t409 Step On In The Waters Fine An Introduction To Security Testing Within A Virtualized Environment

you you testing testing no is that better okay all right awesome you hear me now all right so um when you get out of here go over there to hackers for charity and please support that that group of guys who got to see Johnny long’s keynote alright awesome so make sure you guys support support them let’s let’s kick death on sale again alright and and let’s keep that tradition rolling so just an introduction to to what we’re going to do here the goal is to provide meaningful information about testing and virtualized environments what your options are to show you that it’s easily attainable to set up an environment that you can test in and and for some reason this this basic level of the talk is is usually often overlooked and I don’t know why but this talk was actually initially presented at Appalachian asst to digital evidence at Marshall University and for students because year after year they kept asking how do I even get started like what do I do to get into this because I can’t do show to end cuz that’s kind of legal and you know I don’t know really where to get started so that’s that’s who this was initially geared for and and so there’s that disclaimer I have modified that severely so there will be few memes and that’s hopefully to keep you guys awake this early in the morning that being said this is not no day talk all right there’s no advanced exploitation or anything like that it’s going to be taking place here so that’s what you’re looking for you should probably go see Egypt if you link into the the web space go check out the other guys talk this is a this is an introductory talk is to get you started in a virtualized environment hopefully everyone will be able to take something away from it but it’s not it’s not an advanced exploiting it’s not a sexy red teaming talk ok this is this is how to get started I’m big proponent of the path of least resistance so there are multiple multiple ways to do this and everyone has their favorite but the way that we’re going to go is is the way

that I’ve chosen because it’s the easiest to document it’s easiest to be able to replicate easiest for you guys to take home and be able to set up in your own environment okay so quick role playing and and if anyone’s smiling right now that’s not what you’re thinking you’ve been fired okay you’re now getting back into the industry to be able to try to attain new employment or you’re just trying to get into the industry and you’re probably going to go through the interview process several times one of the questions you’re going to be asked is what are you doing to either maintain or increase your relevant skill set what are you doing to make sure that you are keeping yourself relevant and knowing how technologies work you have an answer for that you know what you would answer to that type of question because if you don’t then then this talk should to help you because everyone should have a desire to learn if you’re in the infosec information security field there are only reason I’m here is because i’m addicted to learning and this is a great field for that so hopefully everyone here is geared the same way candidates for employment not only have a degree or relevant certifications also possess a true working knowledge it’s a levers or tool sets is what is needed in today’s environment see people all the time they have great certifications because they’re good at taking tests and they’ve got all kinds of degrees because they’re good at taking tests but what what the infosec community right now needs are people who understand the underlying technologies and can make it work so what can we do to be able to fix that what what what can we do to to actually turn that tide and get people into fields that matter that have that desire to learn and and and one of those is is making sure that you are doing your part to increase your skill set not everything you’re going to see in a sans Coeur for you know in some training is going to be the holistic picture you have to do your own you have to you have to show your own desire and get out there and learn the other pieces of it that make it work you have to do it you just have to get out and do it so I forgot to forgot to change that but here’s a recent article well it’s not to reason I guess it’s been three or four months ago CSO self-taught hackers rule they understand this they you know the people that matter the people that are in charge of hiring understand this they know that people that are driven on their own are better than those that are just good at learning okay goes on better cyber security depends on better white hat hackers and on governments worldwide upping the consequences for flouting rigorous security standards goes on to say what’s it what’s it take to be good hacker you want to be really good at hacking you have to work and learn I’m work and learn all your times behind the keyboard right and and how many of us is that the case hopefully I get quite a few hands all right so that’s the way we should be but you know it’s kind of a you know a demeanor in some places but and others have been in not so much um he goes on to say you know are there any superior programs how many of you have gone through an offensive security course okay LS cpe OSCE great courses offensive security guys he says here basically that these guys don’t compromise their their models try harder if you want something that’s going to challenge you and really get you into the into the field I i recommend the the offensive security courses as well and and they will definitely challenge you so how can you get there practice practice practice and how can you get that practice well hopefully you don’t go park in this parking lot but that could happen what we want to do is we want to set up a virtual lab we want to we want to do this legitimately right we want to do it ethically so let’s let’s set up a virtual lab and and the cost is well worth gain there are many open source solutions out there we’re going to cover a few of those I’ll provide all the resources and everything you need to be able to find them on your own this slide deck has already been uploaded and i’ll have the link to that on the one of the final slides so you don’t have to worry about taking pictures of all the links and everything else okay they’ve already be out there for you and you go and pull down yourself many tool sets

and distributions are out there virtual machines are the primary medium and you can download Isis for cali but you can also download the ends you can download ISOs for her deft and cane and some of the forensics but you can also download them in VMs the ends are starting to become more and more the way that people distribute their their tool sets and given as broad as information security is you need to understand how it works but a wide you know wide variety vulnerable environments are also available so say your tasks how many of your red teamers or pen testers okay few of you how many of you are forensics type folks or want to get into forensics right how many of you are blue team errs alright so good mix crowd there’s something out one I i know that in in the past you know I didn’t have any experience pen testing a sip environment so what i do i went out and i found a vulnerable sip environment vm have booted it up and learned how to pin test fit before i did it in prod right it’s usually a safe bet i didn’t want to take down prod but but those are the those are the kind of use cases that we have another reason everything is going virtual when you look at that you know the way things are going greener environments they’re they’re all going more virtual so if you’re not testing yourself in a virtual environment you’re not testing yourself in what’s what’s coming up and what’s actually being implemented data centers now so quick definitions of terms for those that are not aware and yes I will be reading for the slides for these for just a little bit but we’ll try to try to make sure everyone understands the basic terms before we head on the hypervisor is a virtual machine monitor it’s generally a piece of computer software firmware or hardware that creates some runs virtual machines computer on which a hypervisor is running is defined as a host machine virtual machines around this host I refer to guess machines a virtual machine for those that don’t know is a software-based emulation of a computer and it will it will generally operate on the on based on architects from functions of a real computer you have to tell it how much hard drive space that you wanted to have allocated to how much RAM you want to have allocated how many cpu cores you want to have it allocated to it snapshot of preserves estate and and the other virtual machine including you know pretty much everything related to it at that point in time all the data that’s stored in RAM old is stored on disk it just snapshots it it’s not necessarily you know like a selfie it’s more of a situation where you are you’re creating a restore point that you can come back to you why are those valuable in virtualization yes exactly right so if you have a lab that’s a hardware lab and you screw up one of those boxes it takes a couple hours to get it back up and running right virtualization you can have that snapshot it hit a button River back to that they make our lives much easier so it’s much easier to learn so three different ways that networking is generally configured within within a virtual machine our bridge NAT and host only each one is is configured in a specific way bridge will basically it says it binds the virtual network adapter directly to the physical ethernet adapter the vm will attain th beliefs from the physical network so it will look like you have two separate systems on that on network right that is is network address translation it binds virtual network adapter behind the net environment obtains the DA’s internal dhcp address shares a physical ethernet adapters public IP address for external communication so just like your your home wireless router you you have an internal IP address but you can still communicate internally and externally host only is behind that but you had no egress or ingress with that network okay so you get an internal network communication only dhcp lease is obtained you cannot get out alright so let’s get into the technical of how we’re going to set this up we’re going to we’re going to have a short little structure we’re going to look at hardware considerations what you’re going to think of you’re going to need to be able to set up an environment like this look at the different virtualization platforms that you may want to utilize and then we’re going to set up a vmware esxi server okay offensive and forensics distributions will look at a few of those and get you some some links to those i know most of you probably play with few of those on the list there cali same row WTF set

sift then we’ll look at some virtual appliances and we’ll look at some virtual distribute or vulnerable distributions that will that will help you be able to test metasploit all to know wasp things of that sort alright so hardware considerations this system is what all this is going to be running on today and we will hopefully do a live demo we’ll see how they goes all right but while the CPU speeds do matter that’s one of the things that’s always asks of you know when someone’s wanting to set something off is how much CPU do I need they really don’t matter as much as RAM and and an hard drive space right hypervisors are pretty much all memory hogs there some that are much better than others the hypervisors are generally all memory hogs there they’re going to require a lot of a lot of ram vm she’d written you know very drastically in size you can get very very small like dsl damn small linux or you can go all the way up to having a you know windows 8.1 vm that takes 20 gigs of hard drive space just for the core OS right so you can they very very drastically in size and so that’s a that’s a big consideration sufficient power supply to you don’t want to melt anything down alright so virtualization platforms some of the ones that you’ve heard of my virtualization platform that everything you’ll be seeing on is running on today is is running on top of vmware fusion okay vmware player workstation run windows and mac or windows and linux esxi and ESX are good server environments esxi you can get with the community license so you don’t have to pay anything for it you can use it for educational purposes parallels is another one that people generally like running on a mac so there are strong camps in either direction I don’t want to argue about how that how that goes and which one’s better than the other but they both have their advantages and disadvantages Oracle VirtualBox is a good open source option for you as well let’s cross platform proxmox is another great one and you can you can do a lot of a lot of virtualization with it with less hardware it’s better on memory and so it’s a good one xenserver is another one that you mail them to also consider pretty much all of these out there are are free or at least you know you know the vmware fusion VMware Workstation parallels you’re going to pay for those right the rest of these you can you can pretty much get with our end esxi server but the rest of these you can you can get fairly cheap you just have to register get your get your product key and and register that it’s not all-inclusive there are many many other options you know Red Hat and there are all kinds of different virtualization platforms but what we’re going to cover here is is primarily things that you guys entertain and get fairly cheap okay so what we’re going to do is we’re going to go ahead and set up in the esxi server we’re going to do we’re going to set the esxi hypervisor on top of via web fusion on this macbook pro and the system specs on this system are core i7 2 gigahertz 16 gigs ram 500 gig hard drive ok the esxi again is pre fridge occasional purposes so anyone can pull that down so what we’re going to do is we’re going to be pulled down the vmware esxi ISO image and that is on the host system and we’re going to create a new virtual machine for VMware on top of vmware fusion set the esxi I so as the boot media for the new VM that we just created and then you know just so you know this is this is demonstration purposes only please please do not take out of this room that I want you to set up an esxi server on top of fusion ok go home and do it on bare metal ok it’s like stacking chairs when you could use a ladder it’s not really efficient it’s not really effective but it worked good for demo purposes so that’s why we’re doing it here I don’t want to try to have to get out of the network and get into an external system and and we know everything that’s been hitting the networks recently so that’s why we’re doing it this way but you can set this up on bare metal at home set up a server you can have VMS running all the time they can be things for your lab or they can be things that actually serve a purpose within your environment once you start seeing all the options that are out there you may you may find some things that are useful for your home

environment that that actually you know you can run with so we’re going to get into some screenshots ok it’s going to take a little bit too to go through this if we just installed it during the during the time we have here so I’ve already gone through that process this is what it starts looking like when we boot up we’re going to continue going through and we’re going to hit enter to accept you have to f/11 here to get into accept the defaults but if you hit f11 on your Mac inside of vmware is just going to laugh at you so you have to escape out and use the menu go to virtual machine sinky f11 and that will forward you on to the next one so it’s going to scan through it’s going to look at the hardware you can see right there that I’ve delegated 100 gigs of my 500 gig hard drive to that specific vm said the US default set my root password yes so this is a hundred gigs of space on my physical 500 gig drive but it’s actually setting it within vmware fusion yeah yeah so its segments it out right I mean it’s a bunch of little files but uh but yes it’s a hundred gigs of space that I cannot utilize for anything else alright so we set the root password it goes through scanning again it then wants to validate again that I do want to format this drive so we’re going to go through the menu system again hit f11 and it installs then tells you that you need to remove the cd-rom from the from the system for to reboot again you want to go back out to the menu and go down to your under the virtual machine menu go to your CD DVD I Drive and then tell to disconnect that and then hit enter it’ll reboot takes a little while to boot back up once it gets loaded back up it gives you right here on the screen the IP that you’re going to be connecting to ok so your IP is right there scratch it down because well you’ll have it running anyway but scratch it down because you’re going to need that and a little bit to connect back to it alright so esxi management one of the one of my beliefs is that there’s a one of the problems I have with the esxi is that it requires a windows fat client to manage it I’m not big on running windows within my environment but it’s one of the options here so I don’t need another physical box if I can set up a vm that’s windows to manage my vm hypervisor okay so it’s like again didn’t want to see inception we’ll get into a little bit of that here alright so the esxi management once we get in there what is going on all my pictures are gone oh well anyway so we’re we gone through this part now what we’re going to do is we’re going to set up a windows 8 vm with VMware vSphere client and then the vmware vcenter converter stand alone and and those will help us manage that this will just be our management VN this vm again is sitting on top of our vmware fusion environment okay it’s outside of outside of the hypervisor because it has to manage the hypervisor all of the VMS that we’re setting up our in an added environment so they are able to communicate outside but they are behind on that because we’re going to have virtual machines in here I don’t want them on the edge and and people attacking work stations within my you know gasps workstation is within my machine so make sure you stay at it if you go bridged you’re going to open yourself up and I wish all my memes were showing up that would be much funnier anyway so further information this is how we’re going to set it up we’re going ahead and setting up the windows 8.1 ISO image from the macbook pros hardware we’re going to create a new virtual machine within vmware fusion and then we’re going to go ahead and set that 8.1 I so as the boot media for the vmware server we’re gonna go ahead and beat that up and so we need more screenshots alright so here we go we’re setting up windows it’s all pretty it asks us how much hard drive space we want so goes

through the process vmware fusion works really well with windows it will reboot it once it comes back up it automatically installs vmware tools for us which is awesome saves a step and a reboot again and then you get to back back to being able to log in so not a fan right but we have to do it for this environment so we go ahead and we set that up what i’m doing here is I’ve got the executable for the vSphere client on my core macbook pro and i’m going to drag that over the desk top of this windows 8.1 vm that we just set up it copies in because if vmware tools makes that very very handy so we’re going to go ahead and install that now so next next next next next up you have to accept right read the whole thing and accept right don’t disobey don’t need people like cutting tags off mattresses and stuff alright so keep it next and next finish once it’s done all right yay we’ve got our system pretty much set up to be able to manage this this this esxi server now so what we’re going to do is we’re going to put in our IP address our username and password username again was route because that’s the only count we have on the achi server at this point so put in route the password and we accept the certificate and we boot up and it tells us that we are now in a trial mode okay for 60 days I’m going to show you how you can go in and and put that key in because it is a needle in a haystack if you haven’t done it before it’s it’s a pain to find so yeah I have no idea what I’m doing so what we’re going to do is we’re going to go ahead and and and bring up the esxi so through the vSphere client we’re going to register VMware ESXi server through the vSphere client and then we’re going to again use the key that we got when we registered our esxi executable will be pulled down so when we when we come through first screen up at the top you can’t read it I’m sure but it says the inventory up there you’re going to go ahead and click on that and on the next screen and the menu on the left where the little cursor is if you can see it says licensed features so you go in there and then go to the configuration tab and then the far right side of the configuration tab there’s a little edit link okay how many of you would have found that on the first try probably not many unless you set it up before it is a pain in the tail to find so once we get in there we’re going to go ahead and put in our our product key and no that is not legitimate you can feel free to try but yeah I knew my audience so we yeah that’s not going to work for you you take a picture of that one she just made it say on see all the way across alright so once we once we get that set up we’re logged in and you can look at the bottom right hand corner no longer tells us that we are in a and a trial mode if you look just prior to that it says evaluation mode 60 days remaining that goes the way so we’re in we’re managing it what do we do with it now what we’re going to do is we’re going to set up the vmware vcenter converter stand-alone application on our windows 8.1 vm r management vm and what this will allow us to do is be able to import and convert VM images onto the esxi server okay it will also transfer them over so you can go and and pull down the vcenter converter we’re going to save that and go ahead and run it directly from the system yes next next go back and read that and hit accept and the next next install and we’re going to go through the process it’s almost done and all right so now this is our visa vcenter converter stand-alone application and so what we need now are some distribution is to be able to to be able to either bring into this or two to attack with what we’re going to cover first or offensive offensive VMs so I’m going to be views Khalid all right awesome so there are quite a few very good offensive offensive VMs that you can

pull down our to salt pin to samurai WTF MOBA sack if you like to test mobile applications mocks Lennox back boom to black rmx sift deftly and cane there’s all kinds of them to choose from and again later in the slides there will be direct links to each of those that were valid as it this morning so if you want to go out and pull some of those down you’ll be able to alright so everyone knows the the terminal in cali is a quick screenshot within within samurai WTF every offensive virtual distribution has its strengths and weaknesses so depending on what you’re testing or what you’re wanting to learn will depend on which which distro you’re going to want to run but there are there are many many great tool sets out there that will save you tons of time most of us that do this professionally will modify heavily the distributions that we’re running on to have tool sets that we want to have every time having that a vm with snapshotting makes things much much easier to keep us from having to do that every time so there are virtual appliances that you can pull down as well vieta is a great router that you can pull down want to get in the cisco stuff vieta is great to be able to learn some some acl’s and things of that sort p.s sense how many of you use pfsense awesome firewall there’s I PS SIDS is the security onion anyone used it right alienvault SSN is a great sin so there are all kinds of open source options for us to be able to get out there and utilize those and and be able to play with them in our environment if you don’t have the the understanding of what a sim is and you’re applying for a role that manages a sin then it may be in your best interest pull-down lsm run some junk through your network see what pulls out or there are your point logs to it and run some dug through it I generally always keep security onion on on a vm on my box the reason being is I can use TCP replay throw a pcap through it and watch what all security and then pulls out with snort and all of its predefined rules and things of that sort that got set up in it it’s amazing saves you tons of time of manually picking a part of the end or picking a part of peek at so these things make our lives very very easy if you learn to use them effectively inside the vSphere client I believe there is a VMware virtual appliances marketplace you can go out to and take a look at that I’ve got to also got a couple links to other lists of VMware or virtual appliances that you can utilize on the following slides but virtual appliances are great now for vulnerable distributions this used to be a thorn in my side they were very hard to find they were sparse all over the place and and it was it was hard to know whether or not you were going to get a legitimate one or if you’re gonna get one that someone else had pre-loaded try to you know he goes traffic out of your network because that happened quite a bit thanks to you know many many great people we have some some amazing vulnerable distributions that are out there and and I’d like to give a special thanks specifically to the guys at bowlin hub for being able to put all of these together in one place how many of you gone to Bolam hub awesome so ball knob is an amazing resource put together by got milk who’s in this room I don’t know if he wants to be recognized or not but amazing work by those guys and and and they really have put a ton of work into it and and they deserve around applause for for for putting that together for anyone that does that stop it’s awesome and he’s given me a few stickers I’ll put them up here on the table if anyone wants those during the doing the you into the talk you can feel free to come up and snag them don’t run something like dvo on your on your primary box or as a you know as something that you’re bridged out onto the network make sure you run the stuff responsibly these things are inherently vulnerable they’re made to get popped you put it on the edge and you’re going to get popped so make sure you protect that stuff if you want to set up a honey pot or something for someone to be able to attack do that but make sure that you use something like pfsense to block them from being able to come further into your network all right learning to use virtualization the network and components that are built into most of the hypervisors and being able to you know to manage that stuff

will help so what we’re going to do for this portion of is we’re going to use vuln up we’re going to pull down a copy of metal to as a vulnerable guest distribution and then we’re going to pull that in through the vmware vcenter converter standalone and we’re going to convert that into the esxi server we’re going to attack it okay so basically what we do is we go in we pulled that down it has to be extracted once you get it unzipped you’ve got your vmx file there so we’re going to go into the vc center converter and then import that so we select vmware workstation or other VMware virtual appliance or machine is what it says and as the as the item we’re going to select that vmx file we’re going to go ahead and tell to to convert it and bring it in so we hit next and it starts pulling that in you then have to provide the credentials again for your esxi server once you’ve provided those credentials then it starts the process of transferring this or converting it and getting ready to transfer it up to the network so you name it hit next continue going on and next most of these again are defaults unless it’s something that’s pretty readily known to you already we’re just going to keep hitting next we hit finish and then we’re going to go and look inside the vSphere client ok the vSphere client again is what we’re managing this esxi server with so once we get into the vSphere client we can see that it’s there but not fully yet yeah another one of my image is gone dole alright so anyways so status you can see it’s at seventy-six percent up there it’s it’s currently loading up now and now our our vulnerable vm is now within the esxi server okay so what do we do now we’re going to go ahead and spin it up and once we have the metal to vm powered on we’ll go back into the cali view that we have on vmware fusion and that’s you know i just had that set up already and will scan it enumerated take a look at it okay show you how how you can kind of interact with it when it’s when it’s actually stood up then from the Akali offensive vm will scan the range and just just play around with a little bit so inside the V vSphere client basically you just come in here and you can right click on on the vm select power and tell it’s powered on and it will boot up you can actually see it’ll put a little play symbol on the I Khan for it and at the top left you can also expand the the tree there to be able to see it there as well along with all of your other VMS so let’s actually spin it up and we’ll take a look at you all right so this is the esxi server i’m currently in it i have to escape out of it so there’s again what you sold previously this is running you can see the internal dhcp scope of it this is our windows 8 management system and hopefully i can remember the password to get back into it just loading the inventory and we can look I think I’ve only got a couple VMs in there right now metasploit voules one of those politics is another there are hundreds out there on on Bolin hub that you can get out and learn with so we’re going to right click on that power power on we can also power on this one as well you can power it on just by hitting the play button up top and now we see that both of those have the little play icons on them over here in the left menu so they are they’re both running so temporarily what we’re going to do is I’m just going to kind of shut those

down real fast I want you to see that we scan that internal range there’s nothing there and then when we go back in and scan it once there once they’re booted up we get we get results we get things hopping at us so this is a cali attack vm sitting on top of vmware fusion I’d type that incorrectly we did all right so so we see that we’re 168 or 192 168 66 subnets we’re going to scan that whole subnet just going to use nmap let it run so once this gets through scanning we’ll see we have very little let me run that okay so everything everything finished there we see host down all the way down the list pretty much see nothing right everything’s empty so let’s go back over here and let’s spin these back up and let’s get in just a second to boot and then we’ll do the same scan again and see what more information we come back with things should really light up for us special when it hits metasploit able very inherently vulnerable locks so here we go 8020 2443 8100 we’ve got plenty of ports here lighten up like a Christmas tree so how many of you is scanned a network before just just done a simple scan okay great okay cool if you haven’t you have no reason there’s no no excuse not to now right you don’t have to do it on someone else’s production Network you can set this off on your own system and and play around with it learn the tools that you’re expected to know some of this stuff again I you know is very basic and so it’s it’s often avoided by the infosec community when it comes to these type of conferences and and I honestly you know my outlook on it was that I thought that this talk would be too basic for this conference myself but others felt need to to make sure that that it was given because they think people will benefit from it and I agree with them everyone starts at somewhere right everyone has to has to start somewhere yes ed right basically what was said was you know that every system administrator needs to understand how to run simple things like that like in that to be able to map out your environment see what’s running that you don’t know is there because most the time just simply looking at one or two systems and what services they’re offering is not going to show you the entire environment yes yes so that was make sure you inform your stock when you’re when you’re running scanning across the the environment you could you can trigger some alerts and scare some people so I was going to go through a larger exploit against against the metasploit will be n but we’re running too short a time really for me to be able to go

through that whole process you can see that it’s finished scanning here we have all kinds of information on this guy on these two systems and and we know that that there are some definite vulnerabilities within our environment now now it’s the next step of okay so how do I test this right get out there and learn teach yourself pull down these vulnerable VMs and and do it and and you’ll be amazed at at at what you gain from it so let’s finish this guy up yes no adobe updates right so congratulations you’ve gone through the process of setting up a virtual testing lab an esxi hypervisor you have your windows vm to manage that hypervisor successfully you’ll be able to put it all together and you know where to obtain the offensive appliances and and vulnerable virtual machines or at least you will hear in the next coming slides to be able to build this out on your own and teach yourself and learn it doesn’t matter whether you’re you’re going in the pen testing or blue teaming or forensics or if you want to get into exploit development I everything that you need to learn with an information security you can put into a virtual environment and save yourself tons of time to be able to teach yourself and further your skill set you also know how to convert and transfer them over to your esxi server the vcenter client and then our vmware converter so and then you saw how easy was to numeric guests with and within that environment from your cali bien you know infosec recruiters want people that know the tool sets they don’t just need people out there that that have those certifications and have the degrees any people that can speak intelligibly about how that how that works at a fund a foundational level and and so that’s what we need to do it takes time it’s not easy but it definitely will pay off if it doesn’t pay off monetarily for you at least it will pay off in the long run with your with your skill set in your career and in the words of Rob Schneider that’s going to oh crash nice at least that part of the demo failed not yeah so I have the pinwheel of death all right I want to get the slide back up at least for you guys to to be able to get the link to be able to pull down the slide deck get that back up for you real fast I’m gonna skip Schneider yeah everyone knows it alright so again the links for these are in the in the presentation so yes excited download registration player fusion workstation parallels VirtualBox all of your offensive and and and you know primary viens that you’re going to use as tools with an infosec and then you’ve also got your virtual appliances here again the top three there AR are all your your lists and then some of the bottom ones are the things that I find very very fruitful to learn from and then I’m not going to give any more links for all the vulnerable VMS there’s so many of them it’s a it’s a huge number of them but they’ve all been very well put together the guy’s a bull and hub and so make sure you go there and check it out and pull down some some some vulnerable beams one more thing if you guys are in the area and local go and check out hacker con it’s coming up in just a month or so and it’s in Charleston West Virginia thank you guys very much appreciate the time and good question

okay so the reason so the question again was do i recommend esxi over top of vmware fusion the reason this was presented this way is because i want you to be able to know how you can set this up on an actual physical environment as an esxi server vmware fusion while it can run all the time and have multiple VMS within it is not easily managed without having a display on that system so so if you have a and yes and it’s free okay so that’s a that’s a big consideration but yeah you can have a headless box run esxi on your server manage it remotely do everything you want to do and and and build your skill set effectively all right thanks you guys for coming