Share
## https://sploitus.com/exploit?id=A41BDBAB-C86F-56F2-B9E8-709503C4D553
# Metasploitable Vulnerability Assessment  
Network Enumeration & CVE Analysis (Ethical Hacking Simulation)

This project documents a vulnerability assessment performed against the Metasploitable virtual machine using Nmap for service enumeration and manual CVE research. The assessment focuses on identifying exposed services, analyzing associated vulnerabilities, and understanding potential exploitation paths. This lab was conducted in a controlled environment to simulate real‑world penetration testing fundamentals.

---

## 1. Executive Summary
This assessment evaluates the security posture of a Metasploitable VM by identifying open ports, service versions, and known vulnerabilities. The purpose is to understand how attackers enumerate systems, correlate findings with public CVEs, and determine exploitability.

Based on the analysis, the environment contains **multiple critical vulnerabilities**, including backdoored services, remote code execution flaws, authentication bypasses, and misconfigurations. These weaknesses demonstrate how quickly an attacker could escalate from reconnaissance to full system compromise.

---

## 2. Scope of Assessment

### In Scope
- Nmap scanning  
- Service enumeration  
- Version identification  
- CVE research  
- Exploit mapping  

### Out of Scope
- Full exploitation  
- Privilege escalation  
- Post‑exploitation activities  
- Defensive hardening beyond recommendations  

### Environment Summary
| Item | Description |
|------|-------------|
| Target | Metasploitable VM |
| OS | Linux (intentionally vulnerable) |
| Exposure | Local lab network |
| Tools | Nmap, CVE databases, Metasploit (research only) |

---

## 3. Methodology
1. Performed an Nmap scan to enumerate open ports and detect service versions.  
2. Researched each identified service using MITRE, NVD, and Exploit‑DB.  
3. Mapped vulnerabilities to CVEs and documented known exploit modules.  
4. Assessed risk and potential impact for each service.  
5. Compiled findings into a structured vulnerability report.

---

## 4. Vulnerability Findings

### FTP – vsftpd 2.3.4 (Port 21)
**CVE:** CVE‑2011‑2523  
**Threat:** Backdoor vulnerability enabling remote shell access.  
**Impact:** Full system compromise.  
**Exploit:** `vsftpd_234_backdoor` (Metasploit)

---

### SSH – OpenSSH 4.7p1 (Port 22)
**CVE:** CVE‑2008‑0166  
**Threat:** Weak random number generation → predictable cryptographic keys.  
**Impact:** Attackers can impersonate users or decrypt sessions.

---

### Telnet – telnetd (Port 23)
**CVE:** CVE‑2001‑0554  
**Threat:** Debug mode allows unauthorized command execution.  
**Impact:** Remote command execution without authentication.

---

### SMTP – Postfix (Port 25)
**CVE:** CVE‑2009‑3555  
**Threat:** TLS renegotiation flaw enabling MITM attacks.  
**Impact:** Interception and modification of email traffic.

---

### DNS – ISC BIND 9.4.2 (Port 53)
**CVE:** CVE‑2008‑1447  
**Description:** This version of BIND is vulnerable to the Kaminsky DNS cache‑poisoning attack. Attackers can inject malicious DNS records into the server’s cache, redirecting users to attacker‑controlled domains.  
**Exploit:** Public exploit scripts automate DNS spoofing and cache poisoning.

---

### HTTP – Apache httpd 2.2.8 (Port 80)
**CVE:** CVE‑2008‑0005  
**Description:** A flaw in Apache’s `mod_proxy` module allows remote attackers to trigger a denial‑of‑service (DoS) condition by sending crafted requests that cause the server to crash or become unresponsive.  
**Exploit:** Attackers can use automated tools to send malformed proxy requests and exhaust server resources.

---

### RPC – rpcbind (Port 111)
**CVE:** CVE‑1999‑0005  
**Threat:** Misconfigured RPC services may allow remote attackers to execute commands or gain unauthorized access.  
**Impact:** Unauthorized system access.

---

### SMB – Samba (Ports 139/445)
**CVE:** CVE‑2007‑2447  
**Threat:** Arbitrary code execution via crafted RPC requests.  
**Impact:** Full remote takeover.  
**Exploit:** Username map script (Metasploit)

---

### Java RMI – grmiregistry (Port 1099)
**CVE:** CVE‑2011‑3556  
**Threat:** Remote code execution via insecure RMI endpoints.  
**Impact:** Complete compromise of Java services.

---

### NFS – Network File System (Port 2049)
**CVE:** CVE‑1999‑0024  
**Threat:** Misconfigured NFS exports may allow unauthorized access to shared directories.  
**Impact:** Data exposure and unauthorized file access.

---

### FTP – ProFTPD 1.3.1 (Port 2121)
**CVE:** CVE‑2010‑3867  
**Threat:** Vulnerable to remote code execution or authentication bypass.  
**Impact:** Full server compromise.

---

### MySQL – 5.0.51a (Port 3306)
**CVE:** CVE‑2012‑2122  
**Description:** Due to a flaw in MySQL’s authentication code, incorrect password checks may succeed after multiple attempts. This allows attackers to log in as any user — including root — without knowing the correct password.  
**Exploit:** Simple scripts can brute‑force login attempts until the server incorrectly grants access.

---

### PostgreSQL – 8.3.x (Port 5432)
**CVE:** CVE‑2007‑6600  
**Threat:** Attackers can manipulate queries and escalate privileges.  
**Impact:** Unauthorized database access.

---

### IRC – UnrealIRCd (Port 6667)
**CVE:** CVE‑2010‑2075  
**Threat:** Backdoored version enabling remote command execution.  
**Impact:** Instant full compromise.  
**Exploit:** `unreal_ircd_3281_backdoor` (Metasploit)

---

### AJP13 – Apache JServ Protocol (Port 8009)
**CVE:** CVE‑2020‑1938  
**Threat:** Ghostcat vulnerability enabling file read and potential RCE.  
**Impact:** Sensitive file disclosure or remote code execution.

---

### Apache Tomcat – Coyote JSP (Port 8180)
**CVE:** CVE‑2020‑9484  
**Threat:** Remote code execution via insecure deserialization.  
**Impact:** Attackers can execute arbitrary commands on the server.

---

## 5. Risk Summary
The Metasploitable VM contains numerous critical vulnerabilities, including:

- Remote code execution  
- Backdoored services  
- Weak cryptographic implementations  
- Authentication bypasses  
- Denial‑of‑service weaknesses  
- Broad attack surface exposure  

These findings highlight how attackers can rapidly escalate privileges and compromise the entire system.

---

## 6. Recommended Controls
| Risk | Recommended Control | Type |
|------|---------------------|------|
| Remote code execution | Patch or remove outdated services | Corrective |
| Weak encryption | Regenerate keys; update crypto libraries | Preventive |
| Backdoored services | Replace compromised software | Corrective |
| Authentication bypass | Enforce strong authentication | Preventive |
| DoS vulnerabilities | Apply patches; restrict access | Preventive |

---

## 7. Mitigation Plan
- Remove or update vulnerable service versions  
- Disable unnecessary services  
- Restrict network access to critical ports  
- Apply patches regularly  
- Implement firewall rules to reduce exposure  
- Enforce strong authentication and encryption  

---

## 8. What I Learned
- How attackers enumerate services using Nmap  
- How to correlate service versions with known CVEs  
- How exploitation frameworks map to real vulnerabilities  
- How to write structured vulnerability reports  
- How misconfigurations and outdated software increase risk