May 18, 2026 research

AeroLab v2: Building a Purple Team Home Lab from Scratch

proxmox elastic-siem active-directory velociraptor caldera

I built my first home lab a while back and wrote about it on this site. It was a single node, flat network, and not designed with any testing methodology in mind. AeroLab v2 is the rebuild: two physical nodes, segmented networks, and a full detection stack.

This post is the overview. I’ll link to individual writeups as they go up.

Hardware

Two Lenovo ThinkCentre M920q machines, both running Proxmox VE in a cluster called aero-lab. A UniFi USW Flex 2.5G switch connects them.

Node    RAM   Storage  Role
aero-1  64GB  1TB SSD  pfSense, DC, SIEM, Velociraptor, Caldera, targets
aero-2  40GB  1TB SSD  Kali, Windows 11 workstation

Network Design

AeroLab v2 uses five network segments, each on its own Proxmox bridge:

Segment     Subnet         What lives here
Management  10.10.10.0/24  pfSense admin access
Production  10.10.20.0/24  Windows Server DC, Windows 11 workstation
Security    10.10.30.0/24  Elastic SIEM, Velociraptor
Red Team    10.10.40.0/24  Kali, Caldera, vulnerable targets
WAN         192.168.0.x    Uplink to home network

pfSense routes between segments with per-interface firewall rules. The red team segment can reach production for attack simulations, but has no path to the security segment. Attack tools stay away from the SIEM.

The Stack

pfSense handles routing and firewall rules across all five segments. NAT port forwards expose each service to the home network. WireGuard is on the roadmap.

Windows Server 2022 is the domain controller on the production segment, running the aerolab.lan domain. BadBlood populated it with 2,491 users, 545 groups, and 100 computer objects with realistic misconfigurations.

Elastic SIEM 9.x runs on a dedicated Ubuntu VM in the security segment. Sysmon (SwiftOnSecurity config) is installed on the DC and Winlogbeat ships those events to Elasticsearch. An ILM policy handles automatic index rollover and deletion.

Velociraptor handles live endpoint forensics and threat hunting. The server runs its own VM with an agent enrolled on the DC.

MITRE Caldera is the adversary emulation platform, running on the red team segment as a persistent systemd service. You build operations using ATT&CK-mapped abilities and deploy agents to target endpoints.

Kali Linux on aero-2 handles manual offensive work from an isolated attack VM.

The vulnerable target range is a Docker Compose stack on the red team segment: DVWA, OWASP Juice Shop, and WebGoat.

What This Lab Is For

Run an attack, see what Elastic catches, write a Sigma rule, repeat. The AD environment is the target for identity attacks: Kerberoasting, AS-REP roasting, Pass-the-Hash, DCSync. Velociraptor covers the forensics layer. The web apps cover OWASP-style testing.
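As an added example (not code from the original post), here is the "write a Sigma rule" step for the Kerberoasting case: a Sigma-shaped rule for RC4 service-ticket requests against user SPNs, with a minimal matcher run over constructed Windows Security 4769 events. The service names, account names and record ids are constructed; the field names (EventID, TicketEncryptionType, Status, ServiceName) are the standard 4769 fields.

```python
"""Minimal Sigma-style matcher run over constructed Windows 4769 events."""

# Sigma rule expressed as a Python dict (structure mirrors a Sigma YAML file).
# Kerberoasting requests service tickets with RC4 (0x17) for user accounts that
# carry an SPN; computer accounts (ending in $) and krbtgt are filtered out.
KERBEROAST_RULE = {
    "title": "Possible Kerberoasting: RC4 service ticket for user SPN",
    "detection": {
        "selection": {"EventID": 4769, "TicketEncryptionType": "0x17", "Status": "0x0"},
        "filter_computer": {"ServiceName|endswith": "$"},
        "filter_krbtgt": {"ServiceName": "krbtgt"},
        "condition": "selection and not filter_computer and not filter_krbtgt",
    },
}

def field_matches(event, key, expected):
    """Apply one Sigma field test; supports plain equality and the |endswith modifier."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    if modifier == "endswith":
        return str(value).lower().endswith(str(expected).lower())
    return str(value).lower() == str(expected).lower()

def block_matches(event, block):
    """All field tests inside one Sigma search identifier must hold (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, rule):
    """Evaluate the 'selection and not filter_*' shape; the condition string
    itself is not parsed, that shape is hardcoded here."""
    det = rule["detection"]
    if not block_matches(event, det["selection"]):
        return False
    filters = [v for k, v in det.items() if k.startswith("filter")]
    return not any(block_matches(event, f) for f in filters)

def kerberoast_hits(events):
    """Return RecordIds of events the rule fires on."""
    return [e["RecordId"] for e in events if rule_matches(e, KERBEROAST_RULE)]

# Constructed sample 4769 events (not real lab telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4769, "TicketEncryptionType": "0x12", "Status": "0x0",
     "ServiceName": "WS01$", "TargetUserName": "jdoe@AEROLAB.LAN"},    # AES, computer account
    {"RecordId": 2, "EventID": 4769, "TicketEncryptionType": "0x17", "Status": "0x0",
     "ServiceName": "svc_sql", "TargetUserName": "jdoe@AEROLAB.LAN"},  # RC4, user SPN: hit
    {"RecordId": 3, "EventID": 4769, "TicketEncryptionType": "0x17", "Status": "0x0",
     "ServiceName": "krbtgt", "TargetUserName": "jdoe@AEROLAB.LAN"},   # TGT renewal, filtered
    {"RecordId": 4, "EventID": 4769, "TicketEncryptionType": "0x17", "Status": "0x0",
     "ServiceName": "DC01$", "TargetUserName": "jdoe@AEROLAB.LAN"},    # RC4 to computer, filtered
    {"RecordId": 5, "EventID": 4769, "TicketEncryptionType": "0x17", "Status": "0x1f",
     "ServiceName": "svc_web", "TargetUserName": "jdoe@AEROLAB.LAN"},  # failed request, no hit
]

if __name__ == "__main__":
    print("Kerberoasting hits:", kerberoast_hits(SAMPLE_EVENTS))  # [2]
```

The same filters are what keep a rule like this quiet on a BadBlood-populated domain, where routine computer-account and TGT traffic would otherwise dominate.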

Coming up: attack and detection writeups, an AD attack chain series, and a simulated IR report from a full Caldera operation.

Resources