You should have some basic experience in using the command line of a Linux box.
initial start up metasploitable
launch metasploitable
Load VirtualBox and launch the Metasploitable machine by selecting it and clicking Start. When Metasploitable has finished loading, you will see the following screen:
log in to metasploitable
You can log in with the username msfadmin and password msfadmin.
Once logged in, you will be presented with the Metasploitable command prompt:
Now that we are logged in, let’s try running a few commands.
To print the working directory (i.e., show us where we are in the system), type:
The output should be:
To list the contents of the current directory, type:
The output should be:
This tells us there is a directory called ‘vulnerable’ in the msfadmin directory.
prepare a flag to capture
We will stay in the msfadmin directory and create a text file called target.txt. This will be our target when we attempt to hack the machine.
To create a text file called target.txt, type:
This will create an empty text file called target.txt within the msfadmin directory.
In order to put some data into the text file, we need to open it with a Linux text editor: nano.
To open the file with the editor, type:
At this point, you will be presented with the nano text editor, and you can type in some data.
Type
Now we need to save this and exit the nano text editor.
Press ctrl+o and then enter to save the file. Press ctrl+x to exit nano.
You should now be presented with your command prompt once again.
We can now type ls to list the contents of the directory to confirm that the file has been created:
If we type cat target.txt, it should output the contents of the file:
test network connections: metasploitable
Next, we will take a look at the network configuration. Type:
This shows some network information about the machine.
eth0 and lo are the network interfaces on the machine (lo is the loopback interface, which only the machine itself can reach; eth0 is the interface connected to the virtual network).
Note that the inet address of this machine is ‘10.0.2.4’: this is the IP address of the metasploitable machine. (This guide assumes you are familiar with how IP addresses work). The IP address on your VM may be different; if this is the case, take a note of it and use it whenever the guide refers to this one.
We will need the IP address when targeting the machine from Kali.
Now, let’s leave the Metasploitable machine, but don’t shut it down; the machine needs to be running in order for us to hack into it.
network connection kali
Launch your Kali VM from VirtualBox and log in using username: kali and password: kali.
We will cover the practical aspects of the penetration testing process. As you will be aware from your studies, the main steps in a penetration test are:
Reconnaissance
Scanning
Exploitation
Maintaining access
Assuming we have conducted some passive / active reconnaissance on our target, this may have yielded some IP addresses for us to aim our attacks at.
In Kali, launch a terminal window (icon in the menu bar, top left) and type the command ifconfig
This will output the network information of the Kali machine. It should look something like this:
You will note that the IP address of this machine is 10.0.2.6 (yours may differ slightly); this is the address of the attack machine.
At this point, it is worth taking a written note of both of these IP addresses; in this case, our victim IP is 10.0.2.4, and our attack/Kali IP is 10.0.2.6. It is important not to get these mixed up.
If either of your IP addresses are different, simply swap these as appropriate when carrying out the following steps.
You will note that the IP addresses for both machines are very similar, both starting with ‘10.0.2’; this shows that both machines are on the same network.
ping
We can check that the machines can ‘see’ each other using the ping command. When you ‘ping’ a remote computer, your machine will send some data packets to the target, and the target will respond with an acknowledgement. This proves there is a live connection between the machines. In the Kali terminal, type: ping 10.0.2.4
You should see that data packets (64 bytes received...) from the target machine start arriving. This means the machine is live on the network.
Kali will continue to ‘ping’ the target until you tell it to stop. You can do this by pressing ctrl+z (note that ctrl+z only suspends the ping process in the background rather than ending it; ctrl+c terminates it).
(If your ping was unsuccessful, this means there is probably an issue with your network settings for one or both of your VMs. Carefully check the settings are exactly as stated earlier in this guide. You will need to shut the machines down in order to do this, as VirtualBox is unable to change network settings while the VM is running.)
using nmap to scan a target
NMap is a tool built into Kali Linux that allows us to perform network analysis and gain some useful information about our target machine(s).
We will use NMap to perform some active reconnaissance/port scanning of our target.
Open a terminal window in Kali and type nmap --help
Typing --help will instruct the program to output a list of helpful options along with descriptions of what they do. This can be very helpful.
You will notice that one of the options we can use with NMap is ‘-v’. This means that NMap will be verbose with its output, and provide more detailed information than it would normally.
Another useful option is ‘-A’. This will instruct NMap to attempt to detect the operating system running on the target machine. This is a very useful thing to know for the exploitation stage, as you will see shortly.
So in order to instruct NMap to perform a scan of our target, we would type the command:
NMap will now start performing network analysis and port scanning of the target. This may take a few minutes, and your screen will look very busy and complicated. NMap will let you know when it has completed.
As the scan progresses, NMap will detect open ports on the target and attempt to identify what services are running on these ports. NMap should also detect what OS is running on the target machine.
nmap result screen shot
You can see, for example, that a service called Unreal IRCD is running on port 6667.
Later in the output, you can see that NMap has detected that the OS is Metasploitable.
Now, it is worth noting that we just used NMap to scan a specific IP address: 10.0.2.4, because we already knew the IP address of the target machine. In a real penetration test, we are unlikely to have such specific information, so we could use NMap to scan a range of IP addresses.
For example, if we wanted to scan our local area network, we would be able to determine the first three parts of the address from our own machine’s IP address: 10.0.2
We could then instruct NMap to scan a range of IP addresses on that network by typing the command:
This would search for any systems running on the LAN, and try to determine the open ports/OS versions etc. for each system. As you can imagine, this can take a longer time to complete, but would be necessary if we did not have system specific information.
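The ‘first three parts of the address’ rule above only holds for a /24 network (netmask 255.255.255.0). The added example below, which is not part of the original guide, reads the inet address and netmask out of ifconfig output (both the older ‘inet addr:’ layout that Metasploitable prints and the newer ‘inet … netmask …’ layout that Kali prints), derives the network block properly from the netmask, and checks whether a second address really sits on the same network. The interface text it parses is constructed sample output, not the guide’s screenshots; the addresses 10.0.2.4 and 10.0.2.6 are the ones the guide uses. The resulting block (10.0.2.0/24) is also the range argument that nmap accepts for scanning the whole LAN.

```python
import ipaddress
import re

# Constructed ifconfig output in the older net-tools layout (as on Metasploitable).
OLD_STYLE = """eth0      Link encap:Ethernet  HWaddr 08:00:27:aa:bb:cc
          inet addr:10.0.2.4  Bcast:10.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

# Constructed ifconfig output in the newer layout (as on a current Kali).
NEW_STYLE = """eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.6  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe11:2233  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

# "inet addr:10.0.2.4  Bcast:...  Mask:255.255.255.0"
_OLD_INET = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")
# "inet 10.0.2.6  netmask 255.255.255.0  broadcast ..."
_NEW_INET = re.compile(r"inet (\S+)\s+netmask (\S+)")


def parse_ifconfig(text):
    """Return {interface name: IPv4Interface} for every IPv4 'inet' line.

    Interface blocks start in column 0 ("eth0      Link encap" or "eth0: flags=");
    the indented lines that follow belong to that interface.
    """
    interfaces = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")
            continue
        match = _OLD_INET.search(line) or _NEW_INET.search(line)
        if match and current:
            addr, mask = match.groups()
            # ipaddress accepts a dotted netmask after the slash and normalises it.
            interfaces[current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def scan_range(iface):
    """CIDR block covering the interface's whole network, e.g. '10.0.2.0/24'.

    This is what the guide approximates with 'the first three parts of the address';
    using the netmask makes it correct for /16, /22 and other sizes too.
    """
    return str(iface.network)


def same_network(iface, other_address):
    """True when other_address lies inside iface's network (proper netmask check)."""
    return ipaddress.ip_address(other_address) in iface.network


if __name__ == "__main__":
    victim = parse_ifconfig(OLD_STYLE)["eth0"]
    attacker = parse_ifconfig(NEW_STYLE)["eth0"]
    print("victim  :", victim.ip, "on", scan_range(victim))
    print("attacker:", attacker.ip, "on", scan_range(attacker))
    print("same network:", same_network(attacker, str(victim.ip)))
```

Run as a script it reports both addresses, the 10.0.2.0/24 block they share, and that the attacker can reach the victim without routing. If your VirtualBox network uses a different mask, the block changes accordingly while the first-three-octets shortcut would silently be wrong.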
It is also worth noting that scanning a target system/network in this way is viewed as a very aggressive action. In a real world scenario, this is an extremely intrusive and ‘noisy’ course of action, and would likely result in security systems reporting it; this would be noticed. To put it in context, this is not a subtle, agile cat burglar sneaking into a house; this is a clumsy, loud burglar banging on every window and door while trying to get in. Real hackers will use more subtle techniques, but we will stick with the ‘sledgehammer’ approach for now.