Do you remember those good old days in the sandbox? Where did you throw stuff, learn where the sand goes and… doesn’t go? Well, we’re out of the sandbox, but our hearts and minds are still hardwired to play it. Maybe that’s why we like offsec, but let’s get to the point… We did a lab.

We wanted to address the pentest labs. In this particular post, Network pentest labs (webapp will be a separate post, challenge sites will be too)

We used an existing set of hack challenge ISOs, sandbox VMs, vulnerable software, and vulnerable operating systems to create a 6-target lab that can be expanded.

Props to @laz3r for the video and research he did for the project. You’re no longer a trainee, that didn’t last long, did it? ;P

Here is what you need to download:

De-ICE Challenge Disks 1 & 2 – Join forums to get DL access,
pWnOS – Sign up to forums to get DL access,
Damn Vulnerable Linux – and add-ons at
BT4 –
Windows XP SP2
Windows Server 2003
VMware Server –
This lab is focused on a virtual environment. Pentesting involves testing many different systems, so we recommend using VMware Server. The flexibility to deploy targets and then save their default installations as snapshots is badly needed. In a physical lab with an unlimited budget, we were using hard drives preconfigured with images that we “hot swap” based on commitment, but we decided to go virtual to save a lot of headaches and make it more modular.

In this sandbox we hone our skills with nmap, netcat, metasploit, hydra, nessus, exploit code, pivoting, clientsides, etc. – not necessarily in that order. We decided to keep everything off the interwebs as we did this setup. This way we won’t have to let our ISP know that the attack traffic could be coming from one or two machines.

First we download pWnOS. pWnOS is a virtual machine published by denizen bond00. Since it is already in VM form, we configure its network and launch the machine. This target is exploit-centric and slightly different from our upcoming target setups, the De-ICE discs. A quick ping scan will verify that it’s online. This target will ask you to find an exploit, compile it, and set up priv. pWnOS is older and we could not verify if the project is still maintained but we would like to see someone take up the torch.

Second, you need to download the De-ICE pentest challenge discs. Thomas Wilhelm has created 3 attack challenge ISOs. We’ll leave you to scan for vulnerabilities, but they work great for highlighting misconfiguration testing and other attacks. We used both level 1 disks, but it also has a level 2 disk. You can expand the network to add this disk later if you want, this presents a more difficult pentest situation. De-ICE drives need to be setup and configured according to our video. After that, they sit there plundering.

Next up is Damn Vulnerable Linux. DVL is an interesting platform. Not only is it a target, it’s also a test bed. DVL is very insecure, exploitable, but also contains a tutorial in itself to start developing and cracking exploits. Sometimes DVL is frustrating to use due to language barriers, but most of the time you can figure out the issues. DVL is closely linked to the website where new challenges called “crackmes” and “exploitmes” can be downloaded. The forums contain a lot of information about the distribution that is used to teach offensive security and reverse engineering to a wide range of Infosec skills in EU educational environments.

Next, we configure our attack platform, Backtrack 4 (pre-release). I’m pretty sure we all know BT as one of the industry’s default attack, audit, and test environments. Some infosec professionals use their own in-house distributions. You could do that too. It’s just a pain to compile and configure all the tools. BT4 does all of that for us, it’s stable and made by some of the brightest minds in infosec. Regardless of the attack platform you use, we recommend keeping remote exploit forums in your links, as they are essential for troubleshooting common offsec tools.

Finally, we run some Microsoft boxes. We skipped setting up the 2003 box as a domain controller on the video…because it’s boring. This configuration allows us to test software on MS platforms. What we will say is to make snapshots of these installs and not delete them (after setting up the domain).

-Domain configuration allows us to test post-exploitation, account hijacking, client-server packet sniffing, private escalation, process migration (meterpreter goodness), pivoting, etc.

-Snapshots allow us to regularly test old service packs or security updates, as well as analyze changes made by malicious code to the operating system when a new conficker arrives.

– The boxes themselves are also used to deploy vulnerable software to test exploits (don’t forget the clients) which can be downloaded from:

Overall, this setup seemed to meet all our needs for a network pentesting lab. It has multiple operating systems, multiple targets, configuration testing capabilities, exploitation and post-exploitation capabilities. It is expandable with additional ISOs, operating systems, updates, software, etc. We’re still working on adding some virtual devices to play with evasion, but it’s on the way. Remember that within a given engagement you can just add another operating system like CentOS or Redhat to model your target.

We don’t know everything (in fact, we know very little) and we welcome feedback and emails on how to improve this setup. If you know of a test distribution that we missed for Network Pentest Labs, let us know. Do you have a trick of the trade to improve this? Hit us. We give credit.

The post office Network Pentest Lab appeared first on Security Aegis.

*** This is a syndicated blog from the Security Bloggers Network of Security Aegis Written by Security Aegis. Read the original post at: