For this lab I will be using the Metasploitable machine, which is specifically designed as a lab for testing these vulnerabilities.

The goal of this section is to explore vulnerability scanning with the Metasploit framework and utilities such as searchsploit in Kali.

The first thing I did was set up both the Metasploitable machine and the Kali machine on the same network so they could communicate with each other (from now on I will post the commands I used for each section).

The first step was getting my IP address and the network address so I could do a ping sweep and check how many devices were online before doing anything else.

nmap -sn 10.0.2.0/24

The responses I got were from my own machine and from 10.0.2.15.

After this, I had to connect PostgreSQL to the Metasploit framework. While in the labs it is usually already online, on my own machine I had to modify the postgres user and add a password so I could log in from the Metasploit framework console, which I did with:

db_connect postgres:postgres@localhost/msf

Then, the usual: create the workspace and check whether the connection to the database was actually working.

After this I checked which ports Metasploitable had open:

db_nmap -sS -sV -O -T4 10.0.2.4

host      port  proto  name         state  info
----      ----  -----  ----         -----  ----
10.0.2.4  21    tcp    ftp          open   vsftpd 2.3.4
10.0.2.4  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.2.4  23    tcp    telnet       open
10.0.2.4  25    tcp    smtp         open
10.0.2.4  53    tcp    domain       open   ISC BIND 9.4.2
10.0.2.4  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.0.2.4  111   tcp    rpcbind      open   2 RPC #100000
10.0.2.4  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
10.0.2.4  445   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
10.0.2.4  512   tcp    exec         open
10.0.2.4  513   tcp    login        open
10.0.2.4  514   tcp    shell        open
10.0.2.4  1099  tcp    java-rmi     open   GNU Classpath grmiregistry
10.0.2.4  1524  tcp    bindshell    open   Metasploitable root shell
10.0.2.4  2049  tcp    nfs          open   2-4 RPC #100003
10.0.2.4  2121  tcp    ccproxy-ftp  open
10.0.2.4  3306  tcp    mysql        open
10.0.2.4  5432  tcp    postgres     open   PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3
                                           (Ubuntu 4.2.3-2ubuntu4)
10.0.2.4  5900  tcp    vnc          open   VNC protocol 3.3
10.0.2.4  6000  tcp    x11          open   access denied
10.0.2.4  6667  tcp    irc          open   UnrealIRCd
10.0.2.4  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
10.0.2.4  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1

In the video I followed in the eJPT academy I got to scan for vulnerabilities in certain services that are no longer present in this version of Metasploitable, since it is a newer version, so I decided to check whether I could use some modules to exploit some of the services I was finding. I must say that at first it was kind of difficult and I felt stuck.

Buuuuut, as it's usually said, practice makes perfect, and so by trying I am slowly adding some tools to my arsenal hehe.

I won't post all the services I actually scanned and later exploited, but I will give some examples that can be used for this purpose, for instance PostgreSQL. So, I did the following:

search type:exploit name:postgres

or

searchsploit postgres | grep -e "Metasploit"

(This way I can check whether the exploit is actually implemented in msf.)

Result:

PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)                | multiple/remote/46813.rb
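As an added example that is not part of the original lab notes, the following POSIX shell script chains the two steps above: it parses the db_nmap services table into product/version banners and prints one searchsploit command per banner, keeping the same Metasploit grep. The table is embedded as a constant so the script runs offline; searchsploit itself is only needed when the printed commands are actually run.

```shell
#!/bin/sh
# Added example, not from the original lab notes: turn the msf `services`
# table into searchsploit queries, one per open port that reported a banner.
# The table is the lab output embedded as a constant so the script runs
# offline; a real run would feed `services` output from msfconsole instead.

SERVICES_TABLE='host      port  proto  name         state  info
----      ----  -----  ----         -----  ----
10.0.2.4  21    tcp    ftp          open   vsftpd 2.3.4
10.0.2.4  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.2.4  23    tcp    telnet       open
10.0.2.4  53    tcp    domain       open   ISC BIND 9.4.2
10.0.2.4  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
10.0.2.4  5432  tcp    postgres     open   PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3
                                           (Ubuntu 4.2.3-2ubuntu4)
10.0.2.4  6667  tcp    irc          open   UnrealIRCd'

# Print "port<TAB>name<TAB>product version" for each open port with a banner.
# The header, the dashes, wrapped continuation lines and ports with an empty
# info column are skipped; the banner is cut after the first token that
# starts with a digit, so "PostgreSQL 8.3.1 on i486-..." becomes "PostgreSQL 8.3.1".
banner_terms() {
    printf '%s\n' "$SERVICES_TABLE" | awk '
        NR <= 2           { next }   # column header and separator
        $1 !~ /^[0-9]+\./ { next }   # continuation of a long banner
        NF < 6            { next }   # open port but no version info
        {
            term = ""
            for (i = 6; i <= NF; i++) {
                term = (term == "" ? $i : term " " $i)
                if ($i ~ /^[0-9]/) break
            }
            print $2 "\t" $4 "\t" term
        }'
}

# One searchsploit command per banner, keeping the grep from the post so only
# entries that ship as Metasploit modules are listed.
searchsploit_cmds() {
    banner_terms | while IFS="$(printf '\t')" read -r port name term; do
        printf 'searchsploit "%s" | grep -e Metasploit   # %s/%s\n' "$term" "$port" "$name"
    done
}

searchsploit_cmds
```

Ports with an empty info column (telnet, smtp, the r-services) are left out on purpose: a bare service name gives searchsploit far more noise than a product and version do.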

I didn't really know whether the postgres service running on the Metasploitable machine was vulnerable or not, but I supposed that since the service version was older than the exploit version it was going to be vulnerable, so I just tried launching the exploit to see what would happen, and I got to exploit it because it worked.

Anyway, in the course we also used the db_autopwn plugin and analyze, but I didn't find those very useful. What I did find is that in the searchsploit results I often got CVE references which I could use to search for the exploit, but these references were also appearing in the module information, so no big deal at all.
