© 2022 CyberNews - Latest tech news,
product reviews, and analyses.


Want to break into cybersecurity? Consider building your pentest lab


Many job applicants get rejected due to a lack of experience. One of the ways to break into cybersecurity and build authority is to create your own security lab.

The sentiment highlighted below is very common amongst entry-level cybersecurity aspirants, whether you see it on Stack Overflow, LinkedIn, or random blog posts across the internet. The cybersecurity profession finds itself in a strange place right now. As of 2021, research firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity roles globally, with this trend expected to continue into 2025.

Security analyst positions, which are typically entry-level security roles, are expected to be among the 10th fastest-growing occupations over the next decade. Sadly, the experience below is very common across the hiring landscape today: lots of unfilled security jobs, and many applicants that managers are reluctant to take a chance on.

Entry-level cybersecurity position

When attempting to gain entry-level cybersecurity positions, many job seekers experience rejection from employers without useful feedback on how they can improve their future job prospects in the industry. Questions such as “What am I doing wrong, or what am I not doing?” along with heavy levels of frustration are common, without detailed answers from the gatekeepers – hiring managers and recruiters.

In a May 2022 interview with career development coach Caitlin McGaw, the potential decisions underlying this hiring paradox revealed some telling and interesting insights.

“The monetary cost of hiring a qualified international applicant in the United States who requires either a new or transferred H1B visa is higher than hiring a candidate who does not require a visa. Moreover, the visa process is time-consuming, and there is limited availability of new H1B visas even in the best of times. Those costs are usually prohibitive for smaller Info Sec functions. Finally, companies of all sizes often have a corporate policy that states ‘No visa sponsorship available,’” Caitlin said.

“Some political pressures have reduced visa availability in the current period as well, and smaller IT departments, with even smaller security teams, which are anchored by incredibly large and fast-paced workloads, typically lack time to provide necessary and comprehensive training for inexperienced individuals,” noted Caitlin. “And larger companies, such as banks or insurance institutions, often work to develop security staff using internships or internal career progression programs, as well as internal talent pools (such as IT Audit). The preference for sourcing early-to-mid career candidates in these ways often leaves entry-level external or international candidates out of the hiring loop.”

How to build your own lab

One way to gain the desired experience and cybersecurity skills employers seek is to build, implement and experiment with personal security labs. This article will demonstrate at a high level how to acquire the necessary tools, software, and attack targets which are essential for building a fully functional penetration testing lab.

The article will also detail how to download and install Oracle VirtualBox, the Kali Linux 2022.2 attack platform, and vulnerable virtual machines to probe using Kali. While cloud implementations, including their pros and cons, will be covered, this demonstration assumes a hardware installation on personally-owned equipment. These generic, minimum hardware and software requirements are assumed:

  • A modern CPU with a minimum of 6 cores (AMD Ryzen 5 or greater, or Intel i7) with a clock speed of 3.0 GHz.
  • 16 GB of RAM
  • 500 GB SATA or solid-state disk drive
  • A modern graphics card (Nvidia, AMD, etc.)
  • 2 Monitors (One for the host and another for the attack machine)

There are various considerations for the deployment of a personal security lab environment. The below table highlights some of the common upsides and negative impacts for owned hardware lab configurations and cloud deployments. Owned hardware labs will require the purchasing and configuration of personal computing equipment, which may include licensing costs for operating systems, electricity costs, hardware replacement, and upkeep costs.

The examples below will leverage Kali Linux as the attacking machine operating system, but ParrotOS or other desktop deployments can be considered. User-owned labs may also come with additional insurance considerations depending on the size and complexity of the devices involved. Cloud service providers and the associated lab deployment types have most of the owned-hardware considerations baked into their ‘pay as you go’ pricing structures, transferring much of the risk away from the consumer. The real downsides for cloud deployments can be unexpected and prolonged downtime of the cloud services (such as the outages AWS experienced in late 2021), undesired monitoring, and terms of service that prohibit some forms of penetration testing activity (e.g., DDoS).

Lab Deployment Model: Owned Hardware
  Pros:
  • Full control over the lab environment
  • Can perform testing procedures without artificial limitations or the need for testing permission
  Cons:
  • Higher initial cost to build and license the lab environment
  • Additional attention is needed to maintain host and overall lab security

Lab Deployment Model: Cloud Subscription
  Pros:
  • Lower initial cost of ownership via ‘Pay as You Go’ models
  • Easier to set up, tear down and replace systems or tools
  Cons:
  • Hacking activities may be limited by the provider's terms of service
  • Any activity or data stored in the environment is subject to undesired monitoring by providers

The first step in our home pen test lab journey starts with Oracle VirtualBox, aka VirtualBox. VirtualBox is a hypervisor that allows the import, integration, and control of downloaded virtual machine files on a single host device for various functions, including penetration testing or network defense training. VirtualBox is completely free to download and use and enjoys widespread adoption, allowing various virtual machine types (Microsoft Windows, Unix, etc.) to be imported. To install VirtualBox, simply click the “Download VirtualBox” button on the main landing page to begin downloading the product. Note that before engaging in any ethical hacking exercises, all such activity must be restricted to systems directly owned by the individual performing it, proper authorization must be obtained from the system or network owners in advance, and testing procedures must fully abide by local, federal, or international regulations associated with such testing.

Virtual box

Within the Download VirtualBox menu, select the binary package for the host machine you wish to install VirtualBox on. The file will begin downloading, and an installation wizard will assist with setting up the tool for first use. It is a recommended security practice to validate the hash of the downloaded file against the one published on the download page to avoid using a potentially tampered or corrupted file.
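The hash check recommended above (and again later for the VulnHub images) is easy to get subtly wrong by hand, for instance by comparing a truncated copy-paste. The script below is an added example, not code from the article or from Oracle; it assumes GNU coreutils ‘sha256sum’ is installed (falling back to BSD/macOS ‘shasum’), and it demonstrates the check on a small file it creates itself rather than on a real VirtualBox download.

```shell
#!/bin/sh
# Added example (not part of the article): verify a downloaded installer or
# VM image against the SHA256 value published on its download page.
# Assumes GNU coreutils "sha256sum" or, failing that, the BSD/macOS "shasum".

# Print the hex SHA256 digest of the file named in $1.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Usage: verify_sha256 <file> <expected-hex-digest>
# Returns 0 on match, 1 on mismatch or malformed digest, 2 if the file is missing.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # A SHA256 digest is exactly 64 hex characters; reject anything else early
  # (a truncated copy-paste would otherwise "fail" in a confusing way).
  case $expected in
    *[!0-9a-f]*) echo "malformed digest: $2" >&2; return 1 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "malformed digest (length ${#expected}): $2" >&2; return 1; }
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file"
    return 0
  fi
  echo "MISMATCH $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Stand-alone demo on a constructed file (the digest below is SHA256 of "hello\n").
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_sha256 "$demo_file" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
rm -f "$demo_file"
```

For a real download, replace the demo file with the installer or .ova path and paste the digest from the vendor's download page as the second argument; a non-zero exit status means the file should not be installed.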

Virtual box binaries

We now have a blank container to download, install and manage our penetration testing lab virtual machines! Let’s install our primary attacking tool, Kali Linux 2022.2. We will then show how to obtain free virtual machines which can be fully attacked and compromised without restraint or negative consequences.

Virtual box startup
VirtualBox without any VMs installed.

Kali Linux is a descendant of the original ‘BackTrack’ Linux distribution, which was developed and released in the early 2000s. Kali Linux was officially released under its own code base and name in 2013 and has held its place as the most popular penetration testing platform to date without any sign of slowing down. Releases are provided semi-annually, with major updates and the latest penetration testing tool packages installed. Kali Linux is free to use and open-source, allowing full customization of the platform to suit any testing requirements. Simply navigate via web browser to Get Kali, choose the Virtual Machine option, and select the download arrow for the VirtualBox hypervisor. The download will take approximately 5-10 minutes and consume 3.7 GB of hard disk space.

Kali Linux virtual machine
The product selection and download page for Kali Linux. Feel free to experiment with other operating systems for ethical hacking skill-building.
Tutorial on how to start using Kali Linux
A Kali Linux VM is available for use. Clicking “Start” will launch the VM.

The settings menu for individual VMs can be customized based on the physical resources available to the host, such as CPU cores, RAM, or hard disk space. Some settings, such as the network configuration, can be switched while the VM is running, but it's best to make changes while VMs are powered down to avoid potential conflicts. Simply click “Settings” on a highlighted VM and make the desired changes to CPU, video settings, disk files, memory, etc. VirtualBox typically provides color-coded warnings (green is OK, red may cause issues) for exhaustible resource types like CPU or memory to indicate whether the selected change will lead to performance problems on the host.

Kali Linux network configurations
For simplicity, the attacking machine and the victim machines should be on the same network, so the “NAT Network” type should be used.
Top-Left applications menu

Kali Linux seeks to prepackage all 600 of its individual tools into ordered, use-case-specific pen-testing menus, which can be found in the top-left applications menu. Following a general penetration testing methodology, Kali Linux arranges its tool suite along a typical attack kill chain: Information Gathering, Vulnerability Analysis, Password Attacks, Exploitation, Post-Exploitation, and Reporting. Clicking on each menu opens the associated tool menu and allows each tool to be invoked for use.

Covering some basic housekeeping items and general-use topics: ‘root’ user logins to Kali Linux now ship disabled by default. The default username and password are ‘kali:kali’ respectively. After initially logging into Kali, use the ‘passwd’ command to change the default password for the kali user. Once that succeeds, elevate to the ‘root’ user with the ‘sudo -s’ command, supplying the kali user's current password when prompted. Run the ‘passwd’ command again to secure the root account with a complex password.

Kali Linux commands
Using sudoers permissions to elevate the kali user to ‘root’ and change the root user password. Exercise caution when leveraging the root account on Linux systems, as unexpected system damage or compromise may occur.

It's time to find some vulnerable machines to point Kali Linux at and take it out for its maiden voyage! In this article, we will cover using some of the free victim machines available on VulnHub. Old as dirt, VulnHub has been offering virtual machine downloads for many years and is still a heavily used arena for pen testing and cybersecurity professionals to sharpen their skills. You can download user-created virtual machines and even submit your own for use in the cybersecurity community. As with any other downloaded software, it is highly recommended that the file hashes for these virtual machines are compared to those posted by the machine author before installing them on the host machine.

VulnHub VM menu
The VulnHub Virtual Machine menu, previewing virtual machine victims for download. Click the 4 vertical dots in the bottom right corner to open the Download menu, then click “Download”.

For demonstration purposes, we will download 2 VulnHub virtual machines, import them into VirtualBox, add them to our NAT Network and begin attacking them with Kali Linux. A fictional blog website named ‘Web Machine (N7)’ and ‘Planet: Earth’ will be used for the remainder of the article to demonstrate the basic use of common penetration testing tools and techniques. The same process used to download Kali Linux and import it into VirtualBox should be followed for the Web Machine (N7) and Planet:Earth VMs. It is strongly encouraged that other vulnerable machines on VulnHub and similar low-cost penetration testing services like TryHackMe or HackTheBox are explored to gain further competency.

Kali Linux attack
The Kali Linux attacking VM and 2 victim VMs have been successfully installed and are ready for use.

Once all three machines are in a running state and on the NAT Network, log back into Kali Linux and let’s determine the network we expect all three machines to be communicating on by running the ‘ip a’ command. We must first know who or where we are before we can start probing other machines in our or other networks. We can then use a tool called the ‘network mapper’ or ‘nmap’ to find the two victim VMs and begin probing them for weaknesses to exploit.

Inspect the inet address value to determine the IP address and network range. In this case, Kali Linux and the two targets we wish to attack are on the 10.0.2.x network, as indicated by the /24 prefix length on the inet address. Use the following command to sweep this network and find all of the communicating devices: ‘nmap -sn 10.0.2.0/24’.

IP a command
The ‘ip a’ command reveals the IP address and network assigned to the Kali Linux attacking machine; this data is used as the basis for the next testing steps.

In this example, the nmap scan mentioned above produces a simple output, revealing 6 distinct IP addresses that respond to the nmap probes. A review of the initial ‘ip a’ output shows that the Kali Linux IP address is 10.0.2.15. VirtualBox also creates QEMU virtual network interfaces to facilitate internal machine communication and back-end network communication, so those addresses are not the Web Machine (N7) or Planet:Earth VMs.

The Nmap scan

In most penetration tests, discovery scans using tools like nmap may need to run against larger subnets containing hundreds or even thousands of hosts, where scanning every address in full is inefficient and time-consuming, so adding some efficiency to the command is a necessity. The example below demonstrates an upgraded nmap command that discovers live network hosts, emits the results in greppable format, strips out everything except the IP addresses of the live hosts, and writes them to a file for an easier follow-up service detection scan with nmap.

nmap -n -sn 10.0.2.0/24 --exclude 10.0.2.1-15 -oG - | awk '/Up$/{print $2}' > /home/kali/Desktop/nmap-targets.txt

Nmap created file
The previous nmap command successfully creates a file on the desktop containing only the interesting IP addresses that will be fed back into nmap to determine useful information about the targets and their weaknesses.
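The pipeline above depends on the shape of nmap's greppable (-oG) output: one ‘Host:’ line per address ending in ‘Status: Up’, with the address in the second field. The script below is an added example, not code from the article or from the nmap project; it parses a constructed imitation of that output so the extraction step can be checked offline, without nmap installed or a lab running, and it replaces the article's ‘--exclude 10.0.2.1-15’ with an explicit skip list so the addresses being dropped (your own machine and the hypervisor's infrastructure addresses) are visible.

```shell
#!/bin/sh
# Added example (not part of the article): parse nmap greppable (-oG) output
# offline to build the target list. SAMPLE_GREPPABLE is a constructed
# imitation of what "nmap -n -sn 10.0.2.0/24 -oG -" prints (real output
# separates fields with tabs; awk treats tabs and spaces alike).
SAMPLE_GREPPABLE='# Nmap scan initiated (constructed sample) as: nmap -n -sn 10.0.2.0/24 -oG -
Host: 10.0.2.1 ()       Status: Up
Host: 10.0.2.2 ()       Status: Up
Host: 10.0.2.3 ()       Status: Up
Host: 10.0.2.15 ()      Status: Up
Host: 10.0.2.22 ()      Status: Up
Host: 10.0.2.23 ()      Status: Up
Host: 10.0.2.40 ()      Status: Down
# Nmap done (constructed sample) -- 256 IP addresses (6 hosts up) scanned'

# Read -oG text on stdin; print one address per line for every host whose
# status is Up, skipping any address listed (space-separated) in $1. Put your
# own machine and the hypervisor's gateway/DHCP/DNS addresses in the skip
# list: they answer discovery probes but are not lab targets.
up_hosts() {
  awk -v skip=" $1 " '
    /^Host:/ && /Status: Up$/ {
      ip = $2
      if (index(skip, " " ip " ") == 0) print ip
    }'
}

# Write the target list to the file named in $1 (skip list in $2, -oG text
# on stdin) and print how many targets it holds.
write_targets() {
  up_hosts "$2" > "$1"
  wc -l < "$1" | tr -d ' '
}

# Stand-alone demo: the article's pipeline, fed from the constructed sample.
printf '%s\n' "$SAMPLE_GREPPABLE" | up_hosts "10.0.2.1 10.0.2.2 10.0.2.3 10.0.2.15"
```

Against a live scan, replace the printf with the nmap command itself (‘nmap -n -sn 10.0.2.0/24 -oG - | up_hosts "10.0.2.1 10.0.2.2 10.0.2.3 10.0.2.15"’) and pass the desktop path to write_targets to produce the same nmap-targets.txt file the article uses.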

To perform an nmap service detection and port scan against targets specified in a text file, the below command can be used: ‘nmap -A -T4 -p- -iL /home/kali/Desktop/nmap-targets.txt’. This command falls under the ‘Information Gathering’ category and will perform service detection, service fingerprinting and operating system guessing against all 65,000+ TCP ports, along with an entire battery of machine interrogation steps useful for informing other aspects of penetration testing such as Vulnerability Detection and Exploitation. Nmap can also write scan output in multiple formats using the -oN, -oX or other switches, similar to how the -iL switch was used above to provide input. The scan should complete within a few minutes and provide a wealth of useful information to continue probing each target.

Nmap scan results
Nmap scan results against two virtual machines, showing useful details to tailor further testing steps (e.g., open ports, service versions, certificate information, etc.).

Take note of the following interesting items from the scan results above:

  • It is fair to assume that the Planet:Earth victim resides at the 10.0.2.23 IP address, given the subject name of the certificate nmap detected.
  • Both victims appear to be web servers: both have TCP port 80 open, and the Planet:Earth machine also has port 443 open.
  • Both victims appear to be Linux-based devices, given they are running Apache web servers on TCP port 80.
  • SSH access is available on the Planet:Earth VM.

This information strongly suggests that we should focus attacks on the web servers but be on the lookout for credentials that may allow SSH access to the operating system.
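The observations above are read off the -oN (normal) output of the service scan by eye; on a larger target list it helps to pull them out mechanically. The script below is an added example, not code from the article or from the nmap project: it parses a constructed imitation of -oN output (the hostnames, version strings and certificate names in it are placeholders, not values from the real VMs) and produces the same three facts the list above records, which hosts expose HTTP/HTTPS, which expose SSH, and which DNS names appear in a server certificate.

```shell
#!/bin/sh
# Added example (not part of the article): triage nmap "normal" (-oN) output
# offline. SAMPLE_NMAP_OUTPUT is a constructed imitation of -oN layout for the
# two lab addresses used in the article; versions, titles and certificate
# names are placeholders.
SAMPLE_NMAP_OUTPUT='# Nmap scan initiated (constructed sample) as: nmap -A -T4 -p- -iL nmap-targets.txt
Nmap scan report for 10.0.2.22
Host is up (0.00040s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd (version placeholder)
|_http-title: Web Machine (N7) (constructed title)

Nmap scan report for 10.0.2.23
Host is up (0.00051s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH (version placeholder)
80/tcp  open  http     Apache httpd (version placeholder)
443/tcp open  ssl/http Apache httpd (version placeholder)
| ssl-cert: Subject: commonName=placeholder-vm.lab
| Subject Alternative Name: DNS:placeholder-vm.lab, DNS:alt.placeholder-vm.lab
|_Not valid after:  2031-01-01T00:00:00
# Nmap done (constructed sample)'

# Read -oN text on stdin; print "host port/proto service" for every open port.
# The "scan report" line may read "for name (ip)", so parentheses are stripped.
open_ports() {
  awk '
    /^Nmap scan report for / { host = $NF; gsub("[()]", "", host) }
    $2 == "open" && $1 ~ "^[0-9]+/(tcp|udp)$" { print host, $1, $3 }
  '
}

# Hosts exposing a web service (nmap names them http, ssl/http, https, ...).
web_hosts() {
  open_ports | awk '$3 ~ /http/ { print $1 }' | sort -u
}

# Hosts exposing SSH.
ssh_hosts() {
  open_ports | awk '$3 == "ssh" { print $1 }' | sort -u
}

# "host name" for every DNS name in a certificate subject or SAN line; these
# are the names a virtual-host based site expects and may need an /etc/hosts entry.
cert_names() {
  awk '
    /^Nmap scan report for / { host = $NF; gsub("[()]", "", host) }
    /commonName=/ {
      n = $0; sub(/.*commonName=/, "", n); sub("[,/].*", "", n); print host, n
    }
    /Subject Alternative Name:/ {
      line = $0; sub(/.*Subject Alternative Name: */, "", line)
      count = split(line, parts, ",")
      for (i = 1; i <= count; i++) {
        sub(/^ +/, "", parts[i])
        if (sub(/^DNS:/, "", parts[i])) print host, parts[i]
      }
    }
  ' | sort -u
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | cert_names
```

For a real scan, run the article's command with ‘-oN scan.txt’ added and feed that file to the functions (‘web_hosts < scan.txt’); the same parsing works on any number of targets.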

  • From the Kali machine, visit each victim on its open HTTP/HTTPS ports to see what information exists (e.g., http://10.0.2.22 or https://10.0.2.22)
  • Inspect available menus on any presented pages to determine if they are exploitable menus, file upload options, login pages or other ways to abuse what has been provided.
  • Attempt to perform a web application vulnerability scan using Nikto (nikto -h https://10.0.2.23, etc.) or other tools like OpenVAS.
  • Perform directory busting to find hidden admin portals or web pages containing developer notes and credentials, using tools like dirbuster, dirb, or FFUF.

These are just some general examples of enumeration methodology that should be generally followed when webserver victims are identified. Trying these methods against the Planet:Earth victim is strongly encouraged to gain familiarity with these tools but will not result in further penetration or compromise.

In this example, we need to take the alternate name identified in the digital certificate, add it to the /etc/hosts file on Kali Linux, and then browse to that name in a web browser. Here’s the link to a walkthrough for the vulnerable Planet:Earth virtual machine to assist in completing these penetration testing exercises.
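Editing /etc/hosts by hand is easy to get wrong (a duplicate line, or a name silently pointing at an old address after the lab's DHCP hands out a different one). The function below is an added example, not code from the article: it appends an ‘address name’ mapping only when it is not already present and refuses to add a name that already maps to a different address. The file path is a parameter so the function can be exercised on a scratch copy before it is run against /etc/hosts with sudo; the address and hostname in the demo are constructed placeholders, not the real certificate name from the Planet:Earth VM.

```shell
#!/bin/sh
# Added example (not part of the article): add an "ip hostname" mapping to a
# hosts file idempotently. The hosts file is a parameter so the logic can be
# tested on a scratch copy; the real target is /etc/hosts (root required).

# Usage: add_hosts_entry <hosts-file> <ipv4> <hostname>
# Exit status: 0 if the mapping was added or was already present,
#              1 for invalid input or a missing file,
#              2 if the name already maps to a different address (not overwritten).
add_hosts_entry() {
  file=$1 ip=$2 name=$3
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  # Basic IPv4 shape check: digits and dots only, no leading/trailing/double dots,
  # exactly three dots. (Octet range is not validated; this is a lab helper.)
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) echo "invalid address: $ip" >&2; return 1 ;;
  esac
  [ "$(printf '%s' "$ip" | tr -cd '.' | wc -c | tr -d ' ')" -eq 3 ] \
    || { echo "invalid address: $ip" >&2; return 1; }
  # Hostname: letters, digits, hyphen and dots only.
  case $name in
    ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $name" >&2; return 1 ;;
  esac
  # Does a non-comment line already map this exact name? If so, to what address?
  existing=$(awk -v n="$name" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$file")
  if [ -n "$existing" ]; then
    if [ "$existing" = "$ip" ]; then
      echo "already present: $ip $name"
      return 0
    fi
    echo "conflict: $name already maps to $existing (not changed)" >&2
    return 2
  fi
  printf '%s\t%s\n' "$ip" "$name" >> "$file"
  echo "added: $ip $name"
}

# Stand-alone demo on a scratch copy with a constructed placeholder mapping.
demo_hosts=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$demo_hosts"
add_hosts_entry "$demo_hosts" 10.0.2.23 placeholder-vm.lab
add_hosts_entry "$demo_hosts" 10.0.2.23 placeholder-vm.lab
cat "$demo_hosts"
rm -f "$demo_hosts"
```

Once the behaviour is confirmed on the scratch file, the same call with /etc/hosts as the first argument (run under sudo) adds the certificate name from your own scan; a status of 2 is the signal to look at the existing line rather than append a second one.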

Summary

Employers desire demonstrable cybersecurity skills because they show drive, passion for the industry, a willingness to learn, and competency with cutting-edge, industry-relevant tools.

Expanding knowledge through personal home labs will help you build confidence, broaden skills sets, and increase expertise in a high-demand industry that is desperate for workers. Investing a small amount of time today to develop these skill sets can lead to a highly successful cybersecurity career tomorrow.

