Introduction
Learning and implementing cybersecurity concepts can be challenging without access to practical and secure infrastructure. These challenges are further complicated by budget constraints that limit the acquisition of necessary hardware resources.
To overcome this, this home lab guide provides instructions for provisioning, configuring, optimizing, and securing IT infrastructure using a combination of local virtual machines (VMs) and cloud resources for practical use cases. This approach enables deploying less resource-intensive tools on local VMs while leveraging the cloud for more demanding applications. It simulates both on-premises and cloud environments. The knowledge gained here can aid in production and large-scale, enterprise-level infrastructures despite your smaller scale.
What is a Home Lab?
A home lab is a personal setup within your home designed for hands-on practice and skill development in specific fields such as IT or cybersecurity. It mimics larger-scale infrastructures using similar components and tools, providing a safe and controlled environment to experiment, learn, and refine your skills.
Lab Contents
- Lab Design and Topology
- Building/Choosing a Host PC
- Downloading, Installing, and Setting Up VMware Fusion for Mac (VMware Workstation Pro for Windows)
- Installing pfSense for Network Segmentation and Security
- Installing Kali Linux
- Configuring PfSense Interfaces and Dynamic DNS
- Creating and Setting Up a Microsoft Azure Account
- Creating a Virtual Network And Setting Up a VPN Connection on Azure
- Configuring VPN connection on pfSense
- Installing and Configuring Security Onion
- Configuring Packet Forwarding from pfSense to Security Onion using Netflow protocol
- Configuring a Windows Server as a Domain Controller
- Configuring Windows Desktops & Onboarding Users Accounts to the AD Domain
- Installing and Configuring Splunk
- Installing Splunk Universal Forwarder on Windows Server
- Ubuntu/CentOS/Metasploitable/DVWA/Vulnhub Machines: Optional machines for exploitation, detection, and monitoring purposes
Lab Design and Topology
Building/Choosing a Host PC
Due to budget constraints, I will use a MacBook Pro 2018 with 16GB of RAM, a 4GB dedicated graphics card, and a 512GB SSD for this lab. The recommended requirements for this lab are the same, a machine with at least 512GB of storage, an Intel Core i5 CPU (or its AMD equivalent), and 16GB of RAM. This lab is inspired by an article from Cyberwox's blog.
Note: While macOS is used as the host platform for this lab, the hypervisor (virtualization software) is available on most platforms, including Windows, though configuration steps may vary slightly.
Additional Suggestions for Local Setup Without Cloud Tunneling
- Build a Customized PC: To run all virtual machines and instances locally, consider building a customized PC that meets the lab's requirements. You can follow this article for guidance.
- Leverage Existing Hardware: If you have additional machines available, set up a cluster using Proxmox, provisioning networks, and VM instances as needed. Numerous tutorials are available on YouTube to help you through this process. I plan to explore this lab setup in the future.
Downloading, Installing, and Setting Up VMware Fusion for Mac (VMware Workstation Pro for Windows)
VMware, (now owned by Broadcom) has made VMware Fusion and VMware Workstation Pro free for personal use. You can download and install these products by following their official blog here. If you encounter difficulties during the download or installation process, refer to these YouTube tutorials here or here.
Alternatively, VirtualBox is another virtualization option and can be downloaded here.
Setting Up Virtual Machine Networks (VMNets) on VMware
After installing VMware, launch the software and navigate to the menu bar at the top left corner.
Click on VMware Fusion and select Settings.
Then, click on the Network tab in the settings window.
Here, you will see the predefined network configurations that define different network settings
- "Share with my Mac": Allows any VM using this setting to communicate externally (with the internet and other physical machines on the host’s network) using the host machine's IP address. All communications appear to originate from the host machine.
- "Bridged Networking": Enables the VM to act like a physical computer connected to the physical network.
- "Private to my Mac": Creates an isolated network where VMs can communicate only among themselves and are isolated from devices on the physical network.
Next, we will create four custom VMNets (vmnet2 to vmnet5) to assign machines to. Think of VMNets as networks on a router, where multiple machines can be connected. Each of these VMNets will be isolated, but they will be able to communicate with each other through a router. In this lab, pfSense will act as our router. Here is the configuration for VMNET2 to VMNET5:
- Click the + icon to add new VMNets (vmnet2 to vmnet5).
- Leave the settings unchanged; there is no need to connect through the internet directly. Instead, we will use our virtual router device (pfSense) for greater flexibility.
- Ensure the host machine is not connected to any of these networks.
- Untick provide addresses on this network via DHCP
Installing pfSense for Network Segmentation and Security
pfSense provides routing, firewall, and VPN functionality. In this lab, we will use pfSense as a firewall to segment our networks and set up a VPN tunnel from our networks to our AWS VPC.
- Download the pfSense ISO file, selecting "ISO IPMI/Virtual Machines."
- Once downloaded, open your terminal, navigate to the download directory, and type
gunzip -d <file_name>
to uncompress the file. - Open VMware and create a new Virtual Machine.
Select the uncompressed ISO file and click Continue.
Choose "Legacy BIOS" if prompted.
Click Customize Settings and name the VM "pfSense" or a suitable name.
In the configuration window, click Network Adapter under Removable Devices. Add four (4) virtual network adapters and assign each adapter to the VMNets created earlier. This VM will act as a router and firewall, so it should be connected to all 4 custom networks.
Click Add Device to add additional network adapters until all VMNets are assigned.
Go back to the main configuration window and click on Hard Disk (SCSI). Set the disk size to 20GB and ensure "Split into multiple files" is selected.
Click on Processors and Memory to allocate resources. Assign one processor and 2GB (2048 MB) of RAM.
Proceed with the installation by accepting all defaults, and pfSense will configure itself and reboot. If you encounter any issues, restart the VM.
After a successful reboot, select Option 1.
When prompted "Should VLANs be set now?", enter n.
Assign em0, em1, em2, em3, and em4 to each respective question.
Now, configure the network interfaces:
- LAN Interface (em1): Use IP 192.168.1.1 to access the pfSense WebGUI via a Kali machine.
- OPT1 and OPT2 Interfaces: Configure as required.
- OPT3 Interface: Leave without an IP for span port traffic monitoring with Security Onion.
Further configuration will be done through the pfSense WebConfigurator via the Kali machine.
Installing Kali Linux
Kali Linux is amongst the few Linux distros that come with a set of tools that can be used for offensive security. An alternative to Kali Linux is ParrotOS. Kali Linux can be used to perform attacks on the domain controller and other vulnerable machines in the lab. To begin, you can download the Kali Linux ISO image from here.
Download the image according to the VM platform you are using, for this lab, which will be VMWare. After downloading, extract the archive into an appropriate folder, and open the .vmwarevm file. You should see a window that starts the VM, kindly shut it down so we can configure its resources. Click the settings icon
You should get the window below,
Proceed to Processors & Memory to provision the right resources, I will be using 2 cores, and 2GB (2048 MB) RAM for this VM. Also, go to Network Adapter to assign the default network adapter to vmnet2.
You can start the VM when done. The default user and password is kali. You can change the password by launching the terminal and using the **passwd**
command.
Configuring PfSense Interfaces and Dynamic DNS
Now that the Kali machine is set up, navigate to the top left corner of the desktop window to open the Firefox browser, and enter https://192.168.1.1, this is the URL pfSense Web Configurator.
Click Advanced, then, Accept the Risk and Continue. You should see the login page for the pfSense web Configurator. Login to pfSense using the default credentials, admin and pfsense.
Though this is a home lab, it is recommended to always change the default password of machines and software/platforms when provisioned.
Proceed with the wizard by clicking Next till you get to Step 2 of 9
Add 8.8.8.8 as the Primary DNS Server, and Add 1.1.1.1 as the Secondary DNS Server, these are Google's and Cloudflare's public DNS Servers respectively.
Proceed by clicking Next, at Step 3 of 9, Select your timezone.
Click Next,
Untick the last two options at Step 4 of 9
At Step 5 of 9, Click Next
At Step 6 of 9, Set a new Admin Password, then Click Next
At Step 7 of 9, Click Reload, Click Finish.
At this point, the pfSense Wizard is complete and further configurations can be made. This is a home lab but, I recommend that you develop habits of creating a least-privileged user whenever you are using a root credential, as this will prevent account take-overs in real systems and ends up locking you out or wreaking havoc. You will find tons of tutorials about this on YouTube.
Now, let us proceed with configuring our interfaces.
Click on Interfaces
For Description, Change LAN to SecAssessmentNetwork as this is the network interface where Kali and Analyst machines will belong.
Scroll to the bottom of the page, Click Save and Apply Changes
If you encounter an error, you should check out this article to fix it.
Repeat the above steps until you have the named interfaces below
For OPT3, ensure you enable the interface as shown below
Next, Navigate to Interfaces >> Assignments
Select Bridges, click Add
Member Interfaces, Select VICTIMNETWORK
Click Display Advanced, under Advanced Configuration in the Span Port field, select SPANPORT
Scroll down to the bottom of the page and click Save
Next, we need to configure firewall rules,
On pfSense, navigate to Firewall >> Rules
Under the SECASSESSMENTNETWORK tab, click Add to create a new firewall rule
Under Edit Firewall Rule, in the Protocol field, select Any, scroll to the page's bottom, click Save
Note: There's a predefined rule, the Anti-Lockout Rule created by pfSense to allow incoming connections to ports 80 and 443 which are the ports to its Web Configurator.
We added a rule to allow all connections to/from the SecAssessmentNetwork. We should avoid this as much as possible, this is only done for the convenience of the lab, and it is recommended for tweaking after the lab.
Configuring Dynamic DNS (DDNS)
When we configure the Azure side of our VPN Tunnel, it is important that our VPN gateway can communicate with our on-prem gateway/router, which in the case of our home lab is our CPE (Customer Premises Equipment). Most SOHO (Small Office / Home Office) routers do not come bundled with a static or leased public IP address.
If we use the current public IP assigned, there is a high chance that Azure will lose communication with our gateway after some time (this is due to dynamic IP leasing by our ISP). To solve this, we can either lease some IPs from our ISP or use Dynamic DNS which enables Azure to track our public IP as it changes. Most SOHO routers have DDNS functionality, but in this lab, we will use pfSense.
There are so many DDNS providers, some domain name providers offer its functionality, while some providers offer it exclusively. Namecheap, Cloudflare, DynDNS, and NoIP, are some of these providers. For this lab, we will make use of DuckDNS (this is for practical purposes only, I recommend using Azure DNS, Cloudflare or Namecheap for reliable connections)
Proceed to DuckDNS.org to get started. Next, create an account and sign in. Enter the subdomain name of your choice and check if it is available. Once you have a domain name, note it and the generated token as it is needed in the following sections.
Next, navigate to the install section at the page's top nav bar.
Next, go back to our pfSense Web Configurator and log in, navigate to the services section and Click Dynamic DNS
Click Add
Select Service Type and Choose Custom
Navigate below to the Update URL section, and paste this
https://www.duckdns.org/update?domains=<domain name given to you>&token=&<generated token>ip=%IP%
e.g, https://www.duckdns.org/update?domains=example&token=f43562542412345676ip=%IP%
In Result Match type OK. Enter DUCKDNS in the Description field. Click Save & Force Update to finish setting it up. You should end up with something like this
We have successfully configured our DDNS.
Creating and Setting Up a Microsoft Azure Account
In this lab, we decided to choose Azure as our Cloud Service Provider (CSP). To get started with this section you can log in with your existing credentials or open an account if you do not have one already, proceed to the azure portal.
Once created, new accounts are given $200 worth of credits to try out their services, while some services are always free, some have quotas, which is useful for this lab. One of the security best practices I have over time gotten accustomed to is avoiding using a super-user or root account for my regular tasks. This is useful as whenever your standard/privileged account gets compromised, you can quickly use the root account to withdraw its access compared to when a root account is ATOed. So let us create a different account for our daily use.
Proceed to the top-left corner of the page's nav bar, Click the hamburger menu
Click on Microsoft Entra ID
Click on Users, and you should see a page with a list of users. When you open an Azure account, by default a new user is created for you, and it is assigned a Global Administrator role, this is the same thing as a root user.
Click Create new user, fill in the fields
Proceed by clicking Next: Properties, Fill the necessary fields
Continue by clicking Next: Assignments
Click on Add role and Add the following roles
- Network Administrator
Click *Review + create * to finish the user creation process.
We are done with our user creation, but we need to assign access to our created user on the subscription level. Click the hamburger menu and proceed to Home.
Click the Subscriptions from the Azure services section
Alternatively, you can search subscription on the search menu also
Select the subscription name, for new users, this will be Azure subscription 1.
Click Add, then Add role assignment
Select Privileged administrator roles
Select Owner, Click Next
Click Select members and add our newly created user
Proceed by clicking Next
Select *Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended) *
Click Next, then Review + assign
Sign out and re-login with the new user credentials, make sure you follow the prompts to enable MFA on the newly provisioned user.
Creating a Virtual Network And Setting Up a VPN Connection on Azure
For the following steps, ensure you are logged in as our newly created and less privileged user.
Click on Resource groups, this will help us create a container where we can create resources for our home labs and also assign a created user as the owner.
Click Create
Assign a subscription (The free trial subscription is assigned to new accounts by default)
Enter homelab-rg in the Resource group field
Select an appropriate region closer to you and Click Next: Tags
Assign tag name environment and value homelab, this helps us to quickly filter our resources in the future.
Proceed by clicking Next: Review + create, Click Create
Click the refresh icon to see the newly created resource group. Proceed by clicking the resource name.
Now, let us create our virtual network
Proceed by clicking the hamburger menu, then click on Virtual Networks
Click Create
Leave the defaults, and Enter a Virtual network name and Region
Click Next until you get to the IP addresses section
Enter 172.16.0.0/16 as the address space
Click Add a subnet
Choose Virtual Network Gateway as the subnet purpose, and fill in the necessary fields using the below sample
Proceed with the remaining defaults by clicking Add
Click Add a subnet again. This time, we are creating a subnet with outbound internet access but restrictive inbound internet access. We need a subnet to place a NAT gateway, as our Security Onion instance will need to communicate with the Internet during installation.
A NAT (Network Address Translation) gateway allows our resources to reach the Internet but prevents the Internet from reaching them. Although we can use the default subnet created automatically for us, I decided to have the default subnet be a more restrictive private subnet that does not have access to the Internet, so I will not be assigning a NAT gateway to it.
Now let us create our NAT-enabled private subnet
Proceed by following the inputs in the sample
Ensure you selected Enable private subnet (no default outbound access) as we want to explicitly grant outbound access.
Next, in the NAT gateway section, click Create new
Enter a name for the NAT gateway
Create a Public IP address for the NAT gateway also
You should end up with the below setup
Proceed by clicking Next
Add a tag name environment and a tag value homelab
Click Review + create, then Create
Next, You can go to the home screen.
Now that we have successfully created our Virtual Network, Let us create our VPN gateway and set up our site-to-site VPN connection.
On the home screen, proceed by clicking Create a resource
Under the Categories section, click Networking
Click on create under the Virtual network gateway section
Enter a name, homelab-vnetgw
Proceed to the Virtual network field and select the virtual network we created
In the Public IP address, select Create new
Give the Public IP address resource a name
Fill in the remaining fields by using the sample below
Click Review + create, then Create
It takes roughly 20 minutes for our Virtual Network Gateway to be fully deployed.
Next, we need to create a local network gateway to enable us to create a connection to our on-prem machine.
To begin, proceed by Clicking Create a resource on the home screen and selecting Networking on the Categories section
Click on Create in the Local network gateway section.
Select the appropriate resource group
On the Instance details section, enter an instance name of your choice
Select FQDN on our Endpoint field
Enter our DDNS FQDN (Fully Qualified Domain Name) we created from duckDNS.org e.g. example.duckdns.org
Next, add the address spaces to our on-prem machine. You should end up with something similar to the one below
Proceed by clicking Review + create, then Create
Finally, to finalize the Azure end of the VPN connection, we need to create a connection instance.
Let's proceed by creating another network resource, this time a connection.
Proceed by clicking Create
Select the appropriate resource group
In the Connection type field, select Site-to-site (IPsec)
Proceed by clicking Next: Settings
In the Virtual network gateway field, select the virtual network gateway we created earlier
In the Local network gateway field, select the local network gateway we had earlier created
In the Authentication Method field, leave it as Shared Key(PSK)
Enter a Pre-Shared Key (PSK) of your choice, this is more like a password, but I recommend that it should be complex and hard to brute force, though in a production environment, you will use a Public Key Infrastructure. I will be generating a key here.
Do save your PSK as it is needed on the pfSense side.
Next, Choose Custom in the IPsec / IKE policy field, and use the below entries
Proceed by clicking Review + create, then Create.
Once the connection is created, click Go to resource and Download configuration
Fill in the fields with the values in the sample below
Save the configuration file as it will be needed in setting up the pfSense end of the VPN connection.
We are done setting up the VPN connection at the Azure end.
Configuring VPN connection on pfSense
In this section, we are going to configure the pfSense part of the VPN connection. We proceed by navigating to our pfSense Web Configurator via our Kali Linux VM. Login to the pfSense Web Configurator portal.
Click VPN, then IPsec
Click Add P1
In the Description field, enter any description of your choice, e.g. Homelab to Azure Site-to-site tunnel
In the Remote Gateway field of the IKE Endpoint Configuration section, enter the Public address found in the Network parameters of the configuration file we downloaded.
The configuration entries we use in this section can be found in the Network parameters and IPsec/IKE parameters sections of the configuration file we downloaded.
Next, skip to the Pre-shared key field, and enter the PSK we used while setting up the Azure part of the connection, you can also find it in the IPsec/IKE parameters section of the configuration file we downloaded.
Proceed with the defaults, and click Save, then Apply Changes
Next, click Show Phase 2 entries, click Add P2, Enter the next configurations using the sample below
Click Save and Apply Changes
Next, proceed by navigating to Status, Click IPsec
Click Connect P1 and P2s, You should get something similar to the below output
Note: If you encounter any issues with the above step, make sure you are not behind a firewall or be sure to allow IPsec traffic on your host machine or modem.
After a couple of minutes (which takes around 10 minutes), hit the refresh button on the connection instance, and you should see that you are connected
And, we are done setting up our Site-to-site VPN tunnel
Installing and Configuring Security Onion
In the previous section, we successfully configured our VPN tunnel. In this section, we will configure Security Onion as our IDS solution. Security Onion is a free and open platform that can be used by cybersecurity analysts and engineers. You can read more about Security Onion here.
We will be using the Eval Node Type of the Security Onion Architecture which is used mainly for testing purposes, it enables us to sniff live network traffic. The evaluation mode simply allows us to test out Security Onion.
source https://docs.securityonion.net/en/2.4/_images/network-horiz.png
Security Onion has heavy resource requirements, for high-end labs, you may not worry about it, but this lab allows us to provision resources in the cloud when our lab cannot handle such resources.
Let us head to Azure to provision our security onion instance.
There are two ways we can provision our Security Onion instance, the first is using a production-ready image from the Azure marketplace, and the other is creating one from scratch, while I will show you how to accomplish the first, this lab will focus on the latter.
Option 1 - Creating a Security Onion distro via Azure Marketplace
Navigate to the portal's home screen, Click the search bar and search security onion, you should see something similar to the one below
Click Security Onion in the Marketplace search results
Note, You get a first month free using this image from the marketplace, then starting at 0.028/hr plus Azure Infrastructure costs. Alternatively, you can rent a VM and upload the security onion image which is free (though you need to still take into account Azure infra costs).
Next, you will be taken to Create a virtual machine window
For new customers with trial subscriptions, most of the costs incurred in creating and using this machine will be deducted from the trial credits of $200. Let us proceed
Select the appropriate resource group
Enter a Virtual machine name
For Availability options, select No infrastructure redundancy required
Size, It is recommended to use 4vcpus and a minimum of 12GiB memory to run an Evaluation instance, please be cost-conscious.
Authentication type, Select SSH public key, this is needed as we will configure the instance via our home-lab Kali Linux.
Click Next: Disks for disk set-up
At the OS disk type, change to Standard SSD
Untick Delete with VM, This enables us to tear down the instance without losing the saved data (we avoid paying for the VM instance, but pay little for the storage), you will have to delete it separately if not needed
Proceed by clicking Next: Networking to set up our network configuration
We want to select our home lab virtual network
Subnet should be the default or any private subnet within the vnet.
Proceed with the remaining defaults by Clicking Review + create
Option 2 - Creating a Security Onion distro from scratch
Using the previous step is great for production use cases especially when we have extra bucks to spare. But in this lab setup, we will build our instance by creating our Security Onion distro. Let's get started by going to our Azure portal.
Proceed by creating a new virtual machine,
Resource group, select the homelab-rg resource group we created
Virtual machine name, give it an appropriate name
Image, click See all images
Search for Rocky Linux
Choose Rocky Linux for x86_64 (AMD64) - Official
Select Rocky Linux 9 - x64 Gen 2
Size, select B4ms (this has 4 vCPUs and 16 GiB RAM which is the recommended requirements to run an EVAL version of Security Onion)
Note Make sure you deallocate all VM instances when not in use as they can accumulate costs.
Authentication type, select Password
Username, enter securityonion
Password, Enter a password
Public inbound ports, select None
Proceed with the remaining defaults,
Click Next: Disks
OS disk size, Select at least 200GB as it is the least recommended in the Security Onion docs.
OS disk type, Select Standard SSD (gives us reduced cost)
Click Next: Networking
Subnet, Select a subnet with a NAT gateway attached (as it is needed to connect to the internet)
Public IP, select None (we only want to connect via our VPN and not via the public internet)
Click Review + create, click Create
Once created, Click Go to resource*
Click on Stop to stop the running VM
Next, we need to create 2 network adapters to be attached to our instance
select Network settings under the Networking section at the left sidebar of the page.
Next, click on Attach network interface
Click Create and attach network interface
Resource group, choose the homelab-rg resource group
Subnet, choose the default subnet (172.16.0.0)
Private IP address assignment, choose Static and provide an IP address
Proceed by clicking Create
Once created, we need to create another one,
Next, go back to Overview and Start the machine (ensure the 2 NICs are attached before starting).
Now, let us connect to our instance via our local Kali VM. Proceed by launching the terminal on Kali, and make sure that you are connected to our Azure VPC via VPN.
First, we try to ping our security onion instance
If you are having any trouble,
- Make sure your VPN is working
- Your remote instance is up and running
- Your DDNS settings are correct and your current IP has been updated
Next, we SSH into our remote VM
Before we install Security Onion, we must configure the newly attached Network Interface Card (NIC).
First, we need to know the network adapters we will be configuring. We can know this by listing the interfaces on our instance. Type:
sudo ip addr show
In the screenshot above, we have the following NICs
Interface | IP Address | MAC Address |
---|---|---|
lo | 127.0.0.1 | 00:00:00:00:00:00 |
eth0 | 172.16.2.4 | 7c:1e:52:5f:57:44 |
eth1 | 172.16.0.10 | 60:45:bd:97:80:08 |
eth2 | 172.16.0.11 | 60:45:bd:97:84:0a |
While the IPs and interface cards might be similar in your set-up, the MACs will be different, and it is okay.
eth0 interface will be used as the management interface, take note of its MAC address
eth1 will be used as a monitor interface
eth2 will be used to receive NetFlow traffic from our pfSense machine.
Let us configure the newly attached NICs.
sudo dnf update -y
sudo dnf install NetworkManager-dispatcher-routing-rules -y
sudo systemctl enable NetworkManager-dispatcher.service
sudo systemctl start NetworkManager-dispatcher.service
echo "201 eth1-rt" | sudo tee -a /etc/iproute2/rt_tables
echo "202 eth2-rt" | sudo tee -a /etc/iproute2/rt_tables
sudo tee -a /etc/sysconfig/network-scripts/rule-eth1 <<EOF
from 172.16.0.10/32 table eth1-rt
to 172.16.0.10/32 table eth1-rt
EOF
sudo tee -a /etc/sysconfig/network-scripts/rule-eth2 <<EOF
from 172.16.0.11/32 table eth2-rt
to 172.16.0.11/32 table eth2-rt
EOF
sudo tee -a /etc/sysconfig/network-scripts/route-eth1 <<EOF
172.16.0.0/24 dev eth1 table eth1-rt
default via 172.16.0.1 dev eth1 table eth1-rt
EOF
sudo tee -a /etc/sysconfig/network-scripts/route-eth2 <<EOF
172.16.0.0/24 dev eth2 table eth2-rt
default via 172.16.0.1 dev eth2 table eth2-rt
EOF
sudo systemctl restart NetworkManager
We can now proceed to install some packages (creating our Security Onion distro)
SEC_ONION_REPO="https://github.com/Security-Onion-Solutions"
sudo dnf update -y
sudo dnf install git -y
git clone ${SEC_ONION_REPO}/securityonion.git
sudo chown $USER:$USER securityonion
sudo mv securityonion /opt/
sudo /opt/securityonion/so-setup-network
Next, you should see an interface like this
Would you like to continue the install?, select Yes
Would you like to continue?, select Yes
What kind of installation would you like to do?, select EVAL
Type AGREE, and select Ok
Enter the hostname (not FQDN) you would like to set:
Enter a hostname of your choice
Select Ok or press Enter key to proceed
Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Select Yes if you've already configured these settings. Otherwise, select No to quit., Select Yes
Next, select Ok
Please select the NIC you would like to use for management., Select the first item, eth0 and proceed by pressing Enter key or Ok
How would you like to connect to the Internet?, Select Direct
Do you want to keep the default Docker IP range?, select Yes
Please add NICs to the Monitor Interface:, Using the Spacebar Select eth1 as the monitor interface.
Next, Enter an email and password which will be used to create the admin account.
How would you like to access the web interface?, Select IP
Do you want to allow access to this Security Onion installation via the web interface?, Select Yes
Enter a single IP address or an IP range, in CIDR notation, to allow:, Enter 192.168.1.0/24
Next, your choice
Proceed by selecting Yes
Next, Security Onion will start installing some necessary packages and proceed to configuring them. Go have a coffee, as this may take a while.
After a while, you should get an interface similar to the one below indicating a successful installation.
Next, open our browser on the Kali VM, navigate to https://172.16.2.4, Click Advanced, then click Accept the Risk and Continue
We should have something similar to the one below
This is the Security Onion Console's login page, enter the email and password you used when setting up Security Onion. You should see something similar to the one below on a successful login
We now have a Security Onion instance we can practice with.
Configuring Packet Forwarding from pfSense to Security Onion using Netflow protocol
In this lab session, we need to forward packets captured by the SpanPort interface to our security onion instance on Azure.
Firstly, we need to add the Elastic integration for NetFlow Records on our Security Onion instance, we can do this by logging into our Security Onion console page via our Analyst Workstation (Kali VM).
Next, click on Elastic Fleet, enter the credentials you used when creating the Security Onion instance
On Elastic dashboard, click Agent policies tab, click so-grid-nodes-general
Click Add integration
Search for netflow and then click on NetFlow Records
The Elastic Integration page will show an overview of the NetFlow Integration. Review all information on the page and then click the Add NetFlow Records button.
In the Add NetFlow Records integration page, enter the following values for the fields:
integration name: netflow
UDP host to listen on: 0.0.0.0
UDP port to listen on: 2055
Click the Save and continue button and then click Save and deploy changes
Next, we need to allow netflow traffic through the firewall on our Security Onion instance. Let us do this going back through our Console dashboard
Navigate to Administration >> Configuration
At the top of the page, click the Options menu and then enable the Show advanced settings option
On the left side, go to firewall, select hostgroups, and click the customhostgroup0 group. On the right side, enter the IP address/CIDR block of the NetFlow exporter (192.168.0.0/16) and click the checkmark to save.
On the left side, go to firewall, select portgroups, select the customportgroup0 group, and then click udp. On the right side, enter the NetFlow listener port (2055) and click the checkmark to save.
On the left side, go to firewall, select role, and then select the node type that will receive the NetFlow records (eval). Then drill into chain >> INPUT >> hostgroups >> customhostgroup0 >> portgroups. On the right side, enter customportgroup0 and click the checkmark to save.
Under the Options menu at the top of the page, click the SYNCHRONIZE GRID button to immediately apply the rules
Next, let us proceed by logging into our pfSense dashboard, navigate to System >> Package Manager >> Available Packages
In the Search term field, search for softflowd and install it
Next, navigate to Services >> softflowd
Under the General Settings, in the Interface selection box, select SPANPORT
Host, enter 172.16.0.11
Port, enter 2055
Scroll to the bottom of the page and click Save
Once all configuration is complete, you should be able to go to the Security Onion Console and under Dashboards, select the NetFlow dashboard to see your NetFlow records.
You can also collect firewall logs from pfSense by following the steps here
That is all for Security Onion
Configuring a Windows Server as a Domain Controller
In this section of the lab, we will set up an Active Directory (AD) Domain using a Windows 2019 Server as the Domain Controller and also proceed to add 2 Windows machines to the Domain Controller.
Proceed by downloading the Windows 2019 Server Eval Copy and Windows 11
Note: Before proceeding with the Windows Server installation, do not start the machine, until:
- Ensure you install on VMWare with the defaults
- Ignore the Product key and simply skip it
- By default, a network adapter is attached when creating the VM, ensure you change the assigned network to VMnet3
Let us proceed by powering up the VM.
Click Next
Click Install now
Select *Windows Server 2019 Standard Evaluation (Desktop Experience) *
Accept the licence terms and Click Next
Select Custom: Install Windows only (advanced)
Click Next
When the installation completes, create a password, and sign in
Upon a successful installation, you should end up with the screen below
Rename the Domain Controller
-
Open System Properties:
- Press
Win + R
to open the Run dialog. - Type
sysdm.cpl
and pressEnter
.
- Press
-
Change the Computer Name:
- In the System Properties window, go to the Computer Name tab.
- Click on Change to rename the domain controller.
-
Enter the New Name:
- Under Computer Name, type the new name for your domain controller.
- Click OK and follow any prompts.
-
Restart the Domain Controller:
- A restart is required to apply the name change.
- The domain controller will restart and reflect the new name upon completion.
After the reboot, On the Server Manager Dashboard, Click Manage >> Add Roles and Features
Click Next until you get to Server Roles Menu, Select Active Directory Domain Services
Click Add Features
Proceed by Click Next until you get to Confirmation Menu, then click Install
After the installation, Click Close
Next, on the top-right corner of the dashboard, click on the flag with a yellow caution icon. Then click Promote this server to the domain controller
- Select Add a new forest
- Specify a domain name
- Click Next
Set a password
Click Next until you get to the Prerequisites Check Menu
Click Install and wait for reboot.
Configuring Active Directory Certificate Services on our Domain Controller
In this sub-section, We aim to install and configure AD Certificate Services
Once the system reboots, Log back in
Select Manage >> Add Roles and Features
Click Next until you get to Server Roles
Select Active Directory Certificate Services
Click Add Features
Click Next until you get to Confirmation Menu
Check Restart the destination server automatically if required
Click Yes in the pop-up dialog box
Click Install
After the installation, click Close
Next, Click on the flag with the yellow caution icon located at the top-right corner of the page
Click Configure Active Directory Certificate Services on the destination server
On the wizard screen, click Next
On the Role Services Menu, check Certification Authority
Click Next until you get to Validity Period Sub-Menu under Private Key
Change to 15 Years, Click Next until you get to Confirmation menu
Click Configure, then click Close
You should manually restart the server for changes to take effect.
Configuring DHCP Server on our Domain Controller
In this sub-section, our aim is to set up Dynamic Host Configuration Protocol (DHCP) Service so our domain controller can issue IPs on its network.
Note: We could have enabled DHCP for the network on the pfSense side, I chose this approach instead.
Select Manage >> Add Roles and Features
Click Next until you get to Server Roles
Select DHCP Server
Click Add Features
Click Next until you get to Confirmation Menu
Check Restart the destination server automatically if required
Click Yes in the pop-up dialog box
Click Install
After the installation, click Close
Next, Click on the flag with the yellow caution icon located at the top-right corner of the page
Click Complete DHCP configuration
On the wizard screen, click Next
On the Authorization Menu, click Commit
Click Close
Next, let's configure DHCP Scopes
On the top-right corner, click tools >> DHCP
In the DHCP management console, click on our domain name **(cybercrex.internal)
Right-click on IPv4 (or IPv6 if applicable) and select New Scope.
Follow the New Scope Wizard to configure a range of IP addresses, subnet mask, and other options to be distributed to clients.
Name, enter Desktop clients
Click Next
Start IP address, enter 192.168.2.1
End IP address, enter 192.168.2.254
Click Next
Exclude the following ranges,
192.168.2.1 to 192.168.2.10
192.168.2.201 to 192.168.2.254
Click Next until you get to **Router (Default Gateway)
Click Next
Server name, enter your domain controller name -dc (e.g.cybercrex-dc) and click resolve
Next, click Add
Click Next until Finish
Next, let us add some users
On the Server Manager dashboard, Navigate to the top-right corner of the screen, click Tools >> Active Directory Users and Computers
Select your domain name (cybercrex.internal) > Users
Right-Click on Users > New > User
Fill in the User details, First Name, Last Name, and User logon name
Enter a password (in an organization, this can be a deterministically created password which is then required from the user to change at the next logon)
Check User must change password at next logon
Click Next, >> Finish
Next, create another user with different details
Next, we must configure our AD's default gateway to pfSense.
To open Network Connections settings, you can follow these steps:
- Press
Win + R
to open the Run dialog. - Type
ncpa.cpl
and press Enter.
This will open the Network Connections window, where we can view and manage your network adapters and settings.
Right-click on the adapter Ethernet 0, click Properties
Double-click on Internet Protocol Version 4 (TCP/IPv4)
Enter the following configuration, and click Ok
This is the end of the Domain Controller's configuration. You can check The Cyber Mentor's video and follow it by this lab.
Configuring Windows Desktops & Onboarding Users Accounts to the AD Domain
In this lab section, we aim to add 2 Windows desktops to the Domain and complete the AD lab. This portion of the lab is easy to set up, and it will be on The Cyber Mentor's YouTube guide, which is referenced on the original Cyberwox's lab.
It is not a must to add 2 Desktops in this lab, successfully adding one is sufficient.
Ensure you have the Windows 11 evaluation copy downloaded.
Note: Before proceeding with the Windows Desktop installation, do not start the machine, until:
- Ensure you install on VMWare with the defaults
- Ignore the Product key and simply skip it
- By default, a network adapter is attached when creating the VM, ensure you change the assigned network to VMnet3
Next, power on the VM to begin the installation
Click Next
Click Next
Make sure Install Windows 11 is selected
Check I agree everything will be deleted including files, apps, and settings
Click Next
Click Accept
Click Next
Click Install
After installation, the VM will restart
Select your preferred language and keyboard
Select I don't have internet
Enter the name of the first user we created on our AD (John Doe)
Create a password and follow the wizard through
Once installation is finished, we proceed to join this PC to our Domain
To join our domain, follow these steps:
- Press
Win + R
to open the Run dialog. - Type
sysdm.cpl
and press Enter. This opens the System Properties window. - In the System Properties window, make sure you are at the Computer Name tab.
- Click on Change... next to "To rename this computer or change its domain..."
- In the next window, select Domain under "Member of," and enter the name of the domain you want to join e.g. (cybercrex.internal).
- Click OK and provide domain credentials when prompted.
- Restart the computer to complete the process.
After the restart, Click Other User then sign in with any of the user's credentials we created on our AD
Login and complete the onboarding process
Repeat the steps with the other machine, you can try it using Windows 10 too. Download Windows 10 Evaluation
Installing and Configuring Splunk
In this section, we are going to install and configure Splunk.
In the cybersecurity industry, Splunk is a leading platform for collecting, monitoring, and analyzing security data in real time, enabling rapid threat detection, incident response, and compliance through powerful data insights and automation.
You can learn more about Splunk here
We will be creating our Splunk instance on a Ubuntu Server VM, so let us download the Ubuntu server image here
After downloading the image, create a new VM using the Ubuntu Server image. The VM should have the following setup:
- RAM: 4GB (4096 MB)
- Processors: 2
- Hard Disk: 100GB
You can start the VM to begin the installation
Proceed by accepting the defaults
Use the following settings for Guided Storage configuration
Next set up a profile
Upgrade to Ubuntu Pro, select Skip for now
Next, SSH configuration, depending on your preference, you can install OpenSSH server
Next, proceed with the defaults and reboot when installation is complete.
During reboot, you will asked to unmount the image, simply press the Enter key to proceed
After a successful reboot, you should be shown a similar interface as below, simply enter the credentials you used during the Ubuntu installation
For the Splunk server installation, there are two options:
- Accessing it via an Analyst workstation/VM using SSH
- Installing a GUI (Ubuntu Desktop) on the Ubuntu Server
In this lab, I'll be installing a GUI on the Ubuntu Server for this lab using the following steps:
# Install tasksel
sudo apt update
sudo apt install tasksel
# Install the Ubuntu desktop GUI but note that there are a variety of desktop flavors to choose from
sudo tasksel install desktop
# Reboot the server
reboot
After rebooting, you should have your GUI
Installing Splunk
On the Ubuntu server, open your browser and navigate to https://splunk.com
Click on Free Splunk
Create an account or log in
Under Products >> Free Trials & Downloads >> Splunk Enterprise
Click Get My Free Trial
Select the linux package and download the .tgz package
Next, open the terminal and navigate to the Downloads directory
Next, untar and install Splunk
# Untar the download
tar -zxf splunk-*
./splunk/bin/splunk start
Enter an administrator username and a password
Next, open your browser and navigate to HTTP://splunk:8000
Login with the credentials you created
Installing Splunk Universal Forwarder on Windows Server
One of the processes to accomplish Endpoint Detection and Response (EDR) is to log the activities of our endpoint. To log the activities on our endpoint, Splunk uses a method or agent called the Universal Forwarder. The Universal Forwarder can be installed on Linux/Unix, Windows and Mac systems to forward logs to our Splunk instance.
Before proceeding to our Windows Server, Add a new network adapter to the Splunk instance, and ensure you assign the adapter to the vmnet4 network.
After adding the network adapter, open the Splunk dashboard, navigate to Settings >> Forwarding and receiving >> Add new receiving port
Enter 9997 and Click Save
Navigate to Settings >> Indexes >> New Index
Index Name, enter wineventlog and Click Save
Next, open your terminal and type
sudo ip link show
, what we are looking for is the name of our newly attached interface which is currently down. In my own case below, it is ens7
Next type sudo ip link set dev up e.g. sudo ip link set dev ens37 up
Next run this script, replace ens37 with the appropriate interface
sudo tee -a /etc/netplan/01-netcfg.yaml <<EOF
network:
version: 2
ethernets:
ens37: # Replace with your network interface name
dhcp4: false
addresses:
- 192.168.3.10/24
routes:
- to: default
via: 192.168.3.1
nameservers:
addresses:
- 192.168.3.1
- 8.8.4.4
EOF
sudo netplan apply
We can now proceed to the Windows Server, open the browser and download the Universal Forwarder
You may encounter an issue when using Internet Explorer, follow these steps to fix it:
- Open Internet Options by clicking on the gear icon or from the Control Panel.
- Go to the Security tab, select Internet zone, then click Custom level....
- Scroll to Downloads, locate File download, and select Enable.
- Click OK to save the settings, then Apply and OK to close.
Restart Internet Explorer and try the download again.
I recommend you download a different browser
After downloading, install it
Accept the License Agreement
Click Next
Create a username and password and Click Next
Under the Deployment Server,
In the Hostname field, enter 192.168.3.10, and enter 8089 in the Port field
Under the Receiving Indexer
In the Hostname field, enter 192.168.3.10, and enter 9997 in the Port field
Next, let's proceed to our Splunk Instance's dashboard
Navigate to Settings >> Add Data >> Forward
Select a Server Class under the Available hosts(s) menu, select our Windows Domain Controller, in the New Server Class Name field,enter Domain Controller
At the top-right corner, Click Next
Select Local Event Logs, choose your desired event logs
Click Next
Select wineventlog (the receiver index we created) as the index
Click Next and click Submit
Ubuntu/CentOS/Metasploitable/DVWA/Vulnhub Machines: Optional machines for exploitation, detection, and monitoring purposes
We have concluded the lab, note that we can further advance the lab by adding different types of machines for practice.
You have garnered the knowledge and tools you need to do a lot of labs, research, and anything you want to do. Work on detection rules, SIEM content, rule tuning, and attack scenarios to build skills from various angles.
Important Notes
To avoid outrageous costs in the cloud, ensure all VMs are shut down via the Azure console, APIs or CLI when not in use.
After shutting down VMs, you will be charged for storage, and public IP resources that are not deprovisioned.
Also, you will be charged for the VPN appliance until you deprovision it.
You are also charged for egress traffic to the internet and cross-regional communication.