Opening a Can of Active Defense and Cyber Deception to Confuse and Frustrate Attackers



As Cybersecurity/Infosec Professionals we know that all you have to do is wait 30 seconds and someone else has been breached and two new vulnerabilities have been discovered (hypothetically of course). There are few jobs on Earth that see the constantly evolving challenges that we get the privilege to deal with. This constant state of flux and learning has been what has kept me interested in this field as there are no shortages of challenges to counter. With an ever-growing list of Nation State attackers, organized criminals, hacktivist groups, and every other threat out there, no organization is safe. When you look across all industries in the private sector as well as government organizations at all levels, we are all getting attacked constantly.



Active Defense: Any defensive activity that is not simply installing a product or waiting for an IDS/firewall alert

- Proactive and anticipatory (hunt teaming, software restriction polices, and Internet whitelisting)

Cyber Deception: The deliberate and calculated process of deceiving attackers in an effort to wage a better defense (“Honey” things placed in your network which wouldn’t normally be accessed)

“All warfare is based on deception. There is no place where espionage is not used. 
Offer the enemy bait to lure him.” ~Sun Tzu”



  • The tactics covered here are meant to augment existing defensive techniques and technologies; not replace them
  • Before employing these tactics, you must make sure you have the ability to ingest and analyze the additional alerts that could arise
  • Make sure you vet all tactics with your legal team, human resources, and upper management first


Reducing Blind Spots in your Network

Many organizations today have solid defensive capabilities and monitoring at their network boundary, but once an attacker is within the network their activities and movements they often go unnoticed. One of the goals of implementing Active Defense and Cyber Deception is to reduce blind spots within the network by essentially setting up virtual trip-wires within the network. More specifically, it involves strategically deploying honeypots, honeyports, and honeyobjects. These “honey” things serve no legitimate purpose, so anytime they are interacted with it needs to be investigated. The tools and tactics that I am covering in this post utilize built-in capabilities within the operating system or free open-source software.

There are a few key things to keep in mind as you deploy a honeypot, honeyport, or any form of honeyobject. First anything you deploy should be done in such a way that it is believable, and secondly, you must ensure that you can receive alerts when the honeypot, honeyport, or honeyobject is interacted with. By doing these things you will greatly increase your chances of identifying anomalous activity within the lower areas of your network.

In addition to these capabilities custom IDS signatures should be created to identify unique strings or port access across your network. With this in mind, let’s look at a couple common honeypots in use today.

The goal of all Active Defense and Cyber Deception techniques is to disrupt the attack cycle to give defenders a better chance of early detection. The earlier in the attack cycle we detect anomalous/malicious activity, the greater our chances of stopping an attacker from establishing long term persistence and/or exfiltrating sensitive data.




There are many different honeypots available today both in the open-source and commercial software arenas. There is definitely no one-size fits-all solution out there. With this being said, I am going to cover two common open-source honeypots that have very specialized functions. The two that I am going to discuss here are Dionaea and Conpot. Dionaea is a honeypot that is focused on malware collection, but is also capable of logging information pertaining to server-side attacks. Conpot is a ICS/SCADA honeypot that is able to mimic a wide variety of different control systems.

I chose these two honeypots to discuss because they provide an excellent example of why you should not deploy a honeypot in its default configuration, and you must put some thought into how and where the system is deployed.



One of the first steps most attackers are going to take will be to scan your environment to identify the systems and services available within your network. For this example I have deployed Dionaea in its default configuration and have run a nmap service scan against the system. As you can see in the scan results below, there are three ports that have services being identified as Dionaea honeypot.


If an attacker was to discover this they will likely change their tactics to be more careful and they will definitely avoid this system. As defenders we don’t want any type of active defense measure to be able to be identified this easily; so we should investigate the tool prior to deploying it and try to make some subtle modifications to help avoid detection. This is essentially the same thing attackers do by utilizing measures to avoid detection of A/V, IDS, and other traditional defense products.

To help avoid easy detection of the Dionaea honeypot I needed to find out what nmap was using to fingerprint these services. I started doing the research and code analysis to determine this, but during the course of my investigation I discovered that Jose Manuel Fernandez had already done this research and had published it on

When nmap is working to fingerprint a service, it simply compares the strings coming back to it against the nmap-service-probes file, which contains a listing of known strings along with their corresponding service identifier. To help Dionaea avoid detection by nmap, we simply need to change the strings that it is sending in response to the probes sent by nmap. As I stated earlier, we want to make sure that this is believable, so we want to pick service fingerprints that make sense for our environment and ideally aren’t too far out of date.

For the FTP service I did a little research on vulnerable FTP services that were relatively current. In addition to making the service current, I also wanted to find a vulnerable FTP service, so I did some research on the site; and chose to mimic VsFTPD 3.0.2.


To make the changes for Dionaea’s responses I had to modify the script being used for the service. The exact location will vary depending on where you install, but for my instance it was located in



Once I opened the file in a text editor, I needed to find the string being used to fingerprint it, which is highlighted below.


To complete the modifications, I updated the SMB and MSSQL files so that they wouldn’t match the nmap-service-profiles definitions for the SMB and MSSQL services as shown below.








Once all of these changes were complete and the Dionaea honeypot was restarted, you can see that the scan results no longer scream “I’m a Honeypot!



Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend to mimic a wide variety of devices/infrastructures. There has been some interesting research on Conpot with regards to its default configuration and deployment. Specifically, Darren Martyn documented a significant amount of data for Conpot on

Conpot can be easily identified by a series of default values set within its configuration file simply named default.xml. On my installation it is located here:



Below are two excerpts from the default.xml file with specific values pointed out that can be used to identify the presence of Conpot.



With these values in mind, I went to Shodan to demonstrate how you can do a search on these values and get quite a few responses back. In the graphic below, you can see that I did a search on the device serial number and got back 206 results. If you take a look at the results you can see that they all have the same Module Type, Module name, and serial number. Additionally, if you were to run this same search in Shodan, you will find a number of these Conpot systems hosted by Cloud based providers. This ties in with my earlier statement on deploying systems in a way that is believable. You should not see ICS systems running in the cloud! Could it happen, sure, you could theoretically virtualize a PLC and host it in the cloud, but just because you can, doesn’t necessarily mean you should.


From this result, I picked one IP and did another search in Shodan’s experimental site Honeyscore to see if the IP could be identified as a honeypot. As you can see in the following graphic, Honeyscore identified the IP as a honeypot.




As an alternative to deploying full honeypot systems, we can always stand-up a handful of decoy ports that serve no legitimate purpose. Personally, honeyports are something I believe are best used within your network and should mimic services that attackers will use to move laterally. They can be extended well beyond this of course, and their implementation is only limited by the creativity of the defender. There are numerous FREE tools and methods available for honeyports, so it is recommended to try a few and see what works best for your environment. A few examples are:

  • Honeyports python script by Paul Asadorian:
    • is a simply python script that will establish a set of honeyports, monitor for connections, and automatically enter firewall block rules to block attacker IPs from connecting to the system again.
  • Artillery by Dave Kennedy:
    • Artillery is an open source project aimed at the detection of early warning indicators and attacks. The concept is that Artillery will spawn multiple ports on a system giving the attacker the idea that multiple ports are exposed. Additionally, Artillery actively monitors the filesystem for changes, brute force attacks, and other indicators of compromise. Artillery is a full suite for protection against attack on Linux and Windows based devices. It can be used as an early warning indicator of attackers on your network. Additionally, Artillery integrates into threat intelligence feeds which can notify when a previously seen attacker IP address has been identified. Artillery supports multiple configuration types, different versions of Linux, and can be deployed across multiple systems and events sent centrally.

Or, we can simply use some good old fashioned command-line kung-fu to accomplish the same thing. Just like with the above-mentioned tools, the goal is to have a port or ports which will show up in port scan results that are not meant for a legitimate purpose. When anyone interacts with them it is automatically considered suspicious, and a firewall block is put in place. When setting up a honeyport, remember that it should mimic a vulnerable service or one that an attacker would use to move laterally.

On Windows XP and later, we can set-up a Windows batch file to set-up our honeyport and to automatically create a firewall rule if it is accessed. In the example below, the firewall syntax is for Window 7 and above, but it could be changed to simply use the netsh firewall command if you were using this on an XP machine.

To make this work, we would simply enter the commands below into a .bat file and set it to run on system start.


You will want to ensure that you are logging firewall events, and you can then set to forward and monitor for Event ID’s 2002 & 2010. Event ID 2002, indicates that firewall rules were changed, and Event ID 2010 indicates that the network profile has been changed. In situations where we are deploying honeyports or honeyobjects, we really need to be forwarding logs to a central log management server and monitoring from there.

An example of how this could be deployed, would be for us to set-up a Honeyport on TCP port 5900 to mimic a listening VNC server across many, or even all systems in the network. Legitimate users should never touch this, but it would be an attractive port to an attacker seeking to move laterally throughout the network. When the attacker attempts to access the port, they are blocked and the event gets logged. The way this would look on the local event viewer is shown in the graphic below.



The goal with a honeyobject is to simply have some files or folders in a place where typical users are never going to access them, and if someone does it would be deemed suspicious. For files and folders being used as a honeyobject, you could apply the hidden attribute to help ensure that casual users don’t interact with them. Once the honey file/folder is created, you will need to have object access auditing enabled. For an example, I created the following scenario:

1. Established object auditing on the C:\Users\zander\Wicked Stuff directory
2. Applied hidden attribute, so that an average user won’t know the file is there

To enable object auditing you need to do the following:

Step 1: From the Security Policy Editor, Select Local Policy > Audit Policy > Audit Object Access > Select success & failure


Step 2: Go into Advanced properties for the folder you want to monitor


Step 3: Select Auditing Tab


Step 4: Add the user accounts you want to track usage for


Once this was completed, I ran a recursive directory listing in the same fashion that a bad guy would comb your file system looking for interesting files.


The result will be a number of entries in the Security log under Event ID 4663.




Active Defense and Cyber Deception capabilities provide a serious force multiplier for those trying to defend their networks. Determined attackers will find a way in, and you must be able to detect them once they do. Incident response is not an if it is going to happen situation, it is a when. Everyone is a target, and statistics show that attackers definitely have the advantage in this fight. Active Defense and Cyber Deception techniques can help you disrupt the attack cycle to disrupt and frustrate attacker activities. The tools and techniques discussed above are not meant to replace anything, they are meant to augment your existing defense capabilities. When deployed strategically and methodically they can greatly increase your chances of detection thereby reducing attacker dwell time within your environment. Take your network back!

I am teaching SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling  at many events in 2018 and 2019.

Chris Pizor, SANS Certified Instructor

Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

DNS Anomaly Analysis Tips: Did you put a new cover sheet on that DDD report?

By Chris Crowley

“What is a DDD report?” you’re wondering.  That’s my pet name for a Daily DNS Delta.

You see, human beings are creatures of habit. Some have excellent habits, some have gross habits, some actually wear habits, but whatever works for you, we all are creatures of habit. We can use this feature of humanity to identify behavior to investigate within our network.

Short story is that most people go to the exact same websites every day. Every single day of their lives, they go to the exact same sites…so a request to a new site is essentially an anomaly, worthy of investigation. If a user goes to a really weird website in some strange location, as a security person, I’d like to know so I can follow up.  I really like daily reports that are actionable.

So, how do you know what sites users are going to? DNS query logs are a fantastic source of this information. I’ve created a         script to         help you generate DDDs for your network.  The script is at the end of this blog post… simply copy and paste it into your machine, mark it as readable and executable, provide it a data source, and it’s ready to roll.  Below, I’ll show  you how to configure your DNS servers to generate data for it to analyze, and then walk you through some of my analytic steps.

To use this script, you’ll need a source of data from your DNS server.  For that, you’ll need to enable query logging if you don’t do it already. I’m going to use BIND as an example here, but I could probably be convinced to adapt this script to MS DNS server. Or, someone out there can take that as an exercise left to the reader and enhance this script to pull logs from your MS DNS servers

The first step is to be sure you’re logging DNS queries. In your BIND config you would set something like:

       channel "querylog" {
               file "/var/log/bind/query.log";
               print-time yes;
      category queries { querylog; };

Additionally, some other BIND reference info can be found  here.

You’ll also need to make sure you have DBD for SQLite installed in your Perl environment. We’re going to use SQLite to store our records over time:

$ sudo perl -MCPAN "install DBD::SQLite"
## I know, I know Mark & Josh
## One day I won't be in a hurry and I'll learn Python and can rattle off scripts in Python like the rest of the cool kids. For now, it is my creaking bones Perl foo

You’ll also need Whois parser for perl:

$ sudo perl -MCAP "install Net::Whois::Parser"

because the script also includes the creation date of the domain gathered from whois.

Are there domains out there that are terrible and old? Sure. Are there domains that are brand new and totally legit? Yes. But a domain that is relatively new, and being accessed for the first time in your network, is definitely worthy of investigation. You could extend this script to include whatever relevant information you are interested in. You could even include a link to a Spam reputation site, for example.

Ah, so we have a bit of a problem here. You apparently didn’t read the script before running it so you didn’t change the necessary lines.

my $send_from = '';
my $send_to = '';
### Set this to the correct directory
my $database = "/var/log/bind/tps_dns.db";

I’ll get you a copy of that memo.

There are a couple of things that will happen if you run this in your environment. First, you’ll learn about a lot of new sites that people are going to on the internet. Seriously, that’s good for you…most of the time.

Second, you’ll see domains that use DNS queries for interesting purposes. For example, check out here how Sophos uses the domain to validate web sites… ). How do I know about this? Well, I was looking at the logs:


…and I noticed that the was consistently including lots of new domains every day. I plan to add a capability to suppress items from the report based on an array specified in the script itself.

Another thing I noticed in review of a couple of weeks worth of data was the presence of unqualified host lookups. This is kind of weird, and I’ve sent it to the network manager indicating that this is something that definitely needs to be investigated. This data set is for a network that I don’t manage so there is some blindness to my knowledge of the data that I’m parsing and reviewing but that isn’t uncommon when dealing with DNS data because you honestly have no idea what people are browsing.


After a bit of research and testing, I believe these unqualified DNS requests are associated with Google Chrome startup, cache priming, and Chrome’s attempt to identify malicious DNS responses as you can see in this Chrome discussion post. In my next blog post, I plan to explore the techniques for correlating processes with the DNS queries that those processes make.

The script is yours to reuse, manipulate, and update. If you do add some cool enhancement, or fix my terribly hackish Perl code, please email me and let me know. If you find a problem in your network with this, I would be very interested in hearing about that as well. You don’t need to give me specifics, but I look forward to your TPS report. You will need to use the new coversheet.

Thank you very much to Johannes Ullrich for the DNS query logs found here that I used in testing this script.


  • Customize queries for creation dates for country codes, since they can (and do) use alternate fields than creation date
  • Add an array and code that eliminates some domains from the report – perhaps auto populated with and
  • Care about record types (A, AAAA, etc)
  • MS DNS query log parsing
  • Figure out DBI selectall_hashref
  • Learn python in SANS SEC573

-Chris Crowley
SANS Instructor

P.S. In addition to the mobile stuff I do, I have a lot of tips and tricks for Incident Response. You can catch more of them when I teach SEC504 Hacker Techniques, Exploits & Incident Handling or check out the course that I author: MGT535  Incident Response Team Management.

The DDD Script


## @CCrowMontance 2015
## all wrongs reversed
## not necessarily fit for any purpose whatsoever, use at your own risk

#It's like this
scalar(@ARGV) == 1 or die "Usage $0 dns_log_file\n";

use Time::ParseDate;
use DBI;
##use strict;
##use warnings;
use Net::Whois::Parser;
$Net::Whois::Parser::GET_ALL_VALUES = 1;

my $send_from = '';
# ### CHANGE THIS EMAIL ADDRESS!!!!!!!!!!!!!
my $send_to = '';
# If quiet=1, don't print results to screen when script runs.
my $quiet=0;
my $nowhois=0; ## Default is 0
##my $email=1;
my $email=1; ## Default is 1

my @d_ary = ();
my $d="";
my $mailfile = '/tmp/DDD_report.eml';
my $line = "";
my $record = "";
my $driver = "SQLite";
my $database = "/var/log/bind/tps_dns.db";
my $tablename= "DDD";
my $dsn = "DBI:$driver:dbname=$database";
my $userid = "";
my $password = "";
my $dbh = DBI->connect($dsn, $userid, $password, { RaiseError => 1 }) or die $DBI::errstr;
print "Opened $database successfully\n";
## Check DNS TPS table exists format

my %new_q = {};
my %created = {};
# $new_q{""}=1;

# from
## But, beware, there is a typo on the code on that page. ;-) cc

sub table_exists {
    my $db = shift;
    my $table = shift;
    my @tables = $db->tables('','','','TABLE');
    if (@tables) {
        for (@tables) {
              next unless $_;
              return 1 if $_ eq $table
   else {
       eval {
          local $db->{PrintError} = 0;
          local $db->{RaiseError} = 1;
          $db->do(qq{SELECT * FROM $table WHERE 1 = 0 });
     return 1 unless $@;
   return 0;

if (table_exists( $dbh, "$tablename")) {
    print "$tablename is there!\n";
else {
    print "$tablename table not found!\n Creating it now.\n";
       my $create_query = qq(CREATE TABLE $tablename
              LASTSEEN DATE NOT NULL););

        $dbh->do( $create_query );


my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );

my $key_field="RECORD";
my $all= "SELECT * FROM $tablename";
my $rec_ary = $dbh->selectall_arrayref($all); ## Yes, I know I should be able to do this with selectall_hashref. But it wasn't working for me.

# so I did this:
foreach my $row (@$rec_ary) {
     my ($id, $first, $last) = @$row;
     $rec_ref{$id} = $first;

while (<>) {
   $line = $_;
my @temp=split(/ /,$_);
 #### Expected space delimited fields:
 # date
 # time
 # "queries:" seems to be logging tag
 # "info:" log level
 # "client"
 # ip#port
 # "query:" - query type
 # query made
 # "IN" -
 # record type
 # (DNS Server)

my $count=0;
if ( $temp[6] eq "query:" ) {


     if ( $rec_ref{$record} ne "" ) {
            if ( $new_q{$record} ne "" ) {
     } else {
              my $insert_query = qq(INSERT INTO $tablename VALUES ("$record","$temp[0]","$temp[0]") );
              $dbh->do( $insert_query );
              ## update indexed array
              $rec_ref{$record} = $temp[0];
              ## push onto new array for this report, and initialize

              my $d_tmp=pop(@d_ary);
              if ( length($d_tmp) == 2 ) {
               } else {

               if ( $nowhois == 0) {
                   my $whois = parse_whois(domain => $d);
                   if ( $whois->{creation_date}[0] eq "") {
                   $whois->{creation_date}[0] = "creation date unknown";
                } else {

       #my $ary = $dbh->selectrow_arrayref("SELECT * FROM $tablename WHERE RECORD = $record");
       #print join(" ", @$ary), "\n";

  } ## end if query

} ## end while (<>)

## Report

#foreach $key (sort(keys %$rec_ref)) {
# print $key, '=', $rec_ref{$key}, "\n";
my $newcount = scalar(keys(%new_q));
if ( $newcount > 1 ) {
      die "failed to open $mailfile" unless (open (INFILE, '>', "$mailfile"));
      print INFILE "From: TPS <$send_from>\n";
      print INFILE "Subject: DDD Report\n\n";
      ## header must have blank line after it
      if ($quiet == 0) {
               print "\n\n\n\n\nNew Records in this batch:\n";
      print INFILE "\n\nNew Records in this batch:\n";
      foreach $key (sort(keys %new_q)) {
          if ($quiet == 0) {
               print "$key count: $new_q{$key}\t\tdomain created: $created{$key}\n";
      print INFILE "$key count: $new_q{$key}\t\tdomain created: $created{$key}\n";
   close (INFILE);
   # Ya, not the right cover sheet at all
   if ($email == 1) {
   system ("cat $mailfile | /usr/lib/sendmail $send_to");


SANS Checklist for Securing Mobile Devices in the Enterprise

[Editor’s Note: Lee Neely has developed a very useful spreadsheet checklist to help organizations better plan and mitigate security risks associated with mobile devices, including phones and tablets.  It’s really handy stuff, and I strongly recommend you check it out!  –Ed.]

By Lee Neely

To help organizations better understand, manage, and mitigate risks associated with mobile devices and their infrastructures, we’ve released an updated  SANS SCORE Mobile Device Checklist.  This checklist is designed to provide a repeatable approach to adding mobile devices to your environment in a secure fashion. The intent is to be device agnostic, to support long-lasting results, and to provide a basis for making consistent decisions around having these devices in your environment, as well as proper protection of the information on and around them. Too often, I’ve seen instances where mobile devices were brought into the workplace without consideration of all of the aspects of safely incorporating these devices.  Disaster often ensues.

I have a bias around both physical use and disposition (lifecycle) of mobile devices, due to my background in U.S. Government Cyber Security. For the public sector, consider these devices as an uncleared visitor in the room who is listening and recording.  This analogy, though, useful elsewhere.  For private sector, consider mobile devices as a live webcam in the closed session of your board meeting.  Ask yourself what (unauthorized) information is leaving the room and where it is being stored. There are ways to mitigate this risk, depending on your risk appetite. We’ve provided the checklist to help you think through these issues.  We also hope the checklist helps inspire conversations with management and users to aid management in making a conscious decision that will achieve necessary protections, while allowing the devices to remain useful.

In this case, by mobile devices, I am referring to smartphones and tablets rather than laptops. I see tremendous growth in technology and capabilities for these devices.
This checklist is designed to be simple, non-threatening, and easy to use. It is organized into tabs related to various aspects of mobile devices including Policies, Lifecycle, Security Settings, Applications, COPE, BYOD and References. Each tab has a list of areas to consider such as: understanding use cases, performing risk assessments, policy, training, operational models, physical presence, etc. with the intent of recording decisions on each as a basis to plan your adoption and implementation. Some of the tabs are linked together where more in-depth consideration is warranted. These items are also intended to encourage thoughts about anything else that should be included in the list. I’d love to get feedback on ways to make this tool more useful.

This update also includes a new tab relating to COPE, more application security and device forensic information, as well as updated references. This version doesn’t cover Samsung KNOX or BlackBerry Balance. Both are forms of sandboxing, which is covered in a more general way, and whose specific future is unclear right now. Time will help. I’m not sure when it will be time to address NFC, or the larger question of using these as payment devices, particularly in a corporate environment.

Many thanks to all who contributed to the checklist, and I am looking forward to your comments.

You can download the checklist here:  SANS SCORE Mobile Device Checklist

-Lee Neely

p.s., If you really want to take a deep dive into mobile device attacks and defenses, please check out the excellent SANS SEC 575 course, which provides in-depth, hands-on experience in securing Android, Apple iOS, and other related technologies.  There are sessions upcoming on the following dates and locations:

April 28 in Austin, Texas

May 8 in San Diego, CA

June 16 in Berlin, Germany

Building a Pen Test Lab – Hardware for Hacking at Home on the Cheap

[Editor’s Note: Jeff McJunkin shares some insight into building a good virtualization infrastructure for practicing your pen test skills, evaluating tools, and just plain becoming a better penetration tester, all without breaking the bank.  Nice!  –Ed.]

By Jeff McJunkin

Practical, hands-on experience is a good thing, right? As good as it is though, it doesn’t excuse accidentally taking down your employer’s production environment while doing some testing.

While NetWars (obligatory plug for my new employer) is great for getting this experience, it doesn’t fit every situation. For example, if one of your servers crashed while being scanned by Nessus, you might want to isolate exactly which plugin is causing the crash, while avoiding future production outages.

Having a home lab with a trial version of the software creates a safe environment for otherwise disruptive testing and facilitates fast learning. It’s hard to beat not only learning the attacks, but observing the artifacts those attacks leave behind, defending against them, and creating signatures to detect further attempts!

In this post, we’ll discuss several hardware options for home labs at different price points. Since many employers don’t have test labs, it often falls on the employee to keep up-to-date on the latest operating systems, software, and offensive/defensive techniques.

Depending on interest, we might do a follow-up post with a comparison of different virtualization software. Because many people already have some experience with it, though, VMware products are tough to beat. For dedicated machines, people often use VMware vSphere Hypervisor (ESXi), which is free.

Depending on your price point, there are a few approaches.

Price point: $0 – Re-Use Existing Hardware

At this price point, of course, you’ll need to re-use existing hardware. Depending on the horsepower behind your personal computers, though, this might be enough. The main bottlenecks for virtual machines are, in order, memory, hard disk, and then CPU. With 8GB of RAM, you should be able to run 2-3 VM’s in VMware Workstation / Player, which is sufficient for many labs. With 16GB, you’ll be able to run enough VM’s that your new bottleneck will be a single hard drive, if that’s what you have. Replacing it with an SSD (such as the Samsung model recommended below) will allow you to scale to 5-7 simultaneous VM’s, though hosted virtualization platforms (Type 2) tend to be less efficient than a bare-metal (Type 1) hypervisor such as ESXi or Xen.

Price point: ~$300 – HP N54L G7

Though you won’t be able to get a system capable of running more than a couple of VM’s at this price point, by getting the N54L you’ll have a system you can upgrade over time. The rig I’ve linked to below comes with a 250GB hard drive and 2GB of RAM. Though not listed as compatible, there are many 16GB (2x8GB) memory kits that are compatible, including the link listed below.

When combined with a local SSD and several spinning disks (from the Storage section), the N54L can run quite a few VM’s simultaneously, and should meet the needs of almost all virtual labs.

Amazon link: HP N54L G7

Amazon link: Kingston 16GB (2x8GB) memory kit

Price point: $600+ – Build Your Own

At this price point you can build an increasingly powerful home server. The trick in building your own virtualization host from scratch is normally finding a combination that works with the limited hardware compatibility of ESXi, but luckily this recommendation is well-vetted.

The advantage of this build compared to the N54L is the long-term upgradeability and increased capacity (32GB memory, six 3.5″ drives and two 2.5″ drives, more PCI-e slots, etc.).

You’ll need to add some local storage from the below section or elsewhere, but these parts get you a working installation. You can re-use existing drives if you have them available, of course, which further reduces your initial costs.

Amazon link: Antec Three Hundred Two Case

Amazon link: Rosewill CAPSTONE-550 Power Supply

Amazon link: ASRock 970 EXTREME3 Motherboard

Amazon link: AMD FX-8320 Processor

Amazon link: Kingston Hyper-X 16GB Memory Kit (2x8GB) (The motherboard supports two of these kits, but you can buy one at first if you need to spend the money elsewhere)

Amazon link: SanDisk Cruzer Fit 16GB USB drive (you’ll install ESXi on a USB drive so other drives can be fully utilized for VM’s)


Depending on your needs and budget, there are a lot of options for VM storage. Though you may need to stick with spinning drives at first for cost reasons, I’d recommend purchasing a solid-state drive as soon as you can. Prices have been coming down, and $500 for one terabyte of SSD should fulfill nearly all VM storage requirements.

Amazon link: Samsung 840 Series 1TB SSD (smaller sizes available)

Amazon link: Western Digital Red 4TB Hard Drive (smaller sizes available)

Amazon link: Icy Dock EZConvert 2.5″ to 3.5″ Drive Tray (for putting an SSD into the N54L – the Antec case can fit two SSD’s without this adapter)

Webcast: Jeff recorded a SANS Webcast about Building your Own Home Lab. Available now on YouTube:

-Jeff McJunkin
Counter Hack
SANS Instructor


Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen