Many of you reading these articles are new to hacking. If so, I strongly recommend you to set up a "laboratory" to practice your hacks. Just like any other discipline, you need to practice, practice, and practice some more before you take it out to the real world.
The best and most practical solution is to choose free and open source software (I’m a FOSS advocate). Also, there are bootable Linux distros or virtual images that are vulnerable by design and easy to set up. Most of these distros are Ubuntu or Debian based and with that it is easy for you to install packages if you want to customize these distros.
For those who want to learn about computer hacking or improve their skills, the proper learning environment is important. As most of us know, hacking into a computer or network without authorization is a serious crime. Aside from legal issues, the best reason to hack in a virtual environment is security. Not only do you want to keep your own devices safe, but think about your neighbors, friends, and family. It’s easy to do serious damage while experimenting. Properly configured virtual labs keep hacking experiments contained.
As an aspiring ethical hacker and pen tester, you should become capable of building virtual and physical labs for practice. This article will guide you on how to build a virtual lab to practice hacking safely and legally and will provide you with some links for additional resources.
Required Hardware
There’s a number of options for where to run your lab environment, and they all have pros and cons. There’s no single right or wrong answer, because it will depend on a variety of factors:
- Your budget
- What you already have
- How extensive you want your lab to be
- The specific skills you want to work on
CPU
You need support for hardware virtualization (Intel-VT, AMD-V). Most modern CPUs will have it, but if you are using an older computer, you’ll want to be sure it has.
Try to use the best CPU possible. The more powerful the host machine is, the more you can do with your virtual machines.
RAM
You can never have too much RAM, right? It all depends on how many VMs you plan to run simultaneously, what OSs they will run and what you plan to do with them.
I’m using 32 GB on my box and sometimes I would like to have some more…
Storage
There’s not a correct answer as to how much storage you’ll actually need. For a basic pen testing lab 256 GB of storage should suffice. However, if you want your VMs to boot quickly and run smoothly, you should spread them across several drives, is possible all of them SSDs.
I’m currently using 6 drives; 3 SSD and 3 HDD. Not only I’m taking full advantage of all my SATA channels, I’m also using an external USB 3 drive. Therefore, I’m making sure the I/O operations are not occurring all in the same drive.
Display
A second monitor is highly commendable, but not mandatory.
Virtualization
The best way to practice hacking is within a virtual environment. There are several virtualization systems out there, Oracle’s VirtualBox, KVM, Microsoft’s Hyper-V or VMware Player. For a laboratory environment, I strongly recommend using Virtual Box because it is quite versatile and completely free!
I will not explain how to set up and use Virtual Box. If you are still at the level of learning how to create and setup virtual machines and networks, maybe you should stop reading this blog and focus on acquiring some basic skills.
While virtual labs are awesome, there are still some advantages to building a physical lab. One particular benefit that a virtual lab cannot offer is wireless networking. If you want to experiment with Wi-Fi hacks, you need a wireless access point. Physical labs give you not only the opportunity to work with software, but you learn about setting up and troubleshooting hardware.
You can also create a hybrid network by combining physical and virtual network devices and infrastructure. There are several unique hacking approaches to use with hybrid labs. You can build a virtual target network on a desktop and attack it from a separate device. Also, you may want to simulate a complex network, but don’t quite have as many machines as you’d like. Mixing these two approaches for a hacking lab is a fantastic way to build and hone your skills as a hacker and a network technician.
Tools
Essentially, you set up a hacking system and some victims to exploit. Ideally, you would want multiple operating systems, some obsolete other recently updated. And you will also want different applications so that you can try out a variety of hacks.
There are several pentesting distributions, but the main ones are:
You might also want to use a dedicated firewall and for that I would recommend pfSense.
There is a penetration testing repository available on the Internet containing online resources for learning penetration testing, exploit development, social engineering resources, penetration testing tools and scanners, wireless network tools, hex editors, password crackers, reverse engineering tools, references to other important online resources related to penetration testing, etc.
The repository is available at https://github.com/enaqx/awesome-pentest
Targets
For the next step, you need to download and install the target systems. I recommend installing multiple Windows (7 and 10) so that you can compare both systems. You can also install several Linux distros, both workstation or server versions.
There are also lots of other targets for you to install locally or test via the internet, some are listed below:
- Metasploitable 2 and Metasploitable 3
- Hackxor
- NETinVM
- UltimateLAMP
- LAMPSecurity
- Mutillidae II
- OWASP WebGoat
- Damn Vulnerable Web Applications (DVWA)
- OWASP Juice Shop
- WackoPicko
- Hack This Site
- Testfire
Once you have your operating system in place, very often you will need applications to run on these older versions of the Windows and Linux operating systems. You will likely need a browser, Office, Adobe products, etc. These older products have well-known security flaws that you can hone your skills on.
I like the site Old Apps to download many of these.
Network
This is my current setup:
All these VMs are connected in multiple Virtual Box internal networks although some VMs can also connect to the Internet via NAT when required to install software, updates, etc. The routers are Windows 2019 Server machines.
As I mentioned before, I only have 32 GB of RAM. But it is possible to run all these VMs simultaneously by installing them on multiple drives and assigning them minimum specs. Besides, I only run all of them at the same time when I want to test network scanning or mapping tools. If I’m attacking a specific target, the other ones can obviously be offline.
Conclusion
You don’t need to pay a single penny to set up a pentesting lab because you can use a lot of vulnerable distros and web applications that are open source, free and easy to customize. All you need is virtualization software and virtual images in order to run a vulnerable lab.
This lab can be customized as per requirement. You can host other flavors of Operating Systems as virtual machines and try to hack them or you can increase the difficulty of hacks by installing and enabling firewalls or intrusion detection systems.
Next post: Advanced Scanning and Enumeration