I’ve always wanted some kind of online ‘memo-to-self’ notes so I stop forgetting how to set things up, so I’ve decided to create a category for it. These posts will contain rambling, snippets and links on how to do stuff. They are mostly intended for my own use, so they won’t contain extensive instructions on every configuration detail.
I’ve always wanted a virtual lab which is easy to bring along and somewhat secure. Just to be clear, here are some definitions of the words portable and secure as I see them:
- Portable
  - easy to transfer
  - minimum amount of files
- Secure
  - easy to encrypt
  - easy to delete
  - network segmentation
  - central firewall
Secure is a relative term, since it all depends on how much you harden the setup. To achieve the above-mentioned points I’ve chosen to use vmware workstation and vmware esxi as the virtualization software. If you ever decide to spend money on software, vmware workstation surely deserves it!
Since this post is partly a little idea on creating a portable lab and partly a reminder for myself, I’ll take a shortcut in explaining how to set it up. As you all know, the internet is full of really nice guides on how to set stuff up, so why duplicate?
Here is the full list of software we will be using and, if applicable, a link to an installation howto:
- vmware workstation (trial will probably also work)
- vmware esxi
- vyatta (routing and firewalling)
  - http://www.sonoracomm.com/support/19-inet-support/233-vyatta-cable (some outdated commands)
- ubuntu
Here are some quirks and nice-to-know commands that I encountered while setting it all up:
vmware esxi – setup quirks
The workstation virtual CPU might not be recognized correctly by esxi. This URL provides the needed adjustments for your vmx file, which look like this:
cpuid.1.eax = "0000:0000:0000:0001:0000:0110:1010:0100"
cpuid.1.ecx = "0000:0000:1001:1000:1110:0010:0011:1101"
cpuid.1.edx = "1000:1111:1010:1011:1111:1011:1111:1111"
cpuid.7.ebx = "0000:0000:0000:0000:0000:0000:0000:0000"
Registering esxi with the license doesn’t work the way the email tells you; you’ll actually have to do the following (courtesy of this thread):
You only have to license the host. From the vSphere client go to Configuration and then select Licensed Features. Click Edit and you’ll then get a screen upon which you can enter your license key.
vyatta – setup quirks
- install system
  - to install the system to the virtual disk
- configure
  - enter configuration mode
- commit
  - apply configuration changes
- save
  - actually write configuration to filesystem
- show
- delete <exact line>
- edit firewall (you need to be in configuration mode)
  - rename name <text> to name <text>
- NAT masquerade (updated command)
  - set nat source rule <num> translation address masquerade
Firewall example for one segment
This is just one example, which can be applied to the IN instance of one interface. You’ll have to apply more rules to the LOCAL and OUT instances and of course to any other interfaces that you use. The goal is of course to segment and separate the different networks and only allow the traffic that is really needed.
    name in_dev_fw {
        default-action drop
        rule 100 {
            action accept
            destination {
                group {
                    network-group !denied-segments
                }
                port 80,443
            }
            protocol tcp
        }
        rule 200 {
            action accept
            destination {
                group {
                    address-group dns-external
                }
                port 53
            }
            protocol udp
        }
    }
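Once you have several rulesets across IN, LOCAL and OUT, it helps to check them mechanically. The following is an added example, not part of the original post or of Vyatta itself: a small Python check that parses rulesets in the brace layout shown above (one statement per line, as `show` prints it) and flags any ruleset that does not default to drop and any accept rule without a destination or port restriction. The three checks are assumed policy choices for a segmented lab, and rule 300 in the sample is constructed to trigger findings.

```python
def parse(text):
    """Parse multi-line Vyatta brace config (as 'show' prints it) into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def audit(config):
    """Yield a finding for each ruleset or accept rule that weakens segmentation."""
    for key, ruleset in config.items():
        if not key.startswith("name "):
            continue
        if ruleset.get("default-action") != "drop":
            yield f"{key}: default-action is not drop"
        for rkey, rule in ruleset.items():
            if rkey.startswith("rule ") and rule.get("action") == "accept":
                dest = rule.get("destination", {})
                if "group" not in dest and "address" not in dest:
                    yield f"{key} {rkey}: accepts any destination"
                if "port" not in dest:
                    yield f"{key} {rkey}: accepts any port"

# Rule 200 is the page's DNS rule; rule 300 is constructed to trigger findings.
SAMPLE = """
name in_dev_fw {
    default-action drop
    rule 200 {
        action accept
        destination {
            group {
                address-group dns-external
            }
            port 53
        }
        protocol udp
    }
    rule 300 {
        action accept
        protocol tcp
    }
}
"""
print("\n".join(audit(parse(SAMPLE))))
```

The port check will also flag accept rules for protocols that have no ports (such as icmp), so treat those findings as a prompt to review rather than as errors.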