
Lab4 IA1702

The document provides instructions for enumerating information about a Metasploitable 2 virtual machine using various networking tools in Kali Linux. It describes using netdiscover to find hosts on the local network, nmap to scan for open ports and services, rpcclient to enumerate user accounts, and enum4linux to automatically enumerate the target, finding a list of users, open shares, and noting that the /tmp folder is world-writable.

Project 5: Enumerating Metasploitable 2 (15 points)


What You Need
1. A Kali Linux machine, real or virtual.
2. The "Metasploitable 2" vulnerable Linux Server you prepared
in a previous project.

Setup
Start your Kali VM and log in as root.
Start your Metasploitable 2 VM and log in as msfadmin with
the password msfadmin.
Execute the ifconfig command on both machines and ping from
one to the other. Make sure you get replies, as shown below.
Task 1: Finding Hosts & Open Ports
In Kali, execute this command to locate all hosts on your
network.
Replace the subnet address below with the correct subnet for
your machine. Usually all you need is the first 3 bytes of
the IP address, as highlighted in the image above.
netdiscover -r 192.168.234.0/24
As shown below, the scanner finds all the machines on your
network. One of them should be your Metasploitable 2
machine.
Press Ctrl+C to exit netdiscover.
Execute this command to scan all 65,536 TCP ports on the
target, replacing the IP address with the IP address of your
Metasploitable 2 VM.
nmap -sS -p- 192.168.234.133
This scan quickly finds all open ports, as shown below, but it
doesn't find versions of the services.

Execute this command to scan 1000 common ports on the target,
with version detection and OS detection. Replace the IP address
with the IP address of your Metasploitable 2 VM.
nmap -sS -sV -O 192.168.234.133
This scan finds many version numbers, as shown below.
Execute this command to scan UDP ports on the target.
nmap -sU 192.168.234.133
This scan will take about 15 minutes to run, so leave it going
and open a new Terminal window to continue with the rest
of the project while it runs.
When it finishes, it finds several UDP-based services, as shown
below.

Task 2: Enumerating Users


Enumerating with Nmap
Execute this command to run the Nmap script "smb-enum-users" on the target. This
will find a list of user accounts from the SMB service, which is available if a host is
sharing files with Windows systems.
nmap --script smb-enum-users.nse -p 445 192.168.234.133
This produces a long list of user accounts, as shown below.
Enumerating with rpcclient
You can also enumerate users via Null sessions with the "rpcclient" command.
Execute this command:
rpcclient -U "" 192.168.234.133
When it asks for a password, press Enter.
This displays an "rpcclient $>" prompt. Execute this command:
querydominfo
This shows that there are 35 users on the system, as shown below.

Execute this command to list all 35 user accounts.
enumdomusers
This lists all the user accounts, with their "Relative ID" numbers (rid), as shown
below.
Execute this command to get more information about the "msfadmin" account.
queryuser msfadmin
This shows that user's profile path, and other information, as shown below.

Execute the exit command to leave "rpcclient".
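
An added example, not part of the original lab handout: it parses enumdomusers output and converts each RID back to a Unix UID, which shows how much of the server's account layout a null session exposes. It assumes Samba's legacy algorithmic mapping (RID = 2*uid + 1000); the sample lines and function names are constructed for illustration.

```python
import re

# Assumption: Samba's legacy algorithmic mapping with the default base of
# 1000, where a Unix user's RID is 2*uid + 1000.
RID_BASE = 1000
USER_RE = re.compile(r"user:\[([^\]]+)\]\s+rid:\[(0x[0-9a-fA-F]+)\]")

# Constructed sample in the format rpcclient prints for enumdomusers.
SAMPLE = """\
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[root] rid:[0x3e8]
user:[msfadmin] rid:[0xbb8]
user:[daemon] rid:[0x3ea]
this line is not a user entry
"""

def parse_enumdomusers(text):
    """Return (name, rid) pairs; lines that do not match are skipped."""
    return [(m.group(1), int(m.group(2), 16))
            for m in map(USER_RE.search, text.splitlines()) if m]

def rid_to_uid(rid):
    """Invert RID = 2*uid + base; None for RIDs outside that scheme."""
    if rid < RID_BASE or (rid - RID_BASE) % 2:
        return None
    return (rid - RID_BASE) // 2

def exposure_report(text, first_login_uid=1000):
    """Group the leaked account names by what their RID reveals."""
    report = {"root": [], "login": [], "system": [], "unmapped": []}
    for name, rid in parse_enumdomusers(text):
        uid = rid_to_uid(rid)
        if uid is None:
            key = "unmapped"
        elif uid == 0:
            key = "root"
        elif uid >= first_login_uid:
            key = "login"
        else:
            key = "system"
        report[key].append(f"{name} (rid {rid}, uid {uid})")
    return report

if __name__ == "__main__":
    for group, entries in exposure_report(SAMPLE).items():
        print(f"{group:9} {entries}")
```
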


Enumerating with enum4linux
enum4linux is a Perl script that uses smbclient, rpcclient, net, and nmblookup to
automatically enumerate a target.
Execute this command to see the options for the enum4linux command.
enum4linux --help
Not specifying any options runs them all. Execute this command to enumerate the
target:
enum4linux 192.168.234.133
A lot of output scrolls by. First there are a couple of lists of all the usernames, as we
found previously with other tools.
Then a "Share Enumeration" appears, showing that the /tmp folder is shared, as
shown below. This has a note of "oh noes!" because /tmp is world-writeable. This
means we can probably upload scripts into that folder and execute them :).
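
An added example, not part of the original lab handout: it audits smb.conf text for the two settings behind the findings in this project, a share that is both guest-accessible and writable, and the global "restrict anonymous" parameter left at 0, which permits the anonymous queries used in Task 2. The sample configuration is constructed, and audit_smb_conf is a hypothetical helper name.

```python
import configparser

# Constructed smb.conf text modelled on the finding above, not copied from the VM.
SAMPLE_CONF = """\
[global]
workgroup = WORKGROUP

[tmp]
comment = oh noes!
path = /tmp
read only = no
guest ok = yes

[docs]
path = /srv/docs
guest ok = yes
"""

YES = {"yes", "true", "1"}

def _is_yes(section, names, default=False):
    """Read a boolean parameter under any of its synonyms."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in YES
    return default

def audit_smb_conf(text):
    """Return (section, issue) findings for anonymous exposure."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if cp.get("global", "restrict anonymous", fallback="0").strip() == "0":
        findings.append(("global", "restrict anonymous is 0 (the default)"))
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        guest = _is_yes(share, ("guest ok", "public"))
        # "read only" defaults to yes; writable/writeable/write ok invert it.
        writable = (not _is_yes(share, ("read only",), default=True)
                    or _is_yes(share, ("writable", "writeable", "write ok")))
        if guest and writable:
            findings.append((name, "guest-writable: " + share.get("path", "?")))
    return findings

if __name__ == "__main__":
    for section, issue in audit_smb_conf(SAMPLE_CONF):
        print(f"[{section}] {issue}")
```
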
