Web Application Testing (Lab 8b)

Last Update Unknown

Question 2: Machine Info

Document the details of the Kali Ethernet Interface, eth0. This interface links Kali with the outside world:


Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" and find out the device name on your machine that would be used to handle packets going to target 1.


What is your machine's IP number on the target network?


Use nmap to sweep the target network, and identify the IP address of target 1.


Port scan the target, limiting your portscan to only the default Web TCP ports of 80 and 8080. As part of this do an application version scan.

nmap achieves this by sending additional requests to the web server, rather than just testing whether the port is open.


Repeat the above experiment, but in a second window/ssh session capture the traffic being sent to perform the version identification.

To do this use tcpdump. Use numeric capture. Use the interface identified above as the one which would handle the target's packets. Use ASCII mode (-A) and increase the snap length to maximum (-s 0). To make it easier to see the traffic of interest, use a pcap filter of "dst ... and port 80" where "..." is the IP of the target.

What was sent by nmap to perform this check? 


Now manually fingerprint the target on port 80, using netcat or telnet, e.g.

nc TARGETIP TARGETPORT

HEAD / HTTP/1.0

Remember to hit return twice... And in netcat you may have to press CTRL-D at the end to close the connection. The response should include a "Server:" header, which identifies the server software, and may also include some information which hints at additional server-side language support, such as Perl, Python, PHP, etc.

What is the "Server" set to (case sensitive)?

What is the hinted server-side application technology?


Repeat the HEAD, but this time use HTTP/1.1. What is the result this time?


The error was due to HTTP/1.1 requiring a "Host" header, i.e. a virtual host name, in the request. Make up a name, e.g. "unknown", and redo the query.

Using the virtual host field set to "unknown" redo the query and save the output to a file called "/root/vh". Give it a few seconds to work, then press CTRL-D to end the connection.
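The HEAD exchange described above, as an added example that is not part of the lab material: it builds the exact request bytes for HTTP/1.0 (no Host) and HTTP/1.1 (Host required), and parses the headers of a response to pull out the case-preserved "Server" value and any technology hints. The sample responses and the "ExampleHTTPd" banner are constructed, not output from the lab target.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example for the manual HEAD fingerprinting step above; not lab material.
# The sample responses below are constructed, not captured from the lab target.

def build_head_request(version: str, host: Optional[str] = None) -> bytes:
    """Return the bytes to type into nc: request line, optional Host, blank line."""
    if version == "HTTP/1.1" and not host:
        # HTTP/1.1 makes Host mandatory; this is the error the lab has you observe.
        raise ValueError("HTTP/1.1 requires a Host header (RFC 7230 section 5.4)")
    lines = [f"HEAD / {version}"]
    if host:
        lines.append(f"Host: {host}")  # any made-up name such as 'unknown' works
    # The empty line ends the header block ("hit return twice" in nc).
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

@dataclass
class Banner:
    status: int
    server: Optional[str]                            # exact "Server:" value
    hints: List[str] = field(default_factory=list)  # server-side technology hints

# Header names whose values commonly hint at server-side language support.
HINT_HEADERS = ("x-powered-by", "x-aspnet-version")

def parse_banner(raw: bytes) -> Banner:
    """Parse the status line and headers of a raw response (HEAD has no body)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    banner = Banner(status=int(status_line.split()[1]), server=None)
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()  # names are case-insensitive
        if name == "server":
            banner.server = value  # value case matters: the lab asks for it verbatim
        elif name in HINT_HEADERS:
            banner.hints.append(value)
    return banner

# Constructed sample responses standing in for the target's real output.
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\n"
             b"Server: ExampleHTTPd/1.0 (Constructed)\r\n"
             b"X-Powered-By: PHP/0.0-example\r\n"
             b"Connection: close\r\n\r\n")
SAMPLE_NO_HOST = (b"HTTP/1.1 400 Bad Request\r\n"
                  b"Server: ExampleHTTPd/1.0 (Constructed)\r\n\r\n")
```

Feeding a real response captured with nc (or from the tcpdump -A output) into parse_banner gives the same fields the questions above ask for.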


Question 3: Enumerate the Web Server

Nikto is an advanced web server security scanner. To see the options in Kali, run the following at the command line:

nikto -Help

Again at the command line, run nikto on the target.

nikto -host TARGETIP

Analyse the results of this scan.

What does nikto suggest about the Apache version?


How many vulnerabilities has Nikto returned from the Offensive Security Vulnerability Db (OSVDB)? You must count the same vulnerability multiple times if it is listed more than once.


Research the OSVDB-877 vulnerability. What CERT vulnerability note does this relate to?


Consider the information exposed by OSVDB-3233. In terms of the target, examine this file and perform a risk assessment of the contents. You can view it using the VM browser, or by making a simple web request with something like lwp-request. From this, what is the exact kernel version running here? (The entry is called "System", and is formatted "2.0.0-0-text".)


Question 4: DirBuster

Even using the small list the scan may take some time. Change the output to the tree view tab. A file in the top level ending .php is found quite quickly. What is the full name of the file?


After a few minutes the scanner will uncover a directory called "twiki". In that directory is something that looks like a README file. What is the name of the file, including the filename extension?


Question 5: Intercepting Proxy: burpsuite

Using the HTTP History sub-tab, what is the "Host" set to in the "GET /" request?


What was the successful login attempt here?


Which three parameters of the suggested list resulted in discovered pages?

Length information suggests success in this case by:


Question 6: Intercepting Proxy: Zap

What does the site map say about the "Pragma:" part of the Response of dvwa/login.php? This is to be found in the response headers part of the response.


What is the password for the user "ed"?


Question 7: XSS and session hijacking

Follow instructions on LinuxZoo