Close
Notification:  
Professional
Login
Loading

Writing your own Scanner

There are times where you may need a specific scanner, or having scan activity conducted within Metasploit would be easier for scripting purposes than using an external program. Metasploit has a lot of features that can come in handy for this purpose, like access to all of the exploit classes and methods, built in support for proxies, SSL, reporting, and built in threading. Think of instances where you may need to find every instance of a password on a system, or a scan for a custom service. Not to mention, it is fairly quick and easy to write up your own custom scanner.

We will use this very simple TCP scanner that will connect to a host on a default port of 12345 which can be changed via the module options at run time. Upon connecting to the server, it sends 'HELLO SERVER', receives the response and prints it out along with the IP address of the remote host.

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'My custom TCP scan',
'Version' => '$Revision: 1 $',
'Description' => 'My quick scanner',
'Author' => 'Your name here',
'License' => MSF_LICENSE
)
register_options( [
Opt::RPORT(12345)
], self.class)
end
def run_host(ip)
connect()
sock.puts('HELLO SERVER')
data = sock.recv(1024)
print_status("Received: #{data} from #{ip}")
disconnect()
end
end
We save the file into our ./modules/auxiliary/scanner/ directory as 'simple_tcp.rb' and load up msfconsole. It's important to note two things here. First, modules are loaded at run time, so our new module will not show up unless we restart our interface of choice. The second being that the folder structure is very important, if we would have saved our scanner under ./modules/auxiliary/scanner/http/ it would show up in the modules list as 'scanner/http/simple_tcp'.

To test this scanner, set up a netcat listener on port 12345 and pipe in a text file to act as the server response.

root@bt4:~/docs# nc -lnvp 12345 < response.txt
listening on [any] 12345 ...
Next, you select your new scanner module, set its parameters, and run it to see the results.

msf > use scanner/simple_tcp
msf auxiliary(simple_tcp) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf auxiliary(simple_tcp) > run

[*] Received: hello metasploit from 192.168.1.101
[*] Auxiliary module execution completed

As you can tell from this simple example, this level of versatility can be of great help when you need some custom code in the middle of a penetration test. The power of the framework and reusable code really shines through here.



© Offensive Security 2009