Easy Penetration Testing Lab Setup on Our Computer

"Practice makes Perfect".

Practicing of an activity or skill is the best way to become pro in it. It is applicable on any field. This is also applicable for cybersecurity and bug bounty. But here we got a problem.

We can not test our penetration testing skills anywhere, because attacking any system or website without proper permission is illegal. The solution is we can host our own website/server on our localhost system and practice there. Means we need to create our own penetration lab and practice there.

We can practice our skills and try to find bugs on our localhost web application. Many web applications are available in the market with bugs. They put bugs intentionally so that we can practice our skills. We have already discussed these on our DVWA and bWAPP tutorial. Not only two there are more buggy web applications available.
Easy Penetration Testing Lab Setup on Our Kali Linux

For better practice we need to use them but installing and configuring different vulnerable web applications on our system is a lengthy and boring process.

In this tutorial we are going to learn how we can easily manage these web applications on our localhost system and make a better penetration testing lab.

We use a GitHub tool called "pentestlab". This bash script is used to install and manage those buggy web applications automatically on our localhost system.

Let's open the terminal in our Kali Linux system and clone pentestlab from it's GitHub repository by using following command:

git clone https://github.com/eystsen/pentestlab
The screenshot of the command is following:
clonning pentestlab on our system
After it cloned in our machine we need to navigate to it's directory by using cd command:

cd pentest lab
Then we need to install docker in our system.

Now what is docker and how it works? We have a detailed article on it for beginners, check it out now. We are not going in depth in this article.

We use the following command to install docker in our system:
sudo apt install docker.io -y
This command will install docker in our system.

Now after this installation we are ready to use this pentestlab in our system.
Let's start by using the list of vulnerable web apps we are getting with this tool.

For this we use following command:
./pentestlab.sh list
The screenshot is following:

list of web application
We can see in the screenshot that we are getting lots of vulnerable webapps. The list is following:
  1. bwapp -- bWAPP
  2. webgoat7 -- WebGoat 7.1
  3. webgoat8 -- WebGoat 8.0
  4. dvwa -- Damn Vulnerable Web App
  5. mutillidae -- Mutillidae II
  6. juiceshop -- OWASP Juice Shop
  7. vulnerablewordpress -- WPScan Vulnerable WordPress
  8. securityninjas -- OpenDNS Security Ninjas
  9. altoro --Altoro Mutual
Now we can start any of the above web application on our system. For an example we start bwapp on our machine. To start bwapp on our machine we use following command:
./pentestlab.sh start bwapp
For the first run it will download the bwapp docker image and store in our machine and then start it. It will take a minute depending on our internet speed.

After downloading it will start bwapp on our machine.

We already downloaded bwapp and running for second time so we don't need to wait, we can see that bwaap is started on our docker in the following screenshot.
started bwapp in docker using pentestlab

Now in the following screenshot we can see that we have started bwapp on our system using this time saving way without any error. It also shows us the default credentials of bwapp. Also pentestlab tool set a host name in our /etc/hosts configuration, also given instruction that we need to go to http://bwapp/install.php for first time one click installation. To do this manually we need to go through a lengthy process. To check that process go to our bwapp installation tutorial.
bwapp on Kali Linux
We just need a click to install it

Now for another example we start OWASP WebGoat 8.0 on our system. To do this we apply following command in our terminal:
./pentestlab.sh start webgoat8
In the following screenshot we can see that our pentestlab tool is downloading webgoat8 on our system.
downloading webgoat8 docker image on local machine
After the download complete it will start webgoat8 on our system as we can see in the following screenshot.
webgoat8 install with one command
Webgoat8 download and started in one command
We can see that it mapped webgoat8 docker in or we can simply open http://webgoat8 on our browser.

We are starting a lab using start command and when we need to stop it we can use stop command. If we want to stop webgoat8 then we need run following command:
./pentestlab.sh stop webgoat8
After this command WebGoat8 will stop and the host name is removed from /etc/hosts file, as we can see it on following screenshot.
webgoat8 stopping

This way we can easily host our vulnerable web server on our system by using docker. This is a very efficient way to set up our penetration testing laboratory and practice more. Practicing more will improve our skills also visiting our website regularly will show the way of improvement 😎.

Also don't forget to follow us on Medium and Twitter we post updates about our articles there. Got trouble to set own penetration testing lab ? Comment below we always happy to help everyone.

No comments:

Please do not spam here. It is comment box not a spambox. Promotional links are not allowed.

Powered by Blogger.