Lab0: Setup Pentesting Lab in GNS3

Overview

This document will guide you through the process of designing and implementing a pentesting laboratory using GNS3 as the primary tool.

Network Architecture

For the network design, we will consider a small organization that requires:

Subnets
  • A network for servers exposed to the internet
  • A public network where clients can connect to the internet via cable or Wi-Fi
  • A network for administrative personnel
  • A network for developers

As seen, we have 4 groups or subnets. Some additional conditions are:

Conditions
  • From the server network, there must be no connectivity to the other networks, only to the internet
  • The other networks may have connectivity to the servers
  • The public, administrative, and developer networks must not have connectivity between them, only to the internet, for security reasons
  • Use devices that allow future subnets to be added

Diagram

We create a simple diagram with the requirements for each network:

/pentesting/lab/lab0/images/diagram1.png
Figure 1: Draft of the 4 networks

Explanation:

  • The public network or for clients offers connectivity via cable Ethernet and Wi-Fi
  • The developer, administrative, and server networks will use the same type of topology and connectivity via cable Ethernet

Devices:

In all networks, we implement:

  • A router
  • A switch
  • In the case of the public network, a Wi-Fi access point
Wi-Fi Access Point
If we look at the diagram for the public network, the access point is connected to the switch and not to the router. This puts the Wi-Fi clients on the same segment as the wired users. It is also possible to configure a separate segment only for the Wi-Fi clients. If necessary, a Wi-Fi access point can be added to the other networks in the same way, connected directly to the switch.

Internetwork

The diagram of how the networks will connect:

/pentesting/lab/lab0/images/diagram2.png
Figure 2: Interconnection of networks

As we see in the diagram, from left to right, first we have a firewall, in this case Pfsense, which filters the traffic coming from the server network so that a compromise there cannot reach the internal networks. Remember that these servers are production servers with public IP addresses and could be, for example, a registration system. The firewall is connected to the server segment, and this area is known as the DMZ (demilitarized zone). Behind the firewall we have the internal network, which consists of:

  • R1, the main router that connects all the other networks
  • R2, the router of the public network
  • R3, the router of the administrative network
  • R4, the router of the developer network

IP Segmentation

Now that we have the network design, we can establish the addresses that each network will have. The private range for the internal network will be:

Segment          Network         Gateway       DHCP
172.16.20.0/24   public          172.16.20.1   yes
172.16.30.0/24   administrative  172.16.30.1   yes
172.16.40.0/24   developers      172.16.40.1   yes
Why use a /24 mask and a distance of 10 between each network?

For scalability:

  • The distance of 10 leaves room to add and/or segment more networks within each area. For example, if we wanted a network for administrators with high privileges, we could create 172.16.31.0/28, so it is clearly identifiable as part of the administrative area (third octet in the range 30-39).
  • The /24 mask is just for convenience in this laboratory; obviously, there won’t be 254 machines in each subnet.
Subnetting

A detailed explanation of addressing and subnetting can be found in Chapter 3 of the book:

Routers and Firewall

Only 2 IP addresses are needed on each router-to-router link, so /30 masks are used:

Segment         Device         IP           Device         IP                        DHCP
10.0.1.0/30     Pfsense        10.0.1.1     R1             10.0.1.2                  no
10.0.2.0/30     R1             10.0.2.1     R2             10.0.2.2                  no
10.0.3.0/30     R1             10.0.3.1     R3             10.0.3.2                  no
10.0.4.0/30     R1             10.0.4.1     R4             10.0.4.2                  no
10.10.10.0/29   Pfsense (DMZ)  10.10.10.1   servers (DMZ)  10.10.10.2 - 10.10.10.6   no

The DMZ will only have a switch connected directly to Pfsense. There is no need for a router for now. The /29 mask gives 6 usable addresses (10.10.10.1 - 10.10.10.6); since Pfsense takes 10.10.10.1 as the gateway, there is room for a maximum of 5 servers.
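Before building the topology it is worth checking the addressing plan mechanically. The following script is an added example (not part of the original lab) that encodes the IP Segmentation and Routers and Firewall tables above with Python's standard ipaddress module and verifies that no segments overlap, that every gateway is a usable address of its own segment, what lease range each DHCP pool has once the gateway is excluded, and how many servers really fit in the /29 DMZ. The segment names (public, admin, dmz, R1-R2, ...) are labels chosen here, not names from the page; it also goes one step beyond the text and shows that the "30-39" administrative range is not a single prefix.

```python
"""Consistency checks for the lab addressing plan, using only the standard library.

Added example, not part of the original lab. It encodes the IP Segmentation and
Routers and Firewall tables from this page and checks what you would want to know
before cabling the topology in GNS3.
"""
import ipaddress
from itertools import combinations

# Segments exactly as in the two tables on this page (names are our own labels).
PLAN = {
    "public":      {"net": "172.16.20.0/24", "gw": "172.16.20.1", "dhcp": True},
    "admin":       {"net": "172.16.30.0/24", "gw": "172.16.30.1", "dhcp": True},
    "developers":  {"net": "172.16.40.0/24", "gw": "172.16.40.1", "dhcp": True},
    "pfsense-R1":  {"net": "10.0.1.0/30",    "gw": "10.0.1.1",    "dhcp": False},
    "R1-R2":       {"net": "10.0.2.0/30",    "gw": "10.0.2.1",    "dhcp": False},
    "R1-R3":       {"net": "10.0.3.0/30",    "gw": "10.0.3.1",    "dhcp": False},
    "R1-R4":       {"net": "10.0.4.0/30",    "gw": "10.0.4.1",    "dhcp": False},
    "dmz":         {"net": "10.10.10.0/29",  "gw": "10.10.10.1",  "dhcp": False},
}


def overlapping_segments(plan=PLAN) -> list:
    """Pairs of segment names whose networks overlap; an empty list means the plan is clean."""
    nets = {name: ipaddress.ip_network(s["net"]) for name, s in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def misplaced_gateways(plan=PLAN) -> list:
    """Segments whose gateway is outside the segment or is its network/broadcast address."""
    bad = []
    for name, s in plan.items():
        net = ipaddress.ip_network(s["net"])
        gw = ipaddress.ip_address(s["gw"])
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            bad.append(name)
    return bad


def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a prefix (network and broadcast removed): 2 for a /30, 6 for a /29."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def server_capacity(plan=PLAN, segment="dmz") -> int:
    """How many servers fit in the DMZ once Pfsense has taken the gateway address."""
    return usable_hosts(plan[segment]["net"]) - 1


def dhcp_lease_ranges(plan=PLAN) -> dict:
    """(first, last) lease per DHCP-enabled segment with the gateway excluded,
    which is the effect of `ip dhcp excluded-address <gateway>` on R1."""
    ranges = {}
    for name, s in plan.items():
        if not s["dhcp"]:
            continue
        net = ipaddress.ip_network(s["net"])
        leases = [h for h in net.hosts() if str(h) != s["gw"]]
        ranges[name] = (str(leases[0]), str(leases[-1]))
    return ranges


def summarize_third_octet_range(first: int, last: int) -> list:
    """Smallest set of prefixes covering 172.16.<first>.0 - 172.16.<last>.255.

    The page reserves third octets 30-39 for the administrative area; this shows that
    such a decimal range is not a single prefix, so one summary route or one ACL line
    cannot cover it."""
    lo = ipaddress.ip_address(f"172.16.{first}.0")
    hi = ipaddress.ip_address(f"172.16.{last}.255")
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    print("overlaps:", overlapping_segments())
    print("bad gateways:", misplaced_gateways())
    print("DMZ servers:", server_capacity())
    print("DHCP ranges:", dhcp_lease_ranges())
    print("admin area 30-39 as prefixes:", summarize_third_octet_range(30, 39))
```

Running it reports no overlaps and no misplaced gateways, 5 servers for the DMZ, lease ranges of .2 to .254 for the three LANs, and two prefixes (172.16.30.0/23 and 172.16.32.0/21) for the administrative range, which matters later when writing summary routes or ACL entries per area.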

Implementing NAT

Why use NAT? Is it really necessary? Yes: looking at Figure 2, and especially at R1, we can use this router to:

  • Control which networks can reach the internet (only sources matched by the NAT access list are translated)
  • Act as the DHCP server for all networks

This is convenient, as we have a single point from which to control the connectivity of the networks. Now, what type of NAT do we use? Between Pfsense and R1 there is a single /30 link with only 2 addresses, so R1 has exactly one address (10.0.1.2) to present to Pfsense. The NAT type to use is therefore overloading (PAT), a many-to-one mapping:

This means that all internal networks reach the outside only through the address of R1 (10.0.1.2), and Pfsense only ever sees that single address. Two things to keep in mind: the access list only decides which source addresses get translated, it is not a firewall rule; and R1 still routes freely between the public, administrative and developer networks, so the condition that they have no connectivity between them is not enforced by this configuration alone.

More about NAT

A more detailed explanation and examples can be found in Chapter 11 of the book:

Final Diagram

The final design with everything mentioned is:

/pentesting/lab/lab0/images/diagram3.png
Figure 3: Final design

GNS3

GNS3 Installation/Configuration

This guide assumes that the reader already has GNS3 installed and configured on their device. A very detailed guide can be found in the book:

GNS3 Appliances
Different Appliances will be used throughout these guides. It is recommended to read the description of these carefully, as most cases contain details about their installation/configuration or special options.

The devices used and available for download from the GNS3 Marketplace are:

ISP

As with VirtualBox, we need to choose an interface that provides connectivity to the internet. This is similar to the “bridge mode” section, but in GNS3 all external devices are represented by a cloud, which is configured under “Edit > Preferences > Cloud nodes”:

  • Click on New
  • Select “Run the cloud node on your local computer” and then Next
  • In “Name”, type WAN or ISP, and then click Finish
  • Select the created cloud and then click Edit
  • In “Ethernet interfaces”, select the physical network card through which we will obtain connectivity to the internet, and click Add
  • Finally, click OK, Apply, and OK
External Devices
In the third part of this guide, a real OpenWrt router will be used as the access point for the public network, and it will be connected to GNS3 by this method.

In the “End devices” section, we can already see our cloud, and we just need to drag it to the central panel of GNS3.

Pfsense and DMZ Configuration

Pfsense must be installed before it can be used. A video of the Pfsense installation can be found on the REeset2099 channel.

And the configuration of the DMZ network and LAN:

Router Configuration

R1

We drag the CISCO router onto the GNS3 panel and, by right-clicking it and going to “Configure > Slots”, we add four GigabitEthernet interfaces as seen in the following image:

/pentesting/lab/lab0/images/R1Conf.png
Figure 4: R1 Configuration

Table for R1 addressing:

Device1   Interface            IP         Device2   Interface            IP
R1        GigabitEthernet1/0   10.0.1.2   Pfsense   em2                  10.0.1.1
R1        GigabitEthernet2/0   10.0.2.1   R2        GigabitEthernet1/0   10.0.2.2
R1        GigabitEthernet3/0   10.0.3.1   R3        GigabitEthernet1/0   10.0.3.2
R1        GigabitEthernet4/0   10.0.4.1   R4        GigabitEthernet1/0   10.0.4.2

Table of services for R1:

Device   Service   Interface            Segment
R1       DHCP      GigabitEthernet2/0   172.16.20.0/24
R1       DHCP      GigabitEthernet3/0   172.16.30.0/24
R1       DHCP      GigabitEthernet4/0   172.16.40.0/24
R1       NAT       GigabitEthernet2/0   172.16.20.0/24
R1       NAT       GigabitEthernet3/0   172.16.30.0/24
R1       NAT       GigabitEthernet4/0   172.16.40.0/24

Addressing R1

Now that we have everything defined, we configure the interfaces on the router by right-clicking it and opening the console. First we enter privileged mode and then global configuration mode:

R1>enable
R1#configure terminal
CISCO Commands

An introduction to using CISCO commands and their modes can be found in the book:

The following commands are entered for each interface, changing only the IP address and the interface name:

R1(config)#interface GigabitEthernet 1/0
R1(config-if)#ip address 10.0.1.2 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface GigabitEthernet 2/0
R1(config-if)#ip address 10.0.2.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface GigabitEthernet 3/0
R1(config-if)#ip address 10.0.3.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface GigabitEthernet 4/0
R1(config-if)#ip address 10.0.4.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

The result should be:

R1(config)#do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
GigabitEthernet1/0         10.0.1.2        YES manual up                    up
GigabitEthernet2/0         10.0.2.1        YES manual up                    up
GigabitEthernet3/0         10.0.3.1        YES manual up                    up
GigabitEthernet4/0         10.0.4.1        YES manual up                    up

DHCP on R1

Following the segmentation table, we first exclude the gateway address of each network so that it is never handed out by DHCP:

R1(config)#ip dhcp excluded-address 172.16.20.1
R1(config)#ip dhcp excluded-address 172.16.30.1
R1(config)#ip dhcp excluded-address 172.16.40.1

Then we configure the pools for each network:

R1(config)#ip dhcp pool publicNet
R1(dhcp-config)#network 172.16.20.0 255.255.255.0
R1(dhcp-config)#default-router 172.16.20.1
R1(dhcp-config)#dns-server 1.1.1.1
R1(dhcp-config)#exit
R1(config)#ip dhcp pool adminNet
R1(dhcp-config)#network 172.16.30.0 255.255.255.0
R1(dhcp-config)#default-router 172.16.30.1
R1(dhcp-config)#dns-server 1.1.1.1
R1(dhcp-config)#exit
R1(config)#ip dhcp pool devNet
R1(dhcp-config)#network 172.16.40.0 255.255.255.0
R1(dhcp-config)#default-router 172.16.40.1
R1(dhcp-config)#dns-server 1.1.1.1
R1(dhcp-config)#exit
R1(config)#

NAT on R1

First, we create the NAT pool containing the single global address that will be used, R1’s own address on the link to Pfsense:

R1(config)#ip nat pool globalNet 10.0.1.2 10.0.1.2 netmask 255.255.255.252

Then we create the translation rule: only sources matched by access list 1 are translated to the globalNet pool, and the overload keyword enables PAT so that many inside hosts share that one address:

R1(config)#ip nat inside source list 1 pool globalNet overload

Now we add the networks to access list 1 (a standard ACL; note that the second field is a wildcard mask, not a subnet mask):

R1(config)#access-list 1 permit 172.16.20.0 0.0.0.255
R1(config)#access-list 1 permit 172.16.30.0 0.0.0.255
R1(config)#access-list 1 permit 172.16.40.0 0.0.0.255

To verify the access lists:

R1(config)#do show access-list
Standard IP access list 1
 10 permit 172.16.20.0, wildcard bits 0.0.0.255
 20 permit 172.16.30.0, wildcard bits 0.0.0.255
 30 permit 172.16.40.0, wildcard bits 0.0.0.255

As we see, all LAN networks are in ACL 1. Finally, we mark the interfaces as outside (towards Pfsense) and inside (towards the LANs):

R1(config)#interface GigabitEthernet 1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#interface GigabitEthernet 2/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface GigabitEthernet 3/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface GigabitEthernet 4/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#
Save Configuration

All the configuration above must be saved to the startup configuration (NVRAM), otherwise it is lost when the device restarts. The command is:

R1(config)#do write memory

Routes on R1

Static routes to each LAN network via the router in front of it:

R1(config)#ip route 172.16.20.0 255.255.255.0 10.0.2.2
R1(config)#ip route 172.16.30.0 255.255.255.0 10.0.3.2
R1(config)#ip route 172.16.40.0 255.255.255.0 10.0.4.2

Default route (gateway of last resort) for R1, pointing at Pfsense:

R1(config)#ip route 0.0.0.0 0.0.0.0 10.0.1.1

To see the routes:

R1(config)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 3 subnets
S       172.16.40.0 [1/0] via 10.0.4.2
S       172.16.30.0 [1/0] via 10.0.3.2
S       172.16.20.0 [1/0] via 10.0.2.2
     10.0.0.0/30 is subnetted, 4 subnets
C       10.0.2.0 is directly connected, GigabitEthernet2/0
C       10.0.3.0 is directly connected, GigabitEthernet3/0
C       10.0.1.0 is directly connected, GigabitEthernet1/0
C       10.0.4.0 is directly connected, GigabitEthernet4/0
S*   0.0.0.0/0 [1/0] via 10.0.1.1
R1(config)#

Up to this point, if Pfsense is already connected and configured, we should have connectivity from R1 to the outside:

R1(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/84 ms
R1(config)#

The most complex part of the configuration is done.

Routing in CISCO

More information about routing in CISCO can be found in Chapter 5 of the book:

Routers R2, R3, and R4

Similar to R1, each router needs one GigabitEthernet interface added in its configuration options; the onboard FastEthernet0/0 will be the LAN-side interface:

/pentesting/lab/lab0/images/R2Conf.png
Figure 5: R2 Configuration

Table of addresses for routers R2, R3, and R4:

Device   Interface 1          IP         Interface 2       IP
R2       GigabitEthernet1/0   10.0.2.2   FastEthernet0/0   172.16.20.1
R3       GigabitEthernet1/0   10.0.3.2   FastEthernet0/0   172.16.30.1
R4       GigabitEthernet1/0   10.0.4.2   FastEthernet0/0   172.16.40.1

Only the commands for R2 will be shown, as the commands for R3 and R4 are similar, just changing the corresponding IP address:

R2>enable
R2#configure terminal
R2(config)#interface GigabitEthernet 1/0
R2(config-if)#ip address 10.0.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip address 172.16.20.1 255.255.255.0
R2(config-if)#ip helper-address 10.0.2.1
R2(config-if)#no shutdown
R2(config-if)#exit

The line “ip helper-address 10.0.2.1” does not give this interface an address via DHCP; it makes R2 relay the DHCP broadcasts from hosts on the 172.16.20.0/24 segment to the DHCP server on R1 (10.0.2.1), so those hosts receive their leases from R1’s publicNet pool. The interface itself keeps its static address 172.16.20.1, which is the gateway handed out by that pool.

Then we add the routes, both via R1’s address on the link (10.0.2.1):

R2(config)#ip route 10.0.1.0 255.255.255.252 10.0.2.1
R2(config)#ip route 0.0.0.0 0.0.0.0 10.0.2.1

If we try to ping an external IP address from R2 itself, we won’t get a response: the source address 10.0.2.2 is not matched by access list 1 on R1, so the packet is forwarded to Pfsense untranslated and no reply comes back. Hosts on 172.16.20.0/24 are matched by the list and will work:

R2(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
....
Success rate is 0 percent (0/4)
R2(config)#
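To make the behaviour of R1 concrete, the following Python model is an added example (not part of the original lab) of R1’s forwarding path as configured on this page: a longest-prefix lookup over its static routes, then the NAT overload decision driven by access list 1. It reproduces the failed ping from R2 just shown (10.0.2.2 is not in the list, so it leaves untranslated), the successful case for a host in 172.16.20.0/24 (translated to 10.0.1.2 with a unique port), and it also shows that traffic between two LANs never touches NAT and is simply routed. The port allocation starting at 1024 and the ACL match order are simplifications assumed here, not IOS internals described by the page.

```python
"""Forwarding model of R1: static-route lookup, then NAT overload (PAT).

Added example, not part of the original lab. It encodes the R1 configuration
shown on this page (static routes, access-list 1 and
`ip nat inside source list 1 pool globalNet overload`).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import NamedTuple

# R1's routing table exactly as configured on the page. Connected /30s map to
# an interface name, static routes to a next-hop address.
R1_ROUTES = {
    "172.16.20.0/24": "10.0.2.2",
    "172.16.30.0/24": "10.0.3.2",
    "172.16.40.0/24": "10.0.4.2",
    "10.0.1.0/30": "GigabitEthernet1/0",
    "10.0.2.0/30": "GigabitEthernet2/0",
    "10.0.3.0/30": "GigabitEthernet3/0",
    "10.0.4.0/30": "GigabitEthernet4/0",
    "0.0.0.0/0": "10.0.1.1",
}

# access-list 1 as on the page: (address, wildcard) pairs, evaluated in order.
ACL_1 = [
    ("172.16.20.0", "0.0.0.255"),
    ("172.16.30.0", "0.0.0.255"),
    ("172.16.40.0", "0.0.0.255"),
]

NAT_OUTSIDE_IP = "10.0.1.2"      # the single address in pool globalNet
PFSENSE_NEXT_HOP = "10.0.1.1"    # default route; packets to it leave via the 'ip nat outside' interface


def lookup_route(dst_ip: str) -> tuple:
    """Longest-prefix match over R1_ROUTES; returns (prefix, next hop or interface)."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for prefix, hop in R1_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return str(best_net), best_hop


def acl_permits(src_ip: str, acl=ACL_1) -> bool:
    """Standard ACL match: a wildcard bit of 1 means 'do not care'. Implicit deny at the end."""
    s = int(ipaddress.ip_address(src_ip))
    for address, wildcard in acl:
        a = int(ipaddress.ip_address(address))
        w = int(ipaddress.ip_address(wildcard))
        if (s & ~w) == (a & ~w):
            return True
    return False


class Decision(NamedTuple):
    prefix: str        # matched route
    next_hop: str      # where R1 sends the packet
    src: tuple         # (source address, source port) as the packet leaves R1
    translated: bool   # True if PAT rewrote the source


@dataclass
class PatTable:
    """Overload (PAT) state: each inside (ip, port) gets its own port on the one outside IP.
    Starting the outside ports at 1024 is an assumption of this model."""
    outside_ip: str = NAT_OUTSIDE_IP
    next_port: int = 1024
    entries: dict = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int) -> tuple:
        key = (src_ip, src_port)
        if key not in self.entries:          # new flow: allocate the next free outside port
            self.entries[key] = self.next_port
            self.next_port += 1
        return (self.outside_ip, self.entries[key])


def forward(src_ip: str, src_port: int, dst_ip: str, pat: PatTable) -> Decision:
    """What R1 does with a packet that arrived on an 'ip nat inside' interface.
    src_port stands for the L4 port (or the ICMP identifier for pings)."""
    prefix, next_hop = lookup_route(dst_ip)
    if next_hop != PFSENSE_NEXT_HOP:
        # Stays inside (LAN to LAN, or to a /30 link): it never crosses the outside
        # interface, so 'ip nat inside source' does not apply and the packet is forwarded unchanged.
        return Decision(prefix, next_hop, (src_ip, src_port), False)
    if not acl_permits(src_ip):
        # Leaves via the outside interface but the source is not in list 1:
        # forwarded untranslated with its 10.0.x.x source, which is the failed ping from R2.
        return Decision(prefix, next_hop, (src_ip, src_port), False)
    return Decision(prefix, next_hop, pat.translate(src_ip, src_port), True)


if __name__ == "__main__":
    pat = PatTable()
    print(forward("172.16.20.10", 40000, "1.1.1.1", pat))   # translated to 10.0.1.2:1024
    print(forward("10.0.2.2", 1, "1.1.1.1", pat))           # not translated (ACL miss)
    print(forward("172.16.20.10", 1, "172.16.30.5", pat))   # routed LAN-to-LAN, NAT not involved
```

The third case is the one to keep in mind for the security requirements: a public-network host reaching 172.16.30.5 is routed by R1 via 10.0.3.2 without any check, because nothing in the NAT configuration restricts traffic that does not leave through the outside interface.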

Hosts

Now that we have everything configured, we must add the Cisco IOSvL2 switch to the public network. This switch does not require configuration for now. We connect one interface of the switch to the FastEthernet0/0 interface of R2 and leave the rest for the hosts.

At this point, we should connect a machine to verify connectivity, as seen in this video:

Connectivity Test

Up to this point, we should already be able to reach the IP address of the R1 router 10.0.1.2 from R2:

R2(config)#do ping 10.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/15/24 ms

And from R1 to the IP address 172.16.20.1 (R2):

R1#ping 172.16.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/15/28 ms

Final Diagram in GNS3

After applying all the configuration, the final diagram in GNS3 is:

/pentesting/lab/lab0/images/lab0Final.png
Figure 6: Final diagram

Weak Points/Failures

Although the diagram above is functional, the weak points are:

In the following posts, these points will be addressed.