Homelab Guide Part 4: Kali Linux & Nmap

In this part you will download Kali, configure the VM, and learn to use Nmap at a basic level. You will be able to find and scan your Windows 10 workstation that is running the DVWA webapp.



1. Download and Configure a Kali VM

go here https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/ and download Kali

extract it into your virtual machines folder

click "open a virtual machine" and navigate to the Kali folder - open the only vmx file there - this will add the VM to your VMware home screen

power on the Kali vm

username and password are both "kali" - fun fact: Kali used to ship configured for root login with the password "toor", but it has since changed its philosophy and now disables root login by default

open a terminal and type "sudo apt-get update" - this refreshes the package lists, so apt knows which installed packages have upgrades available and which new packages have appeared in the repositories

then type "sudo apt-get upgrade" and press y to accept the install - this will take a while, especially after a fresh install

kali is now set up


2. Using NMAP to find your Windows 10 Workstation

open the terminal

type "nmap -h" to print the nmap option reference

type "nmap -oN /home/kali/scan.txt -F 192.168.1.0-255"

this uses the output flag, '-oN', to save your results to a txt file and the fast flag, '-F', for a fast scan

scanning this range targets 192.168.1.0, 192.168.1.1, 192.168.1.2, and so on until 192.168.1.255

this assumes that all your devices and virtual machines are within that 0-255 range - remember that 192.168.x.x addresses are part of the private (RFC 1918) address space

after the scan is done you will see a list of discovered IP addresses with their open ports

you should be able to find your Windows 10 workstation in the results (if it is configured to be leased an IP by a domain controller, the actual hostname of the machine will be displayed - for example "DESJTIO-ASD21SM.homelab.local (192.168.1.199)")

you will see under the report for that workstation that port 3306/tcp is open - this is mysql running for the DVWA webapp

you will also see under the same report that port 80/tcp is open - this is http and is why you can access the webapp from any computer on your network


3. NMAP IP List

scanning IP ranges in your home network multiple times throughout the course of a day will become tedious and a waste of time. Because of DHCP you will eventually have to run the range scan again, but to save yourself some effort it is good practice to create an "IP List" text file that you can point to when using more complex NMAP scans

in the terminal type "echo '' > /home/kali/iplist.txt"

this will create an empty text file in your user directory

open that file and type out a new IP address on every line - this will be the list of IP addresses you discovered in your range scan from before - once finished, save the file and close it

back in the terminal type "nmap -iL /home/kali/iplist.txt -F" to pass the IP list using the "-iL" flag and perform a fast scan on it

you should get exactly the same results as if you had run the original IP range scan
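the range scan in section 2 already contains every IP you would type into the list by hand, so the two steps can be joined up. The script below is an added example and is not part of this guide: it parses the normal (-oN) report format that "nmap -oN /home/kali/scan.txt -F ..." writes, extracts one IP per host into a file that "nmap -iL" can read, and then answers two defender-side questions from the same saved report without rescanning - which hosts have a given port open (80 for the webserver, 3306 for MySQL), and which open ports on the workstation are not among the ones the guide expects. The report text is a constructed sample (the hostnames, IPs and timestamps are made up), and the temporary file names stand in for /home/kali/scan.txt and /home/kali/iplist.txt.

```shell
#!/bin/sh
# Added example, not from the guide. Builds the section 3 IP list from a
# saved section 2 range scan and queries the same report for open ports.
# File names are assumptions; the report below is a constructed sample in
# the layout "nmap -oN" produces (hosts, IPs and times are made up).
SCAN_FILE=$(mktemp)      # stands in for /home/kali/scan.txt
IPLIST_FILE=$(mktemp)    # stands in for /home/kali/iplist.txt

cat > "$SCAN_FILE" <<'EOF'
# Nmap scan initiated as: nmap -oN /home/kali/scan.txt -F 192.168.1.0-255
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http

Nmap scan report for printer.homelab.local (192.168.1.50)
Host is up (0.0045s latency).
Not shown: 99 closed ports
PORT    STATE SERVICE
631/tcp open  ipp

Nmap scan report for EXAMPLE-WS.homelab.local (192.168.1.199)
Host is up (0.0031s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
3306/tcp open  mysql

# Nmap done -- 256 IP addresses (3 hosts up) scanned in 4.80 seconds
EOF

# One IP per line for every host in the report. The "Nmap scan report for"
# line ends with either a bare IP or "hostname (IP)"; taking the last field
# and stripping the parentheses covers both forms.
scan_hosts() {
    awk '/^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); print ip }' "$1"
}

# Write the IPs to the file "nmap -iL" reads (one per line) and return the
# count so it can be checked against the "(N hosts up)" summary line.
write_iplist() {
    scan_hosts "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# IPs of hosts whose report lists PORT/tcp as open. Port lines always follow
# their host's "Nmap scan report for" line, so they belong to the last IP seen.
hosts_with_open_port() {
    awk -v port="$2/tcp" '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        $1 == port && $2 == "open" { print ip }
    ' "$1"
}

# Open ports on one host that are not in a comma-separated allowed list,
# e.g. the DVWA workstation is expected to expose only 80 and 3306.
unexpected_ports() {
    awk -v host="$2" -v allowed=",$3," '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        ip == host && $2 == "open" {
            split($1, p, "/")
            if (index(allowed, "," p[1] ",") == 0) print $1
        }
    ' "$1"
}

COUNT=$(write_iplist "$SCAN_FILE" "$IPLIST_FILE")
echo "wrote $COUNT hosts to $IPLIST_FILE (usable as: nmap -iL $IPLIST_FILE -F)"
echo "hosts with 80/tcp open:";   hosts_with_open_port "$SCAN_FILE" 80
echo "hosts with 3306/tcp open:"; hosts_with_open_port "$SCAN_FILE" 3306
echo "ports on 192.168.1.199 beyond 80,3306:"
unexpected_ports "$SCAN_FILE" 192.168.1.199 80,3306
```

To use it on a real scan, drop the heredoc and set SCAN_FILE to the report you saved with -oN and IPLIST_FILE to /home/kali/iplist.txt. The last query is the one worth keeping around: if a port shows up on the workstation that you did not deliberately open (here the sample's 135/tcp), that is the cue to go and find out what is listening.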


4. NMAP Port Scanning

note that there are 65,535 ports. Scanning all ports on multiple targets will take a long time - the regular scan and the fast scan only check for common ports - those common ports go up to 1024

It is better to specify common ports like 80-http, 443-https, 21-ftp, 23-telnet, 22-ssh, 25-SMTP, 3306-mysql

but for practice, type "nmap -p- 192.168.1.199" - replace the target IP with the IP of your workstation - the '-p-' flag is for all ports

next, type "nmap -sV -O 192.168.1.199" - again, replace the target IP with your workstation's IP - the '-sV' flag is for service/version detection and the '-O' flag is for OS detection

you should see that the workstation is running a specific version of Apache - this nmap scan effectively tells you that the target IP is acting as a webserver