Metasploitable 3 Windows Walkthrough: Part I

Overview

Metasploitable3 is a Windows Server 2008 VM built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit. Not every vulnerability on Metasploitable3 can be exploited with a single Metasploit module, but some can. Note also that, by default, the image is configured to use some of the mitigations Windows provides, such as restrictive permission settings and the Windows firewall.

Network Setup

To conduct these exercises you need two machines: one is used for attacking, the other is the victim. Virtual machines are the best choice for training purposes, so in the following examples a Kali Linux VM and a Metasploitable 3 VM are connected to a VirtualBox internal network with a router between the two VMs.

To change the network settings of the Metasploitable 3 VM, follow the normal procedure for configuring network interfaces in Windows. The VM also has the standard Windows firewall installed and configured with a set of rules. In the following examples the firewall is turned off, but feel free to turn it back on or tweak the rules.

Metasploitable 3 firewall settings

Having the firewall turned off from the start lets you get complete scan results.

If you decide to attack the VM with the firewall on, turning it off could be one of your first tasks once you are on the box. Alternatively, once you have a shell you can set up an SSH tunnel and reach the services the firewall blocks through it.

Scanning and Enumeration

The first step is to gather as much information as you can about the remote system. Use Nmap, Legion and OpenVAS to identify the open ports, running services and vulnerabilities on the target.

Nmap scan

Nmap discovers hosts and services on a network by sending packets and analysing the responses. It provides a number of features for probing networks, including host discovery, service detection and operating system detection. You can run Nmap directly from the CLI, but it is a good idea to run it from within Metasploit (with the db_nmap command) so that the results are added to the MSF database for further analysis and later use.

There are many scanning possibilities, but the following choices of options balance speed with accuracy. As you add more options you trade speed for better results (note that -sS, the SYN scan, requires root privileges, and is already Nmap's default scan type when run as root):

  • nmap -sS [IP Address]
  • nmap -sV [IP Address]
  • nmap -T4 -sV --version-all --osscan-guess -A [IP Address]

Typical results:

Metasploitable 3 Nmap initial scan results

However, the previous options won't show you all the open ports. By default Nmap scans only the 1,000 most commonly used ports for each protocol (chosen from the frequency data in its nmap-services file). The -sV option does not widen that selection: version detection only interrogates the ports that were already found open, in order to identify the service and version running on them.

Therefore, it is a good idea to run some scans covering wider port ranges (-p 1-65535, or simply -p-, covers them all). Note that -A already enables -sV, -O, -sC and --traceroute, so the later commands mostly add host-discovery options (-PA sends TCP ACK pings) and wider port ranges, and --osscan-guess only has an effect when OS detection is enabled:

  • nmap -sV --osscan-guess -p 1-10000 [IP Address]
  • nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
  • nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
  • nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
  • nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]

and even UDP ports (UDP scanning is much slower, so consider --top-ports or a shorter range first):

  • nmap -sU -sV --version-all -p 1-10000 [IP Address]

And these are the results:

Metasploitable 3 Nmap final scan results

As you can see, there are many open ports and running services on the target VM.
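As an added example, not code from the original walkthrough, the Python script below parses Nmap's XML output (the format `nmap -oX` writes and `db_import` in msfconsole reads) and shows why the wider port range matters: it compares a default-port scan with a full-range scan of the same host, lists the open ports the narrow scan missed, prints a service summary, and pulls out Nmap's best OS match. The two XML documents are constructed by hand to resemble Nmap output for a Metasploitable3-style host; the address 192.168.56.10, the specific ports, products and OS matches are illustrative assumptions, not results captured on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a default-port scan (Nmap's top 1,000 TCP ports).
# Hand-written to resemble `nmap -sV -O -oX` output; host, ports and OS
# matches are illustrative assumptions, not real Metasploitable3 results.
DEFAULT_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX default.xml 192.168.56.10">
  <host>
    <address addr="192.168.56.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows 7" accuracy="90"/>
      <osmatch name="Microsoft Windows Server 2008 R2" accuracy="94"/>
    </os>
  </host>
</nmaprun>
"""

# Constructed sample: the same host scanned with -p-. Two high ports that a
# top-1,000 scan would never touch are added (again illustrative).
EXTRA_HIGH_PORTS = """      <port protocol="tcp" portid="4848"><state state="open"/><service name="http" product="Oracle GlassFish"/></port>
      <port protocol="tcp" portid="8484"><state state="open"/><service name="http" product="Jetty"/></port>
"""
FULL_SCAN_XML = DEFAULT_SCAN_XML.replace(
    "    </ports>", EXTRA_HIGH_PORTS + "    </ports>"
).replace("-oX default.xml", "-p- -oX full.xml")


def parse_nmap_xml(xml_text):
    """Parse the first <host> of an Nmap XML document.

    Returns {'addr': str, 'ports': {(proto, port): service-dict},
             'os': (name, accuracy) or None}.  Only ports whose state is
    'open' are kept; the OS match with the highest accuracy wins.
    """
    root = ET.fromstring(xml_text)
    host = root.find("host")
    if host is None:
        raise ValueError("no <host> element in Nmap XML")
    addr_el = host.find("address[@addrtype='ipv4']")
    addr = addr_el.get("addr") if addr_el is not None else None

    open_ports = {}
    for port in host.iterfind("ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        open_ports[(port.get("protocol"), int(port.get("portid")))] = {
            "name": svc.get("name", "") if svc is not None else "",
            "product": svc.get("product", "") if svc is not None else "",
            "version": svc.get("version", "") if svc is not None else "",
        }

    best_os = None
    for match in host.iterfind("os/osmatch"):
        cand = (match.get("name"), int(match.get("accuracy", "0")))
        if best_os is None or cand[1] > best_os[1]:
            best_os = cand
    return {"addr": addr, "ports": open_ports, "os": best_os}


def ports_missed_by(narrow, wide):
    """Open ports the wide scan found that the narrow scan did not."""
    return sorted(set(wide["ports"]) - set(narrow["ports"]))


def summary_lines(host):
    """One 'port/proto<TAB>service<TAB>product version' line per open port."""
    lines = []
    for (proto, port), svc in sorted(host["ports"].items()):
        detail = " ".join(x for x in (svc["product"], svc["version"]) if x)
        lines.append(f"{port}/{proto}\t{svc['name']}\t{detail}".rstrip())
    return lines


if __name__ == "__main__":
    default = parse_nmap_xml(DEFAULT_SCAN_XML)
    full = parse_nmap_xml(FULL_SCAN_XML)
    print(f"Host {full['addr']}  best OS match: {full['os']}")
    print("\n".join(summary_lines(full)))
    print("Missed by the default port range:", ports_missed_by(default, full))
```

On real results, write the two scans with `nmap -sV -O -oX default.xml <IP>` and `nmap -sV -O -p- -oX full.xml <IP>`, read the files, and pass their contents to `parse_nmap_xml` to get the same comparison; the same XML files can be loaded into the MSF database with `db_import`.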

However, the host is added to the MSF database with incorrect OS information:

OS identification in the MSF database

But Nmap itself identifies it correctly:

Nmap OS identification results

If you want things nice and clean from the start, use a Metasploit auxiliary module to fix it:

Using auxiliary module to identify the OS

Now you have the correct info about your target added to the database.

Legion scan

Another easy way to get initial information on the target is Legion. This tool runs a number of Nmap scans and also loads a number of other tools and uses them to gather information about the target machine.

Some of these tools will immediately test the discovered services and even brute-force logins, so be aware that a Legion scan is noisy.

Metasploitable 3 Legion scan results

You can save the result of this scan for later use or for quick reference. But for proper vulnerability scanning you need a dedicated tool.

OpenVAS scan

For a comprehensive scan, try the Open Vulnerability Assessment Scanner (OpenVAS). This tool has a full range of capabilities, including unauthenticated and authenticated testing, support for various high-level and low-level Internet and industrial protocols, performance tuning for large-scale scans, and a powerful internal scripting language for implementing any type of vulnerability test.

It can be installed on Kali Linux, and its vulnerability tests can be updated daily.

Metasploitable 3 OpenVAS scan results

You are now ready to start exploiting the services available in Metasploitable 3 Windows 2008 Server!
