Andrew Douma

Buying a professional penetration testing laptop for 2017

I need to place my bet on a new pentesting laptop that will get me further into the 21st century.

This article discusses some of my considerations when faced with this decision. All prices listed are from early August 2016.

www.securitystreak.com

About the Author

Andrew Douma is a vendor-neutral consultant who performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers resilient high assurance systems in the Cloud.

You can connect with him on LinkedIn, GoodReads, and Twitter.

More stories by Andrew

Evaluating QubesOS as a Penetration Testing Platform | Finding the right exploit code | Antivirus in 2017: Why? Which? How? | Penetration Testers’ Guide to Windows 10 Privacy & Security | Full Disk Encryption with VeraCrypt | On the Shoulders of #InfoSec Giants: ‘Hacker to Security Pro’ | Securing an Android Phone or Tablet

Brand choice

Amongst my peers, there are four favorite brands: Apple, Dell, HP and IBM/Lenovo. I also reviewed all major “Linux laptop” resellers but found they are all based on one of these brands.

These last eight years, I have been using OS X/MacOS as my base operating system. But my current souped-up MacBook Pro (MBP) model seems on track for its planned obsolescence.

The Dell XPS line has gotten some traction in the Linux community. However, having owned the XPS 13 (9343) for over a year, I would argue it failed to run anything glitch-free that wasn’t the latest version of Ubuntu. But what a beautiful design…

HP will not be making the cut as any customized model that fits my needs has an almost Apple-like price tag. I’ve never enjoyed their plastic-fantastic form-factor either. My mom keeps buying them, perhaps that factors in.

I will be returning to my roots and wager my money on another ThinkPad. The first great laptop I owned was an IBM ThinkPad X40: the perfect 12.1" hacker laptop, which ran Fedora Core Linux and is still in working order to this day.

Memory & Storage

As security professionals, we run many virtualized operating systems (guest VMs). This gobbles up RAM, CPU cores and hard disk space. Virtualization has made our work safer and far more efficient; it is here to stay.

Whichever model I end up with I will upgrade to 32GB of Random Access Memory (RAM) ($0.27/GB) and preferably a SATA III Internal Solid State Drive (SSD) (~$0.35/GB). Capability to upgrade to 64GB of RAM in the future would be “nice”.

When possible, I buy waterproof and shockproof electronics. I am a huge fan of the durable Adata HD720 product line ($0.065/GB) for secure project archival and system backups. It is the only external Hard Drive brand I’ve owned of which the drives outlasted other brands, generation upon generation.

Chipsets

Strong support for virtualization is an absolute need. I frequently work with VMware Fusion/Workstation/ESXi, as well as Xen and KVM. It is also the future of computing. Hardware-supported security would be superb.

Taking a page out of the Qubes 4 suggested hardware:

  • Intel® Virtualization Technology (VT-x)
  • Intel® Virtualization Technology for Directed I/O (VT-d)
  • Intel® Extended Page Table (EPT = SLAT)
  • Intel® Trusted Platform Module (TPM)

At the time of writing, 113 Intel CPUs match my criteria.
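To confirm the four features above on a candidate machine from a Linux live session, a small audit script helps. This is an added example, not part of the original article; the helper names are hypothetical, and the defaults are the standard Linux `/proc` and `/sys` locations, passed as arguments so they can be overridden.

```shell
#!/usr/bin/env bash
# Added example: check a Linux host for VT-x, EPT, VT-d and a TPM.
# Paths are arguments so the checks also work on files copied from another box.

# cpu_has FLAG [CPUINFO]: true if FLAG is listed on a "flags" or "vmx flags" line.
cpu_has() {
    local flag="$1" cpuinfo="${2:-/proc/cpuinfo}"
    sed -n 's/^\(vmx \)\{0,1\}flags[[:space:]]*: //p' "$cpuinfo" 2>/dev/null |
        tr ' ' '\n' | grep -qx -- "$flag"
}

# dir_has_entries DIR: true if DIR exists and is not empty.
dir_has_entries() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# report NAME CMD...: print NAME=yes or NAME=no from CMD's exit status.
report() {
    local name="$1"; shift
    if "$@"; then echo "$name=yes"; else echo "$name=no"; return 1; fi
}

# audit_hw [CPUINFO] [IOMMU_DIR] [TPM_DIR]: returns 0 only if all four pass.
audit_hw() {
    local cpuinfo="${1:-/proc/cpuinfo}"
    local iommu="${2:-/sys/kernel/iommu_groups}"   # populated when the IOMMU is active
    local tpm="${3:-/sys/class/tpm}"               # tpm0 appears when a TPM driver binds
    local rc=0
    report VT-x cpu_has vmx "$cpuinfo" || rc=1
    report EPT  cpu_has ept "$cpuinfo" || rc=1
    report VT-d dir_has_entries "$iommu" || rc=1
    report TPM  dir_has_entries "$tpm" || rc=1
    return "$rc"
}

audit_hw "$@" || echo "one or more required features missing or disabled" >&2
```

An empty IOMMU group directory can also mean VT-d is present but switched off in firmware setup or not enabled on the kernel command line, and a firmware TPM and a discrete dTPM both show up as `tpm0`.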

Threat Model

State-sponsored cyber attacks are not my immediate concern. I’m well aware of the internet war (1) (2) that is playing out between friend and foe alike. I know all things I do are being captured and stored indefinitely.

That said, Lenovo, please don’t let us down (again). China + Superfish + Lenovo Service Engine + Lenovo Customer Feedback Program. If I were considering Windows as my base operating system, you would not have made the cut.

I also enjoy reading comebacks for terrible arguments:

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say”
Edward Snowden

However, I am much more concerned with my professional responsibility towards my clients and keeping my sanity. I’ve come across (intentional?) backdoors left behind and malware introduced by other testers.

Security professionals never pirate, right? Do you analyze malware on the same machine you store client results? Every vendor solution that can effectively keep up with Endpoint Intrusion Prevention, Detection, and Remediation relies heavily on virtualization to do so.

“Just because you’re paranoid doesn’t mean they aren’t after you.”
Joseph Heller

I am opting not to concern myself with impractical paranoia surrounding Intel ME/FSP, and for that matter Intel vPro. This is a penetration testing laptop, not an “off-the-grid” laptop. The overly paranoid can sink their bitcoins into CrowdSupply campaigns like ORWL or look into disabling Intel ME.

I also choose to rely on the security features provided by IBM’s BIOS. Installing an open-source Basic Input Output System (BIOS) like Coreboot isn’t an option for newer ThinkPad models.

Graphics

To achieve the greatest compatibility, I will opt for an Intel GPU. In most cases, we offload all password cracking to cloud-based Linux GPU instances. No single laptop GPU could ever compete with that.

Obscure Linux and BSD distributions may react poorly to HiDPI screen resolutions. That said, screen real estate is king, and I cannot drag my external monitor with me to engagements.

Base Operating System (Dom0)

I plan to install Red Hat Fedora Linux, or in this case, the Qubes 4 “distribution” expected at the end of this year. Currently, Qubes 3 is a Fedora 23/Xen PV based system, but kind of different. With the upcoming release, they will move to hardware-enforced memory virtualization (Intel EPT).

For backups and project archiving, I am a huge fan of the durable Adata HD720 product line ($0.065/GB). The only brand I have owned during my lifetime of which the drives did not suddenly fail.

Using Linux as my everyday desktop does not make me that enthusiastic.

I love working with Red Hat Enterprise Linux (RHEL) / CentOS when engineering cloud-based environments. However, I abandoned Fedora 10 for OS X as weekly updates would break something essential.

Qubes-OS is a young distribution. There has been criticism over the prioritization of desktop bugs and choosing Xen over KVM. At the end of the day, it is their project; they are calling the shots.

My primary aim is to challenge myself to further improve my security posture and routines. Usable security is an often overlooked factor in managing IT risk. I have traced several incidents to malware brought into the network by third party penetration testers.

It will not hurt that I know the Red Hat distributions inside and out. The odds of success increase through my familiarity with preventing and detecting intrusions. I can only hope I do not lose time to debugging and reporting issues on a weekly basis.

Qubes appears well-documented. Should it for any reason not work out as planned I am likely to install a BSD based operating system and run KVM — but that’s a story for another day.

Virtual Guest Machines (DomU)

Qubes allows you to spin up persistent and disposable VMs based on Fedora, Debian, and Whonix.

It is reportedly easy to create templates for pentesting distributions BlackArch (Arch) and Kali (Debian). Installing a cloud-oriented pentesting distribution such as BackBox (Ubuntu) or Parrot (Debian) is an option.

With the release of Qubes 4, I expect better support for Windows and BSD. I will look into documenting the template creation for Alpine Linux.

ThinkPad Models

Only the T- and P-series support 32GB of RAM.

Though I might end up paying to have the SSD drive installed by the manufacturer, I am not paying $400 for a RAM upgrade to 32GB.

The P-series has absorbed the old W-series line and supports up to 64GB of RAM and a 1TB SSD. But every model sports an NVIDIA GPU, which guarantees issues due to its proprietary drivers.

Which leaves us with the T560, T460, T460p, and the T460s.

Please do your research into FHD (1920x1080) and WQHD (2560x1440) resolutions. Linux compatibility with HiDPI varies from application to application (Qt vs GTK). For some models, there no longer is a choice.

For several CPU upgrades, other components, such as the NVIDIA GPU, are mandated. I did opt for Windows Pro, backlit keyboard, fingerprint and smart card reader, and the large capacity battery (when available).

Using the RetailMeNot SAV30THINKPAD coupon, I managed an extra $75 in savings above the normal internet discount.

Note that

  • only the T460s supports a 1TB PCIe-NVMe SSD; the others tap out at 512GB.
  • 32GB DDR4–2133 currently costs about €130 or $120 whereas the older DDR3L-1600 costs €360 or $330. (Tweakers.net, NewEgg, Amazon)
  • only the T560 has hardware supported security through dTPM; all other systems have the Simulated Software TPM. (Note: upon receiving my model it does have Software TPM & Hardware dTPM)
  • all systems have Intel based Wireless radio cards (preferable addition when auditing WiFi/RF networks and not dealing with Broadcom-required binary blobs)

IBM ThinkPad T560 @ $955

http://shop.lenovo.com/us/en/laptops/thinkpad/t-series/t560/

ThinkPad T560 misaligned keyboard, credit IBM.com

Specs:

  • Processor: Intel Core i7–6600U Processor (4MB Cache, up to 3.40GHz)
    Operating System: Windows 10 Pro 64
    Operating System Language: Windows 10 Pro 64 English
    Display Panel: 15.6" FHD IPS (1920x1080), No Touch, WWAN
    Memory: 4GB PC3–12800 DDR3L 1600MHz SODIMM
    Graphics: Intel HD Graphics 520
    Security Chip: Software TPM & Hardware dTPM
    Keyboard: Backlit Keyboard with Number Pad — English
    Pointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint Reader
    TPM Setting: Software TPM Enabled
    Camera: 720p HD Camera
    Hard Drive: 128 GB Solid State Drive, SATA3
    System Expansion Slots: Smart Card Reader
    Front Battery: ThinkPad Battery 3 cell Li-Polymer (44Whr) Front
    Rear Battery: 6 Cell Li-Ion Battery 72WH Cylindrical Rear
    Power Cord: 45W AC Adapter — US(2pin)
    Wireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vPro
    Integrated Mobile Broadband: Integrated Mobile Broadband upgradable
    Language Pack: Publication — English
    Warranty: 1 Year Depot or Carry-in

Pros and cons:
- Terrible keyboard!!!
+ i7 processor
+ 15.6" screen
+ FHD resolution
- up to 32GB DDR3L RAM (expensive stuff!)
~ max 512GB SATA3 SSD
+ Hardware dTPM

IBM ThinkPad T460p @ $915

http://shop.lenovo.com/us/en/laptops/thinkpad/t-series/t460p/

Specs:

  • Processor: Intel Core i5–6440HQ MB
    Operating System: Windows 10 Pro 64
    Operating System Language: Windows 10 Pro 64 English
    Display: 14.0 WQHD(2560 x 1440) IPS Non-Touch (only option)
    Graphics: Intel HD Graphics 530
    Memory: 4GB DDR4–2133 SODIMM
    Camera: 720p HD Camera
    Keyboard: Keyboard Backlit — English
    Pointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint Reader
    Security Chip: Software TPM Enabled
    First Hard Drive: 128 GB Solid State Drive, SATA3
    System Expansion Slots: Smart Card Reader
    Battery: ThinkPad Battery 6 cell Li-Ion (72Wh) Cyl HC Rear
    Power Cord: 90W AC Adapter (2pin) — US
    Wireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vPro
    Integrated Mobile Broadband: Integrated Mobile Broadband upgradable
    Display Panel: T460p WQHD IPS AG WW PAINT
    Language Pack: Publication — English
    Warranty: 1 Year Depot or Carry-in

Pros and cons:
- i5 processor (i7 forces NVIDIA)
~ 14" screen
- WQHD screen (FHD currently unavailable)
+ up to 32GB DDR4 RAM
~ max 512GB SATA SSD
+ Hardware dTPM (even if not listed in product description)

IBM ThinkPad T460 @ $1061

http://shop.lenovo.com/us/en/laptops/thinkpad/t-series/t460/

Specs:

  • Processor: Intel Core i7–6600U Processor (4MB Cache, up to 3.40GHz)
    Operating System: Windows 10 Pro 64
    Operating System Language: Windows 10 Pro 64 English
    Display: 14.0" FHD IPS (1920 x 1080),No Touch,No WiGig,WWAN,WLAN
    Graphics: Intel HD Graphics 520
    Memory: 4GB PC3–12800 DDR3L SDRAM 1600MHz SODIMM
    Camera: 720p HD Camera
    Keyboard: Keyboard Backlit — English
    Pointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint Reader
    Security Chip: Software TPM Enabled
    Hard Drive: 128GB Solid State Drive, SATA3
    System Expansion Slots: Smart Card Reader
    Front Battery: ThinkPad Battery 3 cell Li-Ion (23.2Whr) Front
    Rear Battery: ThinkPad Battery 6 cell Li-Ion (72Wh) Cyl HC Rear
    Power Cord: 45W AC Adapter — US(2pin)
    Wireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vPro
    Integrated Mobile Broadband: Integrated Mobile Broadband upgradable
    Language Pack: Publication — English
    Warranty: 1 Year Depot or Carry-in

Pros and cons:
+ i7 processor
~ 14" screen
+ FHD screen
- up to 32GB DDR3L RAM (expensive stuff!)
~ max 512GB SATA SSD
+ Hardware dTPM (even if not listed in product description)

IBM ThinkPad T460s @ $983

https://shop.lenovo.com/us/en/laptops/thinkpad/t-series/t460s/

Specs:

  • Offering Model: Transactional Model
    Processor: Intel Core i7–6600U Processor (4MB Cache, up to 3.40GHz)
    Operating System: Windows 10 Pro 64
    Operating System Language: Windows 10 Pro 64 English
    Display: 14.0 FHD(1920x1080) IPS Non-Touch
    Graphics: Intel HD Graphics 520
    Memory: 4GB DDR4–2133 4GB Onboard
    Camera: 720p HD Camera with MIC
    Keyboard: Keyboard — English
    Pointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint Reader
    Security Chip: Software TPM Enabled
    Hard Drive: 128 GB Solid State Drive, SATA3
    System Expansion Slots: Smart Card Reader
    Front Battery: 3 Cell Li-Ion Battery 23.5WH Front
    Rear Battery: 3 Cell Li-Ion Battery 26WH Rear (no upgrade available)
    Power Cord: 45W AC Adapter — US(2pin)
    Wireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vPro
    WWAN Selection: WWAN
    Integrated Mobile Broadband: Integrated Mobile Broadband upgradable
    Display Panel: 14.0" FHD IPS 250nit (1920 x 1080),No Touch,720p HD Camera,Mic,WWAN,No WiGig,WLAN
    Language Pack: Publication — English
    Warranty: 1 Year Depot or Carry-in

Pros and cons:
+ i7 processor
~ 14" screen
+ FHD screen
+ DDR4 RAM
- only up to 20GB :(
+ max 1TB PCIe-NVMe SSD ($500 upgrade)
- no large capacity battery
+ Hardware dTPM (even if not listed in product description)

Decision

If I had to choose today, it would be the T460p. $812 on checkout with the stock HD and coupon.

Upgrading it myself to a 512GB SATA SSD will run me $220, $70 cheaper than Lenovo’s upgrade. Assuming I spend $120 on the 32GB of RAM, I will own a laptop capable of running my digital toolkit, for $1152.

ThinkPad T460 award-winning keyboard, credit IBM.com

Compare that to the $3200 I would need to shell out for a 15" Macbook Pro that maxes out at 16GB of RAM!

Buying a ThinkPad doesn’t always grant immediate gratification. Most modifications to the configuration trigger a 3–5 week delivery time.

September 2016 update

To conclude this article, I will share with you my final decision and remaining thoughts:

I ordered the T460p when it came back on the weekly sale, apparently the only time the coupon works. I opted for the 14.0 FHD IPS Non-Touch Display and with additional warranty and taxes paid $866.48.

Warning: do not get a model with “Windows Signature Edition”.

I grabbed the G.SKILL Ripjaws Series 32GB (F4–2133C15D-32GRS) for $119.99 and the SAMSUNG 850 PRO 2.5" 1TB SSD (MZ-7KE1T0BW) for $422.66, pushing my total amount wagered to $1409.13.

It was easy to opt for Samsung as they build the entire SSD themselves; it was harder to decide between their EVO and PRO line. I did end up going over my budget for that component to guarantee sufficient disk space, I/O performance, and longevity.

If you are willing to spend $2500 or more, I recommend taking a closer look at the HP Zbook. This model is currently listed three times on NotebookCheck’s “Top 10 Workstation Laptops”. Furthermore, they allow customers to have an Intel GPU, opt out of vPro, Windows licenses, having a webcam or even a hard-drive!

Continue reading my follow-up article: evaluating Qubes OS as a penetration testing platform.

Do you have any advice? Corrections or additions?

Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section.
