Re: Basic facilities required to establish a pen test lab

did someone mention VMare?

On 7/30/07, scott <redhowlingwolves@xxxxxxxxxxxxx> wrote:


Surely you can pull a few boxes together,install different OS'es on each
box,install the same version of apps that the servers you're testing are
running,trying to make sure that the processors are the same,or very
closely related.

The one thing that has stung me in the past was Apache on
Windows.I,foolishly, assumed it was a *nix variant!Blind test,of
course.So why were scans leaning to an OS called Microsoft?Bad recon.
Everything you can do before and after the recon("You did do
this,right?") matters for how you make up your lab for that specific
pen-test.That's my personal method.

IMHO.




Shenk, Jerry A wrote:
I on the otherhand test exploits in my lab all the time. I find it very
useful to have a number of machines set up with a variety of operating
systems. I find that by testing exploits in the lab, prior to
attempting them on-site I know better what results to expect. One of my
goals in pen-testing is to avoid "blowing up" production boxes. By
testing exploits in the lab, I can have a pretty good idea what the
results will be. I also try to avoid getting caught. It mimics an
experienced attacker better to avoid making an insane amount of noise so
if I can find an exploit that will allow me to make a quick clean
attack, I find that going through that in the lab first allows me to do
better on the live test. ....people never watch their logs anyway so
being stealthy isn't normally that big a deal;)

Lot of people use VMware or similar platforms for this and I do also, to
a degree. I most often find myself using a number of old servers
(Compaq & "Intel Whitebox servers) with a variety of drives in hot-swap
trays that I swap in for a particular OS version and patch level. I
don't really use the "hot-swap" feature to swap drives without rebooting
but it is handy to be able to just pull a drive out and stick another
one in.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jan Heisterkamp
Sent: Sunday, July 29, 2007 10:29 AM
To: Gubir
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Basic facilities required to establish a pen test lab

Gubir schrieb:

I am CEH. But still I need some suggestion from you guys to setup a

pen test

lab. Please give me some guidance about the basic essential hardware

and

software to make a good pen test lab



A pent test lab; what could this be?
Definition of laboratory: A laboratory (often abbreviated lab) is a
place where scientific research and experiments are conducted. A lab can

hold space for one to thirty, or more, researchers depending on the size

of the room and state mandated maximum occupancy limit.


**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Relevant Pages

  • Re: Basic facilities required to establish a pen test lab
    ... Surely you can pull a few boxes together,install different OS'es on each ... I find that by testing exploits in the lab, ... I most often find myself using a number of old servers ... Need to secure your web apps NOW? ...
    (Pen-Test)
  • Re: Run Sun Ray Server on one machine, apps on another
    ... >>I am currently running a SPARC box for apps and SRSS, problem is, it ... Sun RAY a completely stateless ... xremote login to any v210 (except servers). ... or srss on each "workstation". ...
    (comp.sys.sun.hardware)
  • Re: Which is More Powerful
    ... I want tie the DL's together (Parallel Cluster), and use the 5500 as the ... I want the servers to work together, ... No company internal apps will run on these servers. ... Which of the 3 computers is more powerful for web hosting? ...
    (microsoft.public.windows.server.general)
  • Re: [SLE] opteron & SLES enterprise server or Pro?
    ... What kind of applications are going to be deployed on your new servers? ... Opteron is basically x86_64 arch which means all your existing 32bit ... apps can work along with 64bit apps. ... so if you are looking at deploying on production servers for biz ...
    (SuSE)
  • RE: Is VMS losing the Financial Sector, also?
    ... patching, licensing, upgrading) is where the big cost savings ... In small departmental wintel file and print servers maybe. ... Part of the problem in reducing staffing costs further is that there is so much patching, testing and deploying of patches that you need lots of OPS, App QA, Testing staff to keep up. ... the monitor app that monitors the apps. ...
    (comp.os.vms)