Sorry readers, pen testing is far from a prescriptive field. A good deal of fun can be had, but there is an element of choose your own adventure here that means you’re going to have to continually adjust your plans and ensure you are meeting your needs, be they training or job specific. One of the most awesome aspects of the field is how many tools are published that can help you out! The hacking community is pretty collaborative, so there has been a plethora of tools out there for many years that evolve, receive updates, and see some pretty vibrant extensions and support.
A more recent development has been official support from the potential targets themselves. Operating system vendors and application developers have been bitten hard by their closed and proprietary model, and a good deal of them now make images available to pen testers and bug hunters to ensure that the community has every opportunity to help them uncover issues and keep their code solid. Some folks even get paid through bounty programs offered by either vendors or potential target organizations! This isn’t just small companies or insignificant enterprises. The US DoD has its own highly touted program through HackerOne. My employer, Cisco, also has a program in place, and additional programs of note can be seen on this nice list compiled by Guru99 (https://www.guru99.com/bug-bounty-programs.html).
Crawl before you walk…
It is fun to look, isn’t it? No matter how open the companies or organizations that welcome community assistance might be, we probably shouldn’t venture out there without some training time in our own dojo. Ethical hacking requires permission, yes, but it also requires competence, awareness, and care to ensure that no unintended consequences harm the target environment, its users, or your legal record. So how do we build a safe practice environment? How can we pick a fight and know we’re going to win and not piss someone off in the process?
A majority of the server targets that we’ll encounter will be hosted on the Linux or Windows operating systems, and the clients will be Linux, Windows, Mac OS, or mobile (Android, iOS, Windows Phone, or Blackberry). Let’s take the server and client sides separately.
Finding gullible servers
Pen testers in training are well served by working from images provided by some of the resources that follow. As we become more competent, and some of you actually gain employment in the field, it is much more likely that you will round out your lab with images that you roll on your own, to include the OS, platform, and application versions and configurations of your customers’ targets. No pen testing of a real target happens without permission, but ideally none should occur without mastery of the technique and, where possible, dry-runs against a mocked-up environment in the safety of a lab.
Microsoft Windows and other MS apps
If you have an active Microsoft Developers Network (MSDN) license, you can use those images to test; for the rest of us without the budget to support this, you can download full versions of almost any operating system or software package from Microsoft for an evaluation term of 60 to 180 days at their evaluation center website. Both options are suitable, but the frequent need to start fresh and the non-existent cost of the evaluation licenses make the latter a perfectly suitable option. I would recommend having access to images for MS Server 2008, 2012, and 2016 at a minimum, with images configured for IIS and other important web services. Just check out the sheer variety of products Microsoft has opened for evaluation!
Linux-based hosts
Finding suitable Linux & BSD images is much easier. You can locate options for pretty much any variant you need, and for enterprise/commercial variants you can find a free, community-supported approximation that is extremely close. Most Linux & BSD implementations for web services include not only the OS but also the appropriate Apache web server, MySQL database, and PHP versions, which together form the LAMP web stack. Having a current image of a Debian, Ubuntu, CentOS (for Red Hat targets), FreeBSD, Fedora, or SuSE Linux host can ensure you are ready for any potential scenario.
Virtual Images
The best thing to happen to aspiring pen testers is the advent of hackable server VMs, of which there are several that allow practicing attempts against a wide variety of vulnerabilities. Rapid7 released and supports the Metasploitable VM, which just underwent a refresh in 2017 and is well worth practicing against for general penetration testing. Metasploitable includes some web services, but it can be helpful to have dedicated images. Specific web pentesting images come with preconfigured applications, so we can get right to the fun stuff. The images of interest are the Damn Vulnerable Web Application (DVWA), the OWASP Broken Web Applications (BWA) VM, and the bee-box VM (a VM-based version of the buggy web application, bWAPP). These all have some great scenarios and sub-apps that can simulate blogs, commerce portals, customer service front-ends, and the like.
Additional VMs for practice can be found at VulnHub, which is a slick collection of VMs and applications collected from capture-the-flag (CTF) events, training classes, conferences (like Black Hat, DEF CON, BSides, etc.) and the community at large.
Unwitting clients
Desktops
More often than not, the browser is a secondary target or unwitting accomplice, as it is the client-side application most often used to interact with the web application. The underlying platform does have different secondary vulnerabilities that a web-based exploit might target, but we’re really focused on the web application itself and its interoperation with the client.
Windows
If you are averse to disclosing your information and creating an account just to download a suitable MS desktop OS, you can also download OS and browser combination images that Microsoft provides for the use of testers and developers. You’ll want a selection of Windows 7, 8, and 10 hosts to play with for the sake of completeness; at various points in the book, it will make sense to try each of the multitude of browsers available (Internet Explorer/Edge, Firefox, Chrome, and so on). While the MSDN, Eval Center, and developer downloads will all work, for ease of setting up new environments, the last approach sufficed for most of my preparatory work.
Alternate Platforms
Linux desktops are less of a focus, as the browser overlap and the lower reliance on Flash tend to make them a much smaller priority. Mac OS hosts might also come up, as more companies are beginning to allow users to choose between traditional PCs and Mac or Linux, with the Millennials helping diversify the client base. Education (K-12 or equivalent worldwide) is seeing a move to Google’s Chrome OS as well, given that it requires minimal (i.e. cheap) hardware; after all, Chrome OS is basically there to support a browser. Mac, Chrome OS (using projects like Neverware) and Linux can be virtualized if need be, but tend to be on special request rather than a default platform of interest given their much smaller footprint in the enterprise.
Mobile Devices
Mobile device operating systems can be run virtually with varying success, with iOS being the lone holdout (good luck getting iOS running virtually!). Most of our techniques will exploit the browsers alone, so using a browser plugin or developer tool configuration can do the trick. A quick search from Firefox or Chrome for a user agent changer will yield tools that allow a desktop browser to emulate any number of other browsers, both mobile and desktop based. I used the Kali VM’s Firefox or Iceweasel browser whenever possible, falling back on Chrome on the same VM or IE/Edge, Safari, or others on the appropriate Windows VM, or my laptop’s browser as needed.
The “S” in “IoT” is for Security…
The Internet of Things should be mentioned, as many of those devices either serve or use web services to do their job. A contender for the biggest oxymoron in the tech space is “IP Security Camera”, and printers are still the chattiest, loneliest devices on a network. The issues with IoT device security are many, and will be a great topic for an upcoming blog post. Gotta keep this blog’s 3 readers coming back for more (hi Mom!).
Summary
Hopefully this post gave you a bunch to chew on. This is one of the most interesting fields to lab, given the diversity of options and the exhilaration you will feel when you crack these hosts and apps in your lab. We’re almost done rounding out the preparatory stages here, and I hope to get into some demos and tutorials of actual techniques and tools soon!