[Article]-A Rant About Hacking Labs

This topic contains 30 replies, has 16 voices, and was last updated by  Michael J. Conway 12 months ago.

  • #7336
     Don Donzal 
    Keymaster

    Tom is back with us for some thoughts and suggestions on hacking labs, education and career pen testing. Let us know what you think, if you agree and especially if you don’t.

    Be sure to join in by sharing your lab experiences and setups.

    Permanent link: [Article]-A Rant About Hacking Labs

    By Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA

    One of the more frequent questions I see on EH-Net pertains to creating pentest labs. Individuals new to the topic of hacking often have a limited understanding of what type of equipment is required, or how to go about setting up a lab to practice all of the cool attacks they have watched on YouTube. Details on how to get started using a single system and virtual machines are numerous – including some I have done. However, I think there is one question not being asked enough when discussing hacking labs… “Why do you want a lab?”

    Most people create a lab containing a single host system and include virtual images of various Operating Systems. Unknowingly they have just restricted themselves to a very finite portion of real-world hacking – system attacks. I’m not even sure I can classify these “system attacks” as internal (within the corporate network) or external (Internet-facing services), due to a lack of support systems typically found in corporate networks. Absent are the routers, firewalls, IDS/IPSes, Windows networks, switches, etc. Without these, we don’t really have a good example of what someone might face during a real pentest, nor do we create an effective learning environment.

    Don

    • This topic was modified 12 months ago by  Don Donzal. Reason: Updated link
  • #45835
     MaXe 
    Participant

    Great article ;D Even though I know that not everyone can afford a $600 lab, and in some cases perhaps not even $300 if their budget doesn’t allow it. Some newbies who want to learn infosec might be young, and I think it’s more attractive to play with system attacks that are free, compared to buying real hardware equipment.

    Of course, with young people getting iPhones and other expensive gear, perhaps they should put Cisco routers and switches on their wishlist instead ;D

    I do agree that many, including me, don’t get that much exposure to network attacks, even though I have tested ARP spoofing, ISR evilgrade (it’s a tool), and setting up a rogue DHCP server on quite a few occasions where there were multiple computers on a network. I even used the default password on a real hardware switch once to get info about another network, but that was because I was lucky enough to have the opportunity to play with these things in real life, as not every newbie is.

    Hacking a switch with community strings, and perhaps TFTP, is quite fun, and I’m glad I have the opportunity to play with these things at the Hacking Dojo too. 🙂

  • #45836
     impelse 
    Participant

    This is a great article.

  • #45837
     Anonymous 
    Participant

    Good read. I am in the process of updating my lab, as it was just all live CDs before. I want to add some more hardware and try to get a lab that is as similar to a corporate network as possible without breaking the bank.

    So far I have:
    Cisco 2610 Ethernet/Serial Router, 32 MB DRAM / 8 MB flash, IOS 12.3
    Cisco 2610 Ethernet/Serial Router, 32 MB DRAM / 8 MB flash, IOS 12.3
    Cisco 2501 Router with 2 serial port interfaces + Ethernet AUI port
    Cisco WS-C2912-XL-EN Switch, upgraded to the latest Cisco IOS
    2 x WIC-1T for the 2600 routers (100% genuine Cisco)

    But I am not sure where to start; I have never really had any hands-on experience with setting up corporate networks, so I expect it to be a steep learning curve. I hope I can mix the hardware with VM images of XP and some servers etc.

    If anyone can recommend any good books, or give any advice on where to start, I would love some help 🙂

  • #45838
     TheXero 
    Participant

    I might purchase some used Cisco equipment off ebay soon 🙂

    My lab currently is mostly System based with 1 router (running DD-WRT) connecting the lab to my normal network.

  • #45839
     alucian 
    Participant

    Very interesting, thank you!

    Me too, I will soon add some network equipment to my lab. And I am interested in learning this type of hacking.

  • #45840
     hayabusa 
    Participant

    As Tom said in the article, network equipment can be nice and affordable, on eBay or other places. In fact, I picked up 2 Cisco 2501 routers, a Cisco 24-port Catalyst switch and an HP DL380 G3 with 12 GB of RAM, ALL for under $650, a couple of years ago, from eBay.

    Just gotta watch and find the deals.

  • #45841
     SephStorm 
    Participant

    Quite true. I have lab equipment I have bought over the years, Cisco routers and switches, and even an ASA. The problem is not having the knowledge or experience to properly build this network, or to integrate it into your existing real network. (It would be nice, but I can’t put 2 network connections in my room. And I quickly realized I need the internet to download software, update my host machine, view tutorials, etc., and while there are short-term solutions, like using a USB stick, it is not a very good idea to mix media between trusted and untrusted computers once you introduce new tools, or malware, into the mix…) And a big issue for me has been the physical setup. Network hardware is not designed to connect to home internet connections.

    So I think that we need to have some training on network connections, etc.

  • #45842
     pharmerjoe 
    Participant

    Could be a good business idea for someone to set up large hacking labs and offer it as a service to people, for x amount of dollars per month. I realise OffSec have this, but it’s only available when you buy their course.

  • #45843
     dynamik 
    Participant

    @pharmerjoe wrote:

    Could be a good business idea for someone to set up large hacking labs and offer it as a service to people, for x amount of dollars per month. I realise OffSec have this, but it’s only available when you buy their course.

    Tom does this with Hacking Dojo. eLearn has their Coliseum labs, and The Hacker Academy may have something as well.

    I think the article is well-written, and I agree with most of the points made, but I’m not sure why virtualization is so heavily discouraged. On a single ESXi box (QX9550/16GB RAM/6x160GB HDs), I have two AD sites (SQL Server, Exchange, DCs, client systems, etc.), a DMZ, IDS (Snort), and a few other random/non-MS systems. Check out Vyatta or XORP if you have an interest in more advanced routing, and PF and/or iptables can do your firewalling.

    I think it’s very close to a real-world configuration, and you only really lose out on anything that is vendor-specific. It’s obviously good to get your hands on some Cisco gear and other prevalent hardware that you’ll come across in real-world situations, but I think you can construct a very accurate real-world lab in a virtual environment. Also, ARP poisoning attacks do work in a virtual environment (I just verified this in Workstation 7, but I’m pretty sure I’ve done this in ESX/ESXi as well — virtual switches have to be configured to allow these types of activities though).

    I think the best route is a blend of virtual and physical equipment. I actually have several NICs in that ESXi box that connect to a 3550 and ASA5505, which does indeed allow more opportunities for fun. I just like to contain things as much as possible because of power, space, and aesthetics.
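    The LAN / DMZ / WAN layout dynamik describes is, at its core, a first-match firewall policy with a default deny. The following is an added example (not code from the thread or from any of the posters) that models such a policy in Python so the rule order can be reasoned about before anything is typed into iptables or PF. The addresses, rule names and probe ports are constructed for the example; the `dmz_cannot_reach_lan` self-check is a hypothetical helper, not a standard tool.

```python
"""First-match firewall policy for a lab with LAN, DMZ and WAN segments.

Added example (not from the thread). Addresses and rules are constructed
to model the "LAN sites + DMZ" layout described in the post; they are not
anyone's real configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR the packet's source must fall in
    dst: str            # CIDR the destination must fall in
    proto: str          # "tcp", "udp" or "any"
    dports: tuple       # allowed destination ports; () means any
    action: str         # "allow" or "deny"

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


LAN = "10.10.0.0/24"
DMZ = "10.20.0.0/24"
ANY = "0.0.0.0/0"

# Order matters: the DMZ-isolation deny sits before the broad egress allows,
# otherwise "dmz-egress" (dst ANY) would let DMZ hosts reach the LAN.
LAB_POLICY = [
    Rule("any-to-dmz-web", ANY, DMZ, "tcp", (80, 443), "allow"),
    Rule("lan-admin-dmz",  LAN, DMZ, "tcp", (22,),     "allow"),
    Rule("dmz-isolation",  DMZ, LAN, "any", (),        "deny"),
    Rule("lan-egress",     LAN, ANY, "any", (),        "allow"),
    Rule("dmz-egress",     DMZ, ANY, "tcp", (80, 443), "allow"),
]


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """Return (action, rule_name); unmatched traffic hits the default deny."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def dmz_cannot_reach_lan(policy, probe_ports=(22, 53, 80, 135, 139, 445, 3389)):
    """Policy self-check: no DMZ host may initiate to any LAN host.

    Probes representative ports over tcp and udp rather than inspecting rule
    CIDRs, so a deny that precedes a broad allow is judged correctly.
    """
    for proto in ("tcp", "udp"):
        for port in probe_ports:
            action, _ = evaluate(policy, "10.20.0.99", "10.10.0.5", proto, port)
            if action != "deny":
                return False
    return True


if __name__ == "__main__":
    for flow in [("10.10.0.5", "10.20.0.10", "tcp", 443),
                 ("10.20.0.10", "10.10.0.5", "tcp", 445),
                 ("10.20.0.10", "203.0.113.9", "udp", 53),
                 ("198.51.100.7", "10.20.0.10", "tcp", 22)]:
        print(flow, "->", evaluate(LAB_POLICY, *flow))
    print("DMZ isolated from LAN:", dmz_cannot_reach_lan(LAB_POLICY))
```

Removing or moving the `dmz-isolation` rule makes the self-check fail, because `dmz-egress` matches the LAN as part of `0.0.0.0/0`; that is exactly the ordering mistake the model is meant to catch before the real firewall is configured.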

  • #45844
     hayabusa 
    Participant

    @dynamik – you’re correct in that ARP attacks generally work fine in ESX/ESXi. I test them there all the time. But I agree with you that MOST (not all, but most) can be simulated reasonably with VMs, if you have the proper time and can set things up accordingly.

    I run a couple of different IDS / IPS configurations in VMs, and I’ve looked at Vyatta in the past, but not XORP (so thanks for something else to add to my list of things to research and play with, after I finish CTP / OSCE…) ;D

  • #45845
     dynamik 
    Participant

    @hayabusa wrote:

    I run a couple of different IDS / IPS configurations in VMs, and I’ve looked at Vyatta in the past, but not XORP (so thanks for something else to add to my list of things to research and play with, after I finish CTP / OSCE…) ;D

    Full Disclosure: I only learned about XORP when I made that post :-[ I was trying to figure out why it appears that you can only get a 30-day trial of Vyatta now (they used to have a free virtual appliance). I guess they used XORP up to v3, but then they went to something proprietary starting in v4.

    The more you know ===★

  • #45846
     hayabusa 
    Participant

    Understood.  Still… thanks!

  • #45847
     Triban 
    Participant

    So I think Dynamik is volunteering to set up a VPN to his lab for all of us to use 😀

    As for the article, I certainly agree that you cannot adequately simulate a full pen test by just having your two VMs running a victim OS and an attacker OS. But for those new to the field it is enough to give them a taste.

    I think we do a good job, though, of letting folks know there is more to a pen test than simply popping the single victim system. eLearning and OSCP cover the ins and outs of the pen test from the recon, enumeration and finally to the report. The report I think is probably the most valuable piece to learn. Like Tom had mentioned, you need to be able to explain to the client about the findings, and that is where the report comes in.

    With regards to the experience portion, I think we here at EH-Net do a decent job at letting the newbies know that Ethical Hacking and Pen Testing are not entry level areas.  Many of us have backgrounds in System/Network Administration and/or programming.  It is important to be able to explain “here is why your box got popped, here is why we were able to get that data.  This is how you fix it…”  And being able to explain in non-robot speak is key.  If you can show the dollars flying out the cable modem that is even better.

    Overall the article is great and I think we can all agree that the simple victim/attacker setup is really not enough. But I think for a little taste to see if it’s something you want to do, it will suffice. Then, like all hobbies that become careers, you can invest more into it. Throw in more layers to better challenge yourself. This made me want to fire up the Cisco kit I have (two 2600 routers and an 1850 Catalyst), configure it and use it! Too bad they are loud, guess I need to build a case 😀

  • #45848
     hayabusa 
    Participant

    3xban – good post, and I agree on all fronts.

    Tom’s logic is well-grounded, and his reasonings are completely valid.  As you noted, the issue really lies on what you plan to do with it.  If it’ll be your career, then the hardware, eventually, WILL become a necessary purchase.  Sooner or later, you’ll need knowledge, specific to a certain router or configuration, and it just comes in handy to have at least a low-end model available, if not something more robust.  Thankfully, my past employers (and current) have had equipment I can move up to, if there’s something I don’t have, but need to validate on.

    And I agree on the noise, from the Cisco gear.  For any of you who live in a house (as I do) where you can’t adequately control sound levels, and where much of your training or testing time and effort come when wife and kids are sleeping, that’s when the software routers come in handy.  (Thus my having BOTH physical and virtual / software routers.)

    In my case, I’m working on relocating, soon, to a house (new city, hopefully, about 1200 miles south) with more space, and a home office that WILL accommodate my running what I want, when I want.  Thankfully, my current job allows me to work from my home, so I have flexibility on where I want to be, although the planned move would put me within close proximity to the company’s headquarters.  😉

  • #45849
     dynamik 
    Participant

    I think the deeper issue is simply that many people don’t know how to set up an enterprise network to begin with. It’s the same old story of people rushing into the exciting material before developing a foundation. Most people with this experience would naturally create a lab similar to what Tom diagrammed and not be content with BackTrack vs. Vulnerable Distro. I think this article underscores the fact that if you don’t have the knowledge to set something like that up yourself, you’re not going to do well in an actual pen test that will likely be of a much larger scale.

    Also, if your routers/switches aren’t in a confined area, you can (probably ;)) disconnect the fans without causing any harm. They’re designed to withstand being packed tightly into racks, so a couple out in the open (probably ;)) won’t explode.

  • #45850
     hayabusa 
    Participant

    @dynamik wrote:

    Also, if your routers/switches aren’t in a confined area, you can (probably ;)) disconnect the fans without causing any harm. They’re designed to withstand being packed tightly into racks, so a couple out in the open (probably ;)) won’t explode.

    True, and likely the best option.  Except that off eBay (going along with your probably,) they’re used, so you don’t know how close to failure they may already be.  I’m more than happy, personally, to keep using BOTH, until I have a sound-proofed office to run them in, off-hours.

    Funny story, to the eBay point, though…  Amazing what NON-configuration-cleared items you can buy from eBay.  I ended up calling an oil company (previous owners who’d gotten rid of them, during a replacement cycle,) after I bought the routers, as they still had SNMP and other wide open configs on them.  Could’ve heard the guy’s head shaking, on the other end of the phone, when I called him, to tell him they should be more careful.  (Turns out, they hadn’t, yet, changed their passwords and configs for the systems, so all of it would’ve been very valuable to the “UN-ethical” hacker community…)

  • #45851
     Triban 
    Participant

    Interesting note about the fans. Maybe I’ll try that or build a cabinet with sound proofing/muffling.

    I agree with you Dynamik, how could you hope to breach something that you have never built? I suppose guesswork and luck and lots of googling, but a solid foundation is key. I think in a majority of the posts we receive, we do make it a point to tell the soon-to-graduate folks that this field is not entry level and to start at the bottom to get the most experience possible. Most of what I know came from the last 10 or so years. Out of college I managed/maintained IT for an 11-site school district. Got to build networks from the ground up, build system images and of course build and deploy servers, migrate Exchange servers and configure Citrix boxes. Put out some switches and configured firewalls. Since it’s a school district, it was lower on funding so much of the work was done by us. Then took that experience into the consulting world and helped numerous clients build, upgrade and maintain their systems. Now is the time that I am putting all that knowledge to analyzing and responding to security threats for a large global enterprise. What have I learned? Same problems, just bigger and you have more funding 😀

    Not understanding the foundational material could really hinder my analysis.  Like if I didn’t know the purpose of proxy servers or gateways, I wouldn’t think anything of a system going directly to the firewall on port 80 and attempting to bypass the proxy.  If I didn’t understand the OSI model and TCP traffic, port numbers would mean nothing to me.  Granted I am on the defending side of things, but if you know how to build it, you know how to break it.  If you know how to defend it, you will know how to penetrate it.

  • #45852
     Anonymous 
    Participant

    I agree with everything that has been said so far; my lab has lots of VMs of live CDs in it. But I am hoping to build a new lab that contains hardware / software, as I have never really done this and think it could really help me with pen testing, so if anyone can recommend good stuff to read or where to start, it would be appreciated.

  • #45853
     Grendel 
    Participant

    @dynamik wrote:

    I think the article is well-written, and I agree with most of the points made, but I’m not sure why virtualization is so heavily discouraged.

    I’m a big fan of virtualization, and it is definitely used extensively in corporate environments. However, virtualized systems are usually limited to servers, and only make up a small portion of systems found in the network. To make it more realistic, hacking labs should have both workstations and servers.

    Doing a little brainstorming, it would be a good idea for someone to develop scripts and/or De-ICE discs that would make workstations talk with the servers, similar to what admins currently do in the real world.

  • #45854
     hayabusa 
    Participant

    @grendel wrote:

    Doing a little brainstorming, it would be a good idea for someone to develop scripts and/or De-ICE discs that would make workstations talk with the servers, similar to what admins currently do in the real world.

    Definitely. Similar to some of the target exercises (except even more so), like the targets in some of the PWB labs.

  • #45855
     dynamik 
    Participant

    @grendel wrote:

    I’m a big fan of virtualization, and it is definitely used extensively in corporate environments. However, virtualized systems are usually limited to servers, and only make up a small portion of systems found in the network. To make it more realistic, hacking labs should have both workstations and servers.

    Doing a little brainstorming, it would be a good idea for someone to develop scripts and/or De-ICE discs that would make workstations talk with the servers, similar to what admins currently do in the real world.

    I personally include workstations in my virtual lab, but I completely agree with the point you’re making. It’s absolutely essential to test client-side exploits, social engineering attacks (i.e. SET), etc. in order to simulate a real-world pen test. I think people are more limited by their imagination than by physical/virtual though.

    Hopefully I didn’t come off as too critical; I definitely feel the article contains important advice for those starting to build (or improving) their personal labs.

  • #45856
     SephStorm 
    Participant

    Definitely hear where you guys are coming from on this. I can tell you what goes through my mind when I’ve been told I need more experience in different areas:

    1. I don’t have that kind of time! I’m 20 (something) years old! I’m already behind the guys who started hacking 486’s!
    2. Read the news! The cyber war is going to start tomorrow! If I don’t start now, it’ll be over by the time I have been a sysadmin for 10 years! (Joking aside, this and the next one are probably the biggest.)
    3. Security is a hot topic right now, it’s a big industry. In 10 years, who knows where we will be? Maybe organizations will be significantly more secure and they won’t need my skills. (Or the field will be over-saturated!)
    4. Great, I spent all this time and money learning all these skills, and I have to wait 10 years before I can use it. Already many things are being secured or changed, my knowledge will be useless by the time I can use it.
    (Very big for me right now; I barely do sysadmin duties at my current job, and while my previous employer had me working with IA doing security-related duties, not here. I’m (supposedly) locked in here for years. I’ve got my certs, I’ve got my lab, but still no experience when I leave here.)

    Now that was part rant, but I think we have to be able to tell newbies it’s okay to wait, the industry won’t leave them behind. I just hope that’s the case.

  • #45857
     kerpap 
    Participant

    There are a lot of great attacks that target layer 2. This can be challenging to set up as a lab, as you would need several switches and need to know how to configure them. I have found a lot of networks don’t protect against these attacks, and this creates a huge vulnerability, as it is very easy from the inside to attach a switch to the network and configure it so that all traffic on the network gets forwarded to your attack PC; thus you are able to sniff all the traffic and can enumerate great info on the network.

    It is very hard to detect these attacks. Some IPS sensors can detect these anomalies, but most of the time you can get away with it.

    Great stuff to know as a pen tester IMO.
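    Both MaXe’s ARP-spoofing tests and kerpap’s point that layer 2 attacks are hard to detect come down to the same defender’s question: what does a poisoned segment look like on the wire, and can the lab’s own IDS VM spot it? The following is an added example (not from the thread or from any poster) that runs a simple ARP-anomaly detector over a constructed capture. The reply list, gateway address and MACs are all made up for the example; a real deployment would feed it from a sniffer on the lab segment.

```python
"""Flag ARP cache-poisoning symptoms in a list of observed ARP replies.

Added example (not from the thread). The replies below are constructed to
mimic what a sniffer on a lab segment would record; the gateway address and
MACs are placeholders.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address: the IP this reply claims
    mac: str    # sender hardware address: the MAC claiming it


# Constructed capture: 10.0.0.1 is the lab gateway. From t=5.0 a host with
# MAC aa:aa:... starts answering for the gateway and for workstation .20,
# and the real gateway keeps reasserting itself (the classic "flapping").
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1",  "00:1a:2b:00:00:01"),
    ArpReply(0.5, "10.0.0.20", "00:1a:2b:00:00:20"),
    ArpReply(1.0, "10.0.0.21", "00:1a:2b:00:00:21"),
    ArpReply(5.0, "10.0.0.1",  "aa:aa:aa:aa:aa:aa"),
    ArpReply(5.1, "10.0.0.20", "aa:aa:aa:aa:aa:aa"),
    ArpReply(5.2, "10.0.0.1",  "00:1a:2b:00:00:01"),
    ArpReply(5.3, "10.0.0.1",  "aa:aa:aa:aa:aa:aa"),
]


def detect_arp_anomalies(replies, gateway_ip=None, max_ips_per_mac=1):
    """Return alerts as (ts, kind, detail) tuples, in time order.

    kinds:
      mac-change       an IP was answered for by a MAC different from the last one seen
      gateway-change   same, but the IP is the configured gateway (highest impact)
      mac-claims-many  one MAC now answers for more IPs than max_ips_per_mac
    """
    last_mac = {}                       # ip -> most recently seen MAC
    ips_by_mac = defaultdict(set)       # mac -> set of IPs it has claimed
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = last_mac.get(r.ip)
        if prev is not None and prev != r.mac:
            kind = "gateway-change" if r.ip == gateway_ip else "mac-change"
            alerts.append((r.ts, kind, f"{r.ip}: {prev} -> {r.mac}"))
        last_mac[r.ip] = r.mac
        before = len(ips_by_mac[r.mac])
        ips_by_mac[r.mac].add(r.ip)
        after = len(ips_by_mac[r.mac])
        if after > max_ips_per_mac and after != before:   # alert once per new IP
            alerts.append((r.ts, "mac-claims-many",
                           f"{r.mac} answers for {sorted(ips_by_mac[r.mac])}"))
    return alerts


def alert_counts(alerts):
    """Summarise alerts by kind, e.g. {'gateway-change': 3, ...}."""
    return dict(Counter(kind for _, kind, _ in alerts))


if __name__ == "__main__":
    found = detect_arp_anomalies(SAMPLE_REPLIES, gateway_ip="10.0.0.1")
    for ts, kind, detail in found:
        print(f"t={ts:4.1f} {kind:16s} {detail}")
    print(alert_counts(found))
```

The repeated `gateway-change` alerts are the useful signal: a legitimate gateway move happens once, whereas poisoning produces the gateway’s MAC flipping back and forth as the real router and the spoofing host both keep answering. Hosts that legitimately answer for several addresses (a router with secondary IPs, a proxy-ARP box) need `max_ips_per_mac` raised for their MAC, otherwise the `mac-claims-many` check becomes noise.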

  • #45858
     Triban 
    Participant

    Seph makes a good point about scrambling to be in demand when you may have spent much of your time doing other things. I think that is where community involvement could assist. It’s not always what you know, it’s who you know. Eventually you can impress those people in a more laid-back environment.

    Now the other part, sure security is big but it has always been there.  It is now gaining visibility due to the unfortunate reports of big companies falling prey to breaches, site defacements and all the other activity floating around out there.  We are in a reactive state right now.  We need to get out of that and move on to proactive measures.  Hopefully in 10 more years we will have a very security aware community from the CEOs down to the shop floor workers.  What we have to do as professionals is to help get there.  You don’t necessarily need the technical skills to bust a network, seems like we have plenty of that.  We need defenders and we need spokesmen.  The highly technical message needs to reach the least technical people.  At that point, we need to shore up the defenses and get the last of the attackers out of the networks.  For that we need to ensure that the Sys Admins, network admins are all building systems and networks with security in mind.  Not everyone can be red team and the best way to learn to defend against the attacks is to know how to build your network from the ground up.

    What I want to do between eCPPT and work related duties is spend a week on each part of my lab.  This week will be the Cisco pod.  Next will be a host on each side.  Then a server/workstation setup.  Harden each piece as it is built.  Doing what I do now, I am more an analyst and do not get to work directly with the hardware so I want to keep the skills fresh.

    Sorry I may have swayed off topic.

  • #45859
     24772433 
    Participant

    There are some very interesting comments from a thought provoking article.

    The increase of virtualisation in corporate networks and the growth of cloud based services provide challenges to the security community to adapt to these changes. Server virtualisation is now commonplace and so too will be desktop virtualisation, along with switch virtualisation (Cisco Nexus 1000).

    In response to what seems to be the general question of the value of a virtual-only lab versus physical hardware: I was wondering if anyone had any experience of GNS3, which is a graphical network simulator that can simulate networks of switches and routers of all flavours, such as Cisco and Juniper. My experience has been very positive and I have found it reasonably easy to integrate with my VMware lab.
    http://www.gns3.net/

    Another option I have found that works well, if you’re looking to practice against a Check Point firewall, is to install their SPLAT OS as two virtual guests and configure a policy server and firewall – which Check Point will allow for 15 days unlicensed.

    Steve.

  • #45860
     Grendel 
    Participant

    Hey, I’m in the process of redoing my lab and relocating my web site internally. Would anyone be interested in a “blog” of what I’m doing?  I can post a new thread on these forums and show what I’m doing… I won’t do it if nobody is interested.  LMK.

  • #45861
     hayabusa 
    Participant

    I think it might be a welcome addition, Grendel.

    For a lot of the newer folks (and even some of the seasoned ones, as a refresher,) it might be nice to see what type of effort someone puts in, in order to better their labs, etc.  I know, in another post, Jamie.R was feeling frustrated with various things, such as having to go back a notch, jobwise, and motivate himself again.  I think it would be good for others to see that, sometimes, even building a new lab, or adding to an existing, is a good way to learn and grow, especially if you point out benefits and learning experiences along the way.

    Additionally, it’s always nice to know what you’ve got going on, so when time and money permit, down the road, I know what I’m spending on, when I take your courses.  😉

  • #45862
     Triban 
    Participant

    I think it would be a great idea Grendel! For those who have never done it, there are limited resources out there to help them build their labs. Many of the books that require use of a lab simply say “Download your preferred virtualization software and run these live CDs”; none really go into much detail involving hardware pieces as well as virtual systems.

  • #45863
     charliemong 
    Participant

    For newbies like me that work in a support function, it may well be worth asking management for any spare kit lying around. I currently have a few Cisco 2501 routers knocking about and a couple of 48-port Cisco switches that were (no longer required) going begging, so to speak. My server-side labs are on laptops mainly, with 3 HP MicroServers (bought these myself).

    Hayabusa gave me some good advice many moons ago: learn about the infrastructure first and the testing stuff second. So now, having spent the last 3 years learning MS, *nix, and Cisco and HP networking, I am now going to start on the testing learning. So far I am just doing a Udemy course as a pre-course to a CSTM course I am booked on in April. It’s recognised by CESG and CREST so it should be a good foothold into the learning process.

  • #169321
     Michael J. Conway 
    Participant

    Hey Don,

    I know it’s been a while since anyone said anything here, so I figured I’d give my 2 cents since I am in the process of building a lab.
    1. The link to the original article is broken so can’t really comment on that.
    2. I love virtual machines for all the ways you can muck them up and then reset them.
    3. Is a virtual lab ideal? No, but it beats the more costly alternative. I would love to be able to afford a router, a real (not SOHO one) switch, a dedicated firewall, and the other network support equipment found in the “wild”. Heck I would love to have a bunch of bare metal sitting around waiting for a use.
    4. Virtual is a cost effective way to play though.

    So how do we build a virtual lab that is more than just for system attacks:

    * Find vulnerable applications
    * Find or write your own web apps (good practice for the coders out there)
    * Use clones to create different instances of a VM
    * Do system hardening (DISA STIG or other secure configuration guidance)
    * Do your own thing – What are you seeing in your organization or in the news that you want to try?

    May not be the best virtual lab and you can’t really do attacks against the hypervisor unless you are feeling really daring and nest hypervisors but you should be able to do more than just system attacks.
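    The “do system hardening” item above is the one that turns a throwaway VM into something worth attacking and defending, and it is easy to check mechanically. The following is an added example (not from the thread or from any poster) that parses an `sshd_config` the way sshd reads it and audits it against a small baseline. The baseline is an illustrative subset in the spirit of STIG-style guidance, not the text of any DISA STIG, and both config files are constructed; the `audit_sshd_config` helper is hypothetical, not a standard tool.

```python
"""Check an sshd_config against a small hardening baseline.

Added example (not from the thread). The baseline below is an illustrative
subset in the spirit of STIG-style guidance, not the text of any STIG, and
both config files are constructed.
"""
import re

# Directive -> allowed values, or a predicate on the parsed value
BASELINE = {
    "permitrootlogin":        {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords":   {"no"},
    "x11forwarding":          {"no"},
    "maxauthtries":           lambda v: v.isdigit() and int(v) <= 4,
}

WEAK_CONFIG = """\
# constructed: the defaults many lab images ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
# constructed: same file after hardening
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the global section.

    Mirrors the sshd parsing rules that matter here: comments and blanks are
    ignored, 'Key value' and 'Key=value' are both accepted, the FIRST
    occurrence of a directive wins, and parsing stops at the first Match
    block because everything after it is conditional.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text, baseline=BASELINE):
    """Return findings as (directive, problem, observed) tuples; empty means compliant."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        if key not in cfg:
            findings.append((key, "not set explicitly", None))
            continue
        value = cfg[key]
        ok = expected(value) if callable(expected) else value.lower() in expected
        if not ok:
            findings.append((key, "weak value", value))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(text) or "compliant")
```

Directives that rely on sshd’s compiled-in default (here `PermitEmptyPasswords`) are reported as “not set explicitly” rather than passed silently, since a hardening baseline wants the intended value on record. The same parse-then-compare pattern extends to any other flat key/value configuration the VMs in the lab ship with.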

Copyright ©2019 Caendra, Inc.