Advanced Ethical Hacking Institute in Pune
The foundation for any successful penetration test is solid reconnaissance. Failure to perform proper information gathering will have you flailing around at random, attacking machines that are not vulnerable and missing others that are.
We’ll be covering just a few of these information gathering techniques such as:
Scanners and most other auxiliary modules use the RHOSTS option instead of RHOST. RHOSTS can take IP ranges (192.168.1.20-192.168.1.30), CIDR ranges (192.168.1.0/24), multiple ranges separated by commas (192.168.1.0/24, 192.168.3.0/24), and line separated host list files (file:/tmp/hostlist.txt). This is another use for our grepable Nmap output file.
Note also that, by default, all of the scanner modules will have the THREADS value set to ‘1’. The THREADS value sets the number of concurrent threads to use while scanning. Set this value to a higher number in order to speed up your scans or keep it lower in order to reduce network traffic but be sure to adhere to the following guidelines:
We can use the ‘db_nmap‘ command to run an Nmap against our targets and our scan results would than be stored automatically in our database. However, if you also wish to import the scan results into another application or framework later on, you will likely want to export the scan results in XML format. It is always nice to have all three Nmap outputs (xml, grepable, and normal). So we can run the Nmap scan using the ‘-oA’ flag followed by the desired filename to generate the three output files then issue the ‘db_import’ command to populate the Metasploit database.
Simply run Nmap with the options you would normally use from the command line. If we wished for our scan to be saved to our database, we would omit the output flag and use ‘db_nmap‘. The example below would then be “db_nmap -v -sV 192.168.1.0/24″.
In addition to running Nmap, there are a variety of other port scanners that are available to us within the framework.
For the sake of comparison, we’ll compare our Nmap scan results for port 80 with a Metasploit scanning module. First, let’s determine what hosts had port 80 open according to Nmap.
The Nmap scan we ran earlier was a SYN scan so we’ll run the same scan across the subnet looking for port 80 through our eth0 interface using Metasploit.
Here we’ll load up the ‘tcp’ scanner and we’ll use it against another target. As with all the previously mentioned plugins, this uses the RHOSTS. Remember we can issue the ‘hosts -R’ command to automatically set this option with the hosts found in our database.
Now that we have determined which hosts are available on the network, we can attempt to determine which operating systems they are running. This will help us narrow down our attacks to target a specific system and will stop us from wasting time on those that aren’t vulnerable to a particular exploit.
Since there are many systems in our scan that have port 445 open, we will use the ‘scanner/smb/version’ module to determine which version of Windows is running on a target and which Samba version is on a Linux host.
Nmap’s IPID Idle scanning allows us to be a little stealthy scanning a target while spoofing the IP address of another host on the network. In order for this type of scan to work, we will need to locate a host that is idle on the network and uses IPID sequences of either Incremental or Broken Little-Endian Incremental. Metasploit contains the module ‘scanner/ip/ipidseq’ to scan and look for a host that fits the requirements.
In the free online Nmap book, you can find out more information on Nmap Idle Scanning.
Judging by the results of our scan, we have a number of potential zombies we can use to perform idle scanning. We’ll try scanning a host using the zombie at 192.168.1.109 and see if we get the same results we had earlier.
fe-acc18info fe-shopru
