
Building a Home Lab for Offensive Security and Security Research - kungfudoi
https://systemoverlord.com/2017/10/24/building-a-home-lab-for-offensive-security-basics.html
======
tehsurf
There is a whole reddit on homelabs [1]. Always good to get new ideas.

[1] [https://www.reddit.com/r/homelab/](https://www.reddit.com/r/homelab/)

~~~
systemoverlord
Yeah, some of those setups are serious. At a certain point, you're living in a
datacenter instead of having a lab in your home. :) I've seen a couple that
got new 20 amp circuits dropped for their labs.

------
throwaway2016a
I'm curious why in "pre-made VMs" there is no mention of Kali Linux[1]. I was
under the impression it was by far the most robust / mature implementation.

Plus Mr. Robot uses it so that means it's good :p

[1] [https://www.kali.org/](https://www.kali.org/)

~~~
graystevens
It definitely is the most popular OS for security peeps, however those VMs
mentioned in the article are purpose built to be vulnerable. They allow
someone to spin them up and attempt to hack the boxes (likely using Kali) as a
way of honing their offensive security skills.

~~~
fosco
another way is to increase defensive skills by starting with Damn Vulnerable
Linus (DVL) and trying to close all holes and having someone try to crack it.

for fun of course :-)

------
jeffmcjunkin
I'll admit I'm a little biased here (I made the preso), but here are a few
more resources for those interested in building a home lab:

"Building Your Own Kickass Home Lab" \-- bit.ly/kickasslab (or
[https://docs.google.com/presentation/d/1V-mWiyaJ3I6HhXRxH1M5...](https://docs.google.com/presentation/d/1V-mWiyaJ3I6HhXRxH1M5ityWYRqb5PoNHwvWSZaOr_E/edit?usp=sharing))

Recorded webcast version --
[https://youtu.be/uzqwoufhwyk](https://youtu.be/uzqwoufhwyk)

I talk about hardware, software (choose your own host OS, consider VMware
Workstation), operating systems, vulnerable builds, example labs, and some
ideas of what to test.

~~~
systemoverlord
Hi Jeff! I actually hadn't seen your presentation before I wrote the post, I'm
going to take a look at it today and might update some sections based on it.
Thanks for the resource!

~~~
jeffmcjunkin
No problem! Thanks for writing that blog post, there's lots of great stuff
there :)

------
Cieplak
Depending on the threat model, might also want to install RF insulation to
mitigate Van Eck phreaking [1].

[1]
[https://en.wikipedia.org/wiki/Van_Eck_phreaking](https://en.wikipedia.org/wiki/Van_Eck_phreaking)

------
bluedino
>> Hardware Option C: Dedicated Hardware

This is the way I went. You can get a lot of used machine for $300 these days.
A pair of ThinkPads for Windows and Linux, a MacBook for OS X, and a dual quad
Xeon Dell server is plenty and barely cost over $1,000 US.

~~~
insanebits
Why would you really need physical machines for linux and windows, you can
always virtualize clients and run dual boot mac/windows or single thinkpad
with win/linux dual boot.

If budget is tight used servers are great value, for example del R710 is cheap
with plenty of horsepower. Downside being space and sound.

~~~
jeffmcjunkin
I prefer getting a really powerful workstation and doing virtualization from
there. Example: [http://natex.us/enthoo-128kit](http://natex.us/enthoo-128kit)

(No affiliation with Natex, but I've bought that kit and I enjoy the overkill
of 16 cores and 128gb of RAM)

~~~
hackerboos
Price has jumped a bit from your presentation.

------
matt4077
I find the self-importance of these self-anointed "security professionals"
quite annoying.

Case in point: this isn't a "lab". It's a computer running some software. You
could replace this article with "buy a Macbook and install metasploit and
VirtualBox".

(Or the sibling comment recommending tinfoil wallpaper)

~~~
bendews
The author works as a Security Engineer for google, not saying credentials are
the be-all-end-all but I think they are able to claim themselves as a security
professional without too much worry.

