Intelligence Gathering
As you can see, the smb_version scanner has pinpointed the operating system as Windows XP with Service Pack 2. Because we are scanning only one system, we leave THREADS set to 1. If we had been scanning a number of systems, such as a class C subnet range, we might consider upping the thread count with the set THREADS number option. The results of this scan are stored in the Metasploit database for use at a later time and can be retrieved with the db_hosts command.
msf auxiliary(smb_version) > db_hosts -c address,os_flavor

Hosts
=====

address        os_flavor   Svcs  Vulns  Workspace
-------        ---------   ----  -----  ---------
192.168.1.155  Windows XP  3     0      default

msf auxiliary(smb_version) >
We have discovered a system running Windows XP without having to do a full scan of the network. When our goal is to avoid being noticed, this is a great way to quickly and quietly single out the hosts that are likely to be the most vulnerable.
Hunting for Poorly Configured Microsoft SQL Servers
Poorly configured Microsoft SQL Server (MS SQL) installations often provide an initial way into a target network. In fact, many system administrators don't even realize that they have MS SQL servers installed on their workstations at all, because the service is installed as a prerequisite for some common software, such as Microsoft Visual Studio. These installations are often unused, unpatched, or never even configured.
When MS SQL is installed, the default instance listens on TCP port 1433, while named instances listen on a dynamic TCP port chosen when the service starts. If MS SQL is listening on a dynamic port, simply query the SQL Server Browser service on UDP port 1434: it answers with the name, version, and TCP port of every instance on the host. (If that service is stopped or UDP 1434 is filtered, the query goes unanswered and you are back to port scanning.) Of course, Metasploit has a module that can make use of this "feature": mssql_ping.
Because mssql_ping uses UDP, it can be quite slow to run across entire subnets: UDP gives no "connection refused" for a silent host, so every non-responding address is only given up on after the timeout expires. But on a local LAN, setting THREADS to 255 will greatly speed up the scan. As Metasploit finds MS SQL servers, it displays all the details it can extract from them including, perhaps most importantly, the TCP port on which the server is listening.
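The UDP 1434 exchange described above, and the timeout behaviour that makes it slow over large ranges, are simple enough to reproduce by hand. The following Python script is an added example and is not code from the book or from Metasploit's mssql_ping module. It builds the one-byte CLNT_UCAST_EX request and parses the SVR_RESP reply as defined in Microsoft's MC-SQLR specification (one semicolon-separated key/value record per instance, each terminated by ";;"), extracts the TCP port, and treats an unanswered query as "no Browser service here" rather than as an error. The host name, instance names, versions, and ports in the embedded sample reply are constructed for illustration, not captured from a real server.

```python
#!/usr/bin/env python3
"""Query the SQL Server Browser service (SSRP, UDP 1434) and list instances.

Added example; not the book's or Metasploit's code. Message layout per MC-SQLR:
request  = one byte, 0x03 (CLNT_UCAST_EX: enumerate all instances on a host)
response = 0x05 | uint16le length | "Key;Value;...;tcp;<port>;;" per instance
"""
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # unicast "list every instance on this host"
SVR_RESP = 0x05           # first byte of every valid reply


def parse_ssrp_response(data: bytes) -> list:
    """Return one dict (key -> value) per instance found in a SVR_RESP datagram."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SSRP response")
    instances = []
    # Records are ';;'-terminated; inside a record the fields alternate key;value.
    for record in body.decode("latin-1").split(";;"):
        if not record:
            continue
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError("malformed instance record: %r" % record)
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_port_of(instance: dict):
    """TCP port the instance listens on, or None if it only advertises a named pipe."""
    port = instance.get("tcp")
    return int(port) if port and port.isdigit() else None


def ssrp_ping(host: str, timeout: float = 2.0) -> list:
    """Send CLNT_UCAST_EX to host:1434 and parse the reply.

    A silent host (Browser service stopped, UDP 1434 filtered) or an ICMP
    port-unreachable is reported as an empty list: this is the per-host wait
    that makes UDP sweeps of whole subnets slow.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
            data, _ = sock.recvfrom(65535)
        except OSError:            # socket.timeout and ConnectionResetError are OSErrors
            return []
    return parse_ssrp_response(data)


def encode_ssrp_response(text: str) -> bytes:
    """Build a SVR_RESP datagram; used only to construct the offline sample below."""
    body = text.encode("latin-1")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


# Constructed sample reply (not a real capture): a named instance on a dynamic
# port plus a default instance on 1433 that also exposes a named pipe.
SAMPLE_RESPONSE = encode_ssrp_response(
    "ServerName;WINXP-LAB;InstanceName;SQLEXPRESS;IsClustered;No;"
    "Version;9.00.1399.06;tcp;52983;;"
    "ServerName;WINXP-LAB;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\WINXP-LAB\\pipe\\sql\\query;;"
)

if __name__ == "__main__":
    import sys
    # With a host argument, query it over the network; otherwise parse the sample.
    found = ssrp_ping(sys.argv[1]) if len(sys.argv) > 1 else parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in found:
        print("%s\\%s  version %s  tcp %s" % (
            inst.get("ServerName"), inst.get("InstanceName"),
            inst.get("Version"), tcp_port_of(inst)))
```

Run it with no arguments to see the parser work on the constructed sample, or with a host name to query a real server (one datagram out, one back). Sweeping a range is just a loop over ssrp_ping with a short timeout; the two-second default is why a /24 of mostly silent hosts takes minutes single-threaded, which is exactly what raising THREADS in Metasploit compensates for.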
Here's how you might run an mssql_ping scan, which includes starting the scan, listing and setting options, and the results.

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier