Penetration testing

How to make your own penetration testing lab

Howard Poston
July 31, 2018 by
Howard Poston

If you want to go into penetration testing, a home lab is a must. In this article, we’ll discuss why a home lab can be useful, the pros and cons of virtualization and the cloud for a lab environment, and the tools and devices that a pentesting lab can and should include.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Why set up a home pentesting lab?

The obvious reason for setting up a home pentesting lab is to provide a convenient way to test new pentesting skills and software. But beyond convenience, there are several reasons why setting up your own isolated lab is a good idea.

A home pentesting lab is a good way to hone skills while staying out of legal trouble. Hacking into other people’s computers and networks is illegal without prior consent, but it’s perfectly legal to set up your own lab that mimics someone else’s environment and then pentest your copy.

Penetration testing in an isolated lab is also good from a security standpoint. Some penetration-testing tools and techniques have the potential to damage or destroy the target computer or network. If malware is used in testing, there is the potential for infection and spread if testing in an Internet-connected testbed. A standalone, isolated testbed guarantees that the effects of the testing are limited to the lab hardware and software.

Finally, setting up a home pentesting lab can be useful for research and development of new pentesting tools and techniques. An isolated lab provides a controlled environment for testing and the ability to configure the target to the exact specifications needed for the test.

Virtualization and cloud technology

A major decision to make when setting up a pentesting environment is whether to use physical hardware, virtualization or a mix. Both approaches have their advantages and disadvantages.

Some of the main advantages of virtualization are cost and scalability: a single physical machine can host one or more pentesting machines and the entire target network. Virtual machines also provide snapshot functionality, making it trivial to save the current state of a machine and clean up an infected machine.

The main advantages of physical devices are simulation accuracy and the types of devices available. Virtual machines do not always accurately mimic the functionality of a physical machine, so techniques that work on a physical machine may not work on a virtual machine and vice versa. The Apple OS can only legally be run on Apple hardware and WiFi is currently only available with physical appliances.

To start, a fully or primarily virtualized environment is probably the best way to go for a pentesting environment. Cheap hardware may be available secondhand to increase testbed capacity and realism. Over time, a hybrid testbed taking advantage of the scalability of virtualization and the authenticity of physical hardware is the best design.

Getting started with virtual machines

Virtualization technology is a huge force multiplier, allowing a single host machine to support several different virtual machines. With the advent of cloud computing and Infrastructure as a Service (IaaS), the options have expanded further to allow virtual machines to be hosted on the cloud rather than on owned physical devices. In this section, we’ll explore how to set up a virtual machine locally or on the cloud and how to install software on a VM.

Cloud-based

Cloud technology has made it possible to offload virtual machine hosting to external servers. Providers also make certain hardware available on demand, which can be useful for penetration testers. For example, GPU access can be rented to speed password-cracking operations.

Amazon EC2 is a commonly used service for cloud-based virtual machines. After registering for an EC2 account, users can find Amazon-provided walkthroughs for setting up an instance of a Windows or Linux virtual machine.

Locally-hosted

Locally hosting virtual machines is also an option using VMware or Virtualbox. Once the hosting software is installed, creating a new virtual machine can be accomplished either through importing an existing VM image or creating one from an installation disk.

Virtual machines can be saved to a file for duplication or transfer between computers. Both VMware and Virtualbox have their own proprietary formats (which tools exist to convert between), but the OVA file format can be used in either. Instead of creating a new virtual machine, choose to import one and point the software to the OVA file to load an existing VM.

Virtual machines can also be set up from an installation disk just like installing a new operating system on a physical computer. Disk files are usually stored in the ISO file format. Linux distributions are freely available for download, including the Ubuntu and Kali variants. Windows offers downloads of its operating system ISOs with a valid product key. Unfortunately, Apple does not allow its operating system to be run on anything except Mac hardware.

Installing software on the VM

Installing software on a virtual machine works the same way as installing it on a normal computer. Software can either be downloaded from the Internet from within the VM or downloaded to the host computer and transferred to the VM from there. Virtualbox and VMware even have the functionality to allow the VM to use the host machine’s CD/DVD drive and USB ports to allow programs to be installed from removable media.

What do I need for my lab?

For the beginning pentester, a pentesting lab only needs to include a vulnerable target computer and a pentesting computer. However, as skill levels and the need for realism increase, the number and complexity of the targets will need to grow, and more components will be added to the target network. In this section, we’ll talk about setting up basic targets, how to grow the complexity of the target network, and what a good pentesting machine looks like.

The target

The design of the target environment in a pentesting lab should depend on the skill level of the pentester and the goal of the pentesting exercise. A beginning pentester should start with a simple environment and add complexity as needed. A pentester preparing for an engagement or testing a new tool or technique should design the lab network to mimic the target as closely as possible. By starting with a vulnerable target and adding complexity as needed, a pentester can design an environment with exactly the right level of complexity to suit their needs.

Getting started with vulnerable targets

If you’re just starting as a pentester, you may not know what makes a target vulnerable or not or how to configure a target to be vulnerable to a given type of attack. Luckily, several individuals and organizations have done most of the work for you and provide downloadable vulnerable target machines.

Setting up a computer to be vulnerable can be a lot of work. Several websites offer free downloads of preconfigured vulnerable targets. The following examples are “whole packages,” including a virtual machine image preconfigured to be vulnerable. A quick web search will reveal other packages that require installation on an existing VM or computer.

As its name suggests, DVWA (Damn Vulnerable Web Application) is a web application designed to have built-in vulnerabilities. It is written in PHP and MySQL and is designed to be vulnerable to cross-site scripting, SQL injection and other web-based attack vectors.

Metasploitable is a virtual machine created by Rapid7, the developers of the pentesting tool Metasploit. Metasploitable is designed to be vulnerable to the attacks included in the Metasploit framework.

The Web Security Dojo by Maven Security is another web security pentesting target. Built on Xubuntu, it also includes the tools necessary to exploit it, combining the roles of target and pentesting machine.

Google Gruyere is a vulnerable web application hosted online. Using it requires Internet access for the pentesting machine; this separates it from the others listed here, which should be run in a sandboxed environment.

Target network upgrades

The simplest pentesting network is a target machine and a pentesting machine (which may both be the same computer). However, as a pentester’s skills and needs increase, a larger, more complex network will be needed.

The simplest way to increase the complexity of a pentesting network is to increase the number of targets in the network. By setting up a variety of machines with different operating systems and services, a pentester can gain familiarity with how different computers look from an attacker’s perspective.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Another simple way of increasing difficulty is upgrades to services installed on target machines. Vulnerable machines like Metasploitable are intentionally running versions of software known to be vulnerable to certain types of attacks. Incremental upgrades to installed software and researching the vulnerability reports associated with the given version of the software provides an in-depth understanding of the software’s internals and a walk through increasingly difficult types of attacks.

Finally, the complexity of a pentesting target environment can be increased by expanding the threat surface of the network. This can be accomplished by expanding the types of service running, including email, web, FTP, database and file servers. Network-level modifications like adding routers and services like DHCP and DNS change the landscape of the target network. Including firewalls and other security measures like PKI, IDS/IPS and SIEM increases the difficulty of the pentesting exercise. Finally, the type of networking can be expanded by adding WiFi, Bluetooth and Near Field Communications (NFC) functionality.

The pentesting machine

Now that we’ve covered how to design a good target environment, it’s time to consider the pentesting machine. In general, it’s best to have both a Windows and a Linux box for pentesting as different tools and functionality are available on each. There are two methods for setting up a pentesting machine: downloading a preconfigured machine or building your own.

For a novice pentester, downloading a preconfigured pentesting machine is probably the better choice. The Kali distribution of Linux (formerly called Backtrack) is freely available and comes with many of the common Linux-based pentesting tools built-in. Download Kali Linux here.

If you choose to setup your own pentesting machine, there are a few basic types of pentesting tools that should be included.

Basic network utilities

Basic network utilities are a must-have on a pentesting machine. Examples include FTP for file transfer, SSH for interacting with a target machine and Telnet for manually interacting with available services.

Metasploit

Metasploit is an exploit framework with many built-in exploits and payloads. A GUI frontend for Metasploit, called Armitage, is also available.

Notepad application

When performing a penetration test, it is important to keep track of previous stages and collected information. For this reason, a pentesting machine should include an easy-to-use notepad application that the pentester is familiar and comfortable with.

Packet capture

Observing the network traffic of a target network is a vital part of both the reconnaissance and attack phases of a pen test. Wireshark is a commonly-used and powerful packet capture utility.

Password cracker

In most cases, passwords retrieved during a pentesting engagement are stored in a hashed format. In order to determine the true password, a password cracker like John the Ripper is necessary.

Port scanner

A port scanner is used to identify open ports and services running on a target computer. A simple and widely-used port scanner is Nmap, which is also available in a GUI-based form called Zenmap.

Scripting environment

Automation is a penetration tester’s best friend. During and between engagements, it may be helpful to automate a simple or repetitive task. Having an environment setup for developing simple scripts in Python or Ruby can save time in the long run.

Vulnerability scanner

A vulnerability scanner is an automated solution for finding potential security vulnerabilities in a target machine. Tools like Nessus, Nikto and OpenVAS perform a scan of a target and provide a human-readable report about potential security holes.

Web proxy

When pentesting web applications, the ability to view and modify traffic between the browser and the server can be invaluable. Web proxies like the Burp Suite intercept web traffic for a computer, allowing it to be dropped or modified before forwarding.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Conclusion

Whether you’re a novice or an experienced professional pentester, having a home lab is essential. At some point, everyone is going to come across a new situation or have a cool idea and need to do some testing. For reasons of ethics and security, that testing needs to be done in an isolated environment like a pentesting lab.

Building a pentesting lab is fairly easy, as it’s possible to start small and build up over time. The simplest lab can be created using a couple of virtual machine images available as a free download and complexity can be added as it becomes necessary. If you’re interested in getting started in penetration testing, set up a simple lab, find a website with a couple of sample exercises and start playing around!

Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.