VirtualBox and Kali Linux

  1. Download VirtualBox and the Kali Linux ISO. Make sure you verify your downloads.
  2. Install VirtualBox and run it. Prepare the Host-Only network by opening the VirtualBox Preferences -> Network -> Host-only Networks. Add a new network (there should be only one) and edit it so it matches the following image.

    Kali Host-Only network config

    This will configure a DHCP server on, the host (your computer) on, and DHCP will serve a range of to for the VMs. I choose that subnet to avoid any possible conflicts. If you have networking issues, try changing to a different subnet.
  3. In VirtualBox, create a new Linux 2.6/3.x/4.x VM. Just follow the prompts. Kali's RAM and disk requirements are on their website.

    You can edit the settings for the newly created VM. I disable audio and USB (you'll have to change the pointing device to PS/2) to save resources. You can also increase the number of CPUs allocated and change other settings as you wish.
  4. Next, in the VM's settings, you need to setup two network adapters. The first one should be enabled by default: NAT. This lets the VM access the internet through whatever connection you're normally using. You should only enable this for the Kali VM (to install updates), as there is no reason to let the vulnerable VM access the internet.

    The second network adapter will be the Host-Only network. This lets the VMs and the host (your computer) access one another. This Host-Only network is isolated from the internet.

    Kali Host-Only network adapters
  5. Boot up the VM and select the Kali image to install. Follow the instructions and install as you would normally.

    Remember to select the first network adapter, eth0, as this is the one that is NAT'ed to the internet.

    Remember to update the packages after installing! As of 2.0, Kali is rolling.

    You can follow the Kali documentation for installing the VirtualBox Guest Additions and enabling Metasploit. Among other things, the Guest Additions enable the option to let you copy/paste between the host and the VM, which is very useful.
  6. By default, only the first interface, eth0, is enabled in Kali. To enable the secondary interface, eth1, simply select it from the system menu and choose Connect. It will connect automatically on boot from now on.

    Enabling eth1 in Kali
  7. Now is a good time to take a snapshot of the fresh base system, after updating and shutting it down, to ensure it can be restored later.

The Vulnerable VM

  1. Now we need the second VM to "attack." There are good collections of intentionally vulnerable VMs on VulnHub and PentesterLab. For this guide, I'm going to use the Metasploitable 2 VM.
  2. Download, verify, then extract the Metasploitable zip file. Begin the same process to create a new VM, except instead of creating a new disk image, select the Metasploitable image.

    Since these VMs usually don't have a GUI, you don't need to allocate many system resources to it. 256 MB RAM is usually fine.

    Selecting a pre-existing disk image
  3. There's no reason the vulnerable VM should access the internet, but we want it to be accessible by the Kali VM. Replace the default NAT interface with the Host-Only network. Most VM images should use DHCP to get an IP address automatically.

    Metasploitable Host-only network config
  4. Finally, before you boot, it would be a good time to take a snapshot of the untouched Metasploitable VM.

Hack Away!

As you can see below, both machines are networked together and there's plenty of ports open ;-) Happy hacking!

Metasploitable pinging the Kali machine

Running nmap on Kali against the Metasploitable VM