Penetration Testing mailing list archives
RE: Lab OS Choices
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Mon, 13 Aug 2007 10:05:42 -0400
I've found a few tests that worked against virtual machines but did not work against real machines. I agree, in most cases, there really is no difference. I also have some routers in my lab. That way, I can set up egress filtering between the servers and the attackers in the lab. That will help you get some realism about some things, particularly local exploits of machines inside the network (like an Exchange client attack). I think that also increases your credibility when talking with clients...for example, "In the lab, we set up egress filtering...blah, blah, blah...and with the filtering enabled, the remote exploit of the Exchange client worked in that it crashed the client, but it made it much more difficult to get to a command prompt on that box." That's not really part of the pen-test itself, but the real goal of the pen-test is to make the network more secure, and it definitely goes toward explaining to the client how to make their network more secure.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Peter Manis
Sent: Saturday, August 11, 2007 11:41 PM
To: Shenk, Jerry A
Cc: pen-test () securityfocus com
Subject: Re: Lab OS Choices

Is there a benefit to performing pen tests on physical machines vs virtual machines? I was under the impression that for the most part the differences are very slim.

Shaon, you mentioned that you thought I wanted to test remotely. It isn't that I don't want to; I just figured for a lab it would be fine to do it internally. Is there a learning benefit to working remotely vs locally? I don't mean local like attack IP = 10.0.10.1 and victim IP = 10.0.10.2, both with a 24-bit subnet; I mean with routers in between and subnet changes, etc.

Thanks.
PM

On 8/11/07, Shenk, Jerry A <jshenk () decommunications com> wrote:

You definitely want something that you can exploit so that you can learn how the exploits work. You also want to have a variety of operating systems with a variety of patch levels. I'd also recommend having enough stuff so that you can test a lot of the operating systems that you'll run into. Having said that, you also need to start somewhere...then your lab can grow.

I think I'd start with an unpatched Windows 2000 server. There are a ton of exploits and you can get a good handle on how stuff works. Honestly, you aren't gonna run into too many unpatched W2K boxes out there, so once you have that box set up, image the drive and start applying service packs. You will run into W2K boxes with a couple service packs but not all of them. You'll also want to have a box set up that is fully patched so that you can understand how your exploits work against a patched OS.

Another really nice, fun system is a Windows 2003 server without any patches. You'll also want to take that unpatched W2003 server and take an image of that up to the end of March. That's fairly current but still vulnerable to some REALLY nasty exploits - RPC/DNS for one lets you own the box, and in most cases, the box you'd be owning would be the DNS server which also has AD, so you can create a user and make them an enterprise admin...definitely a HUGE hole for a relatively recent OS. BTW, you can also play with that same exploit on any other DNS server that's a DC....really nasty!

You want to play with some workstation-class exploits too. Set up a mail server and an Exchange client so you can do some of the Exchange client exploits.

When I'm talking about "setting up a box", I have a couple old servers with drives that I swap around for this type of stuff....stuff people were throwing out. So for me, "a box" is really just a single drive. If you get used equipment, wipe the drives before you mess with 'em. You really don't want to accidentally leak somebody else's data. I know this is a lab environment and it shouldn't "leak", but still...they probably didn't wipe the drive, or I certainly wouldn't trust 'em.

VMware is also very popular. Each individual machine also fits my definition of "a box". I would recommend that you have at least a couple "real machines" that you use, but VMware is a really slick way to test things out. There are some attacks that act differently on VMware and a "real machine"....that's why you have a lab, so you can learn those differences.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Peter Manis
Sent: Saturday, August 11, 2007 6:40 PM
To: pen-test () securityfocus com
Subject: Lab OS Choices

I am new to the world of pen testing and am working on building a lab. What operating systems and versions do you recommend for a good all-around lab? Windows of course is a big one, but do you go back to 98? Being a beginner, I would think having all the patches on XP or Vista might make it difficult to learn. I would also think adding a secure OS like OpenBSD would be a waste of time for a beginner to try to gain access to. All advice is appreciated.
------------------------------------------------------------------------
This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads
------------------------------------------------------------------------
**DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
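As an added example that is not part of the thread, here is one way to express the lab egress filtering Jerry describes as an iptables ruleset on a Linux lab router sitting between the server segment and the attacker segment: the attacker segment may reach the servers, but the server segment may only initiate DNS and HTTP outbound, so an exploited box's attempt to connect back on any other port is dropped and logged. Interface names and subnets are assumptions constructed for this example.

```shell
#!/bin/sh
# Constructed lab layout (assumptions, adjust to your own router):
SERVER_IF="eth1"            # lab "victim" segment interface
ATTACK_IF="eth2"            # lab attacker segment interface
SERVER_NET="10.0.20.0/24"   # victim servers / Exchange client live here
ATTACK_NET="10.0.10.0/24"   # attacking machines live here

# Emit the FORWARD-chain rules. Default policy is DROP; only replies to
# existing connections, attacker->server traffic, and server-initiated
# DNS/HTTP are forwarded. Everything else the servers initiate is logged
# (rate-limited) and dropped, which is what blocks a reverse connection
# from a crashed or exploited client back to the attacker segment.
lab_egress_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ATTACK_IF -o $SERVER_IF -s $ATTACK_NET -d $SERVER_NET -j ACCEPT
iptables -A FORWARD -i $SERVER_IF -s $SERVER_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $SERVER_IF -s $SERVER_NET -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $SERVER_IF -m limit --limit 5/min -j LOG --log-prefix "LAB-EGRESS-DROP: "
iptables -A FORWARD -i $SERVER_IF -j DROP
EOF
}

# Sanity check before applying: how many rules let the server segment
# initiate traffic? With the ruleset above it should be exactly 2.
count_server_allow() {
    lab_egress_rules | grep -c -- "-i $SERVER_IF .*-j ACCEPT"
}

case "${1:-}" in
    --apply) lab_egress_rules | sh ;;   # run as root on the lab router
    *)       lab_egress_rules ;;        # dry run: just print the rules
esac
```

Dropped connection attempts show up in the router's kernel log with the `LAB-EGRESS-DROP:` prefix, which is the evidence you can show a client when explaining why egress filtering matters.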
Current thread:
- Lab OS Choices Peter Manis (Aug 11)
- Re: Lab OS Choices Deepak Parashar (Aug 12)
- RE: Lab OS Choices Shenk, Jerry A (Aug 12)
- Re: Lab OS Choices Peter Manis (Aug 12)
- Re: Lab OS Choices Peter Manis (Aug 12)
- RE: Lab OS Choices Shenk, Jerry A (Aug 13)
- Re: Lab OS Choices Pete Herzog (Aug 15)
- Re: Lab OS Choices Peter Manis (Aug 15)
- Re: Lab OS Choices Pete Herzog (Aug 16)
- Re: Lab OS Choices Peter Manis (Aug 15)
- Re: Lab OS Choices Pete Herzog (Aug 16)
- Re: Lab OS Choices Peter Manis (Aug 16)
- Re: Lab OS Choices Pete Herzog (Aug 17)
- Re: Lab OS Choices Peter Manis (Aug 12)
- Re: Lab OS Choices M . B . Jr . (Aug 17)
- <Possible follow-ups>
- Re: Lab OS Choices Shaon Diwakar (Aug 12)