Vulnerable network labs

Here’s a comprehensive list broken into:

🧨 Vulnerable network labs/systems
🛠️ Key tools to master
🌐 Online platforms for hands-on training
🧭 Structured learning paths

🧨 Vulnerable Labs for Network Penetration Testing

1. Metasploitable 2 & 3

What it is: A deliberately vulnerable VM built for network exploitation.
Covers: Open ports, weak services, misconfigurations, buffer overflows.
Great for: Practicing with Nmap, Metasploit, manual exploits.
Download:
- Metasploitable 2: https://sourceforge.net/projects/metasploitable/
- Metasploitable 3: https://github.com/rapid7/metasploitable3

2. VulnHub Machines

What it is: A huge archive of vulnerable VMs (CTF-style and realistic).
Use for: Local/offline network attacks, pivoting, privilege escalation.
Many scenarios: Windows, Linux, Active Directory.
Link: https://www.vulnhub.com

3. Active Directory Labs (e.g., Attack-Defense AD Lab)

Great for: Practicing internal network attacks, password spraying, Kerberoasting, etc.
Options:
- HackTheBox - AD Labs
- TryHackMe - Attacktive Directory Room
- Pentester Academy AD Lab (paid)

4. De-ICE Pen Test Live CDs

What it is: Bootable ISO targets designed to simulate real networks.
Scenario-based: Simulates corporate networks you can attack from a separate machine.
Link: https://www.vulnhub.com/series/de-ice,10/

5. Security Onion Practice Setup

What it is: Network monitoring platform that you can use to analyze attacks.
Reverse engineering + detection + blue teaming side of pentesting.
You can attack it or analyze captured network traffic.
Link: https://securityonion.net

Absolutely — here’s even more vulnerable labs, tools, and resources specifically for network penetration testing, with a focus on enterprise-level simulation, protocol-specific testing, and realistic attack chains (including pivoting, lateral movement, and post-exploitation). Let’s take it up a level.

🧨 More Vulnerable Network Environments & Labs

6. PurpleLabs by TCM Security

What it is: A full-scale Active Directory lab you can deploy locally.
Great for: AD enumeration, password attacks, lateral movement, bloodhound.
Runs on: VMware or VirtualBox
GitHub: https://github.com/tcm-sec/PurpleLabs

7. Red Team Attack Lab (by RangeForce / GitHub community)

Enterprise-style internal network simulation.
Includes:
- Windows domain controller
- Workstations
- Vulnerable services like SMB, RDP, and misconfigured GPOs
Good for: Credential abuse, Golden Ticket, Kerberoasting
GitHub: https://github.com/mandiant/commando-vm (used for attacking)

8. Proving Grounds (by Offensive Security)

Hosted vulnerable machines maintained by OffSec (creators of OSCP).
Machines vary in difficulty and realism.
Comes with Kali + in-browser console.
https://www.offensive-security.com/labs/individual/

9. Amun Honeypot or Dionaea (Defensive but useful)

Use these to simulate services like SMB, HTTP, FTP and then attack them yourself.
Good for creating a bait network to practice detection evasion.
GitHub: https://github.com/rep/honeyd

10. DetectionLab by Chris Long

Full enterprise logging lab with Splunk, Winlogbeat, and preconfigured AD.
Great for learning both attack and detection.
Attack Tools: RDP, PowerShell abuse, LLMNR, etc.
GitHub: https://github.com/clong/DetectionLab

🧠 Protocol-Specific Labs & Practice Areas

Protocol

Resource to Practice

SMB

VulnHub: "SickOs", THM: "Ignite"

FTP

Metasploitable 2, VulnHub: "Bashed"

LDAP

TryHackMe: "AD Lab", HTB: "Forest"

DNS

THM: "DNS Enumeration", HTB: "Resolute"

RDP

HTB: "Blue", Proving Grounds

SNMP

VulnHub: "SkyDog Con"

Telnet

Metasploitable, De-ICE CDs

📦 Pre-Built Attack & Lab Environments

🔹 AttackBox (TryHackMe)

Browser-based Kali Linux instance
Good for quick-start labs — no local VM setup required

🔹 Kali Linux + Vagrant Lab Setup

Set up a lab with vulnerable VMs using a single command:
- vagrant up metasploitable
- vagrant up windows-server-2016
Bonus: Combine with VPN or host-only network to practice real lateral movement

🔹 pwnbox (HackTheBox)

In-browser Kali environment with tools preinstalled
Ideal for corporate firewalled environments or portable testing

🛠️ Tools Every Network Pentester Should Master

Tool

Use Case

Nmap

Network scanning, service detection, vuln detection

Netcat / Ncat

Port listening, reverse shells

Wireshark / tcpdump

Network sniffing, packet analysis

Hydra / Medusa

Brute force login attacks (FTP, SSH, RDP)

Metasploit Framework

Exploitation, post-exploitation

Impacket (Python)

Advanced AD exploitation: smbclient, secretsdump, etc.

Responder + NTLMRelayX

LLMNR poisoning and credential relay attacks

CrackMapExec

Swiss army knife for Active Directory

Enum4linux / smbclient / rpcclient

SMB enumeration

Burp Suite (for proxying internal web apps)

🌐 Online Platforms for Network Pentesting

🔹 TryHackMe

Labs for all levels: Basic enumeration to AD attacks.
Top rooms:
- "Network Services"
- "Attacktive Directory"
- "Red Team Path"
https://tryhackme.com

🔹 Hack The Box

More realistic than THM, used for OSCP prep.
Includes:
- Retired machines for practicing with walkthroughs
- Active Directory networks
- "Pro Labs" like Offshore and Dante for enterprise-grade simulations
https://hackthebox.com

🔹 RangeForce / CyberDefenders / Blue Team Labs

Mostly blue teaming but useful for understanding detection and logging.
Great for Red vs Blue scenarios.
https://cyberdefenders.org

🔹 Immersive Labs (Enterprise)

Scenario-based labs that include recon, scanning, privilege escalation, and report writing.
https://www.immersivelabs.com

🔹 Pentester Academy (now INE)

Paid platform with great labs for AD exploitation, packet analysis, and network attacks.
https://ine.com

🧭 Structured Roadmap: Beginner to Advanced Network Pentesting

Phase

Skills

Labs / Tools

🔹 Phase 1: Recon & Scanning

Nmap, netcat, ping, traceroute, Wireshark

THM: Network Services, VulnHub

🔹 Phase 2: Service Enumeration

smbclient, ftp, ssh, enum4linux, rpcclient

HTB easy machines, DVWA (network exposed)

🔹 Phase 3: Exploitation

Metasploit, manual exploits, brute force

Metasploitable 2/3, THM: Daily Bugle

🔹 Phase 4: Lateral Movement

CrackMapExec, Impacket, NTLMRelayX

THM: Attacktive Directory, HTB: Forest

🔹 Phase 5: Post-Exploitation

Privilege escalation, pivoting, data exfil

LinPEAS/WinPEAS, PowerUp, BloodHound

🔹 Phase 6: Reporting & Cleanup

Evidence collection, logs, screenshots

TryHackMe: Final Challenge Rooms

PreviousChecklist NextMobile Penetration testing

Last updated 6 months ago

hashtag🧨 Vulnerable Labs for Network Penetration Testing

hashtag1. Metasploitable 2 & 3

hashtag2. VulnHub Machines

hashtag3. Active Directory Labs (e.g., Attack-Defense AD Lab)

hashtag4. De-ICE Pen Test Live CDs

hashtag5. Security Onion Practice Setup

hashtag🧨 More Vulnerable Network Environments & Labs

hashtag6. PurpleLabs by TCM Security

hashtag7. Red Team Attack Lab (by RangeForce / GitHub community)

hashtag8. Proving Grounds (by Offensive Security)

hashtag9. Amun Honeypot or Dionaea (Defensive but useful)

hashtag10. DetectionLab by Chris Long

hashtag🧠 Protocol-Specific Labs & Practice Areas

hashtag📦 Pre-Built Attack & Lab Environments

hashtag🔹 AttackBox (TryHackMe)

hashtag🔹 Kali Linux + Vagrant Lab Setup

hashtag🔹 pwnbox (HackTheBox)

hashtag

hashtag🛠️ Tools Every Network Pentester Should Master

hashtag🌐 Online Platforms for Network Pentesting

hashtag🔹 TryHackMe

hashtag🔹 Hack The Box

hashtag🔹 RangeForce / CyberDefenders / Blue Team Labs

hashtag🔹 Immersive Labs (Enterprise)

hashtag🔹 Pentester Academy (now INE)

hashtag🧭 Structured Roadmap: Beginner to Advanced Network Pentesting