
Creating a virtualized environment
White hats, just like any IT professionals, often have a zealous allegiance to a specific platform and operating system. I fully expect that readers of this book will be using a laptop running some flavor of Microsoft Windows, Mac OS (X or Sierra), or Linux/BSD (Ubuntu/Debian, Fedora/RedHat, SUSE, FreeBSD, and so on). Don't sweat the small stuff - so long as it is a fairly new and well-provisioned laptop or desktop (4 modern CPU cores, Ethernet and wireless, some USB (version 2 or 3) ports, and 16 GB RAM minimum), it should at least get you started.
At the risk of opening yet another fanatical debate, we'll want to select a virtualization platform to run on top of this (sorry!). Virtualization levels the playing field and improves our lab's versatility: it lets us establish a virtual network segment and install and access virtual machines (VMs) for Windows and Linux desktop and server variants. Choose what fits within your budget and preference. Options such as Oracle's VirtualBox, VMware's Workstation or Fusion, Citrix Xen, or even Parallels (on the Mac) are popular. Performance matters less in web application penetration testing than in some other forms of testing, as we won't be doing real-time cracking or hashing in most of our work.
It should be noted that you can certainly use dedicated servers or bare-metal (physical) hosts and network equipment to build a lab, but we'll be able to do everything in this book using our virtual sandbox. In actual practice, it is more common to see professional pen testers use virtual machines to perform their testing, as it helps assure customers that proper sanitization and isolation are occurring. The tester can simply host the VM on a removable or networked drive and delete the VM when the project is complete.
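The isolated virtual segment, the clean-state sanitization and the end-of-project deletion described in the two paragraphs above can all be scripted. The following shell script is an added example written for this section, not code from the book; it drives the VirtualBox command-line tool (VBoxManage) and assumes the VM names lab-attacker and lab-target, the internal network name pentest-lab, and the memory and CPU sizes shown, none of which come from the text. It also assumes you will attach a disk and installation media yourself, which it leaves out. If VBoxManage is not installed, or DRY_RUN=1 is set, the script only prints the commands it would run.

```shell
#!/usr/bin/env sh
# Added example: build, reset and tear down a small isolated VirtualBox lab.
# Assumed names (not from the book): lab-attacker, lab-target, pentest-lab.

LAB_NET="pentest-lab"            # VirtualBox "internal network": VMs on it can
                                 # talk to each other, but not to the host or LAN
VMS="lab-attacker lab-target"

# run CMD...: execute the command, or just print it when previewing
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

vbox_available() {
    command -v VBoxManage >/dev/null 2>&1
}

# create_vm NAME OSTYPE MEMORY_MB CPUS
create_vm() {
    name=$1; ostype=$2; mem=$3; cpus=$4
    run VBoxManage createvm --name "$name" --ostype "$ostype" --register
    # One NIC on the internal segment and nothing else, so the lab is
    # isolated from your workstation's network by default.
    run VBoxManage modifyvm "$name" --memory "$mem" --cpus "$cpus" \
        --nic1 intnet --intnet1 "$LAB_NET" --nic2 none
    # Record the clean state so an engagement can be rolled back afterwards.
    run VBoxManage snapshot "$name" take clean
}

build_lab() {
    create_vm lab-attacker Debian_64 4096 2   # sizes are assumptions
    create_vm lab-target   Ubuntu_64 2048 1
}

# Sanitize between engagements: return every VM to its clean snapshot.
reset_lab() {
    for vm in $VMS; do
        run VBoxManage snapshot "$vm" restore clean
    done
}

# Project complete: unregister the VMs and delete their disk images.
destroy_lab() {
    for vm in $VMS; do
        run VBoxManage unregistervm "$vm" --delete
    done
}

if ! vbox_available; then
    DRY_RUN=1
    echo "VBoxManage not found: previewing commands only" >&2
fi

case "${1:-build}" in
    build)   build_lab ;;
    reset)   reset_lab ;;
    destroy) destroy_lab ;;
    *) echo "usage: $0 {build|reset|destroy}" >&2; exit 2 ;;
esac
```

Run it as `sh lab.sh build`, `sh lab.sh reset` between projects, and `sh lab.sh destroy` when the engagement is over. The choice of `intnet` for the only NIC is the security-relevant setting: switching it to `bridged` or `nat` would give the target VM a path to your LAN or the Internet, which is exactly what the sandbox is meant to prevent.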