
Establish Your Own Penetration Testing Lab
RESEARCH AND DEVELOPMENT | CYBERSECURITY


QUESTIONS
You want to get started in pentesting, but you:
1. Don't have a victim, er, target machine that is safe to test (testing systems you don't own or don't have written permission to test is unethical and could get you jail time).
2. Think that setting up a vulnerable lab is expensive.
3. Don’t have a clue where to even start.
Penetration Testing can mean all kinds of things, depending on all kinds of factors. Let’s see if we can help you get started.
PENTEST LAB COMPONENTS
Of course, you need hardware and software, and we'll get to specifics in a few minutes. But to satisfy the curious, the bare minimum to get it all going is about 16 GB RAM and 256 GB of free disk space.
Before launching into potential gear and software, it's important to know what you're looking to test and learn.
Which of the following do you want to test (these are just sample categories; too many to list here!):
Networks
Malware Analysis, Countermeasures, Threats and Concepts
Social Engineering
Evading IDS, Firewalls, and Honeypots
Web Servers
Web Applications
Wireless Networks
Mobile Platform
Cloud
The more goals you have, and the more complex they are, the higher your hardware specs (and price) will be. In this article, I'll cover basics that apply to a wide range of pentesting areas, but no single article, tool, concept, or approach fits every need. A major part of testing is learning, learning, learning.
Perseverance in learning is probably the main character quality in pentesting. Sometimes called "wetware," the brain is the primary component in this field.
OTHER GOALS TO CONSIDER
Just like with building blueprints, you can’t build an adequate lab until you have a better idea of your goals than just the above categories.
Ask yourself:
What are the scope and goals of my testing?
How much money and time do I have?
What gear do I already have access to? (remember, friends can loan you things!)
Is my testing going to touch only my own local equipment, or would it encompass someone else's assets?
If the latter, you must have written permission, and the owner needs to know the scope and timing of your testing before you start.
HARDWARE REQUIREMENTS
This article focuses on building a lab on physical hardware that hosts virtual machines.
Some testers prefer a cloud environment. A cloud lab differs from an on-prem home lab in that it incurs a recurring (usually monthly) cost, whereas a home lab can often be built from equipment you already own. Also, cloud providers restrict certain activities even with a paid subscription: each publishes penetration-testing rules of engagement or an acceptable-use policy that you must read before attacking anything you host there, and denial-of-service style testing, for example, is commonly prohibited. An onsite home lab allows much more flexibility and capability.
But for those wishing to explore hacking in a cloud lab, here's Microsoft's guidance (requires an Azure subscription):
https://learn.microsoft.com/en-us/azure/lab-services/class-type-ethical-hacking?tabs=windows
Here's a way to set it up in Google Cloud:
Here's a way to set it up in AWS:
You need at minimum 2 machines: Attacker and Target. It doesn't matter whether one or both are virtual or physical, but take stock of your resources to see what you want to use. Two physical machines will likely require more cables (and a switch you control); two virtual machines require the host to have more RAM, CPU, and storage than it would need for a single physical role. Whichever you choose, put the target on a network segment that is isolated from the rest of your home network: an intentionally vulnerable machine is exactly as attractive to malware and to anyone else on the LAN as it is to you.
Refer back to your primary goals in your testing to find out what you might need.
In general, focus on The Big Three: RAM, Storage, CPU
If you're going virtual and have to skimp on one, let it be CPU; virtualization is mostly bound by RAM and storage. There are lots of factors, but 16 GB RAM and a 128 GB SSD is a workable floor for one attacker and one target VM (the 256 GB mentioned above gives you room for several targets), though you may have to close other apps, tabs, and services so the VMs get the RAM and disk they need.
Other handy hardware to have, even if your lab is virtual:
An Ethernet cable, and
A spacious USB drive
There always seems to be a need to plug in somewhere and to have a place to store files or images.
On a related note about testing environments and equipment: if you want to try your hand at simply installing Kali NetHunter on an Android phone (it's nice to have a smaller and more portable device for testing), David Bombal has a great video on setting this up. Works really well! https://www.youtube.com/watch?v=KxOGyuGq0Ts
SOFTWARE REQUIREMENTS (VIRTUALIZATION SOFTWARE, OPERATING SYSTEMS, ETC.)
There are 2 widely used desktop hypervisors: VMware (Workstation/Fusion) and VirtualBox
Documentation for each is here:
VirtualBox:
https://www.virtualbox.org/wiki/Documentation
VMWare:
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
Another option is QEMU (usually paired with KVM on Linux hosts):
While I haven't tried it, I see it more and more, and it appears to be a great option for virtualization. More information here:
https://linuxconfig.org/qemu-vs-virtualbox-whats-the-difference
VIRTUALIZATION – NEXT STEPS
After you've chosen the platform, set it up properly. If you want to test specialized environments realistically, you'll want to add the pieces those environments have, which could include VPNs, firewalls, etc.
In general, most virtual-machine settings (RAM, CPU, storage space, IP addressing, et al.) are self-explanatory. One area that can be tricky is the network adapter, because it decides who can reach your vulnerable targets. Here are the common options and their meanings (what you pick depends on how far you want to go in testing with your setup):
• Bridged: the guest shares the host's physical adapter and appears as a separate machine on the physical network, with its own IP from the LAN's DHCP server and the same DNS servers as the host. Everything on the LAN can reach it. Do not bridge a deliberately vulnerable target; use bridged only for the attacker, and only when you need to scan physical devices you own.
• NAT: the VM sits behind the host and reaches the network through the host's default connection; outbound traffic appears to come from the host's IP. The VM can access the network and the internet, but machines on the LAN cannot initiate connections to it (unless you add port forwarding). The hypervisor's built-in DHCP server assigns the IP. This is the default for newly created VMs in both VirtualBox and VMware.
• Host-only: the most private and restrictive option. There is no default gateway, so the VM has no route to the internet or the LAN; it can talk only to the host and to other VMs on the same host-only network. The hypervisor's host-only DHCP server assigns the IP. This is the right choice for targets such as Metasploitable, and if you give the attacker two adapters (NAT for updates, host-only for the lab) you get the best of both.
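To make the attacker/target split and the adapter choices above concrete, here is a VirtualBox setup script. It is an added example written for this article, not something shipped by VirtualBox or by the author: the VM names Kali and Metasploitable2, the vboxnet0 interface name (a Linux host; Windows names the adapter differently), and the 192.168.56.0/24 range are assumptions. It builds a host-only network with its own DHCP pool, gives the attacker NAT plus host-only, gives the target host-only only, and then checks from the machine-readable VM info that no target NIC is bridged or NATed.

```shell
#!/bin/sh
# Isolated attacker/target lab network in VirtualBox, plus a check that the
# target is not exposed. Added example; VM names, interface name and subnet
# are assumptions. VBoxManage option names are from the VBoxManage manual.
set -eu

HOSTONLY_IF="vboxnet0"          # assumption: Linux host, first host-only interface
LAB_NET="192.168.56"            # assumption: VirtualBox's default host-only range
ATTACKER="Kali"                 # assumption: name of the attacker VM
TARGET="Metasploitable2"        # assumption: name of the vulnerable target VM

# Create the host-only interface (if missing) and a DHCP pool on it, so guests
# get addresses without ever touching the physical LAN.
build_lab_network() {
    VBoxManage list hostonlyifs | grep -q "^Name: *$HOSTONLY_IF\$" \
        || VBoxManage hostonlyif create
    VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$LAB_NET.1" --netmask 255.255.255.0
    VBoxManage dhcpserver add --ifname "$HOSTONLY_IF" --ip "$LAB_NET.2" \
        --netmask 255.255.255.0 --lowerip "$LAB_NET.100" --upperip "$LAB_NET.200" \
        --enable 2>/dev/null \
        || VBoxManage dhcpserver modify --ifname "$HOSTONLY_IF" --enable

    # Attacker: NIC1 = NAT (updates, tool downloads), NIC2 = host-only (lab).
    VBoxManage modifyvm "$ATTACKER" --nic1 nat \
        --nic2 hostonly --hostonlyadapter2 "$HOSTONLY_IF"
    # Target: host-only and nothing else. No NAT, no bridge, so the vulnerable
    # box can reach nothing but the attacker and the host.
    VBoxManage modifyvm "$TARGET" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" \
        --nic2 none
}

# Read `VBoxManage showvminfo <vm> --machinereadable` output on stdin and
# succeed only if every NIC is hostonly, intnet or none. A "bridged", "nat"
# or "natnetwork" adapter on a target means it is reachable from (or can
# reach) networks it should not, so the check fails.
target_nics_are_isolated() {
    bad=$(grep -E '^nic[0-9]+="' | grep -Ev '="(hostonly|intnet|none)"$' || true)
    [ -z "$bad" ]
}

# Convenience wrapper around the check for a named VM.
check_target() {
    if VBoxManage showvminfo "$1" --machinereadable | target_nics_are_isolated; then
        echo "$1: isolated (host-only/internal adapters only)"
    else
        echo "$1: NOT isolated, it has a bridged or NAT adapter" >&2
        return 1
    fi
}

# Only touch VirtualBox when explicitly asked; otherwise just define functions.
if [ "${1:-}" = "apply" ]; then
    build_lab_network
    check_target "$TARGET"
fi
```

Run it as `sh lab-net.sh apply`; with no argument it only defines the functions, so you can source it and run `check_target` against any VM before you power it on. Swapping hostonly for `--nic1 intnet --intnet1 lab` gives a VirtualBox internal network that even the host cannot reach, which is stricter but means you lose the ability to browse the target's web apps from the host.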
MACHINES
What virtual machine to install for the Attacker and Target systems? There’s a lot out there! Here are some options (but always feel free to choose and use what you know or find or like – this is only to assist if you’re stuck):
ATTACKER
The machines listed below have tools already installed. Always do your research, testing, and decision-making to determine what you’d like to actually use. But these distros have plenty of tools to get started, and one can always add or take away as needed.
KALI
This is probably the most well-known pentesting distro because of all the tools.
https://www.kali.org/get-kali/#kali-platforms
A couple of things I like about Kali:
A lot of tools
Kali Purple is designed for purple teaming and has its tools categorized according to the NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover)
PARROT
I haven’t used this but have come across it many times in research and learning.
PentestBox
This is designed for Windows and contains a large number of tools that are usually found only in Kali. It will be flagged as malware because many of these tools are considered a no-no by antimalware programs, which will quarantine or delete them. Be ready to add exclusions for the install directory in your antimalware, and preferably run it on a dedicated machine or VM rather than your daily driver.
BLACKARCH
I haven’t used this, but have come across it many times in research and learning.
CSI LINUX
https://csilinux.com/csi-linux-downloads/
CSI Linux is designed for forensics, investigations, analysis, and response. And you can download any other tools you need.
A couple of things I like about CSI Linux:
• CSI TorVPN and other tools for navigating the Dark Web
• Sock Puppet generator
TRACELABS VM
https://www.tracelabs.org/initiatives/osint-vm
This VM is designed for OSINT and includes scripting designed for that.
TARGET MACHINES
If you don’t have a physical target machine, here are several options to get you going. Install as much as you like depending on your goals and gear.
WINDOWS 11
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
WINDOWS EVAL MACHINES
https://www.microsoft.com/en-us/evalcenter/
METASPLOITABLE
https://information.rapid7.com/download-metasploitable-2017.html
Metasploitable is an intentionally vulnerable Linux VM with default credentials and exploitable services, so keep it on a host-only (or internal) network and never bridge it to your LAN.
VULNHUB
VulnHub has a lot of vulnerable target machines to choose from, but remember to a) check the specs before downloading and b) clean up each machine when you're done, since they take up precious space.
BWAPP (BUGGY WEB APP)
Here's a guide on how to install the VulnHub version of it: https://infosecwriteups.com/bwapp-a-vulnerable-web-application-for-practicing-vulnerabilities-installation-guide-146637e2da92
SELECTING PENTESTING TOOLS
As with choosing the hardware and platform, consider upfront what technical activities you want to do (again, these are just some of the many options; try things out, adjust, learn, and you’ll find out along the way what it is you really like to do):
• Footprinting and reconnaissance
• Scanning networks (host and service discovery)
• Enumeration of people, technology, open ports, attack surface
• Vulnerability analysis of internal resources
• System Hacking
• Web app hacking
• Mobile app testing
• Malware analysis
Here's a short list of potentially useful penetration-testing tools. There are a great many, but starting with the right distribution, the right focus, a few basic tools (combine their results and effects; no single tool does it all), and a proxy (next section), you'll have an immediate way to get going.
Nmap: command-line network mapper and security scanner; a classic tool. https://nmap.org/
cURL: short for "client URL", a command-line tool for transferring data with URLs; handy for poking at web servers by hand and for sending requests through your proxy.
Wireshark: a network protocol analyzer.
John the Ripper: password cracker.
https://www.openwall.com/john/
Nikto: web server scanner.
https://github.com/sullo/nikto
Nessus: vulnerability scanner with technical compliance checks and audits. The Essentials version is free and scans up to 16 IP addresses.
https://www.tenable.com/products/nessus/nessus-essentials
Metasploit: the "world's most used penetration testing framework," Metasploit combines the ability to find vulnerabilities with the capability to exploit them and work with the resulting sessions. https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
Free training from Offensive Security (OffSec), here:
https://www.offsec.com/metasploit-unleashed/
Armitage: a GUI front end for Metasploit (a separate project, not part of Metasploit itself), found here:
https://www.kali.org/tools/armitage/
Angry IP Scanner: An IP address and port scanner.
One of my favorites from my sysadmin days; available for Linux, macOS, and Windows. Is it like nmap? Yes. Is it better? nmap has a LOT more features and flexibility, but it's all about the end result, not the tool. Angry IP Scanner is an alternative for those who prefer a GUI with fewer options to start with. One thing I like is the ability to right-click an IP and choose actions such as Ping and Trace Route.
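Here is how the scanning tools above fit together on a host-only lab network, as an added example (not code from the article or from the nmap project): a ping sweep of the lab subnet, a version scan of the hosts that answered, and a small parser for nmap's grepable output so the open ports land in your notes as plain text. The subnet, the output directory, and the sample scan lines in the comments are assumptions and constructed samples, not real scan results.

```shell
#!/bin/sh
# Lab recon workflow: sweep the lab subnet, service-scan what answered, and
# extract open ports from nmap's grepable (-oG) output for the notes file.
# Added example; subnet, output path and sample lines are assumptions.
set -eu

LAB_NET="192.168.56.0/24"                                   # assumption: host-only range
OUT_DIR="${OUT_DIR:-${HOME:-/tmp}/lab-notes/$(date +%Y%m%d)}"  # assumption: notes location

# Live hosts from a -oG ping sweep. Constructed sample input line:
#   Host: 192.168.56.101 ()<TAB>Status: Up
# Prints one IP per line.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Open ports from a -oG service scan. Constructed sample input line:
#   Host: 192.168.56.101 ()<TAB>Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/<TAB>Ignored State: closed (997)
# Fields are tab separated; each port entry is
#   port/state/proto/owner/service/rpc/version/
# (nmap writes "|" instead of "/" inside version strings, so the split is safe).
# Prints "host port proto service version" for open ports only.
open_ports() {
    awk -F'\t' '
    /^Host:/ && /Ports:/ {
        split($1, h, " "); host = h[2]
        ports = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")
            if (f[2] == "open") printf "%s %s %s %s %s\n", host, f[1], f[3], f[5], f[7]
        }
    }'
}

# The actual scan. -sn = ping sweep only; -sV = version detection; -p- = all
# 65535 TCP ports (fine on a lab, slow and noisy anywhere else); -oA = save
# normal, grepable and XML output under one basename for the notes.
run_recon() {
    mkdir -p "$OUT_DIR"
    nmap -sn "$LAB_NET" -oG "$OUT_DIR/sweep.gnmap" >/dev/null
    live_hosts < "$OUT_DIR/sweep.gnmap" > "$OUT_DIR/hosts.txt"
    echo "live hosts: $(tr '\n' ' ' < "$OUT_DIR/hosts.txt")"
    nmap -sV -p- -iL "$OUT_DIR/hosts.txt" -oA "$OUT_DIR/services" >/dev/null
    open_ports < "$OUT_DIR/services.gnmap" | tee "$OUT_DIR/open-ports.txt"
}

# Only scan when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    run_recon
fi
```

Run it as `sh lab-recon.sh run` from the attacker VM. Keeping the three output formats from `-oA` matters more than it looks: the .nmap file is what you paste into your notes, the .gnmap file is what scripts like the one above chew on, and the .xml file imports into Metasploit's database (`db_import`) so the hosts and services are already there when you start exploiting.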
PROXY
For many testing scenarios, capturing, analyzing, and manipulating HTTP(S) requests and responses is vital. This is where an intercepting proxy comes in. Remember that to see HTTPS traffic you must install the proxy's CA certificate in the browser or device you are testing from; otherwise all you'll get is certificate errors.
Burp Suite (free Community Edition (CE)): https://portswigger.net/burp/communitydownload
OWASP ZAP:
If you're into mobile app testing, a great free and open-source tool is MobSF, which comes in 2 flavors:
Online:
Docker:
https://github.com/MobSF/Mobile-Security-Framework-MobSF
NOTE KEEPING
Even non-professional testers need to take notes: configs, screenshots, what things looked like before you ran the test, the exact commands you ran, etc.
When taking notes, it's important to consider the use. Often, you'll want something that handles images/screenshots/screen captures. You might also want it available online for backup and availability purposes. But you may instead want something that stays local, since lab notes tend to contain credentials and password hashes that shouldn't sit in a cloud account.
I prefer Microsoft's OneNote (free with a free Microsoft account) because I can copy text out of images/screenshots, which saves me a lot of time not having to transcribe it by hand.
Two other good ones are:
CherryTree (often preinstalled on pentesting Linux distros):
https://www.giuspen.net/cherrytree/
Obsidian:
Many more are found here:
https://itsfoss.com/note-taking-apps-linux/
HANDS-ON EXERCISES
SITES TO HACK
Do you want to skip installing VMs to attack? There are several places online that allow you to hack them and/or learn! Stay inside the scope each site defines: a site that invites attacks on its exercises is not inviting attacks on its hosting infrastructure or on the other people using it.
OWASP's list of vulnerable apps - both online and offline:
https://owasp.org/www-project-vulnerable-web-applications-directory/
HackXoR:
Juice Shop:
https://juice-shop.herokuapp.com/
WebGOAT:
https://github.com/WebGoat/WebGoat
ZeroBank:
http://zero.webappsecurity.com/
Google Gruyere:
https://google-gruyere.appspot.com/
Hack The Box – HTB has a lot of free options and training:
https://www.hackthebox.com/ and https://academy.hackthebox.com/
Over the Wire:
https://overthewire.org/wargames/
HackThisSite:
https://www.hackthissite.org/pages/index/index.php
Portswigger Web Security Academy:
https://portswigger.net/web-security
These sites provide practical exercises to perform within a lab environment and demonstrate basic penetration testing techniques.
JUST THE BEGINNING
I hope this helps as you consider how to set up your hacking lab this year. Try something, take the next step, and learn along the way. Best wishes!