How to build a SECURE hacking lab based on internal network (VirtualBox Networking)

Dan Covic
Jan 19, 2023

The first rule of becoming a good pentester is to know how to set up a secure hacking lab.

TLDR

  1. Download & Install VirtualBox
  2. Download Kali Linux & the “Vulnerable Machine” (e.g., Mr. Robot)
  3. Import the OVA files
  4. Isolate the network

Here I explain how you can do that.

First things first: if you want to get your hands dirty and practice pentesting, you need access to vulnerable machines.

The best place to find them is on VulnHub. Go there and download a few machines.

Now, let’s start with the procedure.

Hash verification

A good practice, after you download a VulnBox, is to verify what you have downloaded by comparing the MD5 file hash that you find in the File Info description with the MD5 file hash on your computer. This is how you do it in PowerShell.

Verifying what you download:

PowerShell: Get-FileHash -Algorithm MD5 .\Downloads\mrRobot.ova

Installing VM

Next, install the downloaded VMs into VirtualBox.

Setting up Internal Network

In this step, you will create a DHCP server. This server will issue out or provide IP addresses to the VMs you downloaded. If you don’t create that server, then the VMs cannot talk to each other. They will only be isolated from one another and they will not know of each other’s existence.

STEPS:

  1. Navigate to Settings > Network (of the VM).
  2. Change Attached to: Internal Network.
  3. Give it a name and click OK.

Do the same thing for your Kali VM.

Now, both VMs are compartmentalized into one internal network.

However, they don’t have IP addresses associated with them yet. For this to happen you need to install a DHCP server on your VirtualBox.

Lastly, run the two VMs and verify that they are connected to the same Internal Network you have set up (see above).

Note: a bridged adapter means that you put your VMs on your router so everyone can see them. In other words, your VMs will get exposed to the internet.

Setting up DHCP server

STEPS

  1. Navigate to the path of VirtualBox. This is usually in: C:\Program Files\Oracle\VirtualBox
  2. Open Command Prompt and change directory to that path ($ cd C:\Program Files\Oracle\VirtualBox)
  3. List the directory ($ dir)
  4. Before creating the DHCP server, verify if there’s already a DHCP server running

You can do that by this command: VBoxManage list dhcpservers

Here you see only the host network. This means that there is no DHCP server running. Now, we can add one.

DHCP script (the network value must be the name you gave the internal network in the VM settings):

VBoxManage dhcpserver add --network=CyberStudyLab --server-ip=192.168.3.1 --netmask=255.255.255.0 --lower-ip=192.168.3.2 --upper-ip=192.168.3.254 --enable

Now, check again and you should see the DHCP server added.


From now on, the DHCP server will start issuing out IP addresses in your isolated virtual internal network.

The endgame here is that you do not want to be exposed to the internet. Also, you want those vulnerable boxes to be isolated from your home environment (your gateway), yet to be able to assign them IP addresses so they can communicate with each other (for example, to ping each other). If you don’t have an IP address assigned to one of the vulnerable machines you cannot do anything with them.

To verify whether those vulnerable boxes are isolated, open up a terminal on your Kali VM (which you have configured) and try to ping Google for instance: ping 8.8.8.8

You should see Network is unreachable which means that the VM is isolated from the internet. In other words, the VM can only talk to itself and whatever else is there in the internal network that you have configured above.
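A host-side check to go with the ping test, as an added example that is not part of the original post: it reads each VM's adapter settings in the key="value" format printed by VBoxManage showvminfo --machinereadable and flags any enabled adapter that is not attached to the CyberStudyLab internal network. The VM names Kali and MrRobot, the $UseSample switch and the sample output are assumptions constructed for illustration.

```powershell
# Added example: flag any enabled adapter that is not on the lab's internal network.
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$LabNetwork = 'CyberStudyLab'          # name used in the dhcpserver command
$LabVMs     = @('Kali', 'MrRobot')     # assumed VM names; see "VBoxManage list vms"
$UseSample  = $true                    # set to $false to query VirtualBox itself

# Constructed sample of "showvminfo --machinereadable" output (not real data).
$Sample = @{
    'Kali'    = @('nic1="intnet"', 'intnet1="CyberStudyLab"', 'nic2="none"')
    'MrRobot' = @('nic1="intnet"', 'intnet1="CyberStudyLab"', 'nic2="bridged"')
}

function Get-NicFindings {
    param([string]$VmName, [string[]]$InfoLines, [string]$ExpectedNetwork)
    # Each line is key="value", e.g. nic1="intnet" and intnet1="CyberStudyLab".
    $props = @{}
    foreach ($line in $InfoLines) {
        if ($line -match '^(?<key>[^=]+)="?(?<value>[^"]*)"?$') {
            $props[$Matches['key']] = $Matches['value']
        }
    }
    foreach ($key in ($props.Keys | Where-Object { $_ -match '^nic\d+$' } | Sort-Object)) {
        $slot = $key -replace '^nic', ''
        $mode = $props[$key]
        if ($mode -eq 'none') { continue }    # adapter disabled, nothing to check
        $net = $props["intnet$slot"]
        [pscustomobject]@{
            VM = $VmName; Adapter = $slot; Mode = $mode; Network = $net
            Isolated = ($mode -eq 'intnet' -and $net -ceq $ExpectedNetwork)
        }
    }
}

$findings = foreach ($vm in $LabVMs) {
    $info = if ($UseSample) { $Sample[$vm] } else { & $VBoxManage showvminfo $vm --machinereadable }
    if (-not $info) { throw "No adapter information returned for VM '$vm'" }
    Get-NicFindings -VmName $vm -InfoLines $info -ExpectedNetwork $LabNetwork
}

$findings | Format-Table -AutoSize
$exposed = @($findings | Where-Object { -not $_.Isolated })
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) adapter(s) not on '$LabNetwork'; fix before booting the vulnerable VM."
} else {
    Write-Output "All enabled adapters are attached to '$LabNetwork'."
}
```

With the constructed sample, the second adapter of MrRobot is reported because it is bridged; run it with $UseSample set to $false before each lab session to check the real settings.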

A cool TRICK for scanning the internal network is to use these NMAP commands:

  • nmap -sS -T4 192.168.3.2-254
  • nmap -p0- -v -A -T4 192.168.3.2-254
  • 192.168.3.2-254 → IP range of the internal network

The result will show you which VMs are on the internal network. Ping them to confirm they are alive & reachable!

Now, you are all set up and ready. Time to practice!

Note: You can always add a new VulnBox to the internal network. The DHCP server will automatically assign it an IP address.
