How to Set Up Hacking Lab in 2026 — Complete Home Lab Guide for Ethical Hackers

Setting up a hacking lab is the most important practical step any aspiring ethical hacker can take, and it costs nothing except the time to follow this guide. Every tool, technique, and vulnerability covered in this course needs a safe, legal, isolated environment to practice in. You cannot become a professional penetration tester by reading alone. Today you are building the lab that makes everything else real: on whatever hardware you have, for free, by the end of this article.

🎯 What You’ll Build in This Guide

A fully isolated VirtualBox network with Kali Linux as your attacker machine
Metasploitable 2 as a deliberately vulnerable Linux network target
DVWA via Docker for web application testing practice
The correct Host-Only network configuration that keeps everything safe
A roadmap for expanding to Windows Active Directory and advanced targets

⏱️ 50 min read · 3 exercises · complete lab running by end

✅ This guide meets you wherever you are. If you are starting from zero, follow the whole guide. If you already have Kali but no targets, jump to Section 3. For Active Directory lab expansion, the final section covers exactly what you need and where to get it free.

Every terminal exercise in the 180-Day Kali Linux Mastery Course and the 100-Day Ethical Hacking Course references a local lab environment. TryHackMe and HackTheBox are excellent for guided learning, but a local lab gives you complete control — break a target completely, rebuild it in two minutes, and try again. No time limits, no subscription required, no internet dependency. This is where your real skill development happens.


Why a Local Lab Is Non-Negotiable for Serious Security Learning

Online platforms like TryHackMe and HackTheBox are genuinely excellent for structured learning. But they have real limitations. Machines reset on a schedule. You cannot install custom tools or reconfigure targets. You cannot build the multi-machine attack chains that real penetration tests require. You cannot practice post-exploitation persistence without worrying about cleaning up a shared environment.

A local lab removes every one of those constraints. You can run Metasploit against a target you own and control. You can set up a full Active Directory environment, deliberately misconfigure it, then find and exploit every flaw you introduced. You can run 10 Nmap scans in a row without worrying about rate limits or impact on other users. You can break things badly and restore from snapshot in under 60 seconds.

Every professional penetration tester has a local lab. Not because online platforms are bad — but because deep skill development requires the freedom to experiment without limits. This guide builds that foundation.

[Figure: Complete Home Hacking Lab Architecture. The host machine (your computer) has internet access via its normal NIC and runs the VirtualBox hypervisor. A fully isolated Host-Only network, 192.168.56.0/24, connects Kali Linux (.101, attacker, plus NAT for updates), Metasploitable 2 (.102, target, Host-Only only), and DVWA in Docker (.101:80, web, runs in Kali). Metasploitable has no internet access and cannot reach your home network.]

📸 Complete home hacking lab network architecture — Kali attacker on Host-Only plus NAT, Metasploitable on Host-Only only, DVWA running in Docker inside Kali. All lab traffic stays within the 192.168.56.0/24 isolated segment.


VirtualBox and Kali Linux — Your Attacker Machine Setup

VirtualBox is the free, open-source hypervisor that runs all your virtual machines. Kali Linux is the attacker machine — the VM you work from, with every security tool pre-installed. Together they are the foundation everything else builds on.

VIRTUALBOX + KALI LINUX — INSTALLATION STEPS
# Step 1: Download VirtualBox (free)
https://www.virtualbox.org/wiki/Downloads
# Install for your OS — Windows/macOS/Linux packages available
# Step 2: Download Kali Linux VirtualBox OVA (~4GB)
https://www.kali.org/get-kali/#kali-virtual-machines
# Select: VirtualBox · 64-bit · download .ova file
# Step 3: Import into VirtualBox
# VirtualBox → File → Import Appliance → select .ova
# Recommended VM settings:
RAM: 4096 MB (minimum 2048 MB)
CPU: 2 cores
Video memory: 128 MB
# Default credentials: kali / kali
# Step 4: First boot — update everything
sudo apt update && sudo apt full-upgrade -y
# Takes 5–15 minutes depending on connection speed

🛠️ EXERCISE 1 — BROWSER (8 MIN · NO INSTALL)
Assess Your Hardware and Plan Your Lab Configuration Before Downloading

⏱️ Time: 8 minutes · Browser and your computer’s system settings only

Step 1: Check your available RAM:
Windows: Task Manager → Performance → Memory
macOS: About This Mac → System Report → Memory
Linux: free -h

Step 2: Check free disk space on your largest drive

Step 3: Use this decision table to plan your lab:

8GB RAM → Kali (2GB) + DVWA Docker (0.5GB) only
Use TryHackMe for network targets
12GB RAM → Kali + DVWA + Metasploitable (512MB)
Full basic lab — this guide’s target setup
16GB RAM → Kali + DVWA + Metasploitable + 1 VulnHub VM
Comfortable multi-target testing
32GB RAM → Full AD lab (Kali + DC + 2x Windows + DVWA)
Professional-grade training environment

Step 4: Verify your CPU supports virtualisation:
Windows: Task Manager → Performance → CPU → “Virtualization: Enabled”
If disabled: enable Intel VT-x or AMD-V in BIOS settings

Step 5: Bookmark these download pages for after reading this guide:
virtualbox.org/wiki/Downloads
kali.org/get-kali
sourceforge.net/projects/metasploitable

✅ What you just learned: Matching your lab configuration to your available hardware prevents the most common beginner frustration — running out of RAM mid-session and having VMs crash. An 8GB machine with only Kali and Docker-based DVWA is a perfectly functional lab for learning web application testing. The full three-VM setup needs 12GB. Every configuration in the table above supports everything in the SecurityElites course — you pick the one that matches your machine.

📸 Screenshot your RAM and disk specs with your chosen lab configuration and share in #lab-setup on Discord.


Metasploitable 2 — Your First Vulnerable Target VM

Metasploitable 2 is a deliberately insecure Ubuntu Linux VM created by Rapid7 specifically for Metasploit Framework testing. It runs over 30 intentionally vulnerable services including FTP (vsftpd 2.3.4 backdoor), SSH, Telnet, HTTP (DVWA, Mutillidae, phpMyAdmin), Samba, and many more. It is the best general-purpose network target for learning exploitation fundamentals.

METASPLOITABLE 2 — DOWNLOAD AND CONFIGURE
# Download from SourceForge (free, ~900MB)
https://sourceforge.net/projects/metasploitable/
# Extract ZIP — contains Metasploitable2-Linux.vmdk
# In VirtualBox: New VM
Name: Metasploitable2
Type: Linux | Version: Ubuntu (64-bit)
RAM: 512 MB
Hard disk: Use existing → select Metasploitable2-Linux.vmdk
# CRITICAL: Network adapter = Host-Only ONLY
# VM Settings → Network → Adapter 1 → Host-only Adapter
# DO NOT add a second NAT adapter — keep it fully isolated
# Boot and log in: msfadmin / msfadmin
# Find its IP from inside Metasploitable:
ifconfig eth0
# Or discover it from Kali:
sudo netdiscover -r 192.168.56.0/24
# Verify from Kali with Nmap:
nmap -sV -p- 192.168.56.102
# Expect 20+ open services — ftp, ssh, telnet, http, mysql…

⚠️ Never expose Metasploitable: Metasploitable 2 has a backdoored FTP service, default credentials on every service, and dozens of known vulnerabilities — by design. It exists to be hacked. If you accidentally place it on a Bridged or NAT network, anyone on your home network (or potentially the internet) could compromise your host machine through it. Host-Only adapter only, always.

DVWA via Docker — Web Application Testing Environment

DVWA (Damn Vulnerable Web Application) is the web application testing target used throughout this entire course. Running it via Docker inside your Kali VM is simpler and faster than running it as a separate VM — and keeps it accessible at 127.0.0.1 without any additional network configuration.

DVWA DOCKER SETUP — INSIDE KALI VM
# Install Docker (if not present in Kali)
sudo apt update && sudo apt install docker.io -y
sudo systemctl enable --now docker
# Pull and run DVWA (sudo is needed unless your user is in the docker group)
sudo docker pull vulnerables/web-dvwa
sudo docker run -d -p 80:80 --name dvwa vulnerables/web-dvwa
# Note: -p 80:80 publishes on every Kali interface, including the Host-Only one;
# -p 127.0.0.1:80:80 keeps DVWA on loopback only
# Access DVWA in Kali Firefox
http://127.0.0.1/dvwa/setup.php
# Click: Create / Reset Database
http://127.0.0.1/dvwa/login.php
# Login: admin / password
# Stop and start DVWA between sessions:
sudo docker stop dvwa
sudo docker start dvwa
# Reset DVWA to clean state (removes all injected data).
# -f is required because a running container cannot be removed:
sudo docker rm -f dvwa && sudo docker run -d -p 80:80 --name dvwa vulnerables/web-dvwa
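
To confirm where the DVWA port is actually listening, this added example (not part of the original guide) classifies the bindings reported by `docker port`. The function and sample names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Function and sample names are
# hypothetical. Real use inside Kali, with the container name from this guide:
#   sudo docker port dvwa | classify_binds

# Reads `docker port` output on stdin (lines like "80/tcp -> 0.0.0.0:80"),
# labels each host binding, and succeeds only if every binding is loopback.
classify_binds() {
    exposed=0
    while IFS= read -r line; do
        case "$line" in
            *" -> "*) ;;
            *) continue ;;
        esac
        target=${line##*" -> "}      # host side, e.g. 0.0.0.0:80 or [::]:80
        addr=${target%:*}            # strip the port after the last colon
        case "$addr" in
            127.*|"[::1]")
                echo "loopback    $target" ;;
            0.0.0.0|"[::]")
                exposed=$((exposed + 1))
                echo "all-ifaces  $target" ;;
            *)
                exposed=$((exposed + 1))
                echo "one-iface   $target" ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample: what `-p 80:80` typically produces.
sample_default() {
    printf '%s\n' '80/tcp -> 0.0.0.0:80' '80/tcp -> [::]:80'
}

# Constructed sample: the same container published with -p 127.0.0.1:80:80.
sample_loopback() {
    printf '%s\n' '80/tcp -> 127.0.0.1:80'
}

sample_default | classify_binds || echo "DVWA is reachable from other machines on Kali's networks"
sample_loopback | classify_binds && echo "DVWA is reachable from Kali only"
```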


Host-Only Network Configuration — Keeping Your Lab Isolated

The Host-Only network is the most important configuration in your lab setup. It creates a private network between your host machine and your VMs that has no routing to the internet or your home network. Vulnerable VMs on this network can be attacked freely because they are completely contained — they cannot reach anything outside the virtual network segment.

VIRTUALBOX HOST-ONLY NETWORK — CREATION AND ASSIGNMENT
# Step 1: Create the Host-Only network in VirtualBox
# File → Host Network Manager → Create
Adapter IPv4: 192.168.56.1
Subnet mask: 255.255.255.0
DHCP Server: Enable
DHCP Lower: 192.168.56.101
DHCP Upper: 192.168.56.200
# Step 2: Kali VM network settings:
Adapter 1: Host-only Adapter (for lab traffic)
Adapter 2: NAT (for internet updates — optional)
# Step 3: Metasploitable VM network settings:
Adapter 1: Host-only Adapter ONLY
NO second adapter — complete isolation required
# Step 4: Verify isolation from Kali:
ping 192.168.56.102 # Reaches Metasploitable ✓
# From Metasploitable terminal:
ping 8.8.8.8 # Times out — no internet ✓
ping 192.168.1.1 # Times out — no home network ✓
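
Step 3 can also be checked from the host's command line before the target ever boots. This added example (not part of the original guide) reads `VBoxManage showvminfo <vm> --machinereadable` output and passes only when the VM has a host-only adapter and no other enabled adapter. The function and sample names are hypothetical and the sample VM info is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Function and sample names are
# hypothetical. Real use on the host, with the VM name from this guide:
#   VBoxManage showvminfo Metasploitable2 --machinereadable | audit_target_nics

# Reads machine-readable VM info on stdin, prints one line per enabled adapter,
# and succeeds only if the VM has a host-only adapter and no other enabled one.
audit_target_nics() {
    hostonly=0
    other=0
    while IFS= read -r line; do
        case "$line" in
            nic[0-9]*=*) ;;          # adapter mode lines: nic1="hostonly"
            *) continue ;;           # skip nictype1=, macaddress1=, etc.
        esac
        key=${line%%=*}
        mode=${line#*=}
        mode=${mode#\"}
        mode=${mode%\"}
        case "$mode" in
            none) ;;                 # adapter slot disabled
            hostonly)
                hostonly=$((hostonly + 1))
                echo "OK    $key: hostonly" ;;
            *)
                other=$((other + 1))
                echo "FAIL  $key: $mode (not host-only)" ;;
        esac
    done
    [ "$hostonly" -ge 1 ] && [ "$other" -eq 0 ]
}

# Constructed sample: the target as this guide configures it.
sample_isolated() {
    cat <<'EOF'
name="Metasploitable2"
memory=512
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nictype1="82540EM"
nic2="none"
EOF
}

# Constructed sample: the same VM after a NAT adapter was added by mistake.
sample_leaky() {
    cat <<'EOF'
name="Metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="nat"
nictype2="82540EM"
EOF
}

sample_isolated | audit_target_nics && echo "isolated: pass"
sample_leaky | audit_target_nics || echo "leaky: fix the adapter list before booting"
```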

🧠 EXERCISE 2 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Design a Lab Network for an Active Directory Attack Scenario

⏱️ Time: 10 minutes · Paper or text editor

You want to practice this Active Directory attack chain:
1. External recon → find a domain user account
2. Compromise a Windows workstation (phishing simulation)
3. Local privilege escalation on the workstation
4. Pass the Hash to a second machine
5. BloodHound attack path analysis
6. Domain Admin compromise via shortest path

Design the lab that lets you practice this full chain.
Answer these questions:

– How many VMs do you need? What OS is each one?
– What IP range would you assign the lab segment?
– What network adapter does each VM need?
– What is the minimum RAM this lab requires?
– Where do you get each VM image for free?
– Which machines need internet access? Which must be isolated?

✅ The AD lab needs: Kali (attacker, 4GB RAM, Host-Only + NAT for updates), Windows Server 2022 Eval (Domain Controller, 4GB RAM, Host-Only only), Windows 10 Eval (workstation, 2GB RAM, Host-Only only). Minimum RAM: 10GB dedicated to VMs. Sources: Kali from kali.org, Windows Server and Windows 10 evaluation ISOs from microsoft.com/evalcenter — both free for 180-day trials, renewable. Domain Controller and workstation: Host-Only only. Kali: Host-Only plus NAT for tool updates. Total cost: zero dollars.

📸 Draw your AD lab diagram and share in #lab-setup on Discord.


Lab Expansion Roadmap — Windows, Active Directory and VulnHub

The basic lab (Kali + Metasploitable + DVWA) covers web application testing and foundational network exploitation. As you advance through the courses, you need additional targets. Here is the expansion path aligned with the SecurityElites course progression.

Months 1–2 — Basic Lab: Master DVWA at all four security levels. Work through all 30 DVWA labs in the lab series. Exploit all major Metasploitable services (FTP backdoor, Samba, web apps). Add VulnHub beginner machines — Mr-Robot, Basic Pentesting, and DC-1 are excellent starting points that introduce real engagement methodology.

Month 3 — Active Directory Lab: Download Windows Server 2022 and Windows 10 evaluation ISOs from microsoft.com/evalcenter. Configure a Domain Controller, join a workstation to the domain, create users and groups with intentional misconfigurations. This is the environment for BloodHound, Pass the Hash, Kerberoasting, and all Days 23–50 of the Ethical Hacking course.

Beyond — Advanced Targets: VulnHub intermediate and advanced machines. A dedicated box (old laptop or Raspberry Pi) running your lab 24/7 so you can practice any time without spinning up VMs. Cloud lab environments on AWS Free Tier for cloud security practice alongside your local setup.

🌐 EXERCISE 3 — TRYHACKME (20 MIN)
Use TryHackMe as a Cloud Lab While Your Local Lab Downloads

⏱️ Time: 20 minutes · Free TryHackMe account

Step 1: Create a free TryHackMe account at tryhackme.com

Step 2: Start the room “Pre-Security” (completely free path)
OR “Introduction to Cybersecurity” (also free)

Step 3: Open the TryHackMe AttackBox (free browser-based Kali machine)
This gives you a Kali environment instantly — no local setup

Step 4: In the AttackBox terminal, run:
nmap -sV [target IP shown in the room]
Compare the output to what you expect from your local lab

Step 5: WHILE the AttackBox session is running, start downloading
your local lab files in parallel:
— VirtualBox from virtualbox.org
— Kali Linux OVA from kali.org/get-kali
— Metasploitable 2 from sourceforge.net/projects/metasploitable

Step 6: Complete the first room task using the AttackBox

Step 7: When your downloads finish, switch to setting up the local
VirtualBox environment using the steps in this guide

TryHackMe fills the gap while your lab is being built.
Your local lab becomes the permanent environment once complete.

✅ What you just learned: TryHackMe and a local lab are complementary. TryHackMe gives you instant access with guided scenarios. Your local lab gives you complete control and permanence. The ideal workflow: TryHackMe for structured learning modules and guided rooms, local lab for free-form practice, tool experimentation, and the multi-machine scenarios that cloud platforms cannot host. The downloads running in Step 5 while you practice in Step 4 means you waste zero time.

📸 Screenshot your AttackBox session running Nmap alongside your download progress and share in #lab-setup on Discord. Tag #hackinglabsetup2026

🧠 QUICK CHECK — Hacking Lab Setup

You want to add Metasploitable 2 to your VirtualBox lab. It needs to be accessible from your Kali VM but must not be reachable from your home Wi-Fi network. Which network adapter configuration achieves this?



📋 Lab Setup Checklist — Verify Everything Works

VirtualBox installed: virtualbox.org, free for all platforms
Kali Linux VM imported and updated: sudo apt update && sudo apt full-upgrade -y
Host-Only network created (192.168.56.0/24): VirtualBox → File → Host Network Manager
Metasploitable 2 on Host-Only adapter only: no NAT adapter, completely isolated from the internet
DVWA running via Docker: sudo docker run -d -p 80:80 --name dvwa vulnerables/web-dvwa
Kali can ping Metasploitable: ping 192.168.56.102 returns responses
Metasploitable cannot ping internet: ping 8.8.8.8 from Metasploitable fails, isolation confirmed
DVWA accessible in Kali browser: http://127.0.0.1/dvwa/ loads login page

❓ Frequently Asked Questions

How much does a home hacking lab cost to build?
Completely free. VirtualBox, Kali Linux, Metasploitable 2, and DVWA are all free. The only cost is hardware — a machine with at least 8GB RAM and 50GB free disk space. 16GB RAM runs the full three-VM basic lab comfortably.
Is it safe to run a hacking lab on my main computer?
Yes, with correct network configuration. Use VirtualBox’s Host-Only Adapter for all vulnerable VMs. This creates an isolated network with no access to the internet or home network. Never put Metasploitable on a Bridged Adapter.
What is the difference between VirtualBox and VMware?
VirtualBox is free and open-source. VMware’s personal editions became free in 2024. For hacking labs, VirtualBox works perfectly and is recommended for beginners due to zero cost and strong community documentation.
What vulnerable VMs should I practice on after Metasploitable?
After Metasploitable 2: Metasploitable 3, VulnHub machines (hundreds of free VMs), OWASP WebGoat, and HackTheBox retired machines. VulnHub.com is the best free resource covering every skill level.
Can I build a hacking lab on a Mac with Apple Silicon?
Yes. VirtualBox 7.0+ supports Apple Silicon. UTM is a free alternative. Kali Linux has an official ARM64 image. Docker-based targets (DVWA, WebGoat) run natively. Use Metasploitable 3 instead of 2 for better ARM compatibility.
What is the minimum system requirement for a hacking lab?
Minimum: 8GB RAM, 4-core CPU, 50GB free disk — runs Kali plus DVWA Docker. Recommended: 16GB RAM, 100GB SSD — runs full three-VM lab. For a full AD lab: 24–32GB RAM for Domain Controller and Windows workstation.

📚 Further Reading

  • How to Install Kali Linux — Ethical Hacking Day 2 covers all Kali Linux installation methods including VirtualBox, dual-boot, WSL2, and bare metal with detailed screenshots for each approach.
  • DVWA Lab Series — 30 Labs — The complete 30-lab DVWA walkthrough series covering every web application vulnerability class — the primary curriculum for your new DVWA Docker installation.
  • 180-Day Kali Linux Mastery Course — The full Kali Linux course with every tool exercise referencing your local lab — every day from Nmap through advanced exploitation uses the environment you just built.
  • VulnHub — Free Vulnerable VMs — The largest free repository of intentionally vulnerable virtual machines — hundreds of targets at every skill level available for immediate download and VirtualBox import.
  • Microsoft Evaluation Center — Free 180-day evaluation ISOs for Windows Server and Windows 10/11 — the official source for building your Active Directory lab environment at zero cost.
Mr Elite
Owner, SecurityElites.com
I built my first hacking lab on a seven-year-old laptop with 8GB RAM and a 120GB SSD that was already 70% full. Kali and Metasploitable on a Host-Only network, DVWA in the browser, and three months of breaking the same intentionally vulnerable services over and over until the techniques became reflexive. That laptop lab taught me more than any course or book ever could — because when you break something yourself and have to figure out why, you understand it in a way that watching someone else break it never produces. The difference between people who understand hacking conceptually and people who can actually do it comes down almost entirely to lab hours. Build it today.
