Metasploit: Port Use

J

Jarret W. Buse

Guest
Metasploit: Port Use

Now that we have a better understanding of discovering hosts on the network, finding NetBIOS names and even open ports, we have a basic starting point.

Before we get into using ports on Metasploit, let's look at another program that can be used to find open ports as well as the same information we already have found. The other program allows for a Graphical User Interface for NMap (Network Mapper).

NMap is the powerhouse behind a lot of security scanners. More information on NMap can be found at www.nmap.org.

The second program to be used is called Zenmap. Here, you can see the use of NMap by “Ze-nmap”. For Debian systems, it is easy to find Zenmap in Synaptic.

Once Zenmap is installed, go to a terminal prompt and type “sudo zenmap”. Zenmap needs to be started as root just as Metasploit. If any messages appear, simply answer them to get to Zenmap. Zenmap should appear similar to Figure 1.

Figure 1.jpg

FIGURE 1

In the Target text box you can enter an IP Address for a single target (192.168.2.2), target range (192.168.2.2-10), target systems (192.168.2.2, 192.168.2.3), or a whole subnet (192.168.2.0/24).

In the Command text box you can see the current NMap command, which will be executed if you select the “Scan” button. The command can be manually edited if you choose to do so.

If needed, you can select a Profile to change the NMap settings to a pre-defined set. All you need to do is specify the Target and select “Scan”.

Once you perform a scan, any found systems should appear in the lower left box. By selecting a system, more information can be then be found in the lower right box of the window. The target OS, MAC Address, number of ports scanned, open and closed ports, and many other useful items will be listed.

We already know from the article “Metasploit: Advanced Discovery” how to find open ports. You may wonder, what use is that to someone?

An open port on a computer is the same thing as an open window or door to a house. Easy access is permitted to anyone who wants to gain access.

NOTE: Most people would not exploit a system which is not their own. It is important to remember that it is needed at times to scan your own systems to be aware of what ports or vulnerabilities are open. If a window or door was open in your house, you would want to close them to keep others out. The same philosophy is true to keep your systems and data safe from hackers.

Once a scan is completed on a system, you can click on the system IP Address in the left pane and then click on the “Host Details” tab on the right. You should see something similar to Figure 2.

Figure 2.jpg

FIGURE 2

From the figure you can see that the system was detected as a Windows XP SP2 or a Windows Server 2003. In this case, it was Windows XP SP2. The older version, XP SP2, is used to allow for more vulnerabilities which can be exploited.

If the tab “Ports/Hosts” were clicked, you should see a list of open ports. Both TCP and UDP ports are shown in Figure 3.

Figure 3.jpg

FIGURE 3

Also, you can see what possible applications have the ports open. As shown, Port 30,000 was opened by uTorrent. In this case, it is true since I opened the port on purpose to show how well the scanner works. Zenmap shows a wealth of information, especially for scanned Windows Systems.

In Zenmap, scans can be saved by selecting “Scan” from the menu, then click “Save Scan”. Enter a name and folder in which to place the saved scan. Leave the output as an XML file. You can load the save later in Zenmap or import it into Metasploit. To import the scan in Metasploit, type “db_import /folder/filename” at the “msf >” prompt. Fill in the location of the scan in the “/folder/” and the scan's filename in “filename”. After it is imported you can type “hosts” to see the imported information.

Now, for scanning a Linux system another Port Scanner works better to find the application which opened a port. The scanner is Netcat. If your system does not have Netcat you can install either “netcat-openbsd” or “netcat-traditional” to get the command.

If I run Zenmap on a Linux system and see that Port 22 is open, as shown in Figure 4, it shows it is SSH.

Figure 4.jpg

FIGURE 4

For more information about the process which opened the port, we use Netcat and pass it the IP Address and Port number. So, to run Netcat on the system and port as shown in Figure 4, the command would be “nc 192.168.2.3 22”.

The response given back from the command is “SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1”. If I look at the physical Linux system I can find the version for SSH is “2.0” and also OpenSSH which is “6.7p1 Ubuntu-5ubuntu1”.

Running a port scan in Metasploit shows that Port 22 is open for SSH on the system 192.168.2.3. The command I ran was “nmap -vv 192.168.2.3”. The information is basic, but does help a little.

NOTE: From an “msf >” prompt I can run a netcat command, as well.

Now that we have a list of open ports and what program is behind the port, you can look on the Internet for vulnerabilities. Two good sites to check are https://www.grc.com/portdatahelp.htm or http://exploit-db.com/search.

On the GRC website, type in the Port Address you need to learn about. Some ports offer a wealth of information.

Another option is to Google a port, OS, and the word “exploit” or “hack” to find a weakness.

Perform some of these tests to be familiar with the use of the applications and finding the information you need.
 

Attachments



Members online


Latest posts

Top