# Building a Modern Red Team Lab: Tools, Infrastructure & Automation

## Introduction

Every successful red team operation starts with a robust practice environment. In 2026, a professional red team lab isn't just a collection of Kali Linux VMs. It is a sophisticated, automated infrastructure that mirrors real-world enterprise environments while enabling continuous skill development and tool testing.

This comprehensive guide covers everything you need to build a state-of-the-art red team lab that supports:

- Offensive Tool Development & Testing
- C2 Infrastructure Deployment
- Attack Technique Practice
- Team Training & Certification Prep
- Automated Security Research

## Lab Architecture Overview

### Three-Tier Design

Tier 1: Attack Infrastructure
- Kali Linux / Parrot OS workstations
- C2 servers (Cobalt Strike, Metasploit, Havoc, Mythic)
- Redirectors and domain fronting infrastructure
- Phishing infrastructure (GoPhish, Evilginx2)

Tier 2: Target Environment
- Vulnerable applications (DVWA, WebGoat, HackTheBox-style machines)
- Enterprise simulation (Active Directory, Exchange, SharePoint)
- Cloud environments (AWS, Azure, GCP)
- OT/ICS simulators (SCADA, PLC networks)

Tier 3: Monitoring & Analysis
- Security monitoring (SIEM, EDR, NDR)
- Traffic analysis (Wireshark, Zeek, Suricata)
- Logging infrastructure (ELK stack)
- Threat intelligence platforms

### Network Topology

```
┌─────────────────────────────────────────────────────┐
│                      Internet                       │
└──────────────────┬──────────────────────────────────┘
                   │
            ┌──────▼────────┐
            │  DMZ Network  │
            │ (Redirectors) │
            └──────┬────────┘
                   │
     ┌─────────────┴─────────────┐
     │                           │
┌────▼─────┐            ┌────────▼───────┐
│  Attack  │            │     Target     │
│  Network │◄──────────►│  Environment   │
│(Isolated)│  Firewall  │   (Isolated)   │
└────┬─────┘            └────────┬───────┘
     │                           │
     │      ┌──────────────┐     │
     └─────►│  Monitoring  │◄────┘
            │   Network    │
            └──────────────┘
```

The attack and target networks only talk to each other through the firewall, and neither has a default route to the internet: the DMZ redirectors are the one place where lab traffic meets the outside world.
## Essential Tools & Software

### Offensive Operations

Reconnaissance & OSINT:

```bash
# Install reconnaissance toolkit. Kali packages most of these; httprobe,
# waybackurls, gau and gospider are Go tools, so if your distro does not
# ship them install them with `go install` from their GitHub repositories.
sudo apt install -y nmap masscan amass subfinder assetfinder httprobe waybackurls gau gospider

# OSINT frameworks
git clone https://github.com/laramies/theHarvester
git clone https://github.com/smicallef/spiderfoot
git clone https://github.com/s0md3v/Photon
```
Exploitation Frameworks:

```bash
# Metasploit (pre-installed on Kali)
msfconsole

# Covenant C2
docker pull covenant/covenant
docker run -it -p 7443:7443 covenant/covenant

# Sliver C2 - this is the upstream one-liner. Piping a remote script into
# sudo bash is a supply-chain risk on a box that will hold your C2 keys:
# download the script first, read it, and verify the release binary's
# checksum/signature before running it on a team server.
curl https://sliver.sh/install | sudo bash

# Havoc C2 (built from source; follow the repository README for dependencies)
git clone https://github.com/HavocFramework/Havoc.git
```
Web Application Testing:

```bash
# Burp Suite Professional (commercial)
# Download from: https://portswigger.net/burp

# OWASP ZAP (free alternative)
sudo apt install zaproxy

# SQLMap
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git

# Nuclei - template-based vulnerability scanner
# (v3 module path; the older .../nuclei/v2/... path is obsolete)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
```
Post-Exploitation:

```bash
# Mimikatz (Windows credential dumping) - runs on the Windows targets, not on Kali
# Download from: https://github.com/gentilkiwi/mimikatz

# BloodHound (AD enumeration)
sudo apt install bloodhound neo4j

# Impacket (network protocol toolkit; the repository moved from SecureAuthCorp to fortra)
git clone https://github.com/fortra/impacket.git
pipx install ./impacket   # plain pip3 is blocked by PEP 668 on current Kali/Debian unless you use a venv
# or use the distro package on Kali:
# sudo apt install python3-impacket
```
### Infrastructure Automation

Terraform for Lab Deployment:

```hcl
# main.tf - Deploy Red Team Lab in AWS
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# VPC for isolated lab environment
resource "aws_vpc" "red_team_lab" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "RedTeamLab"
  }
}

# Attack subnet
resource "aws_subnet" "attack_subnet" {
  vpc_id            = aws_vpc.red_team_lab.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"

  tags = {
    Name = "AttackSubnet"
  }
}

# Target subnet
resource "aws_subnet" "target_subnet" {
  vpc_id            = aws_vpc.red_team_lab.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1a"

  tags = {
    Name = "TargetSubnet"
  }
}

# Look up the current Ubuntu 22.04 AMI instead of hard-coding an ID: AMI IDs
# are region-specific and rotate as Canonical publishes updates.
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }
}

# Only the attack subnet may reach the DVWA target; nothing is exposed to the internet.
resource "aws_security_group" "target_sg" {
  name   = "target-from-attack-only"
  vpc_id = aws_vpc.red_team_lab.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_subnet.attack_subnet.cidr_block]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # needed only while user_data pulls packages; tighten afterwards
  }
}

# Kali Linux instance
resource "aws_instance" "kali_linux" {
  ami           = "ami-0a0c6574ce16ce87a" # Kali Linux AMI (Marketplace): accept the listing terms and use the ID for your region
  instance_type = "t3.medium"
  subnet_id     = aws_subnet.attack_subnet.id

  user_data = <<-EOF
    #!/bin/bash
    export DEBIAN_FRONTEND=noninteractive
    apt update && apt upgrade -y
    apt install -y metasploit-framework
  EOF

  tags = {
    Name = "KaliAttackBox"
  }
}

# Vulnerable target (DVWA). Note: the subnets above have no internet gateway or NAT,
# so this bootstrap only succeeds if you add a route out (and remove it once built).
resource "aws_instance" "dvwa_target" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.target_subnet.id
  vpc_security_group_ids = [aws_security_group.target_sg.id]

  user_data = <<-EOF
    #!/bin/bash
    apt update
    apt install -y docker.io
    docker run -d -p 80:80 vulnerables/web-dvwa
  EOF

  tags = {
    Name = "DVWA-Target"
  }
}
```
### Docker-Based Lab Deployment

Docker Compose for Instant Lab:

```yaml
# docker-compose.yml
# (the top-level "version:" key is obsolete with Compose v2 and can be dropped)
services:
  # Kali Linux container - attached to both networks so it can actually reach
  # the targets. With only redteam-attack it cannot: the two bridges are not routed.
  kali:
    image: kalilinux/kali-rolling
    container_name: kali-attacker
    hostname: kali
    networks:
      - redteam-attack
      - redteam-target
    volumes:
      - ./tools:/opt/tools
      - ./loot:/root/loot
    tty: true
    stdin_open: true

  # Command & Control Server (Sliver). It also needs to sit on the target
  # network, otherwise implants on the targets have no route back to it.
  c2-sliver:
    image: bishopfox/sliver
    container_name: sliver-c2
    ports:
      - "127.0.0.1:31337:31337"  # operator (multiplayer) port - never expose this beyond localhost/VPN
      - "8888:8888"              # mTLS implant listener (Sliver default)
    networks:
      - redteam-attack
      - redteam-target
    volumes:
      - sliver-data:/root/.sliver

  # Vulnerable Web App (DVWA)
  dvwa:
    image: vulnerables/web-dvwa
    container_name: dvwa-target
    ports:
      - "127.0.0.1:8080:80"  # host-only; Kali reaches it as dvwa:80 on redteam-target
    networks:
      - redteam-target

  # Metasploitable 3 is distributed as Packer/Vagrant builds, so this expects an
  # image you built and tagged locally under this name.
  metasploitable:
    image: rapid7/metasploitable3-ub1404
    container_name: metasploitable3
    networks:
      - redteam-target

  # Active Directory simulation. Windows cannot run as a Linux container, so the
  # image here has to be a Samba-based AD DC (good for protocol practice); for
  # real Kerberos/NTLM behaviour use the Windows Server VM from the
  # "Active Directory Lab" section below.
  ad-dc:
    image: tecnativa/windows-ad
    container_name: ad-domain-controller
    environment:
      - DOMAIN_NAME=REDTEAM.LOCAL
      - ADMIN_PASSWORD=ComplexP@ss123!
    networks:
      - redteam-target

  # SIEM / Monitoring (Elastic Stack)
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      # 8.x enables TLS + authentication by default, and Kibana below would
      # fail to connect over plain http. Disabling it is acceptable only
      # because this network is lab-internal and bound to localhost.
      - xpack.security.enabled=false
    networks:
      - redteam-monitor
    ports:
      - "127.0.0.1:9200:9200"

  kibana:
    image: docker.elastic.co/kibana/kibana:8.11.0
    container_name: kibana
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    networks:
      - redteam-monitor
    ports:
      - "127.0.0.1:5601:5601"
    depends_on:
      - elasticsearch

networks:
  redteam-attack:
    driver: bridge
  redteam-target:
    driver: bridge
  redteam-monitor:
    driver: bridge

volumes:
  sliver-data:
```
Start the Lab:

```bash
# Compose v2 (the hyphenated docker-compose v1 binary is end-of-life)
docker compose up -d

# Access Kali container
docker exec -it kali-attacker /bin/bash

# Access DVWA from the host (use xdg-open instead of open on Linux).
# On first use log in as admin/password and click "Create / Reset Database" on /setup.php.
open http://localhost:8080

# Access Kibana monitoring
open http://localhost:5601
```
## Building Vulnerable Target Environments

### Active Directory Lab

Automate AD Lab with PowerShell:

```powershell
# AD-Lab-Setup.ps1
# Run on Windows Server 2022 as a local Administrator.
# Install-ADDSForest reboots the server, so the script is split into two stages:
# run Stage 1, wait for the reboot, then run Stage 2 as a domain administrator.

# ---- Stage 1: install AD DS and promote to Domain Controller ----
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName "redteam.local" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force) `
    -Force

# ---- Stage 2: seed deliberately weak objects (run after the reboot) ----
# Service account with an SPN and a weak, non-expiring password: Kerberoastable
New-ADUser -Name "sql_service" `
    -SamAccountName "sql_service" `
    -AccountPassword (ConvertTo-SecureString "Summer2024!" -AsPlainText -Force) `
    -ServicePrincipalNames "MSSQLSvc/sql01.redteam.local:1433" `
    -Enabled $true `
    -PasswordNeverExpires $true

# A look-alike group nested into Domain Admins: the kind of path BloodHound surfaces
New-ADGroup -Name "Domain Admins Clone" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "Domain Admins" -Members "Domain Admins Clone"
Add-ADGroupMember -Identity "Domain Admins Clone" -Members "sql_service"

# Disable SMB signing enforcement (for NTLM relay practice).
# Do this on a member server, not on the DC: the Default Domain Controllers Policy
# re-enables "Digitally sign communications (always)" at every policy refresh,
# and RequireSecuritySignature is the value that actually matters for relay.
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" -Name "EnableSecuritySignature" -Value 0
```
### Cloud Environment Targets

AWS Lab Environment (run only in a dedicated, isolated sandbox account with billing alerts; these are bash commands, so continuation lines use `\`, not the PowerShell backtick):

```bash
# Bucket names are global, so pick a unique one
BUCKET="redteam-test-bucket-$RANDOM"

# Create S3 bucket with misconfiguration (for practice)
aws s3api create-bucket --bucket "$BUCKET"

# New buckets have ACLs disabled and Block Public Access enabled by default,
# so the misconfiguration has to be switched on explicitly first
aws s3api put-bucket-ownership-controls --bucket "$BUCKET" \
  --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]'
aws s3api put-public-access-block --bucket "$BUCKET" \
  --public-access-block-configuration 'BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false'

# Make bucket publicly readable (intentional vuln)
aws s3api put-bucket-acl --bucket "$BUCKET" --acl public-read

# Create IAM user with overly permissive policy
aws iam create-user --user-name vulnerable-service-account

# Attach admin policy (intentional misconfiguration)
aws iam attach-user-policy \
  --user-name vulnerable-service-account \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Create Lambda function with secrets in environment variables
# (function.zip must contain lambda_function.py; lambda-role must already exist)
aws lambda create-function \
  --function-name vulnerable-lambda \
  --runtime python3.9 \
  --role arn:aws:iam::ACCOUNT_ID:role/lambda-role \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://function.zip \
  --environment "Variables={API_KEY=supersecretkey123,DB_PASSWORD=admin123}"
```
## C2 Infrastructure Setup

### Cobalt Strike Team Server

Install and Configure:

```bash
# Install Java (Cobalt Strike 4.x requires OpenJDK 11)
sudo apt install openjdk-11-jdk

# Extract Cobalt Strike (commercial; download the distribution with your licence)
tar -xvzf cobaltstrike-dist.tgz
cd cobaltstrike

# Start team server
sudo ./teamserver [your-ip] [password] [malleable-c2-profile]

# Example:
sudo ./teamserver 192.168.1.100 MySecurePassword ./c2-profiles/amazon.profile
```

The team server accepts operator clients on TCP 50050. Never expose that port to the internet: firewall it to operator addresses or reach it over a VPN/SSH tunnel, and use a long random password. An open 50050 port with the stock TLS certificate is a well-known fingerprint that internet scanners use to find team servers.
Malleable C2 Profile Example (shapes beacon traffic to resemble amazon.com requests; the Host header alone does not give you domain fronting, since the major CDNs block fronting, so treat this as traffic shaping unless you control the front domain):

```
# Amazon-themed C2 profile
# 60 s between check-ins, reduced by up to 20% jitter (48-60 s)
set sleeptime "60000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

http-get {
    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";

    client {
        header "Accept" "*/*";
        header "Host" "www.amazon.com";

        metadata {
            base64;
            prepend "session-token=";
            prepend "skin=noskin;";
            append "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996";
            header "Cookie";
        }
    }

    server {
        header "Server" "Server";
        header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
        header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tm";

        output {
            base64;
            print;
        }
    }
}
```

Run `./c2lint amazon.profile` before loading a profile; it catches syntax errors and shows the exact request and response the beacon will produce, which is what your redirector filters and your own detection rules should be built from. The `http-post` block (how the beacon sends task output) is omitted here for brevity.
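From the monitoring tier's point of view the `sleeptime`/`jitter` settings above are the beacon's most visible property: every check-in to the same Host and URI lands 48 to 60 seconds after the previous one, while human browsing has no such cadence. The script below is an added example, not part of the original article or of Cobalt Strike, showing how Tier 3 can turn that into a detection. It reads a subset of Zeek `http.log` fields (ts, id.orig_h, id.resp_h, host, uri, user_agent; the column selection and thresholds are assumptions) and flags source/Host/URI triples whose inter-arrival intervals cluster tightly. The log lines are constructed, not captured: one beaconing host, one browsing host, and one host polling an update endpoint at an exact 300 s period, which the heuristic also flags, so periodic legitimate traffic has to be allow-listed.

```python
"""Beacon detection over Zeek-style http.log lines (added example)."""
import statistics
from collections import defaultdict

BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
BEACON_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"


def _line(ts, src, host, uri, ua=BEACON_UA):
    """Build one tab-separated record: ts, id.orig_h, id.resp_h, host, uri, user_agent."""
    return "\t".join([f"{ts:.3f}", src, "203.0.113.10", host, uri, ua])


# Constructed sample log (not real capture data).
# 10.0.2.15 beacons on the profile URI every 48-60 s; 10.0.2.20 is a human
# refreshing a cart page; 10.0.2.30 polls an update endpoint every 300 s exactly.
SAMPLE_HTTP_LOG = "\n".join(
    [_line(1700000000 + t, "10.0.2.15", "www.amazon.com", BEACON_URI)
     for t in (0, 55.2, 108.1, 160.9, 219.0, 270.4, 322.8, 380.0)]
    + [_line(1700000000 + t, "10.0.2.20", "www.amazon.com", "/gp/cart/view.html",
             "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36")
       for t in (10, 25, 26, 140, 141, 600, 601)]
    + [_line(1700000000 + t, "10.0.2.30", "updates.example.com", "/health")
       for t in range(0, 2100, 300)]
)


def parse_http_log(text):
    """Yield (ts, src, host, uri) from tab-separated lines; skip Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, _dst, host, uri, _ua = line.split("\t")
        yield float(ts), src, host, uri


def find_beacons(log_text, min_hits=6, min_interval=5.0, max_cv=0.3):
    """Return (src, host, uri) groups whose check-in intervals are regular enough to look like a sleep loop.

    cv is the coefficient of variation of the intervals (stdev / median); a 20%
    jitter on a 60 s sleep gives roughly 0.06, so anything under max_cv is suspicious.
    """
    hits = defaultdict(list)
    for ts, src, host, uri in parse_http_log(log_text):
        hits[(src, host, uri)].append(ts)

    findings = []
    for (src, host, uri), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        if median < min_interval:
            continue  # bursts of page assets, not a sleep loop
        cv = statistics.pstdev(intervals) / median
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "uri": uri, "hits": len(stamps),
                "median_interval": round(median, 1), "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_HTTP_LOG):
        print(f"{f['src']} -> {f['host']}{f['uri']}: {f['hits']} hits, "
              f"median {f['median_interval']}s, cv {f['cv']}")
```

Raising `jitter` in the profile widens the interval spread and pushes `cv` up, which is exactly the trade-off the red team makes when tuning a profile against a blue team running this kind of analytic; pair the interval check with the URI/User-Agent fingerprint from `c2lint` to cut the false positives from legitimate pollers.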
### Redirector Infrastructure

Apache Redirector Setup:

```bash
# Install Apache
sudo apt install apache2

# Enable required modules
sudo a2enmod rewrite proxy proxy_http ssl

# Create redirector config, then enable it and reload
sudo nano /etc/apache2/sites-available/redirector.conf
sudo a2ensite redirector
sudo systemctl reload apache2
```
Redirector Configuration:

```apache
<VirtualHost *:443>
    ServerName legitimate-looking-domain.com

    SSLEngine On
    SSLCertificateFile    /etc/letsencrypt/live/legitimate-looking-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/legitimate-looking-domain.com/privkey.pem

    # Only forward traffic that matches the beacon profile: the exact User-Agent
    # AND the profile's URI. A loose match such as "^Mozilla/5.0.*Windows NT 10.0"
    # would proxy every Windows browser and scanner straight to the team server.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36$"
    RewriteCond %{REQUEST_URI} "^/s/ref=nb_sb_noss_1/"
    RewriteRule ^(.*)$ https://real-c2-server.com$1 [P,L]

    # Redirect everyone else to a legitimate site
    RewriteRule ^(.*)$ https://www.google.com$1 [R=302,L]

    # Reverse-proxy settings used by the [P] rule. Do NOT add a blanket
    # "ProxyPass /": it would forward every request regardless of the filter above.
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPassReverse / https://real-c2-server.com/
</VirtualHost>
```

Two things to verify after deploying: that a plain browser and a `curl` with a spoofed User-Agent both land on the decoy, and that the team server's own firewall only accepts connections from the redirector's IP, so that anyone who discovers `real-c2-server.com` cannot talk to it directly.
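The Apache rules key on User-Agent and URI, but the profile gives a third signal that is much harder to guess: the exact Cookie layout built by its `metadata` block (`skin=noskin;session-token=` + base64 metadata + the fixed `csm-hit=...` suffix). The following filter is an added example, not part of the original article or of any C2 framework, that models the redirector decision with all three checks and runs it over four constructed requests: a real beacon, a Chrome browser, a scanner spoofing the beacon User-Agent, and a sandbox replaying the User-Agent and URI with a fake cookie. `MIN_METADATA_BYTES` is an assumed loose lower bound on the decoded metadata size, and `loose_ua_match` reproduces the original article's regex to show what it would have let through.

```python
"""Redirector traffic filter modelled on the malleable profile (added example)."""
import base64
import binascii
import re

BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
BEACON_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"

# Cookie produced by the profile's metadata transforms, applied in order:
# base64 -> prepend "session-token=" -> prepend "skin=noskin;" -> append "csm-hit=..."
COOKIE_RE = re.compile(
    r"^skin=noskin;session-token=([A-Za-z0-9+/=]+)"
    r"csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996$"
)
# Assumption: real beacon metadata is a fixed-size encrypted blob; 64 bytes is a
# deliberately loose sanity bound, not the exact size.
MIN_METADATA_BYTES = 64

# The original article's Apache condition, kept to show what it lets through.
LOOSE_UA_RE = re.compile(r"^Mozilla/5.0.*Windows NT 10.0", re.IGNORECASE)


def loose_ua_match(ua):
    return bool(LOOSE_UA_RE.search(ua))


def valid_beacon_cookie(cookie):
    """True only if the cookie has the profile's exact shape and carries decodable metadata."""
    m = COOKIE_RE.match(cookie or "")
    if not m:
        return False
    try:
        blob = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(blob) >= MIN_METADATA_BYTES


def classify(path, headers):
    """Return 'proxy' (forward to the team server) or 'decoy' (302 to the cover site)."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("user-agent") != BEACON_UA:
        return "decoy"
    if path != BEACON_URI:
        return "decoy"
    if not valid_beacon_cookie(h.get("cookie")):
        return "decoy"
    return "proxy"


# Constructed sample requests (not captured traffic). The beacon's metadata is a
# placeholder byte pattern, encoded the way the profile would encode it.
_fake_metadata = base64.b64encode(bytes(range(128))).decode()
SAMPLE_REQUESTS = {
    "beacon": (BEACON_URI, {
        "User-Agent": BEACON_UA,
        "Cookie": f"skin=noskin;session-token={_fake_metadata}csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996",
    }),
    "chrome": ("/", {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    }),
    "scanner_spoofed_ua": ("/.env", {"User-Agent": BEACON_UA}),
    "sandbox_replay": (BEACON_URI, {"User-Agent": BEACON_UA,
                                    "Cookie": "skin=noskin;session-token=QUJD"}),
}


def classify_samples():
    return {name: classify(path, hdrs) for name, (path, hdrs) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        ua = SAMPLE_REQUESTS[name][1]["User-Agent"]
        print(f"{name:20s} -> {verdict:5s} (loose UA rule would match: {loose_ua_match(ua)})")
```

The same three checks can be expressed as additional `RewriteCond` lines on `%{HTTP_COOKIE}` in the Apache config; the Python version is easier to unit-test against the request `c2lint` prints, which is how to confirm the filter and the profile agree before a real beacon ever touches the redirector.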
## Automation & CI/CD for Red Team Tools

### GitHub Actions for Tool Testing

Hosted runners have unrestricted internet egress, so a workflow like this must only ever target the containerized DVWA it starts itself.

```yaml
# .github/workflows/test-tools.yml
name: Red Team Tool Testing

on:
  push:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'  # Weekly, Sunday 00:00 UTC

jobs:
  test-exploit-framework:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      - name: Install dependencies
        run: |
          pip install -r requirements.txt

      - name: Start DVWA target
        run: |
          docker run -d --name dvwa -p 80:80 vulnerables/web-dvwa
          # Poll until the app answers instead of trusting a fixed sleep
          for i in $(seq 1 30); do
            curl -fsS http://localhost/login.php >/dev/null && break
            sleep 2
          done

      - name: Test exploit against DVWA
        run: |
          python test_exploit.py --target localhost --port 80

      - name: Generate report
        run: |
          python generate_report.py > exploit_report.md

      - name: Upload results
        uses: actions/upload-artifact@v4   # v3 of this action is deprecated
        with:
          name: exploit-results
          path: exploit_report.md
```
### Ansible Playbook for Lab Deployment

```yaml
# red-team-lab-setup.yml
---
- name: Deploy Red Team Lab Infrastructure
  hosts: lab_servers
  become: yes
  vars:
    kali_image: "kalilinux/kali-rolling"
  tasks:
    - name: Update system packages
      ansible.builtin.apt:
        update_cache: yes
        upgrade: dist

    - name: Install Docker and the Compose v2 plugin
      ansible.builtin.apt:
        name:
          - docker.io
          - docker-compose-v2   # Ubuntu 24.04 / Debian 13; older releases need Docker's own apt repo
        state: present

    # Compose runs first: it creates the redteam-* networks the Kali container joins
    - name: Deploy target applications
      community.docker.docker_compose_v2:   # the legacy docker_compose module was removed in community.docker 4
        project_src: /opt/redteam-lab
        files:
          - docker-compose.yml
        state: present

    - name: Deploy Kali container
      community.docker.docker_container:
        name: kali-attacker
        image: "{{ kali_image }}"
        state: started
        restart_policy: always
        interactive: yes   # without a TTY the container's shell exits immediately
        tty: yes
        networks:
          # Compose prefixes network names with the project name unless the
          # network declares "name:"; use the full name as shown by `docker network ls`
          - name: redteam-lab_redteam-attack
          - name: redteam-lab_redteam-target

    - name: Configure C2 infrastructure
      ansible.builtin.include_tasks: setup_c2.yml

    - name: Setup monitoring
      ansible.builtin.include_tasks: setup_monitoring.yml
```
## Cost Optimization Strategies

### Cloud Lab Cost Breakdown

AWS Red Team Lab - Monthly Costs (approximate on-demand pricing in us-east-1 with instances running 24/7):

| Component | Instance Type | Monthly Cost |
|-----------|--------------|--------------|
| Kali Linux | t3.medium | $30 |
| C2 Server | t3.small | $15 |
| Target Environment (3x) | t2.micro | $30 |
| VPC, Networking | - | $5 |
| Total | | ~$80/month |

Cost Reduction Tips:

1. Use Spot Instances:

```bash
# Spot request capped at $0.05/hour. The instance can be reclaimed with a
# two-minute warning, so keep lab state in IaC and on volumes, not on the instance.
aws ec2 run-instances \
  --instance-market-options "MarketType=spot,SpotOptions={MaxPrice=0.05}" \
  --instance-type t3.medium \
  --image-id ami-XXXXX
```
   Savings: Up to 70%

2. Auto-Shutdown During Off-Hours:

```bash
# EventBridge rule that fires at 18:00 every day (schedule expressions are in UTC)
aws events put-rule --name "StopRedTeamLab" --schedule-expression "cron(0 18 * * ? *)"

# The target has to be something that actually stops the instances, for example an
# SSM Automation document (AWS-StopEC2Instance) or a Lambda calling ec2:StopInstances,
# together with a RoleArn that EventBridge is allowed to assume
aws events put-targets --rule StopRedTeamLab --targets "Id"="1","Arn"="arn:aws:automation:..."
```
3. Use Docker Locally:
   - Run entire lab on laptop with Docker Desktop
   - Cost: $0 (uses local resources)
   - Trade-off: Limited scalability

## Security & Isolation Best Practices

### Network Segmentation

Firewall Rules:

```bash
# iptables rules for lab isolation (attack-net, target-net, lab-net and external
# are placeholders for your real interface or bridge names)

# Default-deny forwarding; everything below is an explicit exception
iptables -P FORWARD DROP

# Attack network may initiate connections to targets; replies are allowed back
iptables -A FORWARD -i attack-net -o target-net -j ACCEPT
iptables -A FORWARD -i target-net -o attack-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Block target-to-attack initiated connections
# (explicit even though the default policy already drops them)
iptables -A FORWARD -i target-net -o attack-net -m conntrack --ctstate NEW -j DROP

# Block lab-to-internet by default (put allow-list exceptions above this line)
iptables -A FORWARD -i lab-net -o external -j DROP
```

Note that a reverse shell or implant callback from a compromised target to the attack box is a new connection from target-net, which these rules drop. If your scenarios need it, allow only the specific listener ports (the C2 listener, a netcat handler) rather than opening the whole direction.
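Firewall rules are the last line of defence against a tool being pointed at the wrong network; the first should be the tool launcher itself refusing out-of-scope targets, which is also how the "lab targets only" clause of the authorization document below gets enforced in practice rather than on paper. The scope guard here is an added example, not part of the original article: it accepts IPs and CIDRs, rejects anything outside the lab's target subnets from `main.tf`, rejects anything overlapping a never-touch list (the `10.0.3.0/24` monitoring subnet and the `192.168.0.0/16` range are hypothetical entries to adjust for your lab), and refuses hostnames so that a DNS answer can never widen the scope. `build_nmap_command` only assembles the argument list; it does not run anything.

```python
"""Scope guard for lab tooling: refuse to target anything outside the lab (added example)."""
import ipaddress
import shlex

# Lab target ranges, taken from the Terraform subnets in this article.
LAB_SCOPE = ["10.0.1.0/24", "10.0.2.0/24"]
# Hypothetical ranges that must never be touched even if LAB_SCOPE is widened
# (e.g. a monitoring subnet and a corporate range). Adjust for your own lab.
NEVER_TOUCH = ["10.0.3.0/24", "192.168.0.0/16"]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def check_targets(targets, allowed=LAB_SCOPE, denied=NEVER_TOUCH):
    """Split targets into (in_scope, rejected); rejected maps target -> reason.

    A CIDR target is only in scope if the whole block sits inside one allowed
    range, so "10.0.0.0/16" is refused even though it contains lab subnets.
    """
    allowed_nets, denied_nets = _nets(allowed), _nets(denied)
    in_scope, rejected = [], {}
    for t in targets:
        try:
            net = ipaddress.ip_network(t, strict=False)  # "10.0.2.15" becomes 10.0.2.15/32
        except ValueError:
            rejected[t] = "not an IP or CIDR; resolve hostnames first so the real address is checked"
            continue
        if any(net.overlaps(d) for d in denied_nets):
            rejected[t] = "overlaps a never-touch range"
        elif not any(net.version == a.version and net.subnet_of(a) for a in allowed_nets):
            rejected[t] = "outside lab scope"
        else:
            in_scope.append(t)
    return in_scope, rejected


def build_nmap_command(targets, extra_args=("-sV", "-p", "80,443,445")):
    """Return the nmap argv for in-scope targets, or raise if any target is out of scope.

    All-or-nothing on purpose: a partially filtered run hides the fact that
    someone typed the wrong range.
    """
    in_scope, rejected = check_targets(targets)
    if rejected:
        details = "; ".join(f"{t}: {why}" for t, why in rejected.items())
        raise ValueError(f"refusing to scan out-of-scope targets: {details}")
    return ["nmap", *extra_args, *in_scope]


if __name__ == "__main__":
    # Hypothetical operator input: two lab targets and one typo reaching into 10.0.0.0/16
    for attempt in (["10.0.2.15", "10.0.2.0/24"], ["10.0.2.15", "10.0.0.0/16"]):
        try:
            cmd = build_nmap_command(attempt)
            print("would run:", shlex.join(cmd))  # swap for subprocess.run(cmd) to launch
        except ValueError as err:
            print("blocked:", err)
```

Wrap the same check around Metasploit's `RHOSTS`, Impacket targets and any script that takes a host list; the point is that the allow-list lives in one place, is versioned with the lab's IaC, and is checked before a packet leaves the attack box.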
### Legal & Ethical Considerations

Lab Authorization Documentation:

```markdown
# Red Team Lab Authorization

**Purpose:** Security research, tool development, and training

**Authorized Activities:**
- Testing offensive tools against lab targets only
- Developing exploits for educational purposes
- Simulating real-world attack scenarios

**Prohibited Activities:**
- Testing tools against external targets without authorization
- Participating in unauthorized penetration testing
- Using lab infrastructure for actual attacks
- Storing or processing real sensitive data

**Compliance:**
- All activities logged and monitored
- Lab isolated from production networks
- No real PII or sensitive data used
- Regular security reviews conducted

Signed: [Your Name]
Date: [Date]
```
## Monitoring & Metrics

### Lab Health Dashboard

Grafana + Prometheus Setup (each lab host runs `node_exporter` on port 9100; Grafana then uses Prometheus as its data source):

```yaml
# prometheus.yml
global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'red-team-lab'
    static_configs:
      - targets:
          - 'kali:9100'
          - 'c2-server:9100'
          - 'dvwa:9100'
```
Key Metrics to Track:
- Lab uptime percentage
- Tool success rates
- Target availability
- Resource utilization (CPU, memory, disk)
- Network throughput
- Number of exploits tested
- Training hours logged

## Conclusion

Building a professional red team lab in 2026 is about more than just installing Kali Linux. It's about creating a comprehensive, automated, and continuously evolving environment that mirrors real-world infrastructure while enabling safe offensive security research.

Key Takeaways:
- Use Infrastructure-as-Code (Terraform, Ansible) for reproducible deployments
- Implement proper network segmentation for safety
- Automate routine tasks with CI/CD pipelines
- Monitor lab health and usage metrics
- Keep tools and targets updated regularly
- Document all configurations and procedures

Your Next Steps:
1. Choose deployment model (cloud, local, hybrid)
2. Set up base infrastructure (network, compute)
3. Deploy vulnerable targets
4. Configure C2 and attack tools
5. Implement monitoring and logging
6. Start practicing and developing skills

---

Need help building your red team lab? Download our "Red Team Lab Setup Checklist" or browse our Terraform templates on GitHub.


