Vulnerabilities (original) (raw)

GlassFish

Ports

• 4848 - HTTP
• 8080 - HTTP
• 8181 - HTTPS

Credentials

• Username: admin
• Password: sploit

Access

• On Metasploitable3, point your browser to http://localhost:4848.
• Login with the above credentials.

Start/Stop

• Stop: Open task manager and kill the java.exe process running glassfish
• Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.

Vulnerability IDs

• CVE-2011-0807

Modules

• exploits/multi/http/glassfish_deployer
• auxiliary/scanner/http/glassfish_login

Apache Struts

Ports

• 8282 - HTTP

Credentials

• Apache Tomcat Web Application Manager
  • U: sploit
  • P: sploit

Access

• To access the vulnerable application, point your browser on Metasploitable3 to http://localhost:8282/struts2-rest-showcase
• To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. Login with the above credentials.

Start/Stop

• Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
• Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.

Vulnerability IDs

• CVE-2016-3087

Modules

• exploit/multi/http/struts_dmi_rest_exec

Tomcat

Ports

• 8282 - HTTP

Credentials

• U: sploit
• P: sploit

Access

• To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. Login with the above credentials.

Start/Stop

• Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
• Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.

Vulnerability IDs

• CVE-2009-3843
• CVE-2009-4189

Modules

• auxiliary/scanner/http/tomcat_enum
• auxiliary/scanner/http/tomcat_mgr_login
• exploits/multi/http/tomcat_mgr_deploy
• exploits/multi/http/tomcat_mgr_upload
• post/windows/gather/enum_tomcat

Jenkins

Ports

• 8484 - HTTP

Credentials

• None enabled by default

Access

• Point your browser on Metasploitable3 to http://localhost:8484.

Start/Stop

• Stop: Open services.msc. Stop the jenkins service.
• Start: Open services.msc. Start the jenkins service.

Modules

• exploits/multi/http/jenkins_script_console
• auxiliary/scanner/http/jenkins_enum

IIS - FTP

Ports

• 21 - FTP

Credentials

Windows credentials

Access

Any FTP client should work

Start/Stop

• Stop: net stop msftpsvc
• Start: net start msftpsvc

Modules

• auxiliary/scanner/ftp/ftp_login

IIS - HTTP

Ports

• 80 - HTTP

Credentials

• U: vagrant
• P: vagrant

Access

• Point your browser on Metasploitable3 to http://localhost.

Start/Stop

• Stop: Open services.msc. Stop the World Wide Web Publishing service.
• Start: Open services.msc. Start the World Wide Web Publishing service.

Vulnerability IDs

• CVE-2015-1635

Modules

• auxiliary/dos/http/ms15_034_ulonglongadd

psexec

Ports

• 445 - SMB
• 139 - NetBIOS

Credentials

• Any credentials valid for Metasploitable3 should work. See the list here

Access

• Use the psexec tool to run commands remotely on the target.

Start/Stop

• Enabled by default

Vulnerabilities

• Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and used to run remote code using psexec.

Modules

• exploits/windows/smb/psexec
• exploits/windows/smb/psexec_psh

SSH

Ports

• 22 - SSH

Credentials

• Any credentials valid for Metasploitable3 should work. See the list here

Access

• Use an SSH client to connect and run commands remotely on the target.

Start/Stop

• Enabled by default

Vulnerabilities

• Multiple users with weak passwords exist on the target. Those passwords can be easily cracked. Once a session is opened, remote code can be executed using SSH.

Modules

WinRM

Ports

• 5985 - HTTPS

Credentials

• Any credentials valid for Metasploitable3 should work. See the list here

Access

Start/Stop

• Stop: Open services.msc. Stop the Windows Remote Management service.
• Start: Open services.msc. Start the Windows Remote Management service.

Vulnerabilities

• Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and WinRM can be used to run remote code on the target.

Modules

• auxiliary/scanner/winrm/winrm_cmd
• auxiliary/scanner/winrm/winrm_wql
• auxiliary/scanner/winrm/winrm_login
• auxiliary/scanner/winrm/winrm_auth_methods
• exploits/windows/winrm/winrm_script_exec

chinese caidao

Ports

• 80 - HTTP

Credentials

• Any credentials valid for Metasploitable3 should work. See the list here

Access

• Point your browser on metasploitable3 to http://localhost/caidao.asp

Start/Stop

• Stop: Open services.msc. Stop the World Wide Web Publishing service.
• Start: Open services.msc. Start the World Wide Web Publishing service.

Modules

• auxiliary/scanner/http/caidao_bruteforce_login

ManageEngine

Ports

8020 - HTTP

Credentials

Username: admin Password: admin

Access

On Metasploitable3, point your browser to http://localhost:8020. Login with the above credentials.

Start/Stop

• Stop: In command prompt, do net stop ManageEngine Desktop Central Server
• Start: In command prompt, do net start ManageEngine Desktop Central Server

Vulnerability IDs

• CVE-2015-8249

Modules

• exploit/windows/http/manageengine_connectionid_write

ElasticSearch

Ports

9200 - HTTP

Credentials

No credentials needed

Access

On Metasploitable3, point your browser to http://localhost:9200.

Start/Stop

• Stop: In command prompt, do net stop elasticsearch-service-x64
• Start: In command prompt, do net start elasticsearch-service-x64

Vulnerability IDs

• CVE-2014-3120

Modules

• exploit/multi/elasticsearch/script_mvel_rce

Apache Axis2

Ports

8282 - HTTP

Credentials

No credentials needed

Access

On Metasploitable3, point your browser to http://localhost:8282/axis2.

Start/Stop

Log into Apache Tomcat, and start or stop from the application manager.

Vulnerability IDs

• CVE-2010-0219

Modules

• exploit/multi/http/axis2_deployer

WebDAV

Ports

8585 - HTTP

Credentials

No credentials needed

Access

See the PR here: https://github.com/rapid7/metasploitable3/pull/16

Start/Stop

• Stop: In command prompt, do net stop wampapache
• Start: In command prompt, do net start wampapache

Modules

• auxiliary/scanner/http/http_put (see https://github.com/rapid7/metasploitable3/pull/16)

SNMP

Ports

161 - UDP

Credentials

Community String: public

Access

Load the auxiliary/scanner/snmp/snmp_enum module in Metasploit and to parse the SNMP data.

Start/Stop

• Stop: In command prompt, do net stop snmp
• Start: In command prompt, do net start snmp

Modules

• auxiliary/scanner/snmp/snmp_enum

MySQL

Ports

3306 - TCP

Credentials

U: root P:

Access

Use the mysql client to connect to port 3306 on Metasploitable3.

Start/Stop

• Stop: In command prompt, do net stop wampmysql
• Start: In command prompt, do net start wampmysql

Modules

• windows/mysql/mysql_payload

JMX

Ports

1617 - TCP

Credentials

No credentials needed

Access

Download the connector client and use the instructions found here: http://docs.oracle.com/javase/tutorial/jmx/remote/index.html

Start/Stop

• Stop: In command prompt, do net stop jmx
• Start: In command prompt, do net start jmx

Vulnerability IDs

• CVE-2015-2342

Modules

• multi/misc/java_jmx_server

Wordpress

Ports

8585 - HTTP

Credentials

No credentials needed

Access

On Metasploitable3, point your browser to http://localhost:8585/wordpress.

Start/Stop

• Stop: In command prompt, do net stop wampapache
• Start: In command prompt, do net start wampapache

Vulnerable Plugins

• NinjaForms 2.9.42 - CVE-2016-1209

Modules

• unix/webapp/wp_ninja_forms_unauthenticated_file_upload

Remote Desktop

Ports

3389 - RDP

Credentials

Any Windows credentials

Access

Use a remote desktop client. Either your OS already has one, or download a 3rd party.

Start/Stop

• Stop: net stop rdesktop
• Start: net start rdesktop

Modules

N/A

PHPMyAdmin

Ports

8585 - HTTP

Credentials

U: root P:

Access

On Metasploitable3, point your browser to http://localhost:8585/phpmyadmin.

Start/Stop

• Stop: In command prompt, do net stop wampapache
• Start: In command prompt, do net start wampapache

Vulnerability IDs

• CVE-2013-3238

Modules

• multi/http/phpmyadmin_preg_replace

Ruby on Rails

Ports

• 3000- HTTP

Credentials

N/A

Access

• On Metasploitable3, point your browser to http://localhost:3000.

Start/Stop

• Stop: Open task manager and kill the ruby.exe process
• Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.

Vulnerability IDs

• CVE-2015-3224

Modules

• exploit/multi/http/rails_web_console_v2_code_exec