Question regarding setting up home lab for Pen testing etc.

[DamonX]

Hi,


I did a research on this topic and found out that pretty much all suggest using either VM or another box when setting up home test lab.  On the other hand, most people say pen testing should be performed from other network.  Now is there any way to emulate so it looks like your other PC is on other network while connected to the same home network?


I have couple PCs, 1 linksys router, 2 Cisco routers, 1 Cisco 24 port switch and VMs are available online.    I can also other other devices if needed like firewall etc.


Is there anyway I can setup a home lab and make it so it looks like 2 PCs are on different network?


Thanks

[RedBullAddicted]

What kind of Cisco switch do you have? Is it a catalyst and managed and which software version is installed on it (Base image, Enterprise image ...). If the switch is managed and provides vlan and routing capabilities I can help you to make the configuration needed.

Cheers,
RBA

[DamonX]

Its a layer 2 switch (2950 - 24 ports) which doesn't provide routing but can do vlan and stuff.  I will have to double check as I don't think I ever checked or upgraded ios of switch.  The Cisco router (2600 XML) and is running latest ios.

[AnarchyAngel]

couldnt you just set a virtual server to use the nat network config, then it should be on a different network then everything else.

[RedBullAddicted]

So you need help with the configuration? You already did something? Can you post your running-config from the switch and the router?

Code: [Select]

Password:
CiscoSW>en
Password:
CiscoSW#show run
For the Switch configuration this might help (shamless plug):
http://evilzone.org/tutorials/networking-the-basics-part-12/msg26855/#msg26855
http://evilzone.org/tutorials/networking-the-basics-part-22/msg27653/#msg27653

Cheers,
RBA

[DamonX]

I think you misunderstood my question.  I just want to know if there is a way I can have 2 computers in my home in a way that each thinks other computer is on a different network.  I can probably use vlans but it won't be same i guess?

[proxx]

Well VLAN would effectively do something like that.
You could setup a box that would NAT the machine either with a linux box and iptables or something like an old router.

[RedBullAddicted]

like proxx said vlans would definitely do it. Sure you could use one switch for every host and connect them to a router. This would mean you have different hardware for each subnet you want to use. Just imagine we wouldn't have vlans. A bit more complex network has a lot of different subnets and if you would need a switch (maybe more for different buildings) for every one of them you would have to spend a lot of money and you will be running into space issues.. lol. VLANs is a common standard for separating network parts and it is what you should use for your test environment (As you already have the required hardware). If you need help setting this up just let me know

Cheers,
RBA

[Mordred]

Coming from Rapid7 cause I had to talk to them about my project, and when I saw this I directly made the following association:

https://community.rapid7.com/docs/DOC-2196

Off-topic: In case you don't know, Rapid7 is the company that develops Metasploit and NeXpose, and I'm lucky enough to have the privilege of working in the same environment as them which means I go ask for advice and help like bunch of times  Super chill guys tbh... at least the ones who work here.

[DamonX]

Coming from Rapid7 cause I had to talk to them about my project, and when I saw this I directly made the following association:

https://community.rapid7.com/docs/DOC-2196

Off-topic: In case you don't know, Rapid7 is the company that develops Metasploit and NeXpose, and I'm lucky enough to have the privilege of working in the same environment as them which means I go ask for advice and help like bunch of times  Super chill guys tbh... at least the ones who work here.

Bookmarked .. thanks.  I think I read this article before but I wanted lil more than that but I guess if that works, then why bother doing more work 

[proxx]

Yeah and as for scenario its fun to have something like this:


**************************Term-svr*******Clients*************
***********************************\*****/********************
************************************\***/*********************
WWW----------FW-----------------------------Switch------DC---------DB-svr*
**************\***********************\***********************
***************\***********************\**********************
****************\***********************Mail-svr**************
***************Web-svr on DMZ******************************


Isnt that ascii art

[DamonX]

Yeah and as for scenario its fun to have something like this:


**************************Term-svr*******Clients*************
***********************************\*****/********************
************************************\***/*********************
WWW----------FW-----------------------------Switch------DC---------DB-svr*
**************\***********************\***********************
***************\***********************\**********************
****************\***********************Mail-svr**************
***************Web-svr on DMZ******************************


Isnt that ascii art

hmmm .  fascinating .. that doesn't make any sense tho 

[proxx]

Why not?

[RedBullAddicted]

I think it makes sense too If you have different subnets the switch could do the routing (if it is a Layer 3 switch) or you could do the routing on the firewall. Only thing I would change is that the db server is directly connected to the domain controller. Maybe it makes sense in a special scenario but tbh I can't think of one at the moment. But it is early and I haven't had enough sleep.. lol

[DamonX]

Why not?

Probably because its too complicated for me