Warning: A non-numeric value encountered in /home/guillerm/public_html/wp-content/themes/Builder-Cohen/lib/builder-core/lib/layout-engine/modules/class-layout-module.php on line 499

Building an Ethical Hacking Lab

If you want to have a successful career in Information Security, building your own personal lab is essential. Not only it is likely to come up during technical interview questions but it will also be your personal geek playground. The lab is where you learn, discover, and have fun.

In this blog post I will show you how to set up a simple virtual lab with cheap hardware and free software that will help you get started in the amazing world of offensive security.

With the advancement in virtualization technologies building a lab is now easier than ever. All you really need is a computer, a virtualization platform, software, and most importantly, lots of enthusiasm.


If you are reading this post on a laptop or desktop computer, chances are good that you can use it to host this lab. I typically recommend people to use a computer with at least the following minimum specs:

  • i5 Quad Core CPU
  • 16GB of RAM
  • 250GB HDD, or even better, use an SSD if you can afford it.

Probably the single most important hardware component is memory. VMs are very memory hungry, so don’t go below 16GB if you want to run multiple VMs at the same time.

Virtualization platform

When it comes to choosing a virtualization platform you have several options. I won’t go into a detailed review of each platform here but I encourage you to do some research on your own. For this post, I will be using Oracle’s VirtualBox for three main reasons: it’s very simple to use, it’s available on all major platforms (Windows, Mac, and Linux), and it’s free.

Installing VirtualBox is pretty straight forward so I won’t cover the installation steps in this post. Check out the official documentation here.

General considerations

Arguably the most important thing to keep in mind when building a hacking lab is network isolation. It is really important to make sure that:

  1. Your vulnerable VMs are not exposed to the internet.
  2. The attacker VM cannot launch attacks against unintended targets.

Thus, I always suggest to use an Internal Network Adapter (more information about network modes here) to ensure that your VMs can see each other but cannot communicate with the outside world. This is vital since penetration testing can be a very destructive process. Tools such as nmap or metasploit can easily bring an entire network down.

You can use the VirtualBox command below to create a DHCP server for you internal network. In my case the network name is “pentest_net” and the IP range is

Some VMs might also need a NAT adapter to be able to download software and/or updates from the internet. I strongly suggest you disable the NAT adapter by default, and only enable it when strictly required.

Pentest VM

If you are new to offensive security you should check out one of the pen test distributions available online for free. These Linux-based distributions are great for beginners since they come with a bunch of pre-installed software and tools. Without a doubt the most popular one is Kali Linux, and for that same reason is the one that we will be using today.

First, download the latest version of Kali here:


Then, run the following command to register the VM:

Give it 2GB of memory:

Create an empty hard driver file in VDI format:

Add a SATA controller for your HDD:

Attach the VDI file:

Add an IDE controller for your ISO file:

Attach the ISO file:

By default, all VMs are created with a NAT adapter. This adapter will allow your VM to communicate with the internet. You will need this adapter for installing/updating software in your Kali Linux VM. However, we will also need a second Internal Network adapter to allow your VM to connect to the “pentes_net” network created earlier:

Start you VM from the GUI, select install, and follow the installation instructions:

Once the installation process is done, open up a terminal in Kali Linux and type “ifconfig” to see the list of available network interfaces. You should see something like this:

Notice that we have two ethernet interfaces (eth0 and eth1). The first is attached to the NAT adapter, while the second one should be attached to the Internal Network adapter.

Run the following commands to enable eth0 so that we can connect to the internet:

Then, run the following commands to update your packages and installed the guest additions:

This will take some time but make sure you disable eth0 and enable eth1 as soon as the installation is done:

If you run “ifconfig” again you should only see eth1 and the loopback interface:

Vulnerable VMs

Once you have your attacker machine setup you’ll need some victims. Though I strongly recommend you to play around with a commercial OS such as Windows (preferably unpatched versions of Windows XP or Windows 7), for this post we will use intentionally vulnerable VMs that were specially designed for learning.

We will install and configure two target VMs:

  • Metasploitable 2: Linux VMs which was created in an intentionally insecure manner.
  • CentOS minimal running WebGoat, which is a java-based web application great for learning Web Application Pen Testing.

Metasploitable 2

Download the Metasploitable 2 files from this link:


Notice that the zip file already contains a VirtualBox image in vmdk format (metasploitable-linux-2.0.0\Metasploitable2-Linux\Metasploitable.vmdk), so all we need to do is attach it to the SATA controller:


WebGoat is a just Java-based web application, so the first thing we need is an operating system. Download CentOS minimal from here:


And use these commands to create the VM:

Start the VM from the GUI and follow the installation instructions.

Once the VM is up and running we need to install docker in order to run the WebGoat container. Run this command from the CentOS terminal to add the official Docker repository, download the latest version of Docker, and install it:

Start the Docker daemon when the installation is done:

Verify that it’s running:

Lastly, make sure it starts at boot time:

Now run the following commands to download the container image and run it:

At this point the WebGoat application should be running and listening on port 8080 inside your CentOS VM.

You don’t need the NAT adapter anymore so feel free to remove it or disable it. Though we want to make sure that the VM can connect to our “pentest_net” network.

Edit the following file using vi:

And set the following property at the end:

Finally restart the network service:


If everything worked as expected you should now be able to ping the target VMs from Kali. Connect to your Kali VM and do a ping sweep using fping to discover their IPs:

The hosts.txt file should contain three IP (you might get different IPs in your environment):

Where to go from here

Now it’s time to try hacking into your VMs! 

The following Metasploitable tutorials are a good place to start playing:

Metasploit Unleashed

Metasploitable 2 Exploitatability Guide

The WebGoat project has some useful tutorials.

Finally, the following book is also a great introduction to penetration testing:

The Basics of Hacking and Penetration Testing

Warning: A non-numeric value encountered in /home/guillerm/public_html/wp-content/themes/Builder-Cohen/lib/builder-core/lib/layout-engine/modules/class-layout-module.php on line 499