Part 1 – Infrastructure Setup
Follow the Virtual Machine setup instructions to download and install Kali and Metasploitable2 as virtual machines.
- Upload a single screenshot showing:
  - Kali VM running, logged in, and at the desktop ready for use
  - Metasploitable2 VM running and at the command prompt ready for use
  - Windows Task Manager or macOS Activity Monitor showing system resource utilization with both VMs and your host OS running concurrently. Specifically, ensure that memory (RAM) usage is shown.
Part 2 – Network Scanning
First, from the terminal of your running Metasploitable2 VM, find its IP address.
Reference: Linux IP command examples
Second, from the terminal of your Kali VM, use nmap to scan for open network services on the Metasploitable2 VM. Target the IP address you found previously, and scan all ports (0-65535).
Reference: Nmap command-line examples
Because you were scanning the Metasploitable2 VM, nearly every one of those active services listed happens to have a nasty security vulnerability of one form or another. Let’s pick one – NFS, the Network File System, for further examination.
- What command did you use to find the IP address of your Metasploitable2 VM?
- What command did you use for the nmap scan? The command should target a specific IP address and scan ports 0-65535.
- From the results of your nmap scan, what TCP port is the nfs service listening on?
Part 3 – NFS
The Network File System (NFS) on Metasploitable has a significant weakness.
First, from the Kali terminal, use the showmount command to find the export list for the Metasploitable2 VM. The export list is the set of directories made accessible via NFS, together with the IP addresses/subnets that are permitted to access each one.
- What is the export list for the Metasploitable2 VM? And more importantly, what does this export list mean?
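The two properties that make an export list dangerous are a share offered to every host and root squashing turned off (NFS then treats a remote uid 0 as root, which is what the rest of this part relies on). The following script is an added example, not part of the assignment or of Metasploitable2: it reads lines in /etc/exports syntax from standard input and flags exports with either property. The function and variable names and the sample export lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the assignment): audit an NFS export list in
# /etc/exports syntax for the two settings behind the Part 3 weakness:
#   - a directory offered to every host ("*" as the client, or no client list)
#   - no_root_squash, so a remote uid 0 is treated as root on the server
#     (this is why writing into root's home over NFS works in the lab)
# The export lines below are constructed samples, not copied from any VM.

# audit_exports : reads export lines on stdin, prints one "RISK <dir>: ..." line
# per risky export. Always returns 0; use risky_export_count for a number.
audit_exports() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac      # blank line or comment
        set -f                                        # no globbing: "*" is a client spec here
        set -- $line                                  # $1 = directory, rest = client(options) entries
        set +f
        if [ $# -eq 0 ]; then continue; fi            # whitespace-only line
        dir=$1
        shift
        reasons=''
        if [ $# -eq 0 ]; then
            reasons=' [no client list: every host may mount it]'
        fi
        for entry in "$@"; do
            host=${entry%%\(*}                        # text before "(" is the client spec
            opts=''
            case "$entry" in
                *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;;
            esac
            case "$host" in
                ''|'*') reasons="$reasons [exported to every host: '$host']" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) reasons="$reasons [no_root_squash: remote uid 0 stays root]" ;;
            esac
        done
        if [ -n "$reasons" ]; then
            printf 'RISK %s:%s\n' "$dir" "$reasons"
        fi
    done
    return 0
}

# risky_export_count : same input on stdin, prints the number of RISK lines
risky_export_count() {
    audit_exports | grep -c '^RISK' || true
}

# Constructed samples: a root-level share open to everyone with root squashing
# off (the shape of weakness the assignment has you exploit), and a hardened one
# limited to the lab subnet, read-only, with root squashed.
WEAK_EXPORTS='/ *(rw,sync,no_root_squash,no_subtree_check)'
HARDENED_EXPORTS='/srv/share 192.168.56.0/24(ro,sync,root_squash,no_subtree_check)'

demo_exports_audit() {
    echo "weak export list:"
    printf '%s\n' "$WEAK_EXPORTS" | audit_exports
    echo "hardened export list (no output means nothing flagged):"
    printf '%s\n' "$HARDENED_EXPORTS" | audit_exports
}
demo_exports_audit
```

On a real server you would run `audit_exports < /etc/exports`; on the client side, the output of `showmount -e` only shows the directory and client columns, so the no_root_squash check needs the server's file. Globbing is switched off while the line is split so that a bare `*` client is not expanded into the names of files in the current directory.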
Second, let’s abuse our NFS access now.
On your Kali system, accomplish the following tasks.
- Generate a new SSH key using the ssh-keygen command. Accept the default key location so that SSH can find the file in the future (~/.ssh/id_rsa). Leave the passphrase blank so there’s no confusion about whether you have passwordless access or not.
- Mount the NFS disk from Metasploitable2 using the mount command, so that you can access the remote files inside Kali. To accomplish this, you will first need to create an empty directory in Kali as a mount point, where the network files will then appear. I suggest a location like /tmp/metasploitable. In order to mount a network disk you need to be root, so use sudo as part of your command.
Reference: How to mount an NFS share in Linux
- Using the mounted NFS disk, append your SSH public key (the file ending in .pub, as shown in your ssh-keygen output) to the end of the existing root/.ssh/authorized_keys file in the Metasploitable2 VM (seen through your mount point, e.g. /tmp/metasploitable/root/.ssh/authorized_keys). This will grant you passwordless SSH access to that system, as your SSH client will automatically use your key to authenticate. Note: You need to be root in Kali to edit this file as root in Metasploitable. NFS simply carries your user ID number (0, for root) across the network unchanged.
Reference: man cat
Tip: This command is slightly tricky to accomplish with sudo if you want to use output redirection (which I would suggest), because the redirection is performed by your unprivileged shell, not by the command sudo runs. A common trick is to write your command like this:
sudo sh -c 'COMMAND GOES HERE >> SOME OUTPUT FILE'
- Demonstrate that you have accomplished this task by performing the following sequence, and taking a screenshot of the complete sequence 1-4:
  1. From Kali, show your hostname:
  2. SSH from the Kali VM to the Metasploitable2 VM as the root user. The command should be ssh root@xx.xx.xx.xx, where xx.xx.xx.xx is the IP address of the Metasploitable2 VM that you identified previously. If you correctly added your public key to the authorized_keys file previously, your SSH client will automatically present your private key and you should get immediate access, no password required.
  3. At the prompt, show your hostname again:
  4. Exit SSH via exit to return to Kali.
- Take a screenshot demonstrating that you have successfully inserted your public key into the Metasploitable2 VM and now have passwordless logins to that system as the root user.
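From the defender's side, the trace this part leaves behind is an extra entry in root's authorized_keys. The script below is an added example, not part of the assignment or of either VM: it reads an authorized_keys file from standard input, identifies each key by its type and base64 blob (skipping any leading options such as from="..."), and reports every key that is not on an allowlist of known keys. All function names are constructed for the demo, and the key blobs are placeholders rather than real key material.

```shell
#!/bin/sh
# Added example (not part of the assignment): the defender's check for the
# persistence step in Part 3. Each key in an authorized_keys file is compared
# with an allowlist of known keys (key type + base64 blob); anything else is
# reported so an unexpected root login key stands out. Key blobs below are
# constructed placeholders, not real keys.

# key_id LINE : print "<type> <blob>" for one authorized_keys line, skipping any
# leading options (from="...", command="...", ...). Prints nothing if no key
# type is found.
key_id() {
    set -f                      # no globbing while splitting the line into words
    set -- $1
    set +f
    while [ $# -ge 2 ]; do
        case "$1" in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                printf '%s %s\n' "$1" "$2"
                return 0 ;;
        esac
        shift
    done
    return 0
}

# audit_authorized_keys ALLOWED : ALLOWED is a newline-separated list of
# "<type> <blob>" entries (as printed by key_id). Reads an authorized_keys file
# on stdin and prints one line per entry: "OK <type>", "UNKNOWN <type> <comment>"
# or "MALFORMED <line>". Always returns 0.
audit_authorized_keys() {
    allowed=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        keyid=$(key_id "$line")
        if [ -z "$keyid" ]; then
            printf 'MALFORMED %s\n' "$line"
            continue
        fi
        ktype=${keyid%% *}
        blob=${keyid#* }
        if printf '%s\n' "$allowed" | grep -qxF -- "$keyid"; then
            printf 'OK %s\n' "$ktype"
        else
            rest=${line#*"$blob"}                 # whatever follows the blob, usually " user@host"
            printf 'UNKNOWN %s%s\n' "$ktype" "$rest"
        fi
    done
    return 0
}

# unknown_key_count ALLOWED : same input on stdin, prints the number of UNKNOWN lines
unknown_key_count() {
    audit_authorized_keys "$1" | grep -c '^UNKNOWN' || true
}

# Constructed sample keys (placeholder blobs, not real key material)
ADMIN_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEadminKEYblobNOTREAL0000000 admin@workstation'
ATTACKER_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEattackerKEYblobNOTREAL root@kali'
ALLOWED_KEYS=$(key_id "$ADMIN_KEY")     # in practice: the keys your configuration management placed there

demo_keys_audit() {
    # stand-in for: audit_authorized_keys "$ALLOWED_KEYS" < /root/.ssh/authorized_keys
    printf '%s\n%s\n' "$ADMIN_KEY" "$ATTACKER_KEY" | audit_authorized_keys "$ALLOWED_KEYS"
}
demo_keys_audit
```

Matching on type plus blob (rather than on the trailing comment) matters because the comment is free text and is the first thing anyone adding a key would change. Run from a cron job or a configuration-management check, a non-empty UNKNOWN list for root is exactly the signal that the NFS write from this part would have produced.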