1. Use the free tech support included with the virtualization product to address the specific networking issues we looked at in the meeting. We're an open source club, and although it's possible that we have members familiar with almost any technology, the product was from a company with which our experience was limited. Unless I and others were missing something, it seems to me that a virtualization product (VirtualBox, VMware's latest cut-down version, Parallels, Hyper-V, whatever) should provide a basic network out of the box. Just add an assortment of OSes plus one pentesting-specialist Linux distro and you're done.
2. Guaranteed: most people will hate this suggestion with a murderous passion, but if it were me, I'd eliminate the virtual layer and simply get a switch and three or four separate desktops and/or laptops. For real; no VMs. I'd hook up a Windows box, attach a Mac, add one with openSUSE or any general-purpose distro in the top 20 over at DistroWatch (right column under the ad block for the latest rankings), and the last box would run Kali. Along with a nice Network+ class over at udemy.com, this is what I'd think would teach network penetration best. After all, building a network is what you'd need to do by yourself first, in order to understand what you propose to penetrate. To keep the electricity bill down, I wouldn't run everything at the same time. I also benefit from not currently being married, so that would get me around the exclamatory reactions surrounding all the wiring and equipment lying everywhere.
3. I only wish, when the user's question originally arose, that I'd had a particular book to hold up in my non-virtual hand: Michael Gregg's "The Network Security Test Lab: A Step-by-Step Guide". It goes from the physical arrangement (either real or virtual) in the vein mentioned above to dozens of additional topics that flow naturally from the reasons one builds such a capability in the first place. He understands that pen testing is not an isolated capability. One needs an initial and intimate familiarity with the real estate that one proposes to explore.
This review is a preliminary one; it will provoke further articles from me. The book constitutes a syllabus for a class that universities should be giving if they aren't already. Of eleven chapters, 'constructing the lab' is confined to Chapter One. Further chapters address the whys and hows of using what Chapter One allows you to assemble. Passive Information Gathering is given its own chapter, discussing methods from banner grabbing to dumpster diving, in order to drive home the point that not all information is on the network - or perhaps on ANY network - and the point that the more noninvasive the surveillance, the better. At least at first. Results from passive gathering will tell a tester how exposed the client is, which will make important reading in the results report.

Properly, network traffic analysis and system identification are given separate chapters, and the analysis chapter comes first, as the questions will occur on the way in. In the traffic chapter (Chapter 3) you'll find Gregg is big on Wireshark as a main tool, wireless or wired as the problem may be. He quickly proceeds from packet basics to real-world examples involving tricks like VLAN hopping and different types of LAN taps. The System Detection and Analysis chapter (4) starts with a hex refresher and proceeds to discussions of services that different OSes tend to implement differently (this is the way nmap and other tools try to ID boxes on the fly). A basic example is the TTL: Linux time-to-live for packets is 68, Windows' is 128 and many hardware devices put it out to 255 (unrestricted). Later, System Enumeration is given its own separate chapter (5). There are further ones for Encryption and Tunneling (6), Automated Tools (7), security problems peculiar to wireless networking (8), malware (9), Intrusion Detection and more malware analysis from a post-intrusion perspective (10) and Forensics (11).
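To make the TTL observation concrete, here is an added example (not from the book and not the author's code) showing how a passive analyst or a tool like nmap turns an observed TTL into a rough OS guess: each router hop decrements the TTL by one, so the observed value is rounded up to the nearest common initial value and the difference is the hop count. It assumes the conventional default initial TTLs of 64 for Linux and other Unix-like systems, 128 for Windows and 255 for many network devices; the `tcpdump -v`-style capture lines it parses are constructed for the example.

```python
"""Rough OS guessing from observed IP TTL values (added example).

Assumption: hosts start packets at one of the common initial TTLs below.
Hosts can be configured to use other values, and fingerprinting tools
combine TTL with many other signals, so treat the result as a hint only.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed default initial TTLs and the OS family that usually sets them.
INITIAL_TTLS = {
    64: "Linux/Unix-like",
    128: "Windows",
    255: "network device / unrestricted",
}

# tcpdump -v prints the IP header summary as "... ttl 57, id 4321, ..."
# followed by ") <src-ip>.<port> > <dst-ip>.<port>:".
TTL_RE = re.compile(r"\bttl (\d+),")
SRC_RE = re.compile(r"\)\s+(\d+\.\d+\.\d+\.\d+)\.\d+\s+>")


def infer_initial_ttl(observed_ttl: int) -> Optional[int]:
    """Round an observed TTL up to the nearest assumed initial value.

    Returns None for values outside the valid 1-255 range.
    """
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    return None


def guess_os(observed_ttl: int) -> Tuple[str, Optional[int]]:
    """Return (os_family, estimated_hop_count) for one observed TTL."""
    initial = infer_initial_ttl(observed_ttl)
    if initial is None:
        return ("unknown", None)
    return (INITIAL_TTLS[initial], initial - observed_ttl)


def parse_tcpdump_line(line: str) -> Optional[Tuple[str, int]]:
    """Extract (source_ip, ttl) from a tcpdump -v line, or None if absent."""
    ttl_m = TTL_RE.search(line)
    src_m = SRC_RE.search(line)
    if not ttl_m or not src_m:
        return None
    return (src_m.group(1), int(ttl_m.group(1)))


def profile_capture(lines: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each source IP seen in the capture to its (os_family, hops) guess.

    The first packet from each source wins; lines without a parsable IP
    header (e.g. ARP or truncated output) are skipped.
    """
    profile: Dict[str, Tuple[str, Optional[int]]] = {}
    for line in lines:
        parsed = parse_tcpdump_line(line)
        if parsed is None:
            continue
        src, ttl = parsed
        profile.setdefault(src, guess_os(ttl))
    return profile


# Constructed sample capture in tcpdump -v format (not real traffic).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP (tos 0x0, ttl 57, id 4321, offset 0, flags [DF], "
    "proto TCP (6), length 60) 192.0.2.10.443 > 198.51.100.5.51234: Flags [S.]",
    "12:00:01.000002 IP (tos 0x0, ttl 126, id 77, offset 0, flags [DF], "
    "proto TCP (6), length 52) 192.0.2.20.445 > 198.51.100.5.51235: Flags [S.]",
    "12:00:01.000003 IP (tos 0xc0, ttl 253, id 0, offset 0, flags [none], "
    "proto ICMP (1), length 56) 192.0.2.1 > 198.51.100.5: ICMP time exceeded",
    "12:00:01.000004 ARP, Request who-has 192.0.2.30 tell 192.0.2.1, length 28",
]


if __name__ == "__main__":
    for src, (family, hops) in profile_capture(SAMPLE_CAPTURE).items():
        print(f"{src:<14} {family:<30} ~{hops} hop(s) away")
```

The ICMP line deliberately lacks a port after the source address, so the parser skips it; a real analyst would extend `SRC_RE` for ICMP, but the point is that a parser should fail closed on lines it does not understand rather than guess.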
Some high points of those last chapters include discussions of password tools like PassTheHash (yuk yuk) and crackers that take slang like Klingon into account (Chapter 6); assessment tool scriptability, as with Nessus (NASL), Metasploit (Ruby or Perl), nmap (Lua/NSE) and point-and-click tools like BeEF and Core Impact (Chapter 7); and resources on how various entities like retailers look for your phone in order to track you within their stores (Chapter 8). I should note that Chapters 9 and 10 overlap; 9 is the introductory level of malware discussion (using tools like Rootkit Hunter, virustotal.com, etc.) and 10 gets into the heavier stuff like IDS tuning (he prefers Snort since its maintenance site has many preconfigured rules and signatures to get you started).
My compliments to the chef. This is a well-written and current resource that I'll be turning to again and again (I require much repetition to learn and Gregg repeats what I need repeated). He also writes for the Huffington Post website; check him out there.
