So welcome to today's deep dive. I'm really glad you're joining us for this one because we are getting into something incredibly cool today.
Yeah, we're basically looking at how to safely play with fire. Exactly.
I mean, if you want to learn how to defuse a bomb, you practice on a dummy, right? Yeah, you build this controlled environment where, you know, clipping the wrong wire just triggers a loud buzzer instead of leveling a city
block. Right, which makes sense. But in the realm of professional cybersecurity and ethical hacking, people constantly try to learn their trade by just poking around on live critical networks, which is terrifying. It's completely terrifying. So today we're digging into this customized, exclusive exploration of Kevin Cardwell's comprehensive guide. It's called Building Virtual Pentesting Labs for Advanced Penetration Testing.
And the mission for this deep dive isn't just learning how to hack. It's about how to actually think like a professional security tester, understand their exact systematic methodology, and discover how to build a safe virtual playground to practice these dark arts.
Yeah, without going to jail or, you know, accidentally taking down a hospital's database.
Right. But before we can build that sandbox, we have to fundamentally understand what a professional tester is actually trying to achieve in the first place.
And more importantly, what they're trying to break. Because the industry throws the term penetration testing around quite loosely.
Oh, totally. They treat security like it's a product you can just buy and install. Exactly.
But Cardwell's entire thesis rests on the fact that security is a process. It's a methodology, not a product.
Okay, let's unpack this, because we all know the standard basics, right? Authentication, authorization, confidentiality, integrity, availability, and non-repudiation. Right, the
core components of security testing.
But the source material makes this fascinating point about confidentiality. It's incredibly hard to protect because of the Internet's bedrock protocol, TCP/IP.
Yeah, the Transmission Control Protocol and Internet Protocol suite, which
was built back in the early nineteen seventies, right?
For ARPANET, which was essentially just this tiny network connecting a few academic institutions and military researchers.
Where everyone inherently trusted each other. Exactly.
The foundational assumption baked into the actual mathematics of TCP/IP was inherent trust.
Wow.
It was assumed that if you received a packet of data, it came from a reliable, friendly source. It wasn't designed for secrecy.
So we basically took a protocol designed for a friendly neighborhood block party and used it to build a highly hostile global metropolis.
That's a great way to put it. What's fascinating here is how that inherent trust issue completely undermines non-repudiation, right?
The idea that you can mathematically prove a specific person sent a specific
message. Exactly, because all it takes is one compromised machine to throw that whole concept out the window. If a machine has a remote access trojan on it, you can't guarantee its state, because
you can't prove the human sitting at the keyboard actually hit send, rather than, like, a malicious script running in the background.
Precisely, and that shaky foundation brings up this massive corporate myth that Cardwell talks about.
Oh, the vulnerability assessment versus pen testing thing.
Yeah, most clients do not know what a penetration test actually is. They sign a contract for one, but they really just want a vulnerability assessment.
I mean, a vulnerability assessment is basically like walking around a house checking if the windows are unlocked.
Right, it's just a mapping exercise.
But a true penetration test is actually climbing through the window, walking into the living room and seeing if you can carry out the TV.
Yes. True penetration testing involves actual exploitation to validate the vulnerability, and clients usually panic when they realize you intend to climb through the window.
Wait, there was that amazing anecdote in the book
about this, right? Oh, the foreign stock market IT director. Yeah, so Cardwell recalls meeting with this director, outlining the methodology.
And he gets to the validation phase.
Right, he explains they'll run real exploit code, and the director just balks and says, those are my stockbroker records, and if we lose them, we lose a lot of money.
Oh, man, I bet they skipped the validation step.
They absolutely skipped the validation.
Because proving the window's unlocked isn't worth the risk of accidentally burning the house down. Exactly. But okay, armed with this knowledge that true pen testing requires exploitation, how does a professional systematically get to that point?
Well, we have to look at the hacker's blueprint, and Cardwell notes the crucial difference in the planning phase between a pro and a malicious hacker.
Right, time and legality. A malicious hacker has, what, six to nine months to plan? Yeah.
Six to nine months to passively stalk a target, and they can break the law. A professional tester, bound by ethics, has a two-week contract and strict legal lines.
Which means the pro has to rely heavily on OSINT, right? Open source intelligence, that non-intrusive target
search. Exactly, gathering public info without sending a single packet directly to the target's internal network, using tools like nslookup or ServerSniff.
Oh, ServerSniff is so clever, because Microsoft servers often block standard ICMP ping requests by default.
Right, so a normal traceroute just dies at the firewall.
But ServerSniff gets around that by doing a TCP traceroute.
Yes, it sends a TCP SYN packet, usually to port 80 or 443, and if they're hosting a public web server, the firewall has to let
that packet through, or their website wouldn't work.
Exactly, so you bypass the block by exploiting the ports that the business requires to be open.
That's brilliant. And then there's the whole Wayback Machine strategy.
Oh, yeah, finding deleted tools.
The specific example he gave was wild. He was looking for this steganography tool called infistago, right?
From anti Labs. They had pivoted to antivirus software and completely scrubbed infistago from their site.
But Cardwell just used the 2008 archives on the Wayback Machine to find the old site and download the executable
anyway, because the Internet never really forgets. See,
that is amazing. But then we get to Shodan, and this is where I have to push back a little bit.
Okay, lay it on me.
Shodan is basically this massive cloud scanner, right? Cardwell searches for, like, iPhone RU and instantly gets a list of specific vulnerable servers in Russia.
Yeah, with IP addresses and open ports.
Right. So, if tools like Shodan are publicly indexing vulnerable servers globally, isn't that blurring the line between passive research and handing a loaded gun to the bad guys?
Well, that's exactly why the methodology is so rigid. Shodan is doing the active scanning. As a user, you're just reading a public database. The progression from passive observation to active probing, that's where the legal and ethical lines are drawn.
Ah, okay, so looking at Shodan is just reading the phone book. Exactly.
But the moment you direct your own machine to interact with those IPs, you enter the intrusive target search phase. You're dialing the numbers.
And that requires authorization.
Explicit written authorization. Once you have that, you start finding live systems with Nmap ping sweeps, checking open ports, and
the OS enumeration is wild, using the Nmap
-A command. Yeah, it analyzes the microscopic quirks in how the server's TCP/IP stack responds to guess the OS version. Then you bring in a vulnerability scanner like Nexpose.
And finally exploitation.
Right. Cardwell uses Metasploit, exploiting the MS08-067 vulnerability, as his example to get a command shell.
But getting there means analyzing the data correctly, like reading a Wireshark packet capture.
Oh, the ICMP type 3 code 13 example. That's a classic, yeah.
Walk us through that, because to an untrained eye it just looks like a connection error.
Right. So type 3 means destination unreachable, but the specific code 13 means the communication is administratively
filtered, meaning it's not a broken network. Exactly.
It alerts the tester that a router explicitly blocked it, because there is an access control list, an ACL, in place.
It's like navigating a maze by tapping a cane against the wall and listening to the echo.
That's a perfect analogy.
But executing a buffer overflow or probing an ACL on a live corporate network is exactly what caused that stock market director
to panic, which is why you have to build the matrix.
The virtual sandbox.
Yes, choosing your virtual environment is critical, and Cardwell breaks it down into type one versus type two virtualization.
Okay, here's where it gets really interesting, because a type one hypervisor like vSphere Hypervisor or Xen rides directly on the hardware, right? It's incredibly powerful, but it's basically like demolishing a house to the foundation just to build a custom recording studio. It dictates the OS directly, which is terrible for a
laptop, because you still need to write reports and check emails.
Exactly. So use a type two hypervisor like VirtualBox, Hyper-V, or VMware Workstation, which
rides on top of your existing operating system.
It's like putting up soundproof partition walls in your existing spare bedroom. You still get the studio, but you don't have to wreck the house.
I love that, but the tool nuances matter here. VirtualBox is great and it's free, but Cardwell notes it suffers from keyboard input
glitches, yeah, requiring special extensions to fix. And then Microsoft's Hyper-V.
Hyper-V is tricky. It requires a 64-bit OS and a CPU that supports
SLAT, second level address translation.
Right. And even if you have that, it historically struggles with Linux networking, which is a huge problem, since so many pen testing tools are Linux-based.
So the winner is VMware Workstation.
Yes, it costs money, but it is the winner, and
it's the winner because of the virtual switches, right? It allows for up to ten virtual switches on Windows.
And up to two hundred and fifty-five on Linux hosts. If we connect this to the bigger picture, the reason those ten virtual switches matter so much is because real-world corporate networks are never flat.
They aren't just one router with everything plugged in. Exactly.
They are segmented. You have firewalls, DMZs, internal routing rules. If you can't simulate those complex, multi-layered architectures, your practice lab is useless for advanced testing.
You can't practice pivoting from a web server to an internal database if everything's on a single flat network.
Precisely, VMware Workstation gives you the infrastructure to build the actual maze.
The room is useless if it's empty, right? How do we put realistic targets inside it?
Well, you can populate it using pre built vulnerable ISOs. The security community has great options.
Like the Samurai Web Testing Framework, Samurai WTF.
Yeah, or the OWASP Broken Web Applications Project, which is actually sponsored by Mandiant, and
that includes tools like WebGoat and Mutillidae.
Exactly, you just mount the ISO, boot it up, and you have a target rich environment.
But what about the format problem? Like, what if a client gives you a VMware image in VMDK format, but you only have Microsoft Hyper-V, which uses VHD?
That happens a lot. You can use conversion tools like the StarWind V2V Converter.
Although the author notes a funny quirk about that.
Oh, yeah. He mentions that FreeBSD systems, old version 9.x, usually just break during the
conversion. Just completely bricked.
Yeah, totally unusable. But for modern Windows and Linux it works great.
But the coolest thing in this whole section has to be P2V, physical to virtual.
Oh, absolutely, using tools like vCenter Converter or even a feature built right into VMware Workstation.
So what does this all mean for the listener? I mean, imagine the power of this. You can literally take a chaotic, terrifyingly fragile server from a client's physical
office, like that stock market server.
Yes, you digitally clone it, trap it in your VMware matrix, and hit it with exploits all day long without ever risking their actual business.
It is incredible. P2V is basically the ultimate bridge between theoretical lab practice and high-stakes real-world consulting. You are hacking an exact digital replica.
It's just brilliant. So to recap our journey today, we went from understanding the true nature of the CIA triad and why confidentiality is so hard on the Internet, to breaking down the hacker's OSINT methodology.
From passive reconnaissance to active exploitation.
Right, and then we learned how to construct a multi-switched virtual battleground and populate it with cloned physical servers.
It's an entire ecosystem for ethical hacking.
It really is. But before we sign off, I want to leave you with a final thought. We talked early on about how Cardwell mentioned TCP/IP being incredibly hard to secure because it was built in the nineteen seventies on inherent trust, right? ARPANET. Think about this. Yeah, all of this pen testing, all these complex virtual labs, this entire multi-billion dollar cybersecurity industry, it all exists simply because we are trying to bolt security onto a foundation that was never meant to be secure.
We're constantly patching a leaky ship. Exactly.
So if the Internet eventually undergoes a foundational rewrite to replace TCP/IP with a protocol built on zero trust by default, oh wow, will penetration testing as we know it simply cease to exist? Or will human error just find a brand new way to leave the virtual window open?
That is a fascinating question, Tom.
Oh, I think we all know the answer is usually human error. But anyway, thank you so much for taking this deep dive with us. We'll catch you on the next one.
