HackerOne Gateway’s Virtual Machine is based on the latest version of Kali Linux. It enables penetration testing teams to thoroughly test internal networks and targets. It seamlessly integrates with the HackerOne Gateway VPN and requires minimal setup.
Prerequisites
HackerOne Customer
An internal network that is not “air-gapped” (i.e., it has access to the internet). See External Connection below for more details.
A Windows machine in the internal network on which to deploy the VM
Hyper-V and related services installed on the Windows machine
External Connection
If isolating the testing machine is unavoidable, please inform HackerOne staff as soon as possible. This will impact launch timelines and impose limitations on the pentesting team.
At a minimum, the testing machine will need to send and receive traffic to external sources in order to install the tools required to carry out the penetration test and to update dependencies. This includes the Kali Linux and Debian package repositories and GitHub. During testing, ethical hackers and pentesters may require access to additional tools as information and context are gained. Should they require this, please provide HackerOne staff with a process the hackers can use to request such access.
Additional Requirements (Handled by HackerOne Staff)
An active HackerOne program, most commonly a HackerOne Pentest.*
Gateway V2 enabled for the program.*
Cloudflared internal testing enabled.*
*Included for visibility only. HackerOne customers and testing team members do not need to take any action.
Penetration Testers
The WARP client must be installed on their local machine.
They must have a remote desktop protocol (RDP) client installed.
HackerOne recommends Microsoft Remote Desktop, VNC Viewer, or a similar client, as the VM's remote desktop service is based on xRDP.
If the machine where WARP and RDP will be installed is not in the Cloud, physical access may be required.
Kali Linux Virtual Machine
The latest HackerOne Gateway VM uses Kali Linux version 2024.1.
The image is provided in VHDX format and has been tested with Hyper-V.
In addition to the latest updates and default tools, the installation also includes:
Cloudflared pre-installed.
Additional commonly used tools.
5 predefined user accounts:
kali, hackerone, pentester1, pentester2, pentester3
Accounts can elevate to admin/root as required.
Accessible via SSH (default port) and RDP (port 3391) using the internal IP (e.g., 192.168.100.2)
Note: For internal network penetration tests, admin/root is required. An exception may be if the penetration test is objective-based and aims to determine whether the testing team can achieve higher access levels starting from a lower-level role (assumed breach).
Distribution and Deployment
Distribution
The Kali Linux Virtual Machine will be provided via a temporary link to a HackerOne S3 bucket.
It is provided as a VHDX file, allowing the creation of a virtual machine according to specifications. For the best testing results, HackerOne recommends provisioning resources to run the virtual machine to be as performant and practical as possible.
Related passwords, such as those for the users, will be shared using the credential management feature available on our platform.
Minimum Requirements
RAM: 8 GB or more.
Disk: 50 GB or more.
Graphics: A 1920x1080 (1080p) resolution is strongly preferred. Alternatively, please provide a resolution as close to 1080p as possible.
CPU: Quad-core is the minimum; an 8-core processor is strongly recommended.
Along with the virtual machine, HackerOne will provide the initial credentials for the five accounts using a secure method.
Deployment
The method of VM deployment on top of Hyper-V, including networking configuration and machine creation, is up to the customer. However, you can refer to the following parameters used for testing:
# Reference parameters used during testing. $Name and $Description are placeholders;
# set them (and the <...> values) before running.
$Name = "<YOUR VM NAME>"
$Description = "<YOUR VM DESCRIPTION>"
New-VM `
-Generation 2 `
-Name "$Name" `
-MemoryStartupBytes <YOUR MEMORY AMOUNT>MB `
-SwitchName "<YOUR SWITCH NAME>" `
-VHDPath ".\kali-linux-2024.1-hyperv-amd64.vhdx"
Set-VM -Name "$Name" -Notes "$Description"
Set-VM -Name "$Name" -EnhancedSessionTransportType HVSocket   # enhanced session over the Hyper-V socket transport
Set-VMFirmware -VMName "$Name" -EnableSecureBoot Off          # Generation 2 VMs enable Secure Boot by default
Set-VMProcessor -VMName "$Name" -Count <YOUR PROCESSOR NUMBER>
Enable-VMIntegrationService -VMName "$Name" -Name "Guest Service Interface"
In the example above, we used a NAT network. Deploying the machine with a bridged network interface is preferable, as it increases compatibility with the testing tools.
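As an added example (not the page's or HackerOne's own script), the same parameters applied with an External (bridged) Hyper-V switch, which the note above prefers over NAT, followed by checks that the resulting VM matches what the parameters intend. The VM name, description and switch name are placeholders, and the switch is assumed to bind to the first physical adapter that is up.

```powershell
# Added example: deploy the Kali VHDX on a bridged (External) switch and verify the result.
$Name        = "h1-gateway-kali"                                          # placeholder
$Description = "HackerOne Gateway VM (Kali 2024.1) - internal pentest"    # placeholder
$SwitchName  = "H1-External"                                              # placeholder
$VhdPath     = ".\kali-linux-2024.1-hyperv-amd64.vhdx"
$Memory      = 8GB     # page minimum: 8 GB
$Cpus        = 4       # page minimum: quad-core (8 recommended)

# An External switch bridges the VM onto a physical NIC of the host so the VM sits
# directly on the internal network. -AllowManagementOS keeps the host reachable on that NIC.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    $Nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
    if (-not $Nic) { throw "No physical adapter is up; cannot create an External switch" }
    New-VMSwitch -Name $SwitchName -NetAdapterName $Nic.Name -AllowManagementOS $true | Out-Null
}

if (-not (Test-Path $VhdPath)) { throw "VHDX not found: $VhdPath" }

New-VM -Generation 2 -Name $Name -MemoryStartupBytes $Memory `
       -SwitchName $SwitchName -VHDPath $VhdPath | Out-Null
Set-VM -Name $Name -Notes $Description -EnhancedSessionTransportType HVSocket
Set-VMFirmware -VMName $Name -EnableSecureBoot Off          # Generation 2 defaults Secure Boot to on
Set-VMProcessor -VMName $Name -Count $Cpus
Enable-VMIntegrationService -VMName $Name -Name "Guest Service Interface"
Start-VM -Name $Name

# Post-deployment checks: each row should print OK before handing the VM to the testing team.
$vm = Get-VM -Name $Name
$fw = Get-VMFirmware -VMName $Name
$gs = Get-VMIntegrationService -VMName $Name -Name "Guest Service Interface"
$checks = @(
    @{ Check = "Generation 2";    Ok = ($vm.Generation -eq 2) },
    @{ Check = "Secure Boot off"; Ok = ($fw.SecureBoot -eq 'Off') },
    @{ Check = "External switch"; Ok = ((Get-VMSwitch -Name $SwitchName).SwitchType -eq 'External') },
    @{ Check = "CPU count";       Ok = ($vm.ProcessorCount -eq $Cpus) },
    @{ Check = "Guest services";  Ok = ($gs.Enabled) },
    @{ Check = "VM running";      Ok = ($vm.State -eq 'Running') }
)
$checks | ForEach-Object { "{0,-16} {1}" -f $_.Check, $(if ($_.Ok) { 'OK' } else { 'FAIL' }) }
```

Run it from an elevated PowerShell session on the Hyper-V host; a FAIL row points at the setting to revisit before assigning the internal IP in the steps that follow.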
Instructions for HackerOne Customers
Basic Setup
Once the Kali VM is up and running on Hyper-V, you’ll need to assign the Internal IP to the machine, verify connectivity, authenticate Cloudflared, and create the tunnel.
Assign the Internal IP to the Machine (if not assigned by DHCP/not available):
In Kali, open the UI and manually assign the IP settings (only for the initial configuration).
Configuration example:
IPv4 Settings
IP: 192.168.100.2
Netmask: 24
Gateway: 192.168.100.1
DNS Servers: 8.8.8.8, 8.8.4.4
Note: Adding your internal DNS server to this list saves the pentesters from having to manually edit their /etc/hosts file.
Verify internet connectivity:
Ensure the internet is accessible from the VM.
Authenticate Cloudflared and create the tunnel:
In the HackerOne platform, go to Program > Gateway > Internal testing, as shown in the image below.
Note: Make sure your HackerOne Technical Engagement Manager enables Cloudflared internal testing; see the Prerequisites section.
Upon success, the page will display instructions tailored to your preferred environment.
In the VM, paste and run the command found at the bottom of the page:
sudo cloudflared service install <REDACTED TOKEN>
You should find the following output:
2024-07-23T13:02:31Z INF Using Systemd
2024-07-23T13:02:32Z INF Linux service for cloudflared installed successfully
The tunnel configuration and related routes will appear to you as the following:
Make sure the Cloudflared status is: HEALTHY
Provide each member of the testing team with:
The IP associated with the VM
Their credentials, obtained from the program under the credentials section (username is pentesterX, where X is a digit, for example: pentester1)
To check whether the tunnel connection is correctly set up, please verify with your penetration testing team after confirming they’ve gone through the steps outlined below.
If you face issues with the connection, please contact your HackerOne Technical Engagement Manager or Solutions Architect.
Please note the tunnel statuses are described here: Cloudflared tunnel status.
Additional Steps
The following steps are advised or required in some circumstances.
Change all five accounts' passwords:
passwd <username>
Since a testing team member may need to open and close the connection several times, we do not advise enforcing temporary (expiring) passwords.
If there are more than three members of the testing team, you’ll need to create more accounts:
Add user:
useradd -m <username>
Set a password:
passwd <username>
Set user group to sudo:
usermod -a -G sudo <username>
Set the shell:
chsh -s /bin/bash <username>
Instructions for Pentesters
After the customer installation of the HackerOne VM is complete, the testing team will need to follow these instructions to gain and confirm access in preparation for testing:
Get the Cloudflare team name domain for the HackerOne program. Instructions here.
Log in to WARP, as described in Configure Client for a Specific Program.
Turn the WARP client on
Retrieve from the customer the following information:
Internal IP associated with the VM
The credentials associated with you, obtained from the program under the credentials section. This will likely be pentester1, pentester2, or pentester3 unless the predefined user accounts were updated.
If the VM is running correctly, you should be able to reach it.
Don’t rely on ping, as ICMP over WARP is not reliable yet.
Use nmap instead:
sudo nmap 192.168.100.2
Connect via SSH:
ssh pentester1@192.168.100.2
Connect via RDP; the example below uses Microsoft Remote Desktop on a Mac:
PC name:
192.168.100.2:3391
User account: Ask when required
Leave the rest as default