After this lesson, you will be able to set up a safe, isolated security lab: install VirtualBox and Kali Linux, configure isolated networking, take snapshots, and add a deliberately vulnerable target VM.
This is the practical foundation for every hands-on lab in the Cybersecurity track. You will install VirtualBox and Kali Linux, configure an isolated network so your experiments never touch production, learn the snapshot workflow, and stand up a Metasploitable 2 target. Complete this before any lab that needs Kali.
This is a free introductory lesson. No purchase required.
Kali Linux is a Debian-based distribution maintained by OffSec (Offensive Security) with hundreds of security tools preinstalled: Nmap, Metasploit, Burp Suite, Wireshark, Hydra, aircrack-ng, and more. It exists so you do not spend days installing and configuring tooling. It is the de facto standard for penetration testing and security training. You run it as a VM, not as your daily operating system.
VirtualBox is free and cross-platform. Use the official Kali VM image to skip manual installation.
1. Install VirtualBox (free) from virtualbox.org.
2. Download the official Kali VirtualBox image from kali.org (prebuilt, imports in minutes).
3. Import the .ova into VirtualBox and start it; log in with the default credentials, then change the password.
4. Update the system with: sudo apt update && sudo apt full-upgrade -y
5. Explore the application menu; note where the major tool categories live.
Networking is where labs go wrong. Use a Host-Only or Internal Network adapter so the lab VMs can talk to each other but not to the internet or your home network. NAT gives a VM internet access (useful for updates), but it should not be active during attack exercises against other VMs, because that traffic could leak out of the lab. The safest pattern: one adapter on an isolated internal network for attacks, and NAT switched on only briefly when you need to update.
Snapshots let you reset to a known-good state after every messy lab.
1. With Kali installed and updated, take a VirtualBox snapshot named 'clean'.
2. You can always revert to 'clean' if something breaks, so each lab starts from a known-good state.
3. Download Metasploitable 2 (a deliberately vulnerable Linux VM) and import it.
4. Put Metasploitable on the SAME isolated internal network as Kali, and never expose it to the internet (it is full of holes by design).
5. From Kali, confirm you can reach the target (ping its IP) and take a 'clean' snapshot of the target too.
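To check the isolation described above before starting a lab, the following added example (not part of the original lesson) audits the adapter modes that VBoxManage showvminfo --machinereadable reports and confirms both VMs sit on the same internal network. The VM names "Kali" and "Metasploitable2", the network name "labnet", and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit VirtualBox NIC attachment modes for lab isolation.
# Live use (VM names are assumptions; use the names shown in your VirtualBox):
#   VBoxManage showvminfo "Kali" --machinereadable | audit_nics

# audit_nics: reads machine-readable VM info on stdin and prints one line
# ("nicN=mode") for every adapter that can reach beyond the lab.
# Internal Network and Host-Only adapters pass; unattached adapters are ignored.
audit_nics() {
    sed -n 's/^nic\([0-9][0-9]*\)="\([^"]*\)"$/\1 \2/p' |
    while read -r n mode; do
        case "$mode" in
            none|null) ;;                      # adapter not attached
            intnet|hostonly|hostonlynet) ;;    # stays inside the lab
            *) echo "nic$n=$mode" ;;           # nat, bridged, natnetwork, ...
        esac
    done
}

# lab_nets: prints the internal network name(s) a VM is attached to.
lab_nets() {
    sed -n 's/^intnet[0-9][0-9]*="\([^"]*\)"$/\1/p' | sort -u
}

# Constructed sample: Kali with the NAT update adapter left switched on.
sample_kali() {
    cat <<'EOF'
name="Kali"
nic1="intnet"
intnet1="labnet"
nictype1="82540EM"
nic2="nat"
natnet2="nat"
EOF
}

# Constructed sample: target attached to the internal network only.
sample_target() {
    cat <<'EOF'
name="Metasploitable2"
nic1="intnet"
intnet1="labnet"
nic2="none"
EOF
}

echo "Kali non-isolated adapters:   $(sample_kali | audit_nics)"
echo "Target non-isolated adapters: $(sample_target | audit_nics)"
echo "Kali lab network: $(sample_kali | lab_nets)  Target lab network: $(sample_target | lab_nets)"
```

Any line printed by audit_nics means that adapter should be disabled before the exercise starts; empty output for both VMs plus matching lab_nets names is the state to snapshot.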
Not every lab needs a full Kali VM. Docker Compose can spin up isolated networks of containers (attacker, victim, vulnerable web app) quickly and tear them down cleanly, which is ideal for the network-attack and web-app labs in this track. Use VMs for full-system and wireless work; use Docker for fast, disposable, single-service targets like DVWA.