alicesec
Back to Blog
Getting Started

Setting Up Your Hacking Lab: Free Tools for 2025

AliceSec Team
3 min read

Every security professional needs a lab—a safe, legal environment to practice attacks, test tools, and break things without consequences. The good news: you can build a complete hacking lab for free.

This guide walks you through setting up everything from virtualization to vulnerable targets to offensive tools.

Why You Need a Lab

Testing on systems you don't own is illegal. Period. Even if you find a bug and report it responsibly, unauthorized testing can result in:

  • Criminal charges (Computer Fraud and Abuse Act in the US)
  • Civil lawsuits
  • Account bans from bug bounty platforms
  • Reputation damage

Your lab gives you:

  • Legal targets - Break whatever you want
  • Learning freedom - Experiment without fear
  • Controlled environment - No accidental damage to real systems
  • Realistic practice - Modern vulnerable apps mirror real vulnerabilities

Architecture Overview

text
┌─────────────────────────────────────────────────────┐
│                   HOST MACHINE                       │
│                                                      │
│  ┌─────────────────┐  ┌─────────────────────────┐   │
│  │  Kali Linux VM  │  │  Vulnerable Apps (Docker)│   │
│  │  - Burp Suite   │  │  - DVWA                  │   │
│  │  - sqlmap       │  │  - Juice Shop            │   │
│  │  - ffuf         │  │  - WebGoat               │   │
│  │  - etc.         │  │  - Custom targets        │   │
│  └─────────────────┘  └─────────────────────────┘   │
│                                                      │
│  ┌─────────────────────────────────────────────┐    │
│  │        Isolated Network (NAT/Host-only)      │    │
│  └─────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────┘

Step 1: Virtualization

Option A: VirtualBox (Free, Recommended for Beginners)

bash
# macOS
brew install --cask virtualbox

# Windows
# Download from virtualbox.org

# Linux (Ubuntu/Debian)
sudo apt install virtualbox

Minimum specs for smooth operation:

  • 8GB RAM (16GB preferred)
  • 50GB free disk space
  • CPU with virtualization support (VT-x/AMD-V)

Option B: Docker (Free, Lightweight)

For running vulnerable web applications:

bash
# macOS
brew install --cask docker

# Windows
# Download Docker Desktop from docker.com

# Linux (Ubuntu/Debian)
sudo apt install docker.io docker-compose
sudo usermod -aG docker $USER

Option C: Cloud-Based (Free Tiers)

If your machine is underpowered:

  • Linode - $100 free credit for new accounts
  • DigitalOcean - $200 free credit
  • AWS Free Tier - Limited but usable

Step 2: Attack Machine (Kali Linux)

Kali Linux comes pre-loaded with security tools:

Download and Install

bash
# Download from kali.org/get-kali
# Choose: Installer Images → Kali Linux 64-bit

# Recommended VM settings:
# - 4GB RAM minimum (8GB preferred)
# - 80GB disk
# - 2 CPU cores
# - NAT or host-only network

First Boot Setup

bash
# Update everything
sudo apt update && sudo apt upgrade -y

# Install common additions
sudo apt install -y \
  git \
  python3-pip \
  golang-go \
  default-jdk \
  nodejs \
  npm

# Set up Go path (for many tools)
echo 'export PATH=$PATH:$HOME/go/bin' >> ~/.zshrc
source ~/.zshrc

Alternative: Parrot OS

Lighter than Kali, good for older hardware:

text
Download from parrotsec.org
Choose: Security Edition

Step 3: Vulnerable Applications

Docker-Based Labs (Easiest)

DVWA (Damn Vulnerable Web Application)

bash
# Pull and run
docker run -d -p 80:80 vulnerables/web-dvwa

# Access at http://localhost
# Default login: admin/password
# Set security level to "Low" initially

OWASP Juice Shop

bash
# Modern, JavaScript-based vulnerable app
docker run -d -p 3000:3000 bkimminich/juice-shop

# Access at http://localhost:3000
# No login required to start

WebGoat

bash
# OWASP's learning platform
docker run -d -p 8080:8080 -p 9090:9090 webgoat/webgoat

# Access at http://localhost:8080/WebGoat

All-in-One Setup

yaml
# docker-compose.yml
version: '3'
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "8081:80"

  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "3000:3000"

  webgoat:
    image: webgoat/webgoat
    ports:
      - "8080:8080"
      - "9090:9090"

  mutillidae:
    image: citizenstig/nowasp
    ports:
      - "8082:80"
bash
# Run all at once
docker-compose up -d

VM-Based Labs

Metasploitable 2/3

Classic vulnerable Linux machines:

text
# Download from:
# Metasploitable 2: sourceforge.net/projects/metasploitable
# Metasploitable 3: github.com/rapid7/metasploitable3

# Import OVA into VirtualBox
# Use host-only network (NEVER bridged!)

VulnHub

Hundreds of vulnerable VMs for practice:

text
# Browse: vulnhub.com
# Recommended for beginners:
# - Kioptrix series
# - Mr Robot
# - Basic Pentesting

Step 4: Essential Tools

Web Proxy: Burp Suite Community

The most important tool for web security:

bash
# Already installed on Kali
# Or download from: portswigger.net/burp/communitydownload

# Configure browser:
# 1. Open Burp → Proxy tab
# 2. Set browser proxy to 127.0.0.1:8080
# 3. Install Burp's CA certificate for HTTPS interception

Key Burp features to learn:

  • Proxy - Intercept and modify requests
  • Repeater - Replay and edit requests manually
  • Intruder - Automated attacks (limited in free version)
  • Decoder - Encode/decode data
  • Comparer - Compare responses

SQL Injection: sqlmap

bash
# Already installed on Kali
# Or install:
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python3 sqlmap.py --wizard

Basic usage:

bash
# Test a parameter
sqlmap -u "http://target.com/page?id=1" --dbs

# With authentication
sqlmap -u "http://target.com/page?id=1" --cookie="session=abc123"

# Increase level/risk for thorough testing
sqlmap -u "http://target.com/page?id=1" --level=5 --risk=3

Web Fuzzing: ffuf

bash
# Install
go install github.com/ffuf/ffuf/v2@latest

# Or on Kali
sudo apt install ffuf

Basic usage:

bash
# Directory bruteforce
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Parameter fuzzing
ffuf -u "http://target.com/page?FUZZ=test" -w params.txt

# POST data fuzzing
ffuf -u http://target.com/login -X POST \
  -d "username=admin&password=FUZZ" \
  -w passwords.txt

Subdomain Enumeration: subfinder

bash
# Install
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Usage
subfinder -d target.com -o subs.txt

HTTP Toolkit: httpx

bash
# Install
go install github.com/projectdiscovery/httpx/cmd/httpx@latest

# Check which subdomains are alive
cat subs.txt | httpx -o alive.txt

# With tech detection
cat subs.txt | httpx -tech-detect -o results.txt

Wordlists: SecLists

bash
# Clone the essential wordlist collection
git clone https://github.com/danielmiessler/SecLists.git ~/wordlists

# Or install on Kali
sudo apt install seclists
# Located at: /usr/share/seclists

Key wordlists:

text
Discovery/Web-Content/common.txt       - Directory bruteforce
Discovery/Web-Content/api/             - API endpoint discovery
Discovery/DNS/subdomains-top1million-5000.txt - Subdomain enumeration
Passwords/Common-Credentials/          - Password lists
Fuzzing/XSS/                          - XSS payloads
Fuzzing/SQLi/                         - SQL injection payloads

Browser Extensions

Firefox (recommended for security testing):

  • FoxyProxy - Quick proxy switching
  • Wappalyzer - Technology detection
  • Cookie-Editor - Modify cookies easily
  • HackBar - Quick encoding/decoding

Step 5: Network Configuration

Isolate Your Lab

Never expose vulnerable applications to your network:

text
# VirtualBox network modes:
NAT          - VMs can access internet, isolated from LAN
Host-only    - VMs talk to host only, no internet
Bridged      - NEVER use for vulnerable VMs!

Recommended Setup

text
Attack VM (Kali):     NAT + Host-only adapter
Vulnerable VMs:       Host-only only
Docker containers:    localhost binding only

Host-Only Network Setup

bash
# VirtualBox
1. File Host Network Manager
2. Create new network (e.g., 192.168.56.0/24)
3. Assign to VMs needing internal communication

Step 6: Practice Methodology

Daily Workflow

text
1. Start your vulnerable application
2. Configure browser proxy through Burp
3. Explore the application manually
4. Identify potential vulnerabilities
5. Attempt exploitation
6. Document findings
7. Learn the fix

Skill Progression Path

Week 1-2: Environment mastery

  • Get comfortable with Burp Suite
  • Practice intercepting and modifying requests
  • Explore DVWA at security level "Low"

Week 3-4: XSS deep dive

  • Complete all DVWA XSS challenges
  • Try Juice Shop XSS challenges
  • Move to PortSwigger labs

Week 5-6: SQL Injection

  • DVWA SQLi challenges
  • Learn manual SQLi before using sqlmap
  • Practice blind SQLi techniques

Week 7-8: Access Control

  • IDOR practice on Juice Shop
  • Authentication bypass challenges
  • Session management testing

Troubleshooting Common Issues

"Burp isn't intercepting HTTPS"

text
1. Export Burp's CA certificate:
   Proxy → Options → Import/Export CA certificate
2. Import into browser/system trust store
3. Restart browser

"Docker containers can't start"

bash
# Check if Docker daemon is running
sudo systemctl status docker

# Check port conflicts
sudo lsof -i :80
sudo lsof -i :8080

# Use different ports if needed
docker run -p 8888:80 vulnerables/web-dvwa

"VMs are too slow"

text
1. Allocate more RAM (at least 4GB for Kali)
2. Enable 3D acceleration if available
3. Use SSD if possible
4. Close unnecessary host applications
5. Consider cloud alternatives

"Can't connect to VM from host"

bash
# Check VM's IP
ip addr show

# Verify network adapter is correct type
# Host-only: should have 192.168.x.x address
# NAT: should have 10.0.x.x address

# Ping from host to verify connectivity
ping 192.168.56.x

Resource Requirements Summary

Minimum Specs

text
RAM:        8GB (4GB for host, 4GB for VMs)
Storage:    50GB free
CPU:        Dual-core with virtualization
Network:    Any internet connection

Recommended Specs

text
RAM:        16GB+ (8GB for VMs)
Storage:    100GB+ SSD
CPU:        Quad-core
Network:    Stable internet for updates

Cloud Alternative

If your hardware is limited:

text
Provider:   Linode, DigitalOcean, AWS
Instance:   4GB RAM, 2 vCPU minimum
Cost:       $20-40/month (or use free credits)
Benefit:    No local resource usage

Quick Reference

Start Your Lab

bash
# Start Docker vulnerable apps
docker-compose up -d

# Start Kali VM (if using)
# Start VirtualBox → Select Kali → Start

# Open Burp Suite
burpsuite &

# Configure Firefox proxy
# Settings → Network → Manual proxy: 127.0.0.1:8080

Stop Your Lab

bash
# Stop Docker containers
docker-compose down

# Shutdown VMs through VirtualBox GUI

Access Your Targets

text
DVWA:        http://localhost:8081
Juice Shop:  http://localhost:3000
WebGoat:     http://localhost:8080/WebGoat
Mutillidae:  http://localhost:8082

Next Steps

With your lab set up, you're ready to practice. Start with our guided security challenges that match the vulnerabilities in these lab environments:

Build skills in your safe lab, then apply them to bug bounties and real-world testing.

---

Tools and vulnerable applications are regularly updated. This guide will be refreshed as new resources emerge. Last updated: December 2025.

Stay ahead of vulnerabilities

Weekly security insights, new challenges, and practical tips. No spam.

Unsubscribe anytime. No spam, ever.