全部博文(1159)
分类: 网络与安全
2015-08-04 23:41:19
If you don’t have access to a live test environment or cannot find systems to run penetration tests against, you will to need to learn how to set up your own penetration testing lab. Since resources will vary from user to user, we’ve provided instructions for setting up a test lab on a single box and on multiple boxes.
Before you get started, let’s take a look at what you will actually need to create your own lab environment.
If you do not have the Metasploit, you can download it
If you have limited resources, the best way thing to do is use a single machine to set up your virtual machines and Metasploit Framework box.
These steps will vary depending on the operating system and the virtualization software you are using.
Once you’ve set up your virtual network, you can set up the network individually for each virtual machine – just simply assign the network to the host-only network you’ve just created. Setting up a test lab on multiple machines
In this type of test lab environment, you will want to keep your vulnerable machines unavailable to any machine except for your penetration testing box; therefore, it’s important to make the vulnerable machine dependent on the Metasploit Framework box for connectivity. In the section below, we’ll show you how to set up the access to go out on eth0 for the Metasploit Framework box and access to go to the target box on eth1.
These steps are based on a Linux system, so they will vary depending on the operating system you are using.
Once you’ve done this, you will need to make sure that your virtual machines are assigned IP addresses that are on the same subnet as the Metasploit Framework box. To do this, you should bridge the connections to share the same connection as the target box but assign them IP addresses from the Metasploit Framework box. After you’ve set up the connections for the Metasploit Framework box and the target boxes, you’re ready to start your penetration testing with the Metasploit Framework.
You will need to configure a target network before penetration testing can begin. Rapid7 provides vulnerable virtual machines you can install as a guest system on your local machine for testing purposes. The Metasploitable and UltimateLAMP vulnerable VMs are an Ubuntu machines running vulnerable services and containing weak accounts.
The Metasploitable VM focuses on network-layer vulnerabilities, while the UltimateLAMP VM is primarily focused on web vulnerabilities.
If you’re familiar with VMWare and have a workstation or, server already installed, that can be used as a VM host. Alternatively, you can get the free VMWare Player
The Metasploitable vulnerable VM runs the following services:
The Metasploitable VM also contains a weak system account with the username user and the password user. The default login is msfadmin:msfadmin. Several vulnerable applications have been installed on the VM.
Additionally UltimateLAMP runs older and vulnerable versions of the following applications:
The UltimateLAMP VM's default credentials are: root:vmware. Each application is available by browsing to :80 on the VM's assigned IP address.
By the way, this test lab setup works just as well for Metasploit Pro. 管理员在2009年8月13日编辑了该文章文章。