Building a Cybersecurity Purple Team Home Lab — Part One

Varun Belani
Published in Cyber Logos
5 min read, Apr 20, 2024

[Image: a cybersecurity lab, generated using deepai.org]

This article was significantly updated on 6/23/2024.

Changes:

  • Updated the network map
  • Updated network switching instructions
  • Corrected and updated my /etc/network/interfaces configuration for Proxmox

Why build a Home Lab?

As cybersecurity or IT professionals, it is paramount that we keep our skills up to date. There are many training resources out there, but in my opinion the best way to train yourself is to build something from the ground up. What you build doesn't have to be an advanced XDR; it can be something simpler, like what I'm working on. Technology at the fundamental level hasn't really changed, and the new security solutions that come out every day work the same way at that level. Building simpler projects modelled on more complex, production-ready products is a great way to learn how a security or IT solution works, and that way of learning carries over to most new products that come out.

Building my purple teaming lab is what I decided to do during my layoff. Instead of sitting around waiting for something to happen and letting my skills grow dull, I took the initiative to grow as a person and as a professional. This home lab has helped me persevere and stay disciplined when problem solving and troubleshooting get hard.

Building persistence is the key to becoming a good problem solver.

I used the classic troubleshooting methodology of recognizing where I was in the OSI stack and working up or down it depending on the kind of problem I was facing. For example, just last night I couldn't understand why my Windows Server 2019 DC was not getting an Internet connection. I noticed the network adapters had a red X on them. I started troubleshooting at Layer 3 (networking/routing): I could ping the AD DC's gateway, but obviously could not ping the DC itself. Then I recognized that the adapters were not even available on the Windows DC, so this was a Layer 1 or Layer 2 issue. After some research I found I needed to install the Proxmox-specific network drivers for Windows guests; once I loaded the driver ISO onto the VM and installed them, the network adapters came online and I could finally ping the DC.

Every time I managed to solve a problem it was a victory; big or small, it kept me motivated to stay on this path of self-training.

Part One covers the hardware needed, initial setup and networking configuration on Proxmox.

Hardware List:

Before we build the lab, we need a plan. I suggest creating a network map like the one I made.

[Network map: diagram created on draw.io]

Step-by-step Instructions

  1. Download the Proxmox VE 8.1 ISO and flash it onto a USB drive: https://www.proxmox.com/en/downloads/proxmox-virtual-environment/iso/proxmox-ve-8-1-iso-installer
  2. Plug one Ethernet port of the switch into the router, and a second switch port into the workstation that will run the Proxmox hypervisor.
  3. Boot your workstation hardware from the USB stick and install Proxmox.
  4. Access the Proxmox web interface at https://[IP-address]:8006. You may have to log in to your router to see which IP address Proxmox was assigned.
  5. While on the router console, find out what your switch's IP address is if you don't already know it.
  6. Your switch configuration should have auto-negotiation enabled on ports one and two. Auto-negotiation is a very helpful feature to have on your switch, as these two switch ports will then determine the optimal duplex mode and connection speed. It's optional, but I turned off the ports I wasn't going to be using.

[Screenshot: switch interface configuration]

  7. On the Proxmox web interface, open the pve node's shell and edit your interfaces file, /etc/network/interfaces.

Here's what my Proxmox /etc/network/interfaces file looks like:

auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet manual

# WAN bridge: the physical NIC enp1s0 is enslaved to vmbr0, which carries the
# Proxmox management address and the default route to the home router.
auto vmbr0
iface vmbr0 inet static
        address 192.168.0.50/24
        gateway 192.168.0.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

# LAN bridge with VLANs enabled. vmbr1 has no physical ports; it exists so that
# pfSense (Part Two) can route between the lab VLANs and so that a sniffing VM
# (Security Onion) can be attached to it. The Proxmox host itself needs no
# address on this bridge, so the method is "manual" rather than "static" with a
# network address such as 10.0.0.0/24, which is not a valid host address.
# The "post-up" hook turns off NIC offloading on the bridge so that the sniffing
# VM sees frames as they were sent rather than coalesced by the kernel (see the
# Security Onion Proxmox documentation linked in step 8).
auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K vmbr1 $i off; done

# VLAN 10 - Web Server (10.0.1.0/24, routed by pfSense)
auto vmbr1.10
iface vmbr1.10 inet manual

# VLAN 20 - Blue Team subnet: SIEM (10.0.2.0/24, routed by pfSense)
auto vmbr1.20
iface vmbr1.20 inet manual

# VLAN 30 - Malware Analysis: Cuckoo VM (10.0.3.0/24, routed by pfSense)
auto vmbr1.30
iface vmbr1.30 inet manual

# VLAN 40 - Active Directory: Windows DC[s] and hosts (10.0.4.0/24, routed by pfSense)
auto vmbr1.40
iface vmbr1.40 inet manual

source /etc/network/interfaces.d/*

  8. Note that the post-up command in the interfaces file, which turns off the NIC offloading features on vmbr1 with ethtool, is there so that Security Onion can sniff traffic from Proxmox's virtual NIC. In our case we use vmbr0 (bridged with enp1s0) as the WAN bridge connected to the Internet, and vmbr1 as the LAN bridge whose traffic from each VLAN under it is sniffed. Here is more information on virtual NIC sniffing: https://docs.securityonion.net/en/2.4/proxmox.html

  9. After the edits, reload the networking configuration with ifreload -a. The changes persist across reboots because they were saved to the interfaces file.

  10. The Network tab of the Proxmox "pve" node should show the new configuration once your interfaces file has been reloaded.
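Before reloading, it is worth checking the file for the mistakes that most often break a lab network, especially since a typo in the management bridge can lock you out of the web interface. What follows is an added example of my own, not the author's file and not a Proxmox or ifupdown2 tool: it parses the stanza format used above and reports a host address that is really a network address (such as 10.0.1.0/24), more than one default gateway, a VLAN-aware bridge without bridge-vids, a VLAN sub-interface whose parent bridge is not declared, and a port-less sniffing bridge that has no ethtool offload-disable hook. The two embedded configurations are constructed samples.

```python
"""Lint a Debian/Proxmox /etc/network/interfaces file before `ifreload -a`.
Added example: my own code, not the author's file or a Proxmox/ifupdown2 tool."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample (not the author's file): the article's bridge layout with
# the mistakes the linter is meant to catch deliberately present.
SAMPLE_BAD = """\
auto vmbr0
iface vmbr0 inet static
        address 192.168.0.50/24
        gateway 192.168.0.1
        bridge-ports enp1s0

auto vmbr1
iface vmbr1 inet static
        address 10.0.0.0/24
        bridge-ports none
        bridge-vlan-aware yes

auto vmbr1.10
iface vmbr1.10 inet static
        address 10.0.1.0/24
        gateway 10.0.1.1

auto vmbr2.20
iface vmbr2.20 inet manual
"""

# Same layout with every finding fixed: one gateway, a port-less VLAN-aware
# sniffing bridge with offloading disabled, and no host address on it.
SAMPLE_GOOD = """\
auto vmbr0
iface vmbr0 inet static
        address 192.168.0.50/24
        gateway 192.168.0.1
        bridge-ports enp1s0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-vlan-aware yes
        bridge-vids 2-4094
        post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K vmbr1 $i off; done

auto vmbr1.10
iface vmbr1.10 inet manual
"""


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Map name -> {"method": ..., "options": {key: [values]}}; values are lists
    because keys such as post-up may repeat within one stanza."""
    ifaces: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0], words[1:]
        if key == "iface" and len(args) >= 3:           # iface NAME FAMILY METHOD
            current = ifaces.setdefault(args[0], {"method": args[2], "options": {}})
        elif key in ("auto", "source", "source-directory"):
            current = None                               # not an option of a stanza
        elif current is not None:
            current["options"].setdefault(key, []).append(" ".join(args))
    return ifaces


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file passed."""
    ifaces = parse_interfaces(text)
    findings: List[str] = []
    gateways: List[str] = []
    for name, cfg in ifaces.items():
        opts = cfg["options"]
        if cfg["method"] == "static":
            for addr in opts.get("address", []):
                ip = ipaddress.ip_interface(addr)        # ValueError if malformed
                # A bare address (old netmask style) parses as /32 and is skipped.
                if ip.network.prefixlen < 31 and ip.ip == ip.network.network_address:
                    findings.append(f"{name}: {addr} is the network address, not a host address")
            gateways.extend(f"{name}={g}" for g in opts.get("gateway", []))
        parent = re.fullmatch(r"(.+)\.\d+", name)        # VLAN sub-interface, e.g. vmbr1.10
        if parent and parent.group(1) not in ifaces:
            findings.append(f"{name}: parent interface {parent.group(1)} is not declared")
        ports = opts.get("bridge-ports")
        if ports is not None:                            # stanza describes a Linux bridge
            if opts.get("bridge-vlan-aware") == ["yes"] and "bridge-vids" not in opts:
                findings.append(f"{name}: bridge-vlan-aware yes but no bridge-vids")
            hooks = opts.get("post-up", []) + opts.get("up", [])
            if ports == ["none"] and not any("ethtool -K" in h for h in hooks):
                findings.append(f"{name}: port-less bridge without an ethtool -K offload-disable "
                                "hook; a sniffing VM attached to it will see coalesced frames")
    if len(gateways) > 1:
        findings.append("more than one default gateway: " + ", ".join(gateways))
    return findings
```

Feed lint() the contents of the real file before reloading: the bad sample above yields six findings, the corrected one none. The checks are deliberately conservative (they only flag what will definitely misbehave), so an empty result is a precondition for ifreload -a, not a guarantee that the VLAN plan is right.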

Linked below is Part Two, where we will configure pfSense, the virtual router that is the lynchpin of this entire home lab.

https://medium.com/@varunbelani/building-a-cybersecurity-purple-team-home-lab-part-two-c83a866576af

If you found this article helpful and want to support me in my content creation then buy me a coffee!
