METASPLOIT
ABSTRACT
In this paper we explore the Rapid7 Metasploitable tutorial.
Introduction
Following the Rapid7 tutorial (Rapid7, 2018), and after a fair amount of trial and error, I was able to
successfully exploit vulnerabilities in Metasploitable.
Metasploitable
First, I needed to start Metasploitable, my target machine, and then run ifconfig to get the
target machine's IP address. The target IP address is displayed after inet addr: and is
192.168.56.101. This IP address shows up repeatedly in this paper, which confirms that I didn't
just grab images off the Internet.
Information Gathering
Using the target IP address and the nmap and rpcinfo commands in Kali Linux, my attacker
machine, I was able to gather a good deal of information about Metasploitable. Metasploitable
had a large number of open ports (shown below).
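The scan output referred to above is a screenshot in the original. As an added example (not part of the original paper and not Rapid7's code), the following Python script shows how a defender would turn the same kind of nmap output into a check: it parses nmap's grepable (-oG) format and reports any open port that is not on an expected baseline for the host. The scan text embedded in the script is a constructed sample with the services the paper discusses; the allowlist and host address are assumptions for illustration.

```python
"""Parse nmap grepable (-oG) output and flag open ports outside an expected baseline."""
import re

# Constructed sample of `nmap -oG -` output for an illustrative host.
# Field layout per port is: port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_NMAP_GREPABLE = (
    "# Nmap scan initiated as: nmap -oG - 192.168.56.101\n"
    "Host: 192.168.56.101 ()\tStatus: Up\n"
    "Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///, "
    "111/open/tcp//rpcbind///, 2049/open/tcp//nfs///, 5432/open/tcp//postgresql///"
    "\tIgnored State: closed (977)\n"
    "# Nmap done\n"
)

# Matches one port entry: port, state, protocol, (owner skipped), service.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_open_ports(grepable_text):
    """Return {host: [(port, proto, service), ...]} for ports nmap reports as open."""
    results = {}
    for line in grepable_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            if state == "open":
                results.setdefault(host, []).append((int(port), proto, service))
    return results


def unexpected_ports(open_ports, allowlist):
    """Return, per host, the open ports whose (port, proto) is not in the baseline allowlist."""
    return {
        host: [entry for entry in ports if (entry[0], entry[1]) not in allowlist]
        for host, ports in open_ports.items()
    }


if __name__ == "__main__":
    # Assumed baseline: only SSH and HTTP are expected to be reachable on this host.
    baseline = {(22, "tcp"), (80, "tcp")}
    found = parse_open_ports(SAMPLE_NMAP_GREPABLE)
    for host, extras in unexpected_ports(found, baseline).items():
        for port, proto, service in extras:
            print(f"{host}: unexpected open port {port}/{proto} ({service})")
```

In practice the scan text would come from `nmap -oG - <host>` run against a machine you own; a regular comparison against the baseline surfaces services such as telnet, rpcbind and NFS that should not be exposed at all.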
rpcinfo and rlogin
rpcinfo provides further information about the target system by listing the RPC services that are
running. This is where I started to run into difficulties. I was unable to run the rpcinfo
command. The error message in Kali Linux didn't give me much information about the problem,
and nothing that I found on Google helped. It seemed that Linux couldn't find rpcinfo or nfs,
which rpcinfo seems to depend on. After a great deal of trial and error, I discovered that I needed
to update Kali. But I couldn't get access to the Internet. So I discovered that I needed a wireless
adapter, and ordered one on Amazon. Once the device arrived, a couple of days later, I
configured the VirtualBox image to be compatible with it, which was not trivial either.
Once my attacker machine could access the Internet, I successfully ran apt-get update. Then I ran
apt-get install nfs-kernel-server, which installed the nfs and rpcbind libraries/dependencies that
I needed to run rpcinfo, rlogin, and the mount command required to gain remote access via SSH
(Banerjee, 2016). With Kali updated and nfs-kernel-server installed, and after a week of trial
and error, I was finally able to run rlogin and rpcinfo.
Gaining Remote Access
With information about the open ports and running services, it was time for my first major
exploit: gaining remote access on the target machine via the open SSH port. First, I needed to
generate a new public/private key pair with the ssh-keygen command.
Then I needed to place the key pair on the remote system by mounting its NFS export, but since
the mount -t nfs command required nfs, I was at first unable to run it. (After performing the
updates and installs discussed above, however, the mount -t nfs command ran successfully.)
Finally, I was able to gain remote access via SSH.
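The step above works only because the target exports a filesystem over NFS to any client with write access and without root squashing, so an attacker can write into a user's SSH directory. As an added example (not part of the original paper or of the Rapid7 tutorial), the following Python script audits `/etc/exports`-style configuration for exactly that condition, which is the check a defender would run on a host before exposing NFS. The exports text inside the script is a constructed sample, not the target's real file; the path names and client addresses are assumptions for illustration.

```python
"""Audit /etc/exports lines for NFS exports that let arbitrary clients write as root."""


def parse_exports(text):
    """Yield (path, [(client, {options}), ...]) for each non-comment export line.

    An export with no client specification is treated as exported to every client ("*"),
    which is how nfs-utils interprets it.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        entries = []
        for spec in specs:
            if "(" in spec:
                client, opts = spec.split("(", 1)
                options = set(opts.rstrip(")").split(","))
            else:
                client, options = spec, set()
            entries.append((client or "*", options))
        if not entries:
            entries.append(("*", set()))
        yield path, entries


def audit_exports(text):
    """Return findings as (path, client, severity, reasons).

    Severity "critical" marks an export that any client can mount with remote root mapped
    to local root; a writable export of that kind is the condition that lets an attacker
    drop an SSH key into a user's home directory.
    """
    findings = []
    for path, entries in parse_exports(text):
        for client, options in entries:
            reasons = []
            if client == "*":
                reasons.append("exported to every client")
            if "rw" in options:
                reasons.append("writable")
            if "no_root_squash" in options:
                reasons.append("no_root_squash: remote root maps to local root")
            if not reasons:
                continue
            severity = "critical" if client == "*" and "no_root_squash" in options else "warning"
            findings.append((path, client, severity, reasons))
    return findings


# Constructed sample exports file (assumed paths and client ranges, not a real host's config).
SAMPLE_EXPORTS = """\
# root filesystem shared with the world, writable, no root squash: the worst case
/               *(rw,sync,no_root_squash)
# read-only to one subnet: acceptable
/srv/share      192.168.56.0/24(ro,sync)
# writable but only to one host and with root squashing: worth a look, not critical
/srv/data       192.168.56.10(rw,sync,root_squash)
"""

if __name__ == "__main__":
    for path, client, severity, reasons in audit_exports(SAMPLE_EXPORTS):
        print(f"[{severity}] {path} -> {client}: {'; '.join(reasons)}")
```

The remediation for a critical finding is to restrict the export to the specific clients that need it, prefer `ro` where writes are not required, and keep the default `root_squash` so that a remote root user cannot write files owned by local root.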
I was also able to gain remote access with telnet.
Metasploit Exploits
So far, the exploits we've completed have used basic UNIX commands, but Metasploit has its
own commands and built-in exploits that we can leverage. Metasploit comes packaged with
many exploit scripts that can be run simply by calling them.
First, however, I needed to get Metasploit running. I found a video tutorial on YouTube that
showed me how to start the postgresql database that Metasploit depends on by typing service
postgresql start, then initializing it with msfdb init, and finally typing msfconsole to start
Metasploit (Druin, 2016). Then I could run the exploits in the Rapid7 tutorial.
Vulnerable Websites
As the tutorial states, Metasploitable also contains vulnerable websites that allow us to practice
web application penetration testing.
Other methods for compromising Metasploitable
There are methods for exploiting all of the open ports and services in Metasploitable, or any
target machine for that matter. In this assignment we focused on gaining remote access, which
is, as the Rapid7 tutorial states, "the holy grail" for attackers (Rapid7, 2018). But since in the
real world gaining remote access is a somewhat rare achievement, attackers must exploit other
commonly open ports such as FTP (File Transfer Protocol, port 21), SMTP (Simple Mail Transfer
Protocol, port 25), HTTP (Hypertext Transport Protocol) and HTTPS (HTTP over SSL), POP3 (Post
Office Protocol version 3, port 110), and Microsoft SQL Server ports (TCP port 1433 and UDP port
1434) (Beaver, 2017). If all ports are closed, attackers can still exploit an organization's
vulnerable web applications, or use social engineering to gain information that can get them
into the network (e.g., credentials or IP addresses).
Conclusion
In conclusion, it took me a lot of time to configure the systems to complete the attacks/exploits
in the tutorial, but in the end I was able to perform all of them successfully.
Works Cited
Banerjee, A. (2016, August 18). Kali Linux Repository Issue Solve ["E: Unable to locate package" error solved] New 2016. Retrieved from YouTube: https://www.youtube.com/watch?v=jdjK-jG4X10
Beaver, K. (2017). Commonly Hacked Ports. Retrieved from Dummies.com: https://www.dummies.com/programming/networking/commonly-hacked-ports/
Druin, J. (2016, November 24). How to Start the Metasploit Framework Console (msfconsole). Retrieved from YouTube: https://www.youtube.com/watch?reload=9&v=83r7FXp9CX0
Rapid7. (2018). Metasploitable 2 Exploitability Guide. Retrieved from Rapid7: https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide