Portable (secure) (pen)test virtual lab

Posted: December 8, 2012 in general, MemoToSelf

I’ve always wanted like online ‘memo-to-self’ stuff to stop forgetting how to set things up, so I’ve decided to create a category for it. These posts will contain rambling, snippets and links on how to do stuff. Mostly intended for my own use so they won’t contain extensive instructions on every configuration detail.

I’ve always wanted a virtual lab which is easy to bring along and somewhat secure. Just to be clear, here are some definitions of the words portable & secure as I see them:

  • Portable
    • easy to transfer
    • minimum amount of files
  • Secure
    • easy to encrypt
    • easy to delete
    • network segmentation
    • central firewall

Secure is a relative term, since it all depends on how much you harden the setup. To achieve the above mentioned points I’ve chosen to use vmware workstation and vmware esxi as the virtualization software. If you ever decide to spend money on software, vmware workstation surely deserves it!

Since this post is partially a little idea on creating a portable lab and partially a reminder for myself, I’ll take a shortcut in explaining how to set it up. Like you all know the internet is full of really nice guides on how to set stuff up, so why duplicate?

Here is the full list of software we will be using and if applicable a link to an installation howto:

Here are some quirks and nice to know commands that I encountered while setting it all up:

vmware esxi – setup quirks

The workstation virtual CPU might not be recognized correctly; this URL provides the needed adjustments for your vmx file, which look like this:

cpuid.1.eax = "0000:0000:0000:0001:0000:0110:1010:0100"
cpuid.1.ecx = "0000:0000:1001:1000:1110:0010:0011:1101"
cpuid.1.edx = "1000:1111:1010:1011:1111:1011:1111:1111"
cpuid.7.ebx = "0000:0000:0000:0000:0000:0000:0000:0000"

Registering esxi with the license doesn’t work the way the email tells you; you’ll actually have to do this (courtesy of this thread):

You only have to license the host.  From the vSphere client go to Configuration and then select Licensed Features.  Click Edit and you’ll then get a screen upon which you can enter your license key.

vyatta – setup quirks

  • install system
    • to install the system to the virtual disk
  • configure
    • enter configuration mode
  • commit
    • apply configuration changes
  • save
    • actually write configuration to filesystem
  • show
  • delete <exact line>
  • edit firewall (you need to be in configuration mode)
    • rename name <text> to name <text>
  • NAT masquerade (updated command)
    • set nat source rule <num> translation address masquerade

Firewall example for one segment
Just one example that can be applied to the IN-instance of one interface. You’ll have to apply more rules to the LOCAL and OUT instances and of course to any other interfaces that you use. The goal, of course, is to segment and separate the different networks and only allow the traffic that is really needed.

name in_dev_fw {
     default-action drop
     rule 100 {
         action accept
         destination {
             group {
                 network-group !denied-segments
             }
             port 80,443
         }
         protocol tcp
     }
     rule 200 {
         action accept
         destination {
             group {
                 address-group dns-external
             }
             port 53
         }
         protocol udp
     }
 }
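
To check what the ruleset above actually lets through, here is a small evaluator for it, added as an example and not part of the original post. It models only the match fields shown (protocol, destination group, destination port), first match wins, and the default action is drop. The group members and the names `GROUPS`, `in_group` and `evaluate` are assumptions, since the post does not list what is in denied-segments or dns-external.

```python
import ipaddress

# Constructed group contents: the post does not list the members of its groups.
GROUPS = {
    "denied-segments": ["10.10.20.0/24", "10.10.30.0/24"],  # other lab segments
    "dns-external": ["192.0.2.53/32"],                      # upstream resolver
}

# The in_dev_fw rules from the post, in rule-number order.
RULES = [
    {"num": 100, "action": "accept", "protocol": "tcp",
     "group": "!denied-segments", "ports": {80, 443}},
    {"num": 200, "action": "accept", "protocol": "udp",
     "group": "dns-external", "ports": {53}},
]
DEFAULT_ACTION = "drop"


def in_group(dst, group):
    """True if dst matches the group; a leading '!' negates the match."""
    negate = group.startswith("!")
    nets = GROUPS[group.lstrip("!")]
    addr = ipaddress.ip_address(dst)
    hit = any(addr in ipaddress.ip_network(n) for n in nets)
    return hit != negate


def evaluate(protocol, dst, dport):
    """Return (action, rule number or None): the first matching rule wins."""
    for rule in RULES:
        if (rule["protocol"] == protocol and dport in rule["ports"]
                and in_group(dst, rule["group"])):
            return rule["action"], rule["num"]
    return DEFAULT_ACTION, None


if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination, destination port).
    samples = [("tcp", "198.51.100.7", 443), ("tcp", "10.10.20.5", 80),
               ("udp", "192.0.2.53", 53), ("udp", "198.51.100.9", 53),
               ("tcp", "198.51.100.7", 22)]
    for s in samples:
        print(s, "->", evaluate(*s))
```

Web traffic to another lab segment and DNS to anything but the listed resolver both fall through to the default drop, which is the segmentation the ruleset is meant to enforce.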
Comments
  1. […] bug, yet a fun journey to approach things from a different perspective. After my last post about a portable virtual lab I wondered what the vvc used as a protocol to communicate with the esxi server and if it could […]

  2. […] setup a little lab which roughly looks like […]
