For our FINAL event of the year, we are setting up a vulnerable server for all Hacking Club members to compromise. We have spun up a VM of metasploitable on a LAN and have given our members the tasks of doing the following:
- Launch a virtual machine with Kali Linux.
- Set up a PostgreSQL server locally.
- Run a network scanning tool, nmap.
- Enumerate the server.
- Upload a PHP shell to access the server later.
- Gain root access.
For this exercise, you will need the following:
- Computer (any OS)
- Virtualization software
- VirtualBox is free and works on all platforms
- VMware is also a good choice
- An ISO image of Kali Linux
- Metasploitable VM, which can be downloaded here.
Create a virtual machine (VM) of Kali Linux, and make sure its network adapter is configured in bridged mode. This lets the VM use your physical network card as if it were its own. Don't worry, your host and your guest will both be able to use it, and each will get its own IP address on the network.
Launch Metasploitable in your virtualization software. The most difficult part of this setup is making sure the two VMs can reach each other. If bridged networking does not work on both VMs, connect them using a custom virtual network instead.
Here is what your VM will look like when it starts.
You will know it is set up correctly if the two IP addresses look similar and they have the same netmask.
You can run the following command to check your IP.
This command has many uses, but for this exercise we will only concentrate on finding the IP address. If your IP starts with 169...., it means the VM could not get an IP address from the router.
Now let's have some fun! We will be scanning the local network for our Metasploitable server. Click Applications, 01 - Information Gathering, and then the zenmap button on the left side. Alternatively, you can enter zenmap in the terminal. It opens the nmap GUI.
So we know that the network's subnet mask is 255.255.255.0. This means there can be a total of 254 computers/devices connected to this network. Here is a cheatsheet to determine the "slider" (the CIDR prefix length) of the network. For 255.255.255.0, the slider is /24.
When zenmap comes up, enter the network IP as well as the slider and execute a ping scan. A ping scan probes all IPs in the specified range and gathers the MAC address and IP address of each host that responds.
By knowing a device's MAC address, you can determine the manufacturer of the device. The first three octets of a MAC address are specific to a vendor. If we take a look at 192.168.1.1, we can see that its MAC address is 00:c0:02:63:00:08. The first 3 octets are 00:C0:02. If we enter this into a MAC address lookup such as http://www.coffer.com/mac_find/, we can see that its vendor is Sercomm, just as it says in our nmap scan.
An important thing to note: the scan results gave us back the IP 192.168.1.1. This is the first IP in the 192.168.1.0 network, which means this IP address is MOST LIKELY the router. For further investigation, one can do a more intensive scan on the router, but for this exercise we are targeting a different server. Let's now see which servers we can remote into.
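Added example (not part of the original post): a small Python helper that does the two calculations from the paragraphs above, converting a netmask into the "slider" (CIDR prefix) with its usable host count, and pulling the OUI (first three octets) out of each MAC address in a ping scan to name the vendor. The scan text and the OUI table are constructed for this example; the table is an assumption holding only the Sercomm prefix the post mentions, a real lookup would use the IEEE registry.

```python
import ipaddress
import re

# Constructed OUI table for the example (assumption): only the prefix from the post.
OUI_VENDORS = {"00:C0:02": "Sercomm"}

def netmask_to_prefix(network_ip, netmask):
    """Return (CIDR string, usable host count) for a network address and dotted
    netmask, e.g. 192.168.1.0 + 255.255.255.0 -> ('192.168.1.0/24', 254).
    Network and broadcast addresses are excluded from the host count."""
    net = ipaddress.ip_network(f"{network_ip}/{netmask}", strict=False)
    return str(net), net.num_addresses - 2

# Constructed sample of nmap ping-scan (-sn) text output, not a real capture.
# The last host has no MAC line, as nmap prints for the scanning host itself.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
MAC Address: 00:C0:02:63:00:08 (Sercomm)
Nmap scan report for 192.168.1.105
Host is up (0.00045s latency).
MAC Address: AA:BB:CC:11:22:33 (Unknown)
Nmap scan report for 192.168.1.20
Host is up.
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")

def parse_ping_scan(text):
    """Parse nmap -sn text output into a list of dicts with ip, mac, oui and
    vendor. Hosts without a MAC line keep None for the MAC-derived fields."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group(1), "mac": None, "oui": None, "vendor": None}
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            mac = m.group(1).upper()
            oui = mac[:8]  # first three octets identify the vendor
            current.update(mac=mac, oui=oui, vendor=OUI_VENDORS.get(oui, "unknown"))
    return hosts

if __name__ == "__main__":
    print(netmask_to_prefix("192.168.1.0", "255.255.255.0"))
    for host in parse_ping_scan(SAMPLE_SCAN):
        print(host)
```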
root@kali:~# nmap -sV -p 20-23 192.168.1.0/24
As you can see, not only is the router running Dropbear sshd, but it's also running DD-WRT telnetd. This tells us the router has been flashed with DD-WRT firmware. But since this isn't our target, we will keep checking what else this scan turned up.
Alright, so we know a few of the ports are open on our target. Let's check all the ports on this server.
So we have a server, know all of the ports that are open, and the version. What we can do now, is save the scan results, and import them into Metasploit Framework. In Zenmap, click Scan > Save Scan and save it somewhere you will remember. Desktop, Downloads, or Documents are fine locations. Now it's time to get Metasploit running. But first, we have to create a database where we can store our port scan results. In a terminal, run...
root@kali:~# service postgresql start
Now let's finish configuring our database with...
root@kali:~# msfdb init
Alright, so now that we have Metasploit running, we should check that the database we created is connected to Metasploit.
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options
Learn more here.