Part 1.1 - Scanners

Video Activity

The first series of videos in this module on Information Gathering explores the scanning functions available in Metasploit. It's possible to gather information about targets such as the OS, IP addresses, and open ports, and even to perform banner grabs to determine which services are running.


Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription
00:03
>> Hi and welcome to the next module in our mastery class. In this portion of the course, we'll be looking at ways to gather information about your target systems. That includes things like the operating system, IP addresses, ports they're listening on, some banner grabs to get service information, and so on. There are a lot of ways to do this from within Metasploit directly, and we can also integrate other tools to add extra detail. For instance, if you want to do a vulnerability scan, you probably want to use something like Nessus. If we're doing a simple port scan, we can use Nmap.

Let's go back to our Metasploit instance. Now, since we ran that Postgres exploit before, we should expect to see some information in the database now. Since I made a connection to that exploitable system, the database is automatically updated to show me that this system now exists. I can run the services command to see what services are known to my database. The only service so far is the Postgres service running on TCP 5432. We know this service exists because that was how we established the Meterpreter shell. However, what I want to do is get rid of this host. I want to start with a clean slate so that I can do a scan and know that exactly what I found in the scan is what's in the database. You can certainly mix and match adding things to your database by using different tools, but I just want to clean everything out for right now.

Back to Nmap. You can run an Nmap scan directly from the command line. If I do nmap -h, I can see all of my options within Metasploit. Again, the different scan types: list scan, ping scan, SYN scans, Xmas scan, null scans; I can control the speed of the scanning, and so on. Generally, what I like to do as a first pass (this isn't the stealthiest scan available, but it certainly gives a lot of good information) is the -A option, because this gives me a lot of good information about the target, and it gives me a clue as to what services are running. It does the banner grabs. We'll let this go; this might take a few minutes to run.

While that's running, we can talk about a couple of things. Nmap, as we're seeing it here, will do the scan, but it doesn't actually add anything to the database. You might think, well, what's the purpose of that then? Why wouldn't I want to keep it in the database? Well, there are two different options: I can run the scan on something just to see what its characteristics are, but I may not want to store that information.

Let's review the scan; it completed fairly quickly. We can see that the host is up, of course, 977 closed ports. Then it tells me the ports that are open. We're running an FTP server, vsftpd. We'll do some research and find out if that's vulnerable. There's an SSH server running on port 22. I've got telnet on 23. SMTP, mail transport, on port 25, with a little bit more information about the mail configuration. Also running DNS, BIND, on port 53. I've got a web server running on port 80, looks like Apache 2.2.8. I'm getting some good information from my banner grabs here. I also have RPC bind running on port 111 with a whole bunch of good information about the RPC info and services that are running on this box. I'm also running some NetBIOS on 139 and 445. Any Samba-related vulnerability should also be explored. It looks like some remote shell is running on port 512; maybe 513 has a remote shell running as well. We're not sure what those are yet, but we'll find out. Some Java registry on port 1099. I've got a Metasploitable root shell on 1524; that port's usually associated with Oracle databases, but it might be there for some other reason. I've got another FTP server running, ProFTPD. MySQL, with some good information about the MySQL implementation. Postgres, which is the default credentials that we used to log in earlier. I could have shown that with the credentials command and seen that that was in the database as well. I'll review that again later. Looks like I have a VNC server running on port 5900. I've got X11 windows. Looks like an Unreal server is running over IRC. For Unreal gaming servers, one of those was apparently installed, so I have to check it and see if this has any vulnerabilities. There's an Apache Java server running. I've also got another Apache instance running on port 8180 for Tomcat and Coyote. Then lastly, I get my MAC address, what the Linux kernel is, and even the distance over the network (it's one hop away), and finally some nbtstat information like workgroup and NetBIOS name. Some great information.

But as I run hosts, you'll see there's nothing in there. What I could do is change this to db_nmap. This is available from the help screen, of course, if you go check. But db_nmap will now run the same scan again, but it'll pull all the data from the scan and populate the database with it, so we can poke around and see what that looks like here in just a moment. In the meantime, the other port scanners that are available within Metasploit are fairly numerous. We've got a lot of different choices there.

We see the output looks more or less the same as it did before. However, now if I run hosts, I see that I've got a host there. I can run the services command and see what services it discovered. These are all the open ports on that particular system. Services has some interesting features as well. You can add services to the list, you can delete them. We saw earlier I can look at the given columns. I can also, maybe, only display services that are up. A scan might return all the different ports with services that are expected to be there but aren't running, so I can filter. But luckily the Nmap scan just shows me those things that are up. Now I've got a nice concise list of things that I can go after to break into this system.

I can try running the credentials command. The Postgres exploit, if I were to use that one again, would populate this particular area. In fact, let's do that. Let's do a search for Postgres. If I remember correctly, it was postgres_payload. We will use postgres_payload, just to establish that the credentials function works as I've explained. Notice that my remote host is set automatically because I did that setg earlier, the global setting for remote host. You can globally set any of these parameters that you see. We'll go ahead and do the exploit, sending my stage, and I've got my Meterpreter shell. I can prove that I'm on that system by running ifconfig, and there's the address, 129. We've reviewed some of this earlier. But the great thing is now I can exit out of my Meterpreter shell. I can even exit out of the context of the postgres_payload. Now if I look at my credentials: username and password were correct. Well, it should have populated the database with my credentials; for some reason that didn't work, but we know the connection worked.