How to Build Your Own Pentesting/Hacking Lab

If you’re interested in a career in penetration testing, then testing your skills is a must. A home penetration testing lab is a great way to try out new techniques and new tooling without risk.

Practicing is always the best way to improve your skills. The problem with hacking is that practicing on live systems you don’t own, or don’t have written permission to test, can land you in legal trouble that will damage your cybersecurity career far more than lacking a few skill points here and there.

The solution to this problem is a home penetration testing lab. In this article I’ll show you how to build your own lab so you can improve your hacking and penetration testing skills. There are several options for having your own pentest lab, each with its own pros and cons, so we’ll explore them below.

SOLUTION 1: EXPENSIVE AND NOT ADVISED FOR BEGINNERS: CLOUD

A pentest lab in the cloud has several advantages: it takes up no space on your machine, there is no upfront hardware cost, and you can be up and running almost immediately. The downsides are why it is not the best first choice. Hourly billing adds up quickly if you forget to shut instances down; you need to pick a provider and check which operating systems and images it lets you run; unusual or complex network configurations are hard to reproduce; and you are bound by the provider’s terms of service, which often restrict offensive testing and the hosting of deliberately vulnerable systems. Read the provider’s penetration-testing policy before you start.

You can use this free site as a start, but it is really limited and its Kali Linux image is very old. Check it out here: Linuxzoo.net. Just register for an account and you can start.

SOLUTION 2: BEST AND RELATIVELY CHEAP: VIRTUAL MACHINES

If you decide to avoid the cloud and do it yourself, here is what to look out for. You need a laptop or desktop with a decent amount of memory, think 16 GB RAM upwards, because several VMs running at once eat a lot of it. The CPU must support hardware virtualization (Intel VT-x or AMD-V) and it must be enabled in the BIOS/UEFI, or 64-bit guests will refuse to boot. An SSD or HDD of at least 320 GB is also advisable; more is definitely better, and an SSD makes booting VMs and restoring snapshots noticeably faster. This option is cheap if you already have a suitable machine lying around, and expensive if you don’t.

Some great resources:
– Vulnhub’s HackinOS is a beginner-level, CTF-style vulnerable machine. You can download it here.

– Security infrastructure: Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro (now Zeek), Wazuh, Sguil, Squert, CyberChef, NetworkMiner and many other security tools. Running it on its own VM with a sniffing interface on the lab network lets you see what your attacks look like from the defender’s side. You can download it here.

– Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools and practice common penetration testing techniques. Download it here.

– Practical Pen Test Labs: a hands-on penetration testing course that uses virtual environments. There are free labs as well as premium ones, so it is a low-cost, easy-to-set-up way to get started. You can check it out here.

– XAMPP development environment: XAMPP is a popular, completely free and easy-to-install Apache distribution containing MariaDB, PHP and Perl, and a convenient way to host deliberately vulnerable web applications inside the lab. Keep it on the lab network only; it is not hardened for exposure to the Internet. You can download it here.

Many of you here are new to hacking. If so, I strongly recommend that each of you set up a “laboratory” to practice your hacks. Just like any discipline, you need to practice, practice and practice some more before you take it out into the real world.

In many disciplines, if you don’t practice you simply fail. In ours, if you don’t practice and then fail on a real system, you may end up serving years behind bars. That makes a dedicated practice lab an even more compelling case than in other disciplines.

Many of you have had difficulty setting up a hacking environment to practice in. In this tutorial I will show you the simplest and fastest way to set up a lab to practice your hacks before taking them out into the real world, where any slip-up could be devastating.

Download VMware Workstation or Player

The best way to practice hacking is within a virtual environment. Essentially, you set up an attacking system, such as Kali Linux, and some victims to exploit. Ideally you want multiple operating systems (Windows XP, Vista, 7 and 8, as well as a Linux flavour) and applications, so that you can try out a variety of hacks.

Virtual machines on a virtual network are the best and safest way to set up a hacking lab. There are several virtualization systems out there, including Citrix XenServer, Oracle’s VirtualBox, KVM, Microsoft’s Virtual PC and Hyper-V, and VMware’s Workstation, Player and ESXi. For a laboratory environment I strongly recommend VMware’s Workstation or Player. Workstation is a commercial product that costs under $200, while Player is free for personal use; you can also get a free 30-day trial of Workstation. Whichever you choose, attach the attacker and the targets to a host-only (or internal) virtual network rather than a bridged one: a bridged adapter puts a deliberately vulnerable target on your real LAN, reachable by every other device on it, and lets your attack traffic out the same way.

Player is aimed at running existing VMs, while Workstation adds the features a lab relies on: snapshots, so you can roll a target back to a clean state after you’ve trashed it; linked clones, so one base image yields several targets cheaply; and the Virtual Network Editor for building isolated VMnets. Let’s download VMware’s Workstation or Player here.

Download Kali VMware Images

Once you have downloaded and installed your virtualization system, the next step is to download the VMware image of Kali provided by Offensive Security. With this image you won’t have to create the virtual machine yourself; Offensive Security has already built it, so once the download is complete you simply open it in either Workstation or Player. Offensive Security publishes a SHA256 checksum next to each image; compare it against your download before you unzip, so you know you have the unaltered file and not a corrupted or tampered copy.

Unzip Images

Once the download is complete, you will need to unzip the files. Numerous free zip utilities are available, including 7-Zip, WinZip and WinArchiver (7-Zip also handles the .7z archives that newer Kali images ship in). Download and install one and unzip the files. In the screenshot below, I have downloaded the free trial of WinZip and used it to unzip the Kali files.
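The two checks the download and unzip steps above call for, verifying the archive against the published SHA256 and refusing an archive whose members would land outside the target folder, as an added Python example (not code from the original page or from Offensive Security). It assumes only the standard library; the archives it builds are constructed in a temporary directory, not real Kali images, and the expected checksum in practice is the one you copy from the vendor’s download page. Python’s own zipfile silently strips path components such as "../" on extraction; the helper here rejects them loudly instead, and validates every member before writing anything so a bad archive never leaves a half-extracted VM behind.

```python
import hashlib
import hmac
import shutil
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a (possibly multi-GB) VM archive without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path, expected_sha256):
    """Compare the file's SHA256 with the value published on the download page.

    hmac.compare_digest is overkill for a local file but costs nothing and
    is the right habit whenever two digests are compared.
    """
    return hmac.compare_digest(sha256_file(path).lower(),
                               expected_sha256.strip().lower())


def safe_extract(zip_path, dest):
    """Extract an archive, refusing any member that would land outside dest.

    All members are checked before anything is written. Returns the member
    names that were extracted.
    """
    dest = Path(dest).resolve()
    with zipfile.ZipFile(zip_path) as archive:
        members = archive.infolist()
        for info in members:
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(
                    f"refusing to extract {info.filename!r}: escapes {dest}")
        for info in members:
            archive.extract(info, dest)
    return [info.filename for info in members]


def demo():
    """Exercise both checks on constructed archives (not real Kali images)."""
    work = Path(tempfile.mkdtemp(prefix="pentest-lab-"))
    try:
        good = work / "Kali-Linux-vm.zip"
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("Kali-Linux-vm/Kali.vmx", 'displayName = "Kali"\n')

        # Same content plus a member whose path climbs out of the target
        # directory ("zip slip"), the shape a hostile re-upload could take.
        bad = work / "Kali-Linux-vm-mirror.zip"
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("Kali-Linux-vm/Kali.vmx", 'displayName = "Kali"\n')
            zf.writestr("../escape.txt", "constructed payload\n")

        results = {
            "good_hash_ok": verify_download(good, sha256_file(good)),
            "wrong_hash_ok": verify_download(good, "00" * 32),
            "good_extracted": safe_extract(good, work / "out"),
        }
        try:
            safe_extract(bad, work / "out2")
            results["bad_rejected"] = False
        except ValueError:
            results["bad_rejected"] = True
        results["nothing_escaped"] = not (work / "escape.txt").exists()
        results["nothing_partial"] = not (work / "out2").exists()
        return results
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For a real image, call verify_download("kali-linux-vmware-amd64.zip", "<sha256 from the download page>") and only then safe_extract() it into your VM folder.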

Open VMware Image

Once all the files have been unzipped, the next step is to open the new virtual machine. Make a note of the location where you unzipped the virtual machine image. Then go to either VMware Workstation or Player and choose File -> Open, as in the screenshot below.

This will open a window like the one in the screenshot below. You can see that my Kali image was stored under Documents, so I browse there and double-click on the folder.

When you do so, VMware will load the virtual machine and greet you with a screen like the one below.

Click the green button in the upper left, below “Kali-Linux-1.0.9-vm-amd64”, that says “Power on this virtual machine.” You should be greeted by the now familiar Kali screen.

Log in as user “root” with password “toor” to get started (that is the default for the Kali 1.x image shown here; images from Kali 2020.1 onward ship with the unprivileged user “kali” and password “kali” instead). Change that default password before you do anything else, especially if the VM is ever on a bridged or NAT network, because every Kali image on the Internet shares it. Happy hunting!

Download & Install Targets

For the next step you need to download and install a target system. Of course, you could use your own host Windows 7 or 8 system, but since this is practice you’ll want an older, easier-to-hack target. In addition, hacking your own host system can leave it unstable and damaged.

I recommend installing Windows XP, Vista, Server 2003 or an older version of Linux, or one of the purpose-built vulnerable machines listed above, such as Metasploitable or Vulnhub’s HackinOS. These systems have many known security flaws that you can practice on; then, when you become more proficient, you can move up to Windows 7 and 8 and newer versions of Linux. Whatever you pick, never let a target like this onto a network you don’t fully control: it is trivially exploitable by anyone, not just you.
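Before powering on a target, it is worth checking how its virtual NIC is wired, because an image downloaded from the Internet arrives with whatever connection type its author used, and that is frequently bridged. The script below is an added example (not code from the original page or from VMware) that audits a VMware .vmx file, the plain-text key = "value" configuration next to the .vmdk, and optionally rewrites every enabled adapter to host-only. It goes slightly beyond the text: it also flags NAT (outbound reachable) and custom VMnet assignments that need a look in the Virtual Network Editor. It assumes VMware’s documented ethernetN.present / ethernetN.connectionType keys with the values "bridged", "nat", "hostonly" and "custom"; SAMPLE_VMX is a constructed file in the style of a Metasploitable image, not a real one.

```python
import re

# A .vmx file is a flat list of   key = "value"   lines; this matches one.
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# How each VMware connection type should be judged for a lab target.
VERDICTS = {
    "hostonly": "ok",      # private VMnet shared only with the host and other lab VMs
    "custom": "check",     # a named VMnet: confirm in the Virtual Network Editor it has no bridge
    "nat": "warn",         # no inbound exposure, but the target can reach the Internet outbound
    "bridged": "exposed",  # the target sits on your real LAN with a real address
}

# Constructed sample in the style of a Metasploitable .vmx (not a real file).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "Metasploitable2-Linux"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.virtualDev = "e1000"
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet0"
ethernet2.present = "FALSE"
ethernet2.connectionType = "bridged"
"""


def parse_vmx(text):
    """Return the file as a dict with lower-cased keys (VMX keys are case-insensitive)."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_nics(cfg):
    """List (adapter, connectionType, verdict) for every enabled virtual NIC."""
    findings = []
    for key, value in cfg.items():
        m = re.fullmatch(r"(ethernet\d+)\.present", key)
        if not m or value.upper() != "TRUE":
            continue
        nic = m.group(1)
        ctype = cfg.get(f"{nic}.connectiontype", "").lower()
        # An adapter with no explicit type is not known to be isolated, so flag it.
        findings.append((nic, ctype or "<unset>", VERDICTS.get(ctype, "exposed")))
    return sorted(findings, key=lambda f: int(f[0][len("ethernet"):]))


def isolate(text):
    """Return a copy of the .vmx with every enabled NIC forced to host-only."""
    present = {nic for nic, _, _ in audit_nics(parse_vmx(text))}
    out, done = [], set()
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        nic, _, attr = (m.group(1).lower() if m else "").partition(".")
        if nic in present and attr == "connectiontype":
            out.append(f'{nic}.connectionType = "hostonly"')
            done.add(nic)
            continue
        if nic in present and attr == "vnet":
            continue  # drop a custom VMnet assignment (e.g. VMnet0, the bridged network)
        out.append(line)
    for nic in sorted(present - done):
        out.append(f'{nic}.connectionType = "hostonly"')  # adapter had no type line at all
    return "\n".join(out) + "\n"


def audit_file(path, fix=False):
    """Audit a .vmx on disk; with fix=True rewrite it in place (back it up first)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = audit_nics(parse_vmx(text))
    if fix and any(verdict != "ok" for _, _, verdict in findings):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(isolate(text))
    return findings


if __name__ == "__main__":
    import sys
    for vmx in sys.argv[1:]:
        for nic, ctype, verdict in audit_file(vmx):
            print(f"{vmx}: {nic} {ctype:<9} {verdict}")
```

Run it over every .vmx in your lab folder with the VMs powered off (VMware rewrites the file on shutdown, and re-reads it on power-on); a "check" verdict means the adapter points at a named VMnet whose bridging you must confirm by hand.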

If you or your friends don’t have a copy of these older operating systems, you can purchase them very inexpensively from many places on the Internet.

Of course, you can also find these operating systems for free on many torrent sites, but BEWARE: you will likely be downloading more than just the operating system. Very often these free downloads come with a trojanised installer or a rootkit that embeds itself in your system when you open the file. Stick to the vendor’s own downloads or a reputable archive, and verify the published checksum where one exists.

Download Old Applications

Once you have your operating system in place, you will very often need applications to run on these older versions of Windows and Linux. You will likely want a browser, Office, Adobe products and so on. These older products have well-known security flaws that you can hone your skills on.

I like the site Old Apps for downloading many of these. Once again, you can also obtain them from many torrent sites, with the same caveat as above: you might get more than you bargained for.

I’ll do a video tutorial on this. Stay tuned.

Stephen Ajulu

Hi there! My name is Stephen Ajulu. 🤓 I am a Front End Web Developer, Graphics Designer, Ethical Hacker and Author of this blog. Here I talk about technology, cybersecurity and self-improvement.