Metasploitable3 is a Ubuntu 14.04 VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit. Not every type of vulnerability on Metasploitable3 can be exploited with a single Metasploit module, but some can.
Network Setup
To conduct these exercises, you need to have 2 machines. One computer is used for attacking, the second computer is used as the victim. Using virtual machines is always the best solution for training purposes so in the following examples a Kali Linux VM and a Metasploitable 3 VM connected to a Virtual Box internal network with a router between the two VMs.
To change the settings of the Metasploitable 3 VM just follow the normal procedure to configure network interfaces in Linux. Besides, the VM might have some IPTables rules being enforced.
Having the firewall turned off from the start will allow you to get complete scan results.
But if you decide to attack this VM with the firewall on, turning it off could be one of the first tasks. Or you can get a shell and then create an SSH tunnel that will allow you to bypass the firewall.
Resetting can be easily achieved using the following command:
- sudo iptables --policy INPUT
- sudo iptables --policy OUTPUT
- sudo iptables --policy FORWARD
- sudo iptables –F
Scanning and Enumerating
The first step is to gather as much information as you can about the remote system. Use Nmap, Legion and OpenVAS to identify the open ports, running services and vulnerabilities on the target.
Nmap Scan
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. You can run Nmap directly from the CLI but it might be a good idea to run Nmap from within Metasploit so that the results are added to the MSF database for further analysis and later use.
There are many scanning possibilities but the following choices of options will balance speed with accuracy. As you add more options, you might sacrifice speed in order to get better results:
- nmap -sS [IP Address]
- nmap -sV [IP Address]
- nmap -T4 -sV --version-all --osscan-guess -A [IP Address]
Typical results:
However, the previous options won’t show you all the open ports because the -sV scan mode for service and version detection will use the nmap-services database of about 2,200 well-known services.
Therefore, it might be a good idea to run some scans covering wider ranges of ports:
- nmap -sV --osscan-guess -p 1-10000 [IP Address]
- nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
- nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
- nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
- nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]
and even UDP ports:
- nmap -sU -sV --version-all -p 1-10000 [IP Address]
And these are the results:
As you can see, there are many open ports and running services on the target VM.
Legion Scan
Another easy way to get initial information on the target is to use Legion. This tool will run a number of Nmap scans and it will also load a number of other tools and use them to get information about the target machine.
Some of the tools will immediately try to test the found services and even brute force the logins.
You can save the result of this scan for later usage or for a quick reference. But for proper vulnerability scanning, you will need a better tool.
OpenVAS Scan
For a comprehensive scan, try the Open Vulnerability Assessment Scanner. This this tool has a full range of capabilities including unauthenticated testing, authenticated testing, various high level and low-level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
It can be installed on Kali Linux and it can be updated daily with the latest vulnerability tests.
Previous post: Metasploitable 3 Windows Walkthrough: Part X
No comments:
Post a Comment