
The first thing we’ll need to do is set up our secure lab environment. I’ll be using VirtualBox for this tutorial, but you’re welcome to use whichever hypervisor you prefer. By the time we’re finished, our lab will be configured as follows:

  • Attacker VM:
    • OS: Kali Linux (I’m using the 64-Bit VirtualBox OVA.)
    • Software: Python 3.7 (Preinstalled by default.)
    • Networking:
      • eth0: Bridged Adapter
      • eth1: Host-Only Network (vboxnet0)
  • Victim VM:
    • OS: Windows 7 (imported from an OVA.)
    • Software: Immunity Debugger with mona.py (Immunity installs Python 2.7 alongside itself.)
    • Networking:
      • Adapter 1: Host-Only Network (vboxnet0), and no other adapters.

For simplicity’s sake, I’ll also have a single shared folder visible to both VMs, which will allow me to download software to the victim machine without giving it access to the internet. Keep in mind that a VirtualBox shared folder is read-write in both directions unless you mark it read-only, so point it at a dedicated directory rather than your home folder: the victim can write to it too.

Note: Running multiple VMs simultaneously can be taxing on your computer. I advise at least 8GB RAM and a fairly modern quad-core (or better) processor, otherwise the system’s performance will suffer.

Configuring the Attacker VM

After importing the Kali OVA file into VirtualBox, I open the Settings menu and click to the Network tab. I enable Adapter 1 in Bridged Adapter mode and tell it to use my active wireless interface:

Attacker Adapter 1

I also enable Adapter 2 in Host-only Adapter mode, using the vboxnet0 network. A host-only network is a private network shared only by the host and the VMs attached to it, so Kali can reach the Victim VM over this adapter while the Victim VM never gets a route to the internet:

Attacker Adapter 2

Finally, I click the Shared Folders tab and add a shared folder that both VMs will be able to access (for simplicity’s sake):

Attacker Shared Folder

This allows me to develop the PoC scripts on the host machine in my preferred code editor, while actually running the scripts within the Attacker VM.

With all of this complete, I close the Settings menu, turn to the Snapshots menu and take a snapshot of the configured base system:

Attacker Snapshot

This will allow us to return to a pristine state, just in case we mess something up.

Configuring the Victim VM

After importing the Windows 7 OVA file into VirtualBox, I open the Settings menu and click to the Network tab. I enable adapter 1 in the Host-only Adapter mode, using the vboxnet0 network:

Victim Adapter 1

By setting this as the only network adapter available to the VM, I effectively establish a quarantine: its sole link is the private vboxnet0 network, which only the host and the Attacker VM can see. This is vital, as we’ll be making the Victim VM intentionally vulnerable, and we don’t want strangers finding and exploiting the vulnerability and gaining access to our network or systems. Practice good VM hygiene: keep your vulnerable VMs off the ‘net.

A few last things before the VM is ready to boot. First, I click to the Display tab and select the Screen submenu. I increase the Video Memory slider to 33MB, then make sure the Enable 2D Video Acceleration check-box is checked:

Configure Display

Next, I click to the Shared Folders tab and add the same shared folder I specified for the Attacker VM:

Shared Folder

This allows me to download files from the internet from the Attacker VM or the host, then use those files on the Victim VM, without ever allowing the Victim VM to touch the internet. This is the method we’ll use to download and install the vulnerable software in the following tutorials.

Finally, I close the Settings menu, click over to the Snapshots menu, and create a new snapshot of the clean and configured system:

Victim Snapshot
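Everything done in the Settings and Snapshots menus above, for both the Attacker VM and the Victim VM, can also be scripted with VBoxManage, VirtualBox’s command-line tool. The script below is an added example written for this tutorial, not part of the original walkthrough; the VM names, the OVA-derived names, the shared-folder path and the wireless interface name are assumptions you will need to adjust. Beyond reproducing the GUI steps, it adds the check I would want before booting a deliberately vulnerable VM: it reads `VBoxManage showvminfo --machinereadable` and refuses to continue unless adapter 1 is host-only on vboxnet0 and every other adapter is off.

```shell
#!/bin/sh
# Added example (not from the original tutorial): configure the lab with
# VBoxManage and verify the victim is quarantined on the host-only network.
# All names below are assumptions; override them with environment variables.
set -eu

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
ATTACKER="${ATTACKER:-Kali-Linux}"          # assumed VM name after OVA import
VICTIM="${VICTIM:-Windows7}"                # assumed VM name after OVA import
HOSTONLY_NET="${HOSTONLY_NET:-vboxnet0}"
BRIDGE_IF="${BRIDGE_IF:-wlan0}"             # assumed name of the host's wireless interface
SHARE_NAME="${SHARE_NAME:-lab}"
SHARE_PATH="${SHARE_PATH:-${HOME:-/tmp}/lab-share}"   # dedicated directory, not $HOME itself

# Attacker: adapter 1 bridged to the wireless NIC, adapter 2 on the host-only
# network, shared folder mounted, then a snapshot of the configured base system.
configure_attacker() {
    "$VBOXMANAGE" modifyvm "$ATTACKER" \
        --nic1 bridged --bridgeadapter1 "$BRIDGE_IF" \
        --nic2 hostonly --hostonlyadapter2 "$HOSTONLY_NET"
    "$VBOXMANAGE" sharedfolder add "$ATTACKER" \
        --name "$SHARE_NAME" --hostpath "$SHARE_PATH" --automount
    "$VBOXMANAGE" snapshot "$ATTACKER" take "Base Config"
}

# Victim: host-only on adapter 1 and explicitly nothing on the rest, so the only
# path out of this VM leads to the attacker. Also the display tweaks from above.
configure_victim() {
    "$VBOXMANAGE" modifyvm "$VICTIM" \
        --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_NET" \
        --nic2 none --nic3 none --nic4 none \
        --vram 33 --accelerate2dvideo on
    "$VBOXMANAGE" sharedfolder add "$VICTIM" \
        --name "$SHARE_NAME" --hostpath "$SHARE_PATH" --automount
    "$VBOXMANAGE" snapshot "$VICTIM" take "Clean Config"
}

# Read `showvminfo --machinereadable` output on stdin. Succeed only when nic1 is
# host-only on the expected network and nic2..nic8 are all "none".
victim_is_quarantined() {
    awk -v net="$HOSTONLY_NET" '
        /^nic1="/             { nic1 = $0 }
        /^hostonlyadapter1="/ { hoa1 = $0 }
        /^nic[2-8]="/ && $0 !~ /="none"$/ { bad = 1 }
        END {
            if (nic1 != "nic1=\"hostonly\"") exit 1
            if (hoa1 != "hostonlyadapter1=\"" net "\"") exit 1
            exit bad
        }'
}

check_victim() {
    "$VBOXMANAGE" showvminfo "$VICTIM" --machinereadable | victim_is_quarantined
}

main() {
    configure_attacker
    configure_victim
    if check_victim; then
        echo "victim '$VICTIM' is quarantined on $HOSTONLY_NET"
    else
        echo "victim '$VICTIM' has an adapter that is not host-only; fix it before booting" >&2
        exit 1
    fi
}

# Only touch VirtualBox when explicitly asked, so the functions can be sourced safely.
if [ "${LAB_SETUP_RUN:-0}" = 1 ]; then main; fi
```

Run it with `LAB_SETUP_RUN=1 VICTIM=... ATTACKER=... sh lab-setup.sh` after importing both OVAs; the quarantine check is worth re-running on its own any time you change the victim’s settings, since a single stray NAT or bridged adapter undoes the isolation.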

With that, the Victim VM is ready to boot, which means it’s time to install Immunity Debugger and Mona.py. I download Immunity and Mona to the shared folder I established earlier, so they’ll be available within the VM.

Booting up the Victim VM, I browse to the shared folder, and find Immunity and Mona waiting for me:

Shared Files

I double-click the Immunity installer to begin the installation. When it asks if I want to install Python 2.7.1 on the system, I click “Yes.” I click through the rest of the installation steps, accepting the default values for everything. When the installation completes, I can see the Immunity Debugger icon on the Windows desktop.

Next, I return to the shared folder and extract mona-master.zip, then find the mona.py file:

Mona.py Found

I copy and paste the file into the PyCommands folder within the Immunity Debugger installation:

Mona.py Installed

With this complete, I start Immunity Debugger and type !mona in the command bar. The response shows that mona.py was installed successfully:

Mona.py Demo

I close Immunity Debugger and shut down the Victim VM. Then, I make a second snapshot called Debugger Installed, so I can return to this configuration quickly and easily:

Final Snapshot

With that, our VMs are set up and ready to roll!
