Metasploitable3 Demo
Demo 1: Exploit injection (EternalBlue)
Discovery
You are on your attacking machine. First of all you need to find the IP address and network number of your Kali machine (ifconfig command).
At this point you need to execute the MITRE tactic called Discovery: The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. The technical jargon often uses a different term for these steps: enumeration.
- Determine which other hosts are connected to your network. This can be done with nmap network-number-of-your-interface (with /24 syntax). You will probably find 3 IP addresses: one for your Kali machine, one for the target (metasploitable3 VM) and the third one for what?
- How to determine which of the two addresses that do not belong to your Kali machine belongs to the target? (hint: which ports are open at those addresses?)
- Finally, execute a scan on IP-address-target by running nmap with default options.
The above steps correspond to the Network Service Discovery technique.
Reference and suggestions
- Execute another scan with nmap -sV -p- IP-address-target. This command takes much longer and generates much more network traffic but provides a more detailed description. Try to understand the difference in depth and coverage of the scan between the two cases.
- Metasploitable3 has a vulnerable service listening on ports 9200/9300. Is that service detected by nmap in both executions? If yes, is it identified correctly (search the web for the typical usage of those ports)?
- Capture the traffic generated by nmap with default options by running wireshark on the attacking machine. This is useful for understanding the amount of “noise” that could be detected by a defender.
Useful link: Running a quick NMAP scan to inventory my network.
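To make the “noise” of a default nmap scan concrete from the defender's side, here is an added example (not part of the lab page) of the simplest scan detector: one source touching many distinct ports of one host within a short window. The connection records, addresses and thresholds are all constructed.

```python
"""Added example: port-scan detection over connection records.
Records are constructed, not captured from the lab network."""
from collections import defaultdict


def build_events():
    """Constructed connection attempts as (time_s, src_ip, dst_ip, dst_port).
    10.0.2.15 (constructed attacker address) probes 200 ports of 10.0.2.5
    (constructed target) in about 4 seconds, like a default nmap run;
    10.0.2.7 is a normal client that only talks to two services (SMB and
    the WordPress port 8585 mentioned later on this page) over minutes."""
    events = []
    for i, port in enumerate(range(1, 201)):
        events.append((0.02 * i, "10.0.2.15", "10.0.2.5", port))
    for k in range(30):
        events.append((10.0 * k, "10.0.2.7", "10.0.2.5", 445))
        events.append((10.0 * k + 5, "10.0.2.7", "10.0.2.5", 8585))
    return events


def find_scanners(events, window_s=10.0, min_ports=50):
    """Return {(src, dst): distinct_port_count} for every (src, dst) pair where
    the source touched at least `min_ports` distinct destination ports within
    any `window_s`-second window. A service scan (-sV -p-) produces the same
    fan-out pattern, only over all 65535 ports and for far longer."""
    by_pair = defaultdict(list)
    for t, src, dst, port in events:
        by_pair[(src, dst)].append((t, port))
    flagged = {}
    for pair, probes in by_pair.items():
        probes.sort()
        start, best = 0, 0
        for end in range(len(probes)):
            # slide the window start forward until it fits within window_s
            while probes[end][0] - probes[start][0] > window_s:
                start += 1
            distinct = len({p for _, p in probes[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            flagged[pair] = best
    return flagged


if __name__ == "__main__":
    for (src, dst), n in find_scanners(build_events()).items():
        print(f"possible scan: {src} -> {dst}, {n} distinct ports in 10 s")
```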
SMB Exploitation (EternalBlue)
Overview
SMB is a communication protocol for sharing files and printers. A service that can be accessed with this protocol runs on basically all Windows systems. It exposes functionalities for accessing files, navigating through directories and the like (e.g., search “smb commands windows”). As such, this service does not expose any functionality for executing arbitrary commands, launching a shell, managing users or devices and the like.
Vulnerability CVE-2017-0144 affects the Windows SMB server. This vulnerability can be exploited by an unauthenticated remote attacker for executing arbitrary code on the machine running the server (see also Microsoft Security Bulletin MS17-010).
An exploit for this vulnerability, developed by the NSA and secretly used for their attacks, was publicly released on 17/4/2017 by "The Shadow Brokers", a hacking group whose real identities are not known. This exploit is widely known as “EternalBlue” and was used in several large scale ransomware attacks a few months later (WannaCry / NotPetya). Interestingly, a patch for this vulnerability had already been made available by Microsoft at the time of those disruptive attacks. One of the reasons for the large-scale impact of those attacks is that hundreds of thousands of machines around the world had not applied the patch (a few notes by myself on this fact).
The metasploitable3 Windows VM has this vulnerability (no longer present in modern Windows platforms). Metasploit has a module containing an exploit for that vulnerability, where the default payload launches a Meterpreter session with SYSTEM privilege (i.e., a shell with full control over the attacked system).
Exploit injection
MITRE ATT&CK Techniques: Exploitation of Remote Services or Exploit Public-Facing Application
- Execute the metasploit search command to have a look at the exploits available and possibly focus on those available for Windows targets.
- Use the exploit exploit/windows/smb/ms17_010_eternalblue for obtaining a meterpreter session on metasploitable3. You just need to specify the RHOST option by setting it to the IP address of metasploitable3.
- Ascertain the user associated with that session (meterpreter getuid command).
- Take a moment to realize what has happened: by exploiting a mistake in a service for accessing files and printers, one has taken full control of the attacked machine.
Then you can operate on metasploitable3 by playing with meterpreter from the attacker machine. Before doing that, make sure to read and understand the next section.
Understand process structure
The exploit payload is the meterpreter server. This payload is injected within the memory of the vulnerable program (SMB server). Thus, after injection, the meterpreter client is connected to the same process that runs the SMB server. No new process is created.
The meterpreter commands issued by the client machine will be executed by the vulnerable process at the other side, i.e., on the attacked machine. The operating system on the attacked machine will execute only those commands for which the vulnerable process has sufficient access rights. Since that process is associated with the SYSTEM identity, that process has the highest privilege level possible and thus every command can be executed.
One of the possible meterpreter commands is shell, which spawns a shell on the attacked machine. In this case a new process is created. The identity of that process is the same as the identity of its parent process (i.e., of the vulnerable process). Thus, the shell process will also have the SYSTEM identity.
Another meterpreter command is migrate, which moves the meterpreter server into the memory of another running process on the attacked machine. In this case, the identity of the meterpreter server after migration will be that of the "destination process".
Play with the attacked machine
Some suggestions:
- Have a look at which files might have interesting content (search -f *.pdf, or jpg, or whatever). The search may be rooted at a specified directory with the -d option.
- Grab a screenshot of the desktop. To do so, there must be a user logged on metasploitable3, otherwise the screenshot will be fully black (no desktop); you might want to log on as some user on metasploitable3, e.g., user vagrant with password vagrant. Details for grabbing the screenshot are described here: try to understand what you are doing and why.
- Have a look at the event logs in metasploitable3. You need to log on to metasploitable3 as user vagrant\vagrant and then run the Windows “event viewer” (i.e., not from the attacker machine). Understanding the meaning of those "low-level" events and mapping them to "high-level" activities is very difficult (we will touch this topic very briefly near the end of this course). Just have a look and see that there are many events. Then execute the meterpreter clearev command and look at the event logs again. Try to imagine the implications.
- Launch a shell on metasploitable3 with the meterpreter shell command and then execute some commands.
Interesting commands to run from a meterpreter shell (the following suggestions require some simple web searches, or ChatGPT interactions, for figuring out the necessary details):
- Create a new user (search in the web for “windows create user command line” or ask ChatGPT with a suitable prompt, as indicated in the page about LLMs (ChatGPT, Gemini, DeepSeek etc.))
- Assign administrator privilege to that user (search in the web for “windows modify user and account privileges command line” or ask ChatGPT)
Note that the newly created user will be visible on the logon screen of metasploitable3. If one wants to keep the newly created user hidden (in that screen), then a certain system attribute of that user should be modified. This is possible but not trivial, and I do not think it is interesting in this context. It may be more interesting to identify the corresponding events that have been generated in the Security log of metasploitable3 and then clear the log as suggested above.
Demo 2: Password guessing and stealing
Online password guessing
MITRE ATT&CK Techniques: Brute Force: Password Guessing.
There are many tools for executing an online password guessing attack, including nmap, metasploit and Hydra (all of them already installed in Kali). A tool of this kind must be able to execute the authentication exchange of the specific protocol considered, and the tools mentioned above support many protocols. In general, one has to specify a list of users and a list of passwords as inputs. There are many such lists available and many possible ways for constructing them. Note that many web pages (somewhat improperly) use the term “brute force” for describing this kind of guessing attack.
One could use some of the many wordlists available on Kali Linux (see the wordlists package), but those attacks would take a very long time. For simplicity, I suggest proceeding as follows:
- Use the Kali cewl command for constructing a new wordlist from the content of the metasploitable3 configuration page: cewl -d 0 -w metasploitable3.txt https://github.com/rapid7/metasploitable3/wiki/Configuration (option -d 0 states that hyperlinks should not be followed).
- Construct a much smaller wordlist (metasploitable3-short.txt) containing: vagrant, root, administrator, Administrator, and 5-10 words taken from metasploitable3.txt constructed as above.
- Use metasploitable3-short.txt in the attacks suggested below. This wordlist can be used as a user list or a password list, or both.
In a real setting one could reasonably use cewl as indicated above for creating metasploitable3.txt. The step for shrinking this wordlist and obtaining metasploitable3-short.txt is obviously not realistic, though.
Useful link: Detailed guide on Hydra.
SSH
(Update March 2025) For some strange reason, in some cases the SSH service on the Windows Server Metasploitable3 machine does not start (we are not alone here: https://github.com/rapid7/metasploitable3/issues/70). You can see whether it started or not by looking at the nmap output. If it does not start, just skip this section and go to the next one directly. If you find a solution please let me know.
The SSH service is an attractive target for password guessing attacks because a success would provide a remote shell (whose level of privilege will depend on the privilege of the user whose credentials have been found).
Metasploitable3 has weak credentials for this service (of course, in a real setting this knowledge is not available).
Suggestions:
- Try to see whether the metasploitable3 SSH service is vulnerable to the exploit auxiliary/scanner/ssh/ssh_enumusers. This exploit takes a list of users as input and tells which of those users are valid usernames for the targeted service.
- If the above exploit succeeds, use the corresponding user list with the password list obtained in a previous section for executing a guessing attack. Such an attack may be executed either with Hydra or with metasploit (auxiliary/scanner/ssh/ssh_login).
- Always make sure to set the necessary options for checking whether a null password works.
- If you manage to find valid credentials, you may connect to the SSH service with any SSH client or with the metasploit auxiliary/scanner/ssh/ssh_login module, by setting the options username and password.
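Seen from the targeted server, a Hydra or ssh_login run like the one above leaves a burst of failed logins from one source, sometimes followed by a success once a guess lands. The detector below is an added example (not part of the lab page); its log lines are constructed in the OpenSSH-on-Linux syslog format, so the regular expression is the part to adapt for a different SSH server.

```python
"""Added example: spotting online password guessing in an SSH auth log.
Log lines are constructed; hostname, addresses and pids are made up."""
import re
from collections import defaultdict
from datetime import datetime

AUTH_LOG = """\
Mar 12 10:15:01 m3 sshd[2201]: Failed password for invalid user admin from 10.0.2.15 port 51001 ssh2
Mar 12 10:15:02 m3 sshd[2203]: Failed password for root from 10.0.2.15 port 51002 ssh2
Mar 12 10:15:03 m3 sshd[2205]: Failed password for invalid user administrator from 10.0.2.15 port 51003 ssh2
Mar 12 10:15:04 m3 sshd[2207]: Failed password for Administrator from 10.0.2.15 port 51004 ssh2
Mar 12 10:15:05 m3 sshd[2209]: Failed password for vagrant from 10.0.2.15 port 51005 ssh2
Mar 12 10:15:06 m3 sshd[2211]: Failed password for vagrant from 10.0.2.15 port 51006 ssh2
Mar 12 10:15:07 m3 sshd[2213]: Accepted password for vagrant from 10.0.2.15 port 51007 ssh2
Mar 12 10:40:33 m3 sshd[2410]: Failed password for vagrant from 10.0.2.7 port 40010 ssh2
Mar 12 10:40:40 m3 sshd[2412]: Accepted password for vagrant from 10.0.2.7 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")


def parse_auth_log(text):
    """Turn matching sshd lines into dicts; syslog omits the year, so the
    timestamps carry strptime's default year (only differences matter here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
                           "outcome": m.group(2), "user": m.group(3), "src": m.group(4)})
    return events


def detect_guessing(events, window_s=60, min_failures=5):
    """Return {src: report} for sources with >= min_failures failed logins inside
    any window_s-second window; the report records the usernames tried and a
    successful login from the same source after the burst, if any."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    reports = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "Failed"]
        start, burst_end = 0, None
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_failures:
                burst_end = fails[end]["ts"]
        if burst_end is None:
            continue
        ok = next((e for e in evs if e["outcome"] == "Accepted" and e["ts"] >= burst_end), None)
        reports[src] = {"failures": len(fails),
                        "users_tried": sorted({e["user"] for e in fails}),
                        "success_after_burst": ok["user"] if ok else None}
    return reports


if __name__ == "__main__":
    for src, rep in detect_guessing(parse_auth_log(AUTH_LOG)).items():
        print(src, rep)
```

A single mistyped password from 10.0.2.7 is not reported; the guessing source is, together with the account whose guess eventually succeeded.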
SSH is often configured with public key client authentication. With this configuration, an SSH client must prove knowledge of a password and of a certain private key; the SSH server must know the matching public key of that client. The mechanism is conceptually identical to TLS with mutual authentication (a topic no longer studied in "Computer Networks"): in the default TLS configuration, it is the server that proves knowledge of a private key; in the mutual TLS configuration, instead, each of the two sides proves knowledge of its own private key to the other side.
SSH in metasploitable3 is not configured this way, thus obtaining a client password suffices for impersonating that client. Note that a guessing attack for obtaining the private key of a client is not meaningful (why?).
Useful link: What Is SSH: Understanding Encryption, Ports and Connection.
MySQL
The MySQL service is an attractive target for password guessing attacks, because a success would provide access to the corresponding databases. The content of those databases may often be very valuable to the attacker.
Furthermore, the content of a MySQL database is often useful for executing further attack steps. The reason is that services that store and manage credentials independently of the operating system's own store often keep those credentials in a database. This is usually the case of web applications, for example. A MySQL database, thus, often contains credentials of some other services running on the same machine as the MySQL server (section Password Stealing, MySQL).
Metasploitable3 has weak credentials for the MySQL service (of course, in a real setting this knowledge is not available).
Suggestions:
- Try to find credentials with Hydra or with metasploit (auxiliary/scanner/mysql/mysql_login). Use metasploitable3-short.txt as user list and password list. Make sure to set the necessary options for checking whether a null password works.
- If you manage to find valid credentials, you may connect to the MySQL service with any MySQL client (search the web for “kali mysql client”).
Password stealing
MITRE ATT&CK Techniques: OS Credential Dumping: Security Account Manager and Credentials from Password Stores.
Passwords must never be stored in plaintext. They must be stored in some non-invertible form (e.g., hashed) so that they are not immediately useful to an adversary if they are stolen (this topic will be analyzed in much more detail later in this course).
Windows
Credentials of all Windows accounts are stored in a portion of secondary storage called SAM (Security Account Manager). The SAM usually contains two different hashes for each password, one of them for compatibility reasons not discussed here. The SAM content may be read (i.e., password hashes may be stolen) by specialized programs executed on the target machine with high privilege. Several such programs exist.
Password hashes of Windows accounts may be used for:
- Trying to obtain the corresponding password (see section Password Cracking below).
- Impersonating the corresponding users even without figuring out the respective passwords (this topic is discussed in a later part of this course---MITRE ATT&CK Pass the Hash).
Suggestions:
- Having obtained a meterpreter session as described in section SMB Exploitation (EternalBlue), dump the SAM content with the meterpreter command hashdump and store its output in a text file on the attacking machine.
MySQL
Services often manage accounts and credentials independently of the underlying operating system, i.e., Windows. The corresponding information must be stored in some secondary storage, usually in a database. This is usually the case of web applications, for example. A MySQL database, thus, often contains credentials of some other services running on the same machine as the MySQL server.
The target machine has a MySQL service running. This database could store credentials of some service running on that machine (hint: the MySQL database stores Wordpress credentials; Wordpress is an open source content management system widely used for building web sites).
Suggestions:
- Having obtained MySQL credentials as described in section MySQL password guessing, try to determine whether any such credentials have admin privilege on MySQL. Then, use those credentials for:
- Listing the databases on the MySQL service and see whether there is any one that could contain credentials of some service.
- Listing the tables of that database and see which one could contain credentials.
- Inspect the schema of that table and prepare a SQL query for extracting the relevant columns.
- Execute that query and store its output in a text file on the attacking machine.
Useful links:
- Pwning WordPress Passwords (see first part)
- Metasploitable 3 Windows Walkthrough: Part VI (see second part).
Demo 3: Password cracking
Password cracking is an attack that, given a password hash, attempts to obtain the corresponding password (MITRE ATT&CK Brute Force: Password Cracking). Since hash functions are designed to be non-invertible (an output value does not provide any information about the corresponding input), such attacks work by computing the hash of each password in an input dictionary (password list) until finding a value identical to the hash available. Of course, success of the attack depends on whether the password to be found is in the input dictionary and on the amount of computing resources available.
This guessing attack is often called “offline guessing” because during its execution there is no communication at all with the service where the targeted credentials are used.
The most widely used tools for password cracking are hashcat and john the ripper (command john). Keep in mind:
- The input file containing the hashes must be structured as required by the tool (hashcat expects to receive only the hashes, john can receive a SAM line with the suitable input option).
- The correct hash format must be specified as an input option.
- Usage of both hashcat and john is quite complex (e.g., john maintains a hidden cache of recently cracked hashes, so in repeated executions those hashes are not cracked again; and a VM might not have enough memory to run hashcat).
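The following is an added example (not part of the lab page, and not how hashcat or john are implemented) of the offline guessing loop just described, run against a constructed dump twice: once over unsalted fast hashes, and once over salted, iterated hashes of the same passwords, to show why the storage form discussed under Password stealing decides how expensive the attack is. The wordlist, users, passwords and salts are all constructed.

```python
"""Added example: offline dictionary guessing against two password stores.
Everything here (wordlist, users, passwords, salts) is constructed."""
import hashlib
import os
import time

# Constructed stand-in for metasploitable3-short.txt.
WORDLIST = ["vagrant", "root", "administrator", "Administrator",
            "metasploitable3", "rapid7", "winter2017", "wordpress"]
ITERATIONS = 50_000  # PBKDF2 work factor for the slow store


def constructed_dump():
    """Three constructed accounts; bob's password is deliberately absent from
    WORDLIST, so no dictionary run can recover it. Returns (unsalted, salted):
    unsalted = {user: sha256_hex}, salted = {user: (salt, pbkdf2_hex)}."""
    passwords = {"vagrant": "vagrant", "alice": "winter2017", "bob": "Tr0ub4dor&3"}
    unsalted = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in passwords.items()}
    salted = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        salted[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS).hex())
    return unsalted, salted


def crack_unsalted(targets, wordlist):
    """Hash every word once and look the stored hashes up in the result: with no
    salt, one pass over the wordlist cracks every user at the same time, and
    two users with the same password share the same stored hash."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {u: lookup[h] for u, h in targets.items() if h in lookup}


def crack_salted(targets, wordlist, iterations=ITERATIONS):
    """With a per-user salt nothing can be shared between users: each guess is
    recomputed per user, and each computation costs `iterations` rounds."""
    found = {}
    for user, (salt, digest) in targets.items():
        for word in wordlist:
            cand = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()
            if cand == digest:
                found[user] = word
                break
    return found


if __name__ == "__main__":
    unsalted, salted = constructed_dump()
    for label, fn, tgt in (("unsalted sha256", crack_unsalted, unsalted),
                           ("salted pbkdf2", crack_salted, salted)):
        t0 = time.perf_counter()
        print(label, fn(tgt, WORDLIST), f"{time.perf_counter() - t0:.3f}s")
```

Both runs recover the same two accounts; the difference the timings show is what the attacker pays per guess, which is the only lever a defender has once a hash dump has been stolen.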
Cracking credentials extracted from MySQL
- Take the credentials extracted from the MySQL database in the previous section.
- Execute the Kali command hash-identifier on one of the hashes in order to have an indication of the hash function used, i.e., of the program that could have originated that hash (we already have such information: wordpress).
- Use the password list constructed in the above section Online password guessing for executing an offline guessing (password cracking) on the Wordpress credentials. In less than half an hour you should recover some password.
Of course, in a real environment, you would not know in advance whether the attack would be successful or how long it would take. Nor would you know in advance that the passwords stored in MySQL are for Wordpress authentication.
Assuming you obtained some wordpress credentials:
- Launch a browser and point it to http://IP-address-target:8585/wordpress (a website created with wordpress is usually available on the standard ports, i.e., 80/443; in metasploitable3 it has instead been configured to be available on port 8585 at that URL).
- Try to find the login page.
- Try to use one of the recovered credentials for becoming admin of the web site.
Cracking credentials extracted from Windows SAM
- Take the credentials extracted from the Windows SAM in the previous section.
- Execute the very same steps as those for cracking MySQL password hashes.
Assuming you obtained some Windows credentials, use them for interactive logon on metasploitable3.
You may use those credentials also for some action that requires a network logon (e.g., remote file access, remote command execution). In that case keep in mind:
- Command execution with network logon is possible only for accounts in the Administrator group.
- In practice, a password hash usually suffices for network logon on a Windows machine (this topic is discussed in a later part of this course---MITRE ATT&CK Pass the Hash).