Formulation of the problem
Some time ago I decided to refresh my knowledge of pentesting.
I made a plan that included both a theoretical aspect and a practical one: applying the knowledge gained in practice and consolidating it. Everything was clear with the theoretical part: books, courses, etc.; there is a mass of materials and resources on the Internet, more than enough to read.
The practical part was to take the form of a pentest lab, with blackjack and indecency, built from several machines with different vulnerabilities.
The practice turned out to be more difficult because of limitations that I personally have: I cannot set up a test bench at home or at work.
Thinking the problem over from different angles once more, I turned my gaze to the sky of Austerlitz, to the clouds ... I had used the Microsoft Azure cloud before.
A quick search on Google gave a good catch: Google Cloud, Microsoft Azure, AWS Amazon, Oracle Ravellosystems.
These services let you use their resources conditionally free of charge, and Amazon and Microsoft even let you bring up a Kali Linux machine from a prepared image.
The first approach to the projectile
Since I had not used any of these services to build a virtual lab before, I went down the list:
Candidate #1: Google. The offer of $300 for free looked tempting, but it ended badly at the registration stage: they work only with legal entities. I did not qualify.

Candidate #2: Microsoft Azure. Also $300 to try the service, but not for me: these credits had already been spent on other projects, so I had to pay for a virtual machine with my own money.

In addition, like Amazon, Microsoft provides 750 hours of work every month for a year from the date of registration.
There is an image of the Kali Linux machine.
Candidate #3: Amazon AWS. Gives 750 hours of work every month for a year for free, but with heavily trimmed machines; there is an image of the Kali Linux machine.

Candidate #4: Oracle. $300 for 1 month, plus the ability to upload your own image.

Crocodile is longer than wide
Microsoft Azure
Since Google didn't work out right away, we go straight to candidate #2, Microsoft.
Registration: The account already existed, so no additional registration was required.
Interface: The control panel is quite visual and informative, although in my opinion it is somewhat overloaded with the details that let you configure what you need.
[Screenshot: MS Azure interface]
Create a virtual machine: The virtual machine came up quickly and effortlessly.
Here is a link to the manual.
Cost control: The various information sections clearly show where and how the money was spent.
AWS Amazon
Registration: Registration is not difficult; you will additionally need to verify your bank card and telephone.
Interface: The interface is simpler than in MS Azure; all the necessary settings are available.
[Screenshot: AWS Amazon]
Create a virtual machine: The virtual machine came up quickly from a standard distribution. A virtual machine can also be run from your own distribution.
It is worth noting that to access a virtual machine you need to create a key pair; the administrator password is obtained on the basis of the private key.
Cost control: I will say this: nothing special.
Oracle Ravellosystems
Registration: Similar to the previous candidates.
Interface: Much attention is paid to the visual component, and the necessary settings are there, although it is not always obvious where an item is located and how it works.
[Screenshot: Oracle Ravello interface]
Create a virtual machine: You can use a preconfigured image or upload your own distribution.
The virtual machine came up quickly from my own distribution.
Instructions for deploying a virtual machine.
Cost control: The most important thing is clear - how much and for what should money
Special features: Good visual component. All data centers are located in the USA, so communication is not instantaneous.
I have to tell you
The final choice fell on Oracle. I uploaded and installed the Kali Linux image in the Oracle cloud. Since I also needed RDP in Kali, I used the commands from the configuration instructions.
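Configuring RDP on Kali Linux
OS: Kali Linux 2016.2
AMI: Updated 19 Oct 2016
Bash:
```bash
# Refresh the package index and upgrade the installed packages
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y
# Install the xrdp server, the LXDE desktop and the TigerVNC server
sudo apt-get install xrdp lxde-core lxde tigervnc-standalone-server -y
sudo update-alternatives
```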
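A check worth running after the xrdp and TigerVNC install above, added here as an example and not taken from the original post or the instructions it refers to: it reads `ss -tln` output and lists remote-desktop listeners bound to a non-loopback address. The function name, the sample lines and the port numbers (xrdp's default 3389, VNC displays on 5900-5999) are assumptions; the page states none of them.

```shell
#!/bin/sh
# Added example: flag remote-desktop listeners bound to non-loopback addresses.
# Assumed default ports (not stated on the page): xrdp 3389, VNC 5900-5999.

# Reads `ss -tln` output on stdin (with -t only, column 4 is the local
# address) and prints every watched listener that is not bound to a
# loopback address, one "address:port" per line.
exposed_rdp_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        if (!match(local_addr, /:[0-9]+$/)) next   # port follows the last colon
        port = substr(local_addr, RSTART + 1) + 0
        addr = substr(local_addr, 1, RSTART - 1)
        watched  = (port == 3389 || (port >= 5900 && port <= 5999))
        loopback = (addr ~ /^127\./ || addr == "[::1]" || addr == "::1")
        if (watched && !loopback) print addr ":" port
    }'
}

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      2      *:3389             *:*
LISTEN 0      2      127.0.0.1:3350     0.0.0.0:*
LISTEN 0      5      127.0.0.1:5910     0.0.0.0:*
LISTEN 0      5      [::]:5901          [::]:*'

printf '%s\n' "$SAMPLE" | exposed_rdp_listeners
```

On the lab VM, run `ss -tln | exposed_rdp_listeners`; any line printed is reachable from outside unless the cloud firewall blocks it, so restrict that port to your own address or reach it over an SSH tunnel.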
Summary table
| Service | Terms of payment | Interface | Other |
|---|---|---|---|
| MS Azure | $300 when registering for the first time | Quite difficult | None |
| AWS Amazon | 750 working hours monthly for a year | Relatively simple | None |
| Oracle | $300 per month at registration | Plain / visual | Data centers in the USA |
Conclusion
In conclusion, the following should be noted. If you just need a virtual machine for pentesting, the difference between the services is not great; I personally liked MS Azure.
If you need to create a lab of several virtual machines from your own images, then you should pay attention to Oracle with its bring-your-own-image service, but MS Azure and Amazon AWS have similar capabilities for loading images.
There are already prepared images of vulnerable systems for training, for example, Metasploitable.
There is a good book: “Professional Penetration Testing: Creating and Learning in a Hacking Lab” by Thomas Wilhelm.
Please note that some companies that provide machine images for pentesters require permission for such activities. Here is Amazon's AWS policy as an example.
In addition, there are paid pentest laboratories for both companies and individuals.
PS In the process of searching for material for the article I found a good comparison of cloud services. The publication dates from July 2016, but in any case it may be useful to read.