# Lab Setup Guide Guide for setting up penetration testing practice environments. > **Skill Level**: Beginner to Intermediate ## Quick Start Labs ### Kali Linux Setup ```bash # Download from https://www.kali.org/get-kali/ # VMware/VirtualBox settings: # - 4GB+ RAM # - 2+ CPU cores # - 80GB disk # - NAT + Host-Only network adapters # Post-install updates sudo apt update && sudo apt full-upgrade -y # Install additional tools sudo apt install -y seclists wordlists feroxbuster bloodhound ``` ### Parrot OS Alternative ```bash # Download from https://www.parrotsec.org/ # Security Edition includes most tools # Lighter than Kali on resources ``` ## Docker-Based Labs ### Vulnerable Web Applications ```bash # OWASP Juice Shop (Modern vulnerable app) docker run -d -p 3000:3000 bkimminich/juice-shop # DVWA (Classic vulnerable app) docker run -d -p 80:80 vulnerables/web-dvwa # WebGoat (OWASP training) docker run -d -p 8080:8080 -p 9090:9090 webgoat/webgoat # Mutillidae II docker run -d -p 8081:80 citizenstig/nowasp # bWAPP docker run -d -p 8082:80 raesene/bwapp # Damn Vulnerable GraphQL Application docker run -d -p 5013:5013 dolevf/dvga ``` ### Multiple Apps with Docker Compose ```yaml # docker-compose.yml version: '3' services: juice-shop: image: bkimminich/juice-shop ports: - "3000:3000" dvwa: image: vulnerables/web-dvwa ports: - "80:80" webgoat: image: webgoat/webgoat ports: - "8080:8080" - "9090:9090" hackazon: image: ianwijaya/hackazon ports: - "8081:80" ``` ```bash # Start all docker-compose up -d # Stop all docker-compose down ``` ### Vulnerable APIs ```bash # OWASP crAPI (Completely Ridiculous API) git clone https://github.com/OWASP/crAPI cd crAPI docker-compose up -d # Damn Vulnerable RESTaurant API docker run -d -p 8088:8080 theowni/damn-vulnerable-restaurant-api # vAPI (Vulnerable API) docker run -d -p 8089:80 roottusk/vapi ``` ### Container Security Labs ```bash # Contained.af (Container escape challenges) docker run -d -p 8090:80 genuinetools/contained.af # Kubernetes Goat git clone https://github.com/madhuakula/kubernetes-goat cd kubernetes-goat bash setup-kubernetes-goat.sh ``` ## Active Directory Lab ### Automated Setup with DVAD ```bash # Damn Vulnerable Active Directory (Azure) git clone https://github.com/WazeHell/vulnerable-AD cd vulnerable-AD # Follow setup instructions for Azure/local deployment ``` ### Manual AD Lab (VirtualBox/VMware) ``` Requirements: - Windows Server 2019/2022 (Domain Controller) - Windows 10/11 (Client machines) - 16GB+ RAM total Network Setup: 1. Create internal network "ADLab" 2. DC: 192.168.10.1 3. Clients: 192.168.10.x (DHCP from DC) Domain Controller Setup: 1. Install Windows Server 2. Add AD DS role 3. Promote to Domain Controller 4. Create domain: lab.local 5. Create users and groups 6. Configure vulnerable settings (see below) ``` ### Vulnerable AD Configurations ```powershell # On Domain Controller (PowerShell as Admin) # Create users New-ADUser -Name "john.doe" -SamAccountName "john.doe" -UserPrincipalName "john.doe@lab.local" -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) -Enabled $true # Create admin user with weak password New-ADUser -Name "svc_backup" -SamAccountName "svc_backup" -UserPrincipalName "svc_backup@lab.local" -AccountPassword (ConvertTo-SecureString "backup2024" -AsPlainText -Force) -Enabled $true Add-ADGroupMember -Identity "Domain Admins" -Members "svc_backup" # Create SPN for Kerberoasting setspn -A MSSQLSvc/sql.lab.local:1433 svc_backup # Enable LLMNR (for poisoning) # Default on, verify it's not disabled # Disable SMB signing (for relay) Set-SmbServerConfiguration -RequireSecuritySignature $false -Force # Create file share with weak permissions New-Item -Path "C:\Shares\Public" -ItemType Directory New-SmbShare -Name "Public" -Path "C:\Shares\Public" -FullAccess "Everyone" ``` ### DVAD Automated Setup ```bash # Detailed vulnerable AD automation git clone https://github.com/Orange-Cyberdefense/GOAD cd GOAD # Supports VirtualBox, VMware, Proxmox, Azure ./goad.sh -t check -p virtualbox ./goad.sh -t install -l GOAD -p virtualbox ``` ## Cloud Labs ### AWS Free Tier Lab ```bash # Create free tier account at aws.amazon.com # Practice with: # CloudGoat (Vulnerable by design AWS) git clone https://github.com/RhinoSecurityLabs/cloudgoat cd cloudgoat pip3 install -r requirements.txt ./cloudgoat.py config profile default ./cloudgoat.py create ec2_ssrf # Choose scenario ``` ### Azure Lab ```bash # Create free account at azure.com # Practice with: # PurpleCloud - Vulnerable Azure lab git clone https://github.com/iknowjason/PurpleCloud cd PurpleCloud # Follow Terraform setup instructions ``` ### GCP Lab ```bash # Create free account at cloud.google.com # Practice with: # GCPGoat git clone https://github.com/ine-labs/GCPGoat cd GCPGoat # Follow setup instructions ``` ## Network Labs ### VulnHub VMs ```bash # Download from vulnhub.com # Popular machines: # - Metasploitable 2/3 # - Kioptrix series # - Mr. Robot # - DC series (DC-1 to DC-9) # Import .ova into VirtualBox/VMware # Set network to Host-Only or NAT Network ``` ### HackTheBox/TryHackMe ``` HackTheBox (https://hackthebox.com): - Active machines for practice - Retired machines for learning - Pro Labs for advanced scenarios TryHackMe (https://tryhackme.com): - Guided learning paths - Browser-based machines - Beginner-friendly ``` ### Local Network Lab ```yaml # docker-compose.yml for network testing version: '3' services: router: image: alpine cap_add: - NET_ADMIN command: sh -c "apk add iptables && tail -f /dev/null" networks: internal: ipv4_address: 10.0.0.1 external: target1: image: vulnerables/web-dvwa networks: internal: ipv4_address: 10.0.0.10 target2: image: tleemcjr/metasploitable2 networks: internal: ipv4_address: 10.0.0.11 networks: internal: driver: bridge ipam: config: - subnet: 10.0.0.0/24 external: driver: bridge ``` ## Mobile Testing Lab ### Android ```bash # Android Studio Emulator # Download Android Studio # Create AVD (Android Virtual Device) # Use older API levels for more vulnerabilities # Genymotion (faster emulator) # Commercial but has free personal use # Physical device (recommended) # - Enable Developer Options # - Enable USB Debugging # - Root if possible (Magisk) # Vulnerable apps # DIVA (Damn Insecure and Vulnerable App) # InsecureBankv2 # OWASP MSTG apps ``` ### iOS ```bash # iOS Simulator (macOS only) # Xcode → Simulator # Physical device (recommended for full testing) # - Jailbreak if possible (checkra1n, unc0ver) # Corellium (cloud iOS devices) # Commercial but powerful for testing ``` ## CTF Platforms ``` PicoCTF - Beginner friendly https://picoctf.org/ OverTheWire - Linux/Security basics https://overthewire.org/wargames/ HackTheBox - Professional practice https://hackthebox.com/ TryHackMe - Guided learning https://tryhackme.com/ Root-Me - Various challenges https://root-me.org/ CryptoHack - Cryptography https://cryptohack.org/ PortSwigger Web Academy - Web security https://portswigger.net/web-security ``` ## Tool Installation Scripts ### Kali Tool Update ```bash #!/bin/bash # Update all tools sudo apt update && sudo apt full-upgrade -y # Install additional tools sudo apt install -y \ seclists \ feroxbuster \ nuclei \ httpx \ amass \ subfinder \ naabu \ bloodhound \ neo4j \ crackmapexec \ evil-winrm # Update Go tools go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest go install github.com/projectdiscovery/httpx/cmd/httpx@latest go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest # Update pip tools pip3 install --upgrade \ impacket \ pwntools \ bloodhound ``` ## Related Topics * [Tool Index](/others/tool-index.md) - Complete tool list * [Learning Path](/others/learning-path.md) - Study progression * [Wordlist Reference](/others/wordlist-reference.md) - Wordlists for practice --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.pentest-book.com/others/lab-setup-guide.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.