Build A Professional Practice Lab – 101

All Blog

Table of Contents


  • This page is supposed to be a collection of resources for building a lab for performing various security related tasks. Generally, the idea is that you setup a local VM hypervisor software(VMware, Virtualbox) and then install a virtual machine to perform testing and analysis without any impact to your “physical” machine.

Virtual Machines

  • 101
  • VM Hypervisor Software
  • Obtaining VMs
  • Automated Lab/Machine Creation Tools
    • Security Scenario Generator (SecGen)](
      • SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
    • Detection Lab
      • Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
    • Set up your own malware analysis lab with VirtualBox, INetSim and Burp – Christophe Tafani-Dereeper
    • CyRIS: Cyber Range Instantiation System
      • CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a, cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST).
    • DockerSecurityPlayground
      • A Microservices-based framework for the study of Network Security and Penetration Test techniques
  • VMs/Apps Designed to be Attacked
    • List of VMs that are preconfigured virtual machines
    • The Hacker Games – Hack the VM before it hacks you
      • I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures. In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game. To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run.
    • AWS
      • AWS Well-Architected Security Labs – Amazon(Official)
        • This repository contains documentation and code in the format of hands-on labs to help you learn, measure, and build using architectural best practices. The labs are categorized into levels, where 100 is introductory, 200/300 is intermediate and 400 is advanced.
      • CloudGoat
        • CloudGoat is Rhino Security Labs’ “Vulnerable by Design” AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several “capture-the-flag” style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario’s goal(s).
      • CloudGoat 2: The New & Improved “Vulnerable by Design” AWS Deployment Tool – Jeffrey Anderson
      • CloudGoat 2 Walkthrough – Part One –
      • OWASP Mutillidae II
        • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an “assess the assessor” target for vulnerability assessment software.
      • Lambda
        • lambhack
          • A vulnerable serverless lambda application. This is certainly a bad idea to base any coding patterns of what you see here. lambhack allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks aand more. This first release only contains arbitrary code execution through the query string. Please feel free to contribute new vulnerabilities.
    • Docker
    • Exploit Development
      • exploit_me
        • Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms)
    • Git Repo
    • Router
      • iv-wrt
        • An Intentionally Vulnerable Router Firmware Distribution
    • Thick Client
    • Web Application Focused
      • OWASP
      • General
        • Damn Vulnerable Web App
          • Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
        • Damn Small Vulnerable Web
          • Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports majority of (most popular) web application vulnerabilities together with appropriate attacks.
        • File scanner web app (Part 1 of 5): Stand-up and webserver
        • Xtreme Vulnerable Web Application (XVWA)
          • XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice.
        • Hackazon
          • Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.
        • Vulnerable Web applications Generator
          • This is the Git repo of the VWGen, which stands for Vulnerable Web applications Generator.
        • secDevLabs
          • By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. woman_technologist
      • API
      • Django
        • django.nV
          • django.nV is a purposefully vulnerable Django application provided by nVisium.
      • JSP
        • MoneyX
          • MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
      • Node.js
        • node.nV
          • Intentionally Vulnerable node.js application
        • goat.js
          • Tutorial for Node.js security
        • Damn Vulnerable NodeJS Application(DVNA)
          • Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities. Fixes for vunerabilities OWASP Top 10 2017 vulnerabilities at fixes-2017 branch.
      • Ruby
        • grails_nV
          • grails_nV is a vulnerable jobs listing website.
        • RailsGoat
          • RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some “extras” that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
      • SSRF
        • SSRF Vulnerable Lab
          • This repository contain PHP codes which are vulnerable to Server-Side Request Forgery (SSRF) attack.
      • SSO
        • Vulnerable SSO
          • Vulnerable SSo is focused on single sign on related vulnerabilities. If you want to learn, you should check this and contribute this project. VulnSSO tool is focused on sso attacks. Nowadays most of the company uses their own implementation for sso solutions. Some of the bug hunters found really good vulnerability on the big company. There are some tools(dvwa and others .. ) that contains vulnerability. They don’t have any support for sso vulnerability. Our focus is only sso related bugs. VulnSSO is training tool.It will contain redirect uri vulnerability , XXE on saml request and many others.
      • Web Cache Poisoning
        • Web Cache Poisoning Lab
          • Welcome to the Cache Poisoning Lab. In this lab you will have the opportunity to experiment with some of the vulnerabilities presented in the brilliant paper Practical Web Cache Poisoning by James Kettle.

Setting up ActiveDirectory Focused Labs

Building a Pen test lab

Building a Defensive Lab

Infrastructure Automation 

Leave a Reply

Your email address will not be published.