10 Top Places to Practice Ethical Hacking on Your Own

practice ethical hacking featured image

Are you looking for the best places to practice ethical hacking? Ethical hacking, also called penetration testing, is a vital skill set in cyber security, and you can practice hacking in numerous ways.

This article will discuss the importance of using home or cloud-based labs to practice and refine ethical hacking skills. These labs offer safe and controlled environments for experimenting with various hacking techniques.

You'll learn the top five places to practice in a cloud-based lab and the five top places where you can use pre-built solutions to build out your own home lab, also known as “laptop labs.”

By the end of this article, you'll have a comprehensive list of places that will help take your hacking to the next level.

The Importance of Practicing Ethical Hacking

Developing useful hacking skills that translate into real-world situations takes practice in a safe and controlled setting, such as a home or cloud-based lab.

Such environments prepare you for potential job roles and certification exams and enable you to understand the implications of different hacking techniques that can be explored without jeopardizing real data or infrastructure.

Now, let's look deeper into why it's crucial to dedicate time to practicing ethical hacking within these controlled settings.

Safe Environment: As a beginner in ethical hacking, start in a lab environment. It's safe, controlled, and perfect for learning without risking damage. Understand, though, in the real world, you'll be handling live systems. So, while mastering your skills, prioritize practicing in the lab.

Learning Experience: A home or cloud-based lab lets you try out different situations you might face in the real world. You can also redo scenarios or tests as often as needed, which can help you learn and improve your work.

Understanding the Effects: If you practice ethical hacking in a lab, you can see what happens when you use certain hacking methods or tools. This can be a great way to learn and help you understand what might happen if you use different attacks or different types of tools for the same attack.

Skill Improvement: Ethical hacking is a complex field that requires a wide range of skills. You can improve and expand your ethical hacking skills by practicing in a controlled setting. This practice makes you better at finding and taking advantage of system flaws and keeps you updated on the latest ethical hacking methods and tools.

What Are Ethical Hacking Labs?

Ethical hacking labs can be built in your home lab by using VMs to create a network of machines. Tools such as VirtualBox or VMware can run different operating systems simultaneously. You can learn how to use different tools and practice network attacks. As it is separate from your main operating system, this type of lab is highly customizable and secure.

You can also download and set up pre-configured, vulnerable web apps. These applications are built with many intentional vulnerabilities. They offer a safe place to try out different web app hacking methods. This type of lab is generally free to set up and use unless you decide to use a paid version of the VM software.

Alternatively, you can also use cloud-based solutions already set up for you. Often there is a fee incurred to use these services but not always. All you generally need for most of them is to sign up for an account, and you'll be able to use their services through a VPN or browser-based labs.

These cloud-based solutions have many advantages and offer the ease of starting immediately, with no setup needed. All you have to do is create an account. These platforms provide diverse scenarios, updating you with the latest cyber threats and techniques.

Also, interacting with a group of active learners makes the whole learning process better. These platforms' gamified elements make learning fun, and their anytime-anywhere ease means you can practice and develop your skills whenever it's convenient for you.

Build Your Own Ethical Hacking Labs

Before we show you our top five recommendations for building your own home labs, you’ll need to have virtual machine software set up. We have two great articles depending on which product you want to use.

How to Install Kali Linux on VirtualBox & Start Hacking Now

How to Install Kali Linux on VMware: The Ultimate How-to Guide

Once your VM software is ready, you must set up your lab environment. We have a great article that will show you how to do this.

How to Create a Virtual Hacking Lab: The Ultimate Hacker Setup

Let’s get to the list with our recommendations.

VulnHub

VulnHub

Type of Hacking:

  • Targeted services, such as websites, databases, and email servers.

Cost:

  • Free

VulnHub is a well-known platform providing you with virtual machines (VMs) to learn and practice hacking skills. It provides a comprehensive environment for learning about various cyber security concepts.

VulnHub's emphasis on providing real-world scenarios is one of its features. Each VM is designed to simulate possible scenarios encountered by a professional in the field. The virtual machines contain vulnerabilities you must identify and exploit, simulating a live penetration testing environment.

Contributions to VulnHub's VMs come from a diverse community of security researchers and enthusiasts. These virtual machines cover various difficulty levels and topics, catering to beginners and seasoned professionals seeking to hone their skills or explore new areas.

Most VMs on VulnHub include community-provided walkthroughs. These walkthroughs can direct you through exploiting vulnerabilities, demonstrating each step in detail. To maximize the learning experience, attempting to solve the VMs independently is recommended before using the walkthrough.

Metasploitable

Metasploitable 

Type of Hacking:

  • Common vulnerabilities

Cost:

  • Free

Metasploitable, from Rapid7, developers of the Metasploit penetration testing toolkit, is a series of intentionally vulnerable virtual machines (VMs). These VMs present a variety of vulnerabilities, enabling ethical hackers and cyber security professionals alike to hone their penetration testing skills in a realistic yet safe environment.

These VMs are based on the idea that you learn by doing, so they give you the tools you need to understand and attack vulnerabilities in a safe environment. They allow you to interact with different vulnerabilities in different apps and services.

Metasploitable 2 and 3 have been added to the series, each becoming more difficult and spawning new vulnerabilities. Metasploitable 2 is the easier to use of the two and is perfect for people just starting out in the world of ethical hacking, helping you gain confidence and learn the basics.

Metasploitable 3, on the other hand, has a more complex environment. This version adds a layer of difficulty and challenge by requiring users to assemble the VM themselves. This step requires a better understanding of how the systems work and helps the person improve their skills even more.

Damn Vulnerable Web App

DVWA

Type of Hacking:

  • Web Application

Cost:

  • Free

DVWA is a PHP/MySQL web application that has been purposefully designed with multiple vulnerabilities. This lab is particularly valuable because it offers a safe environment to learn about and exploit these vulnerabilities, providing a critical practical aspect to your ethical hacking learning journey.

One of the standout features of DVWA is its broad scope of common web vulnerabilities, including but not limited to SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and File Inclusion. DVWA offers a hands-on understanding of these common threats by allowing you to actively exploit these vulnerabilities.

Another advantage of DVWA is its adjustable difficulty levels. This feature makes it an ideal tool for learners. You can begin on a 'low' level, grasp the basics, and gradually increase the difficulty as you become more confident and proficient. This progressive structure reinforces learning.

To install DVWA in Kali, ensure your system is updated and enter the following in the terminal:

sudo apt install dvwa

To start DVWA: dvwa-start

To stop DVWA: dvwa-stop

OWASP Juice Shop

OWASP Juice Shop

Type of Hacking:

  • Web Application

Cost:

  • Free

The OWASP Juice Shop is designed to emulate a real-world e-commerce site with all its typical functionalities but with numerous security vulnerabilities. The vulnerabilities found in Juice Shop are based on the OWASP Top Ten, a list of the most critical web application security risks. This means you'll be exposed to common threats, from Injection flaws to Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR), and many more.

A unique feature of Juice Shop is its gamified structure. The application contains a scoreboard page listing the identified vulnerabilities, each a challenge for you to solve. This makes the learning experience more engaging and offers a clear progression path as you work through the list. You'll earn badges as you successfully exploit each vulnerability, providing a sense of achievement and additional motivation to your learning process.

To get started with OWASP Juice Shop, you can run it in several different ways. It's available as a packaged application for Windows, MacOS, and Linux, and it can also be deployed in a Docker container or even hosted on a cloud platform. This versatility makes it easily accessible, no matter your preferred setup or system configuration.

To have Juice Shop up and running on Kali quickly, make sure Kali is updated and in the terminal, type the following:

sudo apt install juice-shop

To start Juice Shop: juice-shop

To stop Juice Shop: juice-shop-stop

Active Directory Lab

Active Directory Lab
Taken from the Game of Active Directory GitHub

Taken from the Game of Active Directory GitHub

Type of Hacking:

  • Network Penetration Testing

Cost:

  • Free

Our last recommendation is to build your own Active Directory lab, which consists of a Windows Server and at least two Windows machines. This is a great way to learn how to attack Active Directory, which more than 90% of Fortune 1000 companies use.

Active Directory can be a complicated and tedious environment to navigate; therefore, practicing in your home lab will be beneficial to honing your skills. Not only that, but many penetration testing exams now include Active Directory, so this can be a great way to prepare yourself. You can learn and practice attacks such as kerberoasting, pass-the-hash, or pass-the-ticket, to name a few.

Many pre-built Active Directory scripts are available via a Google search and are configured with user accounts, weak passwords, and misconfigurations already set up for you.

We have you covered, as we have an amazing article that will show how to set up an Active Directory lab step by step. See our “How to Create a Virtual Hacking Lab: The Ultimate Hacker Setup”

Cloud-Based Ethical Hacking Labs

Here are our top five recommendations for cloud-based hacking labs.

Hack The Box

Hack The Box

Type of Hacking:

  • Capture The Flag
  • Network Penetration Testing
  • Targeted services, such as websites, databases, and email servers.

Cost:  

  • Regular Membership - Free
  • VIP Membership - $14/Month or $135/Year
  • VIP Plus: $20/Month or $203/Year
  • Pro Labs: $49/Month or $490/Year

Hack The Box (HTB) offers various machines designed with varying vulnerabilities and complexities, simulating real-world environments. Each machine provides a unique challenge, helping you master various aspects of penetration testing and ethical hacking.

HTB operates on a tiered model, offering both free and premium subscriptions.

Challenges are structured in a CTF format, with you being tasked with finding "flags" to gain a practical understanding of cyber security concepts.

The platform also features a strong community of users who assist, discuss strategies, and share knowledge.

Pro Labs and Endgames are available for advanced learners and professionals, providing an immersive and advanced penetration testing environment simulating real-world corporate networks.

Pro Labs is an immersive and practical environment that tasks you with infiltrating an enterprise-level network where you challenge yourself with multiple machines, simulated users, and advanced infrastructure. Each completed Pro Lab provides a certificate of completion.

SlayerLabsSlayerLabs

Type of Hacking :

  • Network Penetration Testing

Cost:

  • 14 Days: $8/User
  • 30 Days: $14/User
  • 60 Days: $26/User

SlayerLabs offers affordable, hands-on ethical hacking training labs. These labs mimic real-world corporate networks, providing virtualized, remotely accessible Cyber Ranges that are deliberately vulnerable, serving as a practical training ground for beginners to seasoned professionals.

Upon signing up, you will receive a VPN access kit that provides access not just to a single target but to an entire network of targets within the chosen range. The diverse set of vulnerabilities incorporated into the Cyber Ranges offers a comprehensive understanding of penetration testing attacks, encouraging experimentation with various tools and exploits.

Each range includes an exploitation pathway, akin to Capture The Flag competitions, leading to a final target. However, these "flags" at Slayer Labs represent real-world target intelligence like password hashes, emails, SSH keys, and more. Some ranges even feature a Campaign Mode offering linear hints and guidance, but a Free-Range mode for explorative learning is always available.

SlayerLabs provides an extraordinary experience that spans a captivating narrative. The carefully created story for each range adds a remarkable realism to hacking in a corporate environment, demonstrating the creators' extraordinary dedication and hard work.

The access includes the Range Control server, which offers tips, a target network outline, and a revert page for resetting targets.

The platform can be accessed globally, but it's best to be in the US or Canada to mitigate potential connectivity issues. Slayer Labs is a realistic, immersive, cost-effective solution for practicing ethical hacking skills.

OverTheWire

OverTheWire

Type of Hacking:

  • Cyber security Wargames

Cost:

  • Free

OverTheWire is a well-known, free platform that helps you learn how to hack through fun games and challenges. It is known for its creative "war games" that simulate real-world situations and give players real-world problems to solve.

This platform is good for a wide range of skill levels because it has tasks for both new and experienced players. You can learn about various topics, such as cryptography, computer exploitation, and network security. These challenges are fun ways to learn about internet security and find solutions to problems while having fun.

The structure of OverTheWire's games is set up as a series of progressive levels. You must complete the previous one before you can move up a level. This step-by-step progression gives you a sense of accomplishment and ensures you grasp the information and skills well before moving on to harder challenges.

One thing that makes OverTheWire stand out is the active community it fosters. It motivates users to participate in forums, work together on tasks, and share their thoughts. This makes learning more interactive and interesting.

OffSec Proving Grounds

OffSec Proving Grounds

Type of Hacking:

  • Capture The Flag
  • Targeted services, such as websites, databases, and email servers.

Cost:

  • Play: Free
  • Practice: $19/Month or $199/Year

Offsec Proving Grounds is a digital platform to improve hacking skills. It offers a variety of virtual labs, each with its own vulnerabilities, simulating the unpredictable and complex nature of real-world hacking situations.

The platform offers a supportive, step-by-step path to success for users of all levels, from beginners to experts. You can use more complicated machines as you improve, building confidence and skills in a structured environment.

Offsec Proving Grounds encourages user cooperation and collaboration, fostering a cooperative learning experience that deepens understanding.

The platform also provides a comprehensive, hands-on learning experience for Offensive Security certifications, such as the OSCP, allowing you to apply your theoretical knowledge in real-world situations.

Access to Offsec Proving Grounds is free with its "Play" level, while the "Practice" level, with a cost, offers more machines and other perks. The platform stays current by regularly adding new machines, including retired OSCP exam boxes.

PortSwigger’s Web Security Academy Labs

PortSwigger’s Web Security Academy Labs

Type of Hacking:

  • Web Application

Cost:

  • Free

PortSwigger's Web Security Academy is a free-to-use, comprehensive learning platform dedicated to web security. Created by the makers of the popular web application security testing tool Burp Suite, the academy provides an expansive array of topics that range from foundational to advanced concepts.

You can explore the theory, practical demonstrations, and hands-on labs for vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), XML External Entity (XXE) attacks, and many more. Each vulnerability topic includes a detailed breakdown of its workings, potential exploitation techniques, and how to defend against it.

Interactive labs associated with these vulnerabilities allow you to apply your knowledge in a controlled, practical environment. Each lab is designed to emulate realistic scenarios, tasking you with exploiting a particular vulnerability. This not only reinforces the theory but also provides valuable hands-on experience.

The Web Security Academy's resources are structured to cater to various skill levels. Beginners can start with basic topics and move on to more complex vulnerabilities and attacks. At the same time, more experienced users can find advanced topics to hone their skills further.

PortSwigger routinely updates the academy by introducing new labs and topics. This ensures that students remain up-to-date on emerging web security threats and the countermeasures necessary to combat them.

If you want to learn how to use Burp Suite, see our article “How to Use Burp Suite: Discover & Master Powerful Features.”

How to Make the Most of Your Hacking Practice

You should practice as much as possible to make the most of the labs we've recommended. Remember that these labs are designed to provide a learning environment, and everyone's path to understanding the concepts or tools will be unique.

It’s alright if you need to use a walkthrough of a machine or task, as you don’t know what you don’t know. It’s better to try and then seek help if needed. This can be a good way to learn as well.  

Learning is not about getting everything right the first time but about embracing the journey, including the obstacles and challenges.

Always remember to document your process when working through different labs. These notes should include the steps you’ve taken, the tools you’ve utilized, and the commands you’ve executed (with screenshots). Not only does this help you keep track of your progress, but it also prepares you for scenarios where you’ll have to provide detailed reports to clients.

Conclusion

Throughout this article, we’ve presented our top five recommendations for cloud-based labs and build your own “laptop labs.” With these labs, you will be well on your way to becoming a better ethical hacker.

And remember, practice, practice, practice. Theory can be good to know, but a hands-on approach to learning in this field is most important.

Are you ready to level up your skills? Check out our StationX Membership, where we have a large selection of courses. You can see some of the courses we offer below.

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.

  • Zinabu ataro says:

    All is good for me

  • >