Mike here – I am going to pull some tidbits from the Mastering Kali for Web Pen Test book to help get things rolling – we’ll mix up the content between topics, but I wanted to give you something to chew on 😉
So you are probably asking, when can we have some pen testing fun? Let’s just say soon. First we have to establish a safe yet representative environment that provides ripe targets for the various tests we’d like to run. We also want to push the limits without impacting the performance of real production applications or their underlying systems and supporting networks. Variety is the spice of life, and that holds true in penetration testing as well.
Your efficacy in testing will be greatly improved by some exposure to and knowledge of a variety of platforms. There are some great resources, such as Packt’s own Building Virtual Pentesting Labs for Advanced Penetration Testing – Second Edition by Kevin Cardwell, if you would like to dive into a more rigorous all-purpose pen testing range. In this section, we’ll briefly discuss the sandbox, or laboratory, that we’ll be using in this book to rehearse our pen testing approaches.
For reference, my lab for this book looked similar to the following diagram:
You’ll want a desktop or laptop running some flavor of Microsoft Windows, Mac OS (X or Sierra), or Linux/BSD (Ubuntu/Debian, Fedora/RedHat, SUSE, FreeBSD, and so on). Don’t sweat the small stuff – so long as it is a fairly new and well-provisioned laptop or desktop (4 modern CPU cores, Ethernet and wireless, a few USB 2 or USB 3 ports, and 16 GB of RAM minimum), it should at least get you started.
At the risk of opening yet another fanatical debate, we’ll want to select a virtualization platform to run on top of this (sorry!). Virtualization levels the playing field and improves our lab’s versatility: it lets us establish an isolated virtual network segment and install and access virtual machines (VMs) for Windows and Linux desktop and server variants. Choose what fits your budget and preference.
Options such as Oracle’s VirtualBox, VMware’s Workstation or Fusion, Citrix Xen, or even Parallels (on the Mac) are popular. Performance in web application penetration testing isn’t as big a deal as in some other forms of testing, as we won’t be doing real-time cracking or hashing in most of our work.
It should be noted that you can certainly use dedicated servers or bare-metal (physical) hosts and network equipment to build a lab, but we’ll be able to do everything in this book using our virtual sandbox. In actual practice, it is more common to see professional pen testers use virtual machines to perform their testing, as it helps assure customers that proper sanitization and isolation are occurring. The tester can simply host the VM on a removable or networked drive and delete the VM when the project is complete.
We’ll talk in my next post about what to do with all of this fine hardware!