Frequently Asked Questions


Well that depends on what you have downloaded:
  • '.7z', '.RAR', '.TAR', '.TAR.BZ2' and '.ZIP' - These are different compressed archive formats. They can be extracted to reveal additional files. 7-zip is free, cross-platform and is able to extract all the mentioned formats.
  • '.ISO' and '.IMG' - These are disk images of an optical disc. They could be burnt onto a CD/DVD (IMGBurn), loaded onto a USB stick (UNetbootin) or mounted inside a virtual machine.
  • '.NVRAM' - The virtual machine's BIOS.
  • '.OVA' - 'Open Virtualization Archive' is a single compressed archive ('.tar') which contains the entire virtual machine (Virtual machine's settings ('.OVF') & hard drive ('.VMDK')). This can be imported into virtualization software.
  • '.OVF' - 'Open Virtualization Format' is the configuration file for the virtual machine. This can be imported into virtualization software.
  • '.VMDK' and '.VHD' - 'Virtual Machine Disk (VMDK)' and 'Virtual Hard Disk (VHD)' are virtual hard drive formats. These can be compressed to save room and expand when required. These can be imported into an existing virtual machine.
  • '.VMEM' - The Virtual machine's paging file.
  • '.VMSN' and '.VMSD' - VMSN are VMware snapshots and VMSD file stores metadata related to the snapshots.
  • '.VMX' - Virtual machine's settings. This can be imported into virtualization software.

Static IP? DHCP Server?
When the author created the virtual machine, they may have chosen for the machine to have a static IP address, or for it to be assigned one via a Dynamic Host Configuration Protocol (DHCP) server.
If there is a README file to go along side the machine, it might be mentioned there. It may also be discussed on the author's download page. However, there are certain cases when this hasn't been disclosed.
If you're new to setting up a lab, you might be unsure if the target machine is working correctly or not, or, if you have over looked something. This is why on the entry page on VulnHub; we have listed the networking status of each machine.

If it is using a static IP address it will have a pre-assigned IP address. As IP addresses are unique and shouldn't have duplicates on the same network, you will need to check that there isn't already a device using the machine's static IP address. Usually this shouldn't be a problem as these machines should be placed in an isolated network.
However, if the virtual machine requires a DHCP server to assign an IP address, there needs to be a DHCP service running within the environment. Both Virtualbox and VMware products offer a DHCP service, which, when using the right 'network type', will isolate the machine from the current network.
It is highly recommended that you DO NOT run these machines on a: production network, home network, a network with Internet access and/or a network containing sensitive information (VulnHub will not be responsible for any loss or damage caused). These virtual machines will work in isolated networks.

Subnetwork
IPv4 network addresses can be broken down into various classes:
                Class   -    Start-End        Subnet Mask (Dotted)-CIDR notation  - Common Ranges
Class A - 0.0.0.0-127.255.255.255 255.0.0.0 /8 - 10.xxx.xxx.xxx
Class B - 128.0.0.0-191.255.255.255 255.255.0.0 /16 - 172.16.xxx.xxx
Class C - 192.0.0.0-223.255.255.255 255.255.255.0 /24 - 192.168.xxx.xxx
If the machine is using a DHCP to get an IP address, it will be placed into the same subnet as the DHCP configuration.
But, if the machine is using a static IP address, the machine could lie outside the subnet. Common ranges for a class C network are 192.168.0.0/24, 192.168.1.0/24. However, if the virtual machine uses '192.168.2.50/24', or '10.10.10.100/16' as examples, the attacker will need to adjust their virtual environment so they are in the same subnet.

Being the attacker, you will need to learn techniques to locate machines on a network.

Ping
A common way to see if the machine is 'alive' on a network is to send a ping packet (Internet Control Message Protocol (ICMP) echo request) and see if there is a reply.
However, if the machine has a firewall installed, it could be designed to drop the packet. This would result in no response to the ping request, thus failing the test to see if the machine is 'alive'.

Being the attacker, you would have to discover/research other methods to see if the machine is actually online & functioning correctly.

A 'virtual machine (VM)', is the simulation of a machine (called the 'guest') that is running inside another machine (the 'host').
The 'guest' machine uses the 'hosts' system resources to create a virtual environment, which allows for multiple machines to be created and running at the same time.
These machines behave as close as possible to a 'real' instance.
Depending on the virtualization software, the virtual machine could use 'hypothetical specifications' or emulate the host's hardware.
These machines can be integrated with a virtual network or interact with an existing network.

It depends what you want to get out of them:
  • Virtualbox is free & open source. VMware has a freeware and commercial products. VMware player is freeware; VMware workstation & VMware fusion are commercial.
  • Both solutions work on Linux & Windows hosts, and both support Linux & Windows guests. However, Virtualbox also supports OSX as a host & guest. Whereas VMware fusion is the only product which VMware currently offers which supports OSX host & guest.

  • VMware player has the same 'core' as workstation, but its either missing various features, or has limitations.
  • Virtualbox has all the features of VMware player, including any features that are 'limited' (e.g. snapshots & virtual network control) along with additional ones (e.g. cloning).
  • Virtualbox has a few features that VMware doesn't (currently) offer, such as, capping 'processor usage'.
  • VMware workstation offers a lot more features which Virtualbox (currently) doesn't, for example, fully automated installations of operating systems, USB3.0 support, better USB device control (more reliable connecting & releasing devices).

  • VMware player is free, and is a limited version of workstation. It's good if you just want to run a virtual machine.
  • Virtualbox is free, works everywhere and has various features over VMware player that are very beneficial: this product is good if you want to run & manage various virtual machines.
  • VMware workstation needs to be purchased, works everywhere and has additional features that are very beneficial. This product is great if you want to run & manage various virtual machines, especially across multiple hosts.

That's up to you!
Many people use these pre-made environments to: test out new tools, compare results between tools, benchmark the performance of tools, or, to try and discover new methods to exploit know vulnerabilities.

However, if this is all new to you and you're still learning the basics, you may wish to have a specifically designed environment, which has purposely been created for such an event/task.
An example of such software:
Alternatively, you can take the time to create your own. First by installing a base operating system, installing your favourite tools, then customizing it to your hardware & liking.

Again, that's up to you!
VulnHub offers various pre-built VM scenarios (check: 'Vulnerable Machines'), which require varying amounts of skill & technique. You can download one (or them all) and start learning.
We also have a 'Vulnerable code' section. These are also scenarios, however, they require some form of additional configuration before they'll work. For example, if the vulnerable code was a web application it will require an operating system & a web server before it can be exploited (it also may need additional services, such as a database).

You may wish to install an operating system with a certain application, then 'misconfigure it' in different ways. You can then check to see what 'damage' can be done by exploiting the misconfigured application. One example could be to enable 'Simple Network Management Protocol (SNMP)' or 'NetBIOS/Samba' and modify their settings.
If you wanted to replicate a machine virtually, allowing you to safely experiment on the clone without any fear of any effect on the original machine.

  • Bridged
    • This allows for the VM to connect to the same network via the host's network card (You can specify which interface to use).
    • The VM will have its own unique IP address on the network (closest possible to simulating an additional node on the network).
    • If there is already a DHCP service running on the network, it will be automatically assigned an IP address. Otherwise, it needs to be manually assigned one (a static IP address).
    • This is useful when providing services externally to/from the VM
    • Any external nodes on the same network are able to interact with the VM as well as any VMs which also have access to the host network.
  • NAT (Network Address Translation)
    • This allows for the VM to connect to the same network as the host by using the hosts PC & IP address.
    • The VM only has a unique IP address between the guest OS and the host OS. When traffic is leaving from the hosts, it appears to originate from the host (masking the effect of an additional node on the network).
    • Between the guest OS and the host OS, the VM will have an IP address automatically assigned to it from VMware, but afterwards it uses the host's address. Therefore, no network configuration is needed.
    • This is useful when IP addresses are limited/restricted. For example, dial up Internet or Wi-Fi hotspots.
    • No external nodes on the same network are able to interact with the VM, however, other machines also using 'NAT' will be able to communicate with each other.
  • Host-only
    • This creates a separate network which is only connected to the host, thus causing an isolated virtual network.
    • The VMs will have their own unique IP addresses on the separate network.
    • VMware has its own DHCP service (by default) running for the clients, however, IP addresses can still be manually assigned.
    • If multiple VMs use 'host-only' on the same host, they will all be able to communicate between themselves as well as the host inside the virtual network.
    • This is useful for separating machines from any existing network access, whilst allowing for communication to still happen between the host and the VM.
    • No external nodes are able to interact with the VM, however, other machines also using 'host-only' will be able to communicate.
  • LAN segment
    • This creates a separate network, with no network access to the host, causing an isolated virtual network.
    • The VM will have their own unique IP addresses on the separate network.
    • IP addresses need to be a manually assigned or a DHCP service needs to be installed, configured and running inside the segment. There isn't any communication to the host so VMware can't offer its DHCP service.
    • Only machines that are in the same segments can communicate with each other. Multiple segments can be used at once, however these are separate networks so nodes can't communicate between segments.
    • This is useful for separating machines from any existing network access and the host, whilst allowing for communication to still happen between VMs in their virtual segments.
    • No external nodes are able to interact with the VM including the host. Only machines on the same segment are able to communicate.
By enabling the option 'Replicate physical network connection state' under 'Bridged' network type selection, when the network connection is disconnected on the host this will be reflected inside the VM. For example, if the host was using a wired connection and the cable is unplugged, or if disconnected from a wireless network, the VM will also be disconnected. By doing so, the IP address of the VM will be renewed. This is useful for mobile devices that might not always have a permitted network connection as they could be moving from wired connections or using a different wireless connection.

A good guide explaining the differences in network modes can be found here.

You can customise VMware player further by pressing on 'advanced', to reveal more control over the virtual network.

  • Not attached
    • This has the effect of not having been plugged in, causing the machine itself to be isolated from the network.
    • The VM will not be able to get an IP address.
    • No machine will be able to communicate to the VM.
    • Useful for separating the machine from any network access.
  • NAT (Network Address Translation)
    • This allows for the VM to connect to the same network as the host by using the hosts PC & IP address.
    • The VM only has a unique IP address between the guest OS and the host OS. When traffic is leaving from the host's, it appears to originate from the host (masking the effect of an additional node on the network).
    • Between the guest OS and the host OS, the VM will have an IP address automatically assigned to it from Virtualbox, but afterwards it uses the host's address. Therefore, no network configuration is needed.
    • This is useful when IP addresses are limited/restricted. For example, dial up Internet or Wi-Fi hotspots.
    • No external nodes on the same network are able to interact with the VM, as well other VMs also using 'NAT' (This is because each VM has the same NAT IP address).
  • Bridged Adapter
    • This allows for the VM to connect to the same network via the host's network card (You can specify which interface to use).
    • The VM will have its own unique IP address on the network (closest possible to simulating an additional node on the network.
    • If there is already a DHCP service running on the network, it will be automatically assigned an IP address. Otherwise it needs to be manually assigned one (a static IP address).
    • This is useful when providing services externally to/from the VM
    • Any external nodes on the same network are able to interact with the VM as well as any VMs that have external access.
  • Internal Network
    • This creates a separate network, with no network access to the host, causing an isolated virtual network.
    • The VM will have their own unique IP addresses on the separate network.
    • IP addresses need to be a manually assigned or a DHCP service needs to be installed, configured and running inside the virtual network. There isn't any communication to the host so Virtualbox can't offer its DHCP service.
    • Only machines that are in the same 'network name' can communicate with each other. Multiple 'network names' can be used at once, however these are separate networks so nodes can't communicate between networks.
    • This is useful for separating machines from any existing network access and the host, whilst allowing for communication to still happen between VMs in their virtual networks.
    • No external nodes are able to interact with the VM including the host. Only machines with the name 'network name' can communicate.
  • Host-only
    • This creates a separate network which is only connected to the host, thus causing an isolated virtual network.
    • The VM will have their own unique IP addresses on the separate network.
    • Virtualbox has its own DHCP service (by default) running for the clients, however, IP addresses can still be manually assigned.
    • If multiple VMs use 'host-only' on the same host, they will all be able to communicate between themselves as well as the host inside the virtual network.
    • This is useful for separating machines from any existing network access, whilst allowing for communication to still happen between the host and the VM.
    • No external nodes are able to interact with the VM, however, other machines also using 'host-only' will be able to communicate.
  • Generic Driver
  • Requires downloading the extension pack for Virtualbox.
    • UDP Tunnel - Enabling virtual machines to be interconnecting using different hosts machines.
    • 'Virtual Distributed Ethernet (VDE)' networking - "a flexible, virtual network infrastructure system, spanning across multiple hosts in a secure way. It allows for L2/L3 switching, including spanning-tree protocol, VLANs, and WAN emulation".

If 'Promiscuous mode' is disabled, only the traffic that was intended to receive will be passed along. It's seen as more 'secure' because only the intentional traffic for each node will forward along. This is how a 'network switch' functions.
However, if it's enabled, the 'network interface controller (NIC)' will pass all the traffic which is going though. This is used for 'packet sniffing' and a single node can view all the traffic on the network, useful for inspecting & debugging the network. This is how a 'network hub' functions.
Virtualbox has multiple settings regarding promiscuous mode:
  • Deny - Disables promiscuous mode. It has the effect of using a virtual switch, rather than a virtual hub.
  • Allow VMs - Only the traffic between VMs will be promiscuous mode.
  • Allow All - All traffic (VMs & supported devices in the physical network) will be promiscuous mode.

  • Bridged
    • This allows for the VM to connect to the same network via the host's network card (You can specify which interface to use).
    • The VM will have its own unique IP address on the network (closest possible to simulating an additional node on the network).
    • If there is already a DHCP service running on the network, it will be automatically assigned an IP address. Otherwise it needs to be manually assigned one (a static IP address).
    • This is useful when providing services externally to/from the VM
    • Any external nodes on the same network are able to interact with the VM as well as any VMs that have external access.
  • NAT (Network Address Translation)
    • This allows for the VM to connect to the same network as the host by using the hosts PC & IP address.
    • The VM only has a unique IP address between the guest OS and the host OS. When traffic is leaving from the hosts, it appears to originate from the host (masking the effect of an additional node on the network).
    • Between the guest OS and the host OS, the VM will have an IP address automatically assigned to it from VMware, but afterwards it uses the host's address. Therefore, no network configuration is needed.
    • This is useful when IP addresses are limited/restricted. For example, dial up Internet or Wi-Fi hotspots.
    • No external nodes on the same network are able to interact with the VM, however, other machines also using 'NAT' will be able to communicate with each other.
  • Host-only
    • This creates a separate network which is only connected to the host, thus causing an isolated virtual network.
    • The VM will have their own unique IP addresses on the separate network.
    • VMware has its own DHCP service (by default) running for the clients, however, IP addresses can still be manually assigned.
    • If multiple VMs use 'host-only' on the same host, they will all be able to communicate between themselves as well as the host inside the virtual network.
    • This is useful for separating machines from any existing network access, whilst allowing for communication to still happen between the host and the VM.
    • No external nodes are able to interact with the VM, however, other machines also using 'host-only' will be able to communicate.
  • Custom
  • This allows for custom settings for 'Bridged', 'NAT' or 'Host-only'. For example:
    • Change which interface to use (Bridged).
    • Port forwarding (NAT).
    • DHCP settings (NAT & Custom).
  • LAN segment
    • This creates a separate network, with no network access to the host, causing an isolated virtual network.
    • The VM will have their own unique IP addresses on the separate network.
    • IP addresses need to be a manually assigned or a DHCP service needs to be installed, configured and running inside the segment. There isn't any communication to the host so VMware can't offer its DHCP service.
    • Only machines that are in the same segments can communicate with each other. Multiple segments can be used at once, however these are separate networks so nodes can't communicate between segments.
    • This is useful for separating machines from any existing network access and the host, whilst allowing for communication to still happen between VMs in their virtual segments.
    • No external nodes are able to interact with the VM including the host. Only machines on the same segment are able to communicate.
By enabling the option 'Replicate physical network connection state' under 'Bridged' network type selection, when the network connection is disconnected on the host this will be reflected inside the VM. For example, if the host was using a wired connection and the cable is unplugged, or if disconnected from a wireless network, the VM will also be disconnected. By doing so, the IP address of the VM will be renewed. This is useful for mobile devices that might not always have a permitted network connection as they could be moving from wired connections or using a different wireless connection.

A good guide explaining the differences in network modes can be found here.

You can customise VMware workstation further by pressing on 'advance' or going to 'virtual network editor' (from either the start menu or VMware workstation --> Edit), to reveal more control over the virtual network.

We all learn in different ways. What works for some people, doesn't for others.
Some people learn by "watching others", or "hands on experiences", other learn by "reading about it".
We offer walkthroughs for various reasons:
  • If this is all new to you, you might want a helping hand to get you started.
  • After giving it a go, you might become stuck for a few hours, so they offer a nudge in the right direction.
  • Once completing it, you can compare methods.

We don't make you press the 'walkthrough' button, if you wish to 'cheat' - that's your decision and you're only 'cheating' yourself.

You can:

Updated on: 1.1.2020