Metasploitable 2 Tutorial Part 1: Checking for open Ports with Nmap

I mentioned a week or two ago that we would take a closer look at Metasploitable 2.0, the purposely vulnerable Linux virtual machine used for learning security tactics and techniques. In this intro we will quickly cover obtaining Metasploitable and scanning it for open ports and services. (No, you do not want Metasploitable exposed on an open or production network; it is vulnerable for Pete’s sake!  🙂  )

For this series of tutorials you will need:

You can set up a test network using VMware or VirtualBox. I will not cover this in the article; there are many tutorials out there for setting this up.

The Rapid7 website references a great Metasploitable setup tutorial on webpwnized’s YouTube Channel. This covers installing Metasploitable 2 on VirtualBox and how to get to Mutillidae, a great learning tool for web app security:

Okay, let’s take a look at Metasploitable from our Backtrack box. Let’s run an nmap scan and see what services are installed.

Open a Terminal window on your Backtrack system and type:

nmap -v -A 192.168.12.20

(replace 192.168.12.20 with your Metasploitable VM’s IP address)

The -A option turns on OS detection, version detection, the default NSE scripts and traceroute (OS detection needs root, which BackTrack logs in as by default), so this will show us the open ports and try to enumerate what services are running on them. Here is a look at the ports:

Holy open ports Batman!

Nmap will churn for a while as it tries to detect the actual services running on these ports. In a few minutes you will see a screen that looks like this:

For each port, we see the port number, service type and even an attempt at the service software version.

From here, we can grab the software version, in this case “Unreal IRC 3.2.8.1”, and search for vulnerabilities in that software release. Just searching “unreal3.2.8.1 exploits” in Google should do the trick. With a little searching, you can find an Unreal exploit usable through Backtrack 5’s Metasploit Framework that will give you a root shell. See if you can find it and give it a shot. If you strike out, no worries, we will take a closer look at this in a later tutorial.

If nothing comes up, you may not have the exact software version. Nmap tries its best, but it is not always correct. Backtrack 5’s Metasploit console has several auxiliary service scanners that we can use to pin down exact version levels. We will take a closer look at these in the next tutorial. Then we will dive into exploiting the open services.
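Reading the version column off the screen works for one host, but it is worth scripting. The script below is an added example for this tutorial, not code from the original post: run the same scan with -oX (nmap -v -A -oX scan.xml 192.168.12.20), feed scan.xml to it, and it lists the open ports with the product and version strings nmap’s version detection produced, builds the search terms for the next step, and separates ports where nmap only guessed the service from its port table (method="table") from ones it actually probed, which is exactly the case where the version may be missing or wrong. The XML embedded in it is a constructed, trimmed sample in nmap’s real schema; the ports, products and versions in it are assumed for illustration, not captured from a scan.

```python
"""Pull open ports and version strings out of nmap's -oX XML output.

Added example for this tutorial, not code from the original post. Run the
scan with `nmap -v -A -oX scan.xml <target>` and pass scan.xml on the command
line; with no argument the constructed sample below is used, so the script
runs without a scan. Ports, products and versions in the sample are assumed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -v -A -oX` output, trimmed to the parts used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -A -oX scan.xml 192.168.12.20">
  <host>
    <address addr="192.168.12.20" addrtype="ipv4"/>
    <address addr="08-00-27-AB-CD-EF" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="6667">
        <state state="open" reason="syn-ack"/>
        <service name="irc" product="UnrealIRCd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8009">
        <state state="open" reason="syn-ack"/>
        <service name="ajp13" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="9999">
        <state state="closed" reason="reset"/>
        <service name="abyss" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version, probed."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        ipv4 = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        addr = ipv4[0] if ipv4 else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to go after
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", "unknown"),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                # method="probed": nmap matched a real banner or response.
                # method="table": only the default port-number guess, no evidence.
                "probed": attrs.get("method") == "probed",
            })
    return found


def search_terms(services):
    """Split results into (port, search string) pairs and ports that need follow-up."""
    terms, follow_up = [], []
    for s in services:
        if s["probed"] and s["product"]:
            terms.append((s["port"], f'{s["product"]} {s["version"]}'.strip() + " exploit"))
        else:
            follow_up.append(s["port"])  # no usable version: scan it with Metasploit first
    return terms, follow_up


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    services = parse_open_services(xml_text)
    terms, follow_up = search_terms(services)
    for s in services:
        print(f'{s["port"]:>5}/{s["proto"]}  {s["service"]:<10} {s["product"]} {s["version"]}')
    print("\nSearch for:", *[t for _, t in terms], sep="\n  ")
    print("\nNeed a Metasploit service scanner first:", follow_up)
```

The probed/table split is the check that matters: a "table" entry just means nmap saw an open port whose number is usually that service, so searching for exploits against it is a guess until a version scanner confirms what is really listening.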

zAnti – Fast & Simple Android Based Security Testing Platform

zImperium’s zAnti is a quick and simple Android-based app that you can use to test your network’s security. Want network scanning, Man-in-the-Middle (MITM) attacks, exploit capability and reporting features, all from your Droid tablet or phone? Then look no further.

If you liked the previous version (called Anti) then you will love this update. zAnti seems smoother and easier to use than its predecessor. zAnti still comes with a token-style credit system that unlocks the more advanced features, but as with the first one, you can still see the power of zAnti with the free version.

So how does it work?

Once you start the app, you will be asked to log in. Then zAnti does a quick scan of available Wi-Fi networks and asks which one you want to test. Just select the network and zAnti does a quick scan and shows all the available hosts on the network.

Found a target that looks interesting? Just select it, and with a quick swipe of the finger you reach the Action menu. From here you can perform several different attacks, including sniffing and exploit attempts. Swipe again and you come to the Nmap menu, where you have the option to run several levels of nmap-based scanning to attempt OS and service version detection. Swipe once more and you come to a comment page where you can write notes about the target.

In a test, I ran zAnti on my 7″ Polaroid Android tablet. Within a few seconds I had a complete list of all the machines on my network. Selecting one of my Windows 7 systems from the menu, I performed a deeper nmap scan. The scan found no open ports, and it could not provide much information about the client. But by switching to the Action menu I chose the sniffer option:

Within seconds I was viewing a list of all the webpages that my Windows 7 wired client was visiting, remotely on my droid tablet! Obviously some type of ARP (Address Resolution Protocol) cache poisoning was going on here.

A quick look at the Windows 7 client’s ARP table showed that zAnti had successfully performed a man-in-the-middle attack on the client. And sure enough, it had substituted its own MAC address for the client’s gateway. This effectively put the wireless Droid in between my router and the wired Windows 7 client so it could sniff all the network traffic!

Even though you need to buy credits for the more advanced attacks and pentest reporting features, the free zAnti is a fun, sleek, uber-cool tool to add to the security toolbox. And if you need the advanced features, the support will help the company create even more feature-rich programs in the future (zImperium is also working on some interesting-looking mobile defense projects).

Did I mention they have a beta program for an iOS-based version?  🙂

Check it out!

Anti – Android Network Toolkit and 7″ Tablet make a $99 Pentesting Platform

Every once in a while you run into a product that just makes you sit back and say – “Wow!”

I just picked up a 7″ Polaroid tablet for $99 and was stunned at how well it works: the screen quality, how smoothly it ran and how responsive it was. In some functions it works better than my trusty iPad, which cost a whole lot more.

Well, I wanted to see how well the Android Tablet could work as a pentesting platform and found “Anti” the Android Network Toolkit by zImperium. I was stunned.

I just used the “Free” version, and within seconds I was looking at a network map of all the machines on my network. Anti runs nmap scans, including an intrusive scan to detect device operating systems and vulnerabilities. Once the scan is done (it can take a while), you can click on individual systems and are presented with a tool option menu. These options include:

Attack, DoS, Cracker, Replace Image, Spy, Man in the Middle

Some of the more advanced tools require you to purchase “Anti credits” to run them. But with the free version, you can view available networks, and run scans against them.

I ran it on my wireless network and was able to view a wired system. For a short period of time, I could see a text list of what websites the computer was visiting, and even images from the visited websites. The options even included “View Passwords”, but this did not seem to be enabled in the free version. Obviously it was working in some sort of Man-in-the-Middle mode to be able to grab the information off of a wired LAN system connected to a switch. Very interesting.

And this was just the free version; the paid versions reportedly include remote exploit capability.

Anti also includes a reporting feature so you can keep track of vulnerable systems found during your pentest. Using Anti on a cheap $99 Android tablet really opens up a lot of possibilities for pentesters.
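Both of these reviews end up at the same observation: the tablet got between a wired client and the router, and the evidence was the client’s ARP table, where the gateway’s IP suddenly resolved to the tablet’s MAC. That check can be scripted. The Python below is an added example, not zImperium’s code or anything from the original posts: it parses the text of Windows arp -a (Linux arp -n lines parse as well, since it only looks for an IP and a MAC on each line), compares the gateway’s entry against a MAC recorded while the network was known to be clean, and as a second heuristic flags any one MAC that is answering for several IPs. The two ARP tables in it are constructed samples with made-up addresses; the IPs and MACs are assumptions.

```python
"""Spot the gateway-MAC swap that an ARP-poisoning MITM leaves in a client's ARP table.

Added example, not code from zImperium or the original reviews. Paste the
output of `arp -a` (Windows) or `arp -n` (Linux) into parse_arp_table() and
run check_arp_spoof() against the gateway MAC you recorded on a clean network.
The two tables below are constructed samples; every address in them is made up.
"""
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.I)

# Constructed `arp -a` output from a Windows 7 client before any attack.
CLEAN_ARP = """\
Interface: 192.168.1.15 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.42          7c-dd-90-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Same client after a tablet at 192.168.1.42 poisons its cache: the gateway's
# IP now maps to the tablet's MAC, so the tablet sits between client and router.
POISONED_ARP = CLEAN_ARP.replace(
    "192.168.1.1           00-11-22-33-44-55",
    "192.168.1.1           7c-dd-90-aa-bb-cc")


def normalize_mac(mac):
    """Lower-case and use dashes so Windows and Linux formats compare equal."""
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Map IP -> normalized MAC for every line that carries both."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = normalize_mac(mac.group(1))
    return table


def check_arp_spoof(table, gateway_ip, trusted_gateway_mac):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    trusted = normalize_mac(trusted_gateway_mac)
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    elif seen != trusted:
        findings.append(f"gateway {gateway_ip} MAC changed: expected {trusted}, table has {seen}")
    # Second heuristic: one MAC answering for several IPs. Broadcast and IPv4
    # multicast entries legitimately do this, so they are skipped.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-"):
            continue
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_ARP), ("poisoned", POISONED_ARP)):
        result = check_arp_spoof(parse_arp_table(text), "192.168.1.1", "00:11:22:33:44:55")
        print(label, result or ["ok"])
```

The first check is the reliable one, but it needs a reference MAC taken from the router’s label or from the table on a day the network was known to be clean. The duplicate-MAC check is only a hint: it fires here because the attacking tablet had already talked to the client (it scanned it), so the tablet’s real IP was in the table alongside the poisoned gateway entry; an attacker the client has never exchanged packets with will not show up that way.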

Social-Engineer Toolkit v3.0 Codename “#WeThrowBaseballs” Released

The mad hugger, Dave Kennedy (ReL1K), has been at it again. As if the Social Engineering Toolkit was not already one of the top security tools, Dave has been hard at work making it even better, adding a slew of new features and updates.

Here is a list of the top new features:

1. Support for Windows – Tested on XP, Windows 7, and Windows Vista. Note that the Metasploit-based payloads do not work yet – when SET detects Windows they will not be shown, only RATTE and SET Shell

2. New attack vector added – QRCode Attack – Generates QRCodes that you can direct to SET and perform attacks like the credential harvester and Java Applet attacks

3. Improved A/V avoidance on the SETShell and better performance. I’ve also fixed the non-encrypted communications when AES was not installed

4. Added a number of improvements and enhancements to all aspects of SET including major rehauls of the coding population and moved from things like subprocess.Popen(“mv etc.”) to shutil.copyfile(“etc”)

5. Rehauled SET Interactive Shell and RATTE to support Windows

6. New Metasploit exploits added to SET

Hey, does that say it runs on Windows??  🙂

As always, nice job Dave.

Why not head on over to http://sectools.org/tool/socialengineeringtoolkit/ and vote for the Social Engineering Toolkit?