Know Your Enemy

September 13, 2020
Image taken by @kihomizuno from the Amtrak Pacific Surfliner train

Today I will run through installing VirtualBox, the Kali distribution of Linux, and Metasploitable, the intentionally vulnerable virtual machine (VM) that you will use to learn more about hacking. 

 

Why Learn About Hacking

 

Check out “The Cyberwire Daily” podcast (Apple Podcasts | Spotify) and you’ll hear weekly news of cyber security threats. Listen to The Cyberwire Daily enough and it’ll have you believing that you’re always under attack. That statement is not too far from the truth. Whether through your job or a personal account, the chances are high that you’ve already been a victim of hacking or that you’ll be targeted in the future.

 

In the famous Sun Tzu book, “The Art of War,” the author writes, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

 

A good way to know the enemy and know yourself when it comes to your cyber security is to get inside the brain of the enemy, the hacker. You’ll be able to do this by learning and practicing hacking. In doing so, you will also learn about any negligent behavior of your own and how best to protect yourself. With so much of our communication happening online, it would be wise to learn about its dangers.


 

Know Your Enemy

 

Let’s start by creating an environment where you can practice. 

 

Head over to virtualbox.org, where you can download the free virtualization product we will use to install Kali Linux and Metasploitable, the two virtual machines that you’ll be using for practice. According to the VirtualBox site, “Oracle VM VirtualBox enables you to run more than one OS at a time. This way, you can run software written for one OS on another, such as Windows software on Linux or a Mac, without having to reboot to use it. Since you can configure what kinds of virtual hardware should be presented to each such OS, you can install an old OS such as DOS or OS/2 even if your real computer's hardware is no longer supported by that OS.” 

 

I will be doing my installation on my MacBook, but if you are using a different OS, the steps will be similar. On the downloads page, select the appropriate platform and, once the download finishes, start the VirtualBox installation.

 

 

Once VirtualBox is installed, you’ll see the VirtualBox Manager.

 

 

Now we will install your virtual machines, starting with Kali.

 

To download Kali, go to the Offensive-Security Download Site, open the “KALI LINUX VIRTUALBOX IMAGES” dropdown and select the 64-Bit version.

 

Once finished, you’ll have a file with an .ova extension. Double-click it and you’ll see a popup in the VirtualBox Manager.

 

 

 

The only change I made was a change to the “Name” field, giving a more succinct name of “Kali-Linux.”

 

To get the VM working correctly we have to install the “Oracle VM VirtualBox Extension Pack.”

 

 

Double-click the downloaded extension pack file to begin installation and follow the prompts. 

 

We’re almost done but we have one more thing… 

 


 

My VM kept crashing when booting up, so I put my Google skills to work and was advised to disable the audio:

 

Select the Kali VM > Go to Settings > Audio and uncheck "Enable Audio"

 

Congratulations, you have now installed your hacking VM. In case you missed it on the Offensive Security site, the login credentials are kali/kali. Please be mindful that you can’t go trying to hack any and everything. You will get yourself in trouble.

 

Fun fact: the name “Kali” comes from the Hindu Goddess of Time, Creation, Destruction and Power. You now have control over an operating system that possesses the same qualities.

 

Now let’s install something you can legally destroy. Remember, this is so you can learn to protect yourself, not to mess with others and land yourself in jail. So the last thing we will do is download Metasploitable.

 

Once downloaded, unzip the file. 

 

Let’s pop open the Oracle VM VirtualBox Manager and create a new VM. Click the New symbol at the top of the Manager. 

 

 

Name the VM whatever your heart desires, and use the following settings for Type and Version. 

 

 

The default memory size should suffice.

 

Select the folder icon and navigate to the location of the Metasploitable.vmdk file (where it was extracted).

 

 

Similar to what we did when installing Kali, disable the audio:

 

Select the Metasploitable VM > Go to Settings > Audio and uncheck "Enable Audio"


 

And just like that, you have completed your environment for testing. The credentials for Metasploitable are msfadmin/msfadmin.


 

Now in order for the two machines to communicate, we will connect them to the same network.

 

For both VMs, go to Settings > Network and select ‘Host-only Adapter’ (you can Bridge them as well, but for testing, this should work).
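Host-only keeps the intentionally vulnerable VM reachable only from the host and the other lab VM, while a bridged or NAT adapter connects it to networks outside the lab. The script below is an added example, not part of the original post: it reads the output of `VBoxManage showvminfo <vm> --machinereadable` and reports any adapter that is not host-only or internal. The VM name "Metasploitable" and the sample inputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag lab VM adapters that reach
# beyond the host. Feed it the output of, e.g.:
#   VBoxManage showvminfo "Metasploitable" --machinereadable
# "Metasploitable" is an assumed VM name; use whatever you named yours.

# Print one "nicN=mode" line per enabled adapter that is not host-only/internal.
exposed_nics() {
  # Attachment lines look like nic1="hostonly"; unused slots report "none".
  # Lines such as nictype1=... or hostonlyadapter1=... do not match.
  sed -n 's/^nic\([0-9][0-9]*\)="\([^"]*\)".*$/\1 \2/p' |
  while read -r slot mode; do
    case "$mode" in
      none|hostonly|intnet) ;;           # disabled or isolated from the LAN
      *) echo "nic${slot}=${mode}" ;;    # nat, bridged, natnetwork, ...
    esac
  done
}

# Exit status 0 only when no adapter is exposed; details go to stderr.
is_isolated() {
  found=$(exposed_nics)
  if [ -n "$found" ]; then
    echo "exposed adapters: $found" >&2
    return 1
  fi
  return 0
}

# Constructed sample inputs in the machine-readable format.
SAMPLE_HOSTONLY='name="Metasploitable"
nic1="hostonly"
nictype1="Am79C973"
hostonlyadapter1="vboxnet0"
nic2="none"'

SAMPLE_BRIDGED='name="Metasploitable"
nic1="bridged"
bridgeadapter1="en0: Wi-Fi"
nic2="hostonly"
hostonlyadapter2="vboxnet0"'

printf '%s\n' "$SAMPLE_HOSTONLY" | is_isolated && echo "host-only sample: isolated"
printf '%s\n' "$SAMPLE_BRIDGED"  | is_isolated || echo "bridged sample: exposed"
```

Run it against both VMs before powering on Metasploitable; any attachment type outside the allowlist is reported, so an unfamiliar mode is flagged rather than silently accepted.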

 

 

Get Practicing

 

Now, with Metasploitable running and you logged in using the credentials above, type the command ‘ifconfig’ to determine its IP address.

 

 

Now in Kali, open the browser and type: http://[ip_of_Metasploitable_VM]/dvwa/login.php

 

The default credentials are admin/password

 

Thanks for stopping by!

 

 

Log in and have at it! Try your best to go through the different modules. If you get stumped, shoot me an email at mj@igobymj.com and/or use your favorite search engine to look up DVWA tutorials.