Home - RidwanHaque/CyberSecurityLab-SOC-Honeynet-on-Azure GitHub Wiki
Welcome to the Cybersecurity-Homelab wiki!
This page is a comprehensive project plan for building a cybersecurity home lab with Docker, based on the decision to use Docker and on the information from the project's video resources.
Project: The Comprehensive Docker-Based Cybersecurity Home Lab
This project will guide you through creating a secure, isolated, and multi-functional cybersecurity home lab using Docker. The lab will be capable of offensive penetration testing, defensive security monitoring with a SIEM, software reverse engineering with Ghidra, and preparing for Capture the Flag (CTF) competitions.
Phase 1: Foundational Docker Environment Setup
Objective: Install Docker and create a secure, isolated network for your lab components to communicate without exposing them to your home network or the internet.
Key Activities:
- Install Docker Desktop: Download and install Docker Desktop for your operating system (Windows, macOS, or Linux). This provides the core engine and command-line tools needed to manage containers.
- Verify Installation: Open a terminal or command prompt and run `docker --version` and `docker-compose --version` to ensure everything is installed correctly.
- Create an Isolated Network: Before launching any containers, create a dedicated Docker network. This is the most critical step for safety, as it ensures your vulnerable machines cannot be reached from the outside and your attack traffic stays within the lab.
  - Command: `docker network create --driver bridge isolated_lab_net`
Phase 2: Deploying Attacker and Target Machines
Objective: Launch your primary attacker machine (Kali Linux) and a vulnerable target machine (Metasploitable), connecting both to your isolated network.
Key Activities:
- Deploy Kali Linux Container:
  - Pull the official Kali Linux image from Docker Hub: `docker pull kalilinux/kali-rolling`
  - Launch the Kali container and connect it to your lab network. Keep this terminal window open to access your Kali instance:
    - Command: `docker run -it --network isolated_lab_net --name kali -h kali kalilinux/kali-rolling /bin/bash`
  - Inside the running container, install the default set of tools and Ghidra. The base image is minimal, so you must add the tools you need.
    - Commands:

      ```sh
      apt update && apt upgrade -y
      apt install -y kali-linux-default ghidra
      ```

  - Note on Graphical Tools: Tools like Ghidra and Wireshark have graphical interfaces. To use them, you will need to set up a VNC server within the Kali container or configure X11 forwarding, which is an advanced but powerful technique for running graphical Linux apps on your host machine.
- Deploy a Vulnerable Target Machine:
  - Pull a pre-made vulnerable container like Metasploitable from Docker Hub.
    - Command: `docker pull tleemcjr/metasploitable2`
  - Launch the Metasploitable container on the same isolated network so your Kali container can see it.
    - Command: `docker run -d --network isolated_lab_net --name target-meta tleemcjr/metasploitable2`
  - Find the target's IP address, which you will need for your attacks.
    - Command: `docker inspect target-meta | grep "IPAddress"`
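The network and launch commands from Phases 1 and 2, gathered into one guarded launcher script. This is an added example, not the wiki's own code: it uses the image and container names from this page, adds `--internal` to the lab network (a hardening step beyond the page's plain bridge, so a compromised target has no route out of the lab) and refuses any `docker run` flags that would publish ports, join the host network or mount the Docker socket, since any of those would undo the isolation that Phase 1 relies on. The script name `lab.sh` and its subcommands are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): guarded launch helpers for the lab containers.
# Assumptions: image and container names are the ones used on this page; "--internal"
# is a hardening step beyond the page's plain bridge network; "lab.sh" is a made-up name.
LAB_NET="${LAB_NET:-isolated_lab_net}"

# validate_run_args inspects the arguments of a planned "docker run" and refuses
# anything that would break lab isolation or hand the container host privileges.
validate_run_args() {
  prev=""; net=""
  for arg in "$@"; do
    case "$arg" in
      -p*|-P|--publish|--publish=*|--publish-all)
        echo "refused: '$arg' would publish a lab port on the host" >&2; return 1 ;;
      --privileged|--network=host|--net=host|--pid=host|--ipc=host)
        echo "refused: '$arg' grants host-level access" >&2; return 1 ;;
      --network=*|--net=*) net="${arg#*=}" ;;
      host)
        case "$prev" in
          --network|--net|--pid|--ipc)
            echo "refused: '$prev host' grants host-level access" >&2; return 1 ;;
        esac ;;
      *docker.sock*)
        echo "refused: mounting the Docker socket is root on the host" >&2; return 1 ;;
    esac
    case "$prev" in --network|--net) net="$arg" ;; esac
    prev="$arg"
  done
  if [ "$net" != "$LAB_NET" ]; then
    echo "refused: container must join $LAB_NET (got '${net:-none}')" >&2; return 1
  fi
  return 0
}

# run_in_lab validates first, then hands the same arguments to docker run.
run_in_lab() {
  validate_run_args "$@" || return 1
  docker run "$@"
}

create_lab_net() {
  if docker network inspect "$LAB_NET" >/dev/null 2>&1; then
    echo "network $LAB_NET already exists"
  else
    # --internal removes the NAT route to the outside: no egress for a compromised target.
    docker network create --driver bridge --internal "$LAB_NET"
  fi
}

launch_kali()   { run_in_lab -it --network "$LAB_NET" --name kali -h kali kalilinux/kali-rolling /bin/bash; }
launch_target() { run_in_lab -d --network "$LAB_NET" --name target-meta tleemcjr/metasploitable2; }

# Tool installation needs internet access, which an internal network denies. Attach Kali
# to Docker's default bridge only for the duration of "apt install", then detach again.
kali_online()  { docker network connect bridge kali; }
kali_offline() { docker network disconnect bridge kali; }

# target_ip prints the target's address on the lab network (a template instead of grep).
target_ip() { docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' target-meta; }

case "${1:-}" in
  net) create_lab_net ;;  kali) launch_kali ;;  target) launch_target ;;
  online) kali_online ;;  offline) kali_offline ;;  ip) target_ip ;;
  "") : ;;  # no subcommand: only define the functions (e.g. when sourced)
  *) echo "usage: $0 {net|kali|target|online|offline|ip}" >&2 ;;
esac
```

Run `sh lab.sh net`, then `sh lab.sh kali`. Because an internal network has no route out, run `sh lab.sh online` from a second terminal before the `apt install` step and `sh lab.sh offline` once it finishes; `sh lab.sh target` and `sh lab.sh ip` launch and locate Metasploitable. The validator is deliberately strict: a target that is reachable from your LAN through a published port is no longer a lab machine.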
Phase 3: Offensive Security Practice (Ethical Hacking)
Objective: Use the tools in your Kali container to simulate a full penetration test against the Metasploitable target.
Key Activities:
- Reconnaissance: From your Kali container's command line, use Nmap to scan the target machine's IP address to discover open ports and running services.
  - Example Command: `nmap -sV -A <target-ip>` (substitute the address found with `docker inspect`)
- Vulnerability Analysis: Review the Nmap scan results to identify a service with a known vulnerability (e.g., an outdated FTP server or web application).
- Exploitation: Launch the Metasploit Framework (`msfconsole`) inside your Kali container. Search for an exploit that matches the vulnerability you found and use it to gain a shell (remote control) on the Metasploitable container.
- Post-Exploitation & Reverse Engineering: Once you have access, practice navigating the compromised system. If you find custom programs or suspicious files (common in CTFs), use Ghidra to decompile and analyze them to understand their function.
Phase 4: Defensive Security and SIEM Implementation
Objective: Build a Security Information and Event Management (SIEM) system to monitor your lab network, detect your own attacks, and learn defensive security principles.
Key Activities:
- Deploy the ELK Stack (SIEM): The Elastic Stack (Elasticsearch, Logstash, Kibana) is a powerful, open-source SIEM. The easiest way to deploy it is using a pre-configured `docker-compose.yml` file, which can launch all three services at once.
- Configure Log Forwarding: Deploy a log shipper like Filebeat. You can run it as another container configured to collect logs from your target machine (Metasploitable). You will need to configure Filebeat to send these logs to your Logstash or Elasticsearch container.
- Detect Attacks: With the SIEM running and receiving logs, access the Kibana web interface in your browser, then launch an Nmap scan or a Metasploit attack from your Kali container again.
- Analyze and Visualize: Watch the logs from your attack appear in Kibana in real time. Practice searching the data and creating dashboards to visualize security events like failed login attempts, port scans, and command execution on the target. This provides direct insight into how a Security Operations Center (SOC) analyst works.
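A compose bundle for the "Deploy the ELK Stack" and "Configure Log Forwarding" steps above, as an added example rather than the wiki's own file. It assumes Elastic 8.x images from docker.elastic.co (the `8.12.0` tag is an assumption; any 8.x tag with the same image names should behave the same) and that the target's output reaches Filebeat through the JSON log files the Docker daemon keeps under `/var/lib/docker/containers`, so the target needs no agent and the SIEM needs no Docker socket. Logstash is omitted because Filebeat writes straight to Elasticsearch, which the page lists as the alternative. Two settings are deliberate: Kibana is published on 127.0.0.1 only, and Elastic security is switched off, which is tolerable here only because nothing but these three containers can reach port 9200.

```shell
#!/bin/sh
# Added example (not from the wiki): writes a minimal Elastic Stack + Filebeat bundle for Phase 4.
# Assumptions: Elastic 8.x images under docker.elastic.co (8.12.0 is an assumed tag); Filebeat reads
# the JSON log files the Docker daemon writes for every container, so the target prints reach Kibana.
SIEM_DIR="${SIEM_DIR:-./siem}"
ELASTIC_VERSION="${ELASTIC_VERSION:-8.12.0}"

write_siem_files() {
  mkdir -p "$SIEM_DIR"
  cat > "$SIEM_DIR/docker-compose.yml" <<EOF
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false   # lab shortcut: no TLS or passwords between the three services
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
    networks: [siem_net]
  kibana:
    image: docker.elastic.co/kibana/kibana:${ELASTIC_VERSION}
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    ports:
      - "127.0.0.1:5601:5601"          # loopback only: the dashboard must not be reachable from the LAN
    depends_on: [elasticsearch]
    networks: [siem_net]
  filebeat:
    image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION}
    user: root                         # needed to read the daemon's log directory
    command: ["filebeat", "-e", "--strict.perms=false"]
    volumes:
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
    depends_on: [elasticsearch]
    networks: [siem_net]
networks:
  siem_net: {}
EOF
  cat > "$SIEM_DIR/filebeat.yml" <<'EOF'
filebeat.inputs:
  - type: container
    paths:
      - /var/lib/docker/containers/*/*.log
output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
setup.kibana:
  host: "http://kibana:5601"
EOF
}

# siem_bundle_ok fails if the generated files are missing or undo the hardening choices above.
siem_bundle_ok() {
  c="$SIEM_DIR/docker-compose.yml"
  [ -s "$c" ] && [ -s "$SIEM_DIR/filebeat.yml" ] || return 1
  grep -q '"127.0.0.1:5601:5601"' "$c" || return 1     # Kibana bound to loopback
  ! grep -q 'docker.sock' "$c" || return 1             # no Docker socket handed to the SIEM
  ! grep -Eq '"[0-9]+:[0-9]+"' "$c" || return 1        # no published port bound to every interface
}

siem_up() { write_siem_files && siem_bundle_ok && (cd "$SIEM_DIR" && docker compose up -d); }

if [ "${1:-}" = "up" ]; then siem_up; fi
```

`sh siem.sh up` writes the two files and starts the stack; Kibana is then at http://127.0.0.1:5601 on the host only. Because the SIEM sits on its own compose network rather than on `isolated_lab_net`, it is not a reachable host from Kali or the target, and an `--internal` lab network does not interfere with Kibana's published port. Only what the target writes to its stdout/stderr arrives this way; to ship files such as the target's `/var/log/auth.log` you would additionally mount that directory into the Filebeat container and add a `log` input for it.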
Phase 5: Advanced Practice and CTF Preparation
Objective: Leverage your completed lab to tackle advanced challenges and prepare for real-world scenarios.
Key Activities:
- Expand Your Target Library: Find other Docker-based vulnerable machines on platforms like Docker Hub and VulnHub. Practice against targets designed to test specific skills, such as web application attacks (XSS, SQLi) or binary exploitation.
- CTF Challenges: Use your lab to solve CTF challenges. Many CTFs can be run locally as Docker containers. Your setup with Kali, Ghidra, and Wireshark is a perfect environment for this.
- Incident Response Simulation: Create detection rules in your SIEM. Trigger an alert with an attack and then use your tools to perform a mock incident response: identify the malicious activity, trace the attacker's steps through the logs, and document your findings.
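For the "Detect Attacks" and "Analyze and Visualize" steps of Phase 4 and the detection rules of the incident-response exercise above, an added example (not the wiki's own) of the kind of rule you would build in Kibana, written as a shell/awk filter so it runs offline. It reads `sshd` lines in the syslog format OpenSSH writes to `/var/log/auth.log`, counts failed passwords per source address, and reports every source that reaches a threshold, noting whether a successful login followed the burst (the signature of a password-guessing attack that worked). The log lines are constructed sample data and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki): a "failed login burst" detection rule over sshd log lines.
# Sample lines are constructed; the threshold is an assumption and can be overridden per run.
THRESHOLD="${THRESHOLD:-5}"

# Constructed sample: a password-guessing burst from 172.18.0.3 ending in one success,
# one stray failure from 172.18.0.9, and an unrelated cron line that must be ignored.
SAMPLE_AUTH_LOG='Mar  3 10:14:01 target-meta sshd[2231]: Failed password for invalid user admin from 172.18.0.3 port 40122 ssh2
Mar  3 10:14:02 target-meta sshd[2233]: Failed password for invalid user admin from 172.18.0.3 port 40124 ssh2
Mar  3 10:14:03 target-meta sshd[2235]: Failed password for root from 172.18.0.3 port 40126 ssh2
Mar  3 10:14:04 target-meta sshd[2237]: Failed password for root from 172.18.0.3 port 40128 ssh2
Mar  3 10:14:05 target-meta sshd[2239]: Failed password for msfadmin from 172.18.0.3 port 40130 ssh2
Mar  3 10:14:06 target-meta sshd[2241]: Failed password for msfadmin from 172.18.0.3 port 40132 ssh2
Mar  3 10:14:09 target-meta sshd[2245]: Accepted password for msfadmin from 172.18.0.3 port 40138 ssh2
Mar  3 10:20:00 target-meta sshd[2301]: Failed password for root from 172.18.0.9 port 51000 ssh2
Mar  3 10:21:00 target-meta CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)'

# detect_bruteforce reads auth.log lines on stdin and prints one alert per source address that
# reached the threshold, as "<ip> <failures> <login-succeeded-after-failures: yes|no>".
detect_bruteforce() {
  awk -v threshold="$THRESHOLD" '
    /sshd\[[0-9]+\]: Failed password/ {
      # the source address is the field after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    /sshd\[[0-9]+\]: Accepted password/ {
      # a success is only interesting when that address failed earlier
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); if (fails[ip] > 0) success[ip] = 1; break }
    }
    END {
      for (ip in fails) if (fails[ip] >= threshold) {
        flag = (ip in success) ? "yes" : "no"
        printf "%s %d %s\n", ip, fails[ip], flag
      }
    }' | sort
}

# scan_sample runs the rule over the constructed lines; redirect stdin from a real
# auth.log (or a Kibana CSV export) to use detect_bruteforce unchanged.
scan_sample() { printf '%s\n' "$SAMPLE_AUTH_LOG" | detect_bruteforce; }

if [ "${1:-}" = "demo" ]; then scan_sample; fi
```

`sh detect.sh demo` prints `172.18.0.3 6 yes`: six failures and then a success from the Kali container's address, which is exactly the event you would want an alert and a dashboard panel for. The single failure from 172.18.0.9 stays below the threshold, and the cron line never matches. In Kibana the same rule is a saved query on the sshd message field grouped by source address with a count threshold; the awk version makes the logic explicit so you can check the rule's output before trusting a dashboard.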