In our last Metasploitable tutorial we scanned the target with Nmap to find open ports and services. This time we will take a look at some of the auxiliary scanner modules built into Metasploit. These scanners let us pull service information from a single host or sweep an entire network!
So let’s get started! (As usual these techniques are for security professionals. Do not attempt to access systems that you do not own or have permission to test, and do not use production systems to learn these techniques.)
For this tutorial we will again use our Backtrack 5 system as the testing platform and the purposely vulnerable Metasploitable 2 virtual machine as our target.
Running our Nmap scan produced a large number of open ports for us to pick and choose from. What many people don’t know is that Metasploit comes with a substantial set of built-in scanners to follow up on them.
Run “msfconsole” from a Backtrack command prompt. Then type “search scanner” at the prompt:
msf > search scanner
Scroll down through the long list to see what is available. For this tutorial let’s focus on the ports that we found open, starting with SSH. Let’s search for only SSH scanners:
Notice that several are available. We are only looking for version information for now, so we will use the SSH version scanner. Simply “use” the module, then “show options” to see what options it takes. In this case the only option we set was RHOSTS, the remote host(s), which is our target.
Then just type “exploit” to run it (for auxiliary modules “run” does exactly the same thing):
We see that our target is indeed running an SSH server, and the banner tells us which version of the software is in use.
Some of the scanners are more helpful than others. For example, if we use the MySQL version scanner we get this:
The full version of MySQL that is running. Others aren’t quite as helpful; let’s look at Telnet:
Hmm… this is just a banner grab with no hint as to what version of the Telnet service is running. But it is proof that there is something listening there.
What is also interesting is that these scanner modules have different options we can set. For instance, let’s run the SMB version scanner:
Okay, we set RHOSTS to 192.168.12.20, it scanned that host and returned the version of Samba running on it. But what if we wanted to find every system on the network running Samba? This is where the beauty of the RHOSTS option comes into play: it accepts a range as well as a single address. Instead of scanning the single host, let’s scan all 256 addresses in the 192.168.12.0/24 network.
We use exactly the same module, but set RHOSTS to the whole network in CIDR notation (192.168.12.0/24) instead of the single address:
Notice that it now scanned all 256 addresses on the network and found Samba running on our Metasploitable 2 machine at 192.168.12.20!
This makes things much easier if you are just looking for certain services across a network. I also set the THREADS option. It defaults to 1, so a whole /24 is scanned one host at a time. If you are scanning a local LAN you can bump this up to 255 to make it go faster; keep it lower, around 50, when testing a remote network, where bandwidth and latency limit how many parallel connections complete reliably.
Let’s use another scanner, this time looking for FTP servers. We won’t scan for version information (though we could); instead let’s try the FTP anonymous scanner. It sweeps a network for FTP services that allow an anonymous user read access, write access, or both.
Just search for FTP scanners and “use” the FTP anonymous scanner.
As you can see, this FTP server allows read access to anonymous users. Write access would have been more useful to an attacker, but this shows how easily we can check for specific misconfigurations with the included scanners.
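To tie the steps above together, here is an added example (it is not from the original post) of a small POSIX shell script that writes an msfconsole resource script running the version scanners and the anonymous-FTP check covered in this tutorial against the whole /24, then feeds it to msfconsole. The 192.168.12.0/24 range, the thread count and the /tmp paths are assumptions for the lab network described here; the module paths are the standard Metasploit ones.

```shell
#!/bin/sh
# Added example: automate the msfconsole scanner sweep from this tutorial.
# Assumptions: lab network 192.168.12.0/24, THREADS=50, output under /tmp.
# Override any of them via environment variables, e.g. NETWORK=10.0.0.0/24.
set -eu

NETWORK="${NETWORK:-192.168.12.0/24}"   # assumed lab range from the post
THREADS="${THREADS:-50}"                 # conservative; raise on a local LAN
RC_FILE="${RC_FILE:-/tmp/sweep.rc}"      # generated resource script
LOG_FILE="${LOG_FILE:-/tmp/sweep.log}"   # console output captured via spool

# Write the resource script. Every "use ... run" pair is exactly what you
# would type at the msf > prompt; setg makes RHOSTS and THREADS apply to
# each module so they are not re-entered six times.
write_rc() {
    rc="$1"; net="$2"; threads="$3"; log="$4"
    {
        echo "spool $log"
        echo "setg RHOSTS $net"
        echo "setg THREADS $threads"
        for mod in \
            auxiliary/scanner/ssh/ssh_version \
            auxiliary/scanner/mysql/mysql_version \
            auxiliary/scanner/telnet/telnet_version \
            auxiliary/scanner/smb/smb_version \
            auxiliary/scanner/ftp/ftp_version \
            auxiliary/scanner/ftp/anonymous
        do
            echo "use $mod"
            echo "run"
        done
        echo "spool off"
        echo "exit -y"
    } > "$rc"
}

# Number of modules the resource script will run; handy as a sanity check
# before handing the file to msfconsole.
count_modules() {
    grep -c '^use ' "$1"
}

# Generate the script and run it non-interactively (-q quiet banner,
# -r resource file). Only executed when invoked as: sh sweep.sh run
run_sweep() {
    write_rc "$RC_FILE" "$NETWORK" "$THREADS" "$LOG_FILE"
    echo "Running $(count_modules "$RC_FILE") scanner modules against $NETWORK"
    msfconsole -q -r "$RC_FILE"
    echo "Results spooled to $LOG_FILE"
}

if [ "${1:-}" = "run" ]; then
    run_sweep
fi
```

Run it from a Backtrack terminal with `sh sweep.sh run`; the spooled log then holds the same version banners and anonymous-FTP results the screenshots above show, for every responding host in the range rather than one.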
Well, that’s it for this tutorial. Next time we will look at using information obtained from a scan to find and use a root level exploit on the Linux Metasploitable box!
(Want to learn a LOT more about penetration testing with Metasploit on the Backtrack platform? Check out the Bible of pentesting with Metasploit, “Metasploit: The Penetration Tester’s Guide”.)