Ethical hacking must be conducted legally and safely. Building a home lab gives you a safe and legal environment in which to simulate attacks, develop exploits for vulnerabilities, and practice persistence on your own systems without putting any real systems at risk or breaking any laws.
As of 2026, with so many free resources available (hypervisors, Kali Linux images, and intentionally vulnerable virtual machines), you do not need to invest in expensive hardware; 8 GB to 16 GB of RAM and a server-class CPU capable of running virtual machines will work in most cases.
The objective of a home lab is to recreate realistic scenarios on a virtual network (an attacker VM, several target VMs, and an optional Active Directory-like environment) while keeping the entire setup off the public Internet.
Step 1: Select a Free Hypervisor (Virtualization Platform)
When selecting a hypervisor, make sure it runs on your current computer (Windows, macOS, or Linux) and meets your requirements.
1. Oracle VirtualBox: the easiest to get up and running; free, cross-platform, and with a simple user interface. Good for 2 to 4 virtual machines running concurrently.
2. VMware Workstation Player: free for personal use, with better performance and networking capabilities than VirtualBox in most cases.
3. Proxmox VE (recommended if you have spare hardware or want something more advanced): free and open source, managed through a web interface. Excellent for larger labs but with a steeper learning curve than the other options.
For practical purposes, begin with VirtualBox (download from virtualbox.org). Be sure to install the Guest Additions to get mouse and clipboard integration between your host and guest operating systems.
Step 2: Create Your Attacker Machine
Kali Linux remains the dominant pentesting operating system in 2026, with many new tools for AI-assisted attacks, cloud reconnaissance, and more.
1. Download the latest ISO from kali.org, or choose the prebuilt VirtualBox/VMware image so the installation process is easier.
2. Set Up the VM:
a. RAM: 4 to 6 GB
b. CPU: 2 to 4 cores
c. Disk: 40 to 80 GB
3. Install and then update the system with:
a. sudo apt update && sudo apt full-upgrade -y
Important tools that you will use frequently, all available for free in Kali:
1. Nmap is used for host and port discovery.
2. Metasploit Framework is used to exploit vulnerabilities.
3. Burp Suite Community is a web application testing framework.
4. Wireshark is used for analyzing network packets.
5. Sqlmap automates SQL injection testing against databases.
6. John the Ripper and Hashcat are used for password cracking.
7. Nuclei is a fast vulnerability scanner.
8. BloodHound CE helps map attack paths inside Active Directory. It can be installed via apt or from GitHub.
Step 3: Get Free Vulnerable Target VMs
These intentionally broken machines are for legal, ethical hacking practice; download them only from the official sources.
1. Metasploitable 3 (available in both Windows and Linux versions): easy for beginners to use.
2. DVWA (Damn Vulnerable Web Application): a web application focused on SQLi, XSS, CSRF, and similar flaws.
3. VulnHub VMs: free downloads from vulnhub.com (such as the Kioptrix series and Mr. Robot).
4. TryHackMe and HackTheBox retired VMs: if you have an OVA you can export it from them; otherwise, use a free export link.
5. bWAPP or OWASP Juice Shop: both are excellent web vulnerability labs.
6. Vulnerability Pen Testing Lab Environment (VPL) or the equivalent lab from VulnHub.com.
Practical tip: look for "easy" or "beginner" Vulnerability Pen Testing Lab Environments on VulnHub.com. Download the OVA/VMDK files and import them directly into VirtualBox or VMware.
Step 4: Setting Up a Basic Network (Isolated and Secured)
1. Create an internal network (or host-only network) in your virtualization platform (e.g. VirtualBox or VMware). This lets your virtual machines communicate with each other but not with the outside world (the Internet or your physical router).
2. Create one attacker VM (Kali) and two to three target VMs.
3. Optionally, create a Windows 10 or 11 evaluation VM (available for free from Microsoft) and set up an Active Directory lab. You can build the AD with a free Samba AD server or an evaluation version of Windows Server.
Example Topology:
1. Kali (Attacker) → Scanning and exploiting Target Virtual Machines.
2. Metasploitable 3 (Target 1) → Practice memory buffer overflows and SMB exploits.
3. DVWA (Target 2) → Web Application Attacks.
4. Windows Virtual Machine (Target 3) → Active Directory and Privilege Escalation.
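The isolated network from Step 4, as an added example that is not part of the original article: a POSIX shell script that uses VBoxManage to put the lab VMs on a VirtualBox internal network and then audits each VM so that no adapter was left on NAT or bridged mode (either would connect the lab to your real LAN). The VM names, the network name "pentestlab" and the LAB_APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: attach every lab VM to one
# VirtualBox internal network with VBoxManage, then audit each VM's adapters
# so none is left on NAT or bridged mode (either would connect the lab to
# your real LAN/Internet). VM names and the network name are assumptions.
LAB_NET="pentestlab"
LAB_VMS="Kali Metasploitable3 DVWA Win11"   # assumed VM names, powered off

# Put NIC1 of each VM on the isolated internal network and disable NIC2.
isolate_lab() {
  for vm in $LAB_VMS; do
    VBoxManage modifyvm "$vm" --nic1 intnet --intnet1 "$LAB_NET"
    VBoxManage modifyvm "$vm" --nic2 none
  done
}

# Audit one VM from a saved 'VBoxManage showvminfo <vm> --machinereadable'
# dump ($1). Prints the offending nicN lines; returns 1 if any adapter is
# nat, natnetwork or bridged, 0 if all are intnet, hostonly or none.
check_isolation() {
  leaks=$(grep -E '^nic[0-9]+="(nat|natnetwork|bridged)"' "$1" || true)
  if [ -n "$leaks" ]; then
    printf 'NOT isolated (%s):\n%s\n' "$1" "$leaks"
    return 1
  fi
  return 0
}

# Audit every VM in the lab; exit status 1 if any one of them leaks.
audit_lab() {
  status=0
  for vm in $LAB_VMS; do
    dump=$(mktemp)
    VBoxManage showvminfo "$vm" --machinereadable > "$dump"
    check_isolation "$dump" || status=1
    rm -f "$dump"
  done
  return $status
}

# Apply only when explicitly requested, e.g.  LAB_APPLY=1 sh lab_net.sh
if [ "${LAB_APPLY:-0}" = "1" ]; then
  isolate_lab && audit_lab
fi
```

Run the audit again after every import of a new OVA, because prebuilt images often ship with their first adapter set to NAT.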
Examples and Code Snippets
1. Performing A Basic Nmap Scan From A Kali Machine To Discover All Host/Systems/Devices
# Quick ping sweep of the lab network (192.168.56.0/24)
sudo nmap -sn 192.168.56.0/24
# Full service, script and OS detection scan of one target, saved to a file
sudo nmap -sV -sC -O -p- 192.168.56.101 -oN scan_results.txt
2. Using An Exploit With Metasploit (Exploiting vsftpd Backdoor On Metasploitable 3)
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.56.101
exploit
You'll end up with a shell, where you can execute commands such as 'whoami' and 'pwd'.
3. Sample Workflow Of Web Application Testing Using Burp Suite (using DVWA)
1. Set your browser to use 127.0.0.1:8080 as its proxy.
2. Capture the login request and send it to Repeater.
3. SQL Injection Testing: Change username to ' OR 1=1 -- → observe bypass.
4. Performing Active Directory Reconnaissance Using BloodHound (if desired and a Windows Server With Active Directory VM is installed)
# PowerShell, in the target Windows environment, once access has been established
.\SharpHound.exe --CollectionMethods All --ZipFileName bloodhound.zip
Copy the ZIP file produced by SharpHound to Kali, import it into the BloodHound user interface there, and use the built-in queries to locate the paths to Domain Administrator privileges.
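An added example (not from the original article) that ties the "nmap ... -oN scan_results.txt" command above to the reporting tip later on: a shell function that extracts every open port from nmap's normal output into a CSV inventory (host,port,service,version), run here on a constructed sample scan. The function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): convert the normal (-oN)
# output of "nmap -sV -sC -O -p- <target> -oN scan_results.txt" into a CSV
# inventory for the findings report. Only "open" port lines are kept; script
# (-sC) output lines, which start with "|", and closed ports are ignored.

# Print host,port,service,version for every open port in an -oN file ($1).
nmap_to_csv() {
  awk '
    /^Nmap scan report for / { host = $5; next }      # hostname or IP
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      version = ""
      for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
      printf "%s,%s,%s,%s\n", host, $1, $3, version
    }' "$1"
}

# Summary line per host: "<open port count> <host>", handy for the report.
open_ports_per_host() {
  nmap_to_csv "$1" | cut -d, -f1 | sort | uniq -c | awk '{ print $1, $2 }'
}

# Constructed sample scan (not real output from any live target), written to $1.
write_sample_scan() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for 192.168.56.101
Host is up (0.00045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open   ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8080/tcp closed http-proxy
EOF
}

# Usage: sh nmap_to_csv.sh scan_results.txt
if [ "${1:-}" != "" ]; then
  nmap_to_csv "$1"
fi
```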
How to Be Successful in 2026
1. Be Respectful of the Law
Only ever scan your own virtual machines; never scan any other system without its owner's consent.
2. RAM Minimums
Ideally, you should have 16 GB of RAM on your physical computer; for some lighter Virtual Machines, 8 GB will work just fine.
3. Backup your VMs
Take a snapshot of a VM before running any high-risk exploit against it.
4. Write a Report
After you exploit a "box", write a report detailing your findings, the impact of your exploitation, and your proposed fixes; learning to report your findings is part of the skill.
5. Progression Plan
Follow the THM "Complete Beginner" path to gain some basic knowledge → Progress through the HTB Starting Point course → Work on VulnHub Boxes, and then look for a Bug Bounty or pursue OSCP certification.
Conclusion
Ethical hacking with virtual machines at no cost in 2026 is entirely feasible, using a combination of tools such as VirtualBox or VMware Player, Kali Linux, and free (limited) vulnerable VMs from VulnHub and Metasploitable. The major focus should be isolation, basic networking concepts, and practicing the tools already included with Kali.
Practice enumeration, exploitation, post-exploitation, and reporting. With this setup you will develop real-world ethical hacking skills without paying a penny; download Kali and a vulnerable VM today!