Trevor Carstensen Technology & Cyber Security

Building a Homelab & Cyber Range: The Firing Range – Vulnerable Targets

Welcome back to the Cyber Range build! In our last two posts, we established our network architecture with pfSense and built out our purple team command center on VLAN 1. The infrastructure is solid, the monitoring tools are watching, and our attack platforms are ready. But a cyber range needs targets.

A firing range is useless without something to shoot at. This is where we build the core of our practice environment. I’ve built three distinct victim networks, each isolated on its own VLAN, to simulate a wide array of security challenges: a classic pen-testing playground, a realistic Active Directory environment, and a modern containerized lab for web application security.

Let’s dive into the anatomy of VLANs 10, 20, and 30.

VLAN 10: The Pen-Testing Playground (192.168.10.0/24)

Every penetration tester cuts their teeth on classic, intentionally vulnerable machines. This network is for exactly that—foundational practice, tool mastery, and learning the timeless art of enumeration and exploitation.

Metasploitable 2

The cornerstone of this VLAN is the venerable Metasploitable 2. It’s a Linux VM designed by Rapid7 to be a punching bag, riddled with common vulnerabilities and misconfigurations. Deploying it was a great first step into handling different VM formats within Proxmox.

The process involved:

  1. Downloading the Image: I pulled the Metasploitable 2 image, which comes as a .zip file.
  2. Converting the Disk: Inside the archive is a .vmdk disk file (a VMware format). To use it in Proxmox (which prefers QEMU’s format), I used the qemu-img command-line tool on the Proxmox host to convert the .vmdk into a .qcow2 file.
  3. Attaching and Booting: I created a new VM shell in Proxmox, detached the default hard disk, and attached the newly converted .qcow2 disk.

Once booted, it grabbed an IP address from the VLAN 10 DHCP scope, and just like that, we had a classic target ready for Nmap scans and Metasploit modules. This segment is also the perfect home for machines from VulnHub, providing an endless supply of CTF-style challenges.

VLAN 20: Simulating a Corporate Network (192.168.20.0/24)

While CTF boxes are fun, the real world often involves navigating a corporate Active Directory (AD) environment. VLAN 20 is designed to be a realistic, albeit small, enterprise network, providing a place to practice techniques that are critical for modern red team engagements.

This network consists of:

  • A Windows Server 2022 Domain Controller (DC): The heart of our domain, handling authentication, DNS, and DHCP.
  • A Windows 10 Client: A standard user workstation joined to the domain.
  • An Ubuntu 22.04 Client: A Linux machine also joined to the domain, adding complexity and a different attack surface.

The setup, as detailed in Episode 5 of the video series, was a multi-step process:

  1. Building the Server: I installed a fresh Windows Server 2022 VM on Proxmox, giving it a static IP (192.168.20.10) to serve as our DC.
  2. Promoting to Domain Controller: I installed the Active Directory Domain Services (AD DS), DHCP, and DNS roles. I then promoted the server to a new forest, creating the J.local domain.
  1. Configuring Services: I migrated DHCP services from the pfSense firewall to the Windows DC for this VLAN, creating a scope to hand out IPs to clients.
  2. Creating Users and Groups: I created a standard domain user (J.O’Brien), a domain admin account, and security groups to manage permissions.
  3. Joining Clients: Finally, I built the Windows 10 and Ubuntu VMs and joined them to the J.local domain.

This environment is an incredible training ground for AD attacks like Kerberoasting, password spraying, AS-REP Roasting, lateral movement, and hunting for misconfigured GPOs.

VLAN 30: The Modern AppSec Lab (192.168.30.0/24)

Web applications are one of the biggest attack surfaces today. This VLAN is dedicated to practicing web-based attacks in a modern, containerized environment, powered by our Ubuntu Docker host. Using Portainer makes deploying these targets incredibly simple.

A key piece of this setup was configuring a MacVLAN network in Docker. This allows each container to have its own unique IP address on the VLAN 30 subnet, making them appear as separate hosts on the network. This is crucial for realistic scanning and targeting with tools like Nessus.

Our deployed vulnerable applications include:

  • bWAPP (Buggy Web Application): A classic for practicing a huge range of vulnerabilities, from SQL Injection (SQLi) and Cross-Site Scripting (XSS) to insecure file uploads.
  • DVWA (Damn Vulnerable Web App): Another staple, perfect for learning the basics of web exploitation in a structured way.
  • WebGoat & WebWolf: An interactive OWASP project that teaches common web security flaws through a series of hands-on lessons.

These containerized labs are lightweight, easy to reset, and provide a safe space to launch web attacks without affecting a full operating system.

The Range is Hot

With these three distinct target environments now live, our cyber range is officially a “hot” range. We have a classic playground for fundamentals, a corporate network for advanced TTPs, and a modern app lab for web security. Each one is monitored by the tools on VLAN 1, creating a complete feedback loop where we can launch an attack and immediately pivot to the defensive side to see what it looked like.

In our next post, we will build out the final piece of our lab: a safely isolated environment for reverse engineering malware.