Introduction - Prerequisites
For this introduction I use the Kali Linux distribution: https://www.kali.org/downloads/
Download the Kali Linux distribution and install it in your virtual environment.
I will also make heavy use of the Metasploit Framework https://www.metasploit.com/, which is included in Kali Linux. Metasploit is a collection of many tools that we can use to do all sorts of scanning, testing and exploiting of hosts. It also comes with a PostgreSQL database and its own shell, which we will use to access everything in the framework.
To be able to use all the tools in Metasploit when running Kali Linux out of the box, you have to make some minor tweaks to allow the Metasploit tools to capture packets on your network interface(s). This is especially relevant if you get this error message when trying to run some of the modules in Metasploit: Auxiliary failed: RuntimeError don't have permission to capture on that device
- create a new group 'pcap' and add my user to it.
- change the group on the tcpdump and ruby2.5 binaries (Metasploit is written in Ruby, hence the ruby binary).
- set file capabilities to allow raw packets and various admin tasks. Read more about capabilities here: https://linux.die.net/man/7/capabilities
- read back the file capabilities to confirm the previous commands worked as intended.
The commands I used:
username@kali:~$ sudo groupadd pcap
username@kali:~$ sudo usermod -a -G pcap username
username@kali:~$ sudo chgrp pcap /usr/sbin/tcpdump
username@kali:~$ sudo chgrp pcap /usr/bin/ruby2.5
username@kali:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
username@kali:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/ruby2.5
username@kali:~$ sudo /usr/sbin/getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
username@kali:~$ sudo /usr/sbin/getcap /usr/bin/ruby2.5
/usr/bin/ruby2.5 = cap_net_admin,cap_net_raw+eip
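As an added pre-flight check (my own script, not part of the original article), the following verifies that the capability setup above took effect and flags the least-privilege gap it leaves. A file capability is granted to any process that executes the file, so the chgrp to 'pcap' only limits who gets raw-socket access if the binary is also not executable by 'others', and putting the capability on the ruby2.5 interpreter hands it to every Ruby program run through that binary, not just Metasploit. The getcap output is parsed from strings so the checks work without the binaries present; the real-binary check only runs where getcap exists, and the two getcap output formats it understands are those of older and newer libcap releases.

```python
"""Added pre-flight check, not part of the original article: confirm the
capability setup took effect and flag binaries that are still executable by
everyone (in which case the group restriction does nothing)."""
import os
import shutil
import stat
import subprocess

REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}


def parse_getcap(line):
    """Parse one getcap line into (path, set_of_caps, flags).
    Older libcap prints '/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip',
    newer releases print '/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip'.
    Only the first capability clause is read; a line with no clause (a
    file without capabilities) yields an empty set."""
    line = line.strip()
    if not line:
        return "", set(), ""
    parts = line.replace(" = ", " ", 1).split(None, 1)
    path = parts[0]
    if len(parts) < 2:
        return path, set(), ""
    clause = parts[1].split()[0]
    for sep in ("+", "="):
        if sep in clause:
            caps, flags = clause.split(sep, 1)
            return path, set(caps.split(",")), flags
    return path, set(), ""


def caps_sufficient(caps, flags):
    """True when both required capabilities are present in the effective
    and permitted sets, which is what '=eip' in the setup asks for."""
    return REQUIRED_CAPS <= caps and {"e", "p"} <= set(flags)


def world_executable(mode):
    """True when the mode bits let every user execute the file, so the
    chgrp to 'pcap' does not limit who receives the capability."""
    return bool(mode & stat.S_IXOTH)


def check_binary(path):
    """Inspect a real binary.  Returns None when getcap or the file is
    missing, otherwise {'caps_ok': bool, 'world_executable': bool}."""
    getcap = shutil.which("getcap") or "/usr/sbin/getcap"
    if not os.path.exists(path) or not os.path.exists(getcap):
        return None
    out = subprocess.run([getcap, path], capture_output=True, text=True).stdout
    _, caps, flags = parse_getcap(out)
    return {
        "caps_ok": caps_sufficient(caps, flags),
        "world_executable": world_executable(os.stat(path).st_mode),
    }


if __name__ == "__main__":
    # The two binaries the article changes; paths are the article's own.
    for binary in ("/usr/sbin/tcpdump", "/usr/bin/ruby2.5"):
        result = check_binary(binary)
        if result is None:
            print("%s: not checked (file or getcap missing)" % binary)
            continue
        print("%s: capabilities %s, world-executable %s" % (
            binary,
            "ok" if result["caps_ok"] else "MISSING",
            "yes (group restriction ineffective)" if result["world_executable"] else "no"))
```

Run it after the setup commands; a binary reported as world-executable still grants raw-socket capability to every local user, which is worth knowing on a shared machine.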
Finding and scanning hosts
There are multiple ways to scan for and find the hosts you want to test against. At this point I want to find live hosts as fast as possible, and I make no attempt to be stealthy.
When launching the Metasploit Framework from Kali Linux we already have a PostgreSQL database that we can use to store things in. The data inserted into this database is persistent across reboots and can be exported out of Metasploit (e.g. for use with other tools). But the most useful feature is probably that you can feed the various modules and scripts in Metasploit with information from the database.
Start metasploit from the menu inside Kali:
> Executing “sudo msfdb init && msfconsole”
[sudo] passord for username:
[i] Database already started
[i] The database appears to be already configured, skipping initialization

[Metasploit ASCII-art banner omitted]

       =[ metasploit v5.0.83-dev                          ]
+ -- --=[ 1994 exploits - 1090 auxiliary - 340 post       ]
+ -- --=[ 560 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

msf5 >
The first thing we want to find is some live hosts that we can test against.
Let's query the database for any hosts:
msf5 > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------
As expected it is empty. Let's use nmap to scan our network segment. In Metasploit we can use the db_nmap command, which runs an nmap scan AND records its findings in our database.
- -sn: tells nmap not to do a port scan after host discovery. This is commonly known as a ping sweep.
- 192.168.219.0/24: the network segment you want to scan.
PS: db_nmap can take all the normal nmap options and parameters.
Read more about nmap here: https://nmap.org/
msf5 > db_nmap -sn 192.168.219.0/24
[*] Nmap: 'Warning: You are not root -- using TCP pingscan rather than ICMP'
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 09:35 CEST
[*] Nmap: Nmap scan report for 192.168.219.2
[*] Nmap: Host is up (0.0013s latency).
[*] Nmap: Nmap scan report for 192.168.219.128
[*] Nmap: Host is up (0.0100s latency).
[*] Nmap: Nmap scan report for 192.168.219.130
[*] Nmap: Host is up (0.00080s latency).
[*] Nmap: Nmap scan report for 192.168.219.131
[*] Nmap: Host is up (0.0017s latency).
[*] Nmap: Nmap scan report for 192.168.219.132
[*] Nmap: Host is up (0.0040s latency).
[*] Nmap: Nmap scan report for 192.168.219.138
[*] Nmap: Host is up (0.0034s latency).
[*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 1.08 seconds
msf5 > hosts

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2
192.168.219.128
192.168.219.130
192.168.219.131
192.168.219.132
192.168.219.138
We now have a list of 6 hosts on our network.
If we power down one of the hosts and run the db_nmap command again, the previously live host is not removed from the database. This means that if you always want an up-to-date list of live hosts, you have to empty the hosts table before scanning:
msf5 > hosts -d

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2
192.168.219.128
192.168.219.130
192.168.219.131
192.168.219.132
192.168.219.138

[*] Deleted 6 hosts
msf5 > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------
So this is how you find the hosts you want to play with. Next up is to try to determine some information about the hosts.
We now have a list of hosts that we know are alive and can be probed. There are multiple ways to do this, but we are going to do what is called a port scan, and instead of db_nmap we are using normal nmap.
- -v: verbose output; add more v's to get more verbosity.
- -sV: probe open ports to determine service/version info.
- 192.168.219.0/24: the network segment you want to scan.
- -oA: write the results in the three major output formats (normal, grepable and XML) at once.
msf5 > nmap -v -sV 192.168.219.0/24 -oA ~/result_1
[*] exec: nmap -v -sV 192.168.219.0/24 -oA ~/result_1

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 10:08 CEST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 10:08
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 10:08, 2.42s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 10:08
Completed Parallel DNS resolution of 256 hosts. at 10:08, 0.03s elapsed
Nmap scan report for 192.168.219.0 [host down]
... a lot of "host down" lines here ...
Nmap scan report for 192.168.219.255 [host down]
Initiating Connect Scan at 10:08
Scanning 6 hosts [1000 ports/host]
Discovered open port 22/tcp on 192.168.219.132
Discovered open port 80/tcp on 192.168.219.132
Discovered open port 25/tcp on 192.168.219.132
Discovered open port 111/tcp on 192.168.219.132
Discovered open port 23/tcp on 192.168.219.132
Discovered open port 139/tcp on 192.168.219.132
Discovered open port 21/tcp on 192.168.219.132
Discovered open port 53/tcp on 192.168.219.132
Discovered open port 445/tcp on 192.168.219.132
Discovered open port 3306/tcp on 192.168.219.132
Discovered open port 5900/tcp on 192.168.219.132
Discovered open port 6000/tcp on 192.168.219.132
Discovered open port 1524/tcp on 192.168.219.132
Discovered open port 6667/tcp on 192.168.219.132
Discovered open port 1099/tcp on 192.168.219.132
Discovered open port 2121/tcp on 192.168.219.132
Discovered open port 8009/tcp on 192.168.219.132
Discovered open port 8180/tcp on 192.168.219.132
Discovered open port 5432/tcp on 192.168.219.132
Discovered open port 514/tcp on 192.168.219.132
Discovered open port 512/tcp on 192.168.219.132
Discovered open port 2049/tcp on 192.168.219.132
Discovered open port 513/tcp on 192.168.219.132
Completed Connect Scan against 192.168.219.2 in 0.34s (5 hosts left)
Completed Connect Scan against 192.168.219.130 in 0.34s (4 hosts left)
Completed Connect Scan against 192.168.219.131 in 0.34s (3 hosts left)
Completed Connect Scan against 192.168.219.138 in 0.34s (2 hosts left)
Completed Connect Scan against 192.168.219.132 in 0.34s (1 host left)
Completed Connect Scan at 10:08, 6.00s elapsed (6000 total ports)
Initiating Service scan at 10:08
Scanning 23 services on 6 hosts
Completed Service scan at 10:09, 11.08s elapsed (23 services on 6 hosts)
NSE: Script scanning 6 hosts.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.14s elapsed
Initiating NSE at 10:09
Completed NSE at 10:09, 0.04s elapsed
Nmap scan report for 192.168.219.2
Host is up (0.0014s latency).
All 1000 scanned ports on 192.168.219.2 are closed

Nmap scan report for 192.168.219.128
Host is up (0.00084s latency).
Not shown: 972 closed ports
PORT      STATE    SERVICE            VERSION
99/tcp    filtered metagram
366/tcp   filtered odmr
800/tcp   filtered mdbs_daemon
1002/tcp  filtered windows-icfw
1069/tcp  filtered cognex-insight
1084/tcp  filtered ansoft-lm-2
1186/tcp  filtered mysql-cluster
1719/tcp  filtered h323gatestat
2106/tcp  filtered ekshell
2301/tcp  filtered compaqdiag
2725/tcp  filtered msolap-ptp2
3003/tcp  filtered cgms
3268/tcp  filtered globalcatLDAP
3690/tcp  filtered svn
6789/tcp  filtered ibm-db2-admin
6881/tcp  filtered bittorrent-tracker
8400/tcp  filtered cvd
8800/tcp  filtered sunwebadmin
10000/tcp filtered snet-sensor-mgmt
14238/tcp filtered unknown
19101/tcp filtered unknown
20031/tcp filtered unknown
32775/tcp filtered sometimes-rpc13
32776/tcp filtered sometimes-rpc15
50500/tcp filtered unknown
51103/tcp filtered unknown
55056/tcp filtered unknown
61900/tcp filtered unknown

Nmap scan report for 192.168.219.130
Host is up (0.0019s latency).
All 1000 scanned ports on 192.168.219.130 are closed

Nmap scan report for 192.168.219.131
Host is up (0.0016s latency).
All 1000 scanned ports on 192.168.219.131 are closed

Nmap scan report for 192.168.219.132
Host is up (0.0019s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.219.138
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.219.138 are closed

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (6 hosts up) scanned in 20.24 seconds
msf5 >
It took 20.24 seconds to scan and probe all the hosts in our network segment. We also discovered a lot of open ports and, potentially, services. All the results are stored in files in our home folder:
username@kali:~$ ls -la ~ | grep result
-rw-r--r-- 1 username usergroup 4077 april  7 10:27 result_1.gnmap
-rw-r--r-- 1 username usergroup  340 april  7 10:27 result_1.nmap
-rw-r--r-- 1 username usergroup 4629 april  7 10:27 result_1.xml
Notice that we probed all 255 addresses in our segment even though we knew that only 6 of them were alive. We will try to fix this later.
If you want to record the results of the port scan in the Metasploit database instead of in three separate files, you can do this:
msf5 > db_nmap -v -sV 192.168.219.0/24
... a lot of output ...
msf5 > hosts

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2
192.168.219.128             Unknown                     device
192.168.219.130
192.168.219.131
192.168.219.132             Linux                       server
192.168.219.138
As you can see there is some new information in our database; the os_name and purpose columns got values. Let us check whether our services table also got more information:
msf5 > services

Services
========

host             port   proto  name                  state     info
----             ----   -----  ----                  -----     ----
192.168.219.128  119    tcp    nntp                  filtered
192.168.219.128  544    tcp    kshell                filtered
192.168.219.128  1050   tcp    java-or-otgfileshare  filtered
192.168.219.128  1062   tcp    veracity              filtered
192.168.219.128  1072   tcp    cardax                filtered
192.168.219.128  1137   tcp    trim                  filtered
192.168.219.128  1186   tcp    mysql-cluster         filtered
192.168.219.128  1433   tcp    ms-sql-s              filtered
192.168.219.128  2191   tcp    tvbus                 filtered
192.168.219.128  3551   tcp    apcupsd               filtered
192.168.219.128  3809   tcp    apocd                 filtered
192.168.219.128  3814   tcp    neto-dcs              filtered
192.168.219.128  4321   tcp    rwhois                filtered
192.168.219.128  5061   tcp    sip-tls               filtered
192.168.219.128  5802   tcp    vnc-http-2            filtered
192.168.219.128  7676   tcp    imqbrokerd            filtered
192.168.219.128  8002   tcp    teradataordbms        filtered
192.168.219.128  8087   tcp    simplifymedia         filtered
192.168.219.128  8292   tcp    blp3                  filtered
192.168.219.128  8300   tcp    tmi                   filtered
192.168.219.128  8400   tcp    cvd                   filtered
192.168.219.128  8800   tcp    sunwebadmin           filtered
192.168.219.128  9502   tcp    unknown               filtered
192.168.219.128  10180  tcp    unknown               filtered
192.168.219.128  15660  tcp    bex-xr                filtered
192.168.219.128  50636  tcp    unknown               filtered
192.168.219.128  56737  tcp    unknown               filtered
192.168.219.128  60020  tcp    unknown               filtered
192.168.219.132  21     tcp    ftp                   open      vsftpd 2.3.4
192.168.219.132  22     tcp    ssh                   open      OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.219.132  23     tcp    telnet                open      Linux telnetd
192.168.219.132  25     tcp    smtp                  open      Postfix smtpd
192.168.219.132  53     tcp    domain                open      ISC BIND 9.4.2
192.168.219.132  80     tcp    http                  open      Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.219.132  111    tcp    rpcbind               open      2 RPC #100000
192.168.219.132  139    tcp    netbios-ssn           open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.219.132  445    tcp    netbios-ssn           open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.219.132  512    tcp    exec                  open      netkit-rsh rexecd
192.168.219.132  513    tcp    login                 open
192.168.219.132  514    tcp    tcpwrapped            open
192.168.219.132  1099   tcp    java-rmi              open      GNU Classpath grmiregistry
192.168.219.132  1524   tcp    bindshell             open      Metasploitable root shell
192.168.219.132  2049   tcp    nfs                   open      2-4 RPC #100003
192.168.219.132  2121   tcp    ftp                   open      ProFTPD 1.3.1
192.168.219.132  3306   tcp    mysql                 open      MySQL 5.0.51a-3ubuntu5
192.168.219.132  5432   tcp    postgresql            open      PostgreSQL DB 8.3.0 - 8.3.7
192.168.219.132  5900   tcp    vnc                   open      VNC protocol 3.3
192.168.219.132  6000   tcp    x11                   open      access denied
192.168.219.132  6667   tcp    irc                   open      UnrealIRCd
192.168.219.132  8009   tcp    ajp13                 open      Apache Jserv Protocol v1.3
192.168.219.132  8180   tcp    http                  open      Apache Tomcat/Coyote JSP engine 1.1
Now we start getting somewhere.
You can also combine the two methods: scan to output files and then populate the Metasploit database from them:
msf5 > nmap -v -sV 192.168.219.0/24 -oA ~/result_1
... a lot of output ...
msf5 > db_import result_1.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.9'
[*] Importing host 192.168.219.2
[*] Importing host 192.168.219.128
[*] Importing host 192.168.219.130
[*] Importing host 192.168.219.132
[*] Importing host 192.168.219.145
[*] Importing host 192.168.219.146
[*] Successfully imported /home/username/result_1.xml
The result is the same when you query the hosts and services tables.
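The files that -oA writes are also useful outside msfconsole. As an added example (my own script, not part of the original article) the following does two things the text above raises: it turns the ping sweep's .gnmap file into a target list that a later nmap -iL run can use, so the service scan only touches the hosts that answered instead of all addresses in the segment, and it parses the -sV .xml file into a host/service inventory that can be compared with the previous sweep, which shows hosts that have gone away since (the hosts table in msfconsole keeps them until you delete them). Both inputs are constructed samples in the shape nmap writes; the addresses, ports and banners are the ones the scans above reported.

```python
"""Added example, not part of the original article: read the .gnmap and .xml
files of an `nmap -oA` run, build a target list for `nmap -iL`, and diff the
host inventory against the previous sweep.  Inputs are constructed samples."""
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a grepable (.gnmap) ping sweep, `nmap -sn -oA` style.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sn -oA result_0 192.168.219.0/24\n"
    "Host: 192.168.219.2 ()\tStatus: Up\n"
    "Host: 192.168.219.128 ()\tStatus: Up\n"
    "Host: 192.168.219.132 ()\tStatus: Up\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned in 1.08 seconds\n"
)

# Constructed sample of the XML (.xml) that `nmap -sV -oA` writes, trimmed
# to two hosts and three of the ports the article's scan reported.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -v -sV 192.168.219.0/24 -oA result_1" version="7.80">
<host><status state="up"/><address addr="192.168.219.132" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
<port protocol="tcp" portid="1524"><state state="open"/><service name="bindshell" product="Metasploitable root shell"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.219.2" addrtype="ipv4"/><ports/></host>
</nmaprun>
"""


def live_hosts_from_gnmap(text):
    """Addresses the sweep reported as 'Status: Up', in file order."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        addr = fields[0].split()[1]
        status = [f for f in fields if f.startswith("Status:")]
        if status and status[0].split(":", 1)[1].strip() == "Up":
            hosts.append(addr)
    return hosts


def write_target_list(gnmap_text, path):
    """Write one address per line, the form `nmap -iL <path>` reads, and
    return the number of targets written."""
    hosts = live_hosts_from_gnmap(gnmap_text)
    with open(path, "w") as fh:
        fh.write("".join(h + "\n" for h in hosts))
    return len(hosts)


def services_from_xml(xml_text):
    """{address: [(port, proto, service, product/version), ...]} for every
    host marked up; a host with no open ports maps to an empty list."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue
        rows = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name, banner = "", ""
            if svc is not None:
                name = svc.get("name", "")
                banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append((int(port.get("portid")), port.get("protocol"), name, banner))
        inventory[addr_el.get("addr")] = sorted(rows)
    return inventory


def diff_hosts(previous, current):
    """(hosts up last time but not now, hosts that are new this time)."""
    return sorted(set(previous) - set(current)), sorted(set(current) - set(previous))


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        pass
    n = write_target_list(SAMPLE_GNMAP, tmp.name)
    print("wrote %d targets to %s; next step: nmap -sV -iL %s" % (n, tmp.name, tmp.name))
    inventory = services_from_xml(SAMPLE_XML)
    for addr, rows in inventory.items():
        for port, proto, name, banner in rows:
            print("%s %d/%s %s %s" % (addr, port, proto, name, banner))
    gone, new = diff_hosts(live_hosts_from_gnmap(SAMPLE_GNMAP), inventory)
    print("gone since the sweep:", gone, "new:", new)
```

With the real files, feed result_1.gnmap from a -sn sweep to write_target_list and run the -sV scan with -iL on the resulting file; the inventory diff is the same check the hosts -d step above does by hand.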
Scanning hosts without nmap
I have used the nmap scanner in a couple of ways. It is a very powerful scanner that will solve all your basic scanning needs, BUT it is not the only scanner you can use with Metasploit. If you find yourself in a situation where you have Metasploit but not nmap available, you can use one of the several built-in scanners.
msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
If you want to use one of the scanners you have to select, configure and run it. Here hosts -R loads the addresses from the hosts table into RHOSTS, so the module scans exactly what the database knows about:
msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > hosts -R

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2               Unknown                     device
192.168.219.128             Unknown                     device
192.168.219.130             Unknown                     device
192.168.219.132             Linux                       server
192.168.219.145             Unknown                     device
192.168.219.146             Unknown                     device

RHOSTS => file:/tmp/msf-db-rhosts-20200410-8449-1260kfr
msf5 auxiliary(scanner/portscan/ack) > run
... a lot of output ...
[*] TCP UNFILTERED 192.168.219.2:80
[*] TCP UNFILTERED 192.168.219.128:80
[*] TCP UNFILTERED 192.168.219.132:80
[*] Scanned 6 of 6 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/portscan/ack) >
The goal here was to find and probe potential hosts. We have used various nmap variants to achieve this and stored the results both in the internal Metasploit database and in external files outside the current msf5 session; both approaches will save us time later on.
In our scanning I had multiple hosts up, all for testing purposes, and we will probe the hosts for more information later. The hosts were chosen to reflect a variety of operating systems. Most of them run normal operating systems, but one is an instance of Metasploitable 2, a specialised Linux flavour intended for pentest training.
Read more about Metasploitable 2: https://metasploit.help.rapid7.com/docs/metasploitable-2
In later articles I will probably cut the msf5 session output for readability, but in this first article I have decided that it is fine to get a feel for the full output you can expect when you run the commands.