Creating a New Virtual Machine
Open VMware Fusion and create a new virtual machine (VM): File - New... This will launch the "New Virtual Machine Assistant". In the "Introduction" screen click on "Continue without disc". Select "Create a custom virtual machine" from the "Installation Media" screen, and click "Continue". In the "Operating System" step, select Linux as the "Operating System" and Ubuntu as the "Version", and click "Continue". The "Finish" screen details the VM settings selected.
Click on "Customize Settings" and indicate where you want to save the new VM (directory and filename, such as "SamuraiWTF-2.0.vmwarevm"). VMware will open the settings window. Click on "Processors & Memory" from the "System Settings" section to change the amount of RAM to 2048 MB or more (by default, 1024 MB). You can also adjust other settings, such as the hard disk size (by default, 20 GB), or the network interface type (by default, NAT).
From the "Removable Devices" section, click on "CD/DVD (IDE)", and select the built-in CD/DVD (such as "SuperDrive"). Click on "Chose a disc or disc image..." and select the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso"). Go back to the the settings window, which can be closed at this point, as the VM is ready to boot.
Booting SamuraiWTF 2.0
Start up the recently created VM, using the default Linux boot option, "Start SamuraiWTF", and wait till the SamuraiWTF desktop shows up.
Installing SamuraiWTF 2.0 to the hard disk
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".
The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".
On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".
On the "Keyboard" screen select your keyboard layout and click "Continue".
On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".
NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.
After rebooting, the VM CD/DVD is automatically turned off, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting the physical drive.
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.
Updating VMware Tools
VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.
Go to the "Virtual Machine - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button.
Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM. The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:
$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-9.2.1-818201.tar.gz
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl
Follow the installation process and reply with the default answer to all the questions:
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]
- In which directory do you want to install the binary files? [/usr/bin]
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]
Post installation steps
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.
The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Workstation are available on another blog post, as well as for VMware Player.
Shameless Training Plug
This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.