LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Deliberately insecure Linux distributions as practice targets

April 6, 2011

This article was contributed by Koen Vervloesem

There are a lot of penetration testing (aka pentest) tools, but they are not always easy to learn, so you need practice — a lot of practice. Before using these tools on a live environment, you need to set up a test environment, install some services with vulnerabilities, and then try to break into it. Fortunately, pentesters don't have to do all this preparation themselves, as this is a niche where a couple of Linux distributions can be found. We'll take a look at a few of these deliberately insecure Linux distributions, which can be run on an isolated network or in a virtual machine to be targeted with your pentesting tools or exploits. On the attacker's side, you could use a distribution like BackTrack or a pentesting tool like the Metasploit Framework.

Damn Vulnerable Linux and Metasploitable

Probably the most well-known vulnerable Linux distribution is Damn Vulnerable Linux, but at this moment the website has the message "We are working. DVL 2.0 might appear in summer 2011" and there doesn't seem to be a way to download the most recent release, 1.5 (which dates from January 2009), so your author couldn't review DVL. The idea, however, is simple: DVL is shipped as a distribution that is as vulnerable as possible, for learning and research purposes for security pentesters and students. DVL was built by Thorsten Schneider, a security researcher at Bielefeld University in Germany, as a training system that he could use for his university lectures, to teach topics like buffer overflows, SQL injection, and so on.

Another well-known vulnerable Linux distribution is Metasploitable, an Ubuntu 8.04 server install on a VMWare image. This install includes a number of vulnerable packages, such as a Tomcat 5.5 servlet container with weak credentials, ssh and telnet accounts with weak passwords, along with outdated versions of distcc, tikiwiki, twiki, and MySQL. Metasploitable is meant as a practice target for the Metasploit Framework, but of course you can also use it to test other pentesting tools. Moreover, the virtual disk is non-persistent, so all damage you do to the system while pentesting disappears after a reboot. Metasploitable can easily be installed in VirtualBox: just add the vmdk file as a new virtual hard disk to VirtualBox and create a new Linux VM with this hard disk as the boot disk. Just don't forget to enable IO APIC in the virtual machine.

LAMPSecurity

An especially interesting vulnerable machine (or rather, a set of virtual machines) is LAMPSecurity. There is a CentOS based virtual machine that can be used as the attacker's operating system because it becomes preloaded with many attack tools, and another CentOS based virtual machine as the target, named Capture The Flag. Unfortunately, your author couldn't get these images, distributed as VMware images, to boot on VirtualBox. However, the Capture The Flag image comes with a tutorial PDF that demonstrates how to chain together a series of vulnerabilities to be able to completely compromise the target system. The document describes one possible path to get root, but of course there are other ways to compromise the target, so after reading the document, users can surely apply what they have learned to further explore the target.

The tutorial begins with scanning the target with the vulnerability scanner Nikto, which is specialized in testing web servers for interesting files and directories (e.g. a public /phpmyadmin) and vulnerable web server software. It also identifies the version numbers of Apache and PHP, which are useful to search for vulnerabilities that apply. Then the tutorial shows how to use Paros as a web proxy in the browser, so the pentester can intercept requests to the target: all requests and responses are registered and can be investigated in the Paros program to look for vulnerabilities in a web application.

In the next step of the tutorial, the user is guided to identify an SQL injection vulnerability in the target's web site. This section is a particularly interesting introduction to SQL injections, with a step-by-step explanation spelled out in detail, including how to get access to system files. In the last step, the tutorial builds upon this SQL injection with a local privilege escalation to get an interactive root shell for the attacker.

De-ICE PenTest

The most comprehensive vulnerable distribution project is definitely the De-ICE PenTest Lab, the brainchild of penetration tester Thomas Wilhelm. When he had to learn as much about penetration testing as possible in a short time, he found no usable targets to practice on, so he created his own live CDs: two "Level 1" ISO images and one "Level 2" image. On the attacker's side, Wilhelm recommends BackTrack. Unfortunately, the target machines have an hardcoded IP address, which can conflict with your own network's address range.

Each of the ISO images is meant to be used in a specific real-world scenario: for the first Level 1 image, you are hired by a small company to pentest an old server that has a web-based list of the company's contact information. The scenario for the second Level 1 image is a little tougher: the target system is an FTP server that has been used in the past to maintain customer information but has been sanitized, and you have to show that you can get sensitive information out of the server. In the Level 2 scenario, you should identify any vulnerabilities you can find, and you get the permission to cause damage.

De-ICE PenTest also has a forum, where users can discuss the challenges for the three ISO images and get some help (warning: there are spoilers in the forum). On the wiki, there are also some video walkthroughs. Of course these contain major spoilers, so you probably want to wait for them until you have completed the challenges.

Other projects

There are a lot of other projects. The Virtual Hacking Lab has the same approach as LAMPSecurity: it distributes an ISO image to run on the attacker's side (the security-focused Gentoo derivative live CD Pentoo), and offers some vulnerable images to run as the target machines. For instance, a directory lists quite a few vulnerable distributions. Unfortunately, the project doesn't come with comprehensive documentation.

The OWASP Broken Web Applications Project is, like its name says, focused on vulnerable web applications. OWASP is the Open Web Application Security Project, a community that works to create freely available documentation, methodologies, and tools concerning web application security. The OWASP Broken Web Applications Project is distributed as a virtual machine in a VMware image. It's running outdated, vulnerable versions of some real-life web applications, such as phpBB and WordPress, but also some intentionally vulnerable applications created by OWASP and other projects.

Holynix is an Ubuntu Server install on a VMware image, which also runs on VirtualBox or Qemu. According to the README, the image requires a specific network configuration with a static IP address, which is cumbersome if the required network mask conflicts with your own network. Your author downloaded version 2 and ran it in VirtualBox. The project has a forum with help, including instructions about importing the distribution's image in VMware or VirtualBox. Just don't forget to enable PAE/NX and IO APIC in the virtual machine, or it won't boot.

Practice

If you start digging, you'll easily find a dozen vulnerable Linux distributions that you can use to practice on. However, none of these distributions really stands out from the crowd. Many of them are already old —although that's not bad in this case, as it improves the chance of finding vulnerabilities. An somewhat more painful issue is that many of these distributions require a specific network configuration, which is a barrier to quickly test them in an arbitrary network. Along the same line, many of these projects are distributed as VMware images, which are not always easy to run in other hypervisors. Documentation is also an issue with many of these projects: while one could say that good pentesters will always have to be able to find their way on a foreign system, a little guidance could make these vulnerable distributions a more efficient tool for testing these tools and techniques. However, one thing is sure: pentesters that jump through all these hoops will be able to practice their techniques on a lot of different test targets.

(Log in to post comments)

DVL 1.5

Posted Apr 8, 2011 9:59 UTC (Fri) by tsr2 (subscriber, #4293) [Link]

DVL 1.5 seems to be available at http://www.computerdefense.org/dvl/

Deliberately insecure Linux distributions as practice targets

Posted Apr 14, 2011 11:49 UTC (Thu) by jnareb (subscriber, #46500) [Link]

There is also Google's Gruyere deliberately insecure web app:
http://google-gruyere.appspot.com/

Deliberately insecure Linux distributions as practice targets

Posted Apr 20, 2011 6:37 UTC (Wed) by robbe (subscriber, #16131) [Link]

The nitpick being, that real (Swiss) Gruyère cheese has no holes...

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds