Metasploit tutorial for beginners
Hello everybody and welcome back. Now, right now what we want to do is basically just start with some of the auxiliary modules that are in the Metasploit framework. So we want to basically scan the machine with msfconsole. Now let us first of all start msfconsole.
Now, if you didn't, start postgresql before this so it can run faster. But while this is starting I also want to start my OWASP virtual machine. Now if you installed Metasploitable before, whether it is Metasploitable 1 or Metasploitable 2, you can also run that one as well. Now, as I said before, I cannot get Metasploitable to run for some reason, so I am using OWASP. I will show you some of the attacks you can perform on Metasploitable as well.
Those of you who are opening that machine right now can also do something. But some of the attacks are also similar for OWASP and for Metasploitable. So just start any of those two machines. Now I will make sure to mention when the attack is directed at Metasploitable, and when the attack is directed at the OWASP virtual machine. So we wait for this to open. This shouldn't take too long; as we remember, this is a virtual machine. It will prompt us to enter our user name and password, which I believe is the user name root and the password owaspbwa.
Let me just see if this has opened. OK, so this has opened. We get the standard command line tool, and we also get this banner right here. So let us first log in to OWASP. Hopefully it will prompt us for the username and password soon enough. Here it is. So the user name is root and the password is owaspbwa. So, owaspbwa. And now we are good to go. Let us first check the IP address of this so we know it. So the IP address of our OWASP virtual machine is 192.168.1.2. Good. Now as I said before, you can run a bunch of different commands, basically all the commands we run from our regular terminal, from the Metasploit framework command line as well. So what we want to do first is clear the screen. And then let's take a good scan of the OWASP virtual machine. Now we covered nmap before, so what we want to do right now is nmap -sV so we can get the versions of the services running on certain ports, and then we specify the IP address of our OWASP virtual machine, or in your case, if you're using Metasploitable, of your Metasploitable machine. So execute this. And now we wait for this to finish. It should prompt us with all of the open ports.
It should prompt us with the services running on the open ports, and it should prompt us with the versions of those services, which can be useful especially when you use the Metasploit framework. So what we will do is try some of the certain attacks on this. Now we can see that the scan has finished in 18.3 seconds. So we get the open ports, and let's start off with the SSH port. Now there are a bunch of other ports here, such as 139 and 445 running Samba smbd versions 3 to 4, which is also vulnerable software. You also have it on Metasploitable, I believe, the same version. I will show you how you can exploit it later on. But for now, let us start off by trying to get in over SSH. So we can see that the service running on port 22 is SSH, and the version is OpenSSH 5.3p1 Debian 3ubuntu4. So what we will do is use the auxiliary module that is in the Metasploit framework, and we will try to brute force the SSH on port 22 of our OWASP virtual machine.
If you're running Metasploitable, once again, the process is the same from your Metasploitable. So let us try searching for SSH. Now this will print us all of the available exploits, auxiliary modules and post-exploitation modules for SSH. Now let us scroll up a little bit, since we do not want post and we do not want exploit. We want some of these modules right here. So auxiliary/dos. We have auxiliary/dos/windows/ssh... Not really sure what that is. It says multi-server key exchange denial of service. OK. But this is on Windows so we do not really need it. What we are searching for is a scanner, and the scanner has to be the login one. So here it is: auxiliary/scanner/ssh/ssh_login. Now it does not have the date when it came out, it is ranked as normal, and it says SSH login check scanner, which basically means the SSH bruteforcer. Now you can also, for example, check the SSH version before you start that. So auxiliary/scanner/ssh/ssh_version, SSH version scanner; let's first of all start with that one. I believe it will give us the same thing that nmap gave us, which is the version of SSH. Now you can use this instead of nmap, since sometimes nmap won't give you the version, and I believe this one is actually more detailed. So as we saw in the previous videos, in order to pick any of these you just type use and then the name of the module itself. So use auxiliary/scanner/ssh/ssh_version. And what we want to do is show our available options. So we can see that we have four different options and they are all required. Most of them are already selected for us. So RPORT, for example, is set to 22, which is good. SSH is most likely always, and also by default, running on port 22. If it is not, you would want to change this. THREADS is the number of threads basically running during this process. Now the more threads, the faster this process will go.
So depending on the power of your virtual machine you can select, for example, let's set THREADS 3. Now we also covered the set command, so you set basically all of these options with just the set command, then the name of the option you want, and then the value. So we want three threads. So if you were to type show options right now, you would see that THREADS is now set to 3. The only thing that we need to select right now is RHOSTS. So RHOSTS is basically the target address, for our OWASP virtual machine. It is basically the IP address of your target. So set RHOSTS, we know it is 192.168.1.2, and now if we show our options again in order to check that everything is good, we will be able to run this. Now if you just run this, so just type in run, this will probably... here it is. This will print out the SSH version that is running on the target, on target port 22. As we can see, the SSH version is this one, and it gives a bunch of other options as well that could be potentially useful to you. Now this is a simple scan that we did for the first one, but now let's actually try to brute force the SSH on port 22. So let us go to our available auxiliary modules, and what we want to use is the SSH login one. So just select auxiliary/scanner/ssh/ssh_login, copy it, let us go down here, and let's do use, and then our module. So copy, paste it, and then we can see that it changed the module. So let's clear the screen so we can see things a little bit better, and let's show our options. Now you can see that unlike the last one, this one has a lot of different modules... not modules, a lot of different options that we need to specify. Now some of them are required and some of them are not.
BLANK_PASSWORDS is not required. BRUTEFORCE_SPEED is required and we will actually select that to be five. There's no need to actually make that more. I mean, we will first of all use our simple password lists, so we will not need a higher speed for this. The next things we need... these are all not required. Password to authenticate with, no. Well, basically you would use this if you already knew the password side; you see the point of this option right here. What we do want is RHOSTS, same as in the previous scan. So just type set RHOSTS and then the IP address of our target machine. So 192.168.1.2, I believe. Let me just check it once again. Yeah, it is .2. And also what you would want to set... basically let's set threads to be 3 again. So set THREADS 3. RPORT is correct and it is 22. STOP_ON_SUCCESS is false: stop guessing when a credential works for a host. So you want to set this to true, since there is no real point in continuing the brute force, unless you want to continue on multiple accounts after you find hosts that actually work, so credentials that are useful. So we type in set STOP_ON_SUCCESS, you can just press tab in order for it to fill in the rest of the name, and you can set this from false to true. And we can see that STOP_ON_SUCCESS is now set to true for both. You also want to set VERBOSE to true so you can see all of the attempts that are running.
Now you don't have to, basically, but I always set it to true so I can see the attempts of the brute force, which we covered already. So just set VERBOSE; again, you can press tab to finish, and then true. And now if I type show options once again, we should have all of our options set and ready to go. Now I believe there is something else we need to use which is the... Yeah, of course, we are not set to go. We need to use a password list, since this doesn't have a password list pre-specified, I believe. So what we want to use is basically... let us try to find our simple password list. So let's open up a second terminal. So new window, and we know that there are some passwords in /usr/share/wordlists.
Now let me zoom this in. If I type ls here, you can see a bunch of these; of course we won't use something like rockyou.txt, it would take forever. These large password lists are most likely the best choice for Wi-Fi cracking. For brute forcing it's really not that good of a choice, since it's not as fast as the Wi-Fi cracking. It's not nearly as fast. So what we want to do is go to the metasploit directory, type ls here, and we will see some of the password lists that come with Metasploit. So we can choose basically any we want. We do not really need to crack the SSH, we just need to show you the process of cracking it, and we will choose any password list we want. So let's say we choose, for example, this one, mirai_user_pass.txt. Now what that means, I believe, is that it has both user and password. Yeah, it has both user and password separated with a space. So we will use that, and we will see the available option for that right here, which would be the user pass file,
a file containing users and passwords separated by a space, one pair per line, which is exactly what we selected. So we need to set this option right here. So let us set that option: set USERPASS_FILE and then we specify the path to the word list. So it was /usr/share/wordlists/metasploit/mirai_user_pass.txt. So we set the path to our brute force list, or basically our password and user name list. And now if we clear and show options once again, now we should really be good to go. So let us run this. We type run and it should start brute forcing the SSH on port 22. As we can see, it is trying different usernames and passwords. It is going by that list that we specified. So these are all failed ones, and if it reaches one that actually exists it will stop and it'll prompt us with a success. So here we can see root:admin, admin:admin, root:root, and some of the other passwords. Now I'm not really sure how many passwords are in this list, so we will not be waiting for this to finish. I just wanted to show you some of the different types of SSH auxiliary modules that you can use. So we saw how we can actually scan the version of SSH. We also saw how we can brute force the SSH. Now you can actually try this both on Metasploitable and on the OWASP machine. I'm not really sure if this password list has the username and password for those machines, but it doesn't really matter, since the process of attacking is the most important. So now you can use any password list you want and actually hope that you will brute force the SSH. So, that would be it for this tutorial.
In the next tutorial we will cover another auxiliary module that we will use to attack another service running on our OWASP virtual machine. So that'll be it for this tutorial, and I hope I see you in the next one. Bye!
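Every attempt that ssh_login makes with VERBOSE set to true also lands in the target's sshd log, so the same run the tutorial shows is visible from the defender's side as a burst of "Failed password" lines from one source address, followed by an "Accepted password" line if STOP_ON_SUCCESS fires. The script below is an added example written for this page, not code from the tutorial or from Metasploit: it parses the standard OpenSSH syslog format (as written by sshd on a Linux host such as the OWASP VM), flags any source IP with five or more failed password attempts inside a sliding 60-second window, records which usernames were tried, and notes the first successful login from an already-flagged source, which is the credential the brute forcer found. The log lines, host name, source addresses and the year assumed for the syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two sshd password-authentication events that matter here.
# "invalid user" is present when the username does not exist on the host.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample of /var/log/auth.log: a userpass-list run against root/admin/guest
# from 192.168.1.9 that succeeds on root, plus one legitimate typo from 192.168.1.20.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 owaspbwa sshd[2101]: Failed password for root from 192.168.1.9 port 51234 ssh2
Mar 10 12:00:02 owaspbwa sshd[2101]: Failed password for invalid user admin from 192.168.1.9 port 51236 ssh2
Mar 10 12:00:02 owaspbwa sshd[2103]: Failed password for root from 192.168.1.9 port 51238 ssh2
Mar 10 12:00:03 owaspbwa sshd[2105]: Failed password for invalid user guest from 192.168.1.9 port 51240 ssh2
Mar 10 12:00:04 owaspbwa sshd[2107]: Failed password for root from 192.168.1.9 port 51242 ssh2
Mar 10 12:00:05 owaspbwa sshd[2109]: Accepted password for root from 192.168.1.9 port 51244 ssh2
Mar 10 12:00:09 owaspbwa sshd[2111]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 10 12:30:00 owaspbwa sshd[2300]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar 10 12:31:00 owaspbwa sshd[2302]: Accepted password for alice from 192.168.1.20 port 40002 ssh2
"""


def parse_sshd_line(line, year=2024):
    """Return a dict for a password-auth event, or None for any other log line."""
    m = SSHD_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; one is assumed so timestamps can be subtracted.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "success": m.group("result") == "Accepted",
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "ip": m.group("ip"),
    }


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed passwords inside a sliding window.

    Returns {ip: {"first_seen", "failures_in_window", "users_tried", ["compromised_user"]}}.
    A success from an already-flagged IP is the server-side view of STOP_ON_SUCCESS.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every username that address attempted
    alerts = {}
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        users[ip].add(ev["user"])
        if ev["success"]:
            if ip in alerts:
                alerts[ip].setdefault("compromised_user", ev["user"])
            continue
        window = recent[ip]
        window.append(ev["ts"])
        # Drop failures older than the window relative to the newest one.
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alert = alerts.setdefault(ip, {"first_seen": window[0], "failures_in_window": 0})
            alert["failures_in_window"] = max(alert["failures_in_window"], len(window))
    for ip, alert in alerts.items():
        alert["users_tried"] = sorted(users[ip])
    return alerts


def demo():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_AUTH_LOG.splitlines())


if __name__ == "__main__":
    for ip, alert in demo().items():
        print(ip, alert)
```

Only 192.168.1.9 is flagged: five failures in four seconds across three usernames, then a successful root login. The single failed attempt from 192.168.1.20 never reaches the threshold, so an ordinary mistyped password does not page anyone. On the mitigation side, the attack the tutorial demonstrates depends entirely on password authentication being allowed; setting PasswordAuthentication no in sshd_config and using key-based logins removes the userpass list as an input altogether, and a rate limiter such as fail2ban applies exactly the failure-count logic shown here to block the source address.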
