This posting is the first in a series about building a portable web application penetration testing (WAPT) lab. After the lab setup I may continue the series on attacking the lab. This first part covers why I am trying this and the hardware and software used to build a portable WAPT lab. FYI to the reader, I have not done this yet, so consider this a work in progress; I will be blogging through the process of building the lab.
This started because of challenges I have with WAPT lab access. I have VPN access to my home network, but sometimes I don't have Internet access, such as when on planes and trains. In the past I have loaded my lab on one system, but I tend to change systems often. Depending on the situation I will switch between various laptops, desktops and operating systems. To overcome this challenge I have decided to build a portable lab that I can access from any system. This lab must be accessible from any computer with a USB port and must work with Windows, Linux and Mac OS X.
To meet the portability requirement I bought a Western Digital 500 GB My Passport USB drive. This drive supports both USB 2.0 and 3.0. Although FireWire is quicker, one of my systems doesn't have a FireWire port. If speed does become an issue I will consider replacing the USB drive.
For virtualization software my choice is VMware. I have no problems with the others like VirtualBox; I just happen to use VMware. I use three different VMware products: Workstation on Windows, Fusion on Mac and Player on Windows and Linux. Although I am doing this on VMware, the concept should in theory work with other virtualization software.
My original WAPT lab is based on a blog article from securityaegis.com, a blog I highly recommend to anyone interested in pentesting. For my portable lab I plan to use the same concept, but with more targets.
My targets will consist of two systems: one prebuilt VM with lots of targets and one VM I will build myself. The prebuilt VM is the OWASP Broken Web Application. The VM that I will build is for the Foundstone Hacme series (Hacme Bank, Hacme Books, Hacme Casino, Hacme Shipping and Hacme Travel). I may add additional VMs and applications at a later date.
For the attacking VM I will be using Samurai WTF 2.0 from Kevin Johnson and crew. For web application pentesting this is my preferred platform, and if you have not checked it out I highly recommend it. If you download it and don't know the username and password, please check out this web site.
In the next posting I will talk about setting up VMware, the target VMs and the attacking VM. As I work on this lab, I may come back and change things as I try them.