Ethical Hacking Lesson 9 – Hacking Lab Setup | Dataplexa
Foundations & Hacking Mindset · Lesson 9

Hacking Lab Setup

Every technique in this course needs a safe, legal place to practise. This lesson walks you through building exactly that — a personal hacking lab that runs on your own machine, completely isolated from the internet, where you can test anything without risk to yourself or anyone else.

Practising on real systems without a lab is not an option

A doctor does not practise surgery on a patient before they have trained on models and simulations. The same logic applies here. Running port scans, testing exploits, and practising attack techniques needs to happen in a controlled environment first — one where mistakes carry no legal or practical consequences.

Testing against real systems you do not own or have permission to test is a criminal offence — even if your intent is purely educational. The lab removes that risk entirely. Everything stays on your own machine, in a private virtual network that never touches the internet.

The setup takes about an hour. Once it is done, you have a working environment that you will use for every practical lesson from here through to the final project.

The architecture — two virtual machines, one private network

A hacking lab needs two things: a machine to attack from and a machine to attack. Both run as virtual machines — software-simulated computers that run inside your real computer. They behave exactly like physical machines but exist entirely as files on your hard drive.

LAB ARCHITECTURE — overview

Attacker machine: Kali Linux
Your primary working machine. Pre-loaded with 600+ security tools. This is where you run scans, launch exploits, and analyse results. All your commands start here.

Target machine: Metasploitable 2
A deliberately vulnerable Linux system built specifically for practising attacks. Every vulnerability in it is intentional. It exists so you have something legal and safe to test against.

Both machines sit on a host-only private network — completely isolated from the internet. Nothing you do in the lab can affect real systems outside it.

Metasploitable 2 is the standard practice target used in security training courses worldwide. It runs a deliberately broken version of Linux with intentionally misconfigured services, weak credentials, and unpatched software — designed from the ground up to be attacked. Using it is completely legal because you own it, it runs on your own machine, and it was built for this exact purpose.

Software you need before starting

The entire lab runs on free, freely available software. You do not need to purchase anything. Here is what you need to download and install before the setup begins.

VirtualBox — free from virtualbox.org

The virtualisation software that runs your virtual machines. Think of it as the container that holds and runs both Kali Linux and Metasploitable. Works on Windows, macOS, and Linux. Download the version that matches your operating system.

Kali Linux — free from kali.org

Download the VirtualBox pre-built image — this is a ready-to-run version of Kali that imports directly into VirtualBox with no installation needed. File size is around 3GB. Choose the 64-bit version.

Metasploitable 2 — free from SourceForge

Search "Metasploitable 2 download" — the official SourceForge page hosts the file. It downloads as a zip containing a pre-built virtual machine. Around 800MB. This is your practice target.

Minimum system requirements

8GB RAM minimum (16GB recommended), 50GB free disk space, a 64-bit processor with virtualisation enabled in BIOS. Most machines bought after 2015 meet these requirements.

Setting up the network — host-only mode

The single most important configuration step in the entire lab setup is the network. Both virtual machines need to be on the same private network — able to communicate with each other — but completely unable to reach the internet or your home network.

VirtualBox calls this Host-Only Adapter mode. When both machines use it, they can see each other on a private subnet but cannot reach anything outside VirtualBox. This is the configuration that keeps your lab activity completely contained.

VIRTUALBOX NETWORK SETTINGS — step by step

1. Open VirtualBox — select your Kali Linux VM — click Settings
Right-click the Kali machine in the left panel, or select it and click the Settings cog icon at the top of the window.

2. Go to Network — Adapter 1 — change "Attached to" to Host-Only Adapter
In the dropdown, select "Host-Only Adapter" and confirm the Name field shows "vboxnet0" or similar. Click OK to save.

3. Repeat for Metasploitable 2 — same setting, same adapter name
Select your Metasploitable VM, go to Settings → Network → Adapter 1, set it to Host-Only Adapter using the same vboxnet0. Both machines must use the same adapter to communicate.

4. Start both machines and verify they can see each other
Boot Kali first, then Metasploitable. Once both are running, find the IP address of Metasploitable and ping it from Kali to confirm the network connection is working.

If you set Kali to Host-Only but leave Metasploitable on NAT (the default), they will not be able to communicate. Both machines must use the same Host-Only adapter. This is the most common setup mistake — and if your ping fails later, this is the first thing to check.
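The adapter setting from steps 2 and 3 can also be checked from the host computer's command line with VBoxManage, the command-line tool that ships with VirtualBox. The script below is an added example and is not part of the original lesson: it reads the machine-readable output of VBoxManage showvminfo for each VM, reports whether Adapter 1 is Host-Only on vboxnet0, offers the modifyvm command that corrects a VM left on NAT, and wraps the snapshot command used in the safety rules later in this lesson. The VM names Kali-Linux and Metasploitable2 are assumptions; substitute the names shown in your VirtualBox window.

```shell
#!/bin/sh
# Added example (not from the lesson): host-side pre-flight check for the lab
# network. Run it on the computer that hosts VirtualBox, not inside Kali.
# VM names are assumptions - use the names shown in your VirtualBox window.
KALI_VM="${KALI_VM:-Kali-Linux}"
TARGET_VM="${TARGET_VM:-Metasploitable2}"
LAB_ADAPTER="${LAB_ADAPTER:-vboxnet0}"

# Reads "VBoxManage showvminfo <vm> --machinereadable" output on stdin.
# That output has lines such as nic1="hostonly" and hostonlyadapter1="vboxnet0"
# (or nic1="nat" / nic1="bridged" for the modes the lab must avoid).
# Prints a verdict; returns 0 only if Adapter 1 is Host-Only on the expected adapter.
check_adapter_config() {
    adapter="$1"
    nic=""
    hostonly=""
    while IFS= read -r line; do
        case "$line" in
            nic1=*)
                nic=${line#nic1=}; nic=${nic#\"}; nic=${nic%\"} ;;
            hostonlyadapter1=*)
                hostonly=${line#hostonlyadapter1=}; hostonly=${hostonly#\"}; hostonly=${hostonly%\"} ;;
        esac
    done
    if [ "$nic" != "hostonly" ]; then
        echo "WRONG: Adapter 1 is '$nic', must be hostonly (VM can reach outside the lab)"
        return 1
    fi
    if [ "$hostonly" != "$adapter" ]; then
        echo "WRONG: Host-Only adapter is '$hostonly', expected '$adapter' (VMs will not see each other)"
        return 1
    fi
    echo "OK: Host-Only on $adapter"
    return 0
}

# Runs the check against a real VM (needs VBoxManage on PATH).
check_vm() {
    printf '%s: ' "$1"
    VBoxManage showvminfo "$1" --machinereadable | check_adapter_config "$LAB_ADAPTER"
}

# Forces Adapter 1 of a VM onto the lab's Host-Only network. The VM must be powered off.
fix_vm() {
    VBoxManage modifyvm "$1" --nic1 hostonly --hostonlyadapter1 "$LAB_ADAPTER"
}

# Snapshots the target before a session so a broken exercise is one restore away.
snapshot_target() {
    VBoxManage snapshot "$TARGET_VM" take "before-$(date +%Y%m%d-%H%M%S)"
}

main() {
    failed=0
    for vm in "$KALI_VM" "$TARGET_VM"; do
        check_vm "$vm" || failed=1
    done
    if [ "$failed" -ne 0 ]; then
        echo "Fix with: fix_vm <vm-name>   (power the VM off first)"
        return 1
    fi
    snapshot_target
}

# Only act when explicitly asked, so the functions can be sourced or tested alone.
if [ "${1:-}" = run ]; then
    main
fi
```

Save it as lab_preflight.sh (the file name is an assumption) and run sh lab_preflight.sh run before each session; a VM still on NAT is reported with the exact adapter value VirtualBox holds for it, which is the same mistake the ping test later in the lesson would reveal the slow way.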

Verifying the lab is working — the first test

Once both machines are running and on the same Host-Only network, the first thing to do is confirm they can communicate. This single check tells you the entire network setup is correct before you invest any time running actual tools.

The scenario: You have just finished setting up your lab for the first time. Both VMs are running. You need to confirm that Kali can reach Metasploitable across the private network — and that Metasploitable is up and responding. The default credentials for Metasploitable are msfadmin / msfadmin. You log in, find its IP address, then switch to Kali and ping it.

# Step 1 — On the Metasploitable machine, find its IP address
# ifconfig shows the network interface configuration
# Look for the inet address under eth0 — this is the machine's IP on the lab network
# It will typically be something like 192.168.56.101

ifconfig

Breaking it down:

eth0
The name of the network interface — essentially the virtual network card. eth0 is the first ethernet interface. This is the one connected to your Host-Only network.
inet addr:192.168.56.101
This is the IP address of your Metasploitable machine on the private lab network. Write this down — you will use it in every scan and attack exercise that follows. The exact number may differ on your machine but will always start with 192.168.56.
# Step 2 — Switch to the Kali machine and ping Metasploitable
# ping sends small test packets to an IP address and waits for a response
# If you get replies back, the two machines can communicate across the network
# Replace 192.168.56.101 with the actual IP you found in the previous step

# -c 4 means send exactly 4 packets then stop
# Without -c, ping runs forever until you press Ctrl+C
ping -c 4 192.168.56.101

Breaking it down:

64 bytes from 192.168.56.101
Metasploitable received the packet and sent a reply. Each line represents one packet going out and coming back. Four lines means all four packets were answered — the connection is working perfectly.
time=0.621 ms
The round-trip time for the packet — how long it took to travel from Kali to Metasploitable and back. Under 1ms is normal for two virtual machines on the same host. Very fast because both machines are running on the same physical computer.
0% packet loss
All four packets arrived and were answered. 0% loss means the network connection between the two machines is clean and stable. If you see packet loss or "Request timeout" instead, the network configuration needs checking — go back and verify both machines are using the same Host-Only adapter.

Lab is working. Four packets sent, four received, 0% loss. This is the confirmation you need. Your Kali machine can reach your Metasploitable target across the private lab network. From this point, everything you run in the practical lessons will work exactly as described.

Lab safety rules — three things to always check

A lab is only safe if it stays contained. These three checks take less than a minute and should become habit before every practice session.

Metasploitable must never be on a NAT or Bridged network

NAT gives the VM internet access. Bridged puts it on your real network. Either one means a deliberately vulnerable machine is reachable by others. Always confirm it is set to Host-Only before starting a session.

Only target the Metasploitable IP — never scan outside 192.168.56.0/24

Every command in this course targets the Metasploitable machine. If you ever accidentally direct a scan at an IP address outside your lab subnet, stop immediately. Scanning systems outside your authorised scope is illegal regardless of intent.

Take snapshots before each major exercise

VirtualBox lets you take a snapshot of a VM at any point — saving its exact state so you can restore it instantly if something breaks. Take a snapshot of Metasploitable before each practical exercise. One click to restore beats rebuilding the whole lab from scratch.
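As an added example that is not part of the original lesson, the script below wraps the ping check from the verification section so that it enforces the scope rule above: it refuses any address outside 192.168.56.0/24 before sending a single packet, then turns ping's summary line into a clear verdict. The lab prefix and the target address 192.168.56.101 are the lesson's defaults; set TARGET to the address you wrote down from ifconfig on Metasploitable. One caveat the guard reflects: the host computer itself also has an address on the Host-Only subnet (VirtualBox assigns it 192.168.56.1 by default), so the check limits you to lab addresses rather than to Metasploitable alone.

```shell
#!/bin/sh
# Added example (not from the lesson): a small "lab guard" for the Kali VM.
# It refuses any address outside the Host-Only subnet and then checks
# reachability with ping. Subnet and default target are the lesson's values.
LAB_PREFIX="192.168.56."
TARGET="${TARGET:-192.168.56.101}"

# Returns 0 if the argument is a well-formed IPv4 host address inside 192.168.56.0/24.
in_lab_scope() {
    ip="$1"
    case "$ip" in
        "$LAB_PREFIX"*) ;;
        *) return 1 ;;
    esac
    host=${ip#"$LAB_PREFIX"}
    case "$host" in
        ''|*[!0-9]*) return 1 ;;      # empty or non-numeric last octet
    esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ]
}

# Reads ping output on stdin and prints the number from its "N% packet loss" summary line.
packet_loss_pct() {
    sed -n 's/.*, \([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# Reads ping output on stdin. Prints UP and returns 0 when no packets were lost,
# prints DOWN and returns 1 otherwise, returns 2 if no summary line was found.
classify_ping() {
    loss=$(packet_loss_pct)
    if [ -z "$loss" ]; then
        echo "UNKNOWN: no ping summary line found"
        return 2
    fi
    if [ "$loss" -eq 0 ]; then
        echo "UP: 0% packet loss"
        return 0
    fi
    echo "DOWN: ${loss}% packet loss - check both VMs use the same Host-Only adapter (vboxnet0)"
    return 1
}

# Scope check first, ping second. Returns 3 when the address is refused.
verify_lab() {
    target="$1"
    if ! in_lab_scope "$target"; then
        echo "REFUSED: $target is outside ${LAB_PREFIX}0/24 - not a lab address" >&2
        return 3
    fi
    ping -c 4 "$target" | classify_ping
}

# Only act when explicitly asked, so the functions can be sourced or tested alone.
if [ "${1:-}" = run ]; then
    verify_lab "$TARGET"
fi
```

Run it on Kali as sh lab_guard.sh run (the file name is an assumption), or TARGET=192.168.56.102 sh lab_guard.sh run if your Metasploitable received a different address. The quiz scenario of a mistyped 192.168.1.1 is exactly what the REFUSED branch catches: the script exits before ping is ever invoked.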

Troubleshooting — the four most common setup problems

Most people hit at least one issue during lab setup. Here are the four most common ones and exactly how to fix them.

Problem: Ping fails — request timeout
Likely cause: VMs are on different network adapters
Fix: Check both VMs are set to the same Host-Only adapter (vboxnet0)

Problem: Kali will not boot
Likely cause: Virtualisation not enabled in BIOS
Fix: Restart, enter BIOS, enable Intel VT-x or AMD-V under CPU settings

Problem: Metasploitable boots to blank screen
Likely cause: VM needs more RAM allocated
Fix: Increase RAM to at least 512MB in VirtualBox settings for Metasploitable

Problem: VirtualBox will not import the OVA file
Likely cause: File downloaded incompletely
Fix: Delete and re-download. Check the file size matches what the download page shows

Teacher's Note: Set up the lab before moving to Lesson 10. Every practical lesson from here on assumes you have a working Kali machine and a reachable Metasploitable target. Ten minutes spent verifying the ping works now saves a lot of confusion later.

Practice questions

Scenario:

A student sets up their lab following the course instructions. They boot both Kali and Metasploitable, but when they try to ping the Metasploitable IP from Kali, every packet returns "Request timeout." They check and realise that Kali is set to Host-Only Adapter but Metasploitable is still on NAT — the VirtualBox default. What network adapter mode should Metasploitable be set to so both machines can communicate on the private lab network?


Scenario:

A pen testing student needs a legal target to practise scanning and exploitation techniques against in their home lab. They need something that is designed to be attacked — deliberately running vulnerable services with weak credentials and unpatched software — but that they legally own and control completely. What is the standard practice target used in this course and in security training courses worldwide?


Scenario:

A student is about to practise a privilege escalation technique on their Metasploitable machine. They are worried that if the exercise goes wrong and corrupts the system, they will have to rebuild the entire lab from scratch. A classmate tells them VirtualBox has a feature that saves the exact current state of a VM so it can be restored instantly to that point if anything breaks. What is this VirtualBox feature called?


Quiz

Scenario:

A student sets their Metasploitable VM to Bridged Adapter mode because they read it gives the VM a real IP address on the home network — making it easier to reach from Kali. Their instructor immediately tells them to change it back to Host-Only. What is the specific security risk that Bridged mode creates in this situation?

Scenario:

A student runs "ping -c 4 192.168.56.101" from Kali and gets this output: "4 packets transmitted, 0 received, 100% packet loss." Both VMs are running and Metasploitable logged in successfully. Kali is set to Host-Only Adapter on vboxnet0. What is the most likely cause and what should they check first?

Scenario:

While practising a scanning exercise in their home lab, a student accidentally enters the wrong IP address and realises mid-scan that they are scanning a device on their home network — their router at 192.168.1.1 — rather than their Metasploitable target at 192.168.56.101. They do not own the router software and have no authorisation to scan it. What should they do immediately?

Up Next · Lesson 10

Kali Linux Overview

A proper introduction to your primary working environment — how to navigate it, where the tools live, and how to run your first real commands.