Chapter 3

  # Called once per host in RHOSTS by the Msf::Auxiliary::Scanner mixin
  def run_host(ip)
    connect()                     # open a TCP connection to ip:RPORT (Msf::Exploit::Remote::Tcp)
    sock.puts('HELLO SERVER')     # send the probe, newline-terminated
    data = sock.recv(1024)        # read up to 1024 bytes of the server's reply
    print_status("Received: #{data} from #{ip}")
    disconnect()                  # close the connection before the next host
  end
end

This simple scanner uses the Msf::Exploit::Remote::Tcp mixin to handle the TCP networking, and the Msf::Auxiliary::Scanner mixin exposes the various settings that are required for scanners within the Framework. This scanner is configured to use the default port of 12345, and upon connecting to the server, it sends a message, receives the reply from the server, and then prints it out to the screen along with the server IP address.

We have saved this custom script under modules/auxiliary/scanner/ as simple_tcp.rb. The saved location is important in Metasploit. For example, if the module is saved under modules/auxiliary/scanner/http/, it would show up in the modules list as scanner/http/simple_tcp.

To test this rudimentary scanner, we set up a netcat listener on port 12345 and pipe in a text file to act as the server response.

root@bt:/# echo "Hello Metasploit" > banner.txt
root@bt:/# nc -lvnp 12345 < banner.txt
listening on [any] 12345...

Next, we load up msfconsole, select our scanner module, set its parameters, and run it to see if it works.

msf > use auxiliary/scanner/simple_tcp
msf auxiliary(simple_tcp) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    12345            yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(simple_tcp) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf auxiliary(simple_tcp) > run

[*] Received: Hello Metasploit from 192.168.1.101
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(simple_tcp) >
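The same probe-and-reply exchange in plain Ruby, without the Framework, as an added example that is not the book's code: the netcat listener is replaced by an in-process TCPServer so it runs offline, and a connect/read timeout is added because the module's sock.recv(1024) would otherwise block forever on a host that accepts but never answers. The names probe_host, start_banner_server and scan are chosen here and are not Metasploit API.

```ruby
require 'socket'
require 'timeout'

# Plain-Ruby equivalent of run_host: connect, send the probe, read one reply
# (at most 1024 bytes, like sock.recv(1024)) and close.
# Returns the reply string, or nil if the port is closed or the host never replies.
def probe_host(ip, port, probe: "HELLO SERVER\n", timeout: 3)
  Timeout.timeout(timeout) do
    TCPSocket.open(ip, port) do |sock|
      sock.write(probe)
      sock.recv(1024)
    end
  end
rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EHOSTUNREACH,
       Errno::ETIMEDOUT, Timeout::Error, SocketError
  nil
end

# Stand-in for "nc -lvnp 12345 < banner.txt": accept one client on a free
# loopback port, wait for its probe line, send the banner, close.
# Returns the port the OS picked so the caller can aim probe_host at it.
def start_banner_server(banner)
  server = TCPServer.new('127.0.0.1', 0)   # port 0 = any free port
  port = server.addr[1]
  Thread.new do
    client = server.accept
    client.gets                            # consume the "HELLO SERVER" line
    client.write(banner)
    client.close
    server.close
  end
  port
end

# Iterate a host list the way Msf::Auxiliary::Scanner walks RHOSTS,
# collecting each reply keyed by IP (nil marks a host that gave none).
def scan(ips, port)
  ips.each_with_object({}) do |ip, results|
    results[ip] = probe_host(ip, port)
    puts "[*] Received: #{results[ip].inspect} from #{ip}"
  end
end

if __FILE__ == $0
  port = start_banner_server("Hello Metasploit\n")   # constructed test banner
  scan(['127.0.0.1'], port)
end
```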