This semester I have a great excuse to learn the Metasploit framework since it is a required topic for the course on Penetration Testing I’m taking at Seneca.

I want to document the steps of being introduced to metasploit from a software developer’s point of view.
I've never used metasploit before and the goal by the end of the semester if to be fairly fluent with the framework.

To get started I want to cover the environment installation.

1. Choosing virtualization tool

My dev machine is a mac, I’m running Mavericks.
There are a few options to virtualize an OS on a mac.
You could use Paralles, VMWare or VirtualBox. There is also the possibility of running containers but that’s the topic of another post.
So between the main three virtualization tools, hands down VirtualBox is the best  if you plan to run linux OS. It comes with pointer integration and drag and drop out of the box while Paralles and VMWare don’t. Also we can’t forget the fact that VirtualBox is free which makes even easier to get started with.

VirtualBox website

2. Planning network architecture

Once I had the tools in place to virtualize my environment it was time to plan out the network configuration.
I’m sticking with a very basic setup:
network: 10.10.0.0/24
static pool: 10.10.0.1-100
dhcp pool: 10.10.0.101-254
domain: dpi902.shogun
hosts: {osName}{number}

To create a network on VirtualBox is very simple, only a few steps required:
Screen Shot 2014-01-28 at 9.39.31 PM

Screen Shot 2014-01-28 at 9.39.27 PM

Screen Shot 2014-01-28 at 9.39.19 PM

To get more information on the network types supported by VirtualBox check out their manual:https://www.virtualbox.org/manual/ch06.html

3. Configure Interfaces

With the host-only network created, the next step is to configure the network interfaces of the VMs you’ll be using. I’m starting with Kali and Metasploitable-2

I like to set up as the eth0 the host-only network I’ll be configuring the static IPs.
eth2 I leave for the bridge interface where I’ll get internet connection whenever needed.
Screen Shot 2014-01-28 at 9.44.14 PM

Screen Shot 2014-01-28 at 9.44.08 PM
Since Kali and Metasploitable are debian base we can set static ips the same way we do it on ubuntu:

vim /etc/network/interfaces

 
 $: vim /etc/network/interfaces

 auto eth0  
 iface eth0 inet static  
 address 10.10.0.22  
 gateway 10.10.0.1  
 brodcast 10.10.0.255  
 netmask 255.255.255.0

auto eth1  
 iface eth1 inet dhcp

post-up route add default gw 10.0.0.1 metric 2  
 pre-down route del default gw 10.0.0.1  

A couple of things to note:

  1. By simply adding a virtual interface to VirtualBox doesn’t mean that it will be brought up by default by the network service, it needs to be brought up manually or configure in the interfaces file.
  2. I guess since I’m bridging eth1 the default gateway being used is from eth0, which doesn’t have internet connection. To circumvent the problem I just set the default gateway manually when the network service gets started. One issue I foresee with this is when I use a network with a segment different than 10.0.0.0. I’ll need to do some more readings on this topic but I’m thinking of configuring the gateway dynamically or setting the bridge interface on eth0. We’ll see.

So that’s pretty much it.
An environment to play around with metasploit

TODO:
Use the virtualbox api in conjunction with puppet to orchestrate the deployment/config of VMs in a test environment.