Transparency note: This project was built collaboratively using my own lab hardware and planning, with AI assistance (ChatGPT) for drafting configs and refining ideas. All hands‑on implementation, testing, screenshots and lessons learned are mine. I’ve included everything needed so you can reproduce it end‑to‑end safely at home.
Reading time: ~20–30 min • Skill level: Intermediate • Estimated build time: Weekend project (6–10 hrs)
What you’ll build
- Proxmox‑based virtual lab with clean network segmentation on a MikroTik
- Vulnerable web apps (Juice Shop, DVWA) behind Traefik
- A small Active Directory domain seeded with realistic misconfigurations (training only!)
- Network visibility via Suricata on a SPAN/mirrored port
- A set of red‑team exercises + blue‑team detections you can practise repeatedly
Why this post?
Hiring managers love proof. This is a portfolio‑grade, reproducible build you can link in your CV, reference at interview, and extend into research write‑ups.
Table of contents
- Hardware & topology
- Network design (VLANs on MikroTik)
- Proxmox provisioning playbook
- Vulnerable apps with Docker + Traefik
- Active Directory bootstrap (lab‑only vulns)
- Visibility: mirrored port + Suricata
- Exercises: red‑team to blue‑team
- Safety, ethics & clean‑up
- What I’d improve next
- Appendix: full configs & scripts
Hardware & topology
My kit: spare PC + basic server (Proxmox), MikroTik RouterBOARD + switch, WiFi Pineapple (optional), Synology NAS.
High‑level topology
[Internet]
    |
[MikroTik]───(trunk)───[Switch]
 |  |  |                 |---- Proxmox (vmbr trunk)
 |  |  |                 |---- NAS (VLAN 60)
 |  |  └─ VLAN 40 (Red Team) -> Kali
 |  └───── VLAN 30 (AD) -> DC + Workstations
 └──────── VLAN 20 (Apps) -> Web targets
(Opt) VLAN 10 (Mgmt), VLAN 50 (WiFi/Pineapple), VLAN 60 (NAS)
IP plan (edit to suit):
- VLAN10 Mgmt: 192.168.10.0/24 (GW .1)
- VLAN20 Apps: 192.168.20.0/24 (GW .1)
- VLAN30 AD: 192.168.30.0/24 (GW .1)
- VLAN40 Red: 192.168.40.0/24 (GW .1)
- VLAN60 NAS: 192.168.60.0/24 (GW .1)
Network design (VLANs on MikroTik)
Key goals: isolate targets from management; allow Red‑Team → Targets; default‑deny everything else. Full bootstrap script is in the appendix.
Highlights
- Per‑VLAN bridges: br-mgmt, br-apps, br-ad, br-red, br-nas
- DHCP per VLAN, strict inter‑VLAN firewall (allow only mgmt→any and red→targets)
- NAT to WAN for patching only (optional)
Pro tip: Start permissive enough to build, then tighten rules once routing works.
Proxmox provisioning playbook
- Create bridges (vmbr10/20/30/40) or one trunk bridge with tagged NICs.
- Templates to build once, clone often:
- Kali (attacker)
- Ubuntu (app host, docker‑compose)
- Windows Server (DC)
- Windows 10/11 (workstations)
- Cloud‑init for Ubuntu; sysprep for Windows; snapshots everywhere.
ZFS note: With no hardware RAID, I used ZFS mirror (RAID‑1) for integrity + easy snapshots.
Vulnerable apps with Docker + Traefik
Expose by hostname via Traefik, back apps with docker‑compose. Add A‑records on the DC: juice.lab.local, dvwa.lab.local → app‑host IP.
# docker-compose.yml (excerpt)
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only route containers that opt in with traefik.enable=true
      - --entrypoints.web.address=:80
      - --api.insecure=true                         # dashboard on :8080; lab use only
    ports: ["80:80", "8080:8080"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro  # the Docker provider needs the socket to discover the apps
  juice-shop:
    image: bkimminich/juice-shop
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.juice.rule=Host(`juice.lab.local`)"
      - "traefik.http.routers.juice.entrypoints=web"
  dvwa:
    image: vulnerables/web-dvwa
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dvwa.rule=Host(`dvwa.lab.local`)"
      - "traefik.http.routers.dvwa.entrypoints=web"
Active Directory bootstrap (lab‑only vulns)
I provision a small lab.local domain then deliberately add misconfigurations for training:
- Weak user/service account passwords + SPNs (Kerberoasting)
- GPP XML with cpassword artifact in SYSVOL
- SMBv1 enabled on a test host
- Unconstrained delegation on a workstation
- Unquoted service path + scheduled task storing creds
Warning: all of these are intentionally unsafe. Use only in an isolated lab. A revert/hardening checklist is included.
Script: see appendix (ad-bootstrap-vulns.ps1).
Visibility: mirrored port + Suricata
- Configure a SPAN/mirror on the switch → dedicated NIC on Proxmox → vmbr-monitor
- Suricata VM: capture on ens18 (monitor NIC), log to eve.json, ship to Elastic via Filebeat
Quick test
sudo suricata -c /etc/suricata/suricata.yaml -i ens18 -vv
nmap -sS -p 22,80,445 192.168.30.10 # generate alerts
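To check that the mirror actually delivers something useful, here is an added example (my own, not part of the original build scripts) that walks eve.json lines and pulls out two things this lab cares about: a source that trips alerts on several destination ports (what the nmap quick test produces) and any client that negotiates SMBv1. The sample lines are constructed, the signature/sid is a placeholder, and it assumes Suricata records the SMBv1 dialect as "NT LM 0.12".

```python
import json
from collections import defaultdict

# Constructed eve.json lines (not a real capture) shaped like what Suricata
# writes on ens18 when the nmap quick test runs from the Red-Team VLAN
# (192.168.40.0/24) against the DC (192.168.30.10), plus two SMB negotiates
# so the SMBv1 check has one hit and one miss. Signature/sid are placeholders.
SAMPLE_EVE = r"""
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"192.168.40.10","src_port":40001,"dest_ip":"192.168.30.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB TCP SYN probe (placeholder)","severity":2}}
{"timestamp":"2024-01-01T10:00:00.001000+0000","event_type":"alert","src_ip":"192.168.40.10","src_port":40002,"dest_ip":"192.168.30.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB TCP SYN probe (placeholder)","severity":2}}
{"timestamp":"2024-01-01T10:00:00.002000+0000","event_type":"alert","src_ip":"192.168.40.10","src_port":40003,"dest_ip":"192.168.30.10","dest_port":445,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB TCP SYN probe (placeholder)","severity":2}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"smb","src_ip":"192.168.30.21","src_port":49200,"dest_ip":"192.168.30.10","dest_port":445,"proto":"TCP","smb":{"id":1,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_NEGOTIATE_PROTOCOL"}}
{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"smb","src_ip":"192.168.30.22","src_port":49201,"dest_ip":"192.168.30.10","dest_port":445,"proto":"TCP","smb":{"id":2,"dialect":"3.02","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL"}}
{"timestamp":"2024-01-01T10:00:07.000000+0000","event_type":"flow","src_ip":"192.168.20.5","dest_ip":"192.168.30.10","proto":"UDP"}
"""

def summarize_eve(lines, scan_threshold=3):
    """Single pass over eve.json lines; returns (scanners, smb1_peers).
    scanners: {src_ip: sorted distinct dest ports} for sources whose alerts
    touch >= scan_threshold ports. smb1_peers: sorted (client, server) pairs."""
    ports_by_src = defaultdict(set)
    smb1 = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # half-written line while Suricata is still flushing
        kind = ev.get("event_type")
        if kind == "alert":
            ports_by_src[ev["src_ip"]].add(ev["dest_port"])
        elif kind == "smb":
            # Assumption: SMBv1 shows up as dialect "NT LM 0.12";
            # SMB2/3 dialects look like "2.02", "3.02", "3.11".
            if ev.get("smb", {}).get("dialect") == "NT LM 0.12":
                smb1.add((ev["src_ip"], ev["dest_ip"]))
    scanners = {ip: sorted(p) for ip, p in ports_by_src.items()
                if len(p) >= scan_threshold}
    return scanners, sorted(smb1)

if __name__ == "__main__":
    print(summarize_eve(SAMPLE_EVE.splitlines()))
```

On the real box, feed it with open("/var/log/suricata/eve.json") instead of the constructed sample; the same two findings are what a Filebeat/Elastic dashboard should surface.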
Exercises: red‑team to blue‑team
Each exercise is a mini‑module with attacker steps, detections, and remediation.
- Kerberoasting — enumerate SPNs, request TGS, crack offline; detect unusual TGS volume.
- GPP cpassword — hunt cpassword in SYSVOL; demonstrate decryption; alert on GPO file changes.
- Legacy SMB — find SMBv1 hosts; enumerate permissive shares; monitor SMB traffic.
- Unquoted service path — find unquoted binaries; explain hijack path; audit & fix.
- Scheduled task creds — enumerate tasks storing creds; remove, migrate to gMSA.
- WinRM Basic — identify insecure config; capture in lab; enforce HTTPS/disable Basic.
- Capstone — chain 2–3 findings into a narrative: recon → cred access → lateral → persistence → exfil; produce detections.
Deliverables for your portfolio: screenshots of each step, sanitized logs, and a short reflection on what you’d harden.
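For the detection half of the Kerberoasting module ("detect unusual TGS volume"), here is an added example of the blue‑team logic, written for this post rather than taken from the lab scripts. It runs over constructed Event ID 4769 records (real field names, placeholder account and SPN names for lab.local) and flags an account that pulls RC4 service tickets for several distinct user‑account SPNs in a short window, which is the pattern the exercise produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4769 (Kerberos service ticket requested) records, not
# real logs, using the field names the Security log exposes. 0x17 is RC4-HMAC,
# the type that stands out against a domain otherwise issuing AES (0x12).
# Accounts, SPNs and times are placeholders for the lab.local domain.
SAMPLE_4769 = [
    {"time": "2024-01-01T10:00:01", "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.40.10"},
    {"time": "2024-01-01T10:00:02", "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.40.10"},
    {"time": "2024-01-01T10:00:03", "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.40.10"},
    {"time": "2024-01-01T10:00:04", "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_iis",    "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.40.10"},
    {"time": "2024-01-01T10:00:09", "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.40.10"},
    {"time": "2024-01-01T10:05:00", "TargetUserName": "bob@LAB.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.30.21"},
    {"time": "2024-01-01T10:05:30", "TargetUserName": "WS01$@LAB.LOCAL", "ServiceName": "DC01$",      "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.30.22"},
]

def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Flag accounts that request RC4 (0x17) service tickets for >= min_spns
    distinct user-account SPNs inside a sliding `window`. Returns {user: {...}}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("TicketEncryptionType", "").lower() != "0x17":
            continue  # AES requests are the normal baseline here
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and TGT traffic are expected noise
        by_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["time"]), svc, ev["IpAddress"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):  # window anchored at each request
            seen = {s for t, s, _ in reqs[i:] if t - t0 <= window}
            if len(seen) >= min_spns:
                hits[user] = {"spns": sorted(seen), "source": ip}
                break
    return hits

if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_4769))
```

Tune window and min_spns against your own baseline first; a monitoring account that legitimately touches many SPNs will otherwise show up every run.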
Safety, ethics & clean‑up
- Keep the lab off production networks; default‑deny routing to anything sensitive.
- After each exercise, either revert snapshots or run the hardening checklist.
- Document what changed and why — this becomes your blue‑team playbook.
What I’d improve next
- Add Zeek alongside Suricata for richer protocol logs
- Deploy Elastic/OpenSearch dashboards for ready‑made detections
- Replace weak service accounts with gMSA and measure what breaks
- Add CI/CD for Docker apps to practise supply‑chain hardening
Appendix: full configs & scripts
- MikroTik: VLANs + firewall (bootstrap)
- Docker compose: Traefik + Juice Shop + DVWA + MariaDB
- AD bootstrap: ad-bootstrap-vulns.ps1 (with revert function)
- Suricata: /etc/suricata/suricata.yaml example + Filebeat module
I keep an up‑to‑date gist/repo with these snippets. Replace hostnames/paths for your environment and use at your own risk.
Acknowledgements & tooling
- Proxmox, MikroTik, Docker, Traefik, Suricata, Elastic (great docs)
- AI‑assisted drafting with ChatGPT — configs and scripts were reviewed, tested, and adapted in my lab
If this helped you, drop a comment or ping me on LinkedIn/Twitter. Happy hacking — responsibly.
