26
Chapter 3
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.1.155:135
[*] TCP OPEN 192.168.1.155:139
[*] TCP OPEN 192.168.1.155:445
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) >
From the results, you can see that ports 135, 139, and 445 are open on IP address 192.168.1.155, found by leveraging the portscan/syn module within Metasploit.
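Seen from the other side of the wire, the scan above is a burst of SYN-only probes from one source to many ports on one host in a short time, which is exactly the pattern a perimeter or host firewall log lets a defender alert on. The Ruby script below is an added example, not code from the book or from Metasploit: it runs a small sliding-window detector over a handful of constructed log lines. The SRC/DST/DPT/FLAGS field layout, the addresses, the five-port threshold and the 60-second window are all assumptions made for the illustration; adapt the regex to the firewall you actually log from.

```ruby
# Added example (not from the book): flag SYN-scan-like activity in firewall logs.
# The log format, addresses and thresholds below are assumptions for this demo.
require 'time'

# Constructed sample lines in a simplified iptables-like layout (not real captures).
# 192.168.1.50 probes six ports on 192.168.1.155 within two seconds;
# 192.168.1.60 completes a normal connection to 445 and should not alert.
SAMPLE_LOG = <<~LOG
  2024-01-01T10:00:00Z SRC=192.168.1.50 DST=192.168.1.155 DPT=135 FLAGS=S
  2024-01-01T10:00:00Z SRC=192.168.1.50 DST=192.168.1.155 DPT=139 FLAGS=S
  2024-01-01T10:00:01Z SRC=192.168.1.50 DST=192.168.1.155 DPT=445 FLAGS=S
  2024-01-01T10:00:01Z SRC=192.168.1.50 DST=192.168.1.155 DPT=80 FLAGS=S
  2024-01-01T10:00:02Z SRC=192.168.1.50 DST=192.168.1.155 DPT=22 FLAGS=S
  2024-01-01T10:00:02Z SRC=192.168.1.50 DST=192.168.1.155 DPT=3389 FLAGS=S
  2024-01-01T10:00:05Z SRC=192.168.1.60 DST=192.168.1.155 DPT=445 FLAGS=S
  2024-01-01T10:00:05Z SRC=192.168.1.60 DST=192.168.1.155 DPT=445 FLAGS=A
  2024-01-01T10:05:00Z SRC=192.168.1.50 DST=192.168.1.155 DPT=8080 FLAGS=S
LOG

LINE_RE = /\A(?<ts>\S+) SRC=(?<src>\S+) DST=(?<dst>\S+) DPT=(?<dport>\d+) FLAGS=(?<flags>\S+)\z/

# Parse one line into a hash, or return nil if it does not match the assumed layout.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { ts: Time.iso8601(m[:ts]), src: m[:src], dst: m[:dst],
    dport: m[:dport].to_i, flags: m[:flags] }
end

# Return one alert per (source, destination) pair whose SYN-only probes reached
# at least `min_ports` distinct ports within any `window`-second span.
def detect_syn_scans(log_text, min_ports: 5, window: 60)
  events = log_text.each_line.filter_map { |l| parse_line(l) }
  events = events.select { |e| e[:flags] == "S" }.sort_by { |e| e[:ts] }
  alerts = []
  events.group_by { |e| [e[:src], e[:dst]] }.each do |(src, dst), evs|
    # Slide a window forward from each probe; stop at the first one that trips.
    evs.each_index do |i|
      start = evs[i][:ts]
      in_window = evs[i..-1].take_while { |e| e[:ts] - start <= window }
      ports = in_window.map { |e| e[:dport] }.uniq
      next if ports.size < min_ports
      alerts << { src: src, dst: dst, ports: ports.sort, first_seen: start }
      break
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_syn_scans(SAMPLE_LOG).each do |a|
    puts "SYN scan from #{a[:src]} to #{a[:dst]} starting #{a[:first_seen]}: ports #{a[:ports].join(',')}"
  end
end
```

Only the source/destination pair with six distinct SYN targets inside the window is reported; the completed handshake to 445 and the lone probe five minutes later stay below threshold. Tune `min_ports` and `window` to your network's normal fan-out before using such a rule to page anyone.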
Targeted Scanning
When you are conducting a penetration test, there is no shame in looking for an easy win. A targeted scan looks for specific operating systems, services, program versions, or configurations that are known to be exploitable and that provide an easy door into a target network. For example, it is common to scan a target network quickly for the vulnerability MS08-067, as this is (still) an extremely common hole that will give you SYSTEM access much more quickly than scanning an entire target network for vulnerabilities.
Server Message Block Scanning
Metasploit can scour a network and attempt to identify versions of Microsoft Windows using its smb_version module.
NOTE: If you are not familiar with Server Message Block (SMB, a common file-sharing protocol), study up a bit on the different protocols and their purposes before you continue. You will need to understand basic port information to learn how to attack a system successfully.
We run the module, list our options, set RHOSTS, and begin scanning:
msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(smb_version) > run
[*] 192.168.1.155 is running Windows XP Service Pack 2 (language: English) (name:DOOKIE-FA154354) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
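The value of smb_version for an assessor, and for a defender auditing their own network, is that one SMB exchange hands back the OS version, host name and workgroup, so the console output can be turned straight into an inventory and a short list of findings. The Ruby script below is an added example, not code from the book or from Metasploit: it parses the TCP OPEN and "is running" lines from the two runs shown in this chapter (the smb_version line re-joined as the console prints it) into a per-host record, then flags any host that answers on 445/tcp and any host reporting an operating system family whose vendor support has ended. The list of end-of-life families, the severity labels and the triage rules are this example's own assumptions, not Metasploit output.

```ruby
# Added example (not from the book): build a host inventory from the console
# output of Metasploit's portscan/syn and smb_version modules and derive findings.
# The EOL list, severities and triage rules are assumptions made for this demo.

# Sample text taken from the two runs shown in the chapter; the smb_version
# result is on one line here as the console prints it.
SAMPLE_OUTPUT = <<~OUT
  [*] TCP OPEN 192.168.1.155:135
  [*] TCP OPEN 192.168.1.155:139
  [*] TCP OPEN 192.168.1.155:445
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  [*] 192.168.1.155 is running Windows XP Service Pack 2 (language: English) (name:DOOKIE-FA154354) (domain:WORKGROUP)
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
OUT

OPEN_RE = /\A\[\*\] TCP OPEN (?<host>[\d.]+):(?<port>\d+)\z/
# Lazy `.+?` for the OS string lets the optional trailing fields bind if present.
SMB_RE  = /\A\[\*\] (?<host>[\d.]+) is running (?<os>.+?)(?: \(language:(?<lang>[^)]*)\))?(?: \(name:(?<name>[^)]*)\))?(?: \(domain:(?<domain>[^)]*)\))?\z/

# Assumed policy: Windows families whose vendor support has ended. Any host
# reporting one of these over SMB is a finding on its own, whatever else is open.
EOL_OS_PREFIXES = ["Windows 2000", "Windows XP", "Windows Server 2003"].freeze

# Parse console output into { ip => { open_ports:, os:, name:, domain: } }.
# Progress lines ("Scanned 1 of 1 hosts", "execution completed") are ignored.
def parse_msf_output(text)
  hosts = Hash.new { |h, k| h[k] = { open_ports: [], os: nil, name: nil, domain: nil } }
  text.each_line do |raw|
    line = raw.strip
    if (m = OPEN_RE.match(line))
      hosts[m[:host]][:open_ports] << m[:port].to_i
    elsif (m = SMB_RE.match(line))
      h = hosts[m[:host]]
      h[:os]     = m[:os].strip
      h[:name]   = m[:name]&.strip
      h[:domain] = m[:domain]&.strip
    end
  end
  hosts.each_value { |h| h[:open_ports] = h[:open_ports].uniq.sort }
  hosts
end

# Turn the inventory into findings a defender can act on.
def triage(hosts)
  findings = []
  hosts.each do |ip, h|
    if h[:open_ports].include?(445)
      findings << { host: ip, severity: :medium,
                    issue: "SMB (445/tcp) reachable from the scanning position" }
    end
    if h[:os] && EOL_OS_PREFIXES.any? { |p| h[:os].start_with?(p) }
      findings << { host: ip, severity: :high,
                    issue: "end-of-life OS reported over SMB: #{h[:os]}" }
    end
  end
  findings.sort_by { |f| [f[:host], f[:severity].to_s] }
end

if __FILE__ == $PROGRAM_NAME
  inventory = parse_msf_output(SAMPLE_OUTPUT)
  inventory.each { |ip, h| puts "#{ip}: #{h[:os]} (#{h[:name]}/#{h[:domain]}) ports #{h[:open_ports].join(',')}" }
  triage(inventory).each { |f| puts "[#{f[:severity]}] #{f[:host]}: #{f[:issue]}" }
end
```

For the host in the chapter this yields two findings: SMB reachable on 445/tcp, and an end-of-life Windows XP system identified without any credentials. Feeding such an inventory into an asset database is a cheap way to spot the "easy wins" a targeted scan would look for before someone else does.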