top of page

How To Set Up A PC For Hacking (Guide)

How To Set Up A PC For Hacking (Guide) | Black Hat HQ

Setting Up A PC For Hacking


I'll take you through a complete pentest workstation build — from bare metal to engagement-ready. This setup assumes you'll use it as your primary attack machine. This is a guide on how to set up a PC for hacking.


Phase 1: OS Selection


Three practical options, all Linux-based:


OS

Best For

Downsides

Kali Linux

All-around pentesting, largest tool repo

Heavy, runs as root by default

Parrot OS

Similar to Kali, lighter, better daily driver

Smaller community, some tools missing

Ubuntu/Debian + tools

Custom minimal build, better OPSEC

Manual tool installation, more work


Recommendation: Kali Linux for a dedicated pentest box. If this doubles as your daily driver, use Ubuntu LTS and install tools selectively to avoid the bloat and root-by-default behavior of Kali.


Kali Installation


bash

# 1. Download ISO: kali.org/get-kali → Kali Linux Live (or Installer)
# 2. Flash to USB:
dd if=kali-linux-2024.X-live-amd64.iso of=/dev/sdX bs=4M status=progress

# 3. Boot from USB, select "Graphical Install"
# 4. Partitioning:
#    - If single OS: Guided → use entire disk → encrypted LVM (recommended)
#    - If dual boot: Manual → separate /, /home, swap
# 5. Choose XFCE or KDE (XFCE is lighter, KDE has better multi-monitor)

# Post-install: update everything
apt update && apt full-upgrade -y

Critical: Create a Non-Root User


Kali defaults to root. For daily use and to avoid accidents, create a standard user:


bash

useradd -m -G sudo,netdev,kvm,vboxsf pentest
passwd pentest
# Log out, log back in as "pentest"

Phase 2: Essential Tools - Full Toolchain


Kali ships with 600+ tools, but most engagements need a core set. Here's the install script for what actually gets used:


bash

#!/bin/bash
# pentest-tools.sh — Install and update essential pentest toolchain
# Run on fresh Kali or Ubuntu/Debian

set -e

echo "[*] Updating system..."
apt update && apt full-upgrade -y

# ===== RECON =====
echo "[*] Installing recon tools..."
apt install -y \
    nmap \
    masscan \
    rustscan \
    amass \
    subfinder \
    dnsrecon \
    dnsenum \
    fierce \
    theharvester \
    gobuster \
    ffuf \
    feroxbuster \
    dirb \
    whatweb \
    wafw00f \
    eyewitness \
    aquatone

# Install additional recon tools not in apt
# httpx (fast HTTP probing)
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
cp ~/go/bin/httpx /usr/local/bin/

# nuclei (template-based vulnerability scanner)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
cp ~/go/bin/nuclei /usr/local/bin/

# ===== EXPLOITATION =====
echo "[*] Installing exploitation tools..."
apt install -y \
    metasploit-framework \
    exploitdb \
    searchsploit \
    sqlmap \
    burpsuite \
    zaproxy \
    beef-xss \
    commix \
    routersploit

# ===== POST-EXPLOITATION =====
echo "[*] Installing post-exploitation tools..."
apt install -y \
    crackmapexec \
    impacket-scripts \
    bloodhound \
    neo4j \
    mimikatz \
    powershell-empire \
    evil-winrm \
    chisel \
    socat \
    proxychains4

# NetExec (crackmapexec successor)
pip3 install netexec

# Ligolo-ng (pivoting)
wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_agent_linux_amd64.tar.gz
tar xzf ligolo-ng_proxy_linux_amd64.tar.gz -C /usr/local/bin/
tar xzf ligolo-ng_agent_linux_amd64.tar.gz -C /usr/local/bin/

# ===== CRACKING =====
echo "[*] Installing cracking tools..."
apt install -y \
    hashcat \
    john \
    hydra \
    hash-identifier \
    fcrackzip \
    pdfcrack

# Wordlists
if [ ! -f /usr/share/wordlists/rockyou.txt ]; then
    echo "[*] Extracting rockyou..."
    gunzip /usr/share/wordlists/rockyou.txt.gz 2>/dev/null || true
fi

# SecLists (comprehensive wordlists)
if [ ! -d /opt/SecLists ]; then
    git clone --depth 1 https://github.com/danielmiessler/SecLists.git /opt/SecLists
fi

# ===== WIRELESS & RF =====
echo "[*] Installing wireless/RF tools..."
apt install -y \
    aircrack-ng \
    reaver \
    bully \
    hcxdumptool \
    hcxtools \
    bettercap \
    kismet

# ===== EVASION & OBFUSCATION =====
echo "[*] Installing evasion tools..."
apt install -y \
    veil \
    shellter \
    upx \
    packer

# ScareCrow (ETW/AMSI patching loader)
wget https://github.com/Tylous/ScareCrow/releases/latest/download/ScareCrow_linux_amd64 \
    -O /usr/local/bin/scarecrow && chmod +x /usr/local/bin/scarecrow

# ===== WEB APP TESTING EXTRAS =====
echo "[*] Installing web app tools..."
apt install -y \
    nodejs \
    npm

# wfuzz
pip3 install wfuzz

# Arjun (HTTP parameter discovery)
pip3 install arjun

# ===== REPORTING =====
apt install -y \
    cherrytree \
    keepassxc \
    flameshot \
    peek \
    gimp

# Ghostwriter (report generation)
# git clone https://github.com/GhostManager/Ghostwriter.git /opt/ghostwriter

# ===== CONTAINER TOOLS =====
apt install -y \
    docker.io \
    docker-compose
systemctl enable docker --now
usermod -aG docker $USER

echo "[+] Tool installation complete. Reboot or re-log for group changes."

Phase 3: Terminal and Shell Configuration


Your terminal is your primary interface. Invest in making it efficient.


Tmux — Session Management


bash

apt install -y tmux

cat > ~/.tmux.conf << 'EOF'
# Modern tmux config for pentesting
set -g mouse on
set -g history-limit 50000
set -g status-bg black
set -g status-fg green
set -g status-left '#[fg=red]#H #[fg=white]| #[fg=cyan]#(whoami)'
set -g status-right '#[fg=yellow]%Y-%m-%d %H:%M'
set -g window-status-current-format '#[fg=green,bold]#I:#W'
set -g window-status-format '#[fg=white]#I:#W'

# Split panes with | and -
bind | split-window -h -c "#{pane_current_path}"
bind - split-window -v -c "#{pane_current_path}"

# Quick window creation
bind c new-window -c "#{pane_current_path}"

# Vim-style pane navigation
bind h select-pane -L
bind j select-pane -D
bind k select-pane -U
bind l select-pane -R
EOF

Zsh + Oh-My-Zsh (Better Shell)


bash

apt install -y zsh

# Oh-My-Zsh
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended

# Plugins
git clone https://github.com/zsh-users/zsh-autosuggestions \
    ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
git clone https://github.com/zsh-users/zsh-syntax-highlighting \
    ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting

# Enable plugins in ~/.zshrc:
# plugins=(git zsh-autosuggestions zsh-syntax-highlighting docker tmux sudo)

chsh -s $(which zsh)

Shell Aliases (Pentest-Specific)


Append to ~/.zshrc or ~/.bash_aliases:


bash

# ===== RECON =====
alias scan-quick='nmap -T4 -F'
alias scan-full='nmap -T4 -A -p- -oA nmap_full'
alias scan-udp='nmap -sU -T4 --top-ports 200 -oA nmap_udp'
alias rustscan-all='rustscan -a $1 --ulimit 5000 -- -A -oA rustscan_full'

# ===== WEB =====
alias ffuf-dir='ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u $1/FUZZ -ac'
alias gobuster-dir='gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u $1'

# ===== POST-EXPLOIT =====
alias cme='crackmapexec'
alias smb-null='crackmapexec smb $1 --shares -u "" -p ""'
alias smb-spray='crackmapexec smb $1 -u users.txt -p passwords.txt --continue-on-success'
alias winrm='evil-winrm -i $1 -u $2 -p $3'

# ===== SMB =====
alias smb-list='smbclient -L //$1 -N'
alias smb-mount='mount -t cifs //$1/$2 /mnt/smb -o username=$3,password=$4'

# ===== NETWORK =====
alias myip='curl -s ifconfig.me && echo'
alias tunip='ip addr show tun0 | grep "inet " | awk "{print \$2}"'
alias serve='python3 -m http.server 8080'
alias serve-ssl='python3 -c "import http.server, ssl; http.server.HTTPServer((\"0.0.0.0\", 443), http.server.SimpleHTTPRequestHandler).socket = ssl.wrap_socket(http.server.HTTPServer((\"0.0.0.0\", 443), http.server.SimpleHTTPRequestHandler).socket, certfile=\"cert.pem\", keyfile=\"key.pem\", server_side=True); http.server.HTTPServer((\"0.0.0.0\", 443), http.server.SimpleHTTPRequestHandler).serve_forever()"'

# ===== BLOODHOUND =====
alias neo4j-start='neo4j console'
alias bloodhound-start='bloodhound --no-sandbox'

# ===== NOTES & LOGGING =====
alias logs='cd ~/pentest/logs'
alias notes='cd ~/pentest/notes'

# ===== ENGAGEMENT SETUP =====
# Creates directory structure for a new engagement
new-engagement() {
    mkdir -p ~/pentest/$1/{recon/{nmap,web,dns,osint},exploitation,loot,logs,notes,evidence,reports}
    cd ~/pentest/$1
    echo "[+] Engagement directory: ~/pentest/$1/"
    tree -L 2
}

# Quick HTTP share from current directory
alias share-http='printf "Serving on:\n  http://$(ip addr show tun0 2>/dev/null | grep "inet " | awk "{print \$2}" | cut -d/ -f1 || ip addr show eth0 | grep "inet " | awk "{print \$2}" | cut -d/ -f1):8080\n" && python3 -m http.server 8080'

Phase 4: Workspace Organization


Standardized directory structure prevents chaos during engagements:


bash

mkdir -p ~/pentest
mkdir -p ~/pentest/tools       # Custom scripts, downloaded tools
mkdir -p ~/pentest/wordlists    # Custom wordlists
mkdir -p ~/pentest/templates    # Report templates, email templates
mkdir -p ~/pentest/certs        # SSL certs for phishing/hosting
mkdir -p ~/pentest/iso          # OS ISOs for VMs

# Create structure for a specific engagement:
new-engagement() {
    local name="$1"
    mkdir -p ~/pentest/$name/{recon/{nmap,web,dns,osint},exploitation,loot,logs,notes,evidence,reports}
    echo "# $name — Engagement Notes" > ~/pentest/$name/notes/notes.md
    echo "[+] Created ~/pentest/$name/"
}

Phase 5: Burp Suite Setup


Your primary web testing tool needs proper configuration:


bash

# 1. Launch Burp Suite Community or Pro
burpsuite &

# 2. Configure proxy listener:
#    Proxy → Options → Add listener
#    Bind to: 127.0.0.1:8080
#    Check: "Support invisible proxying"

# 3. Install useful extensions (Extender → BApp Store):
#    - Autorize (automated auth testing)
#    - ActiveScan++ (improved active scanning)
#    - JWT Editor (JWT manipulation)
#    - Turbo Intruder (fast brute force)
#    - Param Miner (parameter discovery)
#    - Backslash Powered Scanner

# 4. Configure browser:
#    Install FoxyProxy extension
#    Add Burp proxy (127.0.0.1:8080)
#    Install Burp's CA certificate in browser trust store

Phase 6: Virtualization


Isolate targets, test environments, and tools:


bash

# Install VirtualBox
apt install -y virtualbox virtualbox-ext-pack

# Or install VMware Workstation (better performance, snapshots)
# Download from vmware.com, install .bundle

# Create a snapshot template VM with common targets:
# - Windows 10/11 (test client-side attacks)
# - Windows Server 2019/2022 (AD lab)
# - Ubuntu Server (test Linux targets)
# - Metasploitable / DVWA / Juice Shop (web app practice)

# Docker for quick service testing:
docker pull bkimminich/juice-shop        # OWASP Juice Shop
docker pull vulnerables/web-dvwa         # DVWA
docker pull webgoat/goatandwolf          # WebGoat

Phase 7: Security Hardening


Your pentest machine holds client data, credentials, and exploit code. Protect it:


bash

# === Full Disk Encryption ===
# Enable during OS install (LUKS + LVM)
# Verify:
lsblk
# Should show "crypt" or "LUKS" on root partition

# === Firewall ===
ufw default deny incoming
ufw default allow outgoing
ufw enable

# Allow specific services if hosting payloads:
# ufw allow 443/tcp
# ufw allow 80/tcp

# === Auto-Screen Lock ===
# XFCE: Settings → Power Manager → Security → Lock screen after sleep
# KDE: Settings → Workspace Behavior → Screen Locking → Enable

# === SSH Hardening (if running SSH server) ===
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd

# === Separate Engagement Data ===
# Store each client's data in separate encrypted containers
# Use LUKS containers mounted per-engagement:
dd if=/dev/urandom of=~/pentest/engagement.enc bs=1M count=2048  # 2GB
cryptsetup luksFormat ~/pentest/engagement.enc
cryptsetup luksOpen ~/pentest/engagement.enc engagement_vault
mkfs.ext4 /dev/mapper/engagement_vault
mount /dev/mapper/engagement_vault ~/pentest/$CLIENT_NAME/
# When done: umount + luksClose

# === USBGuard (prevent BadUSB attacks against YOU) ===
apt install -y usbguard
usbguard generate-policy > /etc/usbguard/rules.conf
systemctl enable usbguard --now

Phase 8: Essential Git Repos to Clone


bash

# Tool repositories worth having locally
cd /opt

# Payload frameworks
git clone https://github.com/BC-SECURITY/Empire.git
git clone https://github.com/n1nj4sec/pupy.git
git clone https://github.com/trustedsec/trevorc2.git

# Windows exploitation
git clone https://github.com/S3cur3Th1sSh1t/PowerSharpPack.git
git clone https://github.com/GhostPack/Seatbelt.git
git clone https://github.com/GhostPack/SharpUp.git

# Linux enumeration
git clone https://github.com/carlospolop/PEASS-ng.git
git clone https://github.com/rebootuser/LinEnum.git

# Active Directory
git clone https://github.com/ShawnDEvans/smbmap.git
git clone https://github.com/BloodHoundAD/BloodHound.git

# Phishing
git clone https://github.com/kgretzky/evilginx2.git
git clone https://github.com/gophish/gophish.git

# Post-exploitation
git clone https://github.com/carlospolop/PEASS-ng.git
git clone https://github.com/gentilkiwi/mimikatz.git

Phase 9: VPN / C2 Infrastructure Quick Setup


If this machine also hosts your C2 or acts as a redirector:


bash

# WireGuard for infrastructure VPN
apt install -y wireguard

# Quick server setup
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key

cat > /etc/wireguard/wg0.conf << 'EOF'
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF

systemctl enable wg-quick@wg0

Phase 10: Final Checklist


Run this before your first engagement:


[ ] OS installed and fully updated (apt update && apt full-upgrade)
[ ] Non-root user created and in use
[ ] Full disk encryption verified (lsblk)
[ ] Core tools installed (recon, exploit, post-exploit, cracking)
[ ] Wordlists available (rockyou, SecLists)
[ ] Tmux configured with custom config
[ ] Shell aliases set up in ~/.zshrc or ~/.bash_aliases
[ ] Engagement directory structure scripted
[ ] Burp Suite configured with extensions
[ ] Browser with FoxyProxy + Burp CA cert
[ ] Virtualization working (VirtualBox or VMware)
[ ] Firewall enabled (ufw enable)
[ ] SSH hardened (key-only, no root login)
[ ] KeepassXC installed for credential management
[ ] CherryTree or equivalent note-taking tool ready
[ ] WireGuard installed for C2 infrastructure
[ ] Test internet connectivity through VPN/tunnel
[ ] git repos cloned to /opt
[ ] Take a system snapshot or backup

Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page