HOWTO: Build a Pentest Network in ESXI (Part 1)

If you have ever been interested in learning about penetration testing, or more generally in network and information-system security, you will most likely have seen the Kali Linux distribution online (or even whilst watching Mr. Robot). Whilst Elliot in Mr. Robot was using Kali Linux on live systems, I am going to walk through how to build an isolated penetration-testing environment which segregates your logical operating systems, while still allowing operation on live devices (e.g. target hardware under test).

Metasploit Framework

Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. It provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing, and thanks to the open source community and Rapid7’s own hard-working content team, new modules are added on a regular basis, which means that the latest exploit is available to you as soon as it’s published.

Nmap - Network mapping and security auditing

Nmap (Network Mapper) is a free and open source application used for network mapping and security auditing. Nmap sweeps network ranges and port ranges to determine which services are open or responding on the ports of the hosts it reaches.

The Kali toolset comes preloaded with Wireshark, one of the world's most popular and most recognisable packet-sniffing applications, which allows a penetration tester to evaluate a network at a microscopic level. Many businesses the world over recognise the importance of Wireshark and often deem its use and expertise in it paramount when determining appropriate hires for network security positions.

Searching Metasploit for port exploits

The Metasploit Framework Console boasts over 1,700 exploits written into its database, but searching through those exploits to find the right one for your target can be daunting... unless you know how to drive the search parameters.

Post-Exploitation of Windows XP Host

In the two previous articles, we created a Meterpreter listener and generated a Windows payload which established a reverse_shell back to our listener. Now we are going to use that reverse_shell connection to establish a toehold in the compromised system.

Configuring a Meterpreter Listener

Meterpreter is a dynamically configurable payload which enables encrypted communications between target systems and the payload listener. Compromised hosts on which Meterpreter has been executed may make a reverse_tcp connection to a command and control node, from which a malicious actor can communicate with the infected host to load further payloads, or exploit the targeted system further.

Creating a Windows Meterpreter Reverse Connection

Now that we have a Meterpreter listener on our Kali box, we need to generate the payload that will connect back to the Windows reverse TCP listener. This will take the form of an executable which is run on the target system and which in turn connects to our listener, allowing further functions to be performed from within the infected host.

How WannaCrypt propagates across a network

WannaCrypt, which has been in the media recently (May 2017), has been determined to be very fast-spreading malware featuring a Cryptolocker payload. The spread of the current variant has been stemmed through the seemingly innocent actions of a security researcher. The researcher in question registered a domain name which the payload was attempting to contact; once the payload detected that server it would cease, and the malware was effectively kill-switched.

Installing ESXI for Virtualisation of Penetration Testing

I am going to walk you through the installation of the VMware ESXI Hypervisor, which is available for free from the VMware online site, or at least version 6.5.0, which is the version I am demonstrating in this presentation.