Metasploitable 2 Series Tutorial: Information collection

The Metasploitable 2 system is an Ubuntu-based system. Its design was originally designed to be a demonstration of security tool testing and common vulnerability attacks. In this tutorial on Metasploit, we will enumerate the vulnerabilities related to the Metasploitable 2 system and exploit the vulnerabilities to collect and retrieve the information we need.

Enumeration in mathematics or computer science refers to the list of elements in a group. But in hacker terminology, enumerations usually refer to enumerating the information we want to collect. For example: We need to enumerate the user name and even password of the database, enumerating the file shares of the system, enumerating the current state of the server, enumerating the web directories, the groups and the current network host's survival amount, and so on. In the enumeration process, we will also collect other available network-related information, which is of great significance for our subsequent infiltration. The most important for Metasploitable 2 is the collection of enumeration information for port scanning and fingerprint identification. The port scan is used to detect the TPC and UDP ports that are open to the server or host. Fingerprint identification is the process used to determine basic information such as the service version. In this article, we will use the famous scan artifact Nmap to implement the information collection for Metasploitable 2. In addition, we will combine another enumeration tool Enum4linux to help us complete the collection of information. Enum4linux is a tool for enumerating Windows and Samba host information.

Information retrieved from the enumeration process, such as the operating system version and the running service, we will look for a known vulnerability in these services. Exploit the exploits of the Open Source Vulnerability Library (OSVDB) and the published CVE. Finally, we will use the OpenVAS under Kali to perform a full-scale vulnerability scan on the target host.

Enumeration of Metasploitable 2 and port scanning

In this section of the Metasploitable 2 enumeration tutorial, we will enumerate the running services, the accounts, and perform the scan actions of the ports at the same time. We will use Nmap to scan and probe the virtual machine's port open state and open service fingerprint information. In this article, we mainly focus on the enumeration of network information collection!

Now, let's Open the Metasploitable 2 virtual machine already installed. And the initial login, login name and password are msfadmin ! Once the login is successful, we can use the ifconfig command to view the IP address of our current virtual machine. Similarly, we can use netdiscover on Kali to scan the IP address of the entire network segment to lock the target IP! Use the following command:

Netdiscover –r 192.168.111.0/24

The above command lists all surviving hosts in the 192.168.111.0 ~192.168.111.255 range. Of course, if you want to get metasploitable 2 IP, you must ensure that you are in the same address section!

Nmap Port and Service scan

In this section we will use NMAP for scanning tasks. We will use the TCP syn Scan method, which is known to be a relatively covert scan because it does not establish a complete three-time handshake connection to the target host. Here is a brief overview of the process of TCP scanning. The TCP scan first sends a SYN packet to the target server, and Nmap receives a syn-ack response packet when the target service port is turned on. If we send a SYN packet that does not get a response on the first delivery, we can guess that the target firewall may have filtered our probe or not turned on the service. Finally, Nmap will return an ACK packet to the target to complete a full TCP connection!

When we use Nmap for SYN or other forms of scanning, if we do not specify a port, then Nmap will default from all 65,535 ports, select 1000 of the most common port as the scan target for detection. If you're afraid of missing out on some important information, we can use the -p- parameter to scan all 65,535 ports! For example:

nmap -sS -p-[目标 IP 地址]

TIP: It is worth mentioning that even though the SYN scan is a relatively covert scanning method. But it is only for those older firewalls, and for today's technology is constantly updated and improved firewall, it is not hidden!

Does port opening mean there is a loophole to be exploited?

The above proposition is obviously wrong. Port opening does not mean that its underlying software is vulnerable, and we need to combine its operating system with the current version number of the service running. Therefore, the collection of version information, for our subsequent infiltration is also essential! The following Nmap will be very good to help us solve these problems. In Nmap, we can use the -sv and- o parameters to obtain the version of the target host and the operating system version information separately. In fact, we can also use the -A parameter to replace the- o parameter, it can also get version information, but it is TCP-based full-connection scan, so it is not safe! The command is as follows:

Nmap –sS –sV -O [目标 IP 地址]

Once we have successfully performed the above scan, we can see the result:

From the above results, we can clearly see that the target system has opened up a lot of dangerous ports and application services. and detailed list of the target operating system version for the Linux 2.6.9–2.6.33 We can see the host is running the service is: SSH is using the OpenSSH software, as well as the Telnet service, c8> Apache 2.2.8 Web Services,SQL Server and other types of services. Let's make a brief summary:

VSFTPD 2.3. 4 on open port

OpenSSH 4.7p1 Debian 8ubuntu 1 (Protocol 2.0) on open port

Linux telnetd Service on open port

Postfix smtpd on Port

ISC BIND 9.4. 2 on open port

Apache httpd 2.2. 8 Ubuntu dav/2 on port

A RPCbind service on Port 111

Samba smbd 3.X on Port 139 and 445

3 R services on Port , 513 and 514

GNU Classpath grmiregistry on Port 1099

Metasploitable root shell on Port 1524

A NFS service on Port 2049

ProFTPD 1.3. 1 on Port 2121

MySQL 5.0. 51a-3ubuntu5 on Port 3306

PostgreSQL DB 8.3. 0– 8.3. 7 on Port 5432

VNC Protocol v1. 3 on Port 5900

X11 service on Port 6000

Unreal ircd on Port 6667

Apache Jserv Protocol 1.3 on port 8009

Apache tomcat/coyote JSP engine 1.1 on Port 8180

Nmap UDP Scan

So far, we've been introducing a scan of TCP. Let's introduce a scan of UDP! We can use the following command:

nmap -sU 192.168.111.128

Again we can use the- p parameter to specify the port we want to scan. UDP scans are slower than TCP compared to TCP scans. After a short wait, NMAP returns the following UDP scan results:

53/UDP Open Domain

111/UDP Open Rpcbind

137/UDP Open Netbios-ns

2049/UDP Open NFS

TIP:UDP scanning may cause a large number of false positives relative to TCP. The reason for this is that when the port of the target host is turned off, it only returns information that is unreachable by an ICMP port. This scan is similar to the SYN scan method with TCP! Because of the loss of the package, the scan for UDP in many scanners defaults to the fact that its port is open. When we do not get an ICMP unreachable hint, the UDP port of the target system is out of the open state.

Metasploitable 2 User Enumeration

In order to get the user information on the target virtual machine, next we will use a script smb-enum-users to Nmap. Use the following command:

nmap –script smb-enum-users.nse –p 445 [目标主机]

The query results are as follows:

From the scan results we can see a lot of user information on metasploitable 2 . Many of the service accounts and admin accounts, called msfadmin this user name. Let's take a look at the second method of retrieving the user account in the list, which is the way to use a null session on the Samba server.

Enumerating user accounts with rpcclient null sessions

rpcclient is a Linux tool for performing client ms-rpc functions. A null session means that connecting a Samba or SMB server does not require user name and password authentication, so it is called a null session! Supports null sessions, which are default by the system. However, the connection to the null session is not supported on the system starting with Windows XP SP2 and Windows Server 2003 ! The connection uses 445 ports, so the target host is also open with 445 ports. When we successfully make a null session connection, we can enter the appropriate command to query the current host Port open state!

Now let's open a new Terminal window and use metasploitable 2 Samba server to establish a null session connection. The command is as follows:

rpcclient –U “” [目标 IP 地址]

The-u parameter is used to specify an empty user, followed by the IP address of the Metasploitable 2 VM. When we press ENTER, we will ask you to enter the password we can continue to enter!

We then execute the following command:

rcpclient $> querydominfo

With the querydominfo command, we get to domain, the total number of users of the server and target system, and some other information. From the returned results we learned that the target system has 35 users below let's give them a quote! The command is as follows:

rcpclient $> enumdomusers

As you can see, all available user accounts are listed at this time. Now let us use the rpcclient, using the user account information obtained, to query the user more detailed information! The command is as follows:

rcpclient $> queryuser [用户名]

Let us inquire msfadmin This account:

rcpclient $> queryuser msfadmin

This returns information about the profile path on the server, the master drive information and password-related settings, and so on. If you want to learn more about how to use rcpclient , you can use Help to view it.

Enum4linux of enumeration tools

Enum4linux is a tool developed in the Perl language that is used primarily to enumerate Windows and Samba hosts. Let's take a look at how to use it under metasploitable 2 .

Usage:./enum4linux.pl [Options]ip

-UGet userlist Get a list of users
-MGet machine list* get list of machines
-Sget sharelist get share list
-P get Password Policy information Get Password Policy information
-G get group and member list get group membership information
-D be Detailed, applies to-u and-s more detailed information, combined with-u and-s use
-u user specify username to use (default "") specify User name
-P pass specify password to use (default" ") Specify password
-a do all simple enumeration ( -u-s-g-p-r-o-n-i) Perform all enumeration operations
-O get OS information Get system Information -I get printer information get printer information

After a basic understanding, we now execute the following command on metasploitable 2 :

enum4linux 192.168.111.128

You can see that Enum4linux has obtained a lot of useful information for us, and we got a usable share:

The available account information is also listed:

There is also information about the operating system:

To this end, we have collected information on the target operating system metasploitable 2 user accounts, open ports and versions of running services! At the same time, we got a more confidential
Password policy information. We will then be able to evaluate the information we have obtained and to lay a good foundation for our next infiltration.

Metasploitable 2 Series Tutorial: Information collection