Setting up a Virtual Hacking Lab

Many of you reading these articles are new to hacking. If so, I strongly recommend that you set up a "laboratory" to practice your hacks. Just like any other discipline, you need to practice, practice, and practice some more before you take it out to the real world.

The best and most practical solution is to choose free and open source software (I’m a FOSS advocate). Also, there are bootable Linux distros and virtual images that are vulnerable by design and easy to set up. Most of these distros are Ubuntu or Debian based, which makes it easy to install additional packages if you want to customize them.

For those who want to learn about computer hacking or improve their skills, the proper learning environment is important. As most of us know, hacking into a computer or network without authorization is a serious crime. Aside from legal issues, the best reason to hack in a virtual environment is security. Not only do you want to keep your own devices safe, but think about your neighbors, friends, and family. It’s easy to do serious damage while experimenting. Properly configured virtual labs keep hacking experiments contained.

As an aspiring ethical hacker and pen tester, you should become capable of building virtual and physical labs for practice. This article will guide you on how to build a virtual lab to practice hacking safely and legally and will provide you with some links for additional resources.

Required Hardware

There are a number of options for where to run your lab environment, and they all have pros and cons. There is no single right or wrong answer, because it will depend on a variety of factors:

  • Your budget
  • What you already have
  • How extensive you want your lab to be
  • The specific skills you want to work on

CPU

You need support for hardware virtualization (Intel VT-x, AMD-V). Most modern CPUs have it, but if you are using an older computer, you’ll want to be sure it does.

Try to use the best CPU possible. The more powerful the host machine is, the more you can do with your virtual machines.

RAM

You can never have too much RAM, right? It all depends on how many VMs you plan to run simultaneously, what OSs they will run and what you plan to do with them.

I’m using 32 GB on my box and sometimes I would like to have some more…

Storage

There is no single correct answer as to how much storage you’ll actually need. For a basic pen testing lab 256 GB of storage should suffice. However, if you want your VMs to boot quickly and run smoothly, you should spread them across several drives, if possible all of them SSDs.

I’m currently using 6 drives: 3 SSDs and 3 HDDs. Not only am I taking full advantage of all my SATA channels, I’m also using an external USB 3 drive. This way I make sure the I/O operations are not all occurring on the same drive.


Display

A second monitor is highly recommended, but not mandatory.

Virtualization

The best way to practice hacking is within a virtual environment. There are several virtualization systems out there: Oracle’s VirtualBox, KVM, Microsoft’s Hyper-V and VMware Player. For a laboratory environment, I strongly recommend using VirtualBox because it is quite versatile and completely free!

I will not explain how to set up and use VirtualBox. If you are still at the level of learning how to create and set up virtual machines and networks, maybe you should stop reading this blog and focus on acquiring some basic skills first.

While virtual labs are awesome, there are still some advantages to building a physical lab. One particular benefit that a virtual lab cannot offer is wireless networking. If you want to experiment with Wi-Fi hacks, you need a wireless access point. Physical labs not only give you the opportunity to work with software, but also teach you about setting up and troubleshooting hardware.

You can also create a hybrid network by combining physical and virtual network devices and infrastructure. There are several unique hacking approaches to use with hybrid labs. You can build a virtual target network on a desktop and attack it from a separate device. Also, you may want to simulate a complex network, but don’t quite have as many machines as you’d like. Mixing these two approaches for a hacking lab is a fantastic way to build and hone your skills as a hacker and a network technician.

Tools

Essentially, you set up a hacking system and some victims to exploit. Ideally, you would want multiple operating systems, some obsolete, others recently updated. You will also want different applications so that you can try out a variety of hacks.

There are several pentesting distributions, but the main ones are:

You might also want to use a dedicated firewall and for that I would recommend pfSense.

There is a penetration testing repository available on the Internet containing online resources for learning penetration testing, exploit development, social engineering resources, penetration testing tools and scanners, wireless network tools, hex editors, password crackers, reverse engineering tools, references to other important online resources related to penetration testing, etc.

The repository is available at https://github.com/enaqx/awesome-pentest

Targets

For the next step, you need to download and install the target systems. I recommend installing multiple Windows versions (7 and 10) so that you can compare both systems. You can also install several Linux distros, both workstation and server versions.

There are also lots of other targets for you to install locally or test via the internet, some are listed below:

Once you have your operating systems in place, you will very often need applications to run on these older versions of Windows and Linux. You will likely need a browser, Office, Adobe products, etc. These older products have well-known security flaws that you can hone your skills on.

I like the site Old Apps to download many of these.

Network

This is my current setup:


All these VMs are connected to multiple VirtualBox internal networks, although some VMs can also connect to the Internet via NAT when required to install software, updates, etc. The routers are Windows Server 2019 machines.

As I mentioned before, I only have 32 GB of RAM. But it is possible to run all these VMs simultaneously by installing them on multiple drives and assigning them minimum specs. Besides, I only run all of them at the same time when I want to test network scanning or mapping tools. If I’m attacking a specific target, the other ones can obviously be offline.

Conclusion

You don’t need to pay a single penny to set up a pentesting lab because you can use a lot of vulnerable distros and web applications that are open source, free and easy to customize. All you need is virtualization software and virtual images in order to run a vulnerable lab.

This lab can be customized to your requirements. You can host other flavors of operating systems as virtual machines and try to hack them, or you can increase the difficulty of the hacks by installing and enabling firewalls or intrusion detection systems.


Introduction to Scanning

General Scanning Concepts

After identifying the target system and performing the initial reconnaissance as discussed in the previous post about Footprinting or Reconnaissance, it’s time to begin searching for an entry point into the target system.

Keep in mind that the scanning itself is not the actual intrusion, but an extended form of reconnaissance in which we learn more about the target, including information about operating systems, services, and any configuration lapses. The information gleaned from this reconnaissance helps us select strategies for the attack on the target system or network.

This is just an overview of network scanning and provides an insight into the various techniques that can be used to check for live systems and open ports. There are many scanning techniques, and an ethical hacker should use them as steps in the penetration testing process when performing the security assessment of the target.

As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. This information is then used in the scanning phase in order to gather more details on the target.

Scanning is the process of gathering additional detailed information by using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. It is one of the most important phases of intelligence gathering for an attacker because it enables the creation of the target organization’s security profile. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s operating systems and system architecture, and the services running on each computer.

Types of Scanning

The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and keep track of the ones that are responsive or useful to the attacker’s specific needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more about the target system to find out if there are any configuration lapses in it. The attacker then uses the information obtained during the scan to develop an attack strategy.

Network Scanning

Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.

Basically, it lists IP addresses.

Port Scanning

Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports on the target system to determine if the services are running or are in a listening state. The listening state provides information about the operating system and the application currently in use. Sometimes, active services that are listening may allow unauthorized user access to misconfigured systems or to run software with vulnerabilities.

It lists open ports and services.

Vulnerability Scanning

Vulnerability scanning is a method used to check whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine contains the logic for reading the catalog, sending each request to the web server, and analyzing the responses. These tools generally target vulnerabilities that can be fixed easily with a secure host configuration, up-to-date security patches, and a clean web document root.

Shows the presence of known weaknesses.
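To make the "engine plus catalog" structure concrete, here is an added example (my own code, not from the original post and not modelled on any real scanner). The catalog entries, the in-memory FAKE_SITE it probes, and the `fetch` interface are all constructed so that it runs offline; the calibration step is the check a practitioner wants before trusting any path-existence result, because many servers answer 200 to every request.

```python
"""Minimal catalog-driven vulnerability scanner (added example, constructed data).

Two parts, as the text describes: a CATALOG of checks with remediation advice,
and an engine (scan) that sends each request through a pluggable `fetch`
function and interprets the response. FAKE_SITE stands in for a web server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogEntry:
    path: str          # request path the engine will probe
    issue: str         # what a positive hit means
    remediation: str   # what the administrator should do about it


# Constructed catalog: a few "backup file" style checks of the kind the text mentions.
CATALOG = [
    CatalogEntry("/config.php.bak", "Backup of config file exposed",
                 "Remove backup files from the web root"),
    CatalogEntry("/.env", "Environment file exposed",
                 "Deny access to dotfiles in the server configuration"),
    CatalogEntry("/backup.zip", "Site backup archive exposed",
                 "Store backups outside the web root"),
    CatalogEntry("/uploads/", "Directory listing enabled",
                 "Disable autoindex for upload directories"),
]

# Constructed target: path -> (status, body). Anything not listed returns 404.
FAKE_SITE = {
    "/": (200, "<html>Welcome</html>"),
    "/config.php.bak": (200, "<?php $db_host = 'localhost'; ?>"),
    "/uploads/": (200, "<title>Index of /uploads</title>"),
    "/.env": (403, "Forbidden"),
}


def fake_fetch(path):
    """Stand-in for an HTTP GET; returns (status_code, body)."""
    return FAKE_SITE.get(path, (404, "Not Found"))


@dataclass(frozen=True)
class Finding:
    path: str
    issue: str
    remediation: str
    evidence: str


def is_hit(entry, status, body):
    """Decide whether a response confirms the catalog entry.

    A 200 alone is weak evidence, so the directory-listing check also requires
    the listing marker in the body before it is reported.
    """
    if status != 200:
        return False
    if entry.path.endswith("/"):
        return "Index of" in body
    return True


def scan(catalog, fetch):
    """Run every catalog entry through `fetch` and collect confirmed findings."""
    findings = []
    for entry in catalog:
        status, body = fetch(entry.path)
        if is_hit(entry, status, body):
            findings.append(Finding(entry.path, entry.issue, entry.remediation,
                                    f"HTTP {status}, {len(body)} bytes"))
    return findings


def calibrate(fetch):
    """Probe a path that should not exist. If it still returns 200, the host
    answers 200 to everything and path-existence checks cannot be trusted."""
    status, _ = fetch("/this-path-should-not-exist-4f9c1")
    return status != 200


if __name__ == "__main__":
    if calibrate(fake_fetch):
        for f in scan(CATALOG, fake_fetch):
            print(f"{f.path}: {f.issue} ({f.evidence}) -> {f.remediation}")
```

Swapping `fake_fetch` for a real HTTP client turns this into a scanner of the shape the text describes; the catalog is the part that real tools keep large and updated daily, the engine stays small.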

Vulnerability Scanning vs Compliance Management

A compliance check scans the target and returns results based on the level of the target’s compliance with the standards selected for the scan. This allows an administrator to see if the organization’s systems are configured in accordance with the legal and required standards.

On the other hand, a vulnerability scan offers information pertaining to the existence of known vulnerabilities. However, the lack of vulnerabilities does not mean a server is configured correctly. Having knowledge of how a server is configured, how it is patched, and which vulnerabilities it has can help to prioritize systems for mitigating risk.

Scanning Techniques

Scanning is the process of gathering information about systems that are "alive" and responding on the network. Port scanning techniques help an attacker to identify the open ports on a targeted server or host. Administrators often use port scanning techniques to verify security policies of their networks, whereas attackers use them to identify running services on a host with the intent of compromising the network.

A general rule for computer systems is that the more open ports a system has, the more vulnerable it is. However, there are cases in which a system has fewer open ports than another machine, but those open ports present a much higher level of vulnerability.

The first step in scanning networks is to check for live systems. I will show you how to check for live systems with the help of ICMP scanning, how to ping a system and various ping sweep tools.

The next step in the scanning process involves checking for open ports on the discovered live systems. Sometimes users unknowingly leave unnecessary ports open on their systems, and it might be possible to exploit such open ports to launch attacks. I will also show you the tools and techniques used by an attacker to do so.

Once the open ports are identified, the final step is to find vulnerabilities associated with the applications or services running in those ports. I’ll introduce you to some free but very powerful and reliable tools used to find the target’s vulnerabilities.

Scanning techniques are further split into three categories, shown below, according to the transport-layer protocol used for communication.

Scanning ICMP Network Services:

  • ICMP Scanning
  • Ping Sweep
  • ICMP Echo Scanning

Scanning TCP Network Services:

  • Open TCP Scanning Methods
    • TCP Connect Full Open Scan
  • Stealth TCP Scanning Methods
    • Half-open Scan
    • Inverse TCP Flag Scanning
      • Xmas Scan
      • FIN Scan
      • NULL Scan
    • ACK Flag Probe Scanning
  • Third Party and Spoofed TCP Scanning Methods
    • IDLE IP ID Header Scanning

Scanning UDP Network Services:

  • UDP Scanning
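As an added example (my own code, not from the original post), here is a small classifier that applies the TCP categories above from the defender's side: it reads a constructed, simplified packet log and labels each source/destination/port flow as a full connect, half-open, Xmas, FIN, NULL or ACK probe from the flags the client sent, then lists sources that touched several ports on one host. The log format, the sample addresses and the `min_ports` threshold are my own construction; ICMP and UDP probes carry no TCP flags and are outside this snippet.

```python
"""Classify TCP flag patterns in a packet log into scan types (added example).

Constructed log format, one packet per line:
    src -> dst:port flags=<letters>
Letters: S (SYN), A (ACK), F (FIN), P (PSH), U (URG), R (RST); '-' means no
flags set, i.e. a NULL probe.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+flags=(?P<flags>[SAFPUR-]+)$"
)

# Flag sets that identify a probe on their own (inverse TCP flag scans, ACK probes).
SINGLE_PACKET_SIGNATURES = {
    frozenset("FPU"): "Xmas scan",
    frozenset("F"): "FIN scan",
    frozenset(): "NULL scan",
    frozenset("A"): "ACK flag probe",
}

# Constructed sample log: one host (10.0.0.9) probed by three sources.
SAMPLE_LOG = [
    "10.0.0.5 -> 10.0.0.9:22 flags=S",
    "10.0.0.5 -> 10.0.0.9:22 flags=R",     # SYN then RST: half-open scan
    "10.0.0.5 -> 10.0.0.9:80 flags=S",
    "10.0.0.5 -> 10.0.0.9:80 flags=A",     # SYN then ACK: handshake completed
    "10.0.0.6 -> 10.0.0.9:443 flags=FPU",  # Xmas
    "10.0.0.6 -> 10.0.0.9:445 flags=F",    # FIN
    "10.0.0.6 -> 10.0.0.9:139 flags=-",    # NULL
    "10.0.0.7 -> 10.0.0.9:25 flags=A",     # ACK probe
    "garbage line",                        # malformed, must be skipped
]


def parse_line(line):
    """Return (src, dst, port, flagset) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = frozenset(m["flags"].replace("-", ""))
    return m["src"], m["dst"], int(m["port"]), flags


def classify_flow(flag_sequence):
    """Classify the flag sets one source sent to one dst:port, in order."""
    first = flag_sequence[0]
    if first in SINGLE_PACKET_SIGNATURES:
        return SINGLE_PACKET_SIGNATURES[first]
    if first == frozenset("S"):
        # A lone SYN is either a half-open probe or the start of a full connect;
        # whether the client later sends an ACK (not a RST) decides which.
        later = flag_sequence[1:]
        if any("A" in f and "R" not in f for f in later):
            return "TCP connect (full open) scan"
        return "half-open (SYN) scan"
    return "unclassified"


def summarize(lines):
    """Group packets per (src, dst, port) flow and classify each flow."""
    flows = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, dst, port, flags = parsed
            flows[(src, dst, port)].append(flags)
    return {flow: classify_flow(seq) for flow, seq in flows.items()}


def sweep_sources(lines, min_ports=3):
    """Sources that touched at least min_ports distinct ports on one host.
    The breadth of a scan is often easier to spot than any single probe."""
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, dst, port, _ = parsed
            ports[(src, dst)].add(port)
    return sorted(f"{s}->{d}" for (s, d), p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    for (src, dst, port), label in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}: {label}")
    print("sweeps:", sweep_sources(SAMPLE_LOG))
```

The same flag logic is what an IDS signature encodes; the idle (IP ID) scan is deliberately absent, since from the target's point of view it looks like ordinary SYN probes from the zombie host.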

Scanning Tools

These tools scan and identify live hosts, open TCP/UDP ports, running services on a target network, location-info, and NetBIOS info. Information obtained from these tools will assist an ethical hacker in creating the profile of the target organization and in finding entry points to the network. More advanced and specialized scanning tools will find system vulnerabilities and possible remediations.

Network/Port Scanning Tools

All these tools are multi-functional so there is no sense in separating the two different categories.

Nmap

Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of firewalls, operating systems, and OS versions.

It is the de facto standard tool for most security professionals.

Hping3

Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions.

Unicornscan

While Nmap is the most widely used port scanner for pentesters and hackers, it does have some shortcomings. First, it doesn't do OS fingerprinting very well. Second, it can be relatively slow; and lastly, it uses the TCP/IP stack of the underlying operating system for sending packets, making it easy for the target to determine the attacker's OS.

Unicornscan is an asynchronous network stimulus delivery/response recording tool. This means it sends out broken/unorganized/fragmented packets (without a regular pattern, unlike other port scanning tools) to a host and waits for the target’s response. Once the response arrives, the TTL value is evaluated for each port, which identifies the operating system. For example, if the TTL=128, the operating system is Windows, and so on.

Pentesters use this tool when regular port scanning doesn’t work as the target might have enabled port scanning detection or has enabled IDS/IPS or honeypots. One cool feature of Unicornscan is that it uses different threads to send out packets and to receive them, unlike other port scanners.
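The per-port TTL heuristic described above, worked through as an added example (my own code, not part of the original post or of Unicornscan). It assumes the commonly documented default initial TTLs (64 for Linux, BSD and macOS; 128 for Windows; 255 for many network devices and Solaris), which are a convention rather than a guarantee, and the reply TTLs are constructed. Because the value is evaluated per port, it also shows the caveat a practitioner wants: when different ports yield different initial TTLs, the "host" is probably several machines behind a load balancer, NAT or honeypot.

```python
"""Estimate initial TTL, hop distance and OS family from reply TTLs (added example).

Assumed default initial TTLs per OS family (convention, not a guarantee).
A reply's TTL has been decremented once per hop on the way back, so the initial
value is the smallest common default that is >= the observed value.
"""
from collections import Counter

INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device/Solaris"}

# Constructed sample: reply TTLs seen on several ports of two hosts.
SAMPLE_REPLY_TTLS = {
    "10.0.0.9": [120, 120, 119],   # 8-9 hops away, Windows-style 128
    "10.0.0.10": [61, 61, 61],     # 3 hops away, Linux-style 64
}


def guess_initial_ttl(observed):
    """Return (initial_ttl, hops) for an observed TTL, or None if it is invalid."""
    if not 1 <= observed <= 255:
        return None
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    return None  # unreachable: 255 covers the whole valid range


def os_family(observed):
    """OS family for a single reply TTL, 'unknown' for invalid input."""
    guess = guess_initial_ttl(observed)
    return INITIAL_TTLS[guess[0]] if guess else "unknown"


def fingerprint(reply_ttls):
    """Combine the TTLs seen on several ports of one host.

    Returns (family, hops, consistent). `consistent` is False when the ports
    disagree on the initial TTL, which means a single-OS verdict is unsafe.
    """
    guesses = [g for g in (guess_initial_ttl(t) for t in reply_ttls) if g]
    if not guesses:
        return "unknown", None, False
    initial_counts = Counter(initial for initial, _ in guesses)
    initial, _ = initial_counts.most_common(1)[0]
    hops = Counter(h for i, h in guesses if i == initial).most_common(1)[0][0]
    return INITIAL_TTLS[initial], hops, len(initial_counts) == 1


if __name__ == "__main__":
    for host, ttls in SAMPLE_REPLY_TTLS.items():
        family, hops, consistent = fingerprint(ttls)
        note = "" if consistent else " (ports disagree: multiple hosts?)"
        print(f"{host}: {family}, ~{hops} hops{note}")
```

The mapping is only as good as the assumption that the target kept its default initial TTL; an administrator can change it, which is one reason tools like Nmap combine many signals rather than relying on TTL alone.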

Masscan

Large ranges are a pain to scan, but this is where Masscan comes into play. Similar to Nmap (it even has similar flags), Masscan uses its own custom TCP/IP stack for speed and efficiency. Internally, it uses asynchronous transmissions and it’s very flexible, allowing arbitrary port and address ranges. This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.

There are many other network scanning tools out there, some are listed below:

Vulnerability Scanning Tools

Every day, security researchers and hackers discover new vulnerabilities, augmenting the tens of thousands of known holes in applications, services, operating systems, and firmware.

Vulnerability assessment enables recognizing, categorizing and characterizing the security holes among computers, network infrastructure, software, and hardware systems.

Vulnerability scanners automate security auditing and can play a vital part in your IT security by scanning your network and websites for different security risks. These scanners are also capable of generating a prioritized list of those you should patch, and they also describe the vulnerabilities and provide steps on how to remediate them. It is also possible for some to even automate the patching process.

OpenVAS

The Open Vulnerability Assessment Scanner is a free, full-featured vulnerability scanner that relies on a feed of vulnerability tests with a long history and daily updates. OpenVAS serves as a central service that provides tools for both vulnerability scanning and vulnerability management.

OpenVAS is a complete vulnerability assessment tool that is used to spot security issues in the servers and other devices of the network. The scanner takes an IP address and checks for open services by scanning the open ports, misconfigurations, and vulnerabilities in the existing services.

Zed Attack Proxy

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications during their development and testing stages and is both flexible and extensible.

ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those messages on to the destination. It can be used as a stand-alone application and as a daemon process.

Nikto

Nikto is a simple, open-source web server scanner that examines a web server for thousands of vulnerabilities and other known issues. It is very easy to use and does everything itself, without much instruction.

Also, it's one of the most widely used website vulnerability scanners in the industry, and it is extremely effective. However, it's not stealthy at all. Any site with an intrusion-detection system or other security measures in place will detect that it's being scanned. It was designed for security testing from the start, and stealth was never a concern.

There are many other vulnerability scanners, some are listed below:
