This is where I’ll be documenting my Security Lab setup for my future reference. Visitors are welcome!

LandonTrev/VirtualBox-Security-Lab

VirtualBox Security Lab

This repository documents my VirtualBox-based security lab, built to simulate a small enterprise network for hands-on learning in both offensive and defensive security.

The lab is intentionally segmented, monitored, and attackable. It allows me to practice realistic workflows such as network enumeration, Active Directory attacks, and detection using SIEM and NIDS tooling, without exposing my home network.

The overall architecture and learning approach are inspired by Ben Heater (0xBen) and his security lab guide: https://benheater.com/building-a-security-lab-in-virtualbox/


Lab Objectives

The goals of this lab are to:

  • Gain hands-on experience with enterprise-style network segmentation
  • Practice penetration testing against intentionally vulnerable systems
  • Explore common Active Directory attack paths
  • Understand how attacks generate detectable telemetry
  • Build familiarity with SIEM and NIDS tooling
  • Document repeatable attack, detection, and response workflows

This is a learning environment and evolves over time as new techniques and tools are introduced.


High-Level Architecture

The lab is built around a central pfSense firewall that routes and filters traffic between multiple internal networks (VLANs). Each network serves a specific purpose and is isolated by default.

All systems run on private IP address space (RFC 1918). Internet access is tightly controlled and only permitted where explicitly required.

A detailed architecture diagram is available in:

/diagrams/lab-architecture.png


Flowchart

[Image: Lab Architecture Diagram, /diagrams/lab-architecture.png]


Network Architecture and IP Plan

pfSense acts as the default gateway and enforcement point for all lab traffic. Each network segment is mapped to a dedicated pfSense interface.

WAN

  • Purpose: Internet access via home network
  • Adapter: Bridged
  • Notes:
    • Used only for outbound connectivity
    • RFC 1918 blocking is disabled due to double NAT

LAN – Attacker and Management Network

  • Subnet: 10.0.0.0/24
  • Gateway: 10.0.0.1 (pfSense)

| Host | IP Address | Role |
|---|---|---|
| Kali Linux | 10.0.0.2 | Attacker and management jump host |
| Wazuh (Mgmt) | 10.0.0.3 | SIEM management interface for SSH and SIEM login |

This network is used to:

  • Launch attacks
  • Access management interfaces (pfSense, Wazuh)
  • Administer the lab environment

ISOLATED VLAN – Vulnerable Targets (No Internet)

  • Subnet: 10.6.6.0/24
  • Gateway: 10.6.6.1 (pfSense)

| Host | IP Address | Role |
|---|---|---|
| VulnHub VM | 10.6.6.13 | Vulnerable target |
| Metasploitable2 | 10.6.6.22 | Intentionally vulnerable Linux VM |

Characteristics:

  • No internet access
  • No access to other VLANs
  • Reachable only from the LAN (Kali)

AD_LAB VLAN – Active Directory Environment

  • Subnet: 10.80.80.0/24
  • Gateway: 10.80.80.1 (pfSense)

| Host | IP Address | Role |
|---|---|---|
| Domain Controller | 10.80.80.2 | AD DS, DNS, DHCP |
| Windows Client 1 | 10.80.80.32 | Domain-joined workstation |
| Windows Client 2 | 10.80.80.43 | Domain-joined workstation |

This network simulates a small corporate environment and is intentionally misconfigured for attack and detection practice.

Note: The pfSense DHCP service is disabled on the AD_LAB VLAN because the domain controller is meant to act as the DHCP server for that network.


VULN_EGRESS VLAN – Vulnerable Targets with Internet Access

  • Subnet: 10.10.10.0/24
  • Gateway: 10.10.10.1 (pfSense)

| Host | IP Address | Role |
|---|---|---|
| VulnHub VM | 10.10.10.11 | Vulnerable target |
| VulnHub VM | 10.10.10.12 | Vulnerable target |

Characteristics:

  • Internet access allowed
  • Access to other private subnets blocked
  • Used to study outbound traffic and egress filtering

Detection and Monitoring

The lab includes a SOC-style monitoring setup:

  • Wazuh acts as the central SIEM for log collection and alerting
  • Suricata performs real-time network traffic inspection (NIDS)
  • pfSense mirrors traffic from all VLANs using a SPAN interface

Wazuh Interfaces

  • Monitoring interface: Receives mirrored traffic (passive)
  • Management interface: 10.0.0.3, accessed from Kali

This setup allows attacks launched from Kali to be observed, analyzed, and correlated within the SIEM.
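As an added example (not code from the repository) that ties the IP plan above to this monitoring setup: the documented segmentation rules are encoded as a first-match policy in the style of pfSense rules, and constructed Suricata EVE JSON alerts from the SPAN feed are cross-checked against it, so an alert for a flow the design says pfSense should block points at a firewall gap rather than only at an attack. Assumptions: the home network behind the WAN is 192.168.1.0/24, 203.0.113.5 stands in for an internet host, AD_LAB has no internet access (isolated by default), and the signature names are constructed.

```python
# Added example (not from the repository): encodes the documented VLAN policy as an
# ordered first-match rule list, then cross-checks mirrored-traffic alerts against it.
import json
from ipaddress import ip_address, ip_network
SEGMENTS = {"LAN": ip_network("10.0.0.0/24"), "ISOLATED": ip_network("10.6.6.0/24"),
            "AD_LAB": ip_network("10.80.80.0/24"), "VULN_EGRESS": ip_network("10.10.10.0/24")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def segment_of(ip: str) -> str:
    """Lab segment of an address; other RFC 1918 space (the home LAN behind the WAN) is PRIVATE_OTHER."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "PRIVATE_OTHER" if any(addr in net for net in RFC1918) else "INTERNET"

# First match wins, like pfSense; "*" matches any segment; no match = deny (so AD_LAB gets no internet).
POLICY = [
    ("ISOLATED", "*", "deny"),              # no internet, no other VLANs
    ("VULN_EGRESS", "INTERNET", "allow"),   # egress allowed ...
    ("VULN_EGRESS", "*", "deny"),           # ... but no private subnets, home LAN included
    ("LAN", "*", "allow"),                  # Kali reaches every target and the management UIs
]

def verdict(src: str, dst: str) -> str:
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return "allow"  # same VLAN: switched locally, never crosses pfSense
    for rule_src, rule_dst, action in POLICY:
        if rule_src in (s, "*") and rule_dst in (d, "*"):
            return action
    return "deny"

def policy_gaps(eve_lines):
    """Alerts (EVE JSON, one record per line) for flows the design says pfSense should have blocked."""
    gaps = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records are not cross-checked here
        src, dst = ev["src_ip"], ev["dest_ip"]
        if verdict(src, dst) == "deny":  # seen on the SPAN although it should be unroutable
            gaps.append((segment_of(src), src, segment_of(dst), dst, ev["alert"]["signature"]))
    return gaps

# Constructed EVE records: an expected scan from Kali, a flow that must never exist, a non-alert.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"10.0.0.2","dest_ip":"10.6.6.22","alert":{"signature":"CONSTRUCTED port scan"}}',
    '{"event_type":"alert","src_ip":"10.6.6.22","dest_ip":"10.80.80.2","alert":{"signature":"CONSTRUCTED SMB probe"}}',
    '{"event_type":"flow","src_ip":"10.10.10.11","dest_ip":"203.0.113.5"}',
]
```

Running `policy_gaps(SAMPLE_EVE)` returns only the ISOLATED-to-AD_LAB record, which is the one that would justify reviewing the pfSense rules on the ISOLATED interface.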


Repository Layout

├── README.md
├── .gitignore
├── diagrams/
├── notes/
│   ├── index.md
│   ├── networking/
│   ├── active-directory/
│   ├── detection/
│   └── attacks/
├── playbooks/
│   ├── attack/
│   ├── detection/
│   └── response/

Safety and Isolation

  • Vulnerable systems are segmented from the home network
  • Internet access is blocked where unsafe
  • All testing is performed only against lab-owned systems

No production or external systems are targeted.


Project Status

This project is actively in progress. Notes, playbooks, and diagrams are added as new attack paths and detection scenarios are explored.

