Build A Professional Practice Lab – 101

---

Table of Contents

• General Info
• Virtual Machines
• Installing/Configuring Active Directory
• Building a Pentest Lab
• Infrastructure Automation
• To Do
  • Building a Defensive Lab
  • Infra Automation

---

General

• This page is supposed to be a collection of resources for building a lab for performing various security-related tasks. Generally, the idea is that you set up a local VM hypervisor software(VMware, Virtualbox) and then install a virtual machine to perform testing and analysis without any impact on your “physical” machine.

---

Virtual Machines

• 101
  • Virtual Machine – Wikipedia
• VM Hypervisor Software
  • Desktop
    • Oracle VirtualBox – free
    • VMware Workstation – paid
  • Server
    • Proxmox – free
    • VMware vSphere – free
    • Xen – free
• Obtaining VMs
  • Internet Explorer Windows Vista through 10 Virtual Machines
  • Windows Server Evaluation ISOs
  • Vulnhub
    • Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there are around 100 or so different VMs on Vulnhub, so you have a bit of variation.
  • macOS-Simple-KVM
    • Documentation to set up a simple macOS VM in QEMU, accelerated by KVM.
  • unlocker
    • VMware Workstation macOS
  • Running macOS Catalina Beta on VirtualBox Linux – Astr0baby
• Automated Lab/Machine Creation Tools
  • Security Scenario Generator (SecGen)](https://github.com/cliffe/SecGen)
    • SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
  • Detection Lab
    • Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
  • Set up your own malware analysis lab with VirtualBox, INetSim and Burp – Christophe Tafani-Dereeper
  • CyRIS: Cyber Range Instantiation System
    • CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a, cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST).
  • DockerSecurityPlayground
    • A Microservices-based framework for the study of Network Security and Penetration Test techniques
• VMs/Apps Designed to be Attacked
  • List of VMs that are preconfigured virtual machines
  • The Hacker Games – Hack the VM before it hacks you
    • I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures. In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game. To save precious bandwidth, this has been implemented in a minimal tinycore-based VM and will require VirtualBox to run.
  • AWS
    • AWS Well-Architected Security Labs – Amazon(Official)
      • This repository contains documentation and code in the format of hands-on labs to help you learn, measure, and build using architectural best practices. The labs are categorized into levels, where 100 is introductory, 200/300 is intermediate and 400 is advanced.
    • CloudGoat
      • CloudGoat is Rhino Security Labs’ “Vulnerable by Design” AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several “capture-the-flag” style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario’s goal(s).
    • CloudGoat 2: The New & Improved “Vulnerable by Design” AWS Deployment Tool – Jeffrey Anderson
    • CloudGoat 2 Walkthrough – Part One – thetestlabs.io
    • OWASP Mutillidae II
      • OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application that provides a target for web security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an “assess the assessor” target for vulnerability assessment software.
    • Lambda
      • lambhack
        • A vulnerable serverless lambda application. This is certainly a bad idea to base any coding patterns on what you see here. lambhack allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks, and more. This first release only contains arbitrary code execution through the query string. Please feel free to contribute new vulnerabilities.
  • Docker
    • Down by the Docker
      • Ever fantasized about playing with docker misconfigurations, privilege escalation, etc. within a container? Download this VM, pull out your pentest hats and get started
    • Vulhub – Some Docker-Compose files for vulnerabilities environment
    • Vulnerable Docker VM – notsosecure
  • Exploit Development
    • exploit_me
      • Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms)
  • Git Repo
    • Leaky Repo
  • Router
    • iv-wrt
      • An Intentionally Vulnerable Router Firmware Distribution
  • Thick Client
    • Damn Vulnerable Thick Client Application – Part 1 – Setup – Parsia’s Den
  • Web Application Focused
    • OWASP
      • OWASP Vulnerable Web Applications Directory Project/Pages/Offline
      • OWASP Broken Web Applications Project
        • OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.
      • OWASP Juiceshop
        • OWASP Juice Shop(Github)
        • OWASP Juice Shop is an intentionally insecure web application written entirely in Javascript which encompasses the entire range of OWASP Top Ten and other severe security flaws.
        • OWASP JuiceShop Gitbook walkthrough
        • Video Walk through by Sunny Wear
        • Pwning OWASP Juice Shop
      • OWASP Damn Vulnerable Web Sockets
        • OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application that works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.
      • NodeGoat
        • Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP’s Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
      • OWASP DevSlop Project
        • collection of DevOps-driven applications, specifically designed to showcase security catastrophes and vulnerabilities for use in security testing, software testing, learning and teaching for both developers and security professionals.
    • General
      • Damn Vulnerable Web App
        • Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid both students & teachers in learning about web application security in a controlled classroom environment.
      • Damn Small Vulnerable Web
        • Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports the majority of (most popular) web application vulnerabilities together with appropriate attacks.
      • File scanner web app (Part 1 of 5): Stand-up and webserver
      • Xtreme Vulnerable Web Application (XVWA)
        • XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in a local/controlled environment and sharpening your application security ninja skills with any tools of your own choice.
      • Hackazon
        • Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows, and RESTful APIs used by a companion mobile app providing uniquely effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting, and so on.
      • Vulnerable Web applications Generator
        • This is the Git repo of the VWGen, which stands for Vulnerable Web Applications Generator.
      • secDevLabs
        • By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. woman_technologist
    • API
      • vulnerable-api
      • How to configure Json.NET to create a vulnerable web API
    • Django
      • django.nV
        • django.nV is a purposefully vulnerable Django application provided by nVisium.
    • JSP
      • MoneyX
        • MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
    • Node.js
      • node.nV
        • Intentionally Vulnerable node.js application
      • goat.js
        • Tutorial for Node.js security
      • Damn Vulnerable NodeJS Application(DVNA)
        • Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP’s Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities. Fixes for vulnerabilities OWASP Top 10 2017 vulnerabilities at fixes-2017 branch.
    • Ruby
      • grails_nV
        • grails_nV is a vulnerable job listing website.
      • RailsGoat
        • RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some “extras” that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
    • SSRF
      • SSRF Vulnerable Lab
        • This repository contains PHP codes that are vulnerable to Server-Side Request Forgery (SSRF) attacks.
    • SSO
      • Vulnerable SSO
        • Vulnerable SSo is focused on single sign-on-related vulnerabilities. If you want to learn, you should check this and contribute to this project. VulnSSO tool is focused on SSO attacks. Nowadays most of the company use their own implementation for sso solutions. Some of the bug hunters found a really good vulnerability in the big company. There are some tools(dvwa and others .. ) that contain vulnerability. They don’t have any support for sso vulnerability. Our focus is only sso related bugs. VulnSSO is a training tool. It will contain redirect uri vulnerability, XXE on Saml request, and many others.
    • Web Cache Poisoning
      • Web Cache Poisoning Lab
        • Welcome to the Cache Poisoning Lab. In this lab, you will have the opportunity to experiment with some of the vulnerabilities presented in the brilliant paper Practical Web Cache Poisoning by James Kettle.

---

Setting up ActiveDirectory Focused Labs

• Official Documentation
  • Install AD DS using Powerhsell
  • Active Directory Domain Services Overview
  • Understanding Active Directory – docs.ms
  • Windows Server 2016: Build a Windows Domain Lab at Home for Free – social.technet
• Guides
  • Building an Effective Active Directory Lab Environment for Testing – adsecurity.org
  • Step-By-Step: Setting up Active Directory in Windows Server 2016 – blogs.technet
  • Pentest Home Lab – 0x2 – Building Your AD Lab on Premises-SethSec
  • Building and Attacking an Active Directory lab with PowerShell – 1337red
  • DarthSidious
    • Building an Active Directory domain and hacking it
  • Creating a SCCM Lab: Part 1 – Setting up AD
  • Build a new Windows Domain with a (semi) easy button – Craig Bowser
  • Introducing the Active Directory Learning Lab – @jckhmr_t
    • I’m a big fan of automation with tools such as Ansible, Vagrant and Terrorm now being put to regular use by me. Also, as a Red Team Operator I spend a lot of time modelling attacks up, trying new ideas out and generally keeping myself ‘sharp’. I wanted to create something that help me to scratch all of these itches. The research and development culminated in my BSides Belfast 2019 presentation: Offensive Ansible for Red Teams (Attack, Build, Learn).
  • AWS
    • Active Directory Domain Services on the AWS Cloud: Quick Start Reference Deployment – docs.aws
    • Active Directory Domain Services on AWS
      • This Quick Start deploys Microsoft Active Directory Domain Services (AD DS) on the AWS Cloud. AD DS and Domain Name Server (DNS) are core Windows services that provide the foundation for many Microsoft-based solutions for the enterprise, including Microsoft SharePoint, Microsoft Exchange, and .NET Framework applications.
  • Azure
    • Disruption
      • Disruption is a code for Terraform to deploy a small AD domain-based environment in Azure. The environment contains two domain controllers (Windows Server 2012), Fileserver + Web server (Windows Server 2019), Windows 7 client, Windows 10 client, and kali Linux machine. They are connected to the same subnet. Each windows machine has some packages being installing during deployment (the list can be viewed and modified here: chocolist). All the needed configurations (Domain creation, DC promotion, joining the machines to the domain and more are automated and part of the deployment. However, there are more improvments to be added (creating OUs, Users, and stuff like that. I’ll might get to it in the future, or, you will submit a pull request :))
• Tools
  • Lab Generation
    • WSLab – Official Microsoft Stuff
      • Windows Server rapid lab deployment scripts
    • AutomatedLab
      • AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc.
    • Automated-AD-Setup
      • A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening.
    • Invoke-ADLabDeployer
      • Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
      • Blogpost)
  • User Generation
    • ADImporter
      • When you need to simulate a real Active Directory with thousands of users you quickly find that creating realistic test accounts is not trivial. Sure enough, you can whip up a quick PowerShell one-liner that creates any number of accounts, but what if you need real first and last names? Real (existing) addresses? Postal codes matching phone area codes? I could go on. The point is that you need two things: input files with names, addresses etc. And script logic that creates user accounts from that data. This blog post provides both.
    • youzer
      • Fake User Generator for Active Directory Environments
  • User Simulation
    • sheepl
      • sheepl is a tool that aims to bridge the gap by emulating the behaviour that people normally undertake within a network environment. Using Python3 and AutoIT3 the output can be compiled into a standalone executable without any other dependancies that when executed on an Windows endpoint, executes a set of tasks randomly over a chosen time frame.

---

Building a Pen test lab

• Guides
  • DarthSidious
    • To share my modest knowledge about hacking Windows systems. This is commonly refered to as red team exercises. This book however, is also very concerned with the blue team; the defenders. That is, helping those who are working as defenders, analysts and security experts to build secure Active Directory environments and monitor them for malicious activity.
  • SANS Webcast: Building Your Own Super Duper Home Lab
  • Home Lab with pfSense & VMware Workstation – sysadmin perspective
    • I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
  • Setting Up a Pentest/Hacking Lab with Hyper-V
  • Hack Yourself: Building a Test Lab – David Boyd
  • Hack-Yourself: Building a pentesting lab for fun & profit
  • Setting up a Windows Lab Environment
  • Setting Up A Penetration Testing Lab – Rapid7
  • Building a Pentest Lab – stan.gr
• Tools
  • DumpsterFire
    • Slides
    • The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled “live fire” range events. Build event sequences (“narratives”) to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
  • Pentest Environment Deployer
    • This repo provides an easy way to deploy a clean and customized pentesting environment with Kali linux using vagrant and virtualbox.
• In the Clouds
  • AWS
    • Official Documentation
      • Getting Started with AWS Managed Microsoft AD – docs.aws
      • Active Directory Domain Services on the AWS Cloud: Quick Start Reference Deployment
    • Un-Official
      • Building A Lab on AWS – 0x1 SethSec
      • Pentesting In The Cloud – primalsecurity
  • Azure
    • Building a security lab in Azure – blogs.technet
  • GCP– GitHub – iknowjason/Awesome-CloudSec-Labs

---

Building a Defensive Lab

• Guides
• Tools
• In the Clouds
  • Securing Azure Infrastructure – Hands on Lab Guide – Adam Raffle, Tom Wilde

---

Infrastructure Automation 

• Articles/Blogposts
  • PhoenixServer – Martin Fowler
  • An introduction to immutable infrastructure – Josh Stella
  • An Introduction to the /opt Directory – Nick Sweeting
  • Automation Testing With Ansible, Molecule, And Vagrant – Mike Spitzer
• Infrastructure Automation
  • An Intro to Terraform with Azure, PFSense, and Windows 10 – FortyNorth Security
  • Automating Red Team Homelabs: Part 2 – Build, Pentest, Destroy, and Repeat – Alex Rodriguez
  • Self-Installing Windows OVA
    • This is a Virtual Machine in OVA format that will install Windows on top of itself. I wrote this as an alternative to the packer. This OVA basically downloads the evaluation version of the Windows version you select to one drive as installation media and then installs onto the primary drive. After this is done, the smaller secondary drive can be discarded to save disk space.
  • Modern C2 Infrastructure with Terraform, DigitalOcean, Covenant and Cloudflare – Riccardo
  • Automating Red Team Homelabs: Part 1 – Kali Automation – Alex Rodriguez
• Sort
  • Building a scalable, highly available, and portable web server – Surya Dantuluri
  • Containerised Home Server With Docker Compose and Traefik – Kristian Glass
  • Modern Windows Attacks and Defense Lab
    • This is the lab configuration for the Modern Windows Attacks and Defense class that Sean Metcalf (@pyrotek3) and I(Jared Haight) teach.