To get the best result from your lab, you should plan it properly before you start building it. The lab will be used to practise particular penetration testing skills, so planning begins with deciding which skills you want to practise. You may have uncommon or even unique reasons for building a lab, but the following is an average list of the skills one might need to practise:
Discovery techniques
Enumeration techniques
Scanning techniques
Network vulnerability exploitation
Privilege escalation
OWASP TOP 10 vulnerabilities discovery and exploitation
Password and hash attacks
Wireless attacks
Modifying and testing exploits
Tunneling
Fuzzing
Vulnerability research
Documenting the penetration testing process
All these skills are applied in real-life penetration testing projects, depending on the project's depth and the penetration tester's qualifications. These skills can be practised in three lab types, or in combinations of them:
Network security lab
Web application lab
Wi-Fi lab
I should mention that the lab planning process for each of the three lab types consists of the same four phases:
Determining the lab environment requirements: This phase helps you to actually understand what your lab should include. In this phase, all the necessary lab environment components should be listed and their importance for practising different penetration testing skills should be assessed.
Determining the lab environment size: The number of various lab environment components should be defined in this phase.
Determining the required resources: The point of this phase is to choose which hardware and software could be used for building the lab with the specified parameters and fit it with what you actually have or are able to get.
Determining the lab environment architecture: This phase designs the network topology and the network address space.
Now, I want to describe step by step how to plan a combined lab covering all three lab types listed in the preceding section, using the same four-phase approach:
Determine the lab environment requirements:
To fit our goal and practise the particular skills listed above, the lab should contain the following components:
Skills to practise | Necessary components
Discovery techniques; Enumeration techniques; Scanning techniques; Network vulnerability exploitation | Several different hosts with various OSs; Firewall; IPS
OWASP TOP 10 vulnerabilities discovery and exploitation | Web server; Web application; Database server; Web Application Firewall
Password and hash attacks | Workstations; Servers; Domain controller; FTP server
Wireless attacks | Wireless router; RADIUS server; Laptop or any other host with a Wi-Fi adapter
Modifying and testing exploits | Any host; Vulnerable network service; Debugger
Privilege escalation | Any host
Tunnelling | Several hosts
Fuzzing; Vulnerability research | Any host; Vulnerable network service; Debugger
Documenting the penetration testing process | Specialized software
Now, we can make our component list and define the importance of each component for our lab. Importance is rated on a three-level scale: Additional (least important), Important, and Essential (most important):
Component | Importance
Windows server | Essential
Linux server | Important
FreeBSD server | Additional
Domain controller | Important
Web server | Essential
FTP server | Important
Web site | Essential
Web 2.0 application | Important
Web Application Firewall | Additional
Database server | Essential
Windows workstation | Essential
Linux workstation | Additional
Laptop or any other host with a Wi-Fi adapter | Essential
Wireless router | Essential
RADIUS server | Important
Firewall | Important
IPS | Additional
Debugger | Additional
Determine the lab environment size:
In this step, we decide how many instances of each component we need in our lab. We count only the Essential and Important components, so all Additional components are excluded. This gives us the following numbers:
Component | Number
Windows server | 2
Linux server | 1
Domain controller | 1
Web server | 1
FTP server | 1
Web site | 1
Web 2.0 application | 1
Database server | 1
Windows workstation | 2
Host with Wi-Fi adapter | 2
Wireless router | 1
RADIUS server | 1
Firewall | 2
Determine required resources:
Now, we will discuss the required resources:
Servers and victim workstations will be virtual machines running on VMware Workstation 8.0. To run the virtual machines without trouble, you will need an appropriate hardware platform with a CPU of two or more cores and at least 4 GB of RAM.
Windows servers will run Microsoft Windows Server 2008 and Microsoft Windows Server 2003.
We will use Ubuntu 12.04 LTS as the Linux server OS. Workstations will run Microsoft Windows XP SP3 and Microsoft Windows 7.
An ASUS WL-520gc will be used as the LAN and WLAN router.
Any laptop will serve as the attacker's host.
A Samsung Galaxy Tab (or any other device supporting Wi-Fi) will serve as the Wi-Fi victim.
We will use free software for the web server, the FTP server, and the web application, so no additional hardware or financial resources are needed for these requirements.
Determine the lab environment architecture:
Now, we need to design our lab network and draw a scheme:
Address space parameters:
DHCP server: 192.168.1.1
Gateway: 192.168.1.1
Address pool: 192.168.1.2-15
Subnet mask: 255.255.255.0
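The address plan above is worth checking against the sized component list before any VM is built, because a 14-address DHCP pool only holds every component if several services share a host. The following Python script is an added example, not code from the original chapter: it takes the component counts from the "lab environment size" step, a placement map saying which services are co-hosted (the placement itself is an assumption for illustration; the chapter does not specify it), and the pool 192.168.1.2-15 with mask 255.255.255.0, then reports whether the pool fits and lays out one address per host. Running it with an empty placement map shows why co-hosting matters: every component on its own host needs 17 addresses, more than the pool provides.

```python
import ipaddress

# Sized component list from the chapter's "lab environment size" table.
COMPONENTS = {
    "Windows server": 2,
    "Linux server": 1,
    "Domain controller": 1,
    "Web server": 1,
    "FTP server": 1,
    "Web site": 1,
    "Web 2.0 application": 1,
    "Database server": 1,
    "Windows workstation": 2,
    "Host with Wi-Fi adapter": 2,
    "Wireless router": 1,
    "RADIUS server": 1,
    "Firewall": 2,
}

# Assumed placement (not stated in the chapter): a component mapped to another
# component's name shares that host's address; None means it takes no address
# of its own (a software firewall on a host, or the router that is already the
# gateway at 192.168.1.1).
PLACEMENT = {
    "Domain controller": "Windows server",
    "FTP server": "Windows server",
    "Web site": "Web server",
    "Web 2.0 application": "Web server",
    "Database server": "Linux server",
    "RADIUS server": "Linux server",
    "Firewall": None,
    "Wireless router": None,
}


def addressed_hosts(components, placement):
    """Return the labels of the hosts that need an address from the pool."""
    hosts = []
    for name, count in components.items():
        if name in placement:  # co-hosted or address-less: nothing to allocate
            continue
        for i in range(1, count + 1):
            hosts.append(f"{name} {i}" if count > 1 else name)
    return hosts


def pool_addresses(first, last, netmask):
    """Expand a DHCP pool given as first/last address, checking it lies in the subnet."""
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi not in net or lo > hi:
        raise ValueError("pool boundaries are not inside the subnet")
    return [ipaddress.ip_address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def plan(components, placement, gateway, first, last, netmask):
    """Check that the pool holds every addressed host and lay out one address per host."""
    hosts = addressed_hosts(components, placement)
    pool = pool_addresses(first, last, netmask)
    if ipaddress.ip_address(gateway) in pool:
        raise ValueError("gateway address must sit outside the DHCP pool")
    fits = len(hosts) <= len(pool)
    allocation = dict(zip(hosts, pool)) if fits else {}
    return {
        "hosts": len(hosts),
        "pool": len(pool),
        "fits": fits,
        "allocation": {h: str(a) for h, a in allocation.items()},
    }


if __name__ == "__main__":
    args = ("192.168.1.1", "192.168.1.2", "192.168.1.15", "255.255.255.0")
    result = plan(COMPONENTS, PLACEMENT, *args)
    print(f"{result['hosts']} hosts, {result['pool']} addresses, fits={result['fits']}")
    for host, addr in result["allocation"].items():
        print(f"  {addr:<16} {host}")
    # Same component list with nothing co-hosted: does not fit the pool.
    print("no co-hosting fits:", plan(COMPONENTS, {}, *args)["fits"])
```

With the assumed placement the lab needs 8 addresses out of 14, leaving room for the attacker's extra VMs; without co-hosting it would need 17. Adjust PLACEMENT to match your own VM layout and re-run before choosing the pool boundaries.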
In the first step, we determined which types of lab components we need by considering what could be used to practise each skill:
Any OS and any network service is suitable for practising discovery, enumeration, and scanning techniques, and also for network vulnerability exploitation. We also need at least two firewalls: the Windows built-in software firewall and the router's built-in firewall function.
Firewalls are necessary for learning different scanning techniques and for detecting firewall rules. Additionally, any IPS can be used for practising evasion techniques.
A web server, a website, and a web application are necessary for learning how to find and exploit OWASP TOP 10 vulnerabilities. Although a Web Application Firewall (WAF) is not necessary, it helps to take web penetration testing skills to a higher level.
An FTP service is an ideal target for practising password brute-forcing. Microsoft domain services are necessary to understand and try Windows domain password and hash attacks, including relaying. This is why we need at least one network service with remote password authentication, and at least one Windows domain controller with two Windows workstations.
A wireless access point is essential for performing various wireless attacks, but it is better to combine the LAN router and the Wi-Fi access point in one device, so we will use a Wi-Fi router with several LAN ports. A RADIUS server is necessary for practising attacks on WLANs with WPA-Enterprise security.
A laptop and a tablet PC with any Wi-Fi adapters will serve as the attacker and the victim in wireless attacks.
Tunnelling techniques can be practised on any two hosts; it does not matter whether they run Windows or any other OS.
Testing and modifying exploits, as well as fuzzing and vulnerability research, need a debugger installed on a vulnerable host.
To document a penetration testing process, one can use any text processor, but there are several specialized software solutions that make the job much more comfortable and easier.
In the second step, we determined which software and hardware we can use as instances of the chosen component types and set their importance, based on a common lab for a penetration tester at the basic and intermediate professional levels.
In the third step, we established which solutions suit our tasks and what we can afford. I have tried to choose the cheaper option, which is why I am going to use virtualization software. The ASUS WL-520gc router combines the LAN router and the Wi-Fi access point in the same device, so it is cheaper and more convenient than using dedicated devices. A laptop and a tablet PC were also chosen for practising wireless attacks, although that is not the cheapest solution.
In the fourth step, we designed our lab network based on the determined resources. We chose to put all the hosts in the same subnet to keep the lab setup simple. The subnet has its own DHCP server to dynamically assign network addresses to hosts.
Let me give you an account of alternative ways to plan the lab environment details.
It is not necessary to use a laptop as the attacker machine and a tablet PC as the victim; you just need two PCs with Wi-Fi adapters attached to perform various wireless attacks.
As an alternative to virtual machines, a laptop and a tablet PC, or old unused computers (if you have them), can also serve as hardware hosts. There is only one condition: their hardware resources must be sufficient for the planned OSs to work.
An IPS can be either software or hardware, but hardware systems are more expensive. For our needs, it is enough to use any freeware Internet security suite that includes both firewall and IPS functionality.
It is not essential to choose the same OSs I have chosen in this chapter; you can use any other OS that supports the required functionality. The same is true of network services: it is not necessary to use an FTP service; you can use any other service that supports network password authentication, such as telnet or SSH.
If you need to test new or modified exploits and perform vulnerability research, you will additionally have to install a debugger on one of the victim workstations.
Finally, you can use any other hardware or virtual router that supports LAN routing and Wi-Fi access point functionality. A dedicated LAN router connected to a separate Wi-Fi access point is also suitable for the lab.
Here, I want to list some pros and cons of the different virtualization solutions in table format:
Solution | Pros | Cons
VMware ESXi | |
VMware Workstation | |
VMware Player | |
Microsoft Virtual PC | |
Oracle VirtualBox | |
Here, I have listed only the leaders of the virtualization market in my opinion. Historically, I am mostly accustomed to VMware Workstation, but of course, you can choose any other solution that you may like.
You can find more comparison info at http://virt.kernelnewbies.org/TechComparison.
This article explained how you can plan your lab environment.