So I built a small Bash script that does the job locally, in your terminal, using Ghostscript — free, open-source, and already installed on most Linux systems.

Here's everything you need to know about it, how it works, and how to use it.

The Problem With Online PDF Compressors

Before getting into the script, it's worth talking about why a local tool is worth having.

Most web-based PDF tools work by uploading your file to a remote server, processing it there, and giving you a download link. That's fine for a recipe you found online. It's not so fine for a contract, a medical document, a tax return, or anything with sensitive information in it. You're trusting a third party with your file, usually with no clear privacy policy, and often with no idea how long they keep it.

Beyond privacy, there's the watermark problem. A lot of free online compressors add a watermark to your output unless you pay. And there's the quality problem — many of them use aggressive compression that blurs images or makes text look muddy.

A local tool avoids all of that. Your file never leaves your machine. No watermarks. No subscription. No upload limits.

Enter Ghostscript

Ghostscript is a decades-old open-source interpreter for PostScript and PDF. It's not glamorous, but it is the gold standard for PDF manipulation on Linux. It's what powers a lot of the professional PDF tooling you've probably used without knowing it.

The core compression command looks like this:

bash

gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/ebook \
   -dNOPAUSE -dQUIET -dBATCH \
   -sOutputFile=output.pdf input.pdf

That single command can take a 25 MB PDF down to 4 or 5 MB with no visible quality loss for most documents. The -dPDFSETTINGS flag is the key lever — it controls the trade-off between file size and quality.

There are four presets:

For most people, /ebook is the right choice. It cuts file size dramatically while keeping images sharp enough for reading on any screen.

What the Script Does

Typing that gs command from memory every time is annoying. You have to remember the flags, the output path, the input path. So I wrapped it in a friendly Bash script that walks you through the whole process interactively.

Here's what happens when you run it:

Step 1 — Ghostscript Check

The script first checks whether Ghostscript is installed on your system. If it is, it shows you the version and moves on. If it isn't, it asks whether you want to install it.

  ⚠  Ghostscript is not installed on this system.

  Would you like to install Ghostscript now? [y/N]

If you say yes, it detects your package manager automatically — apt on Debian and Ubuntu, dnf on Fedora, pacman on Arch, brew on macOS — and runs the right install command. No manual intervention needed.

Step 2 — Input File Selection

Next it asks for the PDF you want to compress. If you're running a desktop environment with GNOME or KDE, it opens a graphical file picker. If you're on a headless server or in a plain terminal, it falls back to a simple text prompt where you type the path.

Both ~ expansion and absolute paths work fine.

Step 3 — Quality Selection

  1) Screen   — Smallest file · 72 DPI  · Best for email & web
  2) eBook    — Balanced     · 150 DPI · Good for most uses (recommended)
  3) Printer  — High quality · 300 DPI · Suitable for printing
  4) Prepress — Max quality  · 300 DPI · Professional publishing

You pick a number. Press Enter without picking anything and it defaults to eBook — the most useful preset for everyday use.

Step 4 — Output Path

The script suggests a sensible default output name: if your input is report.pdf, the default output will be report_compressed.pdf in the same folder. You can override this with any path you like.

If the output directory doesn't exist, the script offers to create it. If a file already exists at the output path, it asks before overwriting. No silent data loss.

The Result

After Ghostscript runs, you get a clean summary:

  ────────────────────────────────────────
  ✔  Done in 3s!
  ────────────────────────────────────────

  Original size :  24.80 MB
  Compressed    :  4.32 MB
  Saved         :  20.48 MB (82.6% smaller)
  Output file   :  /home/user/report_compressed.pdf

If the output turns out larger than the input (which can happen with already-optimized PDFs), the script warns you and suggests trying a lower quality setting.

How to Get It

The script is a single file. Download it, make it executable, and run it.

bash

# Download
curl -O https://github.com/RootedN00b/Projects/blob/main/N00bPDF/n00bpdf.sh

# Make executable
chmod +x n00bpdf.sh

# Run
./n00bpdf.sh

Or if you'd rather copy-paste the contents directly, the full source is included below.

To make it available system-wide so you can call it from anywhere:

bash

sudo mv n00bpdf.sh /usr/local/bin/n00bpd
sudo chmod +x /usr/local/bin/n00bpdf

# Then from anywhere:
n00bpdf

Real-World Results

I ran the script against a handful of different PDF types to give you a realistic picture of what to expect.

The last row is worth noting. If a PDF has already been compressed — by a modern export tool for example — Ghostscript may actually make it slightly larger because it re-encodes everything from scratch. The script detects this and warns you.

What It Won't Do

A few honest limitations:

It won't compress encrypted PDFs. If a PDF has a password, Ghostscript can't process it. You'll need to remove the password first using a tool like qpdf --decrypt.

It won't help if your PDF is already optimized. Some PDFs exported from tools like LaTeX or modern versions of Acrobat are already well-compressed. There's not much left to squeeze out.

It won't preserve all interactive features. If your PDF has form fields, embedded JavaScript, or complex annotations, some of these may not survive the recompression. For archival or interactive PDFs, test the output carefully before distributing it.

enjoy resizing your PDF!!!

Introduction

Every system tells a story.
Not in logs.
Not in dashboards.
But on the wire.

Every login, every file transfer, every scan, every misconfiguration — legitimate or malicious — becomes network traffic. Most people never look at it. The few who do gain something powerful: clarity.

Network traffic analysis is one of those rare skills that quietly separates average professionals from dangerous ones. It is the common ground where IT technicians troubleshoot outages, network engineers validate designs, defenders detect intrusions, and pentesters map attack paths. Different missions — same packets.

Attackers don’t guess. Defenders don’t rely on luck.
They observe, capture, filter, and understand what is really happening between systems.

If you’ve ever wondered:

• How attackers move without being noticed

• Why defenders miss obvious intrusions

• Why “everything looks fine” while the network is compromised

• Or why good engineers naturally become strong security analysts

The answer is almost always the same: network visibility.

This article breaks down the core network traffic analysis skills, the tools and methodologies used across roles, and—most importantly—how attackers and defenders look at the same traffic in completely different ways.

Because once you can read the wire,
the network can’t lie to you anymore.

Why Network Traffic Analysis Matters

Network traffic analysis (NTA) allows professionals to:

• Understand how systems really communicate

• Detect misconfigurations and design flaws

• Identify malicious behavior and attack paths

• Validate security controls and detections

• Reconstruct incidents and attack timelines

Whether you are fixing an outage or breaking into a domain, everything starts with traffic.

If you don’t understand network traffic, you are blind — no matter your role.

Core Network Traffic Analysis Skills

1. Strong Networking Fundamentals (Non-Negotiable)

Before tools, before alerts, before exploits — you must understand how traffic flows.

Core concepts include:

• OSI & TCP/IP models

• TCP vs UDP behavior

• DNS resolution process

• ARP, ICMP, DHCP

• Routing vs switching

• VLANs & segmentation

• NAT & firewall logic

• TLS/SSL basics

Without this foundation, packet analysis becomes random clicking instead of analysis.

2. Packet-Level Thinking

A skilled analyst can answer:

• Who initiated the connection?

• On which port and protocol?

• Was the traffic encrypted?

• Did the handshake succeed?

• What failed — and why?

This applies equally to:

• A printer not responding

• Malware beaconing outbound

• A reverse shell failing to connect

• An authentication error in Active Directory

Packets explain everything.

3. Traffic Pattern Recognition

Over time, professionals learn to recognize:

• Normal vs abnormal traffic

• Human vs automated behavior

• Beaconing patterns

• Scanning activity

• Lateral movement indicators

This skill is built through repetition and exposure, not theory alone.

Tools Used for Network Traffic Analysis

Core Tools (All Roles)

Defender & SOC Tools

Attacker / Pentester Tools

Attackers and defenders often use the same tools — only the intent differs.

Network Traffic Analysis Methodology

This methodology applies to both offense and defense.

1. Visibility

What traffic can I see? From where?

2. Baseline

What does normal look like?

3. Filtering

Reduce noise by protocol, IP, port, or time.

4. Correlation

Network data alone is never enough.

5. Interpretation

Why does this traffic exist?

6. Action

Block, alert, fix, exploit, pivot.

How Attackers See Network Traffic

Attackers see traffic as opportunity.

They look for:

• Clear-text credentials

• Weak or legacy protocols

• Misconfigured services

• Trust relationships

• Internal visibility after compromise

Attacker Mindset

“What can this traffic reveal about the environment?”

Examples:

• DNS leaks internal domain structure

• SMB traffic exposes Active Directory design

• Kerberos errors reveal privilege boundaries

• ICMP maps reachable networks

• Firewall rules expose segmentation flaws

Traffic guides stealth, persistence, and lateral movement.

How Defenders See Network Traffic

Defenders see traffic as evidence.

They look for:

• Deviations from baseline

• Unauthorized protocols

• Suspicious destinations

• Beaconing behavior

• East-west movement

Defender Mindset

“What does not belong here?”

Examples:

• Workstations talking SMB to each other

• DNS tunneling patterns

• Long-lived outbound connections

• Rare or suspicious user agents

• Authentication outside business hours

Traffic tells the truth — if you know how to read it.

IT Technicians & Network Engineers Perspective

For IT and network engineers, traffic analysis is about reliability and stability.

They analyze:

• Packet loss

• Latency and jitter

• MTU mismatches

• Routing issues

• Firewall misconfigurations

Many security incidents are discovered during troubleshooting, not hunting.

Strong engineers naturally become strong defenders.

Common Mistakes

• Jumping to tools without understanding protocols

• Ignoring encrypted traffic metadata

• Analyzing packets without context

• Failing to establish a baseline

• Treating NTA as “security-only”

How to Build This Skill Practically

• Analyze traffic in your own lab

• Capture normal and broken scenarios

• Observe:

  • AD logins

  • File transfers

  • VPN connections

  • Malware simulations

• Compare normal vs attack traffic

• Write short analysis reports

Final Thought

Network traffic analysis is not role-specific.
It is a core technical skill.

• IT technicians use it to fix

• Network engineers use it to design

• Defenders use it to detect

• Pentesters use it to exploit

The packets never lie.
Only your interpretation can.

In today’s networks, Voice over IP (VoIP) has become a core communication service for both businesses and labs. To ensure call quality and reduce network interference, the best practice is to separate voice and data traffic using a Voice VLAN (Virtual Local Area Network).

In this guide, we’ll walk through the process of configuring VoIP using a Zyxel switch and Grandstream IP phones, focusing on proper VLAN segmentation and network efficiency.

🧠 Understanding the Concept

Before jumping into configuration, let’s review what we’re achieving:

• Voice VLAN: A dedicated VLAN for all VoIP traffic. This separation ensures better QoS (Quality of Service) and easier troubleshooting.

• Data VLAN: The regular network for computers, printers, and other non-voice devices.

• Auto Voice VLAN: A Zyxel feature that automatically detects and assigns IP phones to the voice VLAN based on the device’s OUI (Organizationally Unique Identifier).

This setup ensures:

• Low latency for voice traffic

• Isolated network for security

• Automatic phone provisioning with DHCP and VLAN tagging

🧰 Prerequisites

You’ll need the following:

• A Zyxel managed switch (e.g., GS1900 / XGS1930 / GS2220 series)

• Grandstream IP Phones (e.g., GXP or GRP models)

• DHCP server (can be on your router, firewall, or server)

• Configured VLANs (Data and Voice)

• Internet access or PBX/VoIP server (e.g., FreePBX, 3CX, or Grandstream UCM) - Optional for lab demo

⚙️ Step-by-Step Configuration Guide

1. Define VLANs on the Zyxel Switch

1. Log in to the Zyxel switch web interface.

   

2. Go to Switching → VLAN → VLAN Setup, click on the Add/Edit to add your vlan, make sure you have the Tx Tagging checked.

   Scroll down to apply the setup.

   

3. You should have the following VLANs:

   • VLAN 1 – Data VLAN

   • VLAN 100 – Voice VLAN

     

4. Set port membership:

   • Trunk ports (uplinks to router/Firewall or VoIP server) → Tagged for both VLANs

   • Access ports (for PCs) → Untagged in VLAN 1 (Uncheck Tx Tagging to untagged port)

   • Phone ports → Tagged in VLAN 100, like they are in the above picture.

2. Enable the Voice VLAN Feature

1. Navigate to Switching → VLAN → Voice VLAN Setup.

2. Enable Voice VLAN.

3. Set VLAN ID = 100 (In my case). Then apply the configuration

1. Enable OUI Detection in Voice VLAN OUI Setup and add Grandstream’s OUI prefixes, e.g.:

   • 000B82

   • 000B83

   • 000B84

At this point your phone is ready to be detected on the network and get assigned an IP via the OUI, but not ready to communicate.

Test ping from the router / Firewall will be failed because the Frame doesn’t have any VLAN ID to get.

3. Configure Port Settings for Phones

1. Go to Port → LLDP → LLDP-MED.

2. click on the LLDP-MED Network Policy to add the ports where your phones are connected, click on Add/Edit

3. Assign the ports connected to phones as Voice VLAN ports.

4. Add the Voice VLAN for Auto Assignment on that port.

5. If your phones is daisy-chained (PC connected to the phone’s PC port):

   • Configure the service as voice.

   • Set the Tag to Tagged

   • DSCP (Differentiated Service Code Point) useful for better quality of service

   • Set the QoS (802.1q priority) to 6 or 7 for high priority voice traffic. (higher priority better performance)

   • Apply the configuration.

Click on the LLDP-MED Setup in the same page check the Network Policy option for all of the port where you have connected phones

If the policy checkbox is uncheck the frame of from the phone won’t get tagged with the VLAN ID 100

Wireshark ARP frame before Network Policy checked

Wireshark ARP frame after enabling Network Policy checked

4. DHCP Options for Voice VLAN

Ensure your DHCP server has a scope for the Voice VLAN (VLAN 100).

• Assign a different subnet (e.g., 192.168.100.0/24).

• Add Option 66 or 160 if using auto-provisioning for Grandstream phones (e.g., pointing to your PBX or provisioning server).

5. Configure GrandStream Phone VLAN Settings

By default, GrandStream phones can receive VLAN info via LLDP-MED or DHCP Option 132.

If you need to configure manually:

1. Access the phone web GUI.

2. Navigate to Network → Basic Settings → Ethernet.

3. Set Layer 2 QoS 802.1p Priority to 6 and VLAN Tag to 100.

4. Save and reboot the phone.

Once rebooted, the phone should receive its IP address from the Voice VLAN DHCP scope and register with the PBX or your Provisioning server .

NB: What is LLDP ?
LLDP (Link Layer Discovery Protocol) is an open standard Layer 2 protocol (IEEE 802.1AB) used by network devices (switches, routers, wireless access points, IP phones, etc.) to advertise and discover information about each other directly connected on the same local network segment.

There is an other protocol that can achieve the same thing thing named CDP which is a Cisco proprietory not all vendor use it.

📞 Testing & Verification

• Verify the phone’s IP address — it should be in the Voice VLAN subnet, and must recieve ping packet from the router / firewall

• Ping between your PBX and the phone.

• Make a test call and check call quality.

• On the Zyxel switch, you can verify with:

  • Monitoring → VLAN Port Status

  • LLDP Neighbor Table (to confirm detection of Grandstream phones)

🧩 Troubleshooting Tips

💡 Best Practices

• Keep Voice VLAN isolated from Data VLAN for better performance.

• Use LLDP-MED for automatic VLAN assignment.

• Monitor switch port utilization for any packet drops.

• Always update switch and phone firmware to latest stable versions.

🧱 Conclusion

Implementing a Voice VLAN on a Zyxel switch with Grandstream IP phones is a simple yet powerful way to optimize your VoIP network. With proper VLAN segmentation, QoS prioritization, and device auto-detection, your voice calls will be clear, stable, and secure — exactly what a professional communication system should deliver.

Before diving in, a huge thanks to the offensive security community — from the creators of tools and labs to everyone sharing knowledge daily. Without this spirit of collaboration, many of us wouldn’t have learned how deep and fascinating Active Directory attacks really are.

The Hidden Gatekeeper Inside Every Network

If you’ve ever compromised a Windows environment, you’ve probably crossed paths with Kerberos — even if you didn’t notice it. It’s the invisible bouncer controlling who gets in, who stays out, and who can access which part of the building.

Kerberos is not just another protocol. It’s the heart of authentication in modern Windows Active Directory environments — the same environments that power corporations, schools, and governments.

And that’s exactly why understanding Kerberos attacks is non-negotiable for anyone serious about hacking, red teaming, or defending enterprise networks.

What Is Kerberos, Really?

At its core, Kerberos is an authentication protocol that uses tickets instead of passwords to verify identities.

Think of it like this:

• When you log in, Kerberos gives you a ticket proving who you are.

• That ticket lets you access services (like file shares or databases) without typing your password again.

• Everything runs smoothly — until an attacker learns how to forge, steal, or manipulate those tickets.

Once you master that concept, you’re not just playing with exploits anymore — you’re speaking the language of enterprise security.

Why Hackers Love Kerberos

Kerberos attacks are so powerful because they target the core trust mechanism of Windows networks. Once compromised, attackers can move laterally, escalate privileges, and even impersonate domain administrators.

Here’s what makes it so interesting:

• Stealth: Most Kerberos-based attacks don’t trigger antivirus or EDR alerts.

• Privilege Escalation: Once you own a ticket, you own access — sometimes domain-wide.

• Persistence: Forged tickets can last hours or even days, giving long-term control.

The Most Common Kerberos Attacks (and Why They Matter)

Here’s a breakdown of the attacks every hacker and red teamer should understand — from the simplest to the most advanced.

1. Kerbrute & User Enumeration

A recon-level attack where the attacker brute-forces usernames against Kerberos to discover valid accounts. It’s fast, silent, and forms the basis for targeted attacks later.

2. AS-REP Roasting

When users don’t require pre-authentication, attackers can request encrypted data and crack it offline to recover passwords. A simple misconfiguration — a big door wide open.

3. Kerberoasting

One of the classics. Attackers request service tickets (TGS) for service accounts, extract them, and crack them offline to reveal plaintext passwords — often with domain-level privileges.

4. Pass-the-Ticket (PtT)

Instead of stealing passwords, attackers steal tickets directly from memory (like mimikatz sekurlsa::tickets). They then reuse them to impersonate legitimate users.

5. Golden Ticket

The ultimate weapon. By compromising the KRBTGT account (the key to the entire kingdom), attackers can forge any ticket — even for accounts that don’t exist. Complete domain dominance.

6. Silver Ticket

A quieter alternative — forged for a single service instead of the entire domain. It’s harder to detect and perfect for maintaining access under the radar.

Why Beginners Should Learn This Early

If you’re just starting your offensive security journey, Kerberos might sound intimidating — but learning it early changes everything.

Understanding Kerberos attacks helps you:

• Grasp how Windows authentication truly works.

• Understand lateral movement and privilege escalation.

• Transition smoothly into Active Directory Red Teaming.

• Build a stronger foundation for advanced certs like CRTP, CRTO, or PNPT.

Even if you only play in labs like TryHackMe, HackTheBox, or PortSwigger Academy, you’ll notice Kerberos scenarios everywhere. That’s because it’s one of the most realistic attack surfaces you can simulate.

For the Pros: The Red Team Advantage

For professional red teamers, Kerberos attacks are more than just tricks — they’re tools of strategy.

Advanced operators chain Kerberos abuse with:

• BloodHound for relationship mapping

• Impacket for remote execution (GetUserSPNs.py, psexec.py)

• Cobalt Strike / Sliver for ticket impersonation

• PowerView / Rubeus for in-memory attacks

And defenders who understand these attacks can implement better mitigations — from enforcing pre-authentication to monitoring unusual ticket requests in SIEM.

How to Practice Safely

You don’t need a corporate network to get started.
You can build a mini Active Directory lab in Proxmox, Hyper-V, or even VirtualBox and reproduce these attacks step by step.

Try platforms like:

• TryHackMe – Attacktive Directory

  

• HackTheBox – Forest / Active Directory Labs

  

These resources let you practice real attacks without crossing ethical boundaries.

Defenders, Don’t Scroll Past!

If you’re blue teaming, Kerberos knowledge is equally crucial.
Knowing how attackers manipulate tickets helps you detect and respond faster.

Here’s how:

• Enable Kerberos pre-authentication for all users.

• Rotate service account passwords regularly.

• Monitor Event IDs 4768–4771 for anomalies.

• Implement tiered administration and LSA protection.

Final Thoughts

Kerberos isn’t just an authentication protocol — it’s a battlefield.
Whether you’re a beginner trying your first lab or a red teamer executing lateral movement in a mature network, understanding Kerberos gives you x-ray vision into how trust and access really work inside Windows environments.

So don’t just learn the tools — learn the system.
Because the hacker who truly understands Kerberos…
owns the network before even launching an exploit.

Further Reading & Practice

• TryHackMe: Breaching Active Directory

• HackTheBox Academy: AD Enumeration & Attacks

• MITRE ATT&CK: T1558 Kerberos Attacks

Special Thanks

Before diving in, I want to extend my deepest gratitude to the Exegol Team and the entire community of contributors behind this incredible project. Your hard work, innovation, and dedication have truly changed the way red teamers, pentesters, and cybersecurity learners build and use their offensive security environments.

Exegol isn’t just a tool — it’s a movement that empowers thousands of professionals and enthusiasts to learn, test, and operate more efficiently and securely.
Thank you for continuously pushing the boundaries of what’s possible in the red team ecosystem.

What is Exegol ?

Exegol isn’t a traditional OS you install on your laptop. It’s a modular, Docker-based environment powered by a small Python “wrapper” that manages images and containers for you. Each Exegol image is a self-contained toolkit — run one per engagement and never worry about breaking your main system or fighting library conflicts. It’s like carrying a toolbox of perfect workbenches that you can spin up or tear down at will.

Why red / blue teams and pros are buzzing about it

• Containerized reliability: Tools run inside isolated Docker images, so “it worked yesterday” actually means something. You get reproducible environments across machines and OSes.

• Modular & community-driven: Exegol images are built, tested, and published as separate artifacts — pick the image that suits your workflow (full, minimal, nightly, ARM, amd64). The community actively contributes and curates toolsets.

• Works where you are: While Linux is recommended for best performance, Exegol runs on Windows/macOS via Docker Desktop too — perfect for teams with mixed laptops. Exegol Documentation

• Offline resources & convenience: Common scripts, netshells, and privesc helpers are bundled as “resources” available inside each container so you don’t repeatedly fetch the same tools.

Exegol vs. a classic distro (Kali, Parrot, etc.)

Kali and similar distros are great, but they’re monolithic: one host OS with many tools. Exegol flips the model — instead of making your host the toolbox, each container is the toolbox. That means:

• No more dependency Hell on your host.

• Cleaner audit trails and less risk of leaving residual artifacts.

• Easier experimentations: try a risky tool inside a disposable container rather than messing with your main install. Several write-ups compare Exegol favorably for professionals who need reproducibility and sandboxing.

Real-world use cases

• Red Team engagements: Maintain separate containers per target to keep tools, logs, and configs isolated.

• CTFs & training: Quickly spin up an environment tailored for a challenge without hours of setup.

• Tool testing & research: Safely test new/potentially hazardous utilities in an ephemeral container.

• Teaching & labs: Provide students a consistent environment so every learner sees the same results (handy for instructors — and yes, it fits nicely into a learning roadmap for offensive security).

Getting started (fast)

1. Install Docker, Python3, pipx, and git.

2. Install the Exegol wrapper (the “brains”): pipx install exegol (or follow the official docs).

3. Pull an image and start a container: the wrapper handles the heavy lifting so you get a ready-to-hack shell with GUI support if you need Burp/BloodHound. The docs are straightforward and recommend Linux for the smoothest experience.

Things to keep in mind (security & ethics)

Exegol makes it easy to run offensive tooling — that power comes with responsibility. Always:

• Have explicit authorization before testing systems.

• Keep your containers and images up to date; Exegol provides nightly and stable builds but you should follow your team’s update policy.

• Understand that container isolation is strong but not absolute — configure Docker and host networking safely for sensitive engagements.

Final verdict — why you should care

If you’re a practitioner who values speed, reproducibility, and clean environments, Exegol is a game-changer. It’s the modern answer to long-standing pentest pains: dependency nightmares, messy hosts, and unreproducible setups. For learners and seasoned red-teamers alike, Exegol lets you spend less time configuring and more time actually hacking — a practical boost for anyone serious about offensive security.

Want to explore further? Check the project repo and the official docs for installation guides, images, and best practices — then try spinning up a container for your next lab. If you’re following a roadmap to become an offensive security pro, Exegol slots neatly into the “power of terminal + tooling” stage of your learning journey.

Github repo

I use Exegol and YOU

Virtualization has completely transformed the way we build, manage, and experiment with IT environments. From running multiple operating systems on a single machine to powering entire enterprise infrastructures, it has become a cornerstone of modern computing.

But what if you could take it one step further? Imagine running a hypervisor inside a virtual machine — essentially creating a virtual lab within another virtual lab. That’s exactly what nested virtualization is.

Nested virtualization opens the door to building complex environments without needing racks of servers or expensive hardware. Whether you’re a student preparing for certifications, a penetration tester building attack labs, or an engineer testing cloud workloads, nested virtualization provides the flexibility to experiment freely while saving cost and space.

In this article, we’ll break down what nested virtualization is, its benefits, limitations, and how you can set it up in different environments like Proxmox and Hyper-V.

What is Nested Virtualization?

At its core, nested virtualization is the ability to run a virtual machine (VM) inside another VM by enabling hardware virtualization extensions (such as Intel VT-x or AMD-V) to pass through to the guest hypervisor.

• Normal virtualization: Your physical machine runs a hypervisor (like Proxmox, VMware, or Hyper-V), and on top of that you run VMs.

• Nested virtualization: One of those VMs also runs its own hypervisor, which can then host more VMs inside it.

A simple analogy: it’s like putting a smaller set of Russian dolls inside a bigger one. Each doll (VM) can contain another, all while relying on the outermost physical host for resources.

Benefits of Nested Virtualization

🧑‍💻 Learning & Training

If you’re studying for certifications like Windows / Linux administration, Setting up for penetration testing certification : CRTP, CRTE, CRTO nested virtualization lets you create realistic practice labs without extra hardware.

🛡️ Cybersecurity & Red Teaming

Red teamers and penetration testers can simulate complex enterprise environments (multi-domain forests, pivoting paths, AD labs) all on a single server.

🏗️ Testing & Development

Developers and sysadmins can test new tools, simulate cloud environments, or spin up temporary labs for projects without needing to reconfigure bare-metal servers.

💰 Cost Efficiency

Why buy more servers when you can use one well-provisioned box? Nested virtualization stretches your resources by allowing multiple test environments in parallel.

Limitations & Considerations

Nested virtualization is powerful, but it’s not perfect.

• Performance Overhead: Every extra virtualization layer consumes CPU and RAM, so workloads may feel slower.

• Hardware Demands: You’ll need a CPU that supports Intel VT-x or AMD-V, and enough RAM to handle multiple VM layers.

• Compatibility Issues: Not all hypervisors handle nested virtualization equally. Some require special tweaks (like enabling KVM on Proxmox or exposing virtualization extensions in Hyper-V).

• Networking Complexity: Routing VLANs, NAT, and bridging through multiple virtualization layers can be tricky.

For production workloads, bare-metal virtualization is better. But for labs, nested virtualization is often the most practical option.

Nested Virtualization Setup Scenarios

🖥️ Proxmox → Windows Server → Hyper-V → VMs

First install Proxmox on a computer as main operating System, if you don’t know how to install proxmox refer to any youtube video and follow up to get that part done

Once you have your proxmox server ready, let’s dive into the setup

Login to proxmox using the server IP and port : https://server-ip:8006

Install windows server 2022

On the proxmox web interface click on Create VM

add a name for your Virtual Machine and click next

In the next tab use the option that fit you to install the ISO in my case I have the ISO file I leave it as default and insert the ISO in the ISO Image section then select Microsoft Windows for Guest OS Type and Version hit Next

Next tab choose the options below

NB: change EFI Storage and TPM Storage to your location on Proxmox. Then click next

Next tab , give at least 80 GiB for the disk space, chose the Bus as SATA or VirtIO Block and check SSD enumlation for better performace, storage is always your storage on proxmox for your VMs, click NEXT

I the bellow tab that’s where the crucial part is happening, for better performance allocate 2 cores to your VM, and select host on the CPU Type if Host is not selected you will get an error message later , that’s gonna stop you to create your VM on Hyper-V. Then hit NEXT

Allocate a minimum of 8 GiB, then NEXT

Next tab is where you have to configure your networking information for the VM, on thing to note is that the Model of the NIC must be E1000 or VirtIO(Paravitualized), if you have vlan setup in you network you can put the VLAN-ID in VLAN Tag. Then NEXT

and the NEXT tab you just have to click Finish.

Now your VM is ready click on the left side Folder View —> Virtual Machine Click on you VM to start it

Click on Console to have access to the VM interface

If you have trouble for your ISO to boot go on the Option below Console select Boot order and make sure the ide2 in #1 then click OK

Go back to Console click Start Now

During the boot start repeat that : mouse (right click + ENTER)

Follow the steps to install Windows server or refer to that Article : lnstall Windows server 2022

Once you have your Windows installed and ready, now we can proceed with the next step to prepare our Server for Nested Virtualization.

Windows server 2022 has a role called Hyper-V you can also find it in some windows client such as the Pro version

Let’s install Hyper. Go to Server Manager. On the top right click on Manage —> Add Roles and Features

In the page that open click NEXT

Click NEXT 2 times until you get the page below, where you will have to select the roles and feature to install, in our case Hyper-V, then click NEXT

Leave next page as default click Add Features then click NEXT

Next page leave default unless you need extras parameters click NEXT —> NEXT

choose your network adapter click NEXT

Next page leave default click NEXT —> change VM disk and file location if needed otherwise click NEXT

Select case to restart server after role installed, click YES and click INSTALL

After server restart go to search bar type : Hyper-V and click the Hyper-V Manager feature

Now we have Hyper-V on our Server Let’s create a VM

To create a VM, right click on the Server name in Hyper-V —> New —> virtual Machine

In the next page click NEXT

Give a name to your Virtual Machine —> change default location or leave as default —> click NEXT

Below chose generation type —> Generation 2 —> NEXT

Allocate memory to your VM —> 2GB minimum —> click NEXT

Configure Network, you can choose Not Connected and create a virtual switch later to attack your VM to it or just choose your Host VM network adapter just for demo purposes. Click NEXT

Allocate disk space to your VM and click NEXT

choose your installation media, here ISO file

Download ISO file here: Windows server 2022 ISO

Then click NEXT then FINISH

Now you have your VM created, select the VM and under the VM name on the right side click start or double click the MV name then click start.

Change the boot order Under VM name on the right side click on settings —> Boot firmware, make sure the DVD Drive is on top

During the boot start repeat that : mouse (right click + ENTER)

Follow the steps to install windows server 2022 or read this article: How to install windows server 2022

Common Use Cases

Nested virtualization is not just a lab toy — it solves real problems:

• Active Directory Labs: Multi-domain, multi-forest, with trust relationships for pentesting and sysadmin practice.

• Red Team / Blue Team Simulations: Build both attack and defense environments, Practice complex attack and complex implementation, SOC monitoring, and detection.

• Cloud Simulations: Run Kubernetes, Docker, and other cloud-native tools in test labs.

• Homelab Networking: Integrate with physical Networking hardware (like router, switch, firewall) to simulate enterprise-grade VLAN setups.

Troubleshooting & Best Practices

• Enable Virtualization in BIOS/UEFI: Ensure Intel VT-x/AMD-V and IOMMU are enabled.

• Pass CPU Flags to Nested VMs: For Proxmox, expose host CPU type; for Hyper-V, enable nested virtualization via PowerShell.

• Plan Resources Carefully: Assign enough RAM and CPU, but avoid starving your host.

• Networking Tip: Use bridged networking and VLAN tagging to keep lab traffic organized.

• Snapshots Are Your Friend: Always snapshot before major lab experiments.

Conclusion

Nested virtualization is more than just a cool trick — it’s a powerful tool for anyone serious about learning, testing, or simulating real-world environments. By running hypervisors inside virtual machines, you gain the ability to create highly flexible labs, replicate enterprise networks, and practice complex attack or defense scenarios — all from a single physical server.

Yes, it comes with performance trade-offs and hardware requirements, but the benefits far outweigh the limitations. For learners, it’s a game-changer. For professionals, it’s a cost-effective solution for testing and training.

If you’re serious about advancing in IT, cybersecurity, or systems engineering, consider setting up your own nested virtualization lab. Start small, optimize as you go, and soon you’ll have a powerful environment to practice, experiment, and push your skills further.

In this article, we’ll go through the key concepts you need to know before installing Windows Server 2022, and then outline the process. The detailed step-by-step technical guide will be added later.

Why Windows Server 2022?

Windows Server 2022 comes with improvements that make it stand out from previous versions:

• Enhanced Security – Secure-core server, TLS 1.3 by default, and better encryption.

• Hybrid Capabilities with Azure – Integration for cloud-connected environments.

• Modern Application Platform – Support for containers and updated networking.

• Improved Performance & Scalability – Built for both small labs and large data centers.

Installation Requirements

Before starting, make sure you meet the system requirements:

• Processor: 1.4 GHz 64-bit processor or faster

• RAM: Minimum 2 GB (Desktop Experience requires more at least 4GB)

• Disk Space: At least 32 GB (recommend 50 GB+)

• Network: Gigabit Ethernet adapter

• Installation Media: ISO file or bootable USB/DVD

Installation Options

When installing Windows Server 2022, you’ll usually choose between two main editions:

1. Standard Edition – For basic server roles and small to medium environments.

2. Datacenter Edition – For larger environments with virtualization and advanced features.

Step-by-Step Installation Guide

Insert your Media (USB - CD/DVD)

boot your machine (Physique or VM) on the installation media

on the first screen choos your install language, time and keyboard, then click NEXT

Click INSTALL NOW

In the below screen that is where you choose which windows server type you wish to install, for now let’s choose Desktop Evaluation (Desktop Experience)

In the next screen accept the License Terms and click NEXT

Chose custom to make sure you choose the right disk

Select your disk and click NEXT

If you are using virtualization software make sure after installation before server boot again you change the Boot priority so you have have your DISK #1

After the installation setup your administrator password and your server is ready to launch.

To Login press CTRL + ALT + DELETE

Post-Installation Tasks

After the installation, you’ll want to configure essential settings:

• Rename the Server – Give it a meaningful name.

• Set a Static IP Address – Ensures consistency in your network.

• Join a Domain (if needed) – Integrate into Active Directory.

• Enable Windows Updates – Keep the server secure.

• Install Server Roles & Features – Depending on your use case (DNS, AD DS, etc.).

Final Thoughts

Installing Windows Server 2022 is a foundational skill for any IT professional or homelab builder. Once you get comfortable with the process, you’ll be ready to explore advanced configurations such as domain controllers, Hyper-V virtualization, and Active Directory management.

✨ Pro Tip: Document your installation steps and configurations. Clear notes and screenshots will help you later when troubleshooting or replicating setups.

Another point to take into consideration from a pentesting point of view is the fact that you will have to run your vulnerable VM inside of an isolated Docker Network (don’t expose it to the public internet), then use a pentest machine (Kali, for example) to test against it. Below I give the commands, a docker example, security notes, and clear definitions for every term used.

What is Metasploitable?

Metasploitable is an intentionally vulnerable virtual machine/image created for learning and practicing penetration testing. It’s purposely full of old/unpatched services so students can safely practice finding and exploiting vulnerabilities. Use it only in isolated labs.

Quick install (Metasploitable2 Docker image)

1. Install Docker (if you don’t already).

   • On Linux: follow the official Docker docs (install docker and optionally docker-compose).

   •   sudo apt install docker.io
     

2. Pull the image from Docker Hub (example image that many guides use):

    docker pull tleemcjr/metasploitable2
   

   (Other community images exist; pick a trusted source or build your own from Metasploitable sources.) Docker Hub - Metasploitable2

3. Run a container in an isolated network (recommended):

    # create a user network for your lab
    docker network create pentest-lab # pentest-lab refer to the name of your docker NIC
   

Run the container and attach the network to it

docker run -it --rm --name metasploitable2 -h metasploitable-hotname --network pentest-lab tleemcjr/metasploitable2

• Find the container IP (After command successful you will prompt a shell on the metasploitable machine):

    ifconfig
  

• Login info (classic for Metasploitable2): username msfadmin, password msfadmin.

Security and best practices (must-read)

• Do not expose Metasploitable to the public internet (no port publishing with -p unless you know what you’re doing). Run it on an isolated Docker network. Educative

• Treat Metasploitable as untrusted code — it runs vulnerable services; run in a throwaway VM or on a dedicated lab machine.

• Consider snapshots or ephemeral containers: destroy and recreate the container between lessons.

• If you need reproducible builds, consider building your own Dockerfile from the Metasploitable3 project or sources rather than using random hub images.

Common variants / images

• Metasploitable2 — older, classic vulnerable Linux VM; widely used in training.

• Metasploitable3 — newer, built from scratch (Ubuntu/Windows flavors). There are community Docker builds and the official repo to build VMs. If you want an up-to-date vulnerable target you may prefer Metasploitable3

Glossary

• Docker
  Containerization platform that runs applications (and their dependencies) in lightweight, isolated environments called containers. Think of it like a very small virtual machine that shares the host OS kernel.

• Image
  A read-only template that contains the file system and configuration for a container. You pull images from registries (e.g., Docker Hub) or build them locally. Example: tleemcjr/metasploitable2 is an image.

• Container
  A running instance of an image. You run an image to create and start a container. Containers have names (e.g., metasploitable) and can be started, stopped, and removed.

• Docker Hub
  A public registry where people publish Docker images so others can download them. There are official images and community images; trust matters.

• docker pull
  Command to download an image from a registry to your host.

• docker run
  Command to start a container from an image. Options include -d (detached), -it (interactive + TTY), --name (give it a name), --network (attach to a Docker network), and -p (publish container ports to the host).

• Port mapping (-p)
  Exposes container ports to the host machine (e.g., -p 8080:80 exposes container port 80 as port 8080 on the host). For Metasploitable, avoid mapping attackable ports to your public interfaces. Use internal Docker networking instead.

• Docker network / bridge network
  A virtual network that Docker creates so containers can talk to each other. The default is bridge. Creating a dedicated user network (e.g., pentest-lab) gives you isolation and easier service discovery by container name.

• docker-compose
  A tool to define and run multi-container Docker applications using a YAML file. It simplifies starting multiple containers with one command.

• Image registry / trust
  Community images on Docker Hub may be outdated or malicious; prefer official images or build your own from known sources. When using images for security training, verify the origin or build from the official Metasploitable project if you can.

• Metasploitable (2 / 3)
  Intentionally vulnerable system images for learning pentesting. Metasploitable2 is an older Linux VM; Metasploitable3 is newer and hosted in Rapid7’s GitHub repo. Use them in isolated labs only.

• msfadmin:msfadmin
  The default username:password for Metasploitable2 (common entry point for labs).

If you want to know how to install a container on Proxmox and deploy the metasploitable2 VM into it check the Homelab serie in the link below:

link: ==article coming soon==

Video Resource:

There are videos on youtube that reproduce the same thing I can refer that one:

MarauderSec - From Ryan Yager

Becoming an offensive security professional is not about shortcuts — it’s about building a strong foundation and mastering the basics. Like many others, I started by exploring everything without a clear direction. Eventually, I realized that having a structured roadmap makes all the difference.

Coming from a Networking & Windows Server administration background, web security was my weak point. Over time, I achieved certifications such as eJPTv2, PNPT, CRTA, CRTP, and CRTO, alongside practical learning through TryHackMe (Junior Penetration Tester, Offensive Security, Web Fundamentals, AD attack & enumeration) and countless labs.

👉 Good hackers don’t guess — they understand how things really work. good foundation is everything, the good hacker don't guess but understand how things really work.

This article outlines the roadmap I used to build my offensive security skillset.

🧩 Step 1 – Build a Strong Foundation

🌐 Networking

• Network Fundamentals

• Wireshark

• Network Security

• Network Exploitation Basics

🕸️ Web Basics

• How the Web Works

• Web Hacking Fundamentals

• Burp Suite Essentials

💻 Operating Systems

• Linux Fundamentals

• Windows & Active Directory Fundamentals

• Cryptography

⌨️ Power of the Terminal

• Command Line Mastery

🐍 Scripting

• Scripting for Pentesters

🔐 Step 2 – Cybersecurity Fundamentals

• Introduction to Cyber Security

• Security Engineering Basics

• Introduction to Offensive & Defensive Security

• Vulnerability Research

• Security Solutions

• Introduction to Pentesting

🛠️ Step 3 – Hands-On Hacking Practice

Understanding tools is one thing; knowing how they work under the hood is another.

• Pentesting Tools

• Offensive Security Tooling

• Exploitation Basics

• Privilege Escalation

• Shell & Access Management

• Common Attacks

• Breaching Active Directory

Once you’re comfortable with the first three steps, your real offensive security journey begins.

✅ To-Do List

• Complete all the easy rooms on TryHackMe

• Follow the Offensive Pentesting, Junir Penetration tester, Web fundamentals, Networking path

🎯 What’s Next?

Once your foundation is solid, it’s time to specialize:

• Web Application Pentesting (via TryHackMe & PortSwigger Academy)

• Red Teaming (simulate advanced attackers)

• HackTheBox CBBH certification prep

As you progress, challenge yourself with medium and hard labs. If you get stuck, it’s okay to check a write-up or walkthrough — but always come back and try again on your own.

📝 The Importance of Note-Taking

A crucial habit in your journey is note-taking. Every test, every lab, every attack path should be documented. This not only reinforces your learning but also prepares you for real-world engagements.

A good structure for write-ups includes:

1. Information Gathering

2. Scanning & Enumeration

3. Vulnerability Research

4. Exploitation

5. Privilege Escalation

6. Post-Exploitation

7. Lateral Movement

8. Pivoting

9. Reporting

📚 Resources

Here are some useful resources to kickstart your journey using Tryhackme:

• 🔗 TryHackMe — Practical labs for hands-on learning

• 🧪 PortSwigger Academy — Free web application security training

• ⚡ HackTheBox — Advanced labs and certifications

🏁 Final Thoughts

Offensive security is not just about tools or exploits — it’s about understanding systems deeply, thinking like an attacker, and documenting everything you learn.

This roadmap is not a race. Take your time, practice daily, and never stop learning.

“The journey of an offensive security professional isn’t about becoming a script-kiddie hacker. It’s about building mastery, one layer at a time.”

Stay consistent, keep hacking, and see you at the top. 🚀

What is the PT1 Certification?

The PT1 is an entry-level penetration testing certification offered by TryHackMe. It’s designed to validate foundational skills in ethical hacking and cybersecurity. Unlike multiple-choice exams, the PT1 is hands-on: you’re dropped into a practical environment where you must enumerate, exploit, escalate, and prove your skills in real-world-style scenarios.

It’s not about theory—it’s about doing.

Key areas covered include:

• Enumeration & Reconnaissance

• Web Application Attacks

• Privilege Escalation

• Password Cracking & Exploitation

• Report Writing & Documentation

• Attacking Active Directory

• Remediation step to recover each exploited vulnerability

My Learning Journey

I started studying penetration testing through TryHackMe’s guided learning paths. What I loved most about TryHackMe is how it turns complex topics into interactive labs where you learn by breaking, fixing, and exploring systems yourself.

Some of the skills I strengthened along the way:

• Using tools like Nmap, Gobuster, Hashcat, and Burp Suite for reconnaissance and exploitation.

• Understanding how misconfigurations lead to privilege escalation.

• Practicing persistence and creative problem-solving when the “obvious” path didn’t work.

• Writing reports clearly and effectively, which is often overlooked but just as important as hacking itself.

The Exam Experience

The PT1 exam was challenging, specially the web part of the exam but in the best way possible. It tested not only my technical skills but also my ability to think critically under pressure. I had to carefully enumerate the target, try different approaches, and stay organized while taking notes and screenshots for my final report.

This was a great reminder that penetration testing is not just about tools—it’s about mindset.

Why This Matters

Achieving the PT1 certification means more than just a badge to add to my profile. It’s proof that I can approach a system like a penetration tester, find vulnerabilities, and demonstrate them responsibly.

It also motivates me to keep pushing further. PT1 is just the beginning—I plan to continue sharpening my skills with more advanced certifications, homelab projects, and real-world practice.

What’s Next?

• Building out my homelab to simulate real enterprise environments.

• Diving deeper into Active Directory attacks and defenses.

• Preparing for more advanced certifications, like OSCP, CPTS, CAPE.

• Sharing my journey and projects here on my blog and on my Github Projects.

Exam tip if you are one that Journey

If you are a beginner I would recommend to follow the Tryhackme’s recommended Learning path to get ready for the exam.

Tryhackme Recommended Learning path

If you have previous Hacking experience from certifications like : TCM Security PJPT, PNPT or eLearnSecurity (eJPTv2)

I would recommend to follow this short path

Rooms

[ ] https://tryhackme.com/room/owasptop102021

[ ] https://tryhackme.com/room/sqlfundamentals

[ ] https://tryhackme.com/room/sqlmapthebasics

[ ] https://tryhackme.com/room/raceconditionsattacks

[ ] https://tryhackme.com/room/sqlinjectionlm

[ ] https://tryhackme.com/room/xss

[ ] https://tryhackme.com/room/axss

[ ] https://tryhackme.com/room/dombasedattacks

[ ] https://tryhackme.com/room/writingpentestreports

Practice

• [ ] https://tryhackme.com/room/k2room

Certification link: https://tryhackme.com/certification/junior-penetration-tester

Final Thoughts

I’m proud to have earned the PT1 certification, but this is just one step in a much larger journey. Cybersecurity is a field where learning never stops, and I’m excited to keep growing.

If you’re starting out and wondering whether to pursue PT1: do it. It’s beginner-friendly, practical, and a confidence booster for anyone serious about penetration testing.

Stay tuned for more write-ups, projects, and lessons I’ll be sharing along the way. 🚀

Thank you

I would like to take a moment to say thank you to some people who are always in some how pushing me in that endless journey of penetration testing

Gael Beauboeuf

Morad Halmi

Mpotisambo

Roydel Foster

Djefferson Saintilus

Christ Louissaint

Certification

Exam link: Tryhackme PT1