Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
168 views6 pages

Lab Exercise - Exploiting The Target Using Metasploit

This document outlines a lab exercise for exploiting a target using Metasploit, divided into three parts: connecting nodes, identifying services, and exploiting the target. It details the setup of Kali Linux and Metasploitable VMs, performing an NMAP scan to identify services, and using Metasploit to execute an SSH brute-force attack. The exercise requires specific resources and configurations to successfully establish communication between the VMs and carry out the exploitation process.

Uploaded by

Christian Flores Ramirez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
168 views6 pages

Lab Exercise - Exploiting The Target Using Metasploit

This document outlines a lab exercise for exploiting a target using Metasploit, divided into three parts: connecting nodes, identifying services, and exploiting the target. It details the setup of Kali Linux and Metasploitable VMs, performing an NMAP scan to identify services, and using Metasploit to execute an SSH brute-force attack. The exercise requires specific resources and configurations to successfully establish communication between the VMs and carry out the exploitation process.

Uploaded by

Christian Flores Ramirez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Lab Exercise 4 – Exploiting the target using Metasploit

Objectives

▪ Part 1: Connecting the nodes


▪ Part 2 : Identification of services
▪ Part 3 : Using metasploit to exploit the targe

Required Resources

▪ Computer with a minimum of 8 GB of RAM and 50 GB of free disk space


▪ Kali Linux installed on virtual box
▪ Metasploitable VM

Part 1: Connecting the nodes

1. Download the metasploitable VM from concordia sharepoint portal. Double click on the OVA
download to import the VM into Virtualbox.
(Alternate Link: https://www.dropbox.com/s/2j7atysi1ej7jlh/8.%20Metasploitable%20VM.ova?dl=0)
2. Click on Kali linux VM (Turn it off if it is on). Go to settings > Network > Adapter 2 > Enable.
For the “Attached to” option, select internal network from the dropdown . Set the name as
HOME-LAB-NETWORK.
3. Repeat the same steps for Metasploitable VM. (Enabling network adapter and setting it to
HOME-LAB-NETWORK)
4. Turn on both the VMs.

CECR 1003 – Cybersecurity by Design


5. On the KALI VM, type in the following command to set the IP address on eth1 to 10.10.10.1.
Type in the ifconfig command to verify that the IP address has been assigned.
# ifconfig eth1 10.10.10.1 netmask 255.255.255.0 up

6. Login to the metasploitable VM using the crendentials msfadmin/msfadmin.


Yype in the following command to set the IP address on eth1 to 10.10.10.10. Type in the
ifconfig command to verify that the IP address has been assigned.
# ifconfig eth1 10.10.10.10 netmask 255.255.255.0 up

7. On Metasploitable, Perform a ping test to Kali VM by pinging the IP 10.10.10.1. At this point,
both VMs are able to communicate each other.

CECR 1003 – Cybersecurity by Design


Part 2 : Identification of services

1. From Kali linux VM, perform an NMAP Scan of the metasploitable VM to identify the services
running, the OS version and the open ports.
# nmap -v -sV 10.10.10.10

CECR 1003 – Cybersecurity by Design


Part 3 : Exploiting metasploitable using metasploit

1. On Kali Linux VM, Open a terminal and start postgresql service.


# service postgresql start

2. Start the metasploit using the command msfconsole.


# msfconsole

3. From part 2 of the exercise, we got to know about the services running on our target. So on
metasploit, we will look for exploits specific to these services using search command.

CECR 1003 – Cybersecurity by Design


4. Then we make use of one of the exploits or auxillaries using the use command along with the
complete path. In this case, we will be using the ssh_login auxillary to try and bruteforce the
SSH login. Use the show options command to see the available options.
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options

5. On desktop > Right click > Create document > Empty document (Name it usernames.txt). Add
the following 10 standard usernames and save.
Also copy the rockyou.txt password dictionary to the desktop.

6. Configure the options required such as the target IP address, username file to be used,
password dictionary to be used and finally the run command to execute the attack.

CECR 1003 – Cybersecurity by Design


The attack runs for several minutes after which one of the combination works and the command
shell session opens.

CECR 1003 – Cybersecurity by Design

You might also like