Intelligence Gathering

You will encounter many jaw-dropping situations like these throughout your pen testing career, because many administrators simply attach devices to a network with all their defaults still in place. The situation is even scarier when you find these devices accessible from the Internet within a large corporation.

Writing a Custom Scanner

Many applications and services lack custom modules in Metasploit. Thankfully, the Framework has many features that can be useful when you're building a custom scanner, including access to all of its exploit classes and methods, and support for proxies, Secure Sockets Layer (SSL), reporting, and threading. It can be very useful to write your own scanner during security assessments, because doing so will allow you to locate every instance of a bad password or unpatched service quickly on a target system.

The Metasploit Framework scanner modules include various mixins, such as exploit mixins for TCP, SMB, and so on, and the auxiliary scanner mixin that is built into the Framework. Mixins are portions of code with predefined functions and calls that are preconfigured for you. The Auxiliary::Scanner mixin overloads the Auxiliary run method; calls the module method at runtime with run_host(ip), run_range(range), or run_batch(batch); and then processes the IP addresses. We can leverage Auxiliary::Scanner to call additional, built-in Metasploit functionality.

Following is a Ruby script for a simple TCP scanner that will connect to a remote host on a default port of 12345 and, upon connecting, send "HELLO SERVER", receive the server response, and print it out along with the server's IP address. The class name Metasploit3 reflects the Framework version this was written against; current Metasploit releases name the module class MetasploitModule and no longer need the require 'msf/core' line, but the mixins and the run_host(ip) callback work the same way.

```ruby
# Metasploit
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  # TCP mixin: provides connect, disconnect and the sock handle
  include Msf::Exploit::Remote::Tcp
  # Scanner mixin: overloads run and calls run_host(ip) once per target
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'My custom TCP scan',
      'Version'     => '$Revision: 1 $',
      'Description' => 'My quick scanner',
      'Author'      => 'Your name here',
      'License'     => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(12345)
      ], self.class)
  end

  # Invoked by the Scanner mixin for each address in RHOSTS:
  # connect, send the greeting, read the reply and report it with the IP
  def run_host(ip)
    connect
    greeting = "HELLO SERVER"
    sock.puts(greeting)
    data = sock.recv(1024)
    print_status("Received: #{data} from #{ip}")
    disconnect
  end
end
```
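To see the dispatch pattern the Scanner mixin provides, and the "HELLO SERVER" exchange from both ends, the following stand-alone Ruby script is an added example that is not Metasploit code and not from the book. It reimplements the shape of the mixin (a `run` that expands a target range and hands each address to `run_host(ip)`) in plain Ruby, probes with the same greeting, and talks to a constructed throwaway service on loopback so it runs offline. The names `ScannerMixin`, `HelloScanner` and `start_fake_service` are assumptions for this illustration.

```ruby
require 'socket'
require 'ipaddr'

# Stand-alone illustration of the Auxiliary::Scanner dispatch pattern:
# a mixin supplies run(), which walks the target range and hands each
# address to the module's run_host(ip). This is NOT Metasploit code;
# it only mirrors the shape of the Framework's mixin for demonstration.
module ScannerMixin
  # Expand a CIDR (or a single address) into a list of host strings.
  def expand_range(range)
    IPAddr.new(range).to_range.map(&:to_s)
  end

  # Equivalent of the mixin's overloaded run(): iterate and delegate.
  def run(range)
    expand_range(range).map { |ip| run_host(ip) }
  end
end

# The probe: connect, send a greeting, return whatever the service says.
class HelloScanner
  include ScannerMixin
  attr_reader :rport, :timeout

  def initialize(rport: 12345, timeout: 1.0)
    @rport = rport
    @timeout = timeout
  end

  def run_host(ip)
    sock = Socket.tcp(ip, rport, connect_timeout: timeout)
    sock.puts('HELLO SERVER')
    data = sock.gets(chomp: true)   # nil if the service closes silently
    sock.close
    { ip: ip, port: rport, banner: data }
  rescue SystemCallError, SocketError, IOError => e
    # Closed port, timeout or reset: record the failure instead of aborting the sweep
    { ip: ip, port: rport, banner: nil, error: e.class.name }
  end
end

# Constructed target for offline use (not a real service): a throwaway
# TCP listener on loopback that answers any greeting with a fixed banner.
def start_fake_service(banner: 'HELLO CLIENT, I AM FAKE 1.0')
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      Thread.new(client) do |c|
        c.gets            # consume the scanner's greeting line
        c.puts(banner)
        c.close
      end
    end
  end
  server.addr[1]          # the ephemeral port the listener bound to
end

if __FILE__ == $PROGRAM_NAME
  port = start_fake_service
  HelloScanner.new(rport: port).run('127.0.0.1/32').each do |r|
    status = r[:error] ? " (#{r[:error]})" : ''
    puts "#{r[:ip]}:#{r[:port]} -> #{r[:banner].inspect}#{status}"
  end
end
```

The point of `rescue` inside `run_host` is the same one Metasploit's mixin enforces for you: one unreachable or unresponsive host must not abort the sweep over the rest of the range, so each failure is returned as a result rather than raised.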