Scanning And Enumeration, Introduction To Metasploit Framework.
Metasploitable 2 Walkthrough (Part-1)
Metasploitable 2 is an intentionally vulnerable Linux virtual machine. This virtual machine can be used to conduct security training, test security tools, and practice common penetration testing techniques. Never expose this virtual machine to an untrusted network.
First, you will need to export Kali Linux and Metasploitable 2 virtual machines into VMware workstation / Virtualbox / Hyper-V. I will use VMware workstation in this walkthrough. You can use any hypervisor you want, it doesn’t matter.
If you have trouble exporting Virtual Machines into VMware workstation , you can see below link.
Import an Open Virtualization Format Virtual Machine
Setting up Network Connection between Kali and Metasploitable 2
You need to change both Virtual Machines’ Network adapters to NAT or Host-Only.
If you need to access internet from Virtual Machines , use NAT. If internet access is not needed , use Host-Only.
Kali Linux
Change Kali Linux Network Adapter to "NAT" from virtual machine setting.
Metasploitable 2
Also change Metasploitable 2 network adapter to "NAT".
After setting up the network interfaces, power on both machines.
Login to your Kali Linux Virtual Machine.
Default credentials are username:root , password:toor.
Default credentials for Metasploitable 2 are username:msfadmin , password:msfadmin.
But you really don’t need to login to Metasploitable 2, we will find a way to get into it.
Next , we will need to check our Kali linux machine IP address.
Use “ifconfig” command for this one.
As we can see , our Kali machine IP address is 192.168.164.132 ,means we are in 192.168.164.0/24 network.
Your Kali machine IP might be different. Just use your IP instead of mine.
Next we need to find out our Victim Machine (Metasploitable 2) ip address.
Next we need to find out our Victim Machine (Metasploitable 2) ip address.
For this case , we will use a tool call “netdiscover” .
Netdiscover is a simple ARP scanner which can be used to scan for live hosts in a network.
We will use “netdiscover -r 192.168.164.0/24” to find out which hosts are alive in our network.
We will use “netdiscover -r 192.168.164.0/24” to find out which hosts are alive in our network.
“-r” switch is use to define network range.
We can see 4 IPs are alive , keep in mind that .1 , .2 and .254 IPs are used by VMware Workstation.
So our Victim machine (Metasploitable 2) IP is 192.168.164.133.
Next we need to find out which services are installed on our Victim machine.
We will use “Nmap” network scanner for that one.
We can see 4 IPs are alive , keep in mind that .1 , .2 and .254 IPs are used by VMware Workstation.
So our Victim machine (Metasploitable 2) IP is 192.168.164.133.
Next we need to find out which services are installed on our Victim machine.
We will use “Nmap” network scanner for that one.
Nmap, is a free, open-source tool for vulnerability scanning and network discovery. Network administrators use Nmap to identify what devices are running on their systems, discovering hosts that are available and the services they offer, finding open ports and detecting security risks.
First we will use Nmap fast scan option to find out which services/ports are installed on our Victim machine.
Command is “nmap -F 192.168.164.133 -v”.
“-F” switch is use to fast scan the host/network” , “-v” switch is for verbosity so that we can see what is happening behind the scanner.
Our Nmap scan result gives us open ports on Victim Machine.
As we can see there are too many open ports on our Victim machine.
“The more services/apps you use, the more vulnerable you are.”
Command is “nmap -F 192.168.164.133 -v”.
“-F” switch is use to fast scan the host/network” , “-v” switch is for verbosity so that we can see what is happening behind the scanner.
Our Nmap scan result gives us open ports on Victim Machine.
As we can see there are too many open ports on our Victim machine.
“The more services/apps you use, the more vulnerable you are.”
Next step is to discover the service version (software versions) of the open ports on your Victim Machine.
We will use “nmap -sS -sC -sV -O 192.168.164.133 -v”.
“-sS” switch is for TCP-SYN scan.
“-sC” switch is for script scan.
“-sV” switch is service versions detection.
“-O” is Operating System detection.
Scan result is as below.
As we can see , Nmap is showing the open ports and service versions those are installed on our victim machine.
We will use “nmap -sS -sC -sV -O 192.168.164.133 -v”.
“-sS” switch is for TCP-SYN scan.
“-sC” switch is for script scan.
“-sV” switch is service versions detection.
“-O” is Operating System detection.
Scan result is as below.
As we can see , Nmap is showing the open ports and service versions those are installed on our victim machine.
The goal of scanning the services on Victim machine is to identify the vulnerable softwares installed on it.
If we know the software versions , we can find that software version has vulnerability or not using Google , Searchsploit , Exploit-DB , etc..,
Let’s find out.
As we can see in our above scan result , our victim machine has FTP service running and it’s FTP software version is “vsftpd 2.3.4”.
We can also use the specific port scan in Nmap using;
If we know the software versions , we can find that software version has vulnerability or not using Google , Searchsploit , Exploit-DB , etc..,
Let’s find out.
As we can see in our above scan result , our victim machine has FTP service running and it’s FTP software version is “vsftpd 2.3.4”.
We can also use the specific port scan in Nmap using;
“nmap -sS -sC -sV -p 21 192.168.164.133”
“-p” switch is used to specify which port to scan. It saves you time and shows more clear results.
There we go , FTP service is running and version is “vsftpd 2.3.4”
Now we have to find out “vsftpd 2.3.4” is a vulnerable software or not.
You can google it or you can use “Searchsploit” in Kali linux.
I will show you how to use Searchsploit to find the vulnerabilities.
“searchsploit vsftpd 2.3.4”
As we can see , “vsftpd 2.3.4” has “Backdoor Command Execution” vulnerability and it can be exploit using “Metasploit Framework”.
Let’s start the exploitation.
Fire up “Metasploit” . Just type “msfconsole” in terminal.
Metasploit will take a while to start if you are starting it for the first time. Just wait.
Above is the screenshot of “Metasploit Framework”. It’s the penetration testing framework which is used by tons of Penetration Testers and Hackers.
“-p” switch is used to specify which port to scan. It saves you time and shows more clear results.
There we go , FTP service is running and version is “vsftpd 2.3.4”
Now we have to find out “vsftpd 2.3.4” is a vulnerable software or not.
You can google it or you can use “Searchsploit” in Kali linux.
I will show you how to use Searchsploit to find the vulnerabilities.
“searchsploit vsftpd 2.3.4”
As we can see , “vsftpd 2.3.4” has “Backdoor Command Execution” vulnerability and it can be exploit using “Metasploit Framework”.
Let’s start the exploitation.
Fire up “Metasploit” . Just type “msfconsole” in terminal.
Metasploit will take a while to start if you are starting it for the first time. Just wait.
Above is the screenshot of “Metasploit Framework”. It’s the penetration testing framework which is used by tons of Penetration Testers and Hackers.
It’s a must have tool for every Penetration Testers.
As we already know we have exploit for “vsftpd 2.3.4” in Metasploit.
Let’s find it.
Use “search” command to find exploits inside Metasploit.
“search vsftpd 2.3.4”
There is our exploit for “vsftpd 2.3.4”.
“exploit/unix/ftp/vsftpd_234_backdoor”
We will use above exploit to hack into the Victim Machine.
Just type “use” command to use the available exploits in Metasploit.
“use exploit/unix/ftp/vsftpd_234_backdoor”
Now we are using the exploit “vsftpd_234_backdoor”.
Next ,we’ll need to check what do we need to provide for successful exploitation of our exploit.
Use “show options” command.
“show options”
We can see , the exploit needs “RHOSTS – Remote Host (Target Machine IP address)” option to attack the Victim.
We have to provide it. Use “set” command to set require options for exploit.
“set RHOSTS 192.168.164.133”
Now we are ready to go. The exploit no longer need other options. It only ask for the remote host IP.
To exploit the Target machine , just type;
“exploit”
Metasploit will do the rest.
Congrats, you have successfully hacked into the Victim Machine.
“Command Shell Session 1 opened” – means you now have the control over the Victim machine's Terminal.
You can try issuing commands such as – ls , cd , whoami , uname -a , etc…,
You can see the Directory Listing inside Victim Machine.
“whoami” command output shows “root’ . Means you are the “root” user and have full permission.
You can check the OS version and build using ‘uname -a’.
Good Luck!
I will continue the walkthrough in “Metasploitable Walkthrough Part-2”
Comments
Post a Comment