Building a Lab


Table of Contents


  • To Do
    • Building a defensive Lab
    • Infra Automation

General


Virtual Labs/Machines

  • 101
  • VM Hypervisor Software
  • VirtualBox
  • VMware(Workstation/vSphere/ESXi)
  • Xen
  • Obtaining VMs
  • Automated Lab/Machine Creation Tools
    • Talks/Videos
      • Windows Server 2016 AutoLab Setup - Jason Helmick(2016)
        • Join Pluralsight author Jason Helmick as he walks through his automated lab setup for use in our Windows Server 2016 content. Check out how to build your lab environment so you can follow along with our authors as you learn the ins and outs of Windows Server 2016.
    • General
      • Security Scenario Generator (SecGen) (https://github.com/cliffe/SecGen)
        • SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
    • Malware
    • Windows
      • PSAutoLab
        • This project serves as a set of "wrapper" commands that utilize the Lability module which is a terrific tool for creating a lab environment of Windows based systems. The downside is that it is a difficult module for less experienced PowerShell users. The configurations and control commands for the Hyper-V virtual machines are written in PowerShell using Desired State Configuration (DSC) and deployed via Lability.
      • Lability
        • The Lability module enables simple provisioning of Windows Hyper-V development and testing environments. It uses a declarative document for machine configuration. However, rather than defining configurations in an external custom domain-specific language (DSL) document, Lability extends existing PowerShell Desired State Configuration (DSC) configuration (.psd1) documents with metadata that can be interpreted by the module. By using this approach, it allows the use of a single configuration document to describe all properties for provisioning Windows-centric development and/or test environments.
      • Detection Lab
        • Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
      • DetectionLabELK
        • DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.
  • VMs/Apps Designed to be Attacked
    • List of VMs that are preconfigured virtual machines

    • The Hacker Games - Hack the VM before it hacks you

      • I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures. In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game. To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run.
    • Android

      • EVABS (Extremely Vulnerable Android Labs)
        • An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners. The effort is to introduce beginners with very limited or zero knowledge to some of the major and commonly found real-world based Android application vulnerabilities in a story-based, interactive model. EVABS follows a level-wise difficulty approach and in each level, the player learns a new concept. This project is still under progress and aims at incorporating as many levels as possible.
    • AWS

      • AWS Well-Architected Security Labs - Amazon(Official)
        • This repository contains documentation and code in the format of hands-on labs to help you learn, measure, and build using architectural best practices. The labs are categorized into levels, where 100 is introductory, 200/300 is intermediate and 400 is advanced.
      • CloudGoat
        • CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario's goal(s).
      • CloudGoat 2: The New & Improved “Vulnerable by Design” AWS Deployment Tool - Jeffrey Anderson
      • CloudGoat 2 Walkthrough - Part One - thetestlabs.io
      • Damn Vulnerable Cloud Application
        • This is a demonstration project to show how to do privilege escalation on AWS. DO NOT deploy this on an AWS account unless you know very well what you are doing!
      • Lambda
        • lambhack
          • A vulnerable serverless lambda application. It is certainly a bad idea to base any coding patterns on what you see here. lambhack allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks and more. This first release only contains arbitrary code execution through the query string. Please feel free to contribute new vulnerabilities.
    • Docker

    • Exploit Development

      • exploit_me
        • Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms)
    • Git Repo

    • Router

      • iv-wrt
        • An Intentionally Vulnerable Router Firmware Distribution
    • Serverless

      • ServerlessGoat
        • This serverless application demonstrates common serverless security flaws as described in the Serverless Security Top 10 Weaknesses guide https://github.com/puresec/sas-top-10.
    • Terraform

      • TerraGoat
        • TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
    • Thick Client


Web Applications

  • OWASP
    • OWASP Vulnerable Web Applications Directory Project/Pages/Offline
    • OWASP Broken Web Applications Project
      • OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.
    • OWASP Juiceshop
    • OWASP Damn Vulnerable Web Sockets
      • OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.
    • NodeGoat
      • Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
    • OWASP DevSlop Project
      • A collection of DevOps-driven applications, specifically designed to showcase security catastrophes and vulnerabilities for use in security testing, software testing, learning and teaching for both developers and security professionals.
    • OWASP Mutillidae II
      • OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software.
  • General
    • Damn Vulnerable Web App
      • Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid both students & teachers in learning about web application security in a controlled classroom environment.
    • Damn Small Vulnerable Web
      • Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports the majority of the most popular web application vulnerabilities together with appropriate attacks.
    • File scanner web app (Part 1 of 5): Stand-up and webserver
    • Xtreme Vulnerable Web Application (XVWA)
      • XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice.
    • Hackazon
      • Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.
    • Vulnerable Web applications Generator
      • This is the Git repo of the VWGen, which stands for Vulnerable Web applications Generator.
    • secDevLabs
      • By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how the vulnerable code can be fixed to mitigate them.
    • LKWA
      • Lesser Known Web Attack Lab is for intermediate pentesters who want to test and practice lesser-known web attacks such as Object Injection, XSSI, PHAR Deserialization, variable variables, etc.
    • One Random Insecure Wep Application Please (ORIWAP) - Nancy Snoke(NolaCon2019)
      • You may need an insecure web application as part of yearly developer compliance training. You may need an insecure web application for a company-wide contest for cyber security awareness month. Perhaps you just like playing with insecure web applications on the weekend. There are a variety of insecure web applications out there. But if you have specific needs (maybe XSS in VBScript as opposed to JavaScript), or a regular use case where you want something that showcases the OWASP Top 10 yet has different topics and a different look every time, then what is out there may not work for you. This talk introduces a new tool, ORIWAP (One Random Insecure Web Application Please), which can randomly generate an insecure web application (the security features, visual style, and data: users, passwords, forum postings, about page). If you don't like randomness you can specify some or all of the settings and an application will be generated. The talk will demo creating several new applications, and show the variety of options for creating the perfect insecure web application for you. This talk will also discuss how the code works for each area: security features, visual style, and data.
    • Damn Small Vulnerable Web in Docker
  • Specific
    • API
    • Django
      • django.nV
        • django.nV is a purposefully vulnerable Django application provided by nVisium.
    • HTTP Smuggling
    • JSP
      • MoneyX
        • MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
    • Node.js
      • node.nV
        • Intentionally Vulnerable node.js application
      • goat.js
        • Tutorial for Node.js security
      • Damn Vulnerable NodeJS Application(DVNA)
        • Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate the OWASP Top 10 vulnerabilities and guide you in fixing and avoiding them. The fixes branch contains fixes for the vulnerabilities. Fixes for the OWASP Top 10 2017 vulnerabilities are in the fixes-2017 branch.
    • Ruby
      • grails_nV
        • grails_nV is a vulnerable jobs listing website.
      • RailsGoat
        • RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
    • SSRF
      • SSRF Vulnerable Lab
        • This repository contains PHP code which is vulnerable to Server-Side Request Forgery (SSRF) attacks.
    • SSO
      • Vulnerable SSO
        • Vulnerable SSO is focused on single sign-on related vulnerabilities. If you want to learn, you should check out and contribute to this project. The VulnSSO tool is focused on SSO attacks. Nowadays most companies use their own implementation for SSO solutions, and some bug hunters have found really good vulnerabilities at big companies. There are some tools (DVWA and others) that contain vulnerabilities, but they don't have any support for SSO vulnerabilities. Our focus is only SSO-related bugs. VulnSSO is a training tool. It will contain a redirect URI vulnerability, XXE in SAML requests and many others.
    • Web Cache Poisoning
      • Web Cache Poisoning Lab
        • Welcome to the Cache Poisoning Lab. In this lab you will have the opportunity to experiment with some of the vulnerabilities presented in the brilliant paper Practical Web Cache Poisoning by James Kettle.
  • Making One
    • clicker-service
      • Docker container that accepts a POST with the following form data and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable-by-design web apps to realistically simulate XSS and XSRF (CSRF). The service runs Flask to receive the POST requests, and runs on the default port of 5000.

Setting up ActiveDirectory Focused Labs


Building a Pentest Lab


Building a Defensive Lab


Building a VM/Machine for Remote Testing


Other Labs

  • DanderSpritz Lab
    • The goal of DanderSpritz lab is to allow researchers and defenders to quickly stand up a fully functional version of DanderSpritz, the Equation Group's post-exploitation tool-set, and a Windows Server 2008 domain and client as targets. The Windows target has some reverse engineering tools that I found useful while investigating DanderSpritz and its capabilities.
  • deploy-your-own-saas
    • 'List of "only yours" cloud services for everyday needs'
  • Access Methods
    • RDP
      • Apache Guacamole
        • Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. We call it clientless because no plugins or client software are required. Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.
        • Apache Guacamole: How To Install and Configure - FortyNorth Security
      • xrdp
        • xrdp provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp accepts connections from a variety of RDP clients: FreeRDP, rdesktop, NeutrinoRDP and Microsoft Remote Desktop Client (for Windows, Mac OS, iOS and Android).
    • SSH
    • VPN
      • Wireguard
        • Wireguard - Wikipedia
          • WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. It is run as a module inside the Linux kernel, and aims for better performance and more power saving than the IPsec and OpenVPN tunneling protocols. It was written by Jason A. Donenfeld and is published under the GNU General Public License (GPL) version 2.
        • wg-access-server
          • wg-access-server is a single binary that provides a WireGuard VPN server and device management web UI. We support user authentication and 1-click device registration that works with Mac, Linux, Windows, iOS and Android, including QR codes. You can configure different network isolation modes for better control and more. This project aims to deliver a simple VPN solution for developers, homelab enthusiasts and anyone else feeling adventurous.
  • Containers/Related
    • Docker
    • Kubernetes
      • Instances
        • Simulator
          • A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: simulator creates a Kubernetes cluster for you in your AWS account, runs scenarios which misconfigure it and/or leave it vulnerable to compromise, and trains you in mitigating these vulnerabilities.
        • k3s
          • Lightweight Kubernetes. Easy to install, half the memory, all in a binary less than 40 MB.
        • k3d
          • Little helper to run Rancher Lab's k3s in Docker
        • kube_security_lab
          • The goal of this project is to make use of Docker and specifically kind to create a lab environment for testing Kubernetes exploits and security tools entirely locally on a single machine without any requirement for remote resources or Virtual Machines being spun up.
        • kind
          • kind is a tool for running local Kubernetes clusters using Docker container “nodes”. kind was primarily designed for testing Kubernetes itself, but may be used for local development or CI.
      • Vulnerable
        • Bust-a-Kube
        • Kubernetes Goat
          • Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
  • Development
    • Callback Catcher
      • Callback Catcher is a multi-socket control tool designed to aid in pentest activities. It has a simple web application with a backend API that allows the user to control what TCP and UDP sockets should be opened on the server. It records any and all data sent to the exposed sockets and logs it to a database which can be easily accessed via its backend API. It's kind of intended to be like the love child of Burp Collaborator and Responder. Alternatively, think of it like a low/medium interaction honeypot. It's been coded on top of the Django REST framework, which offers a number of benefits, primarily being able to create your own client scripts and tools and quickly search and filter data. Opening of sockets is built on top of Python's ServerSocket library. Upon spinning up a socket a user is given the option to assign a handler to the socket, which is effectively user-defined code that overrides the handler function within the SocketServer.TCPServer and SocketServer.UDPServer classes. This code tells the socket how to handle the incoming data and what to respond with. Each connection to the socket is recorded to a database.
  • Mail Servers
    • Hosting
    • Local
  • Mobile Device Management
    • macOS
      • MicroMDM
        • MicroMDM is a project which provides an open source Mobile Device Management server for Apple devices. Our goal is to create a performant and extensible device management solution for enterprise and education.
  • Defensive CI/CD
  • Offensive CI/CD

Infrastructure Automation