Vulnerable network labs
Here’s a comprehensive list broken into:
🧨 Vulnerable network labs/systems
🛠️ Key tools to master
🌐 Online platforms for hands-on training
🧭 Structured learning paths
🧨 Vulnerable Labs for Network Penetration Testing
1. Metasploitable 2 & 3
What it is: A deliberately vulnerable VM built for network exploitation.
Covers: Open ports, weak services, misconfigurations, buffer overflows.
Great for: Practicing with Nmap, Metasploit, manual exploits.
Download:
Metasploitable 2: https://sourceforge.net/projects/metasploitable/
Metasploitable 3: https://github.com/rapid7/metasploitable3
2. VulnHub Machines
What it is: A huge archive of vulnerable VMs (CTF-style and realistic).
Use for: Local/offline network attacks, pivoting, privilege escalation.
Many scenarios: Windows, Linux, Active Directory.
Link: https://www.vulnhub.com
3. Active Directory Labs (e.g., Attack-Defense AD Lab)
Great for: Practicing internal network attacks, password spraying, Kerberoasting, etc.
Options:
HackTheBox - AD Labs
TryHackMe - Attacktive Directory Room
Pentester Academy AD Lab (paid)
4. De-ICE Pen Test Live CDs
What it is: Bootable ISO targets designed to simulate real networks.
Scenario-based: Simulates corporate networks you can attack from a separate machine.
5. Security Onion Practice Setup
What it is: Network monitoring platform that you can use to analyze attacks.
Reverse engineering + detection + blue teaming side of pentesting.
You can attack it or analyze captured network traffic.
The following labs, tools, and resources for network penetration testing focus on enterprise-level simulation, protocol-specific testing, and realistic attack chains (including pivoting, lateral movement, and post-exploitation).
🧨 More Vulnerable Network Environments & Labs
6. PurpleLabs by TCM Security
What it is: A full-scale Active Directory lab you can deploy locally.
Great for: AD enumeration, password attacks, lateral movement, BloodHound.
Runs on: VMware or VirtualBox
7. Red Team Attack Lab (by RangeForce / GitHub community)
Enterprise-style internal network simulation.
Includes:
Windows domain controller
Workstations
Vulnerable services like SMB, RDP, and misconfigured GPOs
Good for: Credential abuse, Golden Ticket, Kerberoasting
GitHub: https://github.com/mandiant/commando-vm (used for attacking)
8. Proving Grounds (by Offensive Security)
Hosted vulnerable machines maintained by OffSec (creators of OSCP).
Machines vary in difficulty and realism.
Comes with Kali + in-browser console.
9. Amun Honeypot or Dionaea (Defensive but useful)
Use these to simulate services like SMB, HTTP, FTP and then attack them yourself.
Good for creating a bait network to practice detection evasion.
GitHub: https://github.com/rep/honeyd
10. DetectionLab by Chris Long
Full enterprise logging lab with Splunk, Winlogbeat, and preconfigured AD.
Great for learning both attack and detection.
Attack Tools: RDP, PowerShell abuse, LLMNR, etc.
🧠 Protocol-Specific Labs & Practice Areas
SMB - VulnHub: "SickOs", THM: "Ignite"
FTP - Metasploitable 2, VulnHub: "Bashed"
LDAP - TryHackMe: "AD Lab", HTB: "Forest"
DNS - THM: "DNS Enumeration", HTB: "Resolute"
RDP - HTB: "Blue", Proving Grounds
SNMP - VulnHub: "SkyDog Con"
Telnet - Metasploitable, De-ICE CDs
📦 Pre-Built Attack & Lab Environments
🔹 AttackBox (TryHackMe)
Browser-based Kali Linux instance
Good for quick-start labs — no local VM setup required
🔹 Kali Linux + Vagrant Lab Setup
Bring up the vulnerable VMs defined in your Vagrantfile with one command per machine:
vagrant up metasploitable
vagrant up windows-server-2016
Bonus: Combine with VPN or host-only network to practice real lateral movement
🔹 pwnbox (HackTheBox)
In-browser Kali environment with tools preinstalled
Ideal for corporate firewalled environments or portable testing
🛠️ Tools Every Network Pentester Should Master
Nmap - Network scanning, service detection, vuln detection
Netcat / Ncat - Port listening, reverse shells
Wireshark / tcpdump - Network sniffing, packet analysis
Hydra / Medusa - Brute force login attacks (FTP, SSH, RDP)
Metasploit Framework - Exploitation, post-exploitation
Impacket (Python) - Advanced AD exploitation: smbclient, secretsdump, etc.
Responder + NTLMRelayX - LLMNR poisoning and credential relay attacks
CrackMapExec - Swiss army knife for Active Directory
Enum4linux / smbclient / rpcclient - SMB enumeration
Burp Suite (for proxying internal web apps)
🌐 Online Platforms for Network Pentesting
🔹 TryHackMe
Labs for all levels: Basic enumeration to AD attacks.
Top rooms:
"Network Services"
"Attacktive Directory"
"Red Team Path"
🔹 Hack The Box
More realistic than THM, used for OSCP prep.
Includes:
Retired machines for practicing with walkthroughs
Active Directory networks
"Pro Labs" like Offshore and Dante for enterprise-grade simulations
🔹 RangeForce / CyberDefenders / Blue Team Labs
Mostly blue teaming but useful for understanding detection and logging.
Great for Red vs Blue scenarios.
🔹 Immersive Labs (Enterprise)
Scenario-based labs that include recon, scanning, privilege escalation, and report writing.
🔹 Pentester Academy (now INE)
Paid platform with great labs for AD exploitation, packet analysis, and network attacks.
🧭 Structured Roadmap: Beginner to Advanced Network Pentesting
🔹 Phase 1: Recon & Scanning
Nmap, netcat, ping, traceroute, Wireshark
THM: Network Services, VulnHub
🔹 Phase 2: Service Enumeration
smbclient, ftp, ssh, enum4linux, rpcclient
HTB easy machines, DVWA (network exposed)
🔹 Phase 3: Exploitation
Metasploit, manual exploits, brute force
Metasploitable 2/3, THM: Daily Bugle
🔹 Phase 4: Lateral Movement
CrackMapExec, Impacket, NTLMRelayX
THM: Attacktive Directory, HTB: Forest
🔹 Phase 5: Post-Exploitation
Privilege escalation, pivoting, data exfil
LinPEAS/WinPEAS, PowerUp, BloodHound
🔹 Phase 6: Reporting & Cleanup
Evidence collection, logs, screenshots
TryHackMe: Final Challenge Rooms