Advanced Pentesting Lab with VMware, VyOS, Kali, and Metasploitable3
This article was written as a supplement for a book I am co-authoring. It is set to release mid 2019. I’ll come back and provide a link for it here once it is released. In the meantime, I highly recommend checking out The Hacker Playbook 3 by Peter Kim. This lab setup will enhance your experience as you work through the examples in the book.
Learning pentesting is best done hands on. You can talk about how to perform advanced attacks and pivoting without ever having done it yourself or you can put in the reps by building a proper lab and mastering the grunt work with hands on practice. At a bare minimum a good lab needs two, arguably three, subnets and a router(s)/firewall(s) between them.
In this article we will build a lab consisting of two subnets (DMZ and WORLD). We will place a VyOS router and firewall between them. Here is a visual of our network.
Grab some coffee, Red bull, Monster, or [INSERT YOUR FIX HERE] as we roll up our sleeves and get busy building our network.
We are setting this lab up in VMware. You can do it in Virtualbox but I will not be discussing the settings for it here. With enough interest I may write another article for setting up Virtualbox. I am also considering an AWS pentesting lab. Let me know what you’d like to see in the comments.
First things first let’s build our virtual networks in VMware. We will have one host-only network and one that is NAT’d from the host machine. The NAT’d network is where the Kali VM will sit and shares an Internet connection with the host.
Open the VMware Virtual Network Editor by clicking Edit > Virtual Network Editor. Depending on the configuration of your system, you may need to click the Change Settings button to perform the remaining steps.
Create the host-only network by clicking the Add Network… button. You are prompted to Select a network to add… I am using VMnet1 but you can choose any name you would like. Click the OK button. The network is initialized and automatically configured but for the purposes of distinction in our lab, lets change the Subnet IP field to 10.10.10.0. Once you have made the change click the Apply button. The network interface will restart and you are all set.
Now lets create the NAT network where our Kali attack machine will sit. It’s the same process but in this case VMnet8 is the name. Once the network is initialized, change the network type to NAT and set the Subnet IP to 192.168.148.0.
Depending on the names you used and other Networks you may have already had configured, you should have something similar to the screenshot below.
Metasploitable3 is great. It comes packed with vulnerable services. The downside is that there as so many ways to get system that is makes pentesting feel far too easy. However, it’s hard to beat from the standpoint of packing tons of hands on learning into two VMs. If you are looking for a more challenging VM check out Vulnerable by Design (http://www.vulnhub.com) where there are several hundred VMs configured with specific vulnerabilities that you can work on. Caution: If you choose to use systems from a third party you are trusting that the author doesn’t have malicious intent toward you. Tread lightly!
The build instructions provided by the makers of metasploitable3(Rapid7) are great but if you are like me you only want the finished VMs and are not interested in using Vagrant every time you want to start the VMs you’ll want to follow my instructions. If you want to use Vagrant then ignore my instructions and stick to the instructions on Github.
I’ll be working in Windows so if you are in a Linux or Mac environment you’ll need to modify as necessary.
Download and unzip metasploitable3.
Open powershell and cd into the unzipped metasploitable3 directory. I am building for VMware. If you are building for VirtualBox you’ll need to use the virtualbox-iso provider. We need to run packer twice(once for the ubuntu VM and once for the Windows VM). This process will take a while so sit back and relax, read a book, go for a run…you get the idea. Move on once the process is complete.
In the top level of the metasploitable3-workspace directory there is now a folder name output-vmware-iso that contains your new Windows 2008 VM. Before you build the Ubuntu box, rename this folder to something like metasploitable3-win2k8. If you don’t, the next build process will overwrite the directory. Additionally, if you need to free up some space, you can delete the .box file in the packer/builds directory. Once complete, run the process for Ubuntu. This one will be faster.
Once again rename the output folder. You can move the VMs to a different location on your hard drive if desired. Go ahead and open but don’t start the VMs in VMware. The next step is to configure the network interface and a static IP addresses.
Configure Interfaces and Static IP Addresses
For each VM, right click and select Settings… to open the Virtual Machine Settings dialog. Click Network Adapter and set the network connection to the Host-only subnet that we set up earlier. If you used the same name as I did, it is VMnet1(example below). Click OK.
Start both VMs.
We are going to login to each machine and set static IP addresses. This is the only time we will need to sign into the machine. From then on you will be hacking your way in.
To sign in to the Windows VM select the windows tab, click VM from the main menu, and select Send Ctrl+Alt+Del. Click the Administrator user and use the password vagrant. Cancel the Windows registration dialog. Click the network icon in the system tray and select Open Network and Sharing Center.
Click Change Adapter Settings from the left hand menu. Right click on Local Area Connection and select Properties. Highlight Internet Protocol Version 4 and then click the Properties button.
Change the settings to match the screenshot below and click the OK button.
Shutdown or restart the VM. On the next start, it will connect to the network with the address 10.10.10.2. Ubuntu is a bit different, let’s do that now. Login to the VM using vagrant:vagrant.
Enter the command sudo nano /etc/network/interfaces and enter the lines below so that your config file matches.
Close and save the file then shutdown or restart the VM. On the next start, the VM will connect to the network at 10.10.10.1.
Download and Configure the Kali VM
This part is easy thanks to the pre-built VMs available for download from the folks at Offensive Security.
Download your choice from https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
Once the download is complete, unzip and open the VM in VMware.
Just as you did with the metasploitable3 VMs set the network interface. Only this time choose the NAT network. See below.
Start Kali and login with the credentials root:toor
Open a terminal and enter the command nano /etc/network/interfaces to edit the config to give your machine a static IP and to add a route to the 10.10.10.0/24 network.
All set. Time to get the final piece in place.
Download and Configure VyOS VM
VyOS also has a convenient VMware download. Head to https://vyos.io/ and click the VyOS on VMware link to get the latest release.
Once the download is complete open the .ova file to import it into VMware. Open the settings dialog for the VM so we can configure the network interfaces. Since this is a router/firewall it ships with two interface. Configure one to connect to the 10.10.10.0/24 Host-only network and one to connect to the 192.168.148.0/24 NAT network. Your settings should be similar to the ones below.
Start the VM and sign in with the credentials vyos:vyos
The next step is to assign addresses and descriptions to the interfaces in VyOS.
Run the command below to verify your settings.
We now need to set some firewall rules. We won’t go into all the ins and outs of creating a firewall in VyOS but the basic process is you create IN, OUT, and LOCAL policies that are composed of rules and then you apply the policies to an interface. The following commands will lock down 10.10.10.0/24 to only allow inbound port 8585 and outbound connections over port 443.
First set a default action to drop anything that does not match a rule.
Allow inbound connections that are established and related.
Open port 8585 so we can access the metasploitable3 web app.
Now for the outbound rules. Allow established or related traffic.
We are only allowing outbound on 443(https). That’s secure, right?
Commit, save, and reboot.
We have setup the firewall rules but have not applied them to the interface. To do so, follow the instructions below. I intentionally separated that portion of the config because you’ll likely want to turn toggle the firewall off and on for different exploitation activities.
Turning the firewall Off/On
Enable the firewall with the following commands and reboot.
If you want to disable the firewall, run the following commands and reboot
You’re all set!
In this article you learned the basics for developing an advanced pentesting lab using VMware, Metasploitable3, Kali, and VyOS. With this knowledge you should be able to expand upon this network to add other hosts and subnets. Hint: The Ubuntu VM may or may not have a docker container running on a different subnet just waiting to be discovered.
Have fun and thanks for reading!