Whether you're a specialized security admin or an IT operations professional who needs to bolster workload security, it's important to know the appropriate tools and setup for a vulnerability assessment.
Typically performed with automated testing tools, vulnerability assessments aim to identify potential software security risks or misconfigurations before they make it to production. Usually, assessments also include the assignment of risk levels to identified threats to help IT teams prioritize and address critical issues first.
Build a home lab for controlled vulnerability tests
A home lab enables an IT professional to learn and experiment with a vulnerability assessment before conducting one inside the enterprise.
To follow along with this vulnerability assessment tutorial, presented by Christopher Blackden of TechSnips, use the Chocolatey package manager to install VirtualBox, which will act as the host environment. Then, through VirtualBox Manager, install two VMs: one based on Kali Linux, a Linux distribution tailored specifically to vulnerability assessments and penetration testing, and another based on Ubuntu Server, a common OS for hosting web applications.
For the Kali Linux VM, download a pre-built VirtualBox image from Offensive Security, an IT security training company and the creator of Kali Linux. Review the image's configuration and specs in the import dialog as a sanity check, and then import it. Next, create the Ubuntu Server VM and name it Ubuntu. VirtualBox recognizes that name and automatically changes the installation type to a 64-bit version of Ubuntu. Configure the VM with 2 GB of memory and a 10 GB dynamically allocated virtual hard drive. Attach the Ubuntu ISO disk image to the VM as an optical drive, specify the host name and user account name, and follow the other installation steps outlined in the video.
For the purposes of this vulnerability assessment tutorial, do not encrypt the home directory. Also, to save disk space on the host machine, don't enable automatic updates. To test web applications in the home lab, select the LAMP server and OpenSSH server package sets during installation; OpenSSH lets you reach one VM from the other for troubleshooting.
Before setting up an application, ensure that both guest VMs are attached to an internal network and that the internal network has the same name on both VMs. This lets the two VMs communicate with each other but not with the host machine, whose traffic could otherwise interfere with application testing. As the final step of this tutorial, open a port on the Ubuntu Server VM's firewall and conduct a port scan of it from the Kali Linux VM with nmap, using the ifconfig command on the target to identify its IP address.
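The lab build described in the steps above, scripted against VirtualBox's VBoxManage command-line tool, as an added example that is not part of the TechSnips video or the article. It assumes a POSIX shell (Git Bash or WSL on the Windows host used in the tutorial, or a Linux/macOS host), and the internal-network name vulnlab, the file names kali.ova, ubuntu-server.iso and Ubuntu.vdi, and the DRY_RUN switch are all assumptions of this script rather than values from the page. By default it only prints the VBoxManage commands so you can review them; set DRY_RUN=0 to execute them. The same_intnet function is the check for the step the transcript calls easy to miss: both guests must sit on an identically named internal network.

```shell
#!/bin/sh
# Added example (not from the TechSnips video): build the two-VM lab with
# VBoxManage. Assumed names: network "vulnlab", files kali.ova,
# ubuntu-server.iso, Ubuntu.vdi. DRY_RUN=1 prints commands instead of running.
set -eu

DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = run them
NET_NAME="${NET_NAME:-vulnlab}"  # internal network; must match on both guests

# Run a VBoxManage command, or echo it when dry-running.
vbm() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

# Import the pre-built Kali OVA as "Kali" and put its first NIC on the
# internal network so it can only reach the other guest, not the host.
import_kali() {
    vbm import "$1" --vsys 0 --vmname Kali
    vbm modifyvm Kali --nic1 intnet --intnet1 "$NET_NAME"
}

# Create the Ubuntu Server VM: 2 GB RAM, a 10 GB dynamically allocated disk,
# the installer ISO attached as an optical drive, NIC on the internal network.
create_ubuntu() {
    iso="$1"
    vbm createvm --name Ubuntu --ostype Ubuntu_64 --register
    vbm modifyvm Ubuntu --memory 2048 --nic1 intnet --intnet1 "$NET_NAME"
    # "Standard" is VirtualBox's dynamically allocated variant (grows on demand)
    vbm createmedium disk --filename Ubuntu.vdi --size 10240 --format VDI --variant Standard
    vbm storagectl Ubuntu --name SATA --add sata --controller IntelAhci
    vbm storageattach Ubuntu --storagectl SATA --port 0 --device 0 --type hdd --medium Ubuntu.vdi
    vbm storagectl Ubuntu --name IDE --add ide
    vbm storageattach Ubuntu --storagectl IDE --port 0 --device 0 --type dvddrive --medium "$iso"
}

# Extract NIC 1's internal-network name from
# "VBoxManage showvminfo <vm> --machinereadable" output read on stdin.
intnet_from_info() {
    sed -n 's/^intnet1="\(.*\)"$/\1/p'
}

# Exit 0 only when both VMs have the same (non-empty) internal network on
# NIC 1. Queries VirtualBox directly, so run it once the VMs exist.
same_intnet() {
    a=$(VBoxManage showvminfo "$1" --machinereadable | intnet_from_info)
    b=$(VBoxManage showvminfo "$2" --machinereadable | intnet_from_info)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: DRY_RUN=0 ./lab.sh kali.ova ubuntu-server.iso
if [ "$#" -eq 2 ]; then
    import_kali "$1"
    create_ubuntu "$2"
    [ "$DRY_RUN" = 1 ] || same_intnet Kali Ubuntu
fi
```

After the Ubuntu installer finishes, detach the ISO (VBoxManage storageattach ... --medium none) or leave it to VirtualBox, as the transcript notes, and confirm the optical drive is empty before the first real boot.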
Editor's note: Alyssa Fallon, assistant site editor for SearchITOperations, furnished the writing of this video tutorial.
Transcript - Mitigate IT risks with this vulnerability assessment tutorial
Today we're going to talk about how to set up a home lab for vulnerability assessment. And we're going to do this with a couple of different pieces of software.
So first, we're going to set up VirtualBox to host our virtual machines. And the two virtual machines we're going to be setting up today are Kali Linux, which is typically a distribution that's geared towards penetration testing or application vulnerability testing. And we're also going to be setting up an Ubuntu Server virtual machine, which is typically what you'll find a lot of these web apps hosted on.
So, to start off, I'm going to go ahead and install VirtualBox with the Chocolatey package manager. First, just to make sure I have my package name right, choco search VirtualBox, and we see that first one right there is the one we want. Now if you're more comfortable going online and finding an .exe download, be my guest. This is how I'm more comfortable doing it, so, I'm going to do it this way.
Yep, I cheated a little bit. I already had this installed to make the demo a little bit easier. So, let's go over to it now. Okay, so this is the VirtualBox interface. We're going to go ahead and add two virtual machines to this, but first, we need to go out and get our virtual machine images. So, let's do that next. So, the two virtual machines we're going to be using, like I mentioned earlier, are Kali Linux and Ubuntu Server. Kali Linux is maintained by Offensive Security. They've got a really great team over there. And they've made our job a little bit easier; they actually have a pre-built VirtualBox image. So, all we have to do is download this and open it directly into VirtualBox, and all the setup configuration should be taken care of for us. So, I'll go ahead and do that in the background. And the next one we have to do is Ubuntu Server. Now, Ubuntu Server does not have a pre-built VirtualBox image. So, we're going to go through and install this one from scratch.
Okay, so I've done all the downloads in the background, I've gone ahead and opened up VirtualBox again and I'm going to go ahead and start with Kali Linux. And like I said, Kali Linux has a pre-built image. So, we're going to go ahead and import that. This is my downloads folder and as soon as I select it, it says this is the Kali Linux image pre-built from Offensive Security, here are the maintainers, this is the version -- just a sanity check to make sure you've got the right specs for the virtual machine you're working with. So, I'll go ahead and click "import" on that and then we're going to let this run; this is going to take a while. So, we will let this run in the background and return to the video when it's done.
All right, now that that's imported, we've got our Kali Linux virtual machine here and we're going to go ahead and start that. Okay, so I've turned on my Kali Linux machine and, by default, when you download these from Offensive Security, they do come with a root account. And the password is toor, and there we go.
We've now got a Kali Linux virtual machine running and we can go on to getting our Ubuntu Server set up. So, I'm back in my VirtualBox manager. Like I mentioned earlier, we do have to set up Ubuntu from scratch. So, let's go ahead and do that now. I'm going to create a new virtual machine and I'm going to call it Ubuntu because why not? Now, because I called it Ubuntu, that's something VirtualBox recognizes and it's already changed my installation type to Linux and a 64-bit Ubuntu version. And just because I want this to actually run well, I'm going to change it to two gigs of memory and then I'll stick with the default hard disk settings. And I'm going to go ahead and give it a 10 gig virtual hard drive, and let's go ahead and dynamically allocate that. What that means is, if you need to take up more than 10 gigs of space on this virtual machine, it will go ahead and dynamically scale that hard drive for you. Whereas fixed size, once you reach that 10 gigs, you're cut off. So, let's go ahead and hit "Create."
Now, this is powered off right now. Let's go ahead and there's one more change we have to make before we can start installing, and that's we go into settings. Now, this is where you change the settings for the individual virtual machine itself. This is where you can change things like your networking from virtual machine to virtual machine, or guest to guest, or guest to host, depending on what you want to test. In my case, in order to do this installation, I have to go ahead and attach the Ubuntu ISO disk image to this virtual machine so it'll boot from it. So, I'm going to go into the storage controller here and add an optical drive and I'll go ahead and choose "Disk," where I've already downloaded this Ubuntu ISO image here. So, I'm okay with all of that, I'll click "Okay," and then start the virtual machine.
All right, so we've got our Ubuntu virtual machine, we've got to do all the setup first time around. We'll go ahead and select my language and then "Install Ubuntu Server." I will choose English as my language, I am in the U.S. -- it does a pretty good job at detecting keyboard layout. But let's go through this English U.S. keyboard.
Now I'm at the point where I need to add a hostname. I'll keep it simple -- use the same name I used for the virtual machine in VirtualBox. And I need a full name for a user account that's not the root user. So I'm going to keep it simple here again. And because I'm going to be doing vulnerability testing here, I do not want to encrypt my home directory. It's got the time zone right, so I will select "yes." I'm going to go ahead and hit the default option. It's worth noting here that it's only taking up the amount of space in my virtual hard drive; it's not getting anything on my host machine. So, I can format this drive, I can delete it, I can do whatever I like with this, as long as I'm sure I'm running inside my virtual machine, inside my guest machine and not on my host machine.
So, when you're doing this part for HTTP proxy, we typically don't want to use one, but depending on what you're testing, you might leave this up to your use case to set up. Okay, again, we are going to say "no automatic updates" because this is a home lab -- a guest machine running in a home lab. So we don't necessarily want to take up all of the disk space on our host machine. Now, this is going to be case by case. Because I'm assuming most of you are going to want to test web applications, I'd go ahead and recommend to set up a LAMP server and also OpenSSH. And this is just so you can get inside of this machine from the other virtual machine in case you need to do any troubleshooting. We'll go ahead and select those two and then hit "Continue." All right, so this is a MySQL root user, we're going to go ahead and just keep it consistent with what we've been doing in this demo so far. Okay, now, remember we are installing this inside of a virtual machine, a guest operating system on a host operating system. So, it thinks that this is the only operating system on this computer because in VirtualBox's mind, this is a separate computer. So I'm okay installing the GRUB loader here. Okay, so it looks like the installation is complete. We finished our Ubuntu Server. It says to go ahead and remove the installation media before we boot in so it doesn't restart the installation.
VirtualBox will usually take care of this for you, but it's good to go back to settings and confirm it just in case. Now, one last thing you want to do before you go and start setting up applications is make sure that these guest VMs are on the same network. And this can be very tricky, I almost missed it this time around. But the way you do that is you select one of these machines and go into "settings," "network," and then in my case, I have attached them both to an internal network adapter. Now, you want to make sure that your internal network has the same name across all of your guest VMs. What this means is that they'll be able to talk to each other but not to your host VM, which is what you want because you're testing applications and testing between these two servers. You don't want any interference from your host machine. So, I've set this on my Ubuntu Server and I'm going to verify that it's done on my Kali Linux server. Great, I'm all set and ready to start.
So, I'm back on my Ubuntu machine. And one of the things that you might run into while you're doing vulnerability scans on a server or an application is port scanning. So, let's go ahead and open up a port on this machine that we can scan with the Kali Linux machine. All right, I've allowed that on my firewall, let's switch back and scan it now. Okay, so I'm back on my Kali Linux machine and the next thing I want to do is I want to scan the ports on the Ubuntu VM. Now, off screen, I got the IP address for that VM but the way you do that is ifconfig, and you run that on each server, and this inet number here, the IPv4 address is going to be where you're targeting. So, I want to run a vulnerability scan, a port scan on the Ubuntu Server. So I'm going to go to nmap and type in the IP address for the Ubuntu machine, and this will just take a second to run. Great, we see that we have two ports on our nmap report, port 22 which is SSH, I did that in the configuration while I was installing the Ubuntu Server. And we have port 443, which nmap is listening to but it's closed because we're not currently using it.
All right, that's all for today. Thanks for watching.
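The scan at the end of the transcript is only useful if you compare its result with what you meant to expose: port 22 is open because OpenSSH was chosen during the install, and anything else open is a finding. The script below is an added example, not from the TechSnips video or the article; it reads nmap's greppable output (nmap -oG lab.gnmap <ip>, a real nmap option) and lists every open port that is not on an allow list. The file name lab.gnmap, the sample report constructed in the block (with an open port 80 added so the check has something to flag) and the allow-list values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the TechSnips video): check an nmap -oG report
# against the ports you intentionally exposed on the lab server.
# Assumed/constructed: file name lab.gnmap, the sample report below, and the
# allow-list passed on the command line.

# Print "port/proto" for every port reported as open in a -oG file.
# Greppable output is tab-separated; the "Ports:" field is a comma list of
# port/state/proto/owner/service/rpc/version entries.
open_ports() {
    awk -F'\t' '/^Host:/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Ports: /) print substr($i, 8)
    }' "$1" | tr ',' '\n' | awk -F/ '{
        sub(/^ +/, "", $1)               # entries after a comma carry a space
        if ($2 == "open") print $1 "/" $3
    }'
}

# Print each open port absent from the comma-separated allow list ($2).
# Exit status 0 when nothing unexpected is open, 1 otherwise (CI-friendly).
unexpected_open_ports() {
    allowed=",$2,"
    found=0
    for p in $(open_ports "$1"); do
        case "$allowed" in
            *",$p,"*) ;;
            *) echo "$p"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample report in the shape "nmap -oG lab.gnmap 10.0.0.5" writes;
# the IP, the open port 80 and the closed 443 are illustrative values only.
SAMPLE_GNMAP="${TMPDIR:-/tmp}/lab.gnmap"
{
    printf '# Nmap scan initiated as: nmap -oG lab.gnmap 10.0.0.5\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, '
    printf '443/closed/tcp//https///\tIgnored State: filtered (997)\n'
} > "$SAMPLE_GNMAP"

# Usage: ./check.sh lab.gnmap 22/tcp   (allow list defaults to SSH only)
if [ "$#" -ge 1 ]; then
    unexpected_open_ports "$1" "${2:-22/tcp}"
fi
```

Against the constructed report with an allow list of only 22/tcp, the script prints 80/tcp and exits 1; with 22/tcp,80/tcp it prints nothing and exits 0. Closed ports such as the 443 seen in the video are ignored because they are not exposed services.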