Simulated Penetration Test

8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_html-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 00:0C:29:39:12:B2 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Name: WORKGROUP\Unknown
|_  System time: 2010-05-21 22:28:01 UTC-4

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.19 seconds

Here we see a series of open ports. Based on nmap’s OS detection we 
see that the scanned system is a UNIX/Linux variant of some sort. Some of 
these ports should jump out at you, such as FTP, Telnet, HTTP, SSH, Samba, 
MySQL, PostgreSQL, and Apache.

Identifying Vulnerable Services

Because a few ports look interesting, we’ll start banner-grabbing each one to 
try to find a way into the system.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(ftp_version) > run

[*] 172.16.32.162:21 FTP Banner: '220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.16.32.162]\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >
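
An added example, not from the book: an offline parser that reports which product, version and OS details a banner such as the ProFTPD greeting above gives away, useful for checking what your own services disclose. The SSH identification string and the generic FTP greeting are constructed samples, and all function names are assumptions made for the example.

```python
import re

# Constructed samples: port 21 is the ProFTPD greeting from the listing
# above; the SSH identification string and the generic FTP greeting are
# made up for contrast.
SAMPLES = {
    21: b"220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.16.32.162]\r\n",
    22: b"SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1\r\n",
    2121: b"220 FTP server ready\r\n",
}

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
SSH_ID = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# An FTP 220 greeting is free text, so search it for "<name> <dotted version>"
FTP_GREETING = re.compile(r"^220[ -](?P<text>.*)$")
PRODUCT_VERSION = re.compile(r"(?P<product>[A-Za-z][\w-]*)[ _/](?P<version>\d+(?:\.\d+)+\w*)")
OS_HINT = re.compile(r"debian|ubuntu|centos|red hat|freebsd|windows", re.I)


def parse_banner(raw: bytes) -> dict:
    """Return the product, version and OS hints a service banner discloses."""
    stripped = raw.decode("ascii", errors="replace").strip()
    line = stripped.splitlines()[0] if stripped else ""
    info = {"protocol": "unknown", "product": None, "version": None, "os_hints": []}
    ssh, ftp = SSH_ID.match(line), FTP_GREETING.match(line)
    if ssh:
        info["protocol"] = "ssh"
        body = f"{ssh.group('software')} {ssh.group('comment') or ''}"
    elif ftp:
        info["protocol"] = "ftp"
        body = ftp.group("text")
    else:
        body = line
    found = PRODUCT_VERSION.search(body)
    if found:
        info["product"], info["version"] = found.group("product"), found.group("version")
    info["os_hints"] = [hint.lower() for hint in OS_HINT.findall(body)]
    return info


def leaking_ports(banners: dict) -> list:
    """Ports whose banner exposes a version string, sorted ascending."""
    return sorted(p for p, raw in banners.items() if parse_banner(raw)["version"])


if __name__ == "__main__":
    for port, raw in sorted(SAMPLES.items()):
        print(port, parse_banner(raw))
    print("version disclosed on ports:", leaking_ports(SAMPLES))
```
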

Exiting the system, we know now that ProFTPD 1.3.1 is running on port 21. 
Next we use SSH to learn more about the target. (The addition of the -v flag 
gives us verbose output.) The next listing tells us that our target is running 
an older version of OpenSSH, specifically written for Ubuntu:

msf > ssh 172.16.32.162 -v
[*] exec: ssh 172.16.32.162 -v

OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007