Cross-Site Request Forgery
This course talks about Cross-Site Request Forgery (CSRF) and covers how to install a vulnerable machine called Metasploitable and how to start using it.
Hi. Within this section, we're going to cover CSRF and cookies. But in order to do that, we're going to install another vulnerable machine so we can work with a variety of tools and learn new stuff. So, we're going to work with something called Metasploitable. This is one of the most popular tools for learning about ethical hacking, web penetration testing, system hacking, and so on. It doesn't only contain a website; it also contains a vulnerable machine, a vulnerable Linux server, and much more. But of course, we're going to focus on the web penetration testing side of things, and we also have two websites embedded in Metasploitable, so it will be good for us to see different examples as well.
So, all you have to do is type "Metasploitable 2 download" into Google. Of course, I'm going to share the link with you as well, but I just wanted to let you know how I found it. As you can see, there is a SourceForge.net download link, as we have seen with bee-box, and a rapid7.com download link. SourceForge.net is again the choice for us here, because the Metasploitable 2 page on Rapid7, I believe, also leads us to SourceForge.net. Here we go, it also leads us to SourceForge.net. Rapid7 is the company that produced Metasploitable 2, so I just wanted to show you this official website as well, but they also let us download it from SourceForge.net. So, I'm going to share this link with you, and all you have to do is come over here and download the ZIP file. That's the one; it's around one gigabyte, like 67 or 865 MB I believe, to be exact. Just download it and make sure yours is Metasploitable 2 as well. If you find something like this, make sure it's Metasploitable 2, not other versions like 1 or 3, because we're going to be focusing on the web penetration testing side of things and Metasploitable 2 is the most suitable choice for us right now.
So, I'm going to download this. Of course, I'm not actually going to download it now, because I have already downloaded it so as not to make you wait. Pause the video, download it, and come back when it's done. Then I'm going to show you how to install it. It's basically the same thing as with bee-box: find the ZIP and open it with any ZIP program you have on your computer, like WinRAR or WinZip. Delete the ZIP afterwards; we don't need it. You will be presented with a folder like this, and if you open it, you will see the same kind of VMDK file that we saw with bee-box. We cannot just double-click on it like we did with Kali Linux and try to install it that way. Instead, we're going to install it the way we have done before: we're going to find the New button. I'm going to cancel this because, again, if you click here, the New button won't be over there, but I believe you can find it at this point. So, click on the New button. I'm going to call this Metasploitable 2, or anything you want; you can call it Metasploitable, Metasploitable 2, vulnerable machine, we're just giving it a name and a type. Let me call this Metasploitable 2, the type will be Linux, and for the version let me find Ubuntu, 64-bit for me. If you're using a 32-bit computer, you can go for 32 bits. This is exactly the same thing that we did with bee-box. Memory Size really doesn't matter here; one gigabyte at most will be more than enough, so I'm just going to leave it at one gigabyte. I have 32 GB on this computer, but I'm using one gigabyte because it doesn't even have a UI like we saw in bee-box. In the Hard disk section, we're going to choose an existing virtual hard disk file, like we have done before.
So, make sure you choose this option, and over there I'm going to click on the Folder icon. And yeah, here we go: we do not see it over there because we need to add it manually. What we're going to add is the VMDK file itself. So, make sure you find the Metasploitable 2 folder. I believe that's not it, so let me go back and find Metasploitable 2, like this, here you go.
So, find your folder and choose the VMDK file from there. After you open it, it will be presented to you like that; choose it and continue building the machine. You can click 'Create', but we're not done yet. Again, we need to change the settings. Make sure Metasploitable 2 is selected and click on 'Settings'. In here, we don't have to change anything related to System because we already have the RAM allocation. We don't need to increase the Processor count either; one or two at most is fine. You don't need to give it much allocation in this case. Display really doesn't matter; I'm just leaving it as it is. Storage and Audio are all done. Network is important: make sure you set it to NAT Network, and in the Advanced section choose 'Allow All' for Promiscuous Mode. That way it will be on the same network as Kali Linux, and we will be able to reach it over our NAT Network, like we did with bee-box. So, I'm going to come over here to Kali Linux and check that NAT Network is chosen there as well. They are all okay. Now, before we run Kali Linux, I want to run Metasploitable 2 to show you what it looks like. It doesn't have a user interface, as I said before; it runs on a terminal like this. We don't even have to use the Metasploitable console much in this case. We will only log into Metasploitable once in order to correct a bug in here, and then we will be ready to use it any time we want. So, this is the Metasploitable 2 machine. The login and password are given here: msfadmin and msfadmin. Again, we don't need to log in later on, but for once we're going to do this in this lecture and in the next lecture as well. So, type msfadmin and hit 'Enter', and for the password type the same thing, but it won't show up on your screen; it is hidden for security reasons. Just type it and hit 'Enter'.
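The same setup can be scripted instead of clicked through. The following is an added example, not part of the course or of Metasploitable itself, that reproduces the lecture's VirtualBox settings (Linux/Ubuntu 64-bit, 1 GB RAM, one CPU, the existing VMDK attached, NAT Network with Promiscuous Mode set to Allow All) using VBoxManage. It assumes VBoxManage is on your PATH, that your NAT network is called "NatNetwork" (a placeholder; `VBoxManage natnetwork list` shows the real name), and that the VMDK path is passed as the first argument. With `DRY_RUN=1`, or when VBoxManage is not installed, it only prints the commands so you can review them first.

```shell
#!/bin/sh
# Added example (not from the course): register the downloaded Metasploitable 2
# VMDK in VirtualBox from the command line, mirroring the GUI steps in the lecture.
# Assumptions: VBoxManage is on PATH, the NAT network is named "NatNetwork"
# (placeholder), and the VMDK path is passed as the first argument.

VM_NAME="${VM_NAME:-Metasploitable 2}"
NAT_NET="${NAT_NET:-NatNetwork}"

# Print the VBoxManage commands that reproduce the lecture's settings:
# Ubuntu 64-bit type, 1 GB RAM, 1 CPU, existing VMDK on an IDE controller,
# adapter 1 on the NAT Network with promiscuous mode "Allow All".
build_commands() {
    vmdk="$1"
    cat <<EOF
VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu_64 --register
VBoxManage modifyvm "$VM_NAME" --memory 1024 --cpus 1
VBoxManage modifyvm "$VM_NAME" --nic1 natnetwork --nat-network1 "$NAT_NET" --nicpromisc1 allow-all
VBoxManage storagectl "$VM_NAME" --name IDE --add ide
VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 --type hdd --medium "$vmdk"
EOF
}

# Run the commands, stopping at the first failure; only print them when
# DRY_RUN=1 or when VBoxManage is not installed on this host.
setup_vm() {
    vmdk="$1"
    if [ -z "$vmdk" ]; then
        echo "usage: setup_vm <path/to/Metasploitable.vmdk>" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v VBoxManage >/dev/null 2>&1; then
        build_commands "$vmdk"
        return 0
    fi
    script="$(mktemp)" || return 1
    build_commands "$vmdk" > "$script"
    # sh -e aborts on the first failing VBoxManage call
    sh -e "$script"
    status=$?
    rm -f "$script"
    return $status
}

# Example invocation (path is an assumption; adjust to where you unzipped the download):
# setup_vm "$HOME/VMs/Metasploitable2-Linux/Metasploitable.vmdk"
```

After it runs, the machine appears in the VirtualBox Manager exactly as if you had created it through the New dialog and Settings, and you can start it and log in with msfadmin / msfadmin as described above.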
Once you do that, you will be logged in. This is the Metasploitable machine, a server running right now on your NAT Network. You can reach it by typing the IP address of the Metasploitable machine. I believe at this point you don't know the IP address; we're going to see how to find it in the next lecture. Of course, you just have to type ifconfig, you know that by now. We're going to do that in the next lecture along with the other configuration as well.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.