Simulated Penetration Test
259
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_html-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 00:0C:29:39:12:B2 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Name: WORKGROUP\Unknown
|_ System time: 2010-05-21 22:28:01 UTC-4
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.19 seconds
Here we see a series of open ports. Based on nmap's OS detection we see that the scanned system is a UNIX/Linux variant of some sort. Some of these ports should jump out at you, such as FTP, Telnet, HTTP, SSH, Samba, MySQL, PostgreSQL, and Apache.
Identifying Vulnerable Services
Because a few ports look interesting, we’ll start banner-grabbing each one to
try to find a way into the system.
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(ftp_version) > run
[*] 172.16.32.162:21 FTP Banner: '220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.16.32.162]\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >
Exiting the system, we now know that ProFTPD 1.3.1 is running on port 21.
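The version modules above do little more than read a service's greeting and pull the product and version out of it. The following is an added example (not code from the book or from the Metasploit project) that does the same parsing offline on constructed FTP and SSH-2.0 greeting strings modelled on the output above, then flags anything older than a baseline you define; the names, the SAMPLE_BANNERS and the BASELINE numbers are assumptions, not statements about any real release.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample banners modelled on the ftp_version and ssh output shown
# on this page (embedded strings for offline use, not live captures).
SAMPLE_BANNERS = {
    21: "220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.16.32.162]\r\n",
    22: "SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1\r\n",
}

# Greeting formats: an FTP reply starts with a three-digit code (RFC 959);
# an SSH peer sends "SSH-<proto>-<software> [comment]" (RFC 4253).
FTP_RE = re.compile(r"^220[ -](?P<product>\S+)\s+(?P<version>\d[\w.]*)")
SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[^_\s]+)_(?P<version>\S+)")

@dataclass(frozen=True)
class ServiceBanner:
    port: int
    product: Optional[str]
    version: Optional[str]
    raw: str

def parse_banner(port: int, raw: str) -> ServiceBanner:
    """Pull product and version out of the first line of a greeting banner."""
    first = raw.strip().splitlines()[0] if raw.strip() else ""
    m = SSH_RE.match(first) or FTP_RE.match(first)
    if not m:
        return ServiceBanner(port, None, None, first)
    return ServiceBanner(port, m.group("product").strip("()"), m.group("version"), first)

def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.3.1' -> (1, 3, 1); '5.1p1' -> (5, 1): only the dotted numeric prefix counts."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()

# Constructed baseline: the oldest release per product that your own patch
# policy accepts. Placeholder numbers, not a claim about any real release.
BASELINE = {"ProFTPD": (1, 3, 3), "OpenSSH": (5, 9)}

def below_baseline(banner: ServiceBanner, baseline=BASELINE) -> bool:
    """True when the banner names a tracked product and its version is older."""
    if banner.product not in baseline or banner.version is None:
        return False
    return version_tuple(banner.version) < baseline[banner.product]

def inventory(banners=SAMPLE_BANNERS):
    """Parse every captured banner into a per-port ServiceBanner record."""
    return {port: parse_banner(port, raw) for port, raw in banners.items()}
```

A greeting that matches neither pattern is kept verbatim with product and version set to None, so unknown services are never silently flagged or dropped.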
Next we use SSH to learn more about the target. (The addition of the -v flag gives us verbose output.) The next listing tells us that our target is running an older version of OpenSSH, specifically written for Ubuntu:
msf > ssh 172.16.32.162 -v
[*] exec: ssh 172.16.32.162 -v
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007