If you have been following along, you have seen a lot of posts on various tools, tactical procedures, and systems that I have built, tested, or recommend. Today I want to add some context to that and outline my lab architecture, which serves two distinct purposes:
- Malware Research
- Attack Tooling and Testing
My entire lab consists of a collection of virtual guest systems that are isolated from my host and have a shared storage volume for data interchange (if necessary). For the host machine, I’m using OSX with a couple of utilities installed through Homebrew.
Malware Research Lab
As shown above, I have a single victim machine to which I can submit samples from my Cuckoo platform. Cuckoo automatically executes the payload, collects a large set of artifacts, brings them back and normalizes them. During the process a memory dump is collected, and I use Volatility and YARA to further analyze suspicious artifacts. Additionally, I have a couple of standalone apps/scripts on a lightweight utilities server. These include:
Currently this is a fairly static setup and not much changes, although I am looking at possibly introducing an IDS and a honeypot.
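As an added illustration of the last stage of the pipeline above (not code from this post), here is a small pure-Python stand-in for a YARA scan over a memory region, using YARA's hex-string syntax with `??` single-byte wildcards and an "N of them" style threshold. The dump bytes and the rule are constructed for the example; in the lab the input would be the memory dump Cuckoo collects, or a process region carved out of it with Volatility.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a region carved out of a sandbox memory dump.
# The bytes are made up for this example and are not a real sample.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00\x03\x00\x00\x00"      # PE header stub, offset 16
    + b"\x00" * 8
    + b"cmd.exe /c powershell -enc "      # encoded command line, offset 32
    + b"\x00" * 4
    + b"\x68\x11\x22\x33\x44\xc3"         # push imm32 ; ret, offset 63
    + b"\x00" * 16
)


@dataclass
class Rule:
    """Minimal YARA-like rule: named patterns plus a match threshold."""
    name: str
    patterns: dict         # name -> bytes literal, or hex text with '??' wildcards
    min_matches: int = 1   # "N of them" in YARA terms


def pattern_regex(pat) -> re.Pattern:
    """Compile a bytes literal or YARA-style hex text ('68 ?? ?? ?? ?? c3') to a regex."""
    if isinstance(pat, bytes):
        return re.compile(re.escape(pat), re.DOTALL)
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in pat.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(dump: bytes, rule: Rule) -> dict:
    """Return {pattern_name: [offsets]} for every pattern that hits in the dump."""
    hits = {}
    for name, pat in rule.patterns.items():
        offsets = [m.start() for m in pattern_regex(pat).finditer(dump)]
        if offsets:
            hits[name] = offsets
    return hits


def matches(dump: bytes, rule: Rule) -> bool:
    """True when at least rule.min_matches distinct patterns were found."""
    return len(scan(dump, rule)) >= rule.min_matches


# Constructed rule: a PE stub next to an encoded PowerShell launch and a push/ret stub.
SUSPICIOUS_LOADER = Rule(
    name="suspicious_loader_stub",
    patterns={"$mz": b"MZ", "$ps": b"powershell -enc", "$push_ret": "68 ?? ?? ?? ?? c3"},
    min_matches=2,
)

if __name__ == "__main__":
    print(SUSPICIOUS_LOADER.name, scan(SAMPLE_DUMP, SUSPICIOUS_LOADER), matches(SAMPLE_DUMP, SUSPICIOUS_LOADER))
```

Reporting the offsets alongside the rule name is what makes the hit actionable: the offset is what you go back to in Volatility to see which process and mapping the bytes belong to.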
Attack Tooling and Testing
My current penetration testing lab is the exact opposite: it's a dynamic lab, and I'm always adding new virtual capture the flag (CTF) machines.
I also have the same victim machine in this lab, which is just a copy used for testing Windows exploits, as well as a basic LAMP server. Kali is my main image for keeping my skills sharp on the various tools available. I do have a couple of utilities on my OSX device that I use as well, but not that many.
A lot of good articles on building these two skill sets can be found online; I have included a good list in the reference section below and will continue to update it as new articles are found.
- Awesome Hacking Tools
- Debugging Complex Malware
- Penetration Testers' Guide to Windows 10 Privacy & Security
- Windows Privilege Escalation Guide
- Building an Analysis Toolkit