If you are new to penetration testing or just starting out, you will want to read through this information and watch the included video. In order to become a better penetration tester, you need a lot of practice. In order to practice and hone your skills, you need to build a penetration testing lab first. Thanks to virtualization software, you can build a very simple lab and begin testing the concepts that you are learning about. Once you learn the basic concepts, you can add more complexity to your penetration testing lab. As you start out though, you will want to keep your lab setup fairly simple.
The first thing you will need is virtualization software:
- Virtualbox (Windows/Mac/Linux)
- VMware Workstation (Windows)
- VMware Fusion (Mac)
- VMware Player (Windows/Mac/Linux)
Next, you will need a minimum of two virtual machines (VMs):
- One VM to be used as the attacking machine
- One VM to be used as the victim/target machine
Once you have the minimum requirements to set up your simple penetration testing lab, you should diagram or draw out your lab setup. Make sure to include IP addresses and hostnames if you are just starting out. That way you can have a quick reference point handy. As you gain more experience, you can hide the hostnames and IP addresses on your diagram. You can also leverage DHCP to “hide” your hosts within your lab setup. This will ensure you know how to do the proper recon! 😉
The 23 minute video that’s included in this post starts off with a discussion and overview of how to build a simple lab. Since there is not really that much detail to discuss in my simple lab setup, I will save the more detailed information for when we discuss the complex lab setup below.
My simple lab setup in the video consists of:
- VMware Workstation running on Windows 10
- Cisco VIRL
- Kali Linux 2.x VM
- Windows XP VM
- Windows 2003 VM
Diagram A. Simple Penetration Testing Lab
My complex lab setup includes:
- Everything that the simple lab has listed above
- Multiple Windows 2003 Server VMs
- Multiple Windows 2012 Server VMs
- Multiple Windows XP, 7 and 10 VMs
- Multiple Linux VMs
- A fully functional Windows Active Directory (AD) setup (Multiple AD Domain Controllers, Standalone DHCP Servers, and DNS Servers)
- A fully functional PKI infrastructure (Certificates)
- Microsoft Exchange Email Servers
- Linux Sendmail Email Servers
- Microsoft SQL Database servers
- Linux MySQL Database Servers
- Multiple File and Print Servers (Windows and Linux based)
- Multiple FTP Servers (Windows and Linux based)
- Multiple Web Servers (Windows and Linux based)
Diagram B. Complex Penetration Testing Lab
I designed my complex lab to truly emulate most real-world environments that I might encounter. You will notice that I designed and built the complex lab using a layered security approach. In most mid-sized and large enterprise environments, you can expect to encounter multiple layers of security. As your skill level increases, you will want to add layers of security to your lab. In my setup, I have a DMZ tier that has Internet-exposed servers and an Internal network where I have my inside user/host VMs and internal servers. All my client VMs are joined to the Windows 2012 AD environment that I have built. The domain policies have been designed to provide additional layers of security, such as forcing the Windows VMs to keep the Windows Firewall enabled, among other security features.
The DMZ is designed to allow certain traffic from some of the DMZ servers to Internal servers. For example, the database server in the DMZ is allowed to do bi-directional replication with the Internal network. There is also an FTP server in the DMZ that is allowed to do data transfers with the Internal network. Lastly, there are other basic and common services running on the DMZ servers that are allowed to communicate with some of the internal servers. The Cisco ASAv firewall in the diagram is locked down and only allows specific Layer-3 IP addresses and their associated port numbers. In other words, the firewall is configured in the most restrictive manner by requiring a specific IP address and port number pair for any connectivity.
All outbound connectivity is left with the default firewall filtering policy. By default, the Cisco ASA firewall does not restrict traffic when it goes from a more secure/trusted interface to a less secure/trusted interface. For example, traffic sourced from the Internal network will be allowed to flow to the DMZ and Internet with no restrictions (no access-lists are required by default). The beauty of a virtual lab setup is that you can substitute or swap out the virtual network gear with virtual equipment from other manufacturers.
You will want to swap out different virtual appliances to gain a better understanding of how each virtual security appliance operates. For example, Juniper has the concept of zone security. By default, one zone cannot talk to another zone without a policy being created first. One could argue that this concept is inherently more secure because you have to create policies for one network to talk to another network. In other words, there is no concept of allowing outbound traffic to go unfiltered by default unless you specifically configure it that way. Some of the most common network security technologies you will come across are Cisco, Palo Alto, Check Point, Fortinet and Juniper. Heck, you may even come across environments that have open-source solutions in place, such as iptables, Smoothwall, etc. Like I said though, get to know how each vendor functions and operates. Yes, it is quite time consuming, but if you want to set yourself apart from the rest of the pentesters, you need to go this extra mile. No network is the same, so you need to be prepared for anything!
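To make the contrast between the two default-policy styles concrete, here is an added example (my own code, not from the post, its video, or any vendor) that decides whether a flow between lab segments is permitted. The zone names, security levels, addresses and ports are constructed for the example; the DMZ-to-Internal database replication and FTP transfer rules follow the lab description above, with MS SQL on tcp/1433 and FTP control on tcp/21 assumed. One switch models the ASA behaviour (higher security level to lower is permitted implicitly, the reverse needs an explicit entry) versus the zone behaviour (nothing crosses zones until a policy permits it).

```python
"""Toy policy engine comparing ASA-style security levels with Juniper-style zones.
All zone names, addresses and ports below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Zone:
    name: str
    security_level: int  # ASA semantics: 100 = most trusted, 0 = least trusted
    network: str         # CIDR that places a host in this zone


@dataclass
class Rule:
    """Explicit permit: source zone/host to destination zone/host on one proto/port."""
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: int

    def matches(self, flow, src_zone, dst_zone):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ip_address(flow.src) in ip_network(self.src, strict=False)
                and ip_address(flow.dst) in ip_network(self.dst, strict=False)
                and self.proto == flow.proto and self.dport == flow.dport)


class Firewall:
    def __init__(self, zones, rules, implicit_high_to_low):
        self.zones = {z.name: z for z in zones}
        self.rules = rules
        # True  -> ASA style: higher security level may reach lower with no ACL
        # False -> zone style: every inter-zone flow needs an explicit rule
        self.implicit_high_to_low = implicit_high_to_low

    def zone_of(self, addr):
        for zone in self.zones.values():
            if ip_address(addr) in ip_network(zone.network, strict=False):
                return zone
        raise ValueError(f"no zone contains {addr}")

    def decide(self, flow):
        src_zone, dst_zone = self.zone_of(flow.src), self.zone_of(flow.dst)
        if src_zone.name == dst_zone.name:
            return "permit (intra-zone)"
        if self.implicit_high_to_low and src_zone.security_level > dst_zone.security_level:
            return "permit (implicit, higher to lower security level)"
        for rule in self.rules:
            if rule.matches(flow, src_zone.name, dst_zone.name):
                return "permit (explicit rule)"
        return "deny (implicit)"


# Constructed lab segments: inside users/servers, DMZ, and an "Internet" range.
LAB_ZONES = [
    Zone("inside", 100, "10.10.0.0/24"),
    Zone("dmz", 50, "172.16.10.0/24"),
    Zone("outside", 0, "203.0.113.0/24"),
]

# Only the specific IP/port pairs the lab needs, as the post describes.
LAB_RULES = [
    # DMZ database server replicates with the Internal database server (MS SQL, tcp/1433 assumed)
    Rule("dmz", "inside", "172.16.10.20", "10.10.0.20", "tcp", 1433),
    Rule("inside", "dmz", "10.10.0.20", "172.16.10.20", "tcp", 1433),
    # DMZ FTP server transfers data with the Internal FTP server (control channel shown)
    Rule("dmz", "inside", "172.16.10.21", "10.10.0.21", "tcp", 21),
]


def asa_style():
    return Firewall(LAB_ZONES, LAB_RULES, implicit_high_to_low=True)


def zone_style():
    return Firewall(LAB_ZONES, LAB_RULES, implicit_high_to_low=False)


if __name__ == "__main__":
    probes = [
        Flow("10.10.0.50", "172.16.10.30", "tcp", 80),     # inside user to DMZ web
        Flow("172.16.10.20", "10.10.0.20", "tcp", 1433),   # DMZ DB to inside DB
        Flow("172.16.10.30", "10.10.0.20", "tcp", 1433),   # DMZ web to inside DB
        Flow("203.0.113.7", "172.16.10.30", "tcp", 80),    # Internet to DMZ web
    ]
    for label, fw in (("ASA style", asa_style()), ("zone style", zone_style())):
        for flow in probes:
            print(f"{label:10} {flow.src} -> {flow.dst}:{flow.dport}  {fw.decide(flow)}")
```

The same rule set produces different answers under the two models: the inside-to-DMZ web probe is implicitly permitted in the ASA model and implicitly denied in the zone model, which is exactly the "no unfiltered outbound by default" point made above.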
If you want to take your learning to the next level, you can set up packet captures on both ASAs. Other virtual network security appliances may offer something similar. You can export the packet-capture (.pcap) file and open it up in Wireshark and begin analyzing the TCP conversations/sessions/flows. Why would you want to do this, you may ask? Packet captures provide tremendous detail and understanding of how TCP/IP sessions/flows are built and established. You will also learn a great deal about the different flags and other options that can be set when you launch certain attacks. You will want to become very familiar with TCP/IP, and this is a perfect way to dive into the details and learn how it works.
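As an added example of the kind of reading you would do on an exported capture (my own code, not from the post or its video, and not a replacement for Wireshark), the script below walks a classic pcap file, pulls the Ethernet/IPv4/TCP headers apart with `struct`, groups packets into bidirectional flows and lists the flag bits of each packet, then checks whether the flow opened with the SYN, SYN/ACK, ACK handshake. The capture it parses is constructed in code (a handshake, one ARP frame that is skipped, and a reset); addresses and ports are made up for the example.

```python
"""Summarise TCP flows and flags from a pcap file.
Added example: the pcap bytes are constructed in-code so it runs offline;
only Ethernet/IPv4/TCP is parsed, everything else is counted and skipped."""
import struct
from collections import OrderedDict

FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def flag_string(bits):
    """Render the low TCP flag bits as 'SYN,ACK' style text."""
    return ",".join(name for bit, name in FLAG_NAMES if bits & bit) or "-"


def parse_pcap(data):
    """Yield the raw frame of each record in a classic (non-pcapng) pcap."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", frame[14 + ihl:14 + ihl + 14])
    return src, sport, dst, dport, off_flags & 0x01FF


def summarise_flows(data):
    """Group packets by bidirectional 4-tuple; list (src, sport, flags) per flow."""
    flows, skipped = OrderedDict(), 0
    for frame in parse_pcap(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            skipped += 1
            continue
        src, sport, dst, dport, flags = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flows.setdefault(key, []).append((src, sport, flag_string(flags)))
    return flows, skipped


def handshake_completed(packets):
    """True when a flow opens with SYN -> SYN,ACK from the peer -> ACK from the initiator."""
    if len(packets) < 3:
        return False
    (a, _, f1), (b, _, f2), (c, _, f3) = packets[:3]
    return (f1, f2, f3) == ("SYN", "SYN,ACK", "ACK") and a == c and a != b


# --- constructed sample capture (addresses and ports are made up) ---
def _frame(src, sport, dst, dport, flags):
    def ip4(s):
        return bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = ("10.10.0.50", 40000), ("172.16.10.30", 80)
SAMPLE_PCAP = _pcap([
    _frame(*CLIENT, *SERVER, 0x02),             # SYN
    _frame(*SERVER, *CLIENT, 0x12),             # SYN,ACK
    _frame(*CLIENT, *SERVER, 0x10),             # ACK
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP frame: not IPv4, skipped
    _frame(*CLIENT, *SERVER, 0x14),             # RST,ACK
])

if __name__ == "__main__":
    flows, skipped = summarise_flows(SAMPLE_PCAP)
    for (end_a, end_b), packets in flows.items():
        print(f"{end_a[0]}:{end_a[1]} <-> {end_b[0]}:{end_b[1]} handshake={handshake_completed(packets)}")
        for src, sport, flags in packets:
            print(f"  {src}:{sport} [{flags}]")
    print(f"skipped non-TCP frames: {skipped}")
```

To run it against a real export from the lab, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; pcapng exports are not handled, so save as classic pcap from Wireshark first.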
As you first get started with penetration testing, your goal may not be to focus on evading security controls (flying under the radar). However, as you advance your skills, you will absolutely want to learn how to adjust your attack methods and tools to evade/elude security mechanisms that an administrator might be utilizing, such as a Firewall/IPS/SIEM, etc. Again, it’s extremely important to fully understand how TCP/IP works so you can be stealthy and avoid detection. 😉
In summary, as you begin, you will want to start off by building a simple penetration testing lab. As your skills progress and become stronger, you can increase the complexity of your lab setup. To be a good penetration tester, you will need plenty of practice along with your other studies and research. There are literally dozens of different ways that you can build your own lab. Watch the video that is included in this post to get a few ideas on how to build your own penetration testing lab.
As a final note, penetration testing will take you out of your comfort zone. You should expect to learn and become proficient with the following:
- Learning the various techniques and processes
- Learning how to effectively use different tools
- Learning multiple Operating Systems (OSs) that are commonly found in the real world (Yes, that means you need to become VERY familiar with the CLI)
- Learning networking concepts (including becoming very familiar with TCP/IP)
- Learning to love network security and commonly deployed countermeasures that administrators rely on when protecting against attacks
Watch the 23 minute video to view how my simple and complex labs are built.