Creating Your Own Penetration Testing Targets
Apart from practicing penetration testing skills on the available web applications and vulnerable operating systems, when working in an organization, or teaching information security in one, it is sometimes better to create your own penetration testing environments on which students can practice their skills.
The penetration testing environment could consist of a well set-up lab that includes a few virtual machines running different operating systems. The students should practice penetration testing against both known and unknown OSes, and learn the skills of both white-box and black-box penetration testing.
The emphasis during a penetration test shouldn’t be limited to getting access to a certain machine; instead, it should be on how deep one can go into an operating system and how much more information one can get. Also, relying on tools should be avoided until the user has learnt all the basic skills needed to perform that particular operation. Tools may sometimes speed up the process of penetration testing, but they may also make the user dependent on always using them, which is a strict NO while learning.
Following is one test setup for a pentest lab in a virtual environment:
The main machine would have Metasploit and the other necessary pentest tools installed. A *nix box such as Ubuntu is preferred. The system should then run multiple OSes in VirtualBox. The operating systems could include Metasploitable (vulnerable target OS by Metasploit), various versions of Windows, such as XP and Server 2000, and a Red Hat OS. Make sure the network setup is “Host Only”, as it allows the host and the guest virtual machines to communicate with each other. Also, don’t forget to choose the subnet for the network (e.g., 10.0.1.14). The subnet must be within a private range.
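A check for the network setup described above, as an added example that is not part of the original article: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` to confirm that every enabled NIC on a lab VM is host-only, and verifies that the chosen subnet sits inside an RFC 1918 private range. The sample output, the VM names, and the /24 prefix on 10.0.1.14 are constructed assumptions.

```python
import ipaddress
import re

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NIC_LINE = re.compile(r'^nic(\d+)="([^"]*)"$')

def subnet_is_private(cidr):
    """True if the IPv4 subnet containing `cidr` lies inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def nic_modes(showvminfo_text):
    """Map NIC slot -> attachment mode from --machinereadable output."""
    modes = {}
    for line in showvminfo_text.splitlines():
        match = NIC_LINE.match(line.strip())
        if match:
            modes[int(match.group(1))] = match.group(2)
    return modes

def isolation_findings(vm_name, showvminfo_text):
    """List every enabled NIC that is not host-only; empty list means OK."""
    findings = []
    for slot, mode in sorted(nic_modes(showvminfo_text).items()):
        if mode not in ("none", "hostonly"):
            findings.append(f"{vm_name}: nic{slot} is '{mode}', expected 'hostonly'")
    return findings

# Constructed sample output (not captured from a real lab).
SAMPLE_OK = '''name="metasploitable"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
'''
SAMPLE_BAD = '''name="winxp"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="bridged"
bridgeadapter2="eth0"
'''

if __name__ == "__main__":
    print(subnet_is_private("10.0.1.14/24"))  # /24 prefix is an assumption
    for name, text in (("metasploitable", SAMPLE_OK), ("winxp", SAMPLE_BAD)):
        print(name, isolation_findings(name, text) or "host-only only")
```

A second adapter left in bridged or NAT mode is the usual way a deliberately vulnerable guest ends up reachable from outside the lab, which is why the check inspects every NIC slot rather than only the first.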
The attacker should get familiar with the various exploits and attack methods for each of the different operating systems, and should try to get access to each machine.