Sinisterly
[TUT]How To Set Up A Pentesting Lab




[TUT]How To Set Up A Pentesting Lab - DaPaus - 12-25-2012


How To Set Up A Web Server Hacking Lab


Hello users of HC,

It's Christmas time! And although I hate Christmas, I love the presents! Today I give you this present, a tutorial on how to set up your own pentesting lab. More specifically, in this tutorial I will show you how to set up your training grounds for web server hacking. Let's get started, shall we?

What do we need?
Okay, first I'm going to introduce you to the programs we need and of course the download links.

Programs

Oracle VM Virtual Box
VirtualBox is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use. Or in easy terms: you can create a virtual computer in your computer. This allows the user to run an operating system inside an operating system (for example, I can run Linux BackTrack inside Windows XP). For more information about the product please go to https://www.virtualbox.org/

OWASP Broken Web Applications
The OWASP (Open Web Application Security Project) organization has released an operating system that emulates a web server with different applications. The Broken Web Applications project is a collection of vulnerable web applications that is distributed on a virtual machine. This virtual machine contains:

Training Applications - Applications designed for learning which guide the user to specific, intentional vulnerabilities.

- OWASP WebGoat version 5.4+SVN (Java)
- OWASP WebGoat.NET version 2012-07-05+GIT
- OWASP ESAPI Java SwingSet Interactive version 1.0.1+SVN
- Mutillidae version 2.2.3 (PHP)
- Damn Vulnerable Web Application version 1.8+SVN (PHP)
- Ghost (PHP)

Realistic, Intentionally Vulnerable Applications - Applications that have a wide variety of intentional security vulnerabilities, but are designed to look and work like a real application.

- OWASP Vicnum version 1.5 (PHP/Perl)
- Peruggia version 1.2 (PHP)
- Google Gruyere version 2010-07-15 (Python)
- Hackxor version 2011-04-06 (Java JSP)
- WackoPicko version 2011-07-12+GIT (PHP)
- BodgeIt version 1.3+SVN (Java JSP)

Old Versions of Real Applications - Open source applications with one or more known security issues.

- WordPress 2.0.0 (PHP, released December 31, 2005) with plugins:
  o myGallery version 1.2
  o Spreadsheet for WordPress version 0.6
- OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
- GetBoo version 1.04 (PHP, released April 7, 2008)
- gtd-php version 0.7 (PHP, released September 30, 2006)
- Yazd version 1.0 (Java, released February 20, 2002)
- WebCalendar version 1.03 (PHP, released April 11, 2006)
- Gallery2 version 2.1 (PHP, released March 23, 2006)
- TikiWiki version 1.9.5 (PHP, released September 5, 2006)
- Joomla version 1.5.15 (PHP, released November 4, 2009)
- AWStats version 6.4 (build 1.814, Perl, released February 25, 2005)

Applications for Testing Tools - Applications designed for testing automated tools like web application security scanners.

- OWASP ZAP-WAVE version 0.2+SVN (Java JSP)
- WAVSEP version 1.2 (Java JSP)
- WIVET version 3+SVN (Java JSP)

Demonstration Pages / Small Applications - Little applications or pages with intentional vulnerabilities to demonstrate specific concepts.

- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

OWASP Demonstration Applications - Demonstration of an OWASP application. Does not contain any intentional vulnerabilities.

- OWASP AppSensor Demo Application (Java)

Sources
OWASP site - https://www.owasp.org
OWASP BWA Project page - https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
OWASP BWA Blog - http://owasp.blogspot.be/2012/07/owasp-bwa-vm-version-10-released.html

Download links

Oracle VM Virtual Box - http://download.virtualbox.org/virtualbox/4.2.6/VirtualBox-4.2.6-82870-Win.exe
OWASP Broken Web Applications - http://sourceforge.net/projects/owaspbwa/files/latest/download?source=files


Installation
Now that we have our files we will set up our dojo. First we will install Oracle VM VirtualBox. After that we mount our virtual disk and configure the network. And finally we will set foot in our dojo by logging in and accessing the index page.

1. To install VirtualBox, it's as simple as pressing "Next", "Next", "Install", "Finish". Or you can follow this video tutorial. (All credits for the video go to the maker of it.)


2. Now we open up VirtualBox. Press New. You can choose the name; I named mine "OWASP BWA". Set Type to Linux and Version to Ubuntu and press "Next".




3. Just leave the memory size at 512M. This is the recommended amount and we don't need to change it.

4. Now unzip the files from the OWASP BWA archive and put them all together in a folder.

5. For the hard drive we have to choose the option "Use an existing virtual hard drive file", then navigate to the folder and point it to the "OWASP Broken Web APPS-cl1.vmdk" file. And press Create.

6. Now select your virtual machine, go to Settings -> Network -> Adapter 1. Enable the adapter, set "Attached to" to "Host-only Adapter" and press OK.




7. Now select your machine and press start. Wait for it to boot up.

8. From the moment you can log in, your machine is ready for use. You don't have to log in to use it. All you need is the IP. You can see this on the 6th line. You can access the web apps at http://xxx.xxx.xxx.xxx.
All you need to do is open up a web browser on your host computer and navigate to the IP. If you want to log in to the machine, the username is "root" and the password is "owaspbwa".

9. To use the apps you can just click on them as a link, but in front of every link there is a little green "+" icon. If you click on that one you can see some information about the application and the user credentials to log in.

WARNING: Make sure that this server is only running locally and that nobody can access it from outside your machine.



So I hope you have some fun playing with these apps. I'm sure you can find some good tutorials on this. If you have any feedback or you find any grammatical or writing errors, feel free to mention them. Also any tips on layout or writing style are welcome, because I'm making these tutorials for you guys. I spent quite some time on this tutorial so please leave a reply.

If you have some Bitcoins to spare you can always donate at 12zDzuWE1Lgi51Axh4N2G4EK1Pj3K2WSPy




If you liked this tutorial you may also like my other tutorials:
Earning BitCoins WITHOUT mining | InstaPaper
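Steps 2 to 6 of the post are GUI clicks, and step 8 plus the warning say the VM must only be reachable from the host. The script below is an added example, not part of the original post or of the OWASP BWA project: it performs the same VM creation with VirtualBox's `VBoxManage` command-line tool and adds a check that the IP shown on the VM console belongs to VirtualBox's default host-only network (192.168.56.0/24). It assumes `VBoxManage` is on PATH and that the host-only interface is called `vboxnet0` (the Linux and macOS default; on Windows it is named "VirtualBox Host-Only Ethernet Adapter", so set `VBOX_HOSTONLY_IF` accordingly). Unless `OWASP_LAB_APPLY=1` is set, the commands are only printed so you can review them first.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the VirtualBox GUI
# steps of the tutorial with VBoxManage and checks the host-only IP.
# Assumptions: VBoxManage on PATH; host-only interface named vboxnet0
# (override with VBOX_HOSTONLY_IF, e.g. on Windows hosts).
# Dry run by default: set OWASP_LAB_APPLY=1 to actually execute.

VBOX_HOSTONLY_IF="${VBOX_HOSTONLY_IF:-vboxnet0}"

# run CMD...: execute the command, or just print it in dry-run mode.
# (Printed arguments are space-joined, so a name like "OWASP BWA" shows
# unquoted; the executed form passes each argument intact.)
run() {
    if [ "${OWASP_LAB_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# vbox_lab_setup NAME VMDK: steps 2-6 of the post.
#   step 2: new VM, type Linux / version Ubuntu
#   step 3: 512 MB RAM (the tutorial's recommended value)
#   step 5: attach the existing OWASP BWA .vmdk as the hard drive
#   step 6: adapter 1 attached to the host-only adapter only
vbox_lab_setup() {
    name="$1"; vmdk="$2"
    [ -n "$name" ] && [ -n "$vmdk" ] || {
        echo "usage: vbox_lab_setup NAME VMDK" >&2
        return 2
    }
    run VBoxManage createvm --name "$name" --ostype Ubuntu --register
    run VBoxManage modifyvm "$name" --memory 512 \
        --nic1 hostonly --hostonlyadapter1 "$VBOX_HOSTONLY_IF"
    run VBoxManage storagectl "$name" --name IDE --add ide
    run VBoxManage storageattach "$name" --storagectl IDE \
        --port 0 --device 0 --type hdd --medium "$vmdk"
}

# vbox_lab_start NAME: step 7, boot the VM without a console window.
vbox_lab_start() {
    run VBoxManage startvm "$1" --type headless
}

# vm_ip_is_host_only IP: returns 0 when the address printed on the VM
# console (step 8) lies in VirtualBox's default host-only network
# 192.168.56.0/24, i.e. it is only reachable from this host, as the
# post's WARNING requires. A 10.0.2.x address would mean the adapter is
# still in NAT mode and step 6 was skipped.
vm_ip_is_host_only() {
    case "$1" in
        192.168.56.*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Typical use is `vbox_lab_setup "OWASP BWA" "$HOME/lab/OWASP Broken Web APPS-cl1.vmdk"` followed by `vbox_lab_start "OWASP BWA"`; if `VBoxManage list hostonlyifs` shows no interface, `VBoxManage hostonlyif create` makes one first. Because the adapter is host-only rather than bridged, the lab is never exposed to the LAN, which is the practical meaning of the post's WARNING.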



RE: [TUT]How To Set Up A Pentesting Lab - akb666 - 10-20-2013

Nice information about how to make a simple web application lab. Can you tell how to make labs for network attacks, like bypassing Bluecoat, Fortinet and others? I hope you can help!