Level Up Your Lab: PT3

You’ve built the attack tools. You’ve built the defences. Now it’s time to make them fight each other — and automate the whole thing.

This is Part 3 of our home lab series, and it’s where things get genuinely interesting. The first post gave you weapons. The second gave you walls. This post gives you the intelligence to simulate sophisticated real-world attacks, the automation to manage your growing lab, and the forensics capability to tear apart malware and build detection rules that actually work.

The tools in this post are what separate a casual home lab from one that builds real, transferable skills. If you’re pursuing a career in threat hunting, detection engineering, incident response, or purple teaming, this is your toolkit.

1. Vulnerable-AD — Attack Active Directory Like a Real Red Teamer

Active Directory is the backbone of nearly every corporate Windows network, and it’s also one of the most commonly exploited attack surfaces in the world. Vulnerable-AD is a PowerShell script that builds a deliberately misconfigured Active Directory environment — complete with weak passwords, excessive privileges, Kerberoastable service accounts, and insecure ACLs. It’s the AD attack lab you’d spend days building manually, automated into a single script.

How to Get It

Clone the repository from GitHub.

How to Install It

You need a Windows Server VM with Active Directory installed first:

1. Set up Windows Server: Create a VM with Windows Server 2019 or 2022 (evaluation editions are free for 180 days from Microsoft). Allocate at least 4GB RAM and 2 CPUs.
2. Install Active Directory: In Server Manager, add the “Active Directory Domain Services” role and promote the server to a domain controller. Create a domain like lab.local.
3. Run Vulnerable-AD: After the domain is set up, download the script:

IEX((New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/safebuffer/vulnerable-AD/master/vulnad.ps1"))
Invoke-VulnAD -UsersLimit 100 -DomainName "lab.local"

This creates 100 users with randomised names and introduces a range of vulnerabilities into the domain. (As with any script you download and execute directly, it’s good practice to review the source on GitHub before running it.)

How to Use It

From your Kali machine, join the attack. The script introduces vulnerabilities that map to real-world AD attack paths:

• Password Spraying: Several accounts share the same weak password. Use CrackMapExec to find them:

crackmapexec smb 192.168.1.10 -u users.txt -p 'Password1!' --continue-on-success

• Kerberoasting: Service accounts have SPNs set, making their tickets requestable and crackable offline:

impacket-GetUserSPNs lab.local/founduser:Password1! -dc-ip 192.168.1.10 -request

Then crack the ticket hash with Hashcat.

• AS-REP Roasting: Some accounts have pre-authentication disabled.
• ACL Abuse: Certain users have GenericAll, WriteDACL, or ForceChangePassword permissions on other accounts — allowing privilege escalation without any exploits.
• DCSync: At least one account can replicate domain data, meaning you can dump every password hash in the domain.

Use BloodHound (another free tool) to visualise the attack paths. Import its data and you’ll see a graph showing exactly how a compromised low-privilege user can chain permissions all the way to Domain Admin. This is exactly how real-world AD compromises happen.

2. GOAD (Game of Active Directory) — A Full Multi-Domain AD War Zone

If Vulnerable-AD is the appetiser, GOAD is the seven-course meal. Built and maintained by Orange Cyberdefense, GOAD (Game of Active Directory) deploys an entire multi-forest, multi-domain Active Directory environment with five virtual machines, complete with domain trusts, Group Policy misconfigurations, MSSQL servers, ADCS (certificate services), SCCM, and attack paths that mirror the complexity of real enterprise networks. It’s widely considered the gold standard for AD attack labs.

How to Get It

Clone from GitHub. Full documentation lives at orange-cyberdefense.github.io/GOAD.

How to Install It

GOAD uses Vagrant to spin up free Windows Server evaluation VMs and Ansible to provision all the vulnerabilities automatically. It’s a heavier setup than Vulnerable-AD, but the payoff is enormous.

Prerequisites:

• VirtualBox (or VMware Workstation, now free for personal use)
• Vagrant
• At least 20GB of RAM for GOAD-Light (3 VMs), or 24GB+ for the full GOAD lab (5 VMs)
• ~115GB of free disk space

Installation:

# Install dependencies (Ubuntu/Debian)
sudo apt install virtualbox
sudo apt update && sudo apt install vagrant
vagrant plugin install vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated
sudo apt install sshpass lftp rsync openssh-client python3.10-venv
# Clone and launch
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD
./goad.sh -t check -l GOAD -p virtualbox
./goad.sh -t install -l GOAD -p virtualbox

Now grab a coffee — or several. The full installation downloads Windows Server images, creates five VMs, installs Active Directory forests, configures trusts, deploys vulnerable services, and provisions dozens of misconfigurations. It can take a couple of hours depending on your hardware. If you get errors (often caused by Windows latency during provisioning), just re-run the install — it’s idempotent.

If your machine can’t handle the full lab, use GOAD-Light instead (3 VMs, 1 forest, 2 domains):

./goad.sh -t install -l GOAD-Light -p virtualbox

How to Use It

The full GOAD lab deploys the domain sevenkingdoms.local with subdomains north.sevenkingdoms.local and essos.local — yes, it’s Game of Thrones themed. The attack surface is massive:

• Cross-forest trust abuse: Compromise one domain and pivot into the other forest through trust relationships.
• ADCS attacks: The lab includes Active Directory Certificate Services with misconfigured templates — practice ESC1 through ESC8 attacks using Certipy.
• MSSQL exploitation: Linked SQL servers allow you to chain impersonation and command execution across domains.
• Kerberos attacks: Kerberoasting, AS-REP Roasting, delegation abuse, constrained and unconstrained delegation — all present and exploitable.
• GPO abuse: Group Policy misconfigurations allow privilege escalation through scheduled tasks and startup scripts.
• SCCM attacks (SCCM lab variant): If you deploy the SCCM lab, you get a full Microsoft Configuration Manager environment with NAA credential harvesting and PXE boot attacks.

Use BloodHound to map the environment first — the attack graphs are sprawling and genuinely complex. Then work through the official writeups on mayfly’s blog for guided walkthroughs of each attack path.

GOAD is the closest thing to a real corporate AD environment you’ll find for free. If you’re targeting OSCP, CRTP, CRTE, or any AD-focused certification, this lab alone is worth hundreds of hours of practice.

3. Vulnerable WP — Hack WordPress the Right Way

WordPress powers over 40% of the web, which makes it one of the most targeted platforms on the planet. Damn Vulnerable WordPress (DVWP) is a Docker-based WordPress installation pre-loaded with vulnerable plugins and themes. It gives you a safe, legal environment to practise WordPress-specific attacks.

How to Get It

Clone from GitHub.

How to Install It

Docker Compose makes this effortless:

git clone https://github.com/vianasw/dvwp.git
cd dvwp
docker-compose up -d

Wait for the containers to spin up, then browse to http://localhost:8080. Complete the WordPress installation wizard (pick any admin username/password — you’ll be breaking into it anyway).

After WordPress is running, install the vulnerable plugins:

docker-compose run --rm wp-cli install-wp

This installs plugins with known vulnerabilities — SQL injection, file inclusion, remote code execution, and more.

How to Use It

Start by scanning the installation with WPScan from your Kali machine:

wpscan --url http://localhost:8080 --enumerate vp,vt,u

WPScan will identify the installed plugins and cross-reference them against its vulnerability database. From there, try:

• SQL Injection in a plugin: Many WordPress plugins pass user input directly into database queries. Use Burp Suite to intercept requests and inject SQL payloads.
• Local File Inclusion (LFI): Some plugins allow you to include arbitrary files by manipulating URL parameters. Try traversing to /etc/passwd.
• Authenticated RCE: Log in as admin and use the Theme Editor to inject PHP code into a template file. This is a common post-compromise technique.
• XML-RPC Brute Force: WordPress exposes an XML-RPC endpoint that can be abused for credential stuffing with multiple username/password pairs in a single request.

This is practical, directly applicable knowledge. WordPress vulnerabilities show up in bug bounty programmes constantly, and understanding how to find and exploit them (and how to fix them) is a valuable skill.

4. Ansible — Automate Your Lab So You Can Break It Faster

As your lab grows, manually configuring VMs becomes tedious. You spin up a fresh Ubuntu server, install Wazuh agent, configure Sysmon, set up logging… and then you break something and need to rebuild from scratch. Ansible eliminates this pain. It’s an agentless automation tool that lets you define your infrastructure as code and deploy it consistently, every time.

How to Get It

Ansible is available from GitHub or via pip.

How to Install It

On your Kali machine or a dedicated management VM:

sudo apt install ansible

Alternatively, install via pip inside a virtual environment:

python3 -m venv ~/ansible-env
source ~/ansible-env/bin/activate
pip install ansible

(On modern Debian and Ubuntu systems, pip install outside a virtual environment will fail with an “externally-managed-environment” error. Using a venv or the system package avoids this.)

Ansible connects to target machines over SSH (Linux) or WinRM (Windows), so you don’t need to install anything on the targets themselves.

Create an inventory file at /etc/ansible/hosts:

[targets]
metasploitable ansible_host=192.168.56.101 ansible_user=msfadmin
ubuntu-server ansible_host=192.168.56.110 ansible_user=admin
windows-target ansible_host=192.168.56.120 ansible_user=Administrator

[targets:vars]

ansible_ssh_common_args=’-o StrictHostKeyChecking=no’

Test connectivity:

ansible all -m ping

How to Use It

Ansible uses “playbooks” — YAML files that describe the desired state of your systems. Here’s a playbook that installs and configures a Wazuh agent on all your Linux targets:

---
- name: Deploy Wazuh Agent
  hosts: targets
  become: yes
  vars:
    wazuh_manager: "192.168.56.100"
    wazuh_version: "4.9.0-1"  # Update to match your Wazuh server version
  tasks:
    - name: Download Wazuh agent
      apt:
        deb: "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_{{ wazuh_version }}_amd64.deb"
      environment:
        WAZUH_MANAGER: "{{ wazuh_manager }}"
    - name: Start Wazuh agent
      service:
        name: wazuh-agent
        state: started
        enabled: yes

Run it:

ansible-playbook deploy-wazuh.yml

Every target in your inventory gets the Wazuh agent installed and configured in seconds. The version is defined as a variable at the top of the playbook, so when you upgrade your Wazuh server, you only need to change it in one place.

The real power shows when you need to rebuild your lab: tear everything down, spin up fresh VMs, run your playbooks, and you’re back to a fully configured lab in minutes instead of hours.

Build playbooks for common tasks: deploying monitoring agents, hardening baseline configurations, setting up vulnerable services, and resetting lab environments. Your future self will thank you.

5. MITRE Caldera — Automate the Adversary

MITRE Caldera is an adversary emulation platform developed by MITRE (the same organisation behind the ATT&CK framework). It lets you run automated attack campaigns against your lab machines using real-world tactics, techniques, and procedures (TTPs) mapped to the ATT&CK matrix. Instead of manually running tools from Kali, Caldera deploys agents on target systems and executes attack chains automatically.

How to Get It

Visit caldera.mitre.org or clone from GitHub.

How to Install It

git clone https://github.com/mitre/caldera.git --recursive
cd caldera
python3 -m venv caldera-env
source caldera-env/bin/activate
pip install -r requirements.txt
python server.py --insecure --build

(Caldera has a number of Python dependencies, so running it inside a virtual environment keeps things clean and avoids conflicts with your system packages.)

Caldera’s web interface starts on http://localhost:8888. Default credentials are red / admin for the red team interface and blue / admin for the blue team interface.

How to Use It

The workflow has three phases:

1. Deploy Agents: Caldera generates agent payloads that you run on your target machines. These agents (called “Sandcat” for the default agent) phone home to the Caldera server and await instructions. Generate a payload from the web UI and execute it on your Windows or Linux targets.

2. Run an Operation: Choose an “Adversary Profile” — a collection of ATT&CK techniques that simulate a specific threat actor. Caldera ships with several built-in profiles, or you can build your own. Start an operation and watch as Caldera automatically:

• Discovers the system (hostname, users, network)
• Enumerates credentials
• Moves laterally to other machines
• Establishes persistence
• Exfiltrates data

3. Analyse Results: Every action Caldera takes is logged and mapped to an ATT&CK technique. You can see exactly which techniques were used, which succeeded, and which were detected by your defences.

The purple team magic: run a Caldera operation and then check your Wazuh dashboard. How many of Caldera’s techniques generated alerts? Which ones flew under the radar? This gap analysis tells you exactly where your detection coverage is weak — and that’s where you write new Sigma rules (tool #9 on this list).

6. Wireshark — See Every Packet, Understand Every Protocol

Wireshark is the world’s most widely used network protocol analyser. It captures packets off the wire and lets you inspect them at every layer of the network stack — from Ethernet frames to TCP handshakes to HTTP headers to application-layer data. If you’ve never used Wireshark, you’re about to gain X-ray vision for your network.

How to Get It

Download from wireshark.org or install from your package manager.

How to Install It

# On Kali/Ubuntu
sudo apt install wireshark
# Allow non-root capture
sudo usermod -aG wireshark $USER

Log out and back in for the group change to take effect.

On Windows or macOS, download the installer from the website and run it. It includes the Npcap packet capture driver.

How to Use It

Launch Wireshark and select a network interface to start capturing. The screen floods with packets immediately. Here’s how to make sense of it:

Display filters are your best friend:

• http — Show only HTTP traffic
• ip.addr == 192.168.56.101 — Traffic to/from a specific host
• tcp.port == 4444 — Traffic on Metasploit’s default reverse shell port
• dns.qry.name contains "evil" — DNS queries containing a string
• tcp.flags.syn == 1 && tcp.flags.ack == 0 — SYN packets only (spot port scans)

Practical exercises for your lab:

1. Capture a Metasploit session: Exploit Metasploitable from Kali while capturing on either side. Follow the TCP stream to see the exploit payload, the shell prompt, and every command the attacker types — all in cleartext.
2. Spot a port scan: Run Nmap against a target while capturing. Filter for SYN packets and watch the systematic sweep across port numbers.
3. Examine DNS exfiltration: If you set up a DNS tunnelling exercise, Wireshark shows the encoded data inside DNS query names.
4. Analyse credential theft: Capture traffic while brute-forcing an FTP or HTTP login. The credentials fly across the wire in plaintext — a visceral reminder of why encryption matters.

Right-click any packet and choose Follow → TCP Stream to reconstruct the entire conversation. This single feature has solved more incidents than probably any other tool in the analyst’s arsenal.

7. Zeek — Network Forensics at Scale

Wireshark is perfect for deep-diving into individual packets. Zeek (formerly Bro) operates at a higher level — it watches all your network traffic and generates structured logs that describe what happened without drowning you in raw packets. Every connection, every DNS query, every HTTP request, every file transfer, every SSL certificate gets its own log entry with extracted metadata.

How to Get It

Visit zeek.org/get-zeek or install from packages.

How to Install It

# On Ubuntu (adjust the repository URL to match your Ubuntu version —
# replace "xUbuntu_22.04" with your actual version, e.g. "xUbuntu_24.04")
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/zeek.list
sudo apt update
sudo apt install zeek-lts
# Add to PATH
export PATH=$PATH:/opt/zeek/bin

To make the PATH change permanent, add the export line to your ~/.bashrc or ~/.profile.

Configure the monitoring interface in /opt/zeek/etc/node.cfg:

[zeek]
type=standalone
host=localhost
interface=eth1

Start Zeek:

sudo zeekctl deploy

How to Use It

Zeek generates log files in /opt/zeek/logs/current/. The key ones:

• conn.log: Every network connection — source, destination, port, protocol, bytes transferred, duration. This is your network’s heartbeat.
• dns.log: Every DNS query and response. Attackers use DNS for command-and-control and data exfiltration — this log catches it.
• http.log: Every HTTP request with method, URI, user-agent, referrer, and response code.
• files.log: Every file transferred over the network, with MIME type and hashes.
• ssl.log: Every TLS handshake with certificate details — catch self-signed certs that might indicate malicious infrastructure.
• notice.log: Zeek’s built-in anomaly detection — it flags things like SSL certificates with unusual properties or connections to known-bad addresses.

To hunt through Zeek logs:

# Find all connections to port 4444 (common Metasploit port)
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | grep 4444
# Find all DNS queries for suspicious domains
cat dns.log | zeek-cut query | sort | uniq -c | sort -rn | head 20
# Find large file transfers
cat files.log | zeek-cut source tx_hosts rx_hosts total_bytes mime_type | sort -t$'\t' -k4 -rn | head 10

When integrated with Security Onion or your SIEM, Zeek logs become the foundation of your network forensics capability. They give you the timeline of an incident: when the attacker connected, what they queried, what they downloaded, where they moved.

8. REMnux — A Malware Analysis Laboratory in a VM

When your honeypot catches a malware sample, or your IDS flags a suspicious download, you need somewhere safe to tear it apart. REMnux is a Linux distribution specifically designed for reverse-engineering and analysing malicious software. It comes pre-loaded with tools for static analysis, dynamic analysis, memory forensics, network analysis, and document examination.

How to Get It

Download from remnux.org.

How to Install It

The easiest approach is the pre-built OVA:

1. Download the REMnux OVA file from the website.
2. Import it into VirtualBox or VMware.
3. Critical: Set the network adapter to Host-Only or disconnect it entirely. You do not want malware samples phoning home through your real network.
4. Boot it up. Default credentials are remnux / malware.

Alternatively, install on top of a fresh Ubuntu system (check the REMnux documentation for the currently supported Ubuntu version):

wget https://REMnux.org/remnux-cli
mv remnux-cli /usr/local/bin/remnux
chmod +x /usr/local/bin/remnux
sudo remnux install

How to Use It

REMnux is packed with tools organised by analysis phase:

Static Analysis (without running the malware):

• file malware.exe — Identify file type
• strings malware.exe — Extract readable text (URLs, IP addresses, error messages, registry keys)
• peframe malware.exe — Analyse PE headers, imported functions, and suspicious indicators
• yara -r /path/to/rules malware.exe — Scan against YARA rules to match known malware families

Dynamic Analysis (running the malware in a controlled environment):

• FakeDNS / INetSim: These tools simulate internet services. When malware tries to resolve a domain or connect to a C2 server, these tools answer instead of the real internet, allowing you to observe the malware’s network behaviour without letting it actually communicate.
• Wireshark / tcpdump: Capture network traffic generated by the running malware.

Document Analysis:

• olevba suspicious.docm — Extract and analyse VBA macros from Office documents
• pdfid suspicious.pdf — Identify suspicious elements in PDF files (JavaScript, launch actions, embedded files)
• pdf-parser suspicious.pdf — Deep-dive into PDF object structures

Memory Forensics:

• Volatility: Analyse memory dumps to find hidden processes, injected code, and network connections that don’t show up in normal tools.

A typical workflow: your Cowrie honeypot catches an attacker downloading a suspicious script. You copy the file to REMnux (via a shared folder, never through the network). Run strings to find hardcoded IPs. Run yara to check against known malware signatures. Use FakeDNS and execute the script in a sandboxed environment to watch its behaviour. Document everything — this is incident response practice.

9. Sigma — Write Detection Rules That Work Everywhere

You’ve built your lab, you’ve run attacks, you’ve watched alerts fire (and not fire). Now comes the critical question: how do you write better detection rules? Sigma is a generic signature format for SIEM systems. Think of it as YARA rules, but for log events instead of files. Write a Sigma rule once, and it can be converted to work in Wazuh, Splunk, Elastic, QRadar, Microsoft Sentinel, Graylog, and dozens of other platforms.

How to Get It

Visit sigmahq.io for the rule repository and tools, or clone the GitHub repository.

How to Install It

Install the Sigma CLI tools inside a virtual environment:

python3 -m venv ~/sigma-env
source ~/sigma-env/bin/activate
pip install sigma-cli
# Install backends for your SIEM
pip install pySigma-backend-opensearch
pip install pySigma-backend-splunk

Clone the Sigma rules repository for a massive library of community-written detections:

git clone https://github.com/SigmaHQ/sigma.git

How to Use It

A Sigma rule is a YAML file that describes a log event pattern. Here’s a simple example that detects Mimikatz execution (a common credential-dumping tool):

title: Mimikatz Execution Detected
status: experimental
description: Detects execution of Mimikatz based on process command line
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'sekurlsa::logonpasswords'
            - 'lsadump::sam'
            - 'privilege::debug'
    condition: selection
level: critical
tags:
    - attack.credential_access
    - attack.t1003

Convert it to a Wazuh/OpenSearch query:

sigma convert -t opensearch -p sysmon rule.yml

This outputs a query you can paste directly into your Wazuh dashboard to start detecting this behaviour.

Building your own rules from lab observations:

1. Run MITRE Caldera with a credential-dumping technique against your Windows target.
2. Check Sysmon logs in Wazuh to see what events were generated.
3. Identify the fingerprint — maybe it’s a specific process name, a command-line argument, or a sequence of registry accesses.
4. Write a Sigma rule that matches that fingerprint.
5. Test it by running the attack again and confirming your rule fires.
6. Convert it for your SIEM and deploy it.

This is detection engineering — arguably the most in-demand skill in cybersecurity right now. The SigmaHQ repository contains over 3,000 community rules that you can deploy immediately, and writing your own rules against attacks you’ve observed in your lab is the best possible training.

The Complete Picture

Across all three posts, we’ve built something substantial. Here’s the full architecture:

Attack Surface: Metasploitable 2, Vulnserver, WebGoat, Juice Shop, Vulnerable-AD, GOAD, and Vulnerable WP give you targets across network services, binary exploitation, web applications, single-domain and multi-forest Active Directory environments, and CMS platforms.

Offensive Tools: Kali Linux, GoPhish, PortSwigger Web Security Academy, and CTFlearn provide your weapons and training grounds.

Network Security: pfSense segments the network, Suricata and Security Onion monitor traffic, and Zeek generates forensic network logs.

Endpoint Security: Sysmon captures everything on Windows endpoints, and Wazuh agents report from every machine.

Central Intelligence: Wazuh and OpenSearch aggregate, correlate, and visualise everything in one place.

Adversary Emulation: MITRE Caldera automates realistic attack campaigns mapped to the ATT&CK framework.

Automation: Ansible lets you rebuild and reconfigure the entire lab in minutes.

Forensics: Wireshark provides packet-level analysis, REMnux handles malware analysis, and Cowrie records attacker behaviour.

Detection Engineering: Sigma rules codify your detection knowledge into portable, testable, deployable formats.

Remote Access: WireGuard keeps it all accessible from anywhere.

Twenty-five tools. Zero cost. One home lab that will teach you more about cybersecurity than most university programmes. The only thing left is to build it.

Go lab something.