Skill Level: Novice – Expert
What you need:
– A decent box: multiple processors/cores, lots of RAM (4 GB or more), lots of disk space
– Some sort of virtualization software (VMware Workstation, VirtualBox, Hyper-V)
– Pre-built virtual machines or installer ISOs
– A can-do attitude
– A second box with two NICs (dedicated to Metasploit and assorted other tools)
One of the biggest challenges I’ve had in my time working on this stuff is finding systems to test against. Apparently using your neighbors is “frowned upon” for some reason, and hanging out in a Starbucks and pwning everyone on the public wifi is even worse. So what do we do? Build a test environment. The concept itself isn’t that tough, and there are definitely easy ways and difficult ways to create one. For my vision, I wanted two machines: one with all my VMs on it, the other with Metasploit and NeXpose on it. This isn’t necessary by any means, but for my particular use case this Metasploit console will be very high-traffic and I wanted to make sure Metasploit has all the resources it needs.
Target Machine Specs:
– Intel Core 2 Quad @2.66 GHz
– 8 GB Crucial DDR3 RAM
– 500 GB WD HD
– Ubuntu 10.04 LTS 64 bit
– VMware Workstation
Metasploit Box Specs:
– AMD Quad Something, 1.8 GHz
– 8 GB DDR2 RAM (no-name)
– 500 GB HD
– Ubuntu 9.10 64 bit
There are a few reasons I chose this setup. The Core 2 Quad has four physical cores, so VMware Workstation can spread the VMs across them instead of stacking them on one. For the number of VMs I wanted, 4 GB of RAM simply wouldn’t be enough. This setup lets me run 6-8 VMs at once, and will scale up or down based on the hardware you choose.
Target VMs:
– Metasploitable
– Ultimate LAMP
– Windows XP SP3
– Windows Server 2003 R2
– RedHat 6.5
– Windows 7 RC2
– Windows 2000 Advanced Server SP4
First up was defining my networks. When I built my environment I did this last, but in hindsight it would have been so much easier if I had done it first (my loss of 5 hours’ worth of work, your gain =]). I gave a pretty basic overview of how to do this in my VPN Pivot post, and what I’ll do now is break it down into two options.
Option 1: The entire test environment installed on one machine (easy).
For limited resources this is the best way to do it; I have it set up this way on my laptop. All I really had to do was make sure all the machines were on the same virtual adapter and I was golden.
First I opened the virtual network editor (Edit -> Virtual Network Editor). On Linux I clicked Add Network…; on Windows I just chose one from the list (VMnet1 is a good place to start). I switched the network type to Host-only, selected my subnet (I chose 192.168.187.0, but you can pick whatever you want so long as it’s a private range) and saved it. Host-only means the VMs can reach each other and the host but have no route out to your real LAN, which is exactly what you want for deliberately vulnerable targets. With this set up, I could assign this virtual network to each machine as I built it.
Option 2: The test environment is split between two machines: tools and targets (tricky).
This one took me a bit to figure out, but I’ll try to make it as comprehensive as possible. What made this tricky for me is that I didn’t want a bunch of uber-vulnerable machines just chillin’ in my network, so I had to keep them private, like in the single-machine deployment. The problem with that is that with two machines involved there needed to be a way for the external machine to see the hidden vulnerable machines, which is easier said than done. The first thing to notice is that the box I installed Metasploit Pro on has two NICs, and this is for a reason. After fiddling with it for literally days, I learned that there really isn’t any straightforward way to give the second machine access to a “host-only” network. To make it easier, I will refer to the Metasploit machine as Box A and the machine with the target VMs as Box B. So here’s what I did:
- Set up Box A so that access out is on eth0 and the link to Box B is on eth1 (I only did this on Linux; setup will be different on Windows). To do this:
- I first set up a DHCP server on Box A for eth1 ONLY. If you get this wrong, dhcpd will also answer on eth0 and start handing out leases on your real LAN, but don’t worry… it’s easy.
First, I installed the DHCP server:
root@pro_server: apt-get install dhcp3-server
Next I restricted it to eth1. On Ubuntu the interfaces dhcpd listens on are set in /etc/default/dhcp3-server, not in dhcpd.conf, so I fired up my favourite text editor on that file:
root@pro_server: vim /etc/default/dhcp3-server
and set the INTERFACES variable so that it names eth1 only. Save and exit.
Next I made a backup copy of the main config:
root@pro_server: cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back
and then edited it:
root@pro_server: vim /etc/dhcp3/dhcpd.conf
From here, I just modified the file as I saw fit (you can check out my config here). One thing I made sure of was that the subnet on eth1 was different from the one on eth0 (I chose 10.0.0.0/24); if the two overlap, Box A can’t tell which interface a packet should leave through. Then I modified my interfaces file:
root@pro_server: vim /etc/network/interfaces
The only thing that needs to be done here is to give Box A a static IP on eth1 in the 10.0.0.0/24 range (I chose 10.0.0.2). Don’t put a gateway on eth1: Box A’s default route has to stay on eth0 or it will lose its way out. I saved that, and then ran:
root@pro_server: service dhcp3-server restart
- I plugged a Cat5 cable into the eth1 port on Box A and into the eth0 port (it should be the only one) on Box B. If either NIC is old enough not to do auto-MDI-X, this back-to-back link needs a crossover cable.
As a result, Box B was completely reliant on Box A for its networking: address, gateway, everything. You can also set up Internet connection sharing (IP forwarding plus NAT out of eth0) and file sharing if you’d like; it’s up to you how far you want to take it. Just bear in mind that the moment Box A forwards traffic for the lab, the targets are no longer isolated. This method is not necessary by any means; I built mine this way because this setup was for a test lab used by a number of people and I wanted to make sure I would have enough resources.
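The whole Box A setup above, rendered as one script. This is an added example and not the author’s script or config: it stages the three files into a scratch directory that mirrors /etc (so you can diff them against the live copies before copying), refuses a lab subnet that collides with the uplink address, and includes a lease count you can run against /var/lib/dhcp3/dhcpd.leases once the targets are up. The interface names, the 10.0.0.0/24 range, Box A at 10.0.0.2, the lease pool 10.0.0.100-200 and the staging paths are assumptions; the INTERFACES variable and the leases-file format are ISC dhcpd’s as packaged on Ubuntu.

```shell
#!/bin/sh
# Added example (not the author's script): stage the Box A configuration described
# above into a scratch directory, sanity-check it, and count the leases the targets
# take afterwards. Assumed layout: eth0 = uplink to the real LAN, eth1 = cable to
# Box B, lab subnet 10.0.0.0/24 with Box A static at 10.0.0.2, Ubuntu dhcp3-server.

LAB_IF="${LAB_IF:-eth1}"
LAB_NET="${LAB_NET:-10.0.0.0}"
LAB_MASK="${LAB_MASK:-255.255.255.0}"
LAB_ADDR="${LAB_ADDR:-10.0.0.2}"
LAB_RANGE_LO="${LAB_RANGE_LO:-10.0.0.100}"   # assumed lease pool for the targets
LAB_RANGE_HI="${LAB_RANGE_HI:-10.0.0.200}"

# First three octets of a dotted quad: 10.0.0.2 -> 10.0.0
prefix24() { printf '%s' "$1" | cut -d. -f1-3; }

# True when two addresses share a /24. Used to refuse a lab range that overlaps
# the uplink, which would leave Box A unsure which interface to route through.
same_subnet24() { [ "$(prefix24 "$1")" = "$(prefix24 "$2")" ]; }

# /etc/default/dhcp3-server: the only place the listening interface is set on
# Ubuntu. Leaving it empty makes dhcpd answer on eth0 too, i.e. on your real LAN.
render_default() { printf 'INTERFACES="%s"\n' "$LAB_IF"; }

# /etc/dhcp3/dhcpd.conf: one authoritative subnet, Box A as router and resolver.
render_dhcpd_conf() {
  cat <<EOF
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet $LAB_NET netmask $LAB_MASK {
  range $LAB_RANGE_LO $LAB_RANGE_HI;
  option routers $LAB_ADDR;
  option domain-name-servers $LAB_ADDR;
}
EOF
}

# /etc/network/interfaces: eth0 keeps its lease from the real LAN; eth1 is
# static with no gateway line, so the default route stays on eth0.
render_interfaces() {
  cat <<EOF
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto $LAB_IF
iface $LAB_IF inet static
  address $LAB_ADDR
  netmask $LAB_MASK
EOF
}

# Write the three files under $1 (mirroring /etc), given eth0's current address
# as $2. Returns 1 without writing anything if the lab subnet collides with it.
stage_boxa_config() {
  dir="$1"; uplink_addr="$2"
  if same_subnet24 "$LAB_ADDR" "$uplink_addr"; then
    echo "lab subnet $LAB_NET/24 collides with uplink address $uplink_addr" >&2
    return 1
  fi
  mkdir -p "$dir/default" "$dir/dhcp3" "$dir/network"
  render_default    > "$dir/default/dhcp3-server"
  render_dhcpd_conf > "$dir/dhcp3/dhcpd.conf"
  render_interfaces > "$dir/network/interfaces"
}

# IPs whose most recent record in a dhcpd.leases file is active. dhcpd appends a
# new record on every change, so the last "binding state" per lease wins; the
# "next binding state" line is deliberately not matched.
active_lease_ips() {
  awk '/^lease /{ip=$2}
       $1=="binding" && $2=="state"{state[ip]=$3}
       END{for (i in state) if (state[i]=="active;") print i}' "$1" | sort
}

# Number of targets that actually took a lease from Box A.
count_active_leases() { active_lease_ips "$1" | awk 'END{print NR}'; }

# Usage: . ./boxa-lab.sh; stage_boxa_config /tmp/boxa-staging <eth0 address>
#        count_active_leases /var/lib/dhcp3/dhcpd.leases
```

Source the file, run `stage_boxa_config /tmp/boxa-staging 192.168.1.10` with eth0’s real address as the second argument, diff the staged tree against /etc, copy the three files over and restart dhcp3-server as above. Once the targets are booted, `count_active_leases /var/lib/dhcp3/dhcpd.leases` should match the number of VMs you powered on; if it is zero, the bridge on Box B or the INTERFACES line is the first thing to check.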
When installing/building the actual VMs you’re presented with a ton of options for RAM, processor, network adapters, etc. To figure this out, I just thought about what would be “period correct” for that operating system: what was the minimum spec to install it when it first came out? After talking to the Metasploit team and taking a look at their specs, I came up with these RAM numbers for my environment:
– Metasploitable: 256 MB (pre-built)
– Ultimate LAMP: 384 MB (pre-built)
– Windows XP SP3: 512 MB
– Windows Server 2003 R2: 512 MB
– RedHat 6.5: 256 MB
– Windows 7 RC2: 768 MB
– Windows 2000 Advanced Server SP4: 256 MB
I also assigned a single core to each VM across the board (they’re not going to be doing much processing). Installing the OSes was actually pretty easy. Some of the installers were older and a bit tricky, but for the most part VMware Workstation just did it for me. I know that with VirtualBox you may have to install manually; not sure about Hyper-V.
As I went along creating each VM, I also set up the network on each one individually. For Option 1 (the self-contained test environment) I simply set the network adapter to VMnet1 (the host-only network created earlier).
Option 2 was totally different. Since Box A is the actual DHCP server in this scenario, I wanted to make sure all of the VMs received IPs on the same subnet as Box A. To do this, rather than putting each one on a host-only network, I bridged their adapters. This way they share Box B’s physical connection and can take leases from Box A. Make sure the bridge is bound to Box B’s eth0 (the cable to Box A) and to nothing else; bridged onto any adapter that reaches your real LAN, these targets are sitting on your network for anyone to find.
Now I was ready to run some tests to make sure everything worked. The first thing I did was fire up Metasploit, create a new project and fire off a scan. Lo and behold… success! If a scan comes back empty, the first thing to check is whether the targets actually pulled addresses from Box A before blaming Metasploit.
Keep in mind, folks, this is not always easy to build and it DEFINITELY took me a few tries to get it right. If you have any questions, feel free to comment or email me directly at matt (at) practicalpwnage.com.