This article will show you how to set up a $5 VPS for penetration testing with Digital Ocean. Having a hack box in the cloud is useful in numerous ways. My initial idea was to have an affordable box somewhere that I could use to catch shells when I’m on an engagement. It’s not always practical or even possible to configure port forwarding on a per port basis when you are expecting shells. However after I configured a VPS with Metasploit I quickly found other uses which I’ll cover throughout the article.
To begin, let’s cover some of the advantages of a VPS hack box. The first major advantage is connection speed, the national average broadband speed is in the 16 Mb/s range, any reasonable VPS you purchase will give you a 100 Mb/s symmetric connection. Having the extra speed and low latency is important in cases where you find yourself on an engagement and need to download a large amount of files, and need it done quickly. Secondly, if you’re like me and have issues with shells being blocked upstream by your provider, having a box where you can return your shells is invaluable.
It’s also important to cover the downsides of a VPS hack box. A considerable downside is that confidential data is possibly being stored in non-optimal conditions, therefore heavily securing the VPS before launching any attacks or handling customer data is crucial. It pays to be responsible when it comes to client data, so I would definitely recommend taking the necessary steps to ensure client data is as secure as possible, and wipe the VPS to start anew after each engagement.
Having said all that, let’s get on with it. The first step is obtaining the VPS. Digital Ocean has a super simple sign-up process, and VPS creation is done quickly (mine was ready in 50 seconds), so wait time is painless. To sign-up, go to https://www.digitalocean.com and click the sign-up button. You’ll be asked to enter a valid e-mail address and a password.
Once logged in, click the green “Create” button to begin configuring your droplet.
You’ll need to give your droplet a hostname, as you would in any Linux based system.
After you’ve given the droplet a hostname, you’ll need to select the size you want for your droplet.
I opted for the firstt option, which is 512 MB RAM, 1 CPU core, 20GB SSD Disk, and 1TB transfer. This configuration is more than enough for a basic set of tools, but if you’re going to be using tools like Zmap or Team Servers with Armitage/Cortana, you’ll need to select option two or higher, as Zmap will simply not run on 512 MB of RAM, and you’ll need extra responsiveness for a Team Server.
Next, you’ll need to select the region closest to you from the four options given.
Now, we get to select our OS. Only *nix based OSes are available, but the choices are pretty broad. You have the option to select from Ubuntu 10.04 – 13.10 in both x32 and x64 flavors. You can also opt for versions of Debian, CentOS, Arch Linux, and Fedora. For this article I will be using Ubuntu 12.10 and installing tools from there, but you’re free to choose a Debian distro and install tools from the Kali repos or PPAs. Tutorials for doing that are available via a quick Google search and are relatively painless.
The last thing we need to do is select VirtIO, or Private Networking. For this scenario you’ll want to leave VirtIO checked, and steer clear of Private Networking. To wrap things up and get the ball rolling, we’ll click the green “Create Droplet” button, and wait for our root password to be e-mailed.
Once we have our root password, we’re ready to log in and begin our set up. So fire up your favorite SSH client, and connect to your Droplet. If you’ve never tried it, I would recommend giving Remmina a try for the easy to use GUI and quick connect capabilities. On Ubuntu based systems, running the following command will grab it for you.
sudo apt-get install remmina
If you don’t wish to use Remmina, you can use any SSH client software of your choice. Since I’m using a Linux machine, I’ll just use the SSH client included with my distro.
<–Replace with the IP of your VPS from the e-mail you received.
After you’ve logged in via SSH, you can of course use ssh-keygen to generate a keypair, so you can login quickly without the need for a password by doing the following on your local machine.
Hit enter to accept the default location for the key (/home/username/.ssh/id_rsa).
Enter a password, or leave the password field blank.
This will generate your key and place it in /.ssh
Now you need to copy your public key to paste on your VPS by entering:
cd /home/username/.ssh cat id_rsa.pub
Copy the entire output, and go back to your SSH terminal and type:
cd .ssh echo paste_output_here > authorized_keys
Now, subsequent logins will no longer require copy and pasting your root password into the terminal.
We’re now ready to start installing our sec tools. Since Metasploit is the logical place to start, we’ill tackle that first. Carlos “DarkOperator” Perez has created a fantastic script to automate the msf install process. It’s in my experience the easiest way to quickly install the framework, nmap, postgresql, and all of Metasploits dependencies in a quick fashion. You can grab the script off of Github with the following commands:
# Install git first. Apt-get install git # Grab the script from Github. Git clone https://github.com/darkoperator/MSF-Installer.git # Move to the directory and list contents. cd /MSF-Installer;ls # Run the installer ./msf_install.sh -i -p -r -i == Install Metasploit -p == password to use for database (-p pass will set the password to pass, -p alone will generate a random pass) -r == Install necessary Ruby Gems through RVM.
You’ll need to reload your bash profile after the script is finished by typing:
Once the script has completed and your bash profile has been reloaded, Metasploit should be installed and ready to go. To verify you can launch msfupdate or msfconsole. the script installs Metasploit in /usr/local/share/metasploit-framework. So if you’re a Kali user, it’s important to note the different installation location, as you’ll likely need to update the config files for any tools that integrate directly with Metasploit. All of the framework tools are linked though, so you can launch msfupdate, msfconsole, msfvenom, etc. from anywhere. The installer script also installs Armitage for us. Note however, that in order for Armitage to run you’ll need to install whatever VNC software you like on the VPS.
Now, since I really only needed a VPS to catch shells and launch attacks that typically required forwarded ports, the next tool I installed was the Social Engineer Toolkit from the folks at TrustedSec. SET is an amazing tool and I honestly believe it should be a part of every pentester’s arsenal. You can grab it from Github as well. You can install SET wherever you like, but I recommend installing it in /usr/local/share, to make it a bit easier to keep track of where your tools are located. To launch it, enter:
Git clone https://github.com/trustedsec/social-engineer-toolkit/ /usr/local/share/set/ cd /usr/local/share/set;setoolkit
Before SET will be ready to use, we’ll need to clear up some dependencies, and edit the set_config file to update the Metasploit location. We’ll take care of set_config first.
Move to SET’s config folder:
Use whatever text editor you fancy to edit the set_config file. I’m a nano guy, so I will be using that.
Look for the following line:
### Define the path to MetaSploit, for example: /pentest/exploits/framework3 METASPLOIT_PATH=/opt/metasploit/apps/pro/msf3
Now, we can change METASPLOIT_PATH to the location we installed the framework.
### Define the path to MetaSploit, for example: /pentest/exploits/framework3 METASPLOIT_PATH=/usr/local/share/metasploit-framework
I also recommend changing a few other lines in set_config as well.
### How many times SET should encode a payload if you are using standard MetaSploit encoding options ENCOUNT=4 <--change this value for better A/V bypass.
### Auto detection of IP address interface utilizing Google, set this ON if you want.
AUTO_DETECT=OFF <–changing this to ON allows SET to automatically set the lhost value for your listeners.
Save your changes. If you’re using nano, this is done by pressing ctrl+x, and then pressing y to confirm and enter to save the file with the original name.
Now that we have changed SET’s config we can clear up the dependencies. On a base installation of Ubuntu on a Digital Ocean droplet pycrypto is not installed and is needed by SET in order for the pyinjector payloads to work.
sudo apt-get install python-dev sudo apt-get install python-crypto
SET is now ready to handle all your social engineering needs.
If you’re a Kali user, the lack of tools at your disposal so far may be a bit unsettling. Luckily, there are many PPAs available that make the installation of other tools a simple task. I’ll paste the command output for some of the PPAs I’ve found below, so you can install extra tools from them as needed.
apt-get install software-properties-common ← Needed for the following commands to work. add-apt-repository ppa:wagungs/kali-linux add-apt-repository ppa:wagungs/kali-linux1 add-apt-repository ppa:wagungs/kali-linux2 apt-get update ← To refresh your package lists and you can set about installing whatever you wish.
In this article, we covered the basics of setting up a $5 VPS with Digital Ocean and outfitting it with the tools we need to aid us in both engagement, and our research. The droplets we created for this article are easily expandable if more resources are required, and are rather versatile in the variety of ways they can be put to use.