Wednesday, January 31, 2018

Testing Lab

  • Setting Up A Penetration Testing Lab


Setting up a test lab on a single machine
If you have limited resources, the best thing to do is to use a single machine to set up your virtual machines and your Metasploit Framework box.


Setting up a test lab on multiple machines

In this type of test lab environment, you will want to keep your vulnerable machines unavailable to any machine except for your penetration testing box; therefore, it’s important to make the vulnerable machine dependent on the Metasploit Framework box for connectivity. In the section below, we’ll show you how to set up the access to go out on eth0 for the Metasploit Framework box and access to go to the target box on eth1.

The Metasploitable and UltimateLAMP vulnerable VMs are Ubuntu machines running vulnerable services and containing weak accounts.
The Metasploitable VM focuses on network-layer vulnerabilities, while the UltimateLAMP VM is primarily focused on web vulnerabilities.
The Metasploitable VM also contains a weak system account with the username user and the password user.
The default login is msfadmin:msfadmin. Several vulnerable applications have been installed on the VM.


The UltimateLAMP VM's default credentials are: root:vmware. Each application is available by browsing to :80 on the VM's assigned IP address.

https://kb.help.rapid7.com/v1.0/docs/setting-up-a-penetration-testing-lab


  • Features

UltimateLAMP includes a long list of popular LAMP stack applications. For more information, take a look at the UltimateLAMP products list.
With the success of this first product, research has already commenced on our next two products, UltimateLAMJ (Open Source Java Based Applications) and UltimateLAMR (Open Source Ruby Applications).
https://www.vulnhub.com/entry/ultimatelamp_02,36/


  • Metasploitable is a virtual machine based on Linux that contains several intentional vulnerabilities for you to exploit. Metasploitable is essentially a penetration testing lab in a box, available as a VMware virtual machine (VMX). (The Metasploitable login is “msfadmin”; the password is also “msfadmin”.)

https://information.rapid7.com/metasploit-framework.html

  • Metasploit and Metasploitable 2 installation
Username: msfadmin
Password: msfadmin
Metasploitable 2 is an intentionally vulnerable Linux machine which can be downloaded and set up as a virtual machine in any hypervisor, such as VMware Player and VirtualBox. In the Metasploitable 2 tutorial we will be setting up the vulnerable Linux machine in VMware Player.
https://www.hackingtutorials.org/metasploit-tutorials/metasploit-metasploitable-2-installation/

  • The Samurai Web Testing Framework is a virtual machine, supported on VirtualBox and VMware, that has been pre-configured to function as a web pen-testing environment. The VM contains the best of the open source and free tools that focus on testing and attacking websites.


We have included the tools used in all four steps of a web pen-test:
reconnaissance tools such as the Fierce domain scanner and Maltego;
mapping tools such as WebScarab and ratproxy;
discovery tools such as w3af and Burp;
exploitation tools such as BeEF and AJAXShell.
http://www.samurai-wtf.org/


  • Emulab is a network testbed, giving researchers a wide range of environments in which to develop, debug, and evaluate their systems.

https://www.emulab.net


  • ORBIT is a two-tier wireless network emulator/field trial designed to achieve reproducible experimentation, while also supporting realistic evaluation of protocols and applications. 

http://www.orbit-lab.org/


  • PlanetLab is a global research network that supports the development of new network services.

https://www.planet-lab.org/

  • These virtual machine hacking challenges, more commonly known as boot2roots, are relatively easy to make.
It begins with an idea: think of a challenge (or a set of challenges) that you’d like a player to solve. A goal should be set, such as obtaining root access on the virtual machine or getting access to a flag. The challenges that you come up with will define the difficulty level of the boot2root.
I prefer creating my boot2roots using VMware ESXi and exporting them into an OVA file. OVAs can be imported by all incarnations of VMware, and by VirtualBox.
Whatever hypervisor you choose, you should try to test it on the popular ones such as VMware Player and VirtualBox - both of which are free.
When you’re satisfied with everything, it’s time to make your boot2root public! Announce it on Twitter, your blog, IRC, whatever. VulnHub makes a slew of boot2roots available so you should definitely consider having it hosted there.
https://blog.techorganic.com/2013/12/10/creating-a-virtual-machine-hacking-challenge/

  • When we connect to an IP address, the device provides a banner identifying itself and some of its parameters.
This information can be VERY useful for searching for vulnerable or unprotected devices.
A search engine that indexes these banners was developed by John Matherly in 2009; it is named Shodan, and you can find it at www.shodan.io.
Matherly's crawler scans each IP address (there are about 4.3 billion IPv4 addresses) and attempts to pull and collect the banner information from each device.
This information in the banner usually includes the manufacturer of the device and some key parameters.
It's important to note here that Shodan indexes the data that is presented in the banner.
It has no way of knowing whether the banner is accurate.
Some firms that are vigilant about security actually replace these banners with fake or bogus banners to throw off Shodan or attackers.
https://www.hackers-arise.com/single-post/2016/06/22/Using-Shodan-The-Worlds-Most-Dangerous-Search-Engine


  • CHECK POINT THREAT ALERT: SHODAN
Shodan can identify the physical location of any Internet-connected equipment, as well as its IP address, and often even what type of software it’s running. This provides sufficient information for hackers to carry out targeted attacks.
https://blog.checkpoint.com/2016/01/04/check-point-threat-alert-shodan/


  • Information disclosure in the server banner. In Apache 2.4 the default setting is “ServerTokens Full”, which means the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.
To prevent the disclosure of configuration information by your Apache instance, the best general-purpose strategy is to implement the CIS Benchmark for establishing a secure configuration posture for Apache HTTP Server. In the CIS Apache HTTP Server 2.4 Benchmark, more than 15% of the recommendations relate to prohibiting unnecessary but sensitive information disclosure, and they provide a good baseline for most environments.
https://blog.qualys.com/securitylabs/2015/01/26/protect-your-applications-from-hacker-research
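The Shodan passage (a crawler indexes whatever a service's banner says) and the Apache ServerTokens passage come down to the same question: how much does a greeting reveal? The Python below is an added example of mine, not code from this page or from Shodan, Rapid7 or Qualys. It parses a handful of constructed banners (no real hosts), grades how much each one discloses, and for an Apache banner names the real httpd directives, `ServerTokens Prod` and `ServerSignature Off`, that reduce it to the bare product name. The sample strings, the function names and the `BannerReport` fields are all my own. As the text notes, the grader can only report what a banner claims, so a deliberately bogus banner grades exactly like an honest one.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample banners (not captured from real hosts), in the raw form a crawler would store.
SAMPLE_BANNERS: Dict[str, str] = {
    "web-full": ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_php/7.2\r\n"
                 "Content-Type: text/html\r\n\r\n"),
    "web-prod": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "web-none": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "ssh":      "SSH-2.0-OpenSSH_7.4p1 Debian-10\r\n",
    "decoy":    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n",  # may well be a fake banner
}


@dataclass
class BannerReport:
    product: Optional[str]
    version: Optional[str]
    os_hint: Optional[str]
    extras: List[str] = field(default_factory=list)   # extra module/OS tokens after the product
    level: str = "none"                                # none < product < version < full


# "Product/1.2.3" or "Product_1.2p3"; the version part is optional.
PRODUCT_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*?)(?:[/_](?P<version>\d[\w.]*))?$")
PAREN_RE = re.compile(r"\(([^)]*)\)")   # Apache puts the OS hint in parentheses, e.g. "(Ubuntu)"


def http_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if there is none."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def banner_text(raw: str) -> Optional[str]:
    """Reduce an HTTP response or a one-line service greeting to its identifying text."""
    if raw.startswith("HTTP/"):
        return http_server_header(raw)
    line = raw.strip().splitlines()[0] if raw.strip() else ""
    if line.startswith("SSH-"):
        # SSH greetings are "SSH-<proto>-<software> [comments]"; keep the software part only.
        return line.split("-", 2)[2] if line.count("-") >= 2 else line
    return line or None


def classify_banner(banner: Optional[str]) -> BannerReport:
    """Grade a banner by how much it reveals: nothing, product, product+version, or OS/modules too."""
    if not banner or not banner.strip():
        return BannerReport(None, None, None)
    paren = PAREN_RE.search(banner)
    os_hint = paren.group(1) if paren else None
    tokens = PAREN_RE.sub(" ", banner).split()
    if not tokens:
        return BannerReport(None, None, None)
    match = PRODUCT_RE.match(tokens[0])
    product, version = (match.group("product"), match.group("version")) if match else (tokens[0], None)
    extras = tokens[1:]
    if os_hint or extras:
        level = "full"        # what Apache's default "ServerTokens Full" produces
    elif version:
        level = "version"
    else:
        level = "product"     # what "ServerTokens Prod" produces
    return BannerReport(product, version, os_hint, extras, level)


def apache_hardening(report: BannerReport) -> List[str]:
    """Real httpd directives that trim an over-talkative Apache banner; empty if nothing to do."""
    if report.product != "Apache" or report.level in ("none", "product"):
        return []
    return ["ServerTokens Prod", "ServerSignature Off"]


def audit(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each sample name to its disclosure level."""
    return {name: classify_banner(banner_text(raw)).level for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_BANNERS.items():
        rep = classify_banner(banner_text(raw))
        print(f"{name:9} level={rep.level:8} product={rep.product} version={rep.version} "
              f"os={rep.os_hint} extras={rep.extras} fix={apache_hardening(rep)}")
```

Run it against your own lab hosts by feeding `classify_banner` the text you get back from a connection, then compare before and after applying the two directives: the Apache banner should drop from "full" to "product", while a non-Apache service needs its own product-specific setting.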

