Pentesting Reconnaissance on the Metasploitable Machine

1. Introduction

This post is the write-up for the exercise: https://github.com/breatheco-de/pentesting-reconnaissance-vulnerable-machine-project.git

This document presents the results of penetration testing performed against the Metasploitable machine (IP: 10.0.2.8), a deliberately vulnerable system used as a controlled environment for practising offensive security techniques. The main goal was to identify critical vulnerabilities, analyse their potential impact and propose effective mitigations. Using Nmap, a full TCP port scan was run together with service and version detection and NSE scripts for known security flaws. The report illustrates why reconnaissance matters in a pentest and how obsolete or weak configurations expose systems to serious risk. The findings range from exploitable backdoors that hand out a root shell to weaknesses in the TLS configuration of mail and database services, underlining the need for proactive security management.

2. Target and Scope.

Target

The Metasploitable machine at IP address 10.0.2.8.

Scope

Penetration testing of the target covering reconnaissance, vulnerability analysis and mitigation recommendations. All evidence in this report comes from a single Nmap run (port scan, version detection and NSE "vuln" scripts); findings marked VULNERABLE (Exploitable) were confirmed by the scripts' own checks, not by separate manual exploitation.

3. Tools and Techniques Used.

Nmap: used to scan every TCP port (-p-), to enable OS detection, version detection, script scanning and traceroute (-A), and to run the NSE scripts in the "vuln" category (--script vuln). Output was saved in all three formats (normal, XML and grepable) with -oA.

Nmap command used:

nmap -p- -A --script vuln -oA Escaneo_completo_Metasploitable 10.0.2.8

Two caveats about this command. First, -p- without -sU covers TCP only; the rpcinfo listing below shows mountd, nlockmgr and status on UDP ports that were never probed directly. Second, several scripts in the "vuln" category are intrusive (ftp-vsftpd-backdoor and distcc-cve2004-2687 execute commands on the target, http-sql-injection and http-csrf send attack payloads), so this combination is only appropriate in a lab or with explicit authorisation.
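The -oA option writes three files, and the .xml one (Escaneo_completo_Metasploitable.xml) is the one worth post-processing. The Python below is an added example, not part of the original write-up: it parses Nmap's XML layout with the standard library and lists open ports, detected versions and every NSE script whose State line reports a vulnerable condition, skipping "NOT VULNERABLE" results. The embedded XML is a hand-constructed sample mirroring four ports from the scan above, not the real output file.

```python
"""Parse Nmap XML output (the .xml file that -oA writes next to .nmap and
.gnmap) and list open ports, versions and NSE scripts reporting a vulnerable
state. Added example, not part of the original write-up."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout, hand-written to mirror four ports
# from the scan above; not real scanner output. Nmap encodes newlines inside
# the output attribute as &#xa;, which the XML parser turns back into "\n".
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p- -A --script vuln 10.0.2.8">
  <host>
    <address addr="10.0.2.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
        <script id="ftp-vsftpd-backdoor" output="&#xa;  VULNERABLE:&#xa;  vsFTPd version 2.3.4 backdoor&#xa;    State: VULNERABLE (Exploitable)&#xa;    IDs:  CVE:CVE-2011-2523  BID:48539"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="open" reason="syn-ack"/>
        <service name="smtp" product="Postfix smtpd"/>
        <script id="smtp-vuln-cve2010-4344" output="The SMTP server is not Exim: NOT VULNERABLE"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
        <script id="http-slowloris-check" output="&#xa;  VULNERABLE:&#xa;  Slowloris DOS attack&#xa;    State: LIKELY VULNERABLE&#xa;    IDs:  CVE:CVE-2007-6750"/>
        <script id="http-trace" output="TRACE is enabled"/>
      </port>
      <port protocol="tcp" portid="1">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

STATE_RE = re.compile(r"State:\s*([^\n]+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, proto, service fields and script outputs."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service data
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
    return results


def vulnerable_findings(results):
    """Return (port, script id, state, [CVEs]) for scripts whose 'State:' line says VULNERABLE.

    Only the vulns-library 'State:' line is trusted: prose such as the
    'NOT VULNERABLE' from smtp-vuln-cve2010-4344 has no State line and is
    skipped, as is any state that itself starts with NOT."""
    hits = []
    for r in results:
        for sid, out in r["scripts"].items():
            m = STATE_RE.search(out)
            if m is None:
                continue
            state = m.group(1).strip()
            if "VULNERABLE" not in state or state.startswith("NOT"):
                continue
            hits.append((r["port"], sid, state, CVE_RE.findall(out)))
    return hits


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    for r in found:
        print(f"{r['port']}/{r['proto']:<4} {r['service']:<10} {r['product']} {r['version']}".rstrip())
    for port, sid, state, cves in vulnerable_findings(found):
        print(f"  {port}: {sid} -> {state} {' '.join(cves)}".rstrip())
```

Run it against the real file with `parse_nmap_xml(open("Escaneo_completo_Metasploitable.xml").read())`; the "LIKELY VULNERABLE" state is kept deliberately so that inferred findings such as Slowloris are not silently dropped, but they are reported with their weaker state rather than as confirmed.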

4. Reconnaissance Results.

4.1 Open Ports and Services Discovered:

  1. Port 21 (FTP): vsFTPd 2.3.4.
  2. Port 22 (SSH): OpenSSH 4.7p1 (Debian 8ubuntu1), protocol 2.0.
  3. Port 23 (Telnet): Linux telnetd (cleartext logins).
  4. Port 25 (SMTP): Postfix smtpd; STARTTLS is offered, since the TLS scripts ran successfully against it.
  5. Port 53 (DNS): ISC BIND 9.4.2.
  6. Port 80 (HTTP): Apache httpd 2.2.8 (Ubuntu) with DAV/2.
  7. Port 111 (RPC): rpcbind (RPC program 100000).
  8. Port 139 (NetBIOS-SSN): Samba smbd 3.X - 4.X, workgroup WORKGROUP.
  9. Port 445 (SMB / NetBIOS-SSN): Samba smbd 3.X - 4.X, workgroup WORKGROUP.
  10. Port 512 (exec): netkit-rsh rexecd.
  11. Port 513 (login): OpenBSD or Solaris rlogind.
  12. Port 514 (shell): Netkit rshd.
  13. Port 1099 (Java RMI): GNU Classpath grmiregistry.
  14. Port 1524 (bindshell): Metasploitable root shell.
  15. Port 2049 (NFS): NFS versions 2-4 (RPC program 100003).
  16. Port 2121 (FTP): ProFTPD 1.3.1.
  17. Port 3306 (MySQL): MySQL 5.0.51a-3ubuntu5.
  18. Port 3632 (distcc): distccd v1, (GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4).
  19. Port 5432 (PostgreSQL): PostgreSQL DB 8.3.0 - 8.3.7.
  20. Port 5900 (VNC): VNC, protocol 3.3.
  21. Port 6000 (X11): X11 (access denied).
  22. Port 6667 (IRC): UnrealIRCd.
  23. Port 6697 (IRC): UnrealIRCd (the ssl-ccs-injection check against this port got no reply, so the scan did not confirm that it is a TLS listener).
  24. Port 8009 (AJP13): Apache Jserv Protocol v1.3.
  25. Port 8180 (HTTP): Apache Tomcat; the "Apache-Coyote/1.1" banner is the Coyote connector version, not the Tomcat version.
  26. Port 8787 (Ruby DRb): Ruby DRb RMI, Ruby 1.8, path /usr/lib/ruby/1.8/drb.
  27. High TCP ports registered with rpcbind or found by the full scan:
    • 46587 (status, RPC 100024).
    • 51866 (java-rmi, a second GNU Classpath grmiregistry).
    • 58753 (nlockmgr, RPC 100021).
    • 59356 (mountd, RPC 100005).
    The rpcinfo listing also shows UDP ports that the TCP-only scan did not probe: 36316/udp (mountd), 57777/udp (nlockmgr) and 59613/udp (status).

4.2 Vulnerabilities detected

  1. Port 21 (FTP) - vsFTPd 2.3.4:
    • Vulnerability: vsFTPd 2.3.4 backdoor.
    • Identifier: CVE-2011-2523.
    • Description: this release of vsFTPd was trojaned; the backdoor opens a command shell, which the ftp-vsftpd-backdoor script used to run `id` and got uid=0(root). Unauthenticated remote root.
  2. Port 25 (SMTP) - Postfix:
    • SSL/TLS weaknesses found through STARTTLS:
      • POODLE (SSLv3 CBC padding oracle): CVE-2014-3566.
      • Logjam (DHE_EXPORT 512-bit downgrade, suite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA): CVE-2015-4000.
      • Anonymous Diffie-Hellman suite offered (TLS_DH_anon_EXPORT_WITH_RC4_40_MD5): no server authentication, so an active attacker can sit in the middle.
      • 1024-bit DHE group (Postfix built-in modulus): below the 2048-bit minimum that is standard today.
    • Description: an on-path attacker can downgrade or break the encryption of mail traffic and read or tamper with it.
  3. Port 80 (HTTP) - Apache httpd 2.2.8:
    • Vulnerability: Slowloris denial of service.
    • Identifier: CVE-2007-6750.
    • Description: an attacker holds many incomplete HTTP connections open and exhausts the server's worker pool. Nmap reports LIKELY VULNERABLE rather than confirmed: the check only probes how the server handles partial requests, it does not sustain the attack.
    • Further findings on this port: HTTP TRACE is enabled; /doc/ and /icons/ have directory listings; /phpinfo.php and /phpMyAdmin/ are reachable; the deliberately vulnerable web applications shipped with Metasploitable (DVWA, Mutillidae, TWiki, TikiWiki, the /dav/ share) were enumerated, and http-csrf and http-sql-injection flagged many of their forms and parameters as possible CSRF and injection points. Those SQLi entries are candidates found by appending a payload to every parameter and pattern-matching the response, not confirmed injections.
  4. Ports 1099 and 51866 (Java RMI registry, GNU Classpath grmiregistry):
    • Vulnerability: the registry's default configuration allows loading classes from remote URLs (rmi-vuln-classloader).
    • Description: anyone who can reach the registry can point it at a class on a server they control and obtain remote code execution.
    • References: no CVE is given in the Nmap output; the script points at the Metasploit module multi/misc/java_rmi_server.
  5. Port 1524 (bindshell):
    • Vulnerability: root shell exposed.
    • Description: a deliberate Metasploitable backdoor; anyone who connects to the port gets a root shell without authentication.
  6. Port 2049 (NFS):
    • Vulnerability: NFS service exposed to the network.
    • Description: NFS v2-4, mountd and nlockmgr are registered with rpcbind. The scan only confirms that the service is reachable; whether the exports are world-readable or writable (and therefore allow unauthorised access to shared files) was not tested and needs a follow-up check, for example with the nfs-showmount and nfs-ls scripts or showmount -e.
  7. Port 3632 (distcc):
    • Vulnerability: remote command execution.
    • Identifier: CVE-2004-2687 (CVSSv2 9.3).
    • Description: distccd accepts compilation jobs from any host and runs the commands embedded in them. The script executed `id` and got uid=1(daemon), so the initial foothold is the unprivileged daemon account rather than root.
  8. Port 5432 (PostgreSQL):
    • SSL/TLS weaknesses:
      • POODLE: CVE-2014-3566.
      • CCS Injection (OpenSSL ChangeCipherSpec man-in-the-middle): CVE-2014-0224.
      • 1024-bit DHE group (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA): insufficient group strength. Unlike port 25, no export-grade or anonymous suite was reported here.
    • Description: database traffic is exposed to man-in-the-middle attacks.
  9. Port 6667 (IRC) - UnrealIRCd:
    • Vulnerability: known backdoor in the UnrealIRCd build shipped with Metasploitable, allowing remote command execution.
    • Description: in this scan the irc-unrealircd-backdoor script did not complete ("Server closed connection, possibly due to too many reconnects"). Re-run it with --script-args irc-unrealircd-backdoor.wait=100, as the output suggests, before treating the backdoor as confirmed on this host.
  10. Port 8180 (Apache Tomcat):
    • Vulnerability: session cookie without security flags.
    • Description: JSESSIONID is set without the HttpOnly flag on every /admin/ path probed, so script injected into the application can read the session token. The Tomcat manager (/manager/html) is also exposed and answers 401 Unauthorized, and http-enum flagged several FCKeditor and upload test pages under /admin/.
  11. SSL/TLS summary across services:
    • Confirmed on port 25 (STARTTLS) and port 5432: weak or anonymous Diffie-Hellman groups, SSLv3/POODLE and, on 5432, CCS Injection.
    • Not confirmed: on 3306 (MySQL) and 6697 (IRC) the ssl-ccs-injection script timed out, and sslv2-drown failed on 25, so those listeners still need a dedicated TLS check (for example with the ssl-enum-ciphers script).
  12. Legacy cleartext services (observation from the port list, not a script finding): Telnet (23) and the r-services rexec/rlogin/rsh (512-514) send credentials in the clear, rlogin and rsh rely on host-based trust, and VNC protocol 3.3 (5900) sessions are unencrypted. None of these should be reachable from an untrusted network.
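The three Diffie-Hellman groups reported on port 25 illustrate three distinct problems: no server authentication, export-grade size, and a shared 1024-bit group. The Python below is an added example, not code from the write-up or from Nmap: it parses the "Check results" text that the ssl-dh-params script prints and classifies each group by those rules. The text block is a constructed copy of that layout, the 2048-bit threshold is a general minimum assumed here rather than something the scan asserts, and the rules generalise beyond the three groups actually seen.

```python
"""Triage the Diffie-Hellman groups that Nmap's ssl-dh-params script reports.
Added example, not code from the write-up or from Nmap."""
import re

# Constructed text in the "Check results" layout the script printed for port
# 25 in the report above (three groups); hand-typed for the example.
SAMPLE_DH_OUTPUT = """\
ANONYMOUS DH GROUP 1
  Cipher Suite: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  Modulus Type: Safe prime
  Modulus Source: Unknown/Custom-generated
  Modulus Length: 512
  Generator Length: 8
  Public Key Length: 512
EXPORT-GRADE DH GROUP 1
  Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  Modulus Type: Safe prime
  Modulus Source: Unknown/Custom-generated
  Modulus Length: 512
  Generator Length: 8
  Public Key Length: 512
WEAK DH GROUP 1
  Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  Modulus Type: Safe prime
  Modulus Source: postfix builtin
  Modulus Length: 1024
  Generator Length: 8
  Public Key Length: 1024
"""

MIN_MODULUS_BITS = 2048  # assumption: the usual minimum for finite-field DH today

# One match per group: suite, source and modulus size in the order the script prints them.
GROUP_RE = re.compile(
    r"Cipher Suite:\s*(?P<suite>\S+)\s*"
    r"(?:Modulus Type:[^\n]*\s*)?"
    r"Modulus Source:\s*(?P<source>[^\n]+?)\s*"
    r"Modulus Length:\s*(?P<bits>\d+)"
)


def parse_dh_groups(text):
    """Return one dict per reported group with cipher suite, modulus source and size."""
    return [
        {"suite": m["suite"], "source": m["source"], "bits": int(m["bits"])}
        for m in GROUP_RE.finditer(text)
    ]


def classify_dh_group(group):
    """List the concrete weaknesses of one DH group, most severe first."""
    suite, source, bits = group["suite"], group["source"], group["bits"]
    issues = []
    if "_anon_" in suite:
        issues.append("anonymous DH: no server authentication, active MitM possible")
    if "_EXPORT_" in suite:
        issues.append("export-grade suite: Logjam downgrade target (CVE-2015-4000)")
    if bits < 1024:
        issues.append(f"{bits}-bit modulus: breakable with precomputation")
    elif bits < MIN_MODULUS_BITS:
        issues.append(f"{bits}-bit modulus: below the {MIN_MODULUS_BITS}-bit minimum")
    if bits < MIN_MODULUS_BITS and "builtin" in source.lower():
        # A group compiled into the server is shared by every install of that version,
        # so one precomputation pays off against all of them (the weakdh.org argument).
        issues.append("built-in (shared) group: one precomputation breaks every server using it")
    return issues


def triage(text):
    """Map each reported cipher suite to its issues; an empty list means acceptable."""
    return {g["suite"]: classify_dh_group(g) for g in parse_dh_groups(text)}


if __name__ == "__main__":
    for suite, issues in triage(SAMPLE_DH_OUTPUT).items():
        print(suite)
        for issue in issues:
            print("  -", issue)
```

The remediation that clears all three rows at once is the same one the conclusion recommends: drop anonymous and export suites, and either generate a 2048-bit or larger DH parameter file for Postfix or prefer ECDHE suites, which do not use finite-field groups at all.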

4.3 Potential impact

The impact ranges from disclosure of sensitive information to full compromise of the system. Two findings (the vsFTPd backdoor and the bindshell on port 1524) give root without authentication, distcc and the two RMI registries give code execution as a service account, and the TLS weaknesses expose mail and database traffic to interception. Any of these can lead to data loss, service disruption, or the use of the compromised host as a pivot to attack other systems.

4.4 General mitigation

  1. Keep software and operating systems up to date; every CVE listed here has had a fixed release available for years.
  2. Scan regularly with tools such as Nmap to find exposed services and vulnerabilities and fix them.
  3. Apply the recommended hardening for each exposed service: disable SSLv3 and export or anonymous cipher suites, use 2048-bit or larger DH groups (or ECDHE), set HttpOnly and Secure on session cookies, restrict NFS exports and the RMI registries to trusted hosts, and disable HTTP TRACE and directory listings.
  4. Use firewalls and intrusion detection systems (IDS), and remove services with no business purpose (the bindshell, the r-services, Telnet, distcc).
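Finding 10 (JSESSIONID without HttpOnly on port 8180) is worth checking on every Set-Cookie header an application returns, not only the ones Nmap happened to probe. The Python below is an added example, not from the write-up: it parses a Set-Cookie line, reports which of HttpOnly, Secure and SameSite are missing, and rebuilds the header with all three. The sample headers are constructed (the session value is made up), and SameSite is checked here although Nmap's http-cookie-flags script only tests httponly and secure.

```python
"""Check Set-Cookie headers for the attributes a session cookie should carry
and emit a hardened version. Added example, not code from the write-up."""

# Attributes checked: the two that Nmap's http-cookie-flags script looks for
# (httponly, secure) plus samesite, which the scan did not test.
REQUIRED_ATTRS = ("httponly", "secure", "samesite")

# Constructed headers. The first mirrors what Tomcat on 8180 returned for
# JSESSIONID (no HttpOnly); the session value is invented for the example.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=3A9F2C1E7B; Path=/admin",
    "Set-Cookie: JSESSIONID=3A9F2C1E7B; Path=/admin; Secure; HttpOnly; SameSite=Strict",
]


def _cookie_value(header):
    """Strip an optional 'Set-Cookie:' prefix and return the raw cookie string."""
    name, sep, rest = header.partition(":")
    if sep and name.strip().lower() == "set-cookie":
        return rest.strip()
    return header.strip()


def parse_set_cookie(header):
    """Return (cookie name, 'name=value' pair, {attr_lower: (original spelling, value or None)}).

    Attribute names are case-insensitive (RFC 6265), so lookups use the lowercase
    key while the original spelling is kept for re-emitting the header."""
    parts = [p.strip() for p in _cookie_value(header).split(";") if p.strip()]
    name_value = parts[0]
    name = name_value.split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = (k.strip(), v.strip() or None)
    return name, name_value, attrs


def missing_attrs(header):
    """Return (cookie name, [missing attributes]) in the fixed REQUIRED_ATTRS order."""
    name, _, attrs = parse_set_cookie(header)
    return name, [a for a in REQUIRED_ATTRS if a not in attrs]


def harden_set_cookie(header, samesite="Strict"):
    """Rebuild the header, keeping Path/Domain/Expires etc. and forcing the three flags."""
    _, name_value, attrs = parse_set_cookie(header)
    kept = [orig if val is None else f"{orig}={val}"
            for key, (orig, val) in attrs.items() if key not in REQUIRED_ATTRS]
    return "Set-Cookie: " + "; ".join([name_value, *kept, "Secure", "HttpOnly", f"SameSite={samesite}"])


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        name, missing = missing_attrs(h)
        print(f"{name}: missing {missing or 'nothing'}")
        if missing:
            print("  hardened:", harden_set_cookie(h))
```

One caveat specific to this target: port 8180 serves plain HTTP, so adding Secure on its own would make the cookie unusable; the application has to be put behind TLS first. In supported Tomcat releases the Context attribute useHttpOnly (on by default since Tomcat 7) and the web.xml `<session-config><cookie-config>` element control these flags, and the Tomcat on Metasploitable predates both, which is one more reason the fix starts with an upgrade.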

5. Report generated by Nmap

Nmap Scan Report - Scanned at Wed Mar 19 08:11:28 2025

Scan Summary

Nmap 7.95 was initiated at Wed Mar 19 08:11:28 2025 with these arguments:

/usr/lib/nmap/nmap -p- -A --script vuln -oA Escaneo_completo_Metasploitable 10.0.2.8

Nmap done at Wed Mar 19 08:26:59 2025; 1 IP address (1 host up) scanned in 931.05 seconds

Host: 10.0.2.8

Address
  • 10.0.2.8 (ipv4)
  • 08:00:27:34:34:9A - PCS Systemtechnik/Oracle VirtualBox virtual NIC (mac)

Ports

The 65505 ports scanned but not shown below are in state: closed (65505 ports replied with: reset).

PORT       STATE  SERVICE      REASON   PRODUCT / VERSION / EXTRA INFO
21/tcp     open   ftp          syn-ack  vsftpd 2.3.4
  ftp-vsftpd-backdoor:
    VULNERABLE: vsFTPd version 2.3.4 backdoor
      State: VULNERABLE (Exploitable)
      IDs: CVE:CVE-2011-2523  BID:48539
      vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
      Disclosure date: 2011-07-03
      Exploit results: shell command "id" returned uid=0(root) gid=0(root)
      References:
        https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
        https://www.securityfocus.com/bid/48539
        http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523

22/tcp     open   ssh          syn-ack  OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

23/tcp     open   telnet       syn-ack  Linux telnetd

25/tcp     open   smtp         syn-ack  Postfix smtpd
  sslv2-drown: ERROR: Script execution failed (use -d to debug)
  smtp-vuln-cve2010-4344: The SMTP server is not Exim: NOT VULNERABLE
  ssl-poodle:
    VULNERABLE: SSL POODLE information leak
      State: VULNERABLE
      IDs: CVE:CVE-2014-3566  BID:70574
      The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
      Disclosure date: 2014-10-14
      Check results: TLS_RSA_WITH_AES_128_CBC_SHA
      References:
        https://www.imperialviolet.org/2014/10/14/poodle.html
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
        https://www.securityfocus.com/bid/70574
        https://www.openssl.org/~bodo/ssl-poodle.pdf
  ssl-dh-params:
    VULNERABLE: Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
      State: VULNERABLE
      Transport Layer Security (TLS) services that use anonymous Diffie-Hellman key exchange only provide protection against passive eavesdropping, and are vulnerable to active man-in-the-middle attacks which could completely compromise the confidentiality and integrity of any data exchanged over the resulting session.
      Check results:
        ANONYMOUS DH GROUP 1
          Cipher Suite: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
          Modulus Type: Safe prime
          Modulus Source: Unknown/Custom-generated
          Modulus Length: 512
          Generator Length: 8
          Public Key Length: 512
      References:
        https://www.ietf.org/rfc/rfc2246.txt
    VULNERABLE: Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
      State: VULNERABLE
      IDs: CVE:CVE-2015-4000  BID:74733
      The Transport Layer Security (TLS) protocol contains a flaw that is triggered when handling Diffie-Hellman key exchanges defined with the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker to downgrade the security of a TLS session to 512-bit export-grade cryptography, which is significantly weaker, allowing the attacker to more easily break the encryption and monitor or tamper with the encrypted stream.
      Disclosure date: 2015-5-19
      Check results:
        EXPORT-GRADE DH GROUP 1
          Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
          Modulus Type: Safe prime
          Modulus Source: Unknown/Custom-generated
          Modulus Length: 512
          Generator Length: 8
          Public Key Length: 512
      References:
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
        https://www.securityfocus.com/bid/74733
        https://weakdh.org
    VULNERABLE: Diffie-Hellman Key Exchange Insufficient Group Strength
      State: VULNERABLE
      Transport Layer Security (TLS) services that use Diffie-Hellman groups of insufficient strength, especially those using one of a few commonly shared groups, may be susceptible to passive eavesdropping attacks.
      Check results:
        WEAK DH GROUP 1
          Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
          Modulus Type: Safe prime
          Modulus Source: postfix builtin
          Modulus Length: 1024
          Generator Length: 8
          Public Key Length: 1024
      References:
        https://weakdh.org

53/tcp     open   domain       syn-ack  ISC BIND 9.4.2

80/tcp     open   http         syn-ack  Apache httpd 2.2.8 ((Ubuntu) DAV/2)
  http-slowloris-check:
    VULNERABLE: Slowloris DOS attack
      State: LIKELY VULNERABLE
      IDs: CVE:CVE-2007-6750
      Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. By doing so, it starves the http server's resources causing Denial Of Service.
      Disclosure date: 2009-09-17
      References:
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
        http://ha.ckers.org/slowloris/
  http-fileupload-exploiter: Couldn't find a file-type field.
  http-enum:
    /tikiwiki/: Tikiwiki
    /test/: Test page
    /phpinfo.php: Possible information file
    /phpMyAdmin/: phpMyAdmin
    /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
    /icons/: Potentially interesting folder w/ directory listing
    /index/: Potentially interesting folder
  http-trace: TRACE is enabled
  http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
  http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
  http-dombased-xss: Couldn't find any DOM based XSS.
  http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  http-csrf:
    Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.0.2.8
    Found the following possible CSRF vulnerabilities (every form had an empty form id):
      Path: http://10.0.2.8:80/dvwa/
        Form action: login.php
      Path: http://10.0.2.8:80/twiki/TWikiDocumentation.html
        Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
      Path: http://10.0.2.8:80/twiki/TWikiDocumentation.html
        Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
      Path: http://10.0.2.8:80/twiki/TWikiDocumentation.html
        Form action: http://TWiki.org/cgi-bin/edit/TWiki/
      Path: http://10.0.2.8:80/twiki/TWikiDocumentation.html
        Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
      Path: http://10.0.2.8:80/twiki/TWikiDocumentation.html
        Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
      Path: http://10.0.2.8:80/dvwa/login.php
        Form action: login.php
  http-sql-injection:
    Possible sqli for queries:
      http://10.0.2.8:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=notes.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=php-errors.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=usage-instructions.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=home.php
      http://10.0.2.8:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=home.php
      http://10.0.2.8:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/?page=login.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?username=anonymous&page=password-generator.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=documentation%2Fvulnerabilities.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
      http://10.0.2.8:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
      http://10.0.2.8:80/dav/?C=D%3BO%3DA%27%20OR%20sqlspider
      http://10.0.2.8:80/dav/?C=M%3BO%3DA%27%20OR%20sqlspider
      http://10.0.2.8:80/dav/?C=S%3BO%3DA%27%20OR%20sqlspider
      http://10.0.2.8:80/dav/?C=N%3BO%3DD%27%20OR%20sqlspider
      http://10.0.2.8:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
      http://10.0.2.8:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
      http://10.0.2.8:80/rdiff/TWiki/TWikiHistory?rev1=1.9%27%20OR%20sqlspider&rev2=1.8
      http://10.0.2.8:80/rdiff/TWiki/TWikiHistory?rev1=1.9&rev2=1.8%27%20OR%20sqlspider
      http://10.0.2.8:80/rdiff/TWiki/TWikiHistory?rev1=1.10%27%20OR%20sqlspider&rev2=1.9
      http://10.0.2.8:80/rdiff/TWiki/TWikiHistory?rev1=1.10&rev2=1.9%27%20OR%20sqlspider
      http://10.0.2.8:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
      http://10.0.2.8:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
      http://10.0.2.8:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
      http://10.0.2.8:80/rdiff/TWiki/TWikiHistory?rev1=1.8%27%20OR%20sqlspider&rev2=1.7
      http://10.0.2.8:80/rdiff/TWiki/TWikiHistory?rev1=1.8&rev2=1.7%27%20OR%20sqlspider

111/tcp    open   rpcbind      syn-ack  RPC #100000
  rpcinfo:
    program   version   port/proto   service
    100000    2         111/tcp      rpcbind
    100000    2         111/udp      rpcbind
    100003    2,3,4     2049/tcp     nfs
    100003    2,3,4     2049/udp     nfs
    100005    1,2,3     36316/udp    mountd
    100005    1,2,3     59356/tcp    mountd
    100021    1,3,4     57777/udp    nlockmgr
    100021    1,3,4     58753/tcp    nlockmgr
    100024    1         46587/tcp    status
    100024    1         59613/udp    status

139/tcp    open   netbios-ssn  syn-ack  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp    open   netbios-ssn  syn-ack  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp    open   exec         syn-ack  netkit-rsh rexecd
513/tcp    open   login        syn-ack  OpenBSD or Solaris rlogind
514/tcp    open   shell        syn-ack  Netkit rshd

1099/tcp   open   java-rmi     syn-ack  GNU Classpath grmiregistry
  rmi-vuln-classloader:
    VULNERABLE: RMI registry default configuration remote code execution vulnerability
      State: VULNERABLE
      Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
      References:
        https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

1524/tcp   open   bindshell    syn-ack  Metasploitable root shell
2049/tcp   open   nfs          syn-ack  2-4 (RPC #100003)
2121/tcp   open   ftp          syn-ack  ProFTPD 1.3.1

3306/tcp   open   mysql        syn-ack  MySQL 5.0.51a-3ubuntu5
  ssl-ccs-injection: No reply from server (TIMEOUT)

3632/tcp   open   distccd      syn-ack  distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
  distcc-cve2004-2687:
    VULNERABLE: distcc Daemon Command Execution
      State: VULNERABLE (Exploitable)
      IDs: CVE:CVE-2004-2687
      Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
      Allows executing of arbitrary commands on systems running distccd 3.1 and earlier. The vulnerability is the consequence of weak service configuration.
      Disclosure date: 2002-02-01
      Extra information: uid=1(daemon) gid=1(daemon) groups=1(daemon)
      References:
        https://distcc.github.io/security.html
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
        https://nvd.nist.gov/vuln/detail/CVE-2004-2687

5432/tcp   open   postgresql   syn-ack  PostgreSQL DB 8.3.0 - 8.3.7
  ssl-dh-params:
    VULNERABLE: Diffie-Hellman Key Exchange Insufficient Group Strength
      State: VULNERABLE
      Transport Layer Security (TLS) services that use Diffie-Hellman groups of insufficient strength, especially those using one of a few commonly shared groups, may be susceptible to passive eavesdropping attacks.
      Check results:
        WEAK DH GROUP 1
          Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
          Modulus Type: Safe prime
          Modulus Source: Unknown/Custom-generated
          Modulus Length: 1024
          Generator Length: 8
          Public Key Length: 1024
      References:
        https://weakdh.org
  ssl-ccs-injection:
    VULNERABLE: SSL/TLS MITM vulnerability (CCS Injection)
      State: VULNERABLE
      Risk factor: High
      OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
      References:
        http://www.openssl.org/news/secadv_20140605.txt
        http://www.cvedetails.com/cve/2014-0224
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
  ssl-poodle:
    VULNERABLE: SSL POODLE information leak
      State: VULNERABLE
      IDs: CVE:CVE-2014-3566  BID:70574
      The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
      Disclosure date: 2014-10-14
      Check results: TLS_RSA_WITH_AES_128_CBC_SHA
      References:
        https://www.imperialviolet.org/2014/10/14/poodle.html
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
        https://www.securityfocus.com/bid/70574
        https://www.openssl.org/~bodo/ssl-poodle.pdf

5900/tcp   open   vnc          syn-ack  VNC (protocol 3.3)
6000/tcp   open   X11          syn-ack  (access denied)

6667/tcp   open   irc          syn-ack  UnrealIRCd
  irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
  irc-botnet-channels: ERROR: Closing Link: [10.0.2.9] (Ping timeout)

6697/tcp   open   irc          syn-ack  UnrealIRCd
  ssl-ccs-injection: No reply from server (TIMEOUT)
  irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).

8009/tcp   open   ajp13        syn-ack  Apache Jserv (Protocol v1.3)

8180/tcp   open   http         syn-ack  Apache Tomcat/Coyote JSP engine 1.1
  http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  http-cookie-flags: JSESSIONID returned with "httponly flag not set" on every one of these paths:
    /admin/, /admin/index.html, /admin/login.html, /admin/admin.html, /admin/account.html, /admin/admin_login.html, /admin/home.html, /admin/admin-login.html, /admin/adminLogin.html, /admin/controlpanel.html, /admin/cp.html,
    /admin/index.jsp, /admin/login.jsp, /admin/admin.jsp, /admin/home.jsp, /admin/controlpanel.jsp, /admin/admin-login.jsp, /admin/cp.jsp, /admin/account.jsp, /admin/admin_login.jsp, /admin/adminLogin.jsp,
    /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html, /admin/includes/FCKeditor/editor/filemanager/upload/test.html, /admin/jscript/upload.html
  http-server-header: Apache-Coyote/1.1
  http-dombased-xss: Couldn't find any DOM based XSS.
  http-csrf: Couldn't find any CSRF vulnerabilities.
  http-enum:
    Possible admin folder: /admin/, /admin/index.html, /admin/login.html, /admin/admin.html, /admin/account.html, /admin/admin_login.html, /admin/home.html, /admin/admin-login.html, /admin/adminLogin.html, /admin/controlpanel.html, /admin/cp.html, /admin/index.jsp, /admin/login.jsp, /admin/admin.jsp, /admin/home.jsp, /admin/controlpanel.jsp, /admin/admin-login.jsp, /admin/cp.jsp, /admin/account.jsp, /admin/admin_login.jsp, /admin/adminLogin.jsp
    /manager/html/upload: Apache Tomcat (401 Unauthorized)
    /manager/html: Apache Tomcat (401 Unauthorized)
    /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
    /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
    /admin/jscript/upload.html: Lizard Cart/Remote File upload
    /webdav/: Potentially interesting folder

8787/tcp   open   drb          syn-ack  Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
46587/tcp  open   status       syn-ack  RPC #100024

51866/tcp  open   java-rmi     syn-ack  GNU Classpath grmiregistry
  rmi-vuln-classloader:
    VULNERABLE: RMI registry default configuration remote code execution vulnerability
      State: VULNERABLE
      Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
      References:
        https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

58753/tcp  open   nlockmgr     syn-ack  1-4 (RPC #100021)
59356/tcp  open   mountd       syn-ack  1-3 (RPC #100005)

Remote Operating System Detection
  • Used port: 21/tcp (open)
  • Used port: 1/tcp (closed)
  • Used port: 31133/udp (closed)
  • OS match: Linux 2.6.9 - 2.6.33 (Ubuntu) (100%)

Host Script Output
  smb-vuln-ms10-054: false
  smb-vuln-ms10-061: false
  smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Host metrics
  • Ping Results: arp-response
  • System Uptime: 2691 seconds (last reboot: Wed Mar 19 07:42:08 2025)
  • Network Distance: 1 hop
  • TCP Sequence Prediction: Difficulty=195 (Good luck!)
  • IP ID Sequence Generation: All zeros

6. Conclusion

The penetration test of the Metasploitable machine revealed multiple critical vulnerabilities, notably: backdoors in vsFTPd (confirmed, yielding root) and UnrealIRCd (reported but not confirmed by this scan), an open root bindshell on port 1524, remote code execution through distcc and the two Java RMI registries, NFS and several legacy cleartext services exposed to the network, and weak SSL/TLS configurations on Postfix and PostgreSQL (POODLE, Logjam and weak DH groups, CCS Injection). These flaws pose a high risk, from exposure of sensitive data to complete control of the system by an attacker.

To mitigate these risks, the following is recommended:

  1. Update software and operating systems to fix known vulnerabilities.
  2. Harden the configuration of exposed services (FTP, SSH, HTTP, etc.), removing insecure options, and shut down services with no business purpose.
  3. Use strong cipher suites (TLS 1.2/1.3 with ECDHE or 2048-bit or larger DH groups) and disable obsolete protocols and suites such as SSLv3 and export-grade or anonymous ciphers.
  4. Use firewalls and intrusion detection systems (IDS) to monitor and block suspicious activity.
  5. Run periodic audits with tools such as Nmap or Nessus to find and remediate new vulnerabilities.

This project reinforces the importance of proactive security. An approach built on regular updates, correct configuration and continuous monitoring protects critical assets and shrinks the attack surface, keeping vulnerable systems from becoming entry points for more advanced threats. Security is not a state but an ongoing process that demands constant attention.
