I mentioned a week or two ago that we would take a closer look at Metasploitable 2.0, the purposefully vulnerable Linux virtual machine used for learning security tactics and techniques. In this intro, we will quickly cover obtaining Metasploitable and scanning it for open ports and services. (No, you do not want Metasploitable running on an open or production network; it’s vulnerable, for Pete’s sake! 🙂 )
For this series of tutorials you will need:
- Backtrack 5 r2 – I used the Gnome, 32 Bit version, available here.
- Metasploitable 2.0 – Available here.
You can set up a test network using VMware or VirtualBox. I will not cover this in the article; there are many tutorials out there for setting this up.
The Rapid7 website references a great Metasploitable setup tutorial on webpwnized’s YouTube Channel. This covers installing Metasploitable 2 on VirtualBox and how to get to Mutillidae, a great learning tool for web app security:
Okay, let’s take a look at Metasploitable from our Backtrack box. Let’s run an nmap scan and see what services are installed.
Open a Terminal window on your Backtrack system and type:
nmap -v -A 192.168.12.20 (replace 192.168.12.20 with your Metasploitable VM’s IP address)
This will show us the open ports and try to enumerate what services are running. Here is a look at the ports:
Holy open ports Batman!
Nmap will churn for a while as it tries to detect the actual services running on these ports. In a few minutes you will see a screen that looks like this:
For each port, we see the port number, the service type, and even an attempt at the service software version.
From here, we can grab the software version, in this case “Unreal IRC 220.127.116.11”, and do a search for vulnerabilities for that software release. Just searching “unreal18.104.22.168 exploits” in Google should do the trick. With a little searching, you can find an Unreal exploit usable through Backtrack 5’s Metasploit program that will give you a root shell. See if you can find it and give it a shot. If you strike out, no worries, we will take a closer look at this in a later tutorial.
If nothing comes up, you may not have the exact software version. Nmap tries its best, but it is not always correct. Backtrack 5’s Metasploit console has several service scanners that we can use to get exact version levels. We will take a closer look at these in the next tutorial. Then we will dive into exploiting the open services.
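The scan output above is easy to eyeball for one VM, but if you want to keep a record of what the lab box exposes (and of which version guesses nmap is actually confident about, which is the caveat just mentioned), it helps to parse nmap’s XML output instead of the screen text. The following script is an added example, not something from the original post or from Rapid7: it reads the XML that `nmap -oX` produces, lists every open port with the product and version nmap reported, and flags entries where nmap only guessed the service from the port number (`method="table"`) or found no version string at all, so you know which ones to confirm with a dedicated service scanner before trusting them. The embedded XML is a constructed sample with made-up product names, not a capture of a real Metasploitable scan; the `192.168.12.20` address is just the lab IP used in this article.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -v -A -oX - 192.168.12.20` output (abridged).
# Product/version strings here are invented placeholders for illustration.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -v -A -oX - 192.168.12.20">
  <host>
    <address addr="192.168.12.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="ExampleFTPd" version="1.2" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" product="Example telnetd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
      </port>
      <port protocol="tcp" portid="6667">
        <state state="open" reason="syn-ack"/>
        <service name="irc" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per OPEN port: host, port, protocol, service name,
    product/version exactly as nmap reported them, and how nmap decided."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the exposed surface
            svc = port.find("service")
            get = (lambda k, d=None: svc.get(k, d)) if svc is not None else (lambda k, d=None: d)
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "method": get("method"),          # "probed" = banner/probe match, "table" = port-number guess
                "conf": int(get("conf", "0")),    # nmap's 0-10 confidence in the service identification
            })
    return records


def needs_manual_check(rec):
    """True when nmap's version claim should be confirmed with a service scanner:
    the service was guessed from the port table, or no version string was found."""
    return rec["method"] != "probed" or not rec["version"]


def format_inventory(records):
    """Render a one-line-per-port inventory, marking entries to verify."""
    lines = []
    for r in sorted(records, key=lambda r: (r["host"], r["proto"], r["port"])):
        ver = " ".join(p for p in (r["product"], r["version"]) if p) or "(version unknown)"
        flag = "  <- verify" if needs_manual_check(r) else ""
        lines.append(f"{r['host']} {r['port']}/{r['proto']} {(r['service'] or '?'):<8} {ver}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice: nmap -v -A -oX scan.xml 192.168.12.20, then read scan.xml here.
    print(format_inventory(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Against a real scan, run nmap with `-oX scan.xml` in addition to the flags above and feed the file to `parse_nmap_xml`; the `<- verify` marker is what tells you a version is nmap’s best guess rather than something it read off a banner, which is exactly the situation the next tutorial’s Metasploit service scanners are meant to resolve.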