If you are interested in any pen testing certification, especially CompTIA’s PenTest+ (my cert pick for 2021), you need to be able to practice.
In this home lab setup, I mostly followed guidance from Michael Solomon’s LinkedIn Learning PenTest+ Learning Path, fixing things where necessary. His course is outdated by now, but that’s ok because I have updated the home lab procedure below.
This setup guide should be viewed as a companion to my CompTIA PenTest+ PT0-001 Study Notes post, ordered by the exam objectives. Be sure to have followed this setup guide by the end of the first section – 1. Planning and Scoping, so you can experiment with the labs while you learn the concepts.
System Requirements
You will need a modern Windows 64-bit system with virtualization enabled in your BIOS.
- Windows XP/7/8/10 64-bit.
- At least 4 GB free disk space. Total space used will be around 24 GB.
- At least 512 MB dedicated RAM. Having at least 4 GB of dedicated RAM is better.
Downloads
First things first, download VirtualBox (or your favorite VM manager).
Then, you will need to download all of these so we can set each of them up in a separate VM within VirtualBox.
- Kali Linux – A collection of free security tools in a Linux package. A great download for your toolbox.
- DVWA – A web application that is written in PHP that is deliberately vulnerable. Damn vulnerable even.
- Metasploitable – A vulnerable VM. From the makers of Metasploit.
Installation and Setup
You can have dedicated hardware. You can also use virtualization through a virtual machine manager with virtual machine images. You can set up a cloud-based machine, which is still virtual.
- Focus on a local machine. You can use VMware or VirtualBox.
- The host is the system you run the virtualization software on.
VirtualBox
- Install Oracle VirtualBox.
- Install the VirtualBox Extension Pack.
- Run VirtualBox.
Change network to a custom subnet.
- File > Host Network Manager
- Properties on default VirtualBox Host-Only Ethernet Adapter.
- Default is 192.168.56.1. Change to 10.10.1.1 to set up a new subnet.
- Click on DHCP Server tab. DHCP Server gives the virtual machines their IP address.
- Default is 192.168.56.100. Change to 10.10.1.2.
- Lower Address Bound will be 10.10.1.10.
- Upper Address Bound will be 10.10.1.254.
- Click Apply. Now we have a new network.
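A quick sanity check of the host-only network plan configured above, as an added example (not part of the original post). The addresses are the ones the post configures: adapter 10.10.1.1, DHCP server 10.10.1.2, pool 10.10.1.10 to 10.10.1.254; the /24 prefix is an assumption (VirtualBox's default host-only mask is 255.255.255.0). It catches the mistakes that make a lab network flaky: a DHCP server on a different subnet, or a pool that overlaps the host or server address.

```python
"""Sanity-check the host-only lab network plan from the steps above.

Added example, not part of the original post. Addresses are the post's;
the /24 prefix is an assumption matching VirtualBox's default host-only mask.
"""
import ipaddress


def validate_lab_network(adapter_ip, dhcp_server, lower, upper, prefix=24):
    """Return a list of problems with the plan; an empty list means it is sound.

    Checks that every address sits in the adapter's subnet, that the pool
    bounds are ordered, that the range is private (a lab must not reuse
    public space), and that neither the host adapter nor the DHCP server
    address falls inside the pool, so a guest can never be leased an
    address that collides with them.
    """
    net = ipaddress.ip_network(f"{adapter_ip}/{prefix}", strict=False)
    adapter = ipaddress.ip_address(adapter_ip)
    server = ipaddress.ip_address(dhcp_server)
    lo, hi = ipaddress.ip_address(lower), ipaddress.ip_address(upper)
    problems = []

    if not net.is_private:
        problems.append(f"{net} is not a private range")
    for name, addr in (("DHCP server", server), ("lower bound", lo), ("upper bound", hi)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
    if lo > hi:
        problems.append(f"lower bound {lo} is above upper bound {hi}")
    for name, addr in (("adapter", adapter), ("DHCP server", server)):
        if lo <= addr <= hi:
            problems.append(f"{name} {addr} lies inside the DHCP pool")
    if hi == net.broadcast_address:
        problems.append(f"upper bound {hi} is the broadcast address")
    return problems


def pool_size(lower, upper):
    """Number of leases the pool can hand out (inclusive bounds)."""
    return int(ipaddress.ip_address(upper)) - int(ipaddress.ip_address(lower)) + 1


if __name__ == "__main__":
    plan = ("10.10.1.1", "10.10.1.2", "10.10.1.10", "10.10.1.254")
    issues = validate_lab_network(*plan)
    print("OK" if not issues else "\n".join(issues), f"({pool_size(*plan[2:])} leases)")
```

Run it with the values from the Host Network Manager dialog; the post's plan validates cleanly with 245 leases available.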
Kali Linux
Download the Kali Linux 64-bit VirtualBox image. It is an OVA file around 3 GB. You don’t have to create and configure a new image. Just use the OVA file to import a predefined appliance.
- File > Import Appliance.
- Choose path > Navigate to OVA file > Select OVA file > Click Open > Click Next.
- Quickly glance at settings > Click Import.
- Select the machine and Click Start.
- Dismiss notifications.
- Update Kali with:
sudo apt update
sudo apt full-upgrade -y
Note: Kali’s default credentials have changed. They are no longer root / toor; they are now kali / kali. Documentation here: https://www.kali.org/docs/introduction/default-credentials/.
After updating Kali, click the Power Button in the top right, then click Power Off to shut off the machine.
Kali Troubleshooting
You try to update Kali and can’t due to this error:
Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
You simply forgot to run apt with sudo. If this wasn’t the case, you may have a stale lock file. Remove it with:
sudo rm /var/lib/apt/lists/lock
DVWA
- In VirtualBox, click on New.
- Name it DVWA, Change Type to Linux, Change Version to Ubuntu (64-bit) > Click Next.
- It is based on Ubuntu, defaults are fine here. Use the default of 1GB (1024MB) memory. Click Next.
- Make sure Create a virtual hard disk now radio button is selected, Click Create.
- VDI disk type is fine. Click Next.
- Select Dynamically allocated to save space. Click Next.
- 10 GB is fine. Click Create.
- While the DVWA VM is selected, click on Settings.
- Go to General > Advanced > Change Shared Clipboard and Drag’n’Drop to Bidirectional.
- Go to Storage > Select Empty IDE Drive > Click on disc icon on far right of window > Choose optical virtual disk file > Select DVWA ISO file > Click Open > Click OK.
- While DVWA is still selected, click Start. Dismiss warnings. Press Enter to boot to live disk.
To close the machine, select Close and Power off to power down the machine. There are options for it to run in the background (headless), but we don’t need to worry about that now.
Metasploitable
If you open the Metasploitable archive download, you will see a Metasploitable Virtual Machine Disk Format file. It’s the largest one. This is how we will import the machine, but not in the same manner as before.
- First, go to File > Preferences in VirtualBox.
- Under General, you will see the Default Machine Folder that VirtualBox uses. By default this path is
C:\Users\%USERPROFILE%\VirtualBox VMs
Click Ok to close the preferences window.
- Click on New to create a new virtual machine. Name it Metasploitable, Type Linux, Version Ubuntu (64-bit). Click Next. Now the Metasploitable directory has been created.
- From here extract the Metasploitable files to the newly created Metasploitable directory. I made sure the files were at the root of the Metasploitable directory and not under the metasploitable2-Linux directory. The VM Name and folder name must match.
- Go Back to VirtualBox. The default memory size can be 1GB (1024MB). Click Next.
- Select the Use an existing virtual hard disk file radio button. Click the file button and navigate to
C:\Users\%USERPROFILE%\VirtualBox VMs\Metasploitable
and select the Metasploitable Virtual Machine Disk Format file.
- Click Open and Click Create.
- While the Metasploitable VM is selected, click Start.
- Dismiss warnings.
Note: We did it in this order because if you create the directory first, VirtualBox will not be able to create the new VM since the folder already exists. It’s a protection mechanism to keep you from overwriting VMs.
Note 2: The default credentials are msfadmin/msfadmin.
Now we are set up! It involved creating VMs in 3 different ways, but now we have 3 VMs – 2 victims and one attacker machine.
OpenVAS (Greenbone)
OpenVAS (open vulnerability assessment system) that you hear so much about is now called GVM (Greenbone Vulnerability Management). To be clear, the company Greenbone has been behind OpenVAS for years, it just wasn’t as apparent. Existing components have been renamed:
- openvas-{nvt,certdata,scapdata}-sync => greenbone-{nvt,certdata,scapdata}-sync
- Openvas Management Protocol (OMP) => Greenbone Management Protocol (GMP)
- Open Vulnerability Assessment System (OpenVAS) => Greenbone Vulnerability Management (GVM)
- OpenVAS Manager Daemon (openvasmd) => Greenbone Vulnerability Management Daemon (gvmd)
Even though it is tough to install the free version of OpenVAS now, you can still install the gvm package in Kali:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install openvas
sudo gvm-setup
GitLab here: https://gitlab.com/kalilinux/packages/gvm. Note the names of the components in the package:
create-postgresql-database
gvm-check-setup
gvm-feed-update
gvm-reset-passwd
gvm-setup
gvm-start
gvm-stop
openvas-9-migrate-to-postgres
openvas-check-setup
openvas-feed-update
openvas-setup
openvas-start
openvas-stop
OpenVAS Troubleshooting
If, after installation, you can’t get setup to run (sudo openvas-setup won’t work), run sudo openvas-start instead.
If you can’t launch the web interface after installation, or reach it by typing the address manually (https://127.0.0.1:9392), run sudo gvm-start.
If it still doesn’t work, wait a few seconds, run sudo gvm-start again, and try the address in the browser again (https://127.0.0.1:9392). You may have to do this 3 times for it to work. It’s super strange, I know, but it works.
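Rather than retrying gvm-start by hand, you can poll the web interface port until it accepts connections; the services take a while to come up after the start script returns. This is an added example, not part of the original post. The address 127.0.0.1:9392 is the one the post uses; the timeout and polling interval are my choices, and the demo function stands up a throwaway local listener so it can be exercised without Greenbone installed.

```python
"""Wait for the Greenbone web interface port instead of re-running gvm-start blindly.

Added example, not part of the original post. 127.0.0.1:9392 is the address
the post uses; timeout and interval values are assumptions.
"""
import socket
import time


def wait_for_port(host, port, timeout=60.0, interval=2.0):
    """Return True as soon as a TCP connection to host:port succeeds, or
    False if nothing is listening there before the timeout expires."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def demo():
    """Offline self-check: a throwaway listener on an ephemeral port stands in
    for gsad. Returns (reachable while listening, reachable after shutdown)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_up = wait_for_port("127.0.0.1", port, timeout=5, interval=0.2)
    listener.close()
    after_down = wait_for_port("127.0.0.1", port, timeout=0.5, interval=0.1)
    return while_up, after_down


if __name__ == "__main__":
    if wait_for_port("127.0.0.1", 9392):
        print("gsad is listening on 9392; open https://127.0.0.1:9392")
    else:
        print("still nothing on 9392 after 60 s; run sudo gvm-start again")
```

Run it right after sudo gvm-start; if it reports nothing after the timeout, that is the point at which the post's advice to run gvm-start again applies.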
Nmap Lab
Nmap Cheatsheets
- https://www.stationx.net/nmap-cheat-sheet/
- https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/
- https://www.tutorialspoint.com/nmap-cheat-sheet
- https://hakin9.org/nmap-cheat-sheet/
- https://github.com/jasonniebauer/Nmap-Cheatsheet
- https://highon.coffee/blog/nmap-cheat-sheet/
- https://www.networkstraining.com/nmap-commands-cheat-sheet/
Adding Vulners Script
cd /usr/share/nmap/scripts
sudo git clone https://github.com/vulnersCom/nmap-vulners.git
Link to vulners depot: https://github.com/vulnersCom/nmap-vulners
sudo git clone https://github.com/scipag/vulscan.git
Link to vulscan depot: https://github.com/scipag/vulscan
Vulscan can take a while to clone. It ships with these vulnerability databases as CSV files:
- cve
- openvas
- scipvuldb
- securitytracker
- exploitdb
- osvdb
- securityfocus
- xforce
ls vulscan/*.csv
nmap --script nmap-vulners -sV 10.10.1.10
nmap --script vulscan -sV 10.10.1.10
Another example:
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV 10.10.1.10
This restricts vulscan to a single CSV database instead of all eight.
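Whichever scripts you use, the -sV results are worth keeping as a record of what the lab target exposes, so you can see when something changes. The following added example (not part of the original post) parses nmap's XML output (nmap -oX) into an inventory of open services and diffs it against a documented baseline. The XML is constructed by hand in nmap's output format, and the baseline set is an assumed record of what the VM is supposed to expose.

```python
"""Turn nmap -sV XML output into an inventory and diff it against a service baseline.

Added example, not part of the original post. SAMPLE_SCAN is constructed in
nmap's -oX format; BASELINE is an assumed record of the lab VM's known services.
"""
import xml.etree.ElementTree as ET

# Constructed sample, shaped like `nmap -sV -oX scan.xml 10.10.1.10`.
SAMPLE_SCAN = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.1.10">
  <host>
    <status state="up"/>
    <address addr="10.10.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet" product="Linux telnetd"/></port>
      <port protocol="tcp" portid="8787"><state state="closed"/>
        <service name="msgsrvr"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Map (host, port, proto) -> (service, product, version) for open ports only."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not inventory
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            key = (addr, int(port.get("portid")), port.get("protocol"))
            found[key] = (attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", ""))
    return found


def diff_against_baseline(found, baseline):
    """Return (unexpected, missing): open services not in the baseline, and
    baseline services the scan no longer sees."""
    seen = set(found)
    return sorted(seen - baseline), sorted(baseline - seen)


# Assumed baseline: the services the lab owner documented for this VM.
BASELINE = {("10.10.1.10", 21, "tcp"), ("10.10.1.10", 22, "tcp")}

if __name__ == "__main__":
    services = parse_open_services(SAMPLE_SCAN)
    for key, (name, product, version) in sorted(services.items()):
        print(key, name, product, version)
    unexpected, missing = diff_against_baseline(services, BASELINE)
    print("unexpected:", unexpected, "missing:", missing)
```

With the sample, telnet on 23 shows up as unexpected because the baseline never listed it; on a real network that is exactly the kind of drift a periodic scan is meant to surface.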
Pass User ID and Password Lab
THC (The Hacker’s Choice) Hydra – sectools.org.
Pass user id and password lists to try all of them.
cd Downloads
ls -al
hydra -L usernamelist.txt -P passwordlist.txt ftp://10.10.1.11
You need good lists; the command above errors out if the list files don’t exist.
Finding bad usernames – https://nordpass.com/blog/all-time-most-popular-usernames/.
Copy this list, use vi, nano, or leafpad (save in root/Downloads).
In nano, press Ctrl + \ (replace), enter 4 spaces as the search text, leave the replacement empty, and choose replace all (same in leafpad). Then Ctrl + X to save, y to confirm.
Find SecLists, https://github.com/danielmiessler/SecLists, a well known repository for pentesting lists.
Files will determine the quality of your attack.
Metasploitable accounts (msusers.txt / mspass.txt), as username – password:
- user – user
- postgres – postgres
- sys – batman
- klog – 123456789
- service – service
Hydra uses multiple threads in parallel, so the order of attempts will differ from the order in your lists.
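From the target's side, a Hydra run like the one above leaves a distinctive trace: a burst of failed logins from one client, spread across many usernames, sometimes followed by a success. The detection logic below is an added example (not part of the original post) run over constructed log lines in vsftpd's authentication log format; the client 10.10.1.10 and the usernames are the ones the lab uses, and the threshold and window are my choices.

```python
"""Spot a credential brute-force like the Hydra run above in FTP server logs.

Added example, not part of the original post. SAMPLE_LOG is constructed in
vsftpd's log format; threshold and window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/vsftpd.log lines as seen on the target.
SAMPLE_LOG = """\
Sun Mar  7 12:00:01 2021 [pid 3021] [user] FAIL LOGIN: Client "10.10.1.10"
Sun Mar  7 12:00:01 2021 [pid 3023] [postgres] FAIL LOGIN: Client "10.10.1.10"
Sun Mar  7 12:00:02 2021 [pid 3025] [sys] FAIL LOGIN: Client "10.10.1.10"
Sun Mar  7 12:00:02 2021 [pid 3027] [klog] FAIL LOGIN: Client "10.10.1.10"
Sun Mar  7 12:00:03 2021 [pid 3029] [service] FAIL LOGIN: Client "10.10.1.10"
Sun Mar  7 12:00:03 2021 [pid 3031] [msfadmin] OK LOGIN: Client "10.10.1.10"
Sun Mar  7 12:05:40 2021 [pid 3102] [msfadmin] FAIL LOGIN: Client "10.10.1.20"
Sun Mar  7 12:05:45 2021 [pid 3104] [msfadmin] OK LOGIN: Client "10.10.1.20"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"'
)


def parse_line(line):
    """Return (timestamp, user, result, client_ip) or None for non-auth lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Collapse vsftpd's padded day field ("Mar  7") before parsing the timestamp.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag clients with >= threshold failed logins inside any window_seconds span.

    Each alert records the distinct usernames tried (a spray across many
    accounts is the wordlist signature) and whether a login from the same
    client later succeeded, which turns a noisy event into an incident."""
    fails, oks = defaultdict(list), defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        (fails if result == "FAIL" else oks)[ip].append((ts, user))

    alerts = {}
    for ip, events in fails.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0                              # sliding window over sorted failure times
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                first_fail = times[start]
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "success_after": any(t >= first_fail for t, _ in oks.get(ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The single typo-then-success from 10.10.1.20 stays below the threshold, while 10.10.1.10 is flagged with five accounts tried and a success afterwards. The threading note above matters here too: because Hydra's attempts are parallel, failures for the same client arrive interleaved across usernames and pids, which is why the detector groups by client address rather than by account.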
SCADA systems are hard to update, so look at the layers around them.
If you don’t have sendmail installed in the lab, you can install it in Kali Linux:
apt-get install sendmail
sendmailconfig
Using USB drives: https://null-byte.wonderhowto.com/how-to/hack-wpa2-wi-fi-passwords-using-jedi-mind-tricks-usb-dead-drops-0185290/
Press tab key as you are typing a directory in Linux to have it completed.
msfconsole
use exploits/unix/ftp/vsftpd_234_backdoor
info
set RHOST 10.10.1.10
run
DVWA Lab
DVWA IP was 10.10.1.11.
DVWA login is admin/password.
Set security to low so you can see stuff.
- ‘, the single quote, tells SQL that the quoted value has ended, which is why injection is possible.
- UNION appends a second query and produces output that is the combination of both result sets.
In Kali:
sqlmap -u <website> --cookie="<cookie>"
sqlmap -u "http://10.10.1.11/vulnerabilities/sqli/?id=2&submit=submit#" --cookie="cookie hash"
- Ctrl + Shift + I opens the inspector. Go to Network and reload the page.
- Click on the top-level request that includes the command, click Headers on the right side, click on the cookie, copy it, and paste it between the cookie quotes.
- sqlmap checks for SQL injection flaws to find ones you can use.
- Attacking an application can give you direct access to data.
- XSS attacks the server, CSRF/XSRF attacks the user (uses session).
- XSS Reflected: input a name, then enter
<script>alert("XSS")</script>
as the name.
- Attack websites by testing. Review the source code after changing security levels.
- Capitalizing Script and adding a body onload tag:
<body onload=alert("XSS")>
can be ways to beat basic security.
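To see why the single quote and UNION work, and why the capitalization and onload tricks get past a naive filter, here are the two DVWA exercises reproduced offline as an added example (not part of the original post or of DVWA's own code). A query built by string concatenation sits next to its parameterized form, and a reflected-output page is rendered three ways: unencoded, with a lowercase-tag blocklist of the kind the medium security level uses, and with proper HTML escaping. The users table is constructed to mirror DVWA's shape; the payloads are the ones quoted above.

```python
"""DVWA's SQLi and reflected XSS exercises, reproduced offline.

Added example, not part of the original post or DVWA's code. The users table
is constructed; the payloads are the ones the post quotes.
"""
import html
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA low-security style: the id is spliced into the SQL text, so a
    single quote in the input ends the literal and the rest parses as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized: the value travels separately from the SQL, so quotes,
    OR and UNION in the input are just characters compared against user_id."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def render_unsafe(name):
    return f"<pre>Hello {name}</pre>"


def render_blocklist(name):
    """DVWA medium-style filter: removes the exact lowercase tag and nothing else."""
    return f"<pre>Hello {name.replace('<script>', '')}</pre>"


def render_escaped(name):
    """Context-correct fix for HTML body text: encode every metacharacter."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def reflects_markup(rendered):
    """True if the user-controlled part of the page still opens an HTML tag."""
    inner = rendered[len("<pre>Hello "):-len("</pre>")]
    return re.search(r"<\s*[a-zA-Z]", inner) is not None


XSS_PAYLOADS = ['<script>alert("XSS")</script>',      # the basic payload from the post
                '<Script>alert("XSS")</Script>',      # the capitalization trick from the post
                '<body onload=alert("XSS")>']         # the onload variant from the post


def xss_summary():
    """For each renderer, how many of the post's payloads still reach the page as markup."""
    renderers = {"unsafe": render_unsafe, "blocklist": render_blocklist, "escaped": render_escaped}
    return {name: sum(reflects_markup(fn(p)) for p in XSS_PAYLOADS)
            for name, fn in renderers.items()}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))               # one row, as intended
    print(lookup_vulnerable(db, "2' OR '1'='1"))    # every row: the quote broke out of the literal
    print(lookup_vulnerable(db, "0' UNION SELECT user_id, first_name FROM users WHERE '1'='1"))
    print(lookup_safe(db, "2' OR '1'='1"))          # nothing: no user_id equals that string
    print(xss_summary())                            # {'unsafe': 3, 'blocklist': 2, 'escaped': 0}
```

The UNION call shows the page's point concretely: columns the original query never selected (user_id) come back in its result set. On the XSS side the blocklist stops only the textbook lowercase payload; the two variants the post mentions pass straight through, while escaping neutralizes all three. The same applies to sqlite3 here as to MySQL behind DVWA: the fix is parameterization and output encoding, not a smarter filter.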
Tricks and Methodology
- It’s like a dance, try one thing, then try something else. The developer probably won’t consider all options.
- The more you know about systems and how developers write code, the better. It’s not just about knowing tools and pentesting methods.
- Windows services should be quoted in path. Otherwise, Windows will choose the first folder that matches the first word.
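The unquoted service path point can be checked mechanically. The following added example (not part of the original post) reproduces the lookup order Windows applies to an unquoted command line containing spaces, where each prefix up to a space is tried as the executable, and produces the quoted form that removes the ambiguity. The sample paths are constructed; on a real host you would feed it each service's configured command line.

```python
"""Audit a Windows service command line for the unquoted-path problem above.

Added example, not part of the original post. SAMPLES are constructed; the
function mirrors how Windows resolves an unquoted executable path with spaces.
"""


def audit_service_path(command_line):
    """Return a report dict for one service command line.

    Keys: quoted (path is wrapped in quotes), candidates (the executables
    Windows would try, in order, for an unquoted path), vulnerable (more
    than one candidate, so a file placed at an earlier candidate path would
    run instead of the real service), fixed (the command line with the
    executable quoted).
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
        return {"quoted": True, "candidates": [exe], "vulnerable": False, "fixed": cmd}

    tokens = cmd.split(" ")
    # The executable ends at the first token ending in .exe; later tokens are arguments.
    exe_end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
                   len(tokens) - 1)
    exe_tokens, args = tokens[:exe_end + 1], tokens[exe_end + 1:]
    candidates = [" ".join(exe_tokens[:i + 1]) for i in range(len(exe_tokens))]
    fixed = f'"{candidates[-1]}"' + (" " + " ".join(args) if args else "")
    return {"quoted": False, "candidates": candidates,
            "vulnerable": len(candidates) > 1, "fixed": fixed}


# Constructed sample service command lines, one of each kind.
SAMPLES = [
    r"C:\Program Files\Example Vendor\agent.exe -service",
    r'"C:\Program Files\Example Vendor\agent.exe" -service',
    r"C:\Windows\system32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for path in SAMPLES:
        report = audit_service_path(path)
        flag = "VULNERABLE" if report["vulnerable"] else "ok"
        print(f"{flag:10} {path}")
        for c in report["candidates"][:-1]:
            print(f"           would try first: {c}")
        if report["vulnerable"]:
            print(f"           fix: {report['fixed']}")
```

The first sample is flagged because Windows would try C:\Program and then C:\Program Files\Example before reaching the real executable; the quoted second sample and the space-free system path are not.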
- ls shows the files in a directory.
- ls -l is the long listing.
- ls -al is the long listing with hidden files included. Hidden files start with a period.
- mv test.txt .test.txt will make the file hidden. It still shows with -al.
- cat .bash_history shows the shell command history, including telnet commands.