Ingredients:

1. Virtualization Softwares - To run different OS on your OS.
2. Kali Linux - Penetration Testing Distrubtion
3. Metasploitable 2 - Vulnerable OS based on Ubuntu linux
4. OWASP Webgoat - Vulnerable Web Application (includes lessons)

• Virtualbox or VMware workstation player can be used for creating the lab since both are free virtualization programs.
• We are using virtualbox here and our base OS is windows and we are installing Kali and Metasploitable 2 on windows through virtual box.

---

Recipe:
Virtual box networking

---

Setup an Internal Network with Virtualbox

On Windows:

Note: Above, Please replace 10.10.10 to 192.168.64

On Linux(Ubuntu):

vboxmanage dhcpserver add --netname mydhcpnetwork --ip 192.168.64.1 --netmask 255.255.255.0 --lowerip 192.168.64.2 --upperip 192.168.64.10 --enable

--netname mydhcpnetwork: The internal network will be named 'mydhcpnetwork'.

• This is the name you should then put inside your VM's Network > Adapter > (Internal network) > Name field.

--ip 192.168.64.1: The IP address of your DHCP server inside the internal network.
--netmask 255.255.255.0: The subnet mask.
--lowerip 192.168.64.2: The lower bound of the IP addresses that can be assigned to network members.
--upperip 192.168.64.10: The upper bound of the same thing.
--enable: Enable the DHCP server.

• To check the configuration in the cmd/terminal type

vboxmanage list dhcpservers

• Netmask is 255.255.255.0 because our virtual and non virtual machine should be on the same subnet.Confirm using ipconfig(windows) and ifconfig (Linux,Mac) commands.

Configuration of Ingredients:

1. Kali linux
   Ram 2GB
   Storage 20GB
   Network Adapter 1 - internal network ,name - mydhcpnetwork (using DHCP server and network created earlier)
   Adapter 2 - NAT (if you want to use the internet on kali)

• Settings>System>Processor> Enable PAE/NX
  You'll need PAE/NX if you are setting up a virtual, 32-bit OS and:

1. you need more than 4GB of memory (RAM)
   OR
2. you need to be able to make it so parts of memory cannot be used for executable code, e.g. if you have security concerns.

*Physical Address Extension (PAE), sometimes referred to as Page Address Extension

• In network configuration section while installing kali linux select the one with NAT interface (2^nd one)

2. Metasploitable 2
   Linux,Ubuntu 32bit
   RAM 512mb
   Storage 8GB
   Network same as above except do not enable NAT only configure network adapter 1.
   After installing and starting metasploit login and see the ip address and to learn more see Metasploit Setup Guide from Rapid7

3. OWASP Webgoat
   (Learn more : https://owasp.org/www-project-webgoat/)
   We are doing this in Kali VM.

Install JAVA and Apache Tomcat (Make Sure Java is in your path This should already be the case after you install Java. If it is not, add it to your path)

Browse and go to http://localhost:8080/WebGoat to get the login screen.

• WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.

• WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.

• Devices > Insert Guest Additions
  Now create shared folders to share files back and forth.

---

Finished Dish:

---

• If your Host OS (base OS) is Kali Linux then use Host Only adapter with Static IP for the vulnerable virtual machines,
  For different VMs you need to create different adapters.

• You can also use lightweight alternatives like Docker (with GUI-Portainer CE or Dockstation ) to build your lab.
  [Use parrot docker images , Kali images are bare bones - without tools]