How we build our penetration testing servers


In this 5 part series, I will be running through how to go about building a pentest server. This is one of the modules I cover with students and interns and I often find myself surprised at how uneasy people feel when they have no GUI.


Posted on 2020-10-05 by Peter Bassill in category Guides.






So, why would you be building a pentest server? The most obvious answer is when you want something on the internet, possibly hosted in a cloud environment, to help you with engagements.


First things first. It does not matter which provider you use. Some are better, some are cheaper. I use Digital Ocean. Find one you like. In this series, we are using Ubuntu 20.04 LTS. It is our base operating system and we join this series with a fresh install.


Building a Pentest Server - The Steps


Step 1 - Get up to date


When building a pentest server we want everything up to date. So the very first thing we want to do is bring the server up to date. We can do this very simply, by refreshing the package lists and then upgrading:


apt update
apt upgrade

Next we set the hostname. This is because we like to keep things logical. For our server, it is called bumblebee.


hostname bumblebee
echo "bumblebee" > /etc/hostname

Step 2 - Adding user groups


We are going to have some users who can use sudo to run with root permissions and we are going to have some users who can not. All users will need to be able to SSH onto the server, so the easy way to facilitate this is to have an SSH group. We shall create that group very easily with the addgroup command:


addgroup sshusers

Of course, you can use whatever group name you like.


Step 3 - Add the users


This is really important. You do not want to be connecting with the root user, as we will be effectively disabling root in a moment. So, we add our users. Add yours as you wish, just change thing to the username you want.


adduser thing

You will be prompted through the user setup and will be asked to enter the password twice. Be darn sure to add a very strong password.


With the user set up, we need to give that user sudo rights by adding them to the sudo group. We can do this very easily with usermod. While we do this we can add the user to the ssh users group too:


usermod -a -G sudo thing
usermod -a -G sshusers thing

Now would be a great time to SSH to your server with your new user, use sudo -s to gain root permissions and then continue with this Building a Pentest Server guide.


Step 4 - Adding a webserver


Next step is to add a web server. We won't be using the webserver all the time, but it can be helpful for the people you are testing to be able to see that the server belongs to you. We install apache2 on our systems. Installing it is simple. Use the following command:


apt install apache2

And that is it. When building a pentest server, we will always add an explanatory splash page.


Our server will be exposed on the internet. This means that it will certainly be probed by automated scripts and curious people. So let's make it nice and secure.


Security Step 1 - Secure SSH


To secure SSH, first back up the sshd_config file in the /etc/ssh directory:


cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

Now replace /etc/ssh/sshd_config with the following:


Port 22
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
# Protocol, UsePrivilegeSeparation, KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication and RhostsRSAAuthentication are deprecated in the OpenSSH
# shipped with Ubuntu 20.04; sshd warns about them and carries on. Ubuntu 20.04
# also does not generate ssh_host_dsa_key, so that HostKey line is logged as
# not loadable. They are kept here as in the original list.
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
AllowGroups sshusers
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

Now, make very sure that you update the line AllowGroups sshusers with the name of the user group you created for all your ssh users. If you do not, then when you come to log back in you will find you can't. Following this, it is a very good idea to restart ssh. Then log in using a different terminal, keeping your current session open. If it works, you are good to continue.
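Because a wrong AllowGroups value locks every account out, here is an added pre-flight check (example code, not from the original guide) that reads the values sshd would actually use from a config file and refuses when the group or root-login settings are off. The sample config it writes is constructed to mirror the settings above; on a real server point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: pre-flight check of an sshd_config before restarting sshd.
# sshd honours the FIRST occurrence of a keyword, matches it case-insensitively
# and ignores '#' lines; sshd_setting reproduces those rules.
sshd_setting() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_preflight CONFIG GROUP: returns 0 when members of GROUP can still log
# in and root login is off; otherwise prints each problem and returns 1.
sshd_preflight() {
    cfg=$1; group=$2; rc=0
    allowed=$(sshd_setting "$cfg" AllowGroups)
    case " $allowed " in
        *" $group "*) ;;
        *) echo "AllowGroups '$allowed' does not include '$group'" >&2; rc=1 ;;
    esac
    [ "$(sshd_setting "$cfg" PermitRootLogin)" = no ] ||
        { echo "PermitRootLogin must be 'no'" >&2; rc=1; }
    [ "$(sshd_setting "$cfg" PubkeyAuthentication)" != no ] ||
        { echo "PubkeyAuthentication is disabled" >&2; rc=1; }
    return $rc
}

# Constructed sample mirroring the guide's settings (only the keys we check).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
PermitRootLogin no
AllowGroups sshusers
PubkeyAuthentication yes
# AllowGroups admins   <- commented out, so it must not count
EOF

sshd_preflight "$SAMPLE" sshusers && echo "safe to restart sshd for sshusers"
sshd_preflight "$SAMPLE" admins || echo "refusing to restart: admins would be locked out"
```

On the server, run it against /etc/ssh/sshd_config and follow with sshd -t for a syntax check before restarting the service.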


Security Step 2 - Kill root


We don't like root. Root is evil. Let's disable root. The best way to do this is to reset the root password. While we are at it, let's have the root password change every day. That sounds difficult to do but it is in fact very simple.


To do this, simply run the following commands:


RPASSWD=`openssl rand -base64 32`
echo "root:$RPASSWD" | chpasswd

To make the root password update every day, we need to add this to root's crontab. We do this by using the crontab command when we are root or using sudo. Use your favourite editor when prompted.


0 2 * * * RPASSWD=$(openssl rand -base64 32) && echo "root:$RPASSWD" | chpasswd > /dev/null 2>&1

What we have done above is set the root password to change to a 32 character password at 2am every day.


Security Step 3 - Add a firewall


You all know that someone at some point will try and break in, so let's use UFW. UFW is the Uncomplicated Firewall.


ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw enable

When it comes to test time, all you need to do is open the inbound ports you want. It is very easy:


ufw allow 2222

Replacing 2222 with the port you want to allow inbound.


Finish


There we go, a server all set up on the internet ready for you to test from. Our next article will be on installing Metasploit. Enjoy.


Remember, for all your Penetration Testing requirements, Hedgehog Security is here to help.


