Metasploitable 2 – Compromise: UnrealIRC

Let’s take a look at this Nmap result in more detail:

6667/tcp  open  irc         UnrealIRCd

Nessus results also show some details here:

Critical (10.0) 46882 UnrealIRCd Backdoor Detection

Worth checking to see if Metasploit has a module we can use here. Fire up Metasploit with:


And let’s do a search for any hits on ‘unrealirc’:

search unrealirc


Great, we have a hit. Let’s choose this exploit:

use exploit/unix/irc/unreal_ircd_3281_backdoor


We now need to configure it. To see what’s required, use:

show options


Let’s set our target (using our Metasploitable IP address) with:


Once done you can run ‘show options’ again to confirm it looks good:


Now let’s see if it works by typing ‘run’:



Be aware that you may not get much feedback even if the exploit is successful.

Try typing ‘hostname’ as above and see what comes back. As you can see, the exploit was successful: we have root access to the Metasploitable box once more.




Metasploitable 2 – Compromise: rlogin

One of the simplest compromises of the Metasploitable box.

We can see from the nmap results:

513/tcp   open  login?

Nessus also detected the use of rlogin:

High (7.5) 10205 rlogin Service Detection

At this stage we don’t have any info on possible accounts on the Metasploitable box, but it is likely that there is a ‘root’ account.

As such we can try the following command and see what we get:

rlogin -l root
  • -l: user to log in as


So we are prompted for a password – a good sign the root account is valid.

But there is actually more to this than the above suggests.

I am using a fresh install of Kali 2 and the rsh-client is not installed by default. So let’s install it with:

apt-get install rsh-client


Now let’s try that original rlogin command once more:

rlogin - compromise

Bingo… we’re in, and with root access no less.
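
The post does not show the server-side configuration. A common reason rlogin grants a session without a password is that the server trusts the connecting host and user through /etc/hosts.equiv or a per-user .rhosts file. The audit script below is an added example, not part of the original post; it assumes the standard trust-file locations, and the sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit r-services trust files for entries that let rlogin/rsh
# skip the password prompt. Function names and the sample tree are hypothetical.

# audit_rtrust ROOT
#   Scans ROOT/etc/hosts.equiv, ROOT/root/.rhosts and ROOT/home/*/.rhosts.
#   Prints "file:line: reason" for each wildcard entry; returns 1 if any found.
audit_rtrust() {
    root=${1:-/}
    found=0
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue          # unmatched glob or missing file
        n=0
        while read -r host user _ || [ -n "$host" ]; do
            n=$((n + 1))
            case $host in ''|'#'*) continue ;; esac   # blank line or comment
            if [ "$host" = "+" ] && [ "$user" = "+" ]; then
                echo "$f:$n: any user from any host is trusted"; found=1
            elif [ "$host" = "+" ]; then
                echo "$f:$n: any host is trusted"; found=1
            elif [ "$user" = "+" ]; then
                echo "$f:$n: any user on $host is trusted"; found=1
            fi
        done < "$f"
    done
    return "$found"
}

# Constructed sample tree (not taken from the box in the walkthrough).
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root" "$d/home/alice"
    printf '# trusted peers\nbuildhost\n' > "$d/etc/hosts.equiv"
    printf '+ +\n' > "$d/root/.rhosts"
    printf 'buildhost +\n' > "$d/home/alice/.rhosts"
    echo "$d"
}

tree=$(demo_tree)
audit_rtrust "$tree" || echo "risky r-services trust entries found"
rm -rf "$tree"
```

Run it as root with `audit_rtrust /` on a host that still exposes 512-514/tcp; any finding means the service will accept logins without a password from the listed scope.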

Metasploitable 2 – Vuln scan with Nessus

One of the simplest ways to spot an easy attack vector is to perform a vulnerability scan against the box.

In this case I am going to use Nessus Home, as it is free to sign up and does the job well.

Once Nessus Home is up and running (and up to date) we can kick off a scan against our box:

Nessus Scan

And once complete we can take a look at the results:


The full list of results with details can be found here:

Nessus Scan Report