Chapter 3: Setting Up Your Hacking Lab

"In theory, there is no difference between theory and practice. In practice, there is." — Attributed to Yogi Berra (and to many others)

Chapter Overview

In 2014, a computer science student at a midwestern university decided to practice his newly acquired Nmap scanning skills. He had just completed an introductory cybersecurity course and was eager to explore. So he opened a terminal and ran a comprehensive scan — not against a virtual machine in a lab, but against his university's campus network. Within hours, the university's intrusion detection system flagged the scan. Within days, the student was facing disciplinary proceedings and a visit from campus police. He was eventually expelled and referred to federal authorities under the Computer Fraud and Abuse Act. His career in cybersecurity was over before it started — not because of malicious intent, but because he did not have a safe place to practice.

This story, which we will explore in detail in this chapter's first case study, illustrates a critical truth: you must have a safe, isolated environment where you can practice hacking techniques without any risk of affecting real systems or violating any law. That environment is your hacking lab.

In this chapter, we will build that lab from scratch. We will start with the concepts — why virtualization matters and how it works. Then we will get hands-on: installing a hypervisor, setting up Kali Linux as your attack platform, deploying vulnerable target machines, and configuring network isolation so your lab traffic stays contained. We will explore online platforms that supplement your local lab with additional practice targets. And we will establish the safety practices that will protect you legally and technically throughout this book and your career.

By the end of this chapter, you will have a fully functioning hacking lab and you will have run your first reconnaissance scripts against intentionally vulnerable targets. The real hands-on learning begins now.

3.1 Why You Need a Lab

Before we start downloading software, let us understand why a dedicated lab environment is not just recommended but absolutely essential.

3.1.1 Legal Protection

As we discussed in Chapter 1, unauthorized access to computer systems is a criminal offense in virtually every jurisdiction. The defining word is "unauthorized." When you practice in your own lab, on virtual machines you own and control, you are the system owner and you are authorizing yourself. There is no legal ambiguity.

The moment your scanning, exploitation, or testing traffic reaches a system you do not own, you are potentially committing a crime — regardless of your intent. Network isolation in your lab is not a nice-to-have; it is a legal necessity.

⚖️ Legal Note: Even on your home network, be careful. If you share your network with roommates, family members, or neighbors (shared apartment Wi-Fi), scanning the network may touch their devices. If you are on a university or corporate network, scanning is almost certainly a policy violation and may be a criminal offense. Your lab must be completely isolated.

3.1.2 Safe Experimentation

A lab gives you freedom to experiment without consequences. You can: - Run aggressive scans without triggering anyone's intrusion detection system - Attempt exploits that might crash target systems (just restore from a snapshot) - Test malware samples without risking infection of production systems - Practice post-exploitation techniques including privilege escalation and lateral movement - Break things repeatedly and learn from each failure

This freedom to fail safely is essential for learning. Security skills are developed through practice, and practice requires a safe environment.

3.1.3 Reproducibility

With virtual machines, you can save snapshots — point-in-time images of a machine's state — and restore to them at will. This means you can: - Set up a specific vulnerable configuration, save a snapshot, and return to it whenever you want to practice that exploitation technique - Reset a compromised machine to its pre-compromise state in seconds - Create specific scenarios for study or demonstration - Share environments with classmates or study partners

3.1.4 Realistic Scenarios

A well-designed lab can simulate realistic enterprise environments. Throughout this book, we will build lab configurations that mirror aspects of our MedSecure and ShopStack running examples. By the time you reach the advanced chapters, your lab will include Active Directory domains, web applications, databases, and network services that reflect real-world targets.

🔗 Connection: In Chapter 1, we introduced MedSecure Health Systems with its Windows Active Directory domain, Linux servers, and web applications. In this chapter, we will begin building a lab that simulates elements of MedSecure's environment. Each subsequent chapter will add components, so that by the end of the book, you have a comprehensive practice environment.

3.2 Virtualization Fundamentals

Virtualization is the technology that makes your hacking lab possible. It allows you to run multiple operating systems simultaneously on a single physical computer, each in its own isolated environment.

3.2.1 What Is Virtualization?

Virtualization creates virtual computers — called virtual machines (VMs) — that behave like physical computers but exist entirely in software. Each VM has its own virtual hardware: CPU, RAM, disk, network interfaces, and so on. The software that creates and manages VMs is called a hypervisor.

From the perspective of the operating system running inside a VM (called the "guest OS"), it appears to be running on real hardware. The guest OS does not know — or need to know — that it is virtualized.

3.2.2 Type 1 vs. Type 2 Hypervisors

Type 1 (bare-metal) hypervisors run directly on the physical hardware, without a host operating system. Examples include VMware ESXi, Microsoft Hyper-V (when running as a server role), and Xen. Type 1 hypervisors are used in data centers and enterprise environments for maximum performance and isolation.

Type 2 (hosted) hypervisors run as applications on top of a host operating system. Examples include VirtualBox, VMware Workstation, VMware Fusion (macOS), and Parallels. Type 2 hypervisors are what we will use for our hacking lab because they run on your existing desktop or laptop operating system.

3.2.3 Choosing Your Hypervisor

For this book, we recommend one of two options:

VirtualBox (Oracle) - Free and open source - Available for Windows, macOS, and Linux - Active community and extensive documentation - Slightly lower performance than VMware - Excellent for learning; used in many training courses (including OSCP)

VMware Workstation Pro (Windows/Linux) or VMware Fusion (macOS) - Now free for personal use (as of late 2023) - Generally better performance, especially for complex labs - Better snapshot management - Better integration with VMware enterprise products - Industry standard in many professional environments

Either option will work for every exercise in this book. If you are unsure, start with VirtualBox — it is free, well-documented, and widely used in cybersecurity training.

💡 Intuition: Think of a Type 2 hypervisor like a building within a building. Your physical computer (the outer building) runs your normal operating system (Windows, macOS, or Linux). Inside that, the hypervisor creates separate rooms (virtual machines) where different operating systems can run. Each room is isolated from the others and from the outer building — unless you specifically open doors between them (network connections).

3.2.4 Hardware Requirements

To run a comfortable hacking lab, your physical machine should have:

Verify virtualization support: Before installing a hypervisor, verify that your CPU supports hardware virtualization and that it is enabled in your BIOS/UEFI settings:

• Windows: Open Task Manager > Performance > CPU. Look for "Virtualization: Enabled."
• Linux: Run egrep -c '(vmx|svm)' /proc/cpuinfo. A result greater than 0 means virtualization is supported.
• macOS: All Intel Macs and Apple Silicon Macs support virtualization natively.

⚠️ Common Pitfall: Many students hit a wall during lab setup because hardware virtualization is disabled in their BIOS. This is especially common on laptops. If VirtualBox or VMware gives errors about VT-x or AMD-V, reboot into your BIOS/UEFI settings and enable Intel VT-x (Intel CPUs) or AMD-V/SVM (AMD CPUs). The exact menu location varies by manufacturer.

3.3 Installing VirtualBox

We will walk through VirtualBox installation as our primary hypervisor. If you prefer VMware, the concepts are identical — only the interface differs.

3.3.1 Download and Install

1. Navigate to https://www.virtualbox.org/wiki/Downloads
2. Download the installer for your host operating system
3. Run the installer with default settings
4. On Windows, approve the installation of VirtualBox network drivers when prompted (these are needed for host-only and NAT networking)
5. Restart your computer if prompted

3.3.2 Install the Extension Pack

The VirtualBox Extension Pack adds USB 2.0/3.0 support, disk encryption, and remote display capabilities. While not strictly required, it is useful for passing USB devices (like wireless adapters) to VMs.

1. Download the Extension Pack from the same download page
2. Double-click the downloaded file — VirtualBox will open and prompt you to install it
3. Accept the license agreement and complete the installation

3.3.3 Initial Configuration

Before creating any VMs, adjust a few VirtualBox settings:

• Default Machine Folder: Go to File > Preferences > General. Set the Default Machine Folder to a location with plenty of disk space (preferably an SSD).
• Host Key: Note the "Host Key" displayed in the lower right of the VirtualBox window (default is Right Ctrl on Windows/Linux, Left Command on macOS). This key is used to release the keyboard and mouse from a VM back to the host.
• Network Preferences: We will configure these in detail in the network isolation section.

3.4 Installing and Configuring Kali Linux

Kali Linux is the industry-standard penetration testing distribution. Maintained by Offensive Security (the creators of the OSCP certification), Kali comes pre-installed with hundreds of security tools organized by category: information gathering, vulnerability analysis, web application analysis, database assessment, password attacks, wireless attacks, exploitation tools, sniffing and spoofing, post-exploitation, forensics, and reporting.

3.4.1 Why Kali?

Kali is not the only option for a pentesting platform — Parrot OS, BlackArch, and others exist — but Kali is the de facto standard for several reasons: - Most widely used in training, certifications, and professional environments - Extensive tool library, regularly updated - Excellent documentation and community support - Available as VM images for easy deployment - Maintained by a reputable organization (Offensive Security)

3.4.2 Option A: Pre-Built VM Image (Recommended for Beginners)

The easiest way to get started is to use Kali's pre-built VM images:

1. Navigate to https://www.kali.org/get-kali/#kali-virtual-machines
2. Download the VirtualBox image (64-bit) — it will be a .7z or .ova file
3. If .7z, extract it using 7-Zip (Windows) or 7z command (Linux/macOS)
4. In VirtualBox, go to File > Import Appliance (for .ova) or Machine > Add (for .vbox)
5. Import the appliance with default settings
6. Before starting the VM, adjust its settings: - System > Processor: Allocate at least 2 CPUs (4 recommended) - System > Memory: Allocate at least 4096 MB (8192 recommended) - Display > Video Memory: Set to 128 MB - Network: We will configure this in the network isolation section

Default credentials for the pre-built image: kali / kali

3.4.3 Option B: Install from ISO (Recommended for Learning)

Installing from the ISO gives you a deeper understanding of the system:

1. Download the Kali Linux installer ISO from https://www.kali.org/get-kali/#kali-installer-images
2. In VirtualBox, click "New" to create a new VM: - Name: "Kali-Attack" - Type: Linux - Version: Debian (64-bit) - Memory: 4096 MB minimum - Hard disk: Create a virtual hard disk (VDI, dynamically allocated, 80 GB)
3. Before starting, adjust settings: - System > Processor: 2+ CPUs - Storage: Mount the Kali ISO as a virtual optical drive - Display > Video Memory: 128 MB
4. Start the VM and follow the graphical installer
5. During installation: - Choose "Graphical Install" - Set hostname to "kali-attack" - Create a non-root user (e.g., "hacker") - Use guided partitioning (entire disk) - When prompted for software selection, choose the default desktop environment (Xfce) and the default tool collection
6. Complete the installation and reboot

3.4.4 Post-Installation Configuration

After your Kali VM is running, perform these essential configuration steps:

Update the system:

sudo apt update && sudo apt full-upgrade -y

Install VirtualBox Guest Additions (for better display, shared folders, and clipboard integration):

sudo apt install -y virtualbox-guest-x11
sudo reboot

Create a snapshot: Before making any further changes, create a snapshot of your clean, updated Kali installation. In VirtualBox, go to Machine > Take Snapshot. Name it "Clean Install - Updated." This gives you a clean starting point to return to.

Customize your environment:

# Set up useful aliases
echo 'alias ll="ls -la"' >> ~/.bashrc
echo 'alias update="sudo apt update && sudo apt full-upgrade -y"' >> ~/.bashrc
echo 'alias myip="ip -4 addr show | grep inet | grep -v 127.0.0.1"' >> ~/.bashrc
source ~/.bashrc

# Create a working directory structure
mkdir -p ~/pentests/{recon,scans,exploits,loot,reports}
mkdir -p ~/tools
mkdir -p ~/wordlists

Install additional tools that are not in the default Kali package:

# Install useful additional tools
sudo apt install -y seclists gobuster feroxbuster bloodhound neo4j
sudo apt install -y python3-pip python3-venv
pip3 install requests beautifulsoup4 scapy

# Download additional wordlists
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

✅ Best Practice: Take snapshots frequently. Before installing new tools, before running major updates, before starting a new exercise — snapshot your VM. Snapshots are cheap (they only store differences from the previous state) and they give you instant recovery. A corrupted system is a minor inconvenience when you can restore from a snapshot in seconds.

3.4.5 Kali Linux Filesystem and Tool Organization

Understanding how Kali organizes its tools and files will help you work more efficiently:

Key directories: - /usr/bin/ — Most security tools are installed here as executable binaries - /usr/share/ — Data files, wordlists, and tool-specific resources - /usr/share/wordlists/ — Password wordlists including the famous rockyou.txt - /usr/share/nmap/scripts/ — Nmap NSE (Nmap Scripting Engine) scripts - /usr/share/metasploit-framework/ — The Metasploit Framework installation - /usr/share/exploitdb/ — The Exploit Database used by searchsploit - /usr/share/seclists/ — SecLists collection of wordlists for various testing purposes - /etc/ — System configuration files - /var/log/ — System logs - /tmp/ — Temporary files (cleared on reboot)

Finding tools: Kali organizes tools in its application menu by category (Information Gathering, Vulnerability Analysis, Web Application Analysis, etc.). You can also find any tool using the which command (which nmap) or search the package database (apt search <keyword>).

Adding tools from GitHub: Many cutting-edge security tools are published on GitHub before they appear in Kali's repositories. To install a tool from GitHub:

cd ~/tools
git clone https://github.com/author/tool-name.git
cd tool-name
pip3 install -r requirements.txt  # if Python
# Follow the tool's README for specific installation steps

Keeping your custom tools in ~/tools separates them from system-installed tools and makes them easy to manage and update.

3.4.6 Essential Kali Tools Overview

Kali comes with hundreds of tools. Here are the ones you will use most frequently in this book:

We will introduce each tool in context as we need it throughout the book.

3.5 Setting Up Target Environments

Your Kali VM is your attack platform. Now you need targets to practice against. We will set up several intentionally vulnerable systems.

3.5.1 Metasploitable 2

Metasploitable 2 is an intentionally vulnerable Linux VM created by Rapid7 (the makers of Metasploit). It contains dozens of vulnerabilities spanning network services, web applications, and misconfigured software.

Installation: 1. Download Metasploitable 2 from https://sourceforge.net/projects/metasploitable/ 2. Extract the downloaded ZIP file 3. In VirtualBox, click "New": - Name: "Metasploitable2" - Type: Linux - Version: Ubuntu (64-bit) - Memory: 1024 MB - Hard disk: Use existing virtual hard disk file — select the .vmdk file from the extracted archive 4. Configure the network adapter (see Network Configuration section) 5. Start the VM

Default credentials: msfadmin / msfadmin

What Metasploitable 2 provides: - Vulnerable versions of vsftpd, Samba, Apache, MySQL, PostgreSQL, and many other services - Multiple web applications (DVWA, Mutillidae, phpMyAdmin) pre-installed - Misconfigured SSH, NFS, and other services - Dozens of exercises covering the OWASP Top 10

🧪 Try It in Your Lab: Once Metasploitable 2 is running and connected to your isolated network, try pinging it from your Kali VM to confirm connectivity. Then run a basic Nmap scan: nmap -sV <metasploitable-ip>. You should see dozens of open ports with identified services. If this is your first Nmap scan, take a moment to appreciate what the output is telling you — every open port is a potential entry point.

3.5.2 DVWA (Damn Vulnerable Web Application)

DVWA is a PHP/MySQL web application designed to practice web application hacking. While it comes pre-installed on Metasploitable 2, you can also run it in its own Docker container for a cleaner setup.

Docker-based installation (on Kali or a separate Linux VM):

# Install Docker on Kali
sudo apt install -y docker.io
sudo systemctl start docker
sudo systemctl enable docker
sudo usermod -aG docker $USER

# Log out and back in for group change to take effect

# Run DVWA in Docker
docker run -d -p 80:80 vulnerables/web-dvwa

Access DVWA at http://localhost (or the VM's IP) and log in with admin / password. Click "Create / Reset Database" on the setup page.

DVWA has adjustable security levels (Low, Medium, High, Impossible) that let you progressively challenge yourself as your skills improve.

3.5.3 VulnHub Images

VulnHub (https://www.vulnhub.com/) hosts hundreds of downloadable vulnerable VMs created by the security community. These range from beginner-friendly to extremely challenging and often simulate realistic scenarios.

Recommended starter VMs from VulnHub: - Kioptrix Level 1: Classic beginner VM with straightforward vulnerabilities - Mr. Robot: Themed after the TV show; good for web application and Linux privilege escalation - DC series (DC-1 through DC-9): Progressive difficulty, great for building methodology - HackLAB: Vulnix: Good for practicing NFS and Unix enumeration

Installation pattern (same for all VulnHub images): 1. Download the .ova or .vmdk file from VulnHub 2. Import into VirtualBox (File > Import Appliance for .ova, or create new VM using existing disk for .vmdk) 3. Configure the network adapter to your isolated network 4. Start the VM (many VulnHub images boot to a login screen — you are not supposed to have the credentials; your job is to hack in)

3.5.4 Windows Target Environments

To practice Windows-specific attacks (Active Directory, Windows privilege escalation, pass-the-hash), you need Windows VMs. Microsoft provides free evaluation versions:

Windows Server Evaluation: 1. Download Windows Server 2019 or 2022 evaluation ISO from Microsoft's Evaluation Center 2. Create a new VM with 4 GB RAM and 60 GB disk 3. Install Windows Server and configure it as a Domain Controller 4. Create user accounts, groups, and group policies that simulate an enterprise environment

Windows 10/11 Evaluation: 1. Download a Windows 10 or 11 evaluation VM from Microsoft's Evaluation Center 2. Join it to your lab's Active Directory domain

We will build out a full Active Directory lab environment in the chapters on Active Directory attacks (Part 4). For now, having a basic Windows installation available is sufficient.

✅ Best Practice: Microsoft evaluation licenses are time-limited (usually 180 days). To extend the evaluation period, run slmgr /rearm from an elevated command prompt before the license expires (you can do this up to three times). Alternatively, just delete the VM and recreate it when the license expires — snapshots make this quick.

3.5.5 Docker-Based Targets

Docker containers are an efficient way to deploy individual vulnerable services without the overhead of full VMs:

# WebGoat — OWASP's deliberately insecure web application
docker run -d -p 8080:8080 -p 9090:9090 webgoat/webgoat

# Juice Shop — OWASP's modern vulnerable web application (Node.js)
docker run -d -p 3000:3000 bkimminich/juice-shop

# Vulnerable WordPress
docker run -d -p 8081:80 --name vuln-wordpress vulnerables/cve-2016-1000027

# SQLi-labs — SQL injection practice
docker run -d -p 8082:80 acgpiano/sqli-labs

Each of these containers provides a focused practice environment for specific vulnerability classes.

3.6 Network Configuration and Isolation

This is arguably the most important section of this chapter. Proper network configuration ensures that your lab traffic stays in your lab and never reaches real systems.

3.6.1 VirtualBox Network Modes

VirtualBox provides several networking modes:

NAT (Network Address Translation): - The VM can access the Internet through the host's connection - Other VMs and the host cannot directly reach the VM - Use case: Downloading updates to your Kali VM

NAT Network: - Like NAT, but VMs on the same NAT network can communicate with each other - VMs can access the Internet - The host cannot directly reach the VMs (without port forwarding) - Use case: Lab VMs that need both Internet access and inter-VM communication

Host-Only: - Creates an isolated network between the host and VMs - VMs can communicate with each other and with the host - No Internet access — VMs are completely isolated from external networks - Use case: Your primary lab network for hacking exercises

Internal Network: - Creates an isolated network between VMs only - The host cannot access this network - No Internet access - Use case: Maximum isolation for dangerous experiments (malware analysis)

Bridged Adapter: - The VM gets an IP address on the same network as the host - The VM is visible to all devices on the physical network - DANGER: This mode allows your lab traffic to reach real devices on your network - Use case: Rarely appropriate for hacking labs; avoid unless you have a specific, controlled need

3.6.2 Recommended Lab Network Architecture

Here is the network architecture we recommend for your hacking lab:

┌─────────────────────────────────────────────────────┐
│                   Host Machine                       │
│                                                       │
│  ┌──────────────────────────────────────────────┐    │
│  │         VirtualBox Host-Only Network          │    │
│  │              192.168.56.0/24                   │    │
│  │                                                │    │
│  │  ┌──────────┐  ┌───────────┐  ┌───────────┐  │    │
│  │  │  Kali    │  │Metasploit-│  │  VulnHub  │  │    │
│  │  │  Attack  │  │  able 2   │  │   VMs     │  │    │
│  │  │ .56.101  │  │  .56.102  │  │  .56.1xx  │  │    │
│  │  └──────────┘  └───────────┘  └───────────┘  │    │
│  └──────────────────────────────────────────────┘    │
│                                                       │
│  ┌──────────────────────────────────────────────┐    │
│  │         VirtualBox NAT (Adapter 2)            │    │
│  │         (Kali only — for updates)             │    │
│  └──────────────────────────────────────────────┘    │
│                                                       │
└─────────────────────────────────────────────────────┘

Configuration steps:

Step 1: Create a Host-Only Network 1. In VirtualBox, go to File > Host Network Manager (or File > Tools > Network Manager in newer versions) 2. Click "Create" to create a new host-only network 3. Configure: - IPv4 Address: 192.168.56.1 - IPv4 Network Mask: 255.255.255.0 - DHCP Server: Enable (Lower: 192.168.56.100, Upper: 192.168.56.200)

Step 2: Configure Kali VM (Two Adapters) 1. Open Kali VM settings > Network 2. Adapter 1: Host-Only Adapter (select the network from Step 1) 3. Adapter 2: NAT (for Internet access when you need to update tools)

Step 3: Configure Target VMs (One Adapter) 1. For each target VM, go to Settings > Network 2. Adapter 1: Host-Only Adapter (same network as Kali) 3. No other adapters — target VMs should never have Internet access

Step 4: Verify Isolation From your Kali VM:

# Verify you can reach targets on the host-only network
ping 192.168.56.102  # Should succeed (Metasploitable 2)

# Verify you can reach the Internet on the NAT adapter (if needed)
ping 8.8.8.8  # Should succeed via NAT adapter

# Verify targets cannot reach the Internet
# (SSH into Metasploitable, then try)
ssh msfadmin@192.168.56.102
ping 8.8.8.8  # Should FAIL — target is isolated

3.6.3 Advanced: Using pfSense as a Lab Router

For more complex lab scenarios (simulating multiple network segments, as in MedSecure's environment), you can deploy pfSense as a virtual router:

1. Download pfSense ISO from https://www.pfsense.org/download/
2. Create a VM with 1 GB RAM, 10 GB disk, and multiple network adapters
3. Configure pfSense to route between multiple host-only networks
4. This allows you to simulate segmented environments with firewall rules between segments

We will build this more complex topology in later chapters when we cover network penetration testing.

⚠️ Common Pitfall: The most dangerous network configuration mistake is using "Bridged Adapter" mode for your target VMs. In bridged mode, your vulnerable targets are directly on your physical network — visible to your router, your other devices, and potentially to your ISP. A Metasploitable 2 VM in bridged mode on your home network is like leaving your front door open in a high-crime neighborhood. Always use Host-Only or Internal Network for target VMs.

3.7 Online Hacking Platforms

Your local lab is your primary practice environment, but online platforms offer additional benefits: professionally designed challenges, community discussion, and realistic scenarios that would be difficult to build locally.

3.7.1 HackTheBox (HTB)

Overview: HackTheBox is the most popular online hacking platform, offering virtual machines ("boxes") of varying difficulty that you attack through a VPN connection.

Key features: - Active machines rotated regularly (retired machines available with subscription) - Difficulty ratings from "Easy" to "Insane" - Pro Labs that simulate realistic enterprise environments (Dante, Offshore, RastaLabs, Zephyr) - Tracks for different skill areas (Active Directory, Web, Forensics) - Competitive rankings and a strong community

Getting started: 1. Create an account at https://www.hackthebox.com/ 2. Download the VPN connection file (.ovpn) 3. On your Kali VM, connect: sudo openvpn lab_YourUsername.ovpn 4. Start with "Starting Point" machines designed for beginners

Cost: Free tier includes two active machines. VIP subscription ($14/month) provides access to all retired machines, priority VPN, and Pro Labs access (additional cost).

🧪 Try It in Your Lab: HackTheBox's "Starting Point" track is designed for absolute beginners. The first few machines walk you through basic enumeration, exploitation, and privilege escalation with guided instructions. It is an excellent complement to the exercises in this book.

3.7.2 TryHackMe (THM)

Overview: TryHackMe is a learning-focused platform with guided "rooms" that teach specific concepts step by step.

Key features: - Guided learning paths (Complete Beginner, Jr Penetration Tester, Offensive Pentesting) - Attack boxes provided in-browser (no local setup required for basic rooms) - Rooms cover individual topics (Nmap, Burp Suite, SQL Injection, Active Directory) - Excellent for structured learning alongside this textbook - Lower barrier to entry than HackTheBox

Getting started: 1. Create an account at https://tryhackme.com/ 2. Start with the "Complete Beginner" learning path 3. For hands-on rooms, either use the in-browser attack box or connect via VPN from your Kali VM

Cost: Free tier includes many rooms. Premium subscription ($14/month) provides full access.

3.7.3 PortSwigger Web Security Academy

Overview: Created by the makers of Burp Suite, this is the best free resource for learning web application security.

Key features: - Covers all major web vulnerability classes in depth - Interactive labs for each topic - No setup required — labs run in the browser - Content is continuously updated - Completely free

Getting started: 1. Navigate to https://portswigger.net/web-security 2. Work through the learning materials and labs in order 3. Start with SQL Injection, then move to Authentication, XSS, and CSRF

3.7.4 SANS Cyber Ranges and NetWars

Overview: SANS Institute offers professional-grade cyber ranges and the NetWars competition platform. These are the most realistic and challenging practice environments available.

Key features: - Professionally designed by SANS instructors - Simulate complex enterprise environments - Used in SANS courses and tournaments - Holiday Hack Challenge (annual free event) is exceptional

Cost: Most SANS offerings are expensive (courses range from $5,000–$9,000). The Holiday Hack Challenge (December–January each year) is free and highly recommended.

3.7.5 Additional Platforms

📊 Real-World Application: Many employers assess pentesting candidates using HackTheBox Pro Labs or OSCP-style practical exams. Building a track record on these platforms — demonstrated by your HackTheBox rank or completed TryHackMe learning paths — is one of the most effective ways to demonstrate practical skills to potential employers. Several pentesters we know have landed their first security jobs based primarily on their HackTheBox writeups and rankings.

3.8 Lab Safety Practices

Building a lab is not just about installing software — it is about establishing practices that keep you safe, legal, and organized throughout your learning journey and professional career.

3.8.1 The Cardinal Rules of Lab Safety

Rule 1: Never attack systems you do not own or have written authorization to test. This bears repeating. Your lab exists to keep you safe. The moment you send a scan, exploit, or probe to a system outside your lab without authorization, you are potentially committing a crime.

Rule 2: Isolate your lab network. As covered in the network configuration section, your target VMs must not be able to reach external networks. Verify isolation periodically.

Rule 3: Take snapshots before every major change. Before installing new tools, running exploits, or changing configurations, take a snapshot. This gives you instant rollback capability.

Rule 4: Keep notes. Document what you do in your lab — what you tried, what worked, what failed, and what you learned. These notes will be invaluable for your professional development, certification preparation, and future reference.

Rule 5: Handle sensitive tools responsibly. Some tools in Kali can be genuinely dangerous if misused. Exploit code, password cracking tools, and network attack tools should only be used in your isolated lab or authorized engagements. Never store exploit code or tools on systems connected to corporate networks without authorization.

3.8.2 Documentation and Note-Taking

We strongly recommend establishing a note-taking system from day one. Options include:

CherryTree: A hierarchical note-taking application pre-installed on Kali. Good for organizing notes by engagement or topic.

Obsidian: A powerful markdown-based knowledge management tool. Excellent for creating a personal knowledge base that grows with your learning.

Joplin: An open-source note-taking application with encryption and synchronization.

Notion or OneNote: Cloud-based options if you prefer; be mindful of storing sensitive data in cloud services.

Structure your notes by: - Date - Target (what machine/application you were testing) - Objective (what you were trying to achieve) - Steps taken (commands, tools, techniques) - Results (what worked, what did not) - Lessons learned (what you would do differently)

✅ Best Practice: The note-taking habit you build in your lab will serve you throughout your career. Professional pentesters maintain detailed engagement logs that serve as the foundation for their reports. The difference between a good report and a great report often comes down to the quality of notes taken during testing.

3.8.3 Snapshot Management Strategy

Develop a snapshot naming convention:

[VM Name] - [State] - [Date]
Examples:
Kali-Attack - Clean Install Updated - 2024-01-15
Kali-Attack - Pre-AD-Lab-Config - 2024-02-01
Metasploitable2 - Fresh Deploy - 2024-01-15
WinServer2019 - DC Configured - 2024-02-10

Delete old snapshots periodically to reclaim disk space. Keep at minimum: - A clean/fresh install snapshot for each VM - The most recent working snapshot for each VM - Any snapshots needed for specific exercises or scenarios

3.8.4 Malware Handling

In later chapters, you may work with actual malware samples for analysis. When you do: - Keep malware in password-protected ZIP files (standard practice; password is typically "infected") - Only extract and execute malware in isolated VMs with no network access (use Internal Network mode, not Host-Only) - Never transfer malware to your host machine - Use FlareVM (a Windows-based malware analysis distribution) for Windows malware analysis - Use REMnux (a Linux-based malware analysis distribution) for Linux malware and document analysis

3.9 Your First Lab Exercise: Reconnaissance Against Metasploitable 2

Let us put your new lab to work. This exercise will give you your first hands-on experience with network reconnaissance while verifying that your lab is properly configured.

3.9.1 Verify Connectivity

From your Kali VM:

# Check your IP address on the host-only network
ip addr show eth0  # or whatever your host-only interface is named

# Ping Metasploitable 2
ping -c 4 192.168.56.102  # Use your Metasploitable 2's actual IP

If ping succeeds, your lab network is functioning.

3.9.2 Host Discovery

Even though you know Metasploitable 2's IP address, let us practice discovering hosts on the network as if we did not:

# ARP scan (fastest for local networks)
sudo arp-scan 192.168.56.0/24

# Nmap ping scan
nmap -sn 192.168.56.0/24

# Nmap with ARP discovery (most reliable on local networks)
nmap -PR -sn 192.168.56.0/24

You should see your Kali VM, Metasploitable 2, and the host-only adapter's gateway (192.168.56.1) in the results.

3.9.3 Port Scanning

Now let us discover what services are running on Metasploitable 2:

# Basic port scan (top 1000 ports)
nmap 192.168.56.102

# Service version detection
nmap -sV 192.168.56.102

# Comprehensive scan (versions, default scripts, OS detection)
nmap -sV -sC -O 192.168.56.102

# Full port scan (all 65535 ports) — takes longer
nmap -p- 192.168.56.102

🧪 Try It in Your Lab: Compare the output of nmap 192.168.56.102 (default top 1000 ports) with nmap -p- 192.168.56.102 (all 65535 ports). How many additional open ports does the full scan find? This illustrates why comprehensive scanning matters — attackers scan all ports, and so should you.

3.9.4 Service Enumeration

Let us dig deeper into some of the discovered services:

# Enumerate SMB shares
smbclient -L //192.168.56.102 -N

# Check for anonymous FTP access
ftp 192.168.56.102
# (try anonymous login with blank password)

# Enumerate web server
curl -s http://192.168.56.102 | head -50

# Run Nikto web scanner
nikto -h http://192.168.56.102

3.9.5 Documenting Your Findings

Open CherryTree (or your preferred note-taking tool) and document: - Date and time of the exercise - Network configuration - All hosts discovered - All open ports and services on Metasploitable 2 - Any interesting findings from enumeration - Questions for further investigation

This is exactly the process a professional pentester follows, scaled down to a learning exercise.

🔴 Red Team Perspective: Notice how much information you gathered without exploiting anything. Reconnaissance and enumeration alone revealed the operating system, running services, software versions, and potential vulnerability points. In a real engagement, this information would guide your exploitation strategy. Many pentesters find that 80% of the work is reconnaissance and enumeration; exploitation is often the easy part once you know exactly what you are targeting.

3.10 Understanding Your Tools at a Deeper Level

Before we move on, let us take a moment to understand what is happening under the hood when you use your reconnaissance tools. This understanding is what separates a skilled penetration tester from someone who merely runs tools without comprehension.

3.10.1 How Nmap Works Under the Hood

When you run nmap -sS 192.168.56.102, Nmap performs a TCP SYN scan. Here is what happens at the packet level:

1. For each port to be tested, Nmap crafts a TCP packet with the SYN flag set (the first step of the TCP three-way handshake) and sends it to the target.

2. If the port is open, the target responds with a SYN-ACK packet (acknowledging the connection attempt). Nmap records the port as "open" and immediately sends a RST (reset) packet to tear down the half-open connection. This is why SYN scans are called "half-open" — they never complete the three-way handshake.

3. If the port is closed, the target responds with a RST packet. Nmap records the port as "closed."

4. If there is no response (the packet is dropped by a firewall), Nmap waits for a timeout and records the port as "filtered."

This SYN scan is the default for privileged users (root/sudo) because it requires raw socket access to craft custom TCP packets. Unprivileged users get a full TCP connect scan (-sT) instead, which uses the operating system's normal connect() system call and completes the full three-way handshake.

3.10.2 How ARP Scanning Works

ARP (Address Resolution Protocol) scanning is the fastest method for discovering hosts on a local network. When you run arp-scan 192.168.56.0/24 or Nmap's -PR flag:

1. An ARP request is broadcast to every device on the local network: "Who has IP address 192.168.56.102? Tell 192.168.56.101."

2. The device at that IP responds with its MAC address: "192.168.56.102 is at 08:00:27:ab:cd:ef."

3. The response confirms the host is alive — and provides the MAC address, which can reveal the virtualization platform (VirtualBox, VMware) or hardware vendor.

ARP scanning only works on the local network segment because ARP operates at Layer 2. This is why your lab uses Host-Only networking — all VMs are on the same Layer 2 network.

3.10.3 The Importance of Understanding Protocols

Why does this matter? Because when your tools fail or produce unexpected results, understanding the underlying protocols lets you diagnose the problem:

• If Nmap shows a port as "filtered" but you expect it to be open, a firewall between you and the target is dropping your SYN packets. In your lab, this might mean a host-based firewall is running on the target.

• If ARP scanning finds hosts but ICMP ping does not, the target is blocking ICMP. This is common in hardened environments but unusual in your lab.

• If banner grabbing returns unexpected results, a reverse proxy or load balancer may be intercepting your connection. Understanding this helps you adjust your approach.

💡 Intuition: Learning to use Nmap without understanding TCP is like learning to drive a car without understanding that pressing the gas pedal makes fuel combust in the engine. You can do it, but when something goes wrong, you will have no idea how to diagnose the problem. Throughout this book, we will consistently connect tools to their underlying protocols so you develop deep understanding alongside practical skills.

3.10.4 Writing Your Own Tools

The Python scripts in this chapter's code directory are not just utilities — they are learning exercises. By writing your own network scanner (even a basic one), you internalize concepts that no amount of running Nmap can teach:

• How raw sockets work
• How ARP requests and responses are structured
• How TCP flags determine connection behavior
• How timeout handling affects scan reliability and speed

We encourage you to read the code carefully, modify it, break it, and fix it. The debugging process is itself a powerful teacher.

🧪 Try It in Your Lab: Open example-02-network-scanner-basic.py in a text editor and read through the comments. Then modify the script to scan a different port range, add a new output format, or implement a different scanning technique. Compare your modified scanner's results with Nmap to verify your implementation.

3.11 Building Toward MedSecure: Lab Roadmap

Your current lab is a starting point. As we progress through this book, we will expand it to simulate aspects of our running examples. Here is a preview of what we will add:

Part 2 (Network Fundamentals and Reconnaissance): - Multiple target VMs simulating different network segments - pfSense router for network segmentation

Part 3 (Web Application Hacking): - DVWA with multiple security levels - OWASP Juice Shop (simulating ShopStack-like functionality) - Custom vulnerable web applications

Part 4 (System and Network Attacks): - Windows Active Directory lab (Domain Controller + member servers + workstations) - Simulated MedSecure domain with realistic users, groups, and policies

Part 5 (Wireless and Advanced Topics): - Wireless testing setup (requires a compatible wireless adapter) - IoT device simulation

Part 6 (Advanced and Professional Topics): - Multi-domain Active Directory forest - Cloud environment integration (AWS free tier)

Each addition will be covered in detail in the relevant chapter. For now, focus on getting your core lab (Kali + Metasploitable 2 + proper network isolation) working reliably.

3.12 Troubleshooting Common Lab Issues

Let us address the most common problems students encounter when setting up their labs.

3.12.1 VM Will Not Start

"VT-x/AMD-V is disabled": Enable hardware virtualization in your BIOS/UEFI settings. This requires rebooting and entering the BIOS setup (usually by pressing F2, F10, Delete, or Escape during boot).

"Not enough memory": Close unnecessary applications on your host machine, reduce the VM's allocated RAM, or add more physical RAM to your computer.

"Could not open virtual hard disk": The disk file may be corrupted or the path may contain special characters. Re-download the VM image and try again.

3.12.2 Network Issues

VMs cannot communicate: Verify both VMs are on the same Host-Only network. Check that the DHCP server is enabled in the Host Network Manager. If using static IPs, verify they are in the same subnet.

VM has no Internet access: If you need Internet (for updates), add a second adapter in NAT mode. Remember that only your Kali VM should have Internet access; target VMs should remain isolated.

Host cannot reach VMs: Verify the Host-Only network adapter is enabled on your host. On Windows, check that the VirtualBox Host-Only Ethernet Adapter is enabled in Network Connections.

3.12.3 Performance Issues

VMs are slow: Ensure you have allocated enough RAM (at least 4 GB for Kali) and CPU cores (at least 2). Close unnecessary applications on your host. Consider moving VM storage to an SSD.

Display is slow or laggy: Install VirtualBox Guest Additions (for VirtualBox) or VMware Tools (for VMware). Increase video memory to 128 MB. Enable 3D acceleration if available.

3.12.4 Import Failures

OVA import fails: Try extracting the OVA file (it is a TAR archive) and importing the OVF file directly. Some OVA files may be incompatible with your VirtualBox version — try updating VirtualBox.

💡 Intuition: Lab troubleshooting is itself a valuable skill. The patience and systematic debugging you practice here — checking logs, verifying configurations, testing hypotheses — are the same skills you will use when troubleshooting failed exploits, unexpected network behavior, and other challenges during real penetration tests. Embrace the troubleshooting process rather than getting frustrated by it.

3.13 The Student Home Lab: Your Third Running Example

Throughout this book, alongside MedSecure and ShopStack, we will reference your Student Home Lab — the environment you are building right now. While MedSecure and ShopStack are fictional scenarios for discussion, your home lab is real. It is where you will practice every technique, verify every concept, and build the hands-on skills that separate theoretical knowledge from practical capability.

3.13.1 Current Lab Inventory

By the end of this chapter, your lab should include:

3.13.2 Lab Journal

Start a lab journal today. For each lab session, record: - Date and duration - What you practiced - Key commands used - Findings and observations - Problems encountered and how you solved them - Questions for further research

This journal will become one of your most valuable professional assets.

🔗 Connection: Your home lab is where theory becomes practice. Every chapter in this book will include "Try It in Your Lab" callouts with specific exercises you can perform in your environment. Treat these as essential practice, not optional extras. Ethical hacking is a skill that must be practiced, like playing a musical instrument or performing surgery. Reading about it is necessary but not sufficient.

3.14 Connecting Your Lab to the MedSecure Scenario

Let us explicitly map the lab you have built to elements of the MedSecure environment. This connection will deepen as we progress through the book, but even at this early stage, we can draw meaningful parallels.

Metasploitable 2 as a MedSecure legacy server: Metasploitable 2 runs Ubuntu with deliberately outdated services. In MedSecure's environment, the CentOS 7 servers running the legacy radiology application are similarly outdated and similarly vulnerable. When you enumerate Metasploitable 2's services and find exploitable versions of vsftpd, Samba, and Apache, you are experiencing the same situation a penetration tester would encounter when scanning MedSecure's legacy infrastructure.

DVWA as the MedSecure patient portal: DVWA is a PHP web application with common vulnerabilities. MedSecure's patient portal (React/Node.js/PostgreSQL) uses different technology, but the vulnerability classes are the same: SQL injection, cross-site scripting, broken authentication, and insecure direct object references. When you practice SQL injection in DVWA, you are building skills directly applicable to testing MedSecure's patient portal.

Your Host-Only network as a network segment: Your 192.168.56.0/24 network represents a single flat network segment. In MedSecure's environment, the corporate network (10.10.0.0/16) and medical device network (10.20.0.0/16) are separate segments with incomplete segmentation between them. In later chapters, we will add a virtual router to create segmented lab networks that more closely mirror MedSecure's architecture.

Understanding these parallels transforms abstract lab exercises into concrete preparation for real-world engagements.

3.15 Lab Verification and Automation

To ensure your lab is properly configured, we have provided Python scripts in this chapter's code directory that automate common verification tasks.

3.15.1 Lab Setup Checker

The example-01-lab-setup-checker.py script (see code/ directory) verifies: - Required tools are installed on your Kali system - Network interfaces are properly configured - Target VMs are reachable - Network isolation is intact (targets cannot reach the Internet)

Run it after completing your lab setup:

python3 code/example-01-lab-setup-checker.py

3.15.2 Basic Network Scanner

The example-02-network-scanner-basic.py script (see code/ directory) provides a simple Python-based network scanner using Scapy. While Nmap is the professional tool for network scanning, writing your own scanner helps you understand what is happening under the hood.

Run it to discover hosts on your lab network:

sudo python3 code/example-02-network-scanner-basic.py --network 192.168.56.0/24

🧪 Try It in Your Lab: Run both the lab checker and the network scanner. Compare the network scanner's output with Nmap's output for the same target range. Note any differences and consider why they might occur. Understanding how scanners work at the packet level will serve you well throughout this book.

3.16 Alternative Lab Configurations

Not every student has the same hardware, budget, or operating system. Here are alternative lab configurations for different situations.

3.16.1 Low-Resource Lab (8 GB RAM)

If your computer has only 8 GB of RAM, you can still build an effective lab:

• Allocate 2 GB to Kali and 512 MB to Metasploitable 2
• Run only one or two VMs simultaneously
• Use Docker containers instead of full VMs where possible (DVWA, Juice Shop)
• Close all unnecessary applications on the host
• Use the Kali command-line interface (no desktop environment) to save RAM: boot with systemctl set-default multi-user.target

3.16.2 macOS Host with Apple Silicon

Apple Silicon Macs (M1, M2, M3, M4) use ARM architecture, which complicates VM setup:

• Use UTM (free) or Parallels Desktop (paid) instead of VirtualBox
• Download the ARM64 version of Kali Linux from kali.org
• Some x86-only tools may require Rosetta 2 translation
• Metasploitable 2 is x86-only — use UTM's x86 emulation mode (slower) or Docker-based alternatives
• Consider using HackTheBox and TryHackMe more heavily to supplement limited local lab capabilities

3.16.3 Cloud-Based Lab

For students with very limited local hardware, a cloud-based lab is possible:

• Use AWS Free Tier to spin up Kali and target instances in a VPC
• Ensure all instances are in a private subnet with no Internet-facing access
• Use SSH tunneling or AWS Systems Manager to access the lab
• Be mindful of costs — running VMs 24/7 on AWS accumulates charges
• Linode, DigitalOcean, and Vultr offer affordable alternatives for small VMs

⚠️ Common Pitfall: If you build a cloud-based lab, you MUST ensure your vulnerable targets are not exposed to the Internet. A Metasploitable 2 instance on a public IP address will be compromised within minutes. Use private subnets, security groups that deny all inbound traffic from the Internet, and verify your configuration before deploying vulnerable machines.

3.16.4 Dual-Boot Configuration

For maximum performance, some students dual-boot Kali Linux alongside their primary OS:

• Kali can be installed directly on bare metal for the best performance
• Use a separate partition or drive for the Kali installation
• Run target VMs inside Kali using VirtualBox or KVM/QEMU
• This approach gives Kali access to all your hardware resources, including wireless adapters for Wi-Fi testing

The dual-boot approach is particularly useful for wireless penetration testing (covered in later chapters) because virtual machines cannot directly access the host's wireless hardware without USB passthrough, which can be unreliable.

3.16.5 Team and Classroom Lab Configurations

If you are studying in a group or classroom setting, consider these collaborative approaches:

Shared target infrastructure: One student (or the instructor) hosts target VMs on a dedicated machine, and all students connect their Kali VMs to the shared network. This requires careful network design to prevent students from interfering with each other's work, but it enables collaboration and shared scenarios.

CTF-style challenges: Set up CTFd (an open-source Capture the Flag platform) on a local server and deploy custom challenges. This gamifies the learning experience and provides a competitive element that motivates practice.

Peer testing: Students build intentionally vulnerable VMs for each other. Building a vulnerable system teaches defensive thinking (you must understand vulnerabilities to implement them), and attacking a peer-built system provides practice against unfamiliar targets. This bidirectional exercise is exceptionally effective for learning.

📊 Real-World Application: Many universities and boot camps now use platforms like RangeForce, Immersive Labs, or custom-built cyber ranges for classroom instruction. If your institution has access to such a platform, use it alongside your personal lab. The institutional platform provides shared exercises and instructor guidance, while your personal lab provides the freedom to experiment, break things, and learn from your mistakes in a private, pressure-free environment.

Chapter Summary

In this chapter, we transformed theory into practice by building your hacking lab:

1. Lab necessity: A safe, isolated environment is legally essential, practically invaluable, and the foundation for every hands-on exercise in this book.

2. Virtualization enables you to run multiple operating systems on a single computer. Type 2 hypervisors (VirtualBox or VMware) are ideal for hacking labs.

3. Kali Linux is the industry-standard penetration testing distribution, pre-loaded with hundreds of security tools. We installed it, updated it, and customized it for our work.

4. Target environments including Metasploitable 2, DVWA, VulnHub images, and Docker-based vulnerable applications give you safe, intentionally vulnerable systems to practice against.

5. Network isolation is critical. We configured a Host-Only network for our lab, ensuring target VMs cannot reach external systems while allowing our Kali attack platform to reach targets.

6. Online platforms (HackTheBox, TryHackMe, PortSwigger Web Security Academy) supplement your local lab with professionally designed challenges and learning paths.

7. Lab safety practices — including documentation, snapshot management, and the cardinal rule of never attacking unauthorized systems — protect you legally and professionally.

8. Your first reconnaissance exercise against Metasploitable 2 demonstrated the practical application of host discovery, port scanning, and service enumeration.

What's Next

In Chapter 4, we will dive deep into networking fundamentals — the TCP/IP protocol suite, the OSI model, and the network services that form the backbone of every penetration test. Understanding networking at a fundamental level is what separates skilled penetration testers from tool operators. When you understand how TCP handshakes work, why DNS is such a rich source of information, and how ARP operates at the link layer, you will understand not just how your tools work but why — and that understanding is what enables you to adapt when tools fail and improvise when standard approaches do not work.

Your lab is built. Your tools are ready. Now let us learn the language of the networks we will be testing.