Your goals during information gathering should be to gain accurate information about your targets without revealing your presence or your intentions, to learn how the organization operates, and to determine the best route in. Metasploit is an excellent console for information gathering; it is a very comprehensive penetration testing tool. In this article, I am going to cover information gathering across a whole network using Metasploit.
Information gathering requires careful planning, research, and, most importantly, the ability to think like an attacker. At this step, you will attempt to collect as much information about the target environment as possible.
There are two types of information gathering: passive and active.
1) Passive Information Gathering:-
Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and the web server software in use on the target without ever touching their systems.
2) Active Information Gathering:-
In active information gathering, we interact directly with a system to learn more about it. We might conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation.
But beware: if you get careless during active information gathering, you might be nabbed by an IDS or intrusion prevention system (IPS).
Starting msfconsole
•First, we start the database
#service postgresql start
•then start the Metasploit service
#service metasploit start
•now start msfconsole.
#msfconsole
•now, we’ll use db_status to make sure that we’re connected correctly.
Importing Nmap Results into Metasploit
When you are working with other team members, with various individuals scanning at different times and from different locations, it helps to know how to import a basic nmap-generated XML export file into the Framework.
First, we scan the Windows virtual machine using the -oX option to generate a Target.xml file.
#nmap -Pn -sS -A -oX Target.xml 192.168.20.0/24
After generating the XML file, we use the db_import command to import it into our database. We can then verify that the import worked by using the “hosts” command, which lists the host entries that have been created, as shown here:
msf > db_import Subnet1.xml
msf > hosts
Running Nmap from MSFconsole
Now that we’ve performed advanced enumeration on our target, let’s connect nmap with Metasploit. We should be able to enter the db_nmap command from within msfconsole to run nmap and have its results automatically stored in our new database.
msf > db_nmap -sS -A 172.16.32.131
To check that the results from the scan are stored in the database, we run db_services.
msf > db_services
Port Scanning with Metasploit
Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. We’ll use these port scanners to leverage compromised systems to access and attack further targets.
To see the list of port scanning tools that the Framework offers, enter the following.
msf > search portscan
Let’s conduct a simple scan of a single host using Metasploit’s SYN Port Scanner. In the following listing, we start the scan with use scanner/portscan/syn, set RHOSTS to 192.168.20.0/24, set THREADS to 100, and then run the scan.
msf > use scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 192.168.20.0/24
RHOSTS => 192.168.20.0/24
msf auxiliary(syn) > set THREADS 100
THREADS => 100
msf auxiliary(syn) > run
Server Message Block Scanning
Metasploit can attempt to identify versions of Microsoft Windows using its smb_version module, so we use smb_version, set RHOSTS, and begin scanning.
msf > use scanner/smb/smb_version
The results of this scan are stored in the Metasploit database for use at a later time and can be accessed with the “hosts” command.
msf auxiliary(smb_version) > hosts
We have discovered a system running Windows XP without having to do a full scan of the network.
Gathering MS SQL Server Information
Many system administrators don’t even realize that they have MS SQL servers installed on their workstations at all, because the service is installed as a prerequisite for some common software, such as Microsoft Visual Studio.
When MS SQL is installed, it listens by default either on TCP port 1433 or on a random dynamic TCP port. If MS SQL is listening on a dynamic port, simply query UDP port 1434 to discover on what dynamic TCP port MS SQL is listening.
Metasploit has a module that can make use of this “feature”: mssql_ping. It uses UDP. When Metasploit finds MS SQL servers, it displays all the details it can extract from them including, perhaps most importantly, the TCP port on which the server is listening.
Now use mssql_ping:
msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf auxiliary(mssql_ping) > run
As you can see, not only does the scanner locate an MS SQL server, but it also identifies the instance name, the SQL Server version, and the TCP port number on which it is listening.
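The UDP 1434 reply that mssql_ping reads is a documented format (Microsoft’s SQL Server Resolution Protocol, MC-SQLR): one status byte 0x05, a two-byte little-endian length, then ';'-separated key/value pairs with each instance terminated by ";;". Here is an added decoder for that reply (not code from the article or from Metasploit), useful for inventorying which instances and TCP ports a host is advertising; the server name, instance names and ports in the sample are constructed.

```python
# Added example (not from the original article or Metasploit): decode the
# reply that a SQL Server instance sends on UDP 1434, which is how mssql_ping
# learns the dynamic TCP port. Format per Microsoft's MC-SQLR specification:
# one byte 0x05, a 2-byte little-endian length, then ';'-separated key/value
# pairs, with each instance's record terminated by ";;".
import struct

# Constructed sample: two instances, one on the default port and one dynamic.
RECORDS = ("ServerName;WINXP-LAB;InstanceName;MSSQLSERVER;IsClustered;No;"
           "Version;9.00.1399.06;tcp;1433;np;\\\\WINXP-LAB\\pipe\\sql\\query;;"
           "ServerName;WINXP-LAB;InstanceName;SQLEXPRESS;IsClustered;No;"
           "Version;9.00.1399.06;tcp;49172;;").encode("ascii")
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(RECORDS)) + RECORDS

def parse_ssrp_response(data):
    """Return a list of {field: value} dicts, one per instance in the reply."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue  # trailing empty piece after the last ";;" terminator
        fields = record.split(";")
        # fields come in key,value pairs; an odd trailing element is ignored
        info = dict(zip(fields[0::2], fields[1::2]))
        if "tcp" in info:
            info["tcp"] = int(info["tcp"])
        instances.append(info)
    return instances

def exposed_tcp_ports(data):
    """Map instance name -> TCP port, the detail a defender wants to inventory."""
    return {i["InstanceName"]: i.get("tcp") for i in parse_ssrp_response(data)}
```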
Gathering SSH Server Information:-
If during your scanning you target machines running Secure Shell (SSH), you should determine which version is running on the target.
SSH is a secure protocol, but vulnerabilities in various implementations have been identified. You never know when you might get lucky and come across an old machine that hasn’t been updated. You can use the Framework’s ssh_version module to determine the SSH version running on the target server.
msf > use scanner/ssh/ssh_version
Scanning FTP Version:
FTP servers are often the easiest way into a target network, and you should always scan for, identify, and fingerprint any FTP servers running on your target. Depending on the vulnerability you find, you can launch an attack and gain access to the target system.
Here we use the ftp_version module for scanning the FTP server.
msf > use scanner/ftp/ftp_version
The scanner successfully identifies an FTP server. Now let’s see if this FTP server allows anonymous logins. Here we use “scanner/ftp/anonymous”.
The scanner reports that anonymous access is allowed and that anonymous users have read access to the server. In other words, we have only read access to the remote system and the ability to read any file that can be accessed by the FTP server software.
That is how we can do information gathering using the Metasploit console. Probably in my next article, I will move towards vulnerability scanning and later on exploitation.
Special Thanks to Mr Bhargav Tandel for his valuable contribution in this article. Thank you and keep rocking.
3 comments:
Thank you so much @chintan
Hey! These guys copied you: http://lucideustech.blogspot.in/2014/05/metasploit-part-13-information-gathering.html
It’s me, the same author, who is copy-pasting articles on both blogs here and there, so no need to worry.