Penetration Testing: Re: Looking to set up an infosec lab

["Shawn Merdinger" <shawnmer () gmail com>]

Hi John,

imho, the end-point targets for learning are good, but the tools to
facilitate attacking them are refined to the point where it's pretty
much a no-brainer (a la Metasploit por exemplo, or your
run-of-the-mill Romanian zero-day for a couple hundred Euros).  For
the mad Kung-Fu, I suggest going for the real nasty -- routers and
switches -- sure, some enterprise's Oracle DB may be vulnerable, or
even compromised, but if you can Pwn the upstream router, well "all
your packet are belong to us" and you've access to the compromised DB
access _and_ the attacker(s)/remote admins/trusted peers/etc.

Kindest regards,
--scm

Shawn Merdinger
Independent Security Researcher
VoIPninja.com


> ----- Original Message ----
> From: John M. Martinelli <john () martinelli com>
> To: pen-test () securityfocus com
> Hi, list.
>
> A few of the previous e-mails going out on the mailing list got my
> attention - I'm interested in building a moderate hacklab to conduct
> mock attacks, intrusion detection, detection evasion, etcetera. My
> hardware situation allows me to deploy a VMware or Parallels lab -
> what kind of machines would you set up in my situation?
------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------