web application – metasploitable


1. Download the image from https://community.rapid7.com/docs/DOC-1875
2. Unzip it and create a new Linux (Ubuntu) machine in VirtualBox with 512 MB of RAM. For the hard drive, attach the downloaded Metasploitable.vmdk instead of creating a new disk.
3. Go to Settings / System / Processor and tick Enable PAE/NX.
4. Boot it up.

If you see this error on boot:

This kernel requires the following features not present on the CPU:
0:6 Unable to boot - please use a kernel appropriate for your CPU.

stop the machine, go back to Settings / System / Processor and make sure Enable PAE/NX is ticked.

user = msfadmin
pass = msfadmin

Log in on the VM console and give it an address on the same network as your attacking machine:

sudo ifconfig eth0 ip-address netmask your-netmask

Put the VM on a host-only or internal VirtualBox network: it is deliberately vulnerable and must not be reachable from anything you do not control. Then ping it from BackTrack to confirm the two machines can see each other.

Nmap

Scan it with version detection (-sV), the default NSE scripts (-sC) and verbose output (-v):

root@bt:~# nmap -sV -sC -v IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2011-08-20 16:53 BST
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:53
Scanning IP-Address [1 port]
Completed ARP Ping Scan at 16:53, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:53
Completed Parallel DNS resolution of 1 host. at 16:53, 0.00s elapsed
Initiating SYN Stealth Scan at 16:53
Scanning IP-Address [1000 ports]
Discovered open port 21/tcp on IP-Address
Discovered open port 5900/tcp on IP-Address
Discovered open port 80/tcp on IP-Address
Discovered open port 22/tcp on IP-Address
Discovered open port 111/tcp on IP-Address
Discovered open port 445/tcp on IP-Address
Discovered open port 139/tcp on IP-Address
Discovered open port 3306/tcp on IP-Address
Discovered open port 53/tcp on IP-Address
Discovered open port 25/tcp on IP-Address
Discovered open port 23/tcp on IP-Address
Discovered open port 2121/tcp on IP-Address
Discovered open port 514/tcp on IP-Address
Discovered open port 513/tcp on IP-Address
Discovered open port 1524/tcp on IP-Address
Discovered open port 6000/tcp on IP-Address
Discovered open port 512/tcp on IP-Address
Discovered open port 8180/tcp on IP-Address
Discovered open port 8009/tcp on IP-Address
Discovered open port 6667/tcp on IP-Address
Discovered open port 2049/tcp on IP-Address
Discovered open port 1099/tcp on IP-Address
Discovered open port 5432/tcp on IP-Address
Completed SYN Stealth Scan at 16:53, 0.46s elapsed (1000 total ports)
Initiating Service scan at 16:53
Scanning 23 services on IP-Address
Completed Service scan at 16:55, 126.11s elapsed (23 services on 1 host)
Initiating RPCGrind Scan against IP-Address at 16:55
Completed RPCGrind Scan against IP-Address at 16:55, 0.01s elapsed (2 ports)
NSE: Script scanning IP-Address.
Initiating NSE at 16:55
Completed NSE at 16:56, 31.68s elapsed
Nmap scan report for IP-Address
Host is up (0.00070s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

23/tcp open telnet Linux telnetd

25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2010-03-17 14:07:45
| Not valid after: 2010-04-16 14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6

53/tcp open domain ISC BIND 9.4.2

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 38748/udp mountd
| 100005 1,2,3 57935/tcp mountd
| 100021 1,3,4 39176/tcp nlockmgr
| 100021 1,3,4 42751/udp nlockmgr
| 100024 1 33694/tcp status
|_ 100024 1 53650/udp status

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell?
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open ingreslock?
2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
2121/tcp open ftp ProFTPD 1.3.1

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: c\&DcGxICQOy6>uS|<Qb
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)

6000/tcp open X11 (access denied)

6667/tcp open irc Unreal ircd
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:04:32
| Source host: 518F4D55.E23CF59D.5BFB86DA.IP
|_Source ident: OK nmap

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)

8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/5.5
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Apache Tomcat
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port514-TCP:V=5.61TEST4%I=7%D=8/20%Time=50325D80%P=i686-pc-linux-gnu%r(
SF:NULL,33,"\x01getnameinfo:\x20Temporary\x20failure\x20in\x20name\x20reso
SF:lution\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1524-TCP:V=5.61TEST4%I=7%D=8/20%Time=50325D86%P=i686-pc-linux-gnu%r
SF:(NULL,17,"root@metasploitable:/#\x20")%r(GenericLines,73,"root@metasplo
SF:itable:/#\x20root@metasploitable:/#\x20root@metasploitable:/#\x20root@m
SF:etasploitable:/#\x20root@metasploitable:/#\x20")%r(GetRequest,428,"root
SF:@metasploitable:/#\x20
[HTML markup lost in extraction: the GetRequest probe got back an HTML page titled "Directory /" with the heading "Directory listing of /" and a list of ./ ../ bin/ boot/ cdrom/ dev/ etc/ home/ initrd/ initrd.img lib/ lost+found/ media/ mnt/ nohup.out opt/ proc/ root/ sbin/ srv/ sys/ tmp/ usr/ var/ vmlinuz; the fingerprint ends mid-tag]
SF:<")%r(HTTPOptions,94,"root@metasploitable:/#\x20bash
SF::\x20OPTIONS:\x20command\x20not\x20found\nroot@metasploitable:/#\x20roo
SF:t@metasploitable:/#\x20root@metasploitable:/#\x20root@metasploitable:/#
SF:\x20")%r(RTSPRequest,94,"root@metasploitable:/#\x20bash:\x20OPTIONS:\x2
SF:0command\x20not\x20found\nroot@metasploitable:/#\x20root@metasploitable
SF::/#\x20root@metasploitable:/#\x20root@metasploitable:/#\x20")%r(RPCChec
SF:k,17,"root@metasploitable:/#\x20")%r(DNSVersionBindReq,17,"root@metaspl
SF:oitable:/#\x20")%r(DNSStatusRequest,17,"root@metasploitable:/#\x20")%r(
SF:Help,63,"root@metasploitable:/#\x20bash:\x20HELP:\x20command\x20not\x20
SF:found\nroot@metasploitable:/#\x20root@metasploitable:/#\x20")%r(SSLSess
SF:ionReq,51,"root@metasploitable:/#\x20bash:\x20{O\?G,\x03Sw=:\x20command
SF:\x20not\x20found\nroot@metasploitable:/#\x20");
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Host script results:
| nbstat:
| NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC:
| Names
| METASPLOITABLE Flags:
| METASPLOITABLE Flags:
| METASPLOITABLE Flags:
| WORKGROUP Flags:
|_ WORKGROUP Flags:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2011-08-20 16:55:41 UTC-4

NSE: Script Post-scanning.
Initiating NSE at 16:56
Completed NSE at 16:56, 0.01s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.88 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.120KB)
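The two fingerprints Nmap could not match are the most interesting part of this scan. Every probe sent to port 1524 came back with a "root@metasploitable:/# " prompt, and the HTTPOptions probe produced "bash: OPTIONS: command not found", so whatever you send to that port is executed by bash as root with no authentication at all. The Python script below, added here as an example and not part of the original post or of Nmap, parses that SF fingerprint format (the wrapped "SF:" continuation lines, the %r(probe,hexlen,"escaped response") records and the \xNN escapes), checks each decoded response against the hex length Nmap prints, and flags a NULL-probe response that looks like a shell prompt. The sample record is the port 1524 fingerprint from above, abridged to four probes; the prompt regex and the classify_bind_shell name are mine.

```python
import re

# Added example, not part of Nmap or of the original post: a parser for the
# SF-Port... service-fingerprint lines Nmap prints for unmatched services.

# Constructed sample: the port 1524 fingerprint from the scan above, abridged
# to four probes. Lengths inside %r(...) are hex byte counts.
SF_1524 = r'''SF-Port1524-TCP:V=5.61TEST4%I=7%D=8/20%Time=50325D86%P=i686-pc-linux-gnu%r
SF:(NULL,17,"root@metasploitable:/#\x20")%r(GenericLines,73,"root@metasplo
SF:itable:/#\x20root@metasploitable:/#\x20root@metasploitable:/#\x20root@m
SF:etasploitable:/#\x20root@metasploitable:/#\x20")%r(Help,63,"root@metasp
SF:loitable:/#\x20bash:\x20HELP:\x20command\x20not\x20found\nroot@metasplo
SF:itable:/#\x20root@metasploitable:/#\x20")%r(RPCCheck,17,"root@metasploi
SF:table:/#\x20");'''

_ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{2}|[nrt0\\"])')
_PROBE = re.compile(r'%r\(([A-Za-z0-9_]+),([0-9a-fA-F]+),"((?:[^"\\]|\\.)*)"\)')
_HEADER = re.compile(r'^SF-Port(\d+)-(TCP|UDP):(.*)$', re.S)
# user@host:cwd followed by # or $ and the trailing space a shell prints
_PROMPT = re.compile(r'^(\w+)@([\w.-]+):(\S*)([#$]) $')

def join_sf_lines(text):
    """Glue the wrapped 'SF:' continuation lines back into one record."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    record = lines[0]
    for ln in lines[1:]:
        if not ln.startswith("SF:"):
            raise ValueError("not a continuation line: " + ln)
        record += ln[3:]
    return record

def unescape(raw):
    """Undo Nmap's escaping; raw bytes come back as latin-1 characters."""
    table = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "\\": "\\", '"': '"'}
    def one(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if tok[0] == "x" else table[tok]
    return _ESCAPE.sub(one, raw)

def parse_sf(text):
    """Return {'port', 'proto', 'fields', 'probes'}; probes map name -> decoded response."""
    m = _HEADER.match(join_sf_lines(text))
    if not m:
        raise ValueError("not an SF-Port record")
    port, proto, body = int(m.group(1)), m.group(2), m.group(3)
    head, _, rest = body.partition("%r(")
    fields = dict(kv.split("=", 1) for kv in head.split("%") if "=" in kv)
    probes = {}
    for name, hexlen, raw in _PROBE.findall("%r(" + rest):
        data = unescape(raw)
        if len(data) != int(hexlen, 16):  # the length field is the integrity check
            raise ValueError(f"{name}: decoded {len(data)} bytes, header says {int(hexlen, 16)}")
        probes[name] = data
    return {"port": port, "proto": proto, "fields": fields, "probes": probes}

def classify_bind_shell(fp):
    """If the service greets a silent client with a shell prompt, say whose shell it is."""
    m = _PROMPT.match(fp["probes"].get("NULL", ""))
    if not m:
        return None
    user, host, cwd, mark = m.groups()
    shell = "bash" if any("bash: " in r for r in fp["probes"].values()) else "unknown"
    return {"port": fp["port"], "user": user, "host": host, "cwd": cwd,
            "is_root": user == "root" or mark == "#", "shell": shell}

if __name__ == "__main__":
    fp = parse_sf(SF_1524)
    print(f"port {fp['port']}/{fp['proto']}, probes answered: {sorted(fp['probes'])}")
    print(classify_bind_shell(fp))
```

The length check matters when you copy fingerprints out of a terminal or a web page: a single lost character in a wrapped SF line shows up as a mismatch instead of a silently wrong banner. Paste the full fingerprint from your own scan into SF_1524 to run it against the real record.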

root@bt:~# msfconsole

msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set rhosts IP-Address
rhosts => IP-Address
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for IP-Address
[*] Found http://IP-Address:80/cgi-bin/ 404 (IP-Address)
[*] Found http://IP-Address:80/doc/ 200 (IP-Address)
[*] Found http://IP-Address:80/icons/ 200 (IP-Address)
[*] Found http://IP-Address:80/index/ 200 (IP-Address)
[*] Found http://IP-Address:80/phpMyAdmin/ 200 (IP-Address)
[*] Found http://IP-Address:80/test/ 404 (IP-Address)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
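dir_scanner first requests a path that cannot exist to learn what this server answers for "not found" (here 404) and then reports every wordlist entry whose status differs from that baseline. The script below is a minimal version of the same logic in Python, added here as an example and not Metasploit's code: http_status uses only the standard library and refuses to follow redirects, so a 301 for a real directory is reported rather than silently resolved; fake_fetch is a constructed stand-in for the responses seen above so the script can be exercised without the VM. The User-Agent string and the wordlist are placeholders.

```python
import random
import string
import sys
import urllib.error
import urllib.request

# Added example, not Metasploit's dir_scanner: same idea, a baseline
# "not found" code learned from a random path, then one GET per word.

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301 for /doc -> /doc/ is itself a finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_OPENER = urllib.request.build_opener(_NoRedirect)

def http_status(url, timeout=5):
    """GET url and return the HTTP status code, whatever it is."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-scan-example"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx/4xx/5xx arrive here as exceptions

def random_path(length=16):
    """A directory name that will not be in anyone's web root."""
    return "".join(random.choices(string.ascii_lowercase, k=length))

def detect_not_found_code(base, fetch=http_status):
    """What does this server say for a path that cannot exist? That is the baseline."""
    return fetch(f"{base}/{random_path()}/")

def scan_dirs(base, words, fetch=http_status):
    """Return (baseline_code, [(url, code), ...]) for words that answer differently."""
    base = base.rstrip("/")
    ecode = detect_not_found_code(base, fetch)
    hits = []
    for word in words:
        url = f"{base}/{word.strip('/')}/"
        code = fetch(url)
        if code != ecode:
            hits.append((url, code))
    return ecode, hits

# Constructed stand-in for the Metasploitable web root as seen above
# (200 for the directories the module reported, 404 for anything else).
_FAKE_SITE = {"/doc/": 200, "/icons/": 200, "/index/": 200, "/phpMyAdmin/": 200}

def fake_fetch(url):
    path = "/" + url.split("/", 3)[3]
    return _FAKE_SITE.get(path, 404)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. http://IP-Address
    wordlist = ["cgi-bin", "doc", "icons", "index", "phpMyAdmin", "test", "admin"]
    fetch = http_status if target else fake_fetch
    ecode, hits = scan_dirs(target or "http://IP-Address", wordlist, fetch)
    print(f"baseline not-found code: {ecode}")
    for url, code in hits:
        print(f"Found {url} {code}")
```

If the baseline itself comes back as 200 (a catch-all page that answers every path), nothing stands out by status code alone and the comparison has to move to response length or content, which this example does not attempt.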

msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts IP-Address
rhosts => IP-Address
msf auxiliary(smtp_enum) > run

[*] 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

[*] Domain Name: localdomain
[+] IP-Address:25 - Found user: ROOT
[+] IP-Address:25 - Found user: backup
[+] IP-Address:25 - Found user: bin
[+] IP-Address:25 - Found user: daemon
[-] Error: Connection reset by peer
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
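smtp_enum works because Postfix advertised VRFY (see the smtp-commands line in the Nmap output), so each candidate username costs one command and one reply. The run above also shows the failure mode: the server dropped the connection part way through the list, and the module kept the four users it had already confirmed. The Python below, added here as an example and not the module's code, does the same exchange over a raw socket, treats 250/251/252 as a confirmed user and 550/551/553 as unknown, stops cleanly when VRFY is refused (Postfix answers 502 when it is disabled) and returns the partial result on a reset. FakeSMTP is a constructed server whose replies are modelled on Postfix wording, not captured from the VM; the HELO name is a placeholder.

```python
import socket
import sys

# Added example, not Metasploit's smtp_enum: the VRFY exchange the module
# automates, with the reply codes classified explicitly.

def _read_reply(io):
    """Read one SMTP reply, including multi-line '250-...' continuations."""
    lines = []
    while True:
        line = io.readline()
        if not line:
            raise ConnectionResetError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)

def enumerate_vrfy(io, users):
    """Probe each name with VRFY. Returns (confirmed_users, error_or_None).

    io needs readline() -> str (without CRLF) and sendline(str). On a reset
    mid-list the users confirmed so far are still returned, which is what the
    smtp_enum run above did before its 'Connection reset by peer'.
    """
    found = []
    banner = _read_reply(io)
    if not banner.startswith("220"):
        return found, "unexpected banner: " + banner
    io.sendline("HELO enum.example")  # placeholder client name
    if not _read_reply(io).startswith("250"):
        return found, "HELO rejected"
    for user in users:
        try:
            io.sendline(f"VRFY {user}")
            reply = _read_reply(io)
        except OSError as exc:  # ConnectionResetError, socket.timeout, ...
            return found, f"connection lost while probing {user!r}: {exc}"
        code = reply[:3]
        # 250/251 are the RFC 'exists' codes; 252 is 'cannot verify' in the RFC,
        # but the Postfix seen above answers '252 2.0.0 <user>' for real local
        # users and 550 for unknown ones, so it counts as a hit here.
        if code in ("250", "251", "252"):
            found.append(user)
        elif code in ("550", "551", "553"):
            continue
        elif code.startswith("5"):
            # e.g. Postfix '502 5.5.1 VRFY command is disabled': no point going on
            return found, "VRFY not usable: " + reply
    try:
        io.sendline("QUIT")
        _read_reply(io)
    except OSError:
        pass
    return found, None

class SocketIO:
    """Line-oriented wrapper around a real TCP connection to port 25."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="latin-1")
    def readline(self):
        return self.rfile.readline().rstrip("\r\n")
    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("latin-1"))

class FakeSMTP:
    """Constructed stand-in for the Postfix above; replies modelled on Postfix, not captured."""
    def __init__(self, known, reset_after, vrfy_enabled=True):
        self.known = {u.lower() for u in known}
        self.reset_after, self.vrfy_enabled = reset_after, vrfy_enabled
        self.out = ["220 metasploitable.localdomain ESMTP Postfix (Ubuntu)"]
        self.vrfy_count = 0
    def readline(self):
        return self.out.pop(0) if self.out else ""
    def sendline(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            self.out.append("250 metasploitable.localdomain")
        elif verb == "VRFY":
            self.vrfy_count += 1
            if self.vrfy_count > self.reset_after:
                raise ConnectionResetError(104, "Connection reset by peer")
            if not self.vrfy_enabled:
                self.out.append("502 5.5.1 VRFY command is disabled")
            elif arg.lower() in self.known:
                self.out.append(f"252 2.0.0 {arg}")
            else:
                self.out.append(f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown in local recipient table")
        elif verb == "QUIT":
            self.out.append("221 2.0.0 Bye")
        else:
            self.out.append("502 5.5.2 Error: command not recognized")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. IP-Address
    names = ["ROOT", "backup", "bin", "daemon", "nosuch", "sys", "www-data"]
    io = SocketIO(host) if host else FakeSMTP(["root", "backup", "bin", "daemon", "sys"], reset_after=5)
    found, err = enumerate_vrfy(io, names)
    print("found:", found)
    if err:
        print("stopped:", err)
```

Run it with the VM's address as the only argument to talk to the real Postfix; with no argument it replays the constructed transcript, including the reset after the fifth VRFY.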
