Metasploit: Basic Discovery

J

Jarret W. Buse

Guest
Metasploit: Basic Discovery

Discovering the information of computer systems can be a very important aspect of finding vulnerabilities. Keeping systems safe from attacks can be a very important aspect of dealing with a network or a web server.

For Metasploit, you can look over your network systems or a system on the Internet.

First, let's look over discovering local systems.

Once Metasploit is installed, make sure your services are running if you did not select them to be auto-started. Use the command “sudo service metasploit start”. After it is started, use the command “sudo msfconsole” to bring up the Metasploit Framework Console.

Metasploit uses a database to store information about local systems. It is this database we will use to check for information as we find it.

Let's start by finding all the systems on the network which are powered on, as well as a little information about them. To do a simple network scan, we will do an ARP Sweep.

The Address Resolution Protocol (ARP) is a non-routable protocol. It is non-routable since it is a broadcast sent out on the local subnet asking for the owner of an IP address. The system which has the IP address (receiving system) will respond to the broadcast. The Host system sending the ARP request has included its IP and MAC address in the packet. The receiving host will send a response to the Host system using the included IP and MAC address. Any packet sent on the network includes the IP and MAC address of the sending and receiving Host.

When performing a simple ARP Sweep, all Hosts online will respond to the request and Metasploit will receive the system's MAC address as well as be aware that the IP Address is in use.

In MSF, type the following commands:

use auxiliary/scanner/discovery/arp_sweep

set INTERFACE int0

set RHOSTS subnet

set THREADS 20


NOTE: For int0, use your network interface name such as “wlan0” or “eth0”. This is useful for systems with multiple network cards. For subnet, use your subnet address range or CIDR. For example, all of 192.168.2.x would be “192.168.2.0/24” or “192.168.2.1-254”. My screen shows the settings in Figure 1.

Figure1.jpg

FIGURE 1

Once all the entries are made, you can type “show options” to make sure the entries are correct. If they are correct, type “run” and press ENTER to start the scan.

Responding systems should cause an entry to be listed on the screen. Once done, type “hosts” and press ENTER to see a listing of found items. My listing is shown in Figure 2.

Figure2.jpg

FIGURE 2

Now, there are two items to mention about the scan. The scan will not include your Metasploit system. My system running Metasploit has an IP address of 192.168.2.201 which is not listed as found by the ARP Sweep. The second item to note is that Android systems will not respond to an ARP request unless they are using the Network. Be aware, an Android device must be connected to the network and performing some task to acknowledge an ARP request. The connection may be that it is on the Internet via a browser, apps store or an app that connects to a server such as “Clash of Clans”.

A minor note is to reiterate that ARP does not go past a router, so it is only for your local subnet. If your network is connected to the Internet, you will not get information about Internet systems.

The database now has a listing of available active devices on the network. It would be nice to know what Operating System (OS) the devices were using as well as any other information that could be gained from them. Our next step is to use Network Mapper (Nmap).

Nmap is a very powerful tool which is useful for finding security issues on the network. Be aware, if you can run these scans on the network, so can anyone else with access to your network.

Since we have a database going in Metasploit, we can continue to populate it with information as we go. The command we will use in Metasploit is “db_nmap”. The “db” shows that nmap is using the database for existing information, when needed, as well as placing newly found data into it.

In MSF, type the following commands:

db_nmap -T4 -A -sV -O -vv subnet

NOTE: The subnet is your network addresses as defined before in this article. For example, my command would be “db_nmap -T5 -A -sV -O -vv 192.168.2.0/24” to scan the whole subnet of 192.168.2.0. Keep in mind that the nmap command can be used without having to do an ARP Sweep.

The option “-T5” specifies the speed of the scan. The values allowed are 0-5 where 0 will take longer and level 5 will finish faster. The “-sV” parameter searches for the OS Version. The “-O” option checks for the OS itself. The “-A” parameter is the same as “-sV -O”, which makes it redundant. By using “-vv”, there is more verbosity displayed than when using “-v”.

NOTE: Systems which use an Intrusion Detection software system may have issues with performing long and intensive scans.

The results of “hosts” after doing this are shown in Figure 3.

Figure3.jpg

FIGURE 3

My systems are as follows:

  • 192.168.2.1 – Belkin WiFi Router
  • 192.168.2.2 – Windows XP SP3
  • 192.168.2.3 – Linux Ubuntu
  • 192.168.2.9 – Android Phone
  • 192.168.2.10 – Android Tablet
  • 192.168.2.11 – XBOX 360

Hopefully, you have a basic understanding of Metasploit and can see its uses to scan your system for basic information. In the next article, we can scan for open ports to see what could pose a vulnerability.
 

Attachments



Members online


Top