A quick Google search for “Penetration Testing Lab” results in ads for pentesting services, tutorials on how to set up a pentest lab at home, and a couple websites where you can purchase lab access or practice hacking on the website itself. In general, the current offerings leave a lot to be desired and have some disappointing characteristics: publicly shared lab environments, static lab boxes, “courses” with basic or outdated content, etc. Most of the time, a lab is simply a collection of “boxes” the student must “root” without any inherent relationship between machines.
We feel a little differently about things…
After years of pentesting real companies across a variety of industries (pharma, retail, finance, etc.) we can definitively say that the current approach to pentest labs is NOT the best way to prepare your new resources for a real engagement, or to provide an environment for developing and testing new tradecraft. A real penetration testing lab should help new hackers and consultants learn what it’s like to be on an internal environment, in production, performing a penetration test; not how to exploit CVE-XXXX. It should mirror closely the real thing. To this end, we’ve decided to fill this gap in the industry and offer our own take on a penetration testing lab. Here’s what we’re all about.
Ubeeri Penetration Testing Labs:
Our labs have a number of characteristics which we feel puts them an order of magnitude above the current standard for training and testing new techniques. In general, these traits are aimed at mirroring real production environments as accurately as possible.
Windows Active Directory - In our opinion the single biggest missing piece of the puzzle for most current pentest labs is a working and configured Windows AD. As penetration testers, abusing Active Directory and going from a member of the ‘Domain Users’ group to a member of the ‘Domain Admins’ group is the number one way we escalate our privileges and gain widespread privileged access. From here, we can usually gain access to whatever we want across the environment, sometimes with a little extra effort required. Being comfortable navigating the Windows AD structure and trusts between domains is one of the most important skills an attacker can have in order to be successful on an engagement.
In our penetration testing labs, you’ll find multiple AD structures; from a single domain, to multiple domains with varying trusts and levels of privilege associated with each. This should help new pentesters become adept at escalating privileges throughout the Windows domain and leveraging that access to infiltrate privileged areas of the network and gain access to sensitive data.
Simulated User Traffic - Every corporate network has active users which perform various day to day tasks, creating traffic on the network. This traffic can be exploited in a variety of ways by attackers in order to gain entry into the environment. Accessing file shares, browsing the internet, and opening email can send user credentials over the network and expose users to client side attacks such as spear phishing campaigns. Traditional lab environments are radio silent, and lack the ability to simulate these types of user activities that are vital parts of the penetration testing process.
We’ve developed a PowerShell tool which we deploy in our labs that currently simulates these common user behaviors. This allows the Ubeeri lab environment to play host to a number of additional attack scenarios which are increasingly relevant for today’s penetration testers.
Configurable Difficulty Levels - Not every corporate network is going to take the same amount of effort to infiltrate. We have experienced varying levels of maturity in organizations across industries in our penetration tests. Sometimes we have Domain Admin in under an hour, and sometimes it takes several days. Some networks are flat and unmonitored, while others have legitimate segmentation and advanced defensive monitoring and controls.
Ubeeri labs can be configured at a variety of difficulty levels without standing up an entire new lab environment! We accomplish this by tweaking a number of security related configurations within the environment. Network The Ubeeri segmentation levels, Active Directory sophistication, and Group Policy settings exist in different combinations to provide users the variability they need to be prepared for clients with different maturity levels.
In addition to these core lab traits, we strive to maintain a level of realism in our labs that surprasses what you can currently find. Each lab is unique, and contains multiple methods of escalating privileges to Domain Admin and gaining access to sensitive portions of the environment. We truly feel that our labs will provide users with the skills and practice they need to feel confident on their internal penetration tests and red team engagements.