Target Machines
An attacker with nothing to attack learns nothing. Target machines are computers and applications built to be deliberately insecure, so you can safely practise finding and exploiting real vulnerabilities.
What you'll achieve in this section: a working web application target (DVWA) and an infrastructure target (Metasploitable 2) on your isolated lab network, ready for your Kali box to attack.
Two kinds of target, two kinds of skill
Penetration testing is commonly split into two broad disciplines — exactly the split used in our workshop methodology. We give each its own target so you can practise both.
🌐 Web Application Targets
Attacking websites and web apps: SQL injection, cross-site scripting, broken access control, file upload flaws, and more. Practised on DVWA.
3.2🖥️ Infrastructure Targets
Attacking servers, services, and operating systems: enumeration, vulnerable services, and remote exploitation. Practised on Metasploitable 2.
How the targets fit the lab
Both targets attach to the same isolated host-only network as your Kali box. Your attacker reaches them by their 192.168.56.x addresses; nothing reaches the internet.
These machines are intentionally riddled with serious vulnerabilities. Never attach them to a bridged adapter, your home network, or the internet. Keep them strictly host-only.