260
Chapter 17
Now we issue the following to determine the version of Ubuntu running
on this system:

msf auxiliary(telnet_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(telnet_version) > run
[*] 172.16.32.162:23 TELNET Ubuntu 8.04\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >
Great! We know that the system is running Ubuntu 8.04 and that two
unencrypted protocols (telnet and FTP) are in use that might come into play
later.
Now let's look at SMTP to see what version our target is running. Remember
that we are trying to identify the running versions of the services operating
on the various remote systems.
msf > use auxiliary/scanner/smtp/smtp_version
msf auxiliary(smtp_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(smtp_version) > run
[*] 172.16.32.162:25 SMTP 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\x0d\x0a
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smtp_version) >
As you can see, the Postfix mail server appears to be running on the
Metasploitable server.
This process is continued through all the different ports that have been
discovered as listening on our target. The various auxiliary modules are very
useful for this work. When you're finished, you should have a list of the
versions of software running on the system, information that you will use when
targeting attacks.
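The two scanners above do the same thing in different dialects: connect, read whatever the service volunteers, and pull a version string out of it. The following is an added example written for this page; it is not code from the book or from Metasploit's telnet_version and smtp_version modules. It does the same banner grab in plain Python so you can see (and test offline) exactly what the modules are extracting. The two sample banners are constructed from the module output shown on the page; the telnet option-negotiation bytes placed in front of the login banner are an assumption about what a Linux telnetd sends before its prompt, and the host 172.16.32.162 is the chapter's target.

```python
"""Banner grabbing and version parsing for telnet (23) and SMTP (25).

Added example, not the book's or Metasploit's code.  Sample banners are
constructed from the page's module output; the IAC bytes are an assumption.
"""
import re
import socket

# Telnet protocol bytes (RFC 854): IAC introduces a command; DO/DONT/WILL/WONT
# are followed by exactly one option byte.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251

# Constructed samples modelled on the page's telnet_version/smtp_version output.
TELNET_SAMPLE = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"  # IAC DO x4 (assumed)
                 b"\nUbuntu 8.04\nmetasploitable login:")
SMTP_SAMPLE = b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n"


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC option-negotiation sequences so only the banner text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            out.append(data[i])
            i += 1
        elif data[i + 1] == IAC:        # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                       # IAC <cmd> <option>
        else:
            i += 2                       # two-byte IAC command (NOP, GA, ...)
    return bytes(out)


def parse_telnet_banner(raw: bytes) -> dict:
    """Pull an OS/version string out of a telnet greeting, as telnet_version does."""
    text = strip_telnet_negotiation(raw).decode("latin-1")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"service": "telnet", "banner": " ".join(lines)}
    m = re.search(r"\b(Ubuntu|Debian|CentOS|Fedora|FreeBSD|OpenBSD)\s+(\d+(?:\.\d+)*)", text)
    if m:
        info["os"] = f"{m.group(1)} {m.group(2)}"
    return info


def parse_smtp_banner(raw: bytes) -> dict:
    """Split a '220 <host> <software ...>' greeting into its parts."""
    text = raw.decode("latin-1")
    info = {"service": "smtp", "banner": text.strip()}
    # Multi-line greetings use '220-' on all but the last line; parse the final '220 ' line.
    final = [ln for ln in text.splitlines() if ln.startswith("220 ")]
    if not final:
        return info
    m = re.match(r"220 (\S+)\s*(.*)", final[-1])
    if not m:
        return info
    info["hostname"], rest = m.group(1), m.group(2)
    sw = re.search(r"\b(Postfix|Exim|Sendmail|qmail|Microsoft ESMTP MAIL Service)\b", rest)
    if sw:
        info["software"] = sw.group(1)
    return info


PARSERS = {23: parse_telnet_banner, 25: parse_smtp_banner}


def grab_banner(host: str, port: int, timeout: float = 5.0, max_bytes: int = 1024) -> bytes:
    """Connect and read whatever the server volunteers before we send anything."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while total < max_bytes:
                chunk = s.recv(512)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
        except OSError:          # socket.timeout: the server has stopped talking
            pass
    return b"".join(chunks)


def fingerprint(host: str, ports=(23, 25)) -> list:
    """Run the matching parser for every listening port we know how to parse."""
    results = []
    for port in ports:
        parser = PARSERS.get(port)
        if parser is None:
            continue
        try:
            results.append({"port": port, **parser(grab_banner(host, port))})
        except OSError as exc:   # closed or filtered port, name-resolution failure
            results.append({"port": port, "error": str(exc)})
    return results


if __name__ == "__main__":
    print(parse_telnet_banner(TELNET_SAMPLE))   # offline check on the constructed sample
    print(parse_smtp_banner(SMTP_SAMPLE))
    for r in fingerprint("172.16.32.162"):      # the chapter's target, if reachable
        print(r)
```

One caveat when pointing this at a real host: some telnetd builds hold back the login banner until the client has answered their DO/WILL requests. Metasploit's telnet_version module performs that negotiation; this grabber only reads what the server sends unprompted, so on such a host you will see the IAC bytes but no OS line and should fall back to the Metasploit module.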
Attacking Apache Tomcat
Now we enter the attack phase again, where we start to get our hands dirty.
In the course of our research, we noticed a plethora of vulnerabilities on
this system, including direct exploits and brute force possibilities. Now, if we
were performing an overt penetration test, we could run vulnerability scanners
against the system to find most openings for us, but that would take all the
fun out of it! Let's attack Apache Tomcat instead.
We notice that Apache Tomcat is installed on port 8180, as shown in our
earlier port scans. After a bit of Internet research, we learn that Tomcat is
vulnerable to a management interface brute force attack. (In most cases, we
can use exploit-db or Google to identify potential vulnerabilities in a given