This semester I have a great excuse to learn the Metasploit framework since it is a required topic on the course on Penetration Testing I’m taking at Seneca.
I want to document the steps of being introduced to Metasploit from a software developer’s point of view.
I had never used Metasploit before, and the goal by the end of the semester is to be fairly fluent with the framework.
To get started I want to cover the environment installation.
1. Choosing virtualization tool
My dev machine is a Mac; I’m running Mavericks.
There are a few options to virtualize an OS on a Mac.
You could use Parallels, VMware or VirtualBox. There is also the possibility of running containers, but that’s the topic of another post.
So between the main three virtualization tools, hands down VirtualBox is the best if you plan to run a Linux OS. It comes with pointer integration and drag and drop out of the box while Parallels and VMware don’t. Also we can’t forget the fact that VirtualBox is free, which makes it even easier to get started with.
2. Planning network architecture
Once I had the tools in place to virtualize my environment it was time to plan out the network configuration.
I’m sticking with a very basic setup:
static pool: 10.10.0.1-100
dhcp pool: 10.10.0.101-254
To get more information on the network types supported by VirtualBox check out their manual: https://www.virtualbox.org/manual/ch06.html
3. Configure Interfaces
    # eth0: static address, no internet connection
    auto eth0
    iface eth0 inet static
        address 10.10.0.22
        gateway 10.10.0.1
        broadcast 10.10.0.255
        netmask 255.255.255.0

    # eth1: bridged, DHCP; default route set manually
    auto eth1
    iface eth1 inet dhcp
        post-up route add default gw 10.0.0.1 metric 2
        pre-down route del default gw 10.0.0.1
A couple of things to note:
- Simply adding a virtual interface to VirtualBox doesn’t mean that it will be brought up by default by the network service; it needs to be brought up manually or configured in the interfaces file.
- I guess since I’m bridging eth1 the default gateway being used is from eth0, which doesn’t have internet connection. To circumvent the problem I just set the default gateway manually when the network service gets started. One issue I foresee with this is when I use a network with a segment different than 10.0.0.0. I’ll need to do some more reading on this topic but I’m thinking of configuring the gateway dynamically or setting the bridge interface on eth0. We’ll see.
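As an added example (not part of the original post), here is a small Python check that parses an interfaces file like the one in step 3 and compares it with the address plan from step 2. It flags misspelled options, static addresses outside the static pool, a broadcast address that does not match the netmask, and hard-coded default routes. The names `parse_interfaces`, `check` and `KNOWN` are hypothetical, and the sample file is constructed from the post's values.

```python
import ipaddress
# Static pool from step 2 of the post.
STATIC_POOL = (ipaddress.ip_address("10.10.0.1"), ipaddress.ip_address("10.10.0.100"))
# Assumption: only the ifupdown options used in the post are treated as known.
KNOWN = {"address", "netmask", "gateway", "broadcast", "post-up", "pre-down"}
# Constructed sample mirroring the post's configuration.
SAMPLE = """\
auto eth0
iface eth0 inet static
    address 10.10.0.22
    gateway 10.10.0.1
    broadcast 10.10.0.255
    netmask 255.255.255.0
auto eth1
iface eth1 inet dhcp
    post-up route add default gw 10.0.0.1 metric 2
    pre-down route del default gw 10.0.0.1
"""

def parse_interfaces(text):
    """Return {iface: {"method": str, "options": [(key, value), ...]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments sit on their own line
            continue
        words = line.split(None, 1)
        if words[0] == "iface":
            name, _family, method = words[1].split()[:3]
            current = stanzas[name] = {"method": method, "options": []}
        elif words[0] in ("auto", "allow-hotplug"):
            current = None  # these lines end the previous stanza
        elif current is not None:
            current["options"].append((words[0], words[1] if len(words) > 1 else ""))
    return stanzas

def check(text):
    findings = []
    for name, st in parse_interfaces(text).items():
        opts = dict(st["options"])
        findings += [f"{name}: unknown option '{k}'" for k in opts if k not in KNOWN]
        if st["method"] == "static" and {"address", "netmask"} <= opts.keys():
            net = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}")
            if not STATIC_POOL[0] <= net.ip <= STATIC_POOL[1]:
                findings.append(f"{name}: {net.ip} outside static pool")
            if "broadcast" in opts and ipaddress.ip_address(opts["broadcast"]) != net.network.broadcast_address:
                findings.append(f"{name}: broadcast does not match netmask")
        findings += [f"{name}: hard-coded default route: {v}" for k, v in st["options"] if k == "post-up" and "default gw" in v]
    return findings
```

Calling `check(SAMPLE)` reports only the hard-coded default route on eth1, which is the portability issue noted above when the bridged network is not 10.0.0.0.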
So that’s pretty much it.
An environment to play around with Metasploit
Use the VirtualBox API in conjunction with Puppet to orchestrate the deployment/config of VMs in a test environment.