As an aspiring ethical hacker and penetration tester, it’s important to ensure that you do not disrupt or cause any sort of harm or damage to another person’s systems or network infrastructure, such as that of your organization, when testing exploits and payloads or practicing your hacking skills. While there are many online tutorials, videos, and training materials you can read and view to gain knowledge, working in the field of penetration testing means continuously enhancing your offensive security skills. Many people can speak about hacking and explain the methodology quite clearly but don’t know how to perform an attack. When learning about penetration testing, it’s very important to understand the theory and how to use your skills to apply them to a simulated real-world cyberattack.

In this chapter, you will learn how to design and build a virtualized penetration testing lab environment on your personal computer...

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

• Oracle VM VirtualBox – https://www.virtualbox.org/wiki/Downloads
• Oracle VM VirtualBox Extension Pack – https://www.virtualbox.org/wiki/Downloads
• Kali Linux – https://www.kali.org/get-kali/
• Vagrant – https://www.vagrantup.com/
• The Open Web Application Security Project (OWASP) Juice Shop – https://owasp.org/www-project-juice-shop/
• Metasploitable 2 (Linux) – https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
• Metasploitable 3 (Windows and Linux) – https://app.vagrantup.com/rapid7

We’ll be covering the process of setting up Kali Linux, Vagrant, the OWASP Juice Shop, and Metasploitable 2 and 3 in detail in the chapter.

Building a penetration testing lab enables you to create an environment that’s safe for you to practice and enhance your offensive security skills, scale the environment to add new vulnerable systems and remove older legacy systems that you may no longer need, and even create additional virtual networks to pivot your attacks from one network to another.

The concept of creating your very own virtualized penetration testing lab allows you to maximize the computing resources on your existing computer, without the need to purchase online lab time from various service providers or even buy additional computers and devices. Overall, you’ll be saving a lot of money as opposed to buying physical computers and networking equipment such as routers and switches.

As a cybersecurity lecturer and professional, I have noticed that many people who are starting their journeys in the field of information technology (IT) usually...

There are many hypervisors from various vendors in the information technology industry. However, Oracle VM VirtualBox is a free and simple-to-use hypervisor that has all the essential features of commercial (paid) products. In this section, you will learn how to set up Oracle VM VirtualBox and create virtual networks on your computer.

Before getting started, the following are important factors and requirements:

• Ensure the computer’s processor supports virtualization features, such as VT-x/AMD-V.
• Ensure the virtualization feature is enabled on your processor via the Basic Input/Output System (BIOS) / Unified Extensible Firmware Interface (UEFI) firmware.

Let’s get started!

Part 1 – setting up the hypervisor...

Kali Linux is one of the most popular Linux distributions within the cybersecurity industry as it contains over 300 pre-installed software packages that are designed for mostly offensive security assessments. Kali Linux is built on the Debian flavor of Linux and, being a free operating system, it has gained a lot of attention over the years by cybersecurity professionals in the industry. It has a lot of features and tools that make a penetration tester’s or security engineer’s job a bit easier when they’re working.

Ethical hackers and penetration testers commonly use Kali Linux to perform passive reconnaissance (covered in Chapters 4 and 5), scanning and enumeration (covered in Chapter 6), exploitation (covered in Chapter 8), and even post-exploitation techniques (covered in Chapters 10 and 11) on targeted systems and networks. While many folks usually think Kali Linux is designed only for offensive security professionals...

Learning how to simulate real-world cyberattacks using Kali Linux would not be complete without understanding how to discover and exploit vulnerabilities within web applications. The OWASP is an organization that focuses on improving security through software, including web applications. The OWASP is known for its OWASP Top 10 list of most critical security risks within web applications. In Chapters 16 and 17, you will learn how to identify and exploit common vulnerabilities within web applications.

As an aspiring ethical hacker and penetration tester, it’s important to understand how to identify and perform security testing on each category within...

When building a penetration testing lab, it’s important to include vulnerable systems that will act as our targets. These systems contain intentionally vulnerable services and applications, enabling us to practice and build our skills to better understand how to discover and exploit vulnerabilities. A very popular vulnerable machine is known as Metasploitable 2. This vulnerable machine contains a lot of security vulnerabilities that can be exploited and is good for learning about ethical hacking and penetration testing.

To get started setting up Metasploitable 2 within our lab environment, please use the following instructions:

Part 1 – deploying Metasploitable 2

The following steps will guide you to acquiring the Metasploitable 2 virtual machine and deploying it within Oracle VM VirtualBox Manager:

1. Firstly, on your host computer, go to https://sourceforge.net/projects/metasploitable/files/Metasploitable2...

In this section, you will learn how to build and deploy Metasploitable 3, both the Windows server and Linux server versions. The Windows server version will be using a dual-homed network connection to both the PentestNet network (172.30.1.0/24) and HiddenNet network (10.11.12.0/24). This setup will enable us to perform pivoting and lateral movement between different networks. Finally, the Linux server version will be connected to the HiddenNet network (10.11.12.0/24) only.

The following diagram shows the logical connections between systems and networks:

Figure 2.46: Low-level lab diagram

As shown in the preceding diagram, this topology goes more in depth on how the virtual machines are interconnected within our virtual lab environment. For instance, to access the Metasploitable 3 – Linux version, we will need to first compromise the Metasploitable 3 – Windows version via the PentestNet network, then pivot our attacks...

Having completed this chapter, you learned about the importance of building your very own penetration testing lab on your computer. You learned how to use hypervisors to virtualize the hardware resources on a system, which can then be shared with multiple operating systems that are running at the same time on the same system. In addition, you have gained the skills of setting up and deploying Kali Linux, multiple vulnerable systems, and web applications within a virtualized environment.

You established a foundational understanding of virtualization technology, gained practical experience in configuring a secure, isolated lab environment, and practiced hands-on skills in utilizing penetration testing tools within that environment.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding...

• OWASP Top 10 – https://owasp.org/www-project-top-ten/
• Kali Linux Blog – https://www.kali.org/blog/

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet