Metasploitable3
Metasploitable3 - rapid7 GitHub
Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit.
U: vagrant P: vagrant
U: leah_organa P: help_me_obiw@n
U: luke_skywalker P: use_the_f0rce
U: han_solo P: sh00t-first
U: artoo_detoo P: beep_b00p
U: c_three_pio P: pr0t0c0l
U: ben_kenobi P: thats_no_moon
U: darth_vader P: d@rk_sid3
U: anakin_skywalker P: yipp33!!
U: jarjar_binks P: mesah_p@ssw0rd
U: lando_calrissian P: b@ckstab
U: boba_fett P: mandalorian1
U: jabba_hutt P: not-a-slug12
U: greedo P: hanShotFirst!
U: chewbacca P: rwaaaaawr5
U: kylo_ren P: daddy_issues1
All of the above users are in various user groups of varying levels of privileges.
Install Vagrant
Open folder with PowerShell.
Whitelist the metasploitable3-workspace folder in the Antivirus
With VMware Workstation, the Vagrantfile needs some additional lines to make it work and show the VMs in the VMware Library
Open Vagrantfile with a text editor
Add those lines for both VMs
Run vagrant with these commands to download and start the VMs with VMware
Or run vagrant with this command to download and start the VMs with VirtualBox
To fully disable the firewall on the Win2k8 VM, run with CMD as admin
When both the VMs are ready, they can be opened.
Default login credentials are vagrant:vagrant
To stop the VMs, run this command, which will attempt a graceful shutdown of the VMs
If this doesn't work, proceed with manual shutdown of the Virtual Machines inside VMware/VirtualBox.
GlassFish
Ports
4848 - HTTP
8080 - HTTP
8181 - HTTPS
Credentials
Username: admin
Password: sploit
Access
On Metasploitable3, point your browser to http://localhost:4848.
Login with the above credentials.
Start/Stop
Stop: Open task manager and kill the java.exe process running glassfish
Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.
Vulnerability IDs
CVE-2011-0807
Modules
exploits/multi/http/glassfish_deployer
auxiliary/scanner/http/glassfish_login
Apache Struts
Ports
8282 - HTTP
Credentials
Apache Tomcat Web Application Manager
U: sploit
P: sploit
Access
To access the vulnerable application, point your browser on Metasploitable3 to http://localhost:8282/struts2-rest-showcase
To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. Login with the above credentials.
Start/Stop
Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.
Vulnerability IDs
CVE-2016-3087
Modules
exploit/multi/http/struts_dmi_rest_exec
Tomcat
Ports
8282 - HTTP
Credentials
U: sploit
P: sploit
Access
To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. Login with the above credentials.
Start/Stop
Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.
Vulnerability IDs
CVE-2009-3843
CVE-2009-4189
Modules
auxiliary/scanner/http/tomcat_enum
auxiliary/scanner/http/tomcat_mgr_login
exploits/multi/http/tomcat_mgr_deploy
exploits/multi/http/tomcat_mgr_upload
post/windows/gather/enum_tomcat
Jenkins
Ports
8484 - HTTP
Credentials
None enabled by default
Access
Point your browser on Metasploitable3 to http://localhost:8484.
Start/Stop
Stop: Open services.msc. Stop the jenkins service.
Start: Open services.msc. Start the jenkins service.
Modules
exploits/multi/http/jenkins_script_console
auxiliary/scanner/http/jenkins_enum
IIS - FTP
Ports
21 - FTP
Credentials
Windows credentials
Access
Any FTP client should work
Start/Stop
Stop:
net stop msftpsvc
Start:
net start msftpsvc
Modules
auxiliary/scanner/ftp/ftp_login
IIS - HTTP
Ports
80 - HTTP
Credentials
U: vagrant
P: vagrant
Access
Point your browser on Metasploitable3 to http://localhost.
Start/Stop
Stop: Open services.msc. Stop the World Wide Web Publishing service.
Start: Open services.msc. Start the World Wide Web Publishing service.
Vulnerability IDs
CVE-2015-1635
Modules
auxiliary/dos/http/ms15_034_ulonglongadd
psexec
Ports
445 - SMB
139 - NetBIOS
Credentials
Any credentials valid for Metasploitable3 should work. See the list here
Access
Use the psexec tool to run commands remotely on the target.
Start/Stop
Enabled by default
Vulnerabilities
Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and used to run remote code using psexec.
Modules
exploits/windows/smb/psexec
exploits/windows/smb/psexec_psh
SSH
Ports
22 - SSH
Credentials
Any credentials valid for Metasploitable3 should work. See the list here
Access
Use an SSH client to connect and run commands remotely on the target.
Start/Stop
Enabled by default
Vulnerabilities
Multiple users with weak passwords exist on the target. Those passwords can be easily cracked. Once a session is opened, remote code can be executed using SSH.
Modules
WinRM
Ports
5985 - HTTPS
Credentials
Any credentials valid for Metasploitable3 should work. See the list here
Access
Start/Stop
Stop: Open services.msc. Stop the Windows Remote Management service.
Start: Open services.msc. Start the Windows Remote Management service.
Vulnerabilities
Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and WinRM can be used to run remote code on the target.
Modules
auxiliary/scanner/winrm/winrm_cmd
auxiliary/scanner/winrm/winrm_wql
auxiliary/scanner/winrm/winrm_login
auxiliary/scanner/winrm/winrm_auth_methods
exploits/windows/winrm/winrm_script_exec
Chinese Caidao
Ports
80 - HTTP
Credentials
Any credentials valid for Metasploitable3 should work. See the list here
Access
Point your browser on Metasploitable3 to http://localhost/caidao.asp
Start/Stop
Stop: Open services.msc. Stop the World Wide Web Publishing service.
Start: Open services.msc. Start the World Wide Web Publishing service.
Modules
auxiliary/scanner/http/caidao_bruteforce_login
ManageEngine
Ports
8020 - HTTP
Credentials
Username: admin
Password: admin
Access
On Metasploitable3, point your browser to http://localhost:8020. Login with the above credentials.
Start/Stop
Stop: In command prompt, do
net stop "ManageEngine Desktop Central Server"
Start: In command prompt, do
net start "ManageEngine Desktop Central Server"
Vulnerability IDs
CVE-2015-8249
Modules
exploit/windows/http/manageengine_connectionid_write
ElasticSearch
Ports
9200 - HTTP
Credentials
No credentials needed
Access
On Metasploitable3, point your browser to http://localhost:9200.
Start/Stop
Stop: In command prompt, do
net stop elasticsearch-service-x64
Start: In command prompt, do
net start elasticsearch-service-x64
Vulnerability IDs
CVE-2014-3120
Modules
exploit/multi/elasticsearch/script_mvel_rce
Apache Axis2
Ports
8282 - HTTP
Credentials
No credentials needed
Access
On Metasploitable3, point your browser to http://localhost:8282/axis2.
Start/Stop
Log into Apache Tomcat, and start or stop from the application manager.
Vulnerability IDs
CVE-2010-0219
Modules
exploit/multi/http/axis2_deployer
WebDAV
Ports
8585 - HTTP
Credentials
No credentials needed
Access
See the PR here: https://github.com/rapid7/metasploitable3/pull/16
Start/Stop
Stop: In command prompt, do
net stop wampapache
Start: In command prompt, do
net start wampapache
Modules
auxiliary/scanner/http/http_put (see https://github.com/rapid7/metasploitable3/pull/16)
SNMP
Ports
161 - UDP
Credentials
Community String: public
Access
Load the auxiliary/scanner/snmp/snmp_enum module in Metasploit to parse the SNMP data.
Start/Stop
Stop: In command prompt, do
net stop snmp
Start: In command prompt, do
net start snmp
Modules
auxiliary/scanner/snmp/snmp_enum
MySQL
Ports
3306 - TCP
Credentials
U: root
P:
Access
Use the mysql client to connect to port 3306 on Metasploitable3.
Start/Stop
Stop: In command prompt, do
net stop wampmysql
Start: In command prompt, do
net start wampmysql
Modules
windows/mysql/mysql_payload
JMX
Ports
1617 - TCP
Credentials
No credentials needed
Access
Download the connector client and use the instructions found here: http://docs.oracle.com/javase/tutorial/jmx/remote/index.html
Start/Stop
Stop: In command prompt, do
net stop jmx
Start: In command prompt, do
net start jmx
Vulnerability IDs
CVE-2015-2342
Modules
multi/misc/java_jmx_server
WordPress
Ports
8585 - HTTP
Credentials
No credentials needed
Access
On Metasploitable3, point your browser to http://localhost:8585/wordpress.
Start/Stop
Stop: In command prompt, do
net stop wampapache
Start: In command prompt, do
net start wampapache
Vulnerable Plugins
NinjaForms 2.9.42 - CVE-2016-1209
Modules
unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Remote Desktop
Ports
3389 - RDP
Credentials
Any Windows credentials
Access
Use a remote desktop client. Either your OS already has one, or download a third-party client.
Start/Stop
Stop:
net stop rdesktop
Start:
net start rdesktop
Modules
N/A
PHPMyAdmin
Ports
8585 - HTTP
Credentials
U: root
P:
Access
On Metasploitable3, point your browser to http://localhost:8585/phpmyadmin.
Start/Stop
Stop: In command prompt, do
net stop wampapache
Start: In command prompt, do
net start wampapache
Vulnerability IDs
CVE-2013-3238
Modules
multi/http/phpmyadmin_preg_replace
Ruby on Rails
Ports
3000 - HTTP
Credentials
N/A
Access
On Metasploitable3, point your browser to http://localhost:3000.
Start/Stop
Stop: Open task manager and kill the ruby.exe process
Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.
Vulnerability IDs
CVE-2015-3224
Modules
exploit/multi/http/rails_web_console_v2_code_exec