A local virtual machine lab is the foundation of practical cybersecurity learning. It gives you an isolated environment to practice attacks and defences without risking your own network or breaking any laws. VirtualBox is free, runs on Windows, and is more than capable of hosting a full attack-and-defence scenario.
This is the exact setup I use — what to install, how to network it correctly, and the scenarios worth running.
Hardware Requirements
You do not need a powerful machine. My lab runs on a mid-range laptop:
- CPU: Intel Core i7 (8th gen or newer) with virtualisation enabled in BIOS
- RAM: 16GB minimum — 8GB for the host OS, 8GB shared between VMs
- Storage: 100GB+ free space (SSD strongly preferred for VM performance)
Check virtualisation first: Open Task Manager > Performance > CPU. If "Virtualisation" shows as Disabled, enable Intel VT-x or AMD-V in your BIOS before installing VirtualBox.
The VM Stack
1. Kali Linux — Attacker Machine
Kali is the standard penetration testing distribution. Download the pre-built VirtualBox image from kali.org/get-kali — it saves 30 minutes of manual setup. Import it via File > Import Appliance.
Allocate: 2 vCPUs, 4GB RAM, 80GB disk.
2. Metasploitable 2 — Intentionally Vulnerable Target
Metasploitable is a deliberately vulnerable Ubuntu VM built by Rapid7 for practising exploitation. Every common vulnerability is present: FTP anonymous login, Samba misconfiguration, open Postgres with default creds, and more. Download from SourceForge — it comes as a ready-to-import OVF.
Allocate: 1 vCPU, 512MB RAM.
3. Windows Server 2019 (Evaluation) — Enterprise Target
Microsoft offers free 180-day evaluation ISOs of Windows Server. This lets you practice Active Directory attacks — Kerberoasting, pass-the-hash, BloodHound enumeration — in a realistic enterprise environment.
Allocate: 2 vCPUs, 4GB RAM, 60GB disk.
4. Ubuntu Server — SIEM / Monitoring Node
Install Wazuh or the ELK stack here to monitor the Windows Server and Metasploitable VMs. This closes the loop: you attack from Kali, the activity generates logs, and your SIEM detects it.
Network Configuration — The Critical Part
Getting the network wrong means your VMs cannot talk to each other, or worse, your intentionally vulnerable VMs are exposed to your real network. Use a NAT Network (not "NAT" and not "Bridged"):
- VirtualBox > Tools > Network > NAT Networks > Create
- Name it "CyberLab", set CIDR to 10.0.2.0/24, enable DHCP
- For each VM: Settings > Network > Adapter 1 > NAT Network > CyberLab
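This creates a virtual network behind NAT. All VMs can reach each other and access the internet (for updates) but are not reachable from your physical LAN, so Metasploitable stays safely isolated from it. The isolation applies to inbound traffic only: the VMs can still open outbound connections through the host, so do not add port-forwarding rules to the NAT Network for the vulnerable VMs.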
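To confirm that no lab VM ended up on a bridged or default NAT adapter, the following added example (not part of the original setup) parses the output of `VBoxManage showvminfo <vm> --machinereadable` and reports any adapter that is not on the CyberLab NAT Network. The sample outputs are constructed, and the key names `nicN` and `nat-networkN` are assumed to match what your VirtualBox version prints.

```python
import re
import subprocess

LAB_NET = "CyberLab"  # NAT Network name created in the steps above
# Constructed samples in the key="value" form of --machinereadable output.
SAMPLE_OK = '''nic1="natnetwork"
nat-network1="CyberLab"
nic2="none"
'''
SAMPLE_BAD = '''nic1="bridged"
bridgeadapter1="Example Wi-Fi Adapter"
nic2="natnetwork"
nat-network2="Default"
'''

def parse_vminfo(text):
    """Turn key="value" lines into a dict (keys may themselves be quoted)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info

def audit_adapters(text, lab_net=LAB_NET):
    """Return findings; an empty list means every enabled adapter is on lab_net."""
    info = parse_vminfo(text)
    findings = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)  # skips nictype1, nicspeed1, ...
        if not m or mode == "none":
            continue
        n = m.group(1)
        net = info.get(f"nat-network{n}")
        if mode != "natnetwork":
            findings.append(f"nic{n}: attached as '{mode}', expected natnetwork")
        elif net != lab_net:
            findings.append(f"nic{n}: on NAT Network '{net}', expected '{lab_net}'")
    return findings

def audit_vm(vm_name):
    """Audit a real VM; needs VBoxManage on PATH. vm_name is whatever you named it."""
    out = subprocess.run(["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return audit_adapters(out)

if __name__ == "__main__":
    print(audit_adapters(SAMPLE_OK), audit_adapters(SAMPLE_BAD))
```

Run `audit_vm` with each lab VM's name after any change to its adapter settings; an empty list means the VM is only attached to CyberLab.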
Snapshots — Your Safety Net
Before every attack scenario, take a snapshot of each VM. After you are done (or if something breaks), revert to the snapshot and start fresh. In VirtualBox: Machine > Take Snapshot. Name it descriptively: "Clean state before Metasploit exercise."
Scenarios Worth Running
Scenario 1 — Metasploit Against Metasploitable
```
# On Kali
msfconsole
use exploit/multi/handler
# Or target vsftpd backdoor:
use exploit/unix/ftp/vsftpd_234_backdoor
# Metasploitable IP
set RHOSTS 10.0.2.x
run
```
Watch your Wazuh/SIEM dashboard as the exploit fires — you will see exactly what a successful exploitation event looks like in logs.
Scenario 2 — Active Directory Enumeration
Promote the Windows Server to a Domain Controller, create some user accounts, then use BloodHound from Kali to enumerate the AD structure and identify privilege escalation paths. This is what real red teams do on day one of an engagement.
Scenario 3 — Network Scan and Log Correlation
Run your Python Nmap scanner against the lab network and observe how the scans appear in your SIEM. This teaches you what legitimate scanning looks like in logs — essential for alert triage in a real SOC.
Documenting Your Work
Every scenario should produce a write-up: what you did, what you found, how it would be detected. These become GitHub README files and portfolio pieces. Three documented lab scenarios on GitHub outweigh a list of certifications for many Melbourne employers.