Intelligence Gathering

25

To check that the results from the scan are stored in the database, we run db_services:

    msf > db_services

    Services
    ========

    host            port   proto  name          state  info
    ----            ----   -----  ----          -----  ----
    172.16.32.131   135    tcp    msrpc         open   Microsoft Windows RPC
    172.16.32.131   139    tcp    netbios-ssn   open
    172.16.32.131   445    tcp    microsoft-ds  open   Microsoft Windows XP microsoft-ds
    172.16.32.131   777    tcp    unknown       open
    172.16.32.131   1433   tcp    ms-sql-s      open   Microsoft SQL Server 2005 9.00.1399; RTM

We’re beginning to develop a picture of our target and exposed ports for use as potential attack vectors.
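The db_services table above is plain text, and in a real engagement it quickly grows past what you can eyeball. The following Ruby script is an added example, not code from the book or from the Metasploit Framework: it parses the text table exactly as msfconsole prints it and builds a per-host exposure summary, separating services the scanner identified (a banner in the info column) from those it could not (empty info, or name "unknown"), which need manual verification before they belong in a report. The sample input is constructed to match the listing in this section; the function and constant names are the example's own.

```ruby
# Added example (not from the book or from Metasploit): parse the text table
# printed by msfconsole's `db_services` and summarize exposed services per host.
# The sample output below is constructed to match the chapter's listing.
DB_SERVICES_OUTPUT = <<~TXT
  Services
  ========

  host            port   proto  name          state  info
  ----            ----   -----  ----          -----  ----
  172.16.32.131   135    tcp    msrpc         open   Microsoft Windows RPC
  172.16.32.131   139    tcp    netbios-ssn   open
  172.16.32.131   445    tcp    microsoft-ds  open   Microsoft Windows XP microsoft-ds
  172.16.32.131   777    tcp    unknown       open
  172.16.32.131   1433   tcp    ms-sql-s      open   Microsoft SQL Server 2005 9.00.1399; RTM
TXT

Service = Struct.new(:host, :port, :proto, :name, :state, :info)

# A data row is: host, port, proto, name, state, then optional free-text info
# (the info column may be empty, as for 139 and 777 above).
ROW = /\A(\S+)\s+(\d+)\s+(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?\z/

# Returns an Array of Service structs, skipping the title, rules and header rows.
def parse_db_services(text)
  text.each_line.filter_map do |raw|
    line = raw.rstrip
    next if line.empty? || line.start_with?("Services", "=", "host", "-")
    m = ROW.match(line) or next
    Service.new(m[1], m[2].to_i, m[3], m[4], m[5], (m[6] || "").strip)
  end
end

# Groups open services by host. "identified" rows carry a banner the scanner
# recognised; "unverified" rows have no banner and must be confirmed by hand.
def summarize(services)
  open = services.select { |s| s.state == "open" }
  open.group_by(&:host).transform_values do |list|
    banner, blank = list.partition { |s| !s.info.empty? }
    {
      open_ports: list.map(&:port).sort,
      identified: banner.map { |s| "#{s.port}/#{s.proto} #{s.name}: #{s.info}" },
      unverified: blank.map { |s| "#{s.port}/#{s.proto} #{s.name}" }
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  summarize(parse_db_services(DB_SERVICES_OUTPUT)).each do |host, s|
    puts "#{host}: #{s[:open_ports].size} open ports (#{s[:open_ports].join(', ')})"
    s[:identified].each { |l| puts "  [identified] #{l}" }
    s[:unverified].each { |l| puts "  [unverified] #{l}" }
  end
end
```

Feed it the saved output of db_services (for example, redirected with msfconsole's spool command) instead of the constructed constant, and the unverified list becomes the checklist of ports, such as 777/tcp here, that still need a manual service probe before the exposure picture is complete.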

Port Scanning with Metasploit

In addition to its ability to use third-party scanners, Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. In later chapters, we’ll use these port scanners to leverage compromised systems to access and attack; this process, often called pivoting, allows us to use internally connected systems to route traffic to a network that would otherwise be inaccessible.

For example, suppose you compromise a system behind a firewall that is using Network Address Translation (NAT). The system behind the NAT-based firewall uses private IP addresses, which you cannot contact directly from the Internet. If you use Metasploit to compromise a system behind a NAT, you might be able to use that compromised internal system to pass traffic (pivot) to internally hosted and private IP-based systems to penetrate the network farther behind the firewall.

To see the list of port scanning tools that the Framework offers, enter the following:

    msf > search portscan

Let’s conduct a simple scan of a single host using Metasploit’s SYN Port Scanner. In the following listing, we start the scan with use scanner/portscan/syn, set RHOSTS to 192.168.1.155, set THREADS to 50, and then run the scan.

    msf > use scanner/portscan/syn
    msf auxiliary(syn) > set RHOSTS 192.168.1.155
    RHOSTS => 192.168.1.155
    msf auxiliary(syn) > set THREADS 50
    THREADS => 50