Building My Own Cybersecurity Virtual Lab: Pentesting, SOC Analysis, and Threat Detection

By on

 

After enrolling in the Practical SOC Analysis Associate (PSAA) course by TCM Security and successfully passing the exam, I decided to enhance my practical learning experience by building a Virtual Lab at home. This lab serves as a dual-purpose environment: a space for honing pentesting skills and creating a detection lab to simulate real-world SOC analyst scenarios. My goal is to apply the knowledge gained from the course and stay up-to-date in the ever-evolving field of cybersecurity.

Leveraging my current experience as a network engineer, I was able to design and set up a simple yet effective home lab. On a side note, I firmly believe that having a strong foundation in networking provides a significant advantage when transitioning into the cybersecurity domain.

Here’s a list of tools and resources I used to build my Cybersecurity Virtual Lab, along with their purposes:

  • VMware Workstation:  Virtualization platform used to create and run multiple virtual machines on a single physical machine, simulating various environments for testing and experimentation.
  • EVE-NG (Emulated Virtual Environment Next Generation): A network emulation platform used for designing, testing, and practicing complex network topologies in a virtualized environment.
  • OPNsense Firewall ISO: An open-source firewall distribution, used to simulate and configure network security policies within the lab.
  • Kali Linux ISO: A widely used Linux distribution specifically designed for penetration testing and ethical hacking.
  • Windows Software ISO: For creating Windows-based virtual machines, useful for testing exploits, malware analysis, or setting up targets.
  • Ubuntu ISO: A versatile Linux distribution for creating server environments, testing, and running SOC analysis tools.
  • Pre-configured VM Images: Ready-to-use vulnerable systems such as Metasploitable, bWAPP, and others, designed to practice ethical hacking, exploit testing, and vulnerability analysis.


Network Topology



I will be using an open-source firewall, OPNsense FW, as a core component of my lab setup. In this simple virtual lab, OPNsense FW will function as the gateway for each VLAN. The lab is designed with two subnets: one for the attacker's network and another for the server environment.

As the gateway, OPNsense FW will handle all traffic between the subnets, allowing me to monitor and log network activity effectively. Additionally, I will enable its Intrusion Detection System (IDS) capabilities, a crucial network security technology that every SOC analyst needs to understand and utilize. This setup not only enhances security monitoring but also provides a practical environment to analyze and respond to potential threats.

Once the initial setup of our Cybersecurity Virtual Lab is complete, we will configure Suricata rules to align with the Intrusion Detection and Prevention System (IDS/IPS). This will enhance our lab's security monitoring capabilities and provide a more comprehensive environment for testing and analysis.

1. Locate and add the OPNsense Firewall image to your setup, ensuring it is connected to the management cloud. (Refer to the Network Topology)
2. Start the OPNsense Firewall by right-clicking on the image and selecting Start.
3. Open the running OPNsense instance using UltraVNC by clicking on it.
4. Once prompted to the CLI, log in using the credentials root/root (as configured). The WAN port is initially set to use DHCP for obtaining an IP address.

5. Select Option 1 (Assign Interface) and respond N when prompted about configuring LAGG and VLAN.
6. When asked to specify the WAN interface, enter vtnet1, as this is designated for the WAN connection.
7. For the prompts regarding the LAN interface name and the optional interface 1, simply press Enter to skip configuration.
8. When prompted to confirm the changes, type Y to proceed.



9. The next step is to assign a static IP to the WAN interface. Select Option 2 to configure the IP address manually.

10. Next, configure the IP address according to the requirements specified in the Network Topology diagram.

11. Follow the below steps.


By following the steps outlined above, you will be able to access the OPNsense Firewall through its GUI.

Now, we will create the VLANs. Specifically, VLAN 100 will be assigned to the Server VLAN, and VLAN 200 will be designated for the attack machine. And assign the vtnet2 as parent as it is the interface facing our LAN.

VLANs (Virtual Local Area Networks) are used to segment network traffic, improving security, performance, and management. By isolating devices into different VLANs, network administrators can control traffic flow, reduce broadcast traffic, and enhance overall network security.



Now, navigate to Interfaces > Assignments, and add VLAN 100, naming it ServerVLAN, and VLAN 200, naming it AttackersVLAN. 

  • Enable the interface
  • Add description
  • Config as Static IPv4
  • Assign the IP Address as our requirement
  • And click Save













Next, we will enable DHCP for both VLAN 100 and VLAN 200. In a production environment, DHCP would typically be disabled on the Server VLAN to ensure static IP addresses, preventing the servers' IPs from changing over time. However, in this lab environment, we will enable DHCP to facilitate communication and ensure that the OPNsense firewall can properly interact with hosts beyond the switches.
Go to Services>ISC DHCPv4





And now we need to configure the LAN switch:

++++Creation of VLANs at Switch 1 directly connected to the OPNSENSE FW++++

#config t
#Vlan 100
#name Server_VLAN
#end
#config t
#Vlan 200
#name Attackers_VLAN
#end

++++Assigning a hostname for the SW 1++++

#config t
#hostname
#LAN-SW
#end

++++Assigning ports to its proper VLAN as per our diagram++++

#config t
#interface fa2/0
#switchport mode access
#switchport access vlan 200
#no shut
#exit
#interface fa2/1
#switchport mode access
#switchport access vlan 100
#no shut
#end

++++Assigning ports as Trunk ports++++

#config t
#interface range fa2/2, fa2/15
#switchport mode trunk
#switchport trunk allowed vlan all
#no shut

++++Creation of VLANs at Switch 2 directly connected to the LAN-SW++++


#config t
#Vlan 100
#name Server_VLAN
#end
#config t
#Vlan 200
#name Attackers_VLAN
#end

++++Assigning a hostname for the SW 1++++

#config t
#hostname
#LAN-SW-02
#end

++++Assigning ports to its proper VLAN as per our diagram++++

#config t
#interface range fa2/0 - 4
#switchport mode access
#switchport access vlan 100
#no shut

++++Assigning ports as Trunk ports++++

#config t
#interface range fa2/15
#switchport mode trunk
#switchport trunk allowed vlan all
#no shut

After configuring the LAN switches and assigning the appropriate ports to their respective VLANs, both Kali Linux and Windows hosts will be able to obtain IP addresses from the OPNsense firewall.

For simplicity in this lab environment, I will allow all traffic between Kali Linux and Windows hosts, as the primary goal here in our Lab is to ensure that Kali Linux can successfully communicate and perform penetration testing on servers within VLAN 200. Additionally, we will set up detection mechanisms such as IDS and IPS technologies to monitor network activity. To further enhance our security and monitoring capabilities, we will implement Splunk SIEM to collect logs, track event data, and create alerts. This will help us practice our investigation skills by correlating the information gathered and identifying potential threats.





Ping test from Windows to Kali Linux

IP Address obtain by the Windows host


Ping test from Kali Linux to Windows host

IP address obtain by Kali Linux

After we confirm that Kali Linux can successfully reach the Windows host as shown above, we can conclude that the Virtual Lab has been set up correctly. In the next blog post, I will walk you through the process of enabling the IDS capabilities on OPNsense, creating Suricata rules, and applying them to the IDS configuration in OPNsense. 






"Blending years of Network Engineering with a passion for Cybersecurity."

Comments

Post a Comment

Popular posts from this blog

Deploying Sysmon on Windows and Integrating with Elasticsearch SIEM

By on
Image
  First, let's install Sysmon on our Windows host by opening this link in a browser and downloading it: Sysmon - Sysinternals | Microsoft Learn . As of this writing, the latest version of Sysmon is 15.5 Once the download is complete, go ahead and unzip the file. Sysmon configurations or rules are available on GitHub, with a well-known repository being SwiftOnSecurity's Sysmon config: 🔗 https://github.com/SwiftOnSecurity/sysmon-config We will download this configuration for our setup. We can place the downloaded configuration file in the same directory as Sysmon, then open PowerShell and follow the steps below. We can use net start to start Sysmon64, and it will list all services that start afterward. To further verify, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational , where you should see the corresponding event IDs. And now let's ingest Sysmon and Windows Defender logs into elasticsearch. Click the Add integ...
Read more

Installing Suricata IDS/IPS and Triggering Rules with an Nmap Stealth Scan and XSS Attack on bWAPP Using Burp Suite

By on
Image
  We are enabling the IDS/IPS functionality on our OPNsense firewall to detect and alert on potential threats by analyzing incoming traffic against predefined rules. These rules act as "fingerprints" to identify known attacks and suspicious behaviors across the network. In this Lab, i will be using Suricata, a free and open-source cybersecurity tool that functions as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). Widely adopted by organizations worldwide, Suricata monitors networks for suspicious activity and detects cyber threats. Suricata's rules analyze network packets for specific characteristics, such as source and destination IP addresses, ports, protocol types, and even packet content, to identify potential threats. When traffic matches a rule, Suricata generates an alert, notifying administrators of potential security incidents. Based on my research, it is essential to disable offloading features before enabling the IDS/IPS capa...
Read more

Boss of the SOC v1 (2015) Website Defacement

By on
Image
  Question #1 Based on the first question, the task is to identify the IP address of an individual conducting  reconnaissance using a scanning technique. I began my investigation with the search parameter  index=botv1, as provided in the instructions, and incorporated imreallynotbatman.com as  specified in question number 1. After running the search parameters, I identified the dest_header field in the left-side panel.  Upon expanding it, I analyzed the details within and discovered references to the Acunetix  Web Vulnerability Scanner, indicating its use in the reconnaissance activity. To enhance visibility and identify the IP address scanning the web server, I created a table that  included the fields src_ip, dest_ip, and dest_header. I then filtered the results by searching  for the keyword 'scan' within the dest_header field and applied a dedup command to the src_ip  field to remove duplicate entries, effectively narrowing down the source...
Read more