How To Perform Penetration Testing On A Virtual Machine




Data analysis, storage and virtual machine deployments have become in-house terms for most large organizations around the world. Why is that? Why is it that more and more IT professionals are seeking cloud certification and training? As cloud computing becomes more and more popular, organizations around the world have started to acknowledge the immense benefits the format can bring to them in terms of cost and increased productivity.

In response, the demand for individuals who can deploy most workload on a virtual machine and maintain it successfully has increased considerably. With the transfer of most company data on virtual machines, there arises a need of successful penetration testing in the field of cloud computing. Since most data is sensitive and company owned, it is better to be safe than sorry. A cloud computing certification can help individuals become professional penetration testers for organizations shifting their workload on a virtual platform.

Let’s look at the process of setting up a successful penetrations testing system for your virtual machines:

Required Software

  • Windows XPOS virtual image
  • Kali Linux Virtual Image
  • VMware Workstation

Once the VMware workstation has been installed, your next step will be to download a VMware image of your windows OS which will be used to practice the attacks. The Windows XP or Vista server 2003 can be used for this purpose as they have a lot of security issues.

After the image file has been downloaded, you will find it in the .iso format, open the VMware workstation, and go to file and select “New virtual machine.” Select the .iso file for your windows to continue.

Follow the instruction on the screen to install Windows XP on your current workstation.

In the new virtual machine wizard window, you will see the “Customize Hardware” button on the lower left side. Click it to use custom settings for USB settings, memory, RAM allocation, etc.

You can select the preferred power options on the virtual machine after its creation, and then click next, your virtual machine will be up and running.

Configuring Vulnerable Web Apps

Numerous web applications are available actual testing can be performed for training purposes.

Applications include:

Damn Vulnerable Web Applications (DVWA): it is a PHP, MySQL and PHP based app. It needs to be hosted locally.

OWASP WebGoat:J2EE based web application also needs to be hosted locally.

Now let’s begin with hosting an application on a virtual machine. Do the following to set up a web server to host the application:

  1. Download XAMPP and install.
  2. After the installation is complete, click the start button in the control panel to start MySQL and Apache services.
  3. Dowload and Extract DVWA and name it as “dvwa.” Go to the folder “C:\xampp\htdocs” and shift the contents folder to a different place.
  4. Copy the previously created “dvwa” folder to “C:\xampp\htdocs.”
  5. Access http://127.0.0.1/dvwa/login.php from the Address bar.

After these steps, the database setup page will be displayed,

  1. Access the config folder and open the “config.inc” file through notepad.
  2. Look for the value “$_DVWA[ ‘db_password’ ] = ;” and remove its value.
  3. Refresh your browser.
  4. Enter credentials “admin/password” to log in.

With these steps you have successfully configured your web browser by hosting an application on it. Now the application can be accessed using Kali Linux or BackTrack and practice the attacks.

In the case you are shown the access forbidden page, go to the dvwa folder and open “HTACCESS FILE.” Find the “allow from” line and enter the same IP address used for the Kali Linux Machine here. This will allow you to access the page and you are ready to practice penetration attacks on your virtual machine

When you receive your cloud computing training, you will be taught different methods to create virtual machines and practice different types of known attacks, when you are out in the field, your cloud certification will allow you a significant advantage when it comes to detecting or in a better case preventing penetration attacks.

About The Author
Dennis
Enterprise Account Manager at QuickStart

Dennis Tello

Dennis is a passionate individual with eight years of experience in the industry. He loves working with organizations large and small, helping them train their technology teams. He specializes in DevOps training and has helped a number of organizations turn their IT teams into game-changers.