Why a Home Lab?
You can’t learn cybersecurity from textbooks alone. You need to practice — scan networks, analyse packets, test vulnerabilities. But you can’t do that on other people’s systems (that’s illegal). A home lab gives you a safe, isolated environment to break things without consequences.
I spent weeks reading about cybersecurity theory before I finally set up my own lab, and I wish I’d done it sooner. The moment I ran my first Nmap scan and saw actual open ports on a target machine, everything I’d been reading suddenly clicked. Theory is important, but there’s no substitute for hands-on practice.
The best part? It’s completely free.
What You Need
Minimum requirements:
- A computer with at least 8GB RAM (16GB is better)
- 50GB free disk space
- An internet connection (for downloads only — the lab runs offline)
That’s it. No special hardware, no expensive software.
Nice to have but not essential:
- A second monitor (handy for having documentation open while you work)
- An SSD rather than a traditional hard drive (VMs load much faster)
- 16GB+ RAM if you want to run three or more VMs simultaneously
Lab Architecture
Before diving into the setup steps, here’s how all the pieces fit together. Understanding this architecture helps you troubleshoot issues later — if something isn’t working, you can pinpoint which layer is the problem.
[Figure: Home Lab Architecture. How the components fit together in an isolated environment.]
The key thing to notice is that the host-only network sits between your VMs and isolates them from the outside world. Your Kali machine can talk to Metasploitable (and vice versa), but neither can reach the internet. This is exactly what you want — it means you can run scans and exploits without any risk of accidentally hitting real systems.
Step 1: Install VirtualBox
VirtualBox (version 7.x as of March 2026) is a free, open-source tool that lets you run multiple operating systems on one computer.
- Download VirtualBox from virtualbox.org
- Run the installer (accept defaults)
- Restart your computer if prompted
Time: 10 minutes
Step 2: Download Kali Linux
Kali Linux (2026.x as of March 2026) is a Linux distribution designed for security testing. It comes pre-loaded with hundreds of security tools.
- Go to kali.org/get-kali
- Download the “Pre-built Virtual Machines” version for VirtualBox
- The file is about 3-4GB — grab a coffee while it downloads
Time: 20-40 minutes (depends on internet speed)
Step 3: Import Kali into VirtualBox
- Open VirtualBox
- Click “Import” and select the downloaded Kali file
- Adjust settings: give it 2-4GB RAM and 2 CPU cores
- Click “Import” and wait for it to finish
Default credentials: kali / kali
Time: 10 minutes
Step 4: Set Up an Isolated Network
This is crucial for safety. You don’t want your lab traffic hitting the real internet.
- In VirtualBox, go to File > Host Network Manager
- Create a new host-only network
- For each VM, go to Settings > Network > Adapter 1
- Set “Attached to” to “Host-only Adapter”
Now your VMs can talk to each other but can’t reach the internet.
Step 5: Add a Vulnerable Target (Optional)
To practice on, download Metasploitable 2 — a deliberately vulnerable Linux system:
- Search for “Metasploitable 2 download” and download it from SourceForge
- Import it into VirtualBox the same way as Kali
- Set its network to the same host-only adapter
Never expose Metasploitable to the internet. It’s intentionally insecure.
What I Learned Setting This Up
- VirtualBox needs virtualisation enabled in BIOS. If you get errors, restart and enter BIOS settings to enable VT-x or AMD-V.
- Give VMs enough RAM. Kali with 2GB RAM is sluggish. 4GB makes it usable.
- Take snapshots. Before experimenting, snapshot your VMs so you can roll back if something breaks.
- Host-only adapter naming differs by OS. On Windows, VirtualBox creates an adapter called “VirtualBox Host-Only Ethernet Adapter.” On macOS, it shows up as vboxnet0. On Linux, the name varies by distro. If your VMs can’t see each other, double-check they’re both on the same named adapter.
- Kali’s pre-built VM image sometimes has the wrong keyboard layout. If your keys aren’t mapping correctly, open Settings > Keyboard in Kali and switch to your locale. I spent twenty minutes thinking my terminal was broken before I realised the @ symbol was just mapped to a different key.
- Disable Hyper-V on Windows before installing VirtualBox. Windows has its own hypervisor (Hyper-V) that conflicts with VirtualBox. If VMs refuse to start or crash immediately, open “Turn Windows features on or off” and untick Hyper-V, then restart. This one caught me out for an entire afternoon.
The biggest lesson I’ve taken away from building this lab: you learn more from 30 minutes of hands-on troubleshooting than from hours of watching tutorials. Every error I hit forced me to understand something deeper about how networking, virtualisation, or Linux actually works. Don’t be discouraged by problems — they’re the best teachers.
My Lab Setup
| VM | Purpose | RAM | Network |
|---|---|---|---|
| Kali Linux | Attack/testing machine | 4GB | Host-only |
| Metasploitable 2 | Vulnerable target | 1GB | Host-only |
Total RAM used: 5GB (leaving 3GB+ for my host OS with 8GB total)
First Commands to Try
Once your lab is running, don’t just stare at the Kali desktop — start poking around. Here are the first exercises I ran through, in order. Each one builds on the previous.
1. Verify Your Network Configuration
First, confirm that Kali is on the host-only network and has the right IP address:
```bash
# Verify your Kali network configuration
ip addr show
# You should see an interface with a 192.168.56.x address
```
Look for an interface (usually eth0 or eth1) with an IP address in the 192.168.56.x range. If you don’t see one, your network adapter isn’t configured correctly — go back to Step 4 and double-check the settings.
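One way to script this check from inside Kali, extended to also flag a default route, which is the sign that a NAT adapter is still attached. This is an added example, not code from the original post; the function name, status strings and sample outputs are constructed for illustration.

```bash
#!/bin/sh
# Added example: pre-scan isolation check for the Kali guest.
# LAB_PREFIX matches the 192.168.56.x host-only range used in this post.
LAB_PREFIX="192.168.56."

# lab_isolation_status ADDR_TEXT ROUTE_TEXT
#   ADDR_TEXT:  output of `ip -o -4 addr show`
#   ROUTE_TEXT: output of `ip -4 route show default`
# Prints: isolated | no-lab-address | has-default-route
lab_isolation_status() {
    # In `ip -o` output, field 2 is the interface and field 4 is ADDR/PREFIX.
    lab_ifaces=$(printf '%s\n' "$1" | awk -v p="$LAB_PREFIX" \
        '$2 != "lo" && index($4, p) == 1 { n++ } END { print n + 0 }')
    if [ "$lab_ifaces" -eq 0 ]; then
        echo "no-lab-address"      # adapter is not on the host-only network
    elif printf '%s\n' "$2" | grep -q '^default '; then
        echo "has-default-route"   # traffic to non-lab addresses can leave the VM
    else
        echo "isolated"
    fi
}

# Constructed sample: host-only adapter only (the state Step 4 produces).
SAMPLE_ADDR_OK='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.56.102/24 brd 192.168.56.255 scope global dynamic eth0\       valid_lft 542sec preferred_lft 542sec'
SAMPLE_ROUTE_OK=''

# Constructed sample: a NAT adapter was left enabled as Adapter 2.
SAMPLE_ADDR_NAT="$SAMPLE_ADDR_OK
3: eth1    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth1\       valid_lft 86000sec preferred_lft 86000sec"
SAMPLE_ROUTE_NAT='default via 10.0.2.2 dev eth1 proto dhcp src 10.0.2.15 metric 100'

# Live check when run inside the VM.
if command -v ip >/dev/null 2>&1; then
    echo "this machine: $(lab_isolation_status "$(ip -o -4 addr show)" "$(ip -4 route show default)")"
fi
```

Run it before each scanning session and only continue when it prints "isolated".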
2. Discover Hosts and Scan for Open Ports
Now use Nmap to find what’s on your network and what services are running:
```bash
# Discover hosts on your lab network
nmap -sn 192.168.56.0/24

# Scan Metasploitable for open ports
nmap -sV 192.168.56.101
```
The -sn flag does a ping sweep — it tells you which IP addresses are alive on the network. You should see your Kali machine and your Metasploitable target. The -sV flag does a more detailed scan, identifying the specific services and versions running on each open port. When I first ran this against Metasploitable, I was stunned by how many ports were open — FTP, SSH, Telnet, HTTP, and more. That’s the point: it’s intentionally wide open so you have plenty to practise on.
3. Capture and Analyse Network Traffic
Open Wireshark and start watching the traffic between your machines:
```bash
# Start a packet capture on the lab interface
sudo wireshark &

# Useful display filters to try:
# ip.addr == 192.168.56.101 (traffic to/from Metasploitable)
# tcp.port == 80 (HTTP traffic)
# dns (DNS queries)
```
Start a capture on the host-only interface, then run your Nmap scan again in another terminal window. Switch back to Wireshark and watch the packets flow in real time. You’ll see the actual ARP requests, TCP handshakes, and port probes that Nmap sends. This is how you start connecting theory to reality — you’re not just reading about TCP three-way handshakes anymore, you’re watching them happen.
Try filtering by tcp.port == 80 and then open a web browser in Kali and navigate to http://192.168.56.101. You’ll see every HTTP request and response in Wireshark, including headers, payloads, and response codes. It’s a fantastic way to understand how web traffic actually works.
Troubleshooting Common Issues
Even with a straightforward setup like this, things go wrong. Here are the issues I hit (and the solutions I found) so you don’t have to spend hours searching forums.
VMs Won’t Start — “VT-x is not available”
Problem: VirtualBox throws an error about hardware virtualisation when you try to boot a VM.
Solution: Restart your computer and enter BIOS/UEFI settings (usually by pressing F2, F12, Del, or Esc during boot — it varies by manufacturer). Look for “Intel Virtualization Technology” (VT-x) or “AMD-V” under CPU or Advanced settings, and enable it. Save and exit. On Windows, also make sure Hyper-V is disabled (see the lesson above).
VMs Can’t Ping Each Other
Problem: Kali and Metasploitable are both running, but ping 192.168.56.101 from Kali gets no response.
Solution: Check three things in order. First, confirm both VMs are using the same host-only adapter in their network settings. Second, verify both VMs have IP addresses in the same subnet by running ip addr show on Kali and checking the Metasploitable console. Third, check that VirtualBox’s DHCP server is enabled for the host-only network (File > Host Network Manager > DHCP Server tab). If Metasploitable has no IP, you may need to run sudo dhclient eth0 inside it.
Kali Is Extremely Slow
Problem: The Kali desktop is laggy, applications take forever to open, and the whole VM feels unusable.
Solution: Allocate more RAM (4GB minimum, not 2GB) and ensure you’ve assigned at least 2 CPU cores. Also install VirtualBox Guest Additions — this dramatically improves graphics performance. In Kali, run sudo apt update && sudo apt install -y virtualbox-guest-x11 and reboot the VM. If you’re on a laptop, make sure it’s plugged in — many laptops throttle CPU on battery power, which tanks VM performance.
Metasploitable Won’t Boot — “FATAL: No bootable medium found”
Problem: You imported the Metasploitable image but it won’t start.
Solution: Metasploitable 2 is distributed as a VMDK (VMware disk), not an OVA. You need to create a new VM in VirtualBox manually: click “New,” choose Linux/Ubuntu (32-bit), and when asked about a hard disk, select “Use an existing virtual hard disk file” and point it to the .vmdk file you downloaded. Don’t use the “Import” button — that’s only for OVA files.
No Internet in Kali When You Need to Install Something
Problem: You’re on a host-only network (as recommended) but need to install a package or update tools.
Solution: Temporarily add a second network adapter. Go to the VM settings > Network > Adapter 2, enable it, and set it to NAT. Boot Kali, install what you need with sudo apt update && sudo apt install <package>, then disable Adapter 2 again. Always return to host-only networking (Adapter 2 disabled) before running any scans or attacks. You don’t want lab traffic accidentally going out to the real internet.
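The same rule can be checked from the host for both VMs, which also covers Metasploitable. This is an added example, not part of the original post: it reads the output of VBoxManage showvminfo --machinereadable, and the VM names and sample outputs are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: host-side audit of lab VM network adapters.
# VM names are assumptions (no spaces); use the names from `VBoxManage list vms`.
LAB_VMS="kali-linux Metasploitable2"

# non_isolated_nics VMINFO_TEXT
#   VMINFO_TEXT: output of `VBoxManage showvminfo <vm> --machinereadable`
# Prints "nicN=MODE" for every enabled adapter that is not host-only.
non_isolated_nics() {
    printf '%s\n' "$1" | awk -F'"' '
        /^nic[0-9]+=/ && $2 != "none" && $2 != "hostonly" {
            sub(/=$/, "", $1); print $1 "=" $2
        }'
}

# Constructed sample: Kali after the temporary NAT adapter was left enabled.
SAMPLE_KALI_NAT='name="kali-linux"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nictype1="82540EM"
nic2="nat"
nictype2="82540EM"
nic3="none"'

# Constructed sample: Metasploitable attached as described in Step 5.
SAMPLE_MSF_OK='name="Metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"'

# Live audit on the host; skipped where VBoxManage is not installed.
if command -v VBoxManage >/dev/null 2>&1; then
    for vm in $LAB_VMS; do
        info=$(VBoxManage showvminfo "$vm" --machinereadable 2>/dev/null) \
            || { echo "$vm: not found"; continue; }
        bad=$(non_isolated_nics "$info")
        if [ -z "$bad" ]; then echo "$vm: host-only"
        else echo "$vm: NOT ISOLATED ($bad)"; fi
    done
fi
```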
Once your lab is running, the question becomes what to practise and in what order. This tracker maps out the hands-on skills alongside the theory so you always know what to tackle next.
Career Roadmap & Study Tracker (available now): step-by-step roadmap with study tracker worksheets and certification decision framework.
What’s Next?
With the lab running, I can start practising:
- Network scanning with Nmap — try different scan types (-sS for stealth SYN, -O for OS detection, -A for aggressive). The Nmap documentation is excellent and worth reading cover to cover.
- Packet analysis with Wireshark — start with the beginner exercises. Capture traffic while you browse, scan, or transfer files, and practise reading the packet details.
- Vulnerability scanning — install OpenVAS on Kali and run a full vulnerability scan against Metasploitable. The report it generates is a goldmine for understanding common vulnerabilities.
- Web application testing — Metasploitable includes DVWA (Damn Vulnerable Web Application) at http://192.168.56.101/dvwa/. It’s a structured way to learn about SQL injection, XSS, and other web vulnerabilities with difficulty levels you can adjust.
- Password cracking — use Hydra or John the Ripper against the services running on Metasploitable. This teaches you why strong passwords and account lockout policies matter.
Check out the full home lab setup guide for more detailed instructions. If you’re also studying for CompTIA A+, see my week 1 study plan for how I’m pairing certification study with hands-on practice.
Further Reading
- Home Lab Setup Guide — more detailed instructions and advanced configurations
- My Week 1 CompTIA A+ Study Plan — pairing certification study with lab practice
- Cybersecurity Tools Overview — learn about the tools you’ll use in your lab
- Security Concepts — understand what you’re practising
Important: Only perform security testing on systems you own or have explicit written permission to test. Unauthorised access to computer systems is illegal.