
Simulated Penetration Test


8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_html-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 00:0C:29:39:12:B2 (VMware)
No exact OS matches for host (If you know what OS is running on it, see ).
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Name: WORKGROUP\Unknown
|_  System time: 2010-05-21 22:28:01 UTC-4

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 60.19 seconds

Here we see a series of open ports. Based on Nmap’s OS detection we see 
that the scanned system is a UNIX/Linux variant of some sort. Some of 
these ports should jump out at you, such as FTP, Telnet, HTTP, SSH, Samba, 
MySQL, PostgreSQL, and Apache.

Identifying Vulnerable Services

Because a few ports look interesting, we’ll start banner-grabbing each one to 
try to find a way into the system.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > 
msf auxiliary(ftp_version) > 
[*] FTP Banner: '220 ProFTPD 1.3.1 Server (Debian) [::ffff:]\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >

Exiting the system, we now know that ProFTPD 1.3.1 is running on port 21. 
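As an added example (not from the original text), the Python sketch below parses greeting banners like the ProFTPD one above and lists which details each hands to an unauthenticated client. It goes beyond the FTP case to cover SSH identification strings; the SSH and hardened-FTP samples are constructed, and all function and constant names are hypothetical.

```python
import re

# An FTP 220 greeting and an SSH identification string
# (RFC 4253: "SSH-protoversion-softwareversion comments").
FTP_RE = re.compile(r"^220[ -](?P<text>.*)$")
SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
PRODUCT_VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][\w-]*?)[ _/](?P<version>\d+(?:\.\d+)+\w*)")
OS_HINT_RE = re.compile(r"\b(Debian|Ubuntu|CentOS|Red Hat|FreeBSD)\b", re.I)

# First sample is the banner shown on the page; the other two are constructed.
PAGE_FTP_BANNER = r"220 ProFTPD 1.3.1 Server (Debian) [::ffff:]\x0d\x0a"
CONSTRUCTED_SSH_IDENT = "SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1"
CONSTRUCTED_HARDENED_FTP = "220 FTP server ready"  # e.g. a custom ProFTPD ServerIdent


def unescape(raw):
    """Turn the scanner's printable \\xNN escapes into characters, trim CRLF."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return text.strip("\r\n")


def parse_banner(raw):
    """Return what one greeting line discloses before any authentication."""
    line = unescape(raw)
    info = {"service": "unknown", "product": None, "version": None, "os_hint": None}
    ftp, ssh = FTP_RE.match(line), SSH_RE.match(line)
    if ssh:
        info["service"] = "ssh"
        body = ssh.group("software") + " " + (ssh.group("comment") or "")
    elif ftp:
        info["service"] = "ftp"
        body = ftp.group("text")
    else:
        body = line
    pv = PRODUCT_VERSION_RE.search(body)
    if pv:
        info["product"], info["version"] = pv.group("product"), pv.group("version")
    hint = OS_HINT_RE.search(body)
    if hint:
        info["os_hint"] = hint.group(1)
    return info


def disclosures(info):
    """Names of the fields a hardened banner would leave empty."""
    return [k for k in ("product", "version", "os_hint") if info[k]]
```

An empty list from `disclosures` means the greeting no longer identifies the software, which is the result to aim for when tightening a service's banner configuration.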

Next we use SSH to learn more about the target. (The addition of the -v 
option gives us verbose output.) The next listing tells us that our target 
is running an older version of OpenSSH, specifically written for Ubuntu:

msf > ssh -v
[*] exec: ssh -v

OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007