Breaking into Cybersecurity

Building Your Home Lab

Why a Home Lab Changes Everything

Reading about security concepts is useful. Watching tutorials is helpful. But nothing - absolutely nothing - replaces hands-on practice in a real environment. A home lab is where you transform theoretical knowledge into muscle memory.

I have interviewed hundreds of security candidates over the years. The ones who stand out are not the ones with the longest certification lists. They are the ones who say "I set up X, tested Y, and here is what I learned when Z broke." A home lab gives you those stories.

The best part? You can build a fully functional security lab for zero dollars. You do not need dedicated hardware, expensive software, or a corporate budget. Everything in this chapter runs on your existing computer with free and open-source tools.

What You Are Building

Here is the architecture of the lab we are going to set up:

    HOME LAB ARCHITECTURE
    ======================

    Your Physical Computer (Host)
    +----------------------------------------------------------+
    |                                                          |
    |  Virtualization Layer (VirtualBox or VMware)             |
    |  +---------------------------------------------------+  |
    |  |                                                   |  |
    |  |  +-----------+  +-----------+  +-------------+   |  |
    |  |  | Kali      |  | Ubuntu    |  | Metasploit- |   |  |
    |  |  | Linux     |  | Server    |  | able 2      |   |  |
    |  |  | (Attacker)|  | (Defender)|  | (Target)    |   |  |
    |  |  +-----------+  +-----------+  +-------------+   |  |
    |  |       |              |               |           |  |
    |  |  +-------------------------------------------+   |  |
    |  |  |          Internal Lab Network              |   |  |
    |  |  |          (Host-Only / NAT Network)         |   |  |
    |  |  +-------------------------------------------+   |  |
    |  |                                                   |  |
    |  |  +-----------+  +-----------+                    |  |
    |  |  | DVWA      |  | Wazuh     |                    |  |
    |  |  | (Web App  |  | (SIEM)    |                    |  |
    |  |  |  Target)  |  |           |                    |  |
    |  |  +-----------+  +-----------+                    |  |
    |  |                                                   |  |
    |  +---------------------------------------------------+  |
    |                                                          |
    +----------------------------------------------------------+

You will have:

  • An attack machine (Kali Linux) with all the standard security testing tools
  • A defender machine (Ubuntu) for learning log analysis and defensive tools
  • Vulnerable targets (Metasploitable, DVWA) that are intentionally broken for practice
  • A SIEM (Wazuh) to learn security monitoring and alerting
  • An isolated network so nothing touches your real network or the internet

Step 1: Choose Your Virtualization Platform

Platform Cost Pros Cons Recommendation
VirtualBox Free Open source, cross-platform, well-documented Slightly slower than VMware Best for beginners
VMware Workstation Player Free (personal) Better performance, smoother experience Free version has limitations Good alternative
VMware Workstation Pro Free (since 2024) Full features, snapshots, clones Larger install Best if your system handles it
Hyper-V Free (Windows Pro) Built into Windows, decent performance Windows only, less community content Fine if you prefer Windows
UTM Free Native for Apple Silicon Macs Newer, less community content Best for M-series Macs
Note

System requirements: You need at least 16 GB of RAM and 100 GB of free disk space for a comfortable lab. 8 GB of RAM is workable if you only run 2-3 VMs simultaneously. If your machine is older, start with just Kali and one target - you can add more as you upgrade.

Installing VirtualBox

  1. Download VirtualBox from virtualbox.org
  2. Run the installer with default settings
  3. Also install the Extension Pack (same download page) - it adds USB support and other features
  4. Restart your computer

That is it. Seriously. The hard part is not installation - it is what comes next.

Step 2: Set Up Kali Linux (Your Attack Machine)

Kali Linux is a Debian-based distribution pre-loaded with hundreds of security tools. It is the standard platform for penetration testing and security research.

Quick Setup

  1. Download the Kali VirtualBox image from kali.org/get-kali (choose "Virtual Machines")
  2. Import the downloaded .ova file into VirtualBox (File -> Import Appliance)
  3. Adjust settings: 4 GB RAM minimum, 2 CPU cores
  4. Start the VM
  5. Default credentials: kali / kali (change this immediately)

First Things to Do in Kali

# Update everything
sudo apt update && sudo apt upgrade -y

# Change the default password
passwd

# Verify key tools are installed
which nmap        # Network scanner
which wireshark   # Packet analyzer
which burpsuite   # Web app testing
which msfconsole  # Metasploit Framework
which john        # Password cracker
which hydra       # Brute force tool
which sqlmap      # SQL injection tool

Essential Kali Tools You Will Use

Tool Category What It Does When to Use It
Nmap Reconnaissance Network scanning, port discovery, service detection Starting any assessment
Wireshark Network Analysis Capture and analyze network packets Understanding traffic patterns
Burp Suite Community Web Testing Intercept and modify web traffic Testing web applications
Metasploit Exploitation Framework for developing and executing exploits Practicing exploitation
John the Ripper Password Crack password hashes Understanding password security
Hydra Password Online brute force and dictionary attacks Testing authentication
Nikto Web Scanning Scan web servers for known vulnerabilities Quick web app assessment
SQLMap Web Exploitation Automated SQL injection testing Finding database vulnerabilities
Gobuster Web Recon Directory and file brute forcing on web servers Discovering hidden content
Netcat Networking Network connections, file transfers, shells General-purpose network tool

Step 3: Set Up Vulnerable Targets

This is where the learning happens. These are intentionally vulnerable systems designed for security practice.

DVWA (Damn Vulnerable Web Application)

DVWA is a PHP/MySQL web application that is deliberately vulnerable. It covers the OWASP Top 10 vulnerabilities and lets you practice at different difficulty levels.

# Option 1: Docker (easiest)
# On your Ubuntu VM or Kali:
sudo apt install docker.io -y
sudo docker run -d -p 80:80 vulnerables/web-dvwa

# Option 2: Download the DVWA VM
# Get it from dvwa.co.uk and import into VirtualBox

DVWA vulnerabilities you can practice:

Vulnerability Difficulty Levels What You Learn
SQL Injection Low, Medium, High Database attacks, input validation
XSS (Reflected) Low, Medium, High Client-side attacks, output encoding
XSS (Stored) Low, Medium, High Persistent script injection
Command Injection Low, Medium, High OS command execution through web apps
File Upload Low, Medium, High Uploading malicious files, bypassing filters
CSRF Low, Medium, High Forging authenticated requests
File Inclusion Low, Medium, High Local and remote file inclusion
Brute Force Low, Medium, High Password attack techniques
Tip

Start every DVWA exercise on Low difficulty. Understand how the vulnerability works when there are no defenses. Then increase to Medium and learn how the defenses can be bypassed. Finally, try High - and read the source code to understand why the defenses work. This progression teaches you both attack and defense.

Metasploitable 2

Metasploitable is a deliberately vulnerable Linux VM. It has misconfigured services, weak passwords, and exploitable software across the entire operating system.

  1. Download Metasploitable 2 from SourceForge
  2. Extract the ZIP file
  3. In VirtualBox, create a new VM (Linux, Ubuntu 64-bit)
  4. Instead of creating a new disk, use the extracted .vmdk file as the hard drive
  5. Assign 1 GB RAM, connect to the same internal network as Kali
  6. Default credentials: msfadmin / msfadmin

Other Practice Targets

Target Focus Where to Get It
OWASP WebGoat Web application security lessons Download from GitHub
HackTheBox Wide variety of challenges hackthebox.com (some free)
TryHackMe Guided learning paths tryhackme.com (some free)
VulnHub Downloadable vulnerable VMs vulnhub.com
OWASP Juice Shop Modern web app vulnerabilities Download from GitHub
PicoCTF Beginner CTF challenges picoctf.org

Step 4: Network Configuration

This is critical. You need your lab VMs to talk to each other but not to your real network (and definitely not to the internet while you are attacking them).

Setting Up an Isolated Network

In VirtualBox:

  1. Go to File -> Tools -> Network Manager
  2. Create a new Host-Only Network (e.g., vboxnet0)
  3. Note the IP range (usually 192.168.56.0/24)
  4. For each VM, go to Settings -> Network
  5. Set Adapter 1 to Host-Only Adapter, select vboxnet0
  6. If a VM needs internet (for updates), add Adapter 2 as NAT
    NETWORK LAYOUT
    ===============

    Host-Only Network: 192.168.56.0/24

    Kali Linux:         192.168.56.101
    Ubuntu Server:      192.168.56.102
    Metasploitable 2:   192.168.56.103
    DVWA (Docker):      192.168.56.102:80

    All machines can reach each other.
    None can reach your home network.
    Your home network cannot reach them.
Warning

Never expose intentionally vulnerable VMs to a real network. Metasploitable and DVWA are designed to be exploited - if they are accessible from outside your lab, they will be compromised by real attackers almost immediately. Always use host-only or internal-only networking for vulnerable targets.

Step 5: Set Up Wazuh (Your SIEM)

A SIEM (Security Information and Event Management) collects, analyzes, and alerts on security events from across your environment. Learning SIEM tools is essential for anyone interested in defensive security, SOC work, or security engineering.

Wazuh is open-source, full-featured, and used by thousands of organizations in production. Setting it up in your lab teaches you real skills.

Wazuh Setup (Docker Method)

# On your Ubuntu VM
# Clone the Wazuh Docker deployment
git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker/single-node

# Generate SSL certificates
docker compose -f generate-indexer-certs.yml run --rm generator

# Start Wazuh
docker compose up -d

# Access the web interface at https://192.168.56.102
# Default credentials: admin / SecretPassword

What to Do with Your SIEM

Once Wazuh is running, install agents on your other VMs:

  1. Install the Wazuh agent on Kali and Metasploitable
  2. Run attacks from Kali against Metasploitable
  3. Watch the alerts appear in the Wazuh dashboard
  4. This is exactly what SOC analysts do in production - but you are generating the attacks yourself
Activity What to Watch For in Wazuh
Nmap scan from Kali Network scanning alerts, port scan detection
SSH brute force attempt Authentication failure alerts, brute force rules
Web application attacks on DVWA WAF alerts, suspicious HTTP requests
File changes on targets File integrity monitoring (FIM) alerts
New user creation User management alerts

5 Structured Exercises

These exercises are designed to build your skills progressively. Complete them in order.

Exercise 1: Network Reconnaissance (Beginner)

Objective: Map the lab network and discover all running services.

Steps:

  1. From Kali, run: nmap -sn 192.168.56.0/24 to discover live hosts
  2. For each host found, run: nmap -sV -sC [target_ip] to identify services
  3. Document every open port, service, and version
  4. Research each service - which ones have known vulnerabilities?

Deliverable: Create a network map showing all hosts, open ports, and services. This is exactly what a real penetration tester does first on every engagement.

Exercise 2: Web Application Testing (Beginner-Intermediate)

Objective: Find and exploit vulnerabilities in DVWA.

Steps:

  1. Open DVWA in your browser, log in (admin/password)
  2. Set security level to Low
  3. Complete the SQL Injection exercise - extract usernames and passwords
  4. Complete the XSS (Reflected) exercise - pop an alert box
  5. Try the Command Injection exercise - run OS commands through the web form

Deliverable: Write a short finding report for each vulnerability. Include: what you found, how you exploited it, what data you accessed, and how it should be fixed.

Exercise 3: Exploitation with Metasploit (Intermediate)

Objective: Exploit a vulnerability on Metasploitable and gain shell access.

Steps:

  1. From your Nmap scan, identify the vsftpd service on Metasploitable (port 21)
  2. In Kali, launch Metasploit: msfconsole
  3. Search for the exploit: search vsftpd
  4. Select and configure the exploit with the target IP
  5. Run the exploit and gain a shell
  6. Explore the compromised system - find sensitive files, user accounts

Deliverable: Document the full attack chain - from discovery to access. What would a defender see? Check your Wazuh SIEM for related alerts.

Exercise 4: Network Traffic Analysis (Intermediate)

Objective: Capture and analyze network traffic to identify attacks.

Steps:

  1. Start Wireshark on your Kali machine
  2. From another terminal, run an Nmap scan against Metasploitable
  3. Stop the capture and analyze the packets
  4. Filter for SYN scans: tcp.flags.syn == 1 && tcp.flags.ack == 0
  5. Identify the scanning pattern - what does a port scan look like in packets?
  6. Repeat with an SSH brute force attempt using Hydra, capture that traffic too

Deliverable: Save the packet captures (pcap files). Write analysis notes describing what attack patterns look like at the network level.

Exercise 5: SIEM Alert Investigation (Intermediate-Advanced)

Objective: Investigate security alerts like a SOC analyst.

Steps:

  1. Review all Wazuh alerts generated by exercises 1-4
  2. For each alert, determine: Is it a true positive or false positive?
  3. Correlate alerts across different sources (network, host, application)
  4. Create a timeline of the attack from the defender's perspective
  5. Write a brief incident report summarizing what happened

Deliverable: An incident report covering the attacks from exercises 1-4, written from the defender's perspective. This is the kind of work SOC analysts do every day.

Budget Breakdown

Item Cost Notes
VirtualBox $0 Open source
Kali Linux $0 Open source
Ubuntu Server $0 Open source
Metasploitable 2 $0 Free download
DVWA $0 Open source
Wazuh $0 Open source
Wireshark $0 Open source
Nmap $0 Open source
Burp Suite Community $0 Free edition
Additional RAM (if needed) $30-50 16 GB stick, used
Total $0-50
Note

The cybersecurity community has created an incredible ecosystem of free, high-quality tools and practice environments. There is no financial barrier to entry for learning security skills. The only investment required is your time and persistence.

Maintaining Your Lab

A few practices to keep your lab productive:

Take snapshots. Before every major exercise, snapshot your VMs. When things break (and they will), you can restore to a known-good state in seconds.

Document everything. Keep a lab journal. Every command you run, every result you get, every error you encounter. This documentation becomes your portfolio material and your future reference.

Expand gradually. Once you are comfortable with the basics, add new targets from VulnHub, set up Active Directory environments, add cloud components with free-tier accounts, or introduce container security with Docker and Kubernetes.

Break things on purpose. The lab exists so you can experiment without consequences. Try things that seem crazy. Try to break your own defenses. The worst that happens is you restore a snapshot.

Your home lab is now ready. In the next chapter, we will explore the zero trust mindset - a security philosophy that will change how you think about every system and every network, including your lab.