Pentesting - Find your hosts with metasploit

Tue 07 April 2020

Some basic stuff to get you started with pentesting. This article will show you how to find potential hosts on your network.

Introduction - Prerequisites

For this introduction I use the Kali Linux distribution: https://www.kali.org/downloads/

Download the Kal Linux distribution and install it you virtual environment.

I will also make heavy use of the metasploit framework https://www.metasploit.com/ which is included in Kali Linux. Metasploit is a collection of many tools that we can use to do all sort of scanning, testing and exploiting of hosts. I also comes with a postgresdatabase, and its own shell that we will use to access all the stuff in the framework.

To be able to use all the tools in metasploit when running Kali Linux out of the box you have to do some minor tweaks to allow metasploit tools to capture packet on your network interface(s). This is especially if youy get this error message when trying to run some of the modules in metasploit: Auxiliary failed: RuntimeError don't have permission to capture on that device

  • create a new group 'pcap' and add my user to it.
  • change group on tcpdump and ruby2.5 binaries (metasploit it written i ruby, therefore ruby).
  • set file capabilities to allow raw packets and various admin tasks. Read more about capabilites here: https://linux.die.net/man/7/capabilities
  • get file capabilities just to show the previous command worked as intended.

The commands I used:

username@kali:~$ sudo groupadd pcap
username@kali:~$ sudo usermod -a -G pcap username
username@kali:~$ sudo chgrp pcap /usr/sbin/tcpdump
username@kali:~$ sudo chgrp pcap /usr/bin/ruby2.5
username@kali:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
username@kali:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/ruby2.5
username@kali:~$ sudo /usr/sbin/getcap /usr/sbin/tcpdump 
  /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
username@kali:~$ sudo /usr/sbin/getcap /usr/bin/ruby2.5
  /usr/bin/ruby2.5 = cap_net_admin,cap_net_raw+eip

Finding and scanning hosts

The here is multiple way to scan and find hosts that you want to test against. At this moment I want to find live hosts as fast as possible, and I do not attempt to be stealthy at any point.

When launching the metasploit framework from Kali Linux we already have a postgresdatabase that we can use to store stuff inside. The data inserted to this database will be persistent across boots and can be exported out of metasploit (i.e for use with other tools). But the most useful functions is probably that you can feed the various modules and scripts in metasploit wih information from the database.

Start metasploit from the menu inside Kali:

> Executing sudo msfdb init && msfconsole
[sudo] passord for username: 
[i] Database already started
[i] The database appears to be already configured, skipping initialization

               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:                                
                                :::::::+:
                      Metasploit

       =[ metasploit v5.0.83-dev                          ]
+ -- --=[ 1994 exploits - 1090 auxiliary - 340 post       ]
+ -- --=[ 560 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

msf5 >

Finding hosts

The first thing we want to find is some live hosts that we can test against.

Lets query the database for any hosts:

msf5 > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

As expected its empty. Lets try to use nmap to scan our network segment. In metasploit we can use the db_nmap command, which does a nmap scan AND record its findings into our database.

  • -sn: tells nmap to not do a portscan after host discovery. This is commonly known as a pingsweep.
  • 192.168.219.0/24: the network segment you want to scan.

PS: db_nmap can take alle the normal nmap options and parameters.

Read more about nmap here: https://nmap.org/

msf5 > db_nmap -sn 192.168.219.0/24
[*] Nmap: 'Warning:  You are not root -- using TCP pingscan rather than ICMP'
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 09:35 CEST
[*] Nmap: Nmap scan report for 192.168.219.2
[*] Nmap: Host is up (0.0013s latency).
[*] Nmap: Nmap scan report for 192.168.219.128
[*] Nmap: Host is up (0.0100s latency).
[*] Nmap: Nmap scan report for 192.168.219.130
[*] Nmap: Host is up (0.00080s latency).
[*] Nmap: Nmap scan report for 192.168.219.131
[*] Nmap: Host is up (0.0017s latency).
[*] Nmap: Nmap scan report for 192.168.219.132
[*] Nmap: Host is up (0.0040s latency).
[*] Nmap: Nmap scan report for 192.168.219.138
[*] Nmap: Host is up (0.0034s latency).
[*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 1.08 seconds

msf5 > hosts

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2                                                         
192.168.219.128                                                       
192.168.219.130                                                       
192.168.219.131                                                       
192.168.219.132                                                       
192.168.219.138

We now have a list of 6 hosts on our network.

If we power down on of the host and run the db_nmap command again it will not remove a previously alive host. This means that if you want to always want to have a list of your live hosts you have to empty the hosts database before scanning:

msf5 > hosts -d

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2                                                         
192.168.219.128                                                       
192.168.219.130                                                       
192.168.219.131                                                       
192.168.219.132                                                       
192.168.219.138

[*] Deleted 6 hosts

msf5 > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

So this is how you find the hosts you want to play with. Next up is to trye determine some information about the hosts.

Scanning hosts

We now have a list of hosts that we know is alive and can be probed. There are multiple ways to do this, but we are going to do what is called a portscan, but isntead of db_nmap we are using normal nmap. * -v: verbose output, add more v's to get more verbosity. * -sV: probe open ports to determine service/version info. * 192.168.219.0/24: the network segment you want to scan. * -oA: output result in three major fileformat at once.

msf5 > nmap -v -sV 192.168.219.0/24 -oA ~/result_1
[*] exec: nmap -v -sV 192.168.219.0/24 -oA ~/result_1

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 10:08 CEST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 10:08
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 10:08, 2.42s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 10:08
Completed Parallel DNS resolution of 256 hosts. at 10:08, 0.03s elapsed
Nmap scan report for 192.168.219.0 [host down]
... alot of host down here ...
Nmap scan report for 192.168.219.255 [host down]
Initiating Connect Scan at 10:08
Scanning 6 hosts [1000 ports/host]
Discovered open port 22/tcp on 192.168.219.132
Discovered open port 80/tcp on 192.168.219.132
Discovered open port 25/tcp on 192.168.219.132
Discovered open port 111/tcp on 192.168.219.132
Discovered open port 23/tcp on 192.168.219.132
Discovered open port 139/tcp on 192.168.219.132
Discovered open port 21/tcp on 192.168.219.132
Discovered open port 53/tcp on 192.168.219.132
Discovered open port 445/tcp on 192.168.219.132
Discovered open port 3306/tcp on 192.168.219.132
Discovered open port 5900/tcp on 192.168.219.132
Discovered open port 6000/tcp on 192.168.219.132
Discovered open port 1524/tcp on 192.168.219.132
Discovered open port 6667/tcp on 192.168.219.132
Discovered open port 1099/tcp on 192.168.219.132
Discovered open port 2121/tcp on 192.168.219.132
Discovered open port 8009/tcp on 192.168.219.132
Discovered open port 8180/tcp on 192.168.219.132
Discovered open port 5432/tcp on 192.168.219.132
Discovered open port 514/tcp on 192.168.219.132
Discovered open port 512/tcp on 192.168.219.132
Discovered open port 2049/tcp on 192.168.219.132
Discovered open port 513/tcp on 192.168.219.132
Completed Connect Scan against 192.168.219.2 in 0.34s (5 hosts left)
Completed Connect Scan against 192.168.219.130 in 0.34s (4 hosts left)
Completed Connect Scan against 192.168.219.131 in 0.34s (3 hosts left)
Completed Connect Scan against 192.168.219.138 in 0.34s (2 hosts left)
Completed Connect Scan against 192.168.219.132 in 0.34s (1 host left)
Completed Connect Scan at 10:08, 6.00s elapsed (6000 total ports)
Initiating Service scan at 10:08
Scanning 23 services on 6 hosts
Completed Service scan at 10:09, 11.08s elapsed (23 services on 6 hosts)
NSE: Script scanning 6 hosts.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.14s elapsed
Initiating NSE at 10:09
Completed NSE at 10:09, 0.04s elapsed
Nmap scan report for 192.168.219.2
Host is up (0.0014s latency).
All 1000 scanned ports on 192.168.219.2 are closed

Nmap scan report for 192.168.219.128
Host is up (0.00084s latency).
Not shown: 972 closed ports
PORT      STATE    SERVICE            VERSION
99/tcp    filtered metagram
366/tcp   filtered odmr
800/tcp   filtered mdbs_daemon
1002/tcp  filtered windows-icfw
1069/tcp  filtered cognex-insight
1084/tcp  filtered ansoft-lm-2
1186/tcp  filtered mysql-cluster
1719/tcp  filtered h323gatestat
2106/tcp  filtered ekshell
2301/tcp  filtered compaqdiag
2725/tcp  filtered msolap-ptp2
3003/tcp  filtered cgms
3268/tcp  filtered globalcatLDAP
3690/tcp  filtered svn
6789/tcp  filtered ibm-db2-admin
6881/tcp  filtered bittorrent-tracker
8400/tcp  filtered cvd
8800/tcp  filtered sunwebadmin
10000/tcp filtered snet-sensor-mgmt
14238/tcp filtered unknown
19101/tcp filtered unknown
20031/tcp filtered unknown
32775/tcp filtered sometimes-rpc13
32776/tcp filtered sometimes-rpc15
50500/tcp filtered unknown
51103/tcp filtered unknown
55056/tcp filtered unknown
61900/tcp filtered unknown

Nmap scan report for 192.168.219.130
Host is up (0.0019s latency).
All 1000 scanned ports on 192.168.219.130 are closed

Nmap scan report for 192.168.219.131
Host is up (0.0016s latency).
All 1000 scanned ports on 192.168.219.131 are closed

Nmap scan report for 192.168.219.132
Host is up (0.0019s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.219.138
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.219.138 are closed

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (6 hosts up) scanned in 20.24 seconds
msf5 >

So it now took 20.24 seconds to scan and probe all the hosts in our network segment. We also discovered alot of open ports and potentially services. And all the result is stored in files in our homefolder:

username@kali:~$ ls -la ~ | grep result
-rw-r--r--  1 username usergroup  4077 april  7 10:27 result_1.gnmap
-rw-r--r--  1 username usergroup   340 april  7 10:27 result_1.nmap
-rw-r--r--  1 username usergroup  4629 april  7 10:27 result_1.xml

Notice that we probed all the 255 adresses in our segment even we knew that only 6 of them was alive. We will try to fix this later.

If you want to record the result of the portscanning to the metasploit database instead of to 3 different files you could do this:

msf5 > db_nmap -v -sV 192.168.219.0/24
... alot of output ...
msf5 > hosts

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2                                                         
192.168.219.128             Unknown                    device         
192.168.219.130                                                       
192.168.219.131                                                       
192.168.219.132             Linux                      server         
192.168.219.138

as you can see there are some new information in our database, os_name and purpose column got some values. Let us check if our services table got more information:

msf5 > services 
Services
========

host             port   proto  name                  state     info
----             ----   -----  ----                  -----     ----
192.168.219.128  119    tcp    nntp                  filtered  
192.168.219.128  544    tcp    kshell                filtered  
192.168.219.128  1050   tcp    java-or-otgfileshare  filtered  
192.168.219.128  1062   tcp    veracity              filtered  
192.168.219.128  1072   tcp    cardax                filtered  
192.168.219.128  1137   tcp    trim                  filtered  
192.168.219.128  1186   tcp    mysql-cluster         filtered  
192.168.219.128  1433   tcp    ms-sql-s              filtered  
192.168.219.128  2191   tcp    tvbus                 filtered  
192.168.219.128  3551   tcp    apcupsd               filtered  
192.168.219.128  3809   tcp    apocd                 filtered  
192.168.219.128  3814   tcp    neto-dcs              filtered  
192.168.219.128  4321   tcp    rwhois                filtered  
192.168.219.128  5061   tcp    sip-tls               filtered  
192.168.219.128  5802   tcp    vnc-http-2            filtered  
192.168.219.128  7676   tcp    imqbrokerd            filtered  
192.168.219.128  8002   tcp    teradataordbms        filtered  
192.168.219.128  8087   tcp    simplifymedia         filtered  
192.168.219.128  8292   tcp    blp3                  filtered  
192.168.219.128  8300   tcp    tmi                   filtered  
192.168.219.128  8400   tcp    cvd                   filtered  
192.168.219.128  8800   tcp    sunwebadmin           filtered  
192.168.219.128  9502   tcp    unknown               filtered  
192.168.219.128  10180  tcp    unknown               filtered  
192.168.219.128  15660  tcp    bex-xr                filtered  
192.168.219.128  50636  tcp    unknown               filtered  
192.168.219.128  56737  tcp    unknown               filtered  
192.168.219.128  60020  tcp    unknown               filtered  
192.168.219.132  21     tcp    ftp                   open      vsftpd 2.3.4
192.168.219.132  22     tcp    ssh                   open      OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.219.132  23     tcp    telnet                open      Linux telnetd
192.168.219.132  25     tcp    smtp                  open      Postfix smtpd
192.168.219.132  53     tcp    domain                open      ISC BIND 9.4.2
192.168.219.132  80     tcp    http                  open      Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.219.132  111    tcp    rpcbind               open      2 RPC #100000
192.168.219.132  139    tcp    netbios-ssn           open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.219.132  445    tcp    netbios-ssn           open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.219.132  512    tcp    exec                  open      netkit-rsh rexecd
192.168.219.132  513    tcp    login                 open      
192.168.219.132  514    tcp    tcpwrapped            open      
192.168.219.132  1099   tcp    java-rmi              open      GNU Classpath grmiregistry
192.168.219.132  1524   tcp    bindshell             open      Metasploitable root shell
192.168.219.132  2049   tcp    nfs                   open      2-4 RPC #100003
192.168.219.132  2121   tcp    ftp                   open      ProFTPD 1.3.1
192.168.219.132  3306   tcp    mysql                 open      MySQL 5.0.51a-3ubuntu5
192.168.219.132  5432   tcp    postgresql            open      PostgreSQL DB 8.3.0 - 8.3.7
192.168.219.132  5900   tcp    vnc                   open      VNC protocol 3.3
192.168.219.132  6000   tcp    x11                   open      access denied
192.168.219.132  6667   tcp    irc                   open      UnrealIRCd
192.168.219.132  8009   tcp    ajp13                 open      Apache Jserv Protocol v1.3
192.168.219.132  8180   tcp    http                  open      Apache Tomcat/Coyote JSP engine 1.1

Now we start getting somewhere.

You can also combine the two methods of scanning to outputfiles and populate the metasploit database:

msf5 > nmap -v -sV 192.168.219.0/24 -oA ~/result_1
... a lot of output ...
msf5 > db_import result_1.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.9'
[*] Importing host 192.168.219.2
[*] Importing host 192.168.219.128
[*] Importing host 192.168.219.130
[*] Importing host 192.168.219.132
[*] Importing host 192.168.219.145
[*] Importing host 192.168.219.146
[*] Successfully imported /home/username/result_1.xml

The result is going to be the same when you query the hosts and services database.

Scanning hosts without nmap

I have used the nmap scanner in a couple of ways, and it is a very powerful scanner that will solve all your basic scanning needs, BUT it is not the only scanner you can use if you are using metasploit. If you find yourself in a situation where you have metasploit, but not nmap available you can use one of the several built-in scanners.

msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner

If you want to use one of the scanners you have to activate, configure and run it:

msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > hosts -R
Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.219.2               Unknown                    device         
192.168.219.128             Unknown                    device         
192.168.219.130             Unknown                    device         
192.168.219.132             Linux                      server         
192.168.219.145             Unknown                    device         
192.168.219.146             Unknown                    device

RHOSTS => file:/tmp/msf-db-rhosts-20200410-8449-1260kfr

msf5 auxiliary(scanner/portscan/ack) > run
... alot of output ...
[*]  TCP UNFILTERED 192.168.219.2:80
[*]  TCP UNFILTERED 192.168.219.128:80
[*]  TCP UNFILTERED 192.168.219.132:80
[*] Scanned 6 of 6 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/portscan/ack) >

Wrap up

The goal of this was to find a way to find and probe potential hosts. We have used various variants of nmap to achieve this goal and stored them outside the current msf5 session. We have stored our results in the internal metasploit database and in external files, both approach will save us time later on.

In our scanning I had multiple hosts up, all for testing purposes and we will probe more information about the hosts later. The hosts are choosen to reflect a variety of operatingsystem. Most of the hosts are normal operatingsystem, but one of them is an instance of the Metasploitable 2, a specialised Linuxflavor that is intended for pentest training.

Read more about Metasploitable 2: https://metasploit.help.rapid7.com/docs/metasploitable-2

In later articles I will probably cut the msf5 session outputs for readability, but in this first article I have decided that its ok to get a feeling on the full output you can expect when you run the commands.

Comments