Pentesting - Find your hosts with metasploit
Introduction - Prerequisites
For this introduction I use the Kali Linux distribution: https://www.kali.org/downloads/
Download the Kali Linux distribution and install it in your virtual environment.
I will also make heavy use of the metasploit framework https://www.metasploit.com/ which is included in Kali Linux. Metasploit is a collection of many tools that we can use to do all sorts of scanning, testing and exploiting of hosts. It also comes with a PostgreSQL database and its own shell that we will use to access everything in the framework.
To be able to use all the tools in metasploit when running Kali Linux out of the box you have to do some minor tweaks to allow metasploit tools to capture packets on your network interface(s). This is especially necessary if you get this error message when trying to run some of the modules in metasploit: Auxiliary failed: RuntimeError don't have permission to capture on that device
- create a new group 'pcap' and add my user to it.
- change group on the tcpdump and ruby2.5 binaries (metasploit is written in Ruby, hence ruby).
- set file capabilities to allow raw packets and various admin tasks. Read more about capabilities here: https://linux.die.net/man/7/capabilities
- get file capabilities just to show the previous command worked as intended.
The commands I used:
username@kali:~$ sudo groupadd pcap
username@kali:~$ sudo usermod -a -G pcap username
username@kali:~$ sudo chgrp pcap /usr/sbin/tcpdump
username@kali:~$ sudo chgrp pcap /usr/bin/ruby2.5
username@kali:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
username@kali:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/ruby2.5
username@kali:~$ sudo /usr/sbin/getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
username@kali:~$ sudo /usr/sbin/getcap /usr/bin/ruby2.5
/usr/bin/ruby2.5 = cap_net_admin,cap_net_raw+eip
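The setup above as an added example (this is my script, not the article's): the same commands wrapped in functions so they can be re-run safely, plus a small check that parses the getcap output so you can confirm both capabilities really landed on the binary. It assumes the binary paths from the article (/usr/sbin/tcpdump and /usr/bin/ruby2.5); on other Kali releases resolve the interpreter first with `readlink -f "$(command -v ruby)"` and pass that path instead. The function names caps_ok, grant_pcap_caps and verify_caps are mine.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed paths: /usr/sbin/tcpdump
# and /usr/bin/ruby2.5 (the ones on the page); adjust for your Kali release.

# caps_ok LINE: return 0 when one line of getcap output grants both cap_net_raw
# and cap_net_admin with the e/i/p flags. Older libcap prints
# "path = cap_net_admin,cap_net_raw+eip", newer libcap prints
# "path cap_net_admin,cap_net_raw=eip"; in both forms the capability set is the
# last whitespace-separated word, so that is what we inspect.
caps_ok() {
  caps=${1##* }
  case "$caps" in
    *cap_net_admin*) ;;
    *) return 1 ;;
  esac
  case "$caps" in
    *cap_net_raw*) ;;
    *) return 1 ;;
  esac
  case "$caps" in
    *+eip|*=eip) return 0 ;;
    *) return 1 ;;
  esac
}

# grant_pcap_caps USER BINARY...: the article's commands, made repeatable (the
# group and the membership are only created when missing). Must run as root.
grant_pcap_caps() {
  user=$1; shift
  getent group pcap >/dev/null || groupadd pcap
  id -nG "$user" | grep -qw pcap || usermod -a -G pcap "$user"
  for bin in "$@"; do
    chgrp pcap "$bin"
    setcap cap_net_raw,cap_net_admin=eip "$bin"
  done
}

# verify_caps BINARY...: run getcap on each binary, print a one-line verdict per
# file, and return 1 if any of them is missing the capabilities.
verify_caps() {
  rc=0
  for bin in "$@"; do
    line=$(getcap "$bin" 2>/dev/null)
    if caps_ok "$line"; then
      echo "ok      $line"
    else
      echo "MISSING $bin"
      rc=1
    fi
  done
  return $rc
}

# Usage (as root):
#   grant_pcap_caps username /usr/sbin/tcpdump /usr/bin/ruby2.5 \
#     && verify_caps /usr/sbin/tcpdump /usr/bin/ruby2.5
```

Two things worth knowing before running it: file capabilities are granted to whoever can execute the file, so the pcap group only limits who benefits if the binary's mode denies execute to others (check with `ls -l`), and putting cap_net_raw/cap_net_admin on the Ruby interpreter means every Ruby script those users run gets them, not just msfconsole. Keep the group small.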
Finding and scanning hosts
There are multiple ways to scan for and find hosts that you want to test against. At this moment I want to find live hosts as fast as possible, and I do not attempt to be stealthy at any point.
When launching the metasploit framework from Kali Linux we already have a PostgreSQL database that we can use to store our findings in. The data inserted into this database is persistent across reboots and can be exported out of metasploit (i.e. for use with other tools). But the most useful function is probably that you can feed the various modules and scripts in metasploit with information from the database.
Start metasploit from the menu inside Kali:
> Executing “sudo msfdb init && msfconsole”
[sudo] passord for username:
[i] Database already started
[i] The database appears to be already configured, skipping initialization
... metasploit ASCII banner ...
=[ metasploit v5.0.83-dev ]
+ -- --=[ 1994 exploits - 1090 auxiliary - 340 post ]
+ -- --=[ 560 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Adapter names can be used for IP params set LHOST eth0
msf5 >
Finding hosts
The first thing we want to find is some live hosts that we can test against.
Let's query the database for any hosts:
msf5 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
As expected it's empty. Let's use nmap to scan our network segment. In metasploit we can use the db_nmap command, which runs an nmap scan AND records its findings in our database.
- -sn: tells nmap to skip the port scan after host discovery. This is commonly known as a ping sweep.
- 192.168.219.0/24: the network segment you want to scan.
PS: db_nmap takes all the normal nmap options and parameters.
Read more about nmap here: https://nmap.org/
msf5 > db_nmap -sn 192.168.219.0/24
[*] Nmap: 'Warning: You are not root -- using TCP pingscan rather than ICMP'
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 09:35 CEST
[*] Nmap: Nmap scan report for 192.168.219.2
[*] Nmap: Host is up (0.0013s latency).
[*] Nmap: Nmap scan report for 192.168.219.128
[*] Nmap: Host is up (0.0100s latency).
[*] Nmap: Nmap scan report for 192.168.219.130
[*] Nmap: Host is up (0.00080s latency).
[*] Nmap: Nmap scan report for 192.168.219.131
[*] Nmap: Host is up (0.0017s latency).
[*] Nmap: Nmap scan report for 192.168.219.132
[*] Nmap: Host is up (0.0040s latency).
[*] Nmap: Nmap scan report for 192.168.219.138
[*] Nmap: Host is up (0.0034s latency).
[*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 1.08 seconds
msf5 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.219.2
192.168.219.128
192.168.219.130
192.168.219.131
192.168.219.132
192.168.219.138
We now have a list of 6 hosts on our network.
If we power down one of the hosts and run the db_nmap command again, it will not remove a host that was previously alive. This means that if you always want an up-to-date list of your live hosts, you have to empty the hosts table before scanning:
msf5 > hosts -d
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.219.2
192.168.219.128
192.168.219.130
192.168.219.131
192.168.219.132
192.168.219.138
[*] Deleted 6 hosts
msf5 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
So this is how you find the hosts you want to play with. Next up is to try to determine some information about the hosts.
Scanning hosts
We now have a list of hosts that we know are alive and can be probed. There are multiple ways to do this, but we are going to do what is called a port scan, and instead of db_nmap we are using normal nmap.
- -v: verbose output, add more v's to get more verbosity.
- -sV: probe open ports to determine service/version info.
- 192.168.219.0/24: the network segment you want to scan.
- -oA: output the result in the three major file formats at once.
msf5 > nmap -v -sV 192.168.219.0/24 -oA ~/result_1
[*] exec: nmap -v -sV 192.168.219.0/24 -oA ~/result_1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 10:08 CEST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 10:08
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 10:08, 2.42s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 10:08
Completed Parallel DNS resolution of 256 hosts. at 10:08, 0.03s elapsed
Nmap scan report for 192.168.219.0 [host down]
... a lot of hosts down here ...
Nmap scan report for 192.168.219.255 [host down]
Initiating Connect Scan at 10:08
Scanning 6 hosts [1000 ports/host]
Discovered open port 22/tcp on 192.168.219.132
Discovered open port 80/tcp on 192.168.219.132
Discovered open port 25/tcp on 192.168.219.132
Discovered open port 111/tcp on 192.168.219.132
Discovered open port 23/tcp on 192.168.219.132
Discovered open port 139/tcp on 192.168.219.132
Discovered open port 21/tcp on 192.168.219.132
Discovered open port 53/tcp on 192.168.219.132
Discovered open port 445/tcp on 192.168.219.132
Discovered open port 3306/tcp on 192.168.219.132
Discovered open port 5900/tcp on 192.168.219.132
Discovered open port 6000/tcp on 192.168.219.132
Discovered open port 1524/tcp on 192.168.219.132
Discovered open port 6667/tcp on 192.168.219.132
Discovered open port 1099/tcp on 192.168.219.132
Discovered open port 2121/tcp on 192.168.219.132
Discovered open port 8009/tcp on 192.168.219.132
Discovered open port 8180/tcp on 192.168.219.132
Discovered open port 5432/tcp on 192.168.219.132
Discovered open port 514/tcp on 192.168.219.132
Discovered open port 512/tcp on 192.168.219.132
Discovered open port 2049/tcp on 192.168.219.132
Discovered open port 513/tcp on 192.168.219.132
Completed Connect Scan against 192.168.219.2 in 0.34s (5 hosts left)
Completed Connect Scan against 192.168.219.130 in 0.34s (4 hosts left)
Completed Connect Scan against 192.168.219.131 in 0.34s (3 hosts left)
Completed Connect Scan against 192.168.219.138 in 0.34s (2 hosts left)
Completed Connect Scan against 192.168.219.132 in 0.34s (1 host left)
Completed Connect Scan at 10:08, 6.00s elapsed (6000 total ports)
Initiating Service scan at 10:08
Scanning 23 services on 6 hosts
Completed Service scan at 10:09, 11.08s elapsed (23 services on 6 hosts)
NSE: Script scanning 6 hosts.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.14s elapsed
Initiating NSE at 10:09
Completed NSE at 10:09, 0.04s elapsed
Nmap scan report for 192.168.219.2
Host is up (0.0014s latency).
All 1000 scanned ports on 192.168.219.2 are closed
Nmap scan report for 192.168.219.128
Host is up (0.00084s latency).
Not shown: 972 closed ports
PORT STATE SERVICE VERSION
99/tcp filtered metagram
366/tcp filtered odmr
800/tcp filtered mdbs_daemon
1002/tcp filtered windows-icfw
1069/tcp filtered cognex-insight
1084/tcp filtered ansoft-lm-2
1186/tcp filtered mysql-cluster
1719/tcp filtered h323gatestat
2106/tcp filtered ekshell
2301/tcp filtered compaqdiag
2725/tcp filtered msolap-ptp2
3003/tcp filtered cgms
3268/tcp filtered globalcatLDAP
3690/tcp filtered svn
6789/tcp filtered ibm-db2-admin
6881/tcp filtered bittorrent-tracker
8400/tcp filtered cvd
8800/tcp filtered sunwebadmin
10000/tcp filtered snet-sensor-mgmt
14238/tcp filtered unknown
19101/tcp filtered unknown
20031/tcp filtered unknown
32775/tcp filtered sometimes-rpc13
32776/tcp filtered sometimes-rpc15
50500/tcp filtered unknown
51103/tcp filtered unknown
55056/tcp filtered unknown
61900/tcp filtered unknown
Nmap scan report for 192.168.219.130
Host is up (0.0019s latency).
All 1000 scanned ports on 192.168.219.130 are closed
Nmap scan report for 192.168.219.131
Host is up (0.0016s latency).
All 1000 scanned ports on 192.168.219.131 are closed
Nmap scan report for 192.168.219.132
Host is up (0.0019s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.219.138
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.219.138 are closed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (6 hosts up) scanned in 20.24 seconds
msf5 >
So it took 20.24 seconds to scan and probe all the hosts in our network segment. We also discovered a lot of open ports and potential services. And all the results are stored in files in our home folder:
username@kali:~$ ls -la ~ | grep result
-rw-r--r-- 1 username usergroup 4077 april 7 10:27 result_1.gnmap
-rw-r--r-- 1 username usergroup 340 april 7 10:27 result_1.nmap
-rw-r--r-- 1 username usergroup 4629 april 7 10:27 result_1.xml
Notice that we probed all 255 addresses in our segment even though we knew that only 6 of them were alive. We will try to fix this later.
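One way to avoid re-scanning the whole /24, as an added example that is not part of the original article: read the .gnmap file that -oA writes, keep only the hosts that answered, and hand that list to the next scan with nmap -iL. The script below is mine; the sample inside it is constructed to mirror the lab above and is not the real result_1.gnmap, and the function names (sample_gnmap, live_hosts, open_ports, write_targets) are my own. It relies on the grepable format itself: tab-separated fields, a "Status: Up" field for live hosts, and port entries of the form port/state/proto/owner/service/rpc_info/version/ separated by ", " (nmap writes "|" instead of "/" inside the version text, which is what keeps the split simple).

```shell
#!/bin/sh
# Added example, not from the original article. Parses nmap grepable output
# (-oG / the .gnmap file from -oA) to list live hosts and open ports.

# Constructed sample .gnmap content mirroring the lab; not the article's real file.
sample_gnmap() {
  printf '%s\n' '# Nmap 7.80 scan initiated Tue Apr  7 10:08:00 2020 as: nmap -v -sV -oA result_1 192.168.219.0/24'
  printf 'Host: 192.168.219.2 ()\tStatus: Up\n'
  printf 'Host: 192.168.219.3 ()\tStatus: Down\n'
  printf 'Host: 192.168.219.128 ()\tStatus: Up\n'
  printf 'Host: 192.168.219.128 ()\tPorts: 99/filtered/tcp//metagram///, 366/filtered/tcp//odmr///\tIgnored State: closed (998)\n'
  printf 'Host: 192.168.219.132 ()\tStatus: Up\n'
  printf 'Host: 192.168.219.132 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/\tIgnored State: closed (997)\n'
  printf '%s\n' '# Nmap done at Tue Apr  7 10:08:20 2020 -- 256 IP addresses (3 hosts up) scanned in 20.24 seconds'
}

# live_hosts: gnmap on stdin -> one IP per line, in file order, no duplicates.
# Only "Status: Up" lines count, so hosts reported Down are dropped.
live_hosts() {
  awk -F'\t' '$1 ~ /^Host: / && $2 == "Status: Up" {
    split($1, h, " ")
    if (!seen[h[2]]++) print h[2]
  }'
}

# open_ports: gnmap on stdin -> "ip port/proto service version" per open port.
# Filtered and closed entries are skipped; the Ports field is split on ", " and
# each entry on "/" (fields: port state proto owner service rpc_info version).
open_ports() {
  awk -F'\t' '$1 ~ /^Host: / {
    split($1, h, " ")
    for (i = 2; i <= NF; i++) {
      if (substr($i, 1, 7) != "Ports: ") continue
      n = split(substr($i, 8), e, ", ")
      for (j = 1; j <= n; j++) {
        split(e[j], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s %s\n", h[2], f[1], f[3], f[5], f[7]
      }
    }
  }'
}

# write_targets GNMAP_FILE OUT_FILE: write the live hosts to OUT_FILE (one per
# line, the format nmap -iL expects) and print how many were written.
write_targets() {
  live_hosts < "$1" > "$2"
  wc -l < "$2" | tr -d ' '
}

# Usage against a real sweep:
#   nmap -sn 192.168.219.0/24 -oG sweep.gnmap
#   write_targets sweep.gnmap targets.txt
#   nmap -v -sV -iL targets.txt -oA ~/result_2
```

Running the ping sweep to -oG first and the service scan with -iL second is the same two-step the article does with db_nmap -sn and then nmap -sV, just without touching the 250 addresses that never answered. open_ports is handy for a quick "what is exposed where" summary of the same file without opening the XML.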
If you want to record the results of the port scan in the metasploit database instead of in 3 different files, you can do this:
msf5 > db_nmap -v -sV 192.168.219.0/24
... a lot of output ...
msf5 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.219.2
192.168.219.128 Unknown device
192.168.219.130
192.168.219.131
192.168.219.132 Linux server
192.168.219.138
As you can see there is some new information in our database: the os_name and purpose columns got some values. Let's check whether our services table also got more information:
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.219.128 119 tcp nntp filtered
192.168.219.128 544 tcp kshell filtered
192.168.219.128 1050 tcp java-or-otgfileshare filtered
192.168.219.128 1062 tcp veracity filtered
192.168.219.128 1072 tcp cardax filtered
192.168.219.128 1137 tcp trim filtered
192.168.219.128 1186 tcp mysql-cluster filtered
192.168.219.128 1433 tcp ms-sql-s filtered
192.168.219.128 2191 tcp tvbus filtered
192.168.219.128 3551 tcp apcupsd filtered
192.168.219.128 3809 tcp apocd filtered
192.168.219.128 3814 tcp neto-dcs filtered
192.168.219.128 4321 tcp rwhois filtered
192.168.219.128 5061 tcp sip-tls filtered
192.168.219.128 5802 tcp vnc-http-2 filtered
192.168.219.128 7676 tcp imqbrokerd filtered
192.168.219.128 8002 tcp teradataordbms filtered
192.168.219.128 8087 tcp simplifymedia filtered
192.168.219.128 8292 tcp blp3 filtered
192.168.219.128 8300 tcp tmi filtered
192.168.219.128 8400 tcp cvd filtered
192.168.219.128 8800 tcp sunwebadmin filtered
192.168.219.128 9502 tcp unknown filtered
192.168.219.128 10180 tcp unknown filtered
192.168.219.128 15660 tcp bex-xr filtered
192.168.219.128 50636 tcp unknown filtered
192.168.219.128 56737 tcp unknown filtered
192.168.219.128 60020 tcp unknown filtered
192.168.219.132 21 tcp ftp open vsftpd 2.3.4
192.168.219.132 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.219.132 23 tcp telnet open Linux telnetd
192.168.219.132 25 tcp smtp open Postfix smtpd
192.168.219.132 53 tcp domain open ISC BIND 9.4.2
192.168.219.132 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.219.132 111 tcp rpcbind open 2 RPC #100000
192.168.219.132 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.219.132 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.219.132 512 tcp exec open netkit-rsh rexecd
192.168.219.132 513 tcp login open
192.168.219.132 514 tcp tcpwrapped open
192.168.219.132 1099 tcp java-rmi open GNU Classpath grmiregistry
192.168.219.132 1524 tcp bindshell open Metasploitable root shell
192.168.219.132 2049 tcp nfs open 2-4 RPC #100003
192.168.219.132 2121 tcp ftp open ProFTPD 1.3.1
192.168.219.132 3306 tcp mysql open MySQL 5.0.51a-3ubuntu5
192.168.219.132 5432 tcp postgresql open PostgreSQL DB 8.3.0 - 8.3.7
192.168.219.132 5900 tcp vnc open VNC protocol 3.3
192.168.219.132 6000 tcp x11 open access denied
192.168.219.132 6667 tcp irc open UnrealIRCd
192.168.219.132 8009 tcp ajp13 open Apache Jserv Protocol v1.3
192.168.219.132 8180 tcp http open Apache Tomcat/Coyote JSP engine 1.1
Now we start getting somewhere.
You can also combine the two methods, scanning to output files and then populating the metasploit database from them:
msf5 > nmap -v -sV 192.168.219.0/24 -oA ~/result_1
... a lot of output ...
msf5 > db_import result_1.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.9'
[*] Importing host 192.168.219.2
[*] Importing host 192.168.219.128
[*] Importing host 192.168.219.130
[*] Importing host 192.168.219.132
[*] Importing host 192.168.219.145
[*] Importing host 192.168.219.146
[*] Successfully imported /home/username/result_1.xml
The result will be the same when you query the hosts and services tables.
Scanning hosts without nmap
I have used the nmap scanner in a couple of ways, and it is a very powerful scanner that will solve all your basic scanning needs, BUT it is not the only scanner you can use if you are using metasploit. If you find yourself in a situation where you have metasploit but not nmap available, you can use one of the several built-in scanners.
msf5 > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
If you want to use one of the scanners you have to activate, configure and run it:
msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.219.2 Unknown device
192.168.219.128 Unknown device
192.168.219.130 Unknown device
192.168.219.132 Linux server
192.168.219.145 Unknown device
192.168.219.146 Unknown device
RHOSTS => file:/tmp/msf-db-rhosts-20200410-8449-1260kfr
msf5 auxiliary(scanner/portscan/ack) > run
... a lot of output ...
[*] TCP UNFILTERED 192.168.219.2:80
[*] TCP UNFILTERED 192.168.219.128:80
[*] TCP UNFILTERED 192.168.219.132:80
[*] Scanned 6 of 6 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/portscan/ack) >
Wrap up
The goal of this article was to find a way to find and probe potential hosts. We have used various variants of nmap to achieve this goal and stored the results outside the current msf5 session: in the internal metasploit database and in external files. Both approaches will save us time later on.
In our scanning I had multiple hosts up, all for testing purposes, and we will probe for more information about the hosts later. The hosts are chosen to reflect a variety of operating systems. Most of the hosts run normal operating systems, but one of them is an instance of Metasploitable 2, a specialised Linux flavor that is intended for pentest training.
Read more about Metasploitable 2: https://metasploit.help.rapid7.com/docs/metasploitable-2
In later articles I will probably cut the msf5 session output for readability, but in this first article I have decided that it's OK to get a feeling for the full output you can expect when you run the commands.