Juicy

You can quickly test whether your web server is an open door for attackers by breaking into your own system. All you need to do is ... well, what actually? Isn't there this Metasploit tool that you can simply fire against the server? But before you point massive unknown weapons at your own server, you might want to take some time to familiarize yourself with the available tools and their purposes. And the best way to get started is to break into a test system.

The Open Worldwide Application Security Project (OWASP) makes its Juice Shop [1] available for starting pen testers. In addition to offering tasty fruit juices, the Juice Shop also deliberately contains a number of vulnerabilities, providing newcomers with an ideal target for hands-on pen testing practice. You can quickly set up the Juice Shop in a Docker container.

Open for Business

Because the Juice Shop has security vulnerabilities, you will not want to launch it on your own system. Instead, install your favorite distribution on a virtual machine (VM) or on an old laptop. Other services running in the background on your system will not interfere with the analysis. In principle, any distribution can serve as the underpinnings, but it should have the following tools in its repositories: Docker, Nmap, Dirb, and Base64. You can play it safe with Debian or go for the Kali Linux [2] pen testing distribution.

As soon as your distribution is running on the VM or on an old computer, use the package manager to integrate the tools I just mentioned. On Kali Linux, all you need to do is type

All other tools are already in place. The two commands from Listing 1 will download the container with the Juice Shop and launch it.