If you are interested in any pen testing certification, especially CompTIA’s PenTest+ (my cert pick for 2021), you need to be able to practice.
In this home lab setup, I mostly followed guidance from Michael Solomon's LinkedIn Learning PenTest+ Learning Path and fixed things where necessary. His course is outdated by now, but that's ok because I have updated the home lab procedure below.
This setup guide should be viewed as a companion to my CompTIA PenTest+ PT0-001 Study Notes post, which is ordered by the exam objectives. Complete this setup guide by the end of the first section (1. Planning and Scoping) so you can experiment with the labs while you learn the concepts.
System Requirements
You will need a modern Windows 64-bit system with virtualization enabled in your BIOS.
- Windows XP/7/8/10 64-bit.
- At least 4 GB of free disk space. The total space used will be around 24 GB.
- At least 512 MB dedicated RAM. Having at least 4 GB of dedicated RAM is better.
Downloads
First, download VirtualBox (or your favorite VM manager).
Then, you will need to download each of these so we can set each one up in a separate VM within VirtualBox.
- Kali Linux – A collection of free security tools in a Linux package. A great download for your toolbox.
- DVWA – A web application written in PHP that is deliberately vulnerable. Damn vulnerable even.
- Metasploitable – A vulnerable VM. From the makers of Metasploit.
Installation and Setup
You can have dedicated hardware. You can also use virtualization through a virtual machine manager with virtual machine images. You can set up a cloud-based machine, but it is still virtual.
- Focus on a local machine. You can use VMWare or VirtualBox.
- The host is the machine on which you will run the virtualization software.
VirtualBox
- Install Oracle VirtualBox.
- Install the Oracle VM VirtualBox Extension Pack.
- Run VirtualBox.
Change the network to a custom subnet.
- File > Host Network Manager
- Click Properties on the default VirtualBox Host-Only Ethernet Adapter.
- The default address is 192.168.56.1. Change it to 10.10.1.1 to set up a new subnet.
- Click on the DHCP Server tab. DHCP Server gives the virtual machines their IP address.
- The default is 192.168.56.100. Change to 10.10.1.2.
- The lower Address Bound will be 10.10.1.10.
- The upper Address Bound will be 10.10.1.254.
- Click Apply. Now we have a new network.
Kali Linux
Download the Kali Linux 64-bit VirtualBox image. It is an OVA file of around 3 GB. You don't have to create and configure a new image; just use the OVA file to import a predefined appliance.
- File > Import Appliance.
- Choose path > Navigate to OVA file > Select OVA file > Click Open > Click Next.
- Quickly glance at settings > Click Import.
- Select the machine and Click Start.
- Dismiss notifications.
- Update Kali with sudo apt update and sudo apt full-upgrade -y.
Note: Kali’s default credentials have changed. It is no longer root, toor. It is now kali, kali. The documentation is here: https://www.kali.org/docs/introduction/default-credentials/.
After updating Kali, click the Power Button in the top right, then click Power Off to shut off the machine.
Kali Troubleshooting
You try to update Kali and can’t due to this error:
Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
You simply forgot to run apt with sudo. If that wasn't the case, you may have a stale lock file. Remove it with:
sudo rm /var/lib/apt/lists/lock
DVWA
- In VirtualBox, click on New.
- Name it DVWA, change Type to Linux, and change Version to Ubuntu (64-bit) > Click Next.
- Since it is based on Ubuntu, the defaults are fine here. Use the default of 1GB (1024MB) memory. Click Next.
- Ensure the “Create a virtual hard disk now” radio button is selected; click Create.
- VDI disk type is fine. Click Next.
- Select Dynamically allocated to save space. Click Next.
- 10 GB is fine. Click Create.
- While the DVWA VM is selected, click Settings.
- Go to General > Advanced > Change Shared Clipboard and Drag'n'Drop to Bidirectional.
- Go to Storage > Select Empty IDE Drive > Click on the disc icon on the far right of the window > Choose optical virtual disk file > Select DVWA ISO file > Click Open > Click OK.
- While DVWA is still selected, click Start. Dismiss warnings. Press Enter to boot to the live disk.
To close the machine, select Close and Power off to power down the machine. There are options for it to run in the background (headless), but we don’t need to worry about that now.
Metasploitable
If you open the Metasploitable archive download, you will see a Metasploitable Virtual Machine Disk Format file. It’s the largest one. This is how we will import the machine, but not in the same manner as before.
- First, go to File > Preferences in VirtualBox.
- Under General, you will see the Default Machine Folder that VirtualBox uses. This path is C:\Users\%USERPROFILE%\VirtualBox VMs by default. Click Ok to close the preferences window.
- Click on New to Create a New Virtual Machine. Name it Metasploitable, Type Linux, and Version Ubuntu (64-bit). Click Next. The Metasploitable directory has been created.
- From here, extract the Metasploitable files and move them to the newly created Metasploitable directory. I made sure the files were at the root of the Metasploitable directory and not under the metasploitable2-Linux directory. The VM Name and folder name must match.
- Go Back to VirtualBox. The default memory size can be 1GB (1024MB). Click Next.
- Select the Use an existing virtual hard disk file radio button. Click the file button and navigate to C:\Users\%USERPROFILE%\VirtualBox VMs\Metasploitable and select the Metasploitable Virtual Machine Disk Format file.
- Click Open and Click Create.
- While the Metasploitable VM is selected, click Start.
- Dismiss warnings.
Note: We did it in this order because if you create the directory first, VirtualBox cannot create the new VM since the folder already exists. It’s a protection mechanism to keep you from overwriting VMs.
Note 2: The default credentials are msfadmin/msfadmin.
Now we are set up! It involved creating VMs in 3 different ways, but now we have 3 VMs – 2 victims and 1 attacker.
OpenVAS (Greenbone)
OpenVAS (open vulnerability assessment system), which you hear so much about, is now called GVM (Greenbone Vulnerability Management). To be clear, the company Greenbone has been behind OpenVAS for years. It just wasn’t as apparent. Existing components have been renamed:
- openvas-{nvt,certdata,scapdata}-sync => greenbone-{nvt,certdata,scapdata}-sync
- Openvas Management Protocol (OMP) => Greenbone Management Protocol (GMP)
- Open Vulnerability Assessment System (OpenVAS) => Greenbone Vulnerability Management (GVM)
- OpenVAS Manager Daemon (openvasmd) => Greenbone Vulnerability Management Daemon (gvmd)
Even though it is tough to install the free version of OpenVAS now, you can still install the gvm package in Kali.
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install openvas
sudo gvm-setup
The Kali package is on GitLab: https://gitlab.com/kalilinux/packages/gvm. Note the names of the components in the package:
- create-postgresql-database
- gvm-check-setup
- gvm-feed-update
- gvm-reset-passwd
- gvm-setup
- gvm-start
- gvm-stop
- openvas-9-migrate-to-postgres
- openvas-check-setup
- openvas-feed-update
- openvas-setup
- openvas-start
- openvas-stop
OpenVAS Troubleshooting
If, after installation, setup will not run (sudo openvas-setup fails), run sudo openvas-start.
If you can't launch the web interface after installation, or can't reach it by typing the address manually (https://127.0.0.1:9392), then you need to run sudo gvm-start.
If it still doesn't work, wait a few seconds, then run sudo gvm-start again, and try the address in the browser again (https://127.0.0.1:9392). You may have to do this 3 times for it to work. It's super strange, I know, but it works.
Nmap Lab
Nmap Cheatsheets
- https://www.stationx.net/nmap-cheat-sheet/
- https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/
- https://www.tutorialspoint.com/nmap-cheat-sheet
- https://hakin9.org/nmap-cheat-sheet/
- https://github.com/jasonniebauer/Nmap-Cheatsheet
- https://highon.coffee/blog/nmap-cheat-sheet/
- https://www.networkstraining.com/nmap-commands-cheat-sheet/
Adding Vulners Script
cd /usr/share/nmap/scripts
sudo git clone https://github.com/vulnersCom/nmap-vulners.git
Link to vulners depot: https://github.com/vulnersCom/nmap-vulners
sudo git clone https://github.com/scipag/vulscan.git
Link to vulscan depot: https://github.com/scipag/vulscan
Vulscan can take a while, since by default it checks against all of its bundled databases:
- cve
- openvas
- scipvuldb
- securitytracker
- exploitdb
- osvdb
- securityfocus
- xforce
ls vulscan/*.csv
nmap --script nmap-vulners -sV 10.10.1.10
nmap --script vulscan -sV 10.10.1.10
Another example:
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV 10.10.1.10
This uses only 1 CSV file instead of all 8.
Pass User ID and Password Lab
THC (The Hacker’s Choice) Hydra – sectools.org.
Pass user ID and password lists and Hydra will try every combination.
cd Downloads
ls -al
hydra -L usernamelist.txt -P passwordlist.txt ftp://10.10.1.11
You have to have good lists; the above command will error out if the list files don't exist.
Finding bad usernames – https://nordpass.com/blog/all-time-most-popular-usernames/.
Copy this list and save it with vi, nano, or leafpad (save in root/Downloads).
In nano, press Ctrl + \, enter 4 spaces as the search string, replace with nothing, and choose replace all (same in leafpad). Then Ctrl + X to exit and y to confirm the save.
Find SecLists, https://github.com/danielmiessler/SecLists, a well known repository for pentesting lists.
Your list files will determine the quality of your attack.
Pairs found on Metasploitable with msusers.txt and mspass.txt:
- user – user
- postgres – postgres
- sys – batman
- klog – 123456789
- service – service
Hydra uses multiple threads in a parallel approach, so the order of the results will differ from the list order.
SCADA systems are hard to update. Look at layers.
If you don't have sendmail installed in the lab, you can install it in Kali Linux:
apt-get install sendmail
sendmailconfig
Using USB drives: https://null-byte.wonderhowto.com/how-to/hack-wpa2-wi-fi-passwords-using-jedi-mind-tricks-usb-dead-drops-0185290/
Press the Tab key as you are typing a directory in Linux to have it completed.
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
info
set RHOSTS 10.10.1.10
run
DVWA Lab
DVWA IP was 10.10.1.11.
DVWA login is admin/password.
Set security to low so you can see stuff.
- ' (single quote) tells SQL that you have terminated the string, which is why injection is possible.
- UNION appends a second query and produces output that combines both result sets.
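The two ideas above, shown side by side against a constructed in-memory SQLite stand-in for DVWA's users table; this is an added example, not code from the page or from DVWA, and the table rows and hash values are made up.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not DVWA's real data).
SAMPLE_USERS = [
    (1, "admin", "Admin", "Istrator", "constructed-hash-1"),
    (2, "gordonb", "Gordon", "Brown", "constructed-hash-2"),
]

def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT,"
        " last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """DVWA 'low' style: the id parameter is pasted straight into the SQL text.
    A single quote in user_id closes the string literal, so whatever follows
    is parsed as SQL, e.g. a UNION that pulls columns from a second query."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value travels separately from the SQL text, so a
    quote or UNION inside it is only ever compared against user_id."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

# A quote to terminate the literal, then a UNION whose rows are merged with the
# legitimate result; the trailing "-- " comments out the quote the original
# query still expects.
UNION_INPUT = "2' UNION SELECT user, password FROM users -- "

def compare(user_id: str) -> dict:
    """Run the same input through both query styles on a fresh database."""
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, user_id),
        "parameterized": lookup_parameterized(conn, user_id),
    }

if __name__ == "__main__":
    for label, rows in compare(UNION_INPUT).items():
        print(label, rows)
```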
In Kali:
sqlmap -u <website> --cookie="<cookie>"
sqlmap -u "http://10.10.1.11/vulnerabilities/sqli/?id=2&submit=submit#" --cookie="cookie hash"
- Press Ctrl + Shift + I for inspector mode. Go to Network and reload the page.
- Click on the top-level request that includes the command, click Headers on the right side, copy the cookie value, and paste it between the quotes of --cookie.
- Sqlmap tests for SQL injection to find attacks you can use.
- Attacking an application can give you direct access to data.
- XSS attacks the server, CSRF/XSRF attacks the user (uses session).
- XSS Reflected: input a name, then enter <script>alert("XSS")</script> as the name.
- Attack websites by testing. Review the source code after changing security levels.
- Capitalizing Script and adding a body onload tag, <body onload=alert("XSS")>, can be ways to beat basic security.
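Why the capitalized tag and the body onload tag get past a basic filter, and why output encoding does not care about spelling; an added example, not code from the page or from DVWA, and the assumption that the "basic security" being beaten deletes only the literal lowercase <script> is modelled here as naive_filter.

```python
import html
import re

# Constructed inputs for the reflected-XSS lab: the two payloads the lab text
# names, the lowercase form they are variations of, and a plain name.
LOWER_SCRIPT = '<script>alert("XSS")</script>'
UPPER_SCRIPT = '<SCRIPT>alert("XSS")</SCRIPT>'
BODY_ONLOAD = '<body onload=alert("XSS")>'
PLAIN_NAME = "Alice"

def naive_filter(name: str) -> str:
    """Blocklist defence (assumption: deletes only the literal lowercase
    "<script>"). Any tag not spelled exactly that way passes untouched."""
    return name.replace("<script>", "")

def escape_output(name: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so the browser
    shows the input as text no matter how the tag is spelled."""
    return html.escape(name, quote=True)

def render_greeting(name: str, defence) -> str:
    """Reflect the submitted name into the page, as the lab's form does."""
    return "<pre>Hello " + defence(name) + "</pre>"

# A tag start the HTML parser would act on: "<" directly followed by a letter.
_TAG_START = re.compile(r"<[A-Za-z]")

def reflects_markup(name: str, defence) -> bool:
    """True if the reflected value still carries a live tag from the input."""
    return _TAG_START.search(defence(name)) is not None

def audit() -> dict:
    """Which payloads survive each defence, keyed by (defence, payload)."""
    results = {}
    defences = (("naive_filter", naive_filter), ("escape_output", escape_output))
    payloads = (("lower", LOWER_SCRIPT), ("upper", UPPER_SCRIPT),
                ("onload", BODY_ONLOAD), ("plain", PLAIN_NAME))
    for d_name, d in defences:
        for p_name, p in payloads:
            results[(d_name, p_name)] = reflects_markup(p, d)
    return results

if __name__ == "__main__":
    for key, survived in audit().items():
        print(key, "tag survives" if survived else "neutralised")
```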
Tricks and Methodology
- It’s like a dance: You try one thing, then something else. The developer probably won’t consider all options.
- The more you know about systems and how developers write code, the better. It’s not just about knowing tools and pentesting methods.
- Windows service paths that contain spaces should be quoted. Otherwise, Windows will try the first path that matches up to the first space before moving on to the next.
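An audit helper that lists, in order, every file Windows would try for an unquoted service path, so a defender knows which directories must not be writable by unprivileged users; this is an added example, not from the page, and the ImagePath values are constructed (it assumes the executable ends in .exe and that anything after ".exe " is arguments).

```python
import re

def unquoted_path_candidates(image_path: str) -> list:
    """Executables Windows would try, in order, for a service ImagePath.
    The first file that exists wins, so each earlier candidate is a location
    an auditor must confirm cannot be created by unprivileged users."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # properly quoted: nothing ambiguous to audit
    # Assumption: the executable ends in .exe; text after ".exe " is arguments.
    m = re.search(r"\.exe(?=\s|$)", path, re.IGNORECASE)
    exe = path[: m.end()] if m else path
    words = exe.split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"  # a bare name gets .exe appended when resolved
        candidates.append(prefix)
    return candidates

def is_ambiguous(image_path: str) -> bool:
    """True when more than one file could be picked up for this ImagePath."""
    return len(unquoted_path_candidates(image_path)) > 1

# Constructed sample ImagePath values, not taken from any real system.
SAMPLE_IMAGE_PATHS = [
    r'"C:\Program Files\Lab Agent\agent.exe" -service',   # quoted: fine
    r"C:\Windows\System32\svchost.exe -k netsvcs",         # no spaces: fine
    r"C:\Program Files\Lab Agent\agent.exe -service",      # unquoted: audit
]

def audit(paths) -> dict:
    """Map each ImagePath to the candidate files it would resolve through."""
    return {p: unquoted_path_candidates(p) for p in paths}

if __name__ == "__main__":
    for p, cands in audit(SAMPLE_IMAGE_PATHS).items():
        print(p, "->", cands)
```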
- ls shows the files in a directory.
- ls -l is a long list.
- ls -al is the long list with hidden files included. Hidden files start with a period.
- mv test.txt .test.txt makes it a hidden file. It still shows with ls -al.
- cat .bash_history shows the telnet and command history.