2. Attack OS /VM . Once your virtualization software is chosen , choose an attack OS to download. You will use Kali Linux in the lab environment and would likely be the most comfortable with that . However , you may download any "attack OS ." Other options include : Parrot OS, BackBox, BlackArch (advanced only - save yourself the pain and skip this one ), and many others . Note : It will be much easier to download a pre -built VM instead of the .iso image option . Additionally , the pre - built images are specific to the virtualization software that you are using so choose accordingly. https://www. offensive-security.com/kali-linux-vm-vmware-virtualbox- image -download / 3. Vulnerable Target OS/VM. You will need a victim machine to target and exploit . Download a virtual machine that you can attack . There are many options that are designed to help students practice their skills and learn to exploit vulnerabilities in an approved, educational manner. Keep in mind that these are inherently vulnerable and designed to be relatively easy to exploit . A recommended best practice is to not allow other machines outside of your "virtual network " to be able to communicate with them . There is a "NAT" network setting within your virtualization software that helps to isolate your "lab" systems from the other devices on your local area network . Many options exist, but here are a few: Metasploitable (also includes many of the ones below - the same as what is in the InfoSec labs). There are a few versions out there - go with "Metasploitable2 " - it can be downloaded from : https ://sourceforge .net /projects /metasploitable /files /Metasploi table2 / (Links to an external site .) or https ://information .rapid7 .com /download -metasploitable 2017 . html (Links to an external site.) OWASP's Broken Web Apps (includes WebGoat): https ://sourceforge .net /projects /owaspbwa /files /latest /do wnload (Links to an external site) DVWA (Web Application ): https://github.com/ethicalhack3/DVWA/archive/master .zip (Links to an external site.). Bad Store (Web Application ): https://www.vulnhub.com/entry/badstore-123,41/ (Link 5 to an external site .) VulnHub: Many options exist here - somewhat like a "capture the flag " with near limitless possibilities with new ones being added all of the time (Note : I would save these for after the class project more for fun) https://www. vulnhub.com (Links to an external site.)