Port Scanning

Although we have already set up and configured dradis to store our notes and findings, it is still good practice to create a new database from within Metasploit as the data can still be useful to have for quick retrieval and for use in certain attack scenarios.

msf > db_create [*] Creating a new database instance... [*] Successfully connected to the database [*] File: /root/.msf3/sqlite3.db msf > load db_tracker [*] Successfully loaded plugin: db_tracker msf > help ...snip... Database Backend Commands ========================= Command Description ------- ----------- db_add_host Add one or more hosts to the database db_add_note Add a note to host db_add_port Add a port to host db_autopwn Automatically exploit everything db_connect Connect to an existing database db_create Create a brand new database db_del_host Delete one or more hosts from the database db_del_port Delete one port from the database db_destroy Drop an existing database db_disconnect Disconnect from the current database instance db_driver Specify a database driver db_hosts List all hosts in the database db_import_amap_mlog Import a THC-Amap scan results file (-o -m) db_import_nessus_nbe Import a Nessus scan result file (NBE) db_import_nessus_xml Import a Nessus scan result file (NESSUS) db_import_nmap_xml Import a Nmap scan results file (-oX) db_nmap Executes nmap and records the output automatically db_notes List all notes in the database db_services List all services in the database db_vulns List all vulnerabilities in the database msf >
We can use the 'db_nmap' command to run an Nmap scan against our targets and have the scan results stored in the newly created database however, Metasploit will only create the xml output file as that is the format that it uses to populate the database whereas dradis can import either the grepable or normal output. It is always nice to have all three Nmap outputs (xml, grepable, and normal) so we can run the Nmap scan using the '-oA' flag to generate the three output files then issue the 'db_import_nmap_xml' command to populate the Metasploit database.

If you don't wish to import your results into dradis, simply run Nmap using 'db_nmap' with the options you would normally use, omitting the output flag. The example below would then be 'db_nmap -v -sV 192.168.1.0/24'.
msf > nmap -v -sV 192.168.1.0/24 -oA subnet_1 [*] exec: nmap -v -sV 192.168.1.0/24 -oA subnet_1 Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 19:29 MDT NSE: Loaded 3 scripts for scanning. Initiating ARP Ping Scan at 19:29 Scanning 101 hosts [1 port/host] ... Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)
With the scan finished, we will issue the 'db_import_nmap_xml' command to import the Nmap xml file.

msf > db_import_nmap_xml subnet_1.xml

Results of the imported Nmap scan can be viewed via the 'db_hosts' and 'db_services' commands:

msf > db_hosts [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.1 Status: alive OS: [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.2 Status: alive OS: [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.10 Status: alive OS: [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.100 Status: alive OS: ... msf > db_services [*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.1 port=22 proto=tcp state=up name=ssh [*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.1 port=23 proto=tcp state=up name=telnet [*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.1 port=80 proto=tcp state=up name=http [*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.2 port=23 proto=tcp state=up name=telnet ...
We are now ready to import our results into dradis by changing to the terminal where we have the dradis console running and issuing the 'import nmap ' command.

dradis> import nmap /pentest/exploits/framework3/subnet_1.nmap normal There has been an exception: [error] undefined method `each' for nil:NilClass /pentest/exploits/framework3/subnet_1.nmap was successfully imported dradis>
If you switch to your dradis web interface and refresh the view, you will see the results of the imported Nmap scan in an easy to navigate tree format.

Port Scanning

msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > load db_tracker
[*] Successfully loaded plugin: db_tracker
msf > help
...snip...
Database Backend Commands
=========================

    Command               Description
    -------               -----------
    db_add_host           Add one or more hosts to the database
    db_add_note           Add a note to host
    db_add_port           Add a port to host
    db_autopwn            Automatically exploit everything
    db_connect            Connect to an existing database
    db_create             Create a brand new database
    db_del_host           Delete one or more hosts from the database
    db_del_port           Delete one port from the database
    db_destroy            Drop an existing database
    db_disconnect         Disconnect from the current database instance
    db_driver             Specify a database driver
    db_hosts              List all hosts in the database
    db_import_amap_mlog   Import a THC-Amap scan results file (-o -m)
    db_import_nessus_nbe  Import a Nessus scan result file (NBE)
    db_import_nessus_xml  Import a Nessus scan result file (NESSUS)
    db_import_nmap_xml    Import a Nmap scan results file (-oX)
    db_nmap               Executes nmap and records the output automatically
    db_notes              List all notes in the database
    db_services           List all services in the database
    db_vulns              List all vulnerabilities in the database

msf >

We can use the 'db_nmap' command to run an Nmap scan against our targets and have the scan results stored in the newly created database however, Metasploit will only create the xml output file as that is the format that it uses to populate the database whereas dradis can import either the grepable or normal output. It is always nice to have all three Nmap outputs (xml, grepable, and normal) so we can run the Nmap scan using the '-oA' flag to generate the three output files then issue the 'db_import_nmap_xml' command to populate the Metasploit database.

If you don't wish to import your results into dradis, simply run Nmap using 'db_nmap' with the options you would normally use, omitting the output flag. The example below would then be 'db_nmap -v -sV 192.168.1.0/24'.

msf > nmap -v -sV 192.168.1.0/24 -oA subnet_1
[*] exec: nmap -v -sV 192.168.1.0/24 -oA subnet_1

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 19:29 MDT
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 19:29
Scanning 101 hosts [1 port/host]
...
Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds
Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)

With the scan finished, we will issue the 'db_import_nmap_xml' command to import the Nmap xml file.

msf > db_import_nmap_xml subnet_1.xml

Results of the imported Nmap scan can be viewed via the 'db_hosts' and 'db_services' commands:

msf > db_hosts
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.1 Status: alive OS:
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.2 Status: alive OS:
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.10 Status: alive OS:
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.100 Status: alive OS:
...

msf > db_services
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.1 port=22 proto=tcp state=up name=ssh
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.1 port=23 proto=tcp state=up name=telnet
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.1 port=80 proto=tcp state=up name=http
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Service: host=192.168.1.2 port=23 proto=tcp state=up name=telnet
...

We are now ready to import our results into dradis by changing to the terminal where we have the dradis console running and issuing the 'import nmap ' command.

 dradis> import nmap /pentest/exploits/framework3/subnet_1.nmap normal
There has been an exception:
[error] undefined method `each' for nil:NilClass
/pentest/exploits/framework3/subnet_1.nmap was successfully imported dradis>

If you switch to your dradis web interface and refresh the view, you will see the results of the imported Nmap scan in an easy to navigate tree format.

Username
Password
Remember me

System message

Port Scanning

Port Scanning