Metasploitable 2.0 Tutorial: Checking for Open Ports with Nmap

Friday, August 03, 2012

Dan Dieterle

I mentioned recently that we would take a closer look at Metasploitable 2.0, the purposefully vulnerable Linux virtual machine used for learning security tactics and techniques.

In this intro, we will quickly cover obtaining Metasploitable and scanning it for open ports and services. (No, you do not want Metasploitable running on an open or production network; it’s vulnerable, for Pete’s sake!)

For this series of tutorials you will need:

You can set up a test network using VMware or VirtualBox. I will not cover this in the article; there are many tutorials out there for setting this up.

The Rapid7 website references a great Metasploitable setup tutorial on webpwnized’s YouTube Channel. This covers installing Metasploitable 2 on VirtualBox and how to get to Mutillidae, a great learning tool for web app security:

Okay, let’s take a look at Metasploitable from our Backtrack box. Let’s run an nmap scan and see what services are installed.

Open a Terminal window on your Backtrack system and type:

nmap -v -A 192.168.12.20

(where 192.168.12.20 is Metasploitable’s IP address; substitute the address of your own VM)

This will show us the open ports and try to enumerate what services are running. Here is a look at the ports:

Holy open ports Batman!

Nmap will churn for a while as it tries to detect the actual services running on these ports. After a few minutes you will see a screen that looks like this:

For each port, we see the port number, service type and even an attempt at the service software version.

From here, we can grab the software version, in this case “Unreal IRC 3.2.8.1”, and do a search for vulnerabilities for that software release. Just searching “unreal3.2.8.1 exploits” in Google should do the trick.

With a little searching, you can find an Unreal exploit usable through Backtrack 5’s Metasploit program that will give you a root shell. See if you can find it and give it a shot. If you strike out, no worries, we will take a closer look at this in a later tutorial.

If nothing comes up, you may not have the exact software version. Nmap tries its best, but it is not always correct. Backtrack 5’s Metasploit console has several service scanners that we can use to get exact version levels.
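To work through a scan result the way the last few paragraphs describe, here is an added Python example (not from the original post or from the Metasploitable project) that parses the port table nmap prints, keeps the port number, service and version for each open port, and sets aside any port whose version nmap left blank, marked with a “?”, or reported only as a range or without a version number, so those can be re-checked with a dedicated service scanner. The scan text below is a constructed sample, not a real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real capture) of the port table that
# `nmap -v -A <target>` prints once version detection has finished.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp?
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
6667/tcp open  irc         Unreal ircd 3.2.8.1
8180/tcp open  unknown
"""

# port/proto, state, service name, then an optional free-text version column
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str  # "" when nmap printed nothing in the VERSION column

def parse_nmap_ports(text):
    """Return one Service per *open* port line of nmap's normal output."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":  # header and closed/filtered rows are skipped
            port, proto, _state, name, version = m.groups()
            found.append(Service(int(port), proto, name, (version or "").strip()))
    return found

def needs_followup(svc):
    """True when nmap's guess is not an exact version: no version number,
    an unconfirmed service ('smtp?') or a range ('8.3.0 - 8.3.7')."""
    no_number = not any(ch.isdigit() for ch in svc.version)
    return no_number or svc.name.endswith("?") or " - " in svc.version

def triage(text):
    """Split a scan into exact-version hits and ports still to be fingerprinted."""
    exact, unsure = [], []
    for svc in parse_nmap_ports(text):
        (unsure if needs_followup(svc) else exact).append(svc)
    return exact, unsure
```

Calling `triage(SAMPLE_SCAN)` on the sample returns the FTP, SSH and IRC ports with their exact versions and lists telnet, SMTP, PostgreSQL and port 8180 as needing a second look.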

We will take a closer look at these in the next tutorial. Then we will dive into exploiting the open services.

Cross-posted from Cyber Arms
