How to use Pwnbox, the cloud-based VM for security testing

What is Pwnbox?

Pwnbox, owned by security training platform Hack The Box, is a VM accessed via the internet. It is a custom installation of Parrot Security Linux, a Debian-derived Linux distribution roughly comparable to Kali Linux. It has more than 600 security utilities preinstalled, including the following top security auditing and hacking tools:

• Metasploit.
• Nmap.
• Burp Suite.
• Tor Browser.

Hack The Box updates the Pwnbox image monthly to keep it current.

Pwnbox enables users to create an environment in which to conduct security tests. Hack The Box handles all the back-end processing, freeing users to focus on what they need to handle: learning security tools. Anyone who has ever built and maintained a local lab environment knows what a huge time-saver Pwnbox represents.

Hack The Box and Pwnbox provide specific learning paths, many of which align with recognized industry standards. The labs provide realistic scenarios for penetration testing, as well as red and blue team activities. The idea is to provide users with a preconfigured environment and semidirected instruction that helps translate theoretical knowledge into practical skills.

Users can also access Pwnbox from their own servers by downloading Parrot Security. While you're at it, check out the other available Parrot distributions, including Home Edition, Cloud Edition (as a Docker container) and Raspberry Pi Images. The Parrot site also lets you download a Pwnbox image.

Cost and subscription information

Hack The Box offers Pwnbox the following three ways:

1. Free. Access to VMs and challenges, with a two-hour free trial of Pwnbox.
2. VIP. For $14 per month, get access to more VMs and challenges, with 24 hours of Pwnbox access monthly.
3. VIP+. For $20 per month, get access to all VMs and challenges, with unlimited Pwnbox access.

A business plan is also available; call Hack The Box for more info.

Launching Pwnbox

After connecting to Pwnbox through your web browser, launch an instance, known as a box.

The following steps outline the general process:

1. Log into your Hack The Box account.
2. Select your location and a VPN server.
3. Select Start Pwnbox.

You now see the Pwnbox desktop. You can open a Virtual Network Computing-based desktop connection or an SSH session to the remote system.

Now, you're ready to learn.

Be sure to select Terminate when you're done. Failing to do so wastes the hours available through your subscription. The Connections Settings window displays relevant information, including the number of hours remaining and your VPN server location.

A noninteractive access method called Spectators enables users to view your sessions. This feature is perfect for training and demonstrations.

Comparing Pwnbox vs. other security platforms

Pwnbox is a significantly different approach from other well-known pen testing distributions. Kali Linux, BlackArch and Parrot Security, for example, assume you install the OS on a bare-metal device or a VM; in other words, it's just another node on your local system or network.

Since Hack The Box is cloud-based, you don't have to install the OS, and you can access its functionality from a relatively low-powered device. This is a huge time-saver, alleviating the frustrations of building and maintaining a lab environment at home or in the office. Moreover, Hack The Box takes Pwnbox beyond the scope of other products by offering challenges and labs.

Today's cybersecurity professionals need more than theoretical knowledge about pen testing and security mitigation techniques. Pwnbox can help new and experienced cybersecurity professionals alike achieve this.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.