Heisenbergg4/pentest-setup

🛠️ Ubuntu Penetration Testing Environment Setup

A comprehensive bash automation script to set up a full-fledged penetration testing environment on Ubuntu/Debian systems. The script installs and configures 70+ essential security tools, organized under /opt/ and symlinked for easy CLI usage.


🎯 Overview

This script automates the installation of tools for:

  • 🔍 Network reconnaissance & enumeration
  • 🌐 Web application testing
  • 🧠 Active Directory attacks & analysis
  • 🔑 Password cracking & credential recovery
  • 🧰 Post-exploitation (Linux & Windows)
  • 🕳️ Tunneling and pivoting
  • 🧱 Containerized frameworks (Docker-based)

📋 Prerequisites

  • OS: Ubuntu 20.04+ or Debian 11+
  • User: Non-root user with sudo permissions
  • Internet: Stable connection for downloading packages
  • Disk space: ~10 GB free recommended
  • Estimated time: 30–60 minutes (depends on connection & CPU)

🚀 Quick Start

# Download the script
wget https://raw.githubusercontent.com/Heisenbergg4/pentest-setup/refs/heads/main/ubuntu_pentest_setup.sh

# Make it executable
chmod +x ubuntu_pentest_setup.sh

# Run it
./ubuntu_pentest_setup.sh

📦 Installed Components

System Packages (core)

  • Network Tools: nmap, wireshark, fping
  • Remote Access: freerdp2-x11, rdesktop, smbclient
  • Password Cracking: hashcat, john (John the Ripper Jumbo)
  • Utilities: curl, git, rlwrap, tree, bat, plocate, libimage-exiftool-perl
  • Time Sync: ntpsec-ntpdate, rdate
  • Kerberos: krb5-user, libkrb5-dev
  • Dev libraries: python3-dev, build-essential, autoconf, automake, libtool, pkg-config, yasm, libgmp-dev, libpcap-dev, libffi-dev, libssl-dev, zlib1g-dev, libbz2-dev
  • LDAP: libldap2-dev, libsasl2-dev, ldap-utils, samba-common-bin
  • Certificates & security utils: ca-certificates, gnupg

Programming Languages & Package Managers

  • Go (golang-go)
  • Ruby (ruby-full)
  • Rust (installed via rustup)
  • Python UV (modern Python package manager used in script)

Go Tools

  • ffuf — Fast web fuzzer
  • gobuster — Directory & DNS brute-forcing
  • kerbrute — Kerberos username enumeration

Ruby Gems

  • evil-winrm — Windows Remote Management shell
  • wpscan — WordPress vulnerability scanner

Rust Tools

  • rusthound-ce — AD data collector (community edition)

Python / UV Tools (Active Directory & Network)

  • NetExec (formerly CrackMapExec) — Network service exploitation
  • Impacket — Python classes for network protocols
  • evil-winrm-py — Python implementation of evil-winrm
  • BloodHound.py — AD reconnaissance (CE)
  • bloodyAD — AD privilege escalation helpers
  • Certipy — AD certificate abuse toolkit
  • powerview.py — PowerView (Python port)
  • smbclient-ng — Enhanced SMB client
  • ghauri — SQL injection tool
  • adidnsdump — AD DNS dump tool
  • dnsrecon — DNS enumeration
  • pypykatz — Mimikatz implementation in Python
  • ntdissector — NT structure parser
  • Responder — LLMNR/NBT-NS/MDNS poisoner
  • windapsearch — LDAP enumeration utility
  • Pcredz — Network credential sniffer
  • XSStrike — XSS detection suite

Exploitation Frameworks

  • Metasploit Framework
  • sqlmap — Automatic SQL injection tool

Web Tools

  • feroxbuster — Fast content discovery
  • ffuf, gobuster (from Go tools) also available

Tunneling / Pivoting

  • ligolo-ng — Proxy + Linux/Windows agents for tunneling and pivoting

Containers

  • Docker CE — Container platform
  • BloodHound CE — Active Directory visualization (runs via Docker Compose on port 8088)

Wordlists (installed to /opt/wordlist/)

  • rockyou.txt
  • directory-list-2.3-small.txt
  • directory-list-lowercase-2.3-medium.txt
  • web-extensions.txt
  • subdomains-top1million-5000.txt
  • subdomains-top1million-20000.txt
  • burp-parameter-names.txt
  • raft-medium-directories.txt
  • raft-large-directories.txt
  • common.txt
  • big.txt

Linux Post-Exploitation Tools (/opt/linux/)

  • linpeas.sh — Linux privilege escalation checker
  • pspy (small & static) — Process snooper without root
  • ligolo-linux-agent — Ligolo agent for pivoting
  • LaZagne (Linux port) — Credential recovery

Windows Post-Exploitation Tools (/opt/windows/)

  • adPEAS.ps1 / adPEAS-Light.ps1 — AD enumeration
  • LaZagne.exe — Windows credential dumper
  • winpeas.exe — Windows privilege escalation enumerator
  • SharpHound.exe — BloodHound data collector
  • ligolo-win-agent.exe — Ligolo Windows agent
  • syslifters (compiled C# tools) — assorted offensive helpers

📂 Directory Structure (after install)

/opt/
├── john-jumbo/
├── bloodhound/
├── sqlmap/
├── XSStrike/
├── Responder/
├── windapsearch/
├── wordlist/
│   ├── rockyou.txt
│   ├── directory-list-*.txt
│   ├── subdomains-*.txt
│   └── ...
├── linux/
│   ├── linpeas.sh
│   ├── pspy-static
│   ├── pspysmall
│   ├── ligolo-linux-agent
│   └── lazagne/
└── windows/
    ├── winpeas.exe
    ├── LaZagne.exe
    ├── SharpHound.exe
    ├── adPEAS.ps1
    ├── ligolo-win-agent.exe
    └── syslifters-compiled-tools/

/usr/local/bin/  # symlinked executables
├── john
├── sqlmap
├── responder
├── windapsearch
├── Pcredz
├── xsstrike
├── proxy (ligolo-ng)
└── feroxbuster

🔧 Post-Installation Steps

  1. Apply group changes (Docker):

# log out & back in, or run:
newgrp docker

  2. Restart your terminal to apply PATH changes (Go, Rust, Python UV).

  3. Verify installations (examples):

uv tool list
nmap --version
john --version
ffuf -V
impacket-secretsdump -h
docker --version

  4. Start BloodHound CE (example):

cd /opt/bloodhound
docker compose up -d
# then open: http://127.0.0.1:8088/ui/login

  5. Initialize Metasploit database:

msfdb init
msfconsole
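
A check to go with the verification step above, as an added example that is not part of this repository's script: it walks the launcher names the README lists under /usr/local/bin and flags entries that are missing, dangling, not executable, or whose resolved target is world-writable. The function name `audit_links`, the status labels and the world-writable check are assumptions of this example; the README does not state file ownership or modes.

```bash
#!/usr/bin/env bash
# Added example, not from the pentest-setup script.
# Launcher names copied from the README's /usr/local/bin listing.
EXPECTED_LINKS="john sqlmap responder windapsearch Pcredz xsstrike proxy feroxbuster"

# audit_links [BIN_DIR] [NAMES]
# Prints one status line per name and returns the number of problems found.
audit_links() {
    bin_dir="${1:-/usr/local/bin}"
    names="${2:-$EXPECTED_LINKS}"
    problems=0
    for name in $names; do
        path="$bin_dir/$name"
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            # Nothing at all under this name.
            echo "MISSING  $name"
            problems=$((problems + 1))
        elif [ -L "$path" ] && [ ! -e "$path" ]; then
            # Symlink exists but its target under /opt/ is gone.
            echo "DANGLING $name -> $(readlink "$path")"
            problems=$((problems + 1))
        elif [ ! -x "$path" ]; then
            echo "NOEXEC   $name"
            problems=$((problems + 1))
        else
            target="$(readlink -f "$path")"
            # A world-writable target lets any local user replace a tool
            # that is on every user's PATH.
            if [ -n "$(find "$target" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                echo "WRITABLE $name -> $target"
                problems=$((problems + 1))
            else
                echo "OK       $name -> $target"
            fi
        fi
    done
    return "$problems"
}
```

Source the file and call `audit_links` with no arguments to check /usr/local/bin; a non-zero exit status is the count of entries that need attention.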

📝 Wordlists (location) - Currently Not There

All wordlists are installed under /opt/wordlist/. Files included (representative list):

  • rockyou.txt
  • directory-list-2.3-small.txt
  • directory-list-lowercase-2.3-medium.txt
  • web-extensions.txt
  • subdomains-top1million-5000.txt
  • subdomains-top1million-20000.txt
  • burp-parameter-names.txt
  • raft-medium-directories.txt
  • raft-large-directories.txt
  • common.txt
  • big.txt

About

Bash script to install all packages and tools for my ubuntu pentesting vm
