A Rant About Hacking Labs


One of the more frequent questions I see on EH-Net pertains to creating pentest labs. Individuals new to the topic of hacking often have a limited understanding of what type of equipment is required, or how to go about setting up a lab to practice all of the cool attacks they have watched on YouTube. Details on how to get started using a single system and virtual machines are numerous – including some I have done. However, I think there is one question not being asked enough when discussing hacking labs… “Why do you want a lab?”

Most people create a lab containing a single host system and a set of virtual images of various Operating Systems. Unknowingly, they have just restricted themselves to a very narrow slice of real-world hacking – system attacks. I’m not even sure I can classify these “system attacks” as internal (within the corporate network) or external (Internet-facing services), because the supporting systems typically found in corporate networks are missing. Absent are the routers, firewalls, IDS/IPSes, Windows networks, switches, etc. Without these, we don’t really have a good example of what someone might face during a real pentest, nor do we create an effective learning environment.


Asking the Right Question

“Why?” If we start with that simple question, we can better define exactly what we need to build. Even the answer “to learn” is insufficient to tell us how the lab should look. For example, if we start with the idea of external pentesting, we have to talk about firewall rules. If we jump into internal pentesting, we need to talk about ARP spoofing. Neither of these comes out of the box in a single host system running virtual images: there is no firewall to misconfigure, and even an ARP-spoofing attack between two guests only works once the hypervisor’s virtual switch has been configured to allow it.

So let’s approach this topic a little differently (but I should warn you first… I’m putting on my “professor’s cap” soon). Instead of answering questions such as “what do I need in order to create a pentest lab,” let’s help newcomers rephrase the question to “what do I need to create an (external|internal) pentest lab.” If we start with the concept of an external pentest, we need to put some sort of firewall into our configuration; whether it is software or hardware-based is immaterial at this point. Also, to add realism, we should create a DMZ subnet and place our target there, behind the firewall, so that the only services reachable from the attacker’s side are the ones the firewall rules allow. If we start with the concept of an internal pentest, we need to include subnets and Windows domains, switches and routers… and we need to configure them just like a real-world corporation would.

Sounds like a lot of work and cost? Well, it certainly can be, but doesn’t have to be. Ok, so let me put on my “professor’s cap” and espouse the virtues of setting up a proper lab by asking a few rhetorical questions:

• First Question – What if you could reconfigure the packet routing within the entire network (think “private community strings”)… would that be a “game over” in a pentest?
• Second Question – What if you could simply sniff usernames and passwords on the subnet, which gave you access to a financial system with no known exploitable vulnerabilities? Again, game over?
• Last Question – What’s more likely to be exploitable on an internal subnet, a system or ARP caches? Based on experience, it’s definitely ARP.

If we don’t include (at a minimum) these types of scenarios in our lab, we are missing out on the opportunity to learn how to exploit systems and grab sensitive data using trivial attacks. In addition, we are doing the heavy lifting first, by targeting the systems instead of the infrastructure that supports those systems. We also don’t practice or preach to newcomers the use of a solid methodology either, when we tell them to jump directly into system attacks. It almost feels like we are making newcomers learn the harder stuff first.
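The ARP question above is the one a lab can answer on day one, so here is an added example of the detection side (my code, not the article’s or Hacking Dojo’s): a small passive monitor in the spirit of arpwatch or a switch’s Dynamic ARP Inspection, run over a constructed trace in which an attacker poisons both a victim and the gateway. Every address in it is made up, the `trusted` table stands in for the DHCP-snooping binding table DAI would consult, and the trace is assumed to have already been reduced from a capture (for example `tcpdump -e arp`) to the fields shown.

```python
"""Passive ARP-poisoning monitor over a constructed trace.

Added example (not from the article or the Hacking Dojo lab). Observations
are assumed to have been captured already, e.g. with tcpdump -e arp, and
reduced to the fields below; the addresses are made up for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed lab addresses (assumed values, not from the article).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "bb:bb:bb:bb:bb:10"
ATTACKER_MAC = "cc:cc:cc:cc:cc:66"

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    ts: float
    opcode: int        # ARP_REQUEST or ARP_REPLY
    sender_ip: str     # what the sender claims its IP is...
    sender_mac: str    # ...and its hardware address
    target_ip: str


class ArpMonitor:
    """Flags the three symptoms of a cache-poisoning attack: a reply nobody
    asked for, an IP whose MAC changes, and one MAC claiming several IPs.
    `trusted` plays the role of DAI's binding table."""

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.learned = {}                      # ip -> last mac seen
        self.mac_ips = defaultdict(set)        # mac -> ips it has claimed
        self.pending = defaultdict(int)        # ip -> outstanding requests for it
        self.alerts = []                       # (ts, kind, detail)

    def _alert(self, pkt, kind, detail):
        self.alerts.append((pkt.ts, kind, detail))

    def observe(self, pkt):
        mac = pkt.sender_mac.lower()
        if pkt.opcode == ARP_REQUEST:
            self.pending[pkt.target_ip] += 1
        elif pkt.opcode == ARP_REPLY:
            if self.pending[pkt.sender_ip] > 0:
                self.pending[pkt.sender_ip] -= 1
            else:
                # Unsolicited replies are how most poisoning tools work.
                self._alert(pkt, "unsolicited_reply",
                            f"{pkt.sender_ip} is-at {mac} (no request seen)")
        # Requests carry a sender binding too, so check both opcodes.
        expected = self.trusted.get(pkt.sender_ip)
        if expected is not None and expected != mac:
            self._alert(pkt, "trusted_binding_violation",
                        f"{pkt.sender_ip} should be {expected}, saw {mac}")
        previous = self.learned.get(pkt.sender_ip)
        if previous is not None and previous != mac:
            self._alert(pkt, "binding_changed",
                        f"{pkt.sender_ip} moved {previous} -> {mac}")
        self.learned[pkt.sender_ip] = mac
        self.mac_ips[mac].add(pkt.sender_ip)
        if len(self.mac_ips[mac]) > 1:
            self._alert(pkt, "mac_claims_multiple_ips",
                        f"{mac} now claims {sorted(self.mac_ips[mac])}")
        return self.alerts


def run_sample():
    """Constructed trace: one normal resolution, then a two-sided poisoning."""
    trace = [
        Arp(0.00, ARP_REQUEST, VICTIM_IP, VICTIM_MAC, GATEWAY_IP),   # who-has gw?
        Arp(0.01, ARP_REPLY, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP),    # gw answers
        Arp(5.00, ARP_REPLY, GATEWAY_IP, ATTACKER_MAC, VICTIM_IP),   # "I am the gateway"
        Arp(5.01, ARP_REPLY, VICTIM_IP, ATTACKER_MAC, GATEWAY_IP),   # "I am the victim"
    ]
    mon = ArpMonitor(trusted={GATEWAY_IP: GATEWAY_MAC})
    for pkt in trace:
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for ts, kind, detail in run_sample():
        print(f"t={ts:5.2f} {kind:26} {detail}")
```

The two poisoned replies trip every check; the real exchange trips none. The “one MAC, many IPs” rule is a heuristic (a host with several addresses will trigger it), which is exactly why a switch doing DAI validates against a binding table rather than guessing.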

NOTE: I have to admit, however, I am just as guilty of pushing system-based attacks first on students. It’s easier to teach how to run Nmap than it is to set up an ARP-spoofing scenario. It’s quicker to demonstrate a password brute force attack than it is to walk through reconfiguring a router using an SNMP private community string. Perhaps it’s not the right thing to do, but it is certainly easier. Maybe we should approach things differently.

Answering the Right Question

So, how should we respond to the question, “What do I need to create an (external|internal) pentest lab?” Let’s start with the foundation – the network. In Figure 1, we have the HackingDojo.com remote pentest lab. If we look at it closely, we see that the network closely simulates a real-world layout, with a few deliberately unrealistic pieces. Realistically, we have a dedicated firewall (PIX), a couple of screening routers, internal networks, and a DMZ network. Unrealistically, we also have a VMware server outside of any firewall. Functionally, this provides the students with multiple scenarios from which to learn.

pic1.jpg
Figure 1 – HackingDojo.com Remote Lab

Additionally, this lab configuration gives students an opportunity to learn the details behind the different attack scenarios. Let me give an example.

In some classes at the Hacking Dojo, we talk about SNMP and private community strings, and how to use them to modify the exploitable router. This means that the students can (and should) modify the device however they desire (thankfully, we have configuration backups). In the higher level classes, students are given admin access to the routers, so they can see how to configure them. By understanding how to configure a network device, they can better understand how to exploit it. Thus they can better talk to their clients (when they move into a pentest job) on how to mitigate the vulnerabilities found on their network appliances.
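To make the “private community string” scenario from the questions above and this passage concrete, here is an added example (my code, not the article’s or Hacking Dojo’s) that hand-encodes an SNMPv1 GetRequest and SetRequest and then parses the datagram back the way a sniffer on the subnet would. SNMPv1 and v2c carry the community string in the clear, so the parser recovers it directly; that is the whole reason a private string is game over. The sysName.0 OID is the real SNMPv2-MIB one; the community strings and the value being set are assumed demo values, and nothing is sent on the wire.

```python
"""SNMPv1 request builder and community-string sniffer, in pure Python.

Added example, not from the article or the Hacking Dojo material. It
hand-encodes the BER so it runs offline; nothing here talks to a device.
The community strings and sysName value are assumed demo values.
"""

# Universal BER tags and the SNMP PDU tags (context-specific, constructed).
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET = 0xA0, 0xA1, 0xA2, 0xA3
SNMP_V1 = 0
SYS_NAME_0 = (1, 3, 6, 1, 2, 1, 1, 5, 0)      # SNMPv2-MIB::sysName.0


def ber_len(n):
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    """Minimal two's-complement INTEGER."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(TAG_INT, value.to_bytes(size, "big", signed=True))


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_v1(community, pdu_type, oid, value=None, request_id=1):
    """One-varbind SNMPv1 message. value=None gives a NULL (Get/GetNext);
    a str gives an OCTET STRING (Set)."""
    val = tlv(TAG_NULL, b"") if value is None else tlv(TAG_OCTETS, value.encode())
    varbind_list = tlv(TAG_SEQ, tlv(TAG_SEQ, ber_oid(oid) + val))
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0) + varbind_list)
    return tlv(TAG_SEQ, ber_int(SNMP_V1) + tlv(TAG_OCTETS, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0   # correct for the iso(1) tree
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return tuple(arcs)


def parse_v1(datagram):
    """What a sniffer on the subnet sees: version, community and OIDs,
    all in the clear. This is why a leaked private string is game over."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, version, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_type, pdu, _ = _read_tlv(msg, p)
    _, req_id, q = _read_tlv(pdu, 0)
    _, _, q = _read_tlv(pdu, q)          # error-status
    _, _, q = _read_tlv(pdu, q)          # error-index
    _, varbinds, _ = _read_tlv(pdu, q)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(),
        "pdu_type": pdu_type,
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "oids": oids,
    }


if __name__ == "__main__":
    get = build_v1("public", PDU_GET, SYS_NAME_0)
    sets = build_v1("private", PDU_SET, SYS_NAME_0, "owned-by-lab", request_id=42)
    for pkt in (get, sets):
        print(pkt.hex(), parse_v1(pkt))
```

Dump the hex next to a packet capture of a real `snmpget`/`snmpset` against your lab router (UDP port 161) and the bytes line up, community string and all. Writing sysName is the harmless way to prove a private string grants write access; what else the write view exposes depends on the device and is the part worth studying with a configuration backup in hand, as the passage says.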

So, should we push this type of configuration on those individuals new to pentesting? I would say “yes” for a couple reasons. First is what I mentioned before, there are a lot of trivial attacks that are not possible in a simple “host / VM” solution. Second is that it forces the student to make a serious effort into the realm of pentesting through a commitment of time, money, and training.

As many in the field can attest, pentesting is not a casual profession, and it isn’t something that can be learned in a weekend. Professional pentesters are constantly exposed to new systems, applications, and vulnerabilities; and to properly understand how to exploit them takes time and effort. We also spend our own money on books, software, and courses, so that we can improve our skills and add value to ourselves and our clients. Arguments against spending the time and money to learn how to conduct a proper pentest in a proper lab, should be met with concern by professional penetration testers, since it risks increasing the misconceptions of what pentesting really is, and how a pentest project should be conducted.

It’s NOT about the Money…

So, am I saying newcomers need to break the bank getting set up with a lab? Absolutely not. Figure 2 is a picture of the network devices I have in the Hacking Dojo lab. The total cost of these network devices was $600, all purchased second-hand. If there is a need to be more frugal, I could easily have spent half that amount and obtained (again, just the network devices) what is shown in Figure 1 in red, which would have been just as effective as a pentest lab. Besides eBay, there are numerous CCNA certification kits you can buy, such as the one at the following URL: http://www.certificationkits.com/ccna-certification-kits/. Throw in a low-end system or two, loaded with a virtual engine, and you can replicate what is seen in Figure 1. Again, if you want to keep it cheap, it’s amazing what can be accomplished with only a few hundred dollars. I’ve used eeePCs as host systems, and I frequently see PCs at Best Buy for two to three hundred dollars, especially on the “returns” table.

pic2.jpg
Figure 2 – Snapshot Taken During Deployment of Network Devices for the HackingDojo.com Lab

Is $600 for network devices and a couple of systems too expensive? It depends. If the newcomer has a casual interest in hacking, then it probably is. If the newcomer is serious about being a professional, who requires a broader and deeper understanding of vulnerability exploitation, $600 is just getting started. Just like most other activities, the equipment costs money. As a reality check, I spend more money on my daughter’s swimming lessons in a year than I did on the lab in Figure 1. In short, cost should not be an issue.

It’s NOT about the Time…

Once we get past the concept of cost, we are faced with the amount of time it takes to get everything set up in the lab. The network devices are not preconfigured, leaving us to configure them ourselves. Unless we have some sort of background in network administration, this alone could be a daunting task. However, as I mentioned earlier, how would you explain mitigation to a client if you don’t know how to configure the appliance in the first place?

Pentesting is not simply hacking and producing a report – we have to interact with clients. Oftentimes, the pentest engineer is the front-man when explaining how the attacks were conducted and what options exist to secure the client’s network. Without that ability to convey both the offensive and defensive side of security, you may leave your client’s security posture in a weak state. This means we need to set up an effective lab. I cannot count the number of times I heard a speaker at DefCon describe their attack by starting out with a description of what they did to set up their lab beforehand. Every organization I’ve been in had a lab as well. It’s simply a requirement, and setting one up, along with all the additional functionality (SNMP, Dynamic ARP Inspection (DAI), an LDAP server, a DNS server, etc.), is an enormous training opportunity, despite the time it takes to learn them.

Even though it doesn’t seem like hacking, learning how to deploy systems and devices is a necessary requirement. Just like it is necessary to know SQL database commands before you can conduct effective SQL injections on a web system, it is necessary to understand all the protocols and applications within the network to be effective pentesters even before a single attack. Otherwise we simply waste our time and the time of our clients.

It’s ALL About the Training

One of my sayings I constantly convey to my students is “pentesting is 90% learning and 10% doing.” This is a stark contrast to when I was a system administrator, when the percentages were reversed. Every day I come across something new, and, in order to learn how to conduct an effective attack, I often need to do research. In some cases, I need to set up a system with a specific type of software to see what happens when I launch an exploit. Other times, I need to read white papers to see the purpose behind an implementation in a hardware device, so I understand whether or not it will cause problems during my attack or ways to avoid the device altogether. And I still ask questions of others with more experience in a topic than I have. It’s all about learning new skills and becoming a more effective pentester. And to learn new skills, I need the right equipment and software… there just isn’t any way around it.

Conclusion

Hacking has become a profession, and as such we should treat it as one. When newcomers enter the field asking what they need with regards to a lab, we should be honest and explain the end-goal first, so they can better understand exactly what is required of them long-term. Starting with a single system loaded with a virtual engine is an option, but newcomers should be aware of the limitations of that configuration. As a community, we should be forthcoming of all that will be required in order to become a professional in this field and not be shy to say what the costs are.

We should also practice what we preach. There have been many threads on discussion boards talking about different attacks at an almost academic level, but few of them show details and specifics. If we are asked “how does one use a community string to attack a router,” we should be able to provide screenshots or snippets of exactly how it’s done via our own labs. Simply too many discussions are limited to system attacks, which are oftentimes the more difficult attack vectors during a pentest. We should also be sharing our configurations, especially those created on network devices. When I set up the Hacking Dojo lab, I simply could not find a single configuration example on how to do so, and had to create it from scratch.

Another milestone we need to reach as a community is creating “network hacking” scenarios with different configurations that can be dropped into devices. That will provide a challenge to those who are interested in learning new techniques which require network devices to be navigated or hacked. Similar to the De-ICE discs, we need to share network / system configurations whose hacking solutions are unknown and can be simply uploaded into a detailed, prescribed lab.

By treating hacking as a profession, practicing what we preach, and extending our knowledge to others, we can make serious advances in both our own skills as professional pentesters, and improve the skills of the community as a whole. When confronted with the question “what do I need to create a pentest lab,” we should give a complete answer, provide some direction, and offer challenges that are realistic – not simply give them a myopic view of pentesting by telling them to create a virtual lab on a single system. If we give a complete answer, we all come out ahead.


About the Author

Thomas Wilhelm has been involved in Information Security since 1990, where he served in the Army for eight years as a Signals Intelligence Analyst / Russian Linguist / Cryptanalyst, and is a Doctoral student who holds Masters Degrees in both Computer Science and Management. Thomas founded the HackingDojo.com hacker training program, and has written numerous articles and books; the latest being “Ninja Hacking” published by Syngress. A new publication is in the works that will include downloadable network device configurations that can be used to practice network hacking techniques, similar to those mentioned in this article.

This topic contains 30 replies, has 16 voices, and was last updated by  Michael J. Conway 9 months, 4 weeks ago.

  • #7336
     Don Donzal 
    Keymaster

    Tom is back with us for some thoughts and suggestions on hacking labs, education and career pen testing. Let us know what you think, if you agree and especially if you don’t.

    Be sure to join in by sharing your lab experiences and setups.

    Permanent link: [Article]-A Rant About Hacking Labs

    By Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA


    Don

  • #45835
     MaXe 
    Participant

    Great article  ;D Even though, I know that it’s not everyone who can afford a lab of $600, and in some cases perhaps not even $300 if their budget doesn’t allow it. Some newbies that want to learn infosec might be young, and I think it’s more attractive to play with system attacks that are free, compared to buying real hardware equipment.

    Of course, with young people getting iphones and other expensive gear, perhaps they should put cisco routers and switches on their wishlist instead  ;D

    I do agree that many, including me, don’t get that much exposure to network attacks, even though I have tested ARP spoofing, ISR evilgrade (it’s a tool), and setting up a rogue DHCP server on quite a few occasions where there were multiple computers on a network, and even used the default password on a real hardware switch once to get info about another network, but that was because I was lucky to have the opportunity to play with these things in real life, as not every newbie is.

    Hacking a switch, with community strings, and perhaps tftp is quite fun, and I’m glad I have the opportunity to play with these things at the hacking dojo too.  🙂

  • #45836
     impelse 
    Participant

    This is a great article.

  • #45837
     Anonymous 
    Participant

    Good read. I am in the process of updating my lab, as it was all live CDs before. I want to add some more hardware and try to get a lab that is as similar to a corporate network as possible without breaking the bank.

    So far I have:
    Cisco 2610 Ethernet/Serial Router, 32MB DRAM / 8MB flash, IOS 12.3
    Cisco 2610 Ethernet/Serial Router, 32MB DRAM / 8MB flash, IOS 12.3
    Cisco 2501 Router with 2 serial port interfaces + Ethernet AUI port
    Cisco WS-C2912-XL-EN Switch, upgraded to the latest Cisco IOS
    2 x WIC-1T for the 2600 routers (100% genuine Cisco)

    But I am not sure where to start, as I have never really had any hands-on experience with setting up a corporate network, so I hope it will be a steep learning curve. I hope I can mix the hardware with VM images of XP and some servers etc.

    If anyone can recommend any good books or offer any advice on where to start, I would love some help 🙂

  • #45838
     TheXero 
    Participant

    I might purchase some used Cisco equipment off ebay soon 🙂

    My lab currently is mostly System based with 1 router (running DD-WRT) connecting the lab to my normal network.

  • #45839
     alucian 
    Participant

    Very interesting, thank you!

    Me too, I will soon add some network equipment to my lab. And, I am interested in learning this type of hacking.

  • #45840
     hayabusa 
    Participant

    As Tom said in the article, network equipment can be nice and affordable, on eBay or other places.  In fact, I picked up 2 – Cisco 2501 routers, a Cisco 24 port catalyst switch and an HP DL380G3 with 12 GB of RAM, ALL for under $650, a couple of years ago, from eBay.

    Just gotta watch and find the deals.

  • #45841
     SephStorm 
    Participant

    Quite true. I have lab equipment I have bought over the years, Cisco routers and switches, and even an ASA. The problem is not having the knowledge or experience to properly build this network, or to integrate it into your existing real network (it would be nice, but I can’t put 2 network connections in my room. And I quickly realized I need the internet to download software, update my host machine, view tutorials, etc., and while there are short term solutions, like using a USB stick, it’s not a very good idea to mix media between trusted and untrusted computers once you introduce new tools, or malware, into the mix…) And a big issue for me has been the physical setup. Network hardware is not designed to connect to home internet connections.

    So I think that we need to have some training on network connections, etc.

  • #45842
     pharmerjoe 
    Participant

    Could be a good business idea for someone to set up large hacking labs and offer it as a service to people, for x amount of dollars per month. I realise OffSec have this, but its only available when you buy their course.

  • #45843
     dynamik 
    Participant

    @pharmerjoe wrote:

    Could be a good business idea for someone to set up large hacking labs and offer it as a service to people, for x amount of dollars per month. I realise OffSec have this, but its only available when you buy their course.

    Tom does this with Hacking Dojo. eLearn has their Coliseum labs, and The Hacker Academy may have something as well.

    I think the article is well-written, and I agree with most of the points made, but I’m not sure why virtualization is so heavily discouraged. On a single ESXi box (QX9550/16GB RAM/6x160GB HDs), I have two AD sites (SQL Server, Exchange, DCs, client systems, etc.), a DMZ, IDS (Snort), and a few other random/non-MS systems. Check out Vyatta or XORP if you have an interest in more advanced routing, and PF and/or iptables can do your firewalling.

    I think it’s very close to a real-world configuration, and you only really lose out on anything that is vendor-specific. It’s obviously good to get your hands on some Cisco gear and other prevalent hardware that you’ll come across in real-world situations, but I think you can construct a very accurate real-world lab in a virtual environment. Also, ARP poisoning attacks do work in a virtual environment (I just verified this in Workstation 7, but I’m pretty sure I’ve done this in ESX/ESXi as well — virtual switches have to be configured to allow these types of activities though).

    I think the best route is a blend of virtual and physical equipment. I actually have several NICs in that ESXi box that connect to a 3550 and ASA5505, which does indeed allow more opportunities for fun. I just like to contain things as much as possible because of power, space, and aesthetics.

  • #45844
     hayabusa 
    Participant

    @dynamik- you’re correct in that ARP attacks generally work fine in ESX/ESXi.  I test them there, all the time.  But I agree with you, that MOST (not all, but most) can be simulated, reasonably, with VM’s, if you have the proper time and can set things up accordingly.

    I run a couple of different IDS / IPS configurations in VM’s, and I’ve looked at Vyatta in the past, but not XORP (so thanks for something else to add to my list of things to research and play with, after I finish CTP / OSCE…) ;D

  • #45845
     dynamik 
    Participant

    @hayabusa wrote:

    I run a couple of different IDS / IPS configurations in VM’s, and I’ve looked at Vyatta in the past, but not XORP (so thanks for something else to add to my list of things to research and play with, after I finish CTP / OSCE…) ;D

    Full Disclosure: I only learned about XORP when I made that post :-[ I was trying to figure out why it appears that you can only get a 30-day trial of Vyatta now (they used to have a free virtual appliance). I guess they used XORP up to v3, but then they went to something proprietary starting in v4.

    The more you know ===★

  • #45846
     hayabusa 
    Participant

    Understood.  Still… thanks!

  • #45847
     Triban 
    Participant

    So I think Dynamik is volunteering to setup a VPN to his lab for all of us to use 😀

    As for the article, I certainly agree that you cannot adequately simulate a full pen test by just having your two VMs running a victim OS and an Attacker OS.  But for those new to the field it is enough to give them a taste. 

    I think we do a good job though letting folks know there is more to a pen test than simply popping the single victim system.  eLearning and OSCP cover the ins and outs of the pen test from the recon, enumeration and finally to the report.  The report I think is probably the most valuable piece to learn.  Like Tom had mentioned, you need to be able to explain to the client about the findings and that is where the report comes in. 

    With regards to the experience portion, I think we here at EH-Net do a decent job at letting the newbies know that Ethical Hacking and Pen Testing are not entry level areas.  Many of us have backgrounds in System/Network Administration and/or programming.  It is important to be able to explain “here is why your box got popped, here is why we were able to get that data.  This is how you fix it…”  And being able to explain in non-robot speak is key.  If you can show the dollars flying out the cable modem that is even better.

    Overall the article is great and I think we can all agree that the simple victim/attacker setup is really not enough.  But I think for a little taste to see if it’s something you want to do, it will suffice.  Then like all hobbies that become careers, you can invest more into it.  Throw in more layers to better challenge yourself.  This made me want to fire up the Cisco kit I have (two 2600 routers and a 1850 Catalyst), configure it and use it!  Too bad they are loud, guess I need to build a case 😀

  • #45848
     hayabusa 
    Participant

    3xban – good post, and I agree on all fronts. 

    Tom’s logic is well-grounded, and his reasoning is completely valid.  As you noted, the issue really lies in what you plan to do with it.  If it’ll be your career, then the hardware, eventually, WILL become a necessary purchase.  Sooner or later, you’ll need knowledge specific to a certain router or configuration, and it just comes in handy to have at least a low-end model available, if not something more robust.  Thankfully, my past employers (and current) have had equipment I can move up to, if there’s something I don’t have, but need to validate on.

    And I agree on the noise, from the Cisco gear.  For any of you who live in a house (as I do) where you can’t adequately control sound levels, and where much of your training or testing time and effort come when wife and kids are sleeping, that’s when the software routers come in handy.  (Thus my having BOTH physical and virtual / software routers.)

    In my case, I’m working on relocating, soon, to a house (new city, hopefully, about 1200 miles south) with more space, and a home office that WILL accommodate my running what I want, when I want.  Thankfully, my current job allows me to work from my home, so I have flexibility on where I want to be, although the planned move would put me within close proximity to the company’s headquarters.  😉

  • #45849
     dynamik 
    Participant

    I think the deeper issue is simply that many people don’t know how to set up an enterprise network to begin with. It’s the same old story of people rushing into the exciting material before developing a foundation. Most people with this experience would naturally create a lab similar to what Tom diagrammed and not be content with BackTrack vs. Vulnerable Distro. I think this article underscores the fact that if you don’t have the knowledge to set something like that up yourself, you’re not going to do well in an actual pen test that will likely be of a much larger scale.

    Also, if your routers/switches aren’t in a confined area, you can (probably ;)) disconnect the fans without causing any harm. They’re designed to withstand being packed tightly into racks, so a couple out in the open (probably ;)) won’t explode.

  • #45850
     hayabusa 
    Participant

    @dynamik wrote:

    Also, if your routers/switches aren’t in a confined area, you can (probably ;)) disconnect the fans without causing any harm. They’re designed to withstand being packed tightly into racks, so a couple out in the open (probably ;)) won’t explode.

    True, and likely the best option.  Except that off eBay (going along with your probably,) they’re used, so you don’t know how close to failure they may already be.  I’m more than happy, personally, to keep using BOTH, until I have a sound-proofed office to run them in, off-hours.

    Funny story, to the eBay point, though…  Amazing what NON-configuration-cleared items you can buy from eBay.  I ended up calling an oil company (previous owners who’d gotten rid of them, during a replacement cycle,) after I bought the routers, as they still had SNMP and other wide open configs on them.  Could’ve heard the guy’s head shaking, on the other end of the phone, when I called him, to tell him they should be more careful.  (Turns out, they hadn’t, yet, changed their passwords and configs for the systems, so all of it would’ve been very valuable to the “UN-ethical” hacker community…)

  • #45851
     Triban 
    Participant

    Interesting note about the fans.  Maybe I’ll try that or build a cabinet with sound proofing/muffling. 

    I agree with you Dynamik, how could you hope to breach something that you have never built?  I suppose guesswork and luck and lots of googling, but a solid foundation is key.  I think in a majority of the posts we receive, we do make it a point to tell the soon-to-graduate folks that this field is not entry level and to start at the bottom to get the most experience possible.  Most of what I know came from the last 10 or so years.  Out of college I managed/maintained IT for an 11-site school district.  Got to build networks from the ground up, build system images and of course build and deploy servers, migrate Exchange servers and configure Citrix boxes.  Put out some switches and configured firewalls.  Since it’s a school district, it was lower on funding so much of the work was done by us.  Then took that experience into the consulting world and helped numerous clients build, upgrade and maintain their systems.  Now is the time that I am putting all that knowledge to analyzing and responding to security threats for a large global enterprise.  What have I learned?  Same problems, just bigger and you have more funding 😀 

    Not understanding the foundational material could really hinder my analysis.  Like if I didn’t know the purpose of proxy servers or gateways, I wouldn’t think anything of a system going directly to the firewall on port 80 and attempting to bypass the proxy.  If I didn’t understand the OSI model and TCP traffic, port numbers would mean nothing to me.  Granted I am on the defending side of things, but if you know how to build it, you know how to break it.  If you know how to defend it, you will know how to penetrate it.

  • #45852
     Anonymous 
    Participant

    I agree with everything that’s been said so far. My lab has lots of VMs of live CDs in it. But I am hoping to build a new lab that contains hardware and software, as I’ve never really done this and think it could really help me with pen testing, so if anyone can recommend good stuff to read or where to start, it would be appreciated.

  • #45853
     Grendel 
    Participant

    @dynamik wrote:

    I think the article is well-written, and I agree with most of the points made, but I’m not sure why virtualization is so heavily discouraged.

    I’m a big fan of virtualization, and it is definitely used extensively in corporate environments. However, virtualized systems are usually limited to servers, and only make up a small portion of the systems found in the network. To make it more realistic, hacking labs should have both workstations and servers.

    Doing a little brainstorming, it would be a good idea for someone to develop scripts and/or De-ICE discs that would make workstations talk with the servers, similar to what admins currently do in the real world.

  • #45854
     hayabusa 
    Participant

    @grendel wrote:

    Doing a little brainstorming, it would be a good idea for someone to develop scripts and/or De-ICE discs that would make workstations talk with the servers, similar to what admins currently do in the real world.

    Definitely.  Similar to some of the target exercises (except even more so), like the targets in some of the PWB labs.

  • #45855
     dynamik 
    Participant

    @grendel wrote:

    I’m a big fan of virtualization, and it is definitely used extensively in corporate environments. However, virtualized systems are usually limited to servers, and only make up a small portion of the systems found in the network. To make it more realistic, hacking labs should have both workstations and servers.

    Doing a little brainstorming, it would be a good idea for someone to develop scripts and/or De-ICE discs that would make workstations talk with the servers, similar to what admins currently do in the real world.

    I personally include workstations in my virtual lab, but I completely agree with the point you’re making. It’s absolutely essential to test client-side exploits, social engineering attacks (i.e. SET), etc. in order to simulate a real-world pen test. I think people are more limited by their imagination than by physical/virtual though.

    Hopefully I didn’t come off as too critical; I definitely feel the article contains important advice for those starting to build (or improving) their personal labs.

  • #45856
     SephStorm 
    Participant

    Definitely hear where you guys are coming from on this. I can tell you what goes through my mind when I’ve been told I need more experience in different areas:

    1. I don’t have that kind of time! I’m 20 (something) years old! I’m already behind the guys who started hacking 486s!
    2. Read the news! The cyber war is going to start tomorrow! If I don’t start now, it’ll be over by the time I have been a sysadmin for 10 years! (Joking aside, this and the next one are probably the biggest.)
    3. Security is a hot topic right now; it’s a big industry. In 10 years, who knows where we will be? Maybe organizations will be significantly more secure and they won’t need my skills. (Or the field will be oversaturated!)
    4. Great, I spent all this time and money learning all these skills, and I have to wait 10 years before I can use it. Already many things are being secured or changed; my knowledge will be useless by the time I can use it.
    (Very big for me right now. I barely do sysadmin duties at my current job, and while my previous employer had me working with IA doing security-related duties, not here. I’m (supposedly) locked in here for years. I’ve got my certs, I’ve got my lab, but still no experience when I leave here.)

    Now that was part rant, but I think we have to be able to tell newbies it’s okay to wait; the industry won’t leave them behind. I just hope that’s the case.

  • #45857
     kerpap 
    Participant

    There are a lot of great attacks that target layer 2. This can be challenging to set up as a lab, as you would need several switches and need to know how to configure them. I have found a lot of networks don’t protect against these attacks, and this creates a huge vulnerability, as it is very easy from the inside to attach a switch to the network and configure it so that all traffic on the network gets forwarded to your attack PC; thus you are able to sniff all the traffic and can enumerate great info on the network.

    It is very hard to detect these attacks. Some IPS sensors can detect these anomalies, but most of the time you can get away with it.

    Great stuff to know as a pen tester, IMO.
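
As an added example (not part of kerpap’s post or of anything else in this thread), here is a small Python sketch of the baseline check an IPS sensor or a switch-monitoring job would run to catch the two symptoms of the layer-2 tricks described above: an IP address that suddenly answers from a different MAC, and a MAC that “flaps” between switch ports shortly after it was last seen. Every IP, MAC and port name below is constructed for the example, and the Cisco-style port names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    """One (IP, MAC, switch port) sighting; all values are constructed."""
    ts: int     # seconds since the start of the capture
    ip: str
    mac: str
    port: str   # port on which the switch learned the MAC (hypothetical names)


class L2Monitor:
    """Baseline IP->MAC and MAC->port bindings and flag suspicious changes."""

    def __init__(self, flap_window: int = 60) -> None:
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_port: Dict[str, Tuple[str, int]] = {}  # mac -> (port, last_ts)
        self.flap_window = flap_window
        self.alerts: List[str] = []

    def observe(self, obs: Observation) -> None:
        # Check 1: an IP we have already seen now answers from another MAC.
        # A classic symptom of ARP cache poisoning (or a genuine re-addressing,
        # which is why this is an alert to triage, not a verdict).
        known = self.ip_to_mac.get(obs.ip)
        if known is None:
            self.ip_to_mac[obs.ip] = obs.mac
        elif known != obs.mac:
            self.alerts.append(f"{obs.ts} ARP-CHANGE {obs.ip} {known} -> {obs.mac}")
            self.ip_to_mac[obs.ip] = obs.mac

        # Check 2: the same MAC learned on a different port shortly after the
        # last sighting (MAC flapping), a symptom of traffic being pulled toward
        # another link. A slow move (a laptop re-plugged minutes later) is ignored.
        prev = self.mac_to_port.get(obs.mac)
        if prev is not None:
            prev_port, prev_ts = prev
            if prev_port != obs.port and obs.ts - prev_ts <= self.flap_window:
                self.alerts.append(f"{obs.ts} MAC-FLAP {obs.mac} {prev_port} -> {obs.port}")
        self.mac_to_port[obs.mac] = (obs.port, obs.ts)


# Constructed sample: a gateway and two workstations on one access switch.
SAMPLE = [
    Observation(0,   "10.0.0.1",  "aa:bb:cc:00:00:01", "Gi1/0/1"),  # gateway
    Observation(5,   "10.0.0.20", "aa:bb:cc:00:00:20", "Gi1/0/5"),  # workstation
    Observation(10,  "10.0.0.1",  "aa:bb:cc:00:00:01", "Gi1/0/1"),  # normal repeat
    Observation(20,  "10.0.0.1",  "aa:bb:cc:00:00:99", "Gi1/0/7"),  # gateway IP from a new MAC
    Observation(25,  "10.0.0.20", "aa:bb:cc:00:00:20", "Gi1/0/7"),  # workstation MAC jumps ports
    Observation(400, "10.0.0.30", "aa:bb:cc:00:00:30", "Gi1/0/3"),  # another workstation
    Observation(500, "10.0.0.30", "aa:bb:cc:00:00:30", "Gi1/0/4"),  # moved minutes later: fine
]


def run_sample(observations=SAMPLE, flap_window: int = 60) -> List[str]:
    """Feed the observations through the monitor and return the alerts raised."""
    mon = L2Monitor(flap_window=flap_window)
    for obs in observations:
        mon.observe(obs)
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run as-is, it raises exactly two alerts: the ARP-CHANGE for 10.0.0.1 at t=20 and the MAC-FLAP for the workstation at t=25; the slow port move at t=500 stays quiet because it falls outside the 60-second window. In a real deployment the observations would come from the switch’s MAC address table or from an ARP feed rather than from a constructed list, and the window should be tuned to how often legitimate devices move on that network.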

  • #45858
     Triban 
    Participant

    Seph makes a good point about scrambling to be in demand when you may have spent much of your time doing other things.  I think that is where community involvement could assist.  It’s not always what you know, it’s who you know.  Eventually you can impress those people in a more laid-back environment.

    Now the other part: sure, security is big, but it has always been there.  It is now gaining visibility due to the unfortunate reports of big companies falling prey to breaches, site defacements and all the other activity floating around out there.  We are in a reactive state right now.  We need to get out of that and move on to proactive measures.  Hopefully in 10 more years we will have a very security-aware community from the CEOs down to the shop floor workers.  What we have to do as professionals is to help get there.  You don’t necessarily need the technical skills to bust a network; seems like we have plenty of that.  We need defenders and we need spokesmen.  The highly technical message needs to reach the least technical people.  At that point, we need to shore up the defenses and get the last of the attackers out of the networks.  For that we need to ensure that the sysadmins and network admins are all building systems and networks with security in mind.  Not everyone can be red team, and the best way to learn to defend against the attacks is to know how to build your network from the ground up.

    What I want to do between eCPPT and work related duties is spend a week on each part of my lab.  This week will be the Cisco pod.  Next will be a host on each side.  Then a server/workstation setup.  Harden each piece as it is built.  Doing what I do now, I am more an analyst and do not get to work directly with the hardware so I want to keep the skills fresh.

    Sorry I may have swayed off topic.

  • #45859
     24772433 
    Participant

    There are some very interesting comments from a thought provoking article.

    The increase of virtualisation in corporate networks and the growth of cloud based services provide challenges to the security community to adapt to these changes. Server virtualisation is now commonplace and so too will be desktop virtualisation, along with switch virtualisation (Cisco Nexus 1000).

    In response to what seems to be the general question of the value of a virtual only lab versus physical hardware; I was wondering if anyone had any experience of GNS3 which is a graphical network simulator that can simulate networks of switches and routers; of all flavours, such as Cisco and Juniper. My experience has been very positive and I have found it reasonably easy to integrate with my VMWare lab.
    http://www.gns3.net/

    Another option I have found that works well, if you’re looking to practice against a Check Point firewall, is to install their SPLAT OS as two virtual guests and configure a policy server and firewall – which Check Point will allow for 15 days unlicensed.

    Steve.

  • #45860
     Grendel 
    Participant

    Hey, I’m in the process of redoing my lab and relocating my web site internally. Would anyone be interested in a “blog” of what I’m doing?  I can post a new thread on these forums and show what I’m doing… I won’t do it if nobody is interested.  LMK.

  • #45861
     hayabusa 
    Participant

    I think it might be a welcome addition, Grendel.

    For a lot of the newer folks (and even some of the seasoned ones, as a refresher), it might be nice to see what type of effort someone puts in, in order to better their labs, etc.  I know, in another post, Jamie.R was feeling frustrated with various things, such as having to go back a notch, job-wise, and motivate himself again.  I think it would be good for others to see that, sometimes, even building a new lab, or adding to an existing one, is a good way to learn and grow, especially if you point out benefits and learning experiences along the way.

    Additionally, it’s always nice to know what you’ve got going on, so when time and money permit, down the road, I know what I’m spending on, when I take your courses.  😉

  • #45862
     Triban 
    Participant

    I think it would be a great idea, Grendel!  For those who have never done it, there are limited resources out there to help them build their labs.  Many of the books that require use of a lab simply say “Download your preferred virtualization software and run these live CDs”; none really go into much detail involving hardware pieces as well as virtual systems.

  • #45863
     charliemong 
    Participant

    For newbies like me that work in a support function, it may well be worth asking the management for any spare kit lying around. I currently have a few Cisco 2501 routers knocking about and a couple of 48-port Cisco switches that were no longer required, going begging so to speak. My server-side labs are on laptops mainly, with 3 HP MicroServers (bought these myself).

    Hayabusa gave me some good advice many moons ago: learn about the infrastructure first and the testing stuff second. So now, having spent the last 3 years learning MS, *nix, and Cisco and HP networking, I am now going to start on the testing learning. So far I am just doing a Udemy course as a pre-course to a CSTM course I am booked on in April. It’s recognised by CESG and CREST, so it should be a good foothold into the learning process.

  • #169321
     Michael J. Conway 
    Participant

    Hey Don,

    I know it’s been a while since anyone said anything here, so I figured I’d give my 2 cents since I am in the process of building a lab.
    1. The link to the original article is broken, so I can’t really comment on that.
    2. I love virtual machines for all the ways you can muck them up and then reset them.
    3. Is a virtual lab ideal? No, but it beats the more costly alternative. I would love to be able to afford a router, a real (not a SOHO one) switch, a dedicated firewall, and the other network support equipment found in the “wild”. Heck, I would love to have a bunch of bare metal sitting around waiting for a use.
    4. Virtual is a cost-effective way to play, though.

    So how do we build a virtual lab that is more than just for system attacks:

    * Find vulnerable applications
    * Find or write your own web apps (good practice for the coders out there)
    * Use clones to create different instances of a VM
    * Do system hardening (DISA STIG or other secure configuration guidance)
    * Do your own thing – What are you seeing in your organization or in the news that you want to try?

    May not be the best virtual lab and you can’t really do attacks against the hypervisor unless you are feeling really daring and nest hypervisors but you should be able to do more than just system attacks.


Copyright ©2019 Caendra, Inc.
