[Chugalug] Looking for advice / fun discussion: Setting up a Pen Testing lab

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[Chugalug] Looking for advice / fun discussion: Setting up a Pen Testing lab

Lisa Harrison Ridley
Hey Chugalugers…..

I’m looking to add some penetration testing skillsets to my repertoire (mainly because it’s of interest to me, but also because I’m becoming bored with my current position).

I just downloaded the latest version of Kali Linux and set up a Virtualbox VM with Vagrant on my work machine, and I’m looking to set up a pen testing lab.  

I believe I have plenty of equipment here (I think, a lot of it is Apple centric):
* a MacBook Pro Quad core (my daily work machine), 
* an Asus Windows 10 Pro laptop quad core with 16G RAM (a work machine used for client developer training when the workforce uses Windows),
* a NetGear Nighthawk X6 R8000 router (my main router here for internet connectivity),
* a few Mac minis (two Core2Duos with 8G RAM, one dual core with 8G RAM, and there may two or three be some older 4G minis in the garage in a box),
* a quad core 32 GB linux laptop running Ubuntu 16.04 LTS, 
* a MacBook Pro dual core, 
* an iMac quad core with 32g RAM, 
* one or two MacBooks (plastic cases) with Core2Duos and 4G RAM,
* a 15” MacBook Pro Dual Core with 8G RAM,
* a second generation MacBook Air, dual core with 4G RAM,
* two or three retired Apple routers (all in working condition, but needed something to take advantage of GB internet),
* a couple of AppleTVs (one I use),
* an Amazon Fire device,
* an old Linksys router (has an older version of OpenWRT on it, currently retired),
* a couple of old Dells with Windows XP, Celeron machines with 4G RAM (I used them for browser testing IE 6/7 for a couple of years, haven’t been turned on in at least 4 years),
* 3 Intel Dual Core NUCs (two i5s and one i7) with 16G RAM running a couple of different versions of Debian, with SSDs in all of them,
* a cluster of 6 Raspberry Pi 3s (currently running Kubernetes and Docker with a Drupal / MySQL cluster install), networked with a Netgear gigabit 5 port switch), hooked to the Nighthawk router,
* Several different older Android and iOS devices (phones (iPhone 3S, 4, 6S) and tablets (some iPads, some older Samsung tables, and a Motorola tablet).

I think I have an old liquid cooled tower gaming machine with 8G RAM and a Pentium IV here somewhere too, in a box in the garage, that may or may not run.

(It’s ridiculous how much hardware you can accumulate, isn’t it?)

I can do pretty much what I want with all of the routers except the Netgear Nighthawk, and all of the machines except the MacBook Pro Quad Core and the Windows 10 Pro laptop, which belong to my employer. (I work from home and want to leave the Netgear router alone as it’s my primary internet connection).

For a good pen testing lab, given the equipment list above:

* what software would you install
* which machines would you use for what, and how would you configure them?  
* What hardware/software you would add to this, 
* What VMs you would set up in a cloud environment (I have active accounts Digital Ocean, Linode and RamNode).

(Let’s have some fun with this, go easy on my cloud pocketbook).




_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Reply | Threaded
Open this post in threaded view
|

Re: [Chugalug] Looking for advice / fun discussion: Setting up a Pen Testing lab

Stephen Kraus
Find a semi recent Xeon/Opteron machine and build a Xen or ESXi box, roll VMs, setup a basic network with firewall and router (pfsense is your friend here) and start building some target VMs.

On Mon, Jun 18, 2018, 12:41 AM Lisa Harrison Ridley <[hidden email]> wrote:
Hey Chugalugers…..

I’m looking to add some penetration testing skillsets to my repertoire (mainly because it’s of interest to me, but also because I’m becoming bored with my current position).

I just downloaded the latest version of Kali Linux and set up a Virtualbox VM with Vagrant on my work machine, and I’m looking to set up a pen testing lab.  

I believe I have plenty of equipment here (I think, a lot of it is Apple centric):
* a MacBook Pro Quad core (my daily work machine), 
* an Asus Windows 10 Pro laptop quad core with 16G RAM (a work machine used for client developer training when the workforce uses Windows),
* a NetGear Nighthawk X6 R8000 router (my main router here for internet connectivity),
* a few Mac minis (two Core2Duos with 8G RAM, one dual core with 8G RAM, and there may two or three be some older 4G minis in the garage in a box),
* a quad core 32 GB linux laptop running Ubuntu 16.04 LTS, 
* a MacBook Pro dual core, 
* an iMac quad core with 32g RAM, 
* one or two MacBooks (plastic cases) with Core2Duos and 4G RAM,
* a 15” MacBook Pro Dual Core with 8G RAM,
* a second generation MacBook Air, dual core with 4G RAM,
* two or three retired Apple routers (all in working condition, but needed something to take advantage of GB internet),
* a couple of AppleTVs (one I use),
* an Amazon Fire device,
* an old Linksys router (has an older version of OpenWRT on it, currently retired),
* a couple of old Dells with Windows XP, Celeron machines with 4G RAM (I used them for browser testing IE 6/7 for a couple of years, haven’t been turned on in at least 4 years),
* 3 Intel Dual Core NUCs (two i5s and one i7) with 16G RAM running a couple of different versions of Debian, with SSDs in all of them,
* a cluster of 6 Raspberry Pi 3s (currently running Kubernetes and Docker with a Drupal / MySQL cluster install), networked with a Netgear gigabit 5 port switch), hooked to the Nighthawk router,
* Several different older Android and iOS devices (phones (iPhone 3S, 4, 6S) and tablets (some iPads, some older Samsung tables, and a Motorola tablet).

I think I have an old liquid cooled tower gaming machine with 8G RAM and a Pentium IV here somewhere too, in a box in the garage, that may or may not run.

(It’s ridiculous how much hardware you can accumulate, isn’t it?)

I can do pretty much what I want with all of the routers except the Netgear Nighthawk, and all of the machines except the MacBook Pro Quad Core and the Windows 10 Pro laptop, which belong to my employer. (I work from home and want to leave the Netgear router alone as it’s my primary internet connection).

For a good pen testing lab, given the equipment list above:

* what software would you install
* which machines would you use for what, and how would you configure them?  
* What hardware/software you would add to this, 
* What VMs you would set up in a cloud environment (I have active accounts Digital Ocean, Linode and RamNode).

(Let’s have some fun with this, go easy on my cloud pocketbook).



_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Reply | Threaded
Open this post in threaded view
|

Re: [Chugalug] Looking for advice / fun discussion: Setting up a Pen Testing lab

Aaron welch
Yeah, I would follow Stephens suggestion and go the VM route.  I can even do some trading for a nice server for you to play with. ;-P

Using VMware will not only give you another set of skills, it can also allow you to replicate whole setups across virtual LAN/WAN links to really see how nasty you can get in a controlled space.

-Aaron

This was sent from my iPhone, so I apologize for any brevity or spelling errors. Siri also hates the southern accent and autocorrect is on a mission to give me an aneurysm.

On Jun 18, 2018, at 12:49 AM, Stephen Kraus <[hidden email]> wrote:

Find a semi recent Xeon/Opteron machine and build a Xen or ESXi box, roll VMs, setup a basic network with firewall and router (pfsense is your friend here) and start building some target VMs.

On Mon, Jun 18, 2018, 12:41 AM Lisa Harrison Ridley <[hidden email]> wrote:
Hey Chugalugers…..

I’m looking to add some penetration testing skillsets to my repertoire (mainly because it’s of interest to me, but also because I’m becoming bored with my current position).

I just downloaded the latest version of Kali Linux and set up a Virtualbox VM with Vagrant on my work machine, and I’m looking to set up a pen testing lab.  

I believe I have plenty of equipment here (I think, a lot of it is Apple centric):
* a MacBook Pro Quad core (my daily work machine), 
* an Asus Windows 10 Pro laptop quad core with 16G RAM (a work machine used for client developer training when the workforce uses Windows),
* a NetGear Nighthawk X6 R8000 router (my main router here for internet connectivity),
* a few Mac minis (two Core2Duos with 8G RAM, one dual core with 8G RAM, and there may two or three be some older 4G minis in the garage in a box),
* a quad core 32 GB linux laptop running Ubuntu 16.04 LTS, 
* a MacBook Pro dual core, 
* an iMac quad core with 32g RAM, 
* one or two MacBooks (plastic cases) with Core2Duos and 4G RAM,
* a 15” MacBook Pro Dual Core with 8G RAM,
* a second generation MacBook Air, dual core with 4G RAM,
* two or three retired Apple routers (all in working condition, but needed something to take advantage of GB internet),
* a couple of AppleTVs (one I use),
* an Amazon Fire device,
* an old Linksys router (has an older version of OpenWRT on it, currently retired),
* a couple of old Dells with Windows XP, Celeron machines with 4G RAM (I used them for browser testing IE 6/7 for a couple of years, haven’t been turned on in at least 4 years),
* 3 Intel Dual Core NUCs (two i5s and one i7) with 16G RAM running a couple of different versions of Debian, with SSDs in all of them,
* a cluster of 6 Raspberry Pi 3s (currently running Kubernetes and Docker with a Drupal / MySQL cluster install), networked with a Netgear gigabit 5 port switch), hooked to the Nighthawk router,
* Several different older Android and iOS devices (phones (iPhone 3S, 4, 6S) and tablets (some iPads, some older Samsung tables, and a Motorola tablet).

I think I have an old liquid cooled tower gaming machine with 8G RAM and a Pentium IV here somewhere too, in a box in the garage, that may or may not run.

(It’s ridiculous how much hardware you can accumulate, isn’t it?)

I can do pretty much what I want with all of the routers except the Netgear Nighthawk, and all of the machines except the MacBook Pro Quad Core and the Windows 10 Pro laptop, which belong to my employer. (I work from home and want to leave the Netgear router alone as it’s my primary internet connection).

For a good pen testing lab, given the equipment list above:

* what software would you install
* which machines would you use for what, and how would you configure them?  
* What hardware/software you would add to this, 
* What VMs you would set up in a cloud environment (I have active accounts Digital Ocean, Linode and RamNode).

(Let’s have some fun with this, go easy on my cloud pocketbook).



_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Reply | Threaded
Open this post in threaded view
|

Re: [Chugalug] Looking for advice / fun discussion: Setting up a Pen Testing lab

Stephen Haywood
In reply to this post by Lisa Harrison Ridley
Lisa,

  Start here: 

Before he released it as a full book it was in PDF and called AVATAR. You may be able to find the free version still.

I’m a penetration tester by trade and would be happy to answer any questions about pentesting. You can email me off list.

Once you get your bearings, I would highly recommend the OSCP course from Offensive Security.

Thanks,
Stephen

On Mon, Jun 18, 2018 at 12:41 AM Lisa Harrison Ridley <[hidden email]> wrote:
Hey Chugalugers…..

I’m looking to add some penetration testing skillsets to my repertoire (mainly because it’s of interest to me, but also because I’m becoming bored with my current position).

I just downloaded the latest version of Kali Linux and set up a Virtualbox VM with Vagrant on my work machine, and I’m looking to set up a pen testing lab.  

I believe I have plenty of equipment here (I think, a lot of it is Apple centric):
* a MacBook Pro Quad core (my daily work machine), 
* an Asus Windows 10 Pro laptop quad core with 16G RAM (a work machine used for client developer training when the workforce uses Windows),
* a NetGear Nighthawk X6 R8000 router (my main router here for internet connectivity),
* a few Mac minis (two Core2Duos with 8G RAM, one dual core with 8G RAM, and there may two or three be some older 4G minis in the garage in a box),
* a quad core 32 GB linux laptop running Ubuntu 16.04 LTS, 
* a MacBook Pro dual core, 
* an iMac quad core with 32g RAM, 
* one or two MacBooks (plastic cases) with Core2Duos and 4G RAM,
* a 15” MacBook Pro Dual Core with 8G RAM,
* a second generation MacBook Air, dual core with 4G RAM,
* two or three retired Apple routers (all in working condition, but needed something to take advantage of GB internet),
* a couple of AppleTVs (one I use),
* an Amazon Fire device,
* an old Linksys router (has an older version of OpenWRT on it, currently retired),
* a couple of old Dells with Windows XP, Celeron machines with 4G RAM (I used them for browser testing IE 6/7 for a couple of years, haven’t been turned on in at least 4 years),
* 3 Intel Dual Core NUCs (two i5s and one i7) with 16G RAM running a couple of different versions of Debian, with SSDs in all of them,
* a cluster of 6 Raspberry Pi 3s (currently running Kubernetes and Docker with a Drupal / MySQL cluster install), networked with a Netgear gigabit 5 port switch), hooked to the Nighthawk router,
* Several different older Android and iOS devices (phones (iPhone 3S, 4, 6S) and tablets (some iPads, some older Samsung tables, and a Motorola tablet).

I think I have an old liquid cooled tower gaming machine with 8G RAM and a Pentium IV here somewhere too, in a box in the garage, that may or may not run.

(It’s ridiculous how much hardware you can accumulate, isn’t it?)

I can do pretty much what I want with all of the routers except the Netgear Nighthawk, and all of the machines except the MacBook Pro Quad Core and the Windows 10 Pro laptop, which belong to my employer. (I work from home and want to leave the Netgear router alone as it’s my primary internet connection).

For a good pen testing lab, given the equipment list above:

* what software would you install
* which machines would you use for what, and how would you configure them?  
* What hardware/software you would add to this, 
* What VMs you would set up in a cloud environment (I have active accounts Digital Ocean, Linode and RamNode).

(Let’s have some fun with this, go easy on my cloud pocketbook).



_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
--
--
Stephen Haywood
CISSP, OSCP, OSCE
423.305.3700

_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Reply | Threaded
Open this post in threaded view
|

Re: [Chugalug] Looking for advice / fun discussion: Setting up a Pen Testing lab

Stephen Kraus
Also: Start watching DEFCON videos. Good primers on security exploits and can help you find common issues that can be exploited/avoided.

On Tue, Jun 19, 2018 at 10:06 AM Stephen Haywood <[hidden email]> wrote:
Lisa,

  Start here: 

Before he released it as a full book it was in PDF and called AVATAR. You may be able to find the free version still.

I’m a penetration tester by trade and would be happy to answer any questions about pentesting. You can email me off list.

Once you get your bearings, I would highly recommend the OSCP course from Offensive Security.

Thanks,
Stephen

On Mon, Jun 18, 2018 at 12:41 AM Lisa Harrison Ridley <[hidden email]> wrote:
Hey Chugalugers…..

I’m looking to add some penetration testing skillsets to my repertoire (mainly because it’s of interest to me, but also because I’m becoming bored with my current position).

I just downloaded the latest version of Kali Linux and set up a Virtualbox VM with Vagrant on my work machine, and I’m looking to set up a pen testing lab.  

I believe I have plenty of equipment here (I think, a lot of it is Apple centric):
* a MacBook Pro Quad core (my daily work machine), 
* an Asus Windows 10 Pro laptop quad core with 16G RAM (a work machine used for client developer training when the workforce uses Windows),
* a NetGear Nighthawk X6 R8000 router (my main router here for internet connectivity),
* a few Mac minis (two Core2Duos with 8G RAM, one dual core with 8G RAM, and there may two or three be some older 4G minis in the garage in a box),
* a quad core 32 GB linux laptop running Ubuntu 16.04 LTS, 
* a MacBook Pro dual core, 
* an iMac quad core with 32g RAM, 
* one or two MacBooks (plastic cases) with Core2Duos and 4G RAM,
* a 15” MacBook Pro Dual Core with 8G RAM,
* a second generation MacBook Air, dual core with 4G RAM,
* two or three retired Apple routers (all in working condition, but needed something to take advantage of GB internet),
* a couple of AppleTVs (one I use),
* an Amazon Fire device,
* an old Linksys router (has an older version of OpenWRT on it, currently retired),
* a couple of old Dells with Windows XP, Celeron machines with 4G RAM (I used them for browser testing IE 6/7 for a couple of years, haven’t been turned on in at least 4 years),
* 3 Intel Dual Core NUCs (two i5s and one i7) with 16G RAM running a couple of different versions of Debian, with SSDs in all of them,
* a cluster of 6 Raspberry Pi 3s (currently running Kubernetes and Docker with a Drupal / MySQL cluster install), networked with a Netgear gigabit 5 port switch), hooked to the Nighthawk router,
* Several different older Android and iOS devices (phones (iPhone 3S, 4, 6S) and tablets (some iPads, some older Samsung tables, and a Motorola tablet).

I think I have an old liquid cooled tower gaming machine with 8G RAM and a Pentium IV here somewhere too, in a box in the garage, that may or may not run.

(It’s ridiculous how much hardware you can accumulate, isn’t it?)

I can do pretty much what I want with all of the routers except the Netgear Nighthawk, and all of the machines except the MacBook Pro Quad Core and the Windows 10 Pro laptop, which belong to my employer. (I work from home and want to leave the Netgear router alone as it’s my primary internet connection).

For a good pen testing lab, given the equipment list above:

* what software would you install
* which machines would you use for what, and how would you configure them?  
* What hardware/software you would add to this, 
* What VMs you would set up in a cloud environment (I have active accounts Digital Ocean, Linode and RamNode).

(Let’s have some fun with this, go easy on my cloud pocketbook).



_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
--
--
Stephen Haywood
CISSP, OSCP, OSCE
423.305.3700
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Reply | Threaded
Open this post in threaded view
|

Re: [Chugalug] Looking for advice / fun discussion: Setting up a Pen Testing lab

Lisa Harrison Ridley
Thanks Stephen!  I have access to this book at no cost through my Amazon Prime membership as a Kindle Unlimited publication.  I also found it in PDF format on LeanPub (https://leanpub.com/avatar)  From some of the reviews on Amazon, the PDF may be valuable simply because of the cross referencing from chapter to chapter.

I’ll download this and start reading hopefully tonight.
On Jun 19, 2018, at 11:38 AM, Stephen Kraus <[hidden email]> wrote:

Also: Start watching DEFCON videos. Good primers on security exploits and can help you find common issues that can be exploited/avoided.

On Tue, Jun 19, 2018 at 10:06 AM Stephen Haywood <[hidden email]> wrote:
Lisa,

  Start here: 

Before he released it as a full book it was in PDF and called AVATAR. You may be able to find the free version still.

I’m a penetration tester by trade and would be happy to answer any questions about pentesting. You can email me off list.

Once you get your bearings, I would highly recommend the OSCP course from Offensive Security.

Thanks,
Stephen

On Mon, Jun 18, 2018 at 12:41 AM Lisa Harrison Ridley <[hidden email]> wrote:
Hey Chugalugers…..

I’m looking to add some penetration testing skillsets to my repertoire (mainly because it’s of interest to me, but also because I’m becoming bored with my current position).

I just downloaded the latest version of Kali Linux and set up a Virtualbox VM with Vagrant on my work machine, and I’m looking to set up a pen testing lab.  

I believe I have plenty of equipment here (I think, a lot of it is Apple centric):
* a MacBook Pro Quad core (my daily work machine), 
* an Asus Windows 10 Pro laptop quad core with 16G RAM (a work machine used for client developer training when the workforce uses Windows),
* a NetGear Nighthawk X6 R8000 router (my main router here for internet connectivity),
* a few Mac minis (two Core2Duos with 8G RAM, one dual core with 8G RAM, and there may two or three be some older 4G minis in the garage in a box),
* a quad core 32 GB linux laptop running Ubuntu 16.04 LTS, 
* a MacBook Pro dual core, 
* an iMac quad core with 32g RAM, 
* one or two MacBooks (plastic cases) with Core2Duos and 4G RAM,
* a 15” MacBook Pro Dual Core with 8G RAM,
* a second generation MacBook Air, dual core with 4G RAM,
* two or three retired Apple routers (all in working condition, but needed something to take advantage of GB internet),
* a couple of AppleTVs (one I use),
* an Amazon Fire device,
* an old Linksys router (has an older version of OpenWRT on it, currently retired),
* a couple of old Dells with Windows XP, Celeron machines with 4G RAM (I used them for browser testing IE 6/7 for a couple of years, haven’t been turned on in at least 4 years),
* 3 Intel Dual Core NUCs (two i5s and one i7) with 16G RAM running a couple of different versions of Debian, with SSDs in all of them,
* a cluster of 6 Raspberry Pi 3s (currently running Kubernetes and Docker with a Drupal / MySQL cluster install), networked with a Netgear gigabit 5 port switch), hooked to the Nighthawk router,
* Several different older Android and iOS devices (phones (iPhone 3S, 4, 6S) and tablets (some iPads, some older Samsung tables, and a Motorola tablet).

I think I have an old liquid cooled tower gaming machine with 8G RAM and a Pentium IV here somewhere too, in a box in the garage, that may or may not run.

(It’s ridiculous how much hardware you can accumulate, isn’t it?)

I can do pretty much what I want with all of the routers except the Netgear Nighthawk, and all of the machines except the MacBook Pro Quad Core and the Windows 10 Pro laptop, which belong to my employer. (I work from home and want to leave the Netgear router alone as it’s my primary internet connection).

For a good pen testing lab, given the equipment list above:

* what software would you install
* which machines would you use for what, and how would you configure them?  
* What hardware/software you would add to this, 
* What VMs you would set up in a cloud environment (I have active accounts Digital Ocean, Linode and RamNode).

(Let’s have some fun with this, go easy on my cloud pocketbook).



_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
--
--
Stephen Haywood
CISSP, OSCP, OSCE
423.305.3700
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug


_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug