metasploit

 

 

Your goals during information gathering  should be to gain accurate information about your targets without revealing your presence or your intentions, to learn how the organization operates, and to determine the best route. Metasploit is the best console for information gathering, as it is a very comprehensive penetration testing tool. In this article, I am going to cover whole information gathering of a network using Metasploit.

 

Information gathering requires careful planning, research, and most importantly, the ability to think like an attacker. At this step, you will attempt to collect as much information about the target environment as possible.

 

 

 

 

There are two types of information gathering: passive and active.

 

1) Passive Information Gathering

 

Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and web server software in use on the target without touching their system.

 

2) Active Information Gathering

 

In active information gathering, we interact directly with a system to learn more about it. We might conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation.

 

But beware If you get careless while active information gathering, you might be nabbed by an IDS or intrusion prevention system (IPS).

 

 

 

Starting msfconsole

 

•First, we start the database

 

#service postgresql start

 

•then start metasploit service

 

#service metasploit start

 

Screenshot from 2014-05-09 12:28:11

 

 

 

 

now start msfconsole.

 

#msfconsole

 

•now, we’ll use db_status to make sure that we’re connected correctly.

 

 

 

Screenshot from 2014-05-09 12:30:59

 

 

Importing Nmap Results into Metasploit

 

When you are working with other team members, with various individuals scanning at different times and from different locations, it helps to know how to import a basic nmap generated XML export file into the Framework.

 

First, we scan the Windows virtual machine using the -oX option to generate a Target.xml file.

 

#nmap -Pn -sS -A -oX Target 192.168.31.6

 

 

 

Screenshot from 2014-05-09 12:33:32

 

 

After generating the XML file, we use the db_import command to import it into our database. We can then verify that the import worked by using the “hosts” command, which lists the systems entries that have been created, as shown here:

 

msf > db_import Target

msf> hosts

 

 

Screenshot from 2014-05-09 12:35:18

 

 

 

 

Running Nmap from MSFconsole

 

We’ve performed advanced enumeration on our target, now let’s connect Nmap with Metasploit. First, we should be able to enter the db_nmap command from within msfconsole to run Nmap and have its results automatically stored in our new database.

 

#msf > db_nmap -sS -A 192.168.31.6

 

 

Screenshot from 2014-05-09 12:36:28

 

To check that the results from the scan are stored in the database, we run db_services.

 

#msf > db_services

 

Screenshot from 2014-05-09 12:37:31

 

 

 

 

 

 

Port Scanning with Metasploit

 

Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. We’ll use these port scanners to leverage compromised systems to access and attack.

 

To see the list of port scanning tools that the Framework offers, enter the following.

 

#msf > search portscan

 

 

Screenshot from 2014-05-09 12:37:57

 

 

Let’s conduct a simple scan of a single host using Metasploit’s SYN Port Scanner. In the following listing, we start the scan with use scanner/portscan/syn, set RHOSTS to 192.168.31.6, set THREADS to 100, and then run the scan.

 

#msf > use scanner/portscan/syn

 

 

Screenshot from 2014-05-09 12:58:35

 

 

 

 

Gathering SSH Server Information

 

If during your scanning you target machines running Secure Shell (SSH), you should determine which version is running on the target.

 

SSH is a secure protocol, but vulnerabilities in various implementations have been identified. You never know when you might get lucky and come across an old machine that hasn’t been updated. You can use the Framework’s ssh_version module to determine the SSH version running on the target server.

 

#msf > use scanner/ssh/ssh_version

 

 

Screenshot from 2014-05-09 13:02:08

 

 

That’s it, like wise you can gather valuable information before attacking….

Advertisements