Intelligence Gathering

As you can see, the smb_version scanner has pinpointed the operating system as Windows XP with Service Pack 2. Because we are scanning only one system, we leave THREADS set to 1. If we had been scanning a number of systems, such as a class C subnet range, we might consider upping the THREADS value using the set THREADS number option (where number is the thread count you want). The results of this scan are stored in the Metasploit database for use at a later time and can be accessed with the db_hosts command.

msf auxiliary(smb_version) > db_hosts -c address,os_flavor

Hosts
=====

address        os_flavor   Svcs  Vulns  Workspace
-------        ---------   ----  -----  ---------
192.168.1.155  Windows XP  3     0      default
msf auxiliary(smb_version) >

We have discovered a system running Windows XP without having to do a full scan of the network. This is a great way to quickly and quietly target hosts that are likely to be more vulnerable when our goal is to avoid being noticed.

Hunting for Poorly Configured Microsoft SQL Servers

Poorly configured Microsoft SQL Server (MS SQL) installations often provide an initial way into a target network. In fact, many system administrators don't even realize that they have MS SQL servers installed on their workstations at all, because the service is installed as a prerequisite for some common software, such as Microsoft Visual Studio. These installations are often unused, unpatched, or never even configured.

When MS SQL is installed, it listens by default either on TCP port 1433 or on a random dynamic TCP port. If MS SQL is listening on a dynamic port, simply query UDP port 1434 to discover on what dynamic TCP port MS SQL is listening. Of course, Metasploit has a module that can make use of this "feature": mssql_ping.

Because mssql_ping uses UDP, it can be quite slow to run across entire subnets because of issues with timeouts. But on a local LAN, setting THREADS to 255 will greatly speed up the scan. As Metasploit finds MS SQL servers, it displays all the details it can extract from them including, perhaps most importantly, the TCP port on which the server is listening.
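The details mssql_ping reports come from the SQL Server Browser service, which answers a UDP 1434 query with one record per instance (server name, instance name, version, and the TCP port in use). The parser below is an added example, not code from the book or from Metasploit; it decodes a constructed Browser response offline and flags which instances are reachable only through a dynamic port, which is the kind of inventory check a defender would run against their own hosts before an attacker runs the scanner for them. The datagram layout (0x05 marker, two-byte little-endian length, then semicolon-separated key/value pairs with each instance ending in ";;") follows Microsoft's MC-SQLR documentation; the sample bytes and the host/instance names in them are made up.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample response (not captured from a real host): two instances on
# the same workstation, one on the default port and one on a dynamic port.
_SAMPLE_BODY = (
    b"ServerName;WKSTN01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;1433;;"
    b"ServerName;WKSTN01;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;49172;"
    b"np;\\\\WKSTN01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_SAMPLE_BODY)) + _SAMPLE_BODY


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Decode an SQL Server Browser SVR_RESP datagram into one dict per instance.

    Layout: byte 0x05, then a little-endian 16-bit length, then an ASCII string of
    key;value pairs. Each instance record is terminated by ";;".
    """
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", data, 1)
    if len(data) < 3 + length:
        raise ValueError("datagram truncated: length field exceeds payload")
    body = data[3:3 + length].decode("ascii", errors="replace")

    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # trailing empty record after the final ";;"
        # keys sit at even offsets, values at odd offsets
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def triage_instances(instances: List[Dict[str, str]]) -> List[Tuple[str, Optional[int], str]]:
    """Classify each advertised instance by how its TCP endpoint is exposed."""
    findings = []
    for inst in instances:
        name = inst.get("InstanceName", "?")
        port = inst.get("tcp")
        if port is None:
            findings.append((name, None, "no TCP endpoint advertised"))
        elif port == "1433":
            findings.append((name, 1433, "default TCP port"))
        else:
            findings.append((name, int(port),
                             "dynamic TCP port, discoverable only via UDP 1434"))
    return findings


if __name__ == "__main__":
    for name, port, note in triage_instances(parse_ssrp_response(SAMPLE_RESPONSE)):
        print(f"{name:12} tcp={port!s:6} {note}")
```

Anything that can reach UDP 1434 gets this listing, so the dynamic port is not a secret. On hosts where the Browser service is not needed (the stray workstation installs the chapter describes), stopping it or filtering UDP 1434 removes the lookup; the instance then listens only where your inventory already says it does.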

Here's how you might run an mssql_ping scan, which includes starting the scan, listing and setting options, and the results.

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOSTS                      yes       The target address range or CIDR identifier