Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

The first series of videos in this module on Information Gathering explores the scanning functions available in Metasploit. It's possible to gather info about targets such as OS, IP addresses, and open ports, and even do banner grabs to determine running services.

Video Transcription

00:04
All right, welcome to the next module in our Metasploit class. In this portion of the course we'll be looking at ways to gather information about your target systems.
00:14
That includes things like the operating system, IP addresses,
00:18
ports that are listening, banner grabs to get service information, and so on.
00:24
There are a lot of ways to do this from within Metasploit directly,
00:28
and we can also integrate other tools
00:31
to add extra detail. For instance, if you want to do a vulnerability scan, you probably want to use something like Nessus.
00:39
If we're doing a simple port scan, we can use nmap.
00:44
So let's go to our
00:49
msfconsole, for instance.
00:52
Now,
00:53
since we ran that Postgres exploit before,
00:59
we should expect to see some information in the database. Now,
01:02
since I made a connection to the system, that exploitable system, the database is automatically updated
01:10
to show me that
01:11
this system now exists. I can run the services command to see what services are known to my database.
01:19
The only service so far is the postgres service running on TCP 5432,
01:26
and we know this service exists because that was how we established our Meterpreter shell.
01:33
However, what I want to do is
01:37
get rid of this host. I want to start with a clean slate
01:40
so that I can do a scan
01:42
and know that I've got
01:46
exactly what I want. I want to know that what I found in the scan is what's in the database.
01:53
You could certainly mix and match, adding things to your database by using different tools, but I just wanted to clean everything out for right now.
02:00
Okay, so,
02:02
back to nmap. nmap allows, you can run an nmap scan
02:08
directly from
02:12
the command line. If I do nmap -h, I can see all of my options within Metasploit.
02:19
I get different scan types:
02:21
list scan, ping scan,
02:23
doing SYN scans,
02:25
Xmas scan,
02:28
null scans. I can control the speed of the scanning and so on.
02:34
Generally, what I like to do as a first pass,
02:38
this isn't the stealthiest scan available, but it certainly gives a lot of good information, is I like to do the -A option
02:50
because this gives me a lot of good information about the target
02:55
and gives me a clue as to what kind of service is running. It does banner grabs,
03:00
and we'll let this go. This might take a few minutes to run.
03:05
While that's running, we can talk about a couple of things. So
03:08
nmap, as we're seeing it here,
03:10
will do the scan, but it doesn't actually add anything to the database.
03:16
And you might think, well, what's the purpose of that? Then why wouldn't I want to keep it in the database? Well, there are two different options: I can run the scan on something just to see what its
03:25
what its
03:28
characteristics are, but I may not want to store that information.
03:31
All right, so let's review the scan. That completed fairly quickly.
03:37
All right, we can see that the host is up, of course,
03:39
977 closed ports, and then it tells me the ports that are open.
03:46
So we're running an FTP server, vsftpd.
03:53
We'll do some research and find out if that's vulnerable. There's an SSH server running on port 22.
03:58
I've got telnet on 23,
04:01
SMTP
04:04
mail, mail transport, on port 25, with a little bit more information about the mail configuration.
04:12
Also running on
04:14
BIND DNS, bind on port 53. I've got a web server running on port 80. Looks like Apache 2.2.8. So I'm getting some good information from my banner grabs here.
04:25
I also have RPC bind running on port 111 with a whole bunch of good information about the RPC info and services that are running on this box.
04:36
I'm also running some NetBIOS
04:40
on 139, 445. So any kind of Samba-related vulnerability should also be explored.
04:48
That looks like some kind of remote shell running on port 512,
04:53
maybe 513 has a remote shell running as well. We're not sure what those are yet, but we'll find out.
05:00
Some kind of Java registry on port 1099. I've got
05:04
a Metasploitable root shell on 1524. That port's usually associated with
05:10
Oracle databases, but it might be there for some other reason.
05:14
NFS. I've got another FTP server running, ProFTPD,
05:18
MySQL with some good information about the MySQL implementation,
05:26
Postgres, which is the one the default credentials that we used to
05:30
log in earlier belong to.
05:34
I could have shown the creds command and seen that that was in the database as well. We'll review that again later.
05:42
Looks like I have a VNC server running on port 5900.
05:46
I've got X11 windows.
05:48
Looks like an Unreal server is running over IRC, so for Unreal gaming servers. One of those was apparently installed, so I'll have to check and see if this has any vulnerabilities.
06:00
Oh, there's an Apache JServ server
06:03
running. I've also got another Apache instance running on port 8180 for Tomcat and Coyote.
06:13
Then, lastly, I get my MAC address, what the Linux kernel is,
06:17
and even though the distance over the network is one hop away,
06:23
and finally, some nbtstat information like workgroup and NetBIOS name.
06:28
So some great information, right?
06:30
But as I run hosts, you'll see there's nothing in there.
06:33
What I could do,
06:35
because I could change this to db_nmap,
06:41
and this is available from the help screen, of course, if you go check.
06:44
db_nmap will now run the same scan again, but it'll pull all the data from the scan and populate the database with this so we can poke around and see what that looks like here in just a moment.
07:01
In the meantime, the other port scanners that are available within Metasploit are fairly numerous. We get a lot of different choices there.
07:12
So we see the output looks more or less the same as it did before.
07:16
However, now if I run hosts, I see that I've got a host there.
07:20
I can run the services command and see what services it discovered. These are all the open ports
07:27
on that particular system.
07:30
Services
07:31
has some interesting features as well. You can add services to the list,
07:35
you can delete them, as we saw earlier. I can look at the given columns.
07:41
I could also, maybe I only want to display services that are up, right? So a scan might return
07:46
all the different ports with services that are expected to be there, but they're not running,
07:53
so I can filter. But luckily the
07:57
nmap scan just showed me those things that are up. Now I've got a nice, concise list
08:01
of things that I could go after to break into this system.
08:05
I could try running the creds command.
08:09
The Postgres exploit, if I were to use that one again, would populate this
08:13
this particular
08:16
area. In fact, let's do that.
08:18
Let's do a search
08:20
for
08:22
postgres.
08:24
And if I remember correctly, it was postgres_payload.
08:35
So we will use postgres_payload
08:37
just to establish that the creds
08:41
08:43
function works as I've explained.
08:46
Notice that my remote host is set automatically because I did that setg earlier, the global setting for remote host. You can globally set any
08:54
08:56
of these parameters that you see.
09:01
So we'll go ahead and do the exploit,
09:03
sending my stage,
09:07
and I've got my Meterpreter shell,
09:09
and I can prove that I'm on
09:13
that system by running ifconfig,
09:18
and there's the address, .129.
09:20
And we kind of reviewed some of this earlier. But the great thing is, now I can
09:26
exit out of my Meterpreter shell,
09:30
and I even exit out of the context of the postgres_payload.
09:35
Now, if I look at my credentials,
09:43
username and password were correct.
09:50
Well, it should have populated the database with my credentials. For some reason that didn't work, but
09:56
we know the connection worked.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor