background image


Chapter 3

   THREADS    1                yes       The number of concurrent threads
   USERNAME   sa               no        The username to authenticate as
   WORKSPACE                   no        The name of the workspace to report data into

msf auxiliary(mssql_ping) > 


msf auxiliary(mssql_ping) > 

set THREADS 255

THREADS => 255
msf auxiliary(mssql_ping) > 


 [*] SQL Server information for

[*]    ServerName      = V-XPSP2-BARE

 [*]    InstanceName    = SQLEXPRESS

[*]    IsClustered     = No

 [*]    Version         = 10.0.1600.22
 [*]    tcp             = 1433

As you can see, not only does the scanner locate a MS SQL server at  , 

but it also identifies the instance name at  , the SQL server version at  , and 
the TCP port number at   on which it is listening. Just think of how much 
time this targeted scan for SQL servers would save over running 



all ports on all machines in a target subnet in search of the elusive TCP port.

SSH Server Scanning

If during your scanning you encounter machines running Secure Shell (SSH), 
you should determine which version is running on the target. SSH is a secure 
protocol, but vulnerabilities in various implementations have been identified. 
You never know when you might get lucky and come across an old machine 
that hasn’t been updated. You can use the Framework’s 


 module to 

determine the SSH version running on the target server.

msf > 

use scanner/ssh/ssh_version

msf auxiliary(ssh_version) > 

set THREADS 50

msf auxiliary(ssh_version) > 


[*], SSH server version: SSH-2.0-dropbear_0.52
[*] Scanned 044 of 256 hosts (017% complete)
[*], SSH server version: SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
[*] Scanned 100 of 256 hosts (039% complete)
[*], SSH server version: SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
[*], SSH server version: SSH-2.0-OpenSSH_4.3

This output tells us that a few different servers are running with various 

patch levels. This information could prove useful if, for example, we wanted 
to attack a specific version of OpenSSH as found with the