jramos/seclab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
jramos
2026-05-28 18:27:41 -06:00
commit 6d0035721e
45 changed files with 15082 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

655
NETWORK_DIAGRAM.md Normal file
View File

@@ -0,0 +1,655 @@
# Apophis Networking Security Lab - Network Diagram
## Physical Infrastructure Overview
```
┌─────────────────┐
│ Internet/ISP │
└────────┬────────┘
┌────────▼────────┐
│ Unifi Router │
│ (VLAN-aware) │
│ Gateway/DHCP │
└────────┬────────┘
│ Trunk Port
│ (All VLANs tagged)
┌────────▼────────┐
│ Cisco Switch │
│ (Layer 2) │
│ VLAN 100-400 │
└────────┬────────┘
│ Trunk Port
│ (All VLANs tagged)
┌────────▼────────┐
│ Proxmox Server │
│ (vmbr0) │
│ VLAN-aware │
│ bridge │
└─────────────────┘
┌────────────────────┼────────────────────┐
│ │ │
VLAN 100 VLAN 200-400 pfSense VM
(Management) (Security Lab VLANs) (Router/FW)
```
---
## VLAN Topology & Segmentation
```
┌─────────────────────────────────────────────────────────────────────────┐
│ Unifi Router (Physical) │
│ Internet Gateway │
│ Default VLAN 1 (Home) │
└─────────────────────────────────────────────────────────────────────────┘
Trunk (VLANs 100,200,300,400)
┌─────────────────────────────────────────────────────────────────────────┐
│ Cisco Switch (Physical) │
│ Trunk all VLANs to Proxmox │
└─────────────────────────────────────────────────────────────────────────┘
Trunk (VLANs 100,200,300,400)
┌─────────────────────────────────────────────────────────────────────────┐
│ Proxmox Server - vmbr0 Bridge │
│ (VLAN-aware enabled) │
└─────────────────────────────────────────────────────────────────────────┘
│ │ │ │
┌────▼────┐ ┌───▼────┐ ┌────▼────┐ ┌────▼────┐
│ VLAN 100│ │VLAN 200│ │VLAN 300 │ │VLAN 400 │
│Management│ │Red Team│ │Blue Team│ │ Victim │
│10.10.1│ │10.10.2│ │10.10.3│ │10.10.4│
│ .0/24 │ │ .0/24 │ │ .0/24 │ │ .0/24 │
└─────────┘ └────────┘ └─────────┘ └─────────┘
```
---
## Detailed VLAN Configuration
### VLAN 100 - Management Network (10.10.1.0/24)
**Purpose**: Hypervisor management and pfSense WAN interface
```
┌──────────────────────────────────────────┐
│ VLAN 100 - Management │
│ 10.10.1.0/24 │
├──────────────────────────────────────────┤
│ │
│ ┌────────────────────────────────┐ │
│ │ Proxmox Host (Physical) │ │
│ │ IP: 10.10.1.1 │ │
│ │ Web UI: https://10.10.1.1:8006 │ │
│ └────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────┐ │
│ │ pfSense VM - WAN Interface │ │
│ │ IP: 10.10.1.2 │ │
│ │ Gateway to other VLANs │ │
│ │ Web UI: https://10.10.1.2 │ │
│ └────────────────────────────────┘ │
│ │
└──────────────────────────────────────────┘
```
**Access**: Your management workstation connects here to access Proxmox and pfSense
---
### pfSense VM - Internal Router/Firewall
**Role**: Routes traffic between VLANs 200, 300, 400 with firewall rules
```
┌─────────────────────────────────────────────────────┐
│ pfSense VM (Router/FW) │
│ │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ vtnet0 │ │ vtnet1 │ │ vtnet2 │ ... │
│ │ VLAN 100 │ │ VLAN 200 │ │ VLAN 300 │ │
│ │ (WAN) │ │ (RED) │ │ (BLUE) │ │
│ │.100.2 │ │.200.1 │ │.300.1 │ │
│ └─────┬─────┘ └─────┬─────┘ └─────┬─────┘ │
│ │ │ │ │
│ │ ┌────▼──────────────▼────┐ │
│ └────────►│ Firewall Rules │ │
│ │ NAT Rules │ │
│ │ IDS/IPS (Suricata) │ │
│ └────────────────────────┘ │
│ │
│ vtnet3 → VLAN 400 (10.10.4.1) │
└─────────────────────────────────────────────────────┘
```
**Network Interfaces**:
- **vtnet0** (WAN): VLAN 100 - 10.10.1.2 → Management network
- **vtnet1** (RED): VLAN 200 - 10.10.2.1 → Red Team gateway
- **vtnet2** (BLUE): VLAN 300 - 10.10.3.1 → Blue Team gateway
- **vtnet3** (VICTIM): VLAN 400 - 10.10.4.1 → Victim network gateway
---
### VLAN 200 - Red Team / Attacker Network (10.10.2.0/24)
**Purpose**: Offensive security tools and attack infrastructure
```
┌──────────────────────────────────────────┐
│ VLAN 200 - Red Team │
│ 10.10.2.0/24 │
├──────────────────────────────────────────┤
│ │
│ Gateway: 10.10.2.1 (pfSense) │
│ DNS: 10.10.2.1 │
│ │
│ ┌────────────────────────────────┐ │
│ │ Kali Linux VM │ │
│ │ IP: 10.10.2.50 │ │
│ │ Hostname: kali-attacker │ │
│ │ │ │
│ │ Tools: │ │
│ │ • Nmap, Masscan │ │
│ │ • Metasploit Framework │ │
│ │ • Impacket (SMB/Kerberos) │ │
│ │ • BloodHound, Responder │ │
│ │ • Mimikatz, PowerSploit │ │
│ │ • Burp Suite, SQLMap │ │
│ │ • CrackMapExec, Evil-WinRM │ │
│ └────────────────────────────────┘ │
│ │
└──────────────────────────────────────────┘
```
**Firewall Rules** (pfSense):
- **Outbound**: Allow to VLAN 400 (victim network) - controlled by lab phase
- **Inbound**: Deny all from other VLANs
- **Logging**: All traffic logged for Blue Team analysis
---
### VLAN 300 - Blue Team / Monitoring Network (10.10.3.0/24)
**Purpose**: Defensive security monitoring and SIEM
```
┌──────────────────────────────────────────┐
│ VLAN 300 - Blue Team │
│ 10.10.3.0/24 │
├──────────────────────────────────────────┤
│ │
│ Gateway: 10.10.3.1 (pfSense) │
│ DNS: 10.10.3.1 │
│ │
│ ┌────────────────────────────────┐ │
│ │ Security Onion VM │ │
│ │ IP: 10.10.3.100 │ │
│ │ Hostname: securityonion │ │
│ │ │ │
│ │ Components: │ │
│ │ • Kibana (SIEM) │ │
│ │ • Elasticsearch (logs) │ │
│ │ • Suricata (IDS/IPS) │ │
│ │ • Zeek/Bro (network analysis) │ │
│ │ • Stenographer (PCAP) │ │
│ │ • Wazuh (HIDS) │ │
│ │ │ │
│ │ Web UI: │ │
│ │ https://10.10.3.100 │ │
│ └────────────────────────────────┘ │
│ │
└──────────────────────────────────────────┘
```
**Firewall Rules** (pfSense):
- **Inbound**: Mirror/SPAN traffic from VLAN 400 for IDS monitoring
- **Outbound**: Allow to Management VLAN (alerts/logs)
- **Isolation**: No direct access to VLAN 200 or 400
---
### VLAN 400 - Victim Network (10.10.4.0/24)
**Purpose**: Vulnerable target systems for penetration testing
```
┌────────────────────────────────────────────────────────────────┐
│ VLAN 400 - Victim Network │
│ 10.10.4.0/24 │
├────────────────────────────────────────────────────────────────┤
│ │
│ Gateway: 10.10.4.1 (pfSense) │
│ DNS: 10.10.4.10 (DC01) │
│ Domain: apophis.local │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ DC01 - Domain Controller │ │
│ │ IP: 10.10.4.10 │ │
│ │ OS: Windows Server 2022 │ │
│ │ Services: AD DS, DNS, LDAP, Kerberos │ │
│ │ Domain: apophis.local │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ WS01 - HR Workstation │ │
│ │ IP: 10.10.4.20 │ │
│ │ OS: Windows 10 Pro │ │
│ │ Domain: apophis.local\hruser │ │
│ │ Group: Domain Users │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ WS02 - IT Admin Workstation │ │
│ │ IP: 10.10.4.21 │ │
│ │ OS: Windows 10 Pro │ │
│ │ Domain: apophis.local\itadmin │ │
│ │ Group: Domain Admins (privileged) │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ WEB01 - Web Application Server │ │
│ │ IP: 10.10.4.30 │ │
│ │ OS: Ubuntu 22.04 LTS │ │
│ │ Services: DVWA (Docker), Apache, MySQL │ │
│ │ Ports: 80 (HTTP), 22 (SSH), 3306 (MySQL) │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ FILE01 - Legacy File Server │ │
│ │ IP: 10.10.4.40 │ │
│ │ OS: Metasploitable 2 (Ubuntu 8.04) │ │
│ │ Services: FTP (vsftpd 2.3.4), SMB, SSH, MySQL │ │
│ │ Vulnerabilities: Multiple (intentional) │ │
│ └──────────────────────────────────────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────┘
```
**Firewall Rules** (pfSense):
- **Default**: Allow internal communication within VLAN 400
- **Inbound from VLAN 200**: Deny by default (enable per-lab exercise)
- **Outbound to Internet**: Allow (for updates/downloads)
- **Logging**: All inter-VLAN traffic logged
---
## Traffic Flow Examples
### Example 1: Red Team Attack (MOD3 - Exploitation)
```
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Kali Linux │────1───►│ pfSense │────2───►│ FILE01 │
│ 10.10.2.50 │ │ Firewall │ │ 10.10.4.40 │
│ VLAN 200 │ │ Rules Check │ │ VLAN 400 │
└──────────────┘ └──────────────┘ └──────────────┘
3│ │ (Mirror/SPAN)
│ │
▼ ▼
┌──────────────────┐
│ Security Onion │
│ 10.10.3.100 │
│ VLAN 300 │
│ (IDS Alerts) │
└──────────────────┘
```
**Flow**:
1. Kali sends exploit to FILE01 (vsftpd backdoor)
2. pfSense allows (per lab rules) and logs connection
3. Security Onion captures traffic via SPAN port, Suricata generates alert
---
### Example 2: Lateral Movement (MOD5 - AD Attacks)
```
┌──────────────┐ PSExec/SMB ┌──────────────┐ Kerberos ┌──────────────┐
│ Kali Linux │─────────────────►│ WS02 │───────────────►│ DC01 │
│ 10.10.2.50 │ (via pfSense) │ 10.10.4.21 │ TGT Request │ 10.10.4.10 │
│ VLAN 200 │ │ VLAN 400 │ │ VLAN 400 │
└──────────────┘ └──────────────┘ └──────────────┘
│ │ │
└──────────────────────────────────┴──────────────────────────────┘
(All logged by
Security Onion)
```
**Flow**:
1. Kali uses stolen credentials to PSExec into WS02
2. From WS02, perform Kerberoasting against DC01
3. Security Onion logs all SMB and Kerberos traffic
---
### Example 3: Blue Team Forensics (MOD6 - Incident Response)
```
┌──────────────────┐ ┌──────────────────┐
│ Your Workstation │──────Management──────────►│ Proxmox Console │
│ (VLAN 100) │ VLAN 100 │ 10.10.1.1 │
└──────────────────┘ └─────────┬────────┘
Take VM Snapshot
Export disk image
┌───────────────────────────────────┘
┌──────────────────┐
│ WS02 (Snapshot) │◄──── Forensic Analysis
│ Disk Image │ • Autopsy
│ Memory Dump │ • Volatility
└──────────────────┘ • Timeline reconstruction
```
**Flow**:
1. Access Proxmox from Management VLAN
2. Create snapshots of compromised VMs
3. Export disk images for forensic analysis
4. Analyze with Autopsy/Volatility on separate forensics workstation
---
## Physical Switch Configuration (Cisco)
### Required VLAN Configuration
```cisco
! Create VLANs
vlan 100
name Management
vlan 200
name RedTeam
vlan 300
name BlueTeam
vlan 400
name Victim
! Trunk port to Proxmox server (assume GigabitEthernet0/1)
interface GigabitEthernet0/1
description Trunk to Proxmox Server
switchport mode trunk
switchport trunk allowed vlan 100,200,300,400
switchport trunk native vlan 100
spanning-tree portfast trunk
! Trunk port to Unifi Router (assume GigabitEthernet0/24)
interface GigabitEthernet0/24
description Trunk to Unifi Router
switchport mode trunk
switchport trunk allowed vlan 100,200,300,400
switchport trunk native vlan 1
```
---
## Unifi Router/Gateway Configuration
### VLAN Networks Setup
```
Network: Management (VLAN 100)
├─ VLAN ID: 100
├─ Subnet: 10.10.1.0/24
├─ Gateway: 10.10.1.254 (Unifi router)
├─ DHCP: Disabled (static IPs only)
└─ Purpose: Proxmox management access
Network: Red Team (VLAN 200)
├─ VLAN ID: 200
├─ Subnet: 10.10.2.0/24
├─ Gateway: 10.10.2.1 (pfSense handles routing)
├─ DHCP: Disabled (pfSense provides DHCP)
└─ Purpose: Isolated attacker network
Network: Blue Team (VLAN 300)
├─ VLAN ID: 300
├─ Subnet: 10.10.3.0/24
├─ Gateway: 10.10.3.1 (pfSense handles routing)
├─ DHCP: Disabled (static IP for Security Onion)
└─ Purpose: Monitoring and SIEM
Network: Victim (VLAN 400)
├─ VLAN ID: 400
├─ Subnet: 10.10.4.0/24
├─ Gateway: 10.10.4.1 (pfSense handles routing)
├─ DHCP: Provided by DC01 (10.10.4.10)
└─ Purpose: Target systems
```
**Inter-VLAN Routing**: Handled by pfSense VM (VLANs 200-400)
**Internet Access**: Routed through Unifi → pfSense NAT
---
## Proxmox Network Configuration
### Linux Bridge Configuration (vmbr0)
```bash
# /etc/network/interfaces
auto lo
iface lo inet loopback
# Physical interface
auto ens18
iface ens18 inet manual
# VLAN-aware bridge
auto vmbr0
iface vmbr0 inet static
address 10.10.1.1/24
gateway 10.10.1.254
bridge-ports ens18
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 100 200 300 400
```
### VM Network Configuration Examples
**pfSense VM**:
- **Net0**: vmbr0, VLAN 100 (WAN/Management)
- **Net1**: vmbr0, VLAN 200 (Red Team)
- **Net2**: vmbr0, VLAN 300 (Blue Team)
- **Net3**: vmbr0, VLAN 400 (Victim)
**Kali Linux VM**:
- **Net0**: vmbr0, VLAN 200
**Security Onion VM**:
- **Net0**: vmbr0, VLAN 300
**DC01 / WS01 / WS02 / WEB01 / FILE01**:
- **Net0**: vmbr0, VLAN 400
---
## IP Address Allocation Table
| VLAN | Network | Device | IP Address | Role |
|------|----------------|-------------------|---------------|---------------------|
| 100 | 10.10.1.0/24 | Proxmox Host | 10.10.1.1 | Hypervisor |
| 100 | 10.10.1.0/24 | pfSense WAN | 10.10.1.2 | Internal router |
| 100 | 10.10.1.0/24 | Unifi Router | 10.10.1.254 | Gateway/Internet |
| 200 | 10.10.2.0/24 | pfSense (RED) | 10.10.2.1 | VLAN 200 gateway |
| 200 | 10.10.2.0/24 | Kali Linux | 10.10.2.50 | Attacker workstation|
| 300 | 10.10.3.0/24 | pfSense (BLUE) | 10.10.3.1 | VLAN 300 gateway |
| 300 | 10.10.3.0/24 | Security Onion | 10.10.3.100 | SIEM/IDS |
| 400 | 10.10.4.0/24 | pfSense (VICTIM) | 10.10.4.1 | VLAN 400 gateway |
| 400 | 10.10.4.0/24 | DC01 | 10.10.4.10 | Domain Controller |
| 400 | 10.10.4.0/24 | WS01 | 10.10.4.20 | HR Workstation |
| 400 | 10.10.4.0/24 | WS02 | 10.10.4.21 | IT Admin Workstation|
| 400 | 10.10.4.0/24 | WEB01 | 10.10.4.30 | Web App Server |
| 400 | 10.10.4.0/24 | FILE01 | 10.10.4.40 | Legacy File Server |
---
## Security Isolation Matrix
| From VLAN | To VLAN 100 | To VLAN 200 | To VLAN 300 | To VLAN 400 | Internet |
|-----------|-------------|-------------|-------------|-------------|----------|
| **100** (Mgmt) | ✅ Allow | ✅ Allow | ✅ Allow | ✅ Allow | ✅ Allow |
| **200** (Red) | ❌ Deny | ✅ Allow | ❌ Deny | 🔶 Lab-based | ✅ Allow |
| **300** (Blue) | ✅ Allow | ❌ Deny | ✅ Allow | 👁️ Monitor only | ✅ Allow |
| **400** (Victim) | ❌ Deny | ❌ Deny | ❌ Deny | ✅ Allow | ✅ Allow |
**Legend**:
- ✅ Allow - Traffic permitted
- ❌ Deny - Traffic blocked by default
- 🔶 Lab-based - Enabled per exercise (pfSense rules)
- 👁️ Monitor only - SPAN/mirror traffic for IDS
---
## Traffic Mirroring for IDS (Security Onion)
To enable Security Onion to monitor VLAN 400 traffic:
### Option 1: pfSense Packet Capture
```bash
# On pfSense, enable packet mirroring to Security Onion
# Diagnostics → Packet Capture → Mirror to 10.10.3.100
```
### Option 2: Cisco Switch SPAN Port
```cisco
! Configure SPAN to mirror VLAN 400 to Security Onion monitoring port
monitor session 1 source vlan 400
monitor session 1 destination interface GigabitEthernet0/10
! Connect Security Onion monitoring interface to Gi0/10
```
### Option 3: Proxmox TAP Interface
- Create virtual TAP between VLAN 400 bridge and Security Onion
- Security Onion gets promiscuous interface for passive monitoring
---
## Quick Setup Checklist
### Physical Infrastructure
- [ ] Connect Proxmox server to Cisco switch via trunk port
- [ ] Connect Cisco switch to Unifi router via trunk port
- [ ] Configure VLANs 100, 200, 300, 400 on Cisco switch
- [ ] Enable VLAN-aware bridge on Proxmox (vmbr0)
### Unifi Router
- [ ] Create VLAN networks (100, 200, 300, 400)
- [ ] Set subnet for each VLAN (10.10.x.0/24)
- [ ] Configure firewall rules (optional - pfSense handles most)
### Proxmox Configuration
- [ ] Edit `/etc/network/interfaces` with VLAN-aware bridge
- [ ] Reboot Proxmox host
- [ ] Verify bridge with: `ip link show vmbr0`
### pfSense VM Deployment
- [ ] Create pfSense VM with 4 network interfaces
- [ ] Assign interfaces: vtnet0-3 to VLANs 100, 200, 300, 400
- [ ] Configure WAN (VLAN 100): 10.10.1.2
- [ ] Configure LAN interfaces for other VLANs (.1 addresses)
- [ ] Set up firewall rules per module requirements
### VM Deployment
- [ ] Deploy Kali Linux on VLAN 200
- [ ] Deploy Security Onion on VLAN 300
- [ ] Deploy victim systems on VLAN 400 (DC01, WS01, WS02, WEB01, FILE01)
- [ ] Configure static IPs per allocation table
- [ ] Join Windows systems to apophis.local domain
### Verification Tests
- [ ] Ping test: Kali → pfSense (10.10.2.1) ✅
- [ ] Ping test: Kali → FILE01 (10.10.4.40) ❌ (blocked by default)
- [ ] Ping test: Security Onion → pfSense (10.10.3.1) ✅
- [ ] DNS resolution: DC01 resolves apophis.local
- [ ] IDS test: Generate Suricata alert from Kali scan
- [ ] Web UI access: pfSense (10.10.1.2), Security Onion (10.10.3.100)
---
## Diagram for Visual Tools
If you want to create a visual diagram, use these tools:
### Recommended Tools:
1. **Draw.io** (diagrams.net) - Free, exports to PNG/SVG
2. **Lucidchart** - Professional network diagrams
3. **Microsoft Visio** - Enterprise standard
4. **Netbox** - Network documentation platform
### Import Template:
Copy this structure into your diagram tool:
**Physical Layer**:
- Internet → Unifi Router → Cisco Switch → Proxmox Server
**Virtual Layer**:
- 4 VLANs (100, 200, 300, 400) connected via pfSense VM
- VMs grouped by VLAN with IP addresses
**Visual Style** (Apophis Branding):
- Use crimson (#D72638) for Red Team components
- Use cyber blue (#0056B3) for Blue Team components
- Use silver (#E0E0E2) for infrastructure
- Use obsidian (#1B1B1E) for victim network
- Sharp corners (no rounded edges)
---
## Troubleshooting
### Issue: VMs can't communicate across VLANs
- **Check**: pfSense firewall rules allow traffic
- **Check**: VLAN tags correctly assigned in Proxmox VM config
- **Check**: Cisco switch trunk allows all VLANs
### Issue: Security Onion not seeing traffic
- **Check**: SPAN/mirror configured on switch or pfSense
- **Check**: Promiscuous mode enabled on monitoring interface
- **Check**: Suricata/Zeek services running
### Issue: Domain join fails (VLAN 400)
- **Check**: DC01 DNS configured (10.10.4.10)
- **Check**: pfSense allows DNS/Kerberos (ports 53, 88, 389)
- **Check**: Time sync between DC01 and workstations
### Issue: Kali can't reach victim network
- **Expected**: By default, VLAN 200 → 400 is blocked
- **Fix**: Enable pfSense rule per lab module requirements
---
## Notes
- **Isolation**: Red Team (VLAN 200) is isolated from victim network by default
- **Lab Control**: Enable/disable Red Team access via pfSense firewall rules per module
- **Monitoring**: All inter-VLAN traffic logged for Blue Team analysis
- **Internet Access**: All VLANs can reach Internet via Unifi router NAT (for updates)
- **Management**: Access Proxmox/pfSense from VLAN 100 only
**Security**: This lab is intentionally vulnerable. Do NOT expose to public Internet.
---
## Next Steps
1. **Review**: `.claude/MOD1_Secure_Infrastructure.md` for detailed pfSense setup
2. **Deploy**: Follow VM installation guides in each module
3. **Test**: Run connectivity tests before starting MOD2
4. **Snapshot**: Create baseline snapshots after initial setup
**"Order from Chaos"** 🐍 - Apophis Networking Security Lab