28
Chapter 3
THREADS    1    yes  The number of concurrent threads
USERNAME   sa   no   The username to authenticate as
WORKSPACE       no   The name of the workspace to report data into
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.1.155:
[*] ServerName = V-XPSP2-BARE
[*] InstanceName = SQLEXPRESS
[*] IsClustered = No
[*] Version = 10.0.1600.22
[*] tcp = 1433
As you can see, not only does the scanner locate an MS SQL server at 192.168.1.155, but it also identifies the instance name (SQLEXPRESS), the SQL Server version (10.0.1600.22), and the TCP port on which it is listening (1433). Just think of how much time this targeted scan for SQL servers would save over running nmap against all ports on all machines in a target subnet in search of the elusive TCP port.
SSH Server Scanning
If during your scanning you encounter machines running Secure Shell (SSH), you should determine which version is running on the target. SSH is a secure protocol, but vulnerabilities in various implementations have been identified. You never know when you might get lucky and come across an old machine that hasn't been updated. You can use the Framework's ssh_version module to determine the SSH version running on the target server.
msf > use scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_version) > run
[*] 192.168.1.1:22, SSH server version: SSH-2.0-dropbear_0.52
[*] Scanned 044 of 256 hosts (017% complete)
[*] 192.168.1.101:22, SSH server version: SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
[*] Scanned 100 of 256 hosts (039% complete)
[*] 192.168.1.153:22, SSH server version: SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
[*] 192.168.1.185:22, SSH server version: SSH-2.0-OpenSSH_4.3
This output tells us that a few different servers are running with various patch levels. This information could prove useful if, for example, we wanted to attack a specific version of OpenSSH as found with the ssh_version scan.
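Turning that scan output into a patch-level inventory is the natural next step. The following Python parser is an added example, not code from the book or from the Metasploit project: it reads ssh_version output lines in the format shown above, splits each banner into implementation and version, and flags hosts that fall below a minimum version the administrator chooses (the thresholds passed in are assumed values, not recommendations from the page).

```python
import re

# Sample scanner output, copied from the ssh_version run shown above.
SAMPLE_OUTPUT = """\
[*] 192.168.1.1:22, SSH server version: SSH-2.0-dropbear_0.52
[*] Scanned 044 of 256 hosts (017% complete)
[*] 192.168.1.101:22, SSH server version: SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
[*] Scanned 100 of 256 hosts (039% complete)
[*] 192.168.1.153:22, SSH server version: SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
[*] 192.168.1.185:22, SSH server version: SSH-2.0-OpenSSH_4.3
"""

# One result line per host; progress lines ("Scanned N of M hosts") do not match.
LINE_RE = re.compile(
    r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+), SSH server version: (?P<banner>.+)$")
# Banner shape: SSH-<proto>-<software>_<version>[ <comments>]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-(?P<software>[A-Za-z]+)_(?P<version>[\d.]+[A-Za-z0-9]*)")


def parse_ssh_version_output(text):
    """Return one dict per host line; non-matching lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"host": m["host"], "port": int(m["port"]), "banner": m["banner"]}
        b = BANNER_RE.match(m["banner"])
        rec["software"] = b["software"] if b else None
        rec["version"] = b["version"] if b else None
        results.append(rec)
    return results


def version_key(version):
    """Turn '4.3p2' into (4, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def outdated_hosts(records, minimums):
    """Hosts whose implementation is below the administrator's minimum version."""
    flagged = []
    for r in records:
        minimum = minimums.get(r["software"])
        if r["version"] and minimum and version_key(r["version"]) < version_key(minimum):
            flagged.append(r["host"])
    return flagged


if __name__ == "__main__":
    recs = parse_ssh_version_output(SAMPLE_OUTPUT)
    print(outdated_hosts(recs, {"OpenSSH": "5.0", "dropbear": "0.52"}))
```

Hosts that do not match the banner pattern keep `software` and `version` as `None` and are never flagged, so they should be reviewed by hand rather than assumed current.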