I on the otherhand test exploits in my lab all the time. I find it very
useful to have a number of machines set up with a variety of operating
systems. I find that by testing exploits in the lab, prior to
attempting them on-site I know better what results to expect. One of my
goals in pen-testing is to avoid "blowing up" production boxes. By
testing exploits in the lab, I can have a pretty good idea what the
results will be. I also try to avoid getting caught. It mimics an
experienced attacker better to avoid making an insane amount of noise so
if I can find an exploit that will allow me to make a quick clean
attack, I find that going through that in the lab first allows me to do
better on the live test. ....people never watch their logs anyway so
being stealthy isn't normally that big a deal;)
Lot of people use VMware or similar platforms for this and I do also, to
a degree. I most often find myself using a number of old servers
(Compaq & "Intel Whitebox servers) with a variety of drives in hot-swap
trays that I swap in for a particular OS version and patch level. I
don't really use the "hot-swap" feature to swap drives without rebooting
but it is handy to be able to just pull a drive out and stick another
one in.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Jan Heisterkamp
Sent: Sunday, July 29, 2007 10:29 AM
To: Gubir
Cc: pen-test@securityfocus.com
Subject: Re: Basic facilities required to establish a pen test lab
Gubir schrieb:
> I am CEH. But still I need some suggestion from you guys to setup a
pen test
> lab. Please give me some guidance about the basic essential hardware
and
> software to make a good pen test lab
>
>
A pent test lab; what could this be?
Definition of laboratory: A laboratory (often abbreviated lab) is a
place where scientific research and experiments are conducted. A lab can
hold space for one to thirty, or more, researchers depending on the size
of the room and state mandated maximum occupancy limit.
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use
of the individual or entity to which they are addressed and may contain
information that is privileged, proprietary and confidential. If you are not
the intended recipient, you may not use, copy or disclose to anyone the message
or any information contained in the message. If you have received this
communication in error, please notify the sender and delete this e-mail
message. The contents do not represent the opinion of D&E except to the extent
that it relates to their official business.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
|