Chapter 3: Exercises — Setting Up Your Hacking Lab

These exercises are highly practical. Most require you to work directly in your lab environment. Complete your lab setup before attempting the intermediate and advanced exercises.


Beginner Exercises

Exercise 3.1: Hardware Verification

Document your lab hardware specifications:

a) CPU model and number of cores
b) Total RAM
c) Available disk space
d) Whether hardware virtualization (VT-x/AMD-V) is enabled
e) Host operating system and version
f) Hypervisor installed and version

Verify that your system meets or exceeds the recommended specifications from Section 3.2.4. If any component falls below the minimum, describe the impact on your lab capabilities and potential workarounds.

Exercise 3.2: Network Mode Comparison

Explain the difference between the following VirtualBox network modes in your own words, using an analogy that a non-technical person could understand:

a) NAT
b) NAT Network
c) Host-Only
d) Internal Network
e) Bridged Adapter

For each mode, give one appropriate use case in a hacking lab and one situation where that mode would be inappropriate or dangerous.

Exercise 3.3: Kali Linux Familiarization

Complete the following tasks on your Kali Linux VM and document the commands used:

a) Check your IP address on each network interface
b) Check your current user and privileges
c) Update the package manager and upgrade all packages
d) List all tools in the /usr/share/metasploit-framework directory
e) Locate the rockyou.txt wordlist and report its size
f) Use which to verify that Nmap, Metasploit (msfconsole), Burp Suite, and Hydra are installed
g) Check the version of Python 3 installed
h) Create the directory structure: ~/labs/chapter-03/{recon,scans,notes}

Exercise 3.4: Snapshot Management

Practice snapshot management on your Kali VM:

a) Create a snapshot called "Exercise-3.4-Start"
b) Create a file called /tmp/test-snapshot.txt with some content
c) Verify the file exists
d) Restore to the "Exercise-3.4-Start" snapshot
e) Verify the file no longer exists
f) Document the time it took to create and restore the snapshot

Exercise 3.5: Basic Connectivity Testing

With your lab network configured (Kali + Metasploitable 2 on Host-Only network):

a) From Kali, ping your Metasploitable 2 VM. Record the IP address and response time.
b) From Metasploitable 2, try to ping 8.8.8.8 (Google DNS). Verify this FAILS (confirming network isolation).
c) From Kali, try to ping 8.8.8.8 via the NAT adapter. Verify this SUCCEEDS.
d) Document the network interfaces on both VMs using ip addr show or ifconfig.
e) Draw a network diagram of your lab showing IP addresses, network types, and connectivity.


Intermediate Exercises

Exercise 3.6: Comprehensive Nmap Scanning

Run the following Nmap scans against your Metasploitable 2 VM and compare results. For each scan, document the command, the output, and the scan duration:

a) Default scan: nmap <target-ip>
b) Service version detection: nmap -sV <target-ip>
c) OS detection: nmap -O <target-ip>
d) Aggressive scan: nmap -A <target-ip>
e) Full port scan: nmap -p- <target-ip>
f) UDP scan (top 100 ports): nmap -sU --top-ports 100 <target-ip>
g) Script scan: nmap -sC <target-ip>

Answer these questions:

- How many open TCP ports did the default scan find vs. the full port scan?
- What additional information did service version detection (-sV) reveal?
- What operating system did Nmap identify, and how confident was it?
- Which scan took the longest, and why?
- Which services look most interesting from a security perspective, and why?
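Counting open ports by hand across seven scans is error-prone, and the first question above is easier to answer from Nmap's machine-readable output. The following script is an added example for this exercise (it is not a script from the chapter's code directory): it assumes you saved two scans with -oX, for instance nmap -oX default.xml <target-ip> and nmap -p- -oX full.xml <target-ip>, and it reports which open TCP ports appear in both, only in the full scan, or only in the baseline. The two XML documents embedded in it are constructed samples in Nmap's XML format, not results from a real scan.

```python
"""Compare open TCP ports across two Nmap scans from their XML output (-oX).

Added example for Exercise 3.6, not a script from the chapter's code directory.
It assumes the scans were saved with, e.g., `nmap -oX default.xml <target-ip>`
and `nmap -p- -oX full.xml <target-ip>`. The two XML documents embedded below
are constructed samples in Nmap's XML format, not results from a real scan.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a default (top-1000 port) scan of one lab host.
DEFAULT_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX default.xml 192.168.56.101">
  <host>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample: the same host scanned with -p-; one high port appears.
FULL_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -oX full.xml 192.168.56.101">
  <host>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8009"><state state="open"/><service name="ajp13"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text: str, protocol: str = "tcp") -> dict:
    """Return {host_ip: {port_number: service_name}} for ports in state 'open'.

    Filtered/closed ports are skipped, so counts match what Nmap reports as open.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != protocol or state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            open_ports[int(port.get("portid"))] = name
        results[addr_el.get("addr")] = open_ports
    return results


def compare_scans(baseline_xml: str, full_xml: str) -> dict:
    """Per host: ports open in both scans, only in the full scan (missed by the
    baseline's default port list), or only in the baseline (e.g. a service that
    stopped between scans)."""
    base = parse_open_ports(baseline_xml)
    full = parse_open_ports(full_xml)
    report = {}
    for addr in sorted(set(base) | set(full)):
        b, f = set(base.get(addr, {})), set(full.get(addr, {}))
        report[addr] = {
            "common": sorted(b & f),
            "only_in_full": sorted(f - b),
            "only_in_baseline": sorted(b - f),
        }
    return report


def format_report(report: dict) -> str:
    """Human-readable summary, one host per block."""
    lines = []
    for addr, diff in report.items():
        lines.append(f"{addr}: {len(diff['common']) + len(diff['only_in_baseline'])} open in baseline, "
                     f"{len(diff['common']) + len(diff['only_in_full'])} open in full scan")
        for label in ("common", "only_in_full", "only_in_baseline"):
            lines.append(f"  {label:17s} {diff[label]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python compare_scans.py default.xml full.xml  (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            print(format_report(compare_scans(a.read(), b.read())))
    else:
        print(format_report(compare_scans(DEFAULT_SCAN_XML, FULL_SCAN_XML)))
```

Ports that show up only in the full scan are exactly the ones the default scan's port list would have hidden from you; the filtered SMTP port in the sample is deliberately excluded from the count because Nmap did not confirm it open.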

Exercise 3.7: Service Enumeration Deep Dive

Pick three services discovered by your Nmap scan of Metasploitable 2 and perform detailed enumeration of each. For each service:

a) Identify the exact version of the software running
b) Search for known vulnerabilities in that version (use searchsploit on Kali: searchsploit <service name> <version>)
c) Document what information you can extract without authentication
d) Rate the potential severity (Critical/High/Medium/Low) of any findings

Suggested services to start with: FTP (port 21), SSH (port 22), HTTP (port 80), SMB (ports 139/445).

Exercise 3.8: DVWA Configuration and Testing

Set up DVWA (either on Metasploitable 2 or via Docker) and complete the following:

a) Access the DVWA web interface and log in
b) Set the security level to "Low"
c) Navigate to each vulnerability exercise and read the description
d) Complete the SQL Injection exercise on "Low" security (extract the database version)
e) Complete the Command Injection exercise on "Low" security (execute id and whoami)
f) Take a screenshot of each successful exploitation
g) Set the security level to "Medium" and note what changes in the SQL Injection exercise

Exercise 3.9: Docker-Based Target Deployment

Deploy three Docker-based vulnerable targets on your Kali VM:

a) Deploy OWASP Juice Shop: docker run -d -p 3000:3000 bkimminich/juice-shop
b) Deploy WebGoat: docker run -d -p 8080:8080 -p 9090:9090 webgoat/webgoat
c) Deploy a vulnerable WordPress instance

For each deployment:

- Verify the application is accessible via a web browser
- Take a screenshot of the landing page
- Run Nikto against each application and document the findings
- Document how to start, stop, and restart each container

Exercise 3.10: Network Scanner Script Analysis

Read the example-02-network-scanner-basic.py script from this chapter's code directory. Answer:

a) What Python library does the script use for sending and receiving packets?
b) What type of packet does the script send for host discovery?
c) How does the script determine if a host is "alive"?
d) What is the difference between the script's approach and Nmap's default host discovery?
e) Modify the script to also display the MAC address of discovered hosts (hint: look at the ARP response fields).

Exercise 3.11: Online Platform Exploration

Create accounts on at least two of the following platforms and complete one introductory exercise on each:

- HackTheBox (complete one "Starting Point" machine)
- TryHackMe (complete one room in the "Complete Beginner" path)
- PortSwigger Web Security Academy (complete one SQL Injection lab)
- OverTheWire (complete Bandit levels 0-5)

For each platform, write a brief review: What did you like? What was challenging? How does it compare to working in your local lab?


Advanced Exercises

Exercise 3.12: Custom Vulnerable VM Design

Design (on paper) a custom vulnerable virtual machine that simulates one aspect of the MedSecure environment. Your design should include:

a) The operating system and services to install
b) At least five intentional vulnerabilities to introduce, spanning different categories (misconfigurations, outdated software, weak credentials, etc.)
c) The difficulty level of each vulnerability (Easy/Medium/Hard)
d) A realistic scenario that connects the vulnerabilities (e.g., "This VM simulates MedSecure's legacy radiology server running CentOS 7")
e) The ATT&CK techniques a tester would use to exploit each vulnerability

Bonus: Actually build the VM based on your design.

Exercise 3.13: Network Isolation Verification Script

Write a Python script that verifies your lab's network isolation. The script should:

a) Check if target VMs can reach external DNS servers (8.8.8.8)
b) Check if target VMs can reach common websites (google.com)
c) Verify that target VMs can reach each other on the lab network
d) Verify that the Kali VM can reach all target VMs
e) Report PASS/FAIL for each check
f) Flag any unexpected network connectivity as a security concern

Test your script and document the results.
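One way to structure this script is to encode the expected connectivity matrix explicitly (which destinations must answer, which must not) and let the verdict fall out of comparing expectation against observation. The script below is an added example for this exercise, not a script from the chapter's code directory. It assumes a VirtualBox Host-Only network on 192.168.56.0/24 with Kali at 192.168.56.10 and targets at .101 and .102; replace those with the addresses ip addr show reports in your lab. It is meant to be run on each VM with --role target or --role kali, because only the VM itself can prove it cannot reach the Internet.

```python
"""Lab network isolation verifier (Exercise 3.13).

Added example, not a script from the chapter's code directory. Run it on each
VM with --role target or --role kali. The addresses below (a VirtualBox
Host-Only 192.168.56.0/24 network) are assumptions; replace them with the ones
`ip addr show` reports in your lab. Uses the Linux ping command.
"""
import argparse
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed lab layout; adjust to your VMs.
KALI_IP = "192.168.56.10"
TARGET_IPS = ["192.168.56.101", "192.168.56.102"]
EXTERNAL_HOSTS = ["8.8.8.8", "google.com"]  # must stay unreachable from targets


@dataclass(frozen=True)
class Check:
    description: str
    destination: str
    expect_reachable: bool  # False: a reply would mean the target is not isolated


def ping(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via Linux ping; True only if a reply came back. A hostname
    that cannot be resolved (no DNS on an isolated VM) also counts as unreachable."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def checks_for(role: str, own_ip: Optional[str] = None) -> list:
    """Expected-connectivity matrix for the VM this script runs on."""
    checks = []
    if role == "target":
        for host in EXTERNAL_HOSTS:
            checks.append(Check(f"target must NOT reach external host {host}", host, False))
        for ip in TARGET_IPS:
            if ip != own_ip:  # don't ping ourselves
                checks.append(Check(f"target can reach lab peer {ip}", ip, True))
        checks.append(Check(f"target can reach Kali at {KALI_IP}", KALI_IP, True))
    elif role == "kali":
        for ip in TARGET_IPS:
            checks.append(Check(f"Kali can reach target {ip}", ip, True))
    else:
        raise ValueError("role must be 'target' or 'kali'")
    return checks


def run_checks(checks: list, probe: Callable[[str], bool] = ping) -> list:
    """Return (check, reachable, verdict) triples. Verdicts: PASS, FAIL (expected
    path is down), or BREACH (a host that must be isolated answered)."""
    results = []
    for check in checks:
        reachable = probe(check.destination)
        if reachable == check.expect_reachable:
            verdict = "PASS"
        elif reachable:
            verdict = "BREACH"  # unexpected connectivity is a security concern
        else:
            verdict = "FAIL"
        results.append((check, reachable, verdict))
    return results


def main() -> int:
    parser = argparse.ArgumentParser(description="Verify lab network isolation")
    parser.add_argument("--role", choices=["target", "kali"], required=True)
    parser.add_argument("--own-ip", help="this VM's lab address (skipped as a destination)")
    args = parser.parse_args()
    results = run_checks(checks_for(args.role, args.own_ip))
    for check, reachable, verdict in results:
        print(f"[{verdict:6s}] {check.description} (reachable={reachable})")
    breaches = [r for r in results if r[2] == "BREACH"]
    if breaches:
        print(f"SECURITY CONCERN: {len(breaches)} isolated host(s) are reachable; check adapter settings")
    return 0 if all(v == "PASS" for _, _, v in results) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Separating the probe from the verdict logic (run_checks takes any callable) lets you unit-test the PASS/FAIL/BREACH decisions without a running lab, and a non-zero exit code makes the script usable from a cron job or a pre-exercise checklist.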

Exercise 3.14: Automated Lab Deployment

Write a Bash or Python script that automates the deployment of a new target VM in your lab. The script should:

a) Accept parameters for VM name, OS type, RAM, and disk size
b) Create the VM using VBoxManage command-line tools
c) Configure the network adapter for the Host-Only network
d) Create an initial snapshot
e) Report the VM's configuration

Document the VBoxManage commands used and explain what each does.
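A Python version of this script, added here as an example and not taken from the chapter's code directory, is shown below. It assembles the VBoxManage command sequence as argument lists (no shell involved), prints each command, and executes it unless --dry-run is given, so you can read the exact commands before anything is created. It assumes VBoxManage is on your PATH, that the Host-Only interface is named vboxnet0 (check with VBoxManage list hostonlyifs), that the new disk is a VDI under ~/VirtualBox VMs/<name>/ (VirtualBox's default machine folder on Linux), and that the --ostype value is one listed by VBoxManage list ostypes.

```python
"""Automated target VM deployment with VBoxManage (Exercise 3.14).

Added example, not a script from the chapter. It assembles the VBoxManage
command sequence for a new VM, prints it, and runs it unless --dry-run is given.
Assumptions: VBoxManage is on PATH; the Host-Only interface is named vboxnet0
(check with `VBoxManage list hostonlyifs`); the disk is a new VDI placed under
~/VirtualBox VMs/<name>/ (VirtualBox's default machine folder on Linux); valid
--ostype values come from `VBoxManage list ostypes`.
"""
import argparse
import os
import re
import subprocess

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_commands(name: str, ostype: str, ram_mb: int, disk_mb: int,
                   hostonly_if: str = "vboxnet0", disk_path: str = "") -> list:
    """Return the ordered VBoxManage invocations (as argv lists) that create,
    configure, snapshot and describe the VM. Nothing is executed here."""
    if not SAFE_NAME.match(name):
        raise ValueError("VM name: letters, digits, '.', '_' and '-' only")
    if ram_mb < 512 or disk_mb < 1024:
        raise ValueError("RAM must be >= 512 MB and disk >= 1024 MB")
    if not disk_path:
        disk_path = os.path.join(os.path.expanduser("~"), "VirtualBox VMs", name, f"{name}.vdi")
    return [
        # 1. create and register the machine
        ["VBoxManage", "createvm", "--name", name, "--ostype", ostype, "--register"],
        # 2. RAM, one CPU, first NIC on the Host-Only network (no route to the Internet)
        ["VBoxManage", "modifyvm", name, "--memory", str(ram_mb), "--cpus", "1",
         "--nic1", "hostonly", "--hostonlyadapter1", hostonly_if],
        # 3. dynamically allocated VDI disk of the requested size (MB)
        ["VBoxManage", "createmedium", "disk", "--filename", disk_path, "--size", str(disk_mb)],
        # 4. SATA controller, then attach the disk to it
        ["VBoxManage", "storagectl", name, "--name", "SATA", "--add", "sata", "--controller", "IntelAhci"],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA", "--port", "0", "--device", "0",
         "--type", "hdd", "--medium", disk_path],
        # 5. initial snapshot of the powered-off machine
        ["VBoxManage", "snapshot", name, "take", "initial", "--description", "fresh VM before OS install"],
        # 6. report configuration in key=value form (parsed below)
        ["VBoxManage", "showvminfo", name, "--machinereadable"],
    ]


def parse_machinereadable(text: str) -> dict:
    """Parse `showvminfo --machinereadable` output (key="value" or key=value lines)."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def deploy(commands: list, dry_run: bool) -> dict:
    """Run each command in order; return the parsed showvminfo of the new VM
    (empty when dry_run)."""
    last_output = ""
    for cmd in commands:
        print("$", " ".join(cmd))
        if not dry_run:
            last_output = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_machinereadable(last_output)


if __name__ == "__main__":
    p = argparse.ArgumentParser(description="Create a lab target VM on the Host-Only network")
    p.add_argument("--name", required=True)
    p.add_argument("--ostype", default="Ubuntu_64")
    p.add_argument("--ram", type=int, default=2048, help="MB")
    p.add_argument("--disk", type=int, default=20480, help="MB")
    p.add_argument("--hostonly-if", default="vboxnet0")
    p.add_argument("--dry-run", action="store_true")
    a = p.parse_args()
    info = deploy(build_commands(a.name, a.ostype, a.ram, a.disk, a.hostonly_if), a.dry_run)
    for key in ("name", "ostype", "memory", "cpus", "nic1", "hostonlyadapter1"):
        if key in info:
            print(f"{key}: {info[key]}")
```

The VM name is validated against a conservative character set before it is used to build a file path, and the commands are passed to subprocess as lists rather than a shell string, so a hostile or malformed parameter cannot turn into an extra command on your host.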

Exercise 3.15: Multi-VM Lab Scenario

Expand your lab to include at least four VMs:

1. Kali (attacker)
2. Metasploitable 2 (Linux target)
3. A VulnHub VM of your choice (target)
4. DVWA on Docker or its own VM (web target)

From Kali, perform a complete reconnaissance sweep of all targets:

a) Discover all live hosts
b) Perform service enumeration on each
c) Identify the top three most promising attack vectors across all targets
d) Document everything in a structured format (as if beginning a pentest)
e) Create a network diagram that includes all VMs with their IP addresses, open ports, and notable services

Exercise 3.16: Tool Comparison

Pick one of the following tool pairs and compare them in your lab:

a) Nmap vs. Masscan (network scanning)
b) Nikto vs. OWASP ZAP (web scanning)
c) Gobuster vs. Feroxbuster (directory brute-forcing)

For each tool in the pair:

- Scan the same target
- Compare scan speed
- Compare completeness of results
- Compare ease of use
- Compare output format and readability
- Write a recommendation on when to use each

Exercise 3.17: Lab Backup and Recovery

Develop and test a backup strategy for your lab:

a) Document the total disk space used by your lab VMs
b) Export one VM to an OVA file and record the time and file size
c) Delete the VM from VirtualBox
d) Import the OVA file and verify the VM works correctly
e) Compare export/import time with snapshot restore time
f) Write a backup procedure document that you could give to a classmate to replicate your lab

Exercise 3.18: Security of Your Lab Environment

Evaluate the security of your own lab setup:

a) Is your host machine patched and up to date?
b) Do you have antivirus/EDR on your host? Is it configured to exclude your VM directory (to prevent interference)?
c) Are your VM files on an encrypted volume?
d) What is your physical security situation? Could someone access your lab VMs without your knowledge?
e) If your laptop were stolen, what sensitive data in your VMs could be accessed?
f) Document at least three improvements you should make to your lab security

Exercise 3.19: Writing a Lab Setup Guide

Write a concise lab setup guide (1-2 pages) that a fellow student could follow to replicate your exact lab environment. The guide should include:

- Hardware requirements
- Software to download (with URLs)
- Step-by-step installation instructions
- Network configuration instructions
- Verification steps
- Common troubleshooting tips

Have a classmate or friend attempt to follow your guide and incorporate their feedback.

Exercise 3.20: Lab Expansion Planning

Create a lab expansion plan that maps lab additions to each part of this textbook:

Textbook Part                  | Lab Addition Needed | VMs/Containers | Estimated Disk Space | Estimated RAM
-------------------------------|---------------------|----------------|----------------------|--------------
Part 2: Network Fundamentals   |                     |                |                      |
Part 3: Web Application Hacking|                     |                |                      |
Part 4: System Attacks         |                     |                |                      |
Part 5: Wireless/Advanced      |                     |                |                      |
Part 6: Professional           |                     |                |                      |

Include a plan for managing disk space as your lab grows (which VMs to keep active, which to archive as OVA files, snapshot cleanup schedule).


Coding Exercises

Exercise 3.C1: Enhanced Network Scanner

Modify the example-02-network-scanner-basic.py script to add:

a) Port scanning capability (scan top 10 common ports for each discovered host)
b) Service banner grabbing for open ports
c) Output results to both console and a JSON file
d) A summary statistics section (total hosts found, total open ports, etc.)

Exercise 3.C2: Lab Health Monitor

Write a Python script that runs as a continuous health monitor for your lab:

a) Checks every 60 seconds that all expected VMs are reachable
b) Alerts (prints a warning) if a VM goes offline
c) Verifies network isolation is still intact
d) Logs all checks and their results to a file with timestamps
e) Provides a summary on exit (Ctrl+C)
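The core design decision in a monitor like this is to remember the last observed state of each VM, so that you alert on transitions (up to down, down to up) rather than on every failed probe. The script below is an added example, not a script from the chapter's code directory; its lab addresses are assumptions. Note that the isolation check (hosts that must stay unreachable) only proves something when the monitor runs on a VM that is itself supposed to be isolated, such as a target; when you run it from Kali or the host, leave MUST_BE_UNREACHABLE empty.

```python
"""Lab health monitor (Exercise 3.C2): checks VM reachability every N seconds,
alerts on state changes, logs every check with a timestamp, and prints a
summary when stopped with Ctrl+C.

Added example, not a script from the chapter. The addresses are assumptions.
The isolation check (hosts that must stay unreachable) is only meaningful when
the monitor runs on a VM that is supposed to be isolated, e.g. a target; when
run from Kali or the host, leave MUST_BE_UNREACHABLE empty.
"""
import logging
import subprocess
import time
from typing import Callable, Optional

EXPECTED_VMS = {  # assumed lab addresses; adjust to your own
    "kali": "192.168.56.10",
    "metasploitable2": "192.168.56.101",
}
MUST_BE_UNREACHABLE = ["8.8.8.8"]


def ping(host: str) -> bool:
    """One ICMP echo via Linux ping; True only if a reply came back."""
    cmd = ["ping", "-c", "1", "-W", "2", host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


class LabMonitor:
    def __init__(self, expected: dict, must_be_unreachable: list,
                 probe: Callable[[str], bool] = ping, log_path: Optional[str] = "lab-health.log"):
        self.expected = dict(expected)
        self.must_be_unreachable = list(must_be_unreachable)
        self.probe = probe
        self.state = {}       # vm name -> last observed reachability
        self.checks = 0
        self.alerts = []
        self.log = logging.getLogger(f"labmon.{id(self)}")
        self.log.setLevel(logging.INFO)
        self.log.propagate = False
        if log_path:
            handler = logging.FileHandler(log_path)
            handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
        else:
            handler = logging.NullHandler()  # e.g. in tests: no file written
        self.log.addHandler(handler)

    def check_once(self) -> list:
        """Probe every expected VM and isolation host once; return the alerts
        raised in this round (state transitions and isolation breaches)."""
        self.checks += 1
        alerts = []
        for name, ip in self.expected.items():
            up = self.probe(ip)
            prev = self.state.get(name)
            if prev is None and not up:
                alerts.append(f"{name} ({ip}) unreachable on first check")
            elif prev is True and not up:
                alerts.append(f"{name} ({ip}) went OFFLINE")
            elif prev is False and up:
                alerts.append(f"{name} ({ip}) is back ONLINE")
            self.state[name] = up
            self.log.info("vm=%s ip=%s reachable=%s", name, ip, up)
        for host in self.must_be_unreachable:
            reachable = self.probe(host)
            if reachable:
                alerts.append(f"ISOLATION BREACH: {host} is reachable")
            self.log.info("isolation host=%s reachable=%s", host, reachable)
        for alert in alerts:
            self.log.warning(alert)
            print("ALERT:", alert)
        self.alerts.extend(alerts)
        return alerts

    def summary(self) -> dict:
        return {"checks": self.checks, "alert_count": len(self.alerts),
                "alerts": list(self.alerts), "state": dict(self.state)}

    def run(self, interval_s: int = 60) -> dict:
        """Loop until Ctrl+C, then return the summary."""
        try:
            while True:
                self.check_once()
                time.sleep(interval_s)
        except KeyboardInterrupt:
            pass
        return self.summary()


if __name__ == "__main__":
    result = LabMonitor(EXPECTED_VMS, MUST_BE_UNREACHABLE).run(interval_s=60)
    print(f"\n{result['checks']} check rounds, {result['alert_count']} alerts")
    for vm, up in result["state"].items():
        print(f"  {vm}: {'UP' if up else 'DOWN'}")
```

The logging module supplies the timestamps and the file output for free; keeping the probe injectable means the transition logic can be exercised with a scripted sequence of up/down results before you trust it against real VMs.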

Exercise 3.C3: Automated Reconnaissance Report

Write a Python script that performs automated reconnaissance against a target IP and generates a formatted text report. The script should:

a) Perform a ping sweep to verify the host is up
b) Run a port scan (you can use Python's socket library or call Nmap via subprocess)
c) For each open port, attempt a banner grab
d) Look up known vulnerabilities for identified services (using searchsploit via subprocess)
e) Generate a formatted text report with all findings


Solutions to coding exercises are available in the code/exercise-solutions.py file. Solutions to selected non-coding exercises are available in the appendix.