However many books you've read or courses you've taken, you know nothing beats hands-on practice. Obviously, attacking random systems is out of the question (ethical hackers avoid legal trouble), and paid services can be pricey. The obvious alternative is to build the lab yourself, right?
Good news, we're going to show you how to do exactly that! In fact, we'll show you four levels of difficulty and complexity for your home lab.
First, we'll cover a basic setup that has your attack box and a vulnerable machine to work on. Second, we'll chain vulnerable machines together, so you have a virtual lab network to practice pivoting through. Third, we'll get you going on an Active Directory domain controller. Finally, we'll help you build your own vulnerable, multi-machine, Active Directory network to really hone those hacking skills.
So get your fingerless gloves, baggy black hoodie, and energy drink ready because you're about to learn how to create a virtual hacking lab for pentesting.
What Is a Virtual Hacking Lab?
If this is old news, feel free to jump down to the Preparation section. Otherwise, we encourage you to read on.
A virtual hacking lab is a simulated environment with intentionally vulnerable machines for you to attack within your home network. These vulnerable hosts will be run through virtualization software, allowing them to run inside your current host machine as if they were their own physical computer. We are basically creating computers within your computer - no need for additional physical hardware.
Once set up, you will use your attacking machine to scan these targets for vulnerabilities and attempt to break into them. There are benefits and downsides to a setup like this.
The biggest benefit is cost. All the examples we will be showing you are absolutely free! You can start right now without a credit card. You also have the ability to customize your lab however you like, so long as you have the technical skills. Finally, you have unlimited time to work on a target. You can leave these machines open or save their state and shut them down until later.
It's not perfect, however. You need to have the physical resources to handle your lab. This means a CPU capable of virtualization (you probably have this, but it's not a guarantee) and enough RAM to partition out. It also means you are handling technical issues and troubleshooting on your own.
Paid vulnerable-systems-as-a-service, such as HackTheBox, handle all of this for you (at a cost, of course).
Despite this, a home lab remains a great option for hacking in a virtual environment. Being forced to troubleshoot is a great learning experience, and with our walkthrough, you shouldn't have much issue. Now, let's talk about preparation.
Preparation
Let's make sure you have what you need to get started before building out the labs.
What Hardware Do I Need?
Firstly, let's talk about hardware. You will need a CPU that can handle virtualization. If you're on Windows, hit Ctrl+Shift+Esc to open the Task Manager and click the Performance tab. If it says "Virtualization: Enabled", you're good to go.
Alternatively, you can check your CPU online to see if it qualifies. Most modern CPUs (made in the last five years) won't have any issues.
You'll also need sufficient RAM. For our Level 1 build, you can probably get away with 6GB on the low end (8GB preferred). When you start running multiple machines (three or more), you'll want to have at least 16GB to run the machines and your host system. For our last build in the list, you'll need a lot of resources, but we'll explain that more when we get there.
Now let's get you the software.
What Software Do I Need?
You'll need your hypervisor - the virtualization software we'll use to run the machines. There are many options, including Hyper-V and VMware (learn how to install Kali Linux on VMware here), but we will install VirtualBox by Oracle in this article.
Visit the VirtualBox website and download the latest version for your operating system. They have versions for Windows, macOS, Linux, and Solaris systems. The standard installation options will be fine (we trust this isn't your first time installing a program, so we'll leave you to it).
Once you have VirtualBox installed, we'll need an attack box. There are several operating systems designed for this purpose, such as ParrotOS and BlackArch Linux, but we will be installing Kali Linux, as it still holds the greatest market share.
To install Kali Linux, go to the Kali Linux website and select "Virtual Machines."
You will want to download the VirtualBox 64-bit image file. This one is already pre-configured for VirtualBox, so you don't have to go through the trouble of installing it as a fresh image.
Your download will finish as a zipped file. Double-click the downloaded file to open it with your default zip program. (Don't have one? Try 7zip.) Once opened, drag the compressed file to a location of your choice and wait for the extraction to complete.
Navigate to the extracted folder and double-click on the .vbox file.
Once you click open, it will launch VirtualBox and the virtual machine will appear listed in the left panel of your VM manager.
With your Kali Linux instance highlighted, click on "Settings" (the yellow gear icon), and go to Network. Make sure that Adapter 1 is set to NAT.
Then move over to the Adapter 2 tab and select Host-only Adapter.
Click "OK" to close the settings box. You can now launch Kali Linux by clicking the Start button with the green arrow up top. The default login credentials are:
- Username kali
- Password kali
You should now have access to your Kali Linux attack box.
If you want a more in-depth tutorial on setting up Kali on VirtualBox, you can see our article here.
Level One: Single Target
There are many famous vulnerable virtual machines on the internet, including OWASP Broken Web Application, Damn Vulnerable Web App, and Metasploitable 1-3. These and more can be found on VulnHub, a massive collection of different vulnerable VMs free for download.
Which new virtual machine you start with will depend on your skill level and what types of attacks and vulnerabilities you want to practice. Since this is a beginner-level lab, we'll use Metasploitable 2 for our example.
Download and Install Metasploitable 2
In VulnHub, search Metasploitable 2, and download. As of the time of writing, the direct download link for Metasploitable 2 is here, but this can change without notice.
Many of the machines on VulnHub will come as VirtualBox Machine Image files that only require a double-click to import. Metasploitable, however, only comes as a .vmdk file, which will take a few extra steps to set up.
- In VirtualBox Manager, select New
- Fill in the "Name" you want to call this VM (we'll call it metasploitable2)
- Choose a folder to save the VM to (we suggest keeping all your VMs together in one place)
- Select the Type of system (in this case, Linux)
- Choose the Version (we will simply select Other Linux 64-bit)
- Click Next
- You can leave the default RAM allocation as-is and click Next again.
- When you reach the Hard Disk screen, choose "Use an existing virtual hard disk file" and click the folder icon. A Hard Disk Selector screen will open up. Click Add.
- Navigate to the location of the .vmdk file and choose it.
- It will then be added to the Selector List. Select it and click Choose.
- Finally, click "Create" and the machine will appear in VirtualBox Manager underneath your Kali Linux VM.
- Follow the steps in the Preparation section to set Metasploitable's Network Adapter to Host-only (not NAT).
Booting the Lab
To boot a virtual machine, highlight it in the manager and click start. Boot both up now. You will have your Kali Linux instance and the Metasploitable VM open.
All you need to do now is discover Metasploitable's IP address, and you can start hacking away. Note that this VM has no graphical user interface.
Since both machines are on the same network, you can use a tool like Netdiscover or Nmap to scan the network. You can also go the quick route and log in to Metasploitable with the credentials username msfadmin and password msfadmin, and use the ifconfig command to get the IP address.
We've gone through the two primary ways you will have to install a vulnerable machine; .vbox and .ovf files only need to be double-clicked while .vmdk requires extra steps. We've also seen what we consider the best source for vulnerable hacking machines on the web, VulnHub. There are lots of machines to keep you busy with your favorite pentesting tools, but if you want to add to your challenge, let's talk pivoting.
Level Two: Pivoting Lab
The level one lab is great to practice attacks on websites, databases, email servers, and other services that are typically exposed to the internet. In reality, the target you're after is likely within a network you cannot access directly. What you need to do is find an exposed machine or service, hack into it, and use the newly compromised machine as your entryway.
This system would connect both to the network we have access to, such as the public internet, and to the target's internal network, which we cannot access. By compromising this machine, we can pass our traffic through it and continue our attack. Let's set this up now.
Adapter Settings
We need to make some changes to our network. Go to the preferences menu in your VirtualBox manager.
Select Network and click the button with the plus sign on the far right to add a NAT Network adapter.
We will be adding two adapters. The first we will call "External" with a Network CIDR of 192.168.100.0/24, and the second we will call "Internal" with a Network CIDR of 10.10.3.0/24. Note that it really doesn't matter what IP ranges you use so long as they are valid internal IP CIDRs with different ranges.
With both of these adapters ready, we can set up our boxes.
Virtual Machines
For this lab environment, we will require three machines.
- Our attack box
- Our pivot box
- Our internal target machine
We already have our attack box, and we can use Metasploitable as our internal target machine. All we need is one more machine to act as a pivot point. For this demonstration, I will be using a simple Ubuntu instance. You don't need to follow along with this section; this is just to demonstrate the proof-of-concept.
Go into the settings for each box as we did in Level One. We will use the following network settings.
| | Kali Linux | Pivot Box | Target |
|---|---|---|---|
| Adapter 1 | NAT | NAT Network External | NAT Network Internal |
| Adapter 2 | NAT Network External | NAT Network Internal | |
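The host-only instruction in Level One and the adapter table above both come down to which VirtualBox network each NIC is attached to. The script below is an added example, not part of the original article: it parses saved `VBoxManage showvminfo --machinereadable` output to confirm that a vulnerable VM has no NAT or bridged adapter and that the target shares a network only with the pivot. The sample files, their names, and the `vboxnet0` adapter name are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit lab VM network attachments before booting anything.
# Each input file holds the output of:
#   VBoxManage showvminfo "<vm name>" --machinereadable

# Print one "mode:name" line per attached NIC, e.g. "natnetwork:External".
nic_segments() {
  awk -F= '
    function val(s) { gsub(/"/, "", s); return s }
    $1 ~ /^nic[0-9]+$/             { mode[substr($1, 4)]  = val($2) }
    $1 ~ /^nat-network[0-9]+$/     { name[substr($1, 12)] = val($2) }
    $1 ~ /^hostonlyadapter[0-9]+$/ { name[substr($1, 16)] = val($2) }
    $1 ~ /^intnet[0-9]+$/          { name[substr($1, 7)]  = val($2) }
    $1 ~ /^bridgeadapter[0-9]+$/   { name[substr($1, 14)] = val($2) }
    END { for (n in mode) if (mode[n] != "none") print mode[n] ":" name[n] }
  ' | sort
}

# Level One: list attachments that are not host-only or internal-network.
# Empty output means the vulnerable VM has no adapter routing beyond the host.
exposed_nics() {
  nic_segments < "$1" | grep -v -e '^hostonly:' -e '^intnet:' || true
}

# Segments two VMs have in common. Plain "nat" is skipped because VirtualBox
# gives every VM its own private NAT, so two NAT adapters never share a LAN.
lan_segments() {
  nic_segments < "$1" | grep -v '^nat:' || true
}
shared_segments() {
  a=$(lan_segments "$1")
  b=$(lan_segments "$2")
  [ -n "$a" ] && [ -n "$b" ] || return 0
  printf '%s\n' "$a" | grep -Fx -e "$b" || true
}

# Level Two: the target must be reachable only through the pivot.
check_pivot_lab() {  # args: attacker-file pivot-file target-file
  rc=0
  [ -z "$(shared_segments "$1" "$3")" ] || { echo "FAIL: attacker and target share a network"; rc=1; }
  [ -n "$(shared_segments "$1" "$2")" ] || { echo "FAIL: attacker cannot reach the pivot"; rc=1; }
  [ -n "$(shared_segments "$2" "$3")" ] || { echo "FAIL: pivot cannot reach the target"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK: target is reachable only through the pivot"
  return "$rc"
}

# Constructed showvminfo excerpts matching the Level Two adapter table,
# plus a Level One target that is host-only.
write_samples() {
  cat > "$1/kali.txt" <<'EOF'
name="kali"
nic1="nat"
natnet1="nat"
nictype1="82540EM"
nic2="natnetwork"
nat-network2="External"
nic3="none"
EOF
  cat > "$1/pivot.txt" <<'EOF'
nic1="natnetwork"
nat-network1="External"
nic2="natnetwork"
nat-network2="Internal"
EOF
  cat > "$1/target.txt" <<'EOF'
nic1="natnetwork"
nat-network1="Internal"
nic2="none"
EOF
  cat > "$1/level1_target.txt" <<'EOF'
nic1="hostonly"
hostonlyadapter1="vboxnet0"
EOF
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
write_samples "$demo"
echo "Level One exposure: [$(exposed_nics "$demo/level1_target.txt")]"
check_pivot_lab "$demo/kali.txt" "$demo/pivot.txt" "$demo/target.txt"
```

Against real VMs, save each machine's output first, for example `VBoxManage showvminfo "metasploitable2" --machinereadable > target.txt`, and pass those files to the functions.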
Now we can launch all three machines to see what has happened to their network settings.
You can use either the "ip a" or "ifconfig" commands in a terminal to see your current IP address.
Our Kali Linux box has two IP addresses. The 10.0.2.15 address is from the standard NAT adapter. The 192.168.100.5 address is part of the "External" network we created. Your IP addresses will be different but will fall within the same networks.
In our lab, we ended up with the following
Our attacker computer is capable of seeing and attacking our pivot machine but cannot see the Metasploitable VM. So what now?
We won't be covering a detailed lesson on lateral movement and pivoting in this article. But this lab will allow you to practice using tools and techniques like Metasploit's autoroute feature, SSH tunneling, port forwarding, and Chisel.
Now it's your turn. Pick two different boxes from VulnHub. Make one your pivot and one your internal target. Hack the first and once you've gained root access, scan the internal network for your next target and tunnel your attacks through the pivot machine.
VulnHub has a section called "series", where several machines by the same author share a theme, often meant to be done one after the other. Try chaining two or more of those together and see how you do. Consider Empire, Harry Potter, or SickOS as series worth trying.
Almost all practical exams now require a basic to intermediate understanding of network pivoting. Get used to the way port forwards and tunneling work. See how some tools (such as Nmap) operate differently through a tunnel.
When you're done having fun with pivoting, let's talk about Active Directory.
Level Three: Active Directory Server
The first two levels of the lab are great practice for Linux systems. The vast majority of the internet runs on Linux. Websites, mail servers, databases, and other infrastructure are typically built on Linux systems. Inside a network, however, Windows holds the market share.
It's estimated that over 90% of Global Fortune 1000 companies use Microsoft Active Directory for their networks. While "popping boxes" from the previous sections is a great way to learn how to breach the perimeter through a forward-facing machine, you need to know AD to be a great hacker.
You won't find many Windows-based vulnerable machines for free on the internet because, unlike Linux, Windows isn't free. Any service that provides vulnerable Windows machines (such as Offsec's Proving Grounds or Hack The Box) has to pay Microsoft licensing fees. Fortunately, there is still a way to practice at home.
Setting Up Windows Server 2019
Microsoft offers free evaluation versions of Server 2019 and Windows 10 Workstations. You can download the .iso file, launch it in a virtual machine, and play with it as much as you like at no cost to you. Of course, it is a base system with no vulnerabilities... yet.
Let's start by getting an evaluation copy of Windows Server 2019. Click "Download the .iso." It will take you to a page where you are asked to fill out your name, company information, and contact details. There is no email confirmation or account registration, so you can simply fill in junk information if you want. Once the required fields are filled in, click the "Download now" button.
You have two options for a home lab - the .iso file, which is the same format as an installer disk, and the .vhd file, which is already configured for a hypervisor. While installing Server 2019 from an ISO is great practice and something I strongly recommend learning, today we will work smarter, not harder. Download the VHD.
Once downloaded, we will follow similar steps to set up this VM as we used with Metasploitable.
In your VirtualBox manager, click New. Give your OS a name, choose Microsoft Windows as the Type and Windows 2019 (64-bit) as the version. Click Next.
You can keep the RAM at 2048MB if you want, though I recommend going higher to speed things up during installation. If you have the memory to spare, you should double it to 4,096. Click Next.
Once again, you will be asked if you want to create a hard disk or use an existing virtual disk file. Select the option to use an existing disk and navigate to the file you downloaded.
You will now be ready to create. Once it is in your VirtualBox Manager pane, click Start.
After the machine boots, you must go through the typical Windows installation process.
Choose your keyboard and country. Agree to the license agreement. When asked to choose a password, you can pick anything so long as you can remember it. Since this will not be running an actual network, a simple Password123! will be enough.
For those who have never used Windows Server, you need to press Ctrl+Alt+Del to open the login screen. You cannot use that particular command in VirtualBox without your computer assuming you're trying to end a task. Instead, click Input, Keyboard, and Insert Ctrl+Alt+Del.
Sign in. If you are asked if you want to allow this PC to be discoverable by other PCs and devices on the network, say "Yes."
Before moving forward, be sure to create a snapshot. This will allow us to roll back to this fresh install should we wish to start over. Choose Machine, Take Snapshot. Pick a name like "Fresh Install" and click OK.
Lastly, open a command prompt by clicking the Windows icon in the taskbar, typing "cmd" and pressing Enter. Test your internet connection by trying to ping Google with the command:
ping google.com
If you get a reply, you are good to go. If not, try changing the network adapter settings in VirtualBox. For this, you will want to be on NAT.
We also recommend installing guest additions so you can cut and paste to and from the VM.
Your Windows Server 2019 is ready. Now let's give it some vulnerabilities.
Vulnerable Scripts
A Google search for "vulnerable Active Directory Github" or a similar phrase will return several great options for us to use. These different scripts were written by pentesters and enthusiasts who wished to give back to the InfoSec community.
By running one of these PowerShell scripts on our server, user accounts, poor passwords, and different misconfigurations will be put into place. This will make our machine vulnerable to many of the common attacks you might see in a real environment, such as pass-the-hash, kerberoasting, and golden ticket attacks.
We have no connection with any of the individuals who have created these vulnerable systems and no involvement in the development or maintenance of any scripts we mention in this article. They have been created by generous and talented individuals for anyone to use and enjoy.
We are choosing one as an example to walk you through the setup process, as most will function in a similar fashion.
Under NO CIRCUMSTANCES should you run this on an actual Active Directory network.
For the purpose of this walkthrough, we will be using Vulnerable AD Plus by WaterExecution. The README file lists a wide range of attack vectors and vulnerabilities, and the repo contains a walkthrough and password list to use in your practice.
Installing it requires running some commands in PowerShell. Let's start by opening PowerShell as an Administrator.
Click on the Windows icon in the taskbar and type PowerShell. Right-click on Windows PowerShell and select "Run as administrator."
To run PowerShell scripts from sources outside of Microsoft, we need to set the Execution Policy to bypass using this command:
Set-ExecutionPolicy -ExecutionPolicy Bypass
See our PowerShell Cheat Sheet for a list of useful commands applicable to network administration and ethical hacking.
Following the guidelines in the GitHub, we can run their script to establish this server as the primary domain controller for our Active Directory domain.
First, we install Active Directory Domain Services
Install-windowsfeature AD-domain-services
Then import ADDSDeployment
Import-Module ADDSDeployment
Now we can run their script
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\\Windows\\NTDS" -DomainMode "7" -DomainName "change.me" -DomainNetbiosName "change" -ForestMode "7" -InstallDns:$true -LogPath "C:\\Windows\\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\\Windows\\SYSVOL" -Force:$true
Note: The -DomainName flag is currently set to "change.me" and -DomainNetbiosName is "change". You can be creative if you want, but the domain "change" is hard-coded and invoked in the PowerShell script we'll be downloading.
Either you can leave it as "change" and "change.me" or copy the raw file, save it as a .ps1 on your virtual machine, edit the last line of the code with your custom domain name, and invoke it from there.
If that sounds way more technical than you're ready for, just leave it as "change.me" for now, and we'll do the same for this walkthrough.
It will ask you for a Safe Mode Administrator Password. We can keep our trusty Password123! for this one as well.
When completed, the system will sign us out and apply the changes. This can take a while, so grab a coffee or another energy drink.
You will notice that the login is for your newly created domain.
Now we can download and invoke the Vulnerable AD Plus script. The GitHub instructions say to run one command to download and another to invoke with flags to state the domain name and limit the number of users created. However, examining the script, the invoke command and flags are already hard-coded, so we can skip that part.
All we need to do is open PowerShell as Administrator again, set ExecutionPolicy to bypass, then run the following
IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/WaterExecution/vulnerable-AD-plus/master/vulnadplus.ps1"));
Once the script finishes, the server will reboot, and it's ready for hacking. The write-up by WaterExecution states initial access is attained through anonymous LDAP query and kerberoasting. Explaining these methods is beyond the scope of this article, but you now have a playground to practice those attacks and many other Active Directory hacking techniques.
Of course, understanding the misconfigurations of a lone domain controller is one thing, but what about having an entire Active Directory network to play in?
Level Four: Creating an Entire Active Directory Network Lab
Much like the previous lab, some passionate and generous hackers have assembled complete vulnerable networks for download, free of charge to you.
Usually, paid access to something like this can run $30 to $60 USD per month for shared lab access; this means others will be hacking the lab, modifying files, and possibly taking down machines that will need to be reset by moderators.
If you have the system for it, you can avoid the cost and have a dedicated lab to yourself.
This walkthrough will cover the setup of "Game of Active Directory v2." GOAD is a multi-domain and multi-forest network inspired by Game of Thrones, which will allow you to test an impressive list of hacking techniques to take over the network.
Taken from the Game of Active Directory GitHub
What Kind of System Do I Need to Run This?
This next activity is extremely resource heavy. The virtual network lab alone, without consideration of the host operating system or attack box, requires roughly 20GB of RAM. A Windows 10 system without superfluous software running will usually use 6-7GB of RAM (you can view this in your task manager), while a low-resource Linux system, like Mint, will only use about 2.5GB.
If you are running your Kali Linux instance on the same system, remember it needs a minimum of 2GB of RAM to run smoothly. Usually, people will up the RAM to anywhere between 4GB and 8GB depending on the software they intend to run at once (Burp Suite, Wireshark, Metasploit, etc.).
If you're using a Windows system with 32GB of RAM and a Kali Linux instance using 2GB of RAM, you should be okay, though you may experience some lag on the systems.
Alternatively, if you have a retired gaming PC with a significant amount of RAM, you can install a low-resource Linux system on it and make it a dedicated hacking lab. This will save you about 5GB of RAM by ditching Windows and allow you to provision more resources to your Kali Linux instance if you run it on a different physical machine.
What Software Will I Need for this?
The virtual machines themselves will still use VirtualBox as their hypervisor. However, they will be provisioned with Vagrant and configured with Ansible.
Vagrant is a free software used to manage virtual environments. It will allow us to launch all of our machines at once and run them in the background.
According to its website, Ansible is "an open source, command-line IT automation software application written in Python. It can configure systems, deploy software, and orchestrate advanced workflows to support application deployment, system updates, and more." We will use it to apply the AD settings and misconfigurations to the entire network.
Ansible does not play very well with Windows, but we got it to properly configure our vulnerable network using Windows Subsystem for Linux (WSL). WSL allows users to run a Linux environment within their Windows system without the need for another virtual machine.
We will run you through the setup of WSL and make sure it can communicate with VirtualBox on the main Windows system. After that, the screenshots you will see will be taken from a Linux system we tested this lab build on. All commands will be the same, and we can confirm successful installation both ways.
Windows Subsystem for Linux
Begin by opening up PowerShell as Administrator.
Run the following command
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
You will be prompted to restart the computer. Agree.
You now need to install the Ubuntu app from the Microsoft Store. Press the Windows icon in the taskbar, type store, and hit Enter. You can search "Ubuntu" in the search bar. Alternatively, you can go to the Microsoft Store website and download it from there.
Once it begins installing, it will prompt you to create a username and password. Once it completes, you will be presented with a bash terminal.
As with any new Linux install, we recommend immediately running
sudo apt-get update
Once updated, you can close the terminal anytime and open it again by typing "wsl" in a command prompt and hitting "Enter." You can navigate back to the home directory by typing
cd /home
Installing Our New Tools
There is absolutely no difference between running these commands on a bare metal Linux machine or in a WSL terminal unless otherwise stated.
We want to make sure we have the latest Python package manager installed
sudo apt-get install python3-pip
Then install Vagrant
sudo apt-get install vagrant
And finally Ansible
pip3 install ansible
If you are using WSL, you will need to take one extra step before moving forward. Run the following three commands in this order
echo 'export VAGRANT_WSL_ENABLE_WINDOWS_ACCESS="1"' >> ~/.bashrc
echo 'export PATH="${PATH}:/mnt/c/Program Files/Oracle/VirtualBox"' >> ~/.bashrc
source ~/.bashrc
This will tell our Ubuntu system that it can call our VirtualBox software on the Windows system.
Game of Active Directory
Now, navigate to whatever directory you would like to store the GOAD repository in.
We clone the repo with the following command
git clone https://github.com/Orange-Cyberdefense/GOAD.git
Navigate into the new folder with
cd GOAD
And type
vagrant up
This command will launch the new virtual machines in VirtualBox. They will run in the background, so you won't see any VM windows pop up. This process can take some time, so be patient. If it completes with no errors, we can move on. If there are any failures, you can run the following to stop and restart
vagrant halt
vagrant up
Navigate to the ansible folder within the repo with the following command
cd ansible
Run the following commands
python3 -m pip install virtualenv
python3 -m virtualenv .venv
source .venv/bin/activate
python3 -m pip install pywinrm
ansible-galaxy install -r requirements.yml
And finally
ansible-playbook main.yml
Ansible is now creating the AD network, setting the correct IP addresses, creating users and groups, and adding the various vulnerabilities you will be exploiting. This is a long process, and it may fail more than once. We had to run it three times on the Linux system before everything came back successful. If it fails, simply run ansible-playbook main.yml again.
Once this completes with no errors, you're ready to start scanning and hacking. The IPs on this network are static, and you can view them on the GitHub page.
You can shut down the network anytime with
vagrant halt
Restart it with
vagrant up
And if you wish to get rid of the entire network and virtual machines, you can clear it all with
vagrant destroy
Note that if you do this and want to use the network again, you will have to run ansible again to reconfigure it.
Conclusion
We've covered a lot of information here. You already know real practice is essential to learn hacking. The theory is great, but without actually doing it, you won't know what challenges you can face and won't gain the experience of troubleshooting, reevaluating, and trying again.
Paid services have their benefits, but you'd be denying yourself some important skills by not trying your own labs. Setting them up yourself gives you a better understanding of how networks operate, which you can then apply to your hacking.
All practical exams now require pivoting, and most require Active Directory; this includes OSCP. So take advantage of the free resources available to you. For an added experience, review the vulnerable Active Directory scripts, see how they work and what they're doing, and try creating your own vulnerable machines to share with the hacker community.
OMG. I have rarely seen such detailed and generously delivered hacking tool. You really took the time to give us all we need to get started. Thank you again.
Really a great layout. A noob like me got so much outta this..
Will this lab work on VMWare Workstation Pro? If so, does it require changes/adjustments, particularly to the network setup (i.e. NAT)? Thanks for providing such a great resource.