Lab Environment Setup
Introduction
This unit presents the steps to build your own pen testing lab to run your on-premises trial of Core Impact.
In order for you to practice your craft we'll help you to build your our own pen testing lab. Even if there are multiple ways that you can set up a pen testing lab we're going to use a Windows-based machine and we're going to run virtual machines with different machine images on them.
Let's set that up. That gives us the ability to keep everything local to one machine and it's a great test environment where you don't have to worry about getting anyone else's permissions. We're going to focus on local machines or local virtual machines and we chose to use VirtualBox. VirtualBox is an open-source product from Oracle. It's freely available and it's one of the two leading contenders.
Features
References
Virtualbox setup
Installation
- Go to Virtualbox.org
- Choose Downloads and download Virtualbox for your specific environment
- Download and install the Extension Pack
- Run the executable and follow the instructions. It's really straightforward, just accept all the defaults.
Network Configuration
- Open Virtualbox and you'll see a brand new environment, with no machines loaded
- Go to File > Host Network Manager
- Go to Properties to change the default configuration of the adapter
- Set the default IPv4 address to
10.10.1.1
to set up a new subnet - Leave the default value for IPv4 Network Mask
255.255.255.0
- Set the default IPv4 address to
- Configure the DHCP Server
- Set the Server Address to
10.10.1.2
- Leave the default value for Server Mask
255.255.255.0
- Set the Lower Address Bound to
10.10.1.10
- Set the Upper Address Bound to
10.10.1.254
- Set the Server Address to
- Apply the changes and, then now we have a new network.
Virtual Machines Creation
Core Impact Virtual Machine
Machine Setup
-
Open Virtualbox.
-
Click on Machine > New.
-
Fill the machine details
- Name
Core Impact Lab
. - Type:
Microsoft Windows
. - Version:
Windows 10 (64-bit)
. - Click Next.
- Set
8192 MB
as Memory size. Click Next. - Select
Create a virtual hard disk now
. Click Create. - Select
VDI (VirtualBox Disk Image)
. Click Next. - Select
Dynamically allocated
. Click Next. - Set
50 GB
as Disk size. Click Create. - Access Machine Settings > Network.
- Enable
Adapter 2
. - Set the option Attached to to
Host-only Adapter
. - Click Ok.
- Enable
- Name
-
Load a Windows 10 (64-bit) Windows ISO and install the operating system.
Mail Server Setup
-
Download hMailServer
-
Open an elevated PowerShell Shell and execute the following commands:
$ReqsPath="C:\users\<MYUSER>\Downloads"
New-NetFirewallRule -RemoteAddress Any -DisplayName "Mails" -Direction inbound -Profile Any -Action Allow -Protocol TCP -LocalPort @(25, 110, 143, 587)
$Path = Join-Path -Path $ReqsPath -ChildPath "hMailServer-5.6.7-B2425.exe"
Start-Process $Path -ArgumentList @('/VERYSILENT', '/SUPPRESSMSGBOXES', '/NORESTART', '/SP-') -Wait -NoNewWindow -
Configure hMailServer. Execute the following script in an elevated PowerShell Shell:
$ListOfUsers =
@"
[
{
'Name':'Philip',
'Domain':'Acme.corp',
'User':'Philip',
'Password':'Iamthe1'
},
{
'Name':'Ruth',
'Domain':'Acme.corp',
'User':'ruth.lane',
'Password':'Iamthe1'
}
]
"@
$usersList=ConvertFrom-Json $ListOfUsers
$hrUser=@{
Name='Human Ressources'
Domain='Acme.corp'
User='hr'
Password='HRdept1'
}
$usersList+=New-Object psobject -property $hrUser
try {
# Open the firewall ports to allow mail configuration
$hMailAdminAccount='Administrator'
$hMailAdminPassword=''
for ($k=0;$k -lt $usersList.Length;$k++) {
# Check whether domain already exists
$hmail = New-Object -ComObject hMailServer.Application
# Get connection to hMailServer
$autheticated=$hmail.Authenticate($hMailAdminAccount,$hMailAdminPassword)
$NumDomains=$hmail.Domains.Count
$DomainExists = $false
if ($NumDomains -gt 0)
{
for ($i=0;$i -lt $NumDomains;$i++){
$Domain = $hmail.Domains.Item($i)
if ($Domain.Name.ToUpper() -eq $usersList[$k].Domain.ToUpper()) {$DomainExists = $true;break;}
}
}
# Create domain if it does not yet exist
if (-Not $DomainExists){
$Domain = $hmail.Domains.Add()
$Domain.Name=$usersList[$k].Domain.ToUpper()
$Domain.Active=$true
$Domain.Save()
}
# Check whether account already exists
$AccountsList=$Domain.Accounts
$NumAccounts=$AccountsList.Count
$AccountExists = $false
$mailAddress="{0}@{1}" -f $usersList[$k].User.ToLower(),$usersList[$k].Domain.ToUpper()
if ($NumAccounts -gt 0)
{
for ($j=0;$j -lt $NumAccounts;$j++){
$Account = $AccountsList.Item($j)
if ($Account.Address.ToUpper() -eq $mailAddress.ToUpper()) {$AccountExists = $true;break;}
}
}
# Create account if it does not yet exist
if (-Not $AccountExists){
$Account = $AccountsList.Add()
$Account.PersonFirstName=$usersList[$k].Name
$Account.Address=$mailAddress
$Account.Password=$usersList[$k].Password
$Account.Active=$true
$Account.Save()
Write-Host ("New Account Created for {0} (email: {1})" -f $usersList[$k].Name,$mailAddress)
}
}
}
catch {
Write-Host "Error creating users in the mail server: ${_}" -Level "ERROR"
throw $_
} -
The mail server and the users are ready to be used on a client access test.
Core Impact Installation
- Download the latest version of Core Impact from the Community Portal on the machine where the product will reside. Please note: You need to be logged into the customer portal to access the product download.
- Download the third party add-on package from the same portal.
- Double-click on the Core Impact installer and follow the wizard. You can access the installation guide here. If internet connectivity is an issue, check the Installing Core Impact Offline section of the guide.
- Download the license bundle package from the link you received via Mail
- Double-click on the license bundle package.
- Enter the passphrase and click Decrypt. This will decrypt the license bundle installer and launch it.
- Click Install. Wait for the installer to complete.
- Click Finish. The installer will launch Core Impact.
- Core Impact needs to be activated on the machine, so please follow the wizard on the demo environment. Go through the wizard to automatically activate via your Internet connection.
- Click Finish.
Vulnerable machines setup
Active Directory Setup
Domain Controller
-
Open Virtualbox.
-
Click on Machine > New.
-
Fill the machine details
- Name
Domain Controller
. - Type:
Microsoft Windows
. - Version:
Windows 2019 (64-bit)
. - Click Next.
- Set
8192 MB
as Memory size. Click Next. - Select
Create a virtual hard disk now
. Click Create. - Select
VDI (VirtualBox Disk Image)
. Click Next. - Select
Dynamically allocated
. Click Next. - Set
50 GB
as Disk size. Click Create. - Access Machine Settings > Network.
- Enable
Adapter 2
. - Set the option Attached to to
Host-only Adapter
. - Click Ok.
- Enable
- Name
-
Load a Windows Server 2019 (64-bit) Windows ISO and install the operating system. The machine name should be
WIN2019DC
and the administrator user:- user:
impact
- password:
SuperSecure1
- user:
-
Access the machine and execute the following commands on an elevated powershell:
# Install Active Directory feature
install-windowsfeature AD-Domain-Services
# Configure Active Directory domain
Import-Module ADDSDeployment
$safemodepwd = ConvertTo-SecureString SuperSecure1 -AsPlainText -Force
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "7" -DomainName "acme.corp" -DomainNetbiosName "acme" -ForestMode "7" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -SafeModeAdministratorPassword $safemodepwd -Force:$true
# Install Remote Server administration Tools pack (RSAT)
Install-WindowsFeature RSAT-ADDS
# Configure password policy
Set-ADDefaultDomainPasswordPolicy -Identity "acme.corp" -LockoutDuration 00:01:00 -LockoutObservationWindow 00:01:00 -ComplexityEnabled $false -ReversibleEncryptionEnabled $False -MinPasswordLength 4 -MaxPasswordAge 0
function AddADUser {
Param(
[string]$firstname,
[string]$lastname,
[string]$samAccountName,
[string]$password
)
$fullname = "{0} {1}" -f ($firstname , $lastname);
$principalname = "{0}.{1}" -f ($firstname, $lastname);
Write-Host "Creating $($samAccountName) User"
New-ADUser -Name $fullname -GivenName $firstname -Surname $lastname -samAccountName $samAccountName -UserPrincipalName $principalname@$Global:Domain -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
}
$Global:Domain = "acme.corp"
$Global:Groups = @("Sales","Accounting","Executives","IT Admins","Marketing");
$Global:Users = @(@("Ruth", "Lane", "Iamthe1", "Sales"),@("John", "Perry", "blink182", "Accounting"),@("Philip", "Lahm", "Iamthe1", "Executives"),@("Suzanne", "Peacock", "ub2dkxau", "IT Admins"),@("Maude", "Murray", "w9nawku1", "Executives"),@("Lena", "Jackson", "iftzcx0a", "Executives"),@("Paul", "Compton", "29fra989", "Sales"),@("George", "Howell", "19vrzfnn", "Marketing"));
foreach ($group in $Global:Groups) {
Write-Host "Creating $($group) Group"
New-ADGroup -name $group -GroupScope Global
}
foreach ($user in $Global:Users) {
$SamAccountName = '{0}.{1}' -f $user[0],$user[1]
AddADUser $user[0] $user[1] $SamAccountName $user[2]
Add-ADGroupMember -Identity $user[3] -Members $SamAccountName
}
AddADUser "SQL" "Server" "mssql_svc" "trustno1"
Set-ADUser -Identity "mssql_svc" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
Add-ADGroupMember -Identity Administrators -Members "mssql_svc"
setspn -a WIN2019DC/mssql_svc.acme.corp:60111 acme\mssql_svc
Set-ADAccountControl -Identity "john.perry" -DoesNotRequirePreAuth 1
Certificate Authority
-
Open Virtualbox.
-
Click on Machine > New.
-
Fill the machine details
- Name
Certificate Authority Server
. - Type:
Microsoft Windows
. - Version:
Windows 2016 (64-bit)
. - Click Next.
- Set
8192 MB
as Memory size. Click Next. - Select
Create a virtual hard disk now
. Click Create. - Select
VDI (VirtualBox Disk Image)
. Click Next. - Select
Dynamically allocated
. Click Next. - Set
50 GB
as Disk size. Click Create. - Access Machine Settings > Network.
- Enable
Adapter 2
. - Set the option Attached to to
Host-only Adapter
. - Click Ok.
- Enable
- Name
-
Load a Windows Server 2016 (64-bit) Windows ISO and install the operating system. The machine name should be
WIN2016ADCS
and the administrator user:- user:
impact
- password:
SuperSecure1
- user:
-
Access the machine and execute the following commands on an elevated powershell:
# Add Domain Controller as default DNS Server
foreach ($c in Get-NetAdapter) { write-host 'Setting DNS for' $c.interfaceName ; Set-DnsClientServerAddress -InterfaceIndex $c.interfaceindex -ServerAddresses ('10.27.34.88')}
# Join the domain
$domainname = "acme.corp"
$username = "acme.corp\impact"
$password = "SuperSecure1"
$pass = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$pass
Add-Computer -DomainName $domainname -Credential $cred -Force -PassThru -Verbose
Restart-Computer -Force -
Once restarted, access the machine and execute the following commands on an elevated powershell:
$MachineName='WIN2016ADCS'
$CACommonName = 'acme-{0}-CA' -f $MachineName
# Enable SMB Sharing
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Any
#Add user to remote users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "acme.corp\Domain Users"
Install-WindowsFeature ADCS-Cert-Authority
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -CACommonName $CACommonName -Force
Install-WindowsFeature ADCS-Web-Enrollment
Install-AdcsWebEnrollment -Force
Restart-Computer -Force -
Validate that you can access the web enrollment service at http://win2016adcs.acme.corp/certsrv using the admin credentials to access it.
Domain Member Server
-
Click on Machine > New.
-
Fill the machine details
- Name
Domain WorkStation
. - Type:
Microsoft Windows
. - Version:
Windows 10 (64-bit)
. - Click Next.
- Set
8192 MB
as Memory size. Click Next. - Select
Create a virtual hard disk now
. Click Create. - Select
VDI (VirtualBox Disk Image)
. Click Next. - Select
Dynamically allocated
. Click Next. - Set
50 GB
as Disk size. Click Create. - Access Machine Settings > Network.
- Enable
Adapter 2
. - Set the option Attached to to
Host-only Adapter
. - Click Ok.
- Enable
- Name
-
Load a Windows 10 (64-bit) Windows ISO and install the operating system. The machine name should be
WIN10VPN
and the administrator user:- user:
localuser
- password:
EzPassword1234
- user:
-
Access the machine and execute the following commands on an elevated powershell:
# Join the domain
$domainname = "acme.corp"
$username = "acme.corp\impact"
$password = "SuperSecure1"
$pass = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$pass
Add-Computer -DomainName $domainname -Credential $cred -Force -PassThru -Verbose
# Enable SMB Sharing
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Any
#Enable autologon
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
New-ItemProperty -Name AutoAdminLogon -Path $key -PropertyType DWord -Value 1 -Force
New-ItemProperty -Name DefaultUserName -Path $key -Value "ruth.lane" -Force
New-ItemProperty -Name DefaultPassword -Path $key -Value "Iamthe1" -Force
New-ItemProperty -Name DefaultDomainName -Path $key -Value "acme.corp" -Force
#Add user to remote users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "acme.corp\Domain Users"
Vulnerable Linux machines
Metasploitable
-
Download the Linux Metasploitable 2.0.0 image
-
Extract the files in the directory where VirtualBox stores the virtual machines. By default
C:\Users\<UserName>\VirtualBox VMs
-
From VirtualBox, click on Machine > New.
-
Fill the machine details
-
Name
Webapps
. -
Type:
Linux
. -
Version:
Ubuntu (64-bit)
. -
Click Next.
-
Set
1024 MB
as Memory size. Click Next. -
Select
Use an existing virtual hard disk file
.- Select the recently extracted
Metasploitable.vmdk
file. 2.Click Create.
- Select the recently extracted
-
-
From the virtual machine configuration, go to Settings > Network and attach the Adapter 1 connection to the
Host-only adapter
-
Start the virtual machine. The user and password are both
msfadmin
Ubuntu 14.04
-
Download the Ubuntu Linux 14.04 ISO image
-
Click on Machine > New.
-
Fill the machine details
- Name
Ubuntu
. - Type:
Linux
. - Version:
Ubuntu (64-bit)
. - Click Next.
- Set
1024 MB
as Memory size. Click Next. - Select
Create a virtual hard disk now
. Click Create. - Select
VDI (VirtualBox Disk Image)
. Click Next. - Select
Dynamically allocated
. Click Next. - Set
10 GB
as Disk size. Click Create.
- Name
-
Load the previously downloaded ISO install the operating system.
-
From the virtual machine configuration, go to Settings > Network and set the option Attached to to
Host-only Adapter
on the Adapter 1. -
Restart the machine
Web Applications
Machine creation
-
Download Ubuntu Linux 18.04 ISO Image.
-
Click on Machine > New.
-
Fill the machine details
- Name
Webapps
. - Type:
Linux
. - Version:
Ubuntu (64-bit)
. - Click Next.
- Set
1024 MB
as Memory size. Click Next. - Select
Create a virtual hard disk now
. Click Create. - Select
VDI (VirtualBox Disk Image)
. Click Next. - Select
Dynamically allocated
. Click Next. - Set
10 GB
as Disk size. Click Create.
- Name
-
Load the previously downloaded ISO install the operating system.
-
Start the machine
Machine setup
-
Update packages:
sudo apt-get -y update
-
Install Apache web Server:
sudo apt-get -y install apache2
sudo a2enmod rewrite
sudo sed -i '/<Directory \/var\/www\/>/,/<\/Directory>/ s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf
sudo service apache2 restart -
Install MySQL Server:
sudo apt-get -y install mysql-server
-
Reset MySQL root password:
sudo mysql -u root -e "use mysql;update user set authentication_string=PASSWORD('mutillidae') where user='root';update user set plugin='mysql_native_password' where user='root';flush privileges;"
-
Install PHP:
sudo apt-get -y install php libapache2-mod-php php-mysql php-curl php-mbstring php-xml
sudo service apache2 restart -
Install vulnerable Sudo:
sudo apt-get -y --allow-downgrades install sudo=1.8.21p2-3ubuntu1
-
Mutillidae installation:
sudo cd /var/www/html/
sudo git clone --depth 1 --branch 2.8.11 https://github.com/webpwnized/mutillidae.git mutillidae
# allow multillidae access from other hosts in subnet
sudo sed -i "/Allow from 192\.168\.0\.0\/16/a Allow from 10.10.1.0/24" ./mutillidae/.htaccess
sudo service apache2 restart
# trigger request to initialize mysql database
sudo curl --silent --output /dev/null http://127.0.0.1/mutillidae/set-up-database.php -
DVWA installation:
sudo cd /var/www/html/
sudo git clone --depth 1 --branch 2.0.1 https://github.com/digininja/DVWA.git dvwa
sudo chmod -R 777 dvwa
sudo cp ./dvwa/config/config.inc.php.dist ./dvwa/config/config.inc.php
sudo sed -i '2 c $dvwa_WEBROOT = "/var/www/html/";' /var/www/html/dvwa/config/config.inc.php
sudo sed -i '20 c $_DVWA[ "db_user" ] = "root";' /var/www/html/dvwa/config/config.inc.php
sudo sed -i '21 c $_DVWA[ "db_password" ] = "mutillidae";' /var/www/html/dvwa/config/config.inc.php
sudo sed -i '35 c $_DVWA[ "default_security_level" ] = "low";' /var/www/html/dvwa/config/config.inc.php
sudo mysql -u root -pmutillidae -e "CREATE DATABASE IF NOT EXISTS dvwa"' -
From the virtual machine configuration, go to Settings > Network and set the option Attached to to
Host-only Adapter
on the Adapter 1. -
Restart the machine