SANS Penetration Testing

Building a Pen Test Lab - Hardware for Hacking at Home on the Cheap

[Editor's Note: Jeff McJunkin shares some insight into building a good virtualization infrastructure for practicing your pen test skills, evaluating tools, and just plain becoming a better penetration tester, all without breaking the bank. Nice! -Ed.]

By Jeff McJunkin

Practical, hands-on experience is a good thing, right? As good as it is though, it doesn't excuse accidentally taking down your employer's production environment while doing some testing.

While NetWars (obligatory plug for my new employer) is great for getting this experience, it doesn't fit every situation. For example, if one of your servers crashed while being scanned by Nessus, you might want to isolate exactly which plugin is causing the crash, while avoiding future production outages.

Having a home lab with a trial version of the software creates a safe environment for otherwise disruptive testing and facilitates fast learning. It's hard to beat not only learning the attacks, but observing the artifacts those attacks leave behind, defending against them, and creating signatures to detect further attempts!

In this post, we'll discuss several hardware options for home labs at different price points. Since many employers don't have test labs, it often falls on the employee to keep up-to-date on the latest operating systems, software, and offensive/defensive techniques.

Depending on interest, we might do a follow-up post with a comparison of different virtualization software. Because many people already have some experience with it, though, VMware products are tough to beat. For dedicated machines, people often use VMware vSphere Hypervisor (ESXi), which is free.

Depending on your price point, there are a few approaches.

Price point: $0 - Re-Use Existing Hardware

At this price point, of course, you'll need to re-use existing hardware. Depending on the horsepower behind your personal computers, though, this might be enough. The main bottlenecks for virtual machines are, in order, memory, hard disk, and then CPU. With 8GB of RAM, you should be able to run 2-3 VM's in VMware Workstation / Player, which is sufficient for many labs. With 16GB, you'll be able to run enough VM's that your new bottleneck will be a single hard drive, if that's what you have. Replacing it with an SSD (such as the Samsung model recommended below) will allow you to scale to 5-7 simultaneous VM's, though hosted virtualization platforms (Type 2) tend to be less efficient than a bare-metal (Type 1) hypervisor such as ESXi or Xen.

Price point: ~$300 - HP N54L G7

Though you won't be able to get a system capable of running more than a couple of VM's at this price point, by getting the N54L you'll have a system you can upgrade over time. The rig I've linked to below comes with a 250GB hard drive and 2GB of RAM. Though not listed as compatible, many 16GB (2x8GB) memory kits work in it, including the one linked below.

When combined with a local SSD and several spinning disks (from the Storage section), the N54L can run quite a few VM's simultaneously, and should meet the needs of almost all virtual labs.

Amazon link: HP N54L G7

Amazon link: Kingston 16GB (2x8GB) memory kit

Price point: $600+ - Build Your Own

At this price point you can build an increasingly powerful home server. The trick in building your own virtualization host from scratch is normally finding a combination that works with the limited hardware compatibility of ESXi, but luckily this recommendation is well-vetted.

The advantage of this build compared to the N54L is the long-term upgradeability and increased capacity (32GB memory, six 3.5" drives and two 2.5" drives, more PCI-e slots, etc.).

You'll need to add some local storage from the below section or elsewhere, but these parts get you a working installation. You can re-use existing drives if you have them available, of course, which further reduces your initial costs.

Amazon link: Antec Three Hundred Two Case

Amazon link: Rosewill CAPSTONE-550 Power Supply

Amazon link: ASRock 970 EXTREME3 Motherboard

Amazon link: AMD FX-8320 Processor

Amazon link: Kingston Hyper-X 16GB Memory Kit (2x8GB) (The motherboard supports two of these kits, but you can buy one at first if you need to spend the money elsewhere)

Amazon link: SanDisk Cruzer Fit 16GB USB drive (you'll install ESXi on a USB drive so other drives can be fully utilized for VM's)

Storage

Depending on your needs and budget, there are a lot of options for VM storage. Though you may need to stick with spinning drives at first for cost reasons, I'd recommend purchasing a solid-state drive as soon as you can. Prices have been coming down, and $500 for one terabyte of SSD should fulfill nearly all VM storage requirements.

Amazon link: Samsung 840 Series 1TB SSD (smaller sizes available)

Amazon link: Western Digital Red 4TB Hard Drive (smaller sizes available)

Amazon link: Icy Dock EZConvert 2.5" to 3.5" Drive Tray (for putting an SSD into the N54L - the Antec case can fit two SSD's without this adapter)

-Jeff McJunkin
Counter Hack
SANS Instructor

 

SANS Note:

Jeff McJunkin is teaching SANS SEC560: Network Penetration Testing and Ethical Hacking at SANS Charlotte 2017 in June 2017.

Learn more: https://www.sans.org/event/charlotte-2017/course/network-penetration-testing-ethical-hacking


13 Comments

Posted February 27, 2014 at 2:33 PM | Permalink | Reply

Jim C

Great post - I wish I had these recommendations before I built my last machine. It would have saved me a lot of time.
By the way - the link for the HP N54L G7 on Amazon also links to the memory. But I think most people know how to search Amazon.

Posted February 27, 2014 at 2:49 PM | Permalink | Reply

Ed Skoudis

Thanks, Jim! We're fixing the links now. Much appreciated.

Posted February 27, 2014 at 3:08 PM | Permalink | Reply

Igor

This is great information, thanks a lot.
Now it would be great to get something similar but about software to test against.
I know this is the Pen Test blog, but do you have any recommendations for Home made Honey Pots?
Cheers,
Igor

Posted February 27, 2014 at 4:28 PM | Permalink | Reply

Taylor

Great article Ed! Keep these coming. I have used VirtualBox for a number of years with success. Question: Do you use the machine as a dedicated virtual server for test VM's or test the virtual machines from the host?
This may not be the place to put this, but I would like to see an article from you that outlines the top 5 or 10 tools that every InfoSec professional should know and why. I would also like to see a post about how to get started in the InfoSec community and what you need to know to be relevant in the field. And finally, I would like you to do an article that outlines a successful Pentest attack in a lab environment speaking specifically as to why you did it and what it accomplished.
As you can tell, I am a noob and respect the knowledge that you have attained over the years. It is hard to start out because very few people believe in the concept of security by offense. Schools don't teach it and it makes for an unprepared and irrelevant security professional that can spit out theory as if it was application.
Thanks again Ed! I look forward to your next post!

Posted February 28, 2014 at 3:39 PM | Permalink | Reply

Jeff McJunkin

Igor,
I don't believe honeypots have been covered on this blog before. I've thought about setting all my "spare" public IP addresses to point to a few different honeypots, but haven't yet implemented it.
For maximum interaction you can connect an unpatched XP SP0 workstation to the Internet (isolated from other systems, and with nothing sensitive, of course!) to see who takes it over first, and what they do with it. It'd be a very good forensics/IR challenge, as well!
We'll definitely take a look at writing a blog post on honeypots, in the next few weeks. Thanks for your suggestion! Our friends at the Internet Storm Center would appreciate more people running DShield, as well!

Posted February 28, 2014 at 3:42 PM | Permalink | Reply

Jeff McJunkin

Taylor,
As for whether I use the host as a dedicated machine or not, it depends on what hardware you have available. If I'm mocking up a lab on my laptop using VMware Workstation, for example, I'll also be using the laptop to interact with the VM's.
If I'm building something on my home lab, however, I'll interact with the VM consoles through the vSphere Client, usually from my laptop.
In short - if you can spare it and it makes sense, I prefer to dedicate a machine entirely to virtualization, and do my management elsewhere.

Posted February 27, 2014 at 8:36 PM | Permalink | Reply

Matt

Thanks for this post! We are in the process of building our lab now, and this is great information. We are also trying to find some older networking gear that is not being used, so we can test against that as well.
Thanks again!

Posted February 28, 2014 at 12:54 PM | Permalink | Reply

Ed Skoudis

Thank you, Taylor... but please remember that I'm just the humble little editor of this blog. The article was written by the amazing and talented Jeff McJunkin. I _really_ like your article idea about the top 5 or 10 tools and will work on it. Very nice! Thanks a bunch.

Posted February 28, 2014 at 3:33 PM | Permalink

Jeff McJunkin

Matt, as far as networking gear goes, you can go a long way without physical gear. You can make a virtual router (I like pfSense) and connect any number of virtual network cards to it, then have a number of isolated networks (think DMZ, intranet, server subnet, workstation subnet). Without physical networking gear, though, you'll only be able to access them through the host. Make sense? Of course, if you do have physical networking gear (like a Cisco 2960G), you can set up a trunk group between it and the ESXi host. In that case, your virtualization host can interact with multiple existing networks, which is ideal for some situations - like having a lab at work, for example.
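
The isolated-network layout described in the comment above, as an added example that is not part of the original post or comment thread: it prints the `esxcli` commands for one uplink-less standard vSwitch per segment, and checks `esxcli network vswitch standard list` output for lab switches that have a physical NIC attached (expected only if you deliberately set up the trunk case). The `lab-` prefix, segment names, `-pg` suffix and the sample listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the post or its comments). Assumed names: the "lab-"
# prefix, the four segment names, and the "-pg" port group suffix.
LAB_PREFIX="lab-"
SEGMENTS="dmz intranet servers workstations"

# Print the esxcli commands that create one standard vSwitch per segment.
# No "uplink add" is ever emitted, so each segment exists only inside the host;
# the router VM (pfSense in the comment) gets one virtual NIC per port group.
lab_network_commands() {
    for seg in $SEGMENTS; do
        sw="${LAB_PREFIX}${seg}"
        echo "esxcli network vswitch standard add --vswitch-name=${sw}"
        echo "esxcli network vswitch standard portgroup add --portgroup-name=${sw}-pg --vswitch-name=${sw}"
    done
}

# Read `esxcli network vswitch standard list` output on stdin and print every
# lab vSwitch that has a physical NIC attached, i.e. one that is no longer isolated.
uplinked_lab_switches() {
    awk -v prefix="$LAB_PREFIX" '
        $1 == "Name:"    { name = $2 }
        $1 == "Uplinks:" { if (index(name, prefix) == 1 && NF > 1) print name }
    '
}

# Constructed sample of the list output, trimmed to the fields the check reads.
SAMPLE_LIST='vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network
lab-dmz
   Name: lab-dmz
   Uplinks:
   Portgroups: lab-dmz-pg
lab-servers
   Name: lab-servers
   Uplinks: vmnic1
   Portgroups: lab-servers-pg'

# Review the commands first, then run them on the host:  lab_network_commands | sh
# Audit a live host:  esxcli network vswitch standard list | uplinked_lab_switches
printf '%s\n' "$SAMPLE_LIST" | uplinked_lab_switches
```

On the constructed sample the check reports `lab-servers`, the one lab switch with a `vmnic` uplink; `vSwitch0` is ignored because it is not a lab switch.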

Posted March 3, 2014 at 4:35 PM | Permalink | Reply

Taylor

Jeff,
Thanks for the follow up! I had assumed it would be dependent on resources. I am in the process of setting up an ESXi server so that I can host a number of VM's. I too like the idea of dedicated resources for the host machine and for the victims. I just wanted to make sure that I wasn't geeking out and wasting money unnecessarily.
I also saw your comment to another poster in regards to the virtual router... I have not used a virtual router before and I will certainly be looking into it.
Thanks again Jeff!

Posted March 1, 2014 at 12:01 AM | Permalink | Reply

Marius Corici

No need to build your own system anymore. You can start using CTF365.com as a PenTest Lab. Metasploitable in the cloud included. Another great advantage is that there are already over 90 servers up and running built by users so you'll compete against real users.

Posted May 16, 2016 at 5:00 PM | Permalink | Reply

Kevin Neely

Ongoing cost should also be a concern, and I'd look at some low-power options. A nice Intel NUC (expandable up to 32GB RAM now, making it okay for ESX) and some Raspberry Pis can make for a fairly robust testing network with very little power consumption over the long haul.

Posted May 17, 2016 at 7:07 PM | Permalink | Reply

Jeff McJunkin

Kevin,
Since the NUC does support 32GB now, relatively inexpensively (around $120 from Amazon), it can make sense for a lightly-loaded home lab. Prior to the 6th generation NUC, the only way to get 32GB was unsupported and fairly recent, with 16GB DDR3 modules that are fairly expensive. Being limited to only two cores (four with hyperthreading) is problematic for labs with more than a few VM's, though.
Adding Raspberry Pi's for specific items of interest can work well - good point! I'm thinking specifically of projects like Rapid SCADA (http://rapidscada.org/). Thanks for writing in, Kevin!
