Build Your Own Pentest Lab (No Experience Needed)

I’ve always wanted a safe, realistic place to test out security tools — one where I could try things without risking any production systems or breaking anything live. This week, I finally sat down and built my own Purple Team lab environment from scratch.

If you’re just getting into offensive/defensive testing and want to follow along, here’s exactly how I did it — step by step, with zero experience or tools at the start.

What I Had Before Starting

  • A laptop running Windows 11 (with 16 GB RAM)
  • A 1 TB external SSD (brand new)
  • Internet access
  • Curiosity and time to learn

That’s it. I didn’t have any ISO files, hypervisors, VMs, or security tools set up — I built everything from the ground up.

Goal: Create a Private Pentest Lab

  • Isolated from my Windows system
  • Runs on my external SSD
  • Can simulate real attacks and defense
  • Reusable for Web security testing, vulnerability scanning, red/blue team exercises

Step 1: Setup SSD Structure

I kept things simple — no disk partitioning (yet). I organized the SSD like this:

/SSD/
├── ISOs/ → Kali Linux, target machine images
├── VMs/ → All my virtual machines
├── Tools/ → Scripts, wordlists, configs
└── Notes/ → My learnings, findings, snapshots

Step 2: Installed VirtualBox

I downloaded the latest version of VirtualBox for Windows from https://virtualbox.org and installed it with default settings.

When Windows asked whether the app could make changes to the device, I selected Yes: I had downloaded it from the official site and launched it myself. One check worth doing before that click, because the installer runs as administrator: compare the file's SHA-256 (Get-FileHash in PowerShell) against the checksum list Oracle publishes alongside the downloads on virtualbox.org, and only run it if they match.

💡 If you get a warning about needing Microsoft Visual C++ Redistributable, install the latest 2015–2022 x64 version from Microsoft.

Step 3: Downloaded Kali Linux ISO

From kali.org I downloaded the “Installer” ISO (not the live version), around 3.5 GB. Kali publishes a SHA256SUMS file (plus a SHA256SUMS.gpg signature for it) next to the ISOs; comparing the downloaded file's hash with that list catches a corrupt or tampered download before it ever boots.

I saved it inside my SSD here:

/SSD/ISOs/kali-linux-2025.2-installer-amd64.iso
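The checksum step above, as an added example that is not part of the original post: a small POSIX shell function that compares a file's SHA-256 with the matching entry in a SHA256SUMS file and tells “hash differs” apart from “file not listed”. It runs wherever sha256sum exists (the Kali VM, or WSL/Git Bash on the Windows side). The ISO file name is the one used in this post; the sample files built by demo_verify are constructed stand-ins, not real Kali images.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded ISO against
# the SHA256SUMS file published next to it before booting it.
#
# verify_iso <iso-path> <sha256sums-path>
#   returns 0  hash matches the entry for that file name
#   returns 1  hash differs (corrupt or tampered download)
#   returns 2  file name not listed in SHA256SUMS (wrong list, or renamed file)
verify_iso() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")

    # SHA256SUMS rows look like "<64 hex>  <filename>" (sometimes " *filename"
    # for binary mode). Match the file name column exactly, not as a substring.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi

    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "OK: $name matches SHA256SUMS"
}

# demo_verify: exercise all three outcomes on constructed files (a few bytes
# standing in for the 3.5 GB ISO). Returns 0 only if every case behaves.
demo_verify() {
    dir=$(mktemp -d)
    good="$dir/kali-linux-2025.2-installer-amd64.iso"
    printf 'constructed stand-in for the Kali installer\n' > "$good"
    (cd "$dir" && sha256sum kali-linux-2025.2-installer-amd64.iso > SHA256SUMS)

    # intact download
    verify_iso "$good" "$dir/SHA256SUMS" || return 1

    # same bytes under a name the list does not know
    cp "$good" "$dir/renamed.iso"
    rc=0; verify_iso "$dir/renamed.iso" "$dir/SHA256SUMS" 2>/dev/null || rc=$?
    [ "$rc" -eq 2 ] || return 1

    # one extra byte: the hash no longer matches
    printf 'x' >> "$good"
    rc=0; verify_iso "$good" "$dir/SHA256SUMS" 2>/dev/null || rc=$?
    [ "$rc" -eq 1 ] || return 1

    rm -rf "$dir"
}
```

The hash list itself is only as trustworthy as its download; Kali signs it (SHA256SUMS.gpg), so on the Kali side the complete check is to import the Kali archive key as described in the kali.org documentation and run gpg --verify SHA256SUMS.gpg SHA256SUMS before trusting the entries.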

Step 4: Created Kali Linux VM

Using VirtualBox:

  • Name: kali-pentest
  • Machine Folder: Set to my SSD’s /VMs/kali-pentest/
  • Type: Linux
  • Version: Debian (64-bit)
  • Memory: 4096 MB (4 GB)
  • CPU: 2 cores
  • Disk: 40 GB (VDI, dynamically allocated, stored on SSD)

Attached the Kali ISO and booted the VM.

⚠️ One setting not in the list above is the network adapter; a new VirtualBox VM gets a single NAT adapter. That keeps the VM from touching the Windows install and gives it outbound internet through the host (needed for updates), but the VM can also reach the host and anything the host's network can reach, so “isolated” here means isolated from the Windows system, not from the network. When target machines get added later, put them on a VirtualBox Internal Network (and give Kali a second adapter on the same one) so attack traffic never leaves the lab.
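The same VM, as an added example that is not part of the original post, built with VBoxManage (the command-line side of VirtualBox) so the lab can be rebuilt identically, with a second adapter on an Internal Network reserved for targets. The SSD path D:/SSD, the network name pentest-lab, the LAB_BUILD and DRY_RUN switches and the run helper are assumptions for this lab, not VirtualBox defaults; run it from a POSIX shell (Git Bash or WSL on the Windows host) with VBoxManage on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: create the Kali VM with VBoxManage.
#
# Usage: LAB_BUILD=1 sh build-lab.sh            # really create the VM
#        DRY_RUN=1 LAB_BUILD=1 sh build-lab.sh  # only print the commands

LAB_ROOT="${LAB_ROOT:-D:/SSD}"      # assumed SSD path; VBoxManage on Windows accepts forward slashes
VM_NAME="${VM_NAME:-kali-pentest}"
VM_DIR="$LAB_ROOT/VMs"
ISO="${ISO:-$LAB_ROOT/ISOs/kali-linux-2025.2-installer-amd64.iso}"
DISK="$VM_DIR/$VM_NAME/$VM_NAME.vdi"
LAB_NET="${LAB_NET:-pentest-lab}"   # assumed name of the internal network shared only by lab VMs

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_kali_vm() {
    # Same settings as the GUI steps: Debian 64-bit, 4 GB RAM, 2 CPUs,
    # machine folder on the SSD.
    run VBoxManage createvm --name "$VM_NAME" --ostype Debian_64 \
        --basefolder "$VM_DIR" --register

    # nic1 = NAT: outbound internet for apt, host reachable only via the NAT gateway.
    # nic2 = intnet: the isolated segment where vulnerable targets will live.
    run VBoxManage modifyvm "$VM_NAME" --memory 4096 --cpus 2 \
        --nic1 nat \
        --nic2 intnet --intnet2 "$LAB_NET" \
        --boot1 dvd --boot2 disk

    # 40 GB dynamically allocated VDI (size is in MB), SATA controller,
    # disk on port 0 and the installer ISO as a DVD on port 1.
    run VBoxManage createmedium disk --filename "$DISK" --size 40960 --format VDI
    run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --portcount 2
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$DISK"
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$ISO"
}

# Unplug the NAT adapter's virtual cable while attacks run (works on a running
# VM), and plug it back in for the next apt upgrade. "1" is the adapter number.
lab_offline() { run VBoxManage controlvm "$VM_NAME" setlinkstate1 off; }
lab_online()  { run VBoxManage controlvm "$VM_NAME" setlinkstate1 on; }

if [ "${LAB_BUILD:-0}" = "1" ]; then
    build_kali_vm
fi
```

With DRY_RUN=1 the script only prints the VBoxManage lines, which is the quickest way to see exactly what the GUI wizard did. Target VMs later get the same --nic1 intnet --intnet1 pentest-lab treatment and no NAT adapter at all, so nothing on that segment can talk to the home LAN.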

Step 5: Kali Linux Installation (Inside VM)

  • Language: English (or local)
  • Keyboard: English (for me)
  • Hostname: kali-lab
  • Full name: skipped
  • Username: abcd
  • Password: 12345
  • Timezone: Europe
  • Partitioning: Use entire disk, all files in one partition
  • Install GRUB bootloader: Yes, on /dev/sda
  • Desktop: XFCE
  • Toolsets: Selected default, top10, core, firmware

Installation took ~15–20 mins.

💡 A throwaway password like 12345 is fine while the VM has no adapter reachable from outside, but change it (passwd) before bridging the VM onto a real network or enabling SSH; a lab box with known credentials is an easy foothold for anyone else on that network.

Step 6: First Boot into Kali

After reboot, I logged in:

  • Username: abcd
  • Password: 12345

XFCE desktop loaded perfectly.

Step 7: Updated the System

Opened the terminal and ran:

sudo apt update && sudo apt full-upgrade -y

⚠️ At first, package updates failed: I realized /etc/apt/sources.list was empty, which typically means the installer skipped mirror setup because it had no network at the time. I fixed it by editing:

sudo nano /etc/apt/sources.list

Added this line (the suite is kali-rolling; non-free-firmware is the component Kali uses for the firmware packages, which matters since I picked the firmware toolset during install):

deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware

Then updated again (full-upgrade, as on a rolling distribution plain upgrade can hold packages back):

sudo apt update && sudo apt full-upgrade -y
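The sources.list fix as an idempotent shell function, added here as an example that is not part of the original post: running it twice does not stack duplicate entries, and it refuses to edit a file that already points at some other distribution's mirror rather than silently mixing repositories. The line it writes is the one Kali documents; the file path argument exists only so it can be tried on a scratch file before touching /etc/apt/sources.list (which needs sudo).

```shell
#!/bin/sh
# Added example (not from the original post): put exactly one kali-rolling
# entry into an apt sources file, idempotently.
KALI_LINE='deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware'

# ensure_kali_sources [file]   (default /etc/apt/sources.list)
#   returns 0  entry present (already there, or appended now)
#   returns 1  file lists some other suite/mirror; refuses to guess, changes nothing
ensure_kali_sources() {
    f="${1:-/etc/apt/sources.list}"
    [ -f "$f" ] || : > "$f"

    # Active (uncommented) deb/deb-src lines that do not mention kali-rolling
    # mean this is not a stock Kali install, or someone pointed apt elsewhere.
    if grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" | grep -Evq 'kali-rolling'; then
        echo "$f has entries that are not kali-rolling; not touching it" >&2
        return 1
    fi

    # Commented-out lines (the installer's "# deb cdrom:..." leftover) do not count.
    if grep -Eq '^[[:space:]]*deb[[:space:]].*[[:space:]]kali-rolling([[:space:]]|$)' "$f"; then
        echo "kali-rolling entry already present in $f"
        return 0
    fi

    printf '%s\n' "$KALI_LINE" >> "$f"
    echo "appended kali-rolling entry to $f"
}
```

Try it on a copy first (cp /etc/apt/sources.list /tmp/s.list; ensure_kali_sources /tmp/s.list), then run it with sudo on the real file and follow with sudo apt update. apt verifies the repository's signature with the kali-archive-keyring package that the installer ships, so the http:// URL is not a problem for integrity; it only means the package list is downloaded in clear.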

Step 8: Installed Essential Pentest Tools

Even though many tools were already included (because I selected default tools during install), I made sure key tools were available:

sudo apt install -y nmap burpsuite wireshark metasploit-framework hydra john

They all installed without issues.

Optional (but useful):

sudo apt install docker.io
sudo systemctl enable --now docker
sudo usermod -aG docker $USER

⚠️ The last command makes the user root-equivalent on this VM: anyone in the docker group can start a container with the VM's filesystem mounted and write to it as root. That is acceptable inside a throwaway lab VM, but it is worth knowing what is being granted. The group change only takes effect after logging out and back in.

Step 9: Snapshot and Backup

Inside VirtualBox:

  • Took a full snapshot of the Kali VM (clean, freshly updated state)
  • Named it: fresh-install-snapshot

Why?
So I can always revert back if I break the system during testing. One caveat: a snapshot is stored in the same VM folder as the base disk, so it protects against my own mistakes inside Kali, not against losing the SSD. For a real backup, export the VM as an OVA (File > Export Appliance) to a different drive.
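The snapshot step from the command line, as an added example that is not part of the original post, including a revert routine that handles the case the GUI hides behind a greyed-out button: a snapshot cannot be restored while the VM is running. The VM and snapshot names are the ones used in this post; DRY_RUN and the run helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot, revert and backup of
# the Kali VM with VBoxManage.
VM_NAME="${VM_NAME:-kali-pentest}"
CLEAN_SNAP="${CLEAN_SNAP:-fresh-install-snapshot}"

# run: execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Current power state ("running", "poweroff", "saved", ...) from the
# machine-readable VM info.
vm_state() {
    VBoxManage showvminfo "$VM_NAME" --machinereadable | sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Take the clean snapshot once the VM is updated. Works on a live VM too;
# VirtualBox then saves the memory state along with the disk.
take_clean_snapshot() {
    run VBoxManage snapshot "$VM_NAME" take "$CLEAN_SNAP" \
        --description "Kali updated, tools installed, nothing touched yet"
}

# Revert to the clean state: power off if needed (restore is refused on a
# running machine), restore, boot again. The state can be passed explicitly,
# which is what a dry run does instead of asking VirtualBox.
revert_to_clean() {
    state="${1:-$(vm_state)}"
    if [ "$state" = "running" ]; then
        run VBoxManage controlvm "$VM_NAME" poweroff
    fi
    run VBoxManage snapshot "$VM_NAME" restore "$CLEAN_SNAP"
    run VBoxManage startvm "$VM_NAME"
}

# A snapshot lives next to the base disk, so it is not a backup; an OVA
# export to another drive is. The output path is an assumption.
backup_vm() {
    run VBoxManage export "$VM_NAME" -o "${1:-$VM_NAME.ova}"
}
```

Reverting with a hard poweroff is deliberate: the point of the clean snapshot is to discard whatever happened inside the VM, so there is nothing worth shutting down gracefully. Snapshots taken during an engagement (before running an exploit, before a risky config change) stack on top of the clean one, and VBoxManage snapshot kali-pentest list shows the tree.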

Final Thoughts

I started this project with zero setup, no prior ISO files or tooling. Now I have a working Kali machine with real tools, fully isolated from my main system, and ready to attack a replica of my own website — safely.

Stay tuned for Post 2.
