How To Set Up A Penetration Testing Lab?

White0Hell
6 min read · Oct 16, 2022


☠ Danger: Do it at your own risk. I am not responsible for any problem you face. This is for educational purposes. ☠

Penetration Testing Lab Set-Up.

Before we can start attacking Secure Universal Cyber Kittens, Inc. (SUCK), we need to build our testing lab to test our attacks, develop our attacking machines, and understand how our exploits work. Practice and testing are invaluable when it comes to running a full-scale invasion. You don’t want to be the average Joe on a test using untested exploits which inadvertently takes down a critical system, getting you identified and tossed out of the company.

Building A Lab

It might be hard to build a full lab with all the applications, operating systems, and network appliances, but you must ensure you have the core components. These include bare Linux servers and Windows systems. Since Microsoft Windows operating systems aren’t free, you may have to purchase some software. If you are a student, you can generally get free software through your school. You can also check Microsoft DreamSpark (https://www.dreamspark.com/) to see if you qualify. I think with a default .edu email address you can get Windows 2012 and other software for free.

Building Out A Domain

In the example provided below, I will install a Windows Domain Environment using Windows 2012 R2, Windows 8, and Windows 7.

You can also consider the latest version of your operating system. “In my opinion, you had better do these things on virtual machines if you have only one computer or machine.”

Building Out Additional Servers

Below are the vulnerable virtual machines I recommend. In many of the labs, we will use these two frameworks for testing. For your own practice, you should also look at the other test servers.

Metasploitable2

This is a great vulnerable Ubuntu Linux virtual machine that intentionally contains common vulnerabilities. This is great for testing security tools, such as Metasploit, and demonstrating common attacks. It is relatively easy to set up as you just need to download the virtual machine (VM) and boot it into a Virtual Platform.

OWASPBWA (OWASP Broken Web Applications Project)

While Metasploitable2 focuses on services, OWASPBWA is a great collection of vulnerable web applications. This is one of the most complete vulnerable web application collections in a single VM. As with Metasploitable2, just download the vulnerable VM and boot it up.

Practice

Penetration testing is like any other profession and needs to be second nature. Every test is completely different and you need to be able to adapt to the changing environment. Without adequate practice, trying multiple different tools, and exploiting systems using different payloads, you won’t be able to adapt if you ever run into a brick wall.

Building Your Penetration Testing Box

I received some comments on why I have you build and install the tools instead of creating one script to automate it all. The main reason I have my readers manually go through these steps is that these are extremely important tools and this will help you remember what is available in your own arsenal. Kali Linux, for example, has tons of tools and is well organized, but if you don’t know the tool is installed or you haven’t played around with the individual attacks, then it won’t really be helpful in that dire need situation.

Setting Up A Penetration Testing Box

As you know, I always like bringing two different laptops to an engagement. The first is a Windows box and the second is either an OS X or Linux host. The reason I bring two laptops is that I have been on penetration tests where, on very specific networks, the OS X host would not connect to the network. Instead of spending hours trying to figure out why, I just started all of my attacks and scanning from my Windows host and fixed the OS X issue during my free time. I cannot tell you the countless times having two laptops has saved me.

It doesn’t matter if you run Windows, OS X, or some Linux flavor on your base system, but there are a few musts. First, you need to install a Virtual Machine (VM) platform. You can use VirtualBox (https://www.virtualbox.org) or VMware Player (https://my.vmware.com/web/vmware/downloads) or any other of your choice. Both are free on Windows, and only VirtualBox is free on OS X. I would highly recommend getting commercial versions for your VM platform as they have a wealth of extra features, such as encryption, snapshots, and much better VM management.

Since we are going to install most of our tools on our VMs, the most important step is to keep your base system clean. Try not to even browse personal sites on the base image. This way, your base system is always clean and you won’t ever bring malware onto a client site (I have seen this many times before), or have unknown vulnerable services listening. After configuring my hosts, I snapshot the virtual machine in the clean and configured state. This way, for any future tests, all I need to do is revert back to the baseline image, patch and update tools, and add any additional tools I need. Trust me, this tactic is a lifesaver. I can’t count the number of past assessments where I spent way too much time setting up a tool that should have already been installed.
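The snapshot-and-revert routine described above, sketched for VirtualBox's VBoxManage command line as an added example (it is not from the original article). The VM name `kali-lab` and the `clean-baseline-YYYYMMDD` naming scheme are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: baseline-snapshot workflow for a VirtualBox testing VM.
# "kali-lab" and the clean-baseline-* names are constructed placeholders.
# DRY_RUN=1 (default) only prints the VBoxManage commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

run() {   # print the command, execute it only when DRY_RUN=0
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Baseline snapshots carry a date so older ones can be told apart.
baseline_name() { printf 'clean-baseline-%s' "${1:-$(date +%Y%m%d)}"; }

# Step 1: after installing and configuring tools, freeze the clean state.
take_baseline() {   # usage: take_baseline <vm> [yyyymmdd]
  run VBoxManage snapshot "$1" take "$(baseline_name "$2")" \
      --description "clean, configured, no client data"
}

# Pick the newest baseline from the output of
#   VBoxManage snapshot <vm> list --machinereadable
# read on stdin (lines such as SnapshotName-1="clean-baseline-20240301").
latest_baseline() {
  sed -n 's/^SnapshotName[^=]*="\(clean-baseline-[0-9]\{8\}\)"$/\1/p' \
    | sort | tail -n 1
}

# Step 2: before the next test, power the VM off and revert to the baseline.
# Patching and tool updates then happen on top of the restored state.
revert_to_baseline() {   # usage: revert_to_baseline <vm> <snapshot>
  [ -n "$2" ] || { echo "no baseline snapshot found for $1" >&2; return 1; }
  run VBoxManage controlvm "$1" poweroff || true   # already powered off is fine
  run VBoxManage snapshot "$1" restore "$2"
}

# Typical use with DRY_RUN=0 (left commented so sourcing this file has no effect):
#   take_baseline kali-lab
#   snap="$(VBoxManage snapshot kali-lab list --machinereadable | latest_baseline)"
#   revert_to_baseline kali-lab "$snap"
```

Run it once with the default `DRY_RUN=1` to review the exact commands before letting it touch a VM.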

Hardware

Penetration Testing Laptop

These are the basic requirements for your penetration testing laptop.

Basic recommendations:

● Laptop with at least 8GB of RAM

● 500GB hard drive (solid state is highly recommended)

● Intel Quad Core i7 Processor

Password Cracking Desktop

Password Cracking/Multi-purpose Hacking Box

● Case: CORSAIR Vengeance C70

● Video Card: SAPPHIRE 100360SR Radeon R9 295x2 8GB GDDR5

● Hard Drive: SAMSUNG 840 EVO MZ-7TE500BW 2.5" 500GB SATA III TLC Internal SSD

● Power Supply: SILVERSTONE ST1500 1500W ATX

● RAM: CORSAIR Vengeance Pro 16GB (2 x 8GB) 240-Pin DDR3 SDRAM DDR3 1600

● CPU: CORE I7 4790K 4.0G

● Motherboard: ASUS MAXIMUS VII FORMULA

● CPU Cooler: Cooler Master Hyper 212 EV

This is definitely overkill for just password cracking, since the only thing that really matters is the GPUs; but, again, I still wanted to use this as an additional system in my arsenal.

Open Source Versus Commercial Software

Here, I thought it would be beneficial to include a comparison of open-source and commercial software. Although not everyone has the funds to purchase commercial software, it is very important to know what is available and what an attacker might use. Both as a defender and someone who runs offensive plays, having the right tools can definitely make a difference. In this book, I will show you several different commercial software tools that I find very useful, which can assist in various types of offensive situations. For each commercial tool, I will try to provide an open-source companion, but one may not always be available.

Commercial Software is:

● Burp Suite Pro

● Canvas

● Cobalt Strike

● Core Impact

● Nessus

● Nexpose

Kali Linux (https://www.kali.org/)

For those who have never used Kali Linux, it is often seen as the standard in offensive penetration testing. This Debian-based Linux distro contains a wealth of different security tools all preconfigured into a single framework. This is a great starting point for your offensive security platform and the book mainly builds off of this Linux distribution. I highly recommend that you download the virtual machine and use this for your testing.

Back Box (http://www.backbox.org/)

Although Kali Linux is seen as the standard, it is best to not ever rely on a single tool/OS/process — this will be a constant theme throughout the book. The developers could stop supporting a certain tool or, even worse, you begin to experience tunnel vision and rely on old methods. The guys over at Back Box are doing great work building and supporting another security platform. The main difference I can see is that Back Box is based on Ubuntu and, more importantly, comes with default user rights management (instead of everyone running as root in Kali Linux). Some people are more comfortable with Ubuntu, and I have gotten into situations where specific tools are developed for, and run more stably on, Ubuntu versus Kali. Again, it should be just another tool available at your reach and it is good to know what is out there.

Next, we will look at setting up Black Boxes and Kali Linux.
