Remember those good ole days in the sandbox? Where you threw stuff around learned where the sand goes and… doesn’t go? Well we’ve graduated from the sandbox, but our hearts and minds are still wired to play there. Maybe that’s why we love offsec, let’s get to the point though… We made a lab.
We wanted to address pentest labs. In this post in particular, Network pentest labs (webapp will be a separate post, challenge sites will be as well)
We used an existing set of hack challenge ISO’s, sandbox VM’s, vulnerable software, and vulnerable OS’s to create a 6 target lab that can be expanded upon.
Props to @laz3r for the video and research he did for the project. No longer an intern, that didn’t last long did it? ;P
Here is what you need to download:
De-ICE Challenge Disks 1& 2 – Register for the Heorot.net forums to get DL access, http://forums.heorot.net/
pWnOS – Register for the Heorot.net forums to get DL access, http://forums.heorot.net/
Damn Vulnerable Linux – http://www.damnvulnerablelinux.org/ and add-ons at http://www.crackmes.de
BT4 – http://www.remote-exploit.org/backtrack_download.html
Windows XP SP2
Windows Server 2003
VMware Server – http://www.vmware.com/products/server/
This lab is focused on a virtual environment. Pentesting involves testing many different systems, so we recommend using VMware Server. The flexibility of deploying targets and then saving their default installs as snapshots is absolutely necessary. In a physical lab with an unconstrained budget we’d use pre-configured hard drives with images that we’d “hot swap” out depending on the engagement but we decided to go virtual to save a lot of headache and make it more modular.
In this sandbox we hone our skills with nmap, netcat, metasploit, hydra, nessus, exploit code, pivoting, clientsides, etc. – not necessarily in that order. We decided to keep everything off the interwebs as we did this setup. This way we won’t have to deal with letting our ISP know attack traffic might be coming from a machine or two.
First we Download pWnOS. pWnOS is a VM released by Heorot.net denizen bond00. Since it’s already in VM form we setup its network and launch the machine. This target is exploit centric differing slightly from our next target setups, the De-ICE disks. A quick ping sweep will verify it’s online. This target will require you to search for an exploit, compile it, and up priv. pWnOS is older and we couldn’t verify if the project is still maintained but we’d like to see someone pick up the torch.
Second you need to download the De-ICE pentest challenge disks. Thomas Wilhelm has created 3 attack challenge ISO’s . We’ll let you go about finding the vulnerabilities, but they work very well for showcasing mis-configuration testing and other attacks. We used the two level 1 disks, but he has a level 2 disc available also. You can expand the network to add that disk later if you chose to, it showcases a harder pentest situation. The De-ICE disks should be configured and setup as per our video. After that they just sit there for the plundering.
Next up is Damn Vulnerable Linux. DVL is an interesting platform. Not only is it a target, it’s also a testbed. DVL is very insecure, exploitable, but also contains a tutorial within itself for beginning exploit dev and cracking. Sometimes DVL is frustrating to use due to language barriers, but most of the time you can figure out the kinks. DVL is closely tied to the http://www.crackmes.de/ website where new challenges called “crackmes” and “exploitmes” can be downloaded. The forums there have a lot of info on the distro which is used to teach offensive security and reverse engineering to a broad skill set of Infosec folks in education environments in the EU.
Next up we setup our attack platform, Backtrack 4 (pre release). I’m pretty sure we all know BT as one of the industry default attack, audit, and testing environments. Some infosec professionals use their own home brewed distros. You could do this too. It’s just a pain to compile and setup all the tools. BT4 does all this for us, its stable, and made by some of the most brilliant minds in infosec. Regardless of which attack platform you use, we recommend keeping the remote-exploit forums in your links, as it is indispensable in troubleshooting common offsec tools.
Lastly we run some Microsoft boxes. We skipped setting up the 2003 box as a domain controller on the video… because that’s boring. This setup allows us to test software on MS platforms. What we will say is make snapshots of these installs and don’t delete them (after you setup the domain).
-The domain setup allows us to test post exploitation, account hijacking, client server packet sniffing, priv escalation, process migration (meterpreter goodness), pivoting, etc.
-Snapshots give us the capability to test old service packs or security updates on a regular basis, as well as analyze malicious code’s changes to the OS when a new conficker comes slithering around.
-The boxes themselves are also used for deploying vulnerable software to for testing exploits (don’t forget about clientsides) which can be downloaded from:
All in all, this setup seemed to support all our needs for a network pentesting lab. It has multiple OS’s, multiple targets, avenues for configuration testing, avenues for exploitation, and post exploitation. It is expandable with extra ISO’s, OS’s, updates, software, etc. We’re still working on adding some virtual devices to play with evasion, but that’s down the road. Remember that in any given engagement you can just add another OS like CentOS or Redhat to model your target.
We don’t know everything (in fact, we know very little) and we appreciate comments and emails about how to make this setup better. If you know of a testing distro we missed for network pentest labs let us know. Got a trick of the trade to make this better? Hit us up. We give credit.