I want to build my own PenTest lab and I have only one machine available (with enough memory and disk space resources). My machine is a desktop connected to my Internet router. In my own home network there are only 2 other PCs which are connected to the same Internet router.
I installed VMware Workstation Player and I also have the following VMware virtual machines:
1x Kali Linux (= attacker machine)
1x Windows XP, 1x Windows 7, 1x Metasploitable (all as victim machines).
I am looking for the best Network Adapter setting for each VM. Because the VMs are located on my own desktop PC, I really don't want to cause any damage to my PC, and I really don't want the vulnerable machines to become an attack point for my own network.
The PenTest course trainer suggested having the entire virtual environment contained within the host, with only one gateway to the Internet, which will be the virtual Kali Linux host. That means the Kali Linux machine will have 2 NICs:
- 1x set to NAT, to allow the guest system to access the broader Internet through my host's connection.
- the other NIC set to Host-Only, to access the guests from the Kali machine, while nothing outside the private network can get into the machines.
All the vulnerable machines should be set up as Host-Only. He explained that in this way an entirely separate network is created for the vulnerable machines to sit on, where only my host can see them. Only the Kali Linux machine will have a connection to the Internet; all the other vulnerable machines will have no Internet access.
I found out that the setup of a PenTest lab could also include a firewall, as per the information in "Create a virtual network with a firewall using VMware player":
https://www.youtube.com/playlist?list=PLndqfxA_9SWFGC3uQ6JLOZH-w2FJlvtJP
Unfortunately, I could not get the Endian firewall working, i.e. if you choose the routed option for the RED interface (which includes the Ethernet DHCP option). I tried the setup several times with the same result: after I had done all the settings as per the video, clicked the "OK, apply configuration" button and the firewall rebooted, I was no longer able to connect to the firewall, i.e. the web interface does not appear any more and you get an error in the browser. I found a lot of similar cases in Internet forums, but no solution.
To move further, I found out that you could also use another firewall, e.g. pfSense, as per
Setting Up a Pentest Lab with pfSense in VirtualBox
I have not tried pfSense yet, and my question is:
Is the setting suggested by the trainer from the PenTest course the best in this case, or is it more secure to have a firewall involved in the PenTest lab architecture?
Thanks in advance!
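As an added example (not part of the question above), a small audit script that checks VMware `.vmx` files against the trainer's layout: the attacker VM has exactly one NAT and one Host-Only adapter, every victim VM has only Host-Only adapters, and nothing is bridged to the home LAN. The `ethernetN.present` / `ethernetN.connectionType` keys are real VMware settings; the VM names, the sample `.vmx` fragments and the "missing connectionType means bridged" default are assumptions made for this example.

```python
import re

# Constructed sample .vmx fragments for the four lab VMs (not real files).
SAMPLE_VMX = {
    "kali": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "nat"\n'
            'ethernet1.present = "TRUE"\nethernet1.connectionType = "hostonly"\n',
    "winxp": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "hostonly"\n',
    "win7": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "bridged"\n',
    "metasploitable": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "nat"\n',
}
ATTACKER = "kali"  # assumed name of the Kali VM

_KEY = re.compile(r'^(ethernet\d+)\.(present|connectionType)\s*=\s*"([^"]*)"', re.I)

def adapter_types(vmx_text):
    """Return the sorted connectionType of every present adapter, e.g. ['hostonly', 'nat'].
    Assumption: an adapter with no connectionType key is treated as bridged."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = _KEY.match(line.strip())
        if not m:
            continue
        nic, key, value = (g.lower() for g in m.groups())
        adapters.setdefault(nic, {"present": "true", "connectiontype": "bridged"})[key] = value
    return sorted(a["connectiontype"] for a in adapters.values() if a["present"] == "true")

def audit(vm_name, vmx_text, attacker=ATTACKER):
    """Return the list of policy violations for one VM (empty list = compliant)."""
    types = adapter_types(vmx_text)
    problems = []
    if "bridged" in types:
        problems.append("bridged adapter exposes the VM directly to the home LAN")
    if vm_name == attacker:
        if types != ["hostonly", "nat"]:
            problems.append(f"attacker needs exactly one nat + one hostonly adapter, has {types}")
    elif any(t != "hostonly" for t in types):
        problems.append(f"victim must have hostonly adapters only, has {types}")
    return problems

def audit_all(vmx_by_name, attacker=ATTACKER):
    """Map each non-compliant VM name to its violations."""
    return {n: p for n in vmx_by_name if (p := audit(n, vmx_by_name[n], attacker))}

if __name__ == "__main__":
    for name, problems in audit_all(SAMPLE_VMX).items():
        print(f"{name}: " + "; ".join(problems))
```

On a real lab, read each VM's `.vmx` from disk into the dictionary instead of the constructed fragments; the two flagged sample VMs show the misconfigurations the layout is meant to rule out.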