What this project is

Most cybersecurity courses teach you about attacks in theory. You read about how phishing works, watch a demo, and move on. I wanted to actually do it — in a controlled environment where the only victim was my own hardware.

This home lab is a mini network I built specifically for offensive and defensive security practice. It has an attacker machine, a victim machine, and a router creating an isolated subnet that keeps everything off my main home network. The whole thing cost under $150 in hardware, most of which I already had.

The bonus piece: I embedded a ttyd live terminal in a demo website so people could see a real terminal session running in the browser — because that's exactly the kind of thing that makes people stop and ask "wait, how does that work?"

How I set it up

The lab has three main components:

1. The Victim Machine — Raspberry Pi 4 running Ubuntu Server

The Pi runs Ubuntu Server (headless — no display, SSH only). It acts as the target for network scans, the machine I run Wireshark on to capture traffic, and the host for the ttyd terminal server. It's always on, pulls about 3W of power, and lives on my desk.

2. The Isolated Network — Wavlink Router

The Wavlink router creates a completely separate subnet (192.168.10.0/24) that's isolated from my home network. Nothing on this subnet can reach the internet or my actual devices. This is the most important part — you do not want to run Kali attacks on your production network. The Pi and the Kali machine both connect to this router.

3. The Attacker Machine — Kali Linux

My laptop dual-boots Kali Linux. From the Kali side, I run all the offensive tools: Nmap for network discovery, Wireshark for packet capture, and Zphisher for simulating phishing attacks.

Here's a typical session — scanning the victim Pi from the Kali machine:

┌──(kali㉿kali)-[~]
└─$ nmap -sV -O 192.168.10.105   # Discover open ports and OS fingerprint on the Pi
┌──(kali㉿kali)-[~]
└─$ wireshark &                  # Launch Wireshark to capture the traffic in real time

The ttyd integration is what made this a web project, not just a hardware project. ttyd is a tool that exposes a terminal as a web page over HTTP. I ran it on the Pi, set it to share a restricted shell session, and embedded it in a demo site via an iframe. Visiting the site, you see a live terminal — not a recording, not a GIF, an actual shell you can watch run commands in real time.

Security note on ttyd: Never expose ttyd to the public internet without authentication. The demo I built ran on localhost and was only shown during demos. For anything facing the web, you'd need auth + TLS + rate limiting at minimum.
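The security note above can be turned into a pre-launch check. This is an added example, not code from the original lab: it reads a ttyd command line and lists which of the controls named in the note are missing when the listener is reachable from the network. It assumes a ttyd release where sessions are read-only unless -W is given, and the loopback names and sample command lines are constructed for illustration.

```python
import shlex

# ttyd options that take a value, short -> long, so the scan can skip the values.
TAKES_VALUE = {
    "-p": "--port", "-i": "--interface", "-U": "--socket-owner",
    "-c": "--credential", "-H": "--auth-header", "-u": "--uid", "-g": "--gid",
    "-s": "--signal", "-w": "--cwd", "-t": "--client-option",
    "-T": "--terminal-type", "-m": "--max-clients", "-I": "--index",
    "-b": "--base-path", "-P": "--ping-interval", "-C": "--ssl-cert",
    "-K": "--ssl-key", "-A": "--ssl-ca", "-d": "--debug",
}
SWITCHES = {"-S": "--ssl", "-W": "--writable"}
# Assumption: these -i values keep the listener on loopback.
LOOPBACK = {"lo", "lo0", "127.0.0.1", "::1", "localhost"}

def parse_ttyd(cmdline):
    """Return ({long_option: value}, served_command) for one ttyd command line."""
    argv, opts, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(argv) and argv[i].startswith("-"):
        name, eq, val = argv[i].partition("=")
        name = TAKES_VALUE.get(name) or SWITCHES.get(name) or name
        if name in TAKES_VALUE.values() and not eq:
            i += 1  # value is the next token, e.g. "-p 7681"
            val = argv[i] if i < len(argv) else ""
        opts[name] = val or True
        i += 1
    return opts, argv[i:]  # everything after the options is the shell ttyd serves

def audit_ttyd(cmdline):
    """List the controls missing from a network-reachable ttyd; [] if none."""
    opts, _ = parse_ttyd(cmdline)
    iface = opts.get("--interface")
    if isinstance(iface, str) and (iface in LOOPBACK or iface.startswith("/")):
        return []  # loopback or UNIX socket: the localhost-demo case
    findings = []
    if not (opts.get("--credential") or opts.get("--auth-header")):
        findings.append("no authentication (-c, or -H behind an auth proxy)")
    if not all(opts.get(o) for o in ("--ssl", "--ssl-cert", "--ssl-key")):
        findings.append("no TLS (-S with -C and -K)")
    if opts.get("--writable"):
        findings.append("viewers can type into the shell (-W)")
    if str(opts.get("--max-clients", "0")) == "0":
        findings.append("no client cap (-m); rate limiting belongs in a proxy")
    return findings

# Constructed sample command lines, not taken from the post.
SAMPLES = ["ttyd -p 7681 rbash", "ttyd -i lo -p 7681 rbash"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_ttyd(sample) or "nothing flagged")
```

The -m option only caps concurrent clients; it is the closest built-in control, so request rate limiting would sit in whatever proxy fronts the terminal.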

Zphisher is a phishing framework that generates convincing clone pages of major sites (Instagram, Gmail, Netflix, etc.) and captures credentials when someone enters them. Running it in the isolated lab — with myself as the only target — was eye-opening. The pages look exactly like the real thing. Without checking the URL bar, most people would not catch it.

What's running in the lab

Raspberry Pi 4: Victim / monitor node
Ubuntu Server: Pi OS (headless)
Wavlink Router: Isolated subnet
Kali Linux: Attacker machine OS
Wireshark: Packet capture
Nmap: Network scanning
Zphisher: Phishing simulation
ttyd: Browser terminal

What hit different doing it for real

Network segmentation is not optional — it's the first thing you set up. I made the mistake of initially running some Nmap scans without the isolated router, and my home router's logs lit up. Lesson learned: always isolate first.

Wireshark is humbling. Seeing the raw packets for something as simple as an HTTP GET request makes everything you thought you knew about networking feel shallow. When you can see the actual bytes flowing between machines, abstractions stop being abstract.

The Zphisher experience genuinely changed how I think about phishing awareness training. You can tell people "phishing pages look real" all you want, but watching someone interact with a cloned login page in real time is a different kind of lesson. That insight directly shaped the Phishing Awareness Capstone project I built later.

The ttyd-in-browser demo was a hit whenever I showed it to people. Non-technical people do a double take when they see a terminal running inside a webpage. It's a great conversation starter and makes the abstract concept of "server-side execution" suddenly very concrete.
