If we are using Linux as a base operating system, we will need to update our software repository's information before installing anything on it. Open a Terminal and issue the following command:

# sudo apt-get update

The following steps need to be performed for installing VirtualBox:

# sudo apt-get install virtualbox

# virtualbox

VirtualBox will allow us to run multiple machines inside our computer through virtualization. With this, we can mount a full laboratory with different computers using different operating systems and run them in parallel as far as the memory resources and processing power of our host allow us to.

The VirtualBox extension pack gives the VirtualBox's virtual machine extra features, such as USB 2.0/3.0 support and remote desktop capabilities. It can be downloaded from https://www.virtualbox.org/wiki/Downloads. After it is downloaded, just double-click on it and VirtualBox will do the rest.

There are some other virtualization options out there. If you don't feel comfortable using VirtualBox, you may want to try the following:

Kali Linux can be obtained from its official download page https://www.kali.org/downloads/. For this recipe, we will use the 64-bit image (the first option on the page).

The process of creating a virtual machine in VirtualBox is pretty straightforward; let's look at this and perform the following steps:

 

In this recipe, we created our first virtual machine in VirtualBox, set the reserved amount of memory our base operating system will share with it, and created a new virtual hard disk file for the VM to use and set the maximum size. We also configured the VM to start with a CD/DVD image and, from there, installed Kali Linux the same way we would install it on a physical computer.

To install Kali Linux, we used the graphical installer and selected guided disk partitioning, this is, when we install an operating system, especially a Unix-based one, we need to define which parts of the system are installed (or mounted) in which partitions of the hard disk; luckily for us, Kali Linux's installation can take care of that and we only need to select the hard disk and confirm the proposed partitioning. We also configured Kali to use the network repositories for the package manager. This will allow us to install and update software from the internet and keep our system up to date.

There are different (and easier) ways to get Kali Linux running in a virtual machine. For example, there are pre-built virtual machine images available to download from the Offensive Security site: https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/. We chose this method as it involves the complete process of creating a virtual machine and installing Kali Linux from scratch.

Once you have a working instance of Kali Linux up and running, perform the following steps:

In this recipe, we have covered a basic procedure for package updates in Debian-based systems (such as Kali Linux) by using the standard software manager, apt. The first call to apt-get with the update parameter downloaded the most recent list of packages available for our specific system in the configured repositories. As Kali Linux is now a rolling distribution, this means that it is constantly updated and that there are no breaks between one version and the next; the full-upgrade parameter downloads and installs system (such as kernel and kernel modules) and non-system packages up to their latest version. If no major changes have been made, or we are just trying to keep an already installed version up to date, we can use the upgrade parameter instead.

In the last part of this recipe, we installed the kali-linux-web meta-package. A meta-package for apt is an installable package that contains many other packages, so we only need to install one package and all of the ones included will be installed. In this case, we installed all web penetration testing tools included in Kali Linux.

Firefox is a very flexible browser that fits the purpose of web penetration testing very well; it also comes pre-installed in Kali Linux. Let's customize it a little bit to make it better using the following steps:

So far, we've just installed some tools in our web browser, but what are these tools good for when it comes to penetration testing a web application? The add-ons installed are as follows:

Other add-ons that could prove useful for web application penetration testing are the following:

 

 

OWASP BWA is hosted in SourceForge, a popular repository for open source projects. The following steps will help us in creating a vulnerable virtual machine:

OWASP BWA is a project aimed at providing security professionals and enthusiasts with a safe environment to develop attacking skills and identify and exploit vulnerabilities in web applications, in order to be able to help developers and administrators fix and prevent them.

 

This virtual machine includes different types of web applications; some of them are based on PHP, some in Java. We even have a couple of .NET-based vulnerable applications. There are also some vulnerable versions of known applications, such as WordPress or Joomla.

There are many options when we talk about vulnerable applications and virtual machines. A remarkable website that holds a great collection of such applications is VulnHub (https://www.vulnhub.com/). It also has walkthroughs that will help you to solve some challenges and develop your skills.

In this book, we will use another virtual machine for some recipes, bWapp bee-box, which can be downloaded from the project's site: https://sourceforge.net/projects/bwapp/files/bee-box/.

There are also virtual machines that are thought of as self-contained web penetration testing environments, in other words, they contain vulnerable web applications, but also the tools for testing and exploiting the vulnerabilities. A couple of other relevant examples are:

Before we proceed, open VirtualBox and make sure that the vulnerable server and client virtual machines are turned off.

VirtualBox creates virtual network adapters in the base system in order to manage DHCP and virtual networks. These adapters are independent from the ones assigned to virtual machines; we will create a virtual network and add the Kali and vulnerable virtual machines to it by using the following steps:

ifconfig

ping 192.168.56.11

arping -c 4 192.168.56.103

A host-only network is a virtual network that acts as a LAN, but its reach is limited to the host that is running the virtual machines without exposing them to external systems. This kind of network also provides a virtual adapter for the host to communicate with the virtual machines as if they were in the same network segment.

With the configuration we just made, we will be able to communicate between the machine that will take the roles of client and attacking machine in our tests and the web server that will host our target applications.

We need to have our vulnerable_vm running and its network correctly configured. For this book, we will be using 192.168.56.10 as its IP address.

The steps that need to be performed are as follows: 

The applications in the home page are organized in the following six groups:

Even though OWASP BWA is one of the most complete collections of vulnerable web applications for testing purposes, there are other virtual machines and web applications that could complement it as they contain different applications, frameworks, or configurations. The following are worth a try: