Metasploitable 2 – System Recon

Now we know which IP to target – we can start performing some recon to gather some more details about the system.

Again there are various ways to do this but I like to start with nmap again.

nmap -sTV -o metasploitable -p1-65535 192.168.168.134
  • -sTV = T is connect scan, V is version scan
  • -o metasploitable  = output results to file called metasploitable
  • -p1-65535 – scan all ports in this range. Without this nmap will scan the top 1000 commonly used ports but that could miss some more obscure ports so this command scans them all
  • 192.168.168.134 – the ip of the metasploitable box

nmap_port_service_results

So we now have a full list of open ports on the Metasploitable box along with the likely service and even the version in use for each service/application.

Here is the full output:

 

# Nmap 7.40 scan initiated Sun May 14 15:24:23 2017 as: nmap -sTV -o metasploitable -p1-65535 192.168.168.134
Nmap scan report for 192.168.168.134
Host is up (0.00038s latency).
Not shown: 65505 closed ports

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd (Admin email admin@Metasploitable.LAN)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34140/tcp open  mountd      1-3 (RPC #100005)
37940/tcp open  status      1 (RPC #100024)
42380/tcp open  unknown
57109/tcp open  nlockmgr    1-4 (RPC #100021)

MAC Address: 00:0C:29:D5:07:11 (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 14 15:27:08 2017 -- 1 IP address (1 host up) scanned in 165.54 seconds

We can now use this information  to start exploiting the box.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s