Project 5: Enumerating Metasploitable 2 (15 points)

What You Need

  1. A Kali Linux machine, real or virtual
  2. The "Metasploitable 2" vulnerable Linux Server you prepared in a previous project

Setup

Start your Kali VM and log in as root with the password toor

Start your Metasploitable 2 VM and log in as msfadmin with the password msfadmin

Execute the ifconfig command on both machines and ping from one to the other. Make sure you get replies, as shown below.


Task 1: Finding Hosts & Open Ports

In Kali, execute this command to locate all hosts on your network.

Replace the subnet address below with the correct subnet for your machine. Usually all you need is the first three octets of the IP address, as highlighted in the image above.

netdiscover -r 172.16.1.0/24
As shown below, the scanner finds all the machines on your network. One of them should be your Metasploitable 2 machine.

Press Ctrl+C to exit netdiscover.

Execute this command to scan all 65,536 TCP ports on the target, replacing the IP address with the IP address of your Metasploitable 2 VM.

nmap -sS -p- 172.16.1.190
This scan quickly finds all open ports, as shown below, but it doesn't find versions of the services.

Execute this command to scan 1000 common ports on the target, with version detection and OS detection. Replace the IP address with the IP address of your Metasploitable 2 VM.

nmap -sS -sV -O 172.16.1.190
This scan finds many version numbers, as shown below.

Capturing a Screen Image

Make sure the "vsftpd 2.3.4" message is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 5a".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Replace all the IP addresses in commands below with the IP address of your Metasploitable 2 target machine.

Execute this command to scan UDP ports on the target.

nmap -sU 172.16.1.190
This scan will take about 15 minutes to run, so leave it going and open a new Terminal window to continue with the rest of the project while it runs.

When it finishes, it finds several UDP-based services, as shown below.
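To turn the scans above into a service inventory (the same information the screenshots show, in a form you can diff between scans), here is an added Python example; it is not part of the original project. It parses the XML that nmap writes when you add -oX to the commands above. The embedded XML is a constructed sample in nmap's format, not real Metasploitable 2 output; only the vsftpd 2.3.4 entry mirrors what the project tells you to look for.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX (not real scan output);
# only the vsftpd 2.3.4 entry mirrors what the project tells you to look for.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 172.16.1.190">
<host><status state="up"/><address addr="172.16.1.190" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
<port protocol="udp" portid="137"><state state="open|filtered"/><service name="netbios-ns"/></port>
</ports></host></nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: host, proto, port, state, service, product, version."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")  # absent when nmap could not name the service
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            records.append({"host": ip, "proto": port.get("protocol"),
                            "port": int(port.get("portid")),
                            "state": port.find("state").get("state"),
                            "service": get("name"), "product": get("product"),
                            "version": get("version")})
    return records


def open_services(records):
    """Open ports only. A UDP 'open|filtered' state means the port never answered,
    so it is kept but marked unconfirmed rather than treated as a live service."""
    out = []
    for r in records:
        if r["state"] == "open":
            out.append(dict(r, confirmed=True))
        elif r["state"] == "open|filtered":
            out.append(dict(r, confirmed=False))
    return out


def unversioned(records):
    """Open services that -sV could not fingerprint; these need a manual banner check."""
    return [r for r in open_services(records) if not r["version"]]


if __name__ == "__main__":
    # Give the path of a real -oX file as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for r in open_services(parse_nmap_xml(text)):
        flag = "" if r["confirmed"] else "  (unconfirmed: no UDP reply)"
        print(f'{r["host"]} {r["port"]}/{r["proto"]} {r["service"]} '
              f'{r["product"]} {r["version"]}'.rstrip() + flag)
```

Save each scan with -oX and keep the files; re-running the parser on a later scan shows which services appeared, disappeared, or changed version.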


Task 2: Enumerating Users

Enumerating with Nmap

Execute this command to run the Nmap script "smb-enum-users" on the target. It pulls a list of user accounts from the SMB service, which runs when a host shares files with Windows systems.

nmap --script smb-enum-users.nse -p 445 172.16.1.190
This produces a long list of user accounts, as shown below.

Enumerating with rpcclient

You can also enumerate users over a null session (an SMB login with an empty username and password) with the "rpcclient" command. Execute this command:

rpcclient -U "" 172.16.1.190
When it asks for a password, press Enter.

This displays an "rpcclient $>" prompt. Execute this command:

querydominfo
This shows that there are 35 users on the system, as shown below.

Execute this command to list all 35 user accounts.

enumdomusers
This lists all the user accounts with their relative ID (RID) numbers, as shown below.

Execute this command to get more information about the "msfadmin" account.

queryuser msfadmin
This shows that user's profile path, and other information, as shown below.

Execute the exit command to leave "rpcclient".

Enumerating with enum4linux

enum4linux is a Perl script that uses smbclient, rpcclient, net, and nmblookup to automatically enumerate a target.

Execute this command to see the options for the enum4linux command.

enum4linux --help
Running it with no options runs all of them. Execute this command to enumerate the target:

enum4linux 172.16.1.190
A lot of output scrolls by. First there are a couple of lists of all the usernames, as we found previously with other tools.

Then a "Share Enumeration" appears, showing that the /tmp folder is shared, as shown below. This has a note of "oh noes!" because /tmp is world-writable. This means we can probably upload scripts into that folder and execute them :).

Capturing a Screen Image

Make sure the "oh noes!" message is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 5b".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning in Your Project

Email the images to cnit.124@gmail.com with a subject line of "Proj 5 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Credits

I followed this guide:
Metasploitable 2 enumeration

Last Modified: 8-17-17 1:19 pm