Tutorial: How to scan and exploit Metasploitable-2 using Metasploit, Nexpose, Nessus, Nmap, and John the Ripper

Blog Post created by webpwnized on Jul 5, 2012

This video tutorial covers exploiting Metasploitable-2 to get a root shell and eventually a terminal via a valid "sudo-able" login over SSH.


Two machines, a test host (Backtrack 5-R2) and a target host (Metasploitable-2), are set up on a VirtualBox host-only network. With this lab network set up, the demonstration walks through a practice pen-test using the phases of recon, scanning, exploitation, post-exploitation, and maintaining access. (Covering tracks and reporting are not covered. Recon is assumed because VirtualBox runs a default DHCP server on the 192.168.56/24 network.) (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network.)


Initially, nmap is used to locate the Metasploitable-2 machine on the VirtualBox host-only network. In the video the Metasploitable-2 host is running at and the Backtrack 5-R2 host at. Additionally, open ports are enumerated with nmap along with the services running on them. The nmap default NSE scripts provide additional information on the services and help nmap discover the precise version. Some features of nmap are reviewed and an nmap XML report is generated. This report is viewed in Firefox and imported into Metasploit, both via msfconsole and using the Metasploit Community Edition web interface, which has the functionality of db_import built in. nmap is run a second time with different options to show how to focus the information in the reports on open services.


With the services listed and versions discovered, it is possible to begin locating vulnerabilities for those services. To make this step easier, both the Nessus and Rapid7 Nexpose scanners are used to locate potential vulnerabilities for each service. Eventually an exploit suitable for the outdated Samba service running on Metasploitable-2 is chosen, and the Metasploit msfconsole is used to configure the samba-usermap exploit. The cmd/unix/bind_netcat payload is selected and sent to Metasploitable-2 via the samba-usermap exploit. A remote root shell is gained.


For post-exploitation, the shell is used to gather the usernames and passwords for Metasploitable-2, which are copied back to the testing machine and cracked with John the Ripper. The two files are "unshadowed" using the JTR unshadow utility and then cracked with the JTR MD5 module. The cracked passwords are stored in the JTR pot file for later retrieval.


This video was recorded by Jeremy Druin (@webpwnized).