Uploaded by Dagim Mengesha
Copyright © All Rights Reserved

Lab Two

Information Gathering with Metasploit


Outline
❖Port Scanning
❖Hunting for MSSQL
❖Service Identification
❖Password Sniffing
❖SNMP sweeping
Preparing Metasploit for Port Scanning
• RHOSTS can take IP ranges (192.168.1.20-192.168.1.30), Classless
Inter-Domain Routing ranges (192.168.1.0/24), multiple ranges
separated by commas (192.168.1.0/24, 192.168.3.0/24), and
line-separated host list files (file:/tmp/hostlist.txt).
• Such a host list is another use for a grepable Nmap output file: pull the
live hosts out of it and feed them back in as RHOSTS.
• By default, all of the scanner modules have the ‘THREADS’ value
set to ‘1’. The ‘THREADS’ value sets the number of concurrent threads
to use while scanning.
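As an added example (not part of the original slides and not Metasploit's own range-walking code), the following Python expands an RHOSTS-style specification in exactly the forms listed above, so you can check how many addresses a scan will touch before picking a THREADS value. The read_file parameter is a hypothetical hook, added only so the file: form can be exercised without a real file on disk.

```python
import ipaddress
from pathlib import Path


def expand_rhosts(spec, read_file=Path.read_text):
    """Expand a Metasploit-style RHOSTS string into an ordered, de-duplicated
    list of IPv4 address strings.

    Forms handled are the ones the slide lists:
      192.168.1.20-192.168.1.30   inclusive address range
      192.168.1.0/24              CIDR block; yields all 256 addresses,
                                  including .0 and .255
      a, b, c                     comma-separated mix of any of the above
      file:/tmp/hostlist.txt      one entry per line; blank lines and
                                  '#' comments are skipped
    read_file is injectable (hypothetical parameter, for testing) so the
    file: form can be exercised without touching disk.
    """
    hosts = []
    seen = set()

    def add(addr):
        text = str(addr)
        if text not in seen:
            seen.add(text)
            hosts.append(text)

    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token.startswith("file:"):
            # Each line of the list file may itself be any of the other forms.
            for line in read_file(Path(token[len("file:"):])).splitlines():
                line = line.split("#", 1)[0].strip()
                if line:
                    for addr in expand_rhosts(line, read_file):
                        add(addr)
        elif "/" in token:
            for addr in ipaddress.ip_network(token, strict=False):
                add(addr)
        elif "-" in token:
            lo_s, hi_s = (p.strip() for p in token.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if hi < lo:
                raise ValueError(f"range end precedes start: {token}")
            cur = lo
            while cur <= hi:
                add(cur)
                cur += 1
        else:
            add(ipaddress.ip_address(token))
    return hosts


if __name__ == "__main__":
    # How many addresses does a THREADS setting have to cover?
    spec = "192.168.1.20-192.168.1.30, 192.168.3.0/24"
    targets = expand_rhosts(spec)
    print(f"{spec!r} expands to {len(targets)} addresses; "
          f"first {targets[0]}, last {targets[-1]}")
```

Note that a /24 expands to 256 entries including the network and broadcast addresses; drop those yourself if your own tooling treats them as unusable.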
Cont.
• Set this value higher to speed up your scans, or keep it lower to
reduce network traffic, but be sure to adhere to the following guidelines:
• Keep the THREADS value under 16 on native Win32 systems.
• On Unix-like operating systems, THREADS can be set as high as 256.
Nmap & db_nmap
• We can use the db_nmap command to run Nmap against our targets,
and our scan results will then be stored automatically in our
database.
• However, if you also wish to import the scan results into another
application or framework later on, you will likely want to export the
scan results in XML format. It is always nice to have all three Nmap
outputs (XML, grepable, and normal).
• So we can run the Nmap scan using the -oA flag followed by the
desired base filename to generate the three output files, then issue the
db_import command to populate the Metasploit database.
Cont.
• Run Nmap with the options you would normally use from the
command line. If we wished for our scan to be saved to our database,
we would omit the output flag and use db_nmap.
• Example using nmap (the slide's sample target was 10.161.70.84):
• nmap -v -sV XXX.XXX.XXX.XXX/XX -oA subnet_1
• Example using db_nmap (no trailing period after the target, or it is read as part of the address):
• db_nmap -v -sV XXX.XXX.XXX.XXX/XX
Port Scanning
• In addition to running Nmap, there are a variety of other port
scanners available to us within the framework.
• To list the available modules in Metasploit, run 'search portscan'.
• For the sake of comparison, we’ll compare our Nmap scan results for
port 80 with a Metasploit scanning module.
• First, let’s determine what hosts had port 80 open according to
Nmap (the .gnmap file is the grepable output that -oA wrote).
• msfconsole > cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
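The grep pipeline above has a catch: `grep 80/open` also matches 8080/open, 180/open and so on, so hosts that never had port 80 open end up in the list. Here is an added example, not from the original slides, that parses the grepable format properly (one tab-separated line per host, a `Ports:` field of comma-separated `port/state/proto/owner/service/rpc/version` entries) and shows the difference on a constructed .gnmap sample. The hosts, services and versions in the sample are made up.

```python
import re

# Constructed sample of Nmap grepable output (the .gnmap file that -oA writes);
# hosts, services and versions are made up for this example.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -v -sV -oA subnet_1 192.168.1.0/28\n"
    "Host: 192.168.1.5 ()\tStatus: Up\n"
    "Host: 192.168.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//Apache httpd 2.4/\tIgnored State: closed (998)\n"
    "Host: 192.168.1.7 ()\tStatus: Up\n"
    "Host: 192.168.1.7 ()\tPorts: 8080/open/tcp//http-proxy//Squid/, "
    "80/filtered/tcp//http///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.9 (web.lab)\tStatus: Up\n"
    "Host: 192.168.1.9 (web.lab)\tPorts: 80/open/tcp//http//nginx 1.24/, "
    "443/open/tcp//ssl|http//nginx 1.24/\tIgnored State: closed (998)\n"
    "# Nmap done -- 16 IP addresses (3 hosts up) scanned in 60.00 seconds\n"
)

_HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# Port entries are ", "-separated; split only where the next entry's port
# number begins, so a comma inside a version string cannot break the parse.
_ENTRY_SPLIT = re.compile(r", (?=\d+/)")


def parse_gnmap(text):
    """Yield (ip, hostname, port, state, proto, service, version) per port entry."""
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split("\t")
        m = _HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in _ENTRY_SPLIT.split(field[len("Ports: "):]):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                yield ip, hostname, int(port), state, proto, service, version


def hosts_with_open_port(text, port, proto="tcp"):
    """Hosts where exactly this port is open: 80 matches 80/open only."""
    found = []
    for ip, _host, p, state, pr, _svc, _ver in parse_gnmap(text):
        if p == port and pr == proto and state == "open" and ip not in found:
            found.append(ip)
    return found


def naive_grep(text, needle="80/open"):
    """The slide's pipeline (grep 80/open | awk '{print $2}'), for comparison."""
    return [line.split()[1] for line in text.splitlines() if needle in line]


if __name__ == "__main__":
    print("parsed :", hosts_with_open_port(SAMPLE_GNMAP, 80))
    print("grep   :", naive_grep(SAMPLE_GNMAP))
```

On the sample, the parser returns two hosts for port 80 while the grep pipeline returns three, the extra one being the host whose only match is 8080/open. The same parser gives you a clean host list to hand back to RHOSTS through a file: list.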
Cont.
• The Nmap scan we ran earlier was a SYN scan, so we’ll run the same
scan across the subnet looking for port 80 (or any port) through
our eth0 interface, using Metasploit.
• use auxiliary/scanner/portscan/syn
• show options
• set INTERFACE eth0
• set PORTS 80 (or a port range, e.g. 1-1024)
• set RHOSTS xxx.xxx.xxx.xxx/xx
• set THREADS 50
• run
Cont.
• We can see that Metasploit’s built-in scanner modules are more than
capable of finding systems and open ports for us. It’s just another
excellent tool to have in your arsenal if you happen to be running
Metasploit on a system without Nmap installed.
SMB Version Scanning
• Now that we have determined which hosts are available on the
network, we can attempt to determine the operating systems they
are running. This will help us narrow down our attacks to target a
specific system and will stop us from wasting time on those that
aren’t vulnerable to a particular exploit.
• Since there are many systems in our scan that have port 445 open, we
will use the scanner/smb/smb_version module to determine which version
of Windows is running on a target and which Samba version is on a
Linux host.
Cont.
• usage
• use auxiliary/scanner/smb/smb_version
• set RHOSTS xxx.xxx.xxx.xxx/xx
• set THREADS 11
• run
• hosts
• Also notice that if we issue the hosts command now, the newly-acquired
information is stored in Metasploit’s database.
HUNTING FOR MSSQL: Using Metasploit to Find
Vulnerable MSSQL Systems
• Searching for and locating MSSQL installations inside the internal
network can be achieved using UDP foot-printing. When MSSQL is
installed, it listens either on TCP port 1433 or on a randomized dynamic
TCP port.
• If the port is dynamically assigned, querying UDP port 1434 (the SQL
Server Browser service) will provide us with information on the server,
including the TCP port on which the service is listening.
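To see what that UDP 1434 query actually hands back, here is an added example (not Metasploit's mssql_ping code) that parses a SQL Server Resolution Protocol SVR_RESP datagram: one 0x05 byte, a little-endian 16-bit body length, then `Key;Value;` pairs with each instance terminated by `;;`. The datagram, server name, instance names and pipe name are constructed for the example. The defender's point is that this reply is unauthenticated: anyone who can reach UDP 1434 learns instance names, versions, pipe names and the dynamic TCP port, so the Browser service should be filtered or disabled wherever it is not needed.

```python
import struct


def build_svr_resp(instances):
    """Build a constructed SVR_RESP datagram: 0x05, uint16 LE body length, then
    'Key;Value;' pairs per instance with each instance terminated by ';;'.
    Used here only to fabricate test input; a real reply comes from the
    SQL Server Browser service."""
    body = "".join("".join(f"{k};{v};" for k, v in inst) + ";" for inst in instances)
    data = body.encode("ascii")
    return bytes([0x05]) + struct.pack("<H", len(data)) + data


def parse_svr_resp(datagram):
    """Parse an SVR_RESP datagram into one dict per advertised instance."""
    if len(datagram) < 3 or datagram[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    if length > len(datagram) - 3:
        raise ValueError("declared length exceeds datagram")
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        tokens = chunk.split(";")
        # tokens alternate key, value, key, value, ...
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def listening_tcp_ports(instances):
    """Map instance name -> TCP port for every instance that advertises one."""
    return {inst["InstanceName"]: int(inst["tcp"])
            for inst in instances if "tcp" in inst and "InstanceName" in inst}


def non_default_port_instances(instances):
    """Instances that would be invisible to a plain TCP/1433 scan."""
    return sorted(name for name, port in listening_tcp_ports(instances).items()
                  if port != 1433)


# Constructed reply: one default instance on 1433 and one named instance on a
# dynamic port. Names, version and pipe are placeholders, not real systems.
SAMPLE_REPLY = build_svr_resp([
    [("ServerName", "SQLLAB01"), ("InstanceName", "MSSQLSERVER"), ("IsClustered", "No"),
     ("Version", "15.0.2000.5"), ("tcp", "1433")],
    [("ServerName", "SQLLAB01"), ("InstanceName", "REPORTING"), ("IsClustered", "No"),
     ("Version", "15.0.2000.5"), ("tcp", "49172"),
     ("np", r"\\SQLLAB01\pipe\MSSQL$REPORTING\sql\query")],
])


if __name__ == "__main__":
    found = parse_svr_resp(SAMPLE_REPLY)
    for inst in found:
        print(inst)
    print("dynamic-port instances:", non_default_port_instances(found))
```

A port scan of TCP/1433 alone would have shown one SQL Server on this host; the Browser reply reveals the second instance on port 49172. That is exactly why the UDP 1434 sweep belongs in the inventory step, and why an exposed Browser service is worth a finding of its own.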
Cont.
• Let us search for and load the MSSQL ping module inside the
msfconsole.
• msfconsole
• search mssql
• use scanner/mssql/mssql_ping
• show options
• set RHOSTS 10.211.55.1/24
• run
Cont.
• At this point you could use the scanner/mssql/mssql_login module to
brute-force the password by passing the module a dictionary file.
Alternatively, you could also use medusa, or THC-Hydra to do this.
• Once you successfully guess the password, there’s a neat little
module for executing the xp_cmdshell stored procedure.
Service Identification: Scanning Services Using
Metasploit
• Again, other than using Nmap to perform scanning for services on our target
network, Metasploit also includes a large variety of scanners for various
services, often helping you determine potentially vulnerable running services
on target machines.
• SSH Service
• A previous scan shows us we have TCP port 22 open on two machines. SSH is very
secure but vulnerabilities are not unheard of and it always pays to gather as much
information as possible from your targets.
• msf > services -p 22 -c name,port,proto
• use auxiliary/scanner/ssh/ssh_version
• set RHOSTS 172.16.194.163 172.16.194.172
• show options
• run
Cont.
• FTP Service
• Poorly configured FTP servers can frequently be the foothold you need in
order to gain access to an entire network so it always pays off to check to see
if anonymous access is allowed whenever you encounter an open FTP port
which is usually on TCP port 21.
• We’ll set the ‘THREADS’ to ‘1’ here as we’re only going to scan 1 host.
• msfconsole
• services -p 21 -c name,proto
• use auxiliary/scanner/ftp/ftp_version
• set RHOSTS xxx.xxx.xxx.xxx
• show options
• run
Cont.
• In a short amount of time and with very little work, we are able to
acquire a great deal of information about the hosts residing on our
network, giving us a much better picture of what we are
facing when conducting our penetration test.
• There are obviously too many scanners for us to showcase. It is clear,
however, that the Metasploit Framework is well suited for all your scanning
and identification needs.
• msfconsole
• use auxiliary/scanner/
Password Sniffing: Password Sniffing with
Metasploit
• Max Moser released a Metasploit password sniffing module named
psnuffle that will sniff passwords off the wire similar to the tool dsniff.
It currently supports POP3, IMAP, FTP, and HTTP GET. More
information is available on his blog.
• Using the psnuffle module is extremely simple. There are some
options available but the module works great “out of the box”.
• msfconsole
• use auxiliary/sniffer/psnuffle
• show options
• run
SNMP Auxiliary Module for Metasploit
• Continuing with our information gathering, let’s take a look at SNMP
sweeping. SNMP sweeps are often good at finding a great deal of
information about a specific system, or even at compromising the
remote device.
• If you can find a Cisco device that answers to the default ‘private’
(read-write) community string, for example, you can actually download the
entire device configuration, modify it, and upload your own malicious config.
• Often the passwords in that configuration are Cisco type 7 (‘level 7’)
encoded, which is a reversible encoding rather than a hash, so they are
trivial to decode to obtain the enable or login password for the specific
device.
Cont.
• Metasploit comes with a built in auxiliary module specifically for sweeping
SNMP devices. There are a couple of things to understand before we perform
our SNMP scan.
• First, ‘read only‘ and ‘read write‘ community strings play an important role in
what type of information can be extracted or modified on the devices
themselves.
• If you can “guess” the read-only or read-write strings, you can obtain quite a
bit of access you would not normally have.
• In addition, if Windows-based devices are configured with SNMP, often
with RO/RW community strings set, you can extract patch levels, services
running, last reboot times, usernames on the system, routes, and various
other information that is valuable to an attacker.
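An added example, not from the original slides, that turns the two points above (guessable or read-write community strings, and type 7 ‘encoded’ passwords sitting in the config) into a configuration audit. It scans a constructed IOS-style running-config excerpt (placeholder hostname, hex strings and hash; no real device) and reports the weaknesses an SNMP sweep would go after, without decoding anything. It matches only the plain `snmp-server community <string> [RO|RW] [acl]` and `password 7` forms; view and IPv6 keywords are out of scope.

```python
import re

# Constructed IOS-style running-config excerpt for the audit. The hostname,
# type 7 hex strings and the type 9 hash are placeholders, not real secrets.
SAMPLE_CONFIG = """\
!
hostname lab-rtr1
enable password 7 0123456789ABCD
username admin password 7 0F1E2D3C4B5A
username ops secret 9 $9$SALTSALTSALTSALT$HASHPLACEHOLDERHASHPLACEHOLDER
!
line vty 0 4
 password 7 ABCDEF012345
 login
!
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cureview RO 10
!
"""

# 'password 7' on enable, username or line entries = reversible type 7 encoding.
_TYPE7 = re.compile(r"^\s*(?:enable |username \S+ )?password 7 \S+", re.M)
# snmp-server community <string> [RO|RW] [acl]; RO is the IOS default mode.
_COMMUNITY = re.compile(
    r"^\s*snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?\s*$", re.M)
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(text):
    """Return (severity, message) findings for community-string and type 7 weaknesses."""
    findings = []
    for m in _TYPE7.finditer(text):
        findings.append(("high", f"'{m.group(0).strip()}': type 7 is a reversible "
                                 "encoding, not a hash; replace with 'secret' (type 8/9)"))
    for m in _COMMUNITY.finditer(text):
        name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if mode == "RW":
            findings.append(("high", f"community '{name}' is RW: the configuration "
                                     "can be rewritten over SNMP"))
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"community '{name}' is a default string that "
                                     "any sweep tries first"))
        if acl is None:
            findings.append(("medium", f"community '{name}' has no ACL: any source "
                                       "address may query it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {message}")
```

On the sample, the only community that passes is the one with a non-default string and an ACL. The fixes the findings point at are SNMPv3 with authentication and privacy instead of v1/v2c community strings, an ACL on any community that must remain, and `secret` (type 8 or 9 in IOS) in place of every `password 7`.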
Cont.
• By default Metasploitable’s SNMP service only listens on localhost.
Many of the examples demonstrated here will require you to change
these default settings. Open and edit /etc/default/snmpd, and change
the following from:
• SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid
127.0.0.1' to
• SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid
0.0.0.0'
• A service restart will be needed in order for the changes to take
effect. Once restarted, you will now be able to scan the service from
your attacking machine.
Cont.
• What is a MIB?
• When querying through SNMP, you address the device’s MIB.
• MIB stands for Management Information Base; it is the tree of objects you
query to extract information from the device.
• Metasploit comes loaded with a list of default MIBs in its database and uses
them to query the device for more information, depending on what level of access is
obtained. Let’s take a peek at the auxiliary module.
• msfconsole
• search snmp
• use auxiliary/scanner/snmp/snmp_login
• show options
• set RHOSTS XXX.XXX.XXX.XXX/XX
• set THREADS 10
• run
Cont.
• SNMP Enum
• We can gather lots of information when using SNMP scanning modules, such
as open ports, services, hostname, processes, and uptime, to name a few.
• Using our Metasploitable virtual machine as our target, we’ll run the
auxiliary/scanner/snmp/snmp_enum module and see what information it will
provide us.
• First we load the module and set the ‘RHOSTS’ option using the information
stored in our workspace. Running hosts -R will set this option for us.
Cont.
• msfconsole
• use auxiliary/scanner/snmp/snmp_enum
• set RHOSTS XXX.XXX.XXX.XXX/XX
• run
• The output of this SNMP scan (not reproduced on the slide) provides us with a
wealth of information on our target system. Although cropped for
length, we can still see lots of relevant information about our target,
such as its processor type, process IDs, etc.
