Need help exploiting Linux

Discussion in 'Ethical hacking' started by gunman, Jun 30, 2010.

  1. gunman

    I am a newbie at this and I am stuck, and I am hoping I can get some advice. My situation is that I have a laptop running VMware on Windows 7; my 3 virtual machines are Linux, and my objective is to obtain the root password on 2 of my Linux VMs. Where I am stuck is how to break in and obtain a shell prompt; at least that's what I think I need to do:

    I tried many exploits with Metasploit against the open listener ports, but to no avail;
    I tried running an exploit to run a netcat command to open a shell, but no sessions were created in Metasploit.

    I want to figure this out myself, but it's obvious I need some guidance. I hope someone can help me.

    Thanks in advance. gunman

    Here are my nmap results on machine 200:


    Discovered open port 110/tcp on 192.168.1.200
    Discovered open port 111/tcp on 192.168.1.200
    Discovered open port 993/tcp on 192.168.1.200
    Discovered open port 143/tcp on 192.168.1.200
    Discovered open port 443/tcp on 192.168.1.200
    Discovered open port 22/tcp on 192.168.1.200
    Discovered open port 21/tcp on 192.168.1.200
    Discovered open port 23/tcp on 192.168.1.200
    Discovered open port 199/tcp on 192.168.1.200
    Discovered open port 80/tcp on 192.168.1.200
    Discovered open port 995/tcp on 192.168.1.200
    Discovered open port 109/tcp on 192.168.1.200
    Discovered open port 32770/tcp on 192.168.1.200
    Discovered open port 7/tcp on 192.168.1.200
    Discovered open port 79/tcp on 192.168.1.200
    Discovered open port 6000/tcp on 192.168.1.200
    Discovered open port 32768/tcp on 192.168.1.200

    PORT STATE SERVICE VERSION
    7/tcp open echo
    21/tcp open ftp vsftpd 1.1.3
    22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
    |_sshv1: Server supports SSHv1
    | ssh-hostkey: 1024 2d:db:ed:2f:1c:0b:90:8f:32:bd:d5:76:79:6d:7f:6e (RSA1)
    | 1024 79:99:86:f3:25:35:e8:34:c2:ae:2e:f3:75:88:14:12 (DSA)
    |_1024 02:e1:de:15:37:36:f6:e0:16:07:c2:e8:05:4e:4f:77 (RSA)
    23/tcp open telnet Linux telnetd
    79/tcp open finger Linux fingerd
    |_finger: No one logged on.

    80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
    | http-methods: GET HEAD POST OPTIONS TRACE
    | Potentially risky methods: TRACE
    |_html-title: Test Page for the Apache Web Server on Red Hat Linux
    109/tcp open pop2 UW POP2 server 2001.63rh
    110/tcp open pop3-proxy PGP Universal pop3 proxy (Proxied greeting: POP3 [192.168.1.200] v2001.78rh server ready)
    |_pop3-capabilities: OVID STLS OK(K Capability list follows) UIDL USER LOGIN-DELAY(180) TOP SASL(LOGIN PLAIN)
    111/tcp open rpcbind 2 (rpc #100000)
    143/tcp open jdwp
    |_imap-capabilities: IMAP4rev1 AUTH=LOGIN IDLE AUTH=PLAIN OVID STARTTLS
    199/tcp open smux Linux SNMP multiplexer
    443/tcp open ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
    | http-methods: GET HEAD POST OPTIONS TRACE
    | Potentially risky methods: TRACE
    |_sslv2: server still supports SSLv2
    |_html-title: Test Page for the Apache Web Server on Red Hat Linux
    993/tcp open ssl/imap UW imapd 2001.315rh
    |_sslv2: server still supports SSLv2
    |_imap-capabilities: LOGIN-REFERRALS IMAP4REV1 AUTH=PLAIN SCAN THREAD=REFERENCES MAILBOX-REFERRALS SORT AUTH=LOGIN THREAD=ORDEREDSUBJECT IDLE NAMESPACE MULTIAPPEND
    995/tcp open tcpwrapped
    |_pop3-capabilities: OK(K Capability list follows) UIDL LOGIN-DELAY(180) USER TOP SASL(PLAIN LOGIN)
    6000/tcp open X11 (access denied)
    32768/tcp open status 1 (rpc #100024)
    32770/tcp open mountd 1-3 (rpc #100005)
    Running: Linux 2.4.X
    OS details: Linux 2.4.18 - 2.4.35 (likely embedded)

    Here are my nmap results on machine 73:
    Discovered open port 22/tcp on 192.168.1.73
    Discovered open port 111/tcp on 192.168.1.73

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey: 1024 85:62:1b:9c:3c:36:bb:41:2d:64:6a:4b:e1:aa:9f:07 (DSA)
    |_2048 f9:19:f1:a0:f5:33:80:90:33:07:f9:9f:21:2f:fb:7f (RSA)
    111/tcp open rpcbind 2 (rpc #100000)
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.9 - 2.6.28
     
  2. gunman

    This exercise is for my CPT cert. I would appreciate a hint as to whether Metasploit is the right direction or not, or whether I should pursue another route: FTP, Telnet, etc.
     
