how to exploit 512/tcp open exec netkit-rsh rexecd?

This walkthrough uses a Metasploitable vulnerable machine running in VirtualBox (Metasploitable 1, Metasploitable 2 or Metasploitable 3), and the technique also applies to future versions.

Before exploitation we need to understand what netkit-rsh rexecd is; it is the service available on ports 512, 513 and 514.

We don't need to understand it in depth: if port 513 and the exec service (netkit-rsh rexecd) are open, it simply means a remote shell is exposed, and we can reach that shell by IP address or hostname from any Linux terminal, provided we have the rlogin and rsh-client tools.

We also need the correct IP address or hostname of the target.

Step 1 Active Recon With Nmap
There are many other ways to do active recon, but in this scenario I want to use nmap (the network mapping tool).

nmap -T4 -A -p 512,513,514 (victim ip here)

Run this command; if you don't know what the options mean, see the explanation below. (Note that the port list must not contain spaces, otherwise nmap treats "513," and "514" as extra targets rather than ports.)

-T4 (-T<0-5>: set timing template; higher is faster)
-A (enable OS detection, version detection, script scanning and traceroute)
-p 512,513,514 (only scan ports 512, 513 and 514, i.e. the netkit-rsh services)

Run the nmap command above.

Command: (screenshot)
Result: (screenshot)

Most importantly, port 512 opens the rsh remote shell without a password, but we need two tools first.

Step 2 Install rlogin and rsh-client tools

You may or may not already have both tools installed on your Linux pen-testing machine.

If you have both tools installed, skip this step and jump straight to Step 3; if you don't have them, install them as follows.

What Is Rlogin tool?
rlogin is a remote login tool: it starts a terminal session on a remote host.

How to Install Rlogin Tool?
The rlogin tool is usually already installed on Linux, so you may not need to install it.
If you don't have it, run the command below.
sudo apt-get install rlogin

What is an rsh-client tool?
rsh-client tool is a remote shell tool.

How to install rsh-client tool?
Just run the two commands below.
sudo apt update
sudo apt install rsh-client

Now we have both tools, so move on to Step 3 for exploitation.


Step 3 Get Root Access
Please note: without the rsh-client tool we will not be able to log in as root without a password.

Just to be sure, check that you have both tools installed.

Type the command below and see the magic.

Command: 
rlogin -l root (victim ip here)

Result: (screenshot)
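Why the login in Step 3 needs no password, and how an administrator can spot the same condition on a host: the r-services (rlogin, rsh, rexec) accept a connection when the client's host, and for ~/.rhosts the user, match an entry in /etc/hosts.equiv or the target account's ~/.rhosts, and a wildcard "+" entry matches anything. The audit script below is an added example, not part of the original post; it assumes the classic netkit trust-file format ("host [user]" per line, "+" meaning any), and the sample file contents are constructed.

```python
# Audit rlogin/rsh trust files (/etc/hosts.equiv, ~/.rhosts) for wildcards.
# Format assumed (classic netkit): one rule per line, "host [user]", where
# "+" means any host / any user. Sample file contents below are constructed.
from dataclasses import dataclass

@dataclass
class Finding:
    source: str
    line_no: int
    entry: str
    reason: str

def parse_entries(text):
    """Yield (line_no, host, user) per rule, skipping blanks and comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], (parts[1] if len(parts) > 1 else None)

def audit_trust_file(source, text):
    """Flag every rule that trusts more than one named host (and user)."""
    findings = []
    for n, host, user in parse_entries(text):
        entry = host if user is None else f"{host} {user}"
        if host == "+" and user == "+":
            reason = "any host, any user: passwordless login from anywhere"
        elif host == "+":
            reason = "any host is trusted for this account"
        elif user == "+":
            reason = f"any user on {host} may log in as this account"
        else:
            continue  # explicit host[/user] rule: acceptable
        findings.append(Finding(source, n, entry, reason))
    return findings

def strip_wildcards(text):
    """Corrected form of the file: wildcard rules removed, explicit ones kept."""
    bad = {f.line_no for f in audit_trust_file("-", text)}
    return "\n".join(l for n, l in enumerate(text.splitlines(), 1) if n not in bad)

# Constructed samples: the over-permissive file beside an explicit one.
WEAK_RHOSTS = "# root trust file\n+ +\n"
SANE_EQUIV = "jumphost.corp.example admin\n"

if __name__ == "__main__":
    for src, text in (("/root/.rhosts", WEAK_RHOSTS), ("/etc/hosts.equiv", SANE_EQUIV)):
        for f in audit_trust_file(src, text):
            print(f"{f.source}:{f.line_no}: '{f.entry}' -> {f.reason}")
```

Removing the wildcard entries closes the passwordless path, but the durable fix is to disable the rsh/rlogin/rexec services entirely and use SSH instead, since the r-services also send credentials and session data in cleartext.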
