Digital Playground: Building a Secure Exploit Laboratory
Author: Ethan Marshall (@Artegium)
After years of doing security work on a laptop with VMware Workstation, I finally decided to build a dedicated lab environment that could handle serious exploit development and malware analysis. Today I'm sharing the setup that's transformed my security research capabilities - from hardware choices to network isolation strategies.
Why I Built a Dedicated Lab: The Limitations of Laptop-Based Research
For years, I ran my security research off a laptop using VMware Workstation. While VMware is an excellent platform with great snapshot management and a clean interface, I kept hitting limitations. Running multiple VMs simultaneously, especially when analyzing malware or developing exploits, would bog down the system. The host OS consuming significant resources meant I was always making compromises about what I could run.

The tools and techniques I use in security research are powerful – that's what makes them valuable, but it's also what makes them potentially dangerous if mishandled. Think of exploit development like working with biological samples – you need proper containment to ensure nothing harmful escapes into the wild.

The Hardware Foundation: Building for Flexibility
I wanted a system that would serve me well for years to come, so I went a bit beyond what's strictly necessary. But having the flexibility when you need it is worth the investment:
- Case: Lian Li Q58
- CPU: Intel i9-14900K (high thread count for virtualization)
- Motherboard: MSI MPG B760I Edge
- Memory: 64GB DDR5
- Graphics Card: MSI GTX 1080 Ti (that I salvaged from an older PC)
- Power Supply: Lian Li SP850
- AIO Cooling: Thermaltake TH280
- Primary Storage: 2x 4TB NVMe SSDs configured in ZFS RAID 1 (mirror) mode for redundancy and performance
- Backup/Utility Storage: 8TB External Drive (USB 3.0)

The key decisions here were the high memory capacity (64GB lets me run multiple resource-intensive VMs simultaneously) and ZFS storage (provides both performance and data protection for my research work).
Proxmox VE: Moving Beyond Type 2 Hypervisors
Like many security researchers, I migrated from VMware Workstation to Proxmox VE. It hasn't been as plug-and-play as VMware, but the benefits are significant:
Type 1 vs Type 2 Hypervisors:
- Type 1 (Bare-Metal): Runs directly on hardware (Proxmox VE, ESXi, Hyper-V)
  - Better performance, more isolation
  - Requires dedicated hardware, more complex setup
- Type 2 (Hosted): Runs on top of existing OS (VMware Workstation, VirtualBox)
  - Easier setup, more flexible for casual use
  - Performance overhead, dependent on host OS
For serious security research, Type 1 hypervisors provide the isolation and performance you need.
My Current Lab Structure
Here's how I've organized my virtual environment:
VM ID | Name | Dataset | CPU | RAM | Disk | Network |
---|---|---|---|---|---|---|
101 | dhcp-vmbr1 | management | 1 | 256MB | 1G | vmbr1 |
102 | dhcp-vmbr2 | management | 1 | 256MB | 1G | vmbr2 |
200 | ParrotOS-Security | security | 8 | 16GB | 150G | vmbr1 |
201 | vuln-web-hub | security | 2 | 2GB | 30G | vmbr1 |
202 | Metasploitable 2 | security | 1 | 1GB | 10G | vmbr1 |
203 | Metasploitable 3 | security | 4 | 6GB | 60G | vmbr1 |
204 | Win7 Target | security | 2 | 4GB | 40G | vmbr1 |
205 | Win10 Target | security | 2 | 6GB | 60G | vmbr1 |
206 | Win11 Target | security | 4 | 8GB | 60G | vmbr1 |
207 | Windows Server 2016 Target | security | 2 | 6GB | 60G | vmbr1 |
208 | Windows Server 2019 Target | security | 2 | 6GB | 60G | vmbr1 |
209 | Windows Server 2022 Target | security | 2 | 4GB | 40G | vmbr1 |
300 | FlareVM-Malware | malware | 8 | 16GB | 350G | vmbr2 |
301 | REMnux | malware | 4 | 8GB | 100G | vmbr2 |
302 | ParrotOS-Malware | malware | 8 | 16GB | 150G | vmbr2 |
This gives me dedicated environments for exploit development, malware analysis, and various target systems to practice against.
Network Isolation: The Critical Security Layer
Proper network isolation is probably the most important aspect of a safe security research environment. I've kept my networking relatively simple but effective:
Three-Network Strategy
VMBR0 - Bridged network for systems that need internet access (management, updates)
VMBR1 - Exploit development environment - completely isolated network with its own IP range
VMBR2 - Malware analysis environment - the most restricted network for analyzing live malware

DHCP Management
I run Alpine container templates with dnsmasq as DHCP servers for VMBR1 and VMBR2. These automatically assign static IP addresses based on MAC addresses. It's a convenience feature - you could manually configure networking on each VM, but I prefer the centralized approach.
Proxmox Firewall Integration
One feature I really appreciate about Proxmox is its built-in firewall capabilities. Instead of setting up dedicated firewall VMs, I can configure rules at multiple levels:
- VM level: Rules specific to individual machines
- Node level: Rules for the physical host
- Datacenter level: Global rules across the environment
I have rules that allow specific ports I need while blocking inbound and outbound traffic by default. This approach balances isolation with the practicality of updating systems and downloading tools.
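A check for the layout described above, added here as an example (not the author's code): it reads Proxmox VM config text of the kind stored under /etc/pve/qemu-server/<vmid>.conf and flags guests whose NICs span an isolated bridge and another bridge, or that lack the per-NIC firewall=1 flag. The bridge roles are taken from the three-network description; the sample configs and MAC addresses are constructed.

```python
import re

# Policy assumed from the three-network layout above: vmbr0 reaches the LAN,
# vmbr1 (exploit dev) and vmbr2 (malware) are meant to be isolated.
ISOLATED = {"vmbr1", "vmbr2"}
NET_LINE = re.compile(r"^net\d+:\s*(.+)$")

def parse_nics(conf_text):
    """Return [(bridge, firewall_enabled)] from the live part of a VM config."""
    nics = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # snapshot sections follow the live config
            break
        m = NET_LINE.match(line)
        if m:
            opts = dict(p.split("=", 1) for p in m.group(1).split(",") if "=" in p)
            nics.append((opts.get("bridge"), opts.get("firewall") == "1"))
    return nics

def audit(vmid, conf_text):
    """Return findings for one VM: bridge spanning and unfiltered NICs."""
    nics = parse_nics(conf_text)
    bridges = {b for b, _ in nics if b}
    findings = []
    if bridges & ISOLATED and len(bridges) > 1:
        findings.append(f"{vmid}: spans {sorted(bridges)}, isolated segment shares a guest with another bridge")
    for bridge, fw in nics:
        if not fw:
            findings.append(f"{vmid}: NIC on {bridge} has no firewall=1, VM-level rules are not applied to it")
    return findings

# Constructed sample configs (VM IDs from the table above, MACs invented).
SAMPLES = {
    200: "cores: 8\nnet0: virtio=BC:24:11:00:02:00,bridge=vmbr1,firewall=1\n"
         "net1: virtio=BC:24:11:00:02:01,bridge=vmbr0,firewall=1\n",
    202: "cores: 1\nnet0: e1000=BC:24:11:00:02:02,bridge=vmbr1,firewall=1\n",
    300: "cores: 8\nnet0: virtio=BC:24:11:00:03:00,bridge=vmbr2\n"
         "[clean-baseline]\nnet0: virtio=BC:24:11:00:03:00,bridge=vmbr0,firewall=1\n",
}

def audit_all(samples=SAMPLES):
    return {vmid: audit(vmid, text) for vmid, text in samples.items()}

if __name__ == "__main__":
    for vmid, findings in audit_all().items():
        for f in findings:
            print(f)
```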
Attack Platform: Parrot OS Configuration
For my primary attack platform, I use Parrot OS instead of the more common Kali Linux. It's really a personal preference - both are excellent security distributions. I find Parrot OS has:
- Lower resource requirements
- Better out-of-the-box desktop experience
- firejail included for additional sandboxing
- A more privacy-focused default configuration
My Parrot OS VM Specifications
While Parrot OS can run on modest hardware, I allocate significant resources to ensure smooth operation:
- CPU: 8 cores (overprovisioned for multi-tool workflows)
- RAM: 16GB (allows running Binary Ninja, Burp, browsers simultaneously)
- Disk: 150GB thin-provisioned on ZFS with compression
- Display: virtio-gpu for optimal GUI performance
Proxmox Configuration Details
- CPU Type: Set to `host` for full instruction set access
- Virtualization: KVM and nested virtualization enabled
- BIOS: UEFI (OVMF) for modern OS compatibility
- Network: Connected to both vmbr1 (isolated) and vmbr0 (bridged) as needed
Target Environment Strategy
Beyond the attack platform, I maintain various target systems:
Vulnerable Applications Hub
VM 201 serves as a hub for web application testing with DVWA, bWAPP, Mutillidae, and WebGoat pre-configured and ready to attack.
Windows Target Variety
I maintain multiple Windows versions to practice against different vulnerability classes and understand how exploitation techniques vary across OS generations.
Purpose-Built Vulnerable Systems
Metasploitable 2 and 3 provide known-vulnerable Linux environments for practicing specific techniques.
Operational Security Layers
Snapshot Management
Proxmox's snapshot system, especially with ZFS backing, makes it easy to:
- Take snapshots before major experiments
- Maintain clean baselines for each VM
- Schedule automated snapshots for protection
- Quickly roll back after testing
I've developed a habit of taking snapshots before any significant testing - it's saved me countless hours of rebuilding corrupted systems.
Backup Strategy
- Daily compressed backups via Proxmox GUI
- External storage for backup retention
- Manual backups before risky operations
- Separate backup datasets for different research areas
External Storage Organization
My 8TB external drive organizes research data:
For Exploit Development:
/writeups
- Analysis notes and findings documentation
/data
- Compiled payloads and fuzzing results
/backups
- VM dumps and snapshots
For Malware Analysis:
/malware_repo
- Live samples and unpacked binaries
- Accessible only to vmbr2 VMs
- Blocked from other networks via firewall rules
Lessons Learned from the Migration
Moving from a laptop-based VMware setup to a dedicated Proxmox lab has been transformative:
Performance: No more choosing between running multiple VMs or maintaining host system responsiveness
Isolation: Better separation between analysis environments and production systems
Scalability: Easy to add new VMs for specific research projects
Reliability: ZFS and proper backups mean I spend less time rebuilding and more time researching
Flexibility: Multiple network segments allow for complex testing scenarios
The setup process was more involved than VMware Workstation, but the operational benefits make it worthwhile for serious security research.
Getting Started with Your Own Lab
If you're considering building a dedicated security research lab:
- Start with your constraints: Budget, space, and noise considerations
- Plan for growth: Build in more capacity than you think you need
- Prioritize isolation: Network segmentation is more important than raw performance
- Automate backups: You will break things - plan for recovery
- Document your setup: You'll forget configuration details over time
Whether you choose Proxmox, ESXi, or stick with hosted solutions like VMware Workstation, the key is creating safe, reproducible environments where you can push boundaries without consequences.
Until Next Time
Building this lab has fundamentally changed how I approach security research. Having dedicated, isolated environments removes the friction that previously limited my experimentation. The investment in proper hardware and hypervisor setup pays dividends in both capability and peace of mind.
I'd love to hear about other lab setups in the security community. What hypervisor platforms do you prefer? How do you handle network isolation and backup strategies? Drop your thoughts in the comments or reach out on X - I'm always curious to learn from other researchers' approaches.
Build smart, break safely,
