Active Recon - Network Scanning, Enumeration and Vulnerability Scanning (Lab 4a)

Last Update Unknown

Question 2: Target Network

Target 1 lies somewhere in the 192.168.1.1 - 192.168.1.254 host range. Use "ip route show" to check which network interface on your Kali Linux VM is connected to the target network (the network target 1 is running on). You can identify it by looking at the output, finding the line for the target subnet, and noting the interface name after "dev".


What is your machine's IP number on the target network?
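The same lookup done programmatically, as an added example that is not part of the original lab: it parses `ip route show` output, picks the most specific route covering a target address, and returns the interface after "dev" together with the "src" address the VM uses on that network (which answers the question above). The route table below is constructed for the example; the interface names and addresses are not from the lab.

```python
import ipaddress

# Constructed sample of `ip route show` output from a VM with two interfaces.
# Interface names and addresses are made up for this example.
SAMPLE_IP_ROUTE = """\
default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.50 metric 101
"""


def parse_ip_route(text):
    """Parse `ip route show` output into a list of dicts.

    Each route keeps the destination (a network, or 'default'), the
    interface after 'dev', and the preferred source address after 'src'
    when the kernel printed one.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        route = {"dst": fields[0], "dev": None, "src": None}
        for i, tok in enumerate(fields):
            if tok in ("dev", "src") and i + 1 < len(fields):
                route[tok] = fields[i + 1]
        routes.append(route)
    return routes


def interface_for(text, target_ip):
    """Return (dev, src) for the most specific route covering target_ip.

    This mirrors what the lab asks you to do by eye: find the line for the
    target subnet and read the interface name after 'dev'. The 'src' value
    is your own address on that network. Returns None if no route matches
    (the default route is deliberately ignored).
    """
    target = ipaddress.ip_address(target_ip)
    best = None
    for route in parse_ip_route(text):
        if route["dst"] == "default":
            continue
        net = ipaddress.ip_network(route["dst"], strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is None:
        return None
    return best[1]["dev"], best[1]["src"]


if __name__ == "__main__":
    print(interface_for(SAMPLE_IP_ROUTE, "192.168.1.77"))
```

To use it on the real VM, feed it the output of `ip route show` and any address inside the target range given above; the second element of the result is the IP address asked for in this question.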


Question 3: Network scanning - Target Host Discovery with nmap

Use nmap to sweep the target network for live hosts, and identify the IP address of target 1. Use the appropriate flags so that no port scanning is done and no name resolution is performed.


Question 4: Target Port Scanning with nmap

Now that we have identified the target system, let's port scan for services it may be running. How many of the top 1000 most common TCP ports are open on the target?

Let's also check for UDP services running. Scan for the top 10 most common UDP ports on the target. Warning: a top 1000 UDP scan takes about 15 minutes.
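Reading the two nmap reports above by hand is fine for one host, but as an added example (not part of the original lab) here is a small parser for nmap's normal output that pulls out the hosts reported up by a sweep and the open ports from a port scan, so the counts asked for in Questions 3 and 4 can be checked mechanically. Both sample reports are constructed; the addresses, ports and timings are not from the lab target.

```python
import re

# Constructed sample of `nmap -sn -n` (host discovery only) output.
SAMPLE_SWEEP = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.50
Host is up (0.00020s latency).
Nmap scan report for 192.168.1.60
Host is up (0.0015s latency).
Nmap done: 254 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

# Constructed sample of a default (top 1000 TCP ports) scan of one host.
SAMPLE_PORTSCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:05 UTC
Nmap scan report for 192.168.1.60
Host is up (0.00031s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   filtered http
5900/tcp open     vnc

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
"""

# With -n the report line carries just the address; without it nmap prints
# "hostname (address)", and the first token is then the hostname.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Parse nmap normal output into {host: [(port, proto, state, service), ...]}."""
    report = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            report[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            report[current].append((int(port), proto, state, service))
    return report


def live_hosts(text):
    """Hosts that appeared in the report, in the order nmap printed them."""
    return list(parse_nmap(text))


def open_ports(text, host, proto="tcp"):
    """Sorted list of ports reported 'open' (not 'filtered') for one host."""
    return sorted(
        port
        for port, pr, state, _ in parse_nmap(text).get(host, [])
        if pr == proto and state == "open"
    )


if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE_SWEEP))
    print("open tcp on 192.168.1.60:", open_ports(SAMPLE_PORTSCAN, "192.168.1.60"))
```

Note that `open_ports` excludes ports in the `filtered` state, which is usually what "how many ports are open" means; count them separately if the distinction matters for your answer.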


Question 5: OpenVAS Vulnerability Scanning

We would like you to try a scan on the target system using the OpenVAS Vulnerability Scanner. We need to start the OpenVAS system, which can take a minute the first time it runs. You can check the services it runs using ss -at before and after starting OpenVAS, including the web application we will use to run our scans. Also review the output displayed in the terminal window when OpenVAS starts. Start OpenVAS and set up the scan we will perform, but do not start the scan itself until told to (see below).

From Kali Linux, start openvas from the menu 02 - Vulnerability Analysis -> gvm start


In the OpenVAS web client, connect to localhost on the web application's port number, log in, and from the OpenVAS Dashboard create the following:

Configure a List of Ports to scan for vulnerabilities called "port ssh" which is set to port 22

Create a Target called "target1" with the target system's IP Address we found previously and add the Port List we created for port 22 only "port ssh", and skip the host discovery (Alive Test).

Create a new Scan Task "ssh scan target1" which scans "target1". Make the Maximum concurrently executed NVTs per host 20.

ONCE ALL OPENVAS SERVICE CHECKS ARE PASSED you can start the task "ssh scan target1".

The scan can take a few minutes. While waiting for the scan to complete you can open another terminal window and check the traffic being created with tcpdump -nv on the correct target network interface (identified previously), and then go on to the next question.

The username is "admin" and the password is "kali".


Question 6: Target Enumeration - Service Versions

While OpenVAS is running the vulnerability scan, let's enumerate the target for other services.

We can use netcat to connect and get the banner announcement from the target's VNC server. Experiment with the flags "-n -v" and "-w 1", rather than "-z" (which only checks whether the port is open). The "-w 1" flag closes the connection after 1 second, giving enough of a timeout to receive a banner if the service is running.


Use the same technique to identify the OpenSSH version of the target. Get this from its banner, where the version lies in the characters immediately after "OpenSSH_" but before the next space character.


Use that version number for SSH and locate a CVE exploit which affects that version and was published in November 2008. Specify it in its full name, e.g. CVE-1999-1234. Case sensitive.


Use netcat as a client to connect to the target on a range of services, to fingerprint the ports which are open:

echo "" | nc -v -n -w1 target_IP 20-100

Remember to replace target_IP with the target's IP number.

What version of FTP Server is reported?
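The banner-reading steps above (VNC, OpenSSH, FTP) all come down to matching a few well-known banner formats. As an added example that is not part of the original lab, the code below extracts the OpenSSH version exactly as described (the characters after "OpenSSH_" up to the next whitespace) and classifies SSH, vsFTPd and RFB/VNC banners. The banners are constructed for the example and are not what the lab target returns.

```python
import re

# Constructed banners keyed by port; none of these were captured from the lab target.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n",
    21: "220 (vsFTPd 3.0.3)\r\n",
    5900: "RFB 003.008\n",
}

OPENSSH_RE = re.compile(r"OpenSSH_(\S+)")          # version runs to next whitespace
VSFTPD_RE = re.compile(r"^220 \(vsFTPd ([\d.]+)\)")  # vsFTPd's default greeting
RFB_RE = re.compile(r"^RFB (\d{3})\.(\d{3})")        # VNC protocol version string


def openssh_version(banner):
    """Characters immediately after 'OpenSSH_' up to the next space, or None."""
    m = OPENSSH_RE.search(banner)
    return m.group(1) if m else None


def fingerprint(banner):
    """Classify one banner as (service, version); ('unknown', None) if unrecognised."""
    b = banner.strip()
    if b.startswith("SSH-"):
        # SSH identification string: SSH-protoversion-softwareversion [comments]
        v = openssh_version(b)
        if v:
            return ("openssh", v)
        software = b.split("-", 2)[2].split()[0] if b.count("-") >= 2 else b
        return ("ssh", software)
    m = VSFTPD_RE.match(b)
    if m:
        return ("vsftpd", m.group(1))
    if b.startswith("220 "):
        # Any other FTP greeting: keep the text after the 220 code as the "version"
        return ("ftp", b[4:])
    m = RFB_RE.match(b)
    if m:
        # RFB 003.008 is protocol 3.8; strip the zero padding
        return ("vnc-rfb", f"{int(m.group(1))}.{int(m.group(2))}")
    return ("unknown", None)


def fingerprint_all(banners):
    """Apply fingerprint() to a {port: banner} mapping."""
    return {port: fingerprint(b) for port, b in banners.items()}


if __name__ == "__main__":
    for port, result in sorted(fingerprint_all(SAMPLE_BANNERS).items()):
        print(port, result)
```

The RFB version tells you the VNC protocol level, not the server software; only banners that name their software (OpenSSH, vsFTPd) give a version you can take to a CVE search.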


Question 7: OS Fingerprinting

Use xprobe2 to identify what sort of machine target 1 is. Save that information to /root/info1. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").


Use nmap with "-O" to identify what sort of machine target 1 is. Save that information to /root/info2. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").


Compare the major version information and evaluate the results.

What is the reason for the result? 


From Kali, in a terminal window perform two tcpdump captures of the OS fingerprinting packets sent, filtering on the target host address (e.g. using the host filter) and not doing name resolution. Remember the interface is br0.

First capture with tcpdump the packets generated when using xprobe to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump1 using standard redirection.

Secondly capture with tcpdump the packets generated when using nmap to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump2 using standard redirection.

Look at the number of packets generated by each tool:
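Counting and comparing the packets in /root/dump1 and /root/dump2 can be done by hand with wc, but as an added example (not part of the original lab) the code below parses tcpdump text output into per-packet records, handling both the one-line layout of tcpdump -n and the two-line layout of tcpdump -nv (where the IP header detail comes first and the transport part continues on an indented line), then counts packets overall, per source address and per TCP flag combination. The same summary is what you would look at on the defending side to recognise a fingerprinting probe. The capture lines below are constructed; the addresses and sequence numbers are not from the lab.

```python
import re
from collections import Counter

# Constructed tcpdump output (not captured from the lab). The first two packets
# use the -v layout with an indented continuation line; the rest use the plain -n layout.
SAMPLE_DUMP = """\
12:00:01.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 60)
    192.168.1.50.40001 > 192.168.1.60.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto ICMP (1), length 120)
    192.168.1.50 > 192.168.1.60: ICMP echo request, id 1, seq 1, length 100
12:00:01.000300 IP 192.168.1.50.40002 > 192.168.1.60.22: Flags [S], seq 2, win 1024, length 0
12:00:01.000400 IP 192.168.1.60.22 > 192.168.1.50.40002: Flags [S.], seq 7, ack 3, win 5840, length 0
12:00:01.000500 IP 192.168.1.50.40003 > 192.168.1.60.1: Flags [FPU], seq 3, win 1024, length 0
12:00:01.000600 IP 192.168.1.50.40004 > 192.168.1.60.33434: UDP, length 300
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+")
# "src[.port] > dst[.port]:" as printed with -n (no name resolution)
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:")
# Capital F: the TCP flags. The lowercase "flags [DF]" of the -v IP header is not matched.
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def records(text):
    """Group tcpdump output into one string per packet.

    A record starts at a timestamp; indented continuation lines (as printed
    with -v) are appended to the record they belong to.
    """
    out = []
    for line in text.splitlines():
        if TS_RE.match(line):
            out.append(line)
        elif out and line[:1].isspace():
            out[-1] += " " + line.strip()
    return out


def summarise(text):
    """Count packets overall, per source address and per TCP flag combination."""
    total = 0
    by_src = Counter()
    by_flags = Counter()
    for rec in records(text):
        total += 1
        m = ADDR_RE.search(rec)
        if m:
            by_src[m.group(1)] += 1
        f = FLAGS_RE.search(rec)
        if f:
            by_flags[f.group(1)] += 1
    return {"total": total, "by_src": dict(by_src), "by_flags": dict(by_flags)}


def compare(dump_a, dump_b):
    """Packet counts for two captures, e.g. the xprobe2 and nmap dumps."""
    return summarise(dump_a)["total"], summarise(dump_b)["total"]


if __name__ == "__main__":
    # To compare the real captures: open("/root/dump1").read(), open("/root/dump2").read()
    print(summarise(SAMPLE_DUMP))
```

Unusual flag combinations such as `FPU` with no prior handshake are one of the things that make active OS fingerprinting stand out in a capture, so the `by_flags` breakdown is as informative as the raw count when you evaluate the two dumps.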