Lab 1 - VM Setup (Kali, Metasploitable2)

In this lab, you will setup Kali and Metasploitable2 on your computer, and take a brief tour of the systems in advance of future in-depth labs.

Activities

Part 1 - Infrastructure Setup

Follow the Virtual Machine setup instructions to download and install Kali and Metasploitable2 as virtual machines. Take a screenshot as proof-of-work.

Note: Don't use a digital camera to take a photo of your screen. The resulting quality ranges from marginal at best to embarrassing at worse. Use the screen capture feature in your operating system to accomplish this task.

Deliverables:

  • Upload a single screenshot showing:
    1. Kali VM running, logged in, and at the desktop ready for use
    2. Metasploitable2 VM running and at the command prompt ready for use
    3. Windows task manager, Mac activity monitor, or Linux system monitor showing system resource utilization with both VMs and your host OS running concurrently. Specifically, ensure that memory (RAM) usage is shown.
    4. A text editor open in Kali with your name and today's date clearly written within

Part 2 - Network Scanning

First, from the terminal of your running Metasploitable2 VM, find its IP address.

Reference: Linux IP command examples

Second, from the terminal of your Kali VM, use nmap to scan for open network services in the Metasploitable2 VM. Target the IP address you found previously, and scan all ports (0-65535).

Reference: Nmap command-line examples

Because you were scanning the Metasploitable2 VM, nearly every one of those active services listed happens to have a nasty security vulnerability of one form or another. Let's pick one - NFS, the Network File System, for further examination.

Deliverables:

  • What command did you use to find the IP address of your Metasploitable2 VM?
  • What command did you use for the nmap scan? The command should target a specific IP address and scan ports 0-65535.
  • From the results of your nmap scan, what TCP port is the nfs service listening on?

Part 3 - NFS

Exciting Bugfix for Part 3: Kali is a bleeding-edge Linux distribution, and Metasploitable2 is very old. The current Kali (2023+) only supports the latest/most secure SSH certificate hashing algorithms, but the old Metasploitable2 system only supports algorithms that Kali (and recent OpenSSH clients) have deprecated! For more information, see this blog post. So, how can this be resolved? Run this command to edit your SSH config file to force SSH to support the old hashing algorithms:
echo -e "Host *\nPubkeyAcceptedKeyTypes=+ssh-rsa\nHostKeyAlgorithms=+ssh-rsa" >> ~/.ssh/config

The Network File System (NFS) on Metasploitable has a significant weakness.

First, from the Kali terminal, use the showmount command to find the export list for the Metasploitable2 VM. The export list is the set of directories that is made accessible via NFS, and the IP addresses/subnets that are permitted access.

Reference: man showmount
Reference: man exports

Deliverables:

  • What is the export list for the Metasploitable2 VM? And more importantly, what does this export list mean? Explain in your own words.

Second, let's abuse our NFS access now.

On your Kali system, accomplish the following tasks.

  1. Generate a new SSH key using the ssh-keygen -t rsa command. This will produce a RSA-format public/private keypair. Accept the default key location so that SSH can find the file in the future (~/.ssh/id_rsa). Leave the passphrase blank so there's no confusion about whether you have passwordless access or not.

Reference: ssh-keygen

  1. Mount the NFS disk from Metasploitable2 using the mount command, so that you can access the remote files inside of Kali. To accomplish this, you will first need to create an empty directory in Kali as a mount point where the network files will then appear at. I suggest a location like /tmp/metasploitable. In order to mount a network disk, you need to be root, so use sudo as part of your command.

Reference: How to mount an NFS share in Linux

  1. Using the mounted NFS disk, append your SSH public key (the file ending in .pub, as shown in your ssh-keygen output) to the end of the existing file root->.ssh->authorized_keys file in the Metasploitable2 VM. This will grant you passwordless SSH access to that system, as your SSH client will automatically use your key to authenticate. Note: You need to be root in Kali to edit this file as root in Metasploitable. NFS simply carries over your user ID number (0, for root) across the network.

Reference: man cat

Tip: This command is slightly tricky to accomplish with sudo if you want to use output redirection! (which I would suggest). A common trick is to write your command like this: sudo sh -c 'COMMAND GOES HERE >> SOME OUTPUT FILE'

  1. Demonstrate that you have accomplished this task by performing the following sequence, and taking a screenshot of the complete sequence 1-4:
    1. From Kali, show your hostname: hostname (could be kali or whatever hostname you chose when installing Kali)
    2. SSH from the Kali VM to the Metasploitable2 VM as the root user. The command should be ssh root@xx.xx.xx.xx, where xx.xx.xx.xx is the IP address of the Metasploitable2 VM that you identified previously. If you correctly added your public key to the authorized_keys file previously, when you try to SSH to the system and automatically present your private key, you should get immediate access, no password required.
    3. At the prompt, show your hostname again: hostname (should be metasploitable)
    4. Exit SSH via exit to return to Kali.

Deliverables:

  • Submit a screenshot demonstrating that you have successfully inserted your private key into the Metasploitable2 VM and now have passwordless logins to that system as the root user.