
CS3695/M6-109 Lab 05-NPS07 Metasploitable 2.0 Ver. 8 Rev.0

Background

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools and practice common penetration testing techniques. This lab will walk you through a few attacks that work on a Metasploitable Linux platform.

Remote Connection

See the previous lab (1A-NPS00 Introduction to the Lab) and log onto your remote host.

Procedures:

(NOTE: you may want to start off on the next section first (A Closer Look at Vulnerability Scanning) so you can do this part while the scan takes 30 mins to complete.)

1. Fire up your Kali host

2. First, we need to run an Nmap scan to discover which ports are open. From your Kali host, scan the Metasploitable machine discovered during the scanning lab on all TCP ports:

nmap -p- 10.10.10.3

3. In the list of open ports you will notice port 2049 (NFS) is open.

Network File System (NFS)

NFS is a service commonly found on UNIX systems. Its purpose is to allow users to access shared directories over a network. However, system administrators must take special care to configure an NFS share properly. For this lab we will use Metasploitable 2.0, which by default has the NFS service misconfigured.

4. Now we can use the showmount -e command to list the shares the server exports:

showmount -e 10.10.10.3

5. The / in the export list means that the root directory of the remote system is shared! From a security perspective this can be catastrophic: anyone who can reach the NFS port can mount the whole filesystem and view its contents in a local directory, as shown in the following images:

6. Now, on your own Kali host, make a mount-point directory:

mkdir /temp/

7. Now mount the shared root directory of .3 onto it:

mount -t nfs 10.10.10.3:/ /temp -o nolock

8. Display the mounted filesystems with the df command (normally used to look at disk space usage); you should see 10.10.10.3 listed there:

df -h

9. Change directory to the temp folder: cd /temp

10. View contents of the temp directory: ls

As you can see, we can view the folders of the remote root directory. Let's see if we can obtain the contents of /etc/passwd and /etc/shadow, which give us the users of the remote machine and their password hashes.

11. Change directory to 10.10.10.3’s etc directory: cd /temp/etc

12. View contents of passwd file: cat passwd

13. Now show contents of shadow file: cat shadow

This attack shows how easily a malicious attacker can exploit an NFS misconfiguration. Of course, nowadays it is rare for a system administrator to make this kind of mistake, but it is always good to know the commands and what to look for in a situation like this, especially when NFS port 2049 is exposed.
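The following is an added example and not part of the lab handout: a small POSIX shell audit that classifies showmount-style export listings the way a defender would when checking for the misconfiguration described above (root filesystem exported, or any export open to every host). The sample output is constructed for the example, not captured from 10.10.10.3.

```shell
#!/bin/sh
# Constructed sample of `showmount -e` output (not captured from the lab host).
SAMPLE_SHOWMOUNT='Export list for 10.10.10.3:
/            *
/home/share  10.10.10.0/24
/var/backup  (everyone)'

# Classify one export: prints "RISK <reason>" or "ok" for a path/client pair.
classify_export() {
    path=$1
    clients=$2
    reason=""
    case "$path" in
        /) reason="root filesystem exported" ;;
    esac
    # showmount prints "(everyone)" for unrestricted exports; "*" is the
    # equivalent wildcard as written in /etc/exports.
    case "$clients" in
        '*'|'(everyone)') reason="${reason:+$reason; }exported to all hosts" ;;
    esac
    if [ -n "$reason" ]; then
        printf 'RISK %s\n' "$reason"
    else
        printf 'ok\n'
    fi
}

# Walk showmount-style output from stdin, skip the header line, and print one
# classification per export. Returns 1 if any export was flagged.
audit_showmount() {
    rc=0
    while read -r path clients; do
        case "$path" in
            Export*|'') continue ;;
        esac
        verdict=$(classify_export "$path" "$clients")
        printf '%-14s %-14s %s\n' "$path" "$clients" "$verdict"
        case "$verdict" in RISK*) rc=1 ;; esac
    done
    return $rc
}

# Stand-alone run on the constructed sample. On a real host, pipe
# `showmount -e <nfs-server>` into audit_showmount instead.
printf '%s\n' "$SAMPLE_SHOWMOUNT" | audit_showmount \
    || printf 'One or more risky exports found\n'
```

The same checks apply to a server's own /etc/exports: an entry for / or a client field of * deserves the same RISK verdict before the share ever goes live.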

A Closer Look at Vulnerability Scanning

Now you are going to practice using a vulnerability scanner to target your attacks with specific exploits that a target may be susceptible to.

1. Referring to the lab 04-NPS01 Vulnerability Scanner Lab procedures, conduct a Nessus basic scan on host 10.10.10.3 (this can take around 30 min to complete, a good time for a quick break ;-)

2. Once the scan is complete, click on the IP address to get into the details for that specific host.

3. Here you see all the vulnerabilities that the system has listed by severity. Click on Samba NDR MS-RPC Request Heap-Based Buffer Overflow to bring up its details.

4. Now we can read the description to see what the vulnerability is, which port/protocol it uses as a vector, and a possible solution for remediating it.

5. When we scroll down we get detailed information on whether an exploit has already been developed. If an exploit has been developed for Metasploit, its name will be listed!! In this case the Metasploit exploit is samba lsa_io_trans_names HEAP.

6. Now go back and read through a few of the other vulnerabilities. Your goal is to use the information gained in this Nessus scan to gain access to 10.10.10.3 using two different exploits. Hint: You don't have to use Metasploit if the exploit doesn't require it to be effective.

Deliverables: Please submit the two vulnerabilities/exploits that you use and what level of access you were able to gain via the Assignments button in Sakai.

For more information on Metasploitable, see the following link:

Metasploitable 2 Exploitability Guide (May 31 2012): https://community.rapid7.com/docs/DOC-1875