
260 Chapter 17

Now we issue the following to determine the version of Ubuntu running on this system:

msf auxiliary(telnet_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(telnet_version) > run

[*] 172.16.32.162:23 TELNET Ubuntu 8.04\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >

Great! We know that the system is running Ubuntu 8.04 and that two unencrypted protocols (telnet and FTP) are in use that might come into play later.

Now let’s look at SMTP to see what version our target is running. Remember that we are trying to identify the running versions of the services operating on the various remote systems.

msf > use auxiliary/scanner/smtp/smtp_version
msf auxiliary(smtp_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(smtp_version) > run

[*] 172.16.32.162:25 SMTP 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\x0d\x0a
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smtp_version) >

As you can see, the Postfix mail server appears to be running on the Metasploitable server.

This process is continued through all the different ports that have been discovered as listening on our target. The various auxiliary modules are very useful for this work. When you’re finished, you should have a list of the versions of software running on the system, information that you will use when targeting attacks.
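The two modules above, and the port-by-port inventory the last paragraph describes, all boil down to the same mechanic: connect, read whatever greeting the service volunteers, and pull the operating-system and software hints out of it. The Python script below is an added illustration and is not code from the book or from the Metasploit project. It parses the telnet login banner and the SMTP 220 greeting, strips the telnet option-negotiation bytes a real connection would carry, and maps each port to its parser so a whole list of listening ports can be walked the same way. The sample banners are constructed from the module output shown above; the function names (grab_banner, strip_telnet_iac, parse_telnet_banner, parse_smtp_banner, identify) are chosen here.

```python
import re
import socket

# Sample banners, constructed from the telnet_version and smtp_version output
# shown in the text (not captured from a live host).
SAMPLE_TELNET_BANNER = b"Ubuntu 8.04\nmetasploitable login:"
SAMPLE_SMTP_BANNER = b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n"

# RFC 5321 greeting: "220 <domain> [<free text>]". The free text usually
# names the MTA ("ESMTP Postfix") and sometimes the distribution ("(Ubuntu)").
_SMTP_GREETING = re.compile(rb"^220[ -](?P<domain>\S+)(?:\s+(?P<text>.*))?$")
# Ubuntu's telnetd prints /etc/issue.net, then "<hostname> login:".
_LOGIN_PROMPT = re.compile(rb"(?P<host>\S+) login:")


def strip_telnet_iac(data):
    """Remove telnet IAC negotiation sequences (RFC 854) from raw bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != 0xFF:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == 0xFF:            # IAC IAC is an escaped literal 0xFF
            out.append(0xFF)
            i += 2
        elif 0xFB <= cmd <= 0xFE:  # WILL / WONT / DO / DONT carry one option byte
            i += 3
        elif cmd == 0xFA:          # SB ... IAC SE subnegotiation block
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        else:                      # two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def parse_telnet_banner(raw):
    """Return the /etc/issue.net line and the hostname from a telnet greeting."""
    text = raw.replace(b"\r", b"")
    lines = [l.strip() for l in text.split(b"\n") if l.strip()]
    issue = None
    for line in lines:
        if not _LOGIN_PROMPT.search(line):
            issue = line.decode("ascii", "replace")
            break
    m = _LOGIN_PROMPT.search(text)
    host = m.group("host").decode("ascii", "replace") if m else None
    return {"os": issue, "host": host}


def parse_smtp_banner(raw):
    """Return domain, ESMTP flag, software and OS hint from a 220 greeting."""
    first = raw.split(b"\r\n")[0].split(b"\n")[0]
    m = _SMTP_GREETING.match(first)
    if not m:
        return None
    domain = m.group("domain").decode("ascii", "replace")
    text = (m.group("text") or b"").decode("ascii", "replace")
    words = text.split()
    # First word that is neither the ESMTP keyword nor a parenthesised note.
    software = next((w for w in words if w != "ESMTP" and not w.startswith("(")), None)
    os_hint = re.search(r"\(([^)]+)\)", text)
    return {
        "domain": domain,
        "esmtp": "ESMTP" in words,
        "software": software,
        "os": os_hint.group(1) if os_hint else None,
    }


# Port-to-parser table; extend it as more listening ports are discovered.
PARSERS = {23: parse_telnet_banner, 25: parse_smtp_banner}


def identify(port, banner):
    """Apply the parser for this port, or keep the raw banner if none exists."""
    parser = PARSERS.get(port)
    return parser(banner) if parser else {"raw": banner.decode("ascii", "replace")}


def grab_banner(host, port, timeout=5.0, nbytes=1024):
    """Connect and read whatever the service sends first (telnet, SMTP and FTP
    all speak first). Network access is assumed; nothing here is run on import."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while len(data) < nbytes:
                chunk = s.recv(nbytes - len(data))
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return strip_telnet_iac(data)


if __name__ == "__main__":
    # Offline run over the constructed banners; a live inventory would call
    # identify(port, grab_banner(host, port)) for each discovered port.
    for port, banner in ((23, SAMPLE_TELNET_BANNER), (25, SAMPLE_SMTP_BANNER)):
        print(port, identify(port, banner))
```

On the sample banners this yields Ubuntu 8.04 on host metasploitable for port 23 and Postfix (Ubuntu) on metasploitable.localdomain for port 25, the same facts the two modules reported; the same dictionary structure is what you would keep for every other port on the list.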

Attacking Apache Tomcat

Now we enter the attack phase again, where we start to get our hands dirty.

In the course of our research, we noticed a plethora of vulnerabilities on this system, including direct exploits and brute force possibilities. Now, if we were performing an overt penetration test, we could run vulnerability scanners against the system to find most openings for us, but that would take all the fun out of it! Let’s attack Apache instead.

We notice that Apache Tomcat is installed on port 8180, as shown in our earlier port scans. After a bit of Internet research, we learn that Tomcat is vulnerable to a management interface brute force attack. (In most cases, we can use exploit-db or Google to identify potential vulnerabilities in a given