After we have completed enumerating the Metasploitable 2 VM, we will do a vulnerability assessment on the network side in the next tutorial. With the information retrieved during enumeration, for example the operating system version and the running services with their versions, we will look for known vulnerabilities in these services. We will use the Open Source Vulnerability Database (OSVDB) and Common Vulnerabilities and Exposures (CVE) for this purpose. The last step is to scan the target host for these vulnerabilities with the OpenVAS vulnerability scanner on Kali Linux.
Metasploitable 2 enumeration and port scanning
In this part of the Metasploitable 2 enumeration tutorial we will enumerate the running services and accounts and perform an open port scan. We will use Nmap to scan the virtual machine for open ports and fingerprint the listening services. In this tutorial we will only focus on enumerating the network side of the Metasploitable 2 machine. We will cover the web side in a different tutorial, where we will enumerate web applications and directories, perform SQL injection attacks and exploit the vulnerable web services.
I assume you have already installed the Metasploitable virtual machine from the previous tutorial; if it is not running yet, it is time to fire it up. When you log in to the vulnerable host with msfadmin as username and password you can use the ifconfig command to determine its IP address. You can also use netdiscover on the Kali Linux machine to scan a range of IP addresses for the target host. Use the following command on the terminal:
netdiscover -r 192.168.111.0/24
This command returns all live hosts in the given IP range; in this example that is 192.168.111.0/24, which covers 192.168.111.0 to 192.168.111.255. Of course you should scan the IP range on which your own Metasploitable 2 VM is located.
The netdiscover -r 192.168.111.0/24 command discovers all live hosts in the given range.
Nmap port scan and service scan
We will start the open port scan by scanning the target host with Nmap. We will use a TCP SYN scan for this purpose and then scan the target for open UDP ports. The SYN scan is known as a stealthy port scan because it does not finish the full TCP handshake. A full TCP connection starts with a three-way handshake in which a SYN packet is sent by Nmap as the first step. When a port on the target machine is open, it responds with a SYN-ACK packet. When there is no response from the target to the first SYN packet, the port is either closed or filtered by a firewall. In the third step the scanning host should respond to the SYN-ACK with an ACK packet to complete the full TCP handshake. In the case of a SYN scan it never does, which is why the scan is called stealthy.
When you start a SYN scan (or any other port scan) with Nmap without specifying a port range, Nmap scans only 1,000 ports, the ones it considers the most common, instead of all 65,535 ports. To scan all ports you have to use the -p- flag. The Nmap SYN scan is selected with the -sS flag, as in the following command, which SYN scans port 1 to port 65,535:
nmap -sS -p- [target IP address]
A SYN scan does not complete the three-way TCP handshake because the SYN-ACK packet is not answered with an ACK packet.
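How a connection-tracking firewall or IDS still sees the half-open handshake described above, as an added detection example that is not part of the original tutorial: it replays constructed per-flow events for hosts in the 192.168.111.0/24 range used in the text (the addresses .5, .7 and .128 are assumptions) and flags the source that leaves several ports half-open without ever completing a handshake.

```python
"""Flag SYN-scan behaviour from per-flow TCP handshake events.

A SYN scan sends SYN, gets SYN-ACK (open) or RST (closed) and never sends
the final ACK, so a log of completed connections stays empty. Tracking the
handshake state per flow makes the half-open probes visible.
"""
from collections import defaultdict

# Constructed sample: (src, dst, dport, direction, flags)
# direction "out" = client -> server, "in" = server -> client
SAMPLE_EVENTS = [
    ("192.168.111.5", "192.168.111.128", 21, "out", "S"),
    ("192.168.111.5", "192.168.111.128", 21, "in", "SA"),   # open, no ACK back
    ("192.168.111.5", "192.168.111.128", 22, "out", "S"),
    ("192.168.111.5", "192.168.111.128", 22, "in", "SA"),
    ("192.168.111.5", "192.168.111.128", 23, "out", "S"),
    ("192.168.111.5", "192.168.111.128", 23, "in", "SA"),
    ("192.168.111.5", "192.168.111.128", 8181, "out", "S"),
    ("192.168.111.5", "192.168.111.128", 8181, "in", "RA"),  # closed port
    ("192.168.111.7", "192.168.111.128", 80, "out", "S"),    # normal client
    ("192.168.111.7", "192.168.111.128", 80, "in", "SA"),
    ("192.168.111.7", "192.168.111.128", 80, "out", "A"),    # handshake done
]

def classify_flows(events):
    """Map (src, dst, dport) to its final handshake state:
    syn_sent, half_open (SYN-ACK seen, no ACK), closed (RST) or completed."""
    state = {}
    for src, dst, dport, direction, flags in events:
        key = (src, dst, dport)
        if direction == "out" and flags == "S":
            state[key] = "syn_sent"
        elif direction == "in" and flags == "SA" and state.get(key) == "syn_sent":
            state[key] = "half_open"
        elif direction == "in" and "R" in flags:
            state[key] = "closed"
        elif direction == "out" and flags == "A" and state.get(key) == "half_open":
            state[key] = "completed"
    return state

def suspected_syn_scanners(events, min_ports=3):
    """Sources that probed at least min_ports distinct ports on one host
    without completing a single handshake to them."""
    probed = defaultdict(set)
    for (src, dst, dport), st in classify_flows(events).items():
        if st in ("half_open", "closed"):
            probed[(src, dst)].add(dport)
    return sorted({src for (src, _), ports in probed.items() if len(ports) >= min_ports})
```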
The Nmap SYN scan is often called a stealthy scan, which implies that it goes unnoticed. This is true for old firewalls, which only log full TCP connections, but not for modern firewalls, which also log uncompleted TCP connections.
Are open ports vulnerable?
Just because a port is open doesn't mean that the underlying software is vulnerable. We need to know the version of the operating system and of the running services. With this information we can determine whether there are known vulnerabilities that could be exploited. The results of the service and OS scan give us the right information to investigate further during the vulnerability assessment. To get this information we run the port scan with the -sV option for version detection and the -O option for OS detection. The Nmap OS and version scan does complete the full TCP handshake and uses techniques like banner grabbing to get information from the running services.
You can also use the -A option instead of -O to enable OS detection, version detection, script scanning and traceroute all at once. This is not a stealthy way of scanning.
Nmap Service scan with OS detection
Use the following command to start the Nmap port scan with service and OS detection:
nmap -sS -sV -O [target IP address]
After running this command Nmap will return a list of open ports and the connected services:
Metasploitable 2 port scan with service and OS scan
The Nmap port and service scans return a lot of open ports, listening services and the version of the operating system. The target host is running Linux 2.6.9 – 2.6.33 as its operating system. We can see that the host is running an SSH service using OpenSSH, a telnet service, an Apache 2.2.8 web server, two SQL servers and some more services. Let's list all services with version and port; we will use this list in the next chapter, where we do a vulnerability assessment and look for common vulnerabilities:
- Vsftpd 2.3.4 on open port 21
- OpenSSH 4.7p1 Debian 8ubuntu 1 (protocol 2.0) on open port 22
- Linux telnetd service on open port 23
- Postfix smtpd on port 25
- ISC BIND 9.4.2 on open port 53
- Apache httpd 2.2.8 Ubuntu DAV/2 on port 80
- An RPCbind service on port 111
- Samba smbd 3.X on ports 139 and 445
- Three r-services on ports 512, 513 and 514
- GNU Classpath grmiregistry on port 1099
- Metasploitable root shell on port 1524
- An NFS service on port 2049
- ProFTPD 1.3.1 on port 2121
- MySQL 5.0.51a-3ubuntu5 on port 3306
- PostgreSQL DB 8.3.0 – 8.3.7 on port 5432
- VNC protocol v1.3 on port 5900
- X11 service on port 6000
- Unreal ircd on port 6667
- Apache Jserv protocol 1.3 on port 8009
- Apache Tomcat/Coyote JSP engine 1.1 on port 8180
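A small parser that turns Nmap -sV output into the structured service inventory this list represents, the input for the vulnerability assessment step; it is an added example, not part of the original tutorial, and the sample output is constructed to mirror the results above (the only assumption is Nmap's normal "PORT STATE SERVICE VERSION" line layout).

```python
"""Parse Nmap -sV output into the service/version inventory used for
the vulnerability assessment. The sample output below is constructed,
modelled on the Metasploitable 2 results listed in the text."""
import re

SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
111/tcp  open  rpcbind     2 (RPC #100000)
1524/tcp open  bindshell   Metasploitable root shell
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
6000/tcp open  X11
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
"""

# <port>/<proto> <state> <service> [<free-text version column>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_services(text):
    """Turn each 'PORT STATE SERVICE VERSION' line into a dict; the header
    and other non-port lines are skipped, a missing version column becomes ''."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        services.append({
            "port": int(port), "proto": proto, "state": state,
            "service": name, "version": (version or "").strip(),
        })
    return services

def open_service_inventory(text):
    """Open ports only, rendered like the list in the text ('vsftpd 2.3.4 on
    port 21'); services without a version banner are flagged for manual checks."""
    inventory = []
    for s in parse_nmap_services(text):
        if s["state"] != "open":
            continue
        label = s["version"] or f"{s['service']} (no version banner, check manually)"
        inventory.append(f"{label} on port {s['port']}")
    return inventory
```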
Most of the running services scanned by Nmap will probably be vulnerable.
Of course we know the Metasploitable 2 virtual machine is intentionally vulnerable. Therefore one can only suspect that most, if not all, of the services contain vulnerabilities, backdoors etc. In this hacking tutorial we will only cover enumeration tactics, port scanning and a vulnerability assessment on the network side. In the Metasploitable tutorials to follow we will be exploiting the vulnerabilities. Let's continue with user enumeration.