When I started learning cybersecurity, I quickly realized that by just reading security books, materials, and online forums I could not retain the concepts I had learned for long; with time, they faded away. As you may know, one of the best strategies for learning a subject is to teach it. Realistically, active hands-on learning is arguably (to some extent) as effective as teaching the subject. Therefore, I decided to dedicate this blog post to the resources that can assist you in designing and developing your own virtual lab, where you can practice all the techniques you learn from the Internet, books, news, conferences, and networking with professionals.
First, you will definitely need to learn how to install a hypervisor and a virtual machine on it; this is typically done with Microsoft Hyper-V, Oracle VirtualBox, or VMware Workstation/Fusion. Second, you can start thinking about drawing a network diagram that will help you keep on track once you start installing virtual machines and connecting them together.
Typically, for the attacking machine, you can set up a Kali box or download a pre-built image from Offensive Security: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/. You will also need to learn about firewalls, and pfSense (https://pfsense.org/download/) can be a good start. Then, you can follow the guides that you can find on the Internet or in books to install the other machines that will expand your lab environment. For instance, you could install an Ubuntu virtual machine and set it up as a DNS server. Afterwards, you could install a CentOS virtual machine and use it as your web server with Apache (or nginx), MySQL, and PHP/Perl/Python (a LAMP stack). The following steps could be grabbing the pre-built images from the web sites listed below or installing some of those applications on the newly deployed virtual machines.
Some of the books that may help you in making the offensive-security lab are: “Advanced Penetration Testing for Highly-Secured Environments – Second Edition” (By: Lee Allen, Kevin Cardwell) and “The Hacker Playbook 2: Practical Guide To Penetration Testing” (By: Peter Kim). Some of the common ready-to-use virtual machine (VM) images you can deploy in your lab are:
- Metasploitable3, URL: https://github.com/rapid7/metasploitable3. A Windows-based vulnerable environment with CTF-style flags.
- Metasploitable2, URL: https://community.rapid7.com/docs/DOC-1875. A Linux-based vulnerable environment.
- PentesterLab Exercises, URL: https://pentesterlab.com/exercises/. PentesterLab provides preconfigured VM images and courses that teach how to perform exploitation. There are both free and paid exercises.
- Kioptrix VMs, URL: http://www.kioptrix.com/blog/test-page/. Vulnerable ready-to-go VMs.
- Vulnhub, URL: https://www.vulnhub.com/. Vulnerable ready-to-go VMs.
- OWASP Mutillidae, URL: https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project. A vulnerable web application.
- OWASP WebGoat, URL: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project. A vulnerable web application.
- OWASP SecurityShepherd, URL: https://github.com/OWASP/SecurityShepherd. A training environment to practice web and mobile application security.
- OWASP GoatDroid, URL: https://github.com/jackMannino/OWASP-GoatDroid-Project. Training for secure Android development.
- SuperSecureBank, URL: https://github.com/SecurityInnovation/SuperSecureBank. A vulnerable web application representing a fictional bank.
Other resources that may help you develop your practical cybersecurity skills:
- Wargames, URL: http://overthewire.org/wargames/. Wargames to learn security concepts.
- Hack-me, URL: https://hack.me/explore/. Mini-challenges built by community contributors.
- Running your own CTF, URL: https://github.com/facebook/fbctf/blob/master/README.md. Facebook's open-source CTF platform.
- DIVA Android, URL: https://github.com/payatu/diva-android. A vulnerable Android app.
- DVIA, URL: http://damnvulnerableiosapp.com/. A vulnerable iOS app.
- Game of Hacks, URL: http://www.gameofhacks.com/. Spotting vulnerabilities in code samples.
- Hack This Site, URL: https://www.hackthissite.org/. Training for web applications.