Building virtual penetration testing environment
Kauramäki, Aleksi (2017-05-16)
Building virtual penetration testing environment
Kauramäki, Aleksi
(16.05.2017)
Tätä artikkelia/julkaisua ei ole tallennettu UTUPubiin. Julkaisun tiedoissa voi kuitenkin olla linkki toisaalle tallennettuun artikkeliin / julkaisuun.
Turun yliopisto
Kuvaus
Siirretty Doriasta
Tiivistelmä
Penetration testing is a form of security auditing that attempts to measure both the target organizations skill in detecting security incidents, and their ability to respond to them. Penetration testing is also a much needed skill in today’s corporate world. As cyber threats become more dangerous, organizations need to find ways outside traditional attack prevention methods to increase the level of their information security. Penetration testing can be used to find weaknesses in organizations information security, and in this way help to allocate money into the right kind of security updates.
This thesis studies how to build a virtual penetration-testing environment that is to be used for educational purposes. The virtual environment and the challenges created in this thesis will be used as a basis for a university level course on information security and penetration testing. The challenges work as hands on exercises for students participating in the course. This will work as an introduction to the topic and prepare students with skills and understanding needed in work life.
In this thesis the topic of penetration testing is introduced first. Next a step by step explanation of necessary configuration tasks that were required for building the environment is presented. Capture the flag style challenges that simulate the work of a penetration tester are discussed, and one possible way to solve the designed challenges is presented. These challenges were designed purely for this thesis to educate students. Additionally, some technologies behind the challenges are also described, such as ARP spoofing in MITM attack. The challenges include password guessing, network scanning, Linux command line usage, file extension modification and cryptology.
In order to receive real feedback and to measure how well the environment and challenges work, a test of the environment was arranged with two students. There were some technical problems during the testing process, which resulted in negative feedback. However, the feedback was mostly good and the challenges were considered by the testers to be educational and interesting. Some changes to the challenges were also suggested by the testers.
The most important result of this thesis is the built environment, but also some improvements are suggested to further develop the environment. It was also learned that there are easier ways to build such an environment, but these ways are not customizable to meet specific needs. The challenges one, four and six were determined to be especially good for an environment targeted for students. Nevertheless, more content needs to be included and some technical problems need to be fixed before the environment can be used for teaching.
This thesis studies how to build a virtual penetration-testing environment that is to be used for educational purposes. The virtual environment and the challenges created in this thesis will be used as a basis for a university level course on information security and penetration testing. The challenges work as hands on exercises for students participating in the course. This will work as an introduction to the topic and prepare students with skills and understanding needed in work life.
In this thesis the topic of penetration testing is introduced first. Next a step by step explanation of necessary configuration tasks that were required for building the environment is presented. Capture the flag style challenges that simulate the work of a penetration tester are discussed, and one possible way to solve the designed challenges is presented. These challenges were designed purely for this thesis to educate students. Additionally, some technologies behind the challenges are also described, such as ARP spoofing in MITM attack. The challenges include password guessing, network scanning, Linux command line usage, file extension modification and cryptology.
In order to receive real feedback and to measure how well the environment and challenges work, a test of the environment was arranged with two students. There were some technical problems during the testing process, which resulted in negative feedback. However, the feedback was mostly good and the challenges were considered by the testers to be educational and interesting. Some changes to the challenges were also suggested by the testers.
The most important result of this thesis is the built environment, but also some improvements are suggested to further develop the environment. It was also learned that there are easier ways to build such an environment, but these ways are not customizable to meet specific needs. The challenges one, four and six were determined to be especially good for an environment targeted for students. Nevertheless, more content needs to be included and some technical problems need to be fixed before the environment can be used for teaching.