Wednesday, March 12, 2014

Setting up Ubuntu as a Penetration Testing and Development environment

Few activities that happened recently spiked my interest in Penetration Testing of systems and as a long term perspective I want to focus on developing this as an alternate skill.

In order to practice penetration testing I installed Kali Linux on my machine, which now had three operating systems multi-booting.
  1. Windows - just for my office work and Outlook email. I aim not to use this OS for anything more.
  2. Ubuntu - My OS of choice for development work (coding etc). In general I want this to be my OS for daily use.
  3. Kali Linux - My penetration testing practice host, because of all the cool tools that come pre-installed with it.
I am also severely starved on disk space so I wanted to avoid the duplicity introduced due to Kali and Ubuntu both being Linux platforms.Moreover Kali has a whole lot of tools - and I do agree that each may be needed - but it was not possible to learn everything at the same time nor use it.

So I thought, if it was possible to selectively and manually install the needed Kali Linux tools on my OS platform of choice Ubuntu, that would give me the best of both worlds. A quick google search and I was sure it was possible. So started this mini project of getting my Ubuntu configured for my needs.

Considerations
  • Ubuntu - I did not want to get the reminder to upgrade my system every six months. So I decided to go for the LTS (Long Term Support) version of Ubuntu, so 12.04 was the reasonable choice.
  • From a development perspective I definitely needed Eclipse, Maven, MySQL and Glassfish to start with. This was my bare minimum requirement from a development standpoint. This also means that I will need JDK. I decided to use Oracle JDK as compared to OpenJDK.
  • From a penetration testing standpoint, Virtualbox is essential because you will need a target system to test your penetration testing skills against. 
  • Additionally we will manually install selected Kali Linux tools.
So this is how i went about doing it. Lets first setup the development part as it is mostly straight forward.
  1. So I first started with repartitioning my HDD. I did not have a spare disk to backup my entire HDD contents. I am a big for of Eseaus Partition Master Home Edition. It helps me alter the size of Windows as well as Linux partitions on the fly, without needing to backup the data, which one should ideally, but not mandatory as the data is still preserved post partition. I kept about 25 GB for my Ubuntu Partition.
  2. I used the method described at http://www.ubuntu.com/download/desktop/install-desktop-long-term-support to install Ubuntu 12.04 LTS
  3. Then I installed Ubuntu Tweak as mentioned at http://www.noobslab.com/2012/11/install-ubuntu-tweak-082-in-ubuntu.html
  4. Install Oracle JDK 7 as mentioned at http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html
  5. Downloaded the latest Apache maven tarball from http://maven.apache.org/download.cgi and extracted it as /opt/apache-maven-3.1.1
  6. Downloaded the eclipse Linux tarball from http://www.eclipse.org/downloads/ and extracted it as /opt/eclipse. The step that follows is optional, but I like having the eclipse icon in the unity sidebar for easy access. To add the same I executed /opt/eclipse/eclipse. Once eclipse starts, I right clicked the icon in the side bar and selected lock to sidebar option. This will ensure that eclipse icon will be available in the sidebar.
  7. To install Mysql, I used the command apt-get install mysql-server.
  8. To install Glassfish, I preferred to download the native installer than to use apt to install the same. Go to https://glassfish.java.net/download.html  and use the section on the right hand side to create a native installer per your need. I selected Full Java EE platform, Native Installer, Linux, English which resulted in t a link to glassfish-4.0-unix.sh. I preferred to install it in /opt/glassfish4 directory.
  9. Create the following three files in the /etc/profile.d directory to ensure that the environment variables and paths are properly set each time. These are bash specific.
jdk.sh 
export J2SDKDIR=/usr/lib/jvm/java-7-oracle
export J2REDIR=/usr/lib/jvm/java-7-oracle/jre
export PATH=$PATH:/usr/lib/jvm/java-7-oracle/bin:/usr/lib/jvm/java-7-oracle/db/bin:/usr/lib/jvm/java-7-oracle/jre/bin
export JAVA_HOME=/usr/lib/jvm/java-7-oracle
export DERBY_HOME=/usr/lib/jvm/java-7-oracle/db


maven.sh 
export M2_HOME=/opt/apache-maven-3.1.1
export M2=$M2_HOME/bin
export PATH=$PATH:$M2


glassfish.sh 
export GLASSFISH_HOME=/opt/glassfish4/glassfish
export PATH=$PATH:$GLASSFISH_HOME/bin

  1. Re login and open a terminal and use the 'env' command to ensure that the environment variables and PATH is set appropriately.
With this step we have completed the setup if the system from a development perspective. Now we will start setting up the system to be used as a penetration testing platform.
  1. The exact steps to follow are available at http://www.fileswap.com/dl/X8gJZ7XxB/Kali_Linux_&_BackTrack_Tools_on_Ubutnu.txt.html. The entire process can also be seen in the following video too. Credits go to iExploit. While this video talks about installing both Kali and Backtrack tools, for now I plan to only install the Kali tools selectively.
  1. We will need a system to practise our learning on the security front. If you have a spare machine on your network, it is the best, if not, as in my case, we will revert to creating a virtual machine. For the same let us first install virtualbox in Ubuntu (our host OS). I downloaded the appropriate virtualbox installer from https://www.virtualbox.org/wiki/Linux_Downloads. The installer will be a deb file. to install in Ubuntu simply double click the deb file and the installation process will start. While starting virtual box you may notice an error reported. It is a known issue, refer to https://help.ubuntu.com/community/VirtualBox#Common_issues to know more about the issue and the resolution.
  2. While Ubuntu comes pre-installed with Firefox, there is a special version of Firefox created for Penetration Testers called OWASP Mantra. You can go ahead and install Mantra if you want. Optionally you can select the required Firefox plugins to get the same functionality as provided by OWASP Mantra in the existing Firefox browser. To get a list of all Firefox extensions that are part of the OWASP Mantra suite see the following Firefox addon list - https://addons.mozilla.org/en-US/firefox/collections/dennis_groves/owa/ 
So now we are set with the tools that we can use to do development (based on my need) and also practise some penetration testing.

To aid you in your work and to help you locate the Kali Linux tools in Unity desktop refer to my other post, Kali Linux Menu in Ubuntu Unity desktop .

In future posts we will try to download some vulnerable systems and try the tools out and also do some development.

3 comments:

  1. The URL
    http://www.fileswap.com/dl/X8gJZ7XxB/Kali_Linux_&_BackTrack_Tools_on_Ubutnu.txt.html
    and the embedded video are broken link.
    Please, could you fix it?

    ReplyDelete
  2. I really like your article about "Penetration testing ",..Thanks for sharing with us,.

    ReplyDelete
  3. i was searching for such type of blog that tells about penetrating testing,
    It's really nice,
    Cybersecurity

    ReplyDelete