A Ludus range for practicing pivoting, lateral movement, and initial access techniques. Originally created by CleverNamesTaken, this fork extends the lab with a dual-homed network topology, a Windows jump box with Responder/LLMNR poisoning for initial access, and additional exploitation scenarios.
Table of Contents
Broadly speaking, this lab includes the use of three different types of tools:
- live off the land tools
- non-native binaries
- webshells
The lab consists of three dual-homed jump boxes and two target machines across two network segments. The jump boxes include a Tomcat server for JSP webshells, an Apache server for PHP webshells, and a Windows Server running IIS (for ASPX webshells) with a Responder/LLMNR poisoning bait. The Kali attack box can only reach the jump boxes on VLAN 20 — to reach the targets on VLAN 22, you must pivot through the jump boxes. Linux machines can be administered via the SSH key on the Kali box. The Windows jump box has a weak service account (svc_backup/butterfly) that broadcasts LLMNR traffic for hash capture with Responder.
The jump boxes are dual-homed -- they have a NIC on VLAN 20 (attacker network) and a second NIC on VLAN 22 (target network). The Kali attack box can only reach VLAN 20. To reach the targets on VLAN 22, you must pivot through one or more jump boxes.
VLAN 20 VLAN 22
(Attacker Network) (Target Network)
10.X.20.0/24 10.X.22.0/24
┌──────────────┐ ┌──────────────────┐
│ Kali │ │ lamp (Apache) │
│ Attack Box │ 10.X.20.220 │ │ 10.X.22.220
│ 10.X.20.201 ├───────────────────►│ eth0 eth1 ├──────────┐
│ │ │ PHP webshells │ │
└──────┬───────┘ └──────────────────┘ │
│ │ ┌──────────────────┐
│ ┌──────────────────┐ ├───►│ Linux Target │
│ 10.X.20.221 │ windows-jump │ │ │ 10.X.22.50 │
├───────────────────────────►│ (IIS/WinRM) │ 10.X.22.221 │ │
│ │ nic0 nic1 ├──────────┤ │ CVE-2024-47176 │
│ │ ASPX webshells │ │ │ CVE-2025-32433 │
│ │ LLMNR/Responder │ │ └──────────────────┘
│ └──────────────────┘ │
│ │
│ ┌──────────────────┐ │ ┌──────────────────┐
│ 10.X.20.222 │ tom (Tomcat) │ │ │ Windows Target │
└───────────────────────────►│ │ 10.X.22.222 │ 10.X.22.60 │
│ eth0 eth1 ├──────────┘ │ │
│ JSP webshells │ │ CVE-2022-3229 │
└──────────────────┘ └──────────────────┘
Firewall Rules:
- Kali (VLAN 20) CANNOT reach VLAN 22 directly (inter-VLAN default: REJECT)
- Jump boxes (.220-.222) CAN reach VLAN 22 (allowed by firewall rule)
- Targets on VLAN 22 CAN respond to jump boxes
- All VMs have WireGuard and internet access
This guide assumes the user already has Promox and Ludus installed. If Ludus is not yet installed, start here.
-
Clone the repo
git clone https://github.com/BLTSEC/PivotLab.git
-
Add the necessary roles
cd PivotLab ludus ansible role add -d roles/attack_box/ ludus ansible role add -d roles/fvarovillodres.lamp/ ludus ansible role add -d roles/lamp/ ludus ansible role add -d roles/linux_target/ ludus ansible role add -d roles/tom/ ludus ansible role add -d roles/tomcat/ ludus ansible role add -d roles/windows_jump/ ludus ansible role add -d roles/windows_target/ ludus ansible role add -d roles/ludus_vulhub/ ludus ansible role add -d roles/dual_home/Note: The
dual_homerole is bundled locally in this repo. If you're building your own range and want dual-homing, you can install it standalone withludus ansible role add BLTSEC.ludus_dual_home. See ludus_dual_home for details. -
Import the range config file
ludus range config set -f range-config.yml -
Deploy the range
ludus range deploy
Feel free to test any number of pivoting tools you'd like. The Conops.md file contains a walkthrough on basic usage of the following tools, which are pre-installed on the Kali attack box at 10.<RANGE_NUMBER>.20.201:
ssh to 10.<RANGE_NUMBER>.20.201 with the credentials kali:kali, and check out the ~/tools directory for pre-installed tools.
If you are like me and prefer your own attack box, then just run prepareTools.sh to install the tools on a different platform.
See Conops.md for how these tools can be deployed.
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Distributed under the Apache License 2.0. See LICENSE for more information.
Project Link: https://github.com/BLTSEC/PivotLab
Original Project: https://github.com/CleverNamesTaken/PivotLab
- CleverNamesTaken for creating the original PivotLab
- Erik (Bad Sector Labs) for all the amazing work on Ludus
- opsdisk and the incredible Cyber Plumber's Handbook
- fvarovillodres for his development of the ansible-role for installing a LAMP stack