Metasploit Intelligence Gathering



Goals
Gain accurate information about your targets without revealing your presence or your intentions.

It takes time and patience to sort through web pages, perform Google hacking, and map systems thoroughly
in an attempt to understand the infrastructure of a particular target.

Requires: careful planning, research, and most importantly, the ability to think like an attacker.


Whois lookups

msf > whois sitename.com

Netcraft
Netcraft is a web-based tool that we can use to find the IP address of a server hosting a particular website.

NsLookup
To get additional server information (here, the mail exchanger records):
  • nslookup
       set type=mx  // mx = mail exchanger
       sitename.com

Port scanning with Nmap
Scan for open ports on the target system.

  • nmap -sS -Pn ipaddress


Working with Databases in Metasploit
When we are running a complex penetration test with a lot of targets, keeping track of
everything can be a challenge.
Metasploit has you covered with expansive support for multiple database systems.

  • First ensure that database support is available on your system.
  • Metasploit supports MySQL and PostgreSQL databases; PostgreSQL is the default.
  • # /etc/init.d/postgresql.x.x start
  • # db_connect postgres:host
  • # db_status  // shows the current (default) database connection

Import Nmap Results into Metasploit
  • nmap -Pn -sS -A -oX Subnet1 ipaddress
        -A attempts advanced service enumeration and banner grabbing;
        -oX writes the results as XML so they can be imported.

  • db_import Subnet1.xml

  • db_hosts -c address  // list the imported hosts, showing only the address column

Advanced Nmap Scanning : TCP Idle Scan

TCP idle scan allows us to scan a target stealthily by spoofing the IP address of another host on the
network.

Steps:
  • Locate an idle host on the network that uses incremental IP IDs (the IP ID is used to track packet order).
  • Spoof the address of the idle host while scanning, and observe the target's response from open ports.

msf > use auxiliary/scanner/ip/ipidseq
  • show options
    • RHOSTS -- the hosts to test: IP ranges (such as 192.168.1.20-192.168.1.30),
      Classless Inter-Domain Routing (CIDR) ranges (such as 192.168.1.0/24 or 192.168.3.0/24),
      or a text file of targets (such as /desktop/file.txt).
    • THREADS -- concurrent threads to use while scanning.
      • Raise this value to speed up our scans or lower it to reduce network traffic.
      • Metasploit on Windows: THREADS 16 (do not set the value greater).
      • On UNIX: THREADS 128 (not greater).

  • set RHOSTS ipranges
  • set THREADS 50
  • run

Use the idle host found by ipidseq for your idle scan by passing it to Nmap's -sI command-line flag:
  • nmap -PN -sI <IDLE host IP>  host IP

Running Nmap from MSFconsole:
  • db_nmap -sS -A 172.16.32.131  // run from within msfconsole; the results go straight into the database
  • Check the results from the scan with db_services

Port Scanning with Metasploit

  • search portscan

Metasploit's SYN port scanner:

  • msf > use scanner/portscan/syn
  • msf > set RHOSTS ip
  • msf > set THREADS 50
  • msf > run
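From the defender's side, the SYN scanner above (and nmap -sS) shows up as a burst of bare SYNs from one source to many ports that never complete a handshake. The following Python example is added here and is not part of the original post: it runs a simple sliding-window detector over constructed, iptables-style firewall log lines; the log format, the 10-second window and the five-port threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (iptables-style, simplified); not from a real device.
# 198.51.100.7 probes seven ports in a few seconds; 203.0.113.5 is ordinary traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21 FLAGS=S
2024-01-01T10:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=S
2024-01-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=S
2024-01-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=S
2024-01-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S
2024-01-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445 FLAGS=S
2024-01-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=1433 FLAGS=S
2024-01-01T10:00:05 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S
2024-01-01T10:00:09 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S
2024-01-01T10:05:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389 FLAGS=S
"""

# Only bare SYNs (FLAGS=S) matter: a SYN scan never completes the handshake.
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=\S+ PROTO=TCP DPT=(\d+) FLAGS=S$")


def detect_syn_scans(log_text, window_seconds=10, min_ports=5):
    """Return {src: (window_start, sorted_ports)} for each source whose SYNs hit
    at least `min_ports` distinct destination ports within `window_seconds`.
    Note: for an idle (-sI) scan the SRC seen here is the spoofed zombie host,
    so the alert identifies the idle host rather than the real scanner."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-SYN or malformed line
        events[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window forward
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = (evs[start][0], sorted(ports))
                break  # first qualifying window is enough to raise the alert
    return hits
```

Tune window_seconds and min_ports to the network: a slow scan (e.g. nmap -T0) spreads its SYNs over minutes and needs a much wider window to be caught.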

Targeted Scanning (all of these scanners live under auxiliary/scanner and take the same style of commands)
Looks for specific operating systems, services, program versions, or configurations that are known to be
exploitable and that provide an easy door into a target network.

SMB (Server Message Block) Scanning

msf > use scanner/smb/smb_version
msf > show options
msf > set RHOSTS ipadd
msf > run
  • In this example the smb_version scanner pinpointed the operating system as Windows.
  • db_hosts -c address,os_flavor  // show the address and OS flavor columns for the scanned hosts

   
Hunting for Poorly Configured Microsoft SQL Servers

Poorly configured Microsoft SQL Server (MS SQL) instances are a common find.
MS SQL listens by default on TCP port 1433 and UDP port 1434.

  • mssql_ping uses UDP (port 1434) to find MS SQL servers.
msf > use scanner/mssql/mssql_ping
msf > show options
msf > set RHOSTS ipadd
msf > set THREADS 255
msf > run

SSH Server Scanning
Secure Shell (SSH): determine which SSH version is running on the target. SSH is a secure protocol.
  • msf > use scanner/ssh/ssh_version
  • msf > set THREADS 50
  • msf > run


FTP Scanning
FTP is a complicated and insecure protocol. FTP servers are often the easiest way into a
target network, so always scan to identify and fingerprint any FTP servers running on your target.

  • msf > use scanner/ftp/ftp_version
  • msf > show options
  • msf > set RHOSTS ipranges
  • msf > set THREADS 255
  • msf > run

Check whether an FTP server allows anonymous logins using the Framework's scanner/ftp/anonymous module:

  • msf > use auxiliary/scanner/ftp/anonymous
  • msf > set RHOSTS iprange
  • msf > set THREADS 50
  • msf > run

Simple Network Management Protocol Sweeping
SNMP is used in network devices to report information such as bandwidth utilization, collision rates, and other
statistics. Operating systems also have SNMP servers that can provide information such as CPU utilization,
free memory and other system-specific details.

Metasploit has a built-in auxiliary module called scanner/snmp/snmp_enum that is designed specifically for SNMP sweeps.

Read-only and read/write community strings play an important role in the type of information you
will be able to extract from a given device.

On Windows-based devices configured with SNMP, you can often use the RO or RW community strings to
extract patch levels, running services, usernames, uptime, routes and other information that can make
things much easier for you during a pen test.

  • msf > use scanner/snmp/snmp_login
  • msf > set RHOSTS ipranges
  • msf > set THREADS 50
  • msf > run

