minusTempo
Posted December 14, 2020

Hi there,

I'm a computer science student at university and I'm looking to start getting into pen testing and ethical hacking, just as a hobby. I've signed up for hackthebox.eu and was advised to use a VM for security reasons. I understand that they are more secure, but I wondered to what extent, and why? On top of that, would dual booting not be just as, if not more, secure? Why or why not? And could I just boot from an encrypted external SSD and then plug that in to my computer which I want to pen test? Which of these options would be the most secure?

Thanks for the help,
temp0
chrizree
Posted December 14, 2020

If you only have access to one (1) physical computer, then I would go with an environment of VMs. If you are afraid of "polluting" your ordinary installation, then I would get an alternative hard drive and change the drive when pentesting. If that is too much work, then you can isolate both attacking and victim virtual machines in a virtual network on the PC. The risk all depends on what you are about to do. If it is things that wouldn't harm your host, then I would go virtual. I haven't dual booted since the 90's. There's potential risk of the guest breaking out and accessing the host when running VMs, but it all depends what you are doing.

If you want to really isolate it, then put some money in a used desktop or laptop PC, install some variant/distro built on Linux, use VirtualBox and then create a pentesting environment that is isolated. Needs some RAM, but it will work. In either way, I would separate what is "production" for you (your ordinary PC) and the environment you use for your pentesting labs. Things can happen and it would be a shame if your school work got lost due to some of your testing.

You could also skip the need for local equipment (other than your PC) and use services online like you have already mentioned. TryHackMe is another one: https://tryhackme.com/

Using a VM to access such services is just related to every person's individual level of paranoia. It's good practice though. I would most likely use a VM for online cybersec services or a totally separate machine that could evaporate at any time without me shedding any tears.
digininja
Posted December 14, 2020

If you want to try an environment where you don't have to worry about doing anything on your own machine, try Pentester Academy, you do all their stuff through a browser. They give you access to a test machine which then has access to the vulnerable targets. A very good setup and easy to use but I'm biased as I'm one of their course authors.
minusTempo (Author)
Posted December 14, 2020

1 hour ago, chrizree said:

> If you only have access to one (1) physical computer, then I would go with an environment of VMs. If you are afraid of "polluting" your ordinary installation, then I would get an alternative hard drive and change the drive when pentesting. If that is too much work, then you can isolate both attacking and victim virtual machines in a virtual network on the PC. The risk all depends on what you are about to do. If it is things that wouldn't harm your host, then I would go virtual. I haven't dual booted since the 90's. There's potential risk of the guest breaking out and accessing the host when running VMs, but it all depends what you are doing.
>
> If you want to really isolate it, then put some money in a used desktop or laptop PC, install some variant/distro built on Linux, use VirtualBox and then create a pentesting environment that is isolated. Needs some RAM, but it will work. In either way, I would separate what is "production" for you (your ordinary PC) and the environment you use for your pentesting labs. Things can happen and it would be a shame if your school work got lost due to some of your testing.
>
> You could also skip the need for local equipment (other than your PC) and use services online like you have already mentioned. TryHackMe is another one: https://tryhackme.com/
>
> Using a VM to access such services is just related to every person's individual level of paranoia. It's good practice though. I would most likely use a VM for online cybersec services or a totally separate machine that could evaporate at any time without me shedding any tears.

What does an "environment of VMs" mean, because I have the one Oracle VirtualBox on my PC, and your suggestion is to just get a used laptop, put a VM on it, and then use that, as it would be the most secure? Also, what is so secure about VMs? I don't doubt their security, but what about them makes them secure?
minusTempo (Author)
Posted December 14, 2020

1 hour ago, digininja said:

> If you want to try an environment where you don't have to worry about doing anything on your own machine, try Pentester Academy, you do all their stuff through a browser. They give you access to a test machine which then has access to the vulnerable targets. A very good setup and easy to use but I'm biased as I'm one of their course authors.

Unfortunately I'm very against paying for any form of online resource, because when it comes to programming, most of these things can be sourced for free, but thank you for the suggestion!
digininja
Posted December 14, 2020

You are paying for convenience vs effort and quality. If you want to build it all yourself, you'll have to put the time in, you'll probably learn more about building machines in the long term, which is good, but it will be a very slow start if as you are starting with very little knowledge of the area.
minusTempo (Author)
Posted December 14, 2020

2 minutes ago, digininja said:

> You are paying for convenience vs effort and quality. If you want to build it all yourself, you'll have to put the time in, you'll probably learn more about building machines in the long term, which is good, but it will be a very slow start if as you are starting with very little knowledge of the area.

I think even if I was so inclined as to pay, I don't really have the spare cash at the minute anyway, and I feel like the slow start is what's going to really help me.
digininja
Posted December 14, 2020

Get VMware or VirtualBox installed then, download some Linux ISOs and do some installations. Learn what they do, how the VM process works, how different types of networking affect things, how to communicate effectively between the VMs, and how to troubleshoot all the issues that come up as you go along. That will probably keep you busy for a while and give you a good idea of basic networking and virtualisation.
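
Added example, not part of any post in this thread: a shell check for the local setup discussed above (attacker and victim VMs on an isolated VirtualBox network), showing how each adapter mode changes what the guest can reach. It assumes the `--machinereadable` output of `VBoxManage showvminfo` carries lines such as `nic1="intnet"`; the VM names and sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Audits the adapter modes of one VirtualBox VM for an isolated lab.
# stdin: output of `VBoxManage showvminfo <vm> --machinereadable`
#        (assumed to carry lines such as nic1="intnet").
# Prints one line per enabled adapter; returns 1 if any adapter reaches past the lab.
audit_vm_nics() {
  awk -F= '
    /^nic[0-9]+=/ {
      slot = substr($1, 4); mode = $2; gsub(/["\r]/, "", mode)
      if (mode == "none") next                      # adapter disabled
      if (mode == "intnet")
        verdict = "OK   guest-to-guest traffic only"
      else if (mode == "hostonly")
        verdict = "WARN host is reachable from the guest"
      else if (mode == "nat" || mode == "natnetwork")
        verdict = "WARN guest can reach LAN and internet through the host"
      else if (mode == "bridged")
        verdict = "WARN guest sits directly on the physical LAN"
      else
        verdict = "WARN unrecognised mode, review by hand"
      printf "nic%s %-10s %s\n", slot, mode, verdict
      if (verdict ~ /^WARN/) bad = 1
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: victim VM attached only to the internal network "labnet".
SAMPLE_ISOLATED='name="victim"
nic1="intnet"
intnet1="labnet"
nictype1="82540EM"
nic2="none"'

# Constructed sample: attacker VM with a second, bridged adapter left enabled.
SAMPLE_LEAKY='name="attacker"
nic1="intnet"
intnet1="labnet"
nic2="bridged"
bridgeadapter2="eth0"'

printf '%s\n' "$SAMPLE_ISOLATED" | audit_vm_nics
printf '%s\n' "$SAMPLE_LEAKY" | audit_vm_nics || echo "attacker: not isolated"
# Real use:  VBoxManage showvminfo "victim" --machinereadable | audit_vm_nics
# Fix, with the VM powered off:  VBoxManage modifyvm "attacker" --nic2 none
```

Internal networking lets the two guests talk to each other and nothing else, so a VM that passes this check needs a temporary NAT adapter whenever it has to download updates or tools.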