EH-Net
  Show Posts
31  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Question on wireless pen testing on: April 28, 2012, 12:38:59 PM
Or he may have static IPs and have no DHCP whatsoever.
32  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building a windows enterprise hacking lab suggestions? on: April 26, 2012, 07:25:02 PM
I have DHCP. I was thinking of putting a Fedora box running Snort, as that seems to be a common platform for Snort. I will add a Kerberos box later. If only there was a way to make virtual telephone networks (I don't mean VoIP), but that would be extremely difficult. Oh well, but yeah, I have a lot to keep me busy.
33  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building a windows enterprise hacking lab suggestions? on: April 23, 2012, 12:58:47 PM
Thanks, I will add an Exchange server, and I may go the Office Communicator route for VOIP and have clients with softphones running traffic generation scripts, and a MSSQL server. I don't have much experience with SharePoint, so it would make a good learning experience. I may also add a VPN server, as that is always a good way into a network.
34  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building a windows enterprise hacking lab suggestions? on: April 22, 2012, 05:50:20 PM
no :(
35  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Alfa AWUS036NHR on: April 20, 2012, 11:04:17 PM
I would go with the AWUS036NHA. It has an Atheros card that works better with Linux and can go into MASTER mode for AP attacks much easier, something a lot of other Alfa and cards in general can't do in Linux.
36  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building a windows enterprise hacking lab suggestions? on: April 20, 2012, 10:59:52 PM
Based on the resources available to me and my goal to stick to M$ products, I will go with MS SQL Server. I may add fake spoils as entries in the database now that I think about it. I also will add a Fedora Snort box because, from what I understand, that is a common IDS setup. And how could I forget? A mail server?!! I may add actual mail accounts and internal emails for lulz and realism's sake, maybe a SharePoint like you said. Anyone else have any ideas?
37  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / building a windows enterprise hacking lab suggestions? on: April 20, 2012, 07:41:15 PM
OK, so I have used Linux based labs to practice network hacking for a while now. But now I want to build a virtual network that will emulate a Windows enterprise network. I currently have set up a DC/DNS server, a web server I intend to put vulnerable ASP web apps on, and I also set up an SMB share server, all in Windows 2003 R2, and I will add clients varying from XP SP3 to Windows 7 and Vista (to simulate the ever changing landscape of a large network). I will add Cisco IOS GNS3 VMs and I may add a UC/VOIP system running traffic generation scripts. My question is: what other services or network appliances should I add to make this as realistic a lab as possible? Keep in mind that while I can run VMs of a lot of things, I am on a student budget, so a lot of hardware components are not available to me. Thanks in advance for whatever advice you may give.
38  Resources / Links to cool sites. / my article on Wifi OSINT is up on the infosec institute on: April 13, 2012, 08:59:35 PM
I just finished writing another article on wifi OSINT and preparation for wifi pen tests on the InfoSec Institute's resources section. Here is a link, tell me what you think:
http://resources.infosecinstitute.com/wlan-penetration-test/
39  Ethical Hacking Discussions and Related Certifications / Cyber Warfare / Re: wireless networks as a target for cyberwar? on: March 12, 2012, 08:02:36 PM
sil, to be honest that has little to do with the OP, other than the fact that it makes more sense to go physical if there are NATs making external attacks more difficult. And with the lack of static IPs, some networks use a client system's hostname as a subdomain. I don't know why, but it does happen, so you can find targets that way, and static IPed systems such as DNS servers or FTP servers are often vulnerable targets.

40  Ethical Hacking Discussions and Related Certifications / Cyber Warfare / Re: wireless networks as a target for cyberwar? on: March 07, 2012, 07:49:40 PM
About EAP-TTLS and EAP-TLS: yes, they are more secure, but PEAP is much more common because it uses already available credentials and infrastructure. Most companies already have RADIUS servers, and not as many AP vendors sell devices that support or are optimized for TLS or TTLS, so PEAP is the de facto standard for WPA enterprise and the most common implementation of 802.11X. And about the recon aspects, if you read the Wikipedia article on APTs, it reads:
Quote
Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack
And I bet the FSB, PLA or Iranian Revolutionary Guard could easily and have gotten people into the U.S. or Europe to do B&E, so this is just taking it a step forward (or in some cases a step back), and a lot of that recon can be done with OSINT sources, a lot, not all. And NACing or DMZing is not a 100% fix: all they have to do is pop a computer that is connected to the wifi but also has an Ethernet connection to pivot, and if they use PEAP (which most of the companies where I live do) they already have a set of credentials for the other machine on the network, not just the wifi. Remember, most PEAP implementations use the same RADIUS servers as Windows login, and even if they don't there is password re-use and derivable attacks. Also, most APTs have access to HUMINT resources, so paying a janitor to re-arrange a few cables to create a bridge into the internal network would not be too hard, albeit risky, and I don't think they would trust a janitor, perhaps a crooked IT person. That is another thing: APTs could recruit insiders to do the B&E work, as 3xban mentioned. And for the being stealthy part, someone sitting in a van down the street is pretty commonplace where I live and most cities. Also, most IDS and IPS, excluding WIDS/WIPS solutions, focus on connections inbound from external sources, and in some government and intelligence agencies I would imagine they could not sniff or log traffic for sensitive departments or projects, making a physical access or wireless attack even more stealthy. One of the main problems I have with the infosec and physical security departments in most organizations is they don't work together when they should. What good is a strong network based camera and door swipe card system if its control computer can be found via Shodan (http://www.shodanhq.com/search?q=GoAhead+Webs+login.asp+no+cache%2C+must+revalidate) and uses ancient software?
What's the point of having a multi thousand dollar IDS/IPS solution if its host box's power source can be cut from outside the building? We need to start working with the physical security people more than we do right now. The Navy and the Army have the Marines for a reason.
41  Ethical Hacking Discussions and Related Certifications / Cyber Warfare / wireless networks as a target for cyberwar? on: March 06, 2012, 10:34:32 PM
So I have had an idea recently. So in my experience wifi security is one of the easiest ways into a network, just ask Albert Gonzalez and TJ Maxx. So if a nation state or another APT has the resources to get operatives into the target's city, wouldn't their wifi network be an easy way in? I mean, all they would have to do is: if they have WEP, crack it; WPA/WPA2 personal, crack it; or if they have PEAP, do what I call a kick-and-call: figure out which client on the network has which phone number, deauth them or deauth the network wholesale repeatedly, and then call them up and ask if they are having network trouble and get them to connect to a honey pot, crack the MS-CHAPv2 hash and you are in. I digress, but wifi security in many ways is the poor relation of computer security, so what is there to stop APTs from exploiting it? In my opinion this is something governments and other high risk targets need to take into consideration: beef up your wifi security and get a WIDS!!!
42  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: Email engineering on: March 06, 2012, 10:15:57 PM
http://emkei.cz/

my personal favorite
43  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Good resources for testing Java applications on: March 06, 2012, 10:13:31 PM
OWASP is your friend
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
https://www.owasp.org/index.php/OWASP_Java_Project
44  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: tools on: March 06, 2012, 10:12:04 PM
I am personally against web vulnerability scanners. They are noisy, blocked/detected by most WAFs/IDS/IPSes and often generate false positives or miss things. For a vulnerability assessment they are OK, but for a pen test they are stupid and sometimes a game ender. I personally do all my assessments by hand with Firefox, Tamper Data and Firebug. My logic behind that is I get a better idea how the application works, and an attacker is going to use a setup that maximizes his or her anonymity, and also it's easier to look like a legitimate user if I am using a web browser than if I am sending huge numbers of packets with an automated tool and hoping the WAF only checks user agents. If I were doing a whitebox/vulnerability assessment type thing I use nikto/W3af; community tools generally have more frequent updates in my experience. But for a pen test I suggest you all do your tests by hand, they are paying you, not the tool :-p
45  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: hacme bank prebuilt vmware image by (Ninja-Sec.com) on: March 06, 2012, 10:03:13 PM
I use Linux as a base and the Linux 7zip client could not open it, and the ability to open an archive does not mean you can hack a web app or a Windows 2003 box, both of which I can do.