To conduct a hacking test of a network, it is necessary to have several PCs.
For the Web hacking test in particular, it is necessary to build a Web server
and a database. It is somewhat expensive to invest in such equipment for only a
hacking study. Therefore, virtualization technology and open source software
can be used to resolve this issue. First, let's examine the virtualization
technology that we will use. Oracle provides a software utility called
VirtualBox that is free for use on your PC. VirtualBox can be used to install
various operating systems on virtual machines, each of which operates as a
separate PC.
7-1 The Concept of VirtualBox
Install Apache and MySQL to provide the Web server and the database. You can
use them for free because they are open source. As the site to hack, install
WordPress, a PHP-based open source application that supports blogging
features.
7-2 Concept of Test Environment
1. VirtualBox Installation
Let's install VirtualBox. Connect to the home page
(https://www.virtualbox.org/wiki/Downloads) and download the installation file.
Installation is simple: it completes automatically if you keep pressing the
“next” button.
7-3 VirtualBox download site
Create three virtual PCs: “server”, “client” and “hacker”. Build the website
to be hacked on the server PC, and develop the program that hacks the website
on the hacker PC. Perform the ordinary operations of a normal user on the
client PC.
7-4 Creating Virtual PCs
After creating the virtual PCs, install the operating system (Windows in this
case). VirtualBox supports the ISO format but can also recognize normal
installation files as follows.
7-5 Windows Installation
Once Windows is installed, the virtual PC can be booted. One issue is that the
clipboard cannot be shared. In order to test for hacking, data frequently needs
to be copied from the host computer and pasted into the virtual PC. In
VirtualBox, installing the guest extensions adds clipboard support.
7-6 Installing the Guest Extensions
If you click on “Device > Install guest extensions”, the extension modules are
installed in the virtual PC. Data can then be freely copied and pasted in both
directions by setting “Device > Sharing clipboard”.
2. APM Installation
Download the installation file for APM in order to set up your development
environment. APM is a collection of web system development tools that are
provided free of charge. APM is an abbreviation for Apache (Web server), PHP
(Web development language) and MySQL (database).
7-7 APM Download
The Soft 114 web site provides an executable file that can easily install APM
(http://www.wampserver.com/en/). Download the installation file and run it on
the server PC. If you see an error related to “MSVCR110.dll”, install
“VSU_4\vcredist_x86.exe” from the
“http://www.microsoft.com/en-us/download/details.aspx?id=30679” site.
7-8 APM completed installation
If you enter the address (http://localhost) in the Explorer address bar, you
can see the above screen. Click on phpMyAdmin (http://localhost/phpmyadmin) to
enter the MySQL Manager screen.
7-9 MySQL Administrator Screen
Click the “New” tab on the left menu and click the
“Users” tab in the upper right corner. When you click “Add user” at the bottom
of the window, this screen allows you to enter the user information.
7-10 Add User
For convenience, set both the account name and the password to “python”. After
installing WordPress, you can log in without additional work. Do not run
“Generate Password”. Click “Check All” in the “Global password” item.
7-11 Add User
Click the “Database” tab and create a new database. Enter “wordpress” as the
database name. If you click the “Check Privileges” entry at the bottom, you can
see that permission was given to the “python” account by default.
7-12 Database Creation
3. WordPress Installation
Now that the APM installation is complete, let's install the application that
will run on the Web server. I installed WordPress
(https://wordpress.org/download/release-archive/), which provides blogging
functions. For WordPress, it is necessary to download the 3.8.1 version.
7-13 WordPress Download
Unzip the downloaded file and copy it to the “c:\wamp\www” folder. This folder
is the Document Root directory that Apache recognizes by default. You can
change the document root directory, but accept the default settings for the
test.
7-14 Apache Document Root
When you create a file or folder in the document root, it is recognized by the
Web server. If you enter “http://localhost/wordpress” in the address bar, you
will see a screen similar to the following.
7-15 The Initial WordPress Screen
In order to set the WordPress preferences, click the “Creating a configuration
file” button. If you specify a MySQL account and a database, the related tasks
will be performed automatically.
Use the default values for the database name and database host. Enter the
database account and password that were set in MySQL in the “username” and
“password” items. Then press the “Submit” button to perform the tasks. After
completion, the next screen can be seen.
7-17 Completion of WordPress Preferences
Click the [Run the install] button to continue the installation. For
convenience, use “python” as the user name and password, as was previously set.
Pressing the [Install Wordpress] button will start the installation.
7-18 Enter the WordPress Installation Information
The next screen can be seen after completing a successful installation. Through
this simple process, WordPress provides various functions to create and manage
blogs. It is also possible to extend the functionality through various
plug-ins.
7-19 Complete WordPress installation
4. Virtual PC Network Preferences
To establish a connection between the virtual PCs, the network settings should
be changed. NAT, which is set by default, allows a connection to the Internet
via the host PC. However, it does not allow the virtual PCs to connect to each
other, so change the network setting to “Internal Network” and set “Promiscuous
Mode” to “Allow All”. Switch the setting from Internal Network back to NAT
whenever an Internet connection is needed.
7-20 Setting of the Internal Network of Adapter 1
Let's change the server PC environment so that the Web service installed on the
server PC can be invoked from the other PCs. First, turn off the Windows
Firewall to ensure a smooth test. Next, change the WordPress settings and enter
“server” instead of “localhost”.
7-21 Change the WordPress settings
The name “server” is a computer name that is still unknown to the virtual PCs.
You need to register the IP and the name of the server PC in all virtual PCs
(server PC, client PC, hacker PC). Windows provides a local DNS function by
using the hosts file. First, let's check the IP address of the server PC.
7-22 Check IP
Let's first run the cmd program. If you enter the “ipconfig -all” command, you
can see the IP. Now register the IP in the “hosts” file. The “hosts” file is
located in the “C:\Windows\system32\drivers\etc” folder. Let's open it with the
Notepad program. Register the IP in the form “IP name”. It is always necessary
to set it in the same manner for all three virtual PCs.
7-23 IP registration in the hosts file
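The requirement that all three virtual PCs carry the same “IP name” entry can be checked mechanically. The following Python code is an added example, not part of the original post; the hosts-file contents and the 192.168.0.10 address are constructed, and keeping the first entry when a name appears twice is an assumption.

```python
import ipaddress

def parse_hosts(text):
    """Map each host name (lower-cased) to its IP from hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # not "IP name", e.g. swapped
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)  # assumption: first entry wins
    return mapping

def check_lab(hosts_by_vm, name="server"):
    """Return a list of problems; an empty list means all VMs agree."""
    problems, seen = [], {}
    for vm, text in hosts_by_vm.items():
        ip = parse_hosts(text).get(name)
        if ip is None:
            problems.append(f"{vm}: no usable entry for '{name}'")
        else:
            seen[vm] = ip
    if len(set(seen.values())) > 1:
        problems.append(f"inconsistent IPs for '{name}': {seen}")
    return problems

# Constructed hosts-file contents for the three virtual PCs (not from the post).
SAMPLE = {
    "server": "# local names\n192.168.0.10 server\n",
    "client": "192.168.0.10\tSERVER   # web server VM\n",
    "hacker": "server 192.168.0.10\n",            # name and IP swapped
}

if __name__ == "__main__":
    for problem in check_lab(SAMPLE) or ["all three hosts files agree"]:
        print(problem)
```

With the constructed sample, the hacker PC is reported because its line puts the name before the IP, which is the mistake the “IP name” form guards against.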
Now that all of the necessary settings have been made, open a browser on the
client PC and enter the WordPress address of the server PC
(http://server/wordpress). When you see the following screen, it is a sign that
the test environment has been successfully set up. If the screen does not
appear correctly, you must confirm once again that the firewall of the server
PC has been disabled.
7-24 Client PC Execution result
Let's now create full-scale hacking programs. First, start with conventional
web hacking and then increase the scope to network hacking.