Sergeant's Website

HW05: Enumeration in Metasploit due Mon 02 Oct 23:59

$\begin{purpose} In this assignment you will use Metasploit to enumerate some ser... ...s in the hopes of gaining additional information about open ports. \end{purpose}$

Overview

In the first few weeks we installed and worked with several VM's, two of which are a Linux version of Metasploitable 3 and a Windows version of Metasploitable 3. These are machines are intentionally configured to contain some vulnerabilities for the purpose of practing penetration testing.

This week we are going to install another vulnerable machine called “Metasploitable 2” that serves much the same purpose.

As with previous assignments you should create a text file that you will use to document your work. You will be submitting this file to Canvas when the assignment is complete.

Update Kali

As usual we will keep Kali up-to-date by checking for updates and installing them. Open a terminal window and issue these commands:

sudo apt update
sudo apt upgrade

Install Metasploitable 2 (MS2)

To install Metasploitable 2, begin by visiting https://sourceforge.net/projects/metasploitable/ and downloading the ZIP file. Once you've extracted the files, choose “New” from the VirtualBox screen. Specify the OS type as Linux and the Version as “Other Linux (64-bit)”. Also, be sure you have modify the settings for Metasploitable 2 so that it is attached to NatNetwork like the other machines.

Once it has been configured properly you should start it up and verify you can log in using the default credentials. While there you should issue a command to reveal its IP number. In your text file record this number (along with a description of what machine it maps to). (2 pts)

Find Open Ports on MS2

In msfconsole, perform the following steps:

Establish a new workspace called ms2
Use db_nmap to find all open ports, get version information for them, and save the results. (Paste the command you used into your text document).
Use the services command to list open ports.
How many open ports were discovered? (2 pts)

Enumerating SMB

(1 pts) What is the purpose of the Server Message Block (SMB) service?
(1 pts) Which TCP ports are typically used by the SMB service?
(1 pts) Issue a command that will list only the services/ports from your previous answer. Paste the command and the resulting output.
Let's try to get detailed version data for the SMB service running on MS2. Type: use auxiliary/scanner/smb/smb_version and then type: options to see what variables must be set.
(1 pts) It appears that we have to name the remote host(s). Type: set RHOSTS ms2ip (here and throughout these instructions ms2ip refers to the IP number of your Metasploitable2 box). Then type run to run this scanner. Paste in the results of the scan.
(1 pts) Let's use tab-completion to see what other scanning options are available with SMB. Type (but do not press ENTER): use auxiliary/scanner/smb/ and the press the TAB key a couple of times. This will list the available tools Metasploit offers. Paste the list into your text document.
(1 pts) From the list above the tool called smb_ms17_010 looks like a code for a known possible issue. Do an internet search for ms17_010 and look at Microsoft's report on this issue. According to that report what can happen if this issue is left unpatched?
(1 pts) Go ahead and use the smb_ms17_010 tool and run it. According to Metasploit is Metasploitable2 vulnerable to this attack?

Enumerating MySQL

(1 pts) What is the purpose of the MySQL service?
(1 pts) Which TCP port is typically used by the MySQL service?
(1 pts) Using the above instructions as a guideline use the auxiliary/scanner/mysql/mysql_version tool to determine the precise version information running on MS2. Paste in the results of this.
(1 pts) Let's try to login to the MySQL database management system. To do so we need a password list. Visit this website: https://github.com/danielmiessler/SecLists/ which is an enormous git repository and a variety of tools for PenTesting. We won't clone the entire repository because of its size. Instead click on the Passwords folder and then on the Default-Credentials folder. Then download manually (you can copy/paste if you want) the contents of: mysql-betterdefaultpasslist.txt. You can put this downloaded file in your Documents folder in Kali. Paste in this list of default passwords associated with MySQL.
(2 pts) Use the auxiliary/scanner/mysql/mysql_login tool. Inspect the options for its usage. Then enter the following values:
```
	set RHOSTS ms2ip
	set BLANK_PASSWORDS true
	set USERPASS_FILE Documents/mysql-betterdefaultpasslist.txt
```
NOTE: If you have read the description of the USERPASS_FILE variable you'll see that it want users and passwords separated by a space. So, you'll need to edit the password list according (because it is separated by colons).
Now run the tool. According to the results did any of the attempted username/password combinations succeed? If so which ones?

Enumerating HTTP

(1 pts) What is the purpose of the HTTP service?
(1 pts) Which TCP port is typically used by the HTTP service?
(2 pts) We'll attempt to use the auxiliary/scanner/http/crawler tool to get a list of URLs that are being served at the site. NOTE: When I use this tool it works for a bit and then crashes.
Go ahead and use the tool and copy/paste the output (prior to the error messages) into your text file.
(2 pts) You should see that there are a couple of URLs that were found that appear to be promising: test, twiki, and phpMyAdmin.
In a browser visit the Twiki home page on the MS2 webserver you just enumerated. Click the “get started” link and the paste the description given for Twiki into your homework text document.
(2 pts) Poke around briefly with this application. Is there anything that seems surprisingly insecure?

Pick One!

(4 pts) Choose one of these services: SSH, SNMP. Use the techniques described above to attempt some enumeration tasks on the service. Document your steps and any findings of interest.

Upon completion of this assignment, upload your text document into Canvas.