There are a lot of penetration testing (aka pentest) tools, but they are not always
easy to learn, so you need practice — a lot of practice. Before
using these tools on a live environment, you need to set up a test
environment, install some services with vulnerabilities, and then try to
break into it. Fortunately, pentesters don't have to do all this
preparation themselves, as this is a niche where a couple of Linux
distributions can be found. We'll take a look at a few of these
deliberately insecure Linux distributions, which can be run on an isolated
network or in a virtual machine to be targeted with your pentesting tools or exploits. On the attacker's side, you could use a distribution like BackTrack or a pentesting tool like the Metasploit Framework.
Damn Vulnerable Linux and Metasploitable
Probably the most well-known vulnerable Linux distribution is Damn Vulnerable Linux, but
at this moment the website has the message "We are working. DVL 2.0
might appear in summer 2011" and there doesn't seem to be a way to
download the most recent release, 1.5 (which dates from January 2009), so your author couldn't review DVL. The idea, however, is simple: DVL is shipped as a distribution that is as vulnerable as possible, for learning and research purposes for security pentesters and students. DVL was built by Thorsten Schneider, a security researcher at Bielefeld University in Germany, as a training system that he could use for his university lectures, to teach topics like buffer overflows, SQL injection, and so on.
Another well-known vulnerable Linux distribution is Metasploitable,
an Ubuntu 8.04 server install on a VMWare image.
This install includes a number of vulnerable packages, such
as a Tomcat 5.5 servlet container with weak credentials, ssh and telnet
accounts with weak passwords, along with outdated versions of distcc, tikiwiki, twiki, and MySQL. Metasploitable is meant as a practice target for the Metasploit Framework, but of course you can also use it to test other pentesting tools. Moreover, the virtual disk is non-persistent, so all damage you do to the system while pentesting disappears after a reboot. Metasploitable can easily be installed in VirtualBox: just add the vmdk file as a new virtual hard disk to VirtualBox and create a new Linux VM with this hard disk as the boot disk. Just don't forget to enable IO APIC in the virtual machine.
An especially interesting vulnerable machine (or rather, a set of virtual machines) is LAMPSecurity. There is a CentOS based virtual machine that can be used as the attacker's operating system because it becomes preloaded with many attack tools, and another CentOS based virtual machine as the target, named Capture The Flag. Unfortunately, your author couldn't get these images, distributed as VMware images, to boot on VirtualBox. However, the Capture The Flag image comes with a tutorial PDF that demonstrates how to chain together a series of vulnerabilities to be able to completely compromise the target system. The document describes one possible path to get root, but of course there are other ways to compromise the target, so after reading the document, users can surely apply what they have learned to further explore the target.
The tutorial begins with scanning the target with the vulnerability scanner Nikto, which is specialized in testing web servers for interesting files and directories (e.g. a public /phpmyadmin) and vulnerable web server software. It also identifies the version numbers of Apache and PHP, which are useful to search for vulnerabilities that apply. Then the tutorial shows how to use Paros as a web proxy in the browser, so the pentester can intercept requests to the target: all requests and responses are registered and can be investigated in the Paros program to look for vulnerabilities in a web application.
In the next step of the tutorial, the user is guided to identify an SQL
injection vulnerability in the target's web site. This section is a particularly interesting introduction to SQL injections, with a step-by-step explanation spelled out in detail, including how to get access to system files. In the last step, the tutorial builds upon this SQL injection with a local privilege escalation to get an interactive root shell for the attacker.
The most comprehensive vulnerable distribution project is definitely the
PenTest Lab, the brainchild of penetration tester Thomas Wilhelm. When
he had to learn as much about penetration testing as possible in a short
time, he found no usable targets to practice on, so he created his own live
CDs: two "Level 1" ISO images and one "Level 2" image. On the
attacker's side, Wilhelm recommends BackTrack. Unfortunately, the target
machines have an hardcoded IP address, which can conflict with your own
network's address range.
Each of the ISO images is meant to be used in a specific real-world scenario: for the first Level 1 image, you are hired by a small company to pentest an old server that has a web-based list of the company's contact information. The scenario for the second Level 1 image is a little tougher: the target system is an FTP server that has been used in the past to maintain customer information but has been sanitized, and you have to show that you can get sensitive information out of the server. In the Level 2 scenario, you should identify any vulnerabilities you can find, and you get the permission to cause damage.
De-ICE PenTest also has a forum, where users can discuss the challenges for the three ISO images and get some help (warning: there are spoilers in the forum). On the wiki, there are also some video walkthroughs. Of course these contain major spoilers, so you probably want to wait for them until you have completed the challenges.
There are a lot of other projects. The Virtual Hacking
Lab has the same approach as LAMPSecurity: it distributes an ISO image
to run on the attacker's side (the security-focused Gentoo derivative live
CD Pentoo), and offers some vulnerable
images to run as the target machines. For instance, a directory lists quite a few vulnerable distributions. Unfortunately, the project doesn't come with comprehensive documentation.
The OWASP Broken Web Applications Project is, like its name says, focused on vulnerable web applications. OWASP is the Open Web Application Security Project, a community that works to create freely available documentation, methodologies, and tools concerning web application security. The OWASP Broken Web Applications Project is distributed as a virtual machine in a VMware image. It's running outdated, vulnerable versions of some real-life web applications, such as phpBB and WordPress, but also some intentionally vulnerable applications created by OWASP and other projects.
Holynix is an Ubuntu Server install on a VMware image, which also runs on VirtualBox or Qemu. According to the README, the image requires a specific network configuration with a static IP address, which is cumbersome if the required network mask conflicts with your own network. Your author downloaded version 2 and ran it in VirtualBox. The project has a forum with help, including instructions about importing the distribution's image in VMware or VirtualBox. Just don't forget to enable PAE/NX and IO APIC in the virtual machine, or it won't boot.
If you start digging, you'll easily find a dozen vulnerable Linux
distributions that you can use to practice on. However, none of these
distributions really stands out from the crowd. Many of them are already
old —although that's not bad in this case, as it improves the chance
of finding vulnerabilities. An somewhat more painful issue is that many of
these distributions require a specific network configuration, which is a
barrier to quickly test them in an arbitrary network. Along the same line,
many of these projects are distributed as VMware images, which are not always easy to run in other hypervisors. Documentation is also an issue with many of these projects: while one could say that good pentesters will always have to be able to find their way on a foreign system, a little guidance could make these vulnerable distributions a more efficient tool for testing these tools and techniques. However, one thing is sure: pentesters that jump through all these hoops will be able to practice their techniques on a lot of different test targets.
to post comments)