There are two schools of thought on this: build your own VMs by installing the operating system into a new VM, or use prebuilt ones available on the Internet. Personally I favour the latter for the majority of my work, as it is the quickest and easiest way of building a virtual domain and running my tests.
Prebuilt Linux VMs
If you are looking for Linux server builds I recommend TurnKey Linux, who have over 100 ready-built VMs covering virtually every application category: web development, IT infrastructure, content management, business management, messaging, issue tracking, database development, developer tools, and what they call 'Specials'. The useful thing about these VMs for a lab is that each image is frozen at the date it was built, so an older image ships with software that has had vulnerabilities disclosed since and is going to need patching. Download an old WordPress server image, for example, and because it is vulnerable to known exploits we can experiment on it. Keep such targets on a host-only or internal virtual network, though; they are vulnerable by design and should never be reachable from the outside. If you are just looking for bare-bones Linux operating systems then OSBoxes has over 50 distros, many in multiple versions; their Ubuntu library, for example, covers six releases from 12.04 to 17.10.
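Before throwing exploits at an old image it is worth confirming which version it actually runs, so you know exactly what you are testing. The following is an added example of mine, not part of the original post and not TurnKey's or WordPress's own code. It fingerprints a WordPress version from the generator meta tag on the home page, falls back to the generator element in the RSS feed (because stripping the meta tag is a common hardening step), and compares the result against a baseline version you supply. The two response bodies and the BASELINE value are constructed for the example so it runs offline; feed `fingerprint()` the real responses fetched from your lab VM to use it in anger.

```python
import re
from typing import Optional

# Constructed sample responses standing in for what an old WordPress image
# might serve. They are made up for this example, not captured from a real host.
SAMPLE_HOME_PAGE = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.9.1" />
<link rel="alternate" type="application/rss+xml" href="/feed/" />
</head><body>Hello world</body></html>"""

SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>Lab blog</title>
<generator>https://wordpress.org/?v=4.9.1</generator>
</channel></rss>"""

# A home page from a site that strips the generator tag (common hardening step).
SAMPLE_STRIPPED_HOME_PAGE = "<html><head><title>Lab blog</title></head><body></body></html>"

# Two- or three-part dotted version, e.g. 4.9 or 4.9.1.
VERSION_RE = r"(\d+(?:\.\d+){1,2})"


def version_from_generator_meta(html: str) -> Optional[str]:
    """Read the version from <meta name="generator" content="WordPress x.y.z">."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+' + VERSION_RE + '"',
                  html, re.IGNORECASE)
    return m.group(1) if m else None


def version_from_feed(xml: str) -> Optional[str]:
    """Read the version from the RSS <generator>https://wordpress.org/?v=x.y.z</generator>."""
    m = re.search(r"<generator>https?://wordpress\.org/\?v=" + VERSION_RE + r"</generator>",
                  xml, re.IGNORECASE)
    return m.group(1) if m else None


def fingerprint(home_html: str, feed_xml: Optional[str] = None) -> dict:
    """Try each fingerprint in order; report the first version found and where it came from."""
    checks = [("generator meta tag", version_from_generator_meta, home_html)]
    if feed_xml is not None:
        checks.append(("rss generator element", version_from_feed, feed_xml))
    for source, extractor, body in checks:
        version = extractor(body)
        if version:
            return {"version": version, "source": source}
    return {"version": None, "source": None}


def version_tuple(version: str) -> tuple:
    """'4.9.1' -> (4, 9, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def is_older_than(found: str, baseline: str) -> bool:
    """True if the found version is behind the baseline (4.9 < 4.9.1 < 5.0)."""
    return version_tuple(found) < version_tuple(baseline)


if __name__ == "__main__":
    # BASELINE is an assumed value for illustration: put whatever you consider
    # "current" for your lab here.
    BASELINE = "5.0"
    for label, home, feed in (("image as downloaded", SAMPLE_HOME_PAGE, SAMPLE_FEED),
                              ("generator tag stripped", SAMPLE_STRIPPED_HOME_PAGE, SAMPLE_FEED),
                              ("nothing to go on", SAMPLE_STRIPPED_HOME_PAGE, None)):
        result = fingerprint(home, feed)
        if result["version"]:
            verdict = "behind" if is_older_than(result["version"], BASELINE) else "not behind"
            print(f"{label}: WordPress {result['version']} via {result['source']}, {verdict} {BASELINE}")
        else:
            print(f"{label}: no version fingerprint found")
```

The meta tag is the easiest fingerprint and also the easiest one to remove, which is why the feed fallback is there; a site that strips both still leaks its version through other paths (readme.html, versioned static asset URLs), but treat any fingerprint as a starting point and confirm it against the image's own package list once you are logged in.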
Should you want a more esoteric operating system such as FreeBSD, there is generally a direct VM image download from the project itself.
Prebuilt Microsoft VMs
Windows is of course a bit more tricky: Microsoft would prefer that you pay for their product. However, they also like people to develop for their platform, so they provide VMs for developers to test their web applications against Internet Explorer and Edge on Windows 7, 8.1 and 10. The limitation is that these VMs expire after 90 days, but, remarkably, Microsoft themselves recommend 'setting a snapshot when you first install the virtual machine which you can roll back to later', which in practice negates the expiry: when the 90 days are up, revert to the snapshot and the clock starts again.
So you have installed your Windows 10 VM, but it is a bit bare bones. You can either stay in, open a big bottle of red wine and spend an evening installing all your favourite applications, or you can use Ninite to package all of them into one installer and let it do its thing while you go down the pub.
But what if I want to test against a Windows Server 2016 running SQL Server 2014 SP2? That's fine too because, again, Microsoft want users to try before they buy: register for their Evaluation Centre and you can download pretty much any Microsoft product you could ask for, with evaluation periods ranging from 30 days to unlimited. Take the same snapshot-before-first-boot precaution here, so that an expired evaluation costs you a rollback rather than a rebuild.
Now you have your VMs and are ready to go, the next question is whether to go for a Type 1 hypervisor (runs directly on the hardware) or a Type 2 (runs as an application on top of a host OS). My preference is for a Type 2, but that is probably because it is what I started out with 10 years ago. The last hypervisor decision is whether to go for the free Player or to pay for the full Workstation, whose snapshot tool the free Player lacks. Given how much the expiry workaround above leans on snapshots, the full Workstation will let you maximise your Microsoft usage; this is a financial question only you can answer.
The last few resources for your home lab, besides Kali Linux of course, are the Damn Vulnerable Web Application (DVWA), the exercises found at Computer Security Student, Metasploitable, and the Metasploit Unleashed free ethical hacking course.