Learning Hub / Target Machines / Overview

Target Machines

Section 03 Difficulty: Beginner → Intermediate

An attacker with nothing to attack learns nothing. Target machines are computers and applications built to be deliberately insecure, so you can safely practise finding and exploiting real vulnerabilities.

What you'll achieve in this section: a working web application target (DVWA) and an infrastructure target (Metasploitable 2) on your isolated lab network, ready for your Kali box to attack.

Two kinds of target, two kinds of skill

Penetration testing is commonly split into two broad disciplines — exactly the split used in our workshop methodology. We give each its own target so you can practise both.

How the targets fit the lab

Both targets attach to the same isolated host-only network as your Kali box. Your attacker reaches them by their 192.168.56.x addresses; nothing reaches the internet.

Lab topology showing Kali attacker, a DVWA web app target, and a Metasploitable infrastructure target on one isolated host-only network
Figure 1. Attacker and both target types on the isolated lab network.

These machines are intentionally riddled with serious vulnerabilities. Never attach them to a bridged adapter, your home network, or the internet. Keep them strictly host-only.