vSphere

This is an extremely powerful continuation of the capabilities discussed with the VMware Hypervisor; the added capabilities and features make it well worth the investment to deploy sophisticated and complex virtual architectures. The tool provides so many additional options above and beyond the free variant. These options are as follows:

As you can see, there are many optimization options with the tool; however, unless you are building a complex and sophisticated testing lab, this tool goes beyond what we need as a solution. If you do find yourself running large global teams, then it is definitely an option that you should consider if it is within your budget.

VMware Player Plus

As of this writing, VMware Player Plus is a relatively new offering from the group at VMware. We have already discussed the VMware Player tool. What this version does is provide an additional functionality. The tool is intended to provide the capability to deliver a managed desktop by allowing you to ship Player Plus with a virtual machine that is configured with your desktop image. This alleviates any requirement for shipping hardware to your clients or any other groups.

An additional feature of VMware Player Plus is that it can be used to run restricted virtual machines that have been created by other commercial VMware products. This means you can password protect machines, and if the user does not have the password, then they cannot run the machine. An example of a password-protected machine is shown in the following screenshot:

At the time of writing this book, the tool does not provide a trial download, but you can read more information about it from http://www.vmware.com/products/player/.

XenServer

The group at Citrix has developed a powerful competitor to the solutions offered from VMware, and this is evident in their XenServer offering. They make the statement that they are the leading data center platform for cloud and desktop solutions; furthermore, according to their claims, four out of five of the largest hosting clouds are hosted by XenServer, and this is quite a claim indeed. Some examples of what the product can provide solutions for are as follows:

As with the vSphere commercial solution, this is not something we really require for building our labs, but it is a possibility for those who want to use something other than a VMware offering. You can find out more and also download it from http://www.citrix.com/products/xenserver/how-it-helps.html.

VMware Workstation

The team at VMware has been in the virtualization game for some time, and it shows when you use their Workstation product. The thing that separates VMware Workstation from the masses to me is the fact that you can integrate with most, if not all, devices you plug into your host machine relatively seamlessly. While it does cost to use VMware Workstation, the cost is relatively cheap, and it provides so much power to create extremely diverse and complex architectures. It is, by far, my favorite tool, and I will be using it in the next chapter and the consecutive ones as well. As I have mentioned, the Microsoft offering, having only been on the scene for a short period, is definitely improving, and it will make an interesting race as they continue to mature their product. This is a good thing for us! As consumers, we can only benefit from these vendors each trying to outdo each other.

As mentioned, it is highly recommended that you consider purchasing the software. You can download the latest version of VMware Workstation from http://www.vmware.com/products/workstation/workstation-evaluation. As with other versions of software, you have to register and obtain a key to be able to power on virtual machines.

Once you have downloaded it, you can install the software, and it is pretty straightforward. If you do have any questions, the VMware Workstation user guide is well written and is an excellent reference for you. You can also download it using the following link:

http://www.vmware.com/pdf/desktop/ws1001-using.pdf

There is a large community forum that is also an excellent reference for information about the tool. Support is another reason why VMware continues to lead in the major categories of virtualization. Once you have installed the program and opened it, you should see a display on your screen similar to that shown in the following screenshot:

As you can see in the preceding screenshot, there are a number of options for us to start with. As we have used ISO images earlier, we will continue that trend here and also add another task of creating a virtual machine. For simplicity, we will use the same ISO Samurai WTF image that we used earlier, but you are welcome to download an ISO image of your choice and create the machine from this. Once you have made your choice of the ISO image to be used, we are ready to begin the installation. To start using this virtual machine, we will execute the following steps:

Now, we are going to create a virtual machine for one of the machines that we will use in other chapters in the book. The machine we are going to use is already created and available as a virtual machine in the VMware VMDK file format. We will cover more on the different formats for virtual hard drives later in the chapter. We want to download the Broken Web Application Project virtual machine from Open Web Application Security Group (OWASP) available at www.owasp.org. The virtual machine has been sponsored by Mandiant and is an excellent tutorial to practice web application testing. You can download the VM from http://sourceforge.net/projects/owaspbwa/files/.

Once the VM is downloaded, extract the VM to a folder on your machine. Once the files have been extracted, we need to start VMware Workstation and start the access process. The following are the steps that need to be executed:

The information that we want here is the IP address that is assigned to the VM so that we can access it and check it out! Open the browser of your choice and enter the IP address that is shown and bring up the web interface to the Broken Web Application Project VM. An example of the web page that is presented to you is shown in the following screenshot:

As the screenshot shows, there are many tools located in this VM distribution, and it is something that any tester can benefit from. The tutorials and applications that are contained here allow a user to practice their skills and the challenges, which are set up at different skill levels. You are encouraged to spend a lot of time here and come back often. We will be using it throughout the book as and when the situation requires it. Again, since the sponsorship of Mandiant, the VM has added a number of additional challenges. Some of you reading this book might be familiar with the OWASP's excellent tutorial Web Goat. This project is just an extension of this tutorial, and it has also added the Irongeek tool Mutillidae. You can read more about Mutillidae at http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 or even watch some of the informative videos at www.irongeek.com.

We have one more topic to look at before we continue on with this chapter; it is the power of networking within VMware Workstation. This is one of the main reasons why I paid for and continue to pay for VMware Workstation. In your VMware Workstation, navigate to Edit | Virtual Network Editor. When the window opens, you will see the current switches that are configured in VMware. By default, VMware configures three virtual switches, and they are Vmnet0 for the bridged interface, Vmnet1 for the host only interface, and Vmnet8 for the NAT interface. We will not go into detail here as there are many sources from which we can learn more about the networks and what they mean, and one of the best is the VMware Workstation user guide we mentioned earlier in this chapter. The power of VMware Workstation is that we can have up to 10 virtual switches! What this means is that we can effectively architect 10 different network segments. The VMware network configuration allows us to set the IP address ranges that we want and also provides a DHCP server. For the most part, 10 is more than we need, and with Version 10x and higher, we can now have 20 and 255 network segments on Windows and Linux hosts, respectively. That is a lot of networks! It is this and other factors that make it our software of choice. We need the switching capability when we build layered and segmented architectures. An example of the network configuration on my machine is shown in the following screenshot:

In the preceding screenshot, you can observe that in my machine, most of the 10 possible networks are visible. I have built numerous complex architectures over a period of time and have added more than one custom network.

It is more than likely that you have the three default switches that are installed by the software. Feel free to add a switch if you want to see how the process is done. This is what allows us to build a true layered architecture that emulates something we could see in an engagement. In fact, it is rare to have a single segment or flat architecture you are testing, especially in any type of external testing. Therefore, it is imperative as we build and test advanced techniques that we have the ability to provide layers of protection so that we can either hack through or get around in some way to achieve a compromise.