Monday, December 21, 2009

The SynJunkie Lab - Part 1

I've been asked a couple of times recently how I have my lab set up, so in this post I'll provide a brief overview.

Just quickly, I want to say that if you have the time and resources to create a lab I thoroughly recommend doing so. I use my lab for testing configurations that I wouldn't want to try on a production network, applying policies and testing their effects on servers and clients, and learning new software. Primarily I like to use my lab for learning and using security tools in an environment that gives me a complete view of the effects of those tools from both an attacker's and a defender's perspective, where they won't damage anyone's network.

Setting up a lab is a really useful learning exercise in itself. For example, I haven't had the opportunity to use virtualisation in the workplace yet but because of my lab I have experience using VMWare, Xen, Parallels and Virtualbox.

One tip I would give to anyone setting up a lab is this: approach the project as if you were designing a real network. Plan it, document it and maintain it. A few years ago I heard an interview with Mike Poor, and one of the tips he gave was to know your network. In real life that might not be possible; you might be working the helpdesk or in IT support and not have access to servers and switches, but in your lab you are in control of every area of the network: the servers, the network itself, the clients. You really are God, so use those god-like powers to know your network inside out.

Use the functionality offered by the virtualisation tools. If you are going to make a major change or perform a particular attack, back up the necessary hosts first or take snapshots so you can roll back, just like you would on a real network. There's nothing worse than having to rebuild the servers on your network just because you didn't take 5 minutes to do a snapshot first.

Finally, give thought to segmenting your lab from the rest of your network. Realising you have DoS'd your wife as you refine your ARP poisoning attack is not a good thing!
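One concrete way to do that segmentation with the kit listed below (the Cisco 2950 switch and the 800-series router) is to give the lab its own VLAN and subnet, so that layer-2 tricks like ARP poisoning stay inside the lab's broadcast domain and the router decides what the lab may talk to. The configuration that follows is an added example, not taken from the original post: the VLAN number, port numbers, interface names and addresses are all assumptions, and the name of the router's lab-facing interface depends on which 800-series model you have.

```cisco
! --- Cisco 2950 (lab switch) -------------------------------------------
! Assumed layout: ports 1-8 are lab hosts, port 24 links to the router.
! Putting the lab hosts in VLAN 10 keeps ARP poisoning, DHCP spoofing and
! similar layer-2 attacks inside that VLAN; the home LAN stays in VLAN 1.
vlan 10
 name LAB
exit
!
interface range FastEthernet0/1 - 8
 description Lab hosts (attacker, targets)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
exit
!
! Uplink to the 800-series router: a dot1q trunk carrying only VLAN 10.
! The router's port facing this link must be configured as a trunk too.
interface FastEthernet0/24
 description Trunk to lab router
 switchport mode trunk
 switchport trunk allowed vlan 10
exit
!
! --- Cisco 800-series router -------------------------------------------
! Assumed addressing: home LAN 192.168.1.0/24, lab 192.168.10.0/24.
! The lab may reach anything except the home LAN; the deny is listed
! first because IOS ACLs are evaluated top-down, first match wins.
ip access-list extended LAB-TO-HOME
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
exit
!
! On some 800-series models this is a subinterface with
! "encapsulation dot1Q 10" rather than an SVI; the ACL binding is the same.
interface Vlan10
 description Lab VLAN gateway
 ip address 192.168.10.1 255.255.255.0
 ip access-group LAB-TO-HOME in
exit
```

After applying it, check it the way you would on a real network: `show vlan brief` on the switch should list ports 1-8 under VLAN 10 only, and a ping from a lab host to a home-LAN address should fail while `show ip access-lists LAB-TO-HOME` on the router shows the deny line's match counter climbing. An ARP poisoning run inside VLAN 10 then never sees the home LAN's traffic, because the switch keeps the two VLANs in separate broadcast domains and the router refuses to route between them.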

With that said, here are a few details of my lab. The physical hardware I have is as follows:

1 x Dell laptop
1 x MacBook
1 x Acer netbook
2 x wireless routers
1 x Cisco 2950 switch
1 x Cisco 800 series router

I use a combination of Parallels, Xen and Dynamips to virtualise about 5 servers, some workstations and as many routers as I need. The Dell laptop is a pretty beefy machine that I used as my primary PC before I got the Mac. I wiped off the OS, which was Vista, and installed the free Xen Server hypervisor. This lets me use almost all of the memory for servers and PCs, as the hypervisor itself runs on next to nothing. These are the primary servers and workstations that I attack in my lab.

On my Mac I have another DC, a member server and a few VM clients. Having the DC allows me to perform some tests when I'm away from home and don't have access to the Xen server.

The switches and routers are from a bin (yes, people really do just throw out perfectly good hardware) and from eBay.

For the VMs' operating systems I'll either use the 180-day eval versions or whatever else I can find; there are plenty of Linux distros about that can be downloaded. Or, if you are limited on bandwidth, go down to the newsagent's and grab a Linux magazine, there are always cover CDs with distributions included.

Building a lab can be done for very little cost. With VirtualBox for virtualisation, eval versions of OS's available from Microsoft and more free Linux distros than you can shake a big stick at, there's really no excuse. I guess the only outlay is going to be hardware, and at the moment hardware is pretty cheap.

One thing I do to make the most of my hardware is, after building a host, get it up and running and then look at the resources (memory and CPU) it's actually using. Then I tweak the resources allocated to the VM down as far as I possibly can. This allows me to get more VMs up and running on my Xen laptop at the same time. However, if the role of the VM changes, make sure you review the resources so it has enough power to do its new job.

And once again, document the lab, so that if you don't get a chance to use it for a while you can easily review your network diagrams and pick up where you left off. Kivio is a free network diagramming tool for the Linux platform. If you're a Windows-only type of guy then give www.gliffy.com a try; you need to register, but after that you'll have access to some pretty snazzy network planning tools.

I hope this has been useful to someone.

All the best

Syn

6 comments:

ipolar said...

Fantastic! So do you use your Acer netbook as your main attacking machine? If so, would you be able to explain a bit about your setup? Do you use Backtrack 4 etc?

Andy

SynJunkie said...

Hi Andy, thanks for the comment. I forgot to add that in, didn't I. I have the netbook set up to dual boot between XP and BT4. Within the context of my lab I use it as an attacking host mainly. Occasionally I have issues attempting to exploit a server which is a VM from an attacking host which is also a VM, so I like to troubleshoot the issue with the netbook. Often I find that attacking a VM from a physical host works just fine.

I'm also planning to have it set up acting as a Web Server in the DMZ for future Bob posts.

I hope that helps explain.

Cheers

vuln said...

Hi,

Thanks for the great blog. I've followed it since the first day I found it and keep it in Google Reader. I have a few questions and suggestions.

1. It would be better if you could share the network diagram of your lab setup.

2. I'm planning to build my own pentest & testing lab. Before this I'm using vmware workstation and I just realised there is another great tool from vmware which is called ESXi. What do you think about it?

http://seclists.org/pen-test/2009/Nov/96

Keep up the good job,
Mike

SynJunkie said...

Hi Mike, thanks for the suggestion. I'll sanitise my diagram a little and update the post in the next few days.

I also looked at ESXi but decided upon Citrix Xen Server as they also gave away Xen Center, which allowed me to manage my VMs from another PC. At the time I couldn't find a tool to do this with ESXi that was as good as Xen Center.

I've been really happy with Xen but I will probably give VMWare another look in the new year to see whats changed.

Regarding the post on Seclists, my requirements are not as intensive as the Macubergeek's. I didn't want to buy a server for this when I had a perfectly good laptop to use. The RAM could be upgraded (Currently only 2GB) if I need to but in all honesty I can run 2 servers and 2 clients at the same time without any real problems. When doing so I just set my expectations accordingly. I guess it depends on what you want. I just want to have the servers and clients up, compromise them and then look at the effects of the compromise to see what I can learn from both an attacking and defending perspective. None of that requires any significant horsepower.

I really hope this helps and good luck. I believe Irongeek has done something recently on a hack lab, as has Pauldotcom in a recent episode (maybe 175 or around then).

All the best.

Dave said...

Hi Syn

I'd concur with the idea to post a network diagram. I don't know if you have access to Cisco's Packet Tracer or some other utility to create the diagram.

As far as ESXi is concerned, the guys at Hak5 did a great episode and subsequent series of posts about building hardware specifically for ESXi and they demonstrated the installation and initial configuration. I can retrieve the exact episode and url, if needed. Granted, their system has lots of "oomph" (i.e. 12GB RAM!) and as far as I recall it was for their real network in the HakHouse but they also use virtualisation in their episodes.

I plan to follow their guide (in terms of basic hardware) but it's unlikely that I'll need all that RAM, particularly as you can manage quite happily with 2GB.

The reason that I mentioned it is that the ESXi server is accessed from another PC or laptop which downloads the client application from the ESXi server. The only time that a KB and monitor are connected to the ESXi box is during the initial installation and configuration.

SynJunkie said...

Dave - Thanks for the tip regarding Packet Tracer. I already have the diagrams in Visio, but I just want to take a few details out that aren't necessary for the blog.

I did see a few of the Hak5 episodes when they were looking at VMWare, but I could do with re-watching them. I have a VMWare course coming up in Jan so hopefully I'll be a lot more clued up with the latest and greatest on offer from them. I have used VM Server, Workstation and Player but not ESXi, so it'll be fun to see what I'm missing.