Jump to content

Request for Input: Building a simple Windows based pentest lab for school


Recommended Posts

So here is the low down: I am a first year CS student trying to make an impression on our campus's computer security club. Essentially this is going to be in preparation for a summer "pre-college" program our campus is hosting to some local high school students, this summer, and there is an opportunity to win some grant money for the club if all goes well.

I do not have too much information regarding the specifics of the program or the requirements of the pentest lab that is required to be built, but I am looking to get ahead of the game on this one and start by figuring out how to set up a basic lab.

The initial request was to create a VM with "vulnerable services" that exploits can be demonstrated against. My understanding is that VirtualBox allows for networking between VMs as with VMware which requires a paid version of the software. I have access to essentially any windows operating systems through the university. I am choosing a Windows based lab over Linux simply because I feel the students will be more familiar with windows networking/services. I assume we will be loading some instance of Kali for which to perpetrate the attacks against the machines. Or possibly even a custom distro designed specifically for this event to attack the targets.

At this point, I would like to go ahead and request some input regarding my next steps.

- What types of exploits do you feel a group of high schoolers would be interested in learning via a step-by-step process?

- When building the VM with vulnerable services, is it best to work backwards? For example, start with a fully up-to-date system and work backwards, installing older, more vulnerable versions of software onto the system? Perhaps uninstalling individual security updates from the system?

That is about it for now. While my main focus was for this pre-college program, the club council has also requested members create similar VMs for vulnerable services, that can be used as demonstrations for group meetings. So any additional ideas, that may go over the high schoolers heads, but would be understood by an undergraduate student (not all members are CS major, but are certainly computer enthusiasts). I would appreciate those as well, perhaps I could create some test VMs before the project is due for the summer program.

Thanks in advance folks, and if there is anything I have missed or you feel would help in my endeavor, please feel free to tune in.

Link to comment
Share on other sites

Don't build one yourself, grab one it more of the many that are out there already where people have put all the effort in for you.

The obvious one that come to mind is Metasploitable which is a very vulnerable Linux install. It has everything from simple netcat to a listening port for root, through vulnerabilities which need Metasploit to web apps. There is also a fairly detailed write up on exploiting it.

If you want to do some web app then look at DVWA which covers all the major issues.

If you do want to build one then check exploit db which as well as holding loads of exploit code also links to downloadable versions of the vulnerable app where possible. In one place you get the exploit and app to try it on.

You mention wanting windows as the target but if you are covering the concepts of exploitation then target doesn't really matter as the steps are the same, recon, scan, exploit, extract data and pivot.

One other thing to look at, check out prebuilt CTF rigs which might give you options for problem solving challenges rather than just exploitation.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...