🛡️ A penetration testing lab is a safe, isolated environment where ethical hackers learn and test exploits without putting real networks at risk or breaking the law.


🖥️ Step 1: Choose a Virtualization Platform

Tool of Choice: Oracle VirtualBox

  • ✅ Free & open-source
  • 💡 Works on Windows, Linux, macOS
  • 🔍 Alternatives: VMware Workstation, Hyper-V, KVM

📦 Step 2: Download Required ISO / VM Files

VM Role          OS/Tool                  Download Link
Attacker         Kali Linux (latest)      kali.org
Target (Vuln)    Metasploitable 2         SourceForge

🧰 Step 3: Install Kali Linux (Attacker Machine)

  1. Open VirtualBox → New VM → Name: Kali Linux
  2. Type: Linux, Version: Debian (64-bit)
  3. Assign:
    • RAM: 2 GB minimum (4 GB if you plan to run Metasploit and a browser side by side)
    • Disk: 20 GB (Dynamically Allocated)
  4. Mount the Kali ISO and boot.
  5. Follow the GUI installer:
    • Create a user (Kali's installer gives it sudo rights)
    • Choose a mirror (optional)
    • Partition and install
  6. After the first boot, update the system. This needs internet access, so keep the default NAT adapter attached until you isolate the lab in Step 5:
sudo apt update && sudo apt upgrade -y
  7. Install basic tools:
sudo apt install net-tools curl vim git proxychains nmap

🎯 Step 4: Import Metasploitable 2 (Target Machine)

  1. Download the appliance → VirtualBox → File → Import Appliance. Note that the SourceForge download is a zip containing a VMware .vmdk disk rather than an .ova; if that is what you have, create a new VM instead (Type: Linux, Version: Ubuntu (32-bit)) and attach the existing .vmdk as its hard disk.

  2. Set:

    • RAM: 512 MB
    • Network: Host-only Adapter (same as Kali)
  3. Boot & login:

Username: msfadmin
Password: msfadmin

🌐 Step 5: Network Configuration

Ensure both VMs are on the same Host-only Adapter:

  • Go to Settings → Network:

    • Kali: Adapter 1 → Host-only Adapter → vboxnet0
    • Metasploitable: Same

🖥️ Verify Network:

# On Kali
ip a

# Ping Metasploitable (substitute the address it actually reports)
ping 192.168.56.102

Use ifconfig (on Metasploitable 2) or ip a (on Kali) on both machines to get the IPs. VirtualBox's host-only DHCP server hands out 192.168.56.101 upward in boot order, so the addresses used in this guide are examples, not fixed values.
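The two things worth checking before touching the target are that Kali really sits on the host-only range and that it has no route out of the lab (a NAT or bridged adapter left attached is the usual way a lab leaks). The script below is an added example, not code from the original post: it assumes VirtualBox's default host-only range 192.168.56.0/24 and takes the target address as its only argument; the parsing helpers work on the text of `ip -4 -o addr` and `ip route show`, so they can be tried on captured output as well as live.

```shell
#!/bin/sh
# Added example (not from the original post): run inside the Kali guest as
#   sh lab-check.sh 192.168.56.102
# Assumption: the host-only network is 192.168.56.0/24 (VirtualBox's default).
HOSTONLY_PREFIX="192.168.56."

# First IPv4 address in the host-only range, taken from `ip -4 -o addr show`
# output (field 4 is "addr/prefix"); prints nothing if none is configured.
hostonly_addr() {
    printf '%s\n' "$1" | awk -v p="$HOSTONLY_PREFIX" \
        'index($4, p) == 1 { split($4, a, "/"); print a[1]; exit }'
}

# Succeeds if `ip route show` output contains a default route, meaning the
# guest could reach beyond the lab (a NAT or bridged adapter is still attached).
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default '
}

# Succeeds if an address lies inside the host-only range.
in_lab_range() {
    case "$1" in
        "$HOSTONLY_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: address present, no way out, target inside the range and answering.
check_lab() {
    target="$1"
    me=$(hostonly_addr "$(ip -4 -o addr show)")
    if [ -z "$me" ]; then
        echo "no address in ${HOSTONLY_PREFIX}0/24: check Adapter 1 is Host-only"
        return 1
    fi
    if has_default_route "$(ip route show)"; then
        echo "default route present: a NAT or bridged adapter is still attached"
        return 1
    fi
    if ! in_lab_range "$target"; then
        echo "target $target is outside the lab range"
        return 1
    fi
    if ping -c 1 -W 1 "$target" >/dev/null 2>&1; then
        echo "ok: $me -> $target reachable, no route out of the lab"
    else
        echo "target $target not answering: check it is booted on the same host-only adapter"
        return 1
    fi
}

if [ $# -eq 1 ]; then
    check_lab "$1"
fi
```

A non-zero exit from `check_lab` is the signal to go back to Settings → Network before starting a session; the default-route test is deliberately strict, because Metasploitable on a network with a gateway is exploitable by everything that can reach it.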


📸 Step 6: Take Snapshots

After installing each VM:

  1. Go to Snapshots in VirtualBox
  2. Click Take Snapshot
  3. Name it: Clean Install

📌 Snapshots allow you to revert VMs after running exploits or malware tests.
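Steps 4 to 6 can also be done from the command line with VBoxManage, VirtualBox's CLI, which makes the lab reproducible: the same isolation settings every time, and a one-command revert to the clean snapshot before each session. The script below is an added example, not code from the original post; the VM names, the host-only interface name (vboxnet0, which is called "VirtualBox Host-Only Ethernet Adapter" on Windows), the snapshot name and the disk path are assumptions to adjust for your setup.

```shell
#!/bin/sh
# Added example (not from the original post): scripted equivalent of Steps 4-6.
#   sh lab.sh build ./Metasploitable.ova     (or ./Metasploitable.vmdk)
#   sh lab.sh session
# Assumed names below; override via environment or edit in place.
set -u

KALI="${KALI:-Kali Linux}"
TARGET="${TARGET:-Metasploitable 2}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"
SNAP="${SNAP:-Clean Install}"

# Step 5: host-only on adapter 1 and nothing else. Adapters 2-4 are switched
# off so a forgotten NAT or bridged NIC cannot leak the lab outward.
isolate_vm() {
    VBoxManage modifyvm "$1" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" \
        --nic2 none --nic3 none --nic4 none
}

# Step 4, .ova variant: import the appliance, name it and cap RAM at 512 MB.
import_target_ova() {
    VBoxManage import "$1" --vsys 0 --vmname "$TARGET" --memory 512
}

# Step 4, .vmdk variant (the SourceForge zip ships a VMware disk, not an .ova):
# create a 32-bit Ubuntu VM and attach the existing disk on an IDE controller.
create_target_from_vmdk() {
    VBoxManage createvm --name "$TARGET" --ostype Ubuntu --register
    VBoxManage modifyvm "$TARGET" --memory 512
    VBoxManage storagectl "$TARGET" --name IDE --add ide
    VBoxManage storageattach "$TARGET" --storagectl IDE --port 0 --device 0 \
        --type hdd --medium "$1"
}

# Step 6: snapshot a VM so every session can start from a known state.
snapshot_clean() {
    VBoxManage snapshot "$1" take "$SNAP" --description "fresh install, before any exploitation"
}

# Power the VM off if it is running (restore needs it stopped), then revert.
revert_clean() {
    VBoxManage controlvm "$1" poweroff >/dev/null 2>&1 || true
    VBoxManage snapshot "$1" restore "$SNAP"
}

# Build the target from its disk image, isolate both VMs, snapshot both.
build_lab() {
    case "$1" in
        *.ova)  import_target_ova "$1" ;;
        *.vmdk) create_target_from_vmdk "$1" ;;
        *)      echo "expected an .ova or .vmdk, got: $1" >&2; return 1 ;;
    esac
    isolate_vm "$KALI"
    isolate_vm "$TARGET"
    snapshot_clean "$KALI"
    snapshot_clean "$TARGET"
}

# Start a session from clean snapshots: target headless, Kali with a console.
start_session() {
    revert_clean "$KALI"
    revert_clean "$TARGET"
    VBoxManage startvm "$TARGET" --type headless
    VBoxManage startvm "$KALI" --type gui
}

case "${1:-}" in
    build)   build_lab "${2:?path to Metasploitable .ova or .vmdk}" ;;
    session) start_session ;;
    "")      echo "usage: $0 build <ova|vmdk> | session" >&2 ;;
esac
```

Run `build` once after installing Kali (with both VMs powered off) and `session` at the start of every practice run; `revert_clean` is what turns "always snapshot before running exploits" from a habit into something the script enforces.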


🧷 Step 7: Guest Additions + Enhancements (Optional)

Install Guest Additions on Kali, then reboot (Kali's prebuilt VirtualBox image already ships with them, so this is only needed for an ISO install):

sudo apt install virtualbox-guest-x11

Enable Drag & Drop and Shared Clipboard:

  • VM Settings → General → Advanced → Set both to Bidirectional

🗂️ Suggested Lab Folder Structure

~/Pentest-Lab/
├── Notes/
├── Reports/
├── Payloads/
└── Tools/

Clone helpful tools into Tools/ (both are Linux privilege-escalation enumeration scripts you copy onto a compromised target):

git clone https://github.com/carlospolop/PEASS-ng
git clone https://github.com/rebootuser/LinEnum

🧠 Final Lab Topology Diagram

+----------------------+           +------------------------+
|     Kali Linux VM    | <-------> |  Metasploitable 2 VM   |
|  (Attacker Toolkit)  | Host-only |  (Vulnerable Target)   |
| IP: 192.168.56.101   | Network   | IP: 192.168.56.102     |
+----------------------+           +------------------------+
              ↕
        VirtualBox Host
          (Your System)

🧠 Pro Tips & Blue Team Notes

  • 🔒 Keep your lab offline: use Host-only or Internal networks. Host-only still lets your host reach the VMs; Internal Network isolates them from the host as well. Never put Metasploitable on a bridged adapter, since it is deliberately exploitable by anyone on the LAN.
  • 💥 Always snapshot before running malware or privilege escalation exploits.
  • 🧑‍💻 Install useful enumeration tools early on, while the attacker VM still has internet access.
  • 🔁 Revert VMs after each pentest session for repeatability.

✅ Key Takeaways

  • You now have a fully isolated lab with:

    • ✅ Kali Linux (attacker)
    • ✅ Metasploitable 2 (target)
  • This is your playground to practice:

    • Nmap scans
    • Exploits via Metasploit
    • Manual recon and enumeration

💬 Got questions or suggestions? Comment below or reach out on LinkedIn. Stay tuned for more ethical hacking labs!