Overview

This homelab is a small, self-contained environment for practicing offensive security, adversary simulation, and detection engineering. It runs on a Proxmox host and includes a Windows Active Directory domain, attacker infrastructure, internal services, and a basic logging/monitoring stack.

The goal is to have a space where I can rehearse full attack chains from external recon to internal compromise, then tune detections and reporting without touching production systems or client data.

Lab Goals

  • Practice realistic attack paths from initial access to domain compromise.
  • Test tooling (C2 frameworks, enumeration tools, custom scripts) safely.
  • Experiment with logging, detection logic, and basic SIEM workflows.
  • Capture repeatable scenarios for writeups and demo material.
  • Keep everything simple enough to rebuild from scratch when needed.

Physical & Virtual Layout

The lab currently runs on a single home server with Proxmox, with room to grow into additional nodes later.

  • Hypervisor: Proxmox VE on bare metal.
  • Storage: Local SSDs for VMs; separate disk for ISOs and backups.
  • Networking: One physical NIC, multiple virtual networks/bridges for segmentation.

Network Topology

The lab is split into a few logical networks to mimic a small corporate environment:

  • Management network: Proxmox UI, IPMI/management access.
  • Internal network: Windows domain, file server, internal services.
  • Attacker network: Kali/attacker VM, tooling, C2 infrastructure.
  • DMZ / external-facing: Optional web apps and jump boxes for external-style tests.

A more detailed diagram lives here (work in progress):
/img/homelab-topology.png

Proxmox & VM Layout

Proxmox hosts the main pieces of the environment as separate virtual machines:

  • DC01: Windows Server domain controller (AD, DNS, basic GPOs).
  • MEM01: Windows member server or file server.
  • WIN10-CLIENT: Domain-joined workstation for user simulation.
  • ATTACKER: Kali Linux / attacker workstation with common tooling.
  • LOG/SIEM: Linux VM for log aggregation (e.g., ELK, Wazuh, or similar).
  • UTILITY: Misc services, test apps, or vulnerable web services.

Active Directory & Internal Network

The domain is designed to be small but realistic enough to practice common attack paths:

  • Single forest/domain with a handful of user and service accounts.
  • Basic OU structure for workstations, servers, and users.
  • A few misconfigurations introduced intentionally for testing (e.g., weak ACLs, over-privileged groups).
  • File shares and internal services to simulate real user activity.

Over time, I plan to add more complexity: tiered admin accounts, constrained delegation, and scenarios pulled from real-world assessments (recreated generically in the lab).

Detection & Logging

One of the key goals of this lab is not just to attack, but to see the attacks. The logging pipeline is still evolving, but currently includes:

  • Windows event forwarding from domain-joined systems.
  • Centralized log collection on a Linux VM.
  • Basic dashboards and searches for suspicious activity (logon patterns, PowerShell, service creation, etc.).
  • Room to integrate additional tools (Sigma rules, Zeek, Suricata, or a full SIEM) later on.
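
As an added example (not part of the lab's own tooling), here is a minimal sketch of the kind of search listed above, run over constructed sample events. The flat JSON field names, IP addresses, service name, thresholds and keyword list are assumptions; the event IDs are the standard Windows ones for failed logon (4625), service installation (7045) and PowerShell script block logging (4104).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line, in time order. The field
# names are an assumption about how the collector normalizes forwarded events.
SAMPLE_EVENTS = r"""
{"ts":"2024-01-01T10:00:00","host":"DC01","event_id":4625,"user":"alice","src_ip":"10.0.20.5"}
{"ts":"2024-01-01T10:00:20","host":"DC01","event_id":4625,"user":"bob","src_ip":"10.0.20.5"}
{"ts":"2024-01-01T10:00:40","host":"DC01","event_id":4625,"user":"carol","src_ip":"10.0.20.5"}
{"ts":"2024-01-01T10:05:00","host":"MEM01","event_id":7045,"service":"UpdaterSvc","image_path":"C:\\Users\\Public\\u.exe"}
{"ts":"2024-01-01T10:06:00","host":"WIN10-CLIENT","event_id":4104,"script":"[Convert]::FromBase64String($b)"}
{"ts":"2024-01-01T10:07:00","host":"WIN10-CLIENT","event_id":4104,"script":"Get-ChildItem C:\\Temp"}
{"ts":"2024-01-01T11:00:00","host":"DC01","event_id":4625,"user":"dave","src_ip":"10.0.30.9"}
"""

# Assumed tuning values: keywords worth a look in script blocks, and how many
# distinct accounts failing from one source within the window count as a burst.
SUSPICIOUS_PS = ("frombase64string", "downloadstring", "-encodedcommand")
SPRAY_USERS, SPRAY_WINDOW = 3, timedelta(minutes=5)

def detect(lines):
    """Return (rule, host, detail) tuples for events matching the three rules."""
    alerts, failures = [], defaultdict(list)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 7045:      # a service was installed
            alerts.append(("service_creation", ev["host"], ev["service"]))
        elif ev["event_id"] == 4104:    # PowerShell script block logging
            hits = [k for k in SUSPICIOUS_PS if k in ev["script"].lower()]
            if hits:
                alerts.append(("powershell_keyword", ev["host"], hits[0]))
        elif ev["event_id"] == 4625:    # failed logon
            # Keep only this source's failures inside the sliding window.
            recent = [(t, u) for t, u in failures[ev["src_ip"]] if ts - t <= SPRAY_WINDOW]
            recent.append((ts, ev["user"]))
            failures[ev["src_ip"]] = recent
            # Alert once, at the moment the distinct-account threshold is reached.
            if len({u for _, u in recent}) == SPRAY_USERS:
                alerts.append(("failed_logon_burst", ev["host"], ev["src_ip"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The failed-logon rule keys on the source address rather than the account, so many accounts failing from one host stand out even when no single account fails often.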

Use Cases

Some of the scenarios I use this lab for:

  • Practicing external-to-internal attack paths and lateral movement.
  • Testing enumeration and exploitation tooling in a safe environment.
  • Running through red team playbooks end-to-end, including reporting.
  • Recreating interesting vulnerabilities and misconfigurations encountered during past engagements.

Roadmap

This lab is an ongoing project. Planned improvements include:

  • More detailed network segmentation and VLANs.
  • Additional “user behavior” simulation (scheduled tasks, file activity, log noise).
  • Better visual diagrams and documentation.
  • Documented playbooks and lab exercises for specific techniques (Kerberoasting, ADCS abuse, cloud hybrid scenarios, etc.).

As the lab evolves, I plan to add more detailed writeups, screenshots, and diagrams to this page and related posts.