Thursday, May 4, 2017

Pentest Home Lab - 0x0 - Building a virtual corporate domain

Whether you are a professional penetration tester or want to become one, having a lab environment that includes a full Active Directory domain is really helpful. There have been many times where, in order to learn a new skill, technique, exploit, or tool, I've had to first set it up in an AD lab environment.

Reading about attacks and understanding them at a high level is one thing, but I often have a hard time really wrapping my head around something until I've done it myself.  Take Kerberoasting for example: Between Tim's talk a few years back,  Rob's posts, and Will's post, I knew what was happening at a high level, but I didn't want to try out an attack I'd never done before in the middle of an engagement. But before I could try it out for myself, I had to first figure out how to create an SPN. So off to Google I went, and then off to the lab:

  • I set up MSSQL on a domain-connected server in my home lab
  • I created a new user in my AD
  • I created an SPN using setspn, pairing the new user to the MSSQL instance
  • I used Empire to grab the SPN hash as an unprivileged domain user (So cool!!)
  • I sent the SPN hash to the password cracker and got the weak password
THAT was a fun night!
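The lab-side half of the steps above (service account plus SPN), scripted, followed by the check a defender runs to see which accounts now carry SPNs. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT or a domain controller), a lab domain called lab.local, and a member server sql01 running MSSQL on port 1433. Every name in it is an assumption.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# the lab domain "lab.local" and a SQL member server "sql01" on port 1433 (all assumed).
Import-Module ActiveDirectory

$Domain  = "lab.local"
$SqlHost = "sql01.$Domain"
$SvcUser = "svc_mssql"
# For this lab the password is chosen to be crackable on purpose; prompt rather than hard-code it.
$SvcPass = Read-Host "Password for $SvcUser" -AsSecureString

# 1. The service account that will own the SPN (post step "I created a new user in my AD").
New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "$SvcUser@$Domain" `
    -AccountPassword $SvcPass -Enabled $true

# 2. Tie the account to the SQL instance (post step "I created an SPN using setspn").
#    -S refuses to add a duplicate SPN, which avoids a broken Kerberos setup later.
setspn -S "MSSQLSvc/${SqlHost}:1433" $SvcUser

# 3. Defender's view: every user account with an SPN can have a service ticket requested
#    for it, so this is the list whose password age and strength an admin should watch.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs';     e = { $_.ServicePrincipalName -join '; ' } },
        @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session as a domain admin on the DC. The final query is the same one you would run on a real domain to find kerberoastable accounts; in the lab it should return exactly the account you just created, and on a production domain an empty EncTypes column means the account is still falling back to RC4.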

So back to the goal of this blog series. I'll share what I've learned while building my own lab(s), I'll share some of the things I've done in my lab to try and improve my skills, and for every attack I cover, I'll also cover how to set up your lab environment.

Selecting Your Virtualization Stack

QUESTION: Should I build this in the cloud or on premises?

Before we can get to any of the hacking, we need to talk about where you are going to install your virtual environment. In fact, your home lab doesn't even need to be located within your home. I'll give an overview of each option, but the decision will likely be influenced by what hardware you have lying around, how much you want to spend up front, and how much you will be using your lab. In the end, you might even want to try more than one option, as they all have distinct benefits.

Cloud Based

Often, building a home lab using dedicated hardware is cost prohibitive. In addition to hardware costs, if you add Windows licensing costs, a traditional home lab can get really expensive. The good news is these days you don't need to buy any hardware or software (OS). You can build your lab using AWS, Azure, Google, etc. In addition to not having to purchase hardware, another major advantage of building your lab in the cloud is that the Windows licensing costs are built into your hourly rate (at least for AWS; I'm not as familiar with Azure or Google).

Pros
  • Hardware
    • No hardware purchases
  • OS Licensing
    • No Windows OS software purchases
    • No expiring Windows eval licenses
  • Hourly Pricing
    • You only pay for the time you use the lab machines
  • Education
    • You will learn a lot about the cloud stack you are building on

Cons

  • Cost
    • Leaving your instances running gets pretty expensive. Four Windows servers (t2.micro) running 24/7 will put you at around 45 bucks a month
  • Keeping track of instances
    • If you don't want them running all the time, you will have to remember to shut down instances when not in use or configure CloudWatch to do that for you
  • You can't pause instances
    • In AWS at least, you can't pause VMs like you can with virtualization software. This is pretty annoying if you are used to pausing your VMs at the end of each session and picking up where you left off
  • Limited Windows OS Support
    • No Windows 7/8/10 images (might be AWS specific)
  • Some testing activities need to be approved
    • You'll have to notify the cloud provider if you want to attack your instances from outside your virtual private cloud (VPC)

AWS Math

AWS can be reasonable for home use, or it can get very expensive, depending on how you use it. The key here is to think about how much you will be using your lab.  If you think you will play in your lab around 3 hours a night about 10 nights a month, AWS makes a lot of sense. If you are going to be running your hosts permanently, it will probably be more cost effective to run your lab on premises.

Here are some cost estimations using AWS's cost estimator:

Update (5/8/2017): I previously did not include EBS volume costs in the tables below. I've updated the tables to include EBS volume costs (30GB for each Windows volume, 20GB for Kali). You are charged for provisioned EBS volumes whether the instance is running or stopped.

2 Windows instances, 1 Kali instance

Annual cost if you use your lab 30 hours a month on average: $112/year.

4 Windows instances, 1 Kali instance

Annual cost if you use your lab 30 hours a month on average: $196/year

These are just estimations. You can save money by choosing a smaller volume size at instance creation, keeping your Kali instance local, and by tearing down and rebuilding all or part of the environment if you feel like you don't need it for a few months.

Also, as you can see, the difference in EC2 costs is pretty extreme if you leave your instances running all the time. Remember to turn off those instances when not in use!
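A small cost model that reproduces the two scenarios above and adds the "forgot to shut it down" case. It is an added example, not a calculator from the original post or from AWS, and every price in it is an assumption (the t2.micro Windows and Linux on-demand rates and the gp2 EBS rate as they were in us-east-1 around 2017); plug in the numbers from the current AWS price list before trusting the output.

```powershell
# Added example (not from the original post). Prices are ASSUMED 2017 us-east-1 on-demand
# figures; replace them with current values from the AWS price list before relying on the totals.
$Price = @{
    WindowsHourly = 0.0162   # t2.micro, Windows, $/hour (assumed)
    LinuxHourly   = 0.012    # t2.micro, Linux/Kali, $/hour (assumed)
    EbsGbMonth    = 0.10     # gp2 EBS, $/GB-month (assumed)
}

function Get-LabCost {
    param(
        [int]$WindowsInstances,
        [int]$HoursPerMonth,          # 30 = "3 hours a night, 10 nights a month"
        [int]$KaliInstances  = 1,
        [int]$WindowsVolumeGb = 30,   # volume sizes from the post's update
        [int]$KaliVolumeGb    = 20
    )
    # Compute is billed only for the hours the instances actually run...
    $ec2Monthly = ($WindowsInstances * $Price.WindowsHourly +
                   $KaliInstances    * $Price.LinuxHourly) * $HoursPerMonth
    # ...but provisioned EBS volumes are billed every month, running or stopped.
    $ebsMonthly = ($WindowsInstances * $WindowsVolumeGb +
                   $KaliInstances    * $KaliVolumeGb) * $Price.EbsGbMonth

    [pscustomobject]@{
        WindowsInstances = $WindowsInstances
        HoursPerMonth    = $HoursPerMonth
        Ec2Monthly       = [math]::Round($ec2Monthly, 2)
        EbsMonthly       = [math]::Round($ebsMonthly, 2)
        AnnualTotal      = [math]::Round(($ec2Monthly + $ebsMonthly) * 12, 0)
    }
}

@(
    Get-LabCost -WindowsInstances 2 -HoursPerMonth 30    # post's first table
    Get-LabCost -WindowsInstances 4 -HoursPerMonth 30    # post's second table
    Get-LabCost -WindowsInstances 4 -HoursPerMonth 730   # same lab left running 24/7
) | Format-Table -AutoSize
```

With the assumed rates the first two rows come out at $112 and $196 a year, matching the post, and the third row shows why: at 30 hours a month EBS is most of the bill, while at 730 hours the EC2 line alone is several times the whole part-time total.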

One caveat with building your lab entirely in the cloud, at least with AWS, is that AWS does not offer an AMI for Windows 7/8/10. While it appears possible to use your own Windows 7/8/10 image, now you are back to either using eval licenses or paying for them. While doing research for this blog series, I came across something called Amazon WorkSpaces, and even that does not use 7/8/10. It simulates a desktop environment using Microsoft's Desktop Experience via Windows Server 2012.

After playing around with Amazon Workspaces, I realized it is not the best option for a pentest lab due to monthly costs ($7 per month per workstation), but I did learn you don't really NEED Windows 7/8/10 in your pentest home lab to do most of what we will want to do, which was a good lesson.

In an upcoming post, I will write in detail about Building your AD lab on AWS.

On Premises

If you are going to build the lab on your own hardware, the next decision you need to make is: Do I use dedicated hardware and a hypervisor, or do I run software that sits on top of my host OS like VMware Workstation Pro, Workstation Player, VMware Fusion (Mac), or VirtualBox?

Using your Desktop/Laptop

If you have a desktop/laptop that has plenty of resources to spare, there is no reason you can't set this entire environment up on your OS of choice using either VMware or VirtualBox. On my laptop, I use VMware Workstation and have a test domain with 1 domain controller, 1 additional Windows server, and 1 Windows 7 host. With a 1TB HDD and 16GB of RAM, I can run all three if I need to, and Kali at the same time. If you can swing 32GB and a bigger SSD, that would give you even more flexibility. As noted in the cons below, you might be limited: my current laptop can't take more than 16GB.

Pros
  • Mobility
    • Take your lab with you wherever you go (if you have a laptop)
  • Easy entry
    • You probably already have a Desktop/Laptop that you can use
  • Free Options
    • VirtualBox and VMware Workstation Player are free

Cons

  • Cost
    • VMware Workstation Pro (Windows) and VMware Fusion (Mac) are not free
  • Hardware Limitations 
    • Your current desktop/laptop might be limited in how much memory you can add to it
  • Shared Resourcing
    • You are competing for shared resources on your host OS. This might not be acceptable
    • Every time you need to reboot your host OS, you have to stop/pause all of your VMs

Using a Hypervisor

Most penetration testers that I know still keep it traditional and use dedicated hardware combined with a hypervisor for their home lab. There are plenty of great articles that talk about hardware requirements and options. I have friends who prefer to go the route of buying old enterprise hardware on eBay, but I have always just used consumer hardware. Either way, between the RAM and fast disks, it can get expensive. On my server, I have an AMD 8 core chip circa 2015, and I just upgraded from 16 to 32GB of RAM, and from a 512GB SSD to a 1TB SSD. If you can afford it, avoid the mistake I made and just go right to 32GB of RAM and a 1TB SSD. That will give you more than enough room to grow your lab, make templates, take lots of snapshots, etc.

Pros

  • Flexibility
    • With dedicated hardware, you can isolate the lab on its own network, VLAN, etc.
  • Software cost
    • There are plenty of free options when it comes to Hypervisors
  • Options
    • You can take advantage of things like KVM, containers, and thin provisioning  
  • Portability
    • If you use something small like an Intel NUC, your lab can be portable

Cons

  • Energy Inefficient
    • The last thing anyone who reads this post needs is yet another computer running 24/7 ;)
  • Cost
    • Unless you have something laying around already, you'll have to buy new hardware
  • Vendor Specific Knowledge
    • Do you have the time and desire to learn all of the hypervisor specific troubleshooting commands when something breaks?  

Great Home Lab Resources

Home Lab Design by Carlos Perez
My new home lab setup by Carlos Perez
Building an Effective Active Directory Lab Environment for Testing by Sean Metcalf
Intel NUC Super Server by Mubix

Over the years I've played with a few of the popular hypervisors, and here are my thoughts:

VMware ESXi - My first lab was ESXi. If you've never used it, I recommend using this as your hypervisor if for no other reason than it is ubiquitous in the enterprise. You will find ESX on every internal pentest, and having experience with it from your home lab will help you one day.

Citrix XenServer - Eventually my ESX hard drive failed. After reading this post by Mubix, when I rebuilt, I tried Citrix's XenServer. I liked Xen, but I quickly ran out of space on my 512GB SSD, and when I added a second drive it started to freak out. The amount of custom Xen commands I had to learn was getting out of control, and I didn't feel like the experience was going to help me all that much, so I pulled the plug and looked for something new.

Proxmox VE - For my third iteration, I'm using Proxmox VE, after my friend @mikehacksthings gave a presentation on it at a recent @IthacaSec meeting. I really like it! Thin provisioning means it uses a lot less resources, and it seems lightning fast compared to ESXi and Xen. It definitely has my stamp of approval so far.

In an upcoming post, I'm going to write in detail about building your AD lab on premises using Proxmox.

Getting Windows Server Software

If you are going to build your lab in the cloud, you can just relax and skip this section. If you are going to build on premises, you will need to get your hands on the following software:
  • Required - Windows Server (2012 or 2016)
  • Optional - Windows 7 (or 8 or 10)
In terms of getting the software, there are a few options:
  1. Download evaluation versions, which are good for 180 days.
  2. See if your workplace has a key/ISO that can be used in a lab environment.
  3. Go with a cloud solution like AWS or Azure where the licensing costs are built into your hourly rate.
  4. I think if you are a student you can get the OSes for free.
For more detail on these options, check out Sean Metcalf's blog post: Building an Effective Active Directory Lab Environment for Testing. You will also notice that Sean gives some really useful breakdowns of what he feels you need in an AD lab. I'm going to keep this series more basic than that, but I encourage you to read his post.

Let's create a Domain

Once you have selected your virtualization stack, it is time to configure it. The following two posts take you through setting up two AD lab environments: one in the cloud using AWS, and another on premises using Proxmox VE.

Pentest Home Lab - 0x1 - Building Your AD Lab on AWS
Pentest Home Lab - 0x2 - Building Your AD Lab on Premises (Coming Soon)


Feedback, suggestions, corrections, and questions are welcome!

1 comment:

Rajganesh (Raj) pandurangan said...

Nice article. If I want to create a pentest lab for multiple students, primarily Windows machines, any idea what is the best way to do it? If I install a hypervisor and provision multiple VMs like Windows 2012, Windows 7 and Windows 10, do I need a license for each VM? Not sure how MS licensing works.