This article will show you how to set up a $5 VPS for penetration testing with Digital Ocean. Having a hack box in the cloud is useful in numerous ways. My initial idea was to have an affordable box somewhere that I could use to catch shells when I’m on an engagement. It’s not always practical or even possible to configure port forwarding on a per port basis when you are expecting shells. However after I configured a VPS with Metasploit I quickly found other uses which I’ll cover throughout the article.
To begin, let’s cover some of the advantages of a VPS hack box. The first major advantage is connection speed: the national average broadband speed is in the 16 Mb/s range, while any reasonable VPS will give you a 100 Mb/s symmetric connection with low latency. That matters when you are on an engagement and need to pull down a large set of files quickly. Secondly, if you’re like me and have issues with reverse shells being blocked upstream by your provider, having a box with a public IP that your shells can call back to is invaluable.
It’s also important to cover the downsides of a VPS hack box. The considerable one is that client data may end up on hardware you do not own, in a shared environment where the provider (and anyone who gets into your account or the droplet) can reach the disk, so heavily securing the VPS before launching any attacks or handling customer data is crucial. It pays to be responsible with client data: keep only what the engagement needs on the box, encrypt anything sensitive you do keep there, and destroy the droplet and start from a fresh one after each engagement rather than reusing it.
Having said all that, let’s get on with it. The first step is obtaining the VPS. Digital Ocean has a super simple sign-up process, and VPS creation is done quickly (mine was ready in 50 seconds), so wait time is painless. To sign-up, go to https://www.digitalocean.com and click the sign-up button. You’ll be asked to enter a valid e-mail address and a password.
Once logged in, click the green “Create” button to begin configuring your droplet.
You’ll need to give your droplet a hostname, as you would in any Linux based system.
After you’ve given the droplet a hostname, you’ll need to select the size you want for your droplet.
I opted for the first option, which is 512 MB RAM, 1 CPU core, 20 GB SSD disk and 1 TB transfer. This configuration is more than enough for a basic set of tools, but if you’re going to be using tools like Zmap or a Team Server with Armitage/Cortana, you’ll need to select option two or higher: Zmap will simply not run in 512 MB of RAM, and a Team Server needs the extra responsiveness.
Next, you’ll need to select the region closest to you from the four options given.
Now we get to select our OS. Only *nix based OSes are available, but the choice is fairly broad: Ubuntu 10.04 through 13.10 in both 32-bit and 64-bit flavours, plus versions of Debian, CentOS, Arch Linux and Fedora. For this article I will be using Ubuntu 12.10 and installing tools from there, but you’re free to choose Debian and install tools from the Kali repos or from PPAs. Tutorials for that are a quick Google search away and are relatively painless, though be aware that mixing the Kali repositories into a stock Debian install is a well-known way to break package dependencies, so a clean image is the safer route if you go that way.
The last options are the VirtIO and Private Networking checkboxes. Leave VirtIO checked (it gives the droplet paravirtualised disk and network drivers, which are faster than emulated hardware) and leave Private Networking off; nothing in this setup needs a link to other droplets in the region. To wrap things up and get the ball rolling, click the green “Create Droplet” button and wait for the root password to be e-mailed. That password has just crossed the Internet in a plain-text e-mail, so treat it as burned: change it with passwd the moment you log in, and move to key-only logins as soon as the next step is done.
Once we have our root password, we’re ready to log in and begin our set up. So fire up your favourite SSH client and connect to your droplet. If you’ve never tried it, I would recommend giving Remmina a try for its easy to use GUI and quick connect capabilities. On Ubuntu based systems, the following command will grab it for you, and the second line is the plain OpenSSH equivalent:
- sudo apt-get install remmina
- ssh root@xxx.xxx.xxx.xxx
After you’ve logged in via SSH, you can use ssh-keygen to generate a keypair so you can log in quickly without a password. On your local machine:
- ssh-keygen
Enter a passphrase, or leave it blank (at the cost of an unprotected private key sitting on your disk).
This generates the pair and places it in ~/.ssh: id_rsa is the private key, which never leaves your machine, and id_rsa.pub is the public key that goes on the VPS.
Now you need to copy the public key and paste it onto your VPS. On the local machine:
- cd /home/username/.ssh
- cat id_rsa.pub
Then on the VPS, in root’s home directory:
- cd ~/.ssh
- echo paste_output_here >> authorized_keys
Note the >>: a single > would overwrite any key already in the file. If ~/.ssh does not exist yet, create it first, and make sure sshd’s permission checks pass (700 on the directory, 600 on authorized_keys), or the key is silently ignored. If your local OpenSSH ships ssh-copy-id, running ssh-copy-id root@xxx.xxx.xxx.xxx does all of this in one step.
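As an added example that is not part of the original article, here is the same key installation plus the follow-on sshd hardening (key-only logins) as a small POSIX shell script. It assumes a Debian/Ubuntu layout (config at /etc/ssh/sshd_config, service named ssh), a fresh droplet with only the root account, and an OpenSSH 6.x era spelling of the directives; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: install an SSH public key on
# the droplet and switch sshd to key-only logins.
# Assumptions (mine, not the article's): Debian/Ubuntu layout with the config at
# /etc/ssh/sshd_config and a service named "ssh"; a fresh droplet with only the
# root account; OpenSSH 6.x, where the directive is spelled "without-password".
set -e

# install_pubkey HOME_DIR "ssh-rsa AAAA... comment"
# Appends the key to HOME_DIR/.ssh/authorized_keys without overwriting keys that
# are already there or adding the same key twice, and sets the permissions sshd
# insists on (700 on the directory, 600 on the file) or the key is ignored.
install_pubkey() {
    ssh_dir="$1/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # -F fixed string, -x whole line: a second run with the same key is a no-op
    if ! grep -Fxq -- "$2" "$auth"; then
        printf '%s\n' "$2" >> "$auth"
    fi
}

# set_sshd_option FILE KEY VALUE
# Rewrites the first active or commented-out "KEY ..." line as "KEY VALUE",
# drops any later duplicates, and appends the line if the key was absent, so the
# file ends up with exactly one copy of the directive.
set_sshd_option() {
    tmp="$1.tmp.$$"
    awk -v k="$2" -v v="$3" '
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "[ \t]") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# harden_sshd_config FILE: keys only; root keeps key-based access because a
# fresh droplet has no other account yet.
harden_sshd_config() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitRootLogin without-password
}

# count_sshd_option FILE KEY: number of active (uncommented) lines for KEY
count_sshd_option() {
    grep -Eic "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Usage on the droplet: sh harden-ssh.sh --apply 'ssh-rsa AAAA... you@laptop'
if [ "${1:-}" = "--apply" ]; then
    install_pubkey "$HOME" "${2:?public key required}"
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t               # refuse to reload a config with a typo in it
    service ssh reload
fi
```

Keep your existing SSH session open while you run it with --apply, and confirm a fresh key-based login works before you close it; sshd -t rejects a config with a typo, which is the cheapest way to avoid locking yourself out of a box whose only other console is the provider’s web one. PermitRootLogin without-password is the OpenSSH 6.x spelling; releases from 7.0 on call the same setting prohibit-password and still accept the old name.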
We’re now ready to start installing our sec tools. Since Metasploit is the logical place to start, we’ll tackle that first. Carlos “DarkOperator” Perez has written a fantastic script that automates the msf install. In my experience it is the easiest way to get the framework, nmap, PostgreSQL and all of Metasploit’s dependencies onto a box quickly. You can grab the script off GitHub with the following commands. You are about to run somebody else’s script as root, so read through it first and check out the commit you reviewed rather than trusting whatever happens to be at the tip of the branch:
- # Install git first.
- apt-get install git
- # Grab the script from GitHub.
- git clone https://github.com/darkoperator/MSF-Installer.git
- # Move into the directory (the clone lands in the current directory, not in /) and list its contents.
- cd MSF-Installer; ls
- # Run the installer
- ./msf_install.sh -i -p -r
- -i == install Metasploit
- -p == password to use for the database (-p pass sets the password to pass; -p alone generates a random one, which is the better choice on a box exposed to the Internet)
- -r == install the necessary Ruby gems through RVM
- source ~/.bashrc
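The article’s stated reason for the box is catching shells, so here is an added example (mine, not from the article or the Metasploit project) that writes a msfconsole resource script for a persistent multi-handler and starts it. It assumes msfconsole is on root’s PATH after the installer above and that ufw is the host firewall on the droplet; the default payload and the handler_rc/open_port function names are my choices.

```shell
#!/bin/sh
# Added example, not from the original article: start a persistent Metasploit
# handler on the droplet for catching reverse shells.
# Assumptions (mine): msfconsole is on PATH and ufw is the host firewall.
set -e

# handler_rc LPORT [PAYLOAD]
# Emits a msfconsole resource script on stdout. ExitOnSession false keeps the
# handler listening after the first shell arrives, and "exploit -j -z" runs it
# as a background job so further sessions can land while you work.
handler_rc() {
    lport=$1
    payload=${2:-linux/x86/meterpreter/reverse_tcp}
    printf '%s\n' \
        "use exploit/multi/handler" \
        "set PAYLOAD $payload" \
        "set LHOST 0.0.0.0" \
        "set LPORT $lport" \
        "set ExitOnSession false" \
        "exploit -j -z"
}

# open_port LPORT: allow the callback port through ufw (requires root)
open_port() {
    ufw allow "$1"/tcp
}

# Usage on the droplet: sh handler.sh --start 4444 [windows/meterpreter/reverse_tcp]
if [ "${1:-}" = "--start" ]; then
    port=${2:?usage: --start LPORT [PAYLOAD]}
    rc="$HOME/handler_$port.rc"
    handler_rc "$port" "${3:-}" > "$rc"
    open_port "$port"
    msfconsole -q -r "$rc"
fi
```

A handler bound to 0.0.0.0 on a public IP is reachable by anyone on the Internet, so open only the ports you are actually using, pick a payload that matches what you will run on the target, and tear the droplet down after the engagement as the article recommends.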
Now, since I really only needed a VPS to catch shells and launch attacks that typically require forwarded ports, the next tool I installed was the Social-Engineer Toolkit from the folks at TrustedSec. SET is an amazing tool and I honestly believe it should be part of every pentester’s arsenal. It is on GitHub as well. You can install SET wherever you like, but I recommend /usr/local/share, to make it a bit easier to keep track of where your tools live. To fetch and launch it:
- git clone https://github.com/trustedsec/social-engineer-toolkit/ /usr/local/share/set/
- cd /usr/local/share/set; ./setoolkit
Move to SET’s config folder and open set_config:
- cd /usr/local/share/set/config
- nano set_config
The default Metasploit path points at a Metasploit Pro install, which is not where the installer script put the framework:
- ### Define the path to MetaSploit, for example: /pentest/exploits/framework3
- METASPLOIT_PATH=/opt/metasploit/apps/pro/msf3
Change it to the installer’s location:
- METASPLOIT_PATH=/usr/local/share/metasploit-framework
Two other values are worth touching:
- ### How many times SET should encode a payload if you are using standard MetaSploit encoding options
- ENCOUNT=4 <-- raise this for more encoding passes. Stacking encoders changes the payload’s bytes, not its behaviour, so treat it as a minor signature tweak rather than a reliable A/V bypass.
- AUTO_DETECT=OFF <-- change this to ON and SET fills in the LHOST for your listeners from the droplet’s own address.
Save your changes. If you’re using nano, this is done by pressing ctrl+x, and then pressing y to confirm and enter to save the file with the original name.
Now that we have changed SET’s config we can sort out the dependencies. On a base Ubuntu droplet, pycrypto is not installed, and SET needs it for the pyinjector payloads to work:
- sudo apt-get install python-dev
- sudo apt-get install python-crypto
If you’re a Kali user, the lack of tools at your disposal so far may be a bit unsettling. Luckily, there are PPAs that make installing other tools a simple task. The commands for some of the PPAs I’ve found are below, so you can install extra tools from them as needed. One caveat before you add any of them: add-apt-repository imports the PPA owner’s signing key into apt’s trust store, after which every package that PPA publishes installs as root with no further check, so you are trusting whoever controls it at the same level as the Ubuntu archive itself. These are personal PPAs, not something the Kali project publishes, so decide whether that trust is warranted for a box that will hold client data.
- apt-get install software-properties-common ← needed for add-apt-repository to exist.
- add-apt-repository ppa:wagungs/kali-linux
- add-apt-repository ppa:wagungs/kali-linux1
- add-apt-repository ppa:wagungs/kali-linux2
- apt-get update ← refreshes your package lists; after that you can install whatever you wish with apt-get install.