
Network pentest lab setup


Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Jul 20, 2009 10:23 pm

Network pentest lab setup

Video is at the page =)

http://www.securityaegis.com/?p=525

Remember those good ole days in the sandbox? Where you threw stuff around and learned where the sand goes and… doesn’t go? Well, we’ve graduated from the sandbox, but our hearts and minds are still wired to play there. Maybe that’s why we love offsec. Let’s get to the point though… We made a lab.

We wanted to address pentest labs. In this post in particular, network pentest labs (webapp labs will be a separate post, and challenge sites will be as well).

We used an existing set of hack challenge ISOs, sandbox VMs, vulnerable software, and vulnerable OSs to create a 6-target lab that can be expanded upon.

Network Pentesting Lab Tutorial

Here is what you need to download:

  1. De-ICE Challenge Disks 1 & 2 – Register for the Heorot.net forums to get DL access, http://forums.heorot.net/
  2. pWnOS – Register for the Heorot.net forums to get DL access, http://forums.heorot.net/
  3. Damn Vulnerable Linux – http://www.damnvulnerablelinux.org/ and add-ons at http://www.crackmes.de
  4. BT4 – http://www.remote-exploit.org/backtrack_download.html
  5. Windows XP SP2
  6. Windows Server 2003
  7. VMware Server – http://www.vmware.com/products/server/

This lab is focused on a virtual environment. Pentesting involves testing many different systems, so we recommend using VMware Server. The flexibility of deploying targets and then saving their default installs as snapshots is absolutely necessary. In a physical lab with an unconstrained budget we’d use pre-configured hard drives with images that we’d “hot swap” out depending on the engagement.

In this sandbox we hone our skills with nmap, netcat, metasploit, hydra, nessus, exploit code, pivoting, clientsides, etc. – not necessarily in that order. We decided to keep everything off the interwebs as we did this setup. This way we won’t have to deal with letting our ISP know attack traffic might be coming from a machine or two.

First we download pWnOS. pWnOS is a VM released by Heorot.net denizen bond00. Since it’s already in VM form, we set up its network and launch the machine. This target is exploit-centric, differing slightly from our next target setups, the De-ICE disks. A quick ping sweep will verify it’s online. This target will require you to search for an exploit, compile it, and up priv.

Second, you need to download the De-ICE pentest challenge disks. Thomas Wilhelm has created 3 attack challenge ISOs. We’ll let you go about finding the vulnerabilities, but they work very well for showcasing mis-configuration testing and other attacks. We used the two level 1 disks, but he has a level 2 disc available also. You can expand the network to add that disk later if you choose to; it showcases a harder pentest situation. The De-ICE disks should be configured and set up as per our video. After that they just sit there for the plundering.

Next up is Damn Vulnerable Linux. DVL is an interesting platform. Not only is it a target, it’s also a testbed. DVL is very insecure, exploitable, but also contains a tutorial within itself for beginning exploit dev and cracking. Sometimes DVL is frustrating to use due to language barriers, but most of the time you can figure out the kinks. DVL is closely tied to the http://www.crackmes.de/ website where new challenges called “crackmes” and “exploitmes” can be downloaded. The forums there have a lot of info on the distro which is used to teach offensive security and reverse engineering to a broad skill set of Infosec folks in education environments in the EU.

Next up we set up our attack platform, Backtrack 4 (pre-release). I’m pretty sure we all know BT as one of the industry default attack, audit, and testing environments. Some infosec professionals use their own home-brewed distros. You could do this too. It’s just a pain to compile and set up all the tools. BT4 does all this for us, it’s stable, and it’s made by some of the most brilliant minds in infosec. Regardless of which attack platform you use, we recommend keeping the remote-exploit forums in your links, as they are indispensable in troubleshooting common offsec tools.

Lastly we run some Microsoft boxes. We skipped setting up the 2003 box as a domain controller on the video… because that’s boring. This setup allows us to test software on MS platforms. What we will say is make snapshots of these installs and don’t delete them (after you set up the domain).

- The domain setup allows us to test post exploitation, account hijacking, client-server packet sniffing, priv escalation, process migration (meterpreter goodness), pivoting, etc.

- Snapshots give us the capability to test old service packs or security updates on a regular basis, as well as analyze malicious code’s changes to the OS when a new Conficker comes slithering around.

- The boxes themselves are also used for deploying vulnerable software to test exploits (don’t forget about clientsides), which can be downloaded from:

http://www.oldapps.com/
http://www.oldversion.com/
https://www.securinfos.info/old-softwar ... erable.php

All in all, this setup seemed to support all our needs for a network pentesting lab. It has multiple OS’s, multiple targets, avenues for configuration testing, avenues for exploitation, and post exploitation. It is expandable with extra ISO’s, OS’s, updates, software, etc. We’re still working on adding some virtual devices to play with evasion, but that’s down the road.

We don’t know everything (in fact, we know very little) and we appreciate comments and emails about how to make this setup better. If you know of a testing distro we missed for network pentest labs let us know. Got a trick of the trade to make this better? Hit us up. We give credit.
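Added here as an example, not code from the original post or video: a small Python check that turns the "quick ping sweep" above into a lab-hygiene step, comparing an nmap greppable ping-scan (`-oG`) against the six targets plus attack box and flagging targets that are down and live hosts that are not in the inventory (which, in a lab that is meant to stay off the internet, usually means a stray VM or a mis-wired virtual network). The addresses and the scan output are constructed; adjust the inventory to your own subnet.

```python
import re

# Expected lab inventory: hypothetical addresses for the targets named in
# the post plus the BT4 attack box (constructed values, not from the post).
LAB_INVENTORY = {
    "192.168.56.5": "BackTrack 4 (attacker)",
    "192.168.56.10": "pWnOS",
    "192.168.56.11": "De-ICE level 1 disk 1",
    "192.168.56.12": "De-ICE level 1 disk 2",
    "192.168.56.13": "Damn Vulnerable Linux",
    "192.168.56.20": "Windows XP SP2",
    "192.168.56.21": "Windows Server 2003",
}

# Constructed sample of `nmap -sP -oG -` greppable output for the lab subnet:
# one De-ICE disk is down and an unknown host (.77) answered.
SAMPLE_SCAN = """\
# Nmap 5.00 scan initiated Mon Jul 20 22:00:00 2009 as: nmap -sP -oG - 192.168.56.0/24
Host: 192.168.56.5 ()\tStatus: Up
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.11 ()\tStatus: Up
Host: 192.168.56.13 ()\tStatus: Up
Host: 192.168.56.20 ()\tStatus: Up
Host: 192.168.56.21 ()\tStatus: Up
Host: 192.168.56.77 ()\tStatus: Up
# Nmap done at Mon Jul 20 22:00:03 2009 -- 256 IP addresses (7 hosts up) scanned in 3.10 seconds
"""

# Greppable "Host:" line: address, optional hostname in parentheses, status.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")

def parse_greppable(text):
    """Return {ip: status} for every Host: line in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts[m.group(1)] = m.group(3)
    return hosts

def check_inventory(scan_text, inventory):
    """Return (missing, unexpected): inventory hosts that did not answer,
    and live hosts that are not part of the lab inventory."""
    up = {ip for ip, status in parse_greppable(scan_text).items() if status == "Up"}
    missing = sorted(ip for ip in inventory if ip not in up)
    unexpected = sorted(up - set(inventory))
    return missing, unexpected

if __name__ == "__main__":
    missing, unexpected = check_inventory(SAMPLE_SCAN, LAB_INVENTORY)
    print("targets down:", [LAB_INVENTORY[ip] + " " + ip for ip in missing])
    print("hosts not in inventory:", unexpected)
```

Run the real scan with `nmap -sP -oG - <lab subnet>` and feed its output to `check_inventory` before each session so you notice a reverted snapshot or an unexpected box on the lab segment.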

Laz3r

Post Mon Jul 20, 2009 11:04 pm

Re: Network pentest lab setup

And it's a great video if I do say so myself ;)

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Jul 20, 2009 11:06 pm

Re: Network pentest lab setup

innnndeeeed =)

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Jul 21, 2009 12:19 am

Re: Network pentest lab setup

Thanks both of you. ;)

I am sure that this will help some people to get started.

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Jul 30, 2009 2:04 pm

Re: Network pentest lab setup

Thanks Jhaddix and Laz3r

Awesome. I'm going to use this as a primer for getting me started (at least for building the lab part). Although I'm still not sure I'm in the right place (yes, I'm new. Hello!).

This was just what I was looking for when I used the search box. (See some noobs do use search ;) ).

Is there a way to make this one a sticky for the noobs like me (so they can read it when they first sign up)?

Lastly, if I can ask, is there a reason to go with VM Server over something else, like Xen?
OSWP, Sec+

Laz3r

Post Thu Jul 30, 2009 5:16 pm

Re: Network pentest lab setup

First off, I'm glad you liked the video and article.
I haven't used Xen, or any other hypervisor for that matter. In case you don't know, hypervisors are a bit different from something like VMware Server. A hypervisor is, in a very basic sense, the physical machine's OS. It sits in between the hardware and the guest OS, whereas something like VMware Server sits between a host OS and a guest OS.

To use a hypervisor, you should have a separate machine purely for your lab. I think of it like this: if I were using a hypervisor, I'd end up running at least 2 VMs non-stop, Windows XP and BT4. With VMware Server, I can just park that on top of Windows XP and run only 1 VM.

Another good reason to go with a VMware option is the fact that it's a very widely used product.  If you run into any problems, it would be very easy to find a fix.

Either way, it could work. I would definitely suggest going with VMware Server first. It's very, very easy to install, and equally easy to uninstall. Whereas if you used Xen, or VMware ESXi, it's a longer process with a more permanent effect on the machine (i.e. reformatting and reinstalling Windows if you decide you don't like it).

All of that having been said, our "series" on labs likely isn't over yet.  If you haven't seen the second part, you can find it here.  In that video we expand our lab to include some vulnerable Web Applications.  In roughly a month or two (When I get the machine) we will be expanding our lab even further.  This part of the series will talk about using a hypervisor, and networking it with our current lab machine.  We will likely see 2 VMware Server machines and one machine using a hypervisor. (Most likely VMware ESXi, but we might take a look at Xen.)

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Jul 30, 2009 11:06 pm

Re: Network pentest lab setup

Laz3r,

Mostly right on the Xen stuff. I spent most of last year wrapping my head around Xen for work, so I'm more up on that than VMware. I haven't touched VMware since around 1999.

In my setups, it's Xen on top of Linux. Mainly to make it work, you can use a package (I love package management in Linux, but I can build from source when I have to), and it modifies the kernel, the initrd and a few other things on the box. You can clean up after it by removing the package. It is designed for a bare-metal install though (sitting on the hardware instead of on top of the OS), whereas VMware is either bare metal or hosted. VMware and Xen can do para- and full virtualization. It's a little tricky: yeah, the DOM0 is technically a VM, but it doesn't quite act like one either. As always, memory is your limiting factor.

Really good book on the topic is http://www.amazon.com/Running-Xen-Hands ... 650&sr=8-1

This weekend I'm thinking of installing a Windows VM and maybe a CentOS test VM on my laptop (runs Debian Testing), bottom OS for the VM server and everyday usage, the VMs for fun and testing.

My goal for a lab is to have 1 box just for the lab, running Xen, and a couple of older desktops running straight OSes to try and play with.

User support for Xen isn't that bad either. It has a decent sized user base (probably not as big as VMware though), and I can usually find what I need that way.

I did see the other post, but didn't look at it. I left the tab open on my desktop at work, I'll probably look at that on Monday when I get back.
OSWP, Sec+
