Change Log

Major overhaul of the Active Directory lab section:

• Added emphasis to disable DHCP service on pfSense AD network
• Added a step to configure the Domain Controller with a static IP address configuration now that pfSense DHCP service is disabled
• Added a step to create a DNS forwarder on the domain controller to the pfSense default gateway for unresolvable lookups
• Added a diagram depicting the DNS resolution flow of domain-joined hosts
• Added a step to create a DHCP server on the domain controller to configure Active Directory hosts
• Added a diagram depicting the DHCP discovery process of hosts on the AD network
• Added a step to configure a Windows 10 Enterprise VM as a golden image using sysprep

Updated the Wazuh SIEM and NIDS step with:

• Notice about port mirroring and reboot persistence
• A link to a PowerShell script to check the status of the port mirror
  • NOTE (Oct. 15, 2022): In case you downloaded the script prior to this date, git pull the repo, or download a fresh copy of the script, as I have corrected some issues. Review the commit message for more details.
  • PowerShell will need to be installed on the Proxmox host
  • Specific to this lab environment, but can be customized to work with other environments
• Suggested cron jobs to run the script at specific intervals

Updated the Kali VM setup step due to changes made by the OffSec folks:

• No longer publishing .ova files for VirtualBox images
• They are publishing QEMU images, which are perfect for Proxmox
• Multiple steps on the command line have been updated

Looking for My VirtualBox Guide?

Building a Security Lab in VirtualBox

In this post, we we will take a look at an in-detail process of setting up an entry-level cybersecurity lab using VirtualBox

0xBEN0xBEN

Proxmox Dark Mode

GitHub - Weilbyte/PVEDiscordDark: A Discord-like dark theme for the Proxmox Web UI.

A Discord-like dark theme for the Proxmox Web UI. Contribute to Weilbyte/PVEDiscordDark development by creating an account on GitHub.

GitHubWeilbyte

Honorable Mentions

• Check out @Dewalt’s PimpMyKali script to make your Kali VMs so much better
• @Linkavych has forked this guide and started Terraforming a slightly modified lab
• @Tank1334 for QA testing and feedback
• @dfir-jesseee from the Black Hills Information Security Discord server for QA testing and feedback
• @Jj19101 for QA testing and feedback
• @Blund from the TCM Security Discord Server for QA testing and feedback
• @Admiral Awesome from the InfoSec Prep Discord Server for QA testing and feedback

Foreword

Your mileage may vary!
Use LXC instead of VMs whenever possible to save your host resources.

This guide specifically focuses on converting an old laptop into a bare metal server.

You are not required to use a laptop.

You could follow this guide successfully to get up and running with an old desktop computer or a dedicated server. A few things might change on your end like disk partitioning or format types (eg. ZFS or ext4). Should mostly stay the same otherwise.

All laptops are not created equal. I would recommend a system with at least:

• A somewhat current i7 CPU
• 16 GB RAM
• 500 GB SSD storage
  • More than one disk would be preferred
    • A smaller disk for the Proxmox installation
    • A larger disk to store the guest disks
• Again, SSDs would be best

All networks are also not created equal. I would recommend at least:

• A good connection speed
• A capable router with more advanced configuration options

Prerequisites

Host

A host system to run Proxmox (an old laptop if you are following this guide for that purpose); preferably a system with a decent processor and enough RAM. You could use a desktop computer or an old server – tower or rackmount as well.

Upgrades

If you are lacking in resources, determine if you can upgrade your components. The laptop I used in this guide was equipped with 16 GB RAM and I upgraded it to 32 GB (which is the max for this system).

Network

A router with more sophisticated configuration options would be best, as we will be setting up a VPN for remote access. This guide does not cover how to tunnel out of CGNAT.

What is Carrier Grade NAT (CGNAT)?

How can I check if I am behind CGNAT?

• Login to your home router and find its public IP address
• Google search: what’s my IP
• Compare the two
• If they’re the same, good. If they’re different, that is bad

Network Diagram

Reviewing the Network Diagram

Working downward from the top:

• Internet
• Modem (cable) / ONT (fiber)
  • This is the line between you and your ISP (the demarcation point)
• Router
  • WAN Port
    • This is the IP address provided by your ISP
    • The Wide Area Network
  • LAN Port
    • This is your private network
      • The Local Area Network
      • It is not accessible directly from the Internet except by port forwarding
      • Uses Port Address Translation via the WAN interface to reach the Internet
• Laptop
  • Connected to your router either by Wi-Fi or network cable
  • This provides the hardware on which Proxmox runs
  • This is how WAN-routed traffic gets to the Internet and how traffic gets to other hosts on the LAN from Proxmox guests
• Logical Interface
  • Proxmox maps the physical network devices on your laptop to logical ones
  • VMBR0 will be bridged to the physical interface to allow guests access to the LAN and WAN
• VMBR0 (Open vSwitch Virtual Switch)
  • Bridged to the logical interface
  • Any VMs attached to this virtual switch will be on your home router’s LAN
  • We create a SPAN port to forward a copy of every frame on every interface to the sniff port used by the NIDS
• Virtual pfSense
  • WAN Port (vtnet0 interface)
    • This is not a public IP, rather a private IP on your home router’s LAN
    • Attached to VMBR0
    • Allows traffic to get out to the LAN and to the Internet via your home router’s WAN port
  • LAN Port (vtnet1 interface)
    • Provides another virtual LAN for VMBR1
    • Firewall rules will dictate how traffic is routed between subnets
    • VLANs are defined as sub-interfaces on vtnet1
      • vtnet1 (native): 10.0.0.0/24
        • Any machine that is not tagged with a VLAN
      • vtnet1.80 - 10.80.80.0/24
        • Active Directory Lab
      • vtnet1.666 - 10.6.6.0/24
        • Any untrusted machine that needs internet access
      • vtnet1.999 - 10.9.9.0/24
        • Any untrusted machine that should be isolated and only accessible to Kali Linux
• VMBR1 (Open vSwitch Virtual Switch)
  • Connected to pfSense LAN port (not bridged to a physical interface)
  • Provides connectivity to pfSense for internal VMs
  • Any time a machine is plugged in, we can define a VLAN tag
    • The VLAN tag will be stamped on the frame headers and flow up the wire to pfSense, where pfSense will determine how to route the packets between any networks
    • We create a SPAN port to forward a copy of every frame on every interface to the sniff port used by the NIDS

Staging the Environment

I will be using my home router as an example. This procedure may vary from router to router. Most routers ship with a default private IP address range of 192.168.1.0/24. This can be changed at any time. I changed mine to be 172.16.1.0/24.

In my browser, I go to https://172.16.1.1 and login.

Then, I go to the Advanced > System Settings. I set my local domain to home.lab and save the changes.

Now, I can ping any device on my network using a local fully qualified domain name (FQDN)

# Pinging using the FQDN
ping lapprox.home.lab

Pinging lapprox.home.lab [172.16.1.16] with 32 bytes of data:
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64


# We're on the same local network so using only the hostname works, too
ping lapprox

Pinging lapprox.home.lab [172.16.1.16] with 32 bytes of data:
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=1ms TTL=64
Reply from 172.16.1.16: bytes=32 time=2ms TTL=64

Optional: Changing the Private IP Address Range

While still logged into the router, if you wish to change your private IP address range from the default to something else – like 172.16.1.0/24 – now is the time to do that.

Word of Advice

Your devices will not immediately get a new IP  from the router. You should do either of the following to facilitate that change:

 A) Restart the client devices so they get a new IP address
 B) Wait for the client DHCP lease to expire and they request a new address

Changing the Private IP Address Space
Reminder! This is optional

Again, using my home router as an example (your procedure may vary).
Go to My Network > Network Connections > Network (Home/Office)
Go Settings and change the following values:

Don't forget to save the changes. The router may reboot after making these changes. If you were previously logged in at https://192.168.1.1, you will now be logged in at https://172.16.1.1.

Installing Proxmox VE 7

A Note on Virtualization

Type 1 Hypervisors

• These are called “bare metal” hypervisors, because there is nothing between the hypervisor and the computer’s hardware.
  • Installed directly on the disk
  • When you turn on the computer, the hypervisor is loaded
  • There is no other operating system
• Have 100% of the access to the computer’s hardware resources
• Common type 1 hypervisors:
  • VMware ESXi
  • Proxmox
  • XCP-NG

Type 2 Hypervisors

• Installed on top of an operating system like Windows, Linux, or Mac OS
• Do not have direct access to the computer’s hardware
• Cannot utilize 100% of the computer’s hardware resources, as they must be shared with the primary operating system
• When you turn on the computer, the primary operating system is loaded, then you run the hypervisor
• Common type 2 hypervisors:
  • VirtualBox
  • VMware Player
  • VMware Fusion

My Production Home Server

I run my production instance of Proxmox on this server:

• A single Intel Xeon D-1541
• 128 GB RAM
• 256 GB SSD OS Disk
• 2 TB, 4 disk SATA array, ZFS Raid-Z2
• 4 port network interface card

It's not much – certainly not compared to many home labs I've seen. I would love to upgrade eventually, but that has not happened for a variety of reasons.

That is why we are doing this exercise – to show that you do not need to start with anything fancy to begin your home lab.

Get started now!
Upgrade as you grow.

The New Laptop Server

An HP EliteBook 840 G4

• Intel i7-7600U dual core, hyperthreaded
• 16 GB RAM
• 1 Intel gigabit Ethernet NIC
• 1 SSD, 500 GB

Why an Old Laptop?

Is it the greatest option? No. Is it recommended as a long-term strategy? Probably not. Are there far better choices? Absolutely.

I want to demonstrate that we can GET STARTED TODAY with a simple home lab using something that you may have lying around the house; or something that is not going to cost a fortune to acquire.

Just note that I strongly recommend using SSDs whenever possible in your home lab.

Maybe you have tinkered with something like VirtualBox or VMware Player. Those are both respectable platforms and they have their place in virtualization and lab environments. But, we can do so much more. We can learn so much more.

Preparing the Laptop

Please remember that the steps I am taking here will probably be different from the steps you take to prepare your computer. This is just serving as a guide to get you in the right direction.

Creating a Bootable USB Drive

First, Download the Proxmox VE ISO.

Then, use a USB drive to make a bootable image using the .ISO file.

Enabling Virtualization in the BIOS

Turn on the laptop.
Press the ESC key multiple times until you get to the system setup menu.

Warning: you might need to press a different key on your system to get to the BIOS. For my HP laptop, ESC was the key to get to the BIOS.

Choose BIOS Setup

Go to Advanced > System Options

Enable VTx and VTd

Save changes and exit the BIOS setup

Boot from the USB Drive

Power off the laptop and insert the USB drive. Power on the laptop and press the ESC key until you reach the setup menu.

Choose the Boot Menu. Then, choose USB Disk.

Proxmox Installation Steps

Choose Install Proxmox VE (sorry, the font was very small). Down in the bottom-right, click I agree.

Disk Partitioning

If you only have one disk in the laptop, you need to adjust the partition sizes. If you have more than one disk, you can skip this step.

Select the install disk and click Options

I referenced the official documentation here: https://pve.proxmox.com/wiki/Installation regarding the partition sizes.

• hdsize: Defines the total hard disk size to be used.
• maxroot: Defines the maximum size of the root volume, which stores the OS. The maximum limit of the root volume size is hdsize/4.
• maxvz (make this value as large as you can):
  Defines the maximum size of the data volume. (Where all of the VM and container data files will be stored)
• minfree: Defines the amount of free space left in the LVM volume group pve

I will partition my 500 GB disk as such:

Click OK

Wrapping Up

Choose your country, time zone, and keyboard layout. Set a password for the root user. Set your email address – where you will receive alerts. Then, configure your network settings.

NOTE: I strongly recommend giving your Proxmox host a static DHCP reservation. It is best practice to give your important infrastructure permanent IP addresses.

• Hostname: lapprox.home.lab (laptop Proxmox. Get it? Funny, right?)
• IP Address: I logged into my router and  gave lapprox a static IP reservation of 172.16.1.16/24 and filled it out here.
• Gateway: Your home router's IP address
• DNS Server: Probably your home router, unless you want to specify otherwise

Confirm everything looks good and install. That's all there is to it.

Required Updates

Log into Proxmox locally at the server or via SSH. The username is root and the password was set by you during the installation procedure.

Update the APT Repositories

# Remove the enterprise repositories
rm /etc/apt/sources.list.d/pve-enterprise.list

# Add the community repositories
echo '# Proxmox community package repository' >> /etc/apt/sources.list
echo 'deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription' >> /etc/apt/sources.list

Install Some Dependencies

apt clean && apt update
apt install ifupdown2 openvswitch-switch -y

If You're Using a Laptop

If you are following this guide, using an old laptop, you will want to disable power off when the lid is closed.

# We're going to edit this file in the terminal
nano /etc/systemd/logind.conf

Change these lines from this:

#HandleLidSwitch=suspend
#HandleLidSwitchExternalPower=suspend
#HandleLidSwitchDocked=ignore

to this:

HandleLidSwitch=ignore
HandleLidSwitchExternalPower=ignore
HandleLidSwitchDocked=ignore

Press CTRL + X to exit. Press Y to save the changes. Press Enter to save with same file name. Now, we need to restart the login service.

systemctl restart systemd-logind.service

Install Any Pending Upgrades

pveupgrade

Before We Begin

The Web Console

In your web browser go to https://proxmox-ip-address:8006. In my case, I will be going to https://172.16.1.16:8006. You should see a login screen.

To log in, the username is root and the password is whatever you set it to during the installation steps.

Upon logging in, you will be informed that you do not have an active support subscription. You can press OK and safely ignore this.

Changing the Software Networking

Converting to Open vSwitch

By default, Proxmox uses Linux Bridges. There is nothing wrong with Linux Bridges. They just do not allow us to accomplish some of the things we could do with our home lab.

Make a Backup of the Current Network Configuration

Open the shell from the web console. This is the same shell as if you are sitting in front of the server.

And, run this command:

cp /etc/network/interfaces /etc/network/interfaces.bak

Remove the Linux Bridge

Click on your [Proxmox Node] > Network. Select vmbr0 and choose Remove.

Create the Open vSwitches

Create the Production Switch

Click Create > OVS Bridge
A bridge is another name for a switch

Fill out the fields exactly like this and click Create. Note that my physical interface on my laptop has the name enp0s31f6. Fill in this field with your physical interface name.

Create the Management Interface

Click Create > OVS IntPort. An IntPort is a way to create VLANs.

Fill it out and click Create. Make sure you enter your Proxmox node’s IP address – not mine. The Proxmox web console IP address gets its own IntPort. This is will ensure that you can log into the web console.

Create the pfSense Internal Switch

Click Create > OVS Bridge.

Fill out exactly like this and click Create.

Create a VLAN for Internet-Facing Insecure VMs

Click Create > OVS IntPort. Fill it out as pictured and click Create.

Create a VLAN for Isolated Insecure VMs

Click Create > OVS IntPort. Fill it out as pictured and click Create.

Final Review

By the end of this, you should have a set of interfaces that looks like this:

Please be sure to press the "Apply Configuration" button to activate the new network setttings.

You may lose connectivity to the Proxmox web console.

If for some reason you made a typo or some other error in your configuration and you’re having trouble connecting via the web browser:

1. Go to your Proxmox server and logon locally
2. Run these commands

cp /etc/network/interfaces.bak /etc/network/interfaces
ifreload -a

3. Try following these steps again

Next Steps in the Series

Getting to Know Proxmox

Getting to Know Proxmox

In this module, we will take a look at some basic tasks and the core areas of the Proxmox web front end.

0xBEN0xBEN

Create a pfSense Firewall for Security Infrastructure

Create a pfSense Firewall for Our Proxmox Lab

In this module, we will look at setting up a pfSense firewall VM in Proxmox to segment our home lab network.

0xBEN0xBEN

Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the Lab

Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the Proxmox Lab

In this module, we will take a look at the process setting up a comprehensive Wazuh SIEM, including a NIDS and some HIDS agents, in our Proxmox home lab.

0xBEN0xBEN

Create a Kali Linux VM

Create a Kali Linux VM in Proxmox

In this module, we will look at the process of creating a Kali Linux VM using the command line in Proxmox

0xBEN0xBEN

Create an OWASP Juice Shop Container

Create an OWASP Juice Shop Container in Proxmox

In this module, we will look at creating a container in our Proxmox home lab to run OWASP Juice Shop to practice our web app pentest skills

0xBEN0xBEN

Adding Vulnhub VMs to the Cyber Range

Adding Vulnhub VMs to Our Proxmox Cyber Range

In this module, we will look at how to import VMs from Vulnhub into our Proxmox home lab

0xBEN0xBEN

Setup Remote Access to Our Home Lab

Set up Remote Access to Our Proxmox Home Lab

In this module, we will look at using dynamic DNS, OpenVPN, and WireGuard to setup remote access to our Proxmox home lab

0xBEN0xBEN

Proxmox Troubleshooting

Troubleshooting Proxmox

In this module, we will look at various command line utilities to troubleshoot our Proxmox home lab

0xBEN0xBEN

Running Windows Guests on Proxmox

Running Windows Guests on Proxmox

In this module, we will look at the optimal way to run Windows guests in our Proxmox home lab

0xBEN0xBEN

Active Directory Lab: Getting Started

Adding an Active Directory Forest to Our Proxmox Lab

In this module, we will cover the steps to set up a small Active Directory forest in Proxmox, including a domain controller and two client computers

0xBEN0xBEN

Creating a Windows 7 Buffer Overflow VM

Creating a Windows 7 Buffer Overflow Practice VM in Proxmox

In this module, we will look at creating a vulnerable Windows 7 VM in Proxmox that will run some applications which are vulnerable to 32-bit stack-based buffer overflows

0xBEN0xBEN

Keeping Tabs on Our Lab

Always-Running Resources

At any time, we are always going to want these resources running, so that our lab will function as intended. You should have these resources set to start at boot, just in case your computer loses power and comes back on.

On-Demand Resources

If we are running on a laptop with 32 GB RAM and 512 GB SSD storage, you can see that we have nearly maxed out the resources. It’s up to you how to proceed. Your options in this scenario would be:

• Increase the RAM on the server (if possible) and add another disk.
• Or, you could add another Proxmox node to your network and cluster them and then move the Active Directory lab to the other node.

We can keep tabs on our node’s resource consumption by glancing at the Summary panel, as well as the storage panels -- local and local-lvm.

Note: In this screenshot, HD space(root) is the OS disk space, or local, not local-lvm where the VM disks are allocated.

If we click on local > Summary, we can see how much of the OS disk partition is in use. If we click on local-lvm > Summary, we can see how much of the guest space partition is in use.

What Next?

Work within your constraints and look at ways you can improve what you already have.

Upgrade in Place

If you have a laptop with 16 GB of RAM and 1 TB disk space, I would consider the following:

• What is the maximum amount of RAM compatible with your system?
  • 32 GB or 64 GB?
    • Can you find a good deal on the memory?
      • Upgrade
    • If not, consider looking at another node.

Add Another Proxmox Node

That’s the nice thing about clustering multiple nodes together. If you have a couple of under-resourced nodes working together, you can accomplish more of your goals. You just have to budget out what works best for you.

Additional Lab Ideas

Malware Analysis
You could set up a malware analysis environment using some unpatched Windows VMs and the Remnux Linux distro.

Networking Labs
Set up some additional Linux routers and use IPTABLES or set up some additional pfSense firewalls and practice routing between them. You could set up some pivoting networks and practice SSH tunneling and data exfiltration.

Mail Server
Try hosting your own email system.

Web Server
Build a public or internal web server and try deploying a website to said server.

Clustering Proxmox Nodes

On the left, there is lapprox -- the laptop used in the making of this guide. On the right, there is my production Proxmox node. Lapprox is at 172.16.0.16 and my production server is at 172.16.0.6. I have joined them together to form a cluster. I can manage both servers from a single IP address. If I log into lapprox, I can manage both servers. If I log into production, I can manage both servers.

The Clustering Process

I would highly advise reading this page before proceeding: https://pve.proxmox.com/wiki/Cluster_Manager#pvecm_join_node_to_cluster

Please note: A node that is about to be added to the cluster cannot hold any guests. All existing configuration in /etc/pve is overwritten when joining a cluster, since guest IDs could be conflicting. When forming a cluster, empty nodes should always join existing nodes.

1. Go to your existing node (eg. https://existing-node-ip:8006)
   This is your Proxmox node that already has guests and configurations.
   • Click on Datacenter > Cluster
   • Click on Create Cluster
   • Click on Join Information
   • Click Copy Information
2. Go to your brand new node (eg. https://172.16.0.16:8006)
   This is your brand-new Proxmox node. It is empty, no guests, no configurations.
   • Go to Datacenter > Cluster
   • Click Join Cluster
   • Paste the Join Information you copied above
   • And, join the cluster