Auxiliary Plugins

Notes on Scanners and Auxiliary Modules

Scanners and most other auxiliary modules use the RHOSTS option instead of RHOST. RHOSTS can take IP ranges (192.168.1.20-192.168.1.30), CIDR ranges (192.168.1.0/24), multiple ranges separated by commas (192.168.1.0/24, 192.168.3.0/24), and line separated host list files (file:/tmp/hostlist.txt). This is another use for our grepable Nmap output file.

Note also that, by default, all of the scanner modules will have the THREADS value set to '1'. The THREADS value sets the number of concurrent threads to use while scanning. Set this value to a higher number in order to speed up your scans or keep it lower in order to reduce network traffic but be sure to adhere to the following guidelines:

Keep the THREADS value under 16 on native Win32 systems
Keep THREADS under 200 when running MSF under Cygwin
On Unix-like operating systems, THREADS can be set to 256.

Port Scanning

In addition to running Nmap, there are a variety of other port scanners that are available to us within the framework.

msf > search portscan [*] Searching loaded modules for pattern 'portscan'... Auxiliary ========= Name Description ---- ----------- scanner/portscan/ack TCP ACK Firewall Scanner scanner/portscan/ftpbounce FTP Bounce Port Scanner scanner/portscan/syn TCP SYN Port Scanner scanner/portscan/tcp TCP Port Scanner scanner/portscan/xmas TCP "XMas" Port Scanner
For the sake of comparison, we'll compare our Nmap scan results for port 80 with a Metasploit scanning module. First, let's determine what hosts had port 80 open according to Nmap.

msf > cat subnet_1.gnmap | grep 80/open | awk '{print $2}' [*] exec: cat subnet_1.gnmap | grep 80/open | awk '{print $2}' 192.168.1.1 192.168.1.2 192.168.1.10 192.168.1.109 192.168.1.116 192.168.1.150
The Nmap scan we ran earlier was a SYN scan so we'll run the same scan across the subnet looking for port 80 through our eth0 interface using Metasploit.

msf > use scanner/portscan/syn msf auxiliary(syn) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to scan per set INTERFACE no The name of the interface PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS yes The target address range or CIDR identifier THREADS 1 yes The number of concurrent threads TIMEOUT 500 yes The reply read timeout in milliseconds msf auxiliary(syn) > set INTERFACE eth0 INTERFACE => eth0 msf auxiliary(syn) > set PORTS 80 PORTS => 80 msf auxiliary(syn) > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24 msf auxiliary(syn) > set THREADS 50 THREADS => 50 msf auxiliary(syn) > run [*] TCP OPEN 192.168.1.1:80 [*] TCP OPEN 192.168.1.2:80 [*] TCP OPEN 192.168.1.10:80 [*] TCP OPEN 192.168.1.109:80 [*] TCP OPEN 192.168.1.116:80 [*] TCP OPEN 192.168.1.150:80 [*] Auxiliary module execution completed
So we can see that Metasploit's built-in scanner modules are more than capable of finding systems and open port for us. It's just another excellent tool to have in your arsenal if you happen to be running Metasploit on a system without Nmap installed.

SMB Version Scanning

Now that we have determined which hosts are available on the network, we can attempt to determine which operating systems they are running. This will help us narrow down our attacks to target a specific system and will stop us from wasting time on those that aren't vulnerable to a particular exploit.

Since there are many systems in our scan that have port 445 open, we will use the 'scanner/smb/version' module to determine which version of Windows is running on a target and which Samba version is on a Linux host.

msf > use scanner/smb/version msf auxiliary(version) > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24 msf auxiliary(version) > set THREADS 50 THREADS => 50 msf auxiliary(version) > run [*] 192.168.1.100 is running Windows 7 Enterprise (Build 7600) (language: Unknown) [*] 192.168.1.116 is running Unix Samba 3.0.22 (language: Unknown) [*] 192.168.1.121 is running Windows 7 Ultimate (Build 7100) (language: Unknown) [*] 192.168.1.151 is running Windows 2003 R2 Service Pack 2 (language: Unknown) [*] 192.168.1.111 is running Windows XP Service Pack 3 (language: English) [*] 192.168.1.114 is running Windows XP Service Pack 2 (language: English) [*] 192.168.1.124 is running Windows XP Service Pack 3 (language: English) [*] Auxiliary module execution completed
Also notice that if we issue the 'db_hosts' command now, the newly acquired information is stored in Metasploit's database.

msf auxiliary(version) > db_hosts [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.1 Status: alive OS: [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.2 Status: alive OS: [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.10 Status: alive OS: [*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.100 Status: alive OS: Windows Windows 7 Enterprise [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.104 Status: alive OS: [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.109 Status: alive OS: [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.111 Status: alive OS: Windows Windows XP [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.114 Status: alive OS: Windows Windows XP [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.116 Status: alive OS: Unknown Unix [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.121 Status: alive OS: Windows Windows 7 Ultimate [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.123 Status: alive OS: [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.124 Status: alive OS: Windows Windows XP [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.137 Status: alive OS: [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.150 Status: alive OS: [*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.151 Status: alive OS: Windows Windows 2003 R2

Idle Scanning

Nmap's IPID Idle scanning allows us to be a little stealthy scanning a target while spoofing the IP address of another host on the network. In order for this type of scan to work, we will need to locate a host that is idle on the network and uses IPID sequences of either Incremental or Broken Little-Endian Incremental. Metasploit contains the module 'scanner/ip/ipidseq' to scan and look for a host that fits the requirements.

For more information on idle scanning with Nmap, see http://nmap.org/book/idlescan.html

msf auxiliary(writable) > use scanner/ip/ipidseq msf auxiliary(ipidseq) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port THREADS 1 yes The number of concurrent threads TIMEOUT 500 yes The reply read timeout in milliseconds msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24 msf auxiliary(ipidseq) > set THREADS 50 THREADS => 50 msf auxiliary(ipidseq) > run [*] 192.168.1.1's IPID sequence class: All zeros [*] 192.168.1.2's IPID sequence class: Incremental! [*] 192.168.1.10's IPID sequence class: Incremental! [*] 192.168.1.104's IPID sequence class: Randomized [*] 192.168.1.109's IPID sequence class: Incremental! [*] 192.168.1.111's IPID sequence class: Incremental! [*] 192.168.1.114's IPID sequence class: Incremental! [*] 192.168.1.116's IPID sequence class: All zeros [*] 192.168.1.124's IPID sequence class: Incremental! [*] 192.168.1.123's IPID sequence class: Incremental! [*] 192.168.1.137's IPID sequence class: All zeros [*] 192.168.1.150's IPID sequence class: All zeros [*] 192.168.1.151's IPID sequence class: Incremental! [*] Auxiliary module execution completed
Judging by the results of our scan, we have a number of potential zombies we can use to perform idle scanning. We'll try scanning a host using the zombie at 192.168.1.109 and see if we get the same results we had earlier.

msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.114 [*] exec: nmap -PN -sI 192.168.1.109 192.168.1.114 Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-14 05:51 MDT Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental Interesting ports on 192.168.1.114: Not shown: 996 closed|filtered ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-term-serv MAC Address: 00:0C:29:41:F2:E8 (VMware) Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds

Notes on Scanners and Auxiliary Modules

Keep the THREADS value under 16 on native Win32 systems

Keep THREADS under 200 when running MSF under Cygwin

On Unix-like operating systems, THREADS can be set to 256.

Port Scanning

In addition to running Nmap, there are a variety of other port scanners that are available to us within the framework.

msf > search portscan
[*] Searching loaded modules for pattern 'portscan'...

Auxiliary
=========

   Name                        Description
   ----                        -----------
   scanner/portscan/ack        TCP ACK Firewall Scanner
   scanner/portscan/ftpbounce  FTP Bounce Port Scanner
   scanner/portscan/syn        TCP SYN Port Scanner
   scanner/portscan/tcp        TCP Port Scanner
   scanner/portscan/xmas       TCP "XMas" Port Scanner

For the sake of comparison, we'll compare our Nmap scan results for port 80 with a Metasploit scanning module. First, let's determine what hosts had port 80 open according to Nmap.

msf > cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
[*] exec: cat subnet_1.gnmap | grep 80/open | awk '{print $2}'

192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.109
192.168.1.116
192.168.1.150

The Nmap scan we ran earlier was a SYN scan so we'll run the same scan across the subnet looking for port 80 through our eth0 interface using Metasploit.

msf > use scanner/portscan/syn
msf auxiliary(syn) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run

[*]  TCP OPEN 192.168.1.1:80
[*]  TCP OPEN 192.168.1.2:80
[*]  TCP OPEN 192.168.1.10:80
[*]  TCP OPEN 192.168.1.109:80
[*]  TCP OPEN 192.168.1.116:80
[*]  TCP OPEN 192.168.1.150:80
[*] Auxiliary module execution completed

So we can see that Metasploit's built-in scanner modules are more than capable of finding systems and open port for us. It's just another excellent tool to have in your arsenal if you happen to be running Metasploit on a system without Nmap installed.

SMB Version Scanning

msf > use scanner/smb/version
msf auxiliary(version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(version) > set THREADS 50
THREADS => 50
msf auxiliary(version) > run

[*] 192.168.1.100 is running Windows 7 Enterprise (Build 7600) (language: Unknown)
[*] 192.168.1.116 is running Unix Samba 3.0.22 (language: Unknown)
[*] 192.168.1.121 is running Windows 7 Ultimate (Build 7100) (language: Unknown)
[*] 192.168.1.151 is running Windows 2003 R2 Service Pack 2 (language: Unknown)
[*] 192.168.1.111 is running Windows XP Service Pack 3 (language: English)
[*] 192.168.1.114 is running Windows XP Service Pack 2 (language: English)
[*] 192.168.1.124 is running Windows XP Service Pack 3 (language: English)
[*] Auxiliary module execution completed

Also notice that if we issue the 'db_hosts' command now, the newly acquired information is stored in Metasploit's database.

msf auxiliary(version) > db_hosts
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.1 Status: alive OS:
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.2 Status: alive OS:
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.10 Status: alive OS:
[*] Time: Thu Aug 13 19:39:05 -0600 2009 Host: 192.168.1.100 Status: alive OS: Windows Windows 7 Enterprise
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.104 Status: alive OS:
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.109 Status: alive OS:
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.111 Status: alive OS: Windows Windows XP
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.114 Status: alive OS: Windows Windows XP
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.116 Status: alive OS: Unknown Unix
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.121 Status: alive OS: Windows Windows 7 Ultimate
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.123 Status: alive OS:
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.124 Status: alive OS: Windows Windows XP
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.137 Status: alive OS:
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.150 Status: alive OS:
[*] Time: Thu Aug 13 19:39:06 -0600 2009 Host: 192.168.1.151 Status: alive OS: Windows Windows 2003 R2

Idle Scanning

msf auxiliary(writable) > use scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  500              yes       The reply read timeout in milliseconds

msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run

[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.2's IPID sequence class: Incremental!
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] 192.168.1.104's IPID sequence class: Randomized
[*] 192.168.1.109's IPID sequence class: Incremental!
[*] 192.168.1.111's IPID sequence class: Incremental!
[*] 192.168.1.114's IPID sequence class: Incremental!
[*] 192.168.1.116's IPID sequence class: All zeros
[*] 192.168.1.124's IPID sequence class: Incremental!
[*] 192.168.1.123's IPID sequence class: Incremental!
[*] 192.168.1.137's IPID sequence class: All zeros
[*] 192.168.1.150's IPID sequence class: All zeros
[*] 192.168.1.151's IPID sequence class: Incremental!
[*] Auxiliary module execution completed

Judging by the results of our scan, we have a number of potential zombies we can use to perform idle scanning. We'll try scanning a host using the zombie at 192.168.1.109 and see if we get the same results we had earlier.

msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.114
[*] exec: nmap -PN -sI 192.168.1.109 192.168.1.114

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-14 05:51 MDT
Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental
Interesting ports on 192.168.1.114:
Not shown: 996 closed|filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:0C:29:41:F2:E8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds

Username
Password
Remember me

System message

Notes on Scanners and Auxiliary Modules

Port Scanning

SMB Version Scanning

Idle Scanning

Notes on Scanners and Auxiliary Modules

Port Scanning

SMB Version Scanning

Idle Scanning