This Is How I Spend My Time

A Blog About Self-Imposed IT Projects and Tech Exploration

Sticky post Diagram of lab network with firewall, external, DMZ, and internal networks.

Creating a New Home Hacking Lab with Proxmox

May 25, 2023 /

Sadly, my plans with my budget private cloud did not work out. Long story short, I moved internationally twice since I initially made plans to build that cloud. The first move was to Japan, and the second to Italy. Through each of those moves I lost two servers. On the upside, I have plans for the remaining three servers: a better home hacking and lab using Proxmox.

Designing a new hacking lab with Proxmox for learning and new courses.

After taking a year off I am back to making Pluralsight courses. I recently published Security Onion Basic Concepts and Functionality. I am currently working on a new course: Command and Control with Sliver. While creating the new course, I decided that I needed a better lab to simulate an actual network and make use of the Globomantics domain. Globomantics is a fake company Pluralsight uses for demos. I decided to take some old servers I had from a previous project, drew up a design for a potential network, and got to work. The design I came up with is below.

Hacking lab design in Proxmox. External network, firewall, DMZ, and internal network.
Proxmox hacking lab design

The design includes a firewall with separate internal and DMZ networks. The DMZ contains a vulnerable web server from VulnHub, a DNS server using Pi-Hole, and an email server running iRedMail. The DMZ is used because I want to keep the vulnerable hosts separate from the internal network. The internal network is a Microsoft Active Directory domain with a few workstations and a file server. I included one Ubuntu workstation as well that is joined to the domain. For security I have a firewall running pfsense and a Security Onion server acting as an IDS and SIEM.

On the external side I have a Kali Linux VM that is my main workstation for hacking, along with a phishing LXC running Gophish. I also have another Pi-Hole DNS server running that the internal network forwards requests to. This allows me to configure DNS records for fake websites without having to register actual domains.

Available Equipment for Home Lab

The three servers I have left are:

  • VMhost1: Dell Poweredge R610
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 600 GB HDD
  • VMhost2: Dell Poweredge R610
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 600 GB HDD
  • VMhost3: Dell Poweredge R510
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 1.8 TB HDD

The biggest issue I will face is the available RAM with the amount of machines I plan to run. So, I will make use of Linux Containers (LXC) where possible to reduce the resources required for particular services. I should be able to use an LXC for DNS, email, and the phishing server because these services use fewer resources.

Additional Considerations for Network and Proxmox

  1. I am building this on a separate segment of my home network. It will remain behind a firewall, and none of the vulnerable machines will be exposed to the Internet.
  2. I am using Proxmox as the virtualization software because it is free and allows me to use features like software defined networking, clusters for management, and VM migration between hosts.
  3. I have limits on host performance due to using very old equipment. I will likely need to build a new host in the future to improve performance and reduce power consumption in the long term.

Ready to Build the Home Hacking Lab with Proxmox

For this build I am going to create posts about each step that serve as a guide for anyone looking to build something similar. The first post in that series will show the VMhost cluster and cover software defined networking installation.

Next: Install Proxmox and Configure Cluster

Challenge Complete: My Experience Passing the OSCP

September 20, 2025 /

About one week ago I took and passed the Penetration Testing with Kali Linux (PWK) cert exam and obtained the OSCP+ and OSCP. Passing the OSCP was on my “to do” list for a long time but I just never got around to it, so it’s good to finally check that one off. I enjoyed the overall experience enough that I already signed up for the next one and start my OSEP journey today!

The OSCP+ Certification

OSCP+ badge image

I assume you already know about the OSCP if you are reading this. In case you don’t it is an ethical hacking and penetration testing exam. The exam gives you six machines to hack in 23 hours 45 minutes, and then another 24 hours to submit a report. Three machines are an Active Directory environment, and three machines are standalone challenges. You get 40 points by completing AD, and then 20 points each for the standalone machines (10 for access, 10 for privilege escalation). You need 70 to pass.

OSCP vs. OSCP+

The OSCP+ and OSCP certifications are the same cert, but the OSCP+ is used to line up with the whole continuing education scheme to maintain the plus. Being in the DoD contracting line of work, this makes sense to me. Most of the certifications have continuing education scheme to prove that your knowledge is current. Since I am in that line of work, this for me is a plus. From what I understand the OSCP is still a lifetime certification if you let the OSCP+ lapse by not paying the fees and submitting CEUs. Nice benefit compared with my CISSP that will just go away if I don’t do that.

The value of certifications (is it worth it?)

Certifications are taking some hits lately. Go ahead and Google for yourself and I am sure you will find all forms of social media contain posts expressing both sides of the cert debate (along with every other credential out there). Is it necessary to get a certification? No, probably not. Could it help you land a job? In my opinion yes, but like anything else a cert does not get you a job on its own. What it does do is prove that you went through some form of training, and that you proved you knew enough to pass that particular exam.

The Offsec PWK training

I am married with kids, so spending the money on the training and certification and then the time commitment to complete it is a discussion. It goes something like this:

Bernie meme I am once again asking

A huge thank you to my wife for supporting me while I pursued this certification, and to my kids who were great while I took the exam.

Then it was time to sign up for the PWK and get started. I read a lot of criticism of Offsec and their training while preparing for this exam. Most of it seems to come down to price. I agree that $1750 is a steep cost, but it does provide training and certification. I have seen a lot of training+cert packages that costs significantly more, so to me this was acceptable.

Is the PWK training enough?

The PEN-200: Penetration Testing with Kali Linux course provided by Offsec provides everything you really need to pass the OSCP exam. I saw a lot of other blog posts discussing multiple other supplemental training resources like Try Hack Me, but in my opinion these are not necessary to pass. I didn’t use anything except for the PWK training material to study. Then again, I do have an extensive IT background, previously obtained the CEH that I let expire, and produced quite a few Pluralsight courses on hacking tools and security. So you could say I am not new to the field or the material.

I still think that the PWK training material provides everything you really need to know, even without that experience. All my experience did was allow me to spend less time studying the material and practicing. Example: I already know how Active Directory works and can build a domain, so I could just focus on what tools are used and how to use them to get what I need. I went through all of the training modules up to and including “Assembling the Pieces”, and then took one OSCP practice lab from the challenge labs prior to the exam. This was enough for me to pass.

A few notes about notes

Throughout the training I used the recommended Obsidian app to capture the material. My method was to make a folder for each module of the training, and then a note inside for each topic within that module. It took me awhile to make the full use of the app, but later I started really using the markdown features to make the most of this.

In particual I would recommend using these markdown features:

  1. Use the code blocks. This is done by entering the backtik key three times to create a block. Then whatever you paste in the block will keep its plain text format, and this creates a copy button allowing for easy copy/paste.
  2. Use the subheadings. I failed to do this until the VERY end and regretted it. If you create subheadings with the “#” characters, Obsidian makes everything beneath it collapsible. This is extrememly valuable when trying to sift through your notes on the exam.

Passing the OSCP Exam Experience

Pre-Exam: Before the exam even started I staged the following to keep everything pretty organized.

Make a directory called OSCP-exam

  1. Make these subdirectories
    • Standalone1
    • Standalone2
    • Standalone3
    • AD1
    • AD2
    • DC
    • tools
  2. Within the “tools” directory, place the tools you typically need to transfer to other machines, like webshells and privilege exec tools. Easier to have them ready ahead of time then to have to go and find them, then start the server. It’s just a time saver.
  3. Start a web server with python from the tools directory. Now that’s done and you don’t have to remember to do it later. If you need another tool later, just copy it into this directory.
  4. Start a terminal for each machine and then change directory into the subdirectory for it. Now all of your terminal windows are labeled so when you end up with a ton of them open (I had way too many by the end), it’s easier to find the one you need.
  5. Make a quick action cheat sheet in Obsidian of typical things you think you might need.
    • Bash one-liner reverse shells
    • PowerShell one-liner reverse shells
    • msfvenom payload generation
    • Command sequences for common tools if you forget them a lot
    • PowerShell/wget/curl download commands
    • Netcat bind and reverse shells
    • Nmap commands for initial enumeration

The Exam: 24 hours of stress with moments of relief and excitement

I can’t say much about the exam experience in detail because I would like to keep my certification. What I will say is that I think I fell for every rabbit hole and distraction they threw at me. I spent a lot of time on exploits that didn’t work, or chasing down something that ultimately went nowhere when the answer was right in front of my face.

To recycle some advice from others that I tried (but sometimes failed) to remember while taking the exam:

  1. If something isn’t working, move on and try something else.
  2. Especially if #1 happens, go back and check the enumeration you did… maybe even enumerate again.
  3. If something is taking longer than it should, you might be in a rabbit hole, GET OUT and see #2.
  4. Check the exam FAQ and guide. It has some good information, like how long some actions should take and what to do if yours takes longer. Listen to that advice to save yourself some time.
  5. Passing the OSCP is not rocket science, it is possible, and everything is hackable in some way.

Passing the OSCP exam takes a score of 70/100 points. There are no longer bonus points offered for completing training. I chose the route of going for the full 40 on the AD machines, then start the standalones. This worked well for me. I kept going past 70 with one more privilege escalation to secure 80/100 in case there was an issue with my report. One of the machines, I just couldn’t get. Thinking through it after the exam, I think I figured out what I needed to do, but too late now! Doesn’t matter, passing is passing in the end.

Passing the OSCP Victory Baby meme

The Report: finally, it’s all over

Once you pass that portion, you have 24 hours to write a report. Other blog posts recommended writing the report as you go, which I did not do and really regreted it. I would recommend following the advice of others. Although I took extensive notes in Obsidian during the exam, I barely got my report done on time, and I was then stressing about it as my word processor messed up the format on occasion, or I wondered if I had everything included, etc.

Write the report during the exam if you can, or take notes that allow you to copy/paste well. I did at least take good notes, so that helped. I also left all of the terminals open after the exam in case I needed to go back and take screenshots of anything, or remember how I did something that I missed in my notes. This DID help me in the report for one screenshot I forgot to take. I HIGHLY recommended to leave everything open after the exam until you submit your report. You won’t have access to any machines anymore, but all of your history is still there.

After about a 5 day wait, I received the email I was waiting for letting me know that I passed and now obtained the OSCP+ certification! Passing the OSCP was a rewarding experience. I am glad I chose to finally sit down for it and knock this one out.

Next Steps

I can finally check off passing the OSCP from my to-do list. I actually enjoyed the overall experience, and learned a lot from the material and the actual exam. Although the process was long, I enjoyed it enough that I immediately signed up for the next step, PEN-300 and the OSEP exam! I am looking forward to learning more and continuing this journey.

My plan is to post some content during my training for OSEP, and will probably modify my home lab to fit better with this process. Check in on my blog from time to time for updates on that if you are interested.

Recommendations on passing the OSCP

  1. Preparation: Focus on studying the PWK training material. Don’t get too distracted chasing down supplemental training. Overpreparation might just mentally exhaust you.
  2. Note taking: I used Obsidian with one folder per module, and each subtopic had a note. Use markdown to create headings and copy/paste code blocks.
  3. AD and privilege escalation are 70 out of the total potential 100 points. Spend some time studying these portions of the material. Remember though you do have to obtain initial access to at least 2 standalone machines to pass.
  4. Just go for it: If you know me personally and ever asked me for tips on an exam, I probably told you to just go sit down and take it. The same advice applies here. You can endlessly prepare and probably will never truly feel ready, just try the exam. Go into it allowing yourself to purchase a second attempt, this helps me at least.
3 host setup in proxmox lab

Back With A New Proxmox Lab in 2025

April 8, 2025 /

Well, it happened again to my old lab, another server died and I decided to move to a lower power solution for my Proxmox lab instead. I am still using a three host configuration but this time I used Dell Optiplex 7070 Micro Form Factor PCs. I also have a new purpose in mind for this lab. At least initially, I am going to use it mainly for my Pluralsight courses, and for my new business venture called Cybrid Technology LLC.

Three host setup in Proxmox lab

Each host has 8 cores for CPU, 500GB of SSD space, and I upgraded the RAM to 32 GB each. This gives me enough computing power to get started at least. The specifications of each are in the image below.

Dell Optiplex 7070 proxmox lab specifications of each host.

Getting Started With The New Proxmox Lab

As you can see from the images, I already started, and I am not going to repeat the guidelines around the basics of setting up Proxmox. For that, I refer you to some of my older posts:

I set up new templates in this lab. If you couldn’t tell from the image, this is what I created now:

  • Windows 11
  • Windows Server 2022
  • Windows Server 2025
  • Ubuntu 24.04.2 Server
  • Ubuntu 24.04.2 Desktop
  • Red Hat Enterprise Linux (RHEL) 9.5 Server
  • Red Hat Enterprise Linux (RHEL) 9.5 Desktop

This time I am going to use Terraform to create the machines, and plan to use Ansible as well for configuration. That is a topic for another post though. To create each of the templates I took these actions:

  1. Install the operating system
  2. Install all available updates
  3. Configure remote administration for servers
  4. Set the timezone and time
  5. Configure the local admin for all machines
  6. Sysprep the machine using either the sysprep.exe for Windows machines or virtio-sysprep for the Linux machines.

Thanks for reading and following. This environment is much quieter and uses a lot less power than my previous setup. I am looking forward to getting started with it and putting out some new content along the way.

Firewall and DNS Configuration to Allow External Access

January 30, 2024 /

The final step for the internal network is enabling access to the DMZ network from external devices by changing the Firewall and DNS configuration. This involves configuring port forwarding to route external traffic to the appropriate internal devices. I also need to change the DNS configuration to route the traffic for the domain correctly. First step, port forwarding in pfsense.

Prerequisite: Installing a Network Firewall

Firewall Configuration in pfsense

To route external traffic to internal devices, we will configure port forwarding. This routes external traffic destined to certain ports, like port 443 for HTTPS, to the appropriate internal server in the DMZ. Within pfsense, we go to NAT settings, and port forward. The image below shows an example configuration to route inbound HTTP traffic on the WAN interface to my DMZ host 10.10.1.12.

For my lab, I also added rules for DNS, SMTP, and HTTPS.

pfsense port forwarding configuration

Due to my lab’s configuration using all private IP addresses and having a private IP on the WAN interface for the lab, I also had to remove the reserved network block.

uncheck the block private IP and loopback on WAN interface pfsense

To test the configuration, I used my external Kali machine to run an Nmap scan of port 80 and 443 of my firewall.

Configure DNS for External Access

The next step is to configure the simulated external DNS to route traffic to my lab network from the external network. I added an A record to the external Pihole.

A record for the domain.

I also need an A record for the email server.

Next, I need to create an MX record. For dnsmasq, this requires a custom configuration file.

# touch /etc/dnsmasq.d/99-mail.conf
# pihole restartdns

To check that the MX record is working, I use nslookup on the external Kali machine.

Now that the configuration is complete, I run a few Nmap scans to check that the ports are forwarded to the correct internal devices, and that I can scan by domain name.

With that, my Firewall and DNS configuration is complete and my lab is accessible from the simulated external network devices.

Next: Gophish in an LXC
Previous: Import a VulnHub Machine

Adding a VulnHub Machine to the Proxmox Lab

January 29, 2024 /

I could practice and work on hacking the machines I already built, but another good addition to my lab is vulnerable machines. A good source of these is VulnHub. In this post I will cover how to add a VulnHub machine to Proxmox.

Prerequisite: Install Proxmox and Configure a Cluster

Download and Extract the Machine

The first step in adding the machine is to download it from vulnhub onto the host and extract it. For this example, I am using the machine Earth. To accomplish this, I entered the three commands below.

# mkdir vulnhub && cd vulnhub
# wget -O Earth.ova https://download.vulnhub.com/theplanets/Earth.ova
# tar xvf Earth.ova

Once downloaded you should have 3 files in the vulnhub directory.

output of ls command in vulnhub directory showing 3 files

Adding the VulnHub Machine to Proxmox

Now we need to create the VM in Proxmox to tie to the disk we downloaded. First we create the machine, and under operating system, select “Do not use any media.”

Create: Virtual Machine screen in Proxmox
Select OS screen to create Proxmox virtual machine

For the other options, I configured:

  • System: default
  • Disks: default
  • CPU: 1 socket / 1 core
  • Memory: 1024MB
  • Network: DMZnet / MTU: 1450

Once created, but before booting, the next step is to remove the hard disk. You do that by first detaching the existing disk, and then remove the unused disk.

Unused disk after detach in Proxmox

Now you import the disk, using the command below. Replace “115” with the number corresponding to your virtual machine in Proxmox, and the vmdk file with the correct file corresponding to the machine you downloaded.

# qm importdisk 115 Earth_dev-disk001.vmdk local-lvm --format vmdk
Example command output after importing disk.

Once the disk imports, you need to go back to the GUI and change the disk type to SATA in the Proxmox interface.

Change disk type to SATA in Proxmox

After changing, you should see the hard drive in sata0.

virtual machine hardware information in Proxmox

The last step is to change the boot order to boot to the hard drive first, and then start the VM. After starting you should get the login screen.

Change boot order to hard drive in Proxmox.
login prompt for VulnHub VM in Proxmox

The whole process is that simple. Now you can import new VulnHub machines anytime to try them out in your new Proxmox lab. Now that we have machines ready, its time to configure the DNS and firewall for external access.

Next: Configure DNS and Firewall for External Access
Previous: Configure a SPAN Port for Security Onion

Configure a SPAN port for Security Onion in Proxmox

September 10, 2023 /

The remaining server left to create in my lab is a Security Onion server. Security Onion is an out of the box blend of multiple open source tools that feed a central alert dashboard. I actually created a whole separate Pluralsight course called Security Onion Concepts and Basic Functionality if you are interested. The course covers the fundamentals, installation, and basic operation of the tool. This post is focused on capturing network traffic using my lab’s Security Onion server. To enable that, I configure a SPAN port for Security Onion in Proxmox on my pfsense virtual machine.

Configure physical NIC passthrough on the host

Prerequisite: Installing a Network Firewall Using Pfsense in Proxmox

My Proxmox lab has multiple hosts which significantly complicate this operation. The Security Onion server and pfsense firewall are located on separate hosts which means I have to pass the network traffic between hosts. I enabled this capability previously with software defined networking. There was a problem though, this does not support SPAN ports effectively. The best way I found to enable a SPAN port in Proxmox is to configure a physical NIC passthrough on the host. This allows me to assign a physical port on the host directly to a virtual machine which successfully passes all traffic.

The first step I took is to enable IOMMU in the /etc/default/grub file by adding the line below as seen in the image.

GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"
Image of /etc/default/grub file with line added
Enable IOMMU in Proxmox

Then I ran update-grub and reboot the machine. To check that the setting is correct after reboot, I ran the command below and looked for “IOMMU enabled”.

# dmesg | grep -e DMAR -e IOMMU
Example output of the dmesg command above
Example output of dmesg command

Next I added the required modules to enable physical NIC passthrough by editing the /etc/modules file and adding the modules in the image below.

Output of /etc/modules file with required modules added
Added required modules for physical NIC passthrough

Just to be safe, I rebooted the machine at this point and then checked that I could add a PCI device in the hardware setting in Proxmox.

Configure a SPAN port for Security Onion in Proxmox

Now that I can map a physical NIC to one of my virtual machines, I added one of the host ethernet adapters to the hardware on my pfsense virtual machine.

To make this work correctly on my old servers, I also had to enable unsafe interrupts with this command:

# echo "options vfio_iommu_type1 allow_unsafe_interrupts=1" > /etc/modprobe.d/iommu_unsafe_interrupts.conf
Example output of command to enable unsafe interrupts
Command run to enable unsafe interrupts

Now when I access the pfsense interface menu from the command line, the new interface is available as bce0.

Example output of pfsense screen showing new interface available.
New interface available in pfsense

I assigned the interface the name OPT2 and then in the web configurator I enabled it and gave it a description of SPANport.

pfsense web configurator interface configuration screen
Enabling the interface in web configurator

To configure a SPAN port in pfsense, you actually create a bridge within the interface menu. I went to Interfaces > Interface Assignments > Bridges and made a new one to create the SPAN port. I selected the LAN interface, added a description and then selected the SPANPORT interface under Span Port in the advanced configuration.

pfsense SPAN port bridge configuration
Adding a SPAN port in pfsense

To complete my lab setup I did the same thing for the DMZ network, leaving me with two bridges.

Bridges view in pfsense web configurator
SPAN ports in pfsense

The last step to verify operation is to test the SPAN port. To test, I used the packet capture tool in pfsense and set the interface to SPANPORT. I also enabled promiscuous mode to capture all data seen by the adapter.

Once I ran it, I could see multiple packets showing it was working as intended.

On the Security Onion server I will add another physical adapter, just like the pfsense machine. Then I will connect the interfaces directly with an ethernet cable.

Skipping ahead a bit to show it works

The output in Security Onion is not something I cover in the lab build, but it worked as configured in this post. Here is a tcpdump on my Security Onion Server and an overview of alerts.

I covered the how to install in a Pluralsight course, and you could also follow their documentation to build it. Security Onion is really one of the last steps to creating the basic structure of this lab other than adding the Kali machine and enabling remote access, but I also cover in the next post how to add VulnHub machines to the DMZ.

Next: Add a VulnHub Machine to Proxmox
Previous: Join an Ubuntu Machine to Active Directory

Building My Own App to Track Personal Goal Progress and Be Better

September 10, 2023 /

This post is a break from my typical posts around the build out of my home hacking lab or anything to do with Pluralsight. I decided to document the beginning of a process of building my own app by explaining the reasons behind it.

I was on vacation in August enjoying some down time to relax. While traveling to and from each destination, I had time to take note of changes in my life and where I wanted it to go. What I noticed is that while I felt like I had achieved most of what I set out to do, there were gaps between where I was today and where I still wanted to be. I felt like while each of the areas below were good, there is always room for improvement and I shouldn’t settle on where I was if I could make it better.

I decided that:

  • I want to be a better husband and father.
  • I want to achieve and maintain a better mental state.
  • I want to have hobbies again and share them with my kids.
  • I want to cook better food and healthier meals to share with my family.
  • I want to get in better physical shape again and feel more energized everyday.
  • I want to finally build something of my own and gain the independence and freedom that comes with it.

Those are big statements that I am sure everyone wants to achieve to some degree. How am I going to break these down into manageable chunks and actually achieve them?

Building habits to achieve a goal

A few months ago I read a great book on working to become better called Atomic Habits. If you have never read it, I highly recommend purchasing it or reading a copy from the library. It is a great book that will motivate you to be better. In it he discusses a concept of changing habits to get 1% better everyday results in a 37x improvement over 1 year. You’ve probably seen the concept in images that look something like the one below.

The power of tiny gains chart from JamesClear.com
Power of tiny gains image from James Clear’s website (author of Atomic Habits)

To achieve everything I want to achieve, I will need a system. To create a system, I need to do a combination of setting measurable goals for the next year, and creating habits that will lead their achievement.

Solving my own problem by building my own app

Based on my larger long term goals above, I decided to set measurables goals for achievement in the next year. These goals will help me improve multiple aspects of my life and be a better me. I am still working out every specific goal and building the habits around it. My plan is to document in their own posts tied to each category because each are worth their own post.

I realized in planning this out that I would need a good place to track all of my goals, habits, and progress toward them. Since one of my goals is to build something of my own and gain the independence and freedom that comes with it, building my own app is the perfect way to get started. There are other benefits outside of independence and freedom. Building this will help me brush up on my coding skills. I will learn a new programming language, and gain experience creating a modern web application.

I plan to stick with something simple to start and build from there. Using what I know seems like the best way for me to get the underlying application working.

Join an Ubuntu Machine to Active Directory

August 3, 2023 /

The next step to finish off my client machine setup is to add my Linux machine to the domain. I am going to join Ubuntu to Active Directory so I can use the domain accounts to authenticate and login. Once joined, I login with my admin account to test. The first step is to prepare the client machine by setting the hostname and changing DHCP settings.

Preparing the Ubuntu Machine

Prerequisite: Creating a Domain: Installing Active Directory on Server Core

The first thing I need to do is change my Ubuntu machine’s hostname to a fully qualified domain name (FQDN). I used the command below to fix my machine’s hostname and then the next command to check it.

$ sudo hostnamectl set-hostname ubuntudesk1.corp.globomantics.local 
$ hostanmectl
Output of sudo hostnamectl set-hostname command
Changing my hostname using hostnamectl

Now that my hostname is fixed, the next step is to configure the DNS domain and set it to the internal Active Directory domain. You can make this change by adding the line to resolv.conf, but since I am using DHCP I set the search domain on my firewall which is my DHCP server. Both options are shown below.

Example content of resolv.conf file with search domain added
Changing resolv.conf to add the local domain
Adding search domain to pfsense DHCP settings
Adding search domain in pfsense DHCP settings

Now I check the status using resolvectl status to make sure the changes took effect.

Output of resolvectl status showing correct DNS domain
Checking search domain settings

Now that the networking is set up correctly, the next step on my client is to install the necessary packages. I used the apt command below to install everything I needed.

$ sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Now I am ready for the next step which is actually joining the Ubuntu client to the domain.

Join Ubuntu to Active Directory

Joining Ubuntu to Active Directory is a multi-step process where I will use the terminal. The actual domain join is a single command, but after that I am going to take some additional steps to set up the users. The first step is to use realm to discover and then join the domain. Realm discover is used to obtain information about the domain and also list the required packages to connect, which I installed already in the previous step.

$ sudo realm discover corp.globomantics.local
Output of realm discover command
Using realm discover to obtain information about the Active Directory domain

Since all packages were already installed, I can use realm join to join the domain, and then realm list to confirm.

$ sudo realm join -U Administrator corp.globomantics.local
$ realm list
Output of realm list
Output of realm list showing configured domain

Now I need to set up home directories, which I can do using pam_mkhomedir. I first used nano to edit mkhomedir in /usr/share/pam-configs. Following the Manpage, I decided to stick with the default umask and skeleton directory settings.

Example mkhomedir config
Edit mkhomedir in pam-configs

Next I entered the command below to update and set the options shown in the image. Then I resarted sssd after pam-path-update. After that, I set realm to enable everyone to login.

$ sudo pam-path-update
Output of pam-path-update
Pam-path-update settings
$ sudo systemctl restart sssd
$ sudo realm permit --all

Once everyone is configured to login the next step is to enable admins on my domain admin privileges on the Ubuntu machine. I set this in the sudoers file for the admin accounts in the image below.

Example sudoers file configuration
Enable admin accounts to have admin privileges

Now that everything is set up, I should be able to login with a domain account and if it is admin then sudo should work.

Testing Domain Login and Admin Access

To test login, I will use SSH to access the Ubuntu machine from my Windows 10 admin machine. If everything is set up correctly I should be able to SSH without specifying a login name from Windows 10 while logged in as BAdmin, and then enter a sudo command.

Example SSH from Windows 10 to Ubuntu machine
Login to Ubuntu machine using SSH from Windows 10 PC
Output of sudo apt update
Output of sudo apt update

That’s it! My configuration is successful and I can login to my Ubuntu machine using domain credentials. My client machines are all set up correctly and ready for testing. The next step in my process is to install and configure Security Onion which is the topic for the next series of posts.

Next: Configure a SPAN Port for Security Onion
Previous: New User Machines: Creating Windows Clients

New User Machines: Creating Windows Clients

July 10, 2023 /

In this post I will go over the creation of a Windows client machine with Windows 11 as an OS. I also added the PC to the Globomantics domain. Once I add the machine to the domain, I installed a Thunderbird email client and configured it to connect to the iRedMail server. I also followed the same procedure on a Windows 10 machine, which is very similar so I will focus on the Windows 11 PC for this post.

Adding a Windows Client Machine

Prerequisite: Bulk User Creation with PowerShell

The first step to creating a client machine in my Proxmox lab is to clone the template machines. I used the full clone mode in Proxmox. After creating the machine I started it up and chose the correct region, keyboard layout, and accepted the license agreement. For sign in options I selected domain join instead.

Full clone mode screen in Proxmox
Example full clone menu

I configured the Windows 11 PC for my user Jane Johnson created in the previous post. Once it loaded, I went to settings to change the computer name and add it to the Globomantics domain.

Settings menu in Windows 11 to domain join a PC
Settings menu in Windows 11 to change computer name and add to domain
Changing the computer name and adding to the domain
Changing computer name and adding to domain

After adding to the domain I restarted the new PC. Then I could login as Jane Johnson to the CORP domain.

Windows 11 domain login
Logging in to the CORP domain on Windows 11 PC

Configuring the Thunderbird Email Client

Once logged in, I can access the Globomantics share created previously. I downloaded the Thunderbird client installer on my Windows Admin PC and uploaded it to the share. On each client I just run the installer from the share.

Windows Explorer used to upload a file to a network share.
Uploading the Thunderbird email client to Globoshare
Running a file from a network share
Running the email client from the Globoshare

After Thunderbird finished installing I configured it on each machine to map to the email accounts created in the last post. Part of that involved configuring the connection manually to iRedMail. An example of the configuration I used is in the image below.

Thunderbird email and password entry
Thunderbird email and password entry
Manual configuration of IMAP settings in Thunderbird
Manual configuration of IMAP settings in Thunderbird

Once configured, the client will connect to the server. My email server is using a self-signed certificate, so I had to confirm a security exemption.

Confirming security exemption for self-signed certificate in Thunderbird
Confirming security exemption for self-signed certificate

After that Thunderbird loaded the inbox so I could send a test email between the user accounts to confirm my email server works.

Inbox on first login to Thunderbird
Inbox on first login to Thunderbird
Test email between John Smith and Jane Johnson
Test email between John Smith and Jane Johnson

Again, because of the self-signed certificate I had to confirm another security exemption.

Successful test email received

The test email succeeded, finishing up my internal configuration and user services! The domain is ready for internal use at least and all services are working. The next steps are finishing up my clients, installing Security Onion, and configuring the firewall to enable external traffic into the DMZ servers.

Next: Joining Ubuntu to a Windows Domain
Previous: Bulk User Creation in PowerShell

Bulk User Creation with PowerShell

June 30, 2023 /

Now that I have a domain and working Email server, its time to create some users for the network. I could create these individually using the Active Directory Users and Computers interface in RSAT, but instead I am going to use PowerShell to script the process. User creation with PowerShell is an easy process and pretty straightforward. I will make a CSV file with the account information, and then use PowerShell to create the accounts quickly.

User Creation with PowerShell

Prerequisite: Creating a Domain: Install Active Directory in Server Core

Creating a user with PowerShell is done using the Active Directory module for PowerShell to import the needed command. From there, it’s as easy as using the “New-ADUser” command to add a user. I am going to create a script that first reads a CSV file containing the user information, and assigns each piece to a variable. Then the script will check if the user already exists, and if it doesn’t create it using “New-ADUser”.

Here is the PowerShell script I wrote for this:

Import-Module activedirectory

$NewUsers = Import-csv C:\Users\BAdmin\Desktop\Users.csv

foreach ($User in $NewUsers) {
$username = $User.SAMAccount
$password = $User.password
$firstname = $User.FirstName
$lastname = $User.LastName
$email = $User.email
$title = $User.title
$department = $User.department

if (Get-ADUser -F {SamAccountName -eq $username) {
Write-Warning "User already exists with that name."}

else {
New-ADUser -SamAccountName $username `
-UserPrincipalName "$username@globomantics.local" `
-Name "$firstname $lastname GivenName $firstname `
-Surname $lastname -Enabled $True `
-DisplayName "$lastname $firstname" -EmailAddress $email `
-Title $title -Department $department `
-AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
-ChangePasswordAtLogon $True
}

}
Bulk user creation with PowerShell script reading CSV file
PowerShell Script in the PowerShell IDE

I also made the CSV file “Users.csv” and stored it on the Windows 10 Admin PC desktop where I wrote this script. The CSV has these headings matching the script’s variables: SAMAccount, password, FirstName, LastName, email, title, and department.

Example CSV file for bulk user creation with PowerShell
Example CSV file used for my domain

After creating both of these files, making the user accounts is as easy as running the script. After that the user accounts will show up in Active Directory.

Active Directory Users and Computers
New user accounts populate in Active Directory after running the script.

Adding User Mailboxes

Prerequisite: Enable Email Services: Configure DNS for Email and Testing

Using the iRedMail server admin page, making mailboxes for the new users is also a very easy and straightforward process. From the admin page, add a mail user and then fill out their required information.

Example adding user account in iRedMail server
Example creation of the mail user account for Bob
View of all mail users for the globomantics.local domain
All user mailboxes for the Globomantics domain

Once all the users are added, you can login to any of the domain workstations and then use either the webmail interface or an email application to check their email. In my next post I am going to create the client machines and use Thunderbird to connect to the iRedMail server.

Next: Client Machines, User Logins, and Email
Previous: Enable Email Services: Configure DNS for Email and Testing

Enable Email Services: Configure DNS for Email and Testing

June 28, 2023 /

My next step in adding Email services to my lab domain is to configure DNS for Email. This involves adding the required MX, CNAME, and A records on the Pi-Hole so external email traffic can route correctly to the Globomantics domain.

Configure DNS for Email

Prerequisite: Create My Own Email Server: Install and Configure Email on an LXC

To enable Email services, I first need to add an A record for my new server. I used the Pi-Hole admin panel to create this record mapping the name “mx” to 10.10.1.5. After creation the new record is visible in the admin panel.

Local domain list in Pi-Hole with new record for host mx
Pi-Hole admin panel after creating the new A record

Next, I am going to add a CNAME to my DNS configuration that creates an alias for mx.globomantics.local. The alias I am assigning is mail.globomantics.local. I am using the Pi-Hole admin panel again for this change.

Adding a CNAME record to Pi-Hole
Adding a CNAME record to Pi-Hole

Last I need to add an MX record which directs mail to my new Email server for the Globmantics domain. In the Pi-Hole configuration panel there is no option to add an MX record, so I need to add a custom file to dnsmasq. To create the file, I use the command below and then edit using Nano.

# touch /etc/dnsmasq.d/99-mail.conf

Within the file, I add this line to create the MX record mapping incoming mail destined to the globomantics.local domain to my MX host.

mx-host=globomantics.local,mx.globomantics.local,1
Configure DNS for email, dnsmasq MX record line
Custom file with MX record for dnsmasq

Once created, the last step in DNS configuration is testing that the records resolve correctly. I used nslookup on the Windows 10 Admin PC. Using the commands below queries MX records tied to the globomantics.local domain.

C:\Users\BAdmin>nslookup
> set q=mx
> globomantics.local
Output of nslookup command query for MX records
Output from nslookup shows that the domain MX record resolves correctly

A Quick Firewall Change

To enable the server to send outbound email I need to open a few firewall ports on the DMZ. Reading through the iRedMail configuration, the minimum ports I need open are 25 (SMTP), 587 (Submission), and 143 (IMAP). I added those in the same method used previously.

pfsense firewall changes to enable required services
Added ports 25, 587, and 143 to DMZ interface on pfsense

Testing Login to Postmaster Account

Now that DNS and firewall configuration is done, I can test logging in to the Postmaster account and check my email. I am going to login to the Roundcube webmail by navigating to the alias address: mail.globomantics.local and then logging in as Postmaster.

Roundcube login page
Roundcube login page loaded after navigating to MX alias
Postmaster mailbox view on initial login
Successful login to Postmaster account and inbox view in Roundcube

That’s all there is to it! My server is ready for user Email. That is the topic for my next post where I will create users in bulk, and create their mailboxes.

Next: Setting up Users and Email
Previous: Create My Own Email Server
« Older posts

© 2026 This Is How I Spend My Time

Theme by Anders NorenUp ↑