- Author: JollyFrogs, Brisbane, Australia
- Version: 1.03
- Revision date: 30 July 2015
- Note: This guide is written for a Windows 7 64-bit host OS; I strongly advise using this operating system to install your OSCP machines.
- This is the hardware that I used to set up this lab, if you don't have similar or better hardware, I advise investing a little in getting good hardware:
- Asus Maximus Hero VI motherboard
- 32GB memory (Kingston)
- Intel 120GB SSD
- Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
- Windows 7 64-bit (6.1.7601 SP1)
- I have created this lab using my own network IP addressing, details of which are:
- (All subnet masks in the LAN are /24 aka 255.255.255.0)
- The following components are what I start with, just my PC and a router which I used as default gateway to connect to the internet:
- 10.1.1.1 = My physical internet router (a Ubiquiti ERLite3) which acts as my default gateway and DNS server.
- 10.1.1.110 = My main PC LAN interface, we will lose this IP when we configure a BRIDGE interface later
- The following IP addresses are used for various components that are added during this guide:
- 10.1.1.110 = My main PC BRIDGE interface
- 10.1.1.199 = Kali 1.1.0a VirtualBox VM
- You have two options when following this guide:
- 1) Rename all references to the IP addresses above and in this guide to IP addresses you are using on your LAN.
- or
- 2) Renumber your internal network IP addressing to use the same IP addresses as in this guide.
- You do not need hardware components to set up this lab other than a beefy PC, everything will be running in VirtualBox on your PC.
- ------------
- Preparations
- ------------
- Important notice: Do not skim over these instructions, they provide the foundation of your environment. Any typo or mistake here will affect your environment later in unpredictable ways, please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, please re-read the instructions carefully and ensure you haven't made a typo.
- IMPORTANT NOTE: I don't isolate hosts on my network. This is a very *UNSAFE* practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquiti ERLite3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don't feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of set up via "Host-only adapters" but this guide doesn't cover such a setup.
- Get required files:
- --------------------
- VirtualBox 4.3.26 R98988:
- http://dlc-cdn.sun.com/virtualbox/4.3.26/VirtualBox-4.3.26-98988-Win.exe
- Kali 1.1.0a (kali-linux-1.1.0a-i486.iso):
- http://images.offensive-security.com/kali-linux-1.1.0a-vm-486.7z
- NOTE: For the OSCP exam, you'll need the 32-bit Kali, NOT the 64-bit version as people have reported issues with 64-bit.
- NOTE: Don't get the "PAE" version of Kali Linux! Some buffer overflows will be running on your Kali and PAE will make the exercise needlessly hard.
- NOTE: You can also choose to use the PWK specific version of Kali: http://downloads.kali.org/kali-486-vm.rar
- Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network
- -------------------------------------------------------------------------------------------------------
- - Click the Windows Start button (bottom left)
- - type "cmd" but do not press enter
- - Right-click "cmd.exe" (top of start bar menu) and select "run as Administrator" (Click "Yes" to confirm)
- Note: In the black cmd.exe screen:
- - type "hdwwiz.exe" and press Enter
- Note: the "Add Hardware Wizard" window opens
- - Click "Next"
- - Select “Install the hardware that I manually select from a list (Advanced)” and click "Next"
- - Select “Network adapters” and click "Next"
- - Select “Microsoft” and “Microsoft Loopback Adapter” under Manufacturer and Network Adapter respectively, then click "Next"
- - Click "Next" to install the loopback adapter
- - Click "Finish" to close the "Add Hardware" screen
- Note: We're still in the black cmd.exe screen:
- - type "ncpa.cpl" and press Enter
- Note: the "Network Connections" window opens
- - Right-click the adapter "Microsoft Loopback Adapter" and select "Rename"
- - Rename the Loopback Adapter to "LOOPBACK" to remove confusion later
- - Right-click your wired network adapter and select "Rename"
- - Rename your wired network adapter to "LAN"
- - Highlight (left click while holding CTRL key pressed) both the LOOPBACK adapter and your LAN network adapter
- - Right click on the LOOPBACK while both adapters are highlighted and select "Bridge Connections"
- Note: This will create a new network card called "Network Bridge"
- - Right-click your new bridge adapter and select "Rename"
- - Rename the new bridge adapter to "BRIDGE"
- - Right-click "BRIDGE" and select "Properties"
- In the "BRIDGE Properties" screen:
- - Left-click (this highlights) "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
- In the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen:
- In the "General" tab at the top:
- Select "Use the following IP address"
- IP address: 10.1.1.110
- Subnet mask: 255.255.255.0
- Default gateway: 10.1.1.1
- Preferred DNS server: 10.1.1.1
- Alternate DNS server: <leave blank>
- - Click "OK" to close the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen
- - Click "Close" to close the "BRIDGE Properties" screen
- Note: We're still in the black cmd.exe screen:
- - type "ping www.google.com"
- Note: You should see replies from Google's web server. Your BRIDGE adapter is now your main network adapter
- Note: Do not proceed if you do not have internet connectivity
- - Close the "Command Prompt" black cmd.exe screen
- Install VirtualBox
- ------------------
- Run "C:\GNS3\INSTALLERS\VirtualBox-4.3.26-98988-Win.exe"
- Note: Click "Yes" on any opening warnings
- - Click "Next"
- - Click "Next" (install all options)
- - Click "Next"
- - Click "Yes"
- - Click "Install" to start the installation
- - Click "Yes" at the UAC warning screen
- - Click "Install" to install the device driver
- - Click "Finish"
- Install Kali 1.1.0a on VirtualBox 4.3.26 R98988
- -----------------------------------------------
- http://downloads.kali.org/kali-486-vm.rar
- Unzip the file "kali-linux-1.1.0a-vm-486.7z" to E:\VIRTUALBOX_DISKS\kali\
- Start "Oracle VM VirtualBox"
- - Click "New"
- Name: Kali110a-32bit-nopae-v101
- Type: Linux
- Version: Debian (32 bit)
- - Click "Next"
- MB: 2048
- - Click "Next"
- Select "Use an existing virtual hard drive file"
- - Click the little yellow folder with the green arrow
- Choose: "E:\VIRTUALBOX_DISKS\kali\Kali-Linux-1.1.0-vm-486.vmdk"
- - Click "Create"
- NOTE: A new icon "Kali110a-32bit-nopae-v101" was created in your "Oracle VM VirtualBox Manager"
- NOTE: Leave settings at default unless otherwise stated below
- NOTE: I'm showing some important settings even though they are defaults, in case the defaults change some day
- - Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Settings..."
- General - Advanced - Shared Clipboard: "Bidirectional"
- System - Motherboard - Floppy: Untick
- System - Processor - Enable PAE/NX: Make sure this is NOT ticked
- Audio - Enable Audio: Untick
- Network - Adapter 1 - Enable Network Adapter: Tick
- Network - Adapter 1 - Attached to: "Bridged Adapter"
- Network - Adapter 1 - Name: "MAC Bridge Miniport"
- Network - Adapter 1 - Advanced - Adapter Type: "Intel PRO/1000 MT Desktop (82540EM)"
- Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All
- Network - Adapter 1 - Advanced - MAC Address: 222222222222
- NOTE: Set the MAC address to an easily identifiable MAC
- Network - Adapter 1 - Advanced - Cable Connected: Tick
- - Click "OK" to close the "Kali110a-32bit-nopae-v101 - Settings" screen
- - Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Start"
- Note: A new screen "Kali110a-32bit-nopae-v101 [Running] - Oracle VM VirtualBox" opens and the Kali Linux installer will boot.
- In the "Kali110a-32bit-nopae-v101 [Running] - Oracle VM VirtualBox" screen:
- Your new Kali installation will boot, let it time out for 5s in the GRUB menu
- You will be presented with the Kali login screen
- Click anywhere in the screen with your mouse
- Note: To release the mouse from VirtualBox, press the rightmost CTRL key on your keyboard
- - Click "Other..."
- - Username: root
- - Password: toor
- Note: You will be presented a desktop environment.
- In the top of the screen, click the black >_ icon ("terminal")
- In the "root@Kali110a:~" terminal window type:
- # ifconfig
- # ping 8.8.8.8
- Note: You should see replies from 8.8.8.8
- # apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
- # reboot
- # apt-get install linux-headers-$(uname -r)
- # apt-get install virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11 -y
- # reboot
- Note: After rebooting you will notice that your mouse magically enters and exits the VM. This is because of the VirtualBox Additions!
- - Click "Other..."
- Username: root
- Password: toor
- Note: Now that you have installed the VirtualBox additions to Kali, you can:
- - Seamlessly move the mouse in and out of the virtual machine
- - Copy/Paste to and from the virtual machine using clipboard
- - Share folders between the virtual machine guest and your host machine
- Note: We're going to install some additional tools that we might need later:
- In the top of the screen, click the black >_ icon ("terminal")
- In the "root@kali:~" terminal window type (omit "root@kali:~# "):
- # apt-get -y install gedit
- # shutdown -h now
- Note: Now that we have a good clean install of Kali Linux, we'll back it up so you can restore a clean install in minutes if required
- In the "Oracle VM VirtualBox Manager" window:
- - Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Settings..."
- - Click "Storage" -> Right-Click "Kali-Linux-1.1.0-vm-486.vmdk" -> Click "Remove Attachment"
- - Click "OK" in the bottom
- Open a Windows cmd.exe prompt and type:
- "C:\program files\oracle\virtualbox\vboxmanage.exe" clonehd --format VDI "D:\STUDY\OSCP\KALIVM\kali-linux-1.1.0a-vm-486\Kali-Linux-1.1.0-vm-486\Kali-Linux-1.1.0-vm-486.vmdk" "D:\STUDY\OSCP\VIRTUAL_MACHINES\Kali110a-32bit-nopae-v101.vdi"
- Note: The conversion could take up to 15 minutes
- In the "Oracle VM VirtualBox Manager" window:
- - Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Settings..."
- - Click "Storage" -> Right-Click "Controller: SATA" and choose "Add Hard Disk" -> "Choose existing disk"
- - Choose "D:\STUDY\OSCP\VIRTUAL_MACHINES\Kali110a-32bit-nopae-v101.vdi" and Click "Open"
- - Click "OK" in the bottom
- - Click "File" -> "Export Appliance..."
- - Left-click "Kali110a-32bit-nopae-v101" to highlight it
- - Click "Next >"
- File: "D:\STUDY\OSCP\VIRTUAL_MACHINES\VANILLA_BACKUPS\Kali110a-32bit-nopae-v101.ova"
- Format: "OVF 1.0"
- Write Manifest file: Tick
- - Click "Next >"
- - Click "Export"
- Note: The export can take quite a while.
- - Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Start"
- Note: We fix some startup and shutdown warnings and errors
- # update-rc.d rpcbind defaults && update-rc.d rpcbind enable
- # update-rc.d pulseaudio remove
- # apt-get remove libccid -y
- Note: Install additional tools
- # apt-get install ldap-utils -y
- # gem install rake
- # apt-get install freerdp-x11 -y
- # mkdir /opt/tools/ ; cd /opt/tools/ && git clone https://github.com/leebaird/discover.git
- # cd /opt/tools/discover/ && /opt/tools/discover/setup.sh
- # cd /tmp/ && git clone https://github.com/pentestgeek/smbexec.git && cd /tmp/smbexec/ && echo 1 | /tmp/smbexec/install.sh
- NOTE: fimap is a RFI/LFI scanner that automates RFI exploitation
- # git clone https://tha-imax.de/git/root/fimap.git /opt/tools/fimap
- NOTE: b374k is a php shell with useful features
- # git clone https://github.com/b374k/b374k.git /opt/tools/b374k
- # cd /opt/tools/b374k && php -f index.php -- -l
- # php -f index.php -- -o jollyshell.php -p somepassword -s -b -z gzcompress -c 9
- # mv jollyshell.php /root/jollyshell_somepassword.php
- NOTE: MinGW is used to compile C code intended to be run on Windows machines
- # apt-get install mingw32 -y
- NOTE: sqlmap contains useful Windows and Linux libraries to assist in MySQL and PostgreSQL exploitation
- # git clone https://github.com/sqlmapproject/sqlmap.git /opt/tools/sqlmap
- NOTE: We install Flash because who knows you might need it
- # wget https://fpdownload.adobe.com/get/flashplayer/pdc/11.2.202.466/install_flash_player_11_linux.i386.tar.gz
- # tar zxvf install_flash_player_11_linux.i386.tar.gz
- # cp libflashplayer.so /usr/lib/mozilla/plugins/
- NOTE: ColdFusion requires Java, you might need it
- # wget http://download.oracle.com/otn-pub/java/jdk/8u45-b14/jdk-8u45-linux-i586.tar.gz?AuthParam=1434959032_b00c937d8fbce26ae2b7a1543e98e50b
- # tar zxvf jdk-8u45-linux-i586.tar.gz && mv jdk1.8.0_45/ /opt && cd /opt/jdk1.8.0_45/
- # update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_45/bin/java 1
- # update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_45/bin/javac 1
- # update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /opt/jdk1.8.0_45/jre/lib/i386/libnpjp2.so 1
- # update-alternatives --set java /opt/jdk1.8.0_45/bin/java
- # update-alternatives --set javac /opt/jdk1.8.0_45/bin/javac
- # update-alternatives --set mozilla-javaplugin.so /opt/jdk1.8.0_45/jre/lib/i386/libnpjp2.so
- # /opt/jdk1.8.0_45/bin/ControlPanel
- - Click Security tab and add "https://*" and "http://*" to the exception site list
- NOTE: pass-the-hash allows authentication to Windows services via an LM/NTLM hash instead of a password
- # cd /opt/tools/
- # wget https://passing-the-hash.googlecode.com/files/wmiPTH-1.0-1.deb
- # wget https://passing-the-hash.googlecode.com/files/winexePTH1.1.0-1.deb
- # dpkg -i winexePTH1.1.0-1.deb && dpkg -i wmiPTH-1.0-1.deb
- Note: Veil installs lots of applications, use defaults and overwrite whatever it needs including python!
- # cd /opt/tools/ && git clone https://github.com/Veil-Framework/Veil-Evasion.git Veil
- # cd /opt/tools/ && wget http://ftp.tku.edu.tw/kali/pool/main/p/python-pefile/python-pefile_1.2.9.1-1_all.deb
- # dpkg -i python-pefile_1.2.9.1-1_all.deb
- # mv /opt/tools/Veil /opt/tools/Veil-Evasion
- # cd /opt/tools/Veil-Evasion/setup && echo y | /opt/tools/Veil-Evasion/setup/setup.sh
- NOTE: Veil-Catapult can be used to inject shells via pass-the-hash mechanisms
- # cd /opt/tools/
- # wget -c https://pypi.python.org/packages/source/i/impacket/impacket-0.9.11.tar.gz
- NOTE: The archive name in the tar and cd commands must match the file you just downloaded
- # tar -xzf impacket-0.9.11.tar.gz && cd impacket-0.9.11 && python setup.py build
- # cp -r build/lib.linux-i686-2.7/ /usr/lib/pymodules/python2.7/
- # wget -c https://github.com/Veil-Framework/Veil-Catapult/archive/master.zip
- # unzip -q master.zip && mv Veil-Catapult-master Veil-Catapult
- # cd /opt/tools/Veil-Catapult/ && sh setup.sh
- # mkdir /opt/tools/wce/ && cd /tmp/ && wget http://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
- # unzip -d /opt/tools/wce/ wce_v1_41beta_universal.zip && rm -f wce_v1_41beta_universal.zip
- # cd /opt/tools/ && git clone https://bitbucket.org/LaNMaSteR53/peepingtom.git
- # cd /opt/tools/peepingtom/ && wget https://gist.githubusercontent.com/nopslider/5984316/raw/423b02c53d225fe8dfb4e2df9a20bc800cc78e2c/gnmap.pl
- # wget http://phantomjs.googlecode.com/files/phantomjs-1.9.2-linux-$(uname -m).tar.bz2
- # tar xf phantomjs-1.9.2-linux-$(uname -m).tar.bz2
- # cp /opt/tools/peepingtom/phantomjs-1.9.2-linux-$(uname -m)/bin/phantomjs .
- # cd /usr/share/nmap/scripts/ && wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse
- # cd /opt/tools/ && git clone https://github.com/mattifestation/PowerSploit.git && cd /opt/tools/PowerSploit/
- # wget https://raw.githubusercontent.com/obscuresec/random/master/StartListener.py
- # wget https://raw.githubusercontent.com/darkoperator/powershell_scripts/master/ps_encoder.py
- # cd /opt/tools/ && git clone https://github.com/SpiderLabs/Responder.git
- # cd /opt/tools/ && git clone https://github.com/trustedsec/social-engineer-toolkit.git set
- # cd /opt/tools/set/ && /opt/tools/set/setup.py install
- # git clone https://github.com/longld/peda.git /opt/peda && echo "source /opt/peda/peda.py" >> ~/.gdbinit
- # mkdir /opt/tools/paexec && cd /opt/tools/paexec/ && wget http://www.poweradmin.com/paexec/paexec.exe
- # mkdir /opt/tools/mimikatz && cd /opt/tools/mimikatz/
- # wget https://github.com/gentilkiwi/mimikatz/releases/download/2.0.0-alpha-20150607/mimikatz_trunk.zip
- # unzip mimikatz_trunk.zip && rm mimikatz_trunk.zip
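- NOTE: The following is an added check script, not part of the original guide. It walks the paths that the install commands above are expected to create under /opt/tools, /opt/peda and /usr/share/nmap/scripts and reports any that are missing, so a typo in one of the long command chains is caught now rather than in the lab. The list of paths is derived from the commands above; the root argument lets you point it at a scratch directory for testing.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the tools the
# guide clones or unpacks actually landed where the commands put them.

# Paths created by the install commands in the guide (directories or files).
EXPECTED_PATHS='
/opt/tools/discover/setup.sh
/opt/tools/fimap
/opt/tools/b374k/index.php
/opt/tools/sqlmap
/opt/tools/Veil-Evasion/setup/setup.sh
/opt/tools/Veil-Catapult/setup.sh
/opt/tools/wce
/opt/tools/peepingtom/gnmap.pl
/opt/tools/peepingtom/phantomjs
/opt/tools/PowerSploit/StartListener.py
/opt/tools/PowerSploit/ps_encoder.py
/opt/tools/Responder
/opt/tools/set/setup.py
/opt/tools/paexec/paexec.exe
/opt/tools/mimikatz
/opt/peda/peda.py
/usr/share/nmap/scripts/banner-plus.nse
'

# check_tools ROOT: test every expected path below ROOT (use "" for the
# real filesystem). Missing paths go to stderr, the count goes to stdout.
check_tools() {
    root=$1
    missing=0
    for p in $EXPECTED_PATHS; do
        if [ ! -e "$root$p" ]; then
            echo "MISSING: $root$p" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# On the Kali VM: run against the real filesystem and stop if anything is missing.
if [ "${1:-}" = "--run" ]; then
    n=$(check_tools "")
    echo "$n tool path(s) missing"
    [ "$n" -eq 0 ]
fi
```

Run it as "sh check_tools.sh --run" on the Kali VM after the commands above have completed.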
- # update-rc.d postgresql enable && update-rc.d metasploit enable
- # /etc/init.d/postgresql start && /etc/init.d/metasploit start
- # msfconsole
- =[ metasploit v4.11.2-2015052901 [core:4.11.2.pre.2015052901 api:1.0.0]]
- + -- --=[ 1454 exploits - 829 auxiliary - 229 post ]
- + -- --=[ 376 payloads - 37 encoders - 8 nops ]
- + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
- msf > db_status
- msf > search auxiliary
- NOTE: It can take a while before the database has updated the cache (10-60 minutes)
- Open up another terminal and type:
- # sudo -H -u postgres bash -c 'psql -d msf3 -c "select count(*) from module_details;"' | sed -n 3p
- NOTE: The query will return the number of rows updated so far.
- NOTE: Add up all the exploits, auxiliary, post, payloads, encoders and nops in the welcome message
- NOTE: In our case, that's 1454+829+229+376+37+8=2933. The command returns 2933 so the database is up to date.
- msf > exit
- # msfconsole
- msf > search auxiliary
- NOTE: You should not see the warning anymore that the database is disconnected or the cache has not been updated
- msf > exit
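- NOTE: The following is an added helper, not part of the original guide. It automates the arithmetic above: it sums the six module counts printed in the msfconsole banner and compares the total with the row count that the psql query returns, so you can tell whether the module cache is complete without adding the numbers by hand. The banner text embedded below is a constructed copy of the sample output shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the msfconsole
# banner totals with the module_details row count to see if the cache
# build has finished.

# Constructed sample: the banner exactly as shown in the guide above.
BANNER='=[ metasploit v4.11.2-2015052901 [core:4.11.2.pre.2015052901 api:1.0.0]]
+ -- --=[ 1454 exploits - 829 auxiliary - 229 post ]
+ -- --=[ 376 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]'

# banner_total TEXT: print the sum of every "<number> <kind>" pair for the
# six module kinds (exploits, auxiliary, post, payloads, encoders, nops).
banner_total() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^[0-9]+$/ &&
                    $(i+1) ~ /^(exploits|auxiliary|post|payloads|encoders|nops)$/)
                    total += $i
        }
        END { print total + 0 }'
}

# cache_ready TEXT COUNT: succeed when COUNT (the psql row count) equals
# the banner total, i.e. every module has been cached.
cache_ready() {
    expected=$(banner_total "$1")
    [ "$2" -eq "$expected" ]
}

# On the Kali VM the count comes from the guide's query; here it is only
# shown, since this script is meant to run offline.
#   count=$(sudo -H -u postgres bash -c \
#       'psql -d msf3 -c "select count(*) from module_details;"' | sed -n 3p)
#   cache_ready "$BANNER" "$count" && echo "cache up to date"
```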
- # passwd
- NOTE: We add the username and password to the login banner so we do not forget our password later
- NOTE: This is the kind of practice that gets real administrators in trouble, never do this in production environments!
- # sed -i "/banner-message-text/a banner-message-text='user=root pass=jollyfrogs'" /etc/gdm3/greeter.gsettings
- # sed -i "/banner-message-text/a banner-message-enable=true" /etc/gdm3/greeter.gsettings
- NOTE: "locate" command uses a database that is first built using "updatedb"
- # sudo updatedb
- # nmap --script-updatedb
- NOTE: lab-connection.conf is sent to you in your welcoming email. You can modify it to include the password if you want
- # gedit ~/.config/autostart/gnome-terminal.desktop
- ---
- [Desktop Entry]
- Type=Application
- Exec=gnome-terminal --geometry 2x2 -e "/usr/sbin/openvpn --status /var/run/openvpn.client.status 10 --cd /root/lab-connection/ --config /root/lab-connection/lab-connection.conf --syslog openvpn"
- Hidden=false
- X-GNOME-Autostart-enabled=true
- Name[en_US]=OpenVPN lab-connection.conf
- Name=OpenVPN lab-connection.conf
- Comment[en_US]=OpenVPN lab-connection.conf
- Comment=OpenVPN lab-connection.conf
- ---
- # shutdown -h now
- Note: After verifying everything works, we back up our VM so you can restore a clean install in minutes if required
- In the "Oracle VM VirtualBox Manager" window:
- - Click "File" -> "Export Appliance..."
- - Left-click "Kali110a-32bit-nopae-v101" to highlight it
- - Click "Next >"
- File: "D:\STUDY\OSCP\VIRTUAL_MACHINES\VANILLA_BACKUPS\Kali110a-32bit-nopae-v101-all-apps.ova"
- Format: "OVF 1.0"
- Write Manifest file: Tick
- - Click "Next >"
- - Click "Export"
- Note: The export can take quite a while
- Note: After the export finishes, we have completed the installation of Kali for the PWK labs!