
Penetration Testing Lab Setup on Digital Ocean

Updated: Aug 11, 2023

"Security isn’t something you buy, it’s something you do, and it takes talented people to do it right."

You can find a detailed video demonstrating these steps on our official YouTube channel at Penetration Testing Lab Setup on Digital Ocean. Note that this blog is best understood when viewed along with the accompanying video.


Introduction

Digital Ocean provides free credits worth $200, which makes it an excellent option for creating penetration testing labs. Follow the instructions in the video to set up the pentest lab. Sign up and create your Digital Ocean account using the URL https://m.do.co/c/e6a1317eb1d0 to obtain the $200 of free credits.


Below is a basic flow of what must be done to create your pentest lab.


  • Create a user on your Digital Ocean droplet and configure SSH access for it.

  • Install essential services such as Docker.

  • Install and set up the vulnerable services you need, such as DVWA.

Setup

Sign-up


  • Log in to your newly created Digital Ocean account using the login page on Digital Ocean's website. It should look something like this:


Login Page

  • After logging in, create a new project in the UI (if one doesn't exist already). It should look something like this:


Project Page

  • Create a new "Droplet" under your newly created project. In the submenu, choose the Ubuntu version you want and configure the remaining options to suit your machine's requirements.

  • Please refer to the linked video at the top of this blog to view our recommended configuration, or click here. Once ready, make sure to enable the SSH configuration on your machine (it is recommended to use "SSH Keys" rather than "Passwords").

  • If you are not sure how to create and use "SSH Keys," please refer to this link.


Log in to your droplet over SSH as the root (sudo) user. Please refer to this video if you face any issues logging in.

  • Create a new user and grant it sudo privileges:

adduser user
usermod -aG sudo user

  • Switch to "user" using:

su user

  • Install Docker on the machine using:

sudo apt-get update
sudo apt-get install docker.io
sudo systemctl enable docker 
sudo systemctl start docker
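The root-side steps above (new user, sudo, Docker) collected into one POSIX shell script. This is an added example, not the post's own code. It goes one step further than the post by copying root's authorized_keys to the new user with the 700/600 permissions sshd requires, which is what lets key-based login work for "user" later on. The DRY_RUN convention, the default user name "user", and the script file name bootstrap-droplet.sh are assumptions of this example.

```shell
#!/bin/sh
# bootstrap-droplet.sh (added example, not the original post's code)
# Run as root on the fresh droplet:  sh bootstrap-droplet.sh [username]
# DRY_RUN=1 prints each command instead of executing it (assumed convention).

set -eu

# run CMD...: execute, or print when dry-running, so a reviewer can inspect
# the exact command sequence before touching a real machine.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_user NAME: idempotent; skips adduser when the account already exists.
create_user() {
    name="$1"
    if [ "${DRY_RUN:-0}" != "1" ] && id "$name" >/dev/null 2>&1; then
        echo "user $name already exists, skipping adduser" >&2
    else
        # --disabled-password: no password login, SSH keys only
        run adduser --disabled-password --gecos "$name" "$name"
    fi
    run usermod -aG sudo "$name"
}

# install_ssh_keys NAME: reuse the public keys already authorized for root.
# install(1) creates the directory/file with owner and mode set atomically;
# sshd refuses keys in a world-readable ~/.ssh, hence 700 and 600.
install_ssh_keys() {
    name="$1"
    home="/home/$name"
    run install -d -m 700 -o "$name" -g "$name" "$home/.ssh"
    run install -m 600 -o "$name" -g "$name" /root/.ssh/authorized_keys "$home/.ssh/authorized_keys"
}

# install_docker: same packages the post uses; --now enables and starts in one go.
install_docker() {
    run apt-get update
    run apt-get install -y docker.io
    run systemctl enable --now docker
}

# bootstrap NAME: the whole root-side procedure in order.
bootstrap() {
    create_user "$1"
    install_ssh_keys "$1"
    install_docker
}

# Only run when executed under the script's own name, so the functions can
# also be sourced or tested without side effects.
case "$0" in
    *bootstrap-droplet.sh) bootstrap "${1:-user}" ;;
esac
```

Run `DRY_RUN=1 sh bootstrap-droplet.sh user` first to see the seven commands it would issue, then run it for real as root. After it finishes, test `ssh -i <sshprivatekey> user@<yourdropletip>` from your own machine before closing the root session.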


Installing vulnerable images

# DVWA: container port 80 published on droplet port 8080
sudo docker pull vulnerables/web-dvwa
sudo docker run --name web-dvwa -d -p 8080:80 --restart always vulnerables/web-dvwa

# OWASP Juice Shop: container port 3000 published on droplet port 8081
sudo docker pull bkimminich/juice-shop
sudo docker run --name juice-shop -d -p 8081:3000 --restart always bkimminich/juice-shop

Installing other services

  • Install MailHog (a test SMTP server with a web UI). The container is started without -d, so run it inside a screen session:

screen
# SMTP on droplet port 2525 (container port 1025), web UI on port 8025
sudo docker run --name=mailhog -p 2525:1025 -p 8025:8025 --restart always mailhog/mailhog

Press "ctrl+a" and then "d" to detach from the screen session; the container keeps running.

  • (Optional) Install SNMP - https://github.com/tandrup/docker-snmpsim

screen
# replace /somewhere/with/snmpwalks with the directory holding your SNMP simulation data
sudo docker run -v /somewhere/with/snmpwalks:/usr/local/snmpsim/data -p 161:161/udp --restart always tandrup/snmpsim

Press "ctrl+a" and then "d" to detach from the screen session.


  • (Optional) Install FTP - https://github.com/garethflowers/docker-ftp-server


sudo docker run --detach --env FTP_PASS=123 --env FTP_USER=user --name my-ftp-server --publish 20-21:20-21/tcp --publish 40000-40009:40000-40009/tcp --restart always --volume /data:/home/user garethflowers/ftp-server


Connecting to services


Now you can connect to the services you created and execute penetration tests.


Create an SSH key pair for the "user" account created above and configure SSH key login for that account. If you are unsure how to create and use "SSH Keys," please refer to this link.


On your Kali terminal, run the SSH port-forwarding commands below. Replace <sshprivatekey> with the path to your private key and <yourdropletip> with your droplet's public IP. Note that local ports below 1024 (80, 81, 25 and 21 here) can only be bound by root, so either run these commands with sudo or choose higher local ports.

ssh -L 80:127.0.0.1:8080 -i <sshprivatekey> user@<yourdropletip> -fN
ssh -L 81:127.0.0.1:8081 -i <sshprivatekey> user@<yourdropletip> -fN
ssh -L 25:127.0.0.1:2525 -i <sshprivatekey> user@<yourdropletip> -fN
ssh -L 21:127.0.0.1:21 -i <sshprivatekey> user@<yourdropletip> -fN

The services are now reachable on your localhost 127.0.0.1 for testing.

Example: DVWA can be accessed by using the URL http://127.0.0.1:80
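The container commands and the tunnel commands above describe the two halves of one setup, so here they are driven from a single service table. This is an added example and not the post's own code. It differs from the post in two deliberate ways: each `-p` mapping is prefixed with `127.0.0.1:`, so the deliberately vulnerable containers listen only on the droplet's loopback interface instead of its public IP (the post's plain `-p 8080:80` binds 0.0.0.0), and the local tunnel port is the same as the droplet port, so no port below 1024 is needed on Kali and the forwards run without sudo. The account name "user" is the post's; the `LAB_KEY` and `LAB_HOST` environment variables, the `sudo docker` prefix in the generated commands, and the table itself are this example's assumptions. FTP is left out of the table because passive-mode FTP also needs the 40000-40009 range forwarded, which a single `-L` forward does not cover.

```shell
#!/bin/sh
# lab-services.sh (added example, not the original post's code)
#   sh lab-services.sh droplet | sh     -> start the containers on the droplet
#   sh lab-services.sh kali             -> print the one ssh command for Kali
# LAB_KEY / LAB_HOST (assumed names) hold the private key path and droplet IP.

set -eu

# Constructed service table: name, image, then droplet:container port pairs.
# Droplet ports match the post (8080, 8081, 2525, 8025); all are >= 1024.
SERVICES='
web-dvwa   vulnerables/web-dvwa  8080:80
juice-shop bkimminich/juice-shop 8081:3000
mailhog    mailhog/mailhog       2525:1025 8025:8025
'

# each_service CALLBACK: call CALLBACK NAME IMAGE PORTMAP... for every row.
each_service() {
    cb="$1"
    printf '%s\n' "$SERVICES" | while read -r name image ports; do
        [ -n "$name" ] || continue
        # shellcheck disable=SC2086  # split the port list on purpose
        "$cb" "$name" "$image" $ports
    done
}

# docker_run_cmd NAME IMAGE DROPLET:CONTAINER...: print the run command.
# The 127.0.0.1: host prefix keeps the port off the public interface, so the
# only way in is the SSH tunnel.
docker_run_cmd() {
    name="$1"; image="$2"; shift 2
    cmd="sudo docker run --name $name -d --restart always"
    for map in "$@"; do
        cmd="$cmd -p 127.0.0.1:$map"
    done
    printf '%s %s\n' "$cmd" "$image"
}

# print_ports NAME IMAGE DROPLET:CONTAINER...: droplet-side port of each map.
print_ports() {
    shift 2
    for map in "$@"; do
        printf '%s\n' "${map%%:*}"
    done
}

# ssh_tunnel_cmd: one ssh process carrying a -L forward for every service,
# local port == droplet port, so nothing privileged is bound on Kali.
ssh_tunnel_cmd() {
    cmd="ssh -fN -i ${LAB_KEY:-<sshprivatekey>}"
    for port in $(each_service print_ports); do
        cmd="$cmd -L $port:127.0.0.1:$port"
    done
    printf '%s user@%s\n' "$cmd" "${LAB_HOST:-<yourdropletip>}"
}

case "${1:-}" in
    droplet) each_service docker_run_cmd ;;
    kali)    ssh_tunnel_cmd ;;
esac
```

With the tunnel up, DVWA is at http://127.0.0.1:8080, Juice Shop at http://127.0.0.1:8081 and the MailHog UI at http://127.0.0.1:8025. You can confirm the loopback binding on the droplet with `sudo docker port web-dvwa`, which should report 127.0.0.1:8080 rather than 0.0.0.0:8080.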

Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.
