Breaking Tutorial on Hacking Metasploitable 2 with MetaSploit
- What is Metasploitable?
- Recon Metasploitable Virtual Machine
- Attacking Metasploitable Services
- Attack Linux DistCC Daemon Command Execution
- Attack PostgreSQL Server Port 5432
- Attack Samba Server Port 139
- Attack Samba Server Port 445
- Attack Apache and PHP 5.3
- Attack FTP Service Port 21 (vsftpd 2.3.4)
- Attack Unreal IRC Server Port 6667
- Attack Apache PHP CGI Argument Injection
- Leverage Metasploitable Backdoors
- Attack Metasploitable Web Services
- Metasploitable Weak Passwords
What is Metasploitable?
Metasploitable is a test environment that provides a safe, isolated place to perform penetration testing and security research. For your test environment, you need a Metasploit instance that can reach a vulnerable target. The following sections describe the requirements and instructions for setting up that vulnerable target.
The default login and password is msfadmin : msfadmin.
Never expose this VM to an untrusted network (use NAT or Host-only networking mode if you are unsure what that means).
Metasploitable Download VM
The easiest way to get a target machine is to use Metasploitable 2, an intentionally vulnerable Ubuntu Linux virtual machine designed for testing common vulnerabilities. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.
The compressed file is about 800 MB and can take up to 30 minutes to download. After you have downloaded the file, you will need to unzip the file to see its contents.
Once the VM is available on your desktop, open the virtual machine file and run it with VMware Player. Alternatively, you can also use VMware Workstation or VMware Server.
Recon Metasploitable Virtual Machine
Scanning the Machine for Open Ports
msf5 > db_nmap 172.16.74.129 -p0-65535
Attacking Metasploitable Services
Attack Linux DistCC Daemon Command Execution
Attack Linux DistCC Daemon – This module uses a documented security weakness to execute arbitrary commands on any system running distccd.
Attack PostgreSQL Server Port 5432
Attack PostgreSQL Server – This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.
Attack Samba Server Port 139
Attack Samba Server – This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands.
Attack Samba Server Port 445
Attack Samba Server – This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writable share must be specified. The newly created directory will link to the root filesystem.
Attack Apache and PHP 5.3
Attack Apache – When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution.
Attack FTP Service Port 21 (vsftpd 2.3.4)
Attack FTP Service – This module exploits a malicious backdoor that was added to the vsftpd 2.3.4 download archive (vsftpd-2.3.4.tar.gz) in mid-2011; the backdoor is present in the distributed archive rather than in the vsftpd code itself.
Attack Unreal IRC Server Port 6667
Attack Unreal IRC Server – This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
Attack Apache PHP CGI Argument Injection
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution.
From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.”
This module can also be used to exploit the Plesk 0day disclosed by kingcope and exploited in the wild in June 2013.
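The query-string rule quoted from the advisory can be turned into a log check. The following Python is an added example (not code from the original tutorial or from Metasploit): it models the RFC 3875 split/decode step for a query string without an unescaped '=' and flags access-log requests whose query string would reach php-cgi as option-like arguments. The log lines are constructed, and the directive name in the last one is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed Apache access log lines (not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2021:12:00:01 +0000] "GET /index.php?page=home+about HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2021:12:00:02 +0000] "GET /index.php?hello+world HTTP/1.1" 200 128
10.0.0.9 - - [10/Jun/2021:12:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 4096
10.0.0.9 - - [10/Jun/2021:12:00:04 +0000] "GET /cgi-bin/php?%2Dd+some_directive%3Dvalue HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def cgi_argv_from_query(query: str) -> list[str]:
    """Model the RFC 3875 rule quoted in the advisory: if the query string has
    no unescaped '=', it is split on '+', each part is URL-decoded, and the
    parts become command-line arguments of the CGI binary. With an '=' present
    the server passes nothing on the command line, so argv is empty."""
    if "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]

def suspicious_cgi_args(target: str) -> list[str]:
    """Return the decoded argv tokens php-cgi would parse as options (they
    begin with '-'); an empty list means the request is not flagged. Decoding
    happens after the split, so an encoded dash (%2D) is still caught."""
    _, _, query = target.partition("?")
    if not query:
        return []
    return [arg for arg in cgi_argv_from_query(query) if arg.startswith("-")]

def scan_access_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (request target, flagged options) for each log line whose query
    string would reach the CGI binary as option-like arguments."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        flagged = suspicious_cgi_args(m.group("target"))
        if flagged:
            hits.append((m.group("target"), flagged))
    return hits

if __name__ == "__main__":
    for target, args in scan_access_log(SAMPLE_LOG):
        print(f"flagged {target}: argv options {args}")
```

Only the third and fourth sample lines are flagged: the first contains a literal '=' and is never split into arguments, and the second splits into plain words that php-cgi does not treat as options.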
Leverage Metasploitable Backdoors
Attack Metasploitable Web Services
Metasploitable Weak Passwords