Metasploit: Advanced Discovery


Jarret W. Buse

Metasploit: Advanced Discovery

Now that we have a basic understanding of discovering hosts on the network, we can look a little deeper into finding more details about the hosts which have been found.

So far, we have a way to find the IP Address, MAC Address and possibly the Operating System of a host. We can look deeper into finding the NetBIOS Name as well as open ports.

The NetBIOS name is mainly used with Windows. The NetBIOS name is used on a Local Area Network (LAN) similar to the Domain Name over the Internet. The NetBios name, or system name, is kept on a Windows Internet Name Service (WINS) Server with the system's IP Address. The WINS server allows for name resolution on the LAN. So, when scanning for NetBIOS names, only systems such as Windows Operating System (OS) or a Linux system running Samba. other Operating Systems running any type of NetBIOS Service will respond to the NetBIOS Name Service module.

Looking at my Hosts output in “msfconsole”, shown in Figure 1, the column for “name” is empty. We will look into filling in that column.



To load the module to scan for NetBIOS names, type the command “use auxiliary/scanner/netbios/nbname” in “msfconsole”. Type “show options” so we can see what needs to be entered to fulfill the module, as shown in Figure 2.



All we need to enter is the target hosts (RHOSTS), but other options can be changed. In this case, I will show you how to make a change which will remain until “msfconsole” is closed. If we are going to run a few modules, we can set an option to remain global. So, let's set the RHOSTS option globally to “”. The command is “setg RHOSTS”. The “setg” command makes the value for the given option global. Of course, you need to set the RHOSTS for your network subnet. Also, change the THREADS to a value of at least “20” by “setg THREADS 20”.

Using the “show options” command, you can see that the settings are set properly as shown in Figure 3.



To start the module to scan for NetBIOS names, enter “run” into the “msfconsole”. The scan should proceed and show which IP Addresses returned a NetBIOS value as shown in Figure 4. In Figure 5, you can see what has changed when using the “hosts” command.





Since the system at is the only Windows system or only system running a NetBIOS Service, it is the only one to return a NetwBIOS name.

There are two ways to perform a scan for ports. One is more stealthy to prevent detection by an Intrusion Detection System (IDS).

The stealthy scan uses the module with the command “use scanner/portscan/syn”. Using the “show options” command, you will see an output similar to Figure 6. The figure shows that my global setting for RHOSTS and THREADS are still being used. The option for PORTS shows that the first 10,000 ports will be scanned. We can change this to any number up to the maximum of 65,535 ports. Scanning the maximum could take quite a while to accomplish. Change the PORTS to “1000”. Set the INTERFACE, if you want, especially on a system with more than one Network Interface Card (NIC). Enter “run” to start the scan. Since the scan is a stealth scan, it will take longer than the other method. The method uses Synchronized (SYN) packets to initiate a connection to an IP address and Port, and if the port is accepting connections it will respond to the sending system. The response allows Metasploit to know that the port is open. Metasploit does not respond back to open the connection, so the connection is not completed. Since no connection is opened, it is considered stealth.



The second method is to perform a TCP Port Scan which does create a connection, making it non-stealthy. To load the module, use the command “use auxiliary/scanner/portscan/tcp”. Set the appropriate options and then type “run”. The results should be the same, but if an IDS is present it should detect what you are doing and alert an administrator. The output for the findings are shown in Figure 7.



Keep in mind that some ports are always open while others are opened only when in use by a specific application. For example, on most systems, Port 80 is opened when using a browser. Once the user closes the Internet Browser, the port is closed again. Some systems may leave Port 80 open at all times. For this reason, a port scan done at one time may have different findings than at other times. Another possibility is that a firewall is enabled on a system which handles the ports differently. They may allow only outgoing packets on some ports while others allow incoming as well.


Members online