- Building a Pentesting Lab for Wireless Networks
- Vyacheslav Fadyushin, Andrey Popov
- 2021-07-09 20:17:04
Understanding what tasks your lab should fulfill
Under this topic, we are going to help you determine your needs and what you want to achieve with your lab. After understanding your needs, you will be able to set requirements for your lab, stating what it should contain and how its components should interact. This step allows you to prepare the basis for the next step: deciding which lab components you need to include in the lab and which roles to assign to them.
Objectives of a lab
Let's start by listing the typical purposes for having a lab:
- Learn practical penetration testing: It is essential for a beginner to have an environment where they can practice the penetration testing techniques they learn and consolidate newly learned information. During this education, you will most likely want to have a model of a real-world corporate network, and you can emulate it in a lab.
- Improve and maintain penetration testing skills: Experienced professionals also need a lab to periodically try new attack techniques, research vulnerabilities, or refresh their knowledge. Penetration testing knowledge and hacking skills tend to be forgotten or fade without regular practical exercises, and this is equally true for pentesters and for all other professions and specialties.
- Evaluate penetration testing tools and frameworks: You can use a lab to quickly deploy new penetration testing frameworks and attack suites and test their capabilities, convenience, effectiveness, and result quality. It can be especially helpful when dealing with one or more commercial tools or frameworks and you need to understand whether a tool is worth paying for, whether you get what you expect from it, and to compare several tools to decide which one you are going to buy and use. Even black-hat hackers are interested in testing various security solutions to tweak their attack tools, develop or modify malware that is not supposed to be detected or beaten by security solutions, or perform research for the purpose of identifying and abusing new vulnerabilities in security solutions.
- Evaluate security tools and solutions: Normally, almost all penetration testing projects include not only hacking activities, but also a phase of developing security recommendations based on the results of a test. To be able to provide deep, high-quality recommendations, a security professional has to be familiar with the recommended solutions, and one of the ways to do so is to try the security solutions themselves.
- Demonstrate attacks and security risks: Sometimes, a customer or a company's management (which is also a customer for a security specialist, but an internal one) wants to better understand the risks associated with certain vulnerabilities to be able to make a correct risk-management decision. Attack demonstrations can also be very helpful in an education process when teaching other people while giving security testing classes. Various attack techniques can be demonstrated in real time or can be recorded in a lab environment and then shown in a class. As was already mentioned earlier, seeing in an example how an attack works increases the education quality significantly. A lot of companies worldwide maintain awareness programs to educate their employees in security to reduce the risks associated with the so-called "human factor." A lot of awareness programs face the same problem: it is hard for non-security professionals to grasp security risks, and thus it is hard for them to remember and follow security rules and recommendations. Using a lab in an awareness program to demonstrate the risks to employees helps them to better understand and remember them, because they have seen what can happen and how. Another example is when a security specialist needs to demonstrate attacks and associated risks for marketing purposes.
Although there are some other very specific reasons why one might need a lab, most cases usually fit into the purposes listed above and can be categorized this way.
Lab tasks
Now it is time for you to determine what you want to improve, test, research, or demonstrate with your lab; which areas of security testing; and which skills are your main points of interest. To simplify our list, we group them by area.
Note
Sometimes, it may seem odd that we refer to IT-infrastructure hacking in a book about a wireless lab, but we would like to clarify this point: when we talk about corporate networks (where penetration testing makes sense), we should keep in mind that wireless networks have their own underlying network infrastructure, and they are usually connected to other networks with important corporate IT resources. This is what we want to emulate in a lab: WLANs protected in different ways for practicing wireless penetration testing, which at the same time provide wireless access to a model of a real-world network for other types of hacking.
Network reconnaissance
To perform a successful penetration test, it is essential to understand the target of an attack, and network reconnaissance is the basis for that. As probably the most important stage of penetration testing, network reconnaissance is basically gathering and processing all the available information about an attack target, its features, and its capabilities. Network reconnaissance can be:
- Active: This involves interaction with a target, by sending specially crafted packets and then analyzing how the target reacts to them
- Passive: This does not require any interaction, and it is performed by listening to radio and wired network traffic
The goals of an activity could be:
- To collect sensitive data, which is being transmitted unencrypted, for example, the content of network frames
- To collect information about a target network topology and network protocols in use (including obsolete and dangerous protocols detection)
- To obtain versions of network services, system software, and applications
- To identify vendors and models of hardware in use
The final part of network reconnaissance is a comprehensive analysis of the gathered information to identify potential vulnerabilities and misconfigurations of the target environment that can be exploited, and to develop an attack plan from them.
Thus, the more information you collect, the better your chances of success.
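Passive reconnaissance of a WLAN, as described above, starts with the beacon frames every access point broadcasts: they reveal the SSID, channel, and the protection type in use, which is exactly the "obsolete and dangerous protocol detection" the goals list mentions. The following example, added here and not taken from the book, parses raw 802.11 beacon frames with only the Python standard library and builds an inventory that flags Open, WEP, WPA1 and TKIP networks as weak. The beacon frames are constructed in the block itself (the `build_beacon` and `rsn_ie` helpers exist only to produce test data), so it runs offline; the BSSIDs and SSIDs are made up.

```python
import struct

# IEEE 802.11 element IDs used in beacon frames
TAG_SSID = 0
TAG_DS_PARAM = 3        # DS Parameter Set: carries the channel number
TAG_RSN = 48            # RSN element: WPA2/WPA3 parameters
TAG_VENDOR = 221        # vendor-specific; WPA1 uses OUI 00:50:f2 type 1
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"
CAP_PRIVACY = 0x0010    # capability bit set when WEP or better is required

# RSN suite selectors share the OUI 00-0f-ac; only the type byte differs
CIPHERS = {2: "TKIP", 4: "CCMP"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}


def build_beacon(bssid, ssid, channel, privacy=False, extra_ies=b""):
    """Constructed beacon frame for offline testing (not a real capture)."""
    fc = b"\x80\x00"                                  # type 0 (mgmt), subtype 8 (beacon)
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    caps = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit, plus privacy if asked
    fixed = struct.pack("<QHH", 0, 100, caps)        # timestamp, beacon interval, capability
    ies = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([TAG_DS_PARAM, 1, channel])
    return hdr + fixed + ies + extra_ies


def rsn_ie(pairwise=4, akm=2):
    """Constructed RSN element with CCMP group cipher, one pairwise cipher, one AKM."""
    oui = b"\x00\x0f\xac"
    body = struct.pack("<H", 1) + oui + bytes([4])          # version 1, group cipher CCMP
    body += struct.pack("<H", 1) + oui + bytes([pairwise])  # pairwise count + suite
    body += struct.pack("<H", 1) + oui + bytes([akm])       # AKM count + suite
    return bytes([TAG_RSN, len(body)]) + body


def parse_rsn(data):
    """Extract pairwise ciphers and AKM suites from an RSN element body."""
    pos = 2 + 4                                           # skip version and group cipher
    n_pair = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    pair = [CIPHERS.get(data[pos + 4 * i + 3], "?") for i in range(n_pair)]
    pos += 4 * n_pair
    n_akm = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    akm = [AKMS.get(data[pos + 4 * i + 3], "?") for i in range(n_akm)]
    return {"pairwise": pair, "akm": akm}


def parse_beacon(frame):
    """Return SSID, BSSID, channel and security hints from one raw beacon frame."""
    if frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    caps = struct.unpack_from("<H", frame, 34)[0]        # 24-byte header + 8 + 2
    info = {"bssid": frame[16:22].hex(":"), "ssid": "", "channel": None,
            "privacy": bool(caps & CAP_PRIVACY), "rsn": None, "wpa1": False}
    pos = 36                                              # first tagged element
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if tag == TAG_SSID:
            info["ssid"] = data.decode(errors="replace")
        elif tag == TAG_DS_PARAM and length == 1:
            info["channel"] = data[0]
        elif tag == TAG_RSN:
            info["rsn"] = parse_rsn(data)
        elif tag == TAG_VENDOR and data[:4] == WPA_OUI_TYPE:
            info["wpa1"] = True
        pos += 2 + length
    return info


def classify(info):
    """Name the protection mode and say whether it counts as weak/obsolete."""
    if info["rsn"]:
        akm = info["rsn"]["akm"]
        mode = "WPA3-SAE" if "SAE" in akm else "WPA2-" + "/".join(akm)
        return mode, "TKIP" in info["rsn"]["pairwise"]
    if info["wpa1"]:
        return "WPA1", True
    if info["privacy"]:
        return "WEP", True          # privacy bit without RSN/WPA element means WEP
    return "Open", True


def audit(frames):
    """Passive inventory: (ssid, bssid, channel, mode, weak) per beacon."""
    rows = []
    for f in frames:
        info = parse_beacon(f)
        mode, weak = classify(info)
        rows.append((info["ssid"], info["bssid"], info["channel"], mode, weak))
    return rows


# Constructed sample beacons standing in for a monitor-mode capture
SAMPLE_BEACONS = [
    build_beacon(b"\x02\x11\x22\x33\x44\x01", "lab-open", 1),
    build_beacon(b"\x02\x11\x22\x33\x44\x02", "lab-wep", 6, privacy=True),
    build_beacon(b"\x02\x11\x22\x33\x44\x03", "lab-wpa2", 11, privacy=True, extra_ies=rsn_ie(4, 2)),
    build_beacon(b"\x02\x11\x22\x33\x44\x04", "lab-tkip", 11, privacy=True, extra_ies=rsn_ie(2, 2)),
    build_beacon(b"\x02\x11\x22\x33\x44\x05", "lab-ent", 36, privacy=True, extra_ies=rsn_ie(4, 1)),
    build_beacon(b"\x02\x11\x22\x33\x44\x06", "lab-wpa3", 36, privacy=True, extra_ies=rsn_ie(4, 8)),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_BEACONS):
        print(row)
```

In a real lab, the frame bytes would come from a monitor-mode interface or a pcap file instead of `SAMPLE_BEACONS`; the parser itself needs no changes, because it reads only the fixed 802.11 header offsets and the tagged elements. The same inventory is useful on the defensive side for spotting WEP or TKIP networks that still exist in a corporate environment.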
Web application hacking
Probably the most popular and one of the most in-demand topics nowadays, as more and more desktop software and old-fashioned static websites migrate into web applications. That is why web application hacking has become a must-have skill for professional penetration testers.
The list of web application attacks includes but is not limited to cross-site scripting, injection attacks, cross-site request forgery, application logic attacks, fuzzing parameters, authentication bypass, session management attacks, and more.
Tip
If you want to have a look at the currently most critical web security vulnerabilities, you can refer to the OWASP Top 10 list at https://www.owasp.org/index.php/Top_10_2013-Top_10.
Hacking and researching network services
Network services (SMB, FTP, and SSH), along with their vulnerabilities and misconfigurations, usually serve as gateways into operating systems, and not only for legitimate users. They also have their own specifics, and an understanding of how they operate can take an attacker from anonymous access to control over a whole system. Improperly configured built-in OS mechanisms and permissions can also serve that purpose.
With network services, you can practice exploitation of overflow vulnerabilities, attacking weak cryptography and weak permissions, privilege escalation, authentication bypass, credential guessing, network reconnaissance, and other skills.
AD hacking
Microsoft Active Directory is the key to owning a whole enterprise network, and as with any technology, it has its own specifics and flaws. AD is usually very complicated to integrate and maintain in complex enterprise networks, which leads to numerous misconfigurations, so it is always a juicy target for penetration testers and hackers. But some of its flaws and misconfigurations are not easy to abuse without a detailed understanding of how it works and how it can be attacked.
This category implies network reconnaissance techniques, abusing group policies, stealing credentials, pass-the-hash and hash cracking attacks, and so on.
DBMS hacking
DBMS hacking surely overlaps with web application and network service hacking in some aspects, but it is a huge separate topic that includes much more than just interacting with web applications and listener security. If you want to go deeper into database hacking, there are plenty of things to research and practice.
DBMS hacking includes classic vulnerability exploitations, authentication bypass, and so on, but it goes deeper into DB specifics taking into account various levels of permissions, various roles, and other DBMS specifics.
Network layer attacks
Network layer attacks are definitely a less popular topic, because network technologies develop less rapidly than web topics, and there is an opinion that almost everything in this area has already been researched and hacked. But it is a must for every penetration tester and for most security specialists.
Attacks of this group include bypassing firewalls and access control lists, breaking out of VLANs, man-in-the-middle attacks, DoS-attacks, and so on.
Bypassing firewalls and breaking out of VLANs have slightly different underlying attack techniques, but the goal is the same—to bypass existing access control rules and measures in order to reach normally unreachable network elements (network services, subnets, network segments, and so on) and attack or misuse them.
Wi-Fi penetration testing
As we are building a lab accessible via Wi-Fi, it would be wise to get additional benefit from it by practicing Wi-Fi penetration testing among the other tasks, especially since Wi-Fi has become widespread and firmly entrenched as one of the most important enterprise technologies.
In the Wi-Fi topic, the following skills can be practiced: attacking WPA-PSK, attacking WPA-Enterprise, flooding, de-authentication attacks, attacking weak cryptography, WEP cracking, man-in-the-middle attacks, and sniffing attacks.
Man-in-the-middle attacks
Man-in-the-middle (MiTM) attacks are a subtype of network layer attacks, but they should be reviewed separately for wireless network connections. The first thing we should understand is that MiTM attacks make it possible to intercept network traffic by physically or virtually placing an attacking machine between a source and a target of network traffic.
In the case of 802.11, a wireless network is a public medium, and if it is unencrypted or uses weak encryption, an attacker can intercept all data on the target wireless network, even without a logical connection. But if attackers set up a rogue access point, they are able to read and modify other clients' network traffic and directly attack them (evil-twin attack) regardless of the WLAN protection type.
MiTM attacks in wireless networks are performed by monitoring and injecting wireless traffic. Thus, it is possible to attack WLANs at the first and second layers of the OSI model. MiTM attacks are often used in conjunction with de-authentication attacks, which make a participant disconnect from the network by sending frames on behalf of an access point. De-authentication attacks are also often used to carry out Denial-of-Service (DoS) attacks.
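The de-authentication attacks mentioned here leave a clear footprint: a burst of management frames of subtype 12 carrying the access point's BSSID, often addressed to the broadcast address. The following example, added here and not part of the book, is a small detector a lab owner can run over captured frames to see what such a burst looks like from the defender's side. It counts de-authentication frames per BSSID in a sliding one-second window and raises an alert when a threshold is crossed; the capture is constructed inside the block (the `build_deauth` and `build_data` helpers only generate test frames), and the one-second window and threshold of 10 are assumptions to tune per environment.

```python
import struct
from collections import defaultdict, deque

SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6


def build_deauth(bssid, dest, reason=7):
    """Constructed de-authentication frame (test data, not a capture)."""
    fc = bytes([(SUBTYPE_DEAUTH << 4) | 0x00, 0x00])   # type 0 (mgmt), subtype 12
    return (fc + b"\x00\x00" + dest + bssid + bssid + b"\x00\x00"
            + struct.pack("<H", reason))               # reason code follows the header


def build_data(bssid, src):
    """Constructed data frame from a client to its AP (To-DS set)."""
    fc = b"\x08\x01"                                    # type 2 (data), subtype 0, To-DS
    return fc + b"\x00\x00" + bssid + src + bssid + b"\x00\x00"


def frame_kind(frame):
    """Return (type, subtype) decoded from the first frame-control byte."""
    b0 = frame[0]
    return (b0 >> 2) & 0x3, (b0 >> 4) & 0xF


def detect_deauth_flood(capture, window=1.0, threshold=10):
    """Flag BSSIDs that see >= threshold deauth frames within `window` seconds.

    capture: iterable of (timestamp_seconds, raw_frame) sorted by time.
    Returns one alert per BSSID: (bssid, timestamp, count_in_window, broadcast_count).
    """
    recent = defaultdict(deque)       # bssid -> deque of (timestamp, is_broadcast)
    alerts, alerted = [], set()
    for ts, frame in capture:
        ftype, subtype = frame_kind(frame)
        if ftype != 0 or subtype != SUBTYPE_DEAUTH:
            continue                  # only management/deauth frames matter here
        bssid = frame[16:22].hex(":")  # addr3 of the 802.11 header
        q = recent[bssid]
        q.append((ts, frame[4:10] == BROADCAST))        # addr1 is the destination
        while q and ts - q[0][0] > window:
            q.popleft()               # drop frames that fell out of the window
        if len(q) >= threshold and bssid not in alerted:
            alerts.append((bssid, ts, len(q), sum(1 for _, b in q if b)))
            alerted.add(bssid)
    return alerts


# Constructed lab addresses
AP_A = b"\x02\xaa\xaa\xaa\xaa\x01"
AP_B = b"\x02\xbb\xbb\xbb\xbb\x02"
CLIENT = b"\x02\xcc\xcc\xcc\xcc\x03"


def sample_capture():
    """Constructed capture: normal traffic on AP_A, a broadcast deauth burst on AP_B."""
    cap = [(i * 2.0, build_data(AP_A, CLIENT)) for i in range(30)]
    cap.append((5.0, build_deauth(AP_A, CLIENT, reason=3)))    # ordinary station leaving
    cap.append((65.0, build_deauth(AP_A, CLIENT, reason=3)))
    for i in range(40):                                        # 40 frames in half a second
        cap.append((30.0 + i * 0.0125, build_deauth(AP_B, BROADCAST, reason=7)))
    cap.sort(key=lambda entry: entry[0])
    return cap


if __name__ == "__main__":
    for bssid, ts, count, bcast in detect_deauth_flood(sample_capture()):
        print(f"deauth flood against {bssid} at t={ts:.3f}s: {count} frames, {bcast} broadcast")
```

Two ordinary de-authentications a minute apart on AP_A never reach the threshold, while the burst on AP_B is flagged at its tenth frame. In a lab, the same function can be fed frames from a monitor-mode capture to compare what a wireless IDS would see with and without 802.11w Protected Management Frames enabled, since with PMF a station discards unprotected de-authentication frames and the attack loses its effect.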
In the case of wireless networks, DoS attacks can be part of complex attacks on a WLAN along with social engineering attacks, MiTM attacks, attacks on authentication, and so on. But an attacker can also perform a pure DoS attack intended to interrupt a WLAN service, for example, flooding a WLAN with jamming signals or garbage traffic.
We have listed only the most common areas of practical security, and of course, you can have your own specific tasks that you would like to perform in a lab, but in almost all cases they can be assigned to one or more categories in our list.