Chapter 2: Information Gathering and Scanning

In this chapter, we will cover the following topics:

Using Metasploit for passive information gathering

Using Metasploit for active information gathering

Port scanning with Nmap

Port scanning with the db_nmap command

Host discovery with ARP

UDP service detection

SMB scanning and enumeration

SSH version scanning

FTP scanning

SMTP enumeration

SNMP enumeration

HTTP scanning

WinRM scanning and brute forcing

Working with Nessus

Working with Nexpose

Working with OpenVAS

Introduction

Information gathering is one of the first and most important steps in a penetration test. The goal is to find out as much about the target as possible: the more we know, the better our chances of a successful compromise. In this phase we collect everything we can about the target machines, such as IP addresses, open ports and the services behind them; this information drives every later step of the test. To that end, this chapter covers a range of scanning techniques, including SMB scanning, SSH service scanning, FTP scanning, SNMP enumeration, HTTP scanning, and WinRM scanning and brute forcing.

There are three main ways to collect information:

1. Passive information gathering: obtaining information about the target without ever connecting to it, by relying on third-party sources instead. A WHOIS query is the classic example: if the target is a public web service, WHOIS tells us the registrant, registrar and authoritative name servers for its domain, and public DNS gives us its IP addresses. None of this traffic reaches the target.

2. Active information gathering: establishing a logical connection with the target to obtain information. This tells us more about the target and lets us assess its security directly, at the cost of being visible to it. Port scanning is the most commonly used active technique; it detects the target's open ports and services.

3. Social engineering: similar to passive gathering in that it does not touch the target's systems, but it exploits human error instead: information leaked through printouts, phone conversations, emails and so on. There are many techniques in this category, each with its own way of extracting information, so social engineering is a discipline in itself.

Victims of social engineering are tricked into disclosing information without realising it will be used to attack the corporate network. For example, an employee may be talked into revealing a colleague's employee number by someone impersonating a person they trust. The number seems harmless to the employee, which is exactly why it is given up so easily, but combined with other details the social engineer has collected it can shorten the path into the enterprise network considerably.

1. Using Metasploit for passive information gathering

In this chapter we study the passive and active information gathering techniques in detail. We start with the most common, and most often overlooked, passive techniques, and then move on to gathering information through port scanning. Metasploit has a number of built-in scanners, and several third-party tools integrate with it to extend its port scanning further. We will learn to use the built-in scanners as well as some third-party scanners that work together with the Metasploit framework. Let's get started.

Getting ready

We will collect information from the company's domain name, look up information about the company, collect subdomains, check for honeypots, collect email addresses, and so on.

How to do it

Metasploit has several information gathering modules. In this section we look at some of them; we recommend that you explore the rest on your own.

DNS record scanning and enumeration

The DNS record scanner and enumerator module gathers information about a domain from a given DNS server by performing various DNS queries (zone transfers, reverse lookups, SRV records, and so on).

1. The module lives under the auxiliary modules. After starting msfconsole, select it with the use command, then enter info to display the module's details, including its authors, description and basic options:

msf5 > use auxiliary/gather/enum_dns
msf5 auxiliary(gather/enum_dns) > info

       Name: DNS Record Scanner and Enumerator
     Module: auxiliary/gather/enum_dns
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Carlos Perez <[email protected]>
  Nixawk

Check supported: No

Basic options:
  Name         Current Setting                                              Required  Description
  ----         ---------------                                              --------  -----------
  DOMAIN                                                                    yes       The target domain
  ENUM_A       true                                                         yes       Enumerate DNS A record
  ENUM_AXFR    true                                                         yes       Initiate a zone transfer against each NS record
  ENUM_BRT     false                                                        yes       Brute force subdomains and hostnames via the supplied wordlist
  ENUM_CNAME   true                                                         yes       Enumerate DNS CNAME record
  ENUM_MX      true                                                         yes       Enumerate DNS MX record
  ENUM_NS      true                                                         yes       Enumerate DNS NS record
  ENUM_RVL     false                                                        yes       Reverse lookup a range of IP addresses
  ENUM_SOA     true                                                         yes       Enumerate DNS SOA record
  ENUM_SRV     true                                                         yes       Enumerate the most common SRV records
  ENUM_TLD     false                                                        yes       Perform a TLD expansion by replacing the TLD with the IANA TLD list
  ENUM_TXT     true                                                         yes       Enumerate DNS TXT record
  IPRANGE                                                                   no        The target address range or CIDR identifier
  NS                                                                        no        Specify the nameserver to use for queries (default is system DNS)
  STOP_WLDCRD  false                                                        yes       Stops bruteforce enumeration if wildcard resolution is detected
  THREADS      1                                                            no        Threads for ENUM_BRT
  WORDLIST     /usr/share/metasploit-framework/data/wordlists/namelist.txt  no        Wordlist of subdomains

Description:
  This module can be used to gather information about a domain from a
  given DNS server by performing various DNS queries such as zone
  transfers, reverse lookups, SRV record brute forcing, and other
  techniques.

References:
  https://cvedetails.com/cve/CVE-1999-0532/
  OSVDB (492)

msf5 auxiliary(gather/enum_dns) >

2. Set the domain to query and the number of threads, then run the module:

msf5 auxiliary(gather/enum_dns) > set DOMAIN packtpub.com
DOMAIN => packtpub.com
msf5 auxiliary(gather/enum_dns) > set THREADS 10
THREADS => 10
msf5 auxiliary(gather/enum_dns) > run

[*] Querying DNS NS records for packtpub.com
[+] packtpub.com NS: dns3.easydns.org.
[+] packtpub.com NS: dns4.easydns.info.
[+] packtpub.com NS: dns1.easydns.com.
[+] packtpub.com NS: dns2.easydns.net.
...
[*] Auxiliary module execution completed
msf5 auxiliary(gather/enum_dns) >

The DNS records that were found are listed in the output.

There's more

The DNS enumeration module can also be used for active information gathering. Setting ENUM_BRT to true brute-forces subdomains and hostnames from a wordlist; WORDLIST selects the dictionary file and THREADS controls how many lookups run in parallel. Wildcard DNS (a zone that answers every name) makes every word in the list appear to resolve, which is what the STOP_WLDCRD option guards against: with it set, the brute force stops as soon as wildcard resolution is detected.
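As an added example (not Metasploit's own code), here is the brute-force step in Python, including the wildcard check that STOP_WLDCRD performs. The resolver table, the example.com domain and the 192.0.2.x addresses are constructed for the demonstration; pass system_resolver instead to run it against a real domain you are authorised to test.

```python
import random
import socket
import string

# Added example, not Metasploit code: the brute-force step enum_dns performs
# when ENUM_BRT is true, with the wildcard check behind STOP_WLDCRD.


def system_resolver(name):
    """Resolve a hostname to its IPv4 addresses with the system resolver.
    Returns an empty list when the name does not exist (NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_addresses(domain, resolve, probes=2):
    """Detect wildcard DNS: resolve random labels that cannot legitimately
    exist. Any address that comes back is a wildcard answer, and every name in
    the wordlist would 'resolve' to it."""
    found = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
        found.update(resolve(f"{label}.{domain}"))
    return found


def brute_force_subdomains(domain, wordlist, resolve=system_resolver, stop_on_wildcard=False):
    """Try every word in the wordlist as a label under domain.

    Returns {'wildcard': [addresses], 'hosts': {name: [addresses]}}.
    With stop_on_wildcard=True (the STOP_WLDCRD behaviour) a wildcard zone
    aborts the brute force. Otherwise answers equal to the wildcard address are
    discarded: they say nothing about whether the name really exists."""
    wildcard = wildcard_addresses(domain, resolve)
    if wildcard and stop_on_wildcard:
        return {"wildcard": sorted(wildcard), "hosts": {}}
    hosts = {}
    for word in wordlist:
        name = f"{word.strip().lower()}.{domain}"
        real = [a for a in resolve(name) if a not in wildcard]
        if real:
            hosts[name] = real
    return {"wildcard": sorted(wildcard), "hosts": hosts}


def table_resolver(table, wildcard_ip=None):
    """Offline stand-in for the system resolver: answers from a fixed table and,
    if wildcard_ip is set, answers every other name with it (a wildcard zone)."""
    def resolve(name):
        if name in table:
            return list(table[name])
        return [wildcard_ip] if wildcard_ip else []
    return resolve


# Constructed zone data (RFC 2606 domain, RFC 5737 addresses), not real hosts.
SAMPLE_ZONE = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
    "dev.example.com": ["192.0.2.99"],   # same address as the wildcard below
}
SAMPLE_WORDS = ["www", "mail", "dev", "vpn", "intranet"]


def demo_plain_zone():
    """Wordlist against a zone without a wildcard: only existing names are hits."""
    return brute_force_subdomains("example.com", SAMPLE_WORDS, table_resolver(SAMPLE_ZONE))


def demo_wildcard_zone():
    """Same wordlist against a zone whose wildcard points at 192.0.2.99.
    'vpn' and 'intranet' are filtered out; so is 'dev', which is real but
    indistinguishable from the wildcard answer (a limitation worth knowing)."""
    resolve = table_resolver(SAMPLE_ZONE, wildcard_ip="192.0.2.99")
    return brute_force_subdomains("example.com", SAMPLE_WORDS, resolve)


if __name__ == "__main__":
    print(demo_plain_zone())
    print(demo_wildcard_zone())
```

The wildcard filter is the part worth keeping in mind: without it a wildcard zone turns a 100,000-entry wordlist into 100,000 false positives, and with it any real host that happens to share the wildcard address disappears from the results, so check such hosts by other means (reverse lookups, certificate transparency, search engines).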

CorpWatch company name lookup

Information about the company itself is also needed. The CorpWatch company name lookup module, auxiliary/gather/corpwatch_lookup_name, returns a company's registered name, address, sector and industry. It queries the CorpWatch API for publicly available information about the given company name.

API: api.corpwatch.org

Switch to the auxiliary/gather/corpwatch_lookup_name module, set the company name, set how many results to display (LIMIT), and run it:

msf5 > use auxiliary/gather/corpwatch_lookup_name 
msf5 auxiliary(gather/corpwatch_lookup_name) > set COMPANY_NAME Microsoft
COMPANY_NAME => Microsoft
msf5 auxiliary(gather/corpwatch_lookup_name) > set LIMIT 1
LIMIT => 1
msf5 auxiliary(gather/corpwatch_lookup_name) > run

[*] Company Information
---------------------------------
[*] CorpWatch (cw) ID): cw_4803
[*] Company Name: MICROSOFT CORP
[*] Address: ONE MICROSOFT WAY, REDMOND WA 98052-6399
[*] Sector: Business services
[*] Industry: Services-prepackaged software
[*] Auxiliary module execution completed
msf5 auxiliary(gather/corpwatch_lookup_name) > 

Tip: In some regions this site is blocked, so you may need to configure a proxy to use the service.

Search engine subdomain collector

Collecting subdomains is a good way to find new targets. For this we can use the search engine subdomain collector module.

Module name: auxiliary/gather/searchengine_subdomains_collector

It collects subdomain information from Yahoo and Bing.

Switch to the module, set the domain to query, and run it:

msf5 > use auxiliary/gather/searchengine_subdomains_collector
msf5 auxiliary(gather/searchengine_subdomains_collector) > set TARGET packtpub.com
TARGET => packtpub.com
msf5 auxiliary(gather/searchengine_subdomains_collector) > run

[*] Searching Bing for subdomains from domain:packtpub.com
[*] Searching Yahoo for subdomains from domain:packtpub.com
[+] domain:packtpub.com subdomain: subscription.packtpub.com
[*] Searching Bing for subdomains from IP:54.171.32.62
[*] Searching Yahoo for subdomains from IP:54.171.32.62
[+] IP:54.171.32.62 subdomain: niobase.com
[+] IP:54.171.32.62 subdomain: demandpeoples.vote
[*] Searching Bing for subdomains from IP:34.240.217.226
[-] IP:34.240.217.226 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from IP:34.240.217.226
[+] IP:34.240.217.226 subdomain: www.snp.org
[+] IP:34.240.217.226 subdomain: answerthepublic.com
[*] Searching Bing for subdomains from IP:34.243.45.171
[-] IP:34.243.45.171 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from IP:34.243.45.171
[*] Searching Bing for subdomains from IP:34.248.41.77
[*] Searching Yahoo for subdomains from IP:34.248.41.77
[+] IP:34.248.41.77 subdomain: www.buzzi.space
[+] IP:34.248.41.77 subdomain: www.bookishfirst.com
[+] IP:34.248.41.77 subdomain: www.vizlib.com
[+] IP:34.248.41.77 subdomain: www.alphacodeincubate.club
[+] IP:34.248.41.77 subdomain: www.appliedmldays.org
[+] IP:34.248.41.77 subdomain: www.accessable.co.uk
[*] Searching Bing for subdomains from IP:34.254.137.88
[-] IP:34.254.137.88 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from IP:34.254.137.88

The module has turned up some new hostnames. Note that the names found by IP address are other sites served from the same addresses (shared hosting or a cloud provider), not necessarily assets of the target, so confirm ownership before treating them as in scope.

Now that we’ve learned how to use some of the basic modules, let’s learn how to use some of the more powerful tools.

Censys search

Censys is a search engine for Internet-connected devices. It continuously scans hosts and websites across the Internet with ZMap and ZGrab, refreshing its view daily.

The Censys search module queries the Censys REST API, which indexes millions of websites and devices.

Tip: To use the Censys search module, register at https://censys.io to obtain an API ID and secret.

msf5 > use auxiliary/gather/censys_search
msf5 auxiliary(gather/censys_search) > set CENSYS_DORK packtpub.com
CENSYS_DORK => packtpub.com
msf5 auxiliary(gather/censys_search) > set CENSYS_SEARCHTYPE ipv4
CENSYS_SEARCHTYPE => ipv4
msf5 auxiliary(gather/censys_search) > set CENSYS_SECRET l5xZ******Z4xzVmIPZ0P
CENSYS_SECRET => l5xZ******Z4xzVmIPZ0P
msf5 auxiliary(gather/censys_search) > set CENSYS_UID 24d813a********c1b3e80c9e
CENSYS_UID => 24d813a********c1b3e80c9e
msf5 auxiliary(gather/censys_search) > run

[+] 109.234.207.108 - 443/https,80/http
[+] 109.234.207.108 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 123.252.235.122 - 443/https
[+] 109.234.200.116 - 443/https
[+] 83.166.169.240 - 443/https,22/ssh,80/http
......
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 172.104.243.217 - 80/http
[+] 66.42.34.69 - 443/https,80/http
[+] 66.42.34.69 - 443/https,80/http
[*] Auxiliary module execution completed
msf5 auxiliary(gather/censys_search) >

The output lists many IP addresses together with the ports and protocols Censys observed on them.

Shodan search engine

Shodan is a paid search engine for Internet-connected devices. It indexes service banners and the metadata that comes with them, such as device location, hostnames and operating systems.

To use the Shodan search module, register on the Shodan website (www.shodan.io) to obtain an API key.

msf5 > use auxiliary/gather/shodan_search
msf5 auxiliary(gather/shodan_search) > set QUERY hostname:packtpub.com
QUERY => hostname:packtpub.com
msf5 auxiliary(gather/shodan_search) > set SHODAN_APIKEY SDaE*******ABKTxJ3
SHODAN_APIKEY => SDaE*******ABKTxJ3
msf5 auxiliary(gather/shodan_search) > run

[*] Total: 3 on 1 pages. Showing: 1 page(s)
[*] Collecting data, please wait...

Search Results
==============

 IP:Port            City        Country         Hostname
 -------            ----        -------         --------
 83.166.169.228:80  Nottingham  United Kingdom  imap.packtpub.com

[*] Auxiliary module execution completed

More target information can be found through Shodan search module, such as IP address, open port, location information and so on.

Shodan honeypot check

Checking whether a target is a honeypot avoids wasting time on it, or getting blocked for attacking it. The Shodan Honeyscore client module asks the Shodan search engine to rate the target; the result is a score between 0.0 and 1.0, and the closer it is to 1.0 the more likely the target is a honeypot.

msf5 > use auxiliary/gather/shodan_honeyscore
msf5 auxiliary(gather/shodan_honeyscore) > set SHODAN_APIKEY SDa******CABKTxJ3
SHODAN_APIKEY => SDa******CABKTxJ3
msf5 auxiliary(gather/shodan_honeyscore) > set TARGET 83.166.169.248
TARGET => 83.166.169.248
msf5 auxiliary(gather/shodan_honeyscore) > run

[*] Scanning 83.166.169.248
[-] 83.166.169.248 is not a honeypot
[*] 83.166.169.248 0.0/1.0
[*] Auxiliary module execution completed
msf5 auxiliary(gather/shodan_honeyscore) >

Collecting email information

Collecting email addresses is a routine part of a penetration test: they reveal the target's footprint on the Internet and are raw material for later brute-force attacks and phishing campaigns.

We can use the auxiliary/gather/search_email_collector module, which uses a search engine to get E-mail information about a target.

msf5 > use auxiliary/gather/search_email_collector 
msf5 auxiliary(gather/search_email_collector) > set DOMAIN packtpub.com
DOMAIN => packtpub.com
msf5 auxiliary(gather/search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from packtpub.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from packtpub.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from packtpub.com
[*] Extracting emails from Yahoo search results...
[*] Located 3 email addresses for packtpub.com
....
[*] Auxiliary module execution completed

The output shows that the module queries Google, Bing and Yahoo for email addresses related to the target domain.

2. Using Metasploit for active information gathering

Active information gathering is generally done by scanning; from this step on we connect directly to the target.

Port scanning is one of the more revealing information gathering steps, since it probes the target system in depth, but because it sends traffic straight to the target it may be logged by firewalls and intrusion detection systems.

How to do it

The Metasploit framework provides several port scanning modules that let us probe the target system precisely. You can list them with the search portscan command:

msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   1  auxiliary/scanner/http/wordpress_pingback_access                   normal  Yes    WordPress Pingback Locator
   2  auxiliary/scanner/natpmp/natpmp_portscan                           normal  Yes    NAT-PMP External Port Scanner
   3  auxiliary/scanner/portscan/ack                                     normal  Yes    TCP ACK Firewall Scanner
   4  auxiliary/scanner/portscan/ftpbounce                               normal  Yes    FTP Bounce Port Scanner
   5  auxiliary/scanner/portscan/syn                                     normal  Yes    TCP SYN Port Scanner
   6  auxiliary/scanner/portscan/tcp                                     normal  Yes    TCP Port Scanner
   7  auxiliary/scanner/portscan/xmas                                    normal  Yes    TCP "XMas" Port Scanner
   8  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner

TCP port scanning

Let's start with the TCP port scanning module and see what we can learn about the target.

The module we will use is auxiliary/scanner/portscan/tcp.

Tip: We use this module against the lab network of our penetration testing environment. Comply with local laws and regulations, and do not scan Internet hosts you are not authorised to test.

msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/tcp) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.177.1:        - 192.168.177.1:22 - TCP OPEN
[+] 192.168.177.1:        - 192.168.177.1:21 - TCP OPEN

Tip: Scanner modules take RHOSTS, which accepts an address range or CIDR block and so can cover a whole network, rather than the single-host RHOST option used by exploit modules.

With any Metasploit module, show options lists every configurable option, and show missing lists only the required options that have not been set yet:

msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > show missing

Module options (auxiliary/scanner/portscan/tcp):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier

msf5 auxiliary(scanner/portscan/tcp) > 

TCP SYN scanning

Compared to a plain TCP connect scan, a SYN scan is faster because it never completes the three-way handshake, and it evades firewall and IDS detection to some extent (though most modern IDS recognise it). Because it crafts raw packets, the module needs raw socket access, so run msfconsole as root.

The module is auxiliary/scanner/portscan/syn. When using it, you need to specify the interface and the port range:

msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set INTERFACE eth0
INTERFACE => eth0
msf5 auxiliary(scanner/portscan/syn) > set PORTS 1-10000
PORTS => 1-10000
msf5 auxiliary(scanner/portscan/syn) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/syn) > run

3. Port scanning with Nmap

Nmap is the network scanner of choice for security practitioners. We will walk through its scanning techniques in detail, from the basics to the advanced options.

Getting ready

Nmap can be run directly from msfconsole. To get its results into the Metasploit database, however, you need to save the report as XML with the -oX option and then load it with the db_import command.

How to do it

1. Start msfconsole and type nmap; the command is passed through to the system binary, which prints its usage text:

msf5 > nmap
[*] exec: nmap

Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping

2. Use the -sT option. This is the most basic scan type, and the default when Nmap is run without root privileges: it completes the TCP three-way handshake with each port on the target machine.

msf5 > nmap -sT 192.168.177.144
[*] exec: nmap -sT 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:20 CST
Nmap scan report for 192.168.177.144
Host is up (0.00045s latency).
Not shown: 990 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
4848/tcp  open  appserv-http
8022/tcp  open  oa-system
8080/tcp  open  http-proxy
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49153/tcp open  unknown
49154/tcp open  unknown
MAC Address: 00:0C:29:D7:02:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds
msf5 >

Tip: When no port range is given, Nmap scans the 1000 most common ports by default.

3. Use the -sS option to perform a TCP SYN scan. A SYN scan never completes the three-way handshake, so it is also called half-open scanning. It sends raw packets and therefore needs root privileges.

msf5 > nmap -sS 192.168.177.144 -p 22-5000
[*] exec: nmap -sS 192.168.177.144 -p 22-5000

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:29 CST
Nmap scan report for 192.168.177.144
Host is up (0.00037s latency).
Not shown: 4975 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1617/tcp open  nimrod-agent
4848/tcp open  appserv-http
MAC Address: 00:0C:29:D7:02:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds
msf5 >

For the most part, the output of a connect scan and a SYN scan looks the same; the difference is that the SYN scan is harder for firewalls and IDS to detect, although most modern products do recognise it. The -p option sets the range of ports to scan.

4. UDP scan. The -sU option finds open UDP ports on the target. The scan sends an empty UDP datagram to each port: a closed port answers with an ICMP port unreachable message, a port that replies with data is open, and a port that stays silent is reported as open|filtered, because an unresponsive service and a firewall dropping the probe look identical.

msf5 > nmap -sU 192.168.177.144
[*] exec: nmap -sU 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:36 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:D7:02:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.36 seconds
msf5 >

Tip: When no port range is given, the 1000 most common UDP ports are scanned by default. UDP scans are slow because most systems rate-limit the ICMP unreachable messages the scan depends on.

How it works

We have looked at three Nmap scan types that are useful in penetration testing. Nmap offers many more, but we focus on these three: the TCP connect scan, the SYN (stealth) scan, and the UDP scan. Nmap's scan options can be combined to build more advanced and targeted scans.

The scanning phase produces many useful results, and the information it gathers is the foundation for the rest of the test, so it is worth understanding the scan types well. Let's take a closer look at the techniques we have just used.

The TCP connect scan is the most basic technique. It establishes a complete TCP connection with the target using the operating system's own networking functions: the scanner sends a SYN, the target answers with SYN/ACK if the port is open, and the scanner completes the three-way handshake with an ACK before closing the connection. It needs no special privileges, but because the service sees a completed connection it is easily logged by firewalls, IDS and the application itself.

The SYN scan is also a TCP scan, but it never establishes a full connection. Instead of using the operating system's networking stack, it builds raw IP packets and watches the responses: if the port is open, the target answers with SYN/ACK and the scanner replies with an RST to tear the half-open connection down, which is why it is called half-open scanning. Building raw packets requires root privileges. It is considered a stealthier technique that some firewalls and IDS miss, though most modern ones detect it.

UDP is connectionless, so a UDP scan gets no acknowledgement that the target received its probe. If the port is closed, the target returns an ICMP port unreachable message. If nothing comes back, the port is reported as open|filtered, not open: a firewall that silently drops the probe produces exactly the same silence as an open service that ignores an empty datagram, so the absence of a reply proves nothing. Only a port that answers with data is reported as open.
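To make the three verdicts concrete, here is an added Python example (not nmap or Metasploit code) that reproduces the connect-scan and UDP-scan logic with ordinary sockets and runs it against throwaway listeners on 127.0.0.1. The loopback listeners are constructed for the demonstration; a SYN scan is not shown because it needs raw sockets and root.

```python
import socket
import threading

# Added example (not nmap or Metasploit code): the scan verdicts described
# above, reproduced with ordinary sockets against listeners on 127.0.0.1.


def tcp_connect_scan(host, port, timeout=1.0):
    """Full-handshake scan (nmap -sT, auxiliary/scanner/portscan/tcp).
    connect() lets the OS complete SYN -> SYN/ACK -> ACK, so the service on an
    open port sees a real connection and can log it. A SYN answered with RST
    surfaces as ECONNREFUSED; no answer at all ends in a timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"  # neither SYN/ACK nor RST: something dropped the probe


def udp_scan(host, port, timeout=1.0):
    """Empty-datagram scan (nmap -sU). UDP has no handshake, so the only
    positive 'closed' signal is an ICMP port unreachable, which a connected
    UDP socket reports as ECONNREFUSED. A reply of any kind means open.
    Silence is ambiguous (service ignored the empty datagram, or a firewall
    dropped it), which is why nmap prints open|filtered rather than open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(b"")
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def scan(host, tcp_ports=(), udp_ports=(), timeout=1.0):
    """Scan the given ports; returns {'22/tcp': 'open', '137/udp': 'closed', ...}."""
    results = {f"{p}/tcp": tcp_connect_scan(host, p, timeout) for p in tcp_ports}
    results.update({f"{p}/udp": udp_scan(host, p, timeout) for p in udp_ports})
    return results


# Lab fixtures on loopback, constructed for this example.

def _serve(kind, handler):
    """Bind a random loopback port of the given kind and serve it in a thread."""
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind(("127.0.0.1", 0))
    if kind == socket.SOCK_STREAM:
        srv.listen(5)

    def loop():
        while True:
            try:
                handler(srv)
            except OSError:      # socket closed by demo(): stop serving
                return
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _tcp_accept(srv):
    conn, _ = srv.accept()   # handshake already completed by the kernel
    conn.close()


def _udp_echo(srv):
    data, peer = srv.recvfrom(1024)
    srv.sendto(data, peer)   # echo even an empty datagram, so the scan sees a reply


def _unused_port(kind):
    """Bind port 0 and release it: afterwards nothing listens there."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening and one unused port per protocol; verdicts by role."""
    tcp_srv, tcp_open = _serve(socket.SOCK_STREAM, _tcp_accept)
    udp_srv, udp_open = _serve(socket.SOCK_DGRAM, _udp_echo)
    tcp_closed = _unused_port(socket.SOCK_STREAM)
    udp_closed = _unused_port(socket.SOCK_DGRAM)
    try:
        r = scan("127.0.0.1", (tcp_open, tcp_closed), (udp_open, udp_closed), timeout=2.0)
    finally:
        tcp_srv.close()
        udp_srv.close()
    return {
        "tcp listener": r[f"{tcp_open}/tcp"],  # open
        "tcp unused": r[f"{tcp_closed}/tcp"],  # closed (RST)
        "udp echo": r[f"{udp_open}/udp"],      # open (it answered)
        "udp unused": r[f"{udp_closed}/udp"],  # closed via ICMP; open|filtered if no ICMP error is delivered
    }


if __name__ == "__main__":
    for role, state in demo().items():
        print(f"{role:13s} {state}")
```

The UDP branch is the one to study: the only way the scanner ever learns "closed" is the ICMP error the kernel hands back on the next socket call, and a host or firewall that suppresses those errors makes every port look open|filtered, which is exactly the ambiguity in the nmap output above.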

There's more

Let's explore Nmap further and learn how to combine different scan types.

Operating system and version detection

Beyond port scanning, Nmap offers advanced options that reveal more about the target. One of the most widely used is OS detection, -O, which tries to identify the operating system of the target machine.

Here are the operating system identification scan results:

msf5 > nmap -O 192.168.177.144
[*] exec: nmap -O 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:12 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 990 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
4848/tcp  open  appserv-http
8022/tcp  open  oa-system
8080/tcp  open  http-proxy
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49153/tcp open  unknown
49154/tcp open  unknown
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.0 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds

Nmap identifies the target as a Windows system, but note the warning: OS fingerprinting is unreliable when Nmap cannot find both an open and a closed port, which is why the result is a list of candidate versions rather than a single one.

Another widely used option is service version detection for open ports, -sV. It can be combined with the scan types above.

msf5 > nmap -sV 192.168.177.144
[*] exec: nmap -sV 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:17 CST
Nmap scan report for 192.168.177.144
Host is up (0.00045s latency).
Not shown: 990 filtered ports
PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
22/tcp    open  ssh                OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http               Microsoft IIS httpd 7.5
4848/tcp  open  ssl/appserv-http?
8022/tcp  open  http               Apache Tomcat/Coyote JSP engine 1.1
8080/tcp  open  http               Sun GlassFish Open Source Edition 4.0
8383/tcp  open  ssl/http           Apache httpd
9200/tcp  open  http               Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7)
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.54 seconds
msf5 >

Stealth scanning

Sometimes a scan needs to be less conspicuous. By default, firewall and IDS logs record your IP address. Nmap's -D option adds decoys to muddy the picture.

This option does not stop the firewall or IDS from logging your IP; it adds other source addresses so the target sees the scan coming from several hosts at once. If you add two decoy addresses, for example, the logs show packets from three different addresses: your real one and the two decoys.

msf5 > nmap -sS 192.168.177.144 -D 192.168.177.34,192.168.177.56

Here the comma-separated addresses after -D are the decoys. They appear in the target's logs alongside your real address, so the administrator cannot tell which of the three is the scanner. Decoys only work with raw-packet scans such as -sS; with -sT or -sV the operating system's TCP stack sends the traffic from your real address alone. Choose decoys that are actually up, and do not add too many, since each one multiplies the traffic and slows the scan; a handful is enough.

4. Port scanning with db_nmap

The advantage of db_nmap is that the results go straight into the Metasploit database, with no need to export them to XML and re-import them with db_import.
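Whether the results arrive via db_nmap or via nmap -oX followed by db_import, what ends up in the database is a set of host and service records. As an added example (not Metasploit's db_import), here is a Python parser that turns nmap's XML report into exactly those records; the XML below is constructed in nmap's real schema, modelled on the -sV and -O scans of 192.168.177.144 shown earlier with the port list trimmed, and the second host is invented to show that down hosts are skipped.

```python
import xml.etree.ElementTree as ET

# Added example, not Metasploit's db_import: parse nmap's -oX output into the
# host and service records that `hosts` and `services` would show after import.

# Constructed XML in nmap's real schema (trimmed port list, invented second host).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.177.0/24" version="7.70">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.177.144" addrtype="ipv4"/>
<address addr="00:0C:29:D7:02:F6" addrtype="mac" vendor="VMware"/>
<ports>
<extraports state="filtered" count="990"/>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="Microsoft ftpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Microsoft IIS httpd" version="7.5" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/>
  <service name="telnet" method="table" conf="3"/></port>
<port protocol="udp" portid="137"><state state="open" reason="udp-response"/>
  <service name="netbios-ns" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2008 R2 or Windows 8.1" accuracy="100" line="0"/></os>
</host>
<host>
<status state="down" reason="no-response"/>
<address addr="192.168.177.145" addrtype="ipv4"/>
</host>
<runstats><finished elapsed="82.54"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def _service_info(svc):
    """Join product, version and extrainfo the way nmap's VERSION column does."""
    if svc is None:
        return ""
    parts = [svc.get("product"), svc.get("version")]
    if svc.get("extrainfo"):
        parts.append(f"({svc.get('extrainfo')})")
    return " ".join(p for p in parts if p)


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up, with its addresses, best OS match
    and every scanned port. Port state is kept so filtered ports are not lost."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue   # nothing to record for a host that did not answer
        host = {"address": None, "mac": None, "os": None, "services": []}
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                host["address"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                host["mac"] = a.get("addr")
        best = max(h.iter("osmatch"), key=lambda m: int(m.get("accuracy", 0)), default=None)
        if best is not None:
            host["os"] = best.get("name")
        for p in h.iter("port"):
            state = p.find("state")
            svc = p.find("service")
            host["services"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else None,
                "info": _service_info(svc),
            })
        hosts.append(host)
    return hosts


def services_table(hosts, state="open"):
    """Rows in the shape of msfconsole's `services` output, filtered by state."""
    rows = []
    for h in hosts:
        for s in h["services"]:
            if s["state"] == state:
                rows.append((h["address"], s["port"], s["proto"], s["name"], s["info"]))
    return sorted(rows, key=lambda r: (r[0], r[2], r[1]))


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for addr, port, proto, name, info in services_table(parsed):
        print(f"{addr:16s} {port:>5d}/{proto}  {name:12s} {info}")
```

Keeping the port state in the parsed record matters more than it looks: db_nmap with --open, as used below, throws away filtered and closed ports before they reach the database, so a parser that records every state lets you compare the view through a firewall with the view from inside it later.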

Getting ready

The db_nmap command is part of msfconsole, so you only need to start msfconsole to use it. Its arguments are exactly the same as when running Nmap from the command line.

How to do it

In Chapter 1 we looked at the basic use of db_nmap; here we look at some of its more advanced features. The following example uses several of them:

msf5 > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.177.144 -p -

-Pn: skip host discovery and treat the host as online

-sTV: TCP connect scan with service version detection of the open ports

-T4: aggressive timing template, to speed up the scan

--open: show only open ports

--min-parallelism 64: send at least 64 probes in parallel

--version-all: try every version probe against every port, for a more precise service identification

-p -: scan all ports (1-65535)

The output is as follows:

Msf5 > db_nmap -pn-stv-t4 --open --min-parallelism 64 --version-all 192.168.177.144 -p - [*] Nmap: Starting Nmap 7.70 (https://nmap.org) at 2019-04-12 13:41 CST [*] Nmap: Nmap scan report for 192.168.177.144 [*] Nmap: Host is up (0.00059s latency). [*] Nmap: Not shown: 65516 filtered ports [*] Nmap: Some closed ports may be reported as filtered due to --defeat-rst-ratelimit [*] Nmap: PORT STATE SERVICE VERSION [*] Nmap: 21/tcp open ftp Microsoft ftpd [*] Nmap: 22/ TCP open SSH OpenSSH 7.1 (Protocol 2.0) [*] Nmap: 80/ TCP open HTTP Microsoft IIS HTTPD 7.5 [*] Nmap: 1617/tcp open rmiregistry Java RMI [*] Nmap: 4848/tcp open ssl/appserv-http? [*] Nmap: 5985/ TCP open HTTP Microsoft HTTPAPI HTTPD 2.0 (SSDP/UPnP) [*] Nmap: 8020/ TCP open HTTP Apache HTTPD [*] Nmap: 8022/ TCP open HTTP Apache Tomcat/Coyote JSP engine 1.1 [*] Nmap: 8027/ TCP open unknown [*] Nmap: 8080/ TCP Open HTTP Sun GlassFish Open Source Edition 4.0 [*] Nmap: 8282/ TCP open HTTP Apache Tomcat/Coyote JSP engine 1.1 [*] Nmap: 8383/ TCP open SSL/HTTP Apache HTTPD [*] Nmap: 8484/ TCP Open HTTP Jetty Winstone -2.8 [*] Nmap: 8585/ TCP open HTTP Apache HTTPD 2.2.21 ((Win64) PHP/5.3.10 DAV/2) [*] Nmap: 9200/ TCP Open HTTP Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7) [*] Nmap: 49153/ TCP Open MSRPC Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC [*] Nmap: 49207/tcp open rmiregistry Java RMI [*] Nmap: 49209/tcp open tcpwrapped [*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows [*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . [*] Nmap: Nmap done: 1 IP Address (1 Host up) Scanned in 593.00 seconds MSf5 >Copy the code
Nmap script engine

One of Nmap’s most powerful and flexible features is the Nmap Scripting Engine (NSE), which turns Nmap into a vulnerability scanner. NSE ships with over 600 scripts in several categories, ranging from non-intrusive to intrusive, such as brute force, exploit and denial-of-service scripts. On Kali you can find them in the /usr/share/nmap/scripts directory, or search for *.nse with locate:

root@osboxes:~# locate *.nse
/usr/share/nmap/scripts/targets-xml.nse
/usr/share/nmap/scripts/teamspeak2-version.nse
/usr/share/nmap/scripts/telnet-brute.nse
/usr/share/nmap/scripts/telnet-encryption.nse
/usr/share/nmap/scripts/telnet-ntlm-info.nse
/usr/share/nmap/scripts/tftp-enum.nse
/usr/share/nmap/scripts/tls-alpn.nse
/usr/share/nmap/scripts/tls-nextprotoneg.nse
/usr/share/nmap/scripts/tls-ticketbleed.nse
/usr/share/nmap/scripts/tn3270-screen.nse
/usr/share/nmap/scripts/tor-consensus-checker.nse
/usr/share/nmap/scripts/traceroute-geolocation.nse
/usr/share/nmap/scripts/tso-brute.nse
/usr/share/nmap/scripts/tso-enum.nse
/usr/share/nmap/scripts/unittest.nse
/usr/share/nmap/scripts/unusual-port.nse

Here’s how it can be used:

nmap --script <scriptname> <host ip>

The same scripts can be used from db_nmap. Let’s use a set of NSE scripts to look for HTTP/HTTPS vulnerabilities on the target:

msf5 > db_nmap --open -sTV -Pn -p 80,8020,8022,8080,8282,8383,8484,8585,9200 --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,ssl-poodle,ssl-heartbleed,http-webdav-scan,http-iis-webdav-vuln 192.168.177.144
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 14:03 CST
[*] Nmap: Nmap scan report for 192.168.177.144
[*] Nmap: Host is up (0.00052s latency).
[*] Nmap: PORT     STATE SERVICE VERSION
[*] Nmap: 80/tcp   open  http    Microsoft IIS httpd 7.5
[*] Nmap: | http-methods:
[*] Nmap: |   Supported Methods: OPTIONS TRACE GET HEAD POST
[*] Nmap: |_  Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Microsoft-IIS/7.5
[*] Nmap: | http-vhosts:
[*] Nmap: |_127 names had status 200
[*] Nmap: 8020/tcp open  http    Apache httpd
[*] Nmap: |_http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
[*] Nmap: | http-methods:
[*] Nmap: |   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
[*] Nmap: |_  Potentially risky methods: PUT DELETE
[*] Nmap: |_http-server-header: Apache
[*] Nmap: | http-vhosts:

The output shows that some HTTP services on the target allow potentially risky methods such as PUT and DELETE.
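As an added example (not from the book or from Metasploit), the Python script below parses db_nmap console output like the two scans above into an open-port inventory and pulls the "Potentially risky methods" reported by the http-methods script into a list of findings to review. The input is a constructed excerpt of the output shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the db_nmap output shown above (every line is prefixed "[*] Nmap: ").
SAMPLE = """\
[*] Nmap: PORT     STATE SERVICE VERSION
[*] Nmap: 21/tcp   open  ftp     Microsoft ftpd
[*] Nmap: 80/tcp   open  http    Microsoft IIS httpd 7.5
[*] Nmap: | http-methods:
[*] Nmap: |   Supported Methods: OPTIONS TRACE GET HEAD POST
[*] Nmap: |_  Potentially risky methods: TRACE
[*] Nmap: 8020/tcp open  http    Apache httpd
[*] Nmap: | http-methods:
[*] Nmap: |   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
[*] Nmap: |_  Potentially risky methods: PUT DELETE
[*] Nmap: 49209/tcp open  tcpwrapped
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.*)$")
# Methods that let a client write to or delete from the site, or reflect
# requests (TRACE can expose headers through cross-site tracing).
WRITE_METHODS = {"PUT", "DELETE", "TRACE"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str = ""
    risky_methods: set = field(default_factory=set)


def parse_db_nmap(text):
    """Parse db_nmap console output into a list of Service records."""
    services = []
    current = None
    for raw in text.splitlines():
        # db_nmap prefixes every Nmap line; drop that prefix first
        line = raw[len("[*] Nmap: "):] if raw.startswith("[*] Nmap: ") else raw
        m = PORT_RE.match(line.strip())
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), (m.group(5) or "").strip())
            services.append(current)
            continue
        # NSE script output lines start with "|"; attach them to the last port seen
        if current is not None and line.lstrip().startswith("|"):
            r = RISKY_RE.search(line)
            if r:
                current.risky_methods.update(r.group(1).split())
    return services


def findings(services):
    """Return (port, method) pairs a defender should review, in port order."""
    out = []
    for s in services:
        for meth in sorted(s.risky_methods & WRITE_METHODS):
            out.append((s.port, meth))
    return out
```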

5. ARP based host discovery

By sending ARP requests we can enumerate the live hosts on the local network, which is a simple and fast way to identify targets.

The preparatory work

When the attacker and the target machine reside on the same LAN, you can perform an ARP scan to discover hosts.

How to do

1. Use the ARP scanning module (auxiliary/scanner/discovery/arp_sweep), set the target address range and the number of threads, then run it:

msf5 > use auxiliary/scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.177.1 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.144 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/arp_sweep) >

2. If the database is running, the results are stored in the Metasploit database, and the hosts command lists the discovered hosts:

msf5 auxiliary(scanner/discovery/arp_sweep) > hosts

Hosts
=====

address          mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---                ----  -------  ---------  -----  -------  ----  --------
34.240.217.226
34.248.41.77
54.171.32.62
192.168.177.1    00:50:56:c0:00:08        Unknown                    device
192.168.177.2    00:50:56:fa:c4:65
192.168.177.139  00:0c:29:c6:a9:e5        Unknown                    device
192.168.177.142  00:0c:29:92:63:8c        Linux    2.6.X             server
192.168.177.144  00:0c:29:d7:02:f6        Unknown                    device
192.168.177.254  00:50:56:ec:3c:cf
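On the wire, arp_sweep sends one broadcast ARP who-has request per address in the range. The added Python example below (not Metasploit code) builds and parses such frames, and includes the defender's side: a detector that flags a sender asking for many distinct addresses within a few seconds, which is what the sweep above looks like in a packet capture. The MAC addresses, IP addresses and timestamps are constructed.

```python
import struct
import ipaddress
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(src_mac, src_ip, target_ip):
    """Ethernet + ARP 'who-has target_ip, tell src_ip' broadcast frame (42 bytes)."""
    eth = struct.pack("!6s6sH", BROADCAST, mac_bytes(src_mac), ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return a dict describing an ARP frame, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_TYPE_ARP:
        return None
    (htype, ptype, hlen, plen, oper,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": "request" if oper == 1 else "reply",
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def detect_arp_sweeps(events, window=5.0, threshold=50):
    """events: (timestamp, frame) pairs from a capture. Returns the set of sender MACs
    that requested at least `threshold` distinct target IPs within `window` seconds."""
    seen = defaultdict(list)  # sender_mac -> [(ts, target_ip)]
    alerts = set()
    for ts, frame in events:
        arp = parse_arp(frame)
        if not arp or arp["op"] != "request":
            continue
        hist = seen[arp["sender_mac"]]
        hist.append((ts, arp["target_ip"]))
        # keep only the requests that fall inside the sliding window
        seen[arp["sender_mac"]] = hist = [(t, ip) for t, ip in hist if ts - t <= window]
        if len({ip for _, ip in hist}) >= threshold:
            alerts.add(arp["sender_mac"])
    return alerts


# Constructed capture: one scanner sweeps 192.168.177.0/24 in a burst while
# another host sends a single ordinary request.
SCANNER = "02:00:00:00:00:01"
CAPTURE = [(i * 0.01, build_arp_request(SCANNER, "192.168.177.10", f"192.168.177.{i}"))
           for i in range(256)]
CAPTURE.append((3.0, build_arp_request("02:00:00:00:00:02", "192.168.177.20", "192.168.177.1")))
```

Sending the frames for real needs a raw AF_PACKET socket and root on Linux; the capture side is what the detector is for.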

6. UDP service identification

The UDP service sweep module probes the target system for UDP services. Because UDP is connectionless, detecting its services is harder than for TCP. The UDP probe module can still help us find useful information.

How to do

Select the auxiliary/scanner/discovery/udp_sweep module, set the target range, then run the scan:

msf5 > use auxiliary/scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/discovery/udp_sweep) > run
[*] Sending 13 probes to 192.168.177.0->192.168.177.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.177.144:137 (METASPLOITABLE3:<20>:U :METASPLOITABLE3:<00>:U :WORKGROUP:<00>:G :00:0c:29:d7:02:f6)
[*] Discovered SNMP on 192.168.177.144:161 (Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free))
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/udp_sweep) >

7. SMB scan and enumeration

Over the years, the SMB protocol (the network file sharing protocol used on Microsoft Windows systems) has proven to be one of the most vulnerable protocols, allowing attackers to enumerate files and users on the target and, in some cases, even achieve remote code execution.

How to do

The SMB share enumeration module, run without authentication, can help gather valuable information such as share names and the operating system version.

Module name: auxiliary/scanner/smb/smb_enumshares

msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > run
[-] 192.168.177.144:139 - Login Failed: Unable to negotiate with remote host
[*] 192.168.177.144: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The SMB share enumeration module is also very useful in the later stages of an attack: once credentials are available, it can easily enumerate shares and list their files.

msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > set ShowFiles true
ShowFiles => true
msf5 auxiliary(scanner/smb/smb_enumshares) > set SpiderShares true
SpiderShares => true
msf5 auxiliary(scanner/smb/smb_enumshares) > run
[-] 192.168.177.144:139 - Login Failed: Unable to negotiate with remote host
[+] 192.168.177.144:445 - ADMIN$ - (DS) Remote Admin
[+] 192.168.177.144:445 - C$ - (DS) Default share
[+] 192.168.177.144:445 - IPC$ - (I) Remote IPC
[*] 192.168.177.144: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumshares) >

Metasploit also provides several other SMB scanning modules. Let’s take a look at the usage of other modules.

3. The SMB version detection module identifies the SMB version in use:

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_version) > run
[+] 192.168.177.144:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:METASPLOITABLE3) (workgroup:WORKGROUP)
[*] 192.168.177.144:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

4. The user enumeration module lists the existing users through the SAM RPC service:

msf5 > use auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.177.144:445   - METASPLOITABLE3 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leah_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.177.144:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) >

5. The SMB login module tests SMB logins, here with a user name and a password list:

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_login) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.177.144:445 - 192.168.177.144:445 - Starting SMB login bruteforce
[-] 192.168.177.144:445 - 192.168.177.144:445 - Failed: '.\vagrant:admin',
[-] 192.168.177.144:445 - 192.168.177.144:445 - Failed: '.\vagrant:admin123',
[+] 192.168.177.144:445 - 192.168.177.144:445 - Success: '.\vagrant:vagrant' Administrator
[*] 192.168.177.144:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >

6. The MS17-010 (EternalBlue) vulnerability detection module:

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.177.144:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.177.144:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

7. The other SMB modules live under auxiliary/scanner/smb/; press the Tab key to list them and explore them one by one. They are not covered with examples here.

msf5 > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/impacket/dcomexec      
use auxiliary/scanner/smb/smb1                   
use auxiliary/scanner/smb/smb_login
.....         
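From the defender's side, the smb_login run above leaves a trail of failed network logons (event 4625, logon type 3) from one source against one account, followed by a success (4624). The added Python example below (not from the book or Metasploit) runs that detection over a constructed, simplified event export; the field names follow the Windows Security log, while the one-line key=value layout is an assumption made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security events. 4625 = failed logon,
# 4624 = successful logon; LogonType 3 = network logon, which is what SMB uses.
SAMPLE_EVENTS = """\
2019-04-12T13:50:01 EventID=4625 LogonType=3 TargetUserName=vagrant IpAddress=192.168.177.139 Status=0xC000006D
2019-04-12T13:50:01 EventID=4625 LogonType=3 TargetUserName=vagrant IpAddress=192.168.177.139 Status=0xC000006D
2019-04-12T13:50:02 EventID=4625 LogonType=3 TargetUserName=vagrant IpAddress=192.168.177.139 Status=0xC000006D
2019-04-12T13:50:02 EventID=4625 LogonType=3 TargetUserName=vagrant IpAddress=192.168.177.139 Status=0xC000006D
2019-04-12T13:50:03 EventID=4625 LogonType=3 TargetUserName=vagrant IpAddress=192.168.177.139 Status=0xC000006D
2019-04-12T13:50:03 EventID=4624 LogonType=3 TargetUserName=vagrant IpAddress=192.168.177.139 Status=0x0
2019-04-12T14:10:00 EventID=4625 LogonType=2 TargetUserName=bob IpAddress=- Status=0xC000006A
2019-04-12T14:20:00 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=192.168.177.50 Status=0x0
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_events(text):
    """Yield one dict per line: the key=value fields plus a parsed 'ts' timestamp."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group(2).split())
        ev["ts"] = datetime.fromisoformat(m.group(1))
        yield ev


def detect_smb_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag (source_ip, user) pairs with at least `threshold` failed network logons
    inside `window`, and record whether a success from the same source followed
    (which means the password list contained the right credential)."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    for ev in events:
        # only network logons with a remote address are relevant to SMB brute force
        if ev.get("LogonType") != "3" or ev.get("IpAddress") in (None, "-"):
            continue
        key = (ev["IpAddress"], ev["TargetUserName"])
        if ev["EventID"] == "4625":
            ts_list = failures[key]
            ts_list.append(ev["ts"])
            # sliding window: drop failures older than `window`
            failures[key] = ts_list = [t for t in ts_list if ev["ts"] - t <= window]
            if len(ts_list) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})
                alerts[key]["failures"] = len(ts_list)
        elif ev["EventID"] == "4624" and key in alerts:
            alerts[key]["success_after"] = True
    return alerts
```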

8. Scan and detect SSH versions

SSH is a widely used remote login program. It uses strong encryption to authenticate users and keep sessions confidential. In this section we will use the SSH version scanning module to determine which SSH version the target runs and whether that version has known vulnerabilities that could be taken advantage of.

The preparatory work

In the previous scan we found that the target has TCP port 22 open, the default SSH port. We will use the SSH version detection module to obtain the SSH version running on the target system.

How to do

1. Module name: auxiliary/scanner/ssh/ssh_version

msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.177.144:22 - SSH server version: ( service.version=7.1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.1 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.177.144:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) >

The RHOSTS option can also be specified as a network address to scan the entire network segment.

Once we have the version information, we can search for vulnerabilities in that version.

2. To test common passwords against the SSH service, use the SSH login module:

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_login) > set USERNAME user
USERNAME => user
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/ssh/ssh_login) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

3. If a login succeeds, the sessions command lists the session, which you can then interact with:

msf5 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

No active sessions.


9. FTP scan

The FTP scanning module is used to scan the versions of all FTP services on the network.

The preparatory work

Running the FTP version scanning module tells us which FTP version the target runs.

How to do

1. Use the auxiliary/scanner/ftp/ftp_version module, set the scan range and thread count, and run the scan:

msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.177.1:21 - FTP Banner: '220 Serv-U FTP Server v15.0 ready...\x0d\x0a'
[+] 192.168.177.144:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] 192.168.177.0/24:21 - Scanned 78 of 256 hosts (30% complete)
[*] 192.168.177.0/24:21 - Scanned 123 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21 - Scanned 125 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21 - Scanned 129 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21 - Scanned 130 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21 - Scanned 255 of 256 hosts (99% complete)
[*] 192.168.177.0/24:21 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ftp/ftp_version) >

2. The scan result is saved to the database as before. You can run the services command to view the detected service information.

msf5 auxiliary(scanner/ftp/ftp_version) > services

Services
========

host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.177.1    21    tcp    ftp   open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144  21    tcp    ftp   open   220 Microsoft FTP Service\x0d\x0a
192.168.177.144  22    tcp    ssh   open   SSH-2.0-OpenSSH_7.1
192.168.177.144  80    tcp    http  open   Microsoft IIS httpd 7.5

10. SMTP enumeration

SMTP servers support two built-in commands that allow user enumeration: VRFY (confirms whether a user name is valid) and EXPN (shows the actual address behind a user, alias or mailing list).

The preparatory work

The SMTP user enumeration module uses these SMTP commands to build a list of valid users.

How to do

By default, the SMTP enumeration module uses the unix_users.txt file in /usr/share/metasploit-framework/data/wordlists as its dictionary; you can also specify your own dictionary file. Switch to the auxiliary/scanner/smtp/smtp_enum module, set the target and thread count, and run it:

msf5 > use auxiliary/scanner/smtp/smtp_enum
msf5 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 auxiliary(scanner/smtp/smtp_enum) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/smtp/smtp_enum) > run
[*] 192.168.177.145:25 - 192.168.177.145:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.177.145:25 - 192.168.177.145:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] 192.168.177.145:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smtp/smtp_enum) >

The output lists the valid SMTP users on the Metasploitable 2 target.
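The VRFY exchange that smtp_enum drives is plain text, so both sides can be shown. The added Python example below (not from the book or from Metasploit) implements a small VRFY client against a scripted fake server whose replies follow the 252/550 pattern Postfix uses, and it also recognizes the 502 reply a server gives once VRFY has been disabled (disable_vrfy_command = yes in Postfix), which is the fix a mail administrator applies. The host names and user list are constructed.

```python
import socket


class FakeSmtpServer:
    """Scripted server side of the exchange (constructed for this example).
    known: user names that exist; vrfy_disabled: emulate Postfix's disable_vrfy_command."""

    def __init__(self, known, vrfy_disabled=False):
        self.known = set(known)
        self.vrfy_disabled = vrfy_disabled
        self.inbox = ["220 mail.example.test ESMTP Postfix (Ubuntu)"]  # constructed banner
        self.log = []  # both sides of the conversation, for inspection

    def sendline(self, line):
        self.log.append("C: " + line)
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            reply = "250 mail.example.test"
        elif verb == "VRFY":
            if self.vrfy_disabled:
                reply = "502 5.5.1 VRFY command is disabled"
            elif arg in self.known:
                reply = f"252 2.0.0 {arg}"
            else:
                reply = f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self.inbox.append(reply)

    def readline(self):
        reply = self.inbox.pop(0)
        self.log.append("S: " + reply)
        return reply


class SocketSmtp:
    """Real TCP transport with the same two methods (not exercised offline)."""

    def __init__(self, host, port=25, timeout=5):
        sock = socket.create_connection((host, port), timeout)
        self.f = sock.makefile("rw", newline="\r\n")  # "\n" is written as CRLF

    def sendline(self, line):
        self.f.write(line + "\n")
        self.f.flush()

    def readline(self):
        return self.f.readline().rstrip("\r\n")


def vrfy_users(conn, users, helo="scanner.example.test"):
    """Return (valid_users, vrfy_enabled); this is the VRFY part of what smtp_enum does."""
    banner = conn.readline()
    if not banner.startswith("220"):
        raise RuntimeError("unexpected banner: " + banner)
    conn.sendline("HELO " + helo)
    conn.readline()
    valid, enabled = [], True
    for user in users:
        conn.sendline("VRFY " + user)
        code = conn.readline()[:3]
        if code == "502":              # server refuses VRFY: nothing to enumerate
            enabled = False
            break
        if code in ("250", "252"):     # 250 = exists, 252 = accepted but not verified
            valid.append(user)
    conn.sendline("QUIT")
    conn.readline()
    return valid, enabled
```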

11. SNMP enumeration

Simple Network Management Protocol (SNMP) is used to manage network devices: monitoring device status, interface information, network interface throughput and so on. An SNMP scanner can reveal a large amount of information about a system. In this section we’ll learn how to use it.

The preparatory work

Metasploit has built-in auxiliary modules dedicated to scanning SNMP devices. Before attacking SNMP you need to understand how it works. First, community strings (read-only or read-write) determine what information can be read from, or modified on, the device itself. Second, the MIB interface lets us query the device and extract information.

Tip: If the target system is Windows and SNMP is configured (usually with RO/RW community strings), we can extract the system restart time, the user names on the system, network information, running services and other valuable information.

When querying device information through SNMP, the MIB API is used to extract device details. Metasploit loads a list of default MIBs into its database and uses them to query the device for more information.

How to do

1. The SNMP login module tries to log in to the target using the default community name, public:

msf5 > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.177.144,145
RHOSTS => 192.168.177.144,145
msf5 auxiliary(scanner/snmp/snmp_login) > run
[+] 192.168.177.144:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/snmp/snmp_login) >

2. Use the SNMP enumeration module to collect information such as ports, services, host name and processes:

msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/snmp/snmp_enum) > run
[+] 192.168.177.144, Connected.

Host IP                       : 192.168.177.144
Hostname                      : Metasploitable3
Description                   : Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
Contact                       : -
Location                      : -
Uptime snmp                   : 01:18:04.40
Uptime system                 : 01:16:09.69
System date                   : 2019-4-12 16:44:05.7

[*] User accounts:

["sshd"]
["Guest"]
["greedo"]
["vagrant"]
["han_solo"]
["kylo_ren"]
["boba_fett"]
["chewbacca"]
["ben_kenobi"]
.....

[*] Network information:

IP forwarding enabled         : no
Default TTL                   : 128
TCP segments received         : 70121
TCP segments sent             : 70024
TCP segments retrans          : 23
Input datagrams               : 634
Delivered datagrams           : 825
....

[*] Network interfaces:

Interface                     : [ up ] Software Loopback Interface 1
Id                            : 1
Mac Address                   : :::::
....
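Both the SNMP line in the udp_sweep output earlier and the "Proof (sysDescr.0)" in the snmp_login output come from a single SNMPv1 GetRequest for sysDescr.0 sent with a guessed community string. The added Python example below (not Metasploit code) encodes that request in BER by hand, decodes the GetResponse, and reports whether the agent answered to a default community; the response bytes are constructed with the same encoder, so nothing touches the network unless snmp_get_over_udp is called.

```python
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)
DEFAULT_COMMUNITIES = {"public", "private"}


def ber_len(n):
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(oid):
    out = bytearray([40 * oid[0] + oid[1]])
    for sub in oid[2:]:               # base-128, high bit set on all but the last byte
        chunk = [sub & 0x7F]
        while sub >> 7:
            sub >>= 7
            chunk.insert(0, (sub & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(0x06, bytes(out))


def build_snmp_get(community, oid, request_id=1):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, GetRequest-PDU (0xA0) }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))         # value = NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_tlv(buf, i=0):
    """Decode one TLV at offset i; returns (tag, body, offset_after)."""
    tag, ln = buf[i], buf[i + 1]
    i += 2
    if ln & 0x80:                      # long form: the next (ln & 0x7f) bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + ln], i + ln


def parse_snmp_response(data):
    """Return (community, error_status, value_bytes) from a GetResponse (0xA2) message."""
    tag, msg, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, i = parse_tlv(msg)
    _, community, i = parse_tlv(msg, i)
    pdu_tag, pdu, _ = parse_tlv(msg, i)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _, i = parse_tlv(pdu)                   # request-id
    _, err, i = parse_tlv(pdu, i)              # error-status
    _, _, i = parse_tlv(pdu, i)                # error-index
    _, varbinds, _ = parse_tlv(pdu, i)
    _, vb, _ = parse_tlv(varbinds)             # first VarBind
    _, _, j = parse_tlv(vb)                    # its OID
    _, value, _ = parse_tlv(vb, j)             # its value
    return community.decode(), int.from_bytes(err, "big"), value


def build_fake_response(community, value, request_id=1):
    """Constructed GetResponse for sysDescr.0, as an agent would answer (offline testing)."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR_0) + tlv(0x04, value))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def assess(response):
    """Defender's view: an answer to a default community means the agent hands sysDescr
    to anyone who can reach UDP/161 with a guessable string."""
    community, err, value = parse_snmp_response(response)
    return {"community": community,
            "default_community": community in DEFAULT_COMMUNITIES,
            "sysDescr": value.decode(errors="replace") if err == 0 else None}


def snmp_get_over_udp(host, community, oid=SYS_DESCR_0, timeout=2.0):
    """Real transport for the same request (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_snmp_get(community, oid), (host, 161))
        return parse_snmp_response(s.recv(4096))
```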

12. HTTP scanning

Hypertext Transfer Protocol (HTTP) is an application layer protocol that is the basis of World Wide Web communication. It is used by countless applications, from Internet of Things (IoT) devices to mobile applications, and it is also a good place to look for vulnerabilities.

The preparatory work

The HTTP SSL certificate module retrieves the web server’s certificate.

The robots.txt detection module fetches the robots.txt file and analyzes its contents.

If the server allows unauthenticated PUT requests, arbitrary pages can be written into the web site’s directory, which can lead to the execution of malicious code or to the server being filled with junk data, causing a denial of service.

The Jenkins-CI HTTP scan module enumerates unauthenticated Jenkins-CI services.

How to do

1. Check the HTTP SSL certificate of the target

msf5 > use auxiliary/scanner/http/cert
msf5 auxiliary(scanner/http/cert) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/cert) > set RPORT 8383
RPORT => 8383
msf5 auxiliary(scanner/http/cert) > run
[*] 192.168.177.144:8383 - 192.168.177.144 - 'Desktop Central' : '2010-09-08 12:24:44 UTC' - '2020-09-05 12:24:44 UTC'
[*] 192.168.177.144:8383 - Scanned 1 of 1 hosts (100% complete)

2. Detect the robots.txt file

msf5 > use auxiliary/scanner/http/robots_txt
msf5 auxiliary(scanner/http/robots_txt) > set PATH /mutillidae
PATH => /mutillidae
msf5 auxiliary(scanner/http/robots_txt) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 auxiliary(scanner/http/robots_txt) > run
[*] [192.168.177.145] /mutillidae/robots.txt found
[+] Contents of robots.txt:
User-agent: *
Disallow: ./passwords/
Disallow: ./config.inc
Disallow: ./classes/
Disallow: ./javascript/
Disallow: ./owasp-esapi-php/
Disallow: ./documentation/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/robots_txt) >

3. The HTTP writable path PUT/DELETE file access module can upload and delete content on the web server through PUT and DELETE requests:

msf5 > use auxiliary/scanner/http/http_put
msf5 auxiliary(scanner/http/http_put) > set PATH /uploads
PATH => /uploads
msf5 auxiliary(scanner/http/http_put) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/http_put) > set RPORT 8585
RPORT => 8585
msf5 auxiliary(scanner/http/http_put) > run
[+] File uploaded: http://192.168.177.144:8585/uploads/msf_http_put_test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_put) >

4. The Jenkins-CI scanning module:

msf5 > use auxiliary/scanner/http/jenkins_enum
msf5 auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/jenkins_enum) > set RPORT 8484
RPORT => 8484
msf5 auxiliary(scanner/http/jenkins_enum) > set TARGETURI /
TARGETURI => /
msf5 auxiliary(scanner/http/jenkins_enum) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

13. WinRM scanning and brute forcing

Windows Remote Management (WinRM) is Microsoft’s implementation of the WS-Management protocol, a standard, firewall-friendly protocol based on the Simple Object Access Protocol (SOAP) that lets hardware and operating systems from different vendors interoperate.

The preparatory work

The WinRM authentication method detection module sends HTTP/HTTPS requests to the target to discover whether a WinRM service is present and, if so, which authentication methods it supports.

Login credentials for the target can be obtained with the smb_login module. With them we can run the WinRM command execution module to test whether Windows commands can be run through the WinRM service.

How to do

1. WinRM identity authentication detection

msf5 > use auxiliary/scanner/winrm/winrm_auth_methods
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > run
[+] 192.168.177.144:5985: Negotiate protocol supported
[+] 192.168.177.144:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_auth_methods) >

2. Run the WinRM command execution module:

msf5 > use auxiliary/scanner/winrm/winrm_cmd
msf5 auxiliary(scanner/winrm/winrm_cmd) > set CMD hostname
CMD => hostname
msf5 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USERNAME => Administrator
msf5 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD vagrant
PASSWORD => vagrant
msf5 auxiliary(scanner/winrm/winrm_cmd) > run
[+] 192.168.177.144:5985: metasploitable3
[+] Results saved to /root/.msf4/loot/20190412172543_default_192.168.177.144_winrm.cmd_result_858044.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_cmd) >

As you can see, we successfully executed the command on the target.

So far, we’ve looked at the basics of port scanning and learned how to use Nmap, and we have extended our scanning and information gathering with other tools. In the following sections, we’ll look at several other tools that scan for available services and ports on the target; they can also help us determine which vulnerabilities may exist for specific services and ports.

Stay tuned for the remaining three sections, which cover the three techniques and methods used by the vulnerability scanner in conjunction with Metasploit, in the next article

14. Using Nessus with Metasploit

15. Using NeXpose with Metasploit

16. Using OpenVAS with Metasploit

Chapter 2 Information Collection and scanning – continued

Notes

Metasploit Penetration Testing Cookbook-Third Edition

www.packtpub.com/networking-…

This article was compiled by Hetian Network Security Laboratory; please credit the source when reposting.

About hetian Net security laboratory

Hetian Network Security Laboratory (www.hetianlab.com): China’s leading hands-on online network security education platform.

Learn network security by practicing online in real environments. The experiments cover system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, network security awareness education, and more.