Sadly, pen testing support is not the best. So here I am.

I would like to get into pen testing. I am a slow learner, but I do learn.

I have some computers, 2 MS surface pro 3, 3 or 4 laptops (one running early Windows), and two desktops. One desktop is pretending to be a server, and rarely gets a monitor, the other has 5 hard drives.

I use mostly Linux, started with Red Hat, switched to Debian 9 (stretch). Deb 10, 11, 12 messed up some apps in Wine, so I stayed primitive until recently, when the repositories petrified. Now I am experimenting with different distros.

A couple of the devices have Windows 10 squished into the least space possible. I still have stuff that only works on them.

Everything can connect to the local net, mostly ethernet, but some wireless too.

I installed Kali on the hard drive of a Lenovo ideapad 330

What I can't figure out is where to install VMware-Player or VirtualBox. I assume Bare Metal means directly into their own partitions on a hard disk. That makes them OSs in their own right.

But one can also install the virtual software within a given OS, I think. That makes it an application, so to speak.

What is the best way to get started? I think maybe two machines set up at first, then I could expand as I get deeper into it.

Thanks in advance.

A long time ago, there was a tutorial in the Linux Voice magazine (which is sadly now defunct).

They suggested installing Kali in one VirtualBox VM and Metasploit in a second VM on the same machine, then configuring the VM network to be "Host Only," which meant that the two VMs could see each other, but they could not see the big wide world and vice versa. That way, you could practice pentesting without fear of doing damage to your own or anyone else's system.

Given that you have installed Kali to bear metal, I'd suggesting getting hold of a second computer, perhaps at a thrift store of second-hand shop, and installing Metasploit to it, then networking them together with a crossover cable without connecting them to the internet, again, so you do not inadvertently damage someone else's system or get in trouble with your ISP.

A web search for "Metasploit tutorial" will turn up a number of resources.

Just my thoughts.