How to Build a Hacking Lab

Building a hacking lab may seem like a daunting task for the uninitiated. But by leveraging the wonders of virtualization, you’ll find it is really quite easy. In this article, I will describe how you, the prospective hacker, can assemble a basic yet fully functional hacking lab.

Overview: We are going to utilize virtual machines to populate our hacking environment. You will have a designated attack platform and at least one vulnerable host to practice techniques on. As long as you’re connected to the internet and you have a halfway decent computer, you will not have to acquire additional hardware.

  1. Download VM software – I recommend either VMware Workstation 12 Player or Oracle’s VirtualBox.
  2. Download Kali Linux 2
  3. Download Metasploitable 2
  4. Acquire Windows XP if possible
  5. Boot each VM image in VM software
  6. Configure Networking – recommend “Host Only” mode for isolated testing
  7. Get shells.

1. Download and Install Virtual Machine Software

For those just getting into hacking, I recommend downloading and installing Oracle’s VirtualBox. It has nearly all the features of the paid version of VMware Workstation (namely the ability to take snapshots), and it is absolutely free! You may also want to try the free 30-day trial version of VMware Workstation 12 Pro, as it is commonly used in enterprise environments and is often what you’ll be working with on the job. After the 30-day trial is up, it will revert to the VMware Workstation 12 Player version, which, sadly, does not have the ability to take snapshots. Both VirtualBox and VMware Player are worth knowing, so don’t be afraid to try both and see which one you like more.

Oracle VirtualBox:

VMware Workstation 12 Player:

IMPORTANT: Make sure you download the VM software version that matches your operating system and architecture (32- or 64-bit).

2. Download Kali Linux 

Kali Linux is a Debian-based Linux distribution that comes pre-loaded with hundreds of hacking and security assessment tools. For many, it is the penetration tester’s hacking platform of choice. For someone who wants to get into hacking, this is the OS I recommend starting with.

Kali Linux:

3. Download Metasploitable 2

Metasploitable 2 is an intentionally vulnerable Linux platform that you may use to safely practice hacking. It is loaded with vulnerabilities so that you can try all sorts of different tools, techniques, and exploits to get root.


4. Acquire Windows XP (if possible)

You’ll want to get a Windows XP machine to practice on if at all possible, because many foundational hacking techniques are best demonstrated against a Windows XP and/or 2000 system. Unlike Kali and Metasploitable, we cannot freely download Windows XP, even though it is no longer commercially sold or supported. You can often find Windows XP discs with valid license keys on eBay for $20-30. Torrenting is also an option… just know that it is technically illegal and you may inadvertently expose your system to unscrupulous trojans and rootkits.

5. Boot each VM in VM software

Booting a virtual machine tends to be pretty straightforward – use the GUI. Generally speaking, you’ll create a “new VM,” which will open up a wizard that will guide you through setting up your OS. You will provide an installer disc image file, which is the ISO image you downloaded (kali2.iso/metasploitable2.iso), as the base image that will be used to set up your VM. You may have to “power on” the VM by clicking a play button. Once the OS is installed/booted, you will be able to interact with the VM as if it were a real computer. If you find yourself struggling to get everything to work, google your VM software and something along the lines of “how to load ISO.”

6. Configure Networking Mode

VM software generally offers at least three different network connection modes: Bridged, NAT, or Host-only. Describing each mode is beyond the scope of this article. Suffice it to say, you will have to use Bridged or NAT if your VM needs internet connectivity. Vulnerable machines like Metasploitable should not be in Bridged or NAT; rather, they should be in Host-only. Host-only limits the virtual machine to a local private subnet on your host, which has the effect of keeping your vulnerable VM from being exposed to the internet, where it would otherwise likely be exploited by automatic scanners, worms, etc. Remember to set Kali to Host-only when you are ready to attack Metasploitable.
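
One way to confirm that isolation before you start, as an added example that is not part of the original article: a small shell check for VirtualBox that reads `VBoxManage showvminfo <vm> --machinereadable` and flags any adapter not in Host-only mode. The function names, the script name `check_lab.sh` and the VM names are assumptions, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify a VirtualBox VM is
# only attached to host-only networking before you start attacking it.
# exposed_nics is a hypothetical helper name; it reads the output of
#   VBoxManage showvminfo <vm> --machinereadable
# on stdin, prints every NIC in a non-isolated mode, and returns 1 if any exist.
exposed_nics() {
    awk -F= '
        /^nic[0-9]+=/ {                 # matches nic1=, not nictype1=
            mode = $2
            gsub(/[\r"]/, "", mode)     # strip quotes and Windows CRs
            if (mode != "none" && mode != "hostonly") {
                print $1 " is " mode
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample: first adapter left in bridged mode (exposed).
sample_exposed() {
    cat <<'EOF'
name="Metasploitable2"
nic1="bridged"
bridgeadapter1="eth0"
nictype1="82540EM"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
EOF
}

# Constructed sample: only a host-only adapter attached (isolated).
sample_isolated() {
    cat <<'EOF'
name="Metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
EOF
}

# Real use; the VM names you pass are whatever you called your VMs:
#   sh check_lab.sh Metasploitable2 Kali
for vm in "$@"; do
    if VBoxManage showvminfo "$vm" --machinereadable | exposed_nics; then
        echo "$vm: host-only, OK"
    else
        echo "$vm: NOT isolated, fix before continuing"
    fi
done
```

A VM with every adapter set to `none` also passes, since it has no network attachment at all.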

7. Get shells. 

With your VMs booted up and networking established, you should be ready to start using your hacking lab. Great job! For now, I recommend googling and/or YouTube-ing for guides on hacking Metasploitable 2 using Kali Linux. This will be enough to get your feet wet and get some shells. So here is to the start of your hacking journey! Keep practicing, and you’ll go from noob 2 root in no time.