
2024: COMP9050 Lab Setup

BRIEF
The purpose of this document is to set up the environment you will need on your
laptop/PC for the try-it-yourself slides (i.e. labs) and assignments for this
module. You will create a sandboxed/isolated environment which will enable you
to practice and experiment with the tools/attacks described in the lectures
without damaging your host machine. To do this, you need to install
virtualisation software. Virtualisation software allows you to install multiple
operating systems (as virtual machines - VMs) inside your current OS. One of
the most common hosted hypervisors (a.k.a. virtualisation software) for x86
computers is VirtualBox. VirtualBox is free, recommended and supported in this
module. It has the advantage of being able to take snapshots.

Each VM operates like a real machine and has its own resources. As a result,
you need to ensure sufficient hard-drive capacity is available on your host
machine (or external hard-drive). A minimum of 150GB (80GB for your pen testing
machine and 70GB for target machines) is recommended for this module.

[Figure: Kali, Metasploitable 2 and Metasploitable 3 VMs running inside the Host Machine]

The components you will need to download and install are as follows:
● VirtualBox - the hypervisor for your VMs to sandbox your testing
environment from your host machine.
● Kali Linux - a Linux distribution designed for digital forensics and
offensive security (this module!). Within Kali, we will do some
configuration and also install Terminator (a nifty terminal console ideal
for displaying multiple terminals) & atom (a simple code editor). Kali
can be installed as a host OS or as a VM. In this module, it will be
installed within VirtualBox as a VM. Kali is the machine that will launch
attacks on the other VMs.
● Metasploitable 2 - an intentionally vulnerable Linux VM.

TASK(S)

1. Download and Install VirtualBox

The latest version of VirtualBox can be downloaded here:

https://www.virtualbox.org/wiki/Downloads

Choose the platform package that corresponds to your host machine (i.e. Windows,
OS X, Linux etc). If your host machine is Linux, you need to choose the
distribution that your Linux OS is based on (e.g. if your OS is Linux Mint
Sylvia 18.3, you would choose Ubuntu 16.04, etc).

Verify the SHA256 checksum and install by following the prompts.

https://www.virtualbox.org/download/hashes/7.0.12/SHA256SUMS

2. Download Kali Linux

This will be the VM you use to attack other VMs.

This can be downloaded using the following link (in Chrome and Firefox, click
to download; in Edge, right-click and choose “save target as”). Ensure you
select the VirtualBox image that is compatible with your computer (64-bit is
recommended if compatible with your host machine) and not the VMware image:
https://www.kali.org/get-kali/#kali-virtual-machines

Verify the SHA256 checksum.
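
One way to carry out the checksum verification in steps 1 and 2 from a Linux or macOS terminal. This is an added example, not part of the original lab sheet; the file name sample-installer.bin and the locally built SHA256SUMS file are constructed stand-ins for your real download and the published hash list.

```shell
#!/bin/sh
# Added example: verify a download against a published SHA256 value.

# Print the SHA256 of a file as hex (Linux: sha256sum, macOS: shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the expected hash for FILE_NAME in a SHA256SUMS-style list.
# Lines look like "<hash> *<name>" (binary mode) or "<hash>  <name>".
expected_from_sums() {   # usage: expected_from_sums SUMS_FILE FILE_NAME
    awk -v name="$2" '{ n = $2; sub(/^\*/, "", n)
        if (n == name) { print tolower($1); exit } }' "$1"
}

# Return 0 only when FILE hashes to EXPECTED_HEX. An empty or malformed
# expected value (e.g. the file is not listed) is a failure, never a pass.
verify_sha256() {        # usage: verify_sha256 FILE EXPECTED_HEX
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) expected= ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "no valid expected hash for $1" >&2; return 2
    fi
    if [ "$(sha256_of "$1")" = "$expected" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (do not install or import this file)" >&2; return 1
    fi
}

# Constructed demo: a stand-in "download" and a SHA256SUMS file built locally.
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample installer\n' > "$dir/sample-installer.bin"
    printf '%s *sample-installer.bin\n' \
        "$(sha256_of "$dir/sample-installer.bin")" > "$dir/SHA256SUMS"
    verify_sha256 "$dir/sample-installer.bin" \
        "$(expected_from_sums "$dir/SHA256SUMS" sample-installer.bin)"
}
demo
```

For a real download, save the published SHA256SUMS file next to the installer and pass the installer's exact file name to expected_from_sums; where the hash is shown on the download page instead, pass it directly as the second argument of verify_sha256.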

3. Download Metasploitable 2

An easy way to set up a target machine is to use Metasploitable 2. This is an
intentionally vulnerable Ubuntu Linux VM that is used to test common
vulnerabilities.

Metasploitable 2 can be downloaded here:

https://sourceforge.net/projects/metasploitable/

4. Install Kali Linux

Begin the installation process as follows:

● Double-click on the .ova file you have downloaded to launch the following
window:

● Click Import to import the VM.


● Select the VM you have imported and click Settings. Layout may differ
between OSs but the functionality is the same.
● Click System. It is recommended you use the default of 2GB of RAM, but you
can reduce it to 1GB if you have less than 8GB RAM on your host machine.

● Click the Processor tab. The default number of CPUs is 2. If you have less
than 8 CPUs, you can reduce this to 1 CPU.
● Select the Network tab and ensure NAT Network is selected.

● Usually VirtualBox will automatically create a NAT Network. If it doesn’t
automatically create it, then in the Oracle VirtualBox Manager, click on
File, select Preferences and click on Network:
● Click on the ‘+’ symbol to add a new NAT Network. Click OK to create the NAT
Network.

● Go back to Kali Linux. Go to Settings, go to Network and select the NAT
Network you have created, e.g. NatNetwork (if it wasn’t created
automatically by VirtualBox).
● Start up the Kali VM. Username is kali and password is kali.
● Change the default root password to avoid getting hacked! Type the
following:

passwd root

● Add a new lower-privileged user account (replace useracc with your name)
so that, if anything goes wrong with one of the tools you are using, it
does not have full control of your machine. This will be your day-to-day
account. Give this account sudo permissions also. Run the following
commands (skip the additional info requested):

adduser useracc

usermod -aG sudo useracc

● Logout as root and log back in as the new user useracc (the one you
created).
● Click the top icon on the sidebar (Firefox ESR) and search for CIT website
(www.cs.cit.ie). If everything is correctly configured this should
resolve. Close Firefox ESR.
● Within the Kali VM, open up the terminal window to update the package lists
and upgrade the installed packages as follows (note: always run these
commands before installing a package into Kali):

sudo apt-get update

sudo apt-get upgrade

● Install git (we will need this later) with the following command:

sudo apt-get install git

● Install terminator by running the following command (icon second from top
icon below):

sudo apt-get install terminator


● Terminator is very powerful. Commonly used keyboard shortcuts:
○ Ctrl-Shift-E: Split screen Vertically.
○ Ctrl-Shift-O: Split screen horizontally.
○ Ctrl-Shift-P: Focus on previous view.
○ Ctrl-Shift-N: Focus on Next view.
○ Ctrl-Shift-W: Close the view where the focus is on.
○ Ctrl-Shift-Q: Exit terminator.
○ Ctrl-Shift-X: Enlarge the active window
● More terminator shortcuts can be found here:

https://linux.die.net/man/1/terminator

● Install atom dependencies by running the following command:

sudo apt-get install gvfs gvfs-common gvfs-daemons gvfs-libs gconf-service gconf2 gconf2-common gvfs-bin psmisc

● If a warning appears during this installation, enter q to exit
documentation and proceed with installation.
● Get the latest Debian installer by downloading:

https://atom.io/download/deb

● Install atom by running the following command:

sudo dpkg -i ~/Downloads/atom-amd64.deb


5. Install Metasploitable 2

Begin the installation process as follows:

● In VirtualBox, click New, enter details as follows and click Next:

● Leave memory size as the default recommendation (1GB) and click Next.
● Select “Use an existing hard disk file” and navigate to the .vmdk file in
the Metasploitable download folder. Click Create.

● Start Metasploitable VM. Login and password are both:

msfadmin

6. Check network connection between Kali and Metasploitable

In Metasploitable, use the following command to determine the IP address of the
VM:

ifconfig

● The IP address of the Metasploitable VM is 10.0.2.4. This will most likely
be different for your VM. Note: Kali and Metasploitable should have two
different IP addresses. Ensure they are both using the NatNetwork connection.
● To verify the network connectivity between the two VMs, we need to ping
the Metasploitable VM from the Kali VM.
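
The check described above, written as a small script to run on the Kali VM. This is an added example, not part of the original lab sheet; it assumes both VMs sit on one /24 network (the usual layout for a VirtualBox NAT Network), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the two lab addresses, then ping the target.

# Return 0 if the argument is a dotted-quad IPv4 address (octets 0-255).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Classify the address pair; prints one of:
#   invalid | identical | different-subnet | ok
classify_pair() {   # usage: classify_pair KALI_IP TARGET_IP
    if ! is_ipv4 "$1" || ! is_ipv4 "$2"; then echo invalid
    elif [ "$1" = "$2" ]; then echo identical
    elif [ "${1%.*}" != "${2%.*}" ]; then echo different-subnet   # /24 compare
    else echo ok
    fi
}

# Run the classification and, only if it passes, send four pings.
check_lab() {       # usage: check_lab KALI_IP TARGET_IP
    case $(classify_pair "$1" "$2") in
        invalid)
            echo "not an IPv4 address: '$1' or '$2'" >&2; return 2 ;;
        identical)
            echo "both VMs report $1: check each adapter uses NAT Network" >&2
            return 1 ;;
        different-subnet)
            echo "$1 and $2 are on different /24 networks" >&2; return 1 ;;
    esac
    if ping -c 4 -W 2 "$2" >/dev/null 2>&1; then
        echo "target $2 answers ping from $1"
    else
        echo "no reply from $2: check that both VMs are running" >&2; return 1
    fi
}

# Usage on the Kali VM (10.0.2.4 is the example target address from above):
#   check_lab "$(hostname -I | awk '{print $1}')" 10.0.2.4
```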

Success! We are good to go!


ADDITIONAL INFORMATION (new)
● For Kali 2020: the username and password are both kali. To gain root access
in the terminal window, you will need to use sudo in front of a command, or
sudo -i to switch to root access in the terminal.
● When you have used ping to check connectivity, on your Kali VM navigate
to the web browser. Enter the IP address of your Metasploitable VM in the
web address field and you should see a screen similar to the following:

In Metasploitable you need to change the configuration file:

● In Metasploitable command line terminal type:

sudo nano /var/www/mutillidae/config.inc

● Scroll through document and change db from ‘metasploit’ to ‘owasp10’


● Save and exit.

In Metasploitable if the window is too small you can press CTRL (on right hand
side of keyboard) & c to change this.

RESOURCES
1. Further reading on Metasploitable 2:

https://medium.com/@chandrapal/history-of-metasploitables-af318e0954b1
https://metasploit.help.rapid7.com/docs/metasploitable-2

2. Further reading on Kali:

https://docs.kali.org/
