{"id":511,"date":"2024-01-17T18:35:35","date_gmt":"2024-01-17T23:35:35","guid":{"rendered":"https:\/\/davidfailor.com\/?page_id=511"},"modified":"2024-01-17T19:49:23","modified_gmt":"2024-01-18T00:49:23","slug":"kali-linux-and-metasploitable-2-penetration-testing","status":"publish","type":"page","link":"https:\/\/davidfailor.com\/index.php\/kali-linux-and-metasploitable-2-penetration-testing\/","title":{"rendered":"Kali Linux and Metasploitable 2 Penetration Testing"},"content":{"rendered":"

I installed both Kali and Metasploitable 2 on internal network 10.10.10.0 in a VirtualBox VM.\u00a0 I gave the Metasploitable 2 (Ubuntu) machine an IP address of10.10.10.2 for “target practice”. The documentation for Metasploitable 2 is found here: https:\/\/docs.rapid7.com\/metasploit\/metasploitable-2-exploitability-guide\/<\/span><\/a><\/p>\n

The first exercise<\/em> is a simple port scan of the well-known ports using nmap as root.\u00a0 We find 3 of the Unix “R-services” ports are open that are used for remote login on Unix machines on tcp ports 512, 513, 514:<\/p>\n

#nmap -p0-65535 10.10.10.2<\/strong><\/p>\n

Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-01-17 18:48 EST
\nNmap scan report for 10.10.10.2
\nHost is up (0.00010s latency).
\nNot shown: 65506 closed tcp ports (reset)
\nPORT STATE SERVICE
\n21\/tcp open ftp
\n22\/tcp open ssh
\n23\/tcp open telnet
\n25\/tcp open smtp
\n53\/tcp open domain
\n80\/tcp open http
\n111\/tcp open rpcbind
\n139\/tcp open netbios-ssn
\n445\/tcp open microsoft-ds
\n512\/tcp open exec<\/em><\/strong><\/span>
\n513\/tcp open login<\/em><\/strong><\/span>
\n514\/tcp open shell<\/em><\/strong><\/span>
\n1099\/tcp open rmiregistry
\n1524\/tcp open ingreslock
\n2049\/tcp open nfs
\n2121\/tcp open ccproxy-ftp
\n3306\/tcp open mysql
\n3632\/tcp open distccd
\n5432\/tcp open postgresql
\n5900\/tcp open vnc
\n6000\/tcp open X11
\n6667\/tcp open irc
\n6697\/tcp open ircs-u
\n8009\/tcp open ajp13
\n8180\/tcp open unknown
\n8787\/tcp open msgsrvr
\n34864\/tcp open unknown
\n35281\/tcp open unknown
\n46972\/tcp open unknown
\n50179\/tcp open unknown
\nMAC Address: 08:00:27:B3:EF:46 (Oracle VirtualBox virtual NIC)<\/p>\n

Nmap done: 1 IP address (1 host up) scanned in 16.33 seconds<\/p>\n

For the second exercise<\/em>, as long as the rsh client is installed in our Kali system we can create a root level connection to the remote device.\u00a0 (The “-l” switch allows you to choose the user you want to log in as).<\/p>\n

#rlogin -l root 10.10.10.2<\/strong><\/p>\n

Last login: Wed Jan 17 18:54:27 EST 2024 from 10.10.10.3 on pts\/1<\/strong><\/span>
\nLinux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686<\/strong><\/span><\/p>\n

root@metasploitable:~#<\/strong><\/span><\/p>\n

And now we have root access to the remote computer.\u00a0 For the third exercise<\/em> we use the remote control protocol command to show the active remote ports:<\/p>\n

Running the rpcinfo command as root from the remote machine shows us active ports we can use.\u00a0 Here we see that there are nfs “network file system” ports available (udp and tcp).<\/p>\n

root@metasploitable:~# rpcinfo -p 10.10.10.2<\/strong>
\nprogram vers proto port
\n100000 2 tcp 111 portmapper
\n100000 2 udp 111 portmapper
\n100024 1 udp 45372 status
\n100024 1 tcp 58302 status
\n100003 2 udp 2049 nfs<\/span><\/strong>
\n100003 3 udp 2049 nfs<\/span><\/strong>
\n100003 4 udp 2049 nfs<\/span><\/strong>
\n100021 1 udp 52388 nlockmgr
\n100021 3 udp 52388 nlockmgr
\n100021 4 udp 52388 nlockmgr
\n100003 2 tcp 2049 nfs<\/strong><\/span>
\n100003 3 tcp 2049 nfs<\/strong><\/span>
\n100003 4 tcp 2049 nfs<\/strong><\/span>
\n100021 1 tcp 35971 nlockmgr
\n100021 3 tcp 35971 nlockmgr
\n100021 4 tcp 35971 nlockmgr
\n100005 1 udp 33215 mountd
\n100005 1 tcp 37136 mountd
\n100005 2 udp 33215 mountd
\n100005 2 tcp 37136 mountd
\n100005 3 udp 33215 mountd
\n100005 3 tcp 37136 mountd<\/p>\n

Exercise four<\/em>:\u00a0 In the first nmap scan we can see the SSH is active (port 22, tcp) so we can set up our own ssh connection since we have root access to the MSF2 remote computer.\u00a0 To do so we create a new SSH keys and install them on the remote target computer as accepted cryptographic keys.<\/p>\n","protected":false},"excerpt":{"rendered":"

I installed both Kali and Metasploitable 2 on internal network 10.10.10.0 in a VirtualBox VM.\u00a0 I gave the Metasploitable 2 (Ubuntu) machine an IP address of10.10.10.2 for “target practice”. The documentation for Metasploitable 2 is found here: https:\/\/docs.rapid7.com\/metasploit\/metasploitable-2-exploitability-guide\/ The first exercise is a simple port scan of the well-known ports using nmap as root.\u00a0 We…<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-511","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/pages\/511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/comments?post=511"}],"version-history":[{"count":20,"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/pages\/511\/revisions"}],"predecessor-version":[{"id":532,"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/pages\/511\/revisions\/532"}],"wp:attachment":[{"href":"https:\/\/davidfailor.com\/index.php\/wp-json\/wp\/v2\/media?parent=511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}