Penetration Testing Lab Setup

Build your own practice environments for penetration testing. From online platforms to home lab setups with vulnerable VMs and Active Directory networks.

Online Learning Platforms

Hack The Box

Active machines to hack, both Windows and Linux. Pro Labs for enterprise environments.

  • ✓ 200+ retired machines
  • ✓ Active Directory labs
  • ✓ Starting Point for beginners
  • ✓ Academy for structured learning
hackthebox.com →

TryHackMe

Beginner-friendly with guided rooms. Learning paths from basics to advanced.

  • ✓ Guided walkthroughs
  • ✓ Learning paths
  • ✓ Browser-based AttackBox
  • ✓ Great for beginners
tryhackme.com →

PentesterLab

Web application security focused. Excellent for learning specific vulnerabilities.

  • ✓ Web app focused
  • ✓ Badge system progression
  • ✓ Real-world scenarios
  • ✓ API security labs
pentesterlab.com →

PortSwigger Web Academy

Free web security training from the creators of Burp Suite.

portswigger.net →

VulnHub

Free downloadable vulnerable VMs for local practice.

vulnhub.com →

DVWA / bWAPP

Self-hosted vulnerable web apps for web exploitation practice.

DVWA GitHub →

Building a Home Lab

Hardware Requirements

Minimum: 16GB RAM, SSD storage, quad-core CPU. Recommended: 32GB+ RAM, 500GB+ SSD. More RAM = more VMs running simultaneously.

Virtualization Setup

Choose a hypervisor that suits your operating system and needs:

VMware Workstation Pro

Paid (Free for personal use). Best compatibility, snapshots, and networking.


VirtualBox

Free & Open Source. Good for learning, cross-platform.


Network Configuration

Proper network isolation is crucial. Configure your hypervisor with the following networks:

  • NAT Network: VMs can reach the internet but are isolated from your host LAN.
  • Host-Only Network: VMs communicate with each other and the host, but no internet.
  • Internal Network: Completely isolated VM-to-VM communication.
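
To confirm a VM really sits on one of the networks above, its adapter modes can be audited. The script below is an added example, not part of the original page. It assumes VirtualBox and the nicN="mode" lines printed by `VBoxManage showvminfo <vm> --machinereadable`; the VM names and sample data are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit a VirtualBox VM's NIC
# attachment modes against the three network types listed above.
# Input format assumed: `VBoxManage showvminfo <vm> --machinereadable`,
# which reports each adapter as a line such as nic1="intnet".

# audit_nics: read showvminfo output on stdin, print "<nic> <mode> <verdict>"
# per attached NIC, and return 1 if any NIC is bridged onto the host LAN.
audit_nics() {
    awk -F= '
        BEGIN { bad = 0 }
        /^nic[0-9]+=/ {
            mode = $2
            gsub(/"/, "", mode)
            if (mode == "none") next
            if      (mode == "intnet")     verdict = "isolated"
            else if (mode == "hostonly")   verdict = "host-reachable"
            else if (mode == "nat")        verdict = "internet-reachable"
            else if (mode == "natnetwork") verdict = "internet-reachable"
            else if (mode == "bridged")  { verdict = "ON-HOST-LAN"; bad = 1 }
            else                           verdict = "review-manually"
            print $1, mode, verdict
        }
        END { exit bad }
    '
}

# Constructed sample data (hypothetical VMs, not real output).
SAMPLE_DC01='name="DC01"
nic1="intnet"
intnet1="adlab"
nictype1="82540EM"
nic2="none"'

SAMPLE_TARGET='name="metasploitable"
nic1="bridged"
bridgeadapter1="eth0"
nic2="hostonly"
hostonlyadapter2="vboxnet0"'

# Demo: the second VM fails the audit because nic1 is bridged.
printf '%s\n' "$SAMPLE_DC01"   | audit_nics
printf '%s\n' "$SAMPLE_TARGET" | audit_nics || echo "FAIL: bridged NIC"
```

On a real host, pipe `VBoxManage showvminfo "<vm>" --machinereadable` into `audit_nics` for each vulnerable VM before powering it on.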

Kali Linux Attack Machine

Download the official VM image from kali.org. Once installed, run the following commands to set up your environment:

kali-setup.sh
bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install additional tools
sudo apt install -y \
    gobuster feroxbuster \
    bloodhound neo4j \
    crackmapexec evil-winrm \
    seclists \
    docker.io docker-compose

# Enable services
sudo systemctl enable ssh
sudo systemctl start ssh
sudo systemctl enable postgresql
sudo systemctl start postgresql

# Initialize Metasploit database
sudo msfdb init

# Create directory structure
mkdir -p ~/engagements/client_name/{recon,scans,exploits,loot,notes}

# Clone useful repos
git clone https://github.com/danielmiessler/SecLists ~/tools/SecLists
git clone https://github.com/carlospolop/PEASS-ng ~/tools/PEASS-ng
git clone https://github.com/samratashok/nishang ~/tools/nishang

# Install Python tools
pip3 install impacket crackmapexec

# Start BloodHound (default pass: neo4j/neo4j)
sudo neo4j console &
bloodhound

Recommended Vulnerable VMs

Linux VMs

  • Metasploitable 2/3

    Classic intentionally vulnerable VM

  • DVWA (Damn Vulnerable Web App)

    Web vulnerabilities - SQLi, XSS, etc.

  • bWAPP

    100+ web vulnerabilities

  • VulnHub Machines

    Kioptrix, Mr. Robot, Stapler

Windows VMs

  • Windows 10/11 Eval

    90-day evaluation licenses from Microsoft

  • Windows Server Eval

    180-day eval for AD labs

  • Yourcomputer (VulnHub)

    Vulnerable Windows machine

  • YOURCOMPANY

    HTB-style Windows targets

docker-labs.sh
bash
# Quick Vulnerable Web App Setup with Docker
# Ports are published on 127.0.0.1 only, so these deliberately vulnerable
# apps are reachable from this machine but not from the rest of the network.

# DVWA
docker run -d -p 127.0.0.1:80:80 vulnerables/web-dvwa
# Access at http://localhost
# Login: admin/password

# bWAPP
docker run -d -p 127.0.0.1:8080:80 raesene/bwapp
# Access at http://localhost:8080/install.php

# OWASP Juice Shop
docker run -d -p 127.0.0.1:3000:3000 bkimminich/juice-shop
# Access at http://localhost:3000

# WebGoat (OWASP)
docker run -d -p 127.0.0.1:8081:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
# Access at http://localhost:8081/WebGoat

# SQLi-labs
docker run -d -p 127.0.0.1:8082:80 acgpiano/sqli-labs
# Access at http://localhost:8082

# NodeGoat
docker run -d -p 127.0.0.1:4000:4000 owasp/nodegoat
# Access at http://localhost:4000

# Run multiple with docker-compose
cat > docker-compose.yml << 'EOF'
version: '3'
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "127.0.0.1:80:80"
  juiceshop:
    image: bkimminich/juice-shop
    ports:
      - "127.0.0.1:3000:3000"
  webgoat:
    image: webgoat/webgoat
    ports:
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:9090:9090"
EOF
docker-compose up -d
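
Docker publishes a `-p HOST:CONTAINER` mapping on every host interface unless an address is given, so a vulnerable container can end up reachable from the LAN. The check below is an added example, not part of the original page. It flags any published port that is not bound to loopback, reading the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`; the function name and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): list container ports that are
# published on a non-loopback address.
# Input: lines of "name<TAB>ports" as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# exposed_ports: print "<container> <mapping>" for every published port not
# bound to 127.x.x.x or [::1]; return 1 if any such mapping exists.
exposed_ports() {
    awk -F'\t' '
        BEGIN { bad = 0 }
        {
            n = split($2, maps, /, */)
            for (i = 1; i <= n; i++) {
                if (maps[i] !~ /->/) continue        # not published to the host
                if (maps[i] ~ /^127\./) continue     # IPv4 loopback only
                if (maps[i] ~ /^\[::1\]/) continue   # IPv6 loopback only
                print $1, maps[i]
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample output (hypothetical container names).
SAMPLE_PS="$(printf '%s\t%s\n' \
    dvwa      '0.0.0.0:80->80/tcp, [::]:80->80/tcp' \
    juiceshop '127.0.0.1:3000->3000/tcp' \
    webgoat   '127.0.0.1:8081->8080/tcp, 9090/tcp')"

# Demo: only the dvwa mappings are reported.
printf '%s\n' "$SAMPLE_PS" | exposed_ports || echo "FAIL: ports exposed beyond loopback"
```

Against a live lab, run `docker ps --format '{{.Names}}\t{{.Ports}}' | exposed_ports` after starting the containers.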

Active Directory Lab Setup

Lab Requirements

  • Domain Controller: Windows Server 2019/2022 (4GB RAM)
  • Workstations: 2x Windows 10/11 (2GB RAM each)
  • Attacker: Kali Linux (4GB RAM)
  • Total RAM: ~12GB minimum

Network Configuration

Use a static IP scheme on an isolated network:

  • DC01: 10.0.0.1
  • WS01: 10.0.0.10
  • WS02: 10.0.0.11
  • Kali: 10.0.0.100

ad-lab-setup.ps1
powershell
# ==========================================
# Step 1: Domain Controller Setup
# ==========================================

# Open PowerShell as Admin

# Set computer name
Rename-Computer -NewName DC01 -Restart

# Install AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote to Domain Controller
Install-ADDSForest -DomainName "lab.local" -DomainNetbiosName "LAB" -InstallDns

# After restart, create users and groups
Import-Module ActiveDirectory

# Create OUs
New-ADOrganizationalUnit -Name "Lab Users" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Lab Computers" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Lab Groups" -Path "DC=lab,DC=local"

# Create users with weak passwords (for testing)
$users = @(
    @{Name="John Smith"; SamAccountName="jsmith"; Password="Password123!"},
    @{Name="Jane Doe"; SamAccountName="jdoe"; Password="Summer2024!"},
    @{Name="Admin User"; SamAccountName="admin.user"; Password="Admin@123"},
    @{Name="Service Account"; SamAccountName="svc_sql"; Password="SQLService1!"}
)

foreach ($user in $users) {
    New-ADUser -Name $user.Name -SamAccountName $user.SamAccountName -UserPrincipalName "$($user.SamAccountName)@lab.local" -AccountPassword (ConvertTo-SecureString $user.Password -AsPlainText -Force) -Enabled $true -PasswordNeverExpires $true -Path "OU=Lab Users,DC=lab,DC=local"
}

# Create groups
New-ADGroup -Name "IT Admins" -GroupScope Global -Path "OU=Lab Groups,DC=lab,DC=local"
New-ADGroup -Name "HR" -GroupScope Global -Path "OU=Lab Groups,DC=lab,DC=local"

# Add users to groups
Add-ADGroupMember -Identity "IT Admins" -Members "admin.user"
Add-ADGroupMember -Identity "Domain Admins" -Members "admin.user"

# ==========================================
# Step 2: Configure Vulnerabilities
# ==========================================

# Kerberoastable user (SPN)
setspn -a MSSQLSvc/dc01.lab.local:1433 svc_sql

# AS-REP Roastable user
Set-ADAccountControl -Identity jdoe -DoesNotRequirePreAuth $true

# SMB Signing disabled (via Registry for lab simplicity)
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" -Name "requiresecuritysignature" -Value 0

# ==========================================
# Step 3: Join Workstations (Run on Workstation)
# ==========================================

# Set DNS to DC IP
Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses "10.0.0.1"

# Join Domain
Add-Computer -DomainName "lab.local" -Restart

Automated Lab Deployment

GOAD (Game of AD)

Full AD lab with multiple forests, trusts, and vulnerabilities. Deploy with Vagrant.

GitHub: Orange-Cyberdefense/GOAD →

DetectionLab

AD lab with logging and detection. Great for blue team practice too.

GitHub: clong/DetectionLab →

GOAD Installation

Requires Vagrant and a provider (VirtualBox, VMware, etc.).

goad-deploy.sh
bash
# Clone GOAD repository
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD

# Install python dependencies
pip install ansible pywinrm

# Deploy with Vagrant (VirtualBox provider)
cd ad/GOAD/providers/virtualbox
vagrant up

DetectionLab Installation

detectionlab-deploy.sh
bash
# Clone DetectionLab
git clone https://github.com/clong/DetectionLab.git
cd DetectionLab/Vagrant

# Deploy
vagrant up --provider=virtualbox

Lab Best Practices

Always use isolated networks for vulnerable VMs. Take snapshots before testing so you can easily restore. Document your lab setup for reproducibility. Consider using Infrastructure as Code (Vagrant/Terraform) for easy rebuilds.