How to Set Up a Secure Penetration Testing Lab for Effective Ethical Hacking

CyberSecureFox 🦊

A secure testing lab is an essential tool for a security analyst. It’s a controlled environment that closely mimics a potential target’s real infrastructure but is completely isolated from production systems and the internet.

In a testing lab, you can:

  • Learn and practice new ethical hacking techniques without risking damage to production
  • Test public and custom exploits
  • Check pentesting toolchains and frameworks before using them on real projects
  • Prepare clear and safe proof-of-concepts (PoCs) for vulnerabilities found
  • Study malware behavior and defense evasion techniques

In this article, we’ll review different options for setting up a testing lab, necessary tools and platforms, and key security recommendations.

Depending on the resources available, how closely the lab must match the production environment, and personal preference, you can implement a testing lab in one of the following ways.

1. Virtual machines

The simplest and most cost-effective option is to deploy tested systems and services as virtual machines on local hardware. For this, you’ll need a sufficiently powerful computer or server with at least 16 GB of RAM and a CPU with hardware virtualization support.

Required components:

  • Hypervisor for managing virtual machines:
    • VMware Workstation Pro (paid) or VMware Player (free)
    • Oracle VirtualBox
    • Microsoft Hyper-V
  • OS distributions for tested systems:
    • Windows Server 2016/2019, Windows 10/11
    • Ubuntu Server, CentOS, Debian
    • Specialized distributions for pentesting: Kali Linux, Parrot OS
  • Prebuilt vulnerable images and virtual appliances:
    • Metasploitable 2/3
    • OWASP Broken Web Applications (BWA)
    • Vulnhub machines
  • A virtual switch connecting the VMs into an isolated network. This is implemented in software, for example with the Virtual Network Editor in VMware Workstation or the equivalent feature in other hypervisors.

Setup recommendations:

  1. Disable internet access and host system access for VMs. In VMware Workstation, use the “Host-only” network adapter mode for this. In Hyper-V, create an isolated Private virtual switch without external network access.
  2. Segregate test machines into virtual networks according to security levels and required segmentation. For example, allocate separate segments for admin workstations, application servers, client machines.
  3. Set up static routing between virtual networks based on the logical topology and necessary interactions.
  4. Limit VM resources (CPU, RAM) according to real system specifications.
  5. Don’t connect shared folders or removable media to VMs.
  6. Create VM snapshots before conducting destructive tests. This way you can quickly roll back the system to its initial state.
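As an added example (not part of the original article), the following Python script checks a VirtualBox VM against recommendations 1, 5 and 6 above by parsing the `key="value"` lines that `VBoxManage showvminfo <vm> --machinereadable` prints: it flags adapters in NAT or bridged mode, any shared folder mapping, and the absence of a snapshot. The sample output embedded below is constructed, not captured from a real VM, and the `audit_live_vm` helper assumes `VBoxManage` is on `PATH`.

```python
import re
import subprocess

# Adapter modes that keep a VM off the internet. "intnet" is the strictest
# (no host reachability either); "hostonly" still lets the VM talk to the host.
ISOLATED_NIC_MODES = {"none", "null", "hostonly", "intnet"}

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output,
# shaped like the real key="value" lines but not captured from a real VM.
SAMPLE_VMINFO = """\
name="lab-target-01"
memory=4096
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="nat"
nic3="none"
SharedFolderNameMachineMapping1="drop"
SharedFolderPathMachineMapping1="/home/analyst/drop"
"""

LINE_RE = re.compile(r'^([^=]+)="?(.*?)"?$')

def parse_vminfo(text):
    """Turn machinereadable output into a dict, stripping the value quotes."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info

def audit_vm(info):
    """Return a list of isolation findings; an empty list means the VM is clean."""
    findings = []
    for key, val in info.items():
        if re.fullmatch(r"nic\d+", key) and val not in ISOLATED_NIC_MODES:
            findings.append(f"{key}: mode '{val}' can reach the host LAN or internet")
        if key.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"{key}: shared folder '{val}' exposes the host filesystem")
    # Snapshot keys are SnapshotName, SnapshotName-1, SnapshotName-1-1, ...
    if not any(k.startswith("SnapshotName") for k in info):
        findings.append("no snapshot: take one before running destructive tests")
    return findings

def audit_live_vm(name):
    """Audit a real VM; needs VBoxManage on PATH (not used by the offline sample)."""
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return audit_vm(parse_vminfo(out))
```

Running `audit_vm(parse_vminfo(SAMPLE_VMINFO))` reports the NAT adapter, the shared folder and the missing snapshot; a VM with only `intnet` adapters and a snapshot returns an empty list.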

Pros of virtual labs – low cost, ease of deployment, ability to quickly revert changes. Cons – limited performance, difficulty emulating specific hardware.

2. Cloud-based labs

If you don’t have suitable on-premises equipment, you can set up a test environment using public cloud services – Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP).

For this, you’ll need:

  • An account in the chosen cloud with permissions to create resources
  • A virtual private cloud (AWS VPC, Azure VNET, GCP VPC), or a dedicated isolated region
  • The necessary VMs, network components, data stores and containers inside that cloud network
  • Network access rules (security groups, access lists) configured according to the logical topology

Security recommendations:

  1. Use a separate account for the test lab not linked to production resources.
  2. Restrict access to the cloud management console (AWS IAM, Azure RBAC) – grant minimum necessary permissions.
  3. Disable internet access for lab machines. Use a bastion host or site-to-site VPN between the office and cloud for access.
  4. Encrypt data in cloud storage and in transit. Use customer-managed encryption keys (AWS KMS, Azure Key Vault) rather than provider-managed ones.
  5. Enable logging and monitoring of cloud activity. Watch for anomalies in resource usage, unauthorized access attempts.
  6. Automate test infrastructure deployment in the cloud using IaC tools (Terraform, AWS CloudFormation, Azure Resource Manager Templates). Describe configurations as code and store in version control.
  7. Don’t store real client data used for testing in the cloud. Only use synthetic datasets and anonymized dumps.
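As an added example (not part of the original article), the following Python function audits a lab account against recommendations 3 and 4 above: no default route through an internet or NAT gateway, no security-group ingress from 0.0.0.0/0 or ::/0, and every volume encrypted with one of the lab's own customer-managed keys. The dictionary shape follows the AWS EC2 `describe_route_tables`, `describe_security_groups` and `describe_volumes` responses so the data could come from boto3, but the inventory and key ARN below are constructed for the example.

```python
# Shape follows AWS EC2 describe_route_tables / describe_security_groups /
# describe_volumes; the data is constructed for the example, not from a real account.
LAB_INVENTORY = {
    "RouteTables": [{"RouteTableId": "rtb-lab", "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
    ]}],
    "SecurityGroups": [
        {"GroupId": "sg-bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-targets", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    ],
    "Volumes": [
        {"VolumeId": "vol-1", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/lab-cmk"},
        {"VolumeId": "vol-2", "Encrypted": False},
    ],
}
# Customer-managed KMS keys the lab is allowed to use (constructed ARN).
LAB_CMKS = {"arn:aws:kms:eu-west-1:111122223333:key/lab-cmk"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def audit_lab_vpc(inv, allowed_keys=LAB_CMKS):
    """Return (resource_id, finding) pairs; an empty list means all controls hold."""
    findings = []
    # Control 3: no internet access, so no default route via an internet/NAT gateway.
    for rt in inv.get("RouteTables", []):
        for route in rt.get("Routes", []):
            gw = route.get("GatewayId") or route.get("NatGatewayId") or ""
            if route.get("DestinationCidrBlock") in ANYWHERE and gw != "local":
                findings.append((rt["RouteTableId"], f"default route via {gw}"))
    # Control 3 again: lab groups should trust each other (UserIdGroupPairs) or the
    # bastion/VPN address range, never a CIDR that means the whole internet.
    for sg in inv.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(c in ANYWHERE for c in cidrs):
                port = perm.get("FromPort", "all")
                findings.append((sg["GroupId"], f"ingress from {cidrs} on port {port}"))
    # Control 4: every volume encrypted, and only with one of the lab's own keys.
    for vol in inv.get("Volumes", []):
        if not vol.get("Encrypted"):
            findings.append((vol["VolumeId"], "volume not encrypted"))
        elif vol.get("KmsKeyId") not in allowed_keys:
            findings.append((vol["VolumeId"], "encrypted with a key outside the lab CMKs"))
    return findings
```

On the constructed inventory the audit reports the internet gateway route, the world-open SSH rule on the bastion group and the unencrypted volume; the target group, which only trusts the bastion group, passes.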

Pros of cloud labs – scalability, accessibility from anywhere, similarity to real-world conditions. Cons – relatively high cost, management complexity, potential security risks.

3. On-premises labs with physical hardware

The most expensive, but maximally realistic option is to create a testing lab using physical hardware. Purchase or rent servers, storage, networking equipment, engineering infrastructure – and deploy target systems and services on them.

Required components:

  • Space for equipment (server room, datacenter)
  • x86 servers for deploying hypervisors and container platforms
  • Storage systems of the appropriate class – entry-level, midrange or high-end
  • Physical network switches, routers, firewalls
  • Uninterruptible power supplies (UPS), air conditioning systems

Organization recommendations:

  1. Build a dedicated physical network for the test environment. Ensure network isolation from corporate and guest segments.
  2. Allocate a separate subset of hosts and devices that won’t be connected to management and monitoring VLANs. Use them to practice persistence, lateral movement, collection techniques when legitimate admins are absent.
  3. Emulate real user traffic and behavior on some hosts. For this, you can use frameworks like VDBench, load testing systems like JMeter, Gatling.
  4. Where possible, use real versions and builds of OS, applications, hardware that your clients have. Request information about the target environment at the pre-engagement stage.
  5. Restrict physical access to the test lab server room. Keep an access log, use video surveillance, badge-based access control.

Pros of physical labs – complete infrastructure modeling, ability to connect specific devices (ICS, IoT), no dependence on shared compute capacity. Cons – high purchase and maintenance costs, need for physical space, inability to quickly revert changes.

Specialized distributions and platforms

To simplify initial test lab setup and get to practicing techniques faster, use ready-made distributions and platforms. Here are some of the most popular:

  • Kali Linux – Debian-based distribution optimized for penetration testing tasks, developed by Offensive Security. Contains preinstalled and preconfigured toolkits for different pentest stages.
  • Parrot OS – Debian-based distribution for penetration testing, vulnerability analysis, digital forensics and reverse engineering.
  • AttifyOS – distribution for IoT device security analysis. Comes with firmwares, toolchains, SDKs for various embedded platforms.
  • Metasploitable – intentionally vulnerable Linux VM. Includes common services with known vulnerabilities. Great for practicing exploitation techniques.
  • OWASP Broken Web Applications (BWA) – collection of purposefully insecure web apps (sites, blogs, e-commerce). Allows training in web service pentesting.
  • Vulnhub – open resource with a large collection of VMs for practicing ethical hacking techniques. Machines vary in difficulty, vendor, vulnerability types.
  • Hack The Box – online platform where you can test your pentest skills in a safe virtual environment. Includes vulnerable system VMs, CTF challenges, realistic scenarios.

Use these resources as a foundation for your testing lab. Supplement them with your own VMs and configurations maximally close to the target environment.

Tester’s toolkit

For a testing lab to work effectively, properly configured systems and networks aren’t enough. You also need specialized software to automate routine actions, gather and organize information, emulate malware behavior:

Security and vulnerability scanners

  • Nessus, OpenVAS – scanning hosts and network services
  • Burp Suite, OWASP ZAP – scanning web applications and APIs
  • Acunetix, ImmuniWeb – scanning websites
  • Qualys, MaxPatrol – comprehensive infrastructure scanning

Exploitation frameworks

  • Metasploit – environment for developing and executing exploits
  • Core Impact – commercial platform for penetration testing
  • CANVAS – framework for writing and running exploits
  • ExploitPack – tool for creating client-side and server-side exploits

Enumeration and post-exploitation tools

  • Impacket – collection of Python classes for working with network protocols
  • PowerSploit – set of PowerShell modules for post-exploitation on Windows hosts
  • BloodHound – utility for analyzing attack paths in Active Directory
  • BeEF – framework for testing via browser

Traffic analyzers

  • Wireshark – decoding network protocols, detecting anomalies
  • Tcpdump – capturing and analyzing network traffic
  • Fiddler – debugging proxy for intercepting HTTP/HTTPS
  • Netcat – Swiss Army Knife for working with network connections

Reverse engineering and malware analysis

  • IDA Pro – interactive disassembler and debugger
  • OllyDbg – assembler level debugger for Windows
  • radare2 – framework for reverse engineering and binary analysis
  • GDB – debugger for Unix systems

Compromise detection tools

  • Volatility – memory dump analysis
  • Autopsy – digital forensics and data recovery
  • OSSEC – log analysis, suspicious activity detection
  • GRR – rapid hunt for indicators of compromise across many hosts

Test management systems

  • Faraday – environment for pentest data management, report generation
  • Dradis – platform for aggregating and organizing test results
  • Lair – server for collaborating on penetration testing projects

Integrate your chosen toolkit into the lab: set up automated launches, centralized collection of results, and alerting on incidents.

Conclusions

An isolated testing lab is a must-have for a security analyst. It allows ethical hacking techniques to be researched safely, without damaging production. The choice of implementation (VMs, cloud or physical hardware) depends on available resources and the required level of realism. In every case it’s important to ensure network isolation, data security and access control. To accelerate deployment, use specialized distributions, intentionally vulnerable platforms and VM libraries. Equip the lab with tools for scanning, exploitation, traffic analysis and malware behavior analysis. Automating the infrastructure with IaC and storing configurations in a VCS will make it easier to keep the environment up to date.

Setting up a testing lab isn’t a one-time action but a continuous process. Research new techniques and tools, adapt the environment to the changing threat landscape, and add emulation of new platforms and devices. Build a lab that you and your team find interesting to work in. And remember – even in an isolated environment, be extremely careful and attentive. Treat the lab as a production system. Prevent leaks of configurations and test results. Follow information security rules.
