style="font-size:15px;"> 3 Vulnerable Web sites (Metaspoliatble )4 OWASP virtual machines based on Linux)
Kali Linux
Kali Linux is an open source Debian based Linux distribution that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services, Kali contains several hundred of tools used for information security tasks such as Penetration testing, Security research, Computer forensics and Reverse Engineering.
Download Kali Linux Virtual Box VM from
https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
The Kali Linux Virtual box 64-bit ova file is a readymade Virtual Machine, after finishing the downloading the file:
Right click the .ova file and open with Virtual box.
Setup name for the new Kali and the CPU, RAM then click import.
Depending in your host RAM give the Kali VM RAM, for example if your host max RAM is 8G , then give Kali 4G and if your host is 16G then give Kali 8G which the recommended configuration to run Kali smoothly without problems.
Note: Those who are familiar with previous versions of Kali Linux will find Kali version 2020 is different as no more default root access and sudo command must be used to run any privileged commands.
Start the new Kali Machine and login as
User: kali
Password: kali
Update Kali machine
Open Terminal and type #sudo apt-get update#sudo apt-get upgrade (depending on the internet speed the upgrade may take long time to finish)Metasploitable Linux Virtual Machine
Metasploitable is a vulnerable Linux distro made by Rapid7. This OS contains several vulnerabilities. It is designed for penetration testers to try and hack. Rapid 7 offer this software for free for the Penetration testers community. They just need to register with Rapid 7 and then download the Metasplotable virtual machine. This is going to be one of the victims machines that we will try to hack.
You can download Metasploitable from the following link: https://information.rapid7.com/metasploitable-download.html
to install Metasploitable in Virtual Box
In Virtual BOX click on New
Give it a Name, Type= Linux, Version= Ubuntu 64k
Next and give it 512 M Ram or 1 G ram then Next
Choose “Use an existing virtual hard disk file “
Go to the Metasploitable file location and choose “.vmdk “ file
OWASP Broken Web Apps virtual machine
OWASP Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:
Learning about web application security
Testing manual assessment techniques
Testing automated tools
Testing source code analysis tools
Observing web attacks
Testing WAFs and similar code technologies
You can download OWASP Broken Web Apps VM from the following page https://sourceforge.net/projects/owaspbwa/files/1.2/
Download OWASP_Broken_Web_Apps_VM_1.2.ova
Right click the OWASP_Broken_Web_Apps_VM_1.2.ova and open with Virtual box then import the virtual machine.
Put the OWASP VM in the NAT network
Start the OWASP VM and login=root and password=owaspbwa
Go to Kali machine and open the web browser and enter the OWASP IP address in your LAB environment.
You should get the OWASP web page
Windows Virtual machines
The below procedures explain installation of different Windows virtual machine to use in penetration testing exercises. In this book we only need Windows 10 virtual machine. However, Microsoft made many of its operating systems available as virtual machines for testing purposes with 180 days license key.
We will also install a normal windows 10 machine as a victim, we will be running our attacks against this machine.
Microsoft has released several windows virtual machines that can be downloaded from the following link (make sure you select windows 10 stable and VirtualBox)
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms
download Win10.0va file
right click the file and choose open with Virtual box.
Agree on import setting
For Windows Server 2012 R download 180 days evaluation copy from Microsoft Site
Chapter 2: Introduction to Penetration Testing
What is a Penetration Testing (Pen-test)?
Penetration testing is the attack simulation on an IT system with the intention of finding security weaknesses to determine how the systems react to these attacks.
Wikipedia definition of Penetration testing “Pentest is an attack on computer system with the intention of finding security weaknesses, potentially gaining access to its functionality and Data”.
CISSP definition of Penetration testing “Pentest can determine how system react to an attack, whether or not systems defenses can be breached,
