Port Scanning

From Metasploit Unleashed

Although we have already set up and configured dradis to store our notes and findings, it is still good practice to create a new database from within Metasploit as the data can still be useful to have for quick retrieval and for use in certain attack scenarios.

msf > db_connect -y /opt/framework/config/database.yml
msf > help
...snip...
Database Backend Commands
=========================

    Command        Description
    -------        -----------
    creds          List all credentials in the database
    db_connect     Connect to an existing database
    db_disconnect  Disconnect from the current database instance
    db_driver      Specify a database driver
    db_export      Export a file containing the contents of the database
    db_import      Import a scan result file (filetype will be auto-detected)
    db_nmap        Executes nmap and records the output automatically
    db_status      Show the current database status
    hosts          List all hosts in the database
    loot           List all loot in the database
    notes          List all notes in the database
    services       List all services in the database
    vulns          List all vulnerabilities in the database
    workspace      Switch between database workspaces

msf >

We can use the 'db_nmap' command to run an Nmap scan against our targets and have the scan results stored in the newly created database. However, if you also wish to import the scan results into dradis, you will likely want to export the scan results in XML format. It is always nice to have all three Nmap outputs (XML, grepable, and normal), so we can run the Nmap scan using the '-oA' flag followed by the desired filename to generate the three output files, then issue the 'db_import' command to populate the Metasploit database.

If you don't wish to import your results into dradis, simply run Nmap using 'db_nmap' with the options you would normally use, omitting the output flag. The example below would then be "db_nmap -v -sV 192.168.1.0/24".

msf > nmap -v -sV 192.168.1.0/24 -oA subnet_1
[*] exec: nmap -v -sV 192.168.1.0/24 -oA subnet_1

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 19:29 MDT
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 19:29
Scanning 101 hosts [1 port/host]
...
Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds
Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)

With the scan finished, we will issue the 'db_import' command, which will automatically detect the file type and import the Nmap XML file.

msf > db_import subnet_1.xml
[*] Importing 'Nmap XML' data
[*] Importing host 192.168.1.1
[*] Importing host 192.168.1.2
[*] Importing host 192.168.1.11
[*] Importing host 192.168.1.100
[*] Importing host 192.168.1.101
...snip...

Results of the imported Nmap scan can be viewed via the 'hosts' and 'services' commands:

msf > hosts -c address,mac

Hosts
=====

address        mac
-------        ---
192.168.1.1    C6:E9:5B:12:DC:5F
192.168.1.100  58:B0:35:6A:4E:CC
192.168.1.101  
192.168.1.102  58:55:CA:14:1E:61
...snip...

msf > services -c port,state

Services
========

host           port   state
----           ----   -----
192.168.1.1    22     open
192.168.1.1    53     open
192.168.1.1    80     open
192.168.1.1    3001   open
192.168.1.1    8080   closed
192.168.1.100  22     open
192.168.1.101  22     open
192.168.1.101  80     open
192.168.1.101  7004   open
192.168.1.101  9876   open
...snip...
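To make clear what 'db_import' actually does with the XML file, here is an added example (not Metasploit's own code, and not from the Metasploit Unleashed authors) that parses an Nmap XML report into a small SQLite model of the 'hosts' and 'services' tables and then answers the same queries as 'hosts -c address,mac' and 'services -c port,state'. The XML report embedded below is constructed to resemble the subnet_1.xml output shown above; the table schema, the function names and the choice to skip hosts Nmap reported as down are assumptions of this example, not behaviour documented for db_import.

```python
import ipaddress
import sqlite3
import xml.etree.ElementTree as ET

# Constructed, abridged Nmap XML report (not a real capture), shaped like the
# subnet_1.xml file imported in the text: two live hosts, one of them with no
# MAC address (scanned across a router, so ARP gave nothing), plus one host
# that Nmap reported down and that we therefore do not record.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -v -sV 192.168.1.0/24 -oA subnet_1" version="5.00">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="C6:E9:5B:12:DC:5F" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3001"><state state="open"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.50" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def create_schema(conn):
    """Toy equivalent of the framework's hosts and services tables (assumed schema)."""
    conn.executescript("""
        CREATE TABLE hosts (address TEXT PRIMARY KEY, mac TEXT);
        CREATE TABLE services (host TEXT, port INTEGER, proto TEXT, state TEXT, name TEXT,
                               PRIMARY KEY (host, port, proto));
    """)


def import_nmap_xml(conn, xml_text):
    """Parse an Nmap XML report and upsert live hosts and their ports.

    Returns the list of host addresses that were imported, in file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":          # db_import auto-detects the type; we only accept Nmap
        raise ValueError("not an Nmap XML report")
    imported = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                   # assumption: down hosts are not worth a row
        ipv4 = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ipv4 = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ipv4 is None:
            continue
        conn.execute("INSERT OR REPLACE INTO hosts VALUES (?, ?)", (ipv4, mac))
        for port in host.findall("./ports/port"):
            state = port.find("state")
            svc = port.find("service")
            conn.execute(
                "INSERT OR REPLACE INTO services VALUES (?, ?, ?, ?, ?)",
                (ipv4, int(port.get("portid")), port.get("protocol"),
                 state.get("state") if state is not None else None,
                 svc.get("name") if svc is not None else None),
            )
        imported.append(ipv4)
    conn.commit()
    return imported


def hosts(conn):
    """Same view as 'hosts -c address,mac': (address, mac) tuples in IP order."""
    rows = conn.execute("SELECT address, mac FROM hosts").fetchall()
    return sorted(rows, key=lambda r: ipaddress.ip_address(r[0]))


def services(conn, state=None):
    """Same view as 'services -c port,state', optionally filtered on port state."""
    sql, params = "SELECT host, port, state FROM services", ()
    if state is not None:
        sql, params = sql + " WHERE state = ?", (state,)
    rows = conn.execute(sql, params).fetchall()
    return sorted(rows, key=lambda r: (ipaddress.ip_address(r[0]), r[1]))


def load_sample():
    """Build an in-memory database populated from the constructed report."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    import_nmap_xml(conn, SAMPLE_NMAP_XML)
    return conn


if __name__ == "__main__":
    db = load_sample()
    for address, mac in hosts(db):
        print(f"{address:<15}{mac or ''}")
    for host, port, state in services(db):
        print(f"{host:<15}{port:<7}{state}")
```

Run it directly to print the two tables; note that the closed 8080 port on 192.168.1.1 is kept, exactly as the 'services' output above shows, so filter on state when you only want listening services. Standard-library xml.etree does not resolve external entities, but if you routinely ingest XML produced on machines you do not control, parsing it with defusedxml instead is the conservative choice.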

Also, with the Nmap scan completed, we can import the results into dradis via the web interface. Once imported, refresh the view and you will see the results of the imported Nmap scan in an easy-to-navigate tree format.

[Figure: Dradis1.png, the imported Nmap scan results as shown in dradis]