AppSecLive.org

Note: I'm using Ubuntu for this tutorial, if you have questions specific to your OS, post it in the forums. Here:

http://appseclive.org/forum/6

Installing the OWASP Live CD into a virtual environment is useful for many reasons, but I tend to find that a few are the most useful.

 

1. Preserving settings. Lets face it, getting your web app sec testing environment up and set just the way you like it is a chore. Thats one of the reasons the OWASP Live CD is so useful, it has all the tools you need in a compact, portable package, but loosing your custom settings each time you reboot can be a hassle. Installing the Live CD into VirtualBox solves this problem!
2. Running in parallel. Unfortunately, everything else you use is in your main operating system. Things such as reporting tools, client programs, bookmarks, etc. Having to reboot out of the Live CD to access these resources is a pain. Running the Live CD in VirtualBox allows you to share resources such as files and the clipboard with your host operating system, whatever it may be.

Now this setup isn't all daises and dandelions. There are a few drawbacks... The main drawback that we see is performance. Most guests (the OS running inside the main OS) run slower and have less memory and less processing power at their disposal. As a general rule, I find that performing web application security reviews is not all that bad of a hardware resource hog. Your experience may be different, but we figured we'd mention this just in case. The other drawback is that this setup requires pretty hefty hardware. We recommend at least 3 GB of RAM and a 2 Ghz processor. You'll need around 5 GB of storage space above and beyond what it takes to install VirtualBox and everything else your host (the main OS) needs. There can also occasionally be complications with network card drivers, but we won't get into that here, its usually an issue with the Operating System or VirtualBox.

Ok, lets get started.

First things first, we need to download the .VDI file, and thankfully, its compressed to around 458.8 MB (481052985 bytes) as of this posting. Get it here:

http://mtesauro.com/files/owasp-livecd-AustinTerrier-Feb2009.vdi.rar

While your there, grab this file too:

http://mtesauro.com/livecd-md5sum.txt

You'll need to verify your download after its finished.

While you wait, lets get VirtualBox installed.

Typically, in an Ubuntu environment, I'd say to just “apt-get” it. In this case, there are some issues that I've found with the repository version of the VirtualBox that you won't want to deal with. I'd suggest downloading it yourself and compiling it.

Everything you need to do this, including download and install on other Operating Systems such as Windows, can be found here:

http://www.virtualbox.org/

Assuming you are able to download the compressed .VDI file, and VirtualBox is installed, we are ready to move forward.

Lets make sure that your download isn't corrupt before wasting our time:

brad@brad-laptop:~$ cd Desktop

brad@brad-laptop:~/Desktop$ md5sum owasp-livecd-AustinTerrier-Feb2009.vdi.rar

99e2de8103107d4e6888d40c5c0e20b8 owasp-livecd-AustinTerrier-Feb2009.vdi.rar

 

brad@brad-laptop:~/Desktop$ cat livecd-md5sum.txt | grep .vdi.rar

99e2de8103107d4e6888d40c5c0e20b8 owasp-livecd-AustinTerrier-Feb2009.vdi.rar

 

Make sure your hashes match. If they do, great, move on. If not, try downloading the file again, maybe with wget, or a different browser.

Next, we need to extract the .VDI file so we can use it as a virtual hard drive.

You can either use unrar or the built-in “archive manager”. (unrar does not come installed by default on Ubuntu)

brad@brad-laptop:~/Desktop$ sudo apt-get install unrar

 

brad@brad-laptop:~/Desktop$ unrar e owasp-livecd-AustinTerrier-Feb2009.vdi.rar

 

UNRAR 3.71 beta 1 freeware Copyright (c) 1993-2007 Alexander Roshal

Extracting from owasp-livecd-AustinTerrier-Feb2009.vdi.rar

Extracting owasp-livecd-AustinTerrier-Feb2009.vdi OK

All OK

 

Now that is extracted, we are ready to move into VirtualBox.

You can launch it from the Menu by clicking Applications-->System Tools-->Sun xVM VirtualBox

or you can launch it from the command line.

brad@brad-laptop:~/Desktop$ VirtualBox

 

Note: This command is case sensitive. Typing “virtualbox” will trigger the apt repository error that says it isn't installed.

 

VirtualBox guest systems are created in two parts, a configuration file and a virtual hard drive. The hard drive is already created for you so all you need to do is create the guest configuration file and add in the existing virtual hard drive.

Click “New”, and then “Next”.

 

Give your VM an appropriate name, such as “OWASP Live CD” and set the Operating System to “Linux” and “Other Linux”.

Click “Next”.

 

We suggest 512 MB of memory or more. The more you give it, the better your performance. I am going for 1024 MB.

 

Click “Next”.

 

On the “Virtual Hard Disk” screen, click “Existing...”.

 

You should get the “Virtual Media Manager”. Just click “Add” and browse to your extracted .VDI file.

 

 

Once you've opened it. You should see it listed in the “Virtual Media Manager” dialog.

Click “Select” with your newly added hard drive selected.

 

Click “Next”, then “Finish”.

 

You should now have an OWASP Live CD virtual machine listed.

 

With your OWASP Live CD virtual machine selected, click “Start”.

 

Your virtual machine should begin the boot process.

 

Soon after, you should be looking at the deskop of the Live CD.

 

If you have problems or questions, direct them to the Live CD VM Forum here:

http://appseclive.org/forum/6