Budget Pentesting Environment?


Listrix

Hey Everyone,

I've just started getting into pentesting and although I've been watching videos on how to do pentesting, I'd prefer to have my own machine with Kali installed that I can practice different stuff with. The problem is I'm a student with a very tight budget and don't have heaps of money to buy a brand-new, i7 8GB RAM computer. (I can't use my current computer because it's a school-issued laptop and I don't have admin access to install VirtualBox. I've installed QEMU but I'm not too sure how to use it yet, I'll research a bit more before purchasing something).

These are my options:
1. I've got a spare computer with a broken screen, it will cost about $100 to get it fixed. I can just use a monitor but the problem is I can't access the BIOS when using a monitor to install Kali and it's only an i3 with 4GB RAM, probably not enough to run a decent VM.

2. Purchase a second-hand laptop. I've been searching around, found a few good laptops that are equal specs as my spare laptop and cost the same. I'm just very cautious when I'm buying second-hand tech stuff because I'm not sure how the other people have used them in the past.

3. Buying a brand-new Android tablet. I've heard of people using Android tablets for pentesting so I was wondering if it was worth it to get an Android tablet and install Kali or whatever onto it to practice pentesting.

What do you guys think?


QEMU is fine. If you can run it on the school machine, you should be able to make a new VM and install Kali via QEMU, but ideally, VMware would be my first choice, even over VBox. VMware Player only lets you run one machine at a time though, vs something like VMware Workstation, where you can run multiples at the same time. Workstation is what I use at home so I can run multiple VMs at the same time when I practice in my own lab.

You could always try booting off a live disc of Kali and attack other lab machines over the network, which gives you more of a real world feel for using it though.

Hooking up a monitor to something like a laptop with a broken screen, you should see the BIOS on the external screen, just hit the keyboard shortcut for the second monitor or projector (if connected via VGA) which should do the same thing. Kali in a VM will be fine on a 4GB machine, so long as you aren't running lots of multiple VMs together. A CTF VM along with Kali running at the same time should be fine, but I'd use the student laptop from school while live booted into Kali, and then on the spare machine, set up some VMs with CTFs to attack from vulnhub or such.

The Kali tablet, I'd say save your money till you learn to use Kali. Also, you need specific tablet hardware that supports it, using Kali NetHunter on them. You could go your own route and build Kali to run on any supported tablet-based hardware, but with Kali NetHunter, you at least get images built for specifically tested hardware on those Android-based devices. Don't just buy a tablet without knowing what is supported first.


For a modular pentesting environment you can buy a Pi/Pi Zero which are really cheap, tiny computers on a circuit board and they allow you to modulate your environment (you can hook up a screen to them and install Kali, Raspbian etc. - they do have desktop environments) and you can also connect LED boards, cameras, microphones etc. onto them. Bit of fun, but can get boring if you don't have a project to focus on.

The cheapest way (and most efficient) is to install Kali on a VM. This allows you to delete the VM if you mess it up (can't just delete a PC..) or install a different OS and you can mess around as much as you want without hurting your actual PC. VMware Player will get you by just fine (I use it myself).


Pi would make a decent Kali box as an attacker, but you're not going to run a bunch of VMs for CTF on them. Builds on a Pi specifically as a victim machine sure, but I don't see them being used as hosts for CTF VMs.


Thanks for the responses guys, due to the amount of people telling me to get a Raspberry Pi I've been looking into it. I'm just curious about how much RAM they have and what's required for Kali. The Pi 3 B only has 1GB of RAM yet Kali (last time I checked) says it recommends minimum 2GB of RAM.

As for CTFs, I might get more into online and web-based CTFs instead due to them being easier. What kinds of tools do you think I'll need for web-based CTFs? I've been watching videos and I see a lot of Python and Burp Suite but not much else. Since I've only got the 1GB of RAM do you think it would be better to get something like Lubuntu and manually install what I need as I need it or download Kali which has everything installed and probably never use 80% of it?


The amount of tools installed doesn't have any issue with the amount of RAM you have, but if you have low disk space, like a small 16GB SD card, then you will want to use a smaller Kali footprint, which can be whittled down quite a bit.

Kali has various desktop environments and meta packages to achieve a smaller install, which limit tools to specific areas in categories, or leave them all out with a base install, and then only install the tools you want/need later on. You probably won't need the full install suite either, and you can always install individual tools as needed.

GNOME is pretty heavy (default desktop manager) but so is KDE (which is what I am using), but there are LXDE and such desktop environments as well that you can use sddm with to lessen resources on 1GB of RAM.

If HDD isn't an issue, then a normal install is fine and you can always remove tools you don't need as well from a base install.

This blog post explains the various packages - https://www.kali.org/news/kali-linux-metapackages/

If RAM is an issue, then try a lighter desktop package like MATE, LXDE, e17, and Xfce.


If it is an option you could get yourself a decent USB stick and install Kali on it with persistence so it saves your settings and files, once set up you just boot the computer from the USB stick. As long as the stick has half decent speed and amount of memory it should work great. When you mess it up just download the latest weekly Kali image and start over! I have not tried booting it on different computers all of the time, I just use my one cheap laptop, so not sure if changing computers messes up the settings or drivers somehow. If you're new at it just google videos on how to make a Kali persistence stick in a Windows environment. I am assuming you have some sort of computer already.


I've spent quite a few hours rigorously researching the Raspberry Pi and operating systems that are supported and have decided that Parrot Security OS would be a better alternative. It's fully supported for the Raspberry Pi and after watching some more videos about it, I've found out that it is more streamlined/lighter than Kali and overall has a better feel. The Raspberry Pi version comes with only a few pentesting tools but due to them being the basics I doubt I'll need much more. Plus their normal versions have different distros for the full version, a light version with no pentesting tools installed and even a media version that comes with tools designed for video and photo editing as well as programming. Overall it just looks like a better operating system than Kali.


I'll admit I'm a bit biased, mainly because I use Kali, but also because I work for offsec and help contribute to it. They do make ARM-based images for Kali and specific ones for Raspberry devices. These are the pre-built images for various ARM hardware, so you're not limited to Raspberry Pis either. If DIY budget machines are your thing, there are other ARM-based devices you can run it on for the cheap.

https://www.offensive-security.com/kali-linux-arm-images/

The USBArmory had images for 2016.1 if I recall, but seems we're updating the page for 2017.1 builds still.


Get a gently used Acer CB3-431 on eBay. Install Kali or the like. I believe they can have upwards of 200GB HD and 4+ RAM. Not sure if their BIOS are the easily replaced ones but for a 14" <4lbs laptop with 10+ hours for less than $200 it's not a shabby deal.

Also

Dell e6330 are small and can be extremely cheap for a nice little laptop. Right now there are several 13" i7 128GB HD 6GB RAM ones for less than $40 bucks. Plus they often have Windows 7, which I consider a better OS than most out there.


On 6/4/2017 at 8:23 AM, Spoonish said:

Get a gently used Acer CB3-431 on eBay. Install Kali or the like. I believe they can have upwards of 200GB HD and 4+ RAM. Not sure if their BIOS are the easily replaced ones but for a 14" <4lbs laptop with 10+ hours for less than $200 it's not a shabby deal.

Also

Dell e6330 are small and can be extremely cheap for a nice little laptop. Right now there are several 13" i7 128GB HD 6GB RAM ones for less than $40 bucks. Plus they often have Windows 7, which I consider a better OS than most out there.

That seems hugely overpriced for something with those specs. Even a small Lenovo consumer-grade laptop is cheaper than that and they have better specs... Also Chromebook. They aren't powerful enough to run Notepad on Windows XP.

And the Dell - are you sure you're not looking at battery prices? I had a quick Google of those and even the batteries for that model are more expensive than you say... Where are you getting your prices from?!

Edited by Dave-ee Jones

eBay bids are not buy now prices, if that's where you were getting those $40 laptops from. Many of them are also parts laptops, i.e. no HDD, dead screens, no battery and no power cables, just the boards and shell and you have to buy the rest of the parts.


I had the same problem.

I watched a guy on YouTube who does repair videos and one was on the 14" Lenovo Thinkpad T430. After watching a bunch of other videos on this line, and looking at the specs, I started shopping Newegg and eBay.

Long story short, I ended up finding a used T430 | i5-3320M 2.6GHz, 8GB DDR3, 240GB SSD with Windows 10 with not much wear at all for $190. Only issue, no power cord.
I added a second SSD (dual boot) in the DVD drive bay ($16 for the adapter, $58 for 128G ADATA SSD) on which I installed Kali Linux. And then $20 for the power cord.

All spent $284. I may spend a few bucks more on the back-lit replacement keyboard and 16GB RAM, but not pressing at the moment. Works awesome! Built like a tank. Great machine.

Assuming you don't need to add the extra drive, $190+$5 shipping+20 power cord for a very nice used laptop with a 240G SSD to run straight Kali on (and a Windows 10 license) is pretty good, and pretty budget.

You can find them refurbished from authorized Windows refurbishers for $200-$250 with varying specs. With or without SSDs. Some only have Windows 7. Gotta shop around.

I took a chance and DIDN'T buy from an "authorized" refurbisher, expecting to do some repairs on it, but didn't have to. I would actually buy another one of these.
I highly recommend it.

Edited by drbombay

Some people prefer Windows 7 :P (I'm not really one of them - but it can be more powerful for a more techy end-user).

That is a pretty good price for something of those specs. Where did you get the idea of a Leno-

On 6/9/2017 at 3:49 PM, Dave-ee Jones said:

Even a small Lenovo consumer-grade laptop is cheaper than that and they have better specs..

-Ahhh...:P

Those things are really handy to just pull out and do some quick stuff on - especially with an SSD as it can boot in less than 7 seconds or so. :)
