Wednesday, September 28, 2016

Pwning Metasploitable 2: Scoping out Target

Fire up your Kali attacker machine and your new metaploitable 2 machine.

Seeing a black screen with white text when firing up metasploitable 2? You are in the right place. Metaploitable 2 has no GUI for you to click around. Its full CLI which will help you improve your command line skills.

Here’s how your screen should look like:

Switch to your attacker machine. Let’s start a host discover scan to find out metaploitable's IP address.

Ping Sweep to discover Live Hosts

Enter command: nmap -sP -PI <<your network address/24>

4 hosts show up on the result. Let’s analyze this, it can’t be the address with “.1” and “.254” and it can’t also be the “.133” because that’s your attacker machine. We have a host with “.128” and we know there is no other machine running which means it is the metasploitable machine. Your IP addresses may vary but the logic still applies.

So we now know where our target is. Lets look for open ports, services and operating system that is running on our target.

Open Ports, Services and OS discovery

Enter command: nmap -sV -O -p 0-65535 <<target IP address>>

This command with the “-p” flag tells nmap to scan all 65535 ports on the target. Remember a normal scan only scans 1000 ports. And a full port scan makes more noise than a normal scan because it attempts to establish connections with much more ports.

Now we can see all open ports, what services are running on them, their versions and the operating system.

Carefully look at the services that are open. For example, FTP is open. FTP (File Transfer Protocol) is used to send and receive files over a network.

We could potentially use this protocol and maybe retrieve some local files from that host, or send in a keylogger to record the user's keyboard activity to gather passwords and other information.

Questions to ask yourself:-

1. Can I interact with the FTP service on port 21?
2. Can I access the service using any default credentials?
3. What version is the service? Is it the latest?
4. Google any known exploits for that service version?

Activate your google searching skills and try to answer these questions by yourself first. In our next tutorial we will dig deeper on the FTP service. 

-Jayesh Kerai (@secjay)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.