1. Download Metasploitable from https://community.rapid7.com/docs/DOC-1875
2. Unzip it and create a new Linux (Ubuntu) machine in VirtualBox with 512 MB of RAM. For the hard drive, add the downloaded Metasploitable.vmdk instead of creating a new disk.
3. Go to Settings / System / Processor and tick Enable PAE/NX.
4. Boot it up.
If you see this error at boot:
This kernel requires the following features not present on the CPU:
0:6 Unable to boot - please use a kernel appropriate for your CPU.
stop the machine, go back to Settings / System, open the Processor tab and make sure Enable PAE/NX is ticked.
Log in with:
user = msfadmin
pass = msfadmin
Give the machine an address on your lab network (replace ip-address and your-netmask with your own values), then press Enter:
sudo ifconfig eth0 ip-address netmask your-netmask
Ping it from BackTrack to confirm it is reachable.
Nmap
root@bt:~# nmap -sV -sC -v IP-Address
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2011-08-20 16:53 BST
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:53
Scanning IP-Address [1 port]
Completed ARP Ping Scan at 16:53, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:53
Completed Parallel DNS resolution of 1 host. at 16:53, 0.00s elapsed
Initiating SYN Stealth Scan at 16:53
Scanning IP-Address [1000 ports]
Discovered open port 21/tcp on IP-Address
Discovered open port 5900/tcp on IP-Address
Discovered open port 80/tcp on IP-Address
Discovered open port 22/tcp on IP-Address
Discovered open port 111/tcp on IP-Address
Discovered open port 445/tcp on IP-Address
Discovered open port 139/tcp on IP-Address
Discovered open port 3306/tcp on IP-Address
Discovered open port 53/tcp on IP-Address
Discovered open port 25/tcp on IP-Address
Discovered open port 23/tcp on IP-Address
Discovered open port 2121/tcp on IP-Address
Discovered open port 514/tcp on IP-Address
Discovered open port 513/tcp on IP-Address
Discovered open port 1524/tcp on IP-Address
Discovered open port 6000/tcp on IP-Address
Discovered open port 512/tcp on IP-Address
Discovered open port 8180/tcp on IP-Address
Discovered open port 8009/tcp on IP-Address
Discovered open port 6667/tcp on IP-Address
Discovered open port 2049/tcp on IP-Address
Discovered open port 1099/tcp on IP-Address
Discovered open port 5432/tcp on IP-Address
Completed SYN Stealth Scan at 16:53, 0.46s elapsed (1000 total ports)
Initiating Service scan at 16:53
Scanning 23 services on IP-Address
Completed Service scan at 16:55, 126.11s elapsed (23 services on 1 host)
Initiating RPCGrind Scan against IP-Address at 16:55
Completed RPCGrind Scan against IP-Address at 16:55, 0.01s elapsed (2 ports)
NSE: Script scanning IP-Address.
Initiating NSE at 16:55
Completed NSE at 16:56, 31.68s elapsed
Nmap scan report for IP-Address
Host is up (0.00070s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2010-03-17 14:07:45
| Not valid after: 2010-04-16 14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 38748/udp mountd
| 100005 1,2,3 57935/tcp mountd
| 100021 1,3,4 39176/tcp nlockmgr
| 100021 1,3,4 42751/udp nlockmgr
| 100024 1 33694/tcp status
|_ 100024 1 53650/udp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell?
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open ingreslock?
2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: c\&DcGxICQOy6>uS|<Qb
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:04:32
| Source host: 518F4D55.E23CF59D.5BFB86DA.IP
|_Source ident: OK nmap
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/5.5
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Apache Tomcat
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port514-TCP:V=5.61TEST4%I=7%D=8/20%Time=50325D80%P=i686-pc-linux-gnu%r(
SF:NULL,33,"\x01getnameinfo:\x20Temporary\x20failure\x20in\x20name\x20reso
SF:lution\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1524-TCP:V=5.61TEST4%I=7%D=8/20%Time=50325D86%P=i686-pc-linux-gnu%r
SF:(NULL,17,"root@metasploitable:/#\x20")%r(GenericLines,73,"root@metasplo
SF:itable:/#\x20root@metasploitable:/#\x20root@metasploitable:/#\x20root@m
SF:etasploitable:/#\x20root@metasploitable:/#\x20")%r(GetRequest,428,"root
SF:@metasploitable:/#\x20\n\nDirectory\x20/\n\n\n\nDirectory\x20listing\x20o
\n
SF:f\x20/\n
SF::\x20OPTIONS:\x20command\x20not\x20found\nroot@metasploitable:/#\x20roo
SF:t@metasploitable:/#\x20root@metasploitable:/#\x20root@metasploitable:/#
SF:\x20")%r(RTSPRequest,94,"root@metasploitable:/#\x20bash:\x20OPTIONS:\x2
SF:0command\x20not\x20found\nroot@metasploitable:/#\x20root@metasploitable
SF::/#\x20root@metasploitable:/#\x20root@metasploitable:/#\x20")%r(RPCChec
SF:k,17,"root@metasploitable:/#\x20")%r(DNSVersionBindReq,17,"root@metaspl
SF:oitable:/#\x20")%r(DNSStatusRequest,17,"root@metasploitable:/#\x20")%r(
SF:Help,63,"root@metasploitable:/#\x20bash:\x20HELP:\x20command\x20not\x20
SF:found\nroot@metasploitable:/#\x20root@metasploitable:/#\x20")%r(SSLSess
SF:ionReq,51,"root@metasploitable:/#\x20bash:\x20{O\?G,\x03Sw=:\x20command
SF:\x20not\x20found\nroot@metasploitable:/#\x20");
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
Host script results:
| nbstat:
| NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC:
| Names
| METASPLOITABLE Flags:
| METASPLOITABLE Flags:
| METASPLOITABLE Flags:
| WORKGROUP Flags:
|_ WORKGROUP Flags:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2011-08-20 16:55:41 UTC-4
NSE: Script Post-scanning.
Initiating NSE at 16:56
Completed NSE at 16:56, 0.01s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.88 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.120KB)
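The report above comes from nmap with -sV (service/version detection), -sC (the default NSE scripts) and -v (verbose). Reading it by hand works for one host, but a defender who has to triage such reports regularly wants the service table turned into a list of exposures. The following Python is an added example written for this post, not code from nmap or Metasploit: it parses nmap's normal-output service table (the port lines and the "|"/"|_" script lines that belong to them) and flags the things visible in the scan above that should be closed first: anonymous FTP, cleartext telnet, the r-services on 512-514, VNC and X11 on the network, SMTP advertising VRFY, an expired TLS certificate, and an open port nmap could not identify (1524, "ingreslock?"). The sample report is a constructed excerpt modelled on the scan shown in the post, with the host written as IP-Address as it is there; the risk table and the "as of" date are assumptions of this example.

```python
"""Parse the service table of an ``nmap -sV -sC`` report and flag exposures.

Added example for this walkthrough; not part of nmap or Metasploit.
"""
import re
from datetime import datetime

# Constructed excerpt of the nmap report shown in the post.
SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA
| Not valid before: 2010-03-17 14:07:45
|_Not valid after: 2010-04-16 14:07:45
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell?
1524/tcp open ingreslock?
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
"""

# "<port>/<proto> <state> <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script output starts with "| " or "|_" and belongs to the previous port.
SCRIPT_RE = re.compile(r"^\|_?\s?(.*)$")

# Services whose presence on a network-facing port is a finding by itself
# (assumed risk table for this example).
LEGACY_SERVICES = {
    "telnet": "cleartext logins; replace with SSH",
    "exec": "rexec (r-services) trusts hostnames; disable",
    "login": "rlogin (r-services) trusts hostnames; disable",
    "shell": "rsh (r-services) trusts hostnames; disable",
    "vnc": "VNC protocol 3.3 has no strong authentication; firewall or tunnel it",
    "X11": "X server reachable from the network; bind it to localhost only",
}


def parse_report(text):
    """Return one dict per port line: port, proto, state, service, version, scripts."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version, "scripts": []})
            continue
        m = SCRIPT_RE.match(line)
        if m and entries:
            entries[-1]["scripts"].append(m.group(1).strip())
    return entries


def assess(entries, today):
    """Map parsed entries to (port, reason) findings; ``today`` fixes the
    certificate-expiry check so the result is reproducible."""
    findings = []
    for e in entries:
        if e["state"] != "open":
            continue
        svc = e["service"].rstrip("?")          # nmap marks guesses with "?"
        if svc in LEGACY_SERVICES:
            findings.append((e["port"], LEGACY_SERVICES[svc]))
        for s in e["scripts"]:
            if s.startswith("ftp-anon:") and "allowed" in s:
                findings.append((e["port"], "anonymous FTP login allowed"))
            if s.startswith("smtp-commands:") and " VRFY" in s:
                findings.append((e["port"], "SMTP VRFY enabled; allows user enumeration"))
            if s.startswith("Not valid after:"):
                expiry = datetime.strptime(s.split(":", 1)[1].strip(), "%Y-%m-%d %H:%M:%S")
                if expiry < today:
                    findings.append((e["port"], f"TLS certificate expired {expiry:%Y-%m-%d}"))
        # An open port nmap could only guess at (here 1524, "ingreslock?")
        # needs a manual look; the post's fingerprint section shows why.
        if e["service"].endswith("?") and svc not in LEGACY_SERVICES:
            findings.append((e["port"], "unidentified service; inspect manually"))
    return findings


def scan_findings(text, as_of="2011-08-20"):
    """Parse ``text`` and assess it as of the given date (YYYY-MM-DD)."""
    return assess(parse_report(text), datetime.strptime(as_of, "%Y-%m-%d"))


if __name__ == "__main__":
    for port, reason in scan_findings(SAMPLE_REPORT):
        print(f"{port:>5}/tcp  {reason}")
```

Feed it a real `nmap -sV -sC` report (normal output, not -oX) and extend LEGACY_SERVICES to taste; the "?" rule is the useful one, because a port that nmap cannot name is exactly the one that gets skipped in a hurried review.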
Metasploit
root@bt:~# msfconsole
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set rhosts IP-Address
rhosts => IP-Address
msf auxiliary(dir_scanner) > run
[*] Detecting error code
[*] Using code '404' as not found for IP-Address
[*] Found http://IP-Address:80/cgi-bin/ 404 (IP-Address)
[*] Found http://IP-Address:80/doc/ 200 (IP-Address)
[*] Found http://IP-Address:80/icons/ 200 (IP-Address)
[*] Found http://IP-Address:80/index/ 200 (IP-Address)
[*] Found http://IP-Address:80/phpMyAdmin/ 200 (IP-Address)
[*] Found http://IP-Address:80/test/ 404 (IP-Address)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts IP-Address
rhosts => IP-Address
msf auxiliary(smtp_enum) > run
[*] 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[*] Domain Name: localdomain
[+] IP-Address:25 - Found user: ROOT
[+] IP-Address:25 - Found user: backup
[+] IP-Address:25 - Found user: bin
[+] IP-Address:25 - Found user: daemon
[-] Error: Connection reset by peer
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
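Two things in the module output above are easy to miss: dir_scanner prints every probe, so only the lines whose code is not the "not found" code (404 here) are real hits, and smtp_enum stopped with "[-] Error: Connection reset by peer", so the three users it found are a lower bound, not the full list. The Python below is an added example written for this post, not part of Metasploit: it reads the console prefixes ([*] status, [+] positive result, [-] error), collects the directories and users, marks the run as incomplete when an error appears, and maps the findings to the configuration changes that close them (the Postfix directive disable_vrfy_command is real; the mapping itself is this example's assumption). The sample output is a constructed excerpt of the two module runs shown above, with the host written as IP-Address as it is there.

```python
"""Summarise Metasploit auxiliary-module console output and note early stops.

Added example for this walkthrough; not part of Metasploit.
"""
import re

# Constructed excerpt of the dir_scanner and smtp_enum output in the post.
SAMPLE_OUTPUT = """\
[*] Using code '404' as not found for IP-Address
[*] Found http://IP-Address:80/cgi-bin/ 404 (IP-Address)
[*] Found http://IP-Address:80/doc/ 200 (IP-Address)
[*] Found http://IP-Address:80/phpMyAdmin/ 200 (IP-Address)
[*] Found http://IP-Address:80/test/ 404 (IP-Address)
[*] Auxiliary module execution completed
[*] 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] IP-Address:25 - Found user: ROOT
[+] IP-Address:25 - Found user: backup
[+] IP-Address:25 - Found user: bin
[-] Error: Connection reset by peer
[*] Scanned 1 of 1 hosts (100% complete)
"""

# Console prefixes: [*] status line, [+] positive result, [-] error/negative.
LINE_RE = re.compile(r"^\[([*+\-])\]\s+(.*)$")
DIR_RE = re.compile(r"^Found (\S+) (\d{3}) \(")
USER_RE = re.compile(r"^(\S+):(\d+) - Found user: (\S+)$")
NOT_FOUND_RE = re.compile(r"^Using code '(\d{3})' as not found")


def summarize(text):
    """Return {'dirs': [(url, code)], 'users': [...], 'errors': [...], 'complete': bool}."""
    summary = {"dirs": [], "users": [], "errors": [], "complete": True}
    not_found = "404"                      # default; dir_scanner announces its own
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, body = m.groups()
        if tag == "-":
            summary["errors"].append(body)
            # An error mid-run means later probes never happened, so the
            # lists collected here are a lower bound, not the full picture.
            summary["complete"] = False
        elif tag == "*":
            n = NOT_FOUND_RE.match(body)
            if n:
                not_found = n.group(1)
            d = DIR_RE.match(body)
            if d and d.group(2) != not_found:   # every probe is printed; keep hits only
                summary["dirs"].append((d.group(1), int(d.group(2))))
        elif tag == "+":
            u = USER_RE.match(body)
            if u:
                summary["users"].append(u.group(3))
    return summary


def remediation(summary):
    """Map the findings to the changes that close them (assumed mapping)."""
    steps = []
    if any(url.rstrip("/").lower().endswith("phpmyadmin") for url, _ in summary["dirs"]):
        steps.append("restrict /phpMyAdmin/ to trusted addresses or remove it")
    if summary["users"]:
        steps.append("set disable_vrfy_command = yes in Postfix main.cf")
    if not summary["complete"]:
        steps.append("re-run the enumeration; the last run was cut short")
    return steps


if __name__ == "__main__":
    result = summarize(SAMPLE_OUTPUT)
    print("directories:", [u for u, _ in result["dirs"]])
    print("users:", result["users"], "(complete)" if result["complete"] else "(partial)")
    for step in remediation(result):
        print("-", step)
```

Paste the console output of any auxiliary run into summarize(); the "complete" flag is the part worth wiring into a report, because a partial user list quietly understates how much a mail server is giving away.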