
Setting Up Lab - Complete guide:
Why Set Up a Lab?
A cyber lab is a safe, virtual environment to practice:
- Ethical hacking & penetration testing
- Malware analysis & forensics
- Network security configurations
- Exploitation and patching vulnerabilities
- Red vs Blue team simulations
Virtualization Platform
Use Oracle VirtualBox or VMware Workstation Player (both free). We’ll proceed with VirtualBox.
You can run multiple virtual operating systems on your computer without affecting the host system.
Step 1: Download Everything You Need
Tool / OS - Purpose - Download Link
VirtualBox - Virtualization platform - virtualbox.org
Kali Linux ISO - Ethical hacking tools - kali.org
Ubuntu ISO - Linux target system - ubuntu.com
Windows 10 ISO - Windows target system - microsoft.com
Metasploitable 2 - Vulnerable Linux target - sourceforge.net/projects/metasploitable/
Android Emulator - Mobile penetration testing - android-studio
OWASP Broken Web Apps VM - Web app testing - owasp.org
Step 2: Create Each Virtual Machine
Create a separate VM for each OS. Below are the specific steps and purposes.
a. Kali Linux (Attacker)
Name: Kali Linux
RAM: 2–4GB
Disk: 20GB+
ISO: Use Kali ISO
Use as: Main attacker machine
Tools: Nmap, Metasploit, Burp Suite, Nikto, Hydra, Wireshark
b. Ubuntu or Metasploitable (Linux Target)
Name: Ubuntu / Metasploitable
RAM: 1–2GB
Disk: 15GB
Use as: Linux victim machine
Use Metasploitable for practicing real-world exploits.
c. Windows 10 (Windows Target)
RAM: 4GB
Disk: 25–30GB
Use as: Windows target for malware analysis, RDP brute force, etc.
d. Android Emulator (Mobile Target)
Use Android Studio AVD or Genymotion
Install apps like DVIA, InsecureBank
Use for mobile app pentesting
e. OWASP BWA / Juice Shop (Web Targets)
Deploy inside VM or as a local web server
Use Kali to scan and attack using:
Burp Suite
SQLmap
Nikto
XSSer
Step 3: Setup Internal Network
- Go to Settings → Network on each VM
- Adapter 1 → Attach to: Internal Network
- Name the network (e.g., cyber-lab)
- All VMs are now on the same isolated LAN
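The isolation in Step 3 only holds if no other adapter on a VM is still set to NAT, bridged or host-only. The script below is an added example, not part of the original guide: it parses the output of VBoxManage showvminfo --machinereadable and flags any enabled adapter that is not on the lab's Internal Network. The function names and sample data are constructed for illustration, and the network name cyber-lab is taken from Step 3.

```shell
#!/bin/sh
# Added example: audit a VM's VirtualBox adapters for lab isolation.
# LAB_NET is the Internal Network name from Step 3 (assumed "cyber-lab").
LAB_NET="${LAB_NET:-cyber-lab}"

# check_isolation: reads `VBoxManage showvminfo <vm> --machinereadable`
# output on stdin, prints one line per offending adapter, and returns 1
# if any enabled adapter is not an Internal Network adapter on $LAB_NET.
check_isolation() {
    awk -F= -v net="$LAB_NET" '
        { v = $2; gsub(/"/, "", v) }   # value with quotes stripped
        $1 ~ /^nic[0-9]+$/    { mode[substr($1, 4)] = v }
        $1 ~ /^intnet[0-9]+$/ { name[substr($1, 7)] = v }
        END {
            bad = 0
            for (n in mode) {
                if (mode[n] == "none") continue   # adapter disabled
                if (mode[n] != "intnet") {
                    printf "adapter %s: mode %s leaves the lab network\n", n, mode[n]
                    bad = 1
                } else if (name[n] != net) {
                    printf "adapter %s: on internal network %s, expected %s\n", n, name[n], net
                    bad = 1
                }
            }
            exit bad
        }'
}

# audit_vm: run the check against a real VM (needs VBoxManage on the host).
audit_vm() {
    VBoxManage showvminfo "$1" --machinereadable | check_isolation
}

# Constructed sample outputs (trimmed to the relevant keys).
SAMPLE_OK='name="Kali Linux"
nic1="intnet"
intnet1="cyber-lab"
nic2="none"'

SAMPLE_LEAKY='name="Windows 10"
nic1="intnet"
intnet1="cyber-lab"
nic2="nat"'
```

On the host, run audit_vm "Kali Linux" (and the same for each target VM) before starting a session; a non-zero exit status means that VM still has a path off the isolated LAN.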
Step 4: Test Connectivity
On Kali:
ping 192.168.56.101 # Ubuntu
ping 192.168.56.102 # Windows
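If they respond, the lab network is working. If they do not, check addressing first: a VirtualBox Internal Network has no DHCP server by default, so each VM needs a static IP or a DHCP server created with VBoxManage dhcpserver.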
Step 5: Practice with Real Tools
• Nmap – Port Scanning
nmap -sS 192.168.56.101
Shows open ports on the Ubuntu machine.
• Metasploit – Exploit Metasploitable
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST 192.168.56.105
run
• Burp Suite – Intercept Web Traffic
- Open Firefox in Kali
- Set proxy to 127.0.0.1:8080
- Launch Burp Suite → Intercept ON
- Visit 192.168.56.110 (target web app)
• Hydra – Password Cracking
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.56.102 ssh
Tries to brute-force SSH logins on the Windows or Linux target.
• Snapshots & Rollbacks
Take snapshots of each VM before testing. If anything breaks:
- Right-click VM → Snapshots → Revert
- This avoids having to reinstall the system
Example Lab Practice Scenarios
Scenario - Tool(s) Used
Port scanning and enumeration - Nmap, Netdiscover
Web vulnerability scanning - Nikto, OWASP ZAP, Burp Suite
Brute force login - Hydra, Medusa
Exploiting vulnerable OS - Metasploit
Android app reverse engineering - MobSF, APKTool
Packet sniffing and analysis - Wireshark
SQL Injection - SQLmap, DVWA
XSS and CSRF Testing - Burp Suite, OWASP Juice Shop
Tips for Beginners
- Do not test tools on live or unauthorized systems.
- Use only test environments like this lab.
- Take notes of everything you try.
- Use GitHub or Notion to maintain logs.
- Keep all systems up-to-date (except vulnerable ones like Metasploitable).