<nod> True, and likely the best option.  Except that off eBay (going along with your probably,) they're used, so you don't know how close to failure they may already be.  I'm more than happy, personally, to keep using BOTH, until I have a sound-proofed office to run them in, off-hours.

Funny story, to the eBay point, though...  Amazing what NON-configuration-cleared items you can buy from eBay.  I ended up calling an oil company (previous owners who'd gotten rid of them, during a replacement cycle,) after I bought the routers, as they still had SNMP and other wide open configs on them.  Could've heard the guy's head shaking, on the other end of the phone, when I called him, to tell him they should be more careful.  (Turns out, they hadn't, yet, changed their passwords and configs for the systems, so all of it would've been very valuable to the "UN-ethical" hacker community...)

I agree with everything that been said so far my lab has lots VM of live cd in it. But I am hoping to build a new lab that contain hardware / software as never really done this and think it could really help me with pen testing so if anyone can recommend good stuff to read  or where to start be appreciated.

Definitely.  Similar to some the target exercises (except even moreso,) like the targets in some of the PWB labs.

Defiantly hear where you guys are coming from on this. I can tell you what goes through my mind when i've been told i need more experience in different areas:

1. I dont have that kind of time! i'm 20 (something) years old! I'm already behind the guys who started hacking 486's!
2. Read the news! The cyber war is going to start tommorow! if I dont start now, it'll be over by the time i have been is sysadmin for 10 years! (joking aside, this and the next one are probably the biggest)
3. Security is a hot topic right now, its a big industry. In 10 years, who knows where we will be? Maybe organizations will be significantly more secure and they wont need my skills. (Or the field will be over saturated!)
4. Great, I spent all this time and money learning all these skills, and I have to wait 10 years before I can use it. Already many things are being secured or changed, my knowledge will be useless by the time I can use it.
(Very big for me right now, I barely do sysadmin duties at my current job, and while my previous employer had me working with IA  doing security related duties, not here. I'm (supposedly) locked in here for years. Ive got my certs, i've got my lab, but still no experience when I leave here.)

Now that was part rant, but I think we have to be able to tell newbies its okay to wait, the industry wont leave them behind. I just hope that's the case.

Seph makes a good point about scrambling to be in demand when you may have spent much of your time doing other things.  I think that is where community involvement could assist.  Its not always what you know, its who you know.  Eventually you can impress those people in a more laid back environment. 

Now the other part, sure security is big but it has always been there.  It is now gaining visibility due to the unfortunate reports of big companies falling prey to breaches, site defacements and all the other activity floating around out there.  We are in a reactive state right now.  We need to get out of that and move on to proactive measures.  Hopefully in 10 more years we will have a very security aware community from the CEOs down to the shop floor workers.   What we have to do as professionals is to help get there.  You don't necessarily need the technical skills to bust a network, seems like we have plenty of that.  We need defenders and we need spokesmen.  The highly technical message needs to reach the least technical people.  At that point, we need to shore up the defenses and get the last of the attackers out of the networks.  For that we need to ensure that the Sys Admins, network admins are all building systems and networks with security in mind.  Not everyone can be red team and the best way to learn to defend against the attacks is to know how to build your network from the ground up.

What I want to do between eCPPT and work related duties is spend a week on each part of my lab.  This week will be the Cisco pod.  Next will be a host on each side.  Then a server/workstation setup.  Harden each piece as it is built.  Doing what I do now, I am more an analyst and do not get to work directly with the hardware so I want to keep the skills fresh.

Sorry I may have swayed off topic.

Hey, I'm in the process of redoing my lab and relocating my web site internally. Would anyone be interested in a "blog" of what I'm doing?  I can post a new thread on these forums and show what I'm doing... I won't do it if nobody is interested.  LMK.

I think it would be a great idea Grendel!  For those who have never done it, there are limited resources out there to help them build their labs.  Many of the books that require use of a lab simply say "Download your prefered Virtualization software and run these live CDs"  none really go into much detail involving hardware pieces as well as virtual systems.