
Chapter 3

msf auxiliary(syn) > run
[*]  TCP OPEN 192.168.1.155:135
[*]  TCP OPEN 192.168.1.155:139
[*]  TCP OPEN 192.168.1.155:445
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) >

From the results, you can see that ports 135, 139, and 445 are open on
IP address 192.168.1.155, leveraging the portscan/syn module within Metasploit.

Targeted Scanning

When you are conducting a penetration test, there is no shame in looking
for an easy win. A targeted scan looks for specific operating systems, services,

program versions, or configurations that are known to be exploitable and 
that provide an easy door into a target network. For example, it is common 
to scan a target network quickly for the vulnerability MS08-067, as this is 
(still) an extremely common hole that will give you SYSTEM access much 
more quickly than scanning an entire target network for vulnerabilities.

Server Message Block Scanning

Metasploit can scour a network and attempt to identify versions of Microsoft
Windows using its smb_version module.

NOTE

If you are not familiar with Server Message Block (SMB, a common file-sharing protocol), 
study up a bit on the different protocols and their purposes before you continue. You will 
need to understand basic port information to learn how to attack a system successfully.

We run the module, list our options, set RHOSTS, and begin scanning:

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(smb_version) > run
[*] 192.168.1.155 is running Windows XP Service Pack 2 (language: English) (name:DOOKIE-FA154354) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
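As an added example (not from the book and not part of Metasploit), the Ruby script below parses console output of the shape shown in the two sessions above, from the portscan/syn and smb_version modules, into a per-host inventory and flags any host that reports an operating system no longer receiving vendor security updates. This is how a defender turns a scan like this into a remediation list rather than a target list. The sample lines are constructed to match the output format on the page; the function names, the regular expressions and the short end-of-life list are my own assumptions.

```ruby
# Added example (not part of the book or of Metasploit): turn Metasploit
# scanner console output into a per-host inventory and flag hosts reporting
# an unsupported Windows release. Sample lines below are constructed to match
# the output format shown on the page.

# Constructed sample: portscan/syn and smb_version output for one host.
SAMPLE_OUTPUT = <<~LOG
  [*]  TCP OPEN 192.168.1.155:135
  [*]  TCP OPEN 192.168.1.155:139
  [*]  TCP OPEN 192.168.1.155:445
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  [*] 192.168.1.155 is running Windows XP Service Pack 2 (language: English) (name:DOOKIE-FA154354) (domain:WORKGROUP)
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
LOG

IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/
# Matches "[*]  TCP OPEN 192.168.1.155:135"
OPEN_PORT_RE = /\A\[\*\]\s+TCP OPEN (?<host>#{IPV4}):(?<port>\d+)\z/
# Matches "[*] 192.168.1.155 is running <os> (key:value) (key:value) ..."
SMB_VERSION_RE = /\A\[\*\]\s+(?<host>#{IPV4}) is running (?<os>.+?)\s*(?<attrs>(?:\([^)]*\)\s*)*)\z/
ATTR_RE = /\((?<key>[^:)]+):\s*(?<val>[^)]*)\)/

# Releases with no vendor security updates (assumption: a short list the reader
# would extend; only entries the page's output could match are listed).
EOL_PATTERNS = [/Windows XP/i, /Windows 2000/i].freeze

# Returns { host => { ports: [...], os: String|nil, attrs: {...}, findings: [...] } }
def parse_msf_output(text)
  hosts = Hash.new { |h, k| h[k] = { ports: [], os: nil, attrs: {}, findings: [] } }
  text.each_line do |raw|
    line = raw.strip
    if (m = OPEN_PORT_RE.match(line))
      entry = hosts[m[:host]]
      port = m[:port].to_i
      entry[:ports] << port unless entry[:ports].include?(port)
    elsif (m = SMB_VERSION_RE.match(line))
      entry = hosts[m[:host]]
      entry[:os] = m[:os].strip
      # "(name:DOOKIE-FA154354)" style attributes become a key/value hash
      m[:attrs].scan(ATTR_RE).each { |key, val| entry[:attrs][key.strip] = val.strip }
      if EOL_PATTERNS.any? { |re| re.match?(entry[:os]) }
        entry[:findings] << "unsupported OS reported over SMB: #{entry[:os]}"
      end
    end
    # Status lines ("Scanned 1 of 1 hosts ...") carry no host data and are skipped.
  end
  hosts
end

# Hosts that need follow-up, as sorted "host: finding" strings.
def remediation_list(hosts)
  hosts.flat_map { |host, e| e[:findings].map { |f| "#{host}: #{f}" } }.sort
end

if $PROGRAM_NAME == __FILE__
  inventory = parse_msf_output(SAMPLE_OUTPUT)
  inventory.each do |host, e|
    puts "#{host}  ports=#{e[:ports].join(',')}  os=#{e[:os]}  name=#{e[:attrs]['name']}"
  end
  puts remediation_list(inventory)
end
```

The SMB banner is parsed with a lazy match for the OS string so that any number of trailing parenthesized attributes can follow it; the open-port lines are deduplicated so a rerun of the scanner does not inflate the inventory.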