Metasploitable: Scanning for Network Services with Metasploit
Source: https://cyberarms.wordpress.com/tag/metasploitable-tutorial/
[Screenshot: msfconsole started, then the commands “search scanner” and “search ssh scanner”]
Read down through the massive list to see what is available. For this tutorial let’s focus on the ports that we found open. Let’s search for only ssh scanners:
Notice that several are available; we only want version information for now, so we will use the SSH version scanner. Simply “use” the module, then “show options” to see what options it takes. In this case all we set was “RHOSTS”, the remote host, which is our target.
Then just type “exploit” to run:
We see that our target is indeed running an SSH server and we see what version of the software is operating.
Some of the scanners are more helpful than others. For example, if we use the MySQL version scanner we get this:
The full version of MySQL that is running. Others aren’t quite as helpful; let’s look at Telnet:
Hmm… it just looks like a banner grab, with no hint as to what version of the software is running. But it is proof that there is something there.
What is also interesting is that these scanner modules have different options that we can set. For instance, let’s run the SMB scanner:
Okay, we put in 192.168.12.20, it scanned that host, and it returned the version of Samba that was running on it. But what if we wanted to scan the whole network for systems running Samba? This is where the beauty of the RHOSTS option comes into play. Instead of scanning a single host, let’s scan all 256 addresses on the 192.168.12.0 network.
We use the exact same module, but modify the RHOSTS option like so:
Notice now it scanned all 256 hosts on the network and found Samba running on our Metasploitable 2 machine at 192.168.12.20!
This makes things much easier if you are just scanning for certain services running on a network. I set the threads command too. I believe this comes set to “1” by default. If you are scanning a local LAN, you can bump this up to 255 to make it go faster, or up to 50 if testing a remote network.
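To show what these version scanners do under the hood, here is an added Python example (not part of this tutorial and not Metasploit code): it expands an RHOSTS value to every address in a single host or a /24, banner-grabs each host with a THREADS-sized worker pool, and parses the SSH protocol and software version out of the banner the way the SSH version scanner reports it. The sample banner used for testing is constructed, not captured from a real host.

```python
# Added example (not from the tutorial): a minimal stand-in for a Metasploit
# version scanner. RHOSTS is expanded to a host list, each host is
# banner-grabbed by a thread pool (THREADS), and the SSH identification
# string is parsed into (protocol, software).
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def expand_rhosts(rhosts):
    """Expand '192.168.12.20' or '192.168.12.0/24' into a list of address strings.
    Like Metasploit, a /24 yields all 256 addresses (network and broadcast included)."""
    net = ipaddress.ip_network(rhosts, strict=False)
    return [str(addr) for addr in net]


def parse_ssh_banner(banner):
    """Parse an SSH identification string such as b'SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1'.
    Returns (protocol, software) or None if the banner is not an SSH banner."""
    lines = banner.decode("ascii", "replace").splitlines()
    if not lines or not lines[0].startswith("SSH-"):
        return None
    parts = lines[0].strip().split("-", 2)  # 'SSH', protoversion, softwareversion
    if len(parts) < 3:
        return None
    return parts[1], parts[2]


def grab_ssh_version(host, port=22, timeout=2.0):
    """Connect to host:port, read the server's banner, return (host, parsed-or-None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return host, parse_ssh_banner(sock.recv(256))
    except OSError:  # refused, timed out, unreachable, or sockets not permitted
        return host, None


def scan(rhosts, threads=50):
    """Scan every host in RHOSTS with `threads` workers; return {host: (proto, software)}
    for the hosts that answered with an SSH banner."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = pool.map(grab_ssh_version, expand_rhosts(rhosts))
    return {host: parsed for host, parsed in results if parsed}


if __name__ == "__main__":
    # Same range as the tutorial's RHOSTS example.
    for host, (proto, software) in scan("192.168.12.0/24").items():
        print(f"{host}: SSH protocol {proto}, {software}")
```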
Let’s use another scanner; this time let’s look for FTP servers. We won’t scan for version information (though we could); instead, let’s try the FTP anonymous scanner. This one scours a network and looks for FTP services that allow Read, Write, or both to an anonymous user.
Just search for FTP scanner and use “ftp anonymous scanner”.
As you can see, this FTP server allows Read access to anonymous users. It would have been better if it also allowed Write access, but this shows that we can check for certain vulnerabilities very easily with the included scanners.
Well, that’s it for this tutorial. Next time we will look at using information obtained from a scan to find and use a root level exploit on the Linux Metasploitable box!
(Want to learn a LOT more about penetration testing with Metasploit on the Backtrack platform? Check out the Bible of pentesting with Metasploit, “Metasploit: The Penetration Tester’s Guide”.)