Setting up a pen test lab

If you Google for this very same topic, you will be rewarded with a dozen different ways to do this.  My goal here is not to add to the collection of articles on the web with an ideal setup for you.  The purpose of this post is to show you how I setup my own pen testing lab for my purposes.

First things first, when setting up a lab, I determine what my goal for the lab will be.  In this case, pen testing.  Pen testing what?  Great question, glad you asked.  My goal with this lab setup is to create an environment that is extremely similar to what you may find in the wild within any organization’s infrastructure.  This includes a mix of Windows servers and workstations, Linux, Oracle Application Servers, Databases and the like.  Luckily it is pretty easy to do this, and can be done extremely cheap, if not for free.

My first step would be to download and install the latest virtualization software.  In the past I used to use an offering from VMware, however, for quick setup and maintenance, I find Oracle’s Virtualbox to be my cup of tea.  After installing Virtualbox, my next step is to create virtual machines that will serve as my attack targets.

Here’s a brief listing of places I use to find my possible targets:

• Ubuntu Desktop
• Ubuntu Server 
• Fedora
• Apache HTTP Server
• Apache Tomcat
• PHP - Various versions
• MySQL
• Microsoft IIS Server (v6.0 - 7.5)
• Windows 2003 Server - MSDN subscription
• Windows 2008 Server - MSDN subscription
• Windows XP SP3 - Buy an OEM install disc ~$100
• Windows 7 - Buy an OEM install disc ~$100 or MSDN subscription
• Windows 8 Developer Preview - Free
• ASP.NET
• Oracle 10g - Express Edition
• Oracle 11g - Express Edition
• SAN resources* - different vendors will allow you to evaluate their offerings and provide images (search!)

For my testing purposes, I will always download the 32-bit architecture (unless it’s a 64-bit only server) of an image and load it into Virtualbox.  Using the aforementioned ground breaking internet search engine, Google…you can find tutorials on how to do such a thing.

After creating the virtual machine and installing my images, I want to also create an attack machine(s) to be used against these targets.  Keep in mind, every virtualization software is different, in Virtualbox, we want to make sure that all our targets and attack machines are set to use the ‘Internal Network’ only.  This way they can all communicate with each other within the virtual environment.  If you don’t adjust this setting you will find very quickly that you won’t be able to test properly.

My attack machines include:

• Dedicated BackTrack 5 R1 VM - this comes with the metasploit framework (don’t forget to msfupdate!)
• Dedicated WinXP VM to run windows only tools such as Cain & Abel
• Dedicated Web App Testing VM - contains Burp, Firefox w/ specific pen testingaddons and more, Nessus, skipfish, etc
• OS X running another instance of Virtualbox w/ BackTrack 5 R1
• a great list of more live CD’s for pen testing attack machines

My recommendations:

1. Virtualize everything if you can, sometimes you can’t virtualize it all, but it cuts costs down.
2. Make sure the host computer you are using has plenty of hard drive space and plenty of RAM.  (I highly suggest 8GB of memory)
3. Dual monitor setups are your friend.  You can do more, however, I find 2 works nicely.
4. "A penetration tester is only as good as his/her tools" is only partly true.  Compiling a great collection of tools and other resources is extremely helpful, however, being able to master them is what separates script kiddies from true professionals; and
5. Knowledge of scripting languages is extremely helpful: Perl, Python, Ruby, and Tcl are great!
6. If you run into problems or have questions, search for answers!  Don’t give up, and if all else fails, ask me a question (see the link on the sidebar to the right)

Keep in mind this is not an exhaustive ‘tutorial’ or ‘guide’.  This should merely server as a launching point for you to start your adventures.  As with any ‘guide’, your mileage may vary, and you should adopt and adapt any of the information within this post as you see fit that suits your needs.  There is a myriad of different ways to setup a lab, there is no ‘right way.’