Metasploitable 2.0 Tutorial pt 2: Scanning for Network Services

Tuesday, August 14, 2012

Dan Dieterle

B64e021126c832bb29ec9fa988155eaf

In our last Metasploitable tutorial we looked at scanning the system with Nmap looking for open ports and services.

This time we will take a look at some of the built in auxiliary scanners that come with Metasploit. These scanners let us search and recover service information from a single computer or an entire network!

So let’s get started! (As usual these techniques are for security professionals. Do not attempt to access systems that you do not own or have permission to do so, and do not use production systems to learn these techniques).

(click image to enlarge)

Lets get started, for this tutorial we again will be using our Backtrack 5 system as the testing platform and the purposefully vulnerable Metasploitable 2 virtual machine as our target system.

Runing our nmap scan produced a huge amount of open ports for us to pick and choose from. What many people don’t know is that Metasploit comes with a substantial amount of built in scanners.

Run “msfconsole” from a Backtrack command prompt. Then type “search scanner” at the prompt:

msf > search scanner

Read down through the massive list to see what is available. For this tutorial let’s focus on the ports that we found open. Let’s search for only ssh scanners:

(click image to enlarge)

Notice that several are available, we are just looking for version information for now, so we will use that one. Simply “use” the program, then “show options” to see what options you can use. In this case all we set was the “RHOSTS name” or remote host, which is our target.

Then just type “exploit” to run:

(click image to enlarge)

We see that our target is indeed running an SSH server and we see what version of the software is operating.

Some of the scanners are more helpful than others, for example, if we use the Mysql scan we get this:

(click image to enlarge)

The full version of MySQL that is running. But others aren’t quite as helpful, let’s look at Telnet:

(click image to enlarge)

Hmm… Just looks like a banner grab with no hint as to what level of software is running. But it is proof that there is something there.

What is interesting too is that with these scanner programs we have different options that we can set. For instance, let’s run the SMB scanner:

(click image to enlarge)

Okay, we put in 192.168.12.20 and it scanned it and returned the version of Samba that was running on it. But what if we wanted to scan the whole network for just systems running Samba. This is where the beauty of the RHOSTS command comes into play. Instead of just scanning the single host, let’s scan all 256 clients on the 192.168.12.0 network.

We use the same exact command, but modify the RHOSTS command like so:

(click image to enlarge)

Notice now it scanned all 256 hosts on the network and found Samba running on our Metasploitable 2 machine at 192.168.12.20!

This makes things much easier if you are just scanning for certain services running on a network. I set the threads command too. I believe this comes set to “1″ as default. If you are scanning a local LAN, you can bump this up to 255 to make it go faster, or up to 50 if testing a remote network.

Let’s use another scanner, this time let’s look for FTP servers running. We won’t scan for version information, though we could, let’s try the FTP anonymous scanner. This one scours a network and looks for FTP services that allow Read, Write or Both access to an anonymous user.

Just search for FTP scanner and use “ftp anonymous scanner”:

(click image to enlarge)

As you can see, this FTP server allows Read access to anonymous users. If would have been better if it also allowed write access, but this shows that we can check for certain vulnerabilities with the included scanners very easily.

Well, that’s it for this tutorial. Next time we will look at using information obtained from a scan to find and use a root level exploit on the Linux Metasploitable box!

(Want to learn a LOT more about penetration testing with Metasploit on the Backtrack platform? Check out the Bible of pentesting with Metasploit, “Metasploit: The Penetration Tester’s Guide“.)

Cross-posted from Cyber Arms

Possibly Related Articles:
18769
Network->General
Information Security
Hacking Tools Penetration Testing Metasploit Network Security Network Scanning Tutorial Backtrack 5 Metasploitable
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.