The Samurai Web Testing Framework is a virtual machine, supported on VirtualBox and VMWare, that has been pre-configured to function as a web pen-testing environment.
The VM contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This VM also includes a pre-configured wiki, set up to be the central information store during your pen-test.
- Vagrant – https://www.vagrantup.com/
- Virtualization Software – The base vagrant box used supports virtualbox, vmware, and parallels, but testing at this time has been solely on virtualbox – https://www.virtualbox.org/
- vagrant-vbguest plugin for vagrant (virtualbox only) – this automatically installs guest extensions which provide support for higher display resolutions, as well as other conveniences like clipboard sharing – https://github.com/dotless-de/vagrant-vbguest
- Make sure you have the prereqs listed above. Webpwnized has made some helpful YouTube video instructionals for getting Vagrant and VirtualBox with vbguest plugin installed in case you have not done so before.
- Clone this repository.
- From a command-line terminal in the project directory, run the command
vagrant up. Then sit back and wait for it to finish. Immediately after the first time start up it is recommend you do a restart using
vagrant reload. Just running the
vagrant upwill build the primary target, which is a single VM with both the user environment and the targets. You can run
vagrant up userenvand
vagrant up targetto build seperate virtual machines for those purposes. NOTE: The Guest VM’s window will open with the CLI while provisioning is still ongoing. It’s best to leave it alone until the
vagrant upcommand fully completes.
The main Vagrant provisioning script for SamuraiWTF is install/userenv_bootstrap.sh. A standalone targets provisioning script is in install/target_bootstrap.sh. Changes for the system, targets, or tools installation or initialization for SamuraiWTF are all handled within these scripts.
Production VM Notes:
Once you load the VM, the username and password are:
- Username: samurai
- Password: samurai
The menus are available via a right click on the desktop.
Once you log in the target systems need to be provisioned. (Working on doing this during the build!)
First, load the Chrome bookmarks by starting Chrome. Then select the three dots menu and select Bookmarks. From the sub menu, select Import bookmarks and settings. In the window that opens, select Bookmarks HTML File. A file selector window will open. Select the chrome_bookmarks.html file in the samurai home directory.
Some of the target environments need to be initialized before use. Use their setup or Reset DB links to do this.