Hack Tech


VMware Practice Lab Overview

Stand up a repeatable, ethics-first environment for sharpening exploitation, detection, and response tradecraft. This guide walks through building a compact VMware Workstation/Fusion lab that mirrors production-style segmentation without risking live infrastructure.

Objectives

  • Isolated virtual network

    Configure segmented host-only virtual networks (VMnets) and a pivot-friendly topology that never bridges to the physical LAN or the internet unless a specific segment explicitly needs it.

  • Red vs Blue workflows

    Install dedicated attacker, victim, and monitoring systems to rehearse offensive maneuvers alongside defensive detections.

  • Rapid snapshots

    Capture golden images of each host to fast-forward resets after high-impact exploit attempts or malware detonation.

Reference Topology

Suggested Virtual Machines

  • Attacker Node (Kali Linux)

    Primary offensive box with tools such as Burp Suite, Metasploit, BloodHound, and CrackMapExec. Allocate 2 vCPU / 4 GB RAM.

  • Victim Workstation (Windows 10/11)

    Patched baseline image, plus separate snapshots that introduce deliberately vulnerable software (for example an intentionally outdated browser) for phishing and post-exploitation drills.

  • Server Segment (Windows Server + Ubuntu)

    Domain Controller plus Linux services (web, file share) to practice privilege escalation, AD misconfigurations, and lateral movement.

  • Monitoring Stack (Security Onion or Wazuh)

    Instrument the lab with network sensors and host agents to visualize attack telemetry and tune detections.

Network Layout

  • Mgmt Network (Host-Only)

    Used for administrative access to VMware and management services. No routing outside of the hypervisor.

  • Corp LAN (Custom Host-Only)

    Contains the victim workstation, domain controller, and monitoring stack. Simulates a production subnet.

  • Attack Net (NAT)

    Provides controlled outbound internet access for tool updates while blocking unsolicited inbound connections. Only the attacker VM gets a NAT leg; it reaches the Corp LAN through a second adapter, while the victim, server, and monitoring VMs stay on host-only segments with no path to the internet.

Build Checklist

Prerequisites

  • VMware Platform

    VMware Workstation Pro (Windows/Linux) or VMware Fusion Pro (macOS) with virtualization extensions enabled in BIOS/UEFI.

  • Hardware Baseline

    At least 32 GB RAM, 8 physical cores, and a 500 GB SSD are recommended for smooth multi-VM operation.

  • ISO Library

    Collect installer media for Kali, Windows, Ubuntu Server, Security Onion, and any additional tooling VMs.

Need the Windows build?

Download VMware Workstation Pro for Windows hosts directly from the vendor (VMware, now part of Broadcom). Verify the installer's publisher signature and the published checksum before running it, and avoid third-party mirrors: the hypervisor is the trust root of the whole lab, and a tampered installer compromises every VM built on top of it.

Deployment Flow

  1. Enable virtualization support (VT-x/AMD-V) in firmware, install VMware, and create the custom host-only networks in the Virtual Network Editor. Decide whether VMware's built-in DHCP service or the lab domain controller hands out addresses on the Corp LAN so the two do not conflict.
  2. Provision the attacker VM first with two adapters (NAT for updates, a second leg on the Corp LAN for operations) and validate outbound NAT connectivity for package updates and tool installs.
  3. Deploy the domain controller (static address) and the victim workstation on the Corp LAN, joining them to the same Active Directory domain.
  4. Harden segmentation: disable shared folders, clipboard, and drag-and-drop in each VM's isolation settings, and allow promiscuous mode only on the sensor's adapters (on Linux hosts this is governed by the permissions on /dev/vmnetN; on Windows hosts it is permitted by default, so verify the non-sensor VMs cannot sniff).
  5. Install the monitoring stack and give its sniffing adapter a leg on each monitored VMnet in promiscuous mode; Workstation has no SPAN/TAP port, but a promiscuous adapter on a host-only VMnet sees all frames on that segment. Forward host logs (Sysmon, Windows Security events) to the SIEM component.
  6. Create clean snapshots of every VM after base configuration, then branch new snapshots for specialized scenarios.
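Steps 1, 4 and 5 above boil down to a handful of keys in each VM's .vmx file, and they are easy to get wrong when a VM is cloned or rebuilt. The following audit script is an added example written for this guide (it is not code from the original page or from VMware): it parses each .vmx, checks that every adapter sits on a VMnet allowed for that VM's role, that nothing is bridged to the physical LAN, that only the sensor may enter promiscuous mode, and that the guest isolation settings are on. The VMnet numbering (VMnet2 = Mgmt, VMnet3 = Corp LAN, VMnet8 = default NAT), the role map and the three trimmed .vmx texts are constructed assumptions; the isolation.tools.* and sharedFolder.maxNum keys are VMware's hardening-guide settings, while ethernetN.noPromisc is the key VMware documents for ESXi and is assumed here to be honoured by Workstation (verify that on your host before relying on it).

```python
"""Audit VMware Workstation .vmx files against the lab's segmentation rules.

Added example for this guide, not code from the original page or from VMware.
Assumptions: VMnet2 is the Mgmt network and VMnet3 the Corp LAN (custom
host-only networks from the Virtual Network Editor); VMnet8 is the default NAT
network. isolation.tools.* and sharedFolder.maxNum are VMware hardening-guide
settings; ethernetN.noPromisc is the ESXi-documented key and is assumed to be
honoured by Workstation as well.
"""
import re
from typing import Dict, List, Tuple

ALLOWED_VNETS = {                      # role -> VMnets its adapters may use
    "attacker": {"VMnet8", "VMnet3"},  # NAT leg for updates + leg into Corp LAN
    "victim":   {"VMnet3"},
    "dc":       {"VMnet3"},
    "sensor":   {"VMnet2", "VMnet3"},
}
PROMISC_ALLOWED = {"sensor"}           # only the monitoring stack may sniff
ISOLATION_KEYS = (                     # guest isolation settings that must be TRUE
    "isolation.tools.copy.disable",
    "isolation.tools.paste.disable",
    "isolation.tools.dnd.disable",
    "isolation.tools.hgfs.disable",
)
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; VMX keys are case-insensitive."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def vnet_of(cfg: Dict[str, str], nic: str) -> str:
    """Resolve the VMnet an adapter attaches to ('VMnet3' on Windows, '/dev/vmnet3' on Linux)."""
    ctype = cfg.get(f"{nic}.connectiontype", "bridged").lower()
    if ctype == "bridged":
        return "bridged"
    default = {"nat": "VMnet8", "hostonly": "VMnet1"}.get(ctype, "")
    m = re.search(r"vmnet(\d+)", cfg.get(f"{nic}.vnet", default), re.I)
    return f"VMnet{m.group(1)}" if m else "unknown"


def audit_vm(name: str, role: str, cfg: Dict[str, str]) -> List[str]:
    """Return policy violations for one VM (an empty list means it passes)."""
    findings: List[str] = []
    nics = sorted({k.split(".")[0] for k in cfg if k.startswith("ethernet")})
    if not nics:
        findings.append(f"{name}: no network adapters defined")
    for nic in nics:
        if cfg.get(f"{nic}.present", "TRUE").upper() != "TRUE":
            continue
        vnet = vnet_of(cfg, nic)
        if vnet == "bridged":
            findings.append(f"{name}: {nic} is bridged to the physical LAN")
            continue
        if vnet not in ALLOWED_VNETS[role]:
            findings.append(f"{name}: {nic} on {vnet} is not allowed for role '{role}'")
        if role not in PROMISC_ALLOWED and cfg.get(f"{nic}.nopromisc", "FALSE").upper() != "TRUE":
            findings.append(f"{name}: {nic} may enter promiscuous mode (set {nic}.noPromisc)")
    for key in ISOLATION_KEYS:
        if cfg.get(key, "FALSE").upper() != "TRUE":
            findings.append(f"{name}: {key} is not TRUE")
    if cfg.get("sharedfolder.maxnum", "") != "0":
        findings.append(f'{name}: shared folders not disabled (sharedFolder.maxNum = "0")')
    return findings


def audit_lab(lab: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit {vm name: (role, vmx text)} and return findings per VM."""
    return {name: audit_vm(name, role, parse_vmx(text)) for name, (role, text) in lab.items()}


# Constructed sample inventory: three trimmed .vmx files for the demonstration.
ISOLATION_OK = "\n".join(f'{k} = "TRUE"' for k in ISOLATION_KEYS) + '\nsharedFolder.maxNum = "0"\n'
LAB = {
    "lab-kali": ("attacker", '.encoding = "UTF-8"\ndisplayName = "lab-kali"\n'
                 'ethernet0.present = "TRUE"\nethernet0.connectionType = "nat"\n'
                 'ethernet0.noPromisc = "TRUE"\nethernet1.present = "TRUE"\n'
                 'ethernet1.connectionType = "custom"\nethernet1.vnet = "VMnet3"\n' + ISOLATION_OK),
    "lab-win11": ("victim", 'displayName = "lab-win11"\nethernet0.present = "TRUE"\n'
                  'ethernet0.connectionType = "bridged"\n'          # wrong: leaks to the physical LAN
                  'isolation.tools.copy.disable = "TRUE"\nisolation.tools.paste.disable = "TRUE"\n'
                  'isolation.tools.dnd.disable = "TRUE"\n'),        # hgfs and shared folders still on
    "lab-so": ("sensor", 'displayName = "lab-so"\nethernet0.present = "TRUE"\n'
               'ethernet0.connectionType = "custom"\nethernet0.vnet = "/dev/vmnet2"\n'
               'ethernet1.present = "TRUE"\nethernet1.connectionType = "custom"\n'
               'ethernet1.vnet = "VMnet3"\n' + ISOLATION_OK),
}

if __name__ == "__main__":
    for vm, findings in audit_lab(LAB).items():
        print(f"{vm}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run it against the real .vmx files in your VM directories (read each file and pass its text with the VM's role) after every clone or rebuild, and again before a detonation scenario; a bridged adapter on a victim or a missing noPromisc on the attacker box is exactly the kind of drift that silently undoes the isolation the topology promises.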

Training Scenarios

Offensive Plays

  • Phishing to Domain Admin

    Craft a payload with msfvenom, deliver it by a simulated spear-phish to the victim workstation, then escalate by Kerberoasting a service account whose cracked password grants elevated AD group membership.

  • Web Exploitation Pipeline

    Exploit a vulnerable CMS hosted on the Ubuntu server, pivot through file shares, and exfiltrate simulated crown jewels.

  • Ransomware Simulation

    Detonate a controlled sample on a host-only segment, with every VM snapshotted and the attacker's NAT leg disconnected, to rehearse containment, response runbooks, and backup restoration drills.

Defensive Plays

  • Detection Engineering

    Ingest Sysmon, Windows Security, and Zeek telemetry, build Sigma or Elastic rules, and validate detections by replaying the offensive plays against them.

  • Incident Response Drills

    Practice triage on cloned snapshots: collect volatile data and memory images (suspending a VM writes its guest memory to a .vmem file next to the .vmx, which can be analysed without touching the guest), then craft structured timeline reports.

  • Purple Team Iterations

    Coordinate red/blue exercises with MITRE ATT&CK mapping to measure coverage and share remediation insights.
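The Kerberoasting step of the phishing play and the detection engineering item above meet in one classic detection: Windows Security event 4769 (Kerberos service ticket requested) with an RC4 ticket (TicketEncryptionType 0x17) for a user account with an SPN, many of them from one source in a short window. The script below is an added example written for this guide, not code from the original page or from Security Onion or Wazuh. It assumes the monitoring stack has already shipped 4769 events from the lab DC and normalised them into the field names Windows uses in the event XML (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress); the event records themselves are constructed for the demonstration. It goes slightly beyond a single-event Sigma-style match by counting distinct SPNs per requester and source address, which is what separates a roast from a legacy client that still negotiates RC4.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example for this guide, not code from the original page or from
Security Onion/Wazuh. Assumes 4769 events from the lab DC have been
normalised into the Windows event XML field names; the sample events are
constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; requested because RC4 hashes crack fastest


def is_roastable_request(ev: Dict[str, str]) -> bool:
    """True for a successful RC4 service ticket for a user (SPN-bearing) account,
    requested by a user rather than a machine account; krbtgt is excluded."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt"
            and not ev["TargetUserName"].endswith("$"))


def detect_kerberoasting(events: List[Dict[str, str]], window_seconds: int = 60,
                         min_services: int = 3) -> List[Dict[str, object]]:
    """Alert when one requester from one IP obtains RC4 tickets for at least
    `min_services` distinct SPNs inside `window_seconds`. Single RC4 requests
    are noisy (legacy clients), so distinct services in a window are counted."""
    buckets: Dict[tuple, List[Dict[str, str]]] = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            buckets[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts: List[Dict[str, object]] = []
    window = timedelta(seconds=window_seconds)
    for (user, ip), evs in buckets.items():
        evs.sort(key=lambda e: e["TimeCreated"])           # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        for start in range(len(evs)):
            # all requests within `window` of this starting request
            in_window = [e for e, t in zip(evs[start:], times[start:]) if t - times[start] <= window]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_services:
                alerts.append({"requester": user, "source_ip": ip,
                               "services": services, "first_seen": evs[start]["TimeCreated"]})
                break                                       # one alert per requester/IP pair
    return alerts


def ev(ts: str, user: str, svc: str, etype: str, ip: str, status: str = "0x0") -> Dict[str, str]:
    """Build one constructed 4769 record."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample: a 4-SPN burst from jdoe (the phished foothold), plus benign
# machine-account and AES (0x12) traffic, a krbtgt request, and one failed request.
SAMPLE_4769 = [
    ev("2024-05-01T10:00:00", "jdoe", "svc_sql", "0x17", "10.10.30.50"),
    ev("2024-05-01T10:00:00", "jdoe", "svc_web", "0x17", "10.10.30.50"),
    ev("2024-05-01T10:00:01", "jdoe", "svc_backup", "0x17", "10.10.30.50"),
    ev("2024-05-01T10:00:01", "jdoe", "svc_sccm", "0x17", "10.10.30.50"),
    ev("2024-05-01T10:00:05", "WS01$", "DC01$", "0x12", "10.10.30.20"),
    ev("2024-05-01T10:01:00", "asmith", "krbtgt", "0x17", "10.10.30.21"),
    ev("2024-05-01T10:02:00", "asmith", "svc_sql", "0x12", "10.10.30.21"),
    ev("2024-05-01T10:30:00", "bjones", "svc_sql", "0x17", "10.10.30.22"),
    ev("2024-05-01T10:31:00", "bjones", "svc_web", "0x17", "10.10.30.22", status="0x1b"),
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(f"ALERT Kerberoasting: {alert['requester']}@{alert['source_ip']} requested "
              f"{len(alert['services'])} RC4 SPN tickets from {alert['first_seen']}: "
              f"{', '.join(alert['services'])}")
```

Tune `min_services` and `window_seconds` against a quiet baseline of your Corp LAN first, then replay the phishing-to-Kerberoast play from the attacker VM and confirm the alert fires; bjones's single RC4 request in the sample is below the threshold on purpose, and is the kind of event worth a low-severity hunt rather than an alert.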

Next Steps & Enhancements

Keep Expanding

  • Infrastructure as Code

    Automate rebuilds with vmrun and the Workstation REST API (vmrest), driven from Ansible or Terraform, and use VMware PowerCLI where the lab is backed by vSphere; keep the topology definitions in version control.

  • Adversary Emulation

    Layer Caldera, Atomic Red Team, or Prelude Operator to script repeatable adversary behaviors.

  • Hybrid Cloud

    Bridge to a small AWS or Azure subscription through a VPN appliance placed on a dedicated segment, so the cloud link does not undo the host-only isolation of the Corp LAN, and rehearse multi-cloud incident response across the tunnel.

Document every build, test, and lesson learned. Treat the lab like production: version every change, keep baseline snapshots, and enforce rules of engagement for anyone operating inside.