Build Your Own Attack Lab: Ideas, Part 1


You don’t need a six-figure budget or a corporate SOC to learn offensive security. You need a laptop, some free software, and a willingness to break things on purpose.

Every penetration tester, red teamer, and bug bounty hunter started somewhere — and for most of them, that somewhere was a home lab. The beauty of building your own attack lab is that you get to make mistakes in a place where nobody’s production database is on the line. You can launch exploits, crash servers, and trigger alarms without a single awkward conversation with your boss the next morning.

In this post, we’re walking through eight free tools that form a complete offensive security lab. By the end, you’ll have vulnerable targets to attack, weapons to attack them with, and challenges to sharpen your skills against. Let’s get into it.


1. Kali Linux — Your Weapon of Choice

If offensive security tools were a toolbox, Kali Linux would be the entire workshop. It’s a Debian-based distribution that ships with over 600 pre-installed security tools — everything from Nmap for network scanning to Burp Suite for web application testing to John the Ripper for password cracking.

How to Get It

Head over to kali.org/get-kali and download the installer image for your platform. If you’re running a home lab, the VMware or VirtualBox pre-built image is the fastest route — you’ll be up and running in minutes instead of stepping through an installer.

How to Install It

For VirtualBox, it’s dead simple:

  1. Download the VirtualBox image from the Kali downloads page. Older releases shipped a single .ova; current ones ship a .7z archive containing a .vbox file and a .vdi disk.
  2. For an .ova, open VirtualBox, go to File → Import Appliance, select the file and click Import. For the .7z, extract it and use Machine → Add to open the .vbox file.
  3. Allocate at least 4GB of RAM and 2 CPU cores (Settings → System) for a smooth experience.
  4. Boot the VM. Default credentials are kali / kali; change that password before you do anything else.

If you prefer VMware, grab the .vmx bundle instead and open it directly.

How to Use It

Once you’re in, update everything first:

sudo apt update && sudo apt upgrade -y

Kali organises its tools into menus by category — Information Gathering, Vulnerability Analysis, Web Application Analysis, Password Attacks, and so on. Don’t try to learn everything at once. Start with the basics: nmap for scanning, netcat for manual connections, and metasploit for exploitation. The rest will follow as you work through the targets below.

A crucial tip: keep the vulnerable targets off the internet. In your hypervisor, put Kali and the target VMs on a host-only or internal network. If Kali needs internet access for updates, give it a second NAT adapter rather than bridging anything onto your real LAN; a target like Metasploitable should never have a route to the outside world.


2. Metasploitable 2 — Your First Punching Bag

You’ve got your weapon. Now you need something to hit. Metasploitable 2 is an intentionally vulnerable Ubuntu Linux virtual machine created by the Rapid7 team (the same people behind Metasploit). It’s loaded with misconfigured services, weak credentials, and exploitable software — all by design.

How to Get It

Download the VM from SourceForge. The ZIP file is around 865MB.

How to Install It

  1. Extract the downloaded ZIP. Inside you’ll find a .vmdk file.
  2. In VirtualBox, create a new VM (Linux / Ubuntu 64-bit).
  3. When asked about a hard disk, choose Use an existing virtual hard disk file and point it to the .vmdk.
  4. Allocate 1GB of RAM (it doesn’t need much).
  5. Critical: Set the network adapter to Host-Only or Internal Network. This machine is dangerously insecure — you do not want it reachable from the internet.
  6. Boot it up. Login is msfadmin / msfadmin.

How to Use It

From your Kali machine, start by scanning Metasploitable to see what’s running:

nmap -sV -sC 192.168.56.101

(192.168.56.101 is the usual first DHCP lease on VirtualBox’s host-only network, but check rather than assume: run ifconfig on the Metasploitable console, or nmap -sn 192.168.56.0/24 from Kali.)

You’ll see a terrifying list of open ports — FTP, SSH, Telnet, HTTP, Samba, MySQL, PostgreSQL, and more. Each one is a doorway. Try these first exercises:

  • FTP Anonymous Login: Connect with ftp 192.168.56.101 and log in as anonymous with any password.
  • SSH Brute Force: The rockyou.txt wordlist is compressed by default on Kali, so decompress it first: sudo gunzip /usr/share/wordlists/rockyou.txt.gz. Then point Hydra at SSH: hydra -l msfadmin -P /usr/share/wordlists/rockyou.txt -t 4 ssh://192.168.56.101. Online brute force against SSH is slow (a handful of guesses per second), so don’t expect rockyou’s 14 million entries to finish in one sitting; to see a hit quickly, put msfadmin and a few decoys in a short wordlist of your own.
  • Metasploit Exploitation: Fire up msfconsole, run search vsftpd, then use exploit/unix/ftp/vsftpd_234_backdoor, set RHOSTS to the target and run it. The backdoor in vsftpd 2.3.4 hands you a root shell.

Document everything you do. Screenshots, commands, findings. This habit will serve you well whether you’re building a portfolio or writing a professional pentest report.
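A scan like the one above is the first thing you will want to write down. The script below, added here as an example and not part of the original post, reads the XML that nmap writes with -oX, lists the open ports, and flags the three exercises from the list above so the notes write themselves. The XML embedded in it is a constructed sample in nmap’s output format, not a real capture, and the version strings are illustrative.

```python
"""Triage an nmap -oX scan of a lab target and turn it into report notes.

Added example, not part of the original post. Usage:
    nmap -sV -sC -oX scan.xml 192.168.56.101 && python3 triage.py scan.xml
Run without arguments it parses the constructed SAMPLE_XML below.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format (not a real capture); the version
# strings are illustrative. 3306 is deliberately non-open to show it is skipped.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.168.56.101">
  <host>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" product="Linux telnetd"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per open port: host, port, proto, service, product,
    version and a {script_id: output} map of NSE script results."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
    return findings


def quick_wins(findings):
    """Flag the three first exercises from the post: anonymous FTP, the
    vsftpd 2.3.4 backdoor and cleartext telnet. Returns [(port, note)]."""
    notes = []
    for f in findings:
        if "Anonymous FTP login allowed" in f["scripts"].get("ftp-anon", ""):
            notes.append((f["port"], "anonymous FTP login: ftp <host>, user anonymous"))
        if f["product"] == "vsftpd" and f["version"].startswith("2.3.4"):
            notes.append((f["port"], "vsftpd 2.3.4: msfconsole, use exploit/unix/ftp/vsftpd_234_backdoor"))
        if f["service"] == "telnet":
            notes.append((f["port"], "telnet: cleartext logins, try msfadmin / msfadmin"))
    return notes


def markdown_report(findings, notes):
    """Render a table plus the quick-win list, ready to paste into lab notes."""
    lines = ["| Port | Service | Version |", "|---|---|---|"]
    for f in findings:
        ver = f"{f['product']} {f['version']}".strip()
        lines.append(f"| {f['port']}/{f['proto']} | {f['service']} | {ver} |")
    lines += ["", "Quick wins:"] + [f"- {port}: {note}" for port, note in notes]
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_open_ports(text)
    print(markdown_report(found, quick_wins(found)))
```

Extend quick_wins() with your own rules as you learn the box; the point is that every finding ends up in the notes with the command that reproduces it.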


3. Vulnserver — Master the Art of Buffer Overflows

Buffer overflows are one of the most fundamental classes of software vulnerabilities, and understanding them gives you an appreciation for how deeply software can go wrong. Vulnserver is a deliberately vulnerable Windows TCP server that exposes multiple buffer overflow vulnerabilities, each one slightly different from the last.

How to Get It

Clone or download from GitHub.

How to Install It

  1. You’ll need a Windows VM. Download a Windows 10 or 11 evaluation ISO from the Microsoft Evaluation Centre; these are free and valid for 90 days. (Windows 7 was traditionally used for this because it had fewer mitigations out of the box, but evaluation ISOs for it are no longer available.)
  2. Copy the Vulnserver files (vulnserver.exe and essfunc.dll, which must sit in the same folder) into the Windows VM.
  3. Download and install a debugger on the same Windows VM. Immunity Debugger is the classic choice, though its download page can be unreliable; x64dbg is a free, actively maintained alternative (use its x32dbg.exe, since vulnserver is a 32-bit binary). Bear in mind that the mona.py helper script only runs inside Immunity, so with x64dbg you will lean on Metasploit’s pattern tools from Kali instead.
  4. Run vulnserver.exe (it listens on port 9999 unless you pass another port as its argument) and accept the Windows Firewall prompt so the port is reachable from Kali.

How to Use It

The classic starting point is the TRUN command. Here’s the workflow:

  1. Connect and explore: From Kali, use nc 192.168.56.102 9999 and type HELP to see available commands.
  2. Fuzz: Write a Python script that sends increasingly long strings to the TRUN command until the server crashes.
  3. Find the offset: Use Metasploit’s pattern tools (msf-pattern_create -l 3000 on Kali, then msf-pattern_offset -q <EIP value> with the value the debugger shows at the crash) to find exactly where the EIP overwrite happens.
  4. Control EIP: Replace the crash string with a precisely placed return address.
  5. Shellcode: Generate a reverse shell payload with msfvenom and drop it into your exploit.

Attach your debugger to the vulnserver.exe process before you start fuzzing — watching the registers change in real time as your exploit lands is one of the most satisfying moments in learning security.

Note: If you’re using a modern version of Windows (10 or 11), you’ll need to disable ASLR and DEP for vulnserver.exe, otherwise your exploits won’t behave as expected. This is part of the learning process — understanding why those mitigations exist becomes much clearer once you’ve seen an exploit succeed without them.


4. WebGoat — Learn Web Vulnerabilities Step by Step

OWASP’s WebGoat is a deliberately insecure web application designed to teach web security through interactive lessons. Unlike just throwing you at a vulnerable app and saying “hack it,” WebGoat walks you through each vulnerability with explanations, hints, and guided exercises.

How to Get It

The easiest path is Docker. Pull the image from Docker Hub and run it bound to localhost:

docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat

How to Install It

If you don’t have Docker:

  1. Make sure you have a JDK installed (Java 17 or newer for recent releases; the README states the current minimum).
  2. Download the latest .jar file from the GitHub Releases page.
  3. Run it:
java -Dfile.encoding=UTF-8 -jar webgoat-<version>.jar

(Replace <version> with the actual version number from the file you downloaded.)

  4. Open your browser to http://localhost:8080/WebGoat and register an account. Keep the app reachable from localhost only, the default, since it is insecure by design.

How to Use It

WebGoat organises lessons by vulnerability category. Start with these:

  • SQL Injection: Learn how a single quote in a login form can bypass authentication or dump entire databases.
  • Cross-Site Scripting (XSS): Inject JavaScript into pages and understand why input validation matters.
  • Broken Authentication: Explore session hijacking and credential stuffing.

Each lesson gives you a scenario, a text explanation, and then a challenge where you need to exploit the vulnerability to proceed. If you get stuck, there’s a hints system. This structured approach makes WebGoat one of the best tools for beginners — you’re learning why something is vulnerable, not just that it is.


5. OWASP Juice Shop — The Modern Hacking Playground

If WebGoat is a textbook, Juice Shop is the final exam. It’s a modern single-page application (built with Node.js and Angular) that’s riddled with vulnerabilities from the OWASP Top 10 and beyond. It looks and feels like a real e-commerce site, which makes finding and exploiting the vulnerabilities far more realistic.

How to Get It

Docker is again the quickest path; the image lives on Docker Hub. Bind it to localhost so the deliberately vulnerable app is not reachable from your LAN:

docker run -d --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop

How to Install It

Without Docker:

  1. Install Node.js (check the Juice Shop README for the supported versions).
  2. Clone the repository, install its dependencies and start it:
git clone https://github.com/juice-shop/juice-shop.git --depth 1
cd juice-shop
npm install
npm start
  3. Browse to http://localhost:3000.

How to Use It

Juice Shop tracks your progress on a hidden Score Board (finding it is actually one of the challenges). There are over 100 challenges across difficulty levels from one to six stars. Some starting points:

  • Find the Score Board — It’s not linked anywhere in the UI. Think about how modern SPAs route pages.
  • Login as admin — The login form is vulnerable to SQL injection. Enter ' OR 1=1-- as the email and anything as the password. Juice Shop’s backend is SQLite, where -- starts a comment on its own; in MySQL the dashes must be followed by a space, so typing the comment as "-- " with a trailing space is a habit that works against both.
  • Access someone else’s basket — Manipulate API requests by changing IDs.
  • Find a confidential document — Directory traversal in the file server.

Pro tip: open your browser’s DevTools and watch the network requests as you navigate. Juice Shop’s REST API leaks information everywhere.
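To see why that payload works, and why the fix is bound parameters rather than stripping quotes, here is a self-contained reproduction added as an example; it is not code from WebGoat or Juice Shop, and it covers both the WebGoat SQL injection lesson and the Juice Shop admin login above. The users table, the two accounts and the unsalted-MD5 password scheme are constructed to look like a typical weak login; sqlite3 is used because Juice Shop’s backend happens to be SQLite too.

```python
"""Why ' OR 1=1-- logs you in as admin, and why bound parameters stop it.

Added example, not code from WebGoat or Juice Shop. The table, the two
accounts and the unsalted-MD5 password scheme are constructed to look like a
typical weak login; sqlite3 is used because Juice Shop's backend is SQLite.
SQLite treats -- as a comment with nothing after it; MySQL would need a
trailing space, which is where the "-- " habit comes from.
"""
import hashlib
import sqlite3


def make_db():
    """In-memory users table with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin@example.test", hashlib.md5(b"admin123").hexdigest(), "admin"),
        (2, "jim@example.test", hashlib.md5(b"ncc-1701").hexdigest(), "customer"),
    ])
    return db


def login_vulnerable(db, email, password):
    """The bug: user input is pasted into the SQL text. A quote in `email`
    closes the string literal and -- comments out the password check, so
    ' OR 1=1-- matches every row (the first is admin) and
    jim@example.test'-- returns Jim without knowing his password."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT id, email, role FROM users "
           f"WHERE email = '{email}' AND password = '{pw_hash}'")
    return db.execute(sql).fetchone()


def login_safe(db, email, password):
    """The fix: placeholders. The values travel separately from the query
    text, so a quote or -- inside `email` is data, never syntax."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT id, email, role FROM users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, pw_hash)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ("' OR 1=1--", "jim@example.test'--", "admin@example.test"):
        print(f"{payload!r:24} vulnerable -> {login_vulnerable(db, payload, 'wrong')}"
              f"   safe -> {login_safe(db, payload, 'wrong')}")
```

The second payload is the more useful one in practice: once you know a victim’s email, a closing quote and a comment skip the password check for that one account, which is how the “log in as another user” challenges in both apps are solved.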


6. GoPhish — Run Your Own Phishing Campaigns

Social engineering remains one of the most common initial-access vectors in real-world breaches, and phishing is its most common delivery mechanism. GoPhish is an open-source phishing simulation platform that lets you create, send, and track phishing campaigns, all within your lab.

How to Get It

Download the latest release for your OS from getgophish.com.

How to Install It

  1. Extract the downloaded archive.
  2. Run the binary:
./gophish
  3. GoPhish starts a web admin panel on https://localhost:3333 (self-signed certificate, so expect a browser warning) and the phishing landing-page server on port 80 on all interfaces, which on Linux needs root or CAP_NET_BIND_SERVICE. Edit the phish_server listen_url in config.json before launching if you want it on a high port or bound to your lab interface only. The admin credentials are printed in the terminal output on first launch (username admin and a generated password).
  4. Log in and change that password immediately.

How to Use It

Setting up a campaign involves five steps:

  1. Create a Sending Profile: Configure an SMTP server. For lab use, you can run a local mail server like MailHog or use a test SMTP service.
  2. Build an Email Template: Write your phishing email. GoPhish supports HTML templates and lets you include tracking images and phishing links automatically.
  3. Create a Landing Page: This is the fake login page your targets will see. You can import any website with GoPhish’s built-in site cloner.
  4. Set Up a User Group: Add your target email addresses (in a lab, these are your own test accounts).
  5. Launch the Campaign: Hit send and watch the dashboard as emails are delivered, opened, and links are clicked.

GoPhish gives you real metrics — who opened the email, who clicked the link, who submitted credentials. In a professional setting, this data drives security awareness training. In your lab, it helps you understand just how convincing a well-crafted phish can be.
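If you would rather not install MailHog for the sending-profile step, a few dozen lines of Python are enough to catch what GoPhish sends. The script below is an added example, not GoPhish code: a minimal SMTP sink that accepts any sender and recipient without authentication, keeps each message in memory, and parses it back out so you can confirm the subject, recipient and tracking link landed as intended. Point the Sending Profile at 127.0.0.1:1025 with no credentials and no TLS. send_sample() delivers a constructed message to it so the script exercises itself; the addresses and link in it are made up.

```python
"""Minimal local SMTP sink so lab phishing campaigns land somewhere readable.

Added example, not GoPhish code. It accepts any sender and recipient without
authentication, stores each message in memory and prints a one-line summary.
Point GoPhish's Sending Profile at 127.0.0.1:1025 (no TLS, no credentials).
Lab use only: it accepts everything and relays nothing.
"""
import email
import smtplib
import socketserver
import threading
from email import policy


class _Session(socketserver.StreamRequestHandler):
    """One SMTP conversation: just enough of the protocol for smtplib and GoPhish."""

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("220 lab-sink ESMTP")
        sender, rcpts = None, []
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("utf-8", "replace").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 lab-sink")
            elif verb == "MAIL":
                sender = cmd.split(":", 1)[1].strip()
                self.reply("250 OK")
            elif verb == "RCPT":
                rcpts.append(cmd.split(":", 1)[1].strip())
                self.reply("250 OK")
            elif verb == "DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                raw = bytearray()
                while True:
                    l = self.rfile.readline()
                    if l == b".\r\n" or not l:
                        break
                    raw += l[1:] if l.startswith(b"..") else l   # undo dot-stuffing
                self.server.inbox.append({"from": sender, "to": rcpts, "raw": bytes(raw)})
                print(f"[sink] {sender} -> {', '.join(rcpts)} ({len(raw)} bytes)")
                sender, rcpts = None, []
                self.reply("250 OK queued")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("250 OK")    # NOOP, RSET and anything else we don't care about


class SmtpSink(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address=("127.0.0.1", 1025)):
        super().__init__(address, _Session)
        self.inbox = []


def start_sink(host="127.0.0.1", port=0):
    """Run the sink in a background thread. Returns (server, bound_port);
    port 0 lets the OS pick a free one."""
    srv = SmtpSink((host, port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def parse_message(raw):
    """Pull the fields you'd check after a campaign out of a stored message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    return {"subject": msg["subject"], "from": msg["from"], "to": msg["to"],
            "body": body.get_content() if body is not None else ""}


def send_sample(port, host="127.0.0.1"):
    """Deliver a constructed phishing-style mail the way GoPhish would
    (plain SMTP, no auth). Addresses and the rid= link are made up."""
    msg = ("From: IT Support <it@example.test>\r\n"
           "To: tester@example.test\r\n"
           "Subject: Password expiry notice\r\n"
           "\r\n"
           "Your password expires today. Reset it at http://127.0.0.1/?rid=abc123\r\n")
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.sendmail("it@example.test", ["tester@example.test"], msg)


if __name__ == "__main__":
    sink = SmtpSink()
    print("SMTP sink listening on 127.0.0.1:1025, Ctrl-C to stop")
    sink.serve_forever()
```

Once a campaign has run, call parse_message() on each entry in inbox and check that the {{.URL}} in your template became a link carrying the per-recipient rid parameter; if it did not, the Sending Profile or template is wrong, not the targets.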


7. PortSwigger Web Security Academy — Free World-Class Training

PortSwigger (the company behind Burp Suite) runs the Web Security Academy, which is genuinely one of the best free cybersecurity training resources on the internet. It’s not a tool you install — it’s an online platform with detailed learning materials and interactive labs that spin up real vulnerable web applications for you to hack.

How to Get It

Go to portswigger.net/web-security and create a free account. That’s it.

How to Set Up

While the labs run entirely in your browser, you’ll want Burp Suite Community Edition (free) installed locally to intercept and modify HTTP requests:

  1. Download Burp Suite Community from portswigger.net.
  2. Configure your browser to proxy through Burp (127.0.0.1:8080 by default). If WebGoat is running on the same machine it already occupies 8080, so move Burp’s listener to another port under Proxy → Proxy settings; alternatively, Burp’s built-in browser needs no proxy setup at all.
  3. Install Burp’s CA certificate in your browser (with the proxy active, download it from http://burp/cert) to avoid HTTPS warnings.

How to Use It

The Academy is organised into learning paths. Start with the Server-Side path if you’re new:

  • SQL Injection: Multiple labs from basic UNION attacks to blind injection and second-order injection.
  • Authentication Vulnerabilities: Brute-force attacks, 2FA bypasses, and logic flaws.
  • Path Traversal: Read arbitrary files from the server.
  • Server-Side Request Forgery (SSRF): Make the server send requests on your behalf.

Each topic has a written explanation, then a series of labs graded as Apprentice, Practitioner, or Expert. Each lab spins up a fresh instance of a vulnerable application for you; exploit it and the lab marks itself solved. If you are the first to solve a newly released lab, you make it into their Hall of Fame.

The best part? Because the labs are hosted by PortSwigger, you don’t need to run anything locally beyond Burp Suite. It’s the lowest barrier to entry on this entire list.


8. CTFlearn — Sharpen Your Skills With Capture the Flag

Capture the Flag competitions are where security knowledge meets puzzle-solving. CTFlearn is a beginner-friendly platform that hosts hundreds of CTF challenges across categories like cryptography, forensics, web exploitation, binary analysis, and reverse engineering.

How to Get It

Go to ctflearn.com and create a free account.

How to Set Up

Most challenges can be solved from any Linux machine with standard tools installed. Your Kali VM is already perfectly equipped. For some challenges, you might also want:

  • CyberChef (gchq.github.io/CyberChef) — a browser-based tool for encoding, decoding, and data manipulation.
  • Ghidra — the NSA’s free reverse engineering tool, available from Kali’s repositories (sudo apt install ghidra).
  • Python 3 — for scripting custom solutions.

How to Use It

CTFlearn sorts challenges by difficulty and point value. Start with the easiest ones and work your way up:

  • Forensics: You might get a corrupted image file and need to recover hidden data.
  • Cryptography: Decode ciphers, crack hashes, or break weak encryption schemes.
  • Web: Find hidden parameters, exploit misconfigured servers, or chain multiple vulnerabilities together.
  • Binary: Reverse-engineer compiled programs to find hidden flags.

The community aspect is huge — each challenge has a discussion thread where people share hints (not solutions). When you solve a challenge, you earn points that show up on a global leaderboard.

CTFlearn is excellent for daily practice. Knock out one challenge a day and you’ll be amazed at how quickly your skills compound.


Putting It All Together

Here’s how all eight tools fit into a complete attack lab workflow:

Your workstation is Kali Linux. It’s where you run all your tools from.

Your targets are Metasploitable 2 (network-level attacks), Vulnserver (binary exploitation), WebGoat (guided web security learning), and Juice Shop (realistic web application hacking).

Your simulation platform is GoPhish for social engineering practice.

Your training grounds are PortSwigger Web Security Academy and CTFlearn for structured skill-building.

Set all of this up on a single machine with 16GB of RAM and a hypervisor like VirtualBox (or Proxmox if you have a dedicated box). Put your Kali box and your target VMs on a host-only network (VirtualBox’s default is 192.168.56.0/24) so they can communicate with each other but nothing leaks out to the wider network; if Kali needs updates, give it a second NAT adapter rather than bridging the lab onto your LAN. With that in place, you’ve got a lab that rivals what many companies pay thousands of pounds to simulate. The only cost is your time, and that time is one of the best investments you can make in a cybersecurity career.

In the next post, we’ll flip to the other side of the fence and build out a complete defensive security stack. Because the best attackers understand defence, and the best defenders understand attack.

Happy hacking.