RE: setting up a lab

["Shenk, Jerry A" <jshenk () decommunications com>]

One thing that I personally like is having a bunch of drives with
different operating systems.  For the testing you're talking about, 20
gig drives would be fine....even some 10 gig drives.  5 gigs is a little
small but they would work in some cases as well....particular for
workstations and older servers.

What you can do is start with a basic install of a particular OS (lets
say W2003 server) and then image the drive and apply patches to the
copy.  At this point, you'll have two drives with this OS.  Now, you can
try things like the RPC DNS exploit on the original drive (vulnerable)
and on the fully patched version (not vulnerable).  You'll want to get a
label machine and lay out some good documentation.  I record how the
drive was initially set up and what patches and applications were
applied.  So, in this example, I'd record that drive TEST1 was a W2003
Std Server.  Then drive TEST2 would be "drive TEST1 with all current
patches as of 9/8/2008".  Now, in practice, I would NOT jump straight
from the drive TEST1 to a fully patched OS in one shot....I'd want as
many interim stops as I could get.

You'll notice that I didn't just label the drive 1 but TEST1.  In this
case, TEST is the name of a machine.  This is assuming that eventually
you'll have more than one test box.

Now, to make the images, I use dd.  This command-line will work if you
are using IDE drives and you have two IDE channels and the original
drive is the first IDE drive on one channel with the CD-Rom drive also
on that channel.  And, the destination is the first IDE drive on the 2nd
channel.  (Using the channels like this is handy 'cuz it avoids the need
to play with jumpers).

--dd if=/dev/hda of=/dev/hdc bs=4096

And, there are MANY variations of this!!;)

Good luck - setting up a lab is a GREAT idea!

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Kitange
Sent: Sunday, September 07, 2008 1:07 PM
To: pen-test () securityfocus com
Subject: setting up a lab

hi guys,
i am looking for tips on creating my own pen-test lab. i've got two
computest. one xp and the other one zenwalk. i've got a router
(d-link) and an internet connection on the router.
i'd also like to know what tools should i use to test and some good
vulnerable servers. i'm currently downloading backtrack3.
thanks for help in advance.

--
Sent from Gmail for mobile | mobile.google.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
message. If you have received this communication in error, please notify the sender and delete this e-mail message. The 
contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------