· 7 min read INFO @Sdmrf

Building Your First Security Lab

How to set up a safe, isolated environment for practicing cybersecurity skills - from a simple VM setup to a full attack-and-defend lab.


You’ve learned the theory across six modules. Now you need somewhere to practice. Running Nmap scans against random internet targets is illegal. Trying SQL injection on production websites will get you in trouble. You need a lab - a controlled environment where you can break things safely.

A security lab is a set of virtual machines on your own hardware, isolated from the real world. You own every system. You have permission to attack everything. Nothing you do escapes to the internet.

What You Need

Hardware

You don’t need expensive equipment. A lab runs on any modern computer:

Minimum:

  • 8 GB RAM (16 GB recommended)
  • 50 GB free disk space
  • Any CPU from the last 5-6 years with virtualization support

Recommended for a fuller lab:

  • 16-32 GB RAM
  • 100+ GB SSD space
  • Multi-core CPU (4+ cores)

If your computer can run a web browser and a video call simultaneously, it can run a basic lab.

Software (Free)

Component        Options
Hypervisor       VirtualBox (free, cross-platform) or VMware Workstation Player (free for personal use)
Attack machine   Kali Linux (free)
Target machines  Metasploitable, DVWA, VulnHub machines (all free)

Level 1: The Basics

Start here. One attacker machine, one target.

Step 1: Install a Hypervisor

A hypervisor runs virtual machines (VMs) on your computer. Each VM is a complete operating system running in isolation.

Download and install VirtualBox - it’s free, works on Windows, macOS, and Linux.

Step 2: Set Up Kali Linux

Kali Linux is a Linux distribution pre-loaded with security tools - Nmap, Burp Suite, Metasploit, Wireshark, and hundreds more.

  1. Download the Kali VirtualBox image from kali.org
  2. Import it into VirtualBox (File → Import Appliance)
  3. Allocate at least 2 GB RAM and 2 CPUs
  4. Start the VM
  5. Default credentials: kali / kali

You now have an attack machine with every tool we’ve referenced in this series.

Step 3: Set Up a Target

DVWA (Damn Vulnerable Web Application) is the best starting target for web security practice:

  1. Download a pre-built DVWA VM, or set one up in a simple Ubuntu VM:
# On a fresh Ubuntu VM
sudo apt update && sudo apt install -y docker.io
sudo docker run -d -p 80:80 vulnerables/web-dvwa
  2. Access DVWA at http://<vm-ip> in a browser
  3. Default login: admin / password
  4. Set the security level to “Low” and start practicing

DVWA has guided challenges for XSS, SQL injection, file upload, command injection, and more. Each challenge has adjustable difficulty levels.

Step 4: Network Configuration

This is critical - keep your lab isolated:

In VirtualBox, set both VMs to use Host-Only Networking or an Internal Network:

  1. Select the VM → Settings → Network
  2. Set Adapter 1 to “Host-Only Adapter” (both VMs can talk to each other and your host, but not the internet)
  3. Or use “Internal Network” with the same network name on both VMs (VMs talk to each other only)
# On Kali, verify you can reach the target
ping <target-ip>

# Verify you can't reach the internet (good - lab is isolated)
ping 8.8.8.8    # Should fail if using host-only/internal

Why isolation matters: If you accidentally run an exploit that spreads (like a worm), isolation ensures it stays inside your lab. It also prevents your ISP or network admin from flagging your scanning activity.
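The two checks below back up the isolation rule in Step 4 with something you can script rather than eyeball: an adapter audit run on the host (every adapter of every lab VM must be host-only or internal) and a route check run inside the guest (a host-only or internal adapter never hands out a default gateway, so the guest should have no `default via` route). This is an added example, not code from the original post. It assumes the `VBoxManage showvminfo <vm> --machinereadable` output format (`nic1="hostonly"`, `nic2="nat"`, `nic3="none"`, and so on); the VM names `kali-lab` and `dvwa-lab` are placeholders, and the sample outputs embedded in the script are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): scripted versions of the Step 4
# isolation checks. VM names kali-lab / dvwa-lab are placeholders; the sample
# outputs at the bottom are constructed, not captured from real VMs.

# 1. Adapter audit (run on the HOST, where VBoxManage lives).
# `VBoxManage showvminfo <vm> --machinereadable` prints one line per adapter:
#   nic1="hostonly"   nic2="nat"   nic3="none"
# Only hostonly and intnet keep traffic inside the lab; nat, bridged, natnetwork
# and generic give the VM a path out. Prints the offending lines and returns 1
# if any adapter is not isolated, 0 otherwise.
check_vm_adapters() {
    # $1: showvminfo --machinereadable output
    bad=$(printf '%s\n' "$1" | grep -E '^nic[0-9]+=' \
          | grep -vE '^nic[0-9]+="(hostonly|intnet|none)"$') || true
    if [ -n "$bad" ]; then
        printf 'non-isolated adapter(s):\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# 2. Route check (run INSIDE the guest, e.g. on Kali).
# Host-only/internal adapters get no default gateway, so `ip route` shows only
# the lab subnet. A "default via ..." line means the guest can reach the internet.
# Returns 0 when no default route exists (isolated), 1 otherwise.
guest_has_no_default_route() {
    # $1: `ip route` output
    ! printf '%s\n' "$1" | grep -q '^default '
}

# Audit every VM named on the command line against the live VirtualBox config.
audit_vms() {
    rc=0
    for vm in "$@"; do
        info=$(VBoxManage showvminfo "$vm" --machinereadable)
        printf '== %s ==\n' "$vm"
        check_vm_adapters "$info" || rc=1
    done
    return $rc
}

# Constructed sample data (not real VM output) so the checks can be exercised offline.
ISOLATED_VM='name="kali-lab"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"'
LEAKY_VM='name="dvwa-lab"
nic1="hostonly"
nic2="nat"'
GUEST_ROUTES_LAB='192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.10'
GUEST_ROUTES_INET='default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15'

check_vm_adapters "$ISOLATED_VM" && echo "kali-lab: isolated"
check_vm_adapters "$LEAKY_VM"    || echo "dvwa-lab: fix Adapter 2 before starting the VM"
guest_has_no_default_route "$GUEST_ROUTES_LAB"  && echo "guest routes: no way out (good)"
guest_has_no_default_route "$GUEST_ROUTES_INET" || echo "guest routes: default route present (bad)"
# Real use on the host, with your own VM names:  audit_vms kali-lab dvwa-lab
# Real use in the guest:                         guest_has_no_default_route "$(ip route)"
```

The adapter audit is the more useful of the two because it catches the common mistake of leaving a second adapter on NAT (the default for a freshly imported appliance) while Adapter 1 is host-only; the guest-side route check confirms the same thing from the other direction and is what the `ping 8.8.8.8` test above is really measuring.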

Level 2: Practice Platforms

Once you’re comfortable with the basics, expand with purpose-built vulnerable machines.

VulnHub

VulnHub hosts hundreds of downloadable vulnerable VMs, each designed as a challenge:

  1. Download a VM (.ova or .vmdk file)
  2. Import into VirtualBox
  3. The goal is usually to find hidden flags (capture-the-flag style)

Recommended starter machines:

  • Kioptrix Level 1 - Classic beginner box
  • Mr. Robot - Themed, approachable
  • Basic Pentesting 1 - Structured learning path

Metasploitable

A purposefully vulnerable Linux VM designed for Metasploit practice:

  • Multiple vulnerable services (FTP, SSH, HTTP, Samba, MySQL)
  • Perfect for practicing port scanning and service exploitation
  • Download from Rapid7
# From Kali, scan Metasploitable
nmap -sV -A <metasploitable-ip>

# You'll find dozens of open ports and vulnerable services

Online Platforms

If you want guided challenges without managing VMs:

Platform                           Best For                                    Cost
TryHackMe                          Absolute beginners, guided learning paths   Free tier + paid ($14/mo)
HackTheBox                         Intermediate+, realistic machines           Free tier + paid ($14/mo)
PicoCTF                            CTF practice, beginner-friendly             Free
PortSwigger Web Security Academy   Web application security specifically       Free
OverTheWire                        Linux command line and basics               Free

Recommendation: Start with TryHackMe’s “Complete Beginner” learning path. It walks you through concepts with built-in browser-based labs - no local setup required.

Level 3: Attack and Defend Lab

When you’re ready for a more realistic environment, build a lab that simulates a real network.

The Setup

┌──────────────────────────────────────────────────┐
│                     Your Lab                     │
│                                                  │
│  ┌──────────┐    ┌───────────┐    ┌───────────┐  │
│  │  Kali    │    │  Windows  │    │  Ubuntu   │  │
│  │ (attack) │────│  Server   │────│  (web     │  │
│  │          │    │  (AD DC)  │    │   server) │  │
│  └──────────┘    └───────────┘    └───────────┘  │
│                        │                         │
│                 ┌─────────────┐                  │
│                 │   Windows   │                  │
│                 │    10/11    │                  │
│                 │(workstation)│                  │
│                 └─────────────┘                  │
└──────────────────────────────────────────────────┘

This gives you:

  • Active Directory to practice domain attacks (Kerberoasting, Pass-the-Hash, BloodHound)
  • A web server to practice application attacks
  • A workstation to practice endpoint attacks and privilege escalation
  • A complete network for lateral movement practice

Windows Evaluation Licenses

Microsoft provides free evaluation versions:

These are fully functional and legal for lab use.

Automated Lab Builders

Setting up Active Directory manually is educational but time-consuming. These tools automate it:

  • GOAD - Game of Active Directory. Multiple vulnerable AD configurations
  • DetectionLab - Pre-built lab with logging and monitoring (Splunk, osquery, Fleet)
  • Ludus - Automated range builder

For a more detailed monitoring-focused setup, see our detection lab guide.

Lab Exercises to Try

Map these exercises to what you’ve learned:

Module              Exercise
Networking          Run Wireshark and capture traffic between VMs. Identify TCP handshakes, DNS queries, HTTP requests
Operating Systems   Practice Linux commands on Kali. Set up users and permissions on the Ubuntu VM
Web Security        Complete DVWA challenges at all difficulty levels
Cryptography        Set up HTTPS on your Ubuntu web server. Inspect the TLS handshake in Wireshark
Attack Methods      Full pentest against Metasploitable: recon → exploit → escalate → document
Defense             Install Wazuh on a VM. Generate attacks from Kali. See if your alerts trigger

Lab Rules

  1. Never connect vulnerable VMs to the internet. Use host-only or internal networking
  2. Snapshot before experimenting. VirtualBox snapshots let you restore a clean state instantly
  3. Document everything. Keep notes on what you tried, what worked, what didn’t. This builds your methodology
  4. Only attack what you own. Your lab. Authorized platforms. Nothing else
  5. Break it, then fix it. After exploiting a vulnerability, practice the hardening steps to close it

What’s Next

You have a career direction and a lab to practice in. The final post covers certifications, learning resources, and a concrete plan for continuing your security education beyond this series.

Reading about hacking teaches you concepts. Practicing in a lab builds skills. The gap between knowing how SQL injection works and actually exploiting one is only closed by doing it yourself.
