A Basic Guide to Hacking Metasploitable

Hey guys, I’m just doing up a quick guide for some basic pentesting with Metasploitable, covering the basic methodology I use and some techniques, to get people looking at some tool output and pointing them in the right direction to research for themselves.

During this simple walkthrough, I’ll be discussing part of the Methodology that I use personally.

I’ll be leaving out Passive Reconnaissance as it is not required for this walkthrough and I believe it deserves a separate walkthrough.

– Reconnaissance
  o Active
  o Vulnerability Scanning
– Exploitation
– Post Exploitation

Setting up

First up, we need to set up our VM, so it’s on the same Network.

1. Click File -> Open…, browse to Metasploitable and open the VM.
2. Change the network settings: right-click on the VM (Kali / Metasploitable) and hit Settings.
3. Select Network Adapter.
4. Under Network Connection select Custom: Specific virtual network.
5. Select VMnet8.

Make sure the same applies to both VMs.

Setting up our Documentation

During this entire process we need to be documenting what we are doing and the output.

1. Click on the Top Left of your Kali VMs screen and select Applications
2. Select Reporting Tools
3. Click on Keep Note
4. Hit File -> New Notebook and Select a name and save it in your Home Directory.

Keep Note is an excellent tool for reporting; take some time to play around with it. Here is a screenshot of the layout I generally use.

Documenting is a significant part of the process. As a Pentester or VA you are generally required to submit Executive Briefs and Technical Briefs after the engagement. This is going to be extremely difficult if you have not been documenting each step of the attack or assessment. It will also help keep you on track with your attack and remind you about the avenues you have already attempted or deemed not vulnerable.

 

I use a highlight within Keep Note to track Vulnerabilities I find throughout my enumeration for easy reference if I ever return to my notes.

All right, I’ll leave it to you to play around with it. To take screenshots you can use CTRL + INSERT, which lets you drag a square over anything on the screen to cut out an image, like I’ve been doing throughout this document.

Network Ping Sweep

To start off, let us run the ifconfig command to find out the subnet we are working on.

The next thing we need to do is find out what is on our Subnet.

We can do this via a ping sweep, and we can conduct one in multiple ways. I can utilise a tool such as NMAP.

Syntax = nmap -sn hostipaddress/subnet -n

Example = nmap -sn 192.168.1.0/24 -n

Breakdown,

The arguments/switches (call them whatever you like) I’m using are “-sn”, which tells nmap I want to conduct a ping scan, and “-n”, which says no DNS resolution; this helps speed up the scan as we only care what hosts are on the network.

Also, for good practice, we could make a bash script to do this.

#!/bin/bash
# Ping every host in 192.168.1.0/24 once and print the address of each one that replies.
# -W 1 (Linux ping) waits at most 1 second per host so dead addresses don't stall the sweep.
for x in {1..255}; do
    ping -c 1 -W 1 192.168.1.$x | grep "64 b" | cut -d " " -f 4
done

Remember, after saving your bash script we need to make it executable. We can do this via chmod +x scriptname.sh; try doing it the other ways as well, via the numeric values, remembering the

421|421|421

(read = 4, write = 2, execute = 1, one group of three for each of owner, group and others).

For the variable x that varies from 1..255, ping once (-c 1) and grep for “64 b”, which matches the “64 bytes from” line of a live host’s reply. Then cut on the delimiter “space” and take field 4 (-f 4), which is the address of the replying host.

Cool beans. So now we know the hosts on our network, it’s time to jump into our ACTIVE Reconnaissance.

 

Active Reconnaissance

All right, now that we know the necessary footprint of our network we can start going into our Active Reconnaissance where we will enumerate the services running on the remote hosts and even more. We will also conduct vulnerability scans against specific services as well, looking for avenues of exploitation and hopefully get a reverse shell.

We start off by conducting some Port and Service enumeration on our remote target.

There are numerous ways we can do this via a few different tools.

I’ll only be covering one tool, “NMAP”, and there are still multiple methods to do this; I’ll just be touching on one method, but I encourage you to utilise man nmap or nmap --help and read some of the different arguments you can use to obtain other targeted information.

The Scan we will be conducting is a Version and Script scan.

Syntax = nmap host -sV -sC -p- -T4

Example = nmap -sV -sC 192.168.126.131 -p- -T4

Breakdown,

“Nmap” obviously is the tool we are utilising. The argument “-sV” tells Nmap to enumerate versions, “-sC” tells nmap to conduct a script scan on the remote host, and the “-p” argument specifies ports, which we can utilise in multiple ways:

-p 1-1000 = This will scan all the ports between 1 and 1000

-p- = This will scan all 65535 ports

--top-ports 3000 = This will scan the top x most common ports, 3000 in this case.

All right, let’s move on with the output from our NMAP Scan. Don’t be deterred by the output.

Metasploitable is an extremely vulnerable machine with a massive attack surface, so much information is expected.

Soooo much outtttputttt

As you can see, there is a lot of information to go through here and a lot of different avenues we can start researching for known exploits and vulnerabilities that could potentially give us access to the remote machine. However, remote access is not always the game; some of these may be vulnerable to Denial of Service attacks or data leaks. These could also be extremely useful avenues of attack, and all should be considered when looking at exploiting a remote host.

So there we have it, our basic port and service enumeration for a remote host. There are still a lot of other techniques and tools that can do this; we can utilise tools such as Netcat or even script our own port scanners utilising languages such as Python.
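Since the post mentions scripting your own port scanner in Python, here is an added example (my code, not from the original post): a threaded TCP connect scanner that records the service banner, run here against a constructed local listener that imitates an FTP greeting rather than against a VM.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Optional, Tuple


def probe(host: str, port: int, timeout: float = 1.0) -> Optional[Tuple[int, str]]:
    """TCP connect() to host:port. Returns (port, banner) if the port is open,
    None if the connection is refused, unreachable or times out (closed/filtered).
    The banner is whatever the service sends first: FTP, SSH and SMTP greet on
    connect, HTTP stays silent, so an empty banner still means the port is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except OSError:  # no greeting within the timeout (or reset): still open
                banner = ""
            return port, banner
    except OSError:
        return None


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0,
               workers: int = 64) -> Dict[int, str]:
    """Probe the given ports in parallel and return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(h for h in hits if h is not None)


def start_banner_server(banner: bytes) -> int:
    """Constructed stand-in for a target service so the scanner runs offline:
    listens on 127.0.0.1, sends `banner` to each client and hangs up.
    Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo: scan the local fake "vsftpd" plus a neighbouring (normally closed) port.
    open_port = start_banner_server(b"220 (vsFTPd 2.3.4)\r\n")
    for port, banner in sorted(scan_ports("127.0.0.1", [open_port, open_port + 1]).items()):
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

Against a real host, pass the full range (`range(1, 65536)`) and compare the result with your nmap -sV output; the banners are the strings you would later feed to Searchsploit.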

Exercise

1. Conduct an NMAP scan of the target network for 80,443 only.

2. How do you conduct a UDP Port Scan?

3. How do you spoof source IP & MAC addresses?

Vulnerability Scanning

Vulnerability scanning is utilising a tool such as “Nikto” to look for known vulnerabilities in a specific service. During this stage, I’ll just be touching on Nikto, a web server vulnerability scanner, but there are a lot of vulnerability scanners out there such as Nessus/OWASP-ZAP/WPSCAN and so on. Take some time to look at what other tools are out there that can be utilised to check an exposed service for known vulnerabilities against an extensive database.

Nikto – Nikto is a web vulnerability scanner that checks against predefined vulnerabilities that manual analysis might miss.

It can enumerate versions, find hidden directories (i.e. admin login panels) and check for vulnerabilities like Local File Inclusion or Remote File Inclusion that may potentially give us an avenue to ultimately compromise the remote host/server or traverse directories.

This is just a general outline, and I recommend reading the man page and checking out “-H” for some other ways to use it besides the one shown.

Right, so onto why we are running this vulnerability scanner. Why? Think back to our initial reconnaissance, the enumeration of ports and services. Notice how NMAP returned that port 80 “Http” was open and was running an Apache web server.

Well, this is how we will further enumerate that specific service. There are so many ways to do this; we can utilise tools such as dirb, or for the GUI version dirbuster, to try and brute force directories.

Alternatively, we can try and be a bit more discreet about this and browse to the website ourselves and look around, view the source code and document what we find: versions, input fields or website functionality such as upload.

Now let’s pause quickly.

“If there was a Blue Team actively protecting this Network, What do you think they would see right now if you were running all these Tools? Always keep that in mind”

However, this is Metasploitable, and no one cares how hard I kick it in the head, so let’s move on.

To start off with our Nikto scan, we need to know some basic syntax

Syntax = nikto -h ipaddress -p port

Example = nikto -h 192.168.126.131

Breakdown,

Nikto is the tool, “-h” specifies the host and “-p” specifies a port. If you do not utilise the “-p” argument it will default to port 80. Sometimes during initial port and service enumeration you will find web servers on obscure ports, something like 4564; now you know to use the “-p” argument to specify that you want to scan a web server at that specified port. Also, browse to it by using http://host:port/ if it isn’t using the default port.

 

 

So what is this giving us, from the top down?

• Server versions
• The language the Web Server was written in.
• Information on the release date of the current version
• OSVDB – Open Source Vulnerability Databases.

Vulnerability Scanning Continued

Another tremendous built-in tool, which utilises an extensively large vulnerability database built into Kali, is Searchsploit; we can utilise it with the information we have now to see if our Kali VM holds any known exploits for Metasploitable that could potentially give us a shell.
Searchsploit is excellent for finding known exploits and vulnerabilities outside of Google. Also, we don’t have internet on these laptops, so you’ve got no choice.
Let us go back to our initial NMAP scan, have a look at the first thing on the list and run it through Searchsploit to see if we can find anything.

Syntax = searchsploit nameofserviceandorversion

Example = searchsploit vsftp 2.3.4

Breakdown,

Search for the keywords vsftpd 2.3.4 through the known exploit DB.

Well, looky here.

It found an Exploit, a Backdoor Command Execution Exploit. This also has a Metasploit module. This is going to make things extremely easy for us.
See how it also has the path to the ruby script as well?

/usr/share/exploitdb/platform/unix/remote/17491.rb

This is handy for people who are interested in learning about the back end of the exploit and want to try and replicate it in another language.
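Running every service from the scan through Searchsploit (exercise 1 below) lends itself to a little automation. As an added example (my code, not from the original post), this parses nmap’s greppable output (nmap -sV -oG scan.gnmap) and builds one search term per open service; the report below is a constructed sample, with vsftpd 2.3.4 from the post and the other rows illustrative.

```python
import re

# Constructed sample of nmap -sV greppable (-oG) output for the Metasploitable host.
# Each port entry is port/state/proto/owner/service/rpc/version/ and nmap writes "|"
# in place of "/" inside the version field (see DAV|2) so "/" stays the separator.
SAMPLE_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.126.131 ()\tStatus: Up\n"
    "Host: 192.168.126.131 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, "
    "139/filtered/tcp//netbios-ssn///\tIgnored State: closed (65531)\n"
)


def parse_og(text):
    """Return one dict per port entry: host, port, state, proto, service, version."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue
        # Tab-separated "Key: value" sections: Host, Ports, Ignored State, ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            records.append({"host": host, "port": int(port), "state": state,
                            "proto": proto, "service": service,
                            "version": version.replace("|", "/")})
    return records


def searchsploit_queries(records):
    """One 'product version' term per open port with a version string. The banner
    is trimmed after the first version-looking token, because searchsploit matches
    all words of the term and trailing noise like '(protocol 2.0)' hides results."""
    queries = []
    for r in records:
        if r["state"] != "open" or not r["version"]:
            continue
        m = re.match(r"(.+?\s\d\S*)", r["version"])
        term = m.group(1) if m else r["version"]
        if term not in queries:
            queries.append(term)
    return queries


if __name__ == "__main__":
    for q in searchsploit_queries(parse_og(SAMPLE_OG)):
        print(f"searchsploit {q}")
```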

Exercise

1. Use the output from our initial NMAP Scan and use Searchsploit to find other Vulnerabilities

2. Copy an exploit to your home directory and examine it, see if you can understand the workings behind the exploit.

Exploitation

All right, Time for us to pop a shell.

So now that we have a known exploit that gives us command execution on the remote machine, we need a tool that can help us fire said exploit. We can do this many ways; we could…

1. Write our own exploit from the proof of concept of the known exploit. (Most technical)

2. Check Exploit-DB or equivalent and see if we can find another public exploit for the same vulnerability. (Middle class)

3. We can utilise the Metasploit Module that is already on our Kali VM (Easy)

We are just going to go with the Metasploit module that is already within Kali Linux. It’s a great way to start off, but as you progress I recommend minimising your use of the Metasploit Framework, as that will assist you in better understanding exploits.

Metasploit is a framework that contains an extensive database of exploits for known vulnerabilities, and it also has heaps of other functionality that I implore, nay, demand you go and learn about; there is also a great book that focuses on all the beautiful things the Metasploit Framework brings to the world of Offensive Security.
Now, there are a couple of ways we can open up Metasploit, and we are going to focus on the CLI side of Metasploit.

On the far left of your screen, you can click on the “M” Icon which will start Metasploit.

Opening Armitage will turn you into a Weeaboo, be warned. But seriously, Metasploit already makes it too easy; get used to working with the CLI, it will pay off in the long run.

You can also type msfconsole into the Terminal.

You should now be sitting with your Terminal looking like so, Welcome to the Metasploit framework.

Cool.

Now you might be thinking, how do I find the vsftpd 2.3.4 exploit within the framework? Well, they have search functionality that will make that extremely easy.

Also on that, they have a help function just like all proper Tools within Kali Linux.

Now let’s get back to finding the exploit within Metasploit. We can type search vsftpd 2.3.4 and see what it returns.

Jeeze that was hard, here we go. However, how do we load the module that we want to use against our Target?

We can use the

use exploit/unix/ftp/vsftpd_234_backdoor

command and it will load our ruby script.

Great, now we have loaded the Metasploit module, but it’s not ready to use yet. Some options need to be configured for the Metasploit Module before we can Fire it.

We can see the required input fields for the module by using the command “show options”; it will list all the required fields for the module before it can be run.

Exploit/Auxiliary modules may require various settings before they can be executed, so it’s something that has to be checked.

As you see we are required to give it the IP Address of the Target before we can execute it.

We can set this by utilising the command set NAME setting, in this case set RHOST 192.168.126.131 (newer Metasploit versions name this option RHOSTS; show options tells you which one your module expects).

Sweetasbruh, So now the module has all the information required to run against our target.

We can do this by typing run, or exploit if you are feeling Cyber.

/r00t/ dance

Exercises

1. Utilizing Searchsploit and other Tools see what else you can find and exploit against the Target Host.

2. Document and Report a Full Attack from Start to Finish.

Hope this helps guys,
