22
Chapter 3
This tells us that we've successfully imported the output of our nmap scans into Metasploit, as evidenced by the IP addresses populated when we run the db_hosts command.
Advanced Nmap Scanning: TCP Idle Scan
A more advanced nmap scan method, TCP idle scan, allows us to scan a target stealthily by spoofing the IP address of another host on the network. For this type of scan to work, we first need to locate an idle host on the network that uses incremental IP IDs (which are used to track packet order). When we discover an idle system that uses incremental IP IDs, the IP IDs become predictable, and we can then predict the next ID. When we spoof the address of that idle host while scanning a target, the responses from open ports cause a break in the predictability of the IP ID sequence, which indicates that we have discovered an open port. (To learn more about this module and IP ID sequences, visit http://www.metasploit.com/modules/auxiliary/scanner/ip/ipidseq/.)
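To make the idea of a "predictable" IP ID sequence concrete, here is an added example (not code from the book or from the Metasploit module) that classifies a sequence of observed IP IDs into ipidseq-style classes and reads the gap between two consecutive IDs the way the text describes. The rules are a simplified version in the spirit of the Nmap/Metasploit ipidseq classes, not a copy of either implementation, and all sample sequences are constructed rather than captured.

```python
from typing import List

# Simplified rules in the spirit of the Nmap/Metasploit ipidseq classes;
# not a copy of either implementation. Samples below are constructed.
IPID_MOD = 1 << 16  # IP ID is a 16-bit field, so differences wrap around


def ipid_diffs(ipids: List[int]) -> List[int]:
    """Differences between consecutive IDs, with 16-bit wraparound."""
    return [(b - a) % IPID_MOD for a, b in zip(ipids, ipids[1:])]


def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit ID (some stacks emit it little-endian)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid_sequence(ipids: List[int]) -> str:
    if len(ipids) < 2:
        return "Unknown"
    if all(i == 0 for i in ipids):
        return "All zeros"
    if len(set(ipids)) == 1:
        return "Constant"
    diffs = ipid_diffs(ipids)
    if all(d < 10 for d in diffs):
        return "Incremental"  # predictable: the kind of host the text looks for
    if all(d < 10 for d in ipid_diffs([byteswap16(i) for i in ipids])):
        return "Broken little-endian incremental"  # predictable once byte-swapped
    if all(d < 20000 for d in diffs):
        return "Random positive increments"
    return "Randomized"


def interpret_idle_gap(id_before: int, id_after: int) -> str:
    """The 'break in predictability' from the text: with an incremental idle host,
    one extra packet from that host between two probes (a gap of 2, not 1) is
    what reveals an open port on the scanned target."""
    gap = (id_after - id_before) % IPID_MOD
    if gap == 1:
        return "no extra packet: port closed or filtered"
    if gap == 2:
        return "one extra packet: port open"
    return "inconclusive: host is not idle or IDs are not incremental"


if __name__ == "__main__":  # constructed samples, not captured traffic
    print(classify_ipid_sequence([1000, 1001, 1002, 1003, 1004]))     # Incremental
    print(classify_ipid_sequence([0xE803, 0xE903, 0xEA03, 0xEB03]))  # Broken little-endian incremental
    print(classify_ipid_sequence([12345, 60001, 3, 41000, 22222]))   # Randomized
    print(interpret_idle_gap(1004, 1006))                            # one extra packet: port open
```

From the defensive side, any host of your own that classifies as Incremental or Broken little-endian incremental is leaking a packet counter to anyone who can probe it, which is what IP ID randomization in the operating system removes.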
Use the Framework's scanner/ip/ipidseq module to scan for a host that fits the TCP idle scan requirements, as shown next:

msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   GWHOST                      no        The gateway IP address
   INTERFACE                   no        The name of the interface
   LHOST                       no        The local IP address
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds
This listing displays the required options for the ipidseq scan. One notable option, RHOSTS, can take IP ranges (such as 192.168.1.20-192.168.1.30); Classless Inter-Domain Routing (CIDR) ranges (such as 192.168.1.0/24); multiple ranges separated by commas (such as 192.168.1.0/24, 192.168.3.0/24); and a text file with one host per line (such as file:/tmp/hostlist.txt). All these options give us quite a bit of flexibility in specifying our targets.
The THREADS value sets the number of concurrent threads to use while scanning. By default, all scanner modules have their THREADS value initially set to 1. We can raise this value to speed up our scans or lower it to reduce network traffic. In general, you should not set the THREADS value greater than 16 when running Metasploit on Windows, and not greater than 128 on UNIX-like operating systems.