Vulnerable Machines for your Lab:

  1. Metasploitable (login msfadmin / msfadmin)
  2. UltimateLAMP
  3. Web Security Dojo
  4. OWASP Hackademic
  5. DVWA (Damn Vulnerable Web Application)
  6. Mutillidae
  7. De-ICE
  8. OWASP WebGoat
  9. Google Gruyere
  10. old Ubuntu versions
  • use sudo netdiscover to list all the active hosts in your network
  • use netstat -nr to discover the router/gateway
  • use nmap to scan the entire network for open ports
  • use sudo nmap -sS for a TCP SYN scan, where the Kali machine does not open a full TCP connection, only the first step of the 3-way handshake
  • use sudo nmap -sU for a UDP scan
  • use sudo nmap -O to get the operating system running on the target machine
  • use sudo nmap -sV --version-intensity 9 to discover the software version running on an open port with increased intensity
  • use sudo nmap -sV -p- for a scan of all 65536 ports on a target machine
  • use sudo nmap -A (aggressive) to enable some advanced features of nmap, OS and version detection included
  • use nmap -sn to check which hosts are up
  • use nmap -p 80,22 to check the details of specific ports on the target host, in this case port 22 and port 80
  • use nmap -p 1-65535 to check a range of ports
  • use nmap -F to scan the top 100 ports (the most commonly used ones, not ports 1 to 100)
  • use sudo nmap -f to send tiny (8 byte) fragmented packets to avoid detection by a firewall or IDS (3 packets for a 24 byte header)
  • use sudo nmap -f -f to split the packet into 16 bytes per fragment
  • use sudo nmap -D <decoy-ip>,<decoy-ip>,<decoy-ip>,ME 192.168.1.targetIP to use multiple local IP addresses as decoys when scanning the target
  • use sudo nmap -sD >> outputofscan.txt to write the output to the given file (with no output to the terminal)
  • use sudo nmap --script auth -sS to run an entire category of scripts (from /usr/share/nmap/scripts/) against the target (Metasploitable) (found tomcat:tomcat on port 8180)
  • use sudo nmap --script malware -sS to check if the target machine is infected by malware
  • use sudo nmap --script banner -sS to check the message sent by an open port on the target machine (it usually holds an information disclosure: the exact version of the software running on that port)
  • use sudo nmap --script exploit -sS to run scripts that aim to actively exploit some vulnerability (port 21 ftp user: root pass: root)
  • use sudo nmap --script-help firewall-bypass.nse to get details about what a certain script is able to do
  • use sudo nmap --script firewall-bypass.nse to execute the above mentioned script
  • use ftp to connect to the target machine over FTP (anonymous | password123) (help for help | exit to exit)
  • use sudo nmap -sV to discover the software version running on an open port (default intensity is 7) and then simply google the software and the version + exploit (example: VSFTPD v2.3.4 Backdoor Command Execution, or apache httpd 2.2.8 exploit)
  • use searchsploit UnrealIRCd to search Kali Linux's local exploit database for tools that could be used
  • use locate to find the location of the script that can be used to exploit a vulnerability identified by the searchsploit command above

  • use sudo nmap -sS instead of nmap -sT, as the first one leaves fewer traces on the target system; -sT makes more noise on the target machine

  • use cd /usr/share/nmap/scripts/ for a full list of nmap scripts that could help with target scanning | described here:
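An added example, not part of the original notes: once the lab has been scanned, the same nmap run can be saved as XML (nmap -sV -oX scan.xml) and checked against a list of what each lab host is supposed to expose, so that services like vsftpd on 21 or Tomcat on 8180 stand out. The XML below is a constructed sample shaped like nmap's output, and BASELINE is a hypothetical per-host allow-list.

```python
# Added example, not from the original notes: parse the XML that
# `nmap -sV -oX scan.xml <target>` writes and flag open ports missing from a
# per-host baseline. The XML below is a constructed sample, not a real scan.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.10">
  <host>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="23"><state state="filtered"/></port>
      <port protocol="tcp" portid="8180">
        <state state="open"/><service name="http" product="Apache Tomcat" version="1.1"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical baseline: the ports each lab host is supposed to expose.
BASELINE = {"192.168.1.10": {22}}


def parse_open_ports(xml_text):
    """Map each IPv4 host to its open ports as (port, proto, product, version)."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            svc = svc.attrib if svc is not None else {}
            entries.append((int(port.get("portid")), port.get("protocol"),
                            svc.get("product", ""), svc.get("version", "")))
        result[addr] = entries
    return result


def unexpected_ports(scan, baseline):
    """Open ports absent from the host's baseline; unknown hosts allow nothing."""
    return [(h, p, proto, f"{prod} {ver}".strip()) for h, entries in scan.items()
            for p, proto, prod, ver in entries if p not in baseline.get(h, set())]
```

Running unexpected_ports(parse_open_ports(SAMPLE_NMAP_XML), BASELINE) reports 21/tcp (vsftpd 2.3.4) and 8180/tcp (Apache Tomcat 1.1) while the filtered port 23 is ignored.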