Metasploitable3 Vulnerability Scan

Target: Metasploitable 3 Linux

Tools: Metasploit and Nmap

Scan for existing vulnerabilities

Nmap scan

Full TCP port range (`-p-`) with version detection at maximum intensity (`-sV --version-all`), no host discovery and no DNS (`-Pn -n`), only open ports reported (`--open`), and all three output formats written with basename 10.0.2.28 (`-oA`) so the results can be parsed or imported into Metasploit later. Nmap is run as an unprivileged user here, which is why it falls back to a TCP connect scan and takes over six minutes for 65535 ports.

┌─[parrot@parrot][~]
└──╼ $nmap -oA 10.0.2.28 -sV -p- -Pn -n --version-all --open 10.0.2.28
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-06 13:31 GMT
Stats: 0:03:24 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 43.68% done; ETC: 13:39 (0:04:23 remaining)
Nmap scan report for 10.0.2.28
Host is up (0.0038s latency).
Not shown: 65524 filtered tcp ports (no-response), 3 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
631/tcp  open  ipp         CUPS 1.7
3306/tcp open  mysql       MySQL (unauthorized)
6697/tcp open  irc         UnrealIRCd
8080/tcp open  http        Jetty 8.1.7.v20120910
Service Info: Hosts: 127.0.2.1, METASPLOITABLE3-UB1404, irc.TestIRC.net; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 384.36 seconds

Metasploit

Load WMAP

[msf](Jobs:0 Agents:0) >> load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
[msf](Jobs:0 Agents:0) >> wmap_sites -a
[-] No site provided.
[msf](Jobs:0 Agents:0) >> wmap_sites
[*] Usage: wmap_sites [options]
 -h        Display this help text
 -a [url]  Add site (vhost,url)
 -d [ids]  Delete sites (separate ids with space)
 -l        List all available sites
 -s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)

Add Site to Scan

Adding the bare IP registers a single site on port 80 over plain HTTP. The Jetty service Nmap found on 8080 is not covered by this entry and needs its own site (`wmap_sites -a http://10.0.2.28:8080/`) if it is to be scanned too.

[msf](Jobs:0 Agents:0) >> wmap_sites -a 10.0.2.28
[*] Site created.
[msf](Jobs:0 Agents:0) >> wmap_sites -l
[*] Available sites
===============

     Id  Host       Vhost      Port  Proto  # Pages  # Forms
     --  ----       -----      ----  -----  -------  -------
     0   10.0.2.28  10.0.2.28  80    http   0        0
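The Nmap run above wrote 10.0.2.28.xml alongside the other two formats, and the site table shows WMAP only knows about port 80. The script below is an added example (not code from the original write-up) that parses that XML into a service list, derives one WMAP site URL per web port, flags the services Nmap could not version, and emits the msfconsole lines to register them. SAMPLE_XML is a constructed, trimmed stand-in for 10.0.2.28.xml carrying the same eight services the scan reported; in practice read the real file. The `wmap_targets -t` flag comes from WMAP's own help text (the write-up uses `-d` with a site id instead).

```python
"""Parse the XML that `-oA 10.0.2.28` wrote and derive the follow-up targets.

Added example, not code from the original write-up. SAMPLE_XML is a
constructed, trimmed stand-in for 10.0.2.28.xml with the same eight
services the scan reported; in practice read the real file instead.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94">
<host><status state="up"/>
<address addr="10.0.2.28" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.5"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="6.6.1p1 Ubuntu 2ubuntu2.13"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.7"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
<port protocol="tcp" portid="631"><state state="open"/><service name="ipp" product="CUPS" version="1.7"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
<port protocol="tcp" portid="6697"><state state="open"/><service name="irc" product="UnrealIRCd"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty" version="8.1.7.v20120910"/></port>
</ports></host></nmaprun>
"""


def open_services(xml_text):
    """Return one dict per open port, in scan order."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                # nmap marks TLS-wrapped services with tunnel="ssl"
                "tls": attrs.get("tunnel") == "ssl",
            })
    return found


def wmap_site_urls(services):
    """One URL per web service. wmap_sites -a with a bare IP only registers
    port 80, so every other http port (8080 here) needs its own entry."""
    urls = []
    for s in services:
        if s["proto"] == "tcp" and s["name"].startswith("http"):
            scheme = "https" if s["tls"] else "http"
            urls.append(f"{scheme}://{s['host']}:{s['port']}/")
    return urls


def unversioned(services):
    """Open services nmap could not pin to a version (MySQL answered
    'unauthorized', UnrealIRCd gave no version string). Version-based CVE
    matching is meaningless for these until a banner or login is obtained."""
    return [s for s in services if not s["version"]]


def wmap_resource_script(urls):
    """msfconsole resource-file lines that register and target each site.
    wmap_sites -a and wmap_targets -t both take a URL (-t is from WMAP's
    help; the write-up selects by site id with -d instead)."""
    lines = ["load wmap"]
    lines += [f"wmap_sites -a {u}" for u in urls]
    lines += [f"wmap_targets -t {u}" for u in urls]
    return lines


if __name__ == "__main__":
    svcs = open_services(SAMPLE_XML)
    for s in svcs:
        print(f"{s['port']:>5}/{s['proto']}  {s['name']:<12} {s['product']} {s['version']}".rstrip())
    print("\n".join(wmap_resource_script(wmap_site_urls(svcs))))
```

Save the resource lines to a file and run `msfconsole -r file.rc` to register both web ports before `wmap_run`. The `unversioned` list is the set to treat with care when reading any version-based vulnerability match: MySQL on 3306 and UnrealIRCd on 6697 were identified by protocol only, so nothing in the Nmap output alone supports a specific version for them.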

Specify Target URL

Select the site from the list above as the scan target with `wmap_targets -d <id>`; id 0 is the only site here. WMAP resolves it to the URL http://10.0.2.28:80/, which is what the modules will be pointed at.

[msf](Jobs:0 Agents:0) >> wmap_targets -d 0
[*] Loading 10.0.2.28,http://10.0.2.28:80/.

Run Scanner

`wmap_run -h` prints the options for this command. `wmap_run -t`, shown below, is a dry run: it lists the WMAP-enabled modules that would be executed against the target, grouped by phase, without sending any requests. It is worth checking this list first, since some of the enabled modules (Tomcat, Drupal, FrontPage, vCenter) clearly do not apply to an Apache 2.4.7 host and will only add noise to the real run.

[msf](Jobs:0 Agents:0) >> wmap_run -t
[*] Testing target:
[*]  Site: 10.0.2.28 (10.0.2.28)
[*]  Port: 80 SSL: false
============================================================
[*] Testing started. 2024-03-05 05:15:03 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*] 
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/admin/vmware/vcenter_forge_saml_token
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
[*] Done.

Scan by using wmap_run with the -e flag

`wmap_run -e` executes every enabled module against the defined target (with no profile file given it runs them all; the `-t` run above only listed them). Positive findings are marked with [+] in the output: the Apache banner, the Host header reflection, the allowed methods, a directory listing at /, and the /chat/, /phpmyadmin/ and /uploads/ directories.

[msf](Jobs:0 Agents:0) >> wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]  Site: 10.0.2.28 (10.0.2.28)
[*]  Port: 80 SSL: false
============================================================
[*] Testing started. 2024-03-05 05:17:53 +0000
[*] 
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[+] 10.0.2.28:80 Apache/2.4.7 (Ubuntu)
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 10.0.2.28:80
[-] No File(s) found
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 10.0.2.28 does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/frontpage_login
[*] 10.0.2.28:80          - http://10.0.2.28/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[+] 10.0.2.28:80/ (10.0.2.28)(200)(GET)(evidence into body) is vulnerable to HTTP Host header injection
[*] Module auxiliary/scanner/http/options
[+] 10.0.2.28 allows GET,HEAD,POST,OPTIONS methods
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[+] [10.0.2.28] / [Index of /]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] [10.0.2.28] Sending request with random domain YnEnK. 
[*] [10.0.2.28] Sending request with random domain EILCC. 
[-] [10.0.2.28] Unable to identify error response
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] 10.0.2.28 (Apache/2.4.7 (Ubuntu)) WebDAV disabled.
[*] Module auxiliary/scanner/http/webdav_website_content
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.

[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[+] Found Directory Listing http://10.0.2.28:80/
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Using code '404' as not found for 10.0.2.28
[+] Found http://10.0.2.28:80/cgi-bin/ 403 (10.0.2.28)
[+] Found http://10.0.2.28:80/chat/ 200 (10.0.2.28)
[+] Found http://10.0.2.28:80/icons/ 403 (10.0.2.28)
[+] Found http://10.0.2.28:80/phpmyadmin/ 200 (10.0.2.28)
[+] Found http://10.0.2.28:80/uploads/ 200 (10.0.2.28)
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension 
[+] Found http://10.0.2.28:80/chat 301
[+] Found http://10.0.2.28:80/phpmyadmin 301
[+] Found http://10.0.2.28:80/uploads 301
[*] Using code '404' as not found for files with extension 
[+] Found http://10.0.2.28:80/chat 301
[+] Found http://10.0.2.28:80/phpmyadmin 301
[+] Found http://10.0.2.28:80/uploads 301
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 10.0.2.28: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] 10.0.2.28:80 Folder does not require authentication. [405]
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Server 10.0.2.28:80 returned HTTP 404 for /.  Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/admin/vmware/vcenter_forge_saml_token
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 226.5683000087738 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
[msf](Jobs:0 Agents:0) >> 
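The host_header_injection module reported that a value supplied in the Host header comes back in the response body ("evidence into body"). Before rating that finding it is worth reproducing it by hand and understanding what a non-vulnerable server looks like. The script below is an added example, not part of the original write-up and not a Metasploit module: DemoHandler is a constructed local stand-in for the target that can run either as a reflecting (vulnerable) build or a hardened one that uses a configured canonical host name, so the check can be exercised offline. The `canonical_host` value and the reset-password link are assumptions for the demo; nothing here contacts 10.0.2.28.

```python
"""Confirm WMAP's Host header injection finding by hand.

Added example, not part of the original write-up and not a Metasploit
module. DemoHandler is a constructed local stand-in for the target: it
can run as a reflecting (vulnerable) or a hardened build, so the check
can be exercised offline. Nothing here contacts 10.0.2.28.
"""
import http.client
import http.server
import secrets
import threading


class DemoHandler(http.server.BaseHTTPRequestHandler):
    # Toggled by start_server(). True mimics an app that builds absolute
    # links (password-reset mails, redirects) from the request's Host header.
    reflect_host = True
    canonical_host = "www.example.test"  # assumed configured site name

    def do_GET(self):
        site = self.headers.get("Host", "") if self.reflect_host else self.canonical_host
        body = (
            "<html><body><h1>Index of /</h1>"
            f'<a href="http://{site}/reset-password">reset</a>'
            "</body></html>"
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server(reflect_host):
    """Bind a throwaway server on 127.0.0.1 with an OS-chosen port."""
    DemoHandler.reflect_host = reflect_host
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_host_header_injection(host, port, path="/"):
    """Send one GET whose Host header is a random canary and report whether
    the canary comes back in the body, which is what WMAP's module flagged
    as '(evidence into body)'. Returns (vulnerable, evidence_snippet)."""
    canary = f"{secrets.token_hex(6)}.invalid"  # .invalid never resolves
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        # Supplying Host ourselves makes http.client skip its own Host header.
        conn.request("GET", path, headers={"Host": canary})
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    if canary in body:
        i = body.index(canary)
        return True, body[max(0, i - 40): i + len(canary) + 20]
    return False, ""


def run_demo():
    """Run the check against both builds; returns
    {'vulnerable': True, 'hardened': False}."""
    results = {}
    for label, reflect in (("vulnerable", True), ("hardened", False)):
        srv = start_server(reflect)
        try:
            host, port = srv.server_address
            results[label] = check_host_header_injection(host, port)[0]
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Against the real target the call is `check_host_header_injection("10.0.2.28", 80)`. A reflected Host header is only exploitable when something consumes the poisoned URL (a password-reset link that is mailed out, a cached response served to other users), so find the sink before rating the finding. On the Apache side, a fixed `ServerName` with `UseCanonicalName On` makes the server's own self-referencing URLs use the configured name; application code that reads Host directly still needs its own allowlist, which is what the hardened build above stands in for.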

`wmap_vulns -l` lists what WMAP itself recorded; the database-wide `vulns` command used below shows every vulnerability stored for the host. Read the timestamps: only the last row (HTTP Host Header Injection, 2024-03-05 05:18:00) came from this WMAP run. The rows from February and 4 March were recorded by earlier Metasploit sessions against the same host and were already in the database. Two of those are module records rather than software flaws: "SSH Login Check Scanner" (CVE-1999-0502 is the generic weak-credential identifier) marks a successful login, and "Generic Payload Handler" marks a session that was opened.

[msf](Jobs:0 Agents:0) >> vulns

Vulnerabilities
===============

Timestamp                Host       Name                                                               References
---------                ----       ----                                                               ----------
2024-02-19 10:00:51 UTC  10.0.2.28  Drupal HTTP Parameter Key/Value SQL Injection                      CVE-2014-3704,URL-https://www.drupal.org/SA-CORE-2014-005,URL-http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html,URL-https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704/
2024-02-19 14:37:58 UTC  10.0.2.28  ProFTPD 1.3.5 Mod_Copy Command Execution                           CVE-2015-3306,EDB-36742,URL-http://bugs.proftpd.org/show_bug.cgi?id=4169
2024-02-20 12:30:10 UTC  10.0.2.28  UnrealIRCD 3.2.8.1 Backdoor Command Execution                      CVE-2010-2075,OSVDB-65445,URL-http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
2024-02-20 13:01:20 UTC  10.0.2.28  SSH Login Check Scanner                                            CVE-1999-0502
2024-02-21 03:19:30 UTC  10.0.2.28  Generic Payload Handler
2024-03-04 14:54:11 UTC  10.0.2.28  phpMyAdmin Authenticated Remote Code Execution via preg_replace()  CVE-2013-3238,EDB-25003,OSVDB-92793,URL-http://www.waraxe.us/advisory-103.html,URL-http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
2024-03-04 14:59:03 UTC  10.0.2.28  Ruby on Rails ActionPack Inline ERB Code Execution                 CVE-2016-2098
2024-03-05 05:18:00 UTC  10.0.2.28  HTTP Host Header Injection Detection                               CVE-2016-10073,URL-http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

[msf](Jobs:0 Agents:0) >> 