Every serious penetration tester, security researcher, and aspiring red teamer starts in the same place: a home lab. It is the environment where you build muscle memory with real tools, break things safely, understand how attacks work at a technical level, and develop the kind of intuition that no exam or video course can replicate on its own.
Setting up that lab correctly from the beginning saves you hours of frustration later. This guide walks through everything you need, from hardware selection and hypervisor configuration to vulnerable machine deployment and network segmentation, with real commands and configurations throughout.
Online practice platforms have their place. They give you access to pre-configured targets without any setup overhead. But they do not teach you how to build and manage your own infrastructure, which is a skill that translates directly into professional work.
When you build your own lab, you learn how networks are segmented, how services are configured and misconfigured, how traffic flows between machines, and how defenders instrument their environments. You also gain the freedom to test custom payloads, run noisy scans without restrictions, and break your environment entirely and rebuild it.
If you are working through structured training at Redfox Cybersecurity Academy, a home lab running in parallel is the fastest way to reinforce what you are learning and apply it immediately in your own controlled environment.
You do not need enterprise hardware to run an effective ethical hacking lab. What you do need is enough RAM to run multiple virtual machines simultaneously, reasonable storage for VM snapshots and disk images, and a CPU that supports virtualization extensions.
A single machine with the following specifications handles most beginner and intermediate lab scenarios comfortably:
For those running Active Directory labs, multi-target network simulations, or full red team infrastructure:
A used workstation from the previous generation, such as a Dell Precision or HP Z-series, often delivers this specification at a fraction of the cost of new consumer hardware.
Your hypervisor is the foundation of your lab. The right choice depends on your budget, intended scale, and whether you want a desktop or server-based setup.
VMware Workstation Pro is the industry standard for desktop-based lab environments. It offers robust snapshot management, excellent network configuration options, and broad compatibility with VM images from Offensive Security, VulnHub, and Hack The Box.
As of 2024, VMware Workstation Pro is available at no cost for personal use following Broadcom's acquisition. Installation on a Linux host:
chmod +x VMware-Workstation-Full-*.bundle
sudo ./VMware-Workstation-Full-*.bundle
VirtualBox is free, open-source, and cross-platform. It is a solid option for those on a tight budget or running lab environments on macOS with Apple Silicon (via UTM or Rosetta compatibility layers).
sudo apt update && sudo apt install virtualbox virtualbox-ext-pack -y
Proxmox is a bare-metal Type 1 hypervisor built on Debian. It is the right choice if you dedicate a physical machine to lab hosting and want to manage VMs remotely through a web interface. It supports both KVM virtual machines and LXC containers, making it highly flexible.
# After installing Proxmox from ISO, update repositories
echo "deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription" \
    > /etc/apt/sources.list.d/pve-install-repo.list
apt update && apt dist-upgrade -y
For students who want maximum control over a dedicated lab machine, Proxmox is the most scalable option and worth the initial setup investment.
Kali Linux is the standard attacker distribution for penetration testing labs. It ships with an extensive toolkit and is maintained by Offensive Security specifically for security practitioners.
Download the official VMware or VirtualBox image from the Kali website. These pre-built images save significant setup time and are configured with the correct kernel modules and tool dependencies out of the box.
After importing, update the system and install any additional tools you need:
sudo apt update && sudo apt full-upgrade -y
sudo apt install -y bloodhound neo4j gobuster ffuf nuclei \
    impacket-scripts seclists crackmapexec evil-winrm
Before installing any additional tools or running any tests, take a snapshot of your clean Kali installation. This gives you a reliable restore point if you corrupt your environment during testing.
In VMware Workstation, this is done through the VM menu. On Proxmox via the CLI:
qm snapshot <vmid> clean-kali --description "Fresh Kali install, pre-lab"
The targets in your lab are where the actual learning happens. The goal is to run intentionally vulnerable systems that replicate real-world misconfigurations and vulnerabilities.
VulnHub hosts hundreds of freely downloadable vulnerable virtual machines ranging from beginner to advanced difficulty. Download OVA files and import them directly into your hypervisor.
After importing a VulnHub machine into VirtualBox:
VBoxManage import target-machine.ova --vsys 0 --vmname "TargetLab01"
VBoxManage modifyvm "TargetLab01" --nic1 hostonly --hostonlyadapter1 vboxnet0
For realistic Windows exploitation practice, deploy a Windows evaluation VM from Microsoft's official evaluation center. These are time-limited but free and support snapshots for reset between exercises.
Once deployed, you can intentionally misconfigure the machine to practice specific attack paths. Disabling Windows Defender for an isolated lab target:
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
netsh advfirewall set allprofiles state off
Only apply these configurations on isolated lab VMs with no external network access. Never disable security controls on production systems or machines connected to the internet.
Active Directory is present in the vast majority of enterprise environments and is a primary target during internal penetration tests. Building a minimal AD lab gives you essential practice with enumeration, lateral movement, and privilege escalation techniques.
A minimal AD lab requires three VMs: a Windows Server acting as the domain controller, and at least two Windows client machines joined to the domain. Use PowerShell to promote a Windows Server to a domain controller:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName "lab.local" `
    -DomainNetbiosName "LAB" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -Force:$true
After the domain is up, create intentionally vulnerable configurations. Add a user with a weak password and grant them domain user rights. Configure Kerberoastable service accounts:
New-ADUser -Name "svc_webapp" -SamAccountName "svc_webapp" `
    -AccountPassword (ConvertTo-SecureString "Summer2023!" -AsPlainText -Force) `
    -Enabled $true
Set-ADUser -Identity "svc_webapp" `
    -ServicePrincipalNames @{Add="HTTP/webapp.lab.local"}
This creates a service account with a registered SPN, making it eligible for Kerberoasting. You can then practice the full attack chain from your Kali machine using Impacket:
GetUserSPNs.py lab.local/normaluser:Password123 \
    -dc-ip 192.168.56.10 \
    -request \
    -output kerberoast_hashes.txt
Then crack the captured ticket offline with Hashcat:
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
    --force \
    -O
This full workflow, from enumeration to offline cracking, is a core skill for any internal penetration tester. Practicing it in your own lab before encountering it on an engagement is what separates prepared practitioners from unprepared ones.
If you want guided instruction on Active Directory attack paths alongside your own lab practice, Redfox Cybersecurity Academy covers these techniques in structured modules with dedicated lab environments.
Network segmentation in your lab is not optional. You need to ensure that your vulnerable machines and attack traffic cannot reach your home network or the internet.
VMware Workstation provides three primary network adapter types relevant to lab work:
Open the Virtual Network Editor and create a custom host-only network:
# On Linux host, VMware creates virtual interfaces automatically
# Verify your lab network interface
ip addr show vmnet1
ip addr show vmnet8
# Assign a static IP to your attacker VM on the lab network
sudo nmcli connection modify "Wired connection 1" \
    ipv4.addresses 192.168.56.5/24 \
    ipv4.method manual
sudo nmcli connection up "Wired connection 1"
Before running any tests, confirm that your target VMs cannot reach the internet:
# From your target VM or via console
ping 8.8.8.8
# Expected result: 100% packet loss or "Network unreachable"
# Confirm host-only connectivity to attacker machine
ping 192.168.56.5
# Expected result: successful replies
This verification step is a habit worth building early. Running aggressive scans or exploitation tools against a machine that has unexpected internet connectivity is a serious risk in any environment.
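A ping test alone passes when ICMP is filtered even though a NAT adapter is still attached, so the added script below (not part of the original guide) also inspects the routing table of a Linux lab VM. The function names and the `--live` switch are this example's own, the addresses are the guide's lab values, and the two routing tables are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: isolation pre-flight for a Linux lab VM (not from the original guide).
LAB_PREFIX="192.168.56."    # host-only range used throughout the guide
ATTACKER_IP="192.168.56.5"  # attacker VM address from the guide
EXTERNAL_IP="8.8.8.8"       # external probe address from the guide

# Succeeds if the routing table text contains a default route.
has_default_route() {
    printf '%s\n' "$1" | grep -Eq '^(default|0\.0\.0\.0/0)[[:space:]]'
}

# Prints destinations of non-default routes that fall outside the lab range.
non_lab_routes() {
    printf '%s\n' "$1" |
        awk -v p="$LAB_PREFIX" 'NF && $1 != "default" && index($1, p) != 1 { print $1 }'
}

# classify ROUTES EXTERNAL_OK ATTACKER_OK   (last two: 1 = ping answered, 0 = no reply)
classify() {
    if [ "$2" -eq 1 ]; then echo "LEAK: external address reachable"
    elif has_default_route "$1"; then echo "WARN: default route present"
    elif [ -n "$(non_lab_routes "$1")" ]; then echo "WARN: route outside lab range"
    elif [ "$3" -ne 1 ]; then echo "WARN: attacker VM unreachable"
    else echo "OK: isolated"
    fi
}

# Live probe: prints 1 if the address answers two pings, 0 otherwise.
probe() { if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi; }

# Constructed samples of `ip -4 route show` output (not captured from a real host).
SAMPLE_HOSTONLY='192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.20'
SAMPLE_NAT='default via 10.0.2.2 dev eth1
10.0.2.0/24 dev eth1 proto kernel scope link src 10.0.2.15
192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.20'

if [ "${1:-}" = "--live" ]; then
    verdict=$(classify "$(ip -4 route show)" "$(probe "$EXTERNAL_IP")" "$(probe "$ATTACKER_IP")")
    echo "$verdict"
    case "$verdict" in OK:*) exit 0 ;; *) exit 1 ;; esac
else
    echo "host-only sample: $(classify "$SAMPLE_HOSTONLY" 0 1)"
    echo "NAT sample:       $(classify "$SAMPLE_NAT" 0 1)"
fi
```

Run it with `--live` on the target VM itself; a target that runs Docker will report its bridge network as a route outside the lab range, which is expected.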
Beyond the tools included in Kali by default, several utilities deserve dedicated configuration in your home lab.
Burp Suite is the standard proxy for web application testing. Install it and configure Firefox within your Kali VM to route traffic through it:
# Launch Burp Suite
java -jar burpsuite_community.jar
# Configure Firefox proxy settings via about:preferences#general
# Manual proxy: 127.0.0.1:8080
# Install Burp's CA certificate to intercept HTTPS
# Navigate to http://burp in Firefox and download the certificate
# Import via Firefox certificate manager
Nmap remains the most versatile network scanner available. A standard service and version detection scan against your lab network:
# -O (OS detection) needs raw-socket access, so run the scan with root privileges
sudo nmap -sV -sC -O -T4 \
    --open \
    -oA lab_scan_$(date +%Y%m%d) \
    192.168.56.0/24
The -oA flag outputs results in all formats simultaneously, giving you XML for tool ingestion, grepable output for quick searches, and normal output for human review.
Nuclei is a fast, template-based vulnerability scanner maintained by ProjectDiscovery. It is particularly useful for web application and infrastructure scanning in lab environments:
# Update templates
nuclei -update-templates
# Scan a local web target
nuclei -u http://192.168.56.20 \
    -t ~/nuclei-templates/ \
    -severity medium,high,critical \
    -o nuclei_results.txt
BloodHound is indispensable for AD lab work. It ingests data collected by SharpHound and visualizes attack paths to domain dominance through a graph-based interface.
Start the Neo4j database and BloodHound:
sudo neo4j start
bloodhound &
Collect AD data from your lab domain using SharpHound (run from a domain-joined Windows machine):
.\SharpHound.exe -c All --zipfilename lab_bloodhound.zip
Import the resulting zip into BloodHound and run the built-in queries to find shortest paths to Domain Admin, Kerberoastable users, and accounts with unconstrained delegation.
A home lab is not a one-time setup. It evolves as your skills develop and as you take on more complex scenarios.
Develop a consistent snapshotting workflow. Before attempting any exercise, snapshot the target. After completing an exercise, either restore to clean state or document what was changed. This discipline mirrors how professional penetration testers manage their test environments and prevents hours of rebuilding.
Start with a single Linux target and a Kali attacker machine. Once comfortable with basic enumeration and exploitation, add a Windows target. Then build out the full Active Directory lab. Then introduce a web application VM running a stack like DVWA or Juice Shop for dedicated web testing practice.
Django Vulnerable App deployment as a web target:
git clone https://github.com/anxolerd/dvpwa
cd dvpwa
docker-compose up -d
# Access at http://192.168.56.30:8080
As your skills develop, add a SIEM or logging component to your lab. Deploying the Elastic Stack (Elasticsearch, Logstash, Kibana) alongside your targets lets you observe how your attacks appear from the defender's perspective. This is one of the most valuable exercises available in a home lab environment.
# Deploy Elastic stack via Docker Compose
curl -O https://raw.githubusercontent.com/elastic/start-local/main/docker-compose.yml
docker-compose up -d
Watching your own Nmap scans, Gobuster runs, and Impacket attacks appear as log events in Kibana builds the kind of bidirectional understanding that makes you a significantly more capable practitioner.
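The defender's view of the Kerberoasting exercise above, as an added example that is not part of the original guide: tickets crackable with hashcat mode 13100 are etype 23 (RC4-HMAC), which domain controllers record as Ticket Encryption Type 0x17 in Event ID 4769. The CSV export layout, the function names, the threshold and the sample events (including the accounts `svc_sql` and `svc_backup`) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag Kerberoasting-style bursts in exported Event ID 4769 records.
# Assumed CSV layout: time,event_id,account,service,etype,client_ip

# Constructed sample events, not real logs.
SAMPLE_EVENTS='2024-05-01T10:00:01Z,4769,alice@LAB.LOCAL,FILESRV01$,0x12,192.168.56.21
2024-05-01T10:02:13Z,4769,normaluser@LAB.LOCAL,svc_webapp,0x17,192.168.56.5
2024-05-01T10:02:13Z,4769,normaluser@LAB.LOCAL,svc_sql,0x17,192.168.56.5
2024-05-01T10:02:14Z,4769,normaluser@LAB.LOCAL,svc_backup,0x17,192.168.56.5
2024-05-01T10:05:40Z,4769,bob@LAB.LOCAL,krbtgt,0x12,192.168.56.22
2024-05-01T10:06:02Z,4768,bob@LAB.LOCAL,krbtgt,0x12,192.168.56.22
2024-05-01T10:07:55Z,4769,bob@LAB.LOCAL,svc_webapp,0x12,192.168.56.22'

# Prints "account service client_ip" for service tickets issued with RC4 (0x17).
# Machine accounts (name ends in $) and krbtgt are skipped: they are routine noise.
rc4_service_tickets() {
    printf '%s\n' "$1" | awk -F, '
        $2 == "4769" && tolower($5) == "0x17" && $4 !~ /\$$/ && tolower($4) != "krbtgt" {
            print $3, $4, $6
        }'
}

# roast_suspects EVENTS MIN
# Prints "account client_ip count" where one account pulled RC4 tickets
# for at least MIN distinct service accounts.
roast_suspects() {
    rc4_service_tickets "$1" | sort -u | awk -v min="$2" '
        { n[$1 " " $3]++ }
        END { for (k in n) if (n[k] >= min) print k, n[k] }' | sort
}

# Demo on the constructed sample: one account requested three RC4 tickets.
roast_suspects "$SAMPLE_EVENTS" 3
```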
Students working through offensive security curricula at Redfox Cybersecurity Academy consistently report that running a parallel home lab accelerates their progress and deepens their retention of technical material.
Building an ethical hacking home lab is one of the highest-return investments you can make early in your security career. The environment you create becomes your proving ground: the place where techniques move from theoretical understanding to practiced skill.
To summarize the core principles covered here: choose hardware with enough RAM to run multiple VMs comfortably, select a hypervisor that matches your scale requirements, isolate your lab network rigorously before running any attacks, build target diversity progressively from Linux to Windows to Active Directory, snapshot aggressively, and eventually add defensive tooling to see both sides of every technique.
The commands, configurations, and tool workflows in this guide are not simplified for demonstration purposes. They are the actual workflows used by professional penetration testers in real engagements. Practice them repeatedly in your lab until they are second nature.
When you are ready to pair that hands-on practice with structured guidance and a community of serious practitioners, Redfox Cybersecurity Academy is built exactly for that next step.