How To: Hack Metasploitable 2 Part 1

This tutorial is for people who want to try different types of hacks in an environment that is the same for everyone so it will help people to ask questions and learn. This series assumes you know how to run a VM and network them together. This series also assumes that the services running on the Metasploitable machine are needed to be running.

Download Metasploitable 2 here

First off the biggest issue with Metasploitable is the passwords for the accounts. This is super easy to hack because the login screen for Metasploitable gives the default username and password for in the /etc/issue file which we will change later.

First off is to login with SSH and accept the key

Not hit ctrl+c to exit this and connect through msfadmin (or you could do this step first ;) )

Since we know the default password is msfadmin we can log right in. After this we should grab sudo permissions so we can secure our machine more.

Now we know what the default passwords are because it is well documented. Picture from here.

Next I am going to change the passwords of all these accounts. I changed them all to nullbyte because it is simple even though it is really insecure. Also we want to keep these accounts so employees can do their work.

Next we want to prevent root login for SSH. Open the file /etc/ssh/sshdconfig and find the PermitRootLogin yes and change the yes to no. More here.

Next restart the SSH daemon with /etc/init.d/ssh restart. Next we should remove the default username and password from the welcome login screen. This is located in /etc/issue.

This was found with a simple Google search. Also editing the /etc/motd will allow you to edit for all logins no matter if it is local or remote but isn't covered here.

At least change this highlighted line. You can change more of this if you like.

More coming soon if people like this series! Please give me any feedback in the comments. I will try to help as with the awesome people of this site!

Next tutorial coming soon!