Metasploit Framework


USING AUXILIARY MODULES FROM METASPLOIT

First of all, I used the auxiliary modules from Metasploit Framework, which allow me to scan: discover hosts, list ports, identify the OS version, find vulnerable applications and so on. At the bottom of the picture you can see the first module I used:
  • auxiliary/scanner/discovery/arp_sweep (enumerates the hosts answering on the local network by ARP; because ARP is a layer-2 protocol it only sees the local segment, not hosts behind a router)

Once the module is selected, it needs the set-up shown in the second picture below:
  • INTERFACE: the network interface the ARP requests are sent from; in my case eth0.
  • RHOSTS: the address range to probe; in my case 192.168.100.0/24 (every possible address in the network I am analysing).
  • THREADS: the number of concurrent threads, i.e. how fast the range is swept; I used 15 because I wanted the sweep to finish as fast as possible.

In the picture below we can see that the scan succeeded, because it discovered 4 hosts (the vendor is looked up from the OUI of each MAC address):
  • 192.168.100.210 (ROUTERBOARD)
  • 192.168.100.237 (CADMUS COMPUTER SYSTEM, the OUI VirtualBox assigns to its virtual network cards)
  • 192.168.100.238 (REALTEK SEMICONDUCTOR CORP.)
  • 192.168.100.253 (UNKNOWN)
One of the four has an unknown vendor, so I am going to focus on the other three addresses, which you can see in the picture below.



SCANNER PORTSCAN TCP

Having chosen the IP addresses to scan, it is time to use a new module, auxiliary/scanner/portscan/tcp, which shows the open ports on each address. Its set-up, visible in the picture below, is:
  1. RHOSTS: the addresses to analyse for open ports; in my case 192.168.100.210, 192.168.100.237 and 192.168.100.238.
  2. PORTS (this module uses PORTS rather than RPORT): the ports to analyse, which can be a single port, a range or a list, for example 1-200, 22 or 21,45,49,80,90.
  3. THREADS: the number of threads, because I want to obtain the open ports as fast as possible.
“IMPORTANT: THIS CONFIGURATION IS DONE WITH THE SET COMMAND, FOR EXAMPLE: set RHOSTS 192.168.100.237, AND TO EXECUTE THE MODULE YOU TYPE run AND PRESS ENTER”


In the picture below we can see the set-up I made with the different options:
  • PORTS: the ports or range of ports I want to analyse.
  • RHOSTS: the IP addresses I want to analyse.
  • THREADS: the number of threads; more threads make the scan finish sooner.
 
In the next picture we can see that the scan succeeded.


In my case I want to focus on the FTP port, number 21.

SCANNER FTP VERSION

Having chosen the port I want to attack, I selected another auxiliary module, auxiliary/scanner/ftp/ftp_version, to obtain the version of the FTP service that is open and listening.


In the picture below, after typing the options command, I can see the module's options and which of them need configuring. The only one I have to enter is the IP address of the machine I want to scan, in my case 192.168.100.237, with the set command (set RHOSTS 192.168.100.237); finally we run the module with run to start the scan.


To sum up, the scan succeeded, and the most striking result is the banner grab: the greeting the service sends when a client connects, which usually reveals the software name and version and sometimes the operating system. In my case the FTP server is vsFTPd, version 2.3.4.
    

SCANNING THE vsFTPd 2.3.4 VERSION

NMAP

Now, with nmap, one of the best tools for scanning and vulnerability analysis, I am going to verify that the version is not a false positive, because afterwards I want to exploit the vulnerability in the FTP service. For that I use the following nmap options:
  1. -n: never do reverse DNS resolution, so a wrong or slow PTR record cannot mislead or delay the scan.
  2. -Pn: skip host discovery and treat the target as up, so the ports I already found with auxiliary/scanner/portscan/tcp are scanned even if the host does not answer pings.
  3. -sV: probe the open ports to determine the service and version running on each one.
  4. -A: aggressive scan, which enables OS detection, version detection, the default NSE scripts and traceroute, to obtain the exact version of the service and of the operating system.
  5. -vvv: maximum verbosity, to see the scan of the IP address step by step.
Against my target the command is:
  • nmap -n -Pn -sV -A -vvv 192.168.100.237


In the picture at the top we can see that nmap found the same application and version on port 21, vsFTPd 2.3.4, which may be vulnerable. Note that the backdoor was only present in a tampered vsFTPd 2.3.4 tarball distributed for a short time in 2011, so the version string alone is a strong hint, not proof; the exploit module below is what confirms it.
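What ftp_version and nmap -sV do on port 21 is a banner grab: connect, read the 220 greeting, and parse the product and version out of it. The following Ruby script is an added example written for this article; it is not code from the post or from Metasploit's ftp_version module. It starts a throwaway local "FTP" server that only sends a greeting, so it runs offline; the banner string "220 (vsFTPd 2.3.4)" is constructed on the assumption that the lab host greets this way (the real greeting is only visible in the screenshots), and the list of recognised products in VERSION_RE is my own choice.

```ruby
require 'socket'
require 'timeout'

# Constructed greeting imitating what a vsFTPd 2.3.4 daemon sends on connect.
# The real banner of the lab host is only visible in the post's screenshots,
# so this string is an assumption used to drive the example offline.
FAKE_BANNER = "220 (vsFTPd 2.3.4)\r\n"

# Products whose greeting carries "<name> <version>" (assumed list; extend as needed).
VERSION_RE = /\b(vsFTPd|ProFTPD|Pure-FTPd)\s+v?([0-9]+(?:\.[0-9]+)*)/i

# Start a throwaway local "FTP" server on 127.0.0.1 that only sends the
# greeting, so the grabber can be exercised without a real target.
# Returns the port it is listening on.
def start_fake_ftp(banner)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      client.write(banner)
      client.close
    end
  end
  server.addr[1]
end

# Connect to host:port and read the single greeting line (RFC 959 reply 220).
# This is the whole "banner grab": no login, no commands sent.
# Returns the line without CRLF, or nil on refusal/timeout.
def grab_ftp_banner(host, port, timeout: 3)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  line = Timeout.timeout(timeout) { sock.gets }
  line&.chomp
rescue Timeout::Error, SystemCallError
  nil
ensure
  sock&.close
end

# Pull product and version out of the greeting. Returns nil when the reply is
# not a 220 greeting or names software this example does not recognise.
def parse_ftp_version(banner)
  return nil unless banner&.start_with?('220')
  m = VERSION_RE.match(banner)
  m ? { product: m[1], version: m[2] } : nil
end

# The check the post performs by hand with ftp_version and nmap -sV: does the
# service announce itself as vsFTPd 2.3.4, the release that carried a backdoor?
def vsftpd_234?(info)
  !info.nil? && info[:product].casecmp?('vsftpd') && info[:version] == '2.3.4'
end

if __FILE__ == $PROGRAM_NAME
  port = start_fake_ftp(FAKE_BANNER)
  banner = grab_ftp_banner('127.0.0.1', port)
  info = parse_ftp_version(banner)
  puts "banner : #{banner.inspect}"
  puts "parsed : #{info.inspect}"
  puts "vsFTPd 2.3.4? #{vsftpd_234?(info)}"
end
```

To point it at the lab machine instead of the fake server, call grab_ftp_banner('192.168.100.237', 21). A banner is only a claim made by the daemon (administrators can change it), which is why the article goes on to confirm the finding with the exploit module rather than trusting the version string.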

THE “VULN” SCRIPT CATEGORY

Now I am going to use something very useful for discovering vulnerabilities (security flaws) in the target: the vuln category of nmap's NSE scripts. The nmap command is:
  • nmap -n -Pn 192.168.100.237 --script vuln -vvv

To sum up, with the vuln scripts I discovered a vulnerability (flaw/security hole) for which an exploit exists both in exploit-db and in Metasploit, as the second picture below shows. The Metasploit module is:
  • exploit/unix/ftp/vsftpd_234_backdoor (file vsftpd_234_backdoor.rb)

VULNERABILITY EXPLOITATION

Firstly, to exploit the vulnerability: the backdoor in vsFTPd 2.3.4 was discovered in 2011, and the Metasploit module for it is written in Ruby. I used the search command available in Metasploit:
  • search type:exploit name:vsftpd_2.3.4
In the picture below you can see that I found the exploit I will run next.

We can select it in two ways:
  1. The easiest: the use command with the index number shown in the search results, which is 0 here, as seen at the top of the picture (use 0).
  2. The most common: writing the full module path:
  • use exploit/unix/ftp/vsftpd_234_backdoor, as seen in the picture below.

Finally, to exploit the vulnerability found above, we only have to configure the RHOSTS parameter with the IP of the victim machine, 192.168.100.237 in my case, and then run exploit to obtain the shell. The images below show that we obtained access to the remote machine.

    

Thank you very much for reading the article.
I hope you liked it and learned something new.
Happy hacking!
