How to Build Your Own Pentesting/Hacking Lab
If you’re interested in a career in penetration testing then testing your skills is a must. Having your own home penetration test lab is a great way to test new pentesting skills and penetration testing software.
Practicing is always the best way to improve your skills, however, the problem with hacking is that any real-world practicing on live systems could land you in legal trouble that will damage your future cybersecurity career more than lacking a few skill points here and there.
The solutions to this problem is a home penetration testing lab. In this article, I’ll tell you how to build your own lab so you can improve your hacking and penetration testing skills. There are several different options to having your own pentest lab, they all have their pros and cons so we’ll explore some options below.
SOLUTION 1: EXPENSIVE AND NOT ADVISED FOR BEGINNERS: CLOUD
Having a pentest lab in the cloud has several advantages; it takes up no space on your machine, the initial investment is small, and it’s easy to set up and begin using almost immediately. This option is great for beginners. You need to consider which provider you’re going to go with and what operating system you can do to your testing on. The cons to using the cloud are that if you want to use some weirder and more complex configurations this can be problematic, and you also might be limited by the cloud company’s terms of service.
You can use this free site as a start but it is really limited and their Kali Linux OS is really old. Check it out here: Linuxzoo.net . Just register for an account and you can start.
SOLUTION 2: BEST AND RELATIVELY CHEAP: VIRTUAL MACHINES
If you decide to do it on your own and avoid the cloud, then here’s what you should look out for. You need a laptop or computer with a decent amount of memory, think 16GB RAM upwards. This is because if you are running several VMs they will eat up a lot of memory. It’s also advisable to have an SSD/HDD of 320GB minimum, but more is definitely better. This option is cheap if you already have a laptop lying around, but expensive if you don’t.
Some great resources:
– Vulnhub’s HackinOS is a beginner level CTF style vulnerable machine. You can download it here.
– Security infrastructure: Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. You can download it here.
– Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. Download it here
– Practical Pen Test Labs: A hands-on practical penetration testing course that uses virtual environments. There are free labs available as well as premium ones – great for some low cost and easy to set up pen testing. You can check it out here.
– XAMPP development environment: XAMPP is the most popular PHP development environment. XAMPP is a completely free, easy to install Apache distribution containing MariaDB, PHP, and Perl. You can download it here.
Many of you here are new to hacking. If so, I strongly recommend that each of you set up a “laboratory” to practice your hacks. Just like any discipline, you need to practice, practice, and practice some more before you take it out to the real world.
In many disciplines, if you don’t practice, you fall victim to failure. In our discipline, if you don’t practice and fail, you may be serving years behind bars. This makes practice and a dedicated practice lab an even more compelling argument than with other disciplines.
Many of you have been having difficulty setting up your hacking environment to practice your hacks. In this tutorial, I will show you the simplest and fastest way to set up a lab to practice your hacks before taking them out into the real world where any slip-ups could be devastating!
Download VMware Workstation or Player
The best way to practice hacking is within a virtual environment. Essentially, you set up a hacking system, such as Kali Linux, and some victims to exploit. Ideally, you would want multiple operating systems (Windows XP, Vista, 7, and 8, as well as a Linux flavor) and applications so that you can try out a variety of hacks.
Virtual machines and a virtual network are the best and safest way to set up a hacking lab. There are several virtualization systems out there, including Citrix, Oracle’s VirtualBox, KVM, Microsoft’s Virtual PC and Hyper-V, and VMware’s Workstation, VMware Player and ESXi. For a laboratory environment, I strongly recommend VMware’s Workstation or Player. Workstation is commercial product that costs under $200, while Player is free. You can also get a free 30-day trial of Workstation.
Player is limited to just playing VMs, while Workstation can both create and play VMs. Let’s download VMware’s Workstation or Player here.
Download Kali VMware Images
Once you have downloaded and installed your virtualization system, our next step is to download the VMware images of Kali provided by Offensive Security. With these images, you won’t have to create the virtual machine, but simply run it from Workstation or Player—Offensive Security has already created this image for you. This means that once you have downloaded the VM of Kali, you can then use it in either Workstation or Player.
Unzip Images
Once you have completed the download, you will need to unzip the files. There are numerous zip utilities available for free including 7-Zip, WinZip, WinArchiver, etc. Download and install one and unzip the files. In the screenshot below, I have downloaded the free trial of WinZip and have used it to unzip the Kali files.
Open VMware Image
Once all the files have been unzipped, our next step is to open this new virtual machine. Make note of the location where you have unzipped the virtual machine image. Then, go to either VMware Workstation or Player and go to File -> Open like in the screenshot below.
This will open a window like that in the screenshot below. You can see that my Kali image was stored under documents, so I browse there and double-click on the folder.
When you do so, VMware will start your virtual machine and greet you with a screen like below.
Click on the green button in the upper left below “Kali-Linux-1.0.9-vm-amd64” that says “Power on this virtual machine.” You should be greeted by the now familiar Kali screen.
Simply use the user “root” and password “toor” to get started hacking! Happy Hunting!
Download & Install Targets
For the next step, you need to download and install a target system. Of course, you could use your own host Windows 7 or 8 system, but since this is practice, you might want to use an older, easier to hack system. In addition, hacking your own system can leave it unstable and damaged.
I recommend installing a Windows XP, Vista, Server 2003, or an older version of Linux. You can also check above for great resources such as Damn Vulnerable Machines. These systems have many known security flaws that you can practice on and, then when you become more proficient at hacking, you can then upgrade to Windows 7 and 8 and newer versions of Linux.
If you or your friends don’t have a copy of these older operating systems, you can purchase them very inexpensively many places on the Internet.
Of course, you can also obtain these operating systems for free on many of the torrent sites, but BEWARE… you will likely be downloading more than just the operating systems. VERY often, these free downloads include rootkits that will embed in your system when you open the file.
Download Old Applications
Once you have your operating system in place, very often you will need applications to run on these older versions of the Windows and Linux operating systems. You will likely need a browser, Office, Adobe products, etc. These older products have well-known security flaws that you can hone your skills on.
I like the site Old Apps to download many of these. Of course, once again, you can obtain these from many of the torrent sites with the same caveat as above of you might get more than you bargained for.
I’ll do a video tutorial on this. Stay tuned.