ESCO

In this new Metasploit hacking tutorial we will be enumerating the Metasploitable 2 virtual machine to gather useful information for a vulnerability assessment. In mathematics or computer science, enumeration refers to listing the elements of a set. In the hacking context, enumeration is the process of retrieving usernames, shares, services, web directories, groups and computers on a network; this is also called network enumeration. During this process we will also collect other useful network-related information for conducting a penetration test. An important part of the Metasploitable 2 enumeration process is port scanning and fingerprinting. Port scanning is used to probe a server or host for open TCP and UDP ports. Fingerprinting is the process of identifying the services connected to those ports. A very popular tool for network enumeration, port scanning and fingerprinting is Nmap (Network Mapper), which we will be using throughout this tutorial. We will also use an enumeration tool called enum4linux, which is used for enumerating information from Windows and Samba hosts.

After we've successfully enumerated the Metasploitable 2 VM, we will do a vulnerability assessment on the network side in the next tutorial. Using the information retrieved during enumeration, for example the operating system version and the running services with their versions, we will look for known vulnerabilities in these services. We will use the Open Source Vulnerability Database (OSVDB) and Common Vulnerabilities and Exposures (CVE) for this purpose. The last step is to scan the target host for these vulnerabilities with a vulnerability scanner called OpenVAS on Kali Linux.

Metasploitable 2 enumeration and port scanning
In this part of the Metasploitable 2 enumeration tutorial we will enumerate the running services and accounts and perform an open port scan. We will use Nmap to scan the virtual machine for open ports and fingerprint the connected services. In this tutorial we will only focus on enumerating the network side of the Metasploitable 2 machine. We will cover the web side in a different tutorial, where we will enumerate web applications and directories, perform SQL injection attacks and exploit the vulnerable web services.


I assume you have already installed the Metasploitable virtual machine from the previous tutorial; if it is not running by now, it is time to fire it up. When you log in to the vulnerable host with msfadmin as username and password, you can use the ifconfig command to determine its IP address. You can also use netdiscover on the Kali Linux machine to scan a range of IP addresses for the target host. Use the following command in the terminal:
netdiscover -r 192.168.111.0/24
This command returns all live hosts in the given IP range; in this example that is the 192.168.111.0/24 range, which consists of the IP addresses 192.168.111.0 to 192.168.111.255. Of course you should scan the IP range on which your own Metasploitable 2 VM is located.

The netdiscover -r 192.168.111.0/24 command discovers all IP addresses in the given range.
Nmap port scan and service scan
We will start the open port scan by scanning the target host with Nmap. We will use a TCP SYN scan for this purpose and then we will scan the target for open UDP ports. The SYN scan is known as a stealthy port scan because it does not finish the full TCP handshake. A full TCP connection starts with a three-way handshake, where a SYN packet is sent by Nmap as the first part of the handshake. When a port on the target machine is open, it will respond with a SYN-ACK packet. When there is no response from the target to the first SYN packet, then the port is either closed or filtered by a firewall. The third step in this process is that the scanning host should respond to the SYN-ACK with an ACK packet to complete the full TCP handshake. In the case of a SYN scan it never does, and that is why the scan is called stealthy.

When you start a SYN scan (or any other port scan) with Nmap without specifying a port range, Nmap scans only the 1,000 ports considered most important instead of all 65,535 ports. To scan all ports you have to use the -p- flag. The Nmap SYN scan uses the -sS flag, as in the following command, which SYN scans port 1 to port 65,535:
nmap -sS -p- [target IP address]



A SYN scan does not complete the three way TCP handshake because the SYN/ACK packet is not responded to with an ACK packet.
The Nmap SYN scan is often called a stealthy scan, which implies that it goes unnoticed. This is true for old firewalls, which only log full TCP connections, but not for modern firewalls, which also log uncompleted TCP connections.
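To make the point about modern firewalls concrete, here is an added example that is not part of the original tutorial: the kind of detection a defender can run over such logs. It reads a constructed, simplified connection log (the format, one line per packet with source, destination, destination port and TCP flags, is an assumption for this example; real firewalls use their own) and flags sources that started handshakes to many distinct ports without ever completing one, which is exactly the footprint a SYN scan leaves.

```python
import re
from collections import defaultdict

# Constructed sample of a simplified firewall connection log. The format is an
# assumption for this example (one record per packet: timestamp, source,
# destination, destination port and TCP flags); real firewalls use their own.
# 192.168.111.5 sends a single SYN to seven ports and never completes any
# handshake; 192.168.111.7 opens two ordinary connections (SYN, then ACK).
SAMPLE_LOG = [
    "2024-05-01T10:00:01 src=192.168.111.5 dst=192.168.111.129 dport=21 flags=S",
    "2024-05-01T10:00:01 src=192.168.111.5 dst=192.168.111.129 dport=22 flags=S",
    "2024-05-01T10:00:01 src=192.168.111.5 dst=192.168.111.129 dport=23 flags=S",
    "2024-05-01T10:00:02 src=192.168.111.5 dst=192.168.111.129 dport=25 flags=S",
    "2024-05-01T10:00:02 src=192.168.111.5 dst=192.168.111.129 dport=53 flags=S",
    "2024-05-01T10:00:02 src=192.168.111.5 dst=192.168.111.129 dport=80 flags=S",
    "2024-05-01T10:00:03 src=192.168.111.5 dst=192.168.111.129 dport=111 flags=S",
    "2024-05-01T10:00:05 src=192.168.111.7 dst=192.168.111.129 dport=22 flags=S",
    "2024-05-01T10:00:05 src=192.168.111.7 dst=192.168.111.129 dport=22 flags=A",
    "2024-05-01T10:00:09 src=192.168.111.7 dst=192.168.111.129 dport=80 flags=S",
    "2024-05-01T10:00:09 src=192.168.111.7 dst=192.168.111.129 dport=80 flags=A",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def half_open_by_source(lines):
    """Map each source IP to the (dst, dport) pairs it sent a SYN to but never
    followed with an ACK, i.e. the handshakes it left uncompleted."""
    syn_seen = defaultdict(set)
    ack_seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["dst"], rec["dport"])
        if rec["flags"] == "S":            # bare SYN: first step of the handshake
            syn_seen[rec["src"]].add(key)
        elif "A" in rec["flags"] and "S" not in rec["flags"]:
            ack_seen[rec["src"]].add(key)  # client's third step completes it
    return {src: syn_seen[src] - ack_seen[src] for src in syn_seen}


def detect_syn_scans(lines, threshold=5):
    """Flag sources that left handshakes to at least `threshold` distinct ports
    uncompleted; a normal client rarely does that, a SYN scan always does."""
    suspects = {}
    for src, half_open in half_open_by_source(lines).items():
        ports = sorted({dport for _, dport in half_open})
        if len(ports) >= threshold:
            suspects[src] = ports
    return suspects


if __name__ == "__main__":
    for src, ports in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {len(ports)} half-open ports {ports}")
```

The threshold is deliberately a parameter: on a busy network a handful of half-open connections per source is normal noise, while a source that leaves dozens of distinct ports half-open within seconds is almost always a scanner.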
Are open ports vulnerable?
Just because a port is open doesn't mean that the underlying software is vulnerable. We need to know the version of the operating system and of the running services. With this information we can determine whether there are known vulnerabilities available to be exploited. The result of the service and OS scan gives us the right information to investigate further during the vulnerability assessment. To get this information we'll run the port scan with the -sV option for version detection and the -O option for OS detection, which retrieve the versions of the running services and the OS. The Nmap OS and version scan does complete the full TCP handshake and uses techniques like banner grabbing to get information from the running services.
You can also use the -A option instead of -O to enable OS detection, version detection, script scanning and traceroute all at once. This is not a stealthy way of scanning.
Nmap Service scan with OS detection
Use the following command to start the Nmap port scan with service and OS detection:
nmap -sS -sV -O [target IP address]
After running this command Nmap returns a list of open ports and the connected services:



Metasploitable 2 port scan with service and OS scan
The Nmap port and service scans return a lot of open ports, listening services and the version of the operating system. The target host is running Linux 2.6.9 – 2.6.33 as operating system. We can see that the host is running an SSH service using OpenSSH, a telnet service, an Apache 2.2.8 web server, two SQL servers and some more services. Let's sum up all services with version and port in a list we'll be using in the next chapter, where we'll do a vulnerability assessment and look for common vulnerabilities:


  • vsftpd 2.3.4 on open port 21
  • OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) on open port 22
  • Linux telnetd service on open port 23
  • Postfix smtpd on port 25
  • ISC BIND 9.4.2 on open port 53
  • Apache httpd 2.2.8 Ubuntu DAV/2 on port 80
  • An RPCbind service on port 111
  • Samba smbd 3.X on ports 139 and 445
  • 3 r services on ports 512, 513 and 514
  • GNU Classpath grmiregistry on port 1099
  • Metasploitable root shell on port 1524
  • An NFS service on port 2049
  • ProFTPD 1.3.1 on port 2121
  • MySQL 5.0.51a-3ubuntu5 on port 3306
  • PostgreSQL DB 8.3.0 – 8.3.7 on port 5432
  • VNC protocol v1.3 on port 5900
  • X11 service on port 6000
  • Unreal ircd on port 6667
  • Apache JServ protocol 1.3 on port 8009
  • Apache Tomcat/Coyote JSP engine 1.1 on port 8180
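As an added example that is not from the original tutorial: rather than transcribing the Nmap output by hand, the same service-with-version list can be produced from Nmap's XML report (the `-oX scan.xml` output option). The sample XML below is constructed to mirror a subset of the results above; its element and attribute names follow Nmap's XML format, the values are assumed for this example. The parser also separates out the services for which Nmap returned no version, because, as the text says, an open port alone is not enough: without a version there is nothing yet to match against OSVDB or CVE entries.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (what `nmap -sS -sV -O -oX scan.xml <target>`
# writes). It mirrors a subset of the results listed above; the element and
# attribute names follow Nmap's XML schema, the values are assumed for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.111.129">
  <host>
    <status state="up"/>
    <address addr="192.168.111.129" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) DAV/2"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X"/></port>
      <port protocol="tcp" portid="1524"><state state="open"/><service name="bindshell"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5"/></port>
      <port protocol="tcp" portid="8009"><state state="filtered"/><service name="ajp13"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, best OS match and its *open* ports,
    each with the service name, product, version and extra info Nmap found."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        os_el = host.find("os/osmatch")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue   # closed/filtered ports carry no service to assess
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                "extrainfo": attrs.get("extrainfo", ""),
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else "",
            "os": os_el.get("name", "") if os_el is not None else "",
            "services": sorted(services, key=lambda s: (s["proto"], s["port"])),
        })
    return hosts


def describe(service):
    """Render one service the way the list above does, e.g.
    'vsftpd 2.3.4 on port 21/tcp'."""
    label = service["product"] or service["name"]
    label += f" {service['version']}" if service["version"] else " (version unknown)"
    if service["extrainfo"]:
        label += f" ({service['extrainfo']})"
    return f"{label} on port {service['port']}/{service['proto']}"


def unversioned_services(hosts):
    """Services Nmap could not attach a version to; these need manual banner
    grabbing or a deeper scan before a CVE lookup makes sense."""
    return [s for h in hosts for s in h["services"] if not s["version"]]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{h['addr']} running {h['os']}")
        for s in h["services"]:
            print("  -", describe(s))
```

Reading the XML rather than the human-readable output is the robust choice: Nmap's normal output wraps and reorders fields between versions, while the XML attributes (`portid`, `state`, `product`, `version`, `extrainfo`) are stable and can be fed straight into the vulnerability lookup of the next chapter.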
 