My personal sandbox environment for testing out new security tools and vulnerable applications, and for use in CTFs. Feel free to use this for your own studying or enjoyment!
There are only two requirements to get up and running:
Once you've got a virtualization solution and HashiCorp Vagrant set up, you're ready to go.
Set up the Vagrant box and bootstrap it with my preferred directory structure and workspace environment.
# Clone the repository with the GitHub CLI
gh repo clone brittonhayes/security-sandbox
# Start up the primary Kali machine
vagrant up
# The login is
username: vagrant
password: vagrant
To view the available helper commands, use make help.
❯ make help
Usage:
kali Build the Kali box
sandbox Build the whole sandbox
teardown Tear down the sandbox
destroy Destroy the sandbox
This virtual environment comes with a few testing labs available. Pick your flavor!
The Kali box comes with tor and proxychains set up on boot, so feel free to chain requests through there first.
# Check tor service
systemctl status tor
# Run a port scan against scanme.nmap.org
# through a tor proxy
proxychains nmap -sT -Pn scanme.nmap.org
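Before relying on the chain, it helps to confirm what proxychains will actually do. The script below is an added example, not part of this repository: it audits a proxychains config for two settings that decide whether traffic really stays inside Tor. It assumes Tor's default SOCKS listener (127.0.0.1:9050); the function name and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the sandbox repo): audit a proxychains config.
# Assumption: Tor listens on its default SOCKS address, 127.0.0.1:9050.

# audit_proxychains [FILE] -> one finding per line; exit status 0 only if clean.
# Reads stdin when no FILE is given.
audit_proxychains() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        $0 == "" { next }
        $0 == "[ProxyList]" { in_list = 1; next }
        !in_list && $1 == "proxy_dns" { dns = 1; next }
        in_list {
            entries++
            # Anything other than a SOCKS hop on the local Tor port is flagged.
            if ($1 !~ /^socks[45]$/ || $2 != "127.0.0.1" || $3 != "9050")
                bad[++nbad] = $0
        }
        END {
            rc = 0
            if (!dns)     { print "FAIL proxy_dns is off: DNS lookups bypass the proxy"; rc = 1 }
            if (!entries) { print "FAIL [ProxyList] has no entries"; rc = 1 }
            for (i = 1; i <= nbad; i++) { print "FAIL non-Tor proxy entry: " bad[i]; rc = 1 }
            if (!rc) print "OK " entries " proxy entries, all local Tor SOCKS, proxy_dns on"
            exit rc
        }
    ' "$@"
}

# Constructed sample configs (not copied from the Kali box).
GOOD_CONF='strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 9050'

WEAK_CONF='strict_chain
#proxy_dns
[ProxyList]
socks4 127.0.0.1 9050
http 203.0.113.7 8080'

# Demo: audit both samples; the weak one reports two findings.
printf '%s\n' "$GOOD_CONF" | audit_proxychains || true
printf '%s\n' "$WEAK_CONF" | audit_proxychains || true
```

On the box itself, pass the config path as the argument; the path depends on the installed proxychains package, so check where yours lives first.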
# Start up juiceshop
vagrant up juiceshop
# Navigate to http://192.168.33.20
# Start up DVWA
vagrant up dvwa
# Navigate to http://192.168.33.30
# Start up Metasploitable
vagrant up metasploitable
# Navigate to http://192.168.33.40
If you're looking for a good blue team environment to pair with this sandbox, I recommend a Detection Lab deployment.
Setup instructions can be found here: Detection Lab Deployment Instructions
If you'd like to collaborate with others on any of the vulnerable web applications, you can use vagrant share right in the command line. This will create a URL that you can give to anyone and will route directly into your chosen Vagrant environment.
This utilizes a service called ngrok. For more information, visit ngrok's documentation.
# Install the plugin
vagrant plugin install vagrant-share
# Share your environment
vagrant share