Skip to main content

Lab Environment Setup

Introduction

This unit presents the steps to build your own pen testing lab to run your on-premises trial of Core Impact.

In order for you to practice your craft we'll help you to build your our own pen testing lab. Even if there are multiple ways that you can set up a pen testing lab we're going to use a Windows-based machine and we're going to run virtual machines with different machine images on them.

Let's set that up. That gives us the ability to keep everything local to one machine and it's a great test environment where you don't have to worry about getting anyone else's permissions. We're going to focus on local machines or local virtual machines and we chose to use VirtualBox. VirtualBox is an open-source product from Oracle. It's freely available and it's one of the two leading contenders.

Features

References

Virtualbox setup

Installation

  1. Go to Virtualbox.org
  2. Choose Downloads and download Virtualbox for your specific environment
  3. Download and install the Extension Pack
  4. Run the executable and follow the instructions. It's really straightforward, just accept all the defaults.

Network Configuration

  1. Open Virtualbox and you'll see a brand new environment, with no machines loaded
  2. Go to File > Host Network Manager
  3. Go to Properties to change the default configuration of the adapter
    • Set the default IPv4 address to 10.10.1.1 to set up a new subnet
    • Leave the default value for IPv4 Network Mask 255.255.255.0
  4. Configure the DHCP Server
    • Set the Server Address to 10.10.1.2
    • Leave the default value for Server Mask 255.255.255.0
    • Set the Lower Address Bound to 10.10.1.10
    • Set the Upper Address Bound to 10.10.1.254
  5. Apply the changes and, then now we have a new network.

Virtual Machines Creation

Core Impact Virtual Machine

Machine Setup

  1. Open Virtualbox.

  2. Click on Machine > New.

  3. Fill the machine details

    1. Name Core Impact Lab.
    2. Type: Microsoft Windows.
    3. Version: Windows 10 (64-bit).
    4. Click Next.
    5. Set 8192 MB as Memory size. Click Next.
    6. Select Create a virtual hard disk now. Click Create.
    7. Select VDI (VirtualBox Disk Image). Click Next.
    8. Select Dynamically allocated. Click Next.
    9. Set 50 GB as Disk size. Click Create.
    10. Access Machine Settings > Network.
      1. Enable Adapter 2.
      2. Set the option Attached to to Host-only Adapter.
      3. Click Ok.
  4. Load a Windows 10 (64-bit) Windows ISO and install the operating system.

Mail Server Setup
  1. Download hMailServer

  2. Open an elevated PowerShell Shell and execute the following commands:

    $ReqsPath="C:\users\<MYUSER>\Downloads"
    New-NetFirewallRule -RemoteAddress Any -DisplayName "Mails" -Direction inbound -Profile Any -Action Allow -Protocol TCP -LocalPort @(25, 110, 143, 587)
    $Path = Join-Path -Path $ReqsPath -ChildPath "hMailServer-5.6.7-B2425.exe"
    Start-Process $Path -ArgumentList @('/VERYSILENT', '/SUPPRESSMSGBOXES', '/NORESTART', '/SP-') -Wait -NoNewWindow
  3. Configure hMailServer. Execute the following script in an elevated PowerShell Shell:

    $ListOfUsers = 
    @"
    [
    {
    'Name':'Philip',
    'Domain':'Acme.corp',
    'User':'Philip',
    'Password':'Iamthe1'
    },
    {
    'Name':'Ruth',
    'Domain':'Acme.corp',
    'User':'ruth.lane',
    'Password':'Iamthe1'
    }
    ]
    "@

    $usersList=ConvertFrom-Json $ListOfUsers

    $hrUser=@{
    Name='Human Ressources'
    Domain='Acme.corp'
    User='hr'
    Password='HRdept1'
    }

    $usersList+=New-Object psobject -property $hrUser

    try {
    # Open the firewall ports to allow mail configuration
    $hMailAdminAccount='Administrator'
    $hMailAdminPassword=''

    for ($k=0;$k -lt $usersList.Length;$k++) {
    # Check whether domain already exists
    $hmail = New-Object -ComObject hMailServer.Application
    # Get connection to hMailServer
    $autheticated=$hmail.Authenticate($hMailAdminAccount,$hMailAdminPassword)
    $NumDomains=$hmail.Domains.Count
    $DomainExists = $false
    if ($NumDomains -gt 0)
    {
    for ($i=0;$i -lt $NumDomains;$i++){
    $Domain = $hmail.Domains.Item($i)
    if ($Domain.Name.ToUpper() -eq $usersList[$k].Domain.ToUpper()) {$DomainExists = $true;break;}
    }

    }
    # Create domain if it does not yet exist
    if (-Not $DomainExists){
    $Domain = $hmail.Domains.Add()
    $Domain.Name=$usersList[$k].Domain.ToUpper()
    $Domain.Active=$true
    $Domain.Save()
    }

    # Check whether account already exists
    $AccountsList=$Domain.Accounts
    $NumAccounts=$AccountsList.Count

    $AccountExists = $false
    $mailAddress="{0}@{1}" -f $usersList[$k].User.ToLower(),$usersList[$k].Domain.ToUpper()
    if ($NumAccounts -gt 0)
    {
    for ($j=0;$j -lt $NumAccounts;$j++){
    $Account = $AccountsList.Item($j)
    if ($Account.Address.ToUpper() -eq $mailAddress.ToUpper()) {$AccountExists = $true;break;}
    }

    }
    # Create account if it does not yet exist
    if (-Not $AccountExists){
    $Account = $AccountsList.Add()
    $Account.PersonFirstName=$usersList[$k].Name
    $Account.Address=$mailAddress
    $Account.Password=$usersList[$k].Password
    $Account.Active=$true
    $Account.Save()
    Write-Host ("New Account Created for {0} (email: {1})" -f $usersList[$k].Name,$mailAddress)
    }
    }
    }
    catch {
    Write-Host "Error creating users in the mail server: ${_}" -Level "ERROR"
    throw $_
    }
  4. The mail server and the users are ready to be used on a client access test.

Core Impact Installation

  1. Download the latest version of Core Impact from the Community Portal on the machine where the product will reside. Please note: You need to be logged into the customer portal to access the product download.
  2. Download the third party add-on package from the same portal.
  3. Double-click on the Core Impact installer and follow the wizard. You can access the installation guide here. If internet connectivity is an issue, check the Installing Core Impact Offline section of the guide.
  4. Download the license bundle package from the link you received via Mail
  5. Double-click on the license bundle package.
  6. Enter the passphrase and click Decrypt. This will decrypt the license bundle installer and launch it.
  7. Click Install. Wait for the installer to complete.
  8. Click Finish. The installer will launch Core Impact.
  9. Core Impact needs to be activated on the machine, so please follow the wizard on the demo environment. Go through the wizard to automatically activate via your Internet connection.
  10. Click Finish.

Vulnerable machines setup

Active Directory Setup

Domain Controller
  1. Open Virtualbox.

  2. Click on Machine > New.

  3. Fill the machine details

    1. Name Domain Controller.
    2. Type: Microsoft Windows.
    3. Version: Windows 2019 (64-bit).
    4. Click Next.
    5. Set 8192 MB as Memory size. Click Next.
    6. Select Create a virtual hard disk now. Click Create.
    7. Select VDI (VirtualBox Disk Image). Click Next.
    8. Select Dynamically allocated. Click Next.
    9. Set 50 GB as Disk size. Click Create.
    10. Access Machine Settings > Network.
      1. Enable Adapter 2.
      2. Set the option Attached to to Host-only Adapter.
      3. Click Ok.
  4. Load a Windows Server 2019 (64-bit) Windows ISO and install the operating system. The machine name should be WIN2019DC and the administrator user:

    • user: impact
    • password: SuperSecure1
  5. Access the machine and execute the following commands on an elevated powershell:

    # Install Active Directory feature
    install-windowsfeature AD-Domain-Services
    # Configure Active Directory domain
    Import-Module ADDSDeployment
    $safemodepwd = ConvertTo-SecureString SuperSecure1 -AsPlainText -Force
    Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "7" -DomainName "acme.corp" -DomainNetbiosName "acme" -ForestMode "7" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -SafeModeAdministratorPassword $safemodepwd -Force:$true
    # Install Remote Server administration Tools pack (RSAT)
    Install-WindowsFeature RSAT-ADDS
    # Configure password policy
    Set-ADDefaultDomainPasswordPolicy -Identity "acme.corp" -LockoutDuration 00:01:00 -LockoutObservationWindow 00:01:00 -ComplexityEnabled $false -ReversibleEncryptionEnabled $False -MinPasswordLength 4 -MaxPasswordAge 0

    function AddADUser {
    Param(
    [string]$firstname,
    [string]$lastname,
    [string]$samAccountName,
    [string]$password
    )
    $fullname = "{0} {1}" -f ($firstname , $lastname);
    $principalname = "{0}.{1}" -f ($firstname, $lastname);
    Write-Host "Creating $($samAccountName) User"
    New-ADUser -Name $fullname -GivenName $firstname -Surname $lastname -samAccountName $samAccountName -UserPrincipalName $principalname@$Global:Domain -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    }
    $Global:Domain = "acme.corp"
    $Global:Groups = @("Sales","Accounting","Executives","IT Admins","Marketing");
    $Global:Users = @(@("Ruth", "Lane", "Iamthe1", "Sales"),@("John", "Perry", "blink182", "Accounting"),@("Philip", "Lahm", "Iamthe1", "Executives"),@("Suzanne", "Peacock", "ub2dkxau", "IT Admins"),@("Maude", "Murray", "w9nawku1", "Executives"),@("Lena", "Jackson", "iftzcx0a", "Executives"),@("Paul", "Compton", "29fra989", "Sales"),@("George", "Howell", "19vrzfnn", "Marketing"));
    foreach ($group in $Global:Groups) {
    Write-Host "Creating $($group) Group"
    New-ADGroup -name $group -GroupScope Global
    }
    foreach ($user in $Global:Users) {
    $SamAccountName = '{0}.{1}' -f $user[0],$user[1]
    AddADUser $user[0] $user[1] $SamAccountName $user[2]
    Add-ADGroupMember -Identity $user[3] -Members $SamAccountName
    }
    AddADUser "SQL" "Server" "mssql_svc" "trustno1"
    Set-ADUser -Identity "mssql_svc" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
    Add-ADGroupMember -Identity Administrators -Members "mssql_svc"
    setspn -a WIN2019DC/mssql_svc.acme.corp:60111 acme\mssql_svc
    Set-ADAccountControl -Identity "john.perry" -DoesNotRequirePreAuth 1
Certificate Authority
  1. Open Virtualbox.

  2. Click on Machine > New.

  3. Fill the machine details

    1. Name Certificate Authority Server.
    2. Type: Microsoft Windows.
    3. Version: Windows 2016 (64-bit).
    4. Click Next.
    5. Set 8192 MB as Memory size. Click Next.
    6. Select Create a virtual hard disk now. Click Create.
    7. Select VDI (VirtualBox Disk Image). Click Next.
    8. Select Dynamically allocated. Click Next.
    9. Set 50 GB as Disk size. Click Create.
    10. Access Machine Settings > Network.
      1. Enable Adapter 2.
      2. Set the option Attached to to Host-only Adapter.
      3. Click Ok.
  4. Load a Windows Server 2016 (64-bit) Windows ISO and install the operating system. The machine name should be WIN2016ADCS and the administrator user:

    • user: impact
    • password: SuperSecure1
  5. Access the machine and execute the following commands on an elevated powershell:

    # Add Domain Controller as default DNS Server
    foreach ($c in Get-NetAdapter) { write-host 'Setting DNS for' $c.interfaceName ; Set-DnsClientServerAddress -InterfaceIndex $c.interfaceindex -ServerAddresses ('10.27.34.88')}
    # Join the domain
    $domainname = "acme.corp"
    $username = "acme.corp\impact"
    $password = "SuperSecure1"
    $pass = ConvertTo-SecureString $password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$pass
    Add-Computer -DomainName $domainname -Credential $cred -Force -PassThru -Verbose
    Restart-Computer -Force
  6. Once restarted, access the machine and execute the following commands on an elevated powershell:

    $MachineName='WIN2016ADCS'
    $CACommonName = 'acme-{0}-CA' -f $MachineName

    # Enable SMB Sharing
    Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Any
    #Add user to remote users group
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member "acme.corp\Domain Users"

    Install-WindowsFeature ADCS-Cert-Authority
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -CACommonName $CACommonName -Force

    Install-WindowsFeature ADCS-Web-Enrollment
    Install-AdcsWebEnrollment -Force

    Restart-Computer -Force

  7. Validate that you can access the web enrollment service at http://win2016adcs.acme.corp/certsrv using the admin credentials to access it.

Domain Member Server
  1. Click on Machine > New.

  2. Fill the machine details

    1. Name Domain WorkStation.
    2. Type: Microsoft Windows.
    3. Version: Windows 10 (64-bit).
    4. Click Next.
    5. Set 8192 MB as Memory size. Click Next.
    6. Select Create a virtual hard disk now. Click Create.
    7. Select VDI (VirtualBox Disk Image). Click Next.
    8. Select Dynamically allocated. Click Next.
    9. Set 50 GB as Disk size. Click Create.
    10. Access Machine Settings > Network.
      1. Enable Adapter 2.
      2. Set the option Attached to to Host-only Adapter.
      3. Click Ok.
  3. Load a Windows 10 (64-bit) Windows ISO and install the operating system. The machine name should be WIN10VPN and the administrator user:

    • user: localuser
    • password: EzPassword1234
  4. Access the machine and execute the following commands on an elevated powershell:

    # Join the domain
    $domainname = "acme.corp"
    $username = "acme.corp\impact"
    $password = "SuperSecure1"
    $pass = ConvertTo-SecureString $password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$pass
    Add-Computer -DomainName $domainname -Credential $cred -Force -PassThru -Verbose
    # Enable SMB Sharing
    Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Any
    #Enable autologon
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    New-ItemProperty -Name AutoAdminLogon -Path $key -PropertyType DWord -Value 1 -Force
    New-ItemProperty -Name DefaultUserName -Path $key -Value "ruth.lane" -Force
    New-ItemProperty -Name DefaultPassword -Path $key -Value "Iamthe1" -Force
    New-ItemProperty -Name DefaultDomainName -Path $key -Value "acme.corp" -Force
    #Add user to remote users group
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member "acme.corp\Domain Users"

Vulnerable Linux machines

Metasploitable
  1. Download the Linux Metasploitable 2.0.0 image

  2. Extract the files in the directory where VirtualBox stores the virtual machines. By default C:\Users\<UserName>\VirtualBox VMs

  3. From VirtualBox, click on Machine > New.

  4. Fill the machine details

    1. Name Webapps.

    2. Type: Linux.

    3. Version: Ubuntu (64-bit).

    4. Click Next.

    5. Set 1024 MB as Memory size. Click Next.

    6. Select Use an existing virtual hard disk file.

      1. Select the recently extracted Metasploitable.vmdk file. 2.Click Create.
  5. From the virtual machine configuration, go to Settings > Network and attach the Adapter 1 connection to the Host-only adapter

  6. Start the virtual machine. The user and password are both msfadmin

Ubuntu 14.04
  1. Download the Ubuntu Linux 14.04 ISO image

  2. Click on Machine > New.

  3. Fill the machine details

    1. Name Ubuntu.
    2. Type: Linux.
    3. Version: Ubuntu (64-bit).
    4. Click Next.
    5. Set 1024 MB as Memory size. Click Next.
    6. Select Create a virtual hard disk now. Click Create.
    7. Select VDI (VirtualBox Disk Image). Click Next.
    8. Select Dynamically allocated. Click Next.
    9. Set 10 GB as Disk size. Click Create.
  4. Load the previously downloaded ISO install the operating system.

  5. From the virtual machine configuration, go to Settings > Network and set the option Attached to to Host-only Adapter on the Adapter 1.

  6. Restart the machine

Web Applications

Machine creation
  1. Download Ubuntu Linux 18.04 ISO Image.

  2. Click on Machine > New.

  3. Fill the machine details

    1. Name Webapps.
    2. Type: Linux.
    3. Version: Ubuntu (64-bit).
    4. Click Next.
    5. Set 1024 MB as Memory size. Click Next.
    6. Select Create a virtual hard disk now. Click Create.
    7. Select VDI (VirtualBox Disk Image). Click Next.
    8. Select Dynamically allocated. Click Next.
    9. Set 10 GB as Disk size. Click Create.
  4. Load the previously downloaded ISO install the operating system.

  5. Start the machine

Machine setup
  1. Update packages:

    sudo apt-get -y update
  2. Install Apache web Server:

    sudo apt-get -y install apache2
    sudo a2enmod rewrite
    sudo sed -i '/<Directory \/var\/www\/>/,/<\/Directory>/ s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf
    sudo service apache2 restart
  3. Install MySQL Server:

    sudo apt-get -y install mysql-server
  4. Reset MySQL root password:

    sudo mysql -u root -e "use mysql;update user set authentication_string=PASSWORD('mutillidae') where user='root';update user set plugin='mysql_native_password' where user='root';flush privileges;"
  5. Install PHP:

    sudo apt-get -y install php libapache2-mod-php php-mysql php-curl php-mbstring php-xml
    sudo service apache2 restart
  6. Install vulnerable Sudo:

    sudo apt-get -y --allow-downgrades install sudo=1.8.21p2-3ubuntu1
  7. Mutillidae installation:

    sudo cd /var/www/html/
    sudo git clone --depth 1 --branch 2.8.11 https://github.com/webpwnized/mutillidae.git mutillidae
    # allow multillidae access from other hosts in subnet
    sudo sed -i "/Allow from 192\.168\.0\.0\/16/a Allow from 10.10.1.0/24" ./mutillidae/.htaccess
    sudo service apache2 restart
    # trigger request to initialize mysql database
    sudo curl --silent --output /dev/null http://127.0.0.1/mutillidae/set-up-database.php
  8. DVWA installation:

    sudo cd /var/www/html/
    sudo git clone --depth 1 --branch 2.0.1 https://github.com/digininja/DVWA.git dvwa
    sudo chmod -R 777 dvwa
    sudo cp ./dvwa/config/config.inc.php.dist ./dvwa/config/config.inc.php
    sudo sed -i '2 c $dvwa_WEBROOT = "/var/www/html/";' /var/www/html/dvwa/config/config.inc.php
    sudo sed -i '20 c $_DVWA[ "db_user" ] = "root";' /var/www/html/dvwa/config/config.inc.php
    sudo sed -i '21 c $_DVWA[ "db_password" ] = "mutillidae";' /var/www/html/dvwa/config/config.inc.php
    sudo sed -i '35 c $_DVWA[ "default_security_level" ] = "low";' /var/www/html/dvwa/config/config.inc.php
    sudo mysql -u root -pmutillidae -e "CREATE DATABASE IF NOT EXISTS dvwa"'
  9. From the virtual machine configuration, go to Settings > Network and set the option Attached to to Host-only Adapter on the Adapter 1.

  10. Restart the machine