Home Lab Setup
Having a home or online lab is crucial for advancing a career in information security. It is also a great way to gain experience when employers aren’t giving you a chance. You should be willing to try things, and even break things, in your lab. Constant troubleshooting is a surefire way to learn the ins and outs of hardware, software, and networking. Additionally, it will give you the ability to speak to the tools, techniques and procedures that are used in the real world. Although most of your tools may be free and go by a different name than their commercial counterparts, the concepts of network monitoring and defense are the same.
Understanding networking is a very valuable skill, and over time it will become something you don’t have to think about much. It is not a necessity, but it is highly recommended to purchase a second router and connect its WAN port to the router already given to you by your service provider. This “helps” keep your home environment separate from your lab environment. Keep in mind what the quotes mean: the second router only blocks connections initiated from the home side into the lab, while lab hosts can still reach your home network through the double NAT unless you add a rule on the lab router that blocks traffic to the home subnet. By all means, get familiar with the service provider’s router. Chances are it still has a default username and password that has never been changed, so change it, and disable remote administration from the WAN side while you are in there. It is also good to take a look around and view the current settings and options. You may want to customize IPv6 settings, assign static IP addresses to your devices, or change the IP addressing scheme.
The hardware is important because it will provide most if not all of your processing power and memory. To start, you can just use your laptop. Nowadays a normal laptop can host 2-3 virtual machines without any issues; RAM is usually the first limit you hit. If you want to step it up you can use Mac minis or Zotac boxes. As always, feel free to customize your systems. If you really want to step it up then you can purchase refurbished servers, just keep in mind that they may require additional power and/or cooling.
Virtualization software, often referred to as a hypervisor, is software that uses the processing power of your hardware (laptop/desktop/server) to create and operate virtual machines (VMs). Think of it as having a computer inside of a computer. Virtualization is great because it allows you to quickly create a VM and save the state of that VM (a snapshot) so you can “revert” back to that point if you need to, for example after an exploit attempt breaks a target or after malware runs. This is great for testing and/or development environments. The top virtualization software is VirtualBox (free; Windows, macOS and Linux), VMware Workstation Player (free for personal use; Windows and Linux), VMware Fusion ($79) or VMware Fusion Pro ($159) on macOS, and Hyper-V (free; built into Windows 10 Pro/Enterprise and Windows Server, enabled as a feature). VMware also offers ESXi, a bare-metal hypervisor that installs directly on a physical server with no host operating system. This is great for when the number of required VMs gets too high for your computer/laptop to manage.
Personally, I’m a fan of VMware due to its interface and ease of use on my Mac. VirtualBox has come a long way from what I’m used to, and since I create separate networks in my lab, VirtualBox easily allows me to create them and assign my VMs’ interfaces to them. VirtualBox also allows you to put your VMs into groups in case you need to start and stop multiple VMs at the same time. So, because I like them both, I use both of them at the same time.
Over time, you will notice that virtualization gets addictive and you will want more machines. This will require more storage, memory and processing power. There are some really good cloud providers that allow you to create VMs with the click of a button. The next steps would be to check out DigitalOcean, Amazon AWS, Google Compute Engine, and Microsoft Azure. I would do some comparison shopping first to find the best service for your needs. Keep in mind that you may want to scale later … remember, it gets addictive.
Network Monitoring and IDS/IPS
It is very important to monitor your network to better understand the types of traffic and information that may flow through it. It is also good to understand “why” everything works the way it does. A really good option, and something we should all be familiar with, is Wireshark. Simply put, Wireshark is amazing! If you’re into network forensics then Wireshark is the way to go.
Another great free option is Security Onion. Doug Burks and the Security Onion Solutions team consistently produce ISOs with updated builds, so be sure to keep your instance up to date. It is a Linux distribution, which you can get for free, and includes network monitoring and log management tools. You can literally get it up and running in about 8 minutes, just remember to add an extra interface ;-). That second interface is the sniffing interface: attach it to the lab network and, in the hypervisor, allow promiscuous mode on it (in VirtualBox, set the adapter’s Promiscuous Mode to “Allow All”), otherwise Security Onion will only ever see its own traffic.
Being able to detect vulnerabilities is another crucial part of network defense and exploitation. Just like any other technology, there are many tools to choose from. Note that finding vulnerabilities is different from finding malware; for that you can use any of the 60 or so antivirus engines out there, which we’ll save for a later date.
Since we are speaking at the network level, a good place to start is Nmap. It’s free, and its scripting engine (NSE) contains hundreds of scripts that you can run individually or by category (for example --script vuln) so that Nmap doubles as a basic vulnerability scanner. Always write the results to a machine-readable file as well (-oX or -oA) so you can compare scans over time or feed them into other tools. Two more options are Nessus, which now offers a free seven-day trial, and Retina, which is free for the first 256 IPs.
Oh yes … the firewall. Just like IDS signatures, a firewall is only as good as its access control list, and attackers will constantly try to work around both. No matter what operating system you are using, you should familiarize yourself with your host-based firewall. It is always good to know what ports and services are allowed in and out of your host; a default-deny inbound policy with explicit allow rules is the goal. For Ubuntu Linux users there’s iptables (ufw is a simpler front end to it). If you want to take it a step further, invest some time and energy in getting familiar with pfSense. Besides being free, pfSense can also serve as your router, VPN server and much, much more. The pfSense install and configuration is a bit advanced, so be sure to take your time, watch plenty of YouTube tutorials and practice, practice, practice.
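Once Nmap writes XML, the scan becomes data you can query, diff and forward. The following is an added example, not code from the original post: it parses Nmap’s -oX output into one finding per open port, including any NSE script output. SAMPLE_NMAP_XML is a constructed sample in the shape Nmap emits (the host 10.10.10.5, the banners and the script output are made up for illustration).

```python
"""Turn Nmap XML output (-oX) into structured findings.

Added example; not code from the original post.  SAMPLE_NMAP_XML is a
constructed sample in the shape Nmap emits (host, ports, service banners
and script output are made up); 10.10.10.5 is an assumed lab address.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 10.10.10.5">
  <host>
    <status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.2"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one finding per open port: host, port, service/version, NSE output."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # hosts without an IPv4 address are skipped in this example
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports have nothing to assess
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            findings.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", "unknown"),
                "version": version,
                # NSE scripts attach to the port; keep id -> output text
                "scripts": {s.get("id"): s.get("output", "").strip()
                            for s in port.findall("script")},
            })
    return findings


def open_ports(findings, host):
    """Sorted list of open port numbers seen on `host`."""
    return sorted(f["port"] for f in findings if f["host"] == host)


def script_hits(findings, needle):
    """(host, port, script id) for every NSE script whose output contains `needle`.

    Scripts in the vuln category print the word VULNERABLE on a hit; default
    scripts such as ftp-anon print a plain message, so the needle is a parameter.
    """
    return [(f["host"], f["port"], sid)
            for f in findings
            for sid, out in f["scripts"].items()
            if needle in out]


if __name__ == "__main__":
    results = parse_nmap_xml(SAMPLE_NMAP_XML)
    for f in results:
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']} {f['version']}")
    print("script hits:", script_hits(results, "Anonymous FTP"))
```

Run a real scan with `nmap -sV -sC -oX scan.xml <lab host>` and pass the file contents to parse_nmap_xml; keeping each scan’s XML lets you diff open ports between runs, which is how you notice a new service appearing in the lab.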
Security Information and Event Management (SIEM) Tools
Lastly, to wrap it all up and feed your logs and event data into one tool, you will want to invest a bit in a SIEM. It is perfect for analyzing data in near real time. Also, because most are web-based, with the proper configuration you can monitor your home or work environment from anywhere in the world. Yes, HTTPS is your friend, but don’t port-forward the SIEM’s web interface to the internet; reach it over a VPN instead (pfSense, mentioned above, can provide one). I’d recommend Splunk, which is free for up to 500 MB of indexed data per day. Depending on your setup, you may be able to get away with this. At a minimum, send the Security and Application event logs from your Windows Server 2012 box to the Splunk box. You can also easily send over your Nessus results. Other options include QRadar, SolarWinds, NetWitness and AlienVault … all of which I’m still evaluating and will report on very soon.
Just keep in mind that as the tooling gets more advanced, so does the price. Some tools also require registering with the vendor for a license key before they will run.
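The value of a SIEM is the correlation you run on top of the collected events. Here is an added example, not code from the original post, of the first detection most people write once Windows Security logs are flowing: password guessing against a server. SAMPLE_EVENTS are constructed events in the shape a SIEM indexes from the Windows Security log (Event ID 4625 = failed logon, 4624 = successful logon); the users, addresses and times are made up. The threshold and window are assumed starting values, not settings from the post.

```python
"""SIEM-style detection: password guessing against a Windows server.

Added example; not code from the original post.  SAMPLE_EVENTS are constructed
Windows Security events as a SIEM would index them (4625 = failed logon,
4624 = successful logon); users, source addresses and times are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def event(ts, event_id, user, source_ip):
    """Build one normalized event from the fields a SIEM extracts from 4624/4625."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "user": user, "source_ip": source_ip}


SAMPLE_EVENTS = [
    event("2019-03-01T21:50:00", 4624, "jdoe", "10.10.10.20"),           # normal logon
    event("2019-03-01T22:00:01", 4625, "Administrator", "10.10.10.7"),
    event("2019-03-01T22:00:05", 4625, "Administrator", "10.10.10.7"),
    event("2019-03-01T22:00:09", 4625, "Administrator", "10.10.10.7"),
    event("2019-03-01T22:00:13", 4625, "backup", "10.10.10.7"),
    event("2019-03-01T22:00:17", 4625, "Administrator", "10.10.10.7"),
    event("2019-03-01T22:00:21", 4625, "Administrator", "10.10.10.7"),
    event("2019-03-01T22:00:30", 4624, "Administrator", "10.10.10.7"),  # a guess worked
    event("2019-03-01T22:01:00", 4625, "jdoe", "10.10.10.20"),           # one typo, no alert
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source address with `threshold` or more failed logons inside
    `window`, and report whether that source logged on successfully afterwards,
    which turns a noisy alert into a likely compromise."""
    ordered = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)
    for e in ordered:
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        for start in range(len(fails)):
            # Extend the run while failures stay inside the window from `start`
            end = start
            while (end + 1 < len(fails)
                   and fails[end + 1]["time"] - fails[start]["time"] <= window):
                end += 1
            run = fails[start:end + 1]
            if len(run) < threshold:
                continue
            success_after = any(
                e["event_id"] == 4624 and e["source_ip"] == ip
                and e["time"] > run[-1]["time"]
                for e in ordered)
            alerts.append({
                "source_ip": ip,
                "failures": len(run),
                "users": sorted({f["user"] for f in run}),
                "first": run[0]["time"].isoformat(),
                "last": run[-1]["time"].isoformat(),
                "success_after": success_after,
            })
            break  # one alert per source; a real rule would also suppress repeats
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

In Splunk the same idea is a scheduled search that counts 4625 events by source address over a time window; the success_after flag is what you would add with a join or a second search against 4624, and it is the difference between “someone is knocking” and “someone got in”.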
If you made it this far, great: now you’ll need some virtual machines to add to your lab to increase your testing and hands-on experience.
Kali Linux, by Offensive Security, is an operating system for hackers built by hackers. It has hundreds of tools that will easily allow you to perform tasks like enumeration, vulnerability scanning, Wi-Fi testing, and exploitation of various types of software and services. Kali also ships a local copy of Exploit-DB (searchable with searchsploit), a repository of exploits that you should become familiar with if you aren’t already. Keep in mind that Kali, although popular, is not the be-all and end-all of exploitation. There are often other ways to exploit a machine that don’t require Kali Linux at all. In short, you shouldn’t become 100% dependent on it.
It is highly recommended that your first target machine be Metasploitable2, aka “the punching bag for pentesters.” It has lots of vulnerable services that allow you to practice various exploitation techniques. There’s also a vulnerability guide that serves as a walkthrough in case you need help compromising this machine. Another great attribute is that it also hosts vulnerable web applications with built-in tutorials (DVWA, listed below, is one of them), which even let you set different security levels while testing. This is a great operating system for those at the beginning of their enumeration and exploitation journey. Keep it on the isolated lab network and never expose it to the internet; it is deliberately trivial to compromise.
Metasploitable3 is for those who have already familiarized themselves with Metasploitable2 and would like to take it to the next level. The install is a little more complex, and additional software such as Vagrant and Packer is required to build the (Windows-based) VM. It’s also a great way to acquire some additional hands-on experience, because chances are the build will not go as smoothly as planned. It will take some time to complete depending on your internet speed, so just be very patient.
It is now time to start learning about Windows Server technology and roles. Microsoft lets you download evaluation versions of its server operating systems from the Evaluation Center. I recommend starting with Windows Server 2012 R2. This will allow you to become familiar with Active Directory, creating users and groups, and server roles such as DHCP, IIS, DNS and more. Evaluation builds are time-limited (180 days for 2012 R2), so take a snapshot right after installation and activation. For additional reference material on server roles, you can check out Eli the Computer Guy or other videos on YouTube.
Microsoft also provides free virtual machines for testing Internet Explorer 8 through 11 and Edge, each on a different Windows build. This is a great way to take an initial look at Windows 7 (x86), Windows 8.1 (x86), and Windows 10 (x64). They are time-limited evaluation images and you will see some watermark text displayed on the desktop, but at least you’ll have a Windows client operating system in your lab.
There are also community repositories of vulnerable machines where new images are put out regularly and the walkthroughs are released soon after. You should always try to exploit the machines on your own or with a group. Use the walkthrough for hints if you get stuck, and add the techniques to your exploitation notes!
Here’s a quick list of sites you can use to research, download, and add vulnerable machines to your lab:
- Kali Linux
- Metasploitable2 (Linux)
- Metasploitable3 (Windows)
- Windows Server Evaluation Center
- Microsoft Edge
- Security Onion
- OWASP Security Shepherd 3.0
- Damn Vulnerable Web Application (DVWA)
- Buscador Investigative Operating System
If you don’t have the hardware just yet and you would still like to practice you can use the following sites:
Books! Here are few books I feel every aspiring #InfoSec professional should have in their library:
- TCP/IP For Dummies
- Wireshark 101 (2nd Edition), Troubleshooting with Wireshark, Practical Packet Analysis
- IPv6 Essentials, Practical IPv6 for Windows Administrators, IPv6 Security
- Penetration Testing: A Hands-On Introduction to Hacking
- The Hacker Playbook 1, The Hacker Playbook 2, and The Hacker Playbook 3
- The Web Application Hacker’s Handbook 2
- Practical Malware Analysis, The Art of Memory Forensics
- Learn PowerShell in a Month of Lunches
- Black Hat Python, Violent Python
Resource repositories … industry professionals have already put in a lot of the work for you and have provided tips, materials and links to help you on your journey!
Bear with me as I’m still compiling a list of repositories and will update this list very soon.