Review: Penetration Testing – Setting Up a Test Lab How-To

Penetration Testing Book CoverI’m just back from an Easter break with $WIFE and $KIDS but it does not mean that I was completely disconnected. Between familly activities, I read some items pending in my todo list. One of them was the book called “Penetration Testing – Setting Up a Test Lab How-To” from Packt Publishing. This is the second book I read from their “Instant” collection.

The book, written by Vyacheslav Fadyushin, has only 88 pages but  goes straight to the point: Helping you to set up your home lab to learn (or improve) your penetration testing skills. Building your own lab is a critical step. Most pentesting actions being against the law (wherever you are living), it is important to have safe (read: private) environments to test new tools, new attacks or exploits. Note that the targeted audience can be extended to security researchers, developers, etc. Everybody needs a lab!

The first part of the book describes the different pieces of software that will be used by the author. Today, it’s impossible to work without virtualization and the author covers briefly the pros and cons of most common virtualization solutions. His recommended list of software includes:

  • Microsoft Windows Server 2003 & 2008
  • Microsoft Windows XP & 7
  • Ubuntu Server 12.04LTS
  • Common web browsers (Mozilla, Chrome, Safari & IE)

Note that some of those softwares are commercial and require a valid license to work (temporary or permanent). The pentester is of course responsible to buy them (or to find them by its own mean – no more comments). What about the hardware?

  • One “big” PC with many CPUs and memory
  • One Wireless router
  • One laptop
  • One Android mobile device

The author talks about a PC with “at least 4 GB RAM“. With today’s prices, my suggestion is to start directly with 16 GB RAM! More you have more smoothly will run your guests. Of course, your future lab will depend on your requirements. To help you in this way, the author in the next chapter describes briefing what are the goals of pentesting and then gives interesting tables with the different skills you would like to practice and the required components. A few examples:

Skills to practice Required components
Discovery techniques Several different hosts with various operating systems
Scanning techniques Firewall
OWASP Top-10 vulnerabilities Web server, database server and Web Application Firewall
Wireless attacks Wireless router, RADIUS server, laptop
Tunneling Several hosts

The next chapters cover how to deploy your lab in different scenarios, again depending on your needs. Configurations are reviewed step by step with multiple screenshots. Finally, the author describes some online services to practice your skills based on websites or specific virtual machines ready to be downloaded and exploited. The examples described in the book will address most of the requirements for standard pentesting projects but some configurations or architecture will be simply impossible to reproduce at home.

More information about the book is available here.

3 comments

  1. I have no doubt that the book it’s a good reading. Regarding setting up a pentest lab where you can try everything, you can always use HackaServer project with our training arena where you have over 40 machines up and running Matasploitable included. And it free.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.