How I Built My Home Lab

How I Built My Home Lab

A common question for people getting started in InfoSec is “How do you learn and practice ethical hacking skills without getting in trouble with the law?” If you try to run Burp Suite against any old website, for example, you could end up in some very hot water. You should never use hacking tools against any IP address or website you don’t own (unless you have explicit, written permission), but who wants to get blacklisted by their ISP or to accidentally take down their own website? Lucky for us, there’s a better option: introducing the virtual home lab.

One of the first things I did when I started learning more about InfoSec in 2018 was to put together a home lab I could use to experiment and test with. I decided to do everything using free tools as much as possible, and to run it on the hardware I had available. This kind of virtual home lab is perfect for an InfoSec beginner on a tight budget; I’ll explain how I put mine together so you can do the same thing.

The whole lab currently lives in a VirtualBox on my 2017 iMac because it has 40 GB of RAM and a 1 TB Fusion drive, but you don’t need anything super powerful or expensive to make it work. I originally built this lab on my 2011 MacBook Pro with only 8 GB of RAM and a 500 GB SSD drive and ran it for a few months without any issues.


Shopping List

First, it’s time to gather all the pieces together…your hardware, software, etc. You will need:

Download these items and save them in an appropriate folder. This part takes the longest, since some of the VM files are over 4 GB in size. Unless you have a fast connection, I’d recommend letting them download overnight.


Install Virtual Box

Depending on what Operating System you’re using, the documentation from the VirtualBox website will explain how to install and set it up. Here are the instructions for Mac OS:

  1. Download the DMG file if you haven’t already…then double-click it to mount and open it
  2. Double-click the VirtualBox.pkg icon to run the installer
  3. Eject the DMG file when the installation has completed


Configure an ISOLATED Virtual Network For Your Lab

This is important…you don’t want any of these super-vulnerable VMs to have access to your home network or the Internet. Create a Host-Only network in VirtualBox and assign these VMs to that network to completely isolate them from everything else.

  1. In VirtualBox Manager, click “Tools” and then “Network”
  2. Click “Create” to set up a new Host-Only network
  3. Click “Properties”, then “DHCP Server” and select “Enable Server”
  4. Click “Apply” to finish

When we import VMs in the next steps, we’ll select this network in the NIC properties. Any VMs using this network will be able to talk to each other, but NOT to the outside world or any devices outside of this virtual network. Total air-gapped isolation.


Import and Set Up the Kali VirtualBox VM

Now it’s time to import your Kali virtual appliance.

  1. Open VirtualBox then go to File > Import Appliance
  2. Browse to the Kali .ova file you downloaded earlier and select it, then hit “Continue”

  1. Accept the defaults and click “Import”

  1. After a minute or two, your new Kali VM will be ready. Select it, click “Start” to power it on and then log yourself in

The username is “root” and the default password is “toor”. Once you’re logged in, you should be at the Kali desktop:

Once you’ve booted into Kali, perform the following steps:

  1. Change the root password
    1. Open a Terminal window and run this command to change the root password
      1. passwd
    2. Enter the new password twice when prompted
  2. Change the default SSH keys
    1. Run this command to generate new SSH keys:
      1. dpkg-reconfigure openssh-server
  3. Install all the latest updates
    1. Run this string of commands to refresh the local update cache, download/install any available updates and remove any unneeded packages from the system:
      1. apt-get update && apt-get dist-upgrade -y && apt autoremove
  4. Install the VirtualBox Guest Extensions
    1. In the VirtualBox menu, go to Devices and click “Insert Guest Additions CD Image”
    2. When prompted inside the VM, click “Run”
    3. When the installation is complete, hit the Enter key to close the Terminal window
  5. Shut the VM down and take a snapshot (you’ll thank me later)
    1. Click the properties box next to your VM and select “Snapshots”
    2. Click the “Take” button at the top of the screen
    3. Name the snapshot whatever you like and click “OK”
    4. Now you’ll be able to revert to this clean snapshot if anything ever goes wrong in your Kali VM
  6. Change the Kali VM to the Host-Only network adapter
    1. Go to your Kali VM settings, click “Network” and then select “Host-Only Adapter” from the drop down list, then “OK” to finish


Import and Set Up Your Vulnerable Test VMs

You’ll need at least one vulnerable VM to run exploits against, and if you only have the system resources for one, it should be Metasploitable. If your computer can handle more, grab one each from the list above to have more testing/exploit options at your disposal.

Here’s a screenshot of my finished VirtualBox Kali test lab:


That’s all there is to it…you now have your own mad scientist test lab where you can learn and practice your new security skills without worrying about jail time.

Ready to expand things even further? You can try some of these free (or cheap) home lab expansion projects:

  • Set up a Security Onion VM and roll your own in-home SOC
  • Set up GNS3 and see how your security exploits look at the network level
  • Spin up a Kali instance in Amazon EC2 for external pen testing against your own public IP address (always get authorization from Amazon before performing ANY testing!)
  • Build a Kali Raspberry Pi for some WiFi pen testing or war driving
  • Etc.

Any tips, feedback or suggestions? Have your own home lab building experiences to share? Let’s discuss in the comment section below.