
ATTACKING
METASPLOITABLE 2 VM
SERVER

Cameron W

Contents

Synopsis ... 2
Tools Used ... 2
Metasploitable ... 3
Metasploit ... 3
NMAP ... 4
System Configuration ... 5
Reconnaissance ... 6
Step 1: Discover MSF Server IP ... 6
Step 2: Discovery of MSF server using Nmap ... 8
Assignment Questions Answered ... 14
Exploitation ... 16
References / Work Cited ... 19



Synopsis

This task demonstrates two stages of penetration testing, reconnaissance and exploitation,
against a vulnerable network server. The vulnerable server will be the Metasploitable 2.0
virtual machine, and the attacks will come from a Kali Linux virtual machine. Both virtual
machines will be networked on a private VLAN for safety. During this assignment, the following
questions will be answered:

1. Which ports are open on the target VM?
2. What operating system and services are running on the target VM based on the
fingerprinting performed by the VAT(s)?
3. Which services are vulnerable to external attacks?
4. How would you DoS the target VM?

Tools Used

The following tools are free to use and available for anyone to download. They are the basic
set of tools used to simulate and demonstrate an attack, both for practice and in professional
use.

Metasploitable

Metasploitable is a virtual Linux operating machine loaded with many types of vulnerabilities
normally found in operating systems that can be used for exploiting this Linux machine. The
Metasploitable project is also created and maintained by the rapid7 community (Metasploit-
Framework community). Metasploitable was originally designed for Metasploit Framework
testing. In summary, Metasploitable is a purposely vulnerable Linux server, especially designed
for practicing penetration testing, network security, the Metasploit Framework and many other
avenues of practice without the worry of attacking a legitimate server. (Bitforestinfo)

Metasploit

The Metasploit Project is a computer security project that provides information about security
vulnerabilities and aids in penetration testing and IDS signature development.

Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and
executing exploit code against a remote target machine. Other important sub-projects include the
Opcode Database, shellcode archive, and related research.

The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are
built into the Metasploit Framework. (Wikipedia, 2018)

NMAP

Nmap (Network Mapper) is a free and open-source security scanner, originally written by
Gordon Lyon.

The software provides several features for probing computer networks, including host discovery
and service and operating-system detection. These features are extensible by scripts that provide
more advanced service detection, vulnerability detection, and other features. Nmap can adapt to
network conditions, including latency and congestion during a scan. The Nmap user community
continues to develop and refine the tool. (Wikipedia)

System Configuration

Source Address:
192.168.5.1 Windows 10 Host Workstation
192.168.5.5 Kali Linux Virtual Machine

Destination Address:
192.168.5.3 Metasploitable Server Virtual Machine

Reconnaissance

Step 1: Discover MSF Server IP


Due to the nature of this assignment, we have physical access to the vulnerable web server
(the Metasploitable VM), and because we can access the machine we can easily find its IP on the
VLAN. In a traditional penetration test we would either have to discover the IP or be given
it; to save time we can go to the server and type ifconfig to locate its IP. In Figure 1, the
system's IP on the ethernet interface eth0 is 192.168.5.3.

Figure 1: ifconfig of Metasploitable Server VM



Because we have the IP from the ifconfig command, the IP can be input in a web browser to
display the front webpage of the webserver. Figure 2 is a screenshot of the front-end webpage to
show that it is up and running and what is being hosted.

Figure 2: Website of the Metasploitable Server



Step 2: Discovery of MSF server using Nmap


The next step after obtaining the IP of the Metasploitable VM server is to scan that IP to find
out whatever information we can. The goal of an Nmap scan is to learn anything and everything
about the machine; mainly, however, we will be looking at which ports are open on the server and
which OS and OS version the machine is running, as this can often lead to many attack vectors
depending on what is open and available.

Figure 3: Nmap Command-List



When using Nmap, you must provide a set of options along with the target IP. Below is the full
Nmap command that will be used, and a breakdown of each option passed to it.

Command: nmap -v -sV -O -sS -T4 192.168.5.3

Command argument list:
-v : Increase verbosity level (use -vv or more for greater effect)
-sV : Probe open ports to determine service/version info
-O : Enable OS detection
-sS : TCP SYN (half-open) scan; the same option family also covers the Connect()/ACK/Window/Maimon scans
-T4 : Set timing template (higher is faster)

Figure 4 shows the first part of the Nmap scan results. The figure reveals a great deal of
information about the system, which opens it up to many possible attacks. A scan of a properly
hardened server should not turn up this many results, and whatever does show up should be secured
and ready for any attack. Because Metasploitable is a purposely vulnerable server, a large number
of ports are open, giving a wide range of ways to enter the system.

Figure 4: Results of the Nmap Scan Part 1/2



Figure 5 is the second part of the Nmap scan, which displays what is running on each of the open
ports discovered during the scan. The results are summarized in Table 1 below Figure 5.

Nmap can determine not only which ports are open on the server but also which service is running
on each port and the version of that service. The results show 23 services running on the host
server and 977 closed ports (Nmap scans the 1,000 most common ports by default, so 23 + 977 =
1,000). The open ports provide a vast attack surface, and a malicious attacker could use commonly
known attacks against these open ports and services. This possible exposure is one of many
reasons why we, as security experts, are told to patch and update systems to reduce the attack
surface presented by known vulnerable services.

Figure 5: Results of the Nmap Scan Part 2/2

Table 1: List of ports open from the Nmap scan

Port      State  Service      Version
21/tcp    open   ftp          vsftpd 2.3.4
22/tcp    open   ssh          OpenSSH
23/tcp    open   telnet       Linux telnetd
25/tcp    open   smtp         Postfix smtpd
53/tcp    open   domain       ISC BIND 9.4.2
80/tcp    open   apache       Apache httpd 2.2.8
111/tcp   open   rpcbind      2 (RPC #100000)
139/tcp   open   netbios-ssn  Samba smbd 3.X
445/tcp   open   netbios-ssn  Samba smbd 3.X
512/tcp   open   exec         netkit-rsh rexecd
513/tcp   open   login        OpenBSD
514/tcp   open   tcpwrapped
1099/tcp  open   rmiregistry  GNU Classpath
1524/tcp  open   shell        Metasploitable root shell
2049/tcp  open   nfs          2-4 (RPC #100003)
2121/tcp  open   ftp          ProFTPD 1.3.1
3306/tcp  open   mysql        MySQL
3632/tcp  open   distccd      distccd v1
5432/tcp  open   postgresql   PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open   vnc          VNC
6000/tcp  open   X11
6667/tcp  open   irc          Unreal ircd
6697/tcp  open   irc          Unreal ircd
8009/tcp  open   ajp13        Apache Jserv
8180/tcp  open   http         Apache Tomcat/Coyote JSP engine 1.1

The final result useful for this assignment is the operating system and its version, which the
scan discovered. Figure 6 shows the operating system running, Linux 2.6.X, with OS details of
Linux 2.6.9 - 2.6.33 giving more detail about what the server is running. This information can be
used to find known attacks and use them against a server that is running an outdated version of
the OS.

Figure 6: Nmap result of the Operating System
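The port table and OS line that Nmap prints (Figures 5 and 6) are easier to track over time when parsed into a structure rather than read off a screenshot. The following Python is an added example written for this page, not part of the original report or of Nmap; the sample output is constructed from the values in Table 1 and Figure 6, and the function names are my own.

```python
"""Turn nmap normal output (as in Figures 5 and 6) into the inventory of Table 1."""
import re

# Constructed sample in nmap's normal-output layout. The values echo the page's
# Table 1 and Figure 6, but this text was typed for the example, not captured.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.5.3
Host is up (0.00045s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH
23/tcp   open  telnet      Linux telnetd
514/tcp  open  tcpwrapped
1524/tcp open  shell       Metasploitable root shell
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
OS details: Linux 2.6.9 - 2.6.33
"""

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
                     r"(?P<service>\S+)(?:\s+(?P<version>.+))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports")
OS_RE = re.compile(r"^OS details: (.+)$")


def parse_nmap_report(text):
    """Return {'ports': [dicts], 'not_shown': (count, state), 'os': str or None}."""
    report = {"ports": [], "not_shown": (0, None), "os": None}
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["version"] = (entry["version"] or "").strip()
            report["ports"].append(entry)
        elif m := NOT_SHOWN_RE.match(line):
            report["not_shown"] = (int(m.group(1)), m.group(2))
        elif m := OS_RE.match(line):
            report["os"] = m.group(1).strip()
    return report


def needs_manual_followup(report):
    """Open ports nmap could not fingerprint (blank VERSION or 'tcpwrapped')."""
    return [p["port"] for p in report["ports"] if p["state"] == "open"
            and (not p["version"] or p["service"] == "tcpwrapped")]


def table_rows(report):
    """Rows in the 'Port State Service Version' layout of Table 1."""
    return [f"{p['port']}/{p['proto']} {p['state']} {p['service']} {p['version']}".rstrip()
            for p in report["ports"]]
```

Ports that come back as tcpwrapped or with no version (514/tcp in Table 1) are the ones the scan tells you least about, so the follow-up list is where a reviewer should look by hand.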



Assignment Questions Answered

1. Which ports are open on the target VM?

a. Figures 4 and 5 and Table 1 list the ports and services that are open and running on the
target VM.

2. What operating system and services are running on the target VM based on the
fingerprinting performed by the VAT(s)?

a. Figure 6 is a screenshot of the server's operating system, which is Linux 2.6.X, and
also provides more information such as the OS CPE (cpe:/o:linux:linux_kernel:2.6) and
OS details (Linux 2.6.9 - 2.6.33).
b. Table 1 provides a list of the ports and services running on the target.

3. Which services are vulnerable to external attacks?

a. Every service listed in the Nmap scan is vulnerable, as Metasploitable exposes these
services for possible attacks; those reachable by an outside attacker are listed below.

Port      State  Service      Version
21/tcp    open   ftp          vsftpd 2.3.4
22/tcp    open   ssh          OpenSSH
23/tcp    open   telnet       Linux telnetd
53/tcp    open   domain       ISC BIND 9.4.2
80/tcp    open   apache       Apache httpd 2.2.8
3306/tcp  open   mysql        MySQL
3632/tcp  open   distccd      distccd v1
5432/tcp  open   postgresql   PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open   vnc          VNC
8009/tcp  open   ajp13        Apache Jserv
8180/tcp  open   http         Apache Tomcat/Coyote JSP engine 1.1

4. How would you DoS the target VM?

a. There are many ways to attack a vulnerable server like this and cause a DoS or a similar
disruptive attack. The simplest and easiest would be a SYN flood attack, as it is
straightforward to implement and there are many tools that can be configured to carry out a
SYN flood.

Exploitation

The assignment is finished and the required questions are answered; however, to demonstrate
the attack I said I would use, I'll use Metasploit to launch a DoS attack on the target VM. Figure
7 displays the starting page of the Metasploit program that will be used to attack the target
VM.

Figure 7: Metasploit Starting Page in Terminal



Figure 8 displays all the options for attacking a host, following along with the guide found
online to demonstrate this DoS attack. The command used to reach this menu from the start is
use auxiliary/dos/tcp/synflood, which is provided in the guide I am following. On this page we
can set the host and a few other options for the attack. Once I have set the IP using the
set RHOST command I can launch the attack on the target VM. Once I started the attack using the
exploit command and tried to access the website from the browser, I received "This site can't be
reached," and once I stopped the attack, I was once again able to access the site.

Figure 8: Metasploit Options Page

Figure 9: Metasploit Setting Up Attack
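What the server side of the SYN flood described above looks like to a defender: a burst of bare SYNs to one port, from many sources, almost none of which ever completes a handshake. The following Python is an added detection example written for this page, not code from the report or from Metasploit; the tcpdump-style sample lines are constructed, and the function names are my own.

```python
"""Flag a TCP SYN flood from tcpdump-style lines: the defender's view of Figure 9."""
import re
from collections import defaultdict

# Constructed tcpdump-like lines (not a capture from the page): one normal
# three-way handshake, then a burst of bare SYNs to 192.168.5.3:80 whose source
# addresses vary, as they would if the flood tool spoofs them.
NORMAL_LINES = [
    "10:00:00.100 IP 192.168.5.1.51000 > 192.168.5.3.80: Flags [S], length 0",
    "10:00:00.101 IP 192.168.5.3.80 > 192.168.5.1.51000: Flags [S.], length 0",
    "10:00:00.102 IP 192.168.5.1.51000 > 192.168.5.3.80: Flags [.], length 0",
]
FLOOD_LINES = [
    f"10:00:05.{i:03d} IP 10.{i % 7}.{i % 11}.{i}.4000{i % 10} > 192.168.5.3.80: "
    "Flags [S], length 0"
    for i in range(200)
]
SAMPLE_LINES = NORMAL_LINES + FLOOD_LINES

LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def syn_flood_buckets(lines, threshold=100):
    """Count bare SYNs (flags exactly 'S') per destination ip:port and one-second
    bucket, ignoring the source because a flood may spoof it. Returns the buckets
    whose SYN count exceeds threshold as (dst, dport, second, count) tuples."""
    syns = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["flags"] == "S":
            syns[(m["dst"], m["dport"], m["ts"])] += 1
    return [(dst, dport, ts, n) for (dst, dport, ts), n in syns.items()
            if n > threshold]


def handshake_completion_ratio(lines, dst, dport):
    """Fraction of SYNs to dst:dport followed by an ACK from the same client;
    near zero during a flood, near one under normal load."""
    syn_clients, acked = set(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or (m["dst"], m["dport"]) != (dst, dport):
            continue
        client = (m["src"], m["sport"])
        if m["flags"] == "S":
            syn_clients.add(client)
        elif "." in m["flags"] and client in syn_clients:
            acked.add(client)
    return len(acked) / len(syn_clients) if syn_clients else 1.0
```

On Linux the usual mitigation for the half-open connections such a flood leaves behind is enabling SYN cookies (net.ipv4.tcp_syncookies=1), so the backlog is no longer consumed by SYNs that never complete.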



References / Work Cited

Suraj Sign Bisht (May 19, 2017). What is Metasploitable? What are the usages of Metasploitable ISO? Best for penetration testing practise. Retrieved October 14, 2018, from http://www.bitforestinfo.com/2017/05/what-is-metasploitable-what-are-the-usages-of-metasploitable-iso-best-for-penetration-testing.html

Wikipedia. Metasploit Project. Retrieved October 14, 2018, from https://en.wikipedia.org/wiki/Metasploit_Project

Wikipedia. Nmap. Retrieved October 14, 2018, from https://en.wikipedia.org/wiki/Nmap

WEB APP SECURITY (2017). Retrieved October 14, 2018, from https://whitehat.academy/vmprep/

Gurbaran S (June 11, 2018). How to Launch a DoS Attack by using Metasploit Auxiliary. Retrieved October 14, 2018, from https://gbhackers.com/kali-linux-tutorial-dos-attack/
