Intelligence Gathering
To check that the results from the scan are stored in the database, we run db_services:

    msf > db_services

    Services
    ========

    host           port  proto  name          state  info
    ----           ----  -----  ----          -----  ----
    172.16.32.131  135   tcp    msrpc         open   Microsoft Windows RPC
    172.16.32.131  139   tcp    netbios-ssn   open
    172.16.32.131  445   tcp    microsoft-ds  open   Microsoft Windows XP microsoft-ds
    172.16.32.131  777   tcp    unknown       open
    172.16.32.131  1433  tcp    ms-sql-s      open   Microsoft SQL Server 2005 9.00.1399; RTM
We’re beginning to develop a picture of our target and exposed ports for
use as potential attack vectors.
Port Scanning with Metasploit
In addition to its ability to use third-party scanners, Metasploit has several port scanners built into its auxiliary modules that integrate directly with most aspects of the Framework. In later chapters, we'll use these port scanners from compromised systems to reach and attack hosts we cannot contact directly; this process, often called pivoting, allows us to use internally connected systems to route traffic to a network that would otherwise be inaccessible.
For example, suppose you compromise a system behind a firewall that is
using Network Address Translation (NAT). The system behind the NAT-based
firewall uses private IP addresses, which you cannot contact directly from the
Internet. If you use Metasploit to compromise a system behind a NAT, you
might be able to use that compromised internal system to pass traffic (pivot)
to internally hosted and private IP-based systems to penetrate the network
farther behind the firewall.
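As an added example (not from the book), here is how the pivot described above is set up in msfconsole once a session exists. The session number (1) and the internal network (10.10.10.0/24) are hypothetical placeholders for your own engagement.

```msf
# pivot.rc -- added example; run with: msfconsole -q -r pivot.rc
# Assumes session 1 is already open on the compromised NAT host and that
# 10.10.10.0/24 is the (hypothetical) private network behind it.

# Route traffic for the internal subnet through session 1. Framework
# modules that use Metasploit sockets now reach 10.10.10.0/24 via the pivot.
route add 10.10.10.0 255.255.255.0 1
route print

# Scan through the pivot with the TCP connect scanner. The SYN scanner
# (scanner/portscan/syn) sends raw packets from your own interface and
# cannot be routed through a session, so it would not see the internal hosts.
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.10.0/24
set PORTS 22,80,135,139,445,1433,3389
set THREADS 10
run

# Results from the routed scan land in the database like any other scan.
services
```

Keep THREADS modest when scanning through a pivot: every connection is relayed by the compromised host, and a noisy scan is both slow and easy to spot on the internal network.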
To see the list of port scanning tools that the Framework offers, enter the following:

    msf > search portscan
Let's conduct a simple scan of a single host using Metasploit's SYN Port Scanner. A SYN scan sends a single SYN to each port and classifies it from the reply (SYN/ACK means open, RST means closed) without completing the TCP handshake; because it writes raw packets, msfconsole needs the privileges to do so. In the following listing, we start the scan with use scanner/portscan/syn, set RHOSTS to 192.168.1.155, set THREADS to 50, and then run the scan.

    msf > use scanner/portscan/syn
    msf auxiliary(syn) > set RHOSTS 192.168.1.155
    RHOSTS => 192.168.1.155
    msf auxiliary(syn) > set THREADS 50
    THREADS => 50
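The same procedure as a resource script, so it can be replayed unattended and the database check is built in. This is an added example, not from the book; it assumes the database is already connected and that 192.168.1.155 is the target from the listing above.

```msf
# synscan.rc -- added example; run with: msfconsole -q -r synscan.rc
# Assumes the database is connected (confirm with db_status) and that
# 192.168.1.155 is the target host. The SYN scanner writes raw packets,
# so msfconsole must run with raw-socket privileges (root on Linux).
use auxiliary/scanner/portscan/syn
set RHOSTS 192.168.1.155
set PORTS 1-1024
set THREADS 50
run

# Verify that the open ports were recorded. Newer Framework versions
# name this command 'services' rather than 'db_services'; -u lists only
# services whose state is open.
services -u 192.168.1.155
```

If the database check returns nothing, the scan ran but its results were not stored; verify db_status before trusting later modules that read hosts and services from the database.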