How to Build a Computer Security Lab in VMWare Workstation Pro
When working with malware or other offensive cyber tools, it’s very important to ensure that malware and other exploits don’t escape to your computer, network, or worse yet, onto the Internet. VMWare Workstation Pro has been my go-to desktop virtualization platform for many years. It’s a mature, stable and flexible platform that you can rely on for whatever testing you need to do. When I used a Mac, I used VMWare Fusion, which is essentially the same software and should support the configurations discussed in this article. There are, of course, other desktop virtualization platforms such as VirtualBox. VirtualBox is the closest competitor in my opinion and it’s free! Perhaps I’ll do another article on VirtualBox, but today we’re going to stick with VMWare Workstation Pro. I’m currently running VMWare Workstation Pro v15.5.
Before we build any machines in our lab environment, we need to build our networks. VMWare Workstation Pro makes this very easy. From the “Edit” menu, select the “Virtual Network Editor” as shown in figure 1 below.
My workstation configuration has 5 virtual networks as shown in figure 2 below. You’ll need to decide how you want to use your network and how many networks that will require. A key consideration is which machines you’ll use for each type of project. At the end of a project, I will at the very least roll back to a clean install for each machine. Many times I completely rebuild and update them with new tools, etc. Limiting the scope of each project / network reduces the amount of setup and teardown required.
I have a “Malware Lab” network as shown in figure 2 below, which I use for … malware analysis! My main toolset on this network is a REMnux machine. REMnux is a custom Ubuntu Linux image specifically built for malware analysis. It comes pre-installed with most of the tools that you’ll need. I also have a Windows 10 workstation, a Linux workstation and servers built as required. The two settings that you always want to keep track of are the connection type and whether there is a virtual network adapter on your physical machine. The malware lab is configured as “host-only” and the “Connect a host virtual adapter to this network” checkbox should NOT be checked. This configuration isolates the lab network from your physical machine while still allowing the machines to talk to each other. It’s worth mentioning that vulnerabilities in your virtualization software could potentially allow for malware to escape the virtual machine and infect your system and network. You can implement the same configurations on a stand-alone physical host if you are really paranoid.
The “Forensics Lab” in figure 3 below is configured exactly the same as the “Malware Lab”. Again, this is just a logical grouping of project-related machines. My primary machine on this network is a SANS Investigative Forensics Toolkit (SIFT) workstation. VMWare Workstation will let you clone a machine that you compromised on one of the other networks and bring it into the “Forensics Lab” for investigation.
The “Purple Lab” shown in figure 4 is also configured like the “Malware Lab”. This environment allows me to test offensive and defensive tactics at the same time (purple team). Kali Linux is still the leading distribution for penetration testing, but you may also want to look at Parrot OS and others for this environment. There’s nothing stopping you from running more than one! Obviously, you’ll also need some Windows and Linux systems to target. If you can build a Domain Controller and other enterprise services, that’s even better.
I also have an “Internet” network as shown in figure 5 below. This is all the general purpose stuff that should have free access to the network. I use this network for development and testing security tools like Nessus, Splunk, etc. This network uses Network Address Translation (NAT) to share an IP with my physical machine and you do want to check the box “connect a host virtual adapter”. For systems that need access to the LAN, but not the Internet, I can always restrict access at the firewall.
Finally, we have a host-only network as shown in figure 6 below. This is really a general purpose network. I can share files with these systems and experiment, but I don’t do anything risky here. This network uses the “host-only” connection and we do want to check the box to “connect a host virtual adapter”.
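One way to confirm that a lab VM is attached only to the isolated networks described above is to audit the adapter entries in its .vmx file. This is an added example, not part of the original article; the VMnet numbers and the sample .vmx contents are assumptions and are constructed for illustration.

```python
import re

# Assumption: VMnet numbers of the isolated lab networks. The article does not
# give them; use the ones shown in your own Virtual Network Editor.
ISOLATED_VNETS = {"vmnet2", "vmnet3", "vmnet4"}

# Constructed sample: a lab VM that gained a second, NAT-connected adapter.
SAMPLE_VMX = '''
displayName = "remnux"
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet2"
ethernet1.present = "TRUE"
ethernet1.connectionType = "nat"
'''

_NIC_LINE = re.compile(r'^\s*(ethernet\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.I)

def parse_nics(vmx_text):
    """Return {adapter: {key: value}} for every ethernetN.* line."""
    nics = {}
    for line in vmx_text.splitlines():
        m = _NIC_LINE.match(line)
        if m:
            nic, key, value = m.groups()
            nics.setdefault(nic.lower(), {})[key.lower()] = value
    return nics

def audit_vmx(vmx_text, isolated=ISOLATED_VNETS):
    """List adapters that are not pinned to an isolated lab network."""
    findings = []
    for nic, cfg in sorted(parse_nics(vmx_text).items()):
        if cfg.get("present", "FALSE").upper() != "TRUE":
            continue  # adapter is not enabled for this VM
        # A missing connectionType is treated here as bridged (conservative).
        ctype = cfg.get("connectiontype", "bridged").lower()
        # Accept both "VMnet2" and a device-path form such as "/dev/vmnet2".
        vnet = cfg.get("vnet", "").rsplit("/", 1)[-1].lower()
        if ctype != "custom":
            findings.append(f"{nic}: {ctype} connection, not a lab network")
        elif vnet not in isolated:
            findings.append(f"{nic}: on {vnet or 'unnamed network'}, not isolated")
    return findings

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```

This checks only the VM side of the configuration. Whether a host virtual adapter is connected to a lab network is set in the Virtual Network Editor and still has to be verified there.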
VMWare Workstation Pro provides you with a great deal of flexibility to build new environments and learn safely. I’d say this is step one before you start playing with tools like Kali and the like. The settings can be a little confusing at first, so I hope this helped and possibly gave you some ideas about how to configure your own virtual networks. Until next time, happy hacking!
If you enjoyed this article and want to see more, please let me know in the comments. You can also find me on LinkedIn at https://www.linkedin.com/in/adammunger/.