Monday, September 17, 2012

SamuraiWTF 2.0 SVN Repository & Bug Tracker

With the recent release of SamuraiWTF 2.0 we have introduced significant changes to the official SamuraiWTF SVN repository, available at  http://svn.code.sf.net/p/samurai/code/trunk/ (check the new SourceForge.net project code section). This repository was mainly used in the past by the development team, thus these changes try to open up the repository to any user interested on updating the latest official SamuraiWTF version available from the project downloads section. As part of all these 2.0 related changes, we have also migrated the project to the new SourceForge.net (SF.net) platform, so the project web page look & feel and layout have changed, as well as some project's links (all the links in this post point to the new platform).

The idea is to use the SVN repository to provide fixes for known bugs between major SamuraiWTF releases, as well as updates for new features and tools (in future SVN revisions). Therefore, the current SVN repository contents include fixes for a few well known bugs associated to the SamuraiWTF 2.0 version in the form of individual bash scripts. These fixes will be included in the next SamuraiWTF version, 2.1, but meanwhile you can apply them to your private SamuraiWTF 2.0 instance.

The SVN repository contains a main script to apply all the available fixes ("fix.sh"), and a "fixes" directory. The "fixes" directory contains two types of scripts, those starting with "fix_" and a number, which corresponds to the ID associated to the bug the script fixes from the official SamuraiWTF bug tracker (eg. 25, after the migration), plus a descriptive text at the end of the filename, and those without a number, as the fix applies to a bug that has not been reported through the bug tracker.

In order to apply all the available fixes you simply need to follow these steps:
1. Start with a clean SamuraiWTF 2.0 instance (Live DVD or VM; take a look at the previous blog posts explaining how to create a SamuraiWTF 2.0 virtual machine in VMware FusionWorkstation, and Player).
2. Perform an initial checkout to retrieve the current SVN trunk contents from the official SamuraiWTF repository:
svn co http://svn.code.sf.net/p/samurai/code/trunk samurai
3. Step into the new local SVN copy and run the "fix.sh" script using sudo:
$ cd samurai
$ sudo ./fix.sh

The following screenshot shows the initial SVN process:
The main "fix.sh" script keeps a log of the fixes already applied, with the idea of avoiding applying the same fix every time the "fix.sh" script is executed. Thus, you can periodically update your local SVN copy ("svn up") with the most recent SVN contents and fixes, and run the script again:
$ cd samurai
$ svn up
$ sudo ./fix.sh

The following screenshot shows the SVN update process:
As new bugs are discovered and reported in the official SamuraiWTF bug tracker (please use the "v2.0" group to report all SamuraiWTF 2.0 issues), the plan is to create fix scripts for them and add those to the SVN repository. Bugs (or tickets) will remain in the "open" status till we find a solution for them, and once we have a fix script ready, they will be moved to the "pending" status till they are implemented on the next release, such as 2.1.

Additionally, in a near future we plan to add to SVN a similar "update.sh" script, plus the corresponding "updates" directory, to be able to provide updates for other SamuraiWTF features and tools (that you can request and report via the official SamuraiWTF feature requests tracker). When adding new feature requests use the "Next Release" milestone so that we can evaluate what release it will be added to.

We encourage you to use SamuraiWTF 2.0, apply the fixes from the SVN repository, and help us by reporting bugs and solutions to the mailing-list, and more importantly, though the bug tracker and feature requests tracker. In order to create new bug and feature requests tickets you need to authenticate in the SF.net platform.

An interesting conclusion from the weekly stats download count: Although the SamuraiWTF 2.0 ISO image has been downloaded 1,169 times, the corresponding MD5 file has been downloaded only 19 times. It seems that less than 2% of users check the ISO image MD5 hash (...unless you know it from the top of your head) :o)

Appendix: SVN SamuraiWTF Commands

With the recent project migration to the new SourceForge.net platform it is possible to perform a checkout of the SVN contents using SVN or HTTP (both unencrypted):
$ svn co svn://svn.code.sf.net/p/samurai/code/trunk samurai
$ svn co http://svn.code.sf.net/p/samurai/code/trunk samurai

Unfortunately, there is no encrypted alternative to checkout the SVN contents anonymously, as there was in the past (the command below, based on HTTPS, doesn't work anymore and requests user credentials):
$ svn co https://svn.code.sf.net/p/samurai/code/trunk samurai

However, the encrypted option that still works (I don't know for how long it will be available...) is the one that retrieves the contents from the old SVN repository via HTTPS (I recommend you NOT to use it - I included it here just for documentation purposes):
$ svn co https://samurai.svn.sourceforge.net/svnroot/samurai/trunk/ samurai

Additionally, as a project developer, it is possible to get encrypted and authenticated read-write (RW) SVN checkout access via SVN+SSH (replace USER with your SF.net username; check all these new options in the project code section):
$ svn checkout --username=USER svn+ssh://[email protected]/p/samurai/code/trunk samurai

Friday, September 14, 2012

How to Create a SamuraiWTF 2.0 Virtual Machine in VMware Player


The SamuraiWTF (Web Testing Framework) can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - Why there was no SamuraiWTF 1.0 version? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Player 5 (5.0.0) over Windows 7 (64-bits) and Windows XP (32-bits). The steps required for VMware Player over Linux would be very similar.

Creating a New Virtual Machine

Open VMware Player and create a new virtual machine (VM): [Player] Menu - File - New Virtual Machine... This will launch the "New Virtual Machine Wizard". In the welcome screen select "I will install the operating system later.", and click "Next >". In the "Select a Guest Operating System" select Linux as the "Guest operating system" and Ubuntu as the "Version", and click "Next >".

The "Name the Virtual Machine" window allows you to select the virtual machine name (eg. "SamuraiWTF-2.0"), and indicate where you want to save the new VM (directory, such as "C:\VMWARES\SamuraiWTF-2.0"). Click "Next >". In the "Specify Disk Capacity" screen define the maximum hard disk size (by default, 20 GB). All the other disk capacity options can be left with the default values. Click "Next >".

Finally, the "Ready to Create Virtual Machine" screen details all the VM settings selected, and allows you to modify other settings through the "Customize Hardware..." button. Click this button and access the "Memory" section. Change the amount of RAM to 2048 MB or more from the default of 1024 MB.   Access the "New CD/DVD (IDE)" section, select "Use ISO image file:", and browse to the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso") from the "Browse..." button. Once the amount of RAM and the CD/DVD location have been changed, click "Close".Optionally, you can also adjust other settings, such as the network interface type (by default, NAT). From the "Ready to Create Virtual Machine" screen, as the VM is ready to boot, click the "Finish" button.


You need to click the "Power On" button (or "Play virtual machine" link) to power on the VM after creation.

Booting SamuraiWTF 2.0

The recently created VM will start up, using the default Linux boot option, "Start SamuraiWTF". Wait till the SamuraiWTF desktop shows up.


Installing SamuraiWTF 2.0 to the hard disk

NOTE: The screenshots below correspond to VMware Workstation as they are the same exact ones for VMware Player, so I tried not to duplicate work from the previous blog post :o)

Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".


The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".


On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".


On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".


On the "Keyboard" screen select your keyboard layout and click "Continue".


On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".


NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.

The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.


Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.


There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.


After rebooting, the VM CD/DVD is not connected, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the "[Player] Menu - Removable Devices - CD/DVD (IDE) - Settings..." option and selecting "Use physical drive".

Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.


If you do not see the desktop icons, simply resize the VM window (this seems to be a bug in VMware Player).

Updating VMware Tools

VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.

Go to the "[Player] Menu - Manage - Update VMware Tools..." menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download and Install" button.


The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:

$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-9.0.2-799703.tar.gz
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl
...

Follow the installation process and reply with the default answer to all the questions:
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]
- In which directory do you want to install the binary files? [/usr/bin]
...
- Would you like to enable VMware automatic kernel modules? [yes]
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]

Post installation steps

You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit

You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.

Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! The main constraint in VMware Player (hey... it is free :-) is that you cannot take a VMware snapshot in case you need to restore back to this clean state.

The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Fusion or in VMware Workstation are available on previous blog posts.

Shameless Training Plug

This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.

Monday, September 10, 2012

How to Create a SamuraiWTF 2.0 Virtual Machine in VMware Workstation

The SamuraiWTF (Web Testing Framework) can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - Why there was no SamuraiWTF 1.0 version? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Workstation 8 (8.0.4, although version 9 is available) over Windows 7 (64-bits). The steps required for VMware Workstation over Linux would be very similar.

Creating a New Virtual Machine

Open VMware Workstation and create a new virtual machine (VM): File - New Virtual Machine... This will launch the "New Virtual Machine Wizard". In the welcome screen select "Custom (advanced)", and click "Next >". Choose the VM hardware compatibility as "Workstation 8.0" (default), and click "Next >". In the "Guest Operating System Installation" step, select "Installer disc image file (iso)", browse to the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso"), and click "Next >". In the "Select a Guest Operating System" select Linux as the "Guest operating system" and Ubuntu as the "Version", and click "Next >".

The "Name the Virtual Machine" window allows you to select the virtual machine name (eg. "SamuraiWTF-2.0"), and indicate where you want to save the new VM (directory, such as "C:\VMWARES\SamuraiWTF-2.0"). Click "Next >". The "Processor Configuration" screen allows you to select the number of processors and cores, where the default of "1:1" is fine, for a total of 1 processor core. Click "Next >". The next "Memory for the Virtual Machine" screen allows you to change the amount of RAM to 2048 MB or more from the default of 1024 MB. Click "Next >". In the "Network Type" screen it is possible to select the network interface type (by default, NAT). Click "Next >". The "Select I/O Controllers Type" can be left with the default SCSI controller: "LSI Logic". Click "Next >". In the "Select a Disk" screen it is recommended to "Create a new virtual disk", click "Next >", leave the default disk type in the next screen ("SCSI"), click "Next >", and define the maximum hard disk size (by default, 20 GB). All the other disk capacity options can be left with the default values. Click "Next >". The "Specify Disk File" allows you to provide the exact filename to be used for the VM disk (eg. "SamuraiWTF-2.0.vmdk"). Click "Next >". Finally, the "Ready to Create Virtual Machine" screen details all the VM settings selected, and by default will automatically power on the VM after creation.


As the VM is ready to boot, click the "Finish" button.

Booting SamuraiWTF 2.0

The recently created VM will start up, using the default Linux boot option, "Start SamuraiWTF". Wait till the SamuraiWTF desktop shows up.


Installing SamuraiWTF 2.0 to the hard disk

Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".


The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".


On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".


On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".


On the "Keyboard" screen select your keyboard layout and click "Continue".


On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".


NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.

The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.


Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.


There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.


After rebooting, the VM CD/DVD is not connected, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting "Use physical drive".

Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.


If you do not see the desktop icons, simply resize the VM window (this seems to be a bug in VMware Workstation).

Updating VMware Tools

VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.

Go to the "VM - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button. Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM.

The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:

$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-8.8.4-743747.tar.gz
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl
...

Follow the installation process and reply with the default answer to all the questions:
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]
- In which directory do you want to install the binary files? [/usr/bin]
...
- Would you like to enable VMware automatic kernel modules? [yes]

Post installation steps

You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit

You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.

Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.

The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Fusion are available on a previous blog post, as well as for VMware Player.

Shameless Training Plug

This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.

How to Create a SamuraiWTF 2.0 Virtual Machine in VMware Fusion

The SamuraiWTF (Web Testing Framework) can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - Why there was no SamuraiWTF 1.0 version? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Fusion 5 over Mac OS X Mountain Lion (10.8). The steps required for VMware Fusion 4.x would be very similar, if not the same exact ones.

Creating a New Virtual Machine

Open VMware Fusion and create a new virtual machine (VM): File - New... This will launch the "New Virtual Machine Assistant". In the "Introduction" screen click on "Continue without disc". Select "Create a custom virtual machine" from the "Installation Media" screen, and click "Continue". In the "Operating System" step, select Linux as the "Operating System" and Ubuntu as the "Version", and click "Continue". The "Finish" screen details the VM settings selected.

Click on "Customize Settings" and indicate where you want to save the new VM (directory and filename, such as "SamuraiWTF-2.0.vmwarevm"). VMware will open the settings window. Click on "Processors & Memory" from the "System Settings" section to change the amount of RAM to 2048 MB or more (by default, 1024 MB). You can also adjust other settings, such as the hard disk size (by default, 20 GB), or the network interface type (by default, NAT).


From the "Removable Devices" section, click on "CD/DVD (IDE)", and select the built-in CD/DVD (such as "SuperDrive"). Click on "Chose a disc or disc image..." and select the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso"). Go back to the the settings window, which can be closed at this point, as the VM is ready to boot.


Booting SamuraiWTF 2.0

Start up the recently created VM, using the default Linux boot option, "Start SamuraiWTF", and wait till the SamuraiWTF desktop shows up.


Installing SamuraiWTF 2.0 to the hard disk

Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".


The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".


On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".


On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".


On the "Keyboard" screen select your keyboard layout and click "Continue".


On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".


NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.

The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.


Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.


There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.


After rebooting, the VM CD/DVD is automatically turned off, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting the physical drive.

Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.


Updating VMware Tools

VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.

Go to the "Virtual Machine - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button.



Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM. The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:

$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-9.2.1-818201.tar.gz
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl
...

Follow the installation process and reply with the default answer to all the questions:
- You have a version of VMware Tools installed.  Continuing this install will first uninstall the currently installed version.  Do you wish to continue? (yes/no) [yes]
- In which directory do you want to install the binary files? [/usr/bin]
...
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]

Post installation steps

You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit

You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.

Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.

The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Workstation are available on another blog post, as well as for VMware Player.

Shameless Training Plug

This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.