Service Identification
Besides using Nmap to scan for services on the target network, Metasploit includes a large variety of scanner modules for specific services, which often help you identify potentially vulnerable services running on target machines.

msf auxiliary(tcp) > search auxiliary ^scanner
[*] Searching loaded modules for pattern '^scanner'...
Auxiliary
=========
Name Description
---- -----------
scanner/db2/discovery DB2 Discovery Service Detection.
scanner/dcerpc/endpoint_mapper Endpoint Mapper Service Discovery
scanner/dcerpc/hidden Hidden DCERPC Service Discovery
scanner/dcerpc/management Remote Management Interface Discovery
scanner/dcerpc/tcp_dcerpc_auditor DCERPC TCP Service Auditor
scanner/dect/call_scanner DECT Call Scanner
scanner/dect/station_scanner DECT Base Station Scanner
scanner/discovery/arp_sweep ARP Sweep Local Network Discovery
scanner/discovery/sweep_udp UDP Service Sweeper
scanner/emc/alphastor_devicemanager EMC AlphaStor Device Manager Service.
scanner/emc/alphastor_librarymanager EMC AlphaStor Library Manager Service.
scanner/ftp/anonymous Anonymous FTP Access Detection
scanner/http/frontpage FrontPage Server Extensions Detection
scanner/http/frontpage_login FrontPage Server Extensions Login Utility
scanner/http/lucky_punch HTTP Microsoft SQL Injection Table XSS Infection
scanner/http/ms09_020_webdav_unicode_bypass MS09-020 IIS6 WebDAV Unicode Auth Bypass
scanner/http/options HTTP Options Detection
scanner/http/version HTTP Version Detection
...snip...
scanner/ip/ipidseq IPID Sequence Scanner
scanner/misc/ib_service_mgr_info Borland InterBase Services Manager Information
scanner/motorola/timbuktu_udp Motorola Timbuktu Service Detection.
scanner/mssql/mssql_login MSSQL Login Utility
scanner/mssql/mssql_ping MSSQL Ping Utility
scanner/mysql/version MySQL Server Version Enumeration
scanner/nfs/nfsmount NFS Mount Scanner
scanner/oracle/emc_sid Oracle Enterprise Manager Control SID Discovery
scanner/oracle/sid_enum SID Enumeration.
scanner/oracle/spy_sid Oracle Application Server Spy Servlet SID Enumeration.
scanner/oracle/tnslsnr_version Oracle tnslsnr Service Version Query.
scanner/oracle/xdb_sid Oracle XML DB SID Discovery
...snip...
scanner/sip/enumerator SIP username enumerator
scanner/sip/options SIP Endpoint Scanner
scanner/smb/login SMB Login Check Scanner
scanner/smb/pipe_auditor SMB Session Pipe Auditor
scanner/smb/pipe_dcerpc_auditor SMB Session Pipe DCERPC Auditor
scanner/smb/smb2 SMB 2.0 Protocol Detection
scanner/smb/version SMB Version Detection
scanner/smtp/smtp_banner SMTP Banner Grabber
scanner/snmp/aix_version AIX SNMP Scanner Auxiliary Module
scanner/snmp/community SNMP Community Scanner
scanner/ssh/ssh_version SSH Version Scannner
scanner/telephony/wardial Wardialer
scanner/tftp/tftpbrute TFTP Brute Forcer
scanner/vnc/vnc_none_auth VNC Authentication None Detection
scanner/x11/open_x11 X11 No-Auth Scanner
Our port scanning turned up some machines with TCP port 22 open. SSH is generally secure, but vulnerabilities are not unheard of, and it always pays to gather as much information as possible about your targets. For this example we'll put our grepable Nmap output file to use, parsing out the hosts that have port 22 open and passing the list to RHOSTS.

msf auxiliary(arp_sweep) > use scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(ssh_version) > cat subnet_1.gnmap | grep 22/open | awk '{print $2}' > /tmp/22_open.txt
[*] exec: cat subnet_1.gnmap | grep 22/open | awk '{print $2}' > /tmp/22_open.txt
msf auxiliary(ssh_version) > set RHOSTS file:/tmp/22_open.txt
RHOSTS => file:/tmp/22_open.txt
msf auxiliary(ssh_version) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_version) > run
[*] 192.168.1.1:22, SSH server version: SSH-2.0-dropbear_0.52
[*] 192.168.1.137:22, SSH server version: SSH-1.99-OpenSSH_4.4
[*] Auxiliary module execution completed
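The grep/awk pipeline above does a plain substring match on 22/open, so a host whose only match is port 122 or 2222 would also land in RHOSTS. The following is an added example, not code from the page or from Metasploit: it reads the -oG "Ports:" field strictly and, going one step further than the page, interprets the ssh_version output. A banner starting SSH-1.99- (like the OpenSSH_4.4 host above) means the server still accepts SSH protocol 1 clients (RFC 4253 section 5.1), which is exactly the kind of finding a version scan is meant to surface. The lines in SAMPLE_GNMAP are constructed, SAMPLE_RUN_OUTPUT is copied from the page's run output, and all function names are my own.

```python
import re

# Constructed sample of Nmap grepable (-oG) output, shaped like the page's
# subnet_1.gnmap; none of these hosts or services come from the page.
SAMPLE_GNMAP = (
    "# Nmap 5.00 scan initiated as: nmap -sS -p 21,22,80,122,2222 -oG subnet_1.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//dropbear sshd 0.52/, 80/open/tcp//http///\tIgnored State: closed (3)\n"
    "Host: 192.168.1.23 ()\tPorts: 21/open/tcp//ftp//vsftpd 1.1.3/, 22/closed/tcp//ssh///\tIgnored State: filtered (3)\n"
    "Host: 192.168.1.137 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.4/, 2222/open/tcp//ssh///\tIgnored State: closed (3)\n"
    "Host: 192.168.1.200 ()\tPorts: 122/open/tcp//smakynet///\tIgnored State: closed (4)\n"
)

# Copied from the ssh_version run shown on the page.
SAMPLE_RUN_OUTPUT = (
    "[*] 192.168.1.1:22, SSH server version: SSH-2.0-dropbear_0.52\n"
    "[*] 192.168.1.137:22, SSH server version: SSH-1.99-OpenSSH_4.4\n"
    "[*] Auxiliary module execution completed\n"
)


def naive_grep_hosts(gnmap_text, port):
    """Same selection as the page's `grep 22/open | awk '{print $2}'`: a substring match."""
    needle = f"{port}/open"
    return [line.split()[1] for line in gnmap_text.splitlines() if needle in line]


def hosts_with_port_open(gnmap_text, port, proto="tcp"):
    """Return hosts whose -oG 'Ports:' field lists exactly <port>/open/<proto>."""
    found = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: "):
            continue
        # -oG lines are tab-separated "Key: value" chunks (Host, Ports, Ignored State, ...).
        fields = {}
        for chunk in line.split("\t"):
            key, sep, value = chunk.partition(": ")
            if sep:
                fields[key] = value
        host = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(", "):
            # Each port entry is port/state/protocol/owner/service/rpc/version/
            parts = entry.split("/")
            if len(parts) >= 3 and parts[0] == str(port) and parts[1] == "open" and parts[2] == proto:
                if host not in found:
                    found.append(host)
                break
    return found


SSH_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")


def classify_ssh_banner(banner):
    """Split an SSH identification string; None if it is not one."""
    m = SSH_BANNER_RE.match(banner)
    if not m:
        return None
    proto = m.group("proto")
    return {
        "protoversion": proto,
        "software": m.group("software"),
        # RFC 4253 s.5.1: a server that also accepts SSH-1 clients identifies
        # itself as "1.99"; any other "1.x" banner is a pure protocol-1 server.
        "ssh1_capable": proto.startswith("1."),
    }


RUN_LINE_RE = re.compile(r"^\[\*\] (?P<host>\S+):(?P<port>\d+), SSH server version: (?P<banner>\S+)")


def ssh1_capable_hosts(run_output):
    """From ssh_version module output, list (host, software) pairs still speaking SSH-1."""
    hits = []
    for line in run_output.splitlines():
        m = RUN_LINE_RE.match(line)
        if not m:
            continue
        info = classify_ssh_banner(m.group("banner"))
        if info and info["ssh1_capable"]:
            hits.append((m.group("host"), info["software"]))
    return hits


if __name__ == "__main__":
    print("strict :", hosts_with_port_open(SAMPLE_GNMAP, 22))
    print("grep   :", naive_grep_hosts(SAMPLE_GNMAP, 22))
    print("SSH-1  :", ssh1_capable_hosts(SAMPLE_RUN_OUTPUT))
```

On the constructed sample the substring approach adds 192.168.1.200 (port 122) to the list, while the strict parser returns only the two hosts with 22/open/tcp; the SSH-1.99 host is the one worth following up on the defensive side, since protocol 1 support is something to disable rather than leave for a scanner to find.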
Poorly configured FTP servers can frequently be the foothold you need to gain access to an entire network, so it always pays off to check whether anonymous access is allowed whenever you encounter an open FTP port, usually TCP port 21. We'll set THREADS to 10 here, as we're only going to scan a range of 10 hosts.

msf > use scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 192.168.1.20-192.168.1.30
RHOSTS => 192.168.1.20-192.168.1.30
msf auxiliary(anonymous) > set THREADS 10
THREADS => 10
msf auxiliary(anonymous) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(anonymous) > run
[*] 192.168.1.23:21 Anonymous READ (220 (vsFTPd 1.1.3))
[*] Recording successful FTP credentials for 192.168.1.23
[*] Auxiliary module execution completed
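As an added example (not code from the page or from Metasploit), the following Python shows both sides of the login dialogue the anonymous module performs: a tiny stub that answers like the vsFTPd server seen above, and a client that sends USER/PASS and reads the three-digit reply codes (230 logged in, 530 refused). The stub, the socketpair wiring and the function names are all constructed here; the default password mirrors the module's FTPPASS setting. The same client logic pointed at one of your own FTP servers is a quick way to confirm that anonymous access really is switched off.

```python
import socket
import threading


def _readline(sock):
    """Read one CRLF-terminated line from the control channel (empty string on EOF)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def read_reply(sock):
    """Read a complete RFC 959 reply, including the multi-line '220-...' form.

    Returns (code, last_line); the last line of a multi-line reply starts with 'code '.
    """
    line = _readline(sock)
    if len(line) >= 4 and line[3] == "-":
        code = line[:3]
        while line and not line.startswith(code + " "):
            line = _readline(sock)
    return line[:3], line


def serve_ftp_stub(conn, allow_anonymous, banner="220 (vsFTPd 1.1.3)"):
    """Constructed stub: just enough of an FTP server's login dialogue for the check below."""
    conn.sendall((banner + "\r\n").encode())
    user = None
    while True:
        line = _readline(conn)
        if not line:
            break
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            reply = "331 Please specify the password."
        elif cmd == "PASS":
            granted = user == "anonymous" and allow_anonymous
            reply = "230 Login successful." if granted else "530 Login incorrect."
        elif cmd == "QUIT":
            conn.sendall(b"221 Goodbye.\r\n")
            break
        else:
            reply = "530 Please login with USER and PASS."
        conn.sendall((reply + "\r\n").encode())
    conn.close()


def check_anonymous_ftp(sock, user="anonymous", password="mozilla@example.com"):
    """Client side: does the server grant a session to the anonymous user?"""
    code, banner = read_reply(sock)
    result = {"banner": banner, "anonymous": False, "reply": banner}
    if code != "220":                       # not a usable FTP greeting
        return result
    sock.sendall(f"USER {user}\r\n".encode())
    code, reply = read_reply(sock)
    if code == "331":                       # password wanted: send the e-mail-style one
        sock.sendall(f"PASS {password}\r\n".encode())
        code, reply = read_reply(sock)
    result["reply"] = reply
    result["anonymous"] = code == "230"     # 230 = logged in, 530 = refused
    sock.sendall(b"QUIT\r\n")
    read_reply(sock)
    return result


def run_check(allow_anonymous):
    """Wire client and stub together over a socketpair so the exchange runs offline."""
    server_end, client_end = socket.socketpair()
    worker = threading.Thread(target=serve_ftp_stub, args=(server_end, allow_anonymous), daemon=True)
    worker.start()
    try:
        return check_anonymous_ftp(client_end)
    finally:
        client_end.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    for allowed in (True, False):
        print("anonymous_enable=%s -> %s" % (allowed, run_check(allowed)))
```

read_reply handles the multi-line greeting form (220-... then 220 ...) that many real servers send before the login prompt, which a naive "read one line" client would misparse as the reply to USER.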
In a short amount of time and with very little work, we are able to acquire a great deal of information about the hosts on our network, giving us a much better picture of what we are facing when conducting our penetration test.