try hack me
  • what is this repo?
  • Pre Security
    • Introduction to Cyber Security
    • Linux Fundamentals
  • pre security Tools
    • gobuster
    • ping (ICMP)
    • nslookup
    • basic Linux commands
    • basic Linux operators
    • some Linux web command
    • processes
    • cron tabs (schedule)
    • Important Directories
    • basic CMD command
    • ssh
    • ftp
    • simple digital forensics commands
  • Complete Begginer
    • CVE tracking websites
    • traceroute
    • whois
    • dig
    • nmap
    • smb
    • Telnet
      • tcpdump listener & reverse shell
    • ftp
    • hydra
    • NFS
    • smtp
    • mysql
    • 🅱️Burp Suite
      • Proxy
      • target
      • intruder
      • simple XSS attack
    • OWASP top 10 : 2021
      • 1. Broken Access Control
      • 2. Cryptographic Failures
      • 3. Injection
      • 4. Insecure Design
      • 5. Security Misconfiguration
      • 6. Vulnerable and Outdated Components
      • 7. Identification and Authentication Failures
      • 8. Software and Data Integrity Failures
        • Software Integrity Failures
        • Data Integrity Failures
      • 9. Security Logging and Monitoring Failures
      • 10. Server-Side Request Forgery (SSRF)
    • file type recognition
      • How to change magic numbers
    • upload vulnerability exploiting
    • about hash
    • john the ripper
      • /etc/shadow
      • Single Crack Mode
      • Custom Rules
      • rar and zip
      • SSH Key Passwords
      • GPG/PGP
    • Encryption
      • SSH authentication
      • SSH configuration (sort of)
      • GnuPG (very basic)
    • metasploit
      • mian components
      • Scanner
      • The Metasploit Database
      • Vulnerability Scanning
      • exploiting
      • Msfvenom
      • Meterpreter>
        • Commands
        • Post-Exploitation
    • Shell
      • netcat
      • socat
      • common shell payloads
      • Next steps
    • privilege esclation
      • Exploiting Writeable /etc/passwd
      • Vi, sudo -l, GTFOBin
      • Cron tab exploitation
      • Exploiting PATH Variable
      • some checklists
      • windows
        • miscellaneous
      • Examples
        • mysql running as root
        • Weak File Permissions
        • Sudo
        • Cron Jobs
        • SUID / SGID Executables
        • Passwords & Keys
        • NFS
        • Kernel Exploits
    • file transfer between two machines
  • SQL injection
  • Google Dorking
  • Web hacking intro
    • Walking an application
    • Content Discovery(ffuf, dirb, gobuster)
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR
    • File Inclusion
Powered by GitBook
On this page
  • Port Scanning
  • UDP service Identification
  • SMB Scans
  1. Complete Begginer
  2. metasploit

Scanner

Port Scanning

Metasploit has a number of modules to scan open ports on the target system and network. You can list potential port scanning modules available using the search portscan command.

Search portscan
msf6 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner


Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf6 >

Port scanning modules will require you to set a few options:

Portscan options
msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf6 auxiliary(scanner/portscan/tcp) >

  • CONCURRENCY: Number of targets to be scanned simultaneously.

  • PORTS: Port range to be scanned. Please note that 1-1000 here will not be the same as using Nmap with the default configuration. Nmap will scan the 1000 most used ports, while Metasploit will scan port numbers from 1 to 10000.

  • RHOSTS: Target or target network to be scanned.

  • THREADS: Number of threads that will be used simultaneously. More threads will result in faster scans.

You can directly perform Nmap scans from the msfconsole prompt as shown below faster:

UsingNmapfrom the Msfconsole prompt
msf6 > nmap -sS 10.10.12.229
[*] exec: nmap -sS 10.10.12.229


Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-20 03:54 BST
Nmap scan report for ip-10-10-12-229.eu-west-1.compute.internal (10.10.12.229)
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
MAC Address: 02:CE:59:27:C8:E3 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 64.19 seconds
msf6 >

As for information gathering, if your engagement requires a speedier approach to port scanning, Metasploit may not be your first choice. However, a number of modules make Metasploit a useful tool for the scanning phase.

UDP service Identification

The scanner/discovery/udp_sweep module will allow you to quickly identify services running over the UDP (User Datagram Protocol). As you can see below, this module will not conduct an extensive scan of all possible UDP services but does provide a quick way to identify services such as DNS or NetBIOS.

UDP scan
msf6 auxiliary(scanner/discovery/udp_sweep) > run

[*] Sending 13 probes to 10.10.12.229->10.10.12.229 (1 hosts)
[*] Discovered NetBIOS on 10.10.12.229:137 (JON-PC::U :WORKGROUP::G :JON-PC::U :WORKGROUP::G :WORKGROUP::U :__MSBROWSE__::G :02:ce:59:27:c8:e3)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/discovery/udp_sweep) >

SMB Scans

Metasploit offers several useful auxiliary modules that allow us to scan specific services. Below is an example for the SMB. Especially useful in a corporate network would be smb_enumshares and smb_version but please spend some time to identify scanners that the Metasploit version installed on your system offers.

SMBscan
msf6 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.12.229:445      - Host is running Windows 7 Professional SP1 (build:7601) (name:JON-PC) (workgroup:WORKGROUP ) (signatures:optional)
[*] 10.10.12.229:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) >

When performing service scans, it would be important not to omit more "exotic" services such as NetBIOS. NetBIOS (Network Basic Input Output System), similar to SMB, allows computers to communicate over the network to share files or send files to printers. The NetBIOS name of the target system can give you an idea about its role and even importance (e.g. CORP-DC, DEVOPS, SALES, etc.). You may also run across some shared files and folders that could be accessed either without a password or protected with a simple password (e.g. admin, administrator, root, toor, etc.).

Remember, Metasploit has many modules that can help you have a better understanding of the target system and possibly help you find vulnerabilities. It is always worth performing a quick search to see if there are any modules that could be helpful based on your target system.

Previousmian componentsNextThe Metasploit Database

Last updated 7 months ago