Jollyfrogs OSCP installation guide 1.03

Jul 29th, 2015
Author: JollyFrogs, Brisbane, Australia
Version: 1.03
Revision date: 30 July 2015

Note: This guide is written for a Windows 7 64-bit host OS. I strongly advise using this operating system to install your OSCP machines.

This is the hardware that I used to set up this lab. If you don't have similar or better hardware, I advise investing a little in getting good hardware:
Asus Maximus Hero VI motherboard
32GB memory (Kingston)
Intel 120GB SSD
Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
Windows 7 64-bit (6.1.7601 SP1)

I have created this lab using my own network IP addressing, details of which are:
(All subnet masks in the LAN are /24 aka 255.255.255.0)

The following components are what I start with, just my PC and a router which I use as default gateway to connect to the internet:
10.1.1.1 = My physical internet router (a Ubiquiti ERLite-3) which acts as my default gateway and DNS server.
10.1.1.110 = My main PC LAN interface; we will lose this IP when we configure a BRIDGE interface later

The following IP addresses are used for various components that are added during this guide:
10.1.1.110 = My main PC BRIDGE interface
10.1.1.199 = Kali 1.1.0a VirtualBox VM

You have two options when following this guide:
1) Replace all references to the IP addresses above and in this guide with IP addresses you are using on your LAN.
or
2) Renumber your internal network IP addressing to use the same IP addresses as in this guide.

You do not need hardware components to set up this lab other than a beefy PC; everything will be running in VirtualBox on your PC.

------------
Preparations
------------

Important notice: Do not skim over these instructions, they provide the foundation of your environment. Any typo or mistake here will affect your environment later in unpredictable ways, so please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, re-read the instructions carefully and ensure you haven't made a typo.

IMPORTANT NOTE: I don't isolate hosts on my network. This is a very *UNSAFE* practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquiti ERLite-3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don't feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of setup via "Host-only adapters", but this guide doesn't cover such a setup.

Get required files:
--------------------
VirtualBox 4.3.26 R98988:
http://dlc-cdn.sun.com/virtualbox/4.3.26/VirtualBox-4.3.26-98988-Win.exe

Kali 1.1.0a VirtualBox image (kali-linux-1.1.0a-vm-486.7z):
http://images.offensive-security.com/kali-linux-1.1.0a-vm-486.7z
NOTE: For the OSCP exam, you'll need the 32-bit Kali, NOT the 64-bit version, as people have reported issues with 64-bit.
NOTE: Don't get the "PAE" version of Kali Linux! Some buffer overflows will be run on your Kali, and a PAE kernel enables the NX bit (non-executable stack) on 32-bit x86, which makes those exercises needlessly hard.
NOTE: You can also choose to use the PWK-specific version of Kali: http://downloads.kali.org/kali-486-vm.rar
NOTE: Both downloads are served over plain HTTP, so verify them against the checksums published on the Kali download page before you boot or install anything.

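Before installing anything from the links above, check each download against the checksum list the vendor publishes. The script below is an added example, not part of the original guide: it assumes a checksum file in the "sha256sum" line format (such as the SHA256SUMS file published next to the Kali images), and the digests used in its demo are constructed, not the real hashes of these downloads.

```sh
#!/bin/sh
# verify_downloads.sh - refuse to use an installer or VM image whose SHA-256 does
# not match a published checksum list. Added example, not part of the original
# guide. Assumes a checksum file in the "sha256sum" line format
#   <64 hex digits>  <filename>
# such as the SHA256SUMS file published next to the Kali images; the digests in
# the demo are constructed and are NOT the real hashes of the guide's downloads.

# verify_sums SUMSFILE DIR : check every entry of SUMSFILE against DIR/<filename>.
# Prints OK / MISMATCH / MISSING per file and succeeds only if all files match.
verify_sums() {
    sums="$1"; dir="$2"; status=0
    while read -r expected name; do
        case "$expected" in ""|\#*) continue ;; esac     # blank or comment line
        name="${name#\*}"                                 # "*file" = binary-mode marker
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name"; status=1; continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"
            echo "          expected $expected"
            echo "          got      $actual"
            status=1
        fi
    done < "$sums"
    return "$status"
}

# demo : a constructed download directory. The empty file matches the well-known
# SHA-256 of empty input (e3b0c442...); the second entry is given a wrong digest
# to show what a tampered or truncated download looks like.
demo() {
    d=$(mktemp -d)
    : > "$d/kali-demo.7z"
    printf 'not the real installer\n' > "$d/installer-demo.exe"
    cat > "$d/SHA256SUMS" <<'EOF'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  kali-demo.7z
0000000000000000000000000000000000000000000000000000000000000000  installer-demo.exe
EOF
    verify_sums "$d/SHA256SUMS" "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

if [ $# -eq 2 ]; then
    verify_sums "$1" "$2"       # usage: verify_downloads.sh SHA256SUMS /path/to/downloads
elif [ $# -eq 0 ]; then
    demo || echo "demo: one or more files failed verification (exit 1), as intended"
fi
```

Run it as "sh verify_downloads.sh SHA256SUMS ~/Downloads" after saving the vendor's checksum file next to the downloads; a non-zero exit means at least one file is missing or does not match, and that file must not be installed.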
Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network
-------------------------------------------------------------------------------------------------------
- Click the Windows Start button (bottom left)
- Type "cmd" but do not press Enter
- Right-click "cmd.exe" (top of the Start menu) and select "Run as administrator" (click "Yes" to confirm)
Note: In the black cmd.exe screen:
- Type "hdwwiz.exe" and press Enter
Note: The "Add Hardware Wizard" window opens
- Click "Next"
- Select "Install the hardware that I manually select from a list (Advanced)" and click "Next"
- Select "Network adapters" and click "Next"
- Select "Microsoft" and "Microsoft Loopback Adapter" under Manufacturer and Network Adapter respectively, then click "Next"
- Click "Next" to install the loopback adapter
- Click "Finish" to close the "Add Hardware" screen
Note: We're still in the black cmd.exe screen:
- Type "ncpa.cpl" and press Enter
Note: The "Network Connections" window opens
- Right-click the adapter "Microsoft Loopback Adapter" and select "Rename"
- Rename the Loopback Adapter to "LOOPBACK" to remove confusion later
- Right-click your wired network adapter and select "Rename"
- Rename your wired network adapter to "LAN"
- Highlight both the LOOPBACK adapter and your LAN adapter (left-click each while holding the CTRL key)
- Right-click LOOPBACK while both adapters are highlighted and select "Bridge Connections"
Note: This will create a new network adapter called "Network Bridge"
- Right-click your new "Network Bridge" adapter and select "Rename"
- Rename the bridge adapter to "BRIDGE"
- Right-click "BRIDGE" and select "Properties"
In the "BRIDGE Properties" screen:
- Left-click (this highlights) "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
In the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen:
In the "General" tab at the top:
Select "Use the following IP address"
IP address: 10.1.1.110
Subnet mask: 255.255.255.0
Default gateway: 10.1.1.1
Preferred DNS server: 10.1.1.1
Alternate DNS server: <leave blank>
Note: Bridging removes the IP configuration from the member adapters (LAN and LOOPBACK); from now on the bridge carries it, which is why 10.1.1.110 moves from LAN to BRIDGE.
- Click "OK" to close the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen
- Click "Close" to close the "BRIDGE Properties" screen
Note: We're still in the black cmd.exe screen:
- Type "ping www.google.com"
Note: You should see replies from the Google web server. Your BRIDGE adapter is now your main network adapter.
Note: Do not proceed if you do not have internet connectivity
- Close the "Command Prompt" black cmd.exe screen

Install VirtualBox
------------------
Run "C:\GNS3\INSTALLERS\VirtualBox-4.3.26-98988-Win.exe" (or wherever you saved the installer)
Note: Click "Yes" on any opening warnings
- Click "Next"
- Click "Next" (install all options)
- Click "Next"
- Click "Yes" (the installer warns that installing the VirtualBox networking feature will briefly reset your network connection)
- Click "Install" to start the installation
- Click "Yes" at the UAC warning screen
- Click "Install" to install the device driver
- Click "Finish"

Install Kali 1.1.0a on VirtualBox 4.3.26 R98988
-----------------------------------------------
Extract the file "kali-linux-1.1.0a-vm-486.7z" (or the PWK-specific image from http://downloads.kali.org/kali-486-vm.rar) to E:\VIRTUALBOX_DISKS\kali\

Start "Oracle VM VirtualBox"
- Click "New"
Name: Kali110a-32bit-nopae-v101
Type: Linux
Version: Debian (32 bit)
- Click "Next"
MB: 2048
- Click "Next"
Select "Use an existing virtual hard drive file"
- Click the little yellow folder with the green arrow
Choose: "E:\VIRTUALBOX_DISKS\kali\Kali-Linux-1.1.0-vm-486.vmdk"
- Click "Create"
NOTE: A new icon "Kali110a-32bit-nopae-v101" was created in your "Oracle VM VirtualBox Manager"

NOTE: Leave settings at default unless otherwise stated below
NOTE: I'm showing some important settings even though they are defaults, in case the defaults change some day
- Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Settings..."
General - Advanced - Shared Clipboard: "Bidirectional"
System - Motherboard - Boot Order - Floppy: Untick
System - Processor - Enable PAE/NX: Make sure this is NOT ticked
Audio - Enable Audio: Untick
Network - Adapter 1 - Enable Network Adapter: Tick
Network - Adapter 1 - Attached to: "Bridged Adapter"
Network - Adapter 1 - Name: "MAC Bridge Miniport"
NOTE: "MAC Bridge Miniport" is the host-side device behind the "BRIDGE" connection you created earlier; bridging to it puts Kali on your LAN as if it were a physical host
Network - Adapter 1 - Advanced - Adapter Type: "Intel PRO/1000 MT Desktop (82540EM)"
Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All
Network - Adapter 1 - Advanced - MAC Address: 222222222222
NOTE: Set the MAC address to an easily identifiable MAC. 22:22:22:22:22:22 is a good choice: the second hex digit marks it as a locally administered unicast address, so it cannot collide with a vendor-assigned MAC and is not a multicast address.
Network - Adapter 1 - Advanced - Cable Connected: Tick
- Click "OK" to close the "Kali110a-32bit-nopae-v101 - Settings" screen
- Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Start"

Note: A new screen "Kali110a-32bit-nopae-v101 [Running] - Oracle VM VirtualBox" opens and the pre-installed Kali Linux image boots (there is no installer to run).

In the "Kali110a-32bit-nopae-v101 [Running] - Oracle VM VirtualBox" screen:
Your new Kali installation will boot; let the GRUB menu time out (5s)
You will be presented with the Kali login screen
Click anywhere in the screen with your mouse
Note: To release the mouse from VirtualBox, press the rightmost CTRL key on your keyboard (the VirtualBox "Host key")
- Click "Other..."
- Username: root
- Password: toor
Note: You will be presented with a desktop environment.

At the top of the screen, click the black >_ icon ("terminal")
In the "root@kali:~" terminal window type (omit the "root@kali:~# " prompt, shown here as "# "):
# ifconfig
# ping 8.8.8.8
Note: ifconfig should show eth0 with an address in your LAN range (10.1.1.x), and you should see replies from 8.8.8.8
# apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
# reboot
Note: After the reboot, log in again (root / toor), open a terminal and continue. The reboot matters: the headers must match the kernel that is actually running, and dist-upgrade may have installed a newer one.
# apt-get install linux-headers-$(uname -r) -y
# apt-get install virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11 -y
# reboot
Note: After rebooting you will notice that your mouse magically enters and exits the VM. This is because of the VirtualBox Guest Additions!
- Click "Other..."
Username: root
Password: toor
Note: Now that you have installed the VirtualBox Guest Additions in Kali, you can:
- Seamlessly move the mouse in and out of the virtual machine
- Copy/paste to and from the virtual machine using the clipboard
- Share folders between the virtual machine guest and your host machine

Note: We're going to install some additional tools that we might need later:
At the top of the screen, click the black >_ icon ("terminal")
In the "root@kali:~" terminal window type (omit "root@kali:~# "):
# apt-get -y install gedit
# shutdown -h now

Note: Now that we have a good clean install of Kali Linux, we'll back it up so you can restore a clean install in minutes if required
In the "Oracle VM VirtualBox Manager" window:
- Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Settings..."
- Click "Storage" -> Right-click "Kali-Linux-1.1.0-vm-486.vmdk" -> Click "Remove Attachment"
- Click "OK" at the bottom

Open a Windows cmd.exe prompt and type:
"C:\program files\oracle\virtualbox\vboxmanage.exe" clonehd --format VDI "E:\VIRTUALBOX_DISKS\kali\Kali-Linux-1.1.0-vm-486.vmdk" "D:\STUDY\OSCP\VIRTUAL_MACHINES\Kali110a-32bit-nopae-v101.vdi"
Note: The source is the .vmdk you extracted and attached earlier; the conversion could take up to 15 minutes

In the "Oracle VM VirtualBox Manager" window:
- Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Settings..."
- Click "Storage" -> Right-click "Controller: SATA" and choose "Add Hard Disk" -> "Choose existing disk"
- Choose "D:\STUDY\OSCP\VIRTUAL_MACHINES\Kali110a-32bit-nopae-v101.vdi" and click "Open"

- Click "OK" at the bottom

- Click "File" -> "Export Appliance..."
- Left-click "Kali110a-32bit-nopae-v101" to highlight it
- Click "Next >"
File: "D:\STUDY\OSCP\VIRTUAL_MACHINES\VANILLA_BACKUPS\Kali110a-32bit-nopae-v101.ova"
Format: "OVF 1.0"
Write Manifest file: Tick
- Click "Next >"
- Click "Export"
Note: The export can take quite a while. The manifest (.mf) holds SHA-1 digests of the exported files, so VirtualBox can detect a corrupted or altered backup when you import it later.

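The VM settings listed under "Install Kali 1.1.0a on VirtualBox" and the clonehd / Export Appliance backup steps above can be captured in one VBoxManage script, so the same VM can be rebuilt identically instead of being clicked together. This is an added example, not the guide's own procedure. It assumes VBoxManage is on PATH (on the Windows host the same commands run from cmd.exe via the vboxmanage.exe path used above), that the host adapter is "MAC Bridge Miniport", and it writes the guide's drive-letter paths in the forward-slash form Git Bash accepts; adjust them to your machine. With DRY_RUN=1 (the default) it only prints the commands. It also refuses a MAC address that is not a locally administered unicast address, the property the guide's 222222222222 relies on.

```sh
#!/bin/sh
# build_kali_vm.sh - the VirtualBox settings and the vanilla-backup steps of this
# guide as a repeatable VBoxManage script. Added example, not part of the original
# guide. Assumptions: VBoxManage is on PATH (on the Windows host the same commands
# work from cmd.exe with "C:\program files\oracle\virtualbox\vboxmanage.exe"), and
# the paths below are the guide's drive letters written the way Git Bash accepts
# them; adjust them to your own machine. With DRY_RUN=1 (the default) the script
# only prints the commands, so it can be reviewed before anything changes.

VM_NAME="${VM_NAME:-Kali110a-32bit-nopae-v101}"
HOST_BRIDGE="${HOST_BRIDGE:-MAC Bridge Miniport}"     # host adapter behind the BRIDGE connection
VM_MAC="${VM_MAC:-222222222222}"
SRC_VMDK="${SRC_VMDK:-E:/VIRTUALBOX_DISKS/kali/Kali-Linux-1.1.0-vm-486.vmdk}"
VDI="${VDI:-D:/STUDY/OSCP/VIRTUAL_MACHINES/Kali110a-32bit-nopae-v101.vdi}"
OVA="${OVA:-D:/STUDY/OSCP/VIRTUAL_MACHINES/VANILLA_BACKUPS/Kali110a-32bit-nopae-v101.ova}"
DRY_RUN="${DRY_RUN:-1}"

# run ARGS... : print the VBoxManage command line (quoting arguments that contain
# spaces) and execute it unless DRY_RUN=1.
run() {
    printf 'VBoxManage'
    for arg in "$@"; do
        case "$arg" in
            *" "*) printf ' "%s"' "$arg" ;;
            *)     printf ' %s' "$arg" ;;
        esac
    done
    printf '\n'
    [ "$DRY_RUN" = 1 ] || VBoxManage "$@"
}

# mac_is_safe MAC : succeed only for a 12-hex-digit MAC whose first octet has the
# multicast bit (bit 0) clear and the locally-administered bit (bit 1) set, i.e.
# the second hex digit is 2, 6, A or E. Such an address can neither be mistaken
# for multicast nor collide with a vendor-assigned (OUI) address.
mac_is_safe() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;          # non-hex character
    esac
    case "$1" in
        ?[26AaEe]??????????) return 0 ;;     # exactly 12 digits, local unicast
        *) return 1 ;;
    esac
}

# create_vm : the guide's "New" wizard plus every Settings item it lists
# (2048 MB, PAE/NX off, no audio, bidirectional clipboard, no floppy in the boot
# order, one bridged Intel PRO/1000 MT Desktop NIC in promiscuous mode).
create_vm() {
    if ! mac_is_safe "$VM_MAC"; then
        echo "refusing MAC $VM_MAC: not a locally administered unicast address" >&2
        return 1
    fi
    run createvm --name "$VM_NAME" --ostype Debian --register
    run modifyvm "$VM_NAME" --memory 2048 \
        --clipboard bidirectional \
        --boot1 disk --boot2 dvd --boot3 none --boot4 none \
        --pae off \
        --audio none \
        --nic1 bridged --bridgeadapter1 "$HOST_BRIDGE" \
        --nictype1 82540EM --nicpromisc1 allow-all \
        --macaddress1 "$VM_MAC" --cableconnected1 on
    run storagectl "$VM_NAME" --name SATA --add sata --controller IntelAHCI
    run storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$SRC_VMDK"
}

# backup_vm : detach the .vmdk, convert it to a VDI, reattach that, and export
# an OVF 1.0 appliance with a manifest (SHA-1 digests of the exported files).
backup_vm() {
    run storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 --medium none
    run clonehd "$SRC_VMDK" "$VDI" --format VDI
    run storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$VDI"
    run export "$VM_NAME" --output "$OVA" --ovf10 --manifest
}

case "${1:-all}" in
    create) create_vm ;;
    backup) backup_vm ;;
    all)    create_vm && backup_vm ;;
    *)      echo "usage: $0 [create|backup|all]   (set DRY_RUN=0 to execute)" >&2; exit 2 ;;
esac
```

Review the printed commands first, then run "DRY_RUN=0 sh build_kali_vm.sh create" before the first boot and "DRY_RUN=0 sh build_kali_vm.sh backup" once the VM is shut down; VBoxManage refuses to clone or detach a disk while the VM is running.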
- Right-click "Kali110a-32bit-nopae-v101" in the left menu and click "Start"
Note: Log in again (root / toor) and open a terminal for the commands below

Note: We fix some startup and shutdown warnings and errors
# update-rc.d rpcbind defaults && update-rc.d rpcbind enable
# update-rc.d pulseaudio remove
# apt-get remove libccid -y

Note: Install additional tools. Most of these are fetched with git or over plain HTTP and then run as root; where a project publishes a checksum or signature, check it before running its installer.
# apt-get install ldap-utils -y

# gem install rake

# apt-get install freerdp-x11 -y

# mkdir -p /opt/tools/ && cd /opt/tools/ && git clone https://github.com/leebaird/discover.git
# cd /opt/tools/discover/ && /opt/tools/discover/setup.sh

# cd /tmp/ && git clone https://github.com/pentestgeek/smbexec.git && cd /tmp/smbexec/ && echo 1 | /tmp/smbexec/install.sh

NOTE: fimap is an RFI/LFI scanner that automates RFI exploitation
# git clone https://tha-imax.de/git/root/fimap.git /opt/tools/fimap

NOTE: b374k is a PHP shell with useful features; "-l" lists the available modules and the second command builds a password-protected, compressed copy
# git clone https://github.com/b374k/b374k.git /opt/tools/b374k
# cd /opt/tools/b374k && php -f index.php -- -l
# php -f index.php -- -o jollyshell.php -p somepassword -s -b -z gzcompress -c 9
# mv jollyshell.php /root/jollyshell_somepassword.php

NOTE: MinGW is used to compile C code intended to be run on Windows machines
# apt-get install mingw32 -y

NOTE: sqlmap contains useful Windows and Linux libraries to assist in MySQL and PostgreSQL exploitation
# git clone https://github.com/sqlmapproject/sqlmap.git /opt/tools/sqlmap

NOTE: We install Flash because who knows, you might need it
# wget https://fpdownload.adobe.com/get/flashplayer/pdc/11.2.202.466/install_flash_player_11_linux.i386.tar.gz
# tar zxvf install_flash_player_11_linux.i386.tar.gz
# cp libflashplayer.so /usr/lib/mozilla/plugins/

NOTE: ColdFusion requires Java, you might need it
NOTE: The AuthParam token in the Oracle URL below expires after a short time; accept the licence on Oracle's download page and copy a fresh link. The "-O" makes wget save the file under its proper name instead of a name ending in "?AuthParam=...", which the tar command below would not find.
# wget -O jdk-8u45-linux-i586.tar.gz "http://download.oracle.com/otn-pub/java/jdk/8u45-b14/jdk-8u45-linux-i586.tar.gz?AuthParam=1434959032_b00c937d8fbce26ae2b7a1543e98e50b"
# tar zxvf jdk-8u45-linux-i586.tar.gz && mv jdk1.8.0_45/ /opt && cd /opt/jdk1.8.0_45/
# update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_45/bin/java 1
# update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_45/bin/javac 1
# update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /opt/jdk1.8.0_45/jre/lib/i386/libnpjp2.so 1
# update-alternatives --set java /opt/jdk1.8.0_45/bin/java
# update-alternatives --set javac /opt/jdk1.8.0_45/bin/javac
# update-alternatives --set mozilla-javaplugin.so /opt/jdk1.8.0_45/jre/lib/i386/libnpjp2.so

# /opt/jdk1.8.0_45/bin/ControlPanel
- Click the Security tab and add "https://*" and "http://*" to the Exception Site List
NOTE: This disables Java's site blocking for every site. That is acceptable for a lab browser that only talks to lab targets; never do it on a machine you browse the internet with.

NOTE: pass-the-hash allows authentication to Windows services via the LM/NTLM hash instead of the password
# cd /opt/tools/
# wget https://passing-the-hash.googlecode.com/files/wmiPTH-1.0-1.deb
# wget https://passing-the-hash.googlecode.com/files/winexePTH1.1.0-1.deb
# dpkg -i winexePTH1.1.0-1.deb && dpkg -i wmiPTH-1.0-1.deb

Note: Veil installs lots of applications; use the defaults and let it overwrite whatever it needs, including Python!
# cd /opt/tools/ && git clone https://github.com/Veil-Framework/Veil-Evasion.git
# cd /opt/tools/ && wget http://ftp.tku.edu.tw/kali/pool/main/p/python-pefile/python-pefile_1.2.9.1-1_all.deb
# dpkg -i python-pefile_1.2.9.1-1_all.deb
# cd /opt/tools/Veil-Evasion/setup && echo y | /opt/tools/Veil-Evasion/setup/setup.sh

NOTE: Veil-Catapult can be used to inject shells via pass-the-hash mechanisms
# cd /opt/tools/
# wget -c https://pypi.python.org/packages/source/i/impacket/impacket-0.9.11.tar.gz
# tar -xzf impacket-0.9.11.tar.gz && cd impacket-0.9.11 && python setup.py install
NOTE: The archive name in the tar command must match the file wget saved; "setup.py install" puts the impacket package on Python's path
# cd /opt/tools/ && wget -c https://github.com/Veil-Framework/Veil-Catapult/archive/master.zip
# unzip -q master.zip && mv Veil-Catapult-master Veil-Catapult
# cd /opt/tools/Veil-Catapult/ && sh setup.sh

# mkdir -p /opt/tools/wce/ && cd /tmp/ && wget http://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
# unzip -d /opt/tools/wce/ wce_v1_41beta_universal.zip && rm -f wce_v1_41beta_universal.zip

# cd /opt/tools/ && git clone https://bitbucket.org/LaNMaSteR53/peepingtom.git
# cd /opt/tools/peepingtom/ && wget https://gist.githubusercontent.com/nopslider/5984316/raw/423b02c53d225fe8dfb4e2df9a20bc800cc78e2c/gnmap.pl
# wget http://phantomjs.googlecode.com/files/phantomjs-1.9.2-linux-$(uname -m).tar.bz2
# tar xf phantomjs-1.9.2-linux-$(uname -m).tar.bz2
# cp /opt/tools/peepingtom/phantomjs-1.9.2-linux-$(uname -m)/bin/phantomjs .

# cd /usr/share/nmap/scripts/ && wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse

# cd /opt/tools/ && git clone https://github.com/mattifestation/PowerSploit.git && cd /opt/tools/PowerSploit/
# wget https://raw.githubusercontent.com/obscuresec/random/master/StartListener.py
# wget https://raw.githubusercontent.com/darkoperator/powershell_scripts/master/ps_encoder.py

# cd /opt/tools/ && git clone https://github.com/SpiderLabs/Responder.git

# cd /opt/tools/ && git clone https://github.com/trustedsec/social-engineer-toolkit.git set
# cd /opt/tools/set/ && python setup.py install

# git clone https://github.com/longld/peda.git /opt/peda && echo "source /opt/peda/peda.py" >> ~/.gdbinit

# mkdir -p /opt/tools/paexec && cd /opt/tools/paexec/ && wget http://www.poweradmin.com/paexec/paexec.exe

# mkdir -p /opt/tools/mimikatz && cd /opt/tools/mimikatz/
# wget https://github.com/gentilkiwi/mimikatz/releases/download/2.0.0-alpha-20150607/mimikatz_trunk.zip
# unzip mimikatz_trunk.zip && rm mimikatz_trunk.zip

# update-rc.d postgresql enable && update-rc.d metasploit enable
# /etc/init.d/postgresql start && /etc/init.d/metasploit start
# msfconsole
       =[ metasploit v4.11.2-2015052901 [core:4.11.2.pre.2015052901 api:1.0.0]]
+ -- --=[ 1454 exploits - 829 auxiliary - 229 post ]
+ -- --=[ 376 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > db_status
NOTE: db_status should report "postgresql connected to msf3"; if it does not, the module cache cannot be built and search will stay slow
msf > search auxiliary
NOTE: It can take a while before the database has built the module cache (10-60 minutes)
Open up another terminal and type:
# sudo -H -u postgres bash -c 'psql -d msf3 -c "select count(*) from module_details;"' | sed -n 3p
NOTE: The query returns the number of module rows cached so far (line 3 of the psql output is the count itself)
NOTE: Add up all the exploits, auxiliary, post, payloads, encoders and nops in the welcome message
NOTE: In our case, that's 1454+829+229+376+37+8=2933. When the query returns 2933 the cache is complete.
msf > exit
# msfconsole
msf > search auxiliary
NOTE: You should no longer see the warning that the database is disconnected or that the module cache has not been built
msf > exit
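The check just described (add up the counts in the banner and compare them with the row count in module_details) as a script, so it can be re-run until the cache is complete. This is an added example, not part of the original guide. The demo runs on a constructed banner using this guide's counts; "live" mode assumes this guide's setup: msfconsole on PATH, the msf3 database owned by the postgres user, and the startup banner printed by "msfconsole -x exit".

```sh
#!/bin/sh
# msf_cache_check.sh - compare the module counts in the msfconsole banner with the
# number of rows in module_details to see whether the module cache is complete.
# Added example, not part of the original guide. The demo uses a constructed
# banner; "live" mode assumes this guide's setup (msfconsole on PATH, msf3 database
# owned by the postgres user, "msfconsole -x exit" printing the startup banner).

# banner_module_total : read msfconsole banner text on stdin and print the sum of
# the counts in front of the six module-type words, e.g. the two lines
#   + -- --=[ 1454 exploits - 829 auxiliary - 229 post ]
#   + -- --=[ 376 payloads - 37 encoders - 8 nops ]
# give 2933. Other banner text (version line, ads) is ignored.
banner_module_total() {
    awk '
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^[0-9]+$/ &&
                    $(i + 1) ~ /^(exploits|auxiliary|post|payloads|encoders|nops)$/)
                    total += $i
        }
        END { print total + 0 }'
}

# cache_state BANNER_TOTAL DB_ROWS : print complete|building|stale and succeed only
# when the module_details row count equals the number of modules msfconsole loaded.
cache_state() {
    if [ "$2" -eq "$1" ]; then
        echo complete; return 0
    elif [ "$2" -lt "$1" ]; then
        echo building; return 1          # cache thread still inserting rows: wait and re-run
    else
        echo stale; return 1             # more rows than modules: cache from an older module tree
    fi
}

# check_live : the real check on a Kali set up as in this guide.
check_live() {
    total=$(msfconsole -x exit 2>/dev/null | banner_module_total)
    rows=$(sudo -H -u postgres psql -d msf3 -tAc 'select count(*) from module_details;')
    cache_state "$total" "$rows"
}

# demo : constructed banner (the counts from this guide) and two constructed row counts.
demo() {
    total=$(printf '%s\n' \
        '       =[ metasploit v4.11.2-2015052901 [core:4.11.2.pre.2015052901 api:1.0.0]]' \
        '+ -- --=[ 1454 exploits - 829 auxiliary - 229 post        ]' \
        '+ -- --=[ 376 payloads - 37 encoders - 8 nops             ]' \
        '+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]' | banner_module_total)
    echo "modules in banner: $total"
    printf 'rows=2000 -> '; cache_state "$total" 2000 || true
    printf 'rows=2933 -> '; cache_state "$total" 2933
}

if [ "${1:-demo}" = live ]; then check_live; else demo; fi
```

"sh msf_cache_check.sh live" exits 0 only once the cache is complete, so it can be looped with sleep while the cache builds; "psql -tAc" prints the bare count, which is why no sed is needed here.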
# passwd
NOTE: We add the username and password to the login banner so we do not forget our password later. Replace "jollyfrogs" with the password you just set.
NOTE: This is the kind of practice that gets real administrators in trouble; never do this in production environments! Anyone who can see the VM console can log in as root.
# sed -i "/banner-message-text/a banner-message-enable=true" /etc/gdm3/greeter.gsettings
# sed -i "/banner-message-text/a banner-message-text='user=root pass=jollyfrogs'" /etc/gdm3/greeter.gsettings
NOTE: The "locate" command uses a database that is first built using "updatedb"
# updatedb
# nmap --script-updatedb

NOTE: lab-connection.conf is sent to you in your welcome email; place it in /root/lab-connection/ (the --cd and --config paths below). You can modify it to include the password if you want; if you do, keep the file readable by root only (chmod 600), since it then holds your lab credentials in clear text.
# mkdir -p ~/.config/autostart
# gedit ~/.config/autostart/gnome-terminal.desktop
---
[Desktop Entry]
Type=Application
Exec=gnome-terminal --geometry 2x2 -e "/usr/sbin/openvpn --status /var/run/openvpn.client.status 10 --cd /root/lab-connection/ --config /root/lab-connection/lab-connection.conf --syslog openvpn"
Hidden=false
X-GNOME-Autostart-enabled=true
Name[en_US]=OpenVPN lab-connection.conf
Name=OpenVPN lab-connection.conf
Comment[en_US]=OpenVPN lab-connection.conf
Comment=OpenVPN lab-connection.conf
---
# shutdown -h now

Note: After verifying everything works, we back up the VM again so you can restore a fully configured install in minutes if required

In the "Oracle VM VirtualBox Manager" window:
- Click "File" -> "Export Appliance..."
- Left-click "Kali110a-32bit-nopae-v101" to highlight it
- Click "Next >"
File: "D:\STUDY\OSCP\VIRTUAL_MACHINES\VANILLA_BACKUPS\Kali110a-32bit-nopae-v101-all-apps.ova"
Format: "OVF 1.0"
Write Manifest file: Tick
- Click "Next >"
- Click "Export"
Note: The export can take quite a while

Note: After the export finishes, we have completed the installation of Kali for the PWK labs!