Metasploitable3 - rapid7 GitHub
Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit.
- U: vagrant P: vagrant
- U: leah_organa P: help_me_obiw@n
- U: luke_skywalker P: use_the_f0rce
- U: han_solo P: sh00t-first
- U: artoo_detoo P: beep_b00p
- U: c_three_pio P: pr0t0c0l
- U: ben_kenobi P: thats_no_moon
- U: darth_vader P: d@rk_sid3
- U: anakin_skywalker P: yipp33!!
- U: jarjar_binks P: mesah_p@ssw0rd
- U: lando_calrissian P: b@ckstab
- U: boba_fett P: mandalorian1
- U: jabba_hutt P: not-a-slug12
- U: greedo P: hanShotFirst!
- U: chewbacca P: rwaaaaawr5
- U: kylo_ren P: daddy_issues1
All of the above users belong to various user groups with varying levels of privilege.
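
The accounts listed above are the ones this page later describes as having weak, easily cracked passwords. As an added example (not part of the original page or the Metasploitable3 project), this Python audit shows why: most of them pass a typical length-plus-symbol complexity rule, yet reduce to dictionary words once common character substitutions are undone. The wordlist, substitution map and function names are assumptions constructed for illustration.

```python
import re

# Common character substitutions folded back to letters (constructed map).
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "5": "s", "$": "s"})

# Constructed sample wordlist (assumption); a real audit would load a large
# dictionary plus organisation-specific terms.
WORDLIST = {"help", "force", "shoot", "first", "protocol", "dark", "side",
            "password", "mandalorian"}

# (username, password) pairs copied from the credential list on this page.
ACCOUNTS = [
    ("vagrant", "vagrant"),
    ("leah_organa", "help_me_obiw@n"),
    ("luke_skywalker", "use_the_f0rce"),
    ("han_solo", "sh00t-first"),
    ("c_three_pio", "pr0t0c0l"),
    ("darth_vader", "d@rk_sid3"),
    ("jarjar_binks", "mesah_p@ssw0rd"),
    ("boba_fett", "mandalorian1"),
]

def tokens(text):
    """Split on anything that is not a-z; keep tokens of 3+ letters."""
    return {t for t in re.split(r"[^a-z]+", text) if len(t) >= 3}

def naive_complexity_ok(pw):
    """Typical complexity rule: length >= 8 and at least one non-letter."""
    return len(pw) >= 8 and re.search(r"[^A-Za-z]", pw) is not None

def dictionary_hits(user, pw):
    """Wordlist or username tokens found in the raw or de-leeted password."""
    low = pw.lower()
    candidates = tokens(low) | tokens(low.translate(LEET))
    known = WORDLIST | tokens(user.lower())
    return sorted(candidates & known)

def audit(accounts):
    """Map username -> (passes naive rule, dictionary tokens found)."""
    return {u: (naive_complexity_ok(p), dictionary_hits(u, p)) for u, p in accounts}

if __name__ == "__main__":
    for user, (ok, hits) in audit(ACCOUNTS).items():
        print(f"{user:16} naive_rule={'pass' if ok else 'FAIL'} hits={hits}")
```

A password that passes the naive rule but still produces dictionary hits is the case a complexity-only policy misses; a blocklist check on the normalized form catches it.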
- Install Vagrant
- Open a folder with PowerShell and run:
vagrant plugin install vagrant-reload
mkdir metasploitable3-workspace
cd metasploitable3-workspace
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/rapid7/metasploitable3/master/Vagrantfile" -OutFile "Vagrantfile"
- Whitelist the metasploitable3-workspace folder in the Antivirus
📌 With VMware Workstation, the Vagrantfile needs some additional lines to work and to show the VMs in the VMware Library
- Open Vagrantfile with a text editor
- Add those lines for both VMs
# VMware provider settings for the Ubuntu 14.04 VM
ub1404.vm.provider "vmware_desktop" do |v|
  v.vmx["displayname"] = "Metasploitable3-ub1404"
  v.memory = 2048
  v.cpus = 2
  v.gui = true
end
# VMware provider settings for the Windows 2008 VM
win2k8.vm.provider "vmware_desktop" do |v|
  v.vmx["displayname"] = "Metasploitable3-win2k8"
  v.memory = 4096
  v.cpus = 2
  v.gui = true
end
- Run vagrant with these commands to download and start the VMs with VMware
vagrant cap provider scrub_forwarded_ports
vagrant up --provider=vmware_desktop
- Or run vagrant with this command to download and start the VMs with VirtualBox
vagrant up --provider=virtualbox
- To fully disable the firewall on the Win2k8 VM, run in CMD as admin
netsh advfirewall set allprofiles state off
When both VMs are ready, they can be opened.
Default login credentials are vagrant:vagrant
- To stop the VMs, run this command, which attempts a graceful shutdown of the VMs
vagrant halt
- If this doesn't work, proceed with manual shutdown of the Virtual Machines inside VMware/VirtualBox.
- 4848 - HTTP
- 8080 - HTTP
- 8181 - HTTPS
- Username: admin
- Password: sploit
- On Metasploitable3, point your browser to http://localhost:4848.
- Login with the above credentials.
- Stop: Open task manager and kill the java.exe process running glassfish
- Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.
- CVE-2011-0807
- exploits/multi/http/glassfish_deployer
- auxiliary/scanner/http/glassfish_login
- 8282 - HTTP
- Apache Tomcat Web Application Manager
- U: sploit
- P: sploit
- To access the vulnerable application, point your browser on Metasploitable3 to http://localhost:8282/struts2-rest-showcase
- To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. Login with the above credentials.
- Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
- Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.
- CVE-2016-3087
- exploit/multi/http/struts_dmi_rest_exec
- 8282 - HTTP
- U: sploit
- P: sploit
- To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. Login with the above credentials.
- Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
- Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.
- CVE-2009-3843
- CVE-2009-4189
- auxiliary/scanner/http/tomcat_enum
- auxiliary/scanner/http/tomcat_mgr_login
- exploits/multi/http/tomcat_mgr_deploy
- exploits/multi/http/tomcat_mgr_upload
- post/windows/gather/enum_tomcat
- 8484 - HTTP
- None enabled by default
- Point your browser on Metasploitable3 to http://localhost:8484.
- Stop: Open services.msc. Stop the jenkins service.
- Start: Open services.msc. Start the jenkins service.
- exploits/multi/http/jenkins_script_console
- auxiliary/scanner/http/jenkins_enum
- 21 - FTP
Windows credentials
Any FTP client should work
- Stop:
net stop msftpsvc
- Start:
net start msftpsvc
- auxiliary/scanner/ftp/ftp_login
- 80 - HTTP
- U: vagrant
- P: vagrant
- Point your browser on Metasploitable3 to http://localhost.
- Stop: Open services.msc. Stop the World Wide Web Publishing service.
- Start: Open services.msc. Start the World Wide Web Publishing service.
- CVE-2015-1635
- auxiliary/dos/http/ms15_034_ulonglongadd
- 445 - SMB
- 139 - NetBIOS
- Any credentials valid for Metasploitable3 should work. See the list of users above.
- Use the psexec tool to run commands remotely on the target.
- Enabled by default
- Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and used to run remote code using psexec.
- exploits/windows/smb/psexec
- exploits/windows/smb/psexec_psh
- 22 - SSH
- Any credentials valid for Metasploitable3 should work. See the list of users above.
- Use an SSH client to connect and run commands remotely on the target.
- Enabled by default
- Multiple users with weak passwords exist on the target. Those passwords can be easily cracked. Once a session is opened, remote code can be executed using SSH.
- 5985 - HTTPS
- Any credentials valid for Metasploitable3 should work. See the list of users above.
- Stop: Open services.msc. Stop the Windows Remote Management service.
- Start: Open services.msc. Start the Windows Remote Management service.
- Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and WinRM can be used to run remote code on the target.
- auxiliary/scanner/winrm/winrm_cmd
- auxiliary/scanner/winrm/winrm_wql
- auxiliary/scanner/winrm/winrm_login
- auxiliary/scanner/winrm/winrm_auth_methods
- exploits/windows/winrm/winrm_script_exec
- 80 - HTTP
- Any credentials valid for Metasploitable3 should work. See the list of users above.
- Point your browser on Metasploitable3 to http://localhost/caidao.asp
- Stop: Open services.msc. Stop the World Wide Web Publishing service.
- Start: Open services.msc. Start the World Wide Web Publishing service.
- auxiliary/scanner/http/caidao_bruteforce_login
8020 - HTTP
Username: admin Password: admin
On Metasploitable3, point your browser to http://localhost:8020. Login with the above credentials.
- Stop: In command prompt, do
net stop "ManageEngine Desktop Central Server"
- Start: In command prompt, do
net start "ManageEngine Desktop Central Server"
- CVE-2015-8249
- exploit/windows/http/manageengine_connectionid_write
9200 - HTTP
No credentials needed
On Metasploitable3, point your browser to http://localhost:9200.
- Stop: In command prompt, do
net stop elasticsearch-service-x64
- Start: In command prompt, do
net start elasticsearch-service-x64
- CVE-2014-3120
- exploit/multi/elasticsearch/script_mvel_rce
8282 - HTTP
No credentials needed
On Metasploitable3, point your browser to http://localhost:8282/axis2.
Log into Apache Tomcat, and start or stop from the application manager.
- CVE-2010-0219
- exploit/multi/http/axis2_deployer
8585 - HTTP
No credentials needed
See the PR here: rapid7/metasploitable3#16
- Stop: In command prompt, do
net stop wampapache
- Start: In command prompt, do
net start wampapache
- auxiliary/scanner/http/http_put (see rapid7/metasploitable3#16)
161 - UDP
Community String: public
Load the auxiliary/scanner/snmp/snmp_enum module in Metasploit to parse the SNMP data.
- Stop: In command prompt, do
net stop snmp
- Start: In command prompt, do
net start snmp
- auxiliary/scanner/snmp/snmp_enum
3306 - TCP
U: root P:
Use the mysql client to connect to port 3306 on Metasploitable3.
- Stop: In command prompt, do
net stop wampmysql
- Start: In command prompt, do
net start wampmysql
- windows/mysql/mysql_payload
1617 - TCP
No credentials needed
Download the connector client and use the instructions found here: http://docs.oracle.com/javase/tutorial/jmx/remote/index.html
- Stop: In command prompt, do
net stop jmx
- Start: In command prompt, do
net start jmx
- CVE-2015-2342
- multi/misc/java_jmx_server
8585 - HTTP
No credentials needed
On Metasploitable3, point your browser to http://localhost:8585/wordpress.
- Stop: In command prompt, do
net stop wampapache
- Start: In command prompt, do
net start wampapache
- NinjaForms 2.9.42 - CVE-2016-1209
- unix/webapp/wp_ninja_forms_unauthenticated_file_upload
3389 - RDP
Any Windows credentials
Use a remote desktop client. Either your OS already has one, or download a third-party one.
- Stop:
net stop rdesktop
- Start:
net start rdesktop
N/A
8585 - HTTP
U: root P:
On Metasploitable3, point your browser to http://localhost:8585/phpmyadmin.
- Stop: In command prompt, do
net stop wampapache
- Start: In command prompt, do
net start wampapache
- CVE-2013-3238
- multi/http/phpmyadmin_preg_replace
- 3000 - HTTP
N/A
- On Metasploitable3, point your browser to http://localhost:3000.
- Stop: Open task manager and kill the ruby.exe process
- Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.
- CVE-2015-3224
- exploit/multi/http/rails_web_console_v2_code_exec