From charlesreid1

=MySQL=
See [[MSF#MySQL]] for the MySQL exploits using the Metasploit framework.
=Recon=
Make a directory to keep the Metasploitable files in:
<pre>
$ mkdir -p box/metasploitable
</pre>
Start by using nmap to scan the host.
First, a fast scan with <code>-F</code>, which probes only the 100 most common ports:
<pre>
$ nmap -F 10.0.0.*
</pre>
Then we can do a more extensive SYN scan (<code>-sS</code>) over nmap's default port range:
<pre>
$ nmap -sS 10.0.0.*
</pre>
This reveals the IP address of the VirtualBox VM, which is 10.0.0.27.
We can also do a deeper scan of that host, adding service and version detection (<code>-sV</code>) plus OS detection, NSE script scanning and traceroute (<code>-A</code>):
<pre>
$ nmap -sS -sV -A 10.0.0.27
</pre>
This will reveal an array of services, some of which may be exploitable using Metasploit.
Sure enough, the verbose scan returns lots of useful information:
<pre>
$ nmap -sS -sV -A 10.0.0.27
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT    STATE SERVICE    VERSION
21/tcp  open  ftp        vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|  1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp  open  telnet      Linux telnetd
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp  open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo:
|  program version  port/proto  service
|  100000  2            111/tcp  rpcbind
|  100000  2            111/udp  rpcbind
|  100003  2,3,4      2049/tcp  nfs
|  100003  2,3,4      2049/udp  nfs
|  100005  1,2,3      42810/tcp  mountd
|  100005  1,2,3      45599/udp  mountd
|  100021  1,3,4      34385/tcp  nlockmgr
|  100021  1,3,4      60702/udp  nlockmgr
|  100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell      Metasploitable root shell
2049/tcp open  nfs        2-4 (RPC #100003)
2121/tcp open  ftp        ProFTPD 1.3.1
3306/tcp open  mysql      MySQL 5.0.51a-3ubuntu5
| mysql-info:
|  Protocol: 53
|  Version: .0.51a-3ubuntu5
|  Thread ID: 8
|  Capabilities flags: 43564
|  Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|  Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc        VNC (protocol 3.3)
| vnc-info:
|  Protocol version: 3.3
|  Security types:
|_    Unknown security type (33554432)
6000/tcp open  X11        (access denied)
6667/tcp open  irc        Unreal ircd
| irc-info:
|  users: 1
|  servers: 1
|  lusers: 1
|  lservers: 0
|  server: irc.Metasploitable.LAN
|  version: Unreal3.2.8.1. irc.Metasploitable.LAN
|  uptime: 0 days, 1:05:20
|  source ident: nmap
|  source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|  OS: Unix (Samba 3.0.20-Debian)
|  NetBIOS computer name:
|  Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00
TRACEROUTE
HOP RTT      ADDRESS
1  16.11 ms 10.0.0.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
</pre>
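A small triage script, added here as an example (it is not part of the original page), that parses nmap's normal-format port lines like those above and flags what a hardening review would report first: cleartext or legacy remote-shell services, anonymous FTP, and a STARTTLS certificate that had already expired at scan time. The output excerpt is taken from the scan above; the set of "legacy" services and the scan date are assumptions made for this example.

```python
import re
from datetime import datetime
# Excerpt of the nmap output shown above (a subset of port lines, chosen so
# each kind of finding appears once).
SCAN_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_Not valid after:  2010-04-16T14:07:45
1524/tcp open  shell       Metasploitable root shell
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
"""
SCAN_DATE = datetime(2016, 3, 22)  # from the Nmap header above
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Cleartext or legacy remote-shell services (assumed review policy).
LEGACY_SERVICES = {"ftp", "telnet", "exec", "login", "shell", "vnc"}

def parse_ports(text):
    """Parse port lines into dicts; NSE script lines ('|' prefix) attach to the port they follow."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def findings(ports):
    """Return (port, reason) pairs a hardening review should report."""
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        if p["service"] in LEGACY_SERVICES:
            out.append((p["port"], "legacy/cleartext service " + p["service"]))
        for s in p["scripts"]:
            if "Anonymous FTP login allowed" in s:
                out.append((p["port"], "anonymous FTP login allowed"))
            elif s.startswith("Not valid after:"):
                expiry = datetime.fromisoformat(s.split(":", 1)[1].strip())
                if expiry < SCAN_DATE:
                    out.append((p["port"], "TLS certificate expired " + expiry.date().isoformat()))
    return out
```

To run it over a full scan, save nmap's output with <code>-oN</code> and pass the file contents to <code>parse_ports</code> in place of the excerpt.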

Revision as of 05:21, 24 March 2016