You first want to set up a host OS (Windows or Kali, whichever you prefer to use when you're not hacking). Inside that host OS, install a virtual machine platform (VMware, VirtualBox, whatever you choose). Inside the virtual machine control panel, create a first VM and install Kali (presuming you want to use Kali for your pentest environment). I would configure the virtual network adapter of this first VM to permit it to connect to the internet so you can install updates, new tools, or whatever. You can always disable this virtual network adapter later if you're going to try something risky.
Now, go back to the VirtualBox control panel, create a second VM to be your victim, and install a vulnerable guest OS such as Windows, or whatever other OS you want to attack. Add a virtual network adapter to each VM that connects your VMs to each other, configuring this little virtual network so both the pentest and victim VMs are on the same virtual network. Once it's all working to your liking, save a backup of your victim machine's virtual hard disk (VHD) image, and save your virtual machine configuration. You now have an environment where you can instantly bring up a clean battleground, allowing you to test a fresh system from a known starting point.
You can install anything you like in your vulnerable system, hack on it all you want, infect it with malware, whatever. Then when you want to try something else, restore a copy of the clean VHD image, and you're back to square one.
If you do plan to install malware on the victim, I'd recommend disabling any virtual adapter on the victim VM that allows it to connect to the host system or to the internet before you infect it. You don't want this VM to infect the other computers in your home! This is the main reason for running the pentest environment in its own VM, instead of directly on your host OS. It could help contain the damage if your malware finds your Kali VM on the virtual network and tries to spread to it.
Another nice thing about the VM approach is that if you have an expiring licensed demo copy of something you want to attack, you can install it on a fresh VHD, attack it, and when it expires you just delete the old VHD, reinstall on a new VHD, and resume your attack.
As you learn how to break in, be sure to study how to configure the victim machine to prevent those kinds of attacks. Whenever you like, perhaps when you discover something interesting, you can save a copy of the VHD so you can restore the machine to that point some time in the future.
Consider storing the victim machine's VHDs on removable media, such as flash drives or an external hard disk, or on a large network storage appliance. Each VHD is a huge file, and you'll probably acquire a lot of them. It helps to have a way to organize them that doesn't eat your system's main hard disks. You may find a forensic tool like Autopsy helps keep your experiments organized.
Once you get practiced and comfortable with this setup, you will soon be creating different virtual machines with different operating systems to see how they can be attacked. You may eventually add a third VM running a firewall, router, or other network appliance to see how to attack from outside a network, or how a NIDS might alert you to attacks.
Eventually when you're ready to tackle an external client's system, consider connecting a USB network adapter in your virtual Kali instance to help isolate your laptop from the client. If you're going to work in a client environment that already has malware, make a backup of your Kali VHD, and run your VM using a clean copy. This can help prevent it from spreading, and it's especially important to not spread an infection from one client to the next.
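The containment step described above (no adapter on the victim that reaches the host or the internet before you infect it) can be checked mechanically. The script below is an added example, not part of the original answer; it assumes VirtualBox, and the VM name `victim`, the network name `labnet` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a victim VM's adapters before infecting it. Feed it
#   VBoxManage showvminfo "<vm name>" --machinereadable

# Print "nicN mode" for every adapter attached in a mode that can reach the
# host or the internet. "none"/"null" are disabled and "intnet" is the
# VM-to-VM lab network; anything else (nat, bridged, hostonly, ...) is flagged.
risky_nics() {
    awk -F= '/^nic[0-9]+=/ {
        mode = $2; gsub(/["\r]/, "", mode)
        if (mode != "none" && mode != "null" && mode != "intnet")
            print $1, mode
    }' | sort
}

# Print the internal network names the VM is attached to, one per line.
lab_nets() {
    awk -F= '/^intnet[0-9]+=/ { gsub(/["\r]/, "", $2); print $2 }' | sort -u
}

# Succeed only if stdin describes a VM with no risky adapter.
is_contained() {
    [ -z "$(risky_nics)" ]
}

# Constructed sample input, modelled on the machine-readable format.
VICTIM_BEFORE='name="victim"
nic1="nat"
nic2="intnet"
intnet2="labnet"
nic3="hostonly"
nic4="none"'
VICTIM_AFTER='name="victim"
nic1="none"
nic2="intnet"
intnet2="labnet"
nic3="none"
nic4="none"'

for cfg in "$VICTIM_BEFORE" "$VICTIM_AFTER"; do
    if printf '%s\n' "$cfg" | is_contained; then
        echo "contained; lab network: $(printf '%s\n' "$cfg" | lab_nets)"
    else
        echo "NOT contained:"; printf '%s\n' "$cfg" | risky_nics
    fi
done
```

Any adapter it flags can be detached with `VBoxManage modifyvm "<vm name>" --nic<N> none` while the VM is powered off.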