Hi,

I wrote two posts a while back detailing my my lab's network setup that I use for testing. Will hopefully give you an idea and point in the right direction:

• Virtual Lab Network
• Virtual Lab Machines

Hope this helps,
--Andrew Waite

So, you're unable to load up VMWare workstation or VirtualBox, even?  How old are these boxes?

I know that without VT-enabled machines, you're not going to throw up Xen or anything, but you should be able to load up multiple VM's on VMWare workstation, regardless.

With regards to my lab, personally:

I have 3 rackmount servers, all running VMWare ESXi or KVM, so each of those has multiple guests.

I have multiple physical machines, as well, running flavors of Windows or Linux, and on some of those, I run VMWare workstation, to allow me a few additional (and portable, in the case of my laptops) guests, for demonstration purposes, or mobile tests.  That said, Andrew's lab posts should help you to get some ideas, and there are plenty of lab setups discussed on the forums, here.  

First, you should just start by getting your feet wet, and work on local exploits.  Setup as if you're ON the local subnet, and understand things like sniffing, port scanning and enumeration, etc.  Understand the different attack vectors, as they apply to the OSI layers, and how each comes into play in a pentest.  Practice with nmap, netcat and other tools, against local machines, as the knowledge you'll gain for the underlying protocols and such is necessary to do the same testing for remote systems, etc.  Learn about passing the hash, man-in-the-middle, etc.  Then, move on to topics for remote exploits, like SQL Injection, XSS, and client-side attacks, and start to grow out your base.

Assuming your 'guest' OS availability is as limited as you infer, what I'd do, now, is make some decisions on where you want to START learning.  Decide on which base OS's you want to begin with, such as unpatched Windows XP and older Linux kernel versions, load up a couple, and begin looking at the tutorials on hacking / pentesting, with those.  Additionally, look at the DE-Ice cd images, etc, that give you some bootable images to toy with, and watch / learn from the tutorials on those.  Start learning about the stack, about buffer overflows, about WHERE to research, learn about, and find public exploits, and begin to parse through them, to see how they do what they do.

But most importantly, have fun with your lab.  Don't get tied into one specific topic, and frustrate yourself, if you don't get it right away.  Mix things up enough that you'll get some successes here and there, to help you understand that you ARE progressing.  

And ALWAYS ask questions.  That's the key to being a good pentester, as there will ALWAYS be someone with more knowledge and experience out there.  May not find them right away, but the key to learning, especially in this field, is to share with others.

Link is dead for me, try here.

Not sure how I forgot that as I wrote the article, it's been one of those days....

@MadCoder - I wasn't saying, 'definitely virtualize, and use XYZ to do it.'  And I understand the desire to get ESXi (when you CAN support it, it's well worth it, but I know the feeling when you can't...  been down that road, too.  My latest boxes were purchased, based on their compatability.   )  Bare metal hypervisors are always my choice, when possible.  

As you've kind of decided, since you really have to go with something like VMWare Workstation / Virtualbox or something, then it's well worth it, if you've still got 64-bit hardware and a 64-bit base OS, as at least you can get better utilization from the CPU's and memory subsystems.

Anyway, glad we can help and give you some ideas.  Keep us posted on what you do with it all.  Sharing of info is why EH-net exists, and it's always good to learn from others' experiences.