Doumit04/Metasploitable-2---pentest

Metasploitable 2 — Penetration Testing & Network Traffic Analysis

A two-phase security assessment conducted against Metasploitable 2 in a fully isolated virtual lab environment. Phase 1 covers vulnerability exploitation across 7 distinct attack vectors. Phase 2 covers Wireshark network traffic analysis of each attack — providing both the offensive and defensive perspectives of every exploit.


Project Overview

This project is a comprehensive, two-phase penetration testing and SOC analysis engagement against Metasploitable 2 — an intentionally vulnerable Linux virtual machine developed by Rapid7 for security training and research.

The project goes beyond simple exploitation by pairing every attack with a full Wireshark network traffic analysis — examining what each attack looks like on the wire, identifying detection opportunities, and writing Snort/Suricata detection rules. This dual perspective (red team + blue team) is the core distinguishing feature of this assessment.

| Phase | Focus | Output |
|---|---|---|
| Phase 1 | Penetration Testing — identify, exploit, and document 7 vulnerabilities | 7 individual exploit reports + 1 compiled final report |
| Phase 2 | Wireshark Traffic Analysis — analyse every attack on the network layer | 7 individual traffic analysis reports + 1 compiled final report |

Lab Environment

| Component | Details |
|---|---|
| Host Machine | Windows 11 — Intel Core i9, 16 GB RAM, 512 GB SSD |
| Virtualization | Oracle VirtualBox 7.2.6 with Extension Pack |
| Attack Platform | Kali Linux 2025.4 — 2 GB RAM, 2 CPU cores — 192.168.56.102 |
| Target System | Metasploitable 2 (Ubuntu Linux) — 1 GB RAM, 1 CPU core — 192.168.56.101 |
| Network | Host-Only Adapter — fully isolated, no internet access |
| Packet Capture | Wireshark 4.6.0 — capturing on eth0 for all inter-machine traffic |

Network Architecture

┌──────────────────────────────────────────────────────────────────┐
│                    Host Machine (Windows 11)                      │
│                                                                  │
│   ┌──────────────────────┐         ┌──────────────────────────┐  │
│   │      Kali Linux      │─────────▶    Metasploitable 2      │  │
│   │      (Attacker)      │         │        (Target)          │  │
│   │   192.168.56.102     │         │     192.168.56.101       │  │
│   │                      │         │                          │  │
│   │  • Nmap              │         │  • 30 open ports         │  │
│   │  • Metasploit        │         │  • 7 exploited           │  │
│   │  • Netcat            │         │  • Multiple CVEs         │  │
│   │  • msfvenom          │         │  • Default credentials   │  │
│   │  • Wireshark 4.6.0   │         │  • Backdoored services   │  │
│   └──────────────────────┘         └──────────────────────────┘  │
│                                                                  │
│              Host-Only Network  (192.168.56.0/24)                │
│              Completely isolated — no internet access            │
└──────────────────────────────────────────────────────────────────┘

Methodology

Phase 1 — Penetration Testing
│
├── Environment Setup
│     └── VirtualBox configuration, VM deployment, network isolation verification
│
├── Reconnaissance
│     └── Full TCP port scan (nmap -p- -sV) — 30 open ports discovered
│
├── Vulnerability Analysis
│     └── Service version identification, CVE research, attack vector mapping
│
├── Exploitation
│     └── 7 vulnerabilities exploited across 6 different attack categories
│
└── Documentation
      └── 7 individual exploit reports + 1 compiled 122-page final report

Phase 2 — Wireshark Traffic Analysis
│
├── Capture Setup
│     └── Wireshark started on eth0 before each exploit — full session captured
│
├── Protocol Analysis
│     └── Display filters, protocol dissectors, Follow TCP Stream per exploit
│
├── Detection Engineering
│     └── 18 Snort/Suricata rules written — one rule set per exploit
│
└── Documentation
      └── 7 individual traffic analysis reports + 1 compiled final report

Phase 1 — Exploitation

Exploits Summary

| # | Port | Service | Vulnerability | CVE | Severity | Access Gained | Root |
|---|---|---|---|---|---|---|---|
| 1 | 1524 | Bindshell | Pre-installed root backdoor | — | Critical | root (uid=0) | Yes |
| 2 | 21 | vsftpd 2.3.4 | Backdoor in source code | CVE-2011-2523 | Critical | root (uid=0) | Yes |
| 3 | 6667 | UnrealIRCd | Trojanised IRC daemon | CVE-2010-2075 | Critical | root (uid=0) | Yes |
| 4 | 445 | Samba 3.0.20 | Username field command injection | CVE-2007-2447 | Critical | root (uid=0) | Yes |
| 5 | 3632 | DistCC | Arbitrary command execution | CVE-2004-2687 | High | daemon (uid=1) | No |
| 6 | 8180 | Apache Tomcat | Default credentials + WAR upload | — | High | tomcat55 (uid=110) | No |
| 7 | 5432 | PostgreSQL | Default credentials + file read | — | High | postgres (uid=108) | No |

Attack Vectors Covered

| Category | Exploit(s) | Description |
|---|---|---|
| Backdoor Exploitation | #1, #2, #3 | Connecting to or triggering pre-installed backdoors in vsftpd, UnrealIRCd, and the permanent bindshell |
| Command Injection | #4 | Injecting shell metacharacters through Samba's username map script parameter |
| Remote Code Execution | #5 | Exploiting the DistCC daemon to accept and execute arbitrary commands |
| Default Credential Exploitation | #6, #7 | Accessing Tomcat Manager and PostgreSQL using unchanged factory credentials |
| Payload Crafting & Deployment | #6 | Generating a reverse shell WAR file with msfvenom, deployed through Tomcat Manager |
| Database-Level File Read | #7 | Reading system files through PostgreSQL's COPY FROM SQL technique |

Phase 2 — Wireshark Traffic Analysis

What Each Capture Reveals

| # | Exploit | Trigger Port | Shell Type | Key Finding |
|---|---|---|---|---|
| 1 | vsftpd 2.3.4 | 21 (FTP) | Bind — Port 6200 | `:)` backdoor trigger visible in plain-text FTP traffic |
| 2 | Bindshell | 1524 | Bind — Port 1524 | Root shell prompt appears in Packet 4 — before any command is typed |
| 3 | UnrealIRCd | 6667 (IRC) | Reverse — Port 4444 | `AB;sh` trigger visible in IRC stream — reverse shell confirmed by all-red TCP stream |
| 4 | Samba | 445 (SMB) | Reverse — Port 4444 | Shell command injection hidden inside SMB username field |
| 5 | DistCC | 3632 | Reverse — Port 4444 | Wireshark auto-flags [Malformed Packet] — Least Privilege limits access to daemon (uid=1) |
| 6 | Apache Tomcat | 8180 (HTTP) | Reverse — Port 4444 | Complete attack chain visible in HTTP traffic: auth → upload → deploy → execute |
| 7 | PostgreSQL | 5432 | None (SQL) | MD5 hash and COPY FROM /etc/passwd SQL technique fully visible in unencrypted protocol stream |

Universal Finding

Every protocol analysed in this assessment — FTP, TCP, IRC, SMB, DistCC, HTTP, and PostgreSQL — transmits all data in plain text without encryption. Any device passively monitoring the network segment has complete visibility of every command, every response, and every piece of sensitive data exchanged during each attack.
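As an added illustration of this finding (example code, not part of the Doumit04/Metasploitable-2---pentest repository), the Python below mimics Wireshark's Follow TCP Stream on a constructed plaintext FTP exchange between the lab's Kali host and the Metasploitable 2 target. It reorders out-of-sequence segments, drops a retransmission, marks any gap, and then lifts the USER/PASS pair straight out of the client side of the stream. The `Segment` fields, the ephemeral port 51234 and every byte of the sample session are assumptions made for the example.

```python
# Added example, not code from the repository. It mimics Wireshark's
# "Follow TCP Stream" on a constructed FTP exchange to show that every command
# and credential is recoverable by any passive observer on the segment.
# The Segment fields, port 51234 and the sample bytes are assumptions.
from dataclasses import dataclass

ATTACKER = "192.168.56.102"   # Kali (from the lab table)
TARGET = "192.168.56.101"     # Metasploitable 2 (from the lab table)


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment: endpoints, the sequence number of its first
    payload byte, and the payload itself."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def follow_stream(segments):
    """Reassemble each direction of a conversation in sequence-number order,
    discarding retransmitted bytes and marking gaps, as Follow TCP Stream does.
    Returns {(src, sport, dst, dport): bytes}."""
    per_direction = {}
    for s in segments:
        per_direction.setdefault((s.src, s.sport, s.dst, s.dport), []).append(s)

    streams = {}
    for key, segs in per_direction.items():
        segs.sort(key=lambda s: s.seq)            # capture order is not byte order
        buf = bytearray()
        next_seq = segs[0].seq
        for s in segs:
            end = s.seq + len(s.payload)
            if end <= next_seq:
                continue                          # pure retransmission, already have it
            if s.seq > next_seq:                  # lost segment: keep the hole visible
                buf += b"[%d bytes missing]" % (s.seq - next_seq)
            buf += s.payload[max(0, next_seq - s.seq):]   # trim any overlapping prefix
            next_seq = end
        streams[key] = bytes(buf)
    return streams


def ftp_credentials(client_stream):
    """Pull USER/PASS out of the client side of a plaintext FTP session."""
    user = password = None
    for line in client_stream.split(b"\r\n"):
        if line.startswith(b"USER "):
            user = line[5:].decode()
        elif line.startswith(b"PASS "):
            password = line[5:].decode()
    return user, password


# Constructed capture: segments appear in capture order, with the LIST command
# arriving before the PASS segment it follows, and PASS retransmitted once.
SAMPLE_CAPTURE = [
    Segment(TARGET, 21, ATTACKER, 51234, 1000, b"220 FTP server ready\r\n"),
    Segment(ATTACKER, 51234, TARGET, 21, 2000, b"USER alice\r\n"),
    Segment(TARGET, 21, ATTACKER, 51234, 1022, b"331 Please specify the password.\r\n"),
    Segment(ATTACKER, 51234, TARGET, 21, 2025, b"LIST\r\n"),
    Segment(ATTACKER, 51234, TARGET, 21, 2012, b"PASS s3cret\r\n"),
    Segment(ATTACKER, 51234, TARGET, 21, 2012, b"PASS s3cret\r\n"),   # retransmission
    Segment(TARGET, 21, ATTACKER, 51234, 1056, b"230 Login successful.\r\n"),
]

CLIENT_SIDE = (ATTACKER, 51234, TARGET, 21)
SERVER_SIDE = (TARGET, 21, ATTACKER, 51234)


def reconstruct_sample():
    """Return (client bytes, server bytes, (user, password)) for SAMPLE_CAPTURE."""
    streams = follow_stream(SAMPLE_CAPTURE)
    client, server = streams[CLIENT_SIDE], streams[SERVER_SIDE]
    return client, server, ftp_credentials(client)


if __name__ == "__main__":
    client, server, creds = reconstruct_sample()
    print(client.decode(), server.decode(), creds, sep="\n")
```

The point of the gap marker and retransmission handling is that reassembly needs no cooperation from either endpoint: sequence numbers alone are enough for a bystander to rebuild the session byte-for-byte, which is why the only fix is encryption at the protocol layer rather than anything done on the wire.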

Detection Engineering — 18 Snort/Suricata Rules Written

| Exploit | Rules | Primary Detection Signature |
|---|---|---|
| vsftpd Backdoor | 3 | `:)` pattern in FTP USER command |
| Bindshell | 2 | Any TCP connection to port 1524 |
| UnrealIRCd | 3 | `AB;` prefix in IRC traffic |
| Samba | 3 | Backtick characters in SMB username field |
| DistCC | 2 | [Malformed Packet] on port 3632 |
| Apache Tomcat | 3 | POST to /manager/html/upload |
| PostgreSQL | 2 | External connection to port 5432 |

Key Findings

  • 4 of 7 exploits achieved immediate root access (uid=0) — full system compromise with no privilege escalation required
  • 2 of 7 exploits succeeded through default credentials alone — no CVE, no exploit code, no technical skill required beyond knowing the default username and password
  • 4 CVEs in this assessment are between 14 and 21 years old — all had patches available from the day of disclosure
  • Port 4444 appears as the reverse shell listener across 4 consecutive exploits — an unmistakable Metasploit fingerprint detectable by a single IDS rule
  • Least Privilege worked in Exploits #5 and #6 — DistCC and Tomcat running as service accounts prevented /etc/shadow access, demonstrating a meaningful security control
  • All 7 attacks are fully visible in unencrypted Wireshark captures — protocol-aware network monitoring would detect every exploit in this assessment
  • 30 open ports were discovered during reconnaissance — only 7 were exploited, meaning the actual attack surface is significantly larger than what this report covers
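To make the detection side concrete, here is an added example (not code from the repository, and not the project's Snort/Suricata rule set) that re-expresses the primary detection signature of each rule group in the Detection Engineering table, plus the "port 4444 reverse shell listener" finding above, as Python checks run over constructed flow records. The `Flow` fields, the `PG_ALLOWED_CLIENTS` policy, the simplified SMB and DistCC checks, and all sample payloads are assumptions; the signature strings themselves (`:)`, `AB;`, backticks, `/manager/html/upload`, ports 1524/3632/5432/4444) come from the tables on this page.

```python
# Added example, not the repository's code nor its Snort/Suricata rules. It turns
# each primary detection signature from the README's table, plus the port-4444
# finding, into a check over constructed flow records. The Flow fields,
# PG_ALLOWED_CLIENTS, the SMB/DistCC simplifications and all sample payloads
# are assumptions.
import re
from dataclasses import dataclass

TARGET = "192.168.56.101"          # Metasploitable 2 (from the lab table)
ATTACKER = "192.168.56.102"        # Kali (from the lab table)
PG_ALLOWED_CLIENTS = {TARGET}      # assumption: PostgreSQL should only see local clients


@dataclass(frozen=True)
class Flow:
    """One reassembled TCP conversation (constructed, not captured): endpoints,
    server port and the client-to-server payload bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def sig_vsftpd(f):
    # ":)" appended to the FTP USER argument is the vsftpd 2.3.4 backdoor trigger
    return f.dport == 21 and re.search(rb"^USER [^\r\n]*:\)", f.payload, re.M) is not None


def sig_bindshell(f):
    # the README's rule: any connection at all to port 1524 on the target
    return f.dst == TARGET and f.dport == 1524


def sig_unrealircd(f):
    return f.dport == 6667 and b"AB;" in f.payload


def sig_samba(f):
    # README rule: backticks in the SMB username field. Simplification (assumption):
    # look for a backtick anywhere in the SMB payload instead of parsing SMB.
    return f.dport == 445 and b"`" in f.payload


def sig_distcc(f):
    # Wireshark's [Malformed Packet] flag comes from its dissector. Approximation
    # (assumption): alert on traffic to 3632 that does not open with a well-formed
    # distcc token, i.e. four upper-case letters followed by eight hex digits.
    return f.dport == 3632 and re.match(rb"[A-Z]{4}[0-9a-fA-F]{8}", f.payload) is None


def sig_tomcat(f):
    return f.dport == 8180 and f.payload.startswith(b"POST /manager/html/upload")


def sig_postgres(f):
    return f.dport == 5432 and f.src not in PG_ALLOWED_CLIENTS


def sig_reverse_shell_4444(f):
    # the target opening an outbound connection to 4444: Metasploit's default listener
    return f.src == TARGET and f.dport == 4444


SIGNATURES = {
    "vsftpd-backdoor-trigger": sig_vsftpd,
    "bindshell-1524": sig_bindshell,
    "unrealircd-ab-trigger": sig_unrealircd,
    "samba-username-backtick": sig_samba,
    "distcc-malformed": sig_distcc,
    "tomcat-manager-upload": sig_tomcat,
    "postgres-external-client": sig_postgres,
    "metasploit-reverse-4444": sig_reverse_shell_4444,
}


def scan(flows):
    """Return (flow index, signature name) for every flow that matches a signature."""
    return [(i, name) for i, f in enumerate(flows)
            for name, check in SIGNATURES.items() if check(f)]


# Constructed flows: one per signature, followed by three benign conversations.
SAMPLE_FLOWS = [
    Flow(ATTACKER, TARGET, 21, b"USER bob:)\r\nPASS x\r\n"),
    Flow(ATTACKER, TARGET, 1524, b"id\n"),
    Flow(ATTACKER, TARGET, 6667, b"NICK probe\r\nAB;test\r\n"),
    Flow(ATTACKER, TARGET, 445, b"username=`x`"),
    Flow(ATTACKER, TARGET, 3632, b"DIST000001"),                  # length field too short
    Flow(ATTACKER, TARGET, 8180, b"POST /manager/html/upload HTTP/1.1\r\nHost: "
         + TARGET.encode() + b":8180\r\n"),
    Flow(ATTACKER, TARGET, 5432),
    Flow(TARGET, ATTACKER, 4444),
    Flow(ATTACKER, TARGET, 21, b"USER alice\r\nPASS s3cret\r\n"),        # ordinary login
    Flow(ATTACKER, TARGET, 8180, b"GET /index.jsp HTTP/1.1\r\n"),         # ordinary fetch
    Flow(ATTACKER, TARGET, 3632, b"DIST00000001ARGC00000002ARGV00000003gcc"),  # well-formed
]

if __name__ == "__main__":
    for index, name in scan(SAMPLE_FLOWS):
        print(f"flow {index}: {name}")
```

Two of these checks are deliberately coarse, matching the README's own rules: the bindshell and PostgreSQL signatures fire on the connection alone, with no payload inspection, which is why they are cheap but also why they need an allow-list (here `PG_ALLOWED_CLIENTS`) to avoid alerting on legitimate clients. The port-4444 check is the single-rule fingerprint the finding above describes; a real listener can of course be moved to another port, so it is a quick win rather than a complete control.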

Three Controls That Would Have Prevented All 7 Exploits

| Control | Exploits Prevented |
|---|---|
| Change all default credentials | #6, #7 — immediately, with zero technical effort |
| Apply available patches | #1, #2, #3, #4, #5 — all had patches available for over a decade |
| Network segmentation — close all non-required ports | #1, #2, #3, #5 directly; hardens all others |

Skills Demonstrated

| Domain | Skills |
|---|---|
| Reconnaissance & Enumeration | Full TCP port scanning, service fingerprinting, attack surface mapping |
| Exploitation | Backdoor exploitation, command injection, RCE, credential attacks, payload crafting |
| Network Traffic Analysis | Wireshark capture methodology, display filters, TCP stream reconstruction, protocol dissection |
| Detection Engineering | Snort/Suricata rule writing, IOC identification, protocol-level attack signatures |
| Security Frameworks | MITRE ATT&CK alignment, CVE/CVSS-based risk assessment, Principle of Least Privilege evaluation |
| Tooling | Nmap, Metasploit Framework, Wireshark 4.6.0, Netcat, msfvenom, PostgreSQL CLI |
| Reporting & Documentation | Executive summaries, impact assessments, remediation guidance, professional technical writing |

Repository Structure

Metasploitable-2---pentest/
│
├── README.md
│
├── exploits/
│   ├── 01_Bindshell_Port1524.pdf
│   ├── 02_vsftpd_Port21.pdf
│   ├── 03_UnrealIRCd_Port6667.pdf
│   ├── 04_Samba_Port445.pdf
│   ├── 05_DistCC_Port3632.pdf
│   ├── 06_Tomcat_Port8180.pdf
│   └── 07_PostgreSQL_Port5432.pdf
│
├── report/
│   └── Metasploitable2_Penetration_Testing_Report.pdf
│
└── wireshark-traffic-analysis/
    ├── exploit1-vsftpd.pdf
    ├── exploit2-bindshell.pdf
    ├── exploit3-unrealircd.pdf
    ├── exploit4-samba.pdf
    ├── exploit5-distcc.pdf
    ├── exploit6-tomcat.pdf
    ├── exploit7-postgresql.pdf
    └── Wireshark_Complete_Report.pdf

Tools Used

| Tool | Version | Purpose |
|---|---|---|
| Nmap | 7.95 | Full TCP port scanning (-p-) and service version detection (-sV) |
| Metasploit Framework | Latest | Exploit module execution, payload delivery, auxiliary scanning |
| Wireshark | 4.6.0 | Full packet capture on eth0, display filters, TCP stream reconstruction |
| Netcat (nc) | — | Direct TCP connection to the open bindshell on port 1524 |
| msfvenom | — | Generating a custom Java/JSP reverse shell WAR payload for Tomcat |
| psql | — | PostgreSQL CLI for direct database interaction and verification |
| Oracle VirtualBox | 7.2.6 | Virtual machine management and isolated network configuration |

Report Structure

Each of the 7 exploit reports and each of the 7 Wireshark analysis reports follows a consistent, professional format:

Exploitation Reports (Phase 1)

| Section | Content |
|---|---|
| Executive Summary | High-level overview, severity rating, and key outcome |
| Vulnerability Details | CVE information, CVSS score, vulnerability description |
| Reconnaissance Phase | Nmap scan results and service analysis |
| Exploitation Phase | Step-by-step methodology with tool configuration |
| Proof of Concept | Access verification commands and data accessed |
| Impact Assessment | Access level achieved, data at risk, business impact |
| Remediation | Immediate actions and long-term security measures |

Traffic Analysis Reports (Phase 2)

| Section | Content |
|---|---|
| Executive Summary | What the attack looks like on the wire |
| Capture Setup | Interface, filters, and methodology |
| Protocol Analysis | Packet-by-packet breakdown with Wireshark screenshots |
| TCP Stream Analysis | Full session reconstruction in plain text |
| Attack Timeline | Timestamped sequence of every network event |
| Detection Opportunities | IDS rules, IOCs, and monitoring recommendations |
| Key Findings | Lessons learned from the network perspective |

Future Work

  • Privilege escalation on the three limited-access shells (daemon, tomcat55, postgres) to explore paths from service-account access to full root compromise
  • Exploitation of remaining services across the 23 open ports identified but not targeted in this engagement
  • Post-exploitation techniques including lateral movement simulation, persistence mechanisms, and credential harvesting
  • Automated scanning integration using OpenVAS or Nessus to compare manual findings against automated vulnerability assessment results
  • Encrypted protocol comparison — re-running select attacks with encrypted alternatives (SFTP, SSH, HTTPS) to demonstrate the defensive value of encryption

Disclaimer

This project was conducted in a controlled, fully isolated virtual lab environment for educational and portfolio purposes only. Metasploitable 2 is an intentionally vulnerable virtual machine developed by Rapid7 specifically for security training and penetration testing practice. No real-world systems, networks, or data were targeted or compromised at any point. All techniques demonstrated in this project should only be performed in explicitly authorised testing environments.


Author: Tony Doumit
Assessment Period: February 2026
Phases Completed: 2 of 2

About

Two-phase red/blue team lab, exploited 7 real CVEs with root access on 4 targets, then built 18 custom Snort/Suricata detection rules from Wireshark traffic captures