified that they are being scanned.

Installing the tool Nikto

You can install Nikto by apt-get install nikto, but in Kali Linux it is pre-installed located in the “Vulnerability Analysis” category.

Testing

Type nikto -Help to see all the options that we can perform using this tool.

From above we can see it has many options based on performing different tasks. We are going to use a standard syntax i.e. substituting the target’s IP with -h flag and specifying -ssl to force ssl mode on port:

This showing the quick scan of the targeted website.

Now try Nikto on a local network for finding embedded servers for example a login page for a router or an HTTP service on another machine that’s just a server with no website.

First find our IP address from ifconfig.

After getting the IP run ipcalc to get the range. If it is not installed in your machine first install it by: # apt-get install ipcalc then run # ipcalc 192.168.0.109

We got the range, now we are interested to run Nmap so that we can find services running in that network range.

Let’s get started with port 80 and scan our network range with it, also specify the flag -oG (grepable output) to take out all those hosts that are up and running. Save the output in a file named ‘ehacking.txt’. You can name it whatever you want.

Use cat command to read the output from our saved file

Use cat with ‘awk’, a linux tool that will scan the patterns where ‘Up’ means the port is open and the host is up whereas ‘print 2$’ would direct to print out the second word for each in that line, i.e., IP address. Save that data to a new file named ‘targetIP.txt’ as Nikto can easily interpret files like this.

These are all the hosts that have port 80 on. Run Nikto on targetIP.txt.

So far, we have scanned an SSL enabled website and an IP address on a local network, now let’s scan a website using port 80 (HTTP enabled) i.e an unsecured web domain:

So, this can tell us it is using Varnish server and some of the headers that would indicate the configuration of website.

The last entries with the OSVDB prefix are those vulnerabilities reported in the Open Source Vulnerability Database.

you can use the CVE tool to convert the OSVDB identifier into a CVE entry so that you can use one of the other sites above to learn more about the vulnerability. The CVE contain information about what can be exploited, what the severity score is (such as critical), and some other information that can help accessing an attack vector.

Advantages of Nikto

One of the best things about Nikto is that you can actually export information to a format that can be read by Metasploit when you are doing a scan. To do that, just use the above commands to scan, but append -Format msf+ to the end. The format will allow us to quickly pair data with a weaponized exploit.

This is all about scanning target website for vulnerabilities from identifying first the attacking surface then further hunting those vulnerabilities which can be used as a weaponized exploit.

As this tool is not stealthy, it is recommended that use this tool with a VPN or through TOR browser to be anonymous and protect your identity.