Phase 0 — Before Any Lab

Build Your Home Lab

Everything you need to run Kali Linux, SIFT Workstation, REMnux, and Flare-VM locally — free, fully isolated, and ready for real security work.

1. System Requirements
Verify your machine can run multiple VMs before downloading anything
⚠️
Virtualization must be enabled in BIOS/UEFI. On most machines this is off by default. Search "enable VT-x [your CPU brand]" or "enable AMD-V [your motherboard]" for your specific steps. Without this, no hypervisor will work.

💾 Memory (RAM)

Minimum: 16 GB
Recommended: 32 GB
Why: Running 2–3 VMs simultaneously

🖥️ Storage

Minimum free: 200 GB
Recommended: 500 GB SSD
Why: VM snapshots consume significant space

⚙️ CPU

Minimum: Quad-core (Intel i5/Ryzen 5)
Recommended: 8-core with VT-x/AMD-V
Required feature: Hardware virtualization enabled

🖥️ Host OS

Windows: 10 / 11 (64-bit)
macOS: 12 Monterey or newer
Linux: Ubuntu 20.04 / Debian 11+

Check RAM: open Task Manager (Windows) or Activity Monitor (Mac) → verify 16 GB+ installed
Check free disk space: need 200 GB+ free on an SSD if possible
Windows: Open Task Manager → Performance → CPU → confirm "Virtualization: Enabled"
Mac (Apple Silicon): VirtualBox doesn't support M1/M2. Use UTM (free) or VMware Fusion 13+ instead.
2. Install a Hypervisor
The software that runs your virtual machines. Pick one — both are free.
VirtualBox: Best choice for beginners. Free, open-source, runs on Windows/Mac/Linux. All lab instructions in this course use VirtualBox commands and settings.
Download VirtualBox for your OS: virtualbox.org/wiki/Downloads →
On the same page, also download the VirtualBox Extension Pack — provides USB 2.0/3.0 and better VM performance
Install VirtualBox first, then double-click the Extension Pack to install it
Verify installation — open a terminal and run:
# Windows (PowerShell)
vboxmanage --version
# Expected output: 7.0.x or similar
ℹ️
VMware: Better performance on Windows. VMware Workstation Player is free for personal use. Mac users need VMware Fusion (also free for personal use).
Windows/Linux: Download VMware Workstation Player (free)
Mac: Download VMware Fusion Player (free for personal use)
Install and create a free account when prompted. Select "Use VMware Workstation Player for free for non-commercial use"
3. Download & Import Virtual Machines
Five free VMs covering attack, forensics, malware analysis, and vulnerable targets
💡
You don't need all VMs on day one. Start with Kali Linux. Add SIFT and REMnux before Week 5 labs. Flare-VM is used in the malware analysis module.
🐉

Kali Linux

Penetration testing, network scanning, password cracking, wireless attacks

Tags: Attack, Pen Testing, Network
RAM: 4 GB
Processors: 2 vCPU
Storage: 80 GB
Default Creds: kali / kali
Download the VirtualBox or VMware pre-built image: kali.org/get-kali/#kali-virtual-machines → (choose the .ova or .7z for your hypervisor)
VirtualBox: File → Import Appliance → select the .ova file → set RAM to 4 GB → Import
Boot the VM, log in with kali / kali, then update all packages:
sudo apt update && sudo apt full-upgrade -y
# This may take 10-20 minutes on first run
Verify key tools are present: nmap --version, wireshark --version, msfconsole --version
🔑
Change the default password immediately: passwd in terminal. Never leave kali/kali as credentials on a network-connected VM.
🔬

SIFT Workstation (SANS, Free)

Digital forensics, incident response, memory analysis, timeline analysis

Tags: DFIR, Forensics, Memory Analysis
RAM: 8 GB
Processors: 4 vCPU
Storage: 60 GB
Username: sansforensics

SIFT includes: Volatility, Autopsy, Sleuth Kit, Plaso, bulk_extractor, Foremost, log2timeline, Wireshark, NetworkMiner, Rekall and 80+ additional forensics tools.

Free download (SANS account required): sans.org/tools/sift-workstation/ →
Import the OVA file into VirtualBox. Allocate at least 8 GB RAM — Volatility memory analysis is memory-intensive
Default password is forensics. Change it immediately after first boot
Verify key tools:
volatility --info | head -20
log2timeline.py --version
autopsy & # opens in browser at localhost:9999
🦠

REMnux (SANS, Free)

Malware analysis, reverse engineering, static & dynamic analysis of suspicious files

Tags: Malware RE, Static Analysis, Dynamic Analysis
RAM: 4 GB
Processors: 2 vCPU
Storage: 40 GB
Username: remnux

REMnux includes: FLOSS, Capa, Ghidra, Cutter (radare2), pefile, YARA, PE-bear, oletools, CyberChef, VirusTotal CLI, Detect-It-Easy and 150+ analysis tools.

Free download: remnux.org → — choose the OVA for VirtualBox or VMDK for VMware
Import and set network to Host-Only + Internal Network "malware-net" — this isolates malware from reaching the internet through your host
Verify tools after boot:
floss --version
capa --version
remnux list-installed-packages | grep -c .
# Should show 100+ packages
🚫
Never give REMnux a NAT adapter when analyzing real malware. Samples will phone home. Use Host-Only + INetSim to simulate network responses safely.
🔥

Flare-VM (Mandiant, Free)

Windows-based malware analysis — debuggers, disassemblers, PE tools, .NET decompilers

Tags: Windows RE, Debugger, .NET Analysis
RAM: 8 GB
Processors: 4 vCPU
Storage: 80 GB
Base OS: Windows 10

Flare-VM includes: x64dbg, OllyDbg, PE-bear, CFF Explorer, Ghidra, IDA Free, dnSpy, de4dot, FLOSS, Wireshark, Process Monitor, Process Hacker and 50+ Windows tools.

⚠️
Flare-VM installs on top of a clean Windows VM. You need a Windows 10 base image first. A 90-day evaluation version from Microsoft works.
Get a Windows 10 evaluation VM (90-day free): Microsoft Eval Center →
Import the Windows VM. Allocate 8 GB RAM, 4 vCPU. Take a clean snapshot before running the Flare-VM installer
Disable Windows Defender (Flare will re-configure it). In the Windows VM, open PowerShell as Administrator and run:
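# Step 1: Disable Windows Defender real-time protection first
# (turn off Tamper Protection in Windows Security beforehand; while it is on, Windows ignores this change)
Set-MpPreference -DisableRealtimeMonitoring $true

# Step 2: Download the Flare-VM installer to the Desktop and run it from there
# An elevated PowerShell starts in C:\Windows\System32, so change to the Desktop first
Set-Location ([Environment]::GetFolderPath('Desktop'))
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath('Desktop'))\install.ps1")
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1
# Installation takes 30-60 minutes — do not interrupt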
After install completes and VM reboots, take a "Flare-VM Clean" snapshot — this is your restore point for every malware lab
🎯

Metasploitable 3 (Rapid7, Free)

Intentionally vulnerable Linux & Windows targets for practicing attacks and detection

Tags: Vulnerable Target, Practice
RAM: 2 GB
Processors: 1 vCPU
Storage: 40 GB
Default Creds: vagrant / vagrant
🚨
NEVER connect Metasploitable to the internet. It is full of critical vulnerabilities by design. Host-Only network only.
Pre-built OVA download: SourceForge — Metasploitable →
Import into VirtualBox. Set network adapter to Host-Only only (no NAT, no bridged)
From Kali, verify you can reach it: nmap -sV 192.168.56.101 — you should see 20+ open vulnerable services
4. Configure Lab Networks
Set up isolated networks so VMs can talk to each other without reaching the internet
Lab Network Architecture

Host-Only Network — 192.168.56.0/24
All VMs can see each other • No internet access from this network
🐉 Kali Linux: 192.168.56.10
🔬 SIFT: 192.168.56.20
🎯 Metasploitable: 192.168.56.101

Internal Network "malware-net" — 10.0.0.0/24 (Air-Gapped)
Completely isolated • Malware cannot reach internet or host network • REMnux acts as fake DNS/gateway
🦠 REMnux: 10.0.0.1
🔥 Flare-VM: 10.0.0.2

NAT (Kali only) — Internet access for tool updates & research
🐉 Kali: NAT adapter → 🌐 Internet (tool updates only)

Create Host-Only Network (VirtualBox)

Open VirtualBox → File → Host Network Manager → click Create
Set IPv4 Address: 192.168.56.1, Mask: 255.255.255.0 — disable DHCP (we'll assign static IPs)
For each VM: Settings → Network → Adapter 1 → Host-Only Adapter
Kali only: Settings → Network → Adapter 2 → NAT (for internet tool updates)
REMnux + Flare-VM: Add a second adapter → Internal Network → name it malware-net
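
The adapter rules above (Host-Only for every VM, NAT on Kali only, Internal Network "malware-net" for REMnux and Flare-VM) can be checked from the host instead of by clicking through each VM's settings. The following is an added example, not part of the original course material: it parses the output of VBoxManage showvminfo <vm> --machinereadable and reports any adapter that breaks those rules. The VM names in POLICY and the sample output are assumptions; use the names you gave your VMs on import.

```python
import re
import subprocess

# Allowed adapter modes per VM, from the network steps above.
# VM names are assumptions: use the names you chose when importing.
POLICY = {
    "Kali": {"hostonly", "nat"},
    "SIFT": {"hostonly"},
    "Metasploitable": {"hostonly"},
    "REMnux": {"hostonly", "intnet"},
    "Flare-VM": {"hostonly", "intnet"},
}
MALWARE_NET = "malware-net"

def parse_showvminfo(text):
    """Parse key="value" lines of --machinereadable output into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info

def audit(vm, info):
    """Return the list of rule violations for one VM (empty means compliant)."""
    problems = []
    for key, mode in info.items():
        slot = re.fullmatch(r"nic(\d+)", key)
        if not slot or mode == "none":
            continue  # not an adapter line, or adapter disabled
        n = slot.group(1)
        net = info.get("intnet" + n)
        if mode not in POLICY[vm]:
            problems.append(f"{vm}: adapter {n} is {mode}, not allowed")
        elif mode == "intnet" and net != MALWARE_NET:
            problems.append(f"{vm}: adapter {n} is on internal network {net}")
    return problems

def audit_live(vm):
    """Audit a real VM on the host; needs VBoxManage on PATH."""
    cmd = ["VBoxManage", "showvminfo", vm, "--machinereadable"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return audit(vm, parse_showvminfo(out.stdout))

# Constructed sample: a REMnux VM left with a NAT adapter on slot 3.
SAMPLE_REMNUX = ('nic1="hostonly"\nnic2="intnet"\nintnet2="malware-net"\n'
                 'nic3="nat"\nnic4="none"\n')

if __name__ == "__main__":
    print(audit("REMnux", parse_showvminfo(SAMPLE_REMNUX)))
```

Run audit_live("REMnux") on the host before each malware lab; an empty list means the VM's adapters match the rules.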
5. Take Snapshots & Verify
Snapshots are your undo button — take one before every lab
📸
Golden rule: Before starting ANY lab, take a snapshot named "Pre-Lab [date]". After the lab, revert to it to get a clean state. This takes 30 seconds and saves hours of rebuilding.
Boot each VM, let it fully load, then right-click the VM → Snapshots → Take. Name it "Clean State — [date]"
Verify Kali tools are working:
# Run these in your Kali VM
nmap --version # Should show 7.x
wireshark --version # Should show 4.x
msfconsole --version # Should show Metasploit Framework 6.x
python3 --version # Python 3.11+
hashcat --version # Should show 6.x

Full Verification Checklist

VM        Command to Run                      Expected Result
Kali      nmap -sV 192.168.56.101             Sees Metasploitable open ports
Kali      wireshark -v                        Version info shown
SIFT      volatility --info | head -5         Lists OS profiles
SIFT      autopsy                             Web UI opens on port 9999
REMnux    floss --version                     FLOSS version shown
REMnux    capa --version                      Capa version shown
Flare-VM  Open Start Menu → search "x64dbg"   x64dbg icon visible
Flare-VM  Open Start Menu → search "Ghidra"   Ghidra icon visible

All tools verified and working on all VMs
Clean State snapshot taken on all VMs
Lab network verified — Kali can ping Metasploitable: ping 192.168.56.101

Your Lab Is Ready

You now have a professional-grade security lab that rivals what analysts use at Fortune 500 companies — and it cost you nothing but time. Time to put it to work.