Practice your Penetration Testing Skills with Metasploitable 2

Good news, a new version of Metasploitable is available. Metasploitable is a Linux virtual machine that is left purposefully vulnerable so you can practice your mad cyber skills.

The latest version, Metasploitable 2, has a ton of open services for you to discover and try to exploit. Version 2 has several built-in backdoors (intentional and unintentional) already present, weak passwords to crack and multiple vulnerable web services, including DVWA (Damn Vulnerable Web App) and Irongeek’s vulnerable web application Mutillidae.

Mutillidae is really cool and a great learning tool as it has all the vulnerabilities from the OWASP Top Ten with a few extra thrown in for good measure. Irongeek’s website has a ton of tutorials on using Mutillidae.

We had some fun a few months ago with gaining root on the first version of Metasploitable. Hopefully in a week or two we will take a closer look at Metasploitable 2. In the meantime, download it and check it out!

Hacking Virtual Machines: Sniffing Guest Traffic with Wireshark

Thanks to Bozidar Spirovski’s article on Infosecisland for the heads up on this. I have always been concerned with virtual machine security. One place I worked at had thousands of virtual machines. My concern was always – if a guest OS was compromised, could they access the other guests or worse, the host?

I read the other day in “Protect Your Windows Network: From Perimeter to Data” (excellent book, by the way) that most virtual machine interfaces act more like an old-style hub (rebroadcasts all traffic to every port) than a switch (sends data only to the destination port). In essence, if you can compromise a guest OS and put the network card in promiscuous mode, you can view all of the data of all of the virtual machines using the physical NIC.

Well, the video above is a sample of this in action. A guest OS is compromised, and Wireshark is installed. With it running, they capture simulated traffic on another guest OS that includes user names, bank accounts and passwords.

The book “Protect Your Windows Network: From Perimeter to Data” was written 5 years ago! The video was made last month…

I’ll look into this some more, but it is insane if this is still possible. By the way, the video author claims this works in VMWare and Microsoft’s Hyper-V.  
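A defender-side check for the condition this post describes, as an added example that is not part of the original article: on a Linux guest the kernel exposes each interface's flag word under /sys/class/net, and bit 0x100 (IFF_PROMISC) marks a card that is in promiscuous mode. The sample tree, its interface names and the helper function names are constructed for illustration.

```python
import os
import tempfile

IFF_PROMISC = 0x100  # Linux interface flag: receive all frames, not only our own


def read_flags(sysfs_net, iface):
    """Return the integer flag word the kernel exposes for one interface."""
    with open(os.path.join(sysfs_net, iface, "flags")) as fh:
        return int(fh.read().strip(), 16)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """List interfaces with IFF_PROMISC set, sorted by name."""
    hits = []
    for iface in sorted(os.listdir(sysfs_net)):
        try:
            flags = read_flags(sysfs_net, iface)
        except (OSError, ValueError):
            continue  # not an interface directory, or it vanished mid-scan
        if flags & IFF_PROMISC:
            hits.append(iface)
    return hits


def build_sample_tree(root):
    """Constructed sample data: a fake sysfs tree with three guest NICs."""
    sample = {
        "lo": "0x9",        # UP | LOOPBACK
        "eth0": "0x1103",   # UP | BROADCAST | PROMISC | MULTICAST
        "eth1": "0x1003",   # UP | BROADCAST | MULTICAST
    }
    for iface, flags in sample.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(flags + "\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("sample tree:", promiscuous_interfaces(build_sample_tree(tmp)))
    if os.path.isdir("/sys/class/net"):
        print("this host:  ", promiscuous_interfaces())
```

Run on each guest from a scheduled job, an unexpected hit on a server that has no business capturing traffic is worth an alert.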

Oracle VirtualBox on Ubuntu 10.10

I am a huge fan of Ubuntu. Each new release seems faster, smoother and easier to use. The latest release, called “Maverick Meerkat”, is no exception. You can even run Ubuntu in a “Live CD” mode so no changes are made to your system. If you are a Windows user and haven’t taken the Linux plunge, check out Ubuntu 10.10; you will not be disappointed.

Okay, Ubuntu praise aside, I am a huge VMWare fan and am somewhat skeptical of other virtual desktop software. I have seen several people using VirtualBox and decided to try it out. Wow, I was truly impressed.

VirtualBox was developed by Sun Microsystems for home and corporate users and is open source software (translated “Free”). It also runs equally well under Windows or Linux. Having never run a virtual system on Linux, I decided to give it a test run under Ubuntu.

Installation was painless, and quick. I just went to the VirtualBox site, picked the “Ubuntu” version and installation was automatic. When it was installed, creating a new virtual machine was extremely easy. You just hit the “New” button, pick what OS you will be installing, set a few options if you want, create the virtual disk then power it on and install the OS.

The picture above is Windows XP running in a VirtualBox session on my Ubuntu system. The XP system was fast and responsive. The only problem I did have was getting my USB camera to connect to the session. But, since I had the same problem with VMWare on my Windows 7 desktop, I was not really surprised.

According to the documentation, VirtualBox can read VMWare images and also has a cool RDP remote desktop option that I will have to try.

I highly recommend both Ubuntu 10.10 and VirtualBox. If you get a chance, check them out, you will not be disappointed.  

How to Build a Virtual System with VMWare Workstation

Well, recently the power board on my laptop smoked. Maybe it was overworked, maybe it just needed a break, not sure. The problem is, I used said laptop as my virtual hacking playground. It had 3 OS’s available at the boot menu, 4 virtual Microsoft OS’s and several virtual versions of Linux. Yeah, I know, I need a hobby.

Well, I have backups of the virtual machines, but I wanted to create some new ones anyways. So, I figured I would create a follow along type blog post for those who have not created a Virtual Machine yet. So, if you want to know how to create a virtual operating system and run it on top of your current one, here goes!

Step 1. Get VMWare Workstation. (Others are available, but I like this, it is quick and easy). If you do not own VMWare workstation you can get a 30 day trial key. Once you create a virtual machine, you can run it in the free version of VMWare player. You can also download “VMWare appliances”. These are virtual machines that someone else has already made. I prefer to make my own, as I know what is in it and that it is safe.

You will need to create an account with VMWare to get the 30 day trial key. After installing VMWare workstation, go ahead and run it. You will get a screen that looks like this:

Step 2. Now, click “Create a new Virtual Machine”. We are just creating a Windows 7 Pro Virtual Machine, so just hit “Typical” at the next prompt and select “Next”.

Step 3. We are going to install from Disk, so go ahead and put your OS disk in. You can also install from an ISO if you have one. Select Next.

Sweet! Look at this next screen, it recognizes the Windows 7 Pro CD, and it allows an EASY install. This means that the VMWare system knows the OS and the install will be pretty much automated.

Step 4. Put in your Windows key, and choose your version of Windows 7 from the pull down menu. Next, put in your username & password and confirm password. You can put in the product key later if you want. Hit next.

Step 5. Name your virtual Machine and give it a location to save the data files. Click Next.

Step 6. Specify how big you want the virtual drive to be and if you want it to be a single file or split. I just chose the defaults here. Click Next.

Step 7. VMWare workstation is now ready to create the virtual machine. Check out the virtual hardware settings. I want to be able to do more than just log in so I want to allocate more memory. To do so, click “Customize Hardware…”

Step 8. Select Memory and then slide the memory button up to 2 GB. Hit “OK”. Alright! Almost done. Click “Finish”.

Step 9. Now, click on POWER ON THE VIRTUAL MACHINE.

Step 10. That’s it! When the Virtual Machine is powered up, it will install the OS from your source disk. The next screenshots are of the install in progress:

And when the install finishes, Voilà! Done!

 

If you click the Full Screen button on the menu bar, you get this: a full OS running on top of your current OS:

From here you can finish setting it up just like a regular OS install: security updates, anti-virus, auto-updates, etc. To shut down the virtual machine, you can shut down the virtual OS, or to suspend the OS, just close the whole virtual OS window.

That is all there is to it. I hope you enjoyed this.