6

I was watching an ethical hacking course where the tutor taught me to hack into different virtual machines and also machines from Hack The Box.

In the real world, how are these practices of hacking virtual machines useful? What do these virtual machines represent: a webserver, someone's PC, phone, any kind of server, or something else?

Andrew T.
  • 563
  • 5
  • 14
  • 10
    Practice, simply put. –  Jun 03 '20 at 12:55
  • Dude i know it helps to practice and increase your skill ,it helps to learn different way of exploitation ....i was asking these machines from hack the box represent what?webserver ,phones or pc –  Jun 04 '20 at 09:30
  • Each hackable VM may represent any of those things. Hack The Box even explains the types of boxes it hosts: https://www.hackthebox.eu/individuals – schroeder Jun 04 '20 at 11:33
  • @kraci Given that your question was widely misunderstood then, I would suggest you to change the question then. A title like "Do hackable VMs simulate real assets?" gets the point across better. –  Jun 04 '20 at 11:42

4 Answers4

15

Think of hacking virtual machines to be the equivalent of being in a shooting range but for pentesting/offsec. It is all about practice.

In the real world, how are these practices of hacking virtual machines useful?

  • Learning & Testing of exploits/tools
  • Understanding, Finding risks and vulnerabilities
  • Also, the legality of these practices, you won't have to worry much about legal problems as these boxes are set up in a way primarily for hands-on experiences & education purposes.

What do these virtual machines represent: a webserver, someone's PC, phone, any kind of server, or something else?

If I didn't understand wrongly, these VMs can be made in a way where they serve a purpose, like a database, webserver, and or someone's phone. Different functionalities, different ways of cracking.

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
mallocation
  • 1,668
  • 5
  • 20
  • No i meant to say these machines are supposed work like a webserver or other people's pc or something else?what does these exploitable vm represent? –  Jun 03 '20 at 12:16
  • 12
    They can represent anything that they were designed to represent, to train specific skills. – not my real name Jun 03 '20 at 17:54
  • @kraci yes. it can be a webserver; it can be a workstation; it can be a router; it can be a mail server; it can be a domain controller; it can be a mobile phone; it can be a 'smart' lightbulb, it can be a SCADA controller; it can be a drone; it can be designed to be any device that can be virtualized which is (with some effort) pretty much every device. But usually it does mean either a webserver or someone's pc, as those are the most common devices. – Peteris Jun 04 '20 at 11:30
  • @kraci In addition to the existing comments, you will likely find virtual machines everywhere. On server hostings, you find a physical rack server with virtual machines/containers, where all the websites are then stored in those virtual machines/containers. My testing server is a Debian PC running Virtual Box with a Debian install that's serving as host for the websites. This isn't an uncommon setup. – Ismael Miguel Jun 04 '20 at 11:32
4

The purpose isn't to hack into a virtual machine but to hack into a machine.

It's a great way to learn real pentesting and offensive security, with examples that are more or less realistic. HackTheBox, for instance, even have a "Real-world like" criteria for rating boxes.

Thryn
  • 301
  • 1
  • 7
  • No i meant to say these machines are supposed work like a webserver or other people pc or something else?what does these exploitable vm represent? –  Jun 03 '20 at 12:16
  • 2
    @kraci Sorry I didn't understand your question :) Those VM works like actual real-life server :) They use the same software, often the same architecture, and sometime the same vulnerabilities :) Speaking for Hack The Box, again. – Thryn Jun 03 '20 at 13:47
3

Think of these virtual machines as targets at a shooting range (example stolen from mallocation's answer).

Each virtual machine can be prepared to train different skills much like the targets at a range.

For example, you can have a very small target to train accuracy, a hiding/reappearing target to train speed, a target surrounded by non-targets to train target identification.

Likewise, your virtual machine can run a webserver to train remote service exploitation for example, or an intrusion detection software to train stealth etc etc. Virtual machines do not differ much from real machines so the skills learned are transferable, though they are easier to train on VMs as no hardware needs to be bought and no permission asked.

Hacking into virtual machines itself is also done however for non-training purposes. If you have ever heard of Virtual Personal Servers (VPS) - those are virtual machines which are used to split up a server's resources between different users. They aren't necessarily as temporary as virtual machines on one's home computer and can also contain valuable data.

user9123
  • 563
  • 3
  • 10
3

The virtual machines are supposed to be equivalent to a physical machine.

The virtual machines run on virtual hardware, so the operating system and programs behave as if they are running on an actual physical machine.

Why do we utilize virtual machines for this? A few reasons are:

  • Repeatability (If a virtual machine gets trashed, reset it to a known point.)
  • Adaptability (You don't need to set up an entire office worth of computers in your basement, you can virtually network them and achieve the same result... or mimic a typical SOHO setup.)
  • Cost (Same as above, virtualize a whole network, don't build one from hardware.)

Why does this matter?

  • Compromising a virtual webserver, file server, or host system is essentially the same as doing it on a physical host

  • A lot of networks utilize some form of virtualized infrastructure

Remember, these introductory exercises are straight forward. Putting it all together is not. You might need a simple SQL injection to dump a poorly secured file that contains user credentials, and then use those credentials to SSH into a system, from there you continue exploring and advancing through a network.

In closing, the exploitable VM can represent anything. It might be designed with a user's system in mind, or a webserver, or a file server. In real-life penetration testing, you might not know what the system you're trying to break into does.

Ramrod
  • 206
  • 1
  • 5