Chapter 1: Lab setup
All the exercises will be done in a virtual environment on the student's laptop, using VirtualBox on a Windows 10 or Mac host. To do all the exercises comfortably, the laptop should have enough RAM, CPU and disk space. Kali Linux will be the main attacker virtual machine. The victim machines will be normal Windows 10 and Windows 8 Pro machines, plus the Metasploitable machine, which is a deliberately vulnerable Linux server, and the OWASP virtual machine, another Linux server meant specifically for testing web servers.
Laptop minimum requirement
All exercises and tests in this book are performed on the user's laptop, so in order to run all labs smoothly the laptop should meet the following requirements:
CPU: Core i5 or similar
RAM: 8 GB (16 GB is recommended)
Disk space: 120 GB
VirtualBox
VirtualBox is an open source virtualization platform provided by Oracle; it works on Windows, macOS and Linux. In this training we are going to use VirtualBox as our main virtualization platform, hosting the virtual machines on which we are going to practice penetration testing.
VirtualBox installation:
Go to https://www.virtualbox.org/ and download the latest version of the VirtualBox software.
From the same page also download the VirtualBox Extension Pack.
Run the VirtualBox installer.
Run the VirtualBox Extension Pack installer.
After the VirtualBox installation is complete, create a new NAT network:
Open VirtualBox and go to File > Preferences > Network.
Add NatNetwork.
Virtual Machines installation
The lab which we are going to use will be set up inside the VirtualBox software and will contain 3 VMs:
1. Attacker machine, which is Kali Linux
2. Victim machine, Windows 10
3. Vulnerable web sites (Metasploitable)
4. OWASP virtual machine (based on Linux)
Kali Linux
Kali Linux is an open source, Debian-based Linux distribution that is maintained and funded by Offensive Security, a provider of information security training and penetration testing services. Kali contains several hundred tools used for information security tasks such as penetration testing, security research, computer forensics and reverse engineering.
Download the Kali Linux VirtualBox VM from
https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
The Kali Linux VirtualBox 64-bit .ova file is a ready-made virtual machine. After the download finishes:
Right-click the .ova file and open it with VirtualBox.
Set the name for the new Kali VM and its CPU and RAM, then click Import.
Give the Kali VM RAM according to your host's RAM: for example, if your host has 8 GB, give Kali 4 GB, and if your host has 16 GB, give Kali 8 GB, which is the recommended configuration to run Kali smoothly without problems.
Note: Those who are familiar with previous versions of Kali Linux will find that Kali 2020 is different: there is no default root login any more, and the sudo command must be used to run any privileged command.
Start the new Kali machine and log in as
User: kali
Password: kali
Update the Kali machine
Open a terminal and type:
    sudo apt-get update
    sudo apt-get upgrade
(Depending on the internet speed, the upgrade may take a long time to finish.)
Metasploitable Linux Virtual Machine
Metasploitable is a deliberately vulnerable Linux distribution made by Rapid7. This OS contains several vulnerabilities and is designed for penetration testers to practice against. Rapid7 offers this software for free to the penetration testing community; you just need to register with Rapid7 and then download the Metasploitable virtual machine. This is going to be one of the victim machines that we will try to hack.
You can download Metasploitable from the following link: https://information.rapid7.com/metasploitable-download.html
To install Metasploitable in VirtualBox:
In VirtualBox click on New.
Give it a name, Type = Linux, Version = Ubuntu (64-bit).
Click Next and give it 512 MB or 1 GB of RAM, then Next.
Choose "Use an existing virtual hard disk file".
Go to the Metasploitable file location and choose the ".vmdk" file.
OWASP Broken Web Apps virtual machine
OWASP Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:
Learning about web application security
Testing manual assessment techniques
Testing automated tools
Testing source code analysis tools
Observing web attacks
Testing WAFs and similar code technologies
You can download the OWASP Broken Web Apps VM from the following page: https://sourceforge.net/projects/owaspbwa/files/1.2/
Download OWASP_Broken_Web_Apps_VM_1.2.ova.
Right-click OWASP_Broken_Web_Apps_VM_1.2.ova and open it with VirtualBox, then import the virtual machine.
Put the OWASP VM in the NAT network.
Start the OWASP VM and log in with user root and password owaspbwa.
Go to the Kali machine, open the web browser and enter the IP address of the OWASP VM in your lab environment.
You should get the OWASP web page.
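The NAT network, Kali import, Metasploitable and OWASP BWA steps above, scripted with VBoxManage as an added example that is not from the book. The download paths and the 10.0.2.0/24 subnet are assumptions, and with DRY_RUN=1 (the default) the script only prints the commands. Keeping all three guests on the NAT network leaves the deliberately vulnerable servers reachable from Kali but not from the host's LAN.

```shell
#!/bin/sh
# Added example (not from the book): build the chapter's VirtualBox lab with VBoxManage.
# Assumed: the appliance/disk paths below and the 10.0.2.0/24 NAT subnet.
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 executes it.
set -eu
DRY_RUN="${DRY_RUN:-1}"
NATNET="${NATNET:-NatNetwork}"
DL="${HOME:-.}/Downloads"
KALI_OVA="${KALI_OVA:-$DL/kali-linux-2020-virtualbox-amd64.ova}"
META_VMDK="${META_VMDK:-$DL/Metasploitable.vmdk}"
OWASP_OVA="${OWASP_OVA:-$DL/OWASP_Broken_Web_Apps_VM_1.2.ova}"
# Echo the command in dry-run mode, otherwise run it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# File > Preferences > Network > Add NatNetwork: one isolated network for all lab guests,
# so the vulnerable servers are reachable from Kali but not from the host LAN.
create_nat_network() {
  run VBoxManage natnetwork add --netname "$NATNET" --network 10.0.2.0/24 --enable --dhcp on
}

# Import a ready-made .ova (Kali, OWASP BWA) with a name and RAM in MB, then
# put its first NIC on the NAT network.
import_ova() { # $1 = ova path, $2 = VM name, $3 = RAM in MB
  run VBoxManage import "$1" --vsys 0 --vmname "$2" --memory "$3"
  run VBoxManage modifyvm "$2" --nic1 natnetwork --nat-network1 "$NATNET"
}

# Metasploitable ships as a .vmdk, so create an Ubuntu 64-bit VM around the
# existing disk (the New > "Use an existing virtual hard disk file" steps).
create_metasploitable() { # $1 = vmdk path, $2 = RAM in MB
  run VBoxManage createvm --name Metasploitable --ostype Ubuntu_64 --register
  run VBoxManage modifyvm Metasploitable --memory "$2" --nic1 natnetwork --nat-network1 "$NATNET"
  run VBoxManage storagectl Metasploitable --name IDE --add ide
  run VBoxManage storageattach Metasploitable --storagectl IDE --port 0 --device 0 --type hdd --medium "$1"
}

# Kali gets half the host RAM, as the chapter recommends (4 GB on an 8 GB host).
kali_memory_mb() { # $1 = host RAM in GB
  echo $(( $1 * 1024 / 2 ))
}

setup_lab() {
  create_nat_network
  import_ova "$KALI_OVA" kali "$(kali_memory_mb "${HOST_RAM_GB:-8}")"
  create_metasploitable "$META_VMDK" 512
  import_ova "$OWASP_OVA" owaspbwa 1024
}
setup_lab
```

Run it once with DRY_RUN=1 to review the commands, then with DRY_RUN=0 HOST_RAM_GB=16 (or 8) to create the VMs.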
Windows virtual machines
The procedures below explain the installation of different Windows virtual machines for use in the penetration testing exercises. In this book we only need the Windows 10 virtual machine. However, Microsoft makes many of its operating systems available as virtual machines for testing purposes with a 180-day license key.
We will also install a normal Windows 10 machine as a victim; we will be running our attacks against this machine.
Microsoft has released several Windows virtual machines that can be downloaded from the following link (make sure you select Windows 10 stable and VirtualBox):
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms
Download the Win10.ova file.
Right-click the file and choose to open it with VirtualBox.
Accept the import settings.
For Windows Server 2012 R, download the 180-day evaluation copy from the Microsoft site.