As a future ethical hacker or penetration tester, it is quite important when testing exploits, payloads, or practicing your hacking skills that you do not disrupt or cause any sort of harm or damage to another person's systems or network infrastructure, such as that of your organization. While there are many tutorials, videos, and training programs you can read and view to gain knowledge, working in the field of penetration testing means focuses on continuously enhancing your skills. Many people can speak about hacking and explain the methodology quite clearly but don't know how to perform an attack. When learning about penetration testing, it's very important to understand the theory and how to use your skills to apply them to a real-world cyberattack.

In this chapter, you will learn how to design and create your penetration testing lab environment on your existing computer using virtualization technologies. You will...

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

• Oracle VM VirtualBox: https://www.virtualbox.org/wiki/Downloads
• Oracle VM VirtualBox Extension Pack: https://www.virtualbox.org/wiki/Downloads
• Vagrant: https://www.vagrantup.com/downloads
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
• Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
• Metasploitable 3: https://app.vagrantup.com/rapid7/boxes/metasploitable3-win2k8
• OWASP Broken Web Applications: https://sourceforge.net/projects/owaspbwa/files/

Building a virtual penetration testing lab allows you to create an environment that is safe for you to hone your skills in, scale the environment to add new vulnerable systems and even remove older legacy systems that you may no longer need, and even create virtual networks to pivot your attacks from one network to another. The concept of creating your very own virtualized penetration testing lab allows you to maximize the resources on your existing computer, without the need to purchase online lab time from various service providers or even buy additional computers and services. Overall, you'll be saving a lot of money as opposed to buying physical computers and networking equipment such as switches and routers.

As a cybersecurity trainer and professional, I have noticed that many people who are beginning their journeys within the field of information technology (IT) usually think that a physical lab infrastructure is needed...

While there are many other hypervisors available within the industry, Oracle VM VirtualBox is a free and simple-to-use hypervisor that contains almost all the cool and awesome features as the commercial products. In this section, you will learn how to set up both the VirtualBox hypervisor and create virtual networks.

Before getting started, the following are some important factors and requirements:

• Ensure your processor supports VT-x/AMD-V virtualization features.
• Ensure the virtualization feature is enabled within your BIOS/UEFI.

Let's get started!

Part 1 – deploying the hypervisor

While there are many hypervisor applications from various vendors within the industry, we will be using Oracle VirtualBox throughout this book. However, if you wish to use another hypervisor, simply ensure you configure it using the same systems and network design. To begin deploying Oracle VirtualBox, perform...

The Kali Linux operating system is built on the Debian flavor of Linux and consists of over 300 preinstalled tools, with functions ranging from reconnaissance to exploitation and even forensics. The Kali Linux operating system has been designed not only for security professionals but also for IT administrators and even network security professionals within the industry. Being a free security operating system, it contains the tools necessary to conduct security testing.

Kali Linux has a lot of features and tools that make a penetration tester's or security engineer's job a bit easier when they're working. There are many tools, scripts, and frameworks for accomplishing various tasks, such as gathering information on a target, performing network scanning, vulnerability discovery, and even exploitation, to name just a few.

In this section, you will learn how to set up Kali Linux as a virtual machine, establish network connections...

When building a penetration testing lab, it's important to include vulnerable systems that will act as our targets. These systems contain intentional vulnerable services and applications so that we can practice and build our skills to understand how to discover and exploit vulnerabilities. A very popular vulnerable machine is known as Metasploitable 2. This vulnerable machine contains a lot of vulnerabilities that can be exploited and is good for learning about penetration testing.

Let's get started!

Part 1 – deploying Metasploitable 2

The following steps will help you acquire Metasploitable 2 vulnerable virtual machines so that you can deploy them within the hypervisor:

1. Go to https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ and download the metasploitable-linux-2.0.0.zip file onto your host system.
2. Once the ZIP file has been downloaded, extract (unzip) its contents to the location...

In this section, you will learn how to deploy the two versions of Metasploitable 3 as vulnerable virtual machines using Vagrant. Metasploitable 3 is currently the latest version that's available for the Metasploitable line of vulnerable virtual machines created by Rapid7. These can help us learn about penetration testing and vulnerability assessments. A Windows version and a Linux version are available.

Let's get started!

Part 1 – setting up the Windows version

To start setting up the Windows version of Metasploitable 3, please use the following instructions:

1. Go to https://www.vagrantup.com/downloads, download Vagrant 2.2.17, and install it on your computer.
2. Once Vagrant has been installed, you will be prompted to reboot your system; ensure you do.
3. Once your system has been rebooted, open the Windows Command Prompt and use the following commands to install the Vagrant Reload and vbguest plugins:

   C...

Learning how to simulate real-world cyberattacks using Kali Linux would not be complete without understanding how to discover and exploit vulnerabilities within web applications. The Open Web Application Security Project (OWASP) is an organization that focuses on improving security through software, including web applications. OWASP is known for its OWASP Top 10 list of most critical security risks within web applications.

Important Note

At the time of writing this book, the latest version of OWASP Top 10 is 2017. More information can be found at the following URL: https://owasp.org/www-project-top-ten/2017/.

As an aspiring penetration tester, it's important to understand how to identify and perform security testing on each category within the OWASP Top 10 list. OWASP created a few projects that allow learners to safely use their offensive security skills and techniques in a safe environment to discover web application...

In this chapter, you learned about the importance of building your very own penetration testing lab on your computer. You learned how to use hypervisors to virtualize the hardware resources on a system, which can then be shared with multiple operating systems that are running at the same time on the same system. Furthermore, you have gained the skills needed to set up Kali Linux as a penetration testing virtual machine with vulnerable targets such as Metasploitable 2, as well as with vulnerable web application platforms such as the OWASP Juice Shop and OWASP BWA projects.

I hope this chapter has been informative for you and is helpful in your journey as an aspiring penetration tester, learning how to simulate real-world cyberattacks to discover security vulnerabilities and perform exploitation using Kali Linux. In the next chapter, Chapter 3, Setting Up for Advanced Hacking Techniques, you will learn how to set up a red team lab environment to perform advanced penetration...

To learn more on the topics that were covered in this chapter, take a look at the following resources:

• Why secure web-based applications? https://hub.packtpub.com/why-secure-web-based-applications-with-kali-linux/
• Kali Linux 2021.2 release information: https://www.kali.org/blog/kali-linux-2021-2-release/