
Getting ready

To get the best result from your lab, you should plan it properly first. Your lab will be used to practise certain penetration testing skills, so to plan the lab environment you should first consider which skills you want to practise. Although you may have uncommon or even unique reasons to build a lab, here is a typical list of skills one might need to practise:

  • Essential skills
    • Discovery techniques

    • Enumeration techniques

    • Scanning techniques

    • Network vulnerability exploitation

    • Privilege escalation

    • OWASP TOP 10 vulnerabilities discovery and exploitation

    • Password and hash attacks

    • Wireless attacks

  • Additional skills
    • Modifying and testing exploits

    • Tunneling

    • Fuzzing

    • Vulnerability research

    • Documenting the penetration testing process

All these skills are applied in real-life penetration testing projects, depending on the project’s depth and the penetration tester’s qualifications. These skills can be practised in three lab types or their combinations:

  • Network security lab

  • Web application lab

  • Wi-Fi lab

I should mention that the lab planning process for each of the three lab types listed consists of the same four phases:

  1. Determining the lab environment requirements: This phase helps you to actually understand what your lab should include. In this phase, all the necessary lab environment components should be listed and their importance for practising different penetration testing skills should be assessed.

  2. Determining the lab environment size: The number of various lab environment components should be defined in this phase.

  3. Determining the required resources: The point of this phase is to choose which hardware and software could be used for building the lab with the specified parameters and fit it with what you actually have or are able to get.

  4. Determining the lab environment architecture: This phase designs the network topology and network address space.

How to do it…

Now, I will describe step by step how to plan a common lab that combines all three lab types listed in the preceding section, using the following four-phase approach:

  1. Determine the lab environment requirements:

    To fit our goal and practise particular skills, the lab should contain the following components:

    | Skills to practice | Necessary components |
    |---|---|
    | Discovery techniques; Enumeration techniques; Scanning techniques; Network vulnerability exploitation | Several different hosts with various OSs; Firewall; IPS |
    | OWASP TOP 10 vulnerabilities discovery and exploitation | Web server; Web application; Database server; Web Application Firewall |
    | Password and hash attacks | Workstations; Servers; Domain controller; FTP server |
    | Wireless attacks | Wireless router; Radius server; Laptop or any other host with Wi-Fi adapter |
    | Modifying and testing exploits | Any host; Vulnerable network service; Debugger |
    | Privilege escalation | Any host |
    | Tunnelling | Several hosts |
    | Fuzzing; Vulnerability research | Any host; Vulnerable network service; Debugger |
    | Documenting the penetration testing process | Specialized software |

    Now, we can make our component list and define the importance of each component for our lab (importance ranges from the least important, Additional, to the most important, Essential):

    | Components | Importance |
    |---|---|
    | Windows server | Essential |
    | Linux server | Important |
    | FreeBSD server | Additional |
    | Domain controller | Important |
    | Web server | Essential |
    | FTP Server | Important |
    | Web site | Essential |
    | Web 2.0 application | Important |
    | Web Application Firewall | Additional |
    | Database server | Essential |
    | Windows workstation | Essential |
    | Linux workstation | Additional |
    | Laptop or any other host with Wi-Fi adapter | Essential |
    | Wireless router | Essential |
    | Radius server | Important |
    | Firewall | Important |
    | IPS | Additional |
    | Debugger | Additional |

  2. Determine the lab environment size:

    In this step, we should decide how many instances of each component we need in our lab. We will count only the essential and important components’ numbers, so let’s exclude all additional components. This means that we’ve now got the following numbers:

    | Components | Number |
    |---|---|
    | Windows server | 2 |
    | Linux server | 1 |
    | Domain controller | 1 |
    | Web server | 1 |
    | FTP Server | 1 |
    | Web site | 1 |
    | Web 2.0 application | 1 |
    | Database server | 1 |
    | Windows workstation | 2 |
    | Host with Wi-Fi adapter | 2 |
    | Wireless router | 1 |
    | Radius server | 1 |
    | Firewall | 2 |

  3. Determine required resources:

    Now, we will discuss the required resources:

    • Servers and victim workstations will be virtual machines running on VMware Workstation 8.0. To run the virtual machines without any trouble, you will need an appropriate hardware platform based on a CPU with two or more cores and at least 4 GB RAM.

    • Windows servers will run Microsoft Windows 2008 Server and Microsoft Windows Server 2003.

    • We will use Ubuntu 12.04 LTS as the Linux server OS. Workstations will run Microsoft Windows XP SP3 and Microsoft Windows 7.

    • An ASUS WL-520gc will be used as the LAN and WLAN router.

    • Any laptop will serve as the attacker’s host.

    • A Samsung Galaxy Tab (or another device supporting Wi-Fi) will serve as the Wi-Fi victim.

    We will use free software for the web server, the FTP server, and the web application, so no additional hardware or financial resources are needed to meet these requirements.

  4. Determine the lab environment architecture:

    Now, we need to design our lab network and draw a scheme:

    Address space parameters

    • DHCP server: 192.168.1.1

    • Gateway: 192.168.1.1

    • Address pool: 192.168.1.2-15

    • Subnet mask: 255.255.255.0

How it works…

In the first step, we discovered which types of lab components we need by determining what could be used to practise the following skills:

  • All OSs and network services are suitable for practising discovery, enumeration, and scanning techniques and also for network vulnerability exploitation. We also need at least two firewalls: the Windows built-in firewall and the router’s built-in firewall functions.

  • Firewalls are necessary for learning different scanning techniques and how to detect firewall rules. Additionally, you can use any IPS for practising evasion techniques.

  • A web server, a website, and a web application are necessary for learning how to discover and exploit OWASP TOP 10 vulnerabilities. Though a Web Application Firewall (WAF) is not necessary, it helps to raise web penetration testing skills to a higher level.

  • An FTP service is ideal for practising password brute-forcing. Microsoft domain services are necessary to understand and try Windows domain password and hash attacks, including relaying. This is why we need at least one network service with remote password authentication and at least one Windows domain controller with two Windows workstations.

  • A wireless access point is essential for performing various wireless attacks, but it is better to combine the LAN router and the Wi-Fi access point in one device. So, we will use a Wi-Fi router with several LAN ports. A Radius server is necessary for practising attacks on WLANs with WPA-Enterprise security.

  • A laptop and a tablet PC with any Wi-Fi adapters will work as the attacker and the victim in wireless attacks.

  • Tunnelling techniques can be practised between any two hosts; it does not matter whether we use Windows or any other OS.

  • Testing and modifying exploits, as well as fuzzing and vulnerability research, need a debugger installed on a vulnerable host.

  • To properly document a penetration testing process, one can use just any text processor software, but there are several specialized software solutions that make the task much more comfortable and easier.

In the second step, we determined which software and hardware we can use as instances of chosen component types and set their importance based on a common lab for a basic and intermediate professional level penetration tester.

In the third step, we understood which solutions will be suitable for our tasks and what we can afford. I have tried to choose a cheaper option, which is why I am going to use virtualization software. The ASUS WL-520gc router combines the LAN router and Wi-Fi access point in the same device, so it is cheaper and more comfortable than using dedicated devices. A laptop and a tablet PC are also chosen for practising wireless attacks, but it is not the cheapest solution.

In the fourth step, we designed our lab network based on the resources we determined. We have chosen to put all the hosts in the same subnet to make the lab easier to set up. The subnet has its own DHCP server to dynamically assign network addresses to hosts.
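The address plan from the fourth step can be checked against the component counts from the second step before any DHCP server is configured. The following Python check is an added example, not part of the original article; which components need their own address (the True/False flags) is an assumption of the example.

```python
import ipaddress

# Address space parameters from step 4 of the plan.
SUBNET = ipaddress.ip_network("192.168.1.0/255.255.255.0")
GATEWAY = ipaddress.ip_address("192.168.1.1")  # also the DHCP server
POOL = (ipaddress.ip_address("192.168.1.2"), ipaddress.ip_address("192.168.1.15"))

# Component counts from step 2. The True/False flag is this example's
# assumption about which components need their own DHCP lease in the worst
# case (every service on a separate host). The web site and web application
# run on the web server, the two firewalls are the built-in Windows and
# router ones, and the router holds the gateway address itself.
COMPONENTS = {
    "Windows server": (2, True),
    "Linux server": (1, True),
    "Domain controller": (1, True),
    "Web server": (1, True),
    "FTP server": (1, True),
    "Web site": (1, False),
    "Web 2.0 application": (1, False),
    "Database server": (1, True),
    "Windows workstation": (2, True),
    "Host with Wi-Fi adapter": (2, True),
    "Wireless router": (1, False),
    "Radius server": (1, True),
    "Firewall": (2, False),
}

def leases_needed(components):
    """Number of hosts that must receive an address from the pool."""
    return sum(count for count, needs_lease in components.values() if needs_lease)

def check_plan(subnet, gateway, pool, components):
    """Return (problems, leases needed, pool size) for an address plan."""
    first, last = pool
    problems = []
    if gateway not in subnet:
        problems.append("gateway is outside the subnet")
    if first not in subnet or last not in subnet or first > last:
        problems.append("address pool is not a valid range inside the subnet")
    if first <= gateway <= last:
        problems.append("gateway address is inside the DHCP pool")
    size = int(last) - int(first) + 1
    needed = leases_needed(components)
    if needed > size:
        problems.append(f"pool has {size} addresses but {needed} hosts need one")
    return problems, needed, size

print(check_plan(SUBNET, GATEWAY, POOL, COMPONENTS))  # ([], 12, 14)
```

Under these assumptions the pool of 14 addresses covers the 12 hosts with two leases to spare, so adding the Additional components (for example, a FreeBSD server and a Linux workstation) would use up the remaining addresses.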

There’s more…

Let me give you an account of alternative ways to plan the lab environment details.

Lab environment components variations

It is not necessary to use a laptop as the attacker machine and a tablet PC as the victim – you just need two PCs with connected Wi-Fi adapters to perform various wireless attacks.

As an alternative to virtual machines, a laptop and a tablet PC, or old unused computers (if you have them), could also be used as hardware hosts. There is only one condition: their hardware resources should be enough for the planned OSs to work.

An IPS can be either software or hardware, but hardware systems are more expensive. For our needs, it is enough to use any freeware Internet security software that includes both firewall and IPS functionality.

It is not essential to choose the same OS as I have chosen in this chapter; you can use any other OSs that support the required functionality. The same is true about network services – it is not necessary to use an FTP service; you can use any other service that supports network password authentication such as telnet and SSH.

You will additionally have to install a debugger on one of the victim workstations in order to test new or modified exploits and perform vulnerability research, if you need to.

Finally, you can use any other hardware or virtual router that supports LAN routing and Wi-Fi access point functionality. A connected, dedicated LAN router and Wi-Fi access point are also suitable for the lab.

Choosing virtualization solutions – pros and cons

Here, I want to list some pros and cons of the different virtualization solutions in table format:

| Solution | Pros | Cons |
|---|---|---|
| VMware ESXi | Enterprise solution; Powerful solution; Easily supports a lot of virtual machines on the same physical server as separate partitions; No need to install the OS | Very high cost; Requires a powerful server; Requires processor virtualization support |
| VMware Workstation | Comfortable to work with; User-friendly GUI; Easy to install; Virtual *nix systems work fast; Works better with virtual graphics | Shareware; Sometimes faces problems with USB Wi-Fi adapters on Windows 7; Demanding on system resources; Does not support 64-bit guest OS; Virtual Windows systems work slowly |
| VMware Player | Freeware; User-friendly GUI; Easy to install | Cannot create new virtual machines; Poor functionality |
| Microsoft Virtual PC | Freeware; Great compatibility and stability with Microsoft systems; Good USB support; Easy to install | Works only on Windows and only with Windows; Does not support a lot of features that competing solutions do |
| Oracle VirtualBox | Freeware; Virtual Windows systems work fast; User-friendly GUI; Easy to install; Works on Mac OS and Solaris as well as on Windows and Linux; Supports the “Teleportation” technology | Paid USB support; Virtual *nix systems work slowly |

Here, I have listed only what are, in my opinion, the leaders of the virtualization market. Historically, I am mostly accustomed to VMware Workstation, but of course, you can choose any other solution that you may like.

You can find more comparison info at http://virt.kernelnewbies.org/TechComparison.

Summary

This article explained how you can plan your lab environment.
