How to Set Up a Web App Pentesting Lab in 4 Easy Steps
A pentesting lab can be a small entity used by one security tester, consisting of one or two computers; or it could be a larger set of networked computers behind a closed or secured network, used by a group of security testers.
Step 1: Assess Pentesting Needs
Before creating a pentesting lab, it is important to do an assessment. Determine what the needs and goals are, as well as the budget. A few questions to ask are:
- How much money do you have to spend?
- What activities will you perform?
- Will you visit the dark web?
- Do you want to analyze malware?
- Do you plan to perform reverse engineering?
- Do you plan to test mobile apps as well as standard online applications?
- How many people will use this lab?
- Do you need to run multiple operating systems?
- How much memory do you anticipate needing?
Once you answer these questions, you can plan what your lab needs to entail. This article will discuss creating a pentesting lab on a small scale. The following steps detail the items needed to create a standard lab.
Step 2: Determine & Set Up Infrastructure Needs
This depends on the needs and budget for your lab. Some consistent needs include:
- Virtual environment
- Web vulnerability scanner
- Web proxy
- Traffic analyzer
- Browser plugins
A minimalistic lab could be as simple as a laptop running a Windows- or Linux-based operating system and a virtual machine software platform. Kali Linux is currently the best choice as it provides many of the tools you’ll need. It is possible to run Kali Linux on a machine without running a virtual environment, but using virtual machines creates a sandbox. If you are working with potentially malicious software, is much easier to delete an infected virtual machine than to rebuild a computer.
Step 3: Installation & Configuration
Now that you have your hardware selected, you can start installing your software.
- Install virtual machine software: VMware or Virtualbox are a couple of popular options. If you are running a Windows or Linux machine, you can use VMware or Virtualbox. A VMware workstation is a popular choice amongst Windows users. If you are running a Mac OS, you want to consider Virtualbox or VMWare Fusion. VMWare Fusion is not free, but it is handy if you plan on importing other VMWare (.vmdk) machines. This normally happens in labs where multiple operating systems are in use and a VMWare workstation was used. Testers often share virtual machines if one is configured a certain way or has data of interest to their colleagues (though virtualbox is making it easier to import .vmdk files). Installation of virtual machine software is fairly simple. Once you download the installation file and double click on the executable, there should be installation prompts to follow.
- Install a web proxy server: A web proxy can be used as an HTTP proxy server. It acts as an intermediary (in conjunction with your browser) to capture and analyze all of the requests that pass through your browser. Each request can then be examined, manipulated, replayed and basically picked apart to monitor possible injection points. The industry-standard web proxy software is Burp Suite, but other brands have entered the market with positive reviews, such as Netsparker.
- Install a pentesting operating system: Kali Linux has become a staple in pentesting labs. It replaced the BackTrack Linux operating system back in 2013. It is configured with tools specific to performing pentesting activities. Kali Linux is currently the most popular, but is not the only pentesting distribution available. BlackArch is another Linux based distribution. There is also Parrot Security, which is Debian-derived and is used for pentesting and forensics.
Most of these installations are similar. Navigate to the downloads page and download the .iso. You will use this to create a new virtual machine. Open your virtual machine software and use the “create a new virtual machine” option. It will ask for a path to install the installer disk image file, or the .iso. Insert the path for where you have the image downloaded and select the appropriate guest operating system. It will ask for the disk capacity size. This depends on what you plan to do with the virtual machine, but 20GB is the normal recommended size. Once you finish creating the new machine a boot menu will appear. Continue to follow the installation prompts. Once completed, you should see the virtual desktop
- Install an exploitable application: You want to set up a dummy server to help test out your pentesting. There are a few options. Bee-Box provides a way to hack the bWAPP website. bWAPP stands for Buggy Web Application. The bee-box installation is open source. It seems to be one of the most popular, but there are other options available. This includes DVIA (Damn Vulnerable iOS App), Game of Hacks, HackThis!!, Hack This Site, OverTheWire and McAfee HackMe Sites.
Below are a few more tools to consider installing or configuring in the Kali machine. Kali Linux in particular will have most of the pentesting tools you will need, and will definitely include all of the items listed below. If you choose a different pentesting distribution, you may have to install the items discussed below.
- Browser plugins: There are some browser plugins that are useful in a pentesting lab. XSS Me is used to find cross site scripting vulnerabilities. Other plugins that can be used to detect vulnerabilities include Websecurity, Hackbar, Web Developer and Firebug.
- Vulnerability scanner(s), and traffic analyzer(s): You will want to analyze your traffic to see what is happening on your network while in the lab. Wireshark is a great tool for this. It is one of the most popular network protocol analyzers. You will also want to install a web scanner to help identify vulnerabilities. Some popular web vulnerability scanners include:
- Zed Attack Proxy (ZAP)
- Frameworks: Some additional frameworks to consider are Burpsuite and Metasploit. Both have scanning capabilities and are very robust, making them very useful in a pentesting lab.
- Additional tools: Two other tools to consider are Cain and Abel and Jack the Ripper. Both are password crackers.
Step 4: Start Pentesting
You are now prepared to start pentesting web applications, so get started and have fun!