# Vulnerable network labs

Here’s a comprehensive list broken into:

* 🧨 **Vulnerable network labs/systems**
* 🛠️ **Key tools to master**
* 🌐 **Online platforms for hands-on training**
* 🧭 **Structured learning paths**

***

### 🧨 Vulnerable Labs for Network Penetration Testing

#### 1. **Metasploitable 2 & 3**

* **What it is:** A deliberately vulnerable VM built for network exploitation.
* **Covers:** Open ports, weak services, misconfigurations, buffer overflows.
* **Great for:** Practicing with Nmap, Metasploit, manual exploits.
* **Download:**
  * Metasploitable 2: <https://sourceforge.net/projects/metasploitable/>
  * Metasploitable 3: <https://github.com/rapid7/metasploitable3>

***

#### 2. **VulnHub Machines**

* **What it is:** A huge archive of vulnerable VMs (CTF-style and realistic).
* **Use for:** Local/offline network attacks, pivoting, privilege escalation.
* **Many scenarios:** Windows, Linux, Active Directory.
* **Link:** [https://www.vulnhub.com](https://www.vulnhub.com/)

***

#### 3. **Active Directory Labs (e.g., Attack-Defense AD Lab)**

* **Great for:** Practicing internal network attacks, password spraying, Kerberoasting, etc.
* **Options:**
  * **HackTheBox - AD Labs**
  * **TryHackMe - Attacktive Directory Room**
  * **Pentester Academy AD Lab (paid)**

***

#### 4. **De-ICE Pen Test Live CDs**

* **What it is:** Bootable ISO targets designed to simulate real networks.
* **Scenario-based:** Simulates corporate networks you can attack from a separate machine.
* **Link:** <https://www.vulnhub.com/series/de-ice,10/>

***

#### 5. **Security Onion Practice Setup**

* **What it is:** Network monitoring platform that you can use to analyze attacks.
* **Covers:** Reverse engineering, detection, and the blue-team side of pentesting.
* **You can attack it or analyze captured network traffic.**
* **Link:** [https://securityonion.net](https://securityonion.net/)

The labs, tools, and resources below go further into **network penetration testing**, with a focus on **enterprise-level simulation**, **protocol-specific testing**, and **realistic attack chains** (including pivoting, lateral movement, and post-exploitation).

***

### 🧨 **More Vulnerable Network Environments & Labs**

#### 6. **PurpleLabs by TCM Security**

* **What it is:** A full-scale Active Directory lab you can deploy locally.
* **Great for:** AD enumeration, password attacks, lateral movement, BloodHound.
* **Runs on:** VMware or VirtualBox
* **GitHub:** <https://github.com/tcm-sec/PurpleLabs>

***

#### 7. **Red Team Attack Lab (by RangeForce / GitHub community)**

* **Enterprise-style internal network simulation.**
* Includes:
  * Windows domain controller
  * Workstations
  * Vulnerable services like SMB, RDP, and misconfigured GPOs
* Good for: Credential abuse, Golden Ticket, Kerberoasting
* GitHub: <https://github.com/mandiant/commando-vm> *(used for attacking)*

***

#### 8. **Proving Grounds (by Offensive Security)**

* Hosted vulnerable machines maintained by OffSec (creators of OSCP).
* Machines vary in difficulty and realism.
* Comes with Kali + in-browser console.
* <https://www.offensive-security.com/labs/individual/>

***

#### 9. **Amun Honeypot or Dionaea (Defensive but useful)**

* Use these to simulate services like SMB, HTTP, FTP and then attack them yourself.
* Good for creating a bait network to practice detection evasion.
* GitHub: <https://github.com/rep/honeyd>

***

#### 10. **DetectionLab by Chris Long**

* **Full enterprise logging lab** with Splunk, Winlogbeat, and preconfigured AD.
* Great for learning both attack and detection.
* **Attack Tools:** RDP, PowerShell abuse, LLMNR, etc.
* GitHub: <https://github.com/clong/DetectionLab>

***

### 🧠 Protocol-Specific Labs & Practice Areas

| Protocol   | Resource to Practice                    |
| ---------- | --------------------------------------- |
| **SMB**    | VulnHub: "SickOs", THM: "Ignite"        |
| **FTP**    | Metasploitable 2, VulnHub: "Bashed"     |
| **LDAP**   | TryHackMe: "AD Lab", HTB: "Forest"      |
| **DNS**    | THM: "DNS Enumeration", HTB: "Resolute" |
| **RDP**    | HTB: "Blue", Proving Grounds            |
| **SNMP**   | VulnHub: "SkyDog Con"                   |
| **Telnet** | Metasploitable, De-ICE CDs              |

***

### 📦 Pre-Built Attack & Lab Environments

#### 🔹 **AttackBox (TryHackMe)**

* Browser-based Kali Linux instance
* Good for quick-start labs — no local VM setup required

#### 🔹 **Kali Linux + Vagrant Lab Setup**

* Bring up each vulnerable VM in the lab with a single command:
  * `vagrant up metasploitable`
  * `vagrant up windows-server-2016`
* Bonus: Combine with VPN or host-only network to practice real lateral movement

#### 🔹 **pwnbox (HackTheBox)**

* In-browser Kali environment with tools preinstalled
* Ideal for corporate firewalled environments or portable testing

***

### 🛠️ Tools Every Network Pentester Should Master

| Tool                                            | Use Case                                               |
| ----------------------------------------------- | ------------------------------------------------------ |
| **Nmap**                                        | Network scanning, service detection, vuln detection    |
| **Netcat / Ncat**                               | Port listening, reverse shells                         |
| **Wireshark / tcpdump**                         | Network sniffing, packet analysis                      |
| **Hydra / Medusa**                              | Brute force login attacks (FTP, SSH, RDP)              |
| **Metasploit Framework**                        | Exploitation, post-exploitation                        |
| **Impacket (Python)**                           | Advanced AD exploitation: smbclient, secretsdump, etc. |
| **Responder + NTLMRelayX**                      | LLMNR poisoning and credential relay attacks           |
| **CrackMapExec**                                | Swiss army knife for Active Directory                  |
| **Enum4linux / smbclient / rpcclient**          | SMB enumeration                                        |
| **Burp Suite**                                  | Proxying internal web apps                             |

***

### 🌐 Online Platforms for Network Pentesting

#### 🔹 **TryHackMe**

* **Labs for all levels**: Basic enumeration to AD attacks.
* Top rooms:
  * *"Network Services"*
  * *"Attacktive Directory"*
  * *"Red Team Path"*
* [https://tryhackme.com](https://tryhackme.com/)

***

#### 🔹 **Hack The Box**

* **More realistic than THM**, used for OSCP prep.
* Includes:
  * *Retired machines* for practicing with walkthroughs
  * *Active Directory networks*
  * *"Pro Labs"* like Offshore and Dante for enterprise-grade simulations
* [https://hackthebox.com](https://hackthebox.com/)

***

#### 🔹 **RangeForce / CyberDefenders / Blue Team Labs**

* Mostly blue teaming but useful for understanding detection and logging.
* **Great for Red vs Blue scenarios.**
* [https://cyberdefenders.org](https://cyberdefenders.org/)

***

#### 🔹 **Immersive Labs (Enterprise)**

* Scenario-based labs that include recon, scanning, privilege escalation, and report writing.
* [https://www.immersivelabs.com](https://www.immersivelabs.com/)

***

#### 🔹 **Pentester Academy (now INE)**

* Paid platform with great labs for AD exploitation, packet analysis, and network attacks.
* [https://ine.com](https://ine.com/)

***

### 🧭 Structured Roadmap: Beginner to Advanced Network Pentesting

| Phase                               | Skills                                               | Labs / Tools                              |
| ----------------------------------- | ---------------------------------------------------- | ----------------------------------------- |
| 🔹 **Phase 1:** Recon & Scanning    | `Nmap`, `netcat`, `ping`, `traceroute`, `Wireshark`  | THM: Network Services, VulnHub            |
| 🔹 **Phase 2:** Service Enumeration | `smbclient`, `ftp`, `ssh`, `enum4linux`, `rpcclient` | HTB easy machines, DVWA (network exposed) |
| 🔹 **Phase 3:** Exploitation        | `Metasploit`, manual exploits, brute force           | Metasploitable 2/3, THM: Daily Bugle      |
| 🔹 **Phase 4:** Lateral Movement    | `CrackMapExec`, `Impacket`, `NTLMRelayX`             | THM: Attacktive Directory, HTB: Forest    |
| 🔹 **Phase 5:** Post-Exploitation   | Privilege escalation, pivoting, data exfil           | LinPEAS/WinPEAS, PowerUp, BloodHound      |
| 🔹 **Phase 6:** Reporting & Cleanup | Evidence collection, logs, screenshots               | TryHackMe: Final Challenge Rooms          |
