Set Up A Penetration Testing Lab Easily With Vagrant

Today we will be looking at a neat little command line tool called Vagrant. This tool allows us to deploy virtual machines seamlessly and we are going to show you how to set up a pen testing lab at home without hassles.

We will be doing this on a Windows10 machine and deploying an Ubuntu container as well as a Kali Linux container, simply because we love Linux.

Firstly you will need to download Virtual box from here and Vagrant from here. Install doing the usual Windows Wizard method. Once you have both installed start up your Virtualbox GUI. Our one currently looks like this:



As will yours when we get set up. Next you will need to create a folder where you deploy the containers from. So lets open up a command prompt (Click Windows Icon / type cmd).

Once the command prompt is open you need to type mkdir <name of folder>. In our case it’s:

 mkdir vagrant

Next move into the vagrant folder we just created:

cd vagrant

Then we need to start the instance, this is simply done by typing:

vagrant init v1 

We just named it V1.

This will initialize the Vagrant ‘Box’ and create a vagrantfile where the you can configure the box.



Once the box is initialized, we need to give the command:

vagrant up 

This will start the virtual machine.


When you do this you will see the virtual machine appear in the VirtualBox GUI start up (as we’ve seen in the first image of the post).

Once start up has finished all we need to do now is SSH into the box.


As the image shows the command is:

vagrant ssh v1

This will give us a command line to the Ubuntu box.


Voila! we have a running VM. Okay, let’s check what the IP of the machine is. This will be a static IP assigned automatically by DHCP. Type: ifconfig


Perfect, our VM has an IP in our local network on interface eth1. So when we set up the attacking machine we will know the target IP.

Next, we need to set up a server on the virtual machine so that we can see it from our, soon to be spawned, attacking machine: sudo apt install apache2 will go ahead and do that for you. Once it is installed we just need to wake the server:

service apache2 start


That was not too much trouble, we have a web server running Apache on our virtual machine in minutes. This means we now have a /var/www/html directory where we can start to build our application (more to come on that front).

Next we’ll set up the target machine, we will go for Kali Linux. We can do all this on the command line so open another terminal (cmd as before) and move to the vagrant file we created earlier.

cd vagrant

Now lets create a new directory and call it Kali: mkdir kali

Move into the directory:

cd kali

Now let’s spawn the Kali machine, there are 2 simple commands:


Let Vagrant do it’s thing. be patient.


This step will take a few minutes but you will see the Kali box start in the VirtualBox GUI. Once the virtual machine is powered on we get a new instance of Kali Linux.

Login root, password toor. This will log you in as root user and it’s probably best to change the root password after installation, also add users so you are not always root.

We won’t go down that rabbit hole today and concentrate on the task at hand. We have a full Kali GUI.


Perfect, next we will see if we can connect to the target Ubuntu machine. Open up a command prompt and type:



We have contact. We know there’s a web server on the IP so lets see if we can see it in a browser on the Kali box.


The Apache default web page tells us we can reach it through the browser.

Well done, you have successfully set up an attacking and defending machine, what you do next is up to you.

Us, we will be building a web app on the Ubuntu box, we will post about the creation of that in later blog posts.

After that we plan to pen test it and again blog post that experience.

So stay tuned to linuxsecurityblog for future posts. Ciao for now!

QuBits 2019-05-30





Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.