This blog post is designed to be an ongoing project and will be regularly updated as features are added to my lab. Having spoken to my colleagues about setting up a homelab for pen testers it seems like there are a ton of great articles out there but it’s difficult to find a guide on setting up a homelab from start to finish. This is what I hope to achieve with this project. Fully featured, fun to build and frequency updated! Ambitious… I know.
The plan is to build a home lab that mimics the layout of a typical internal network of an organisation that can be used for practice, training for any pen tester or company to setup. This lab will be configured with typical misconfigurations that would allow a pen tester to gain a foothold within a network. Eventually i’d love to develop some training material for the lab or even roll it out as a CTF. The design will be heavily influenced from my Real life experiece and other lab envrionments like Hack The Box Pro Labs or TryHackMe Networks I have done over my short career in pen testing.
With this project I have a few key goals I’d like to achieve.
Self Contained Environment
Working in Cyber Security. I realise how crazy it sounds to create a whole network of vulnerabilities at home. The vulnerable network will be isolated from my home network and firewall rules in place to prevent any chance of a foothold leading to my home network becoming compromised.
Logging and Monitoring
As someone working in pen testing, I have very little experience and knowledge of what certain attacks look like to a SOC. I’ll be implementing a SIEM so that I can learn what can be detected and learn methods for trying to go undetected.
The vast majority of the network must remain patched at all times to try and keep my tooling and techniques current. As fun as popping a shell with MS17-010 is, it’s not really relevent to real life…most of the time..I’d like to implement a system that will auto patch and snapshot the network.
Multiple Attack Paths
Setting up the network yourself is great. You get to learn how to work with the technology and I guess it helps when talking to clients if you have an understanding of the other side. The downside to this is you know what misconfigurations you’ve put in place, making attacking the network a bit too easy. I’ll be deploying some scripts that auto-populate the AD with misconfigurations to add even more attack chains.
I have a few stretch goals in mind with this lab.
- Web Control panel to restore/rebuild the lab
- Auto regenerating AD lab every month/3 months.
So here is where I’m at currently with this lab project. Currently I have:
- ASUS PN50 running ESXi 7.0U2
- pfsense Firewall (FW01)
- Single Active Directory forest
- Domain Controller (DC01)
- Workstation (WS01)
- Kali Box (KALI01)
As the lab is going to contain a number of Virtual Machines we will need a decent amount of RAM available. I would recommend at an absolute minimum 16GB. If you want to bring some logging and multiple subnets into the mix then I’d suggest upping this to 32GB-64GB.
When designing my lab I opted to go for a MiniPC style hardware. Space is limited at home and I need to keep my IT projects as minimal as possible so I opted for the ASUS PN50. This beast fits in the palm of my hand and has an 8-Core Ryzen 7! For now I’ve equipped this with 32GB of RAM and a 512GB NVMe SSD.
The vast majority of this lab will be done in Software.
Host Operating System
For this project. I have opted to use ESXi 7.0 as my host operating system. You could use any OS you like as long as you are able to run Virtual machines. This is totally do-able with ProxMox, QEMU, VirtualBox or VMWare Workstation. Why ESXi? This is what’s most commonly found in corporate networks. I’m trying to keep things as real as possible. All instructions will be for setting up ESXi but they should be easy enough to adjust for any other VM platfom.
A number of ISO’s will need to be downloaded to create our Virtual Machines. I would suggest grabbing the Following:
- Windows Server 2019
- Windows 10 Enterprise
- Windows Server 2016
- Windows 7 Pro
- Ubuntu 20.04
- Ubuntu 18.04
Lets get this project started! First things first, we need to download ESXi and create a bootable USB drive. In setting up this lab I ran into a few issues with getting my hardware to run ESXi 6.7. The version of my Asus PN50 has the newer, better(?) and less common RTL8125 2.5Gbps network chipset installed. Unfortunately this chipset is not supported officially by VMWare and the community VIB’s for the card are sadly not stable (yet). Still wanting to go for ESXi, I looked for options.
I discovered that I had a USB network card that is supported using ESXi 7.0’s Community flings. To set this up I first had to download the ESXi image and modify it to include these additional drivers. To do this I used VMWare’s PowerCLI Powershell module.
First task is to install PowerCLI. Open up a PowerShell shell as an Administrator user on a Windows machine or Virtual Machine. Let’s first make a working folder and switch to this directory and install our PowerShell Module.
mkdir ~/ESXi cd ~/ESXi Install-Module VMWare.PowerCLI
Give this a few moments as PowerShell installs the module. Allowing any prompts that appear. Once completed, add the VMWare software repo and query the available ImageProfiles.
Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml Get-ESXImageProfile
Grab the image name for the most recent version of ESXi and paste this in the
Export-ESXImageProfile -ImageProfile "ESXi-7.0U2a-17867351-standard" -ExportToBundle -filepath ESXi-7.zip Remove-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml Add-EsxSoftwareDepot .\ESXi-7.zip New-EsxImageProfile -CloneProfile "ESXi-7.0U2a-17867351-standard" -name "ESXi-7-0xJordan" -Vendor "0xJordan.com"
If you need to add third party USB drivers like I did. Grab the relevant version for your version of ESXi from here and copy them to your ESXi working folder and rename to
community.zip and run the following commands pasting your image profile in the
cloneprofile parameter. If your hardware is supported natively. Skip these two commands.
Add-EsxSoftwareDepot .\community.zip Add-EsxSoftwarePackage -ImageProfile "ESXi-7-0xJordan" -SoftwarePackage "vmkusb-nic-fling"
Then finally generate the ISO!
Export-ESXImageProfile -ImageProfile "ESXi-7-0xJordan" -ExportToIso -filepath ESXi-7.iso
Give this a few minutes and eventually you should have an
ESXi-7.iso in your working folder.
My preferred method of copying this ISO to USB is using Rufus. Download a run the portable EXE (Or install if you want to). Run the executable as Administrator.
If the following prompt appears. Select No. You do not want to overwrite the ESXi boot menu. This will probably prevent it from booting.
After a minute or two depending on your USB speeds the ISO will be copied to the USB.