Working with Metasploit scanners

Metasploit provides us with many scanning modules. To list the available scanners from within msfconsole, type

info auxiliary/scanner/


search scanner

and hit tab to discover that MSF has over 240 scanners available.

HTTP Scanning
There are many http scanners available in Metasploit. We are going to use the http_version
scanner. Select it,

use auxiliary/scanner/http/http_version

and type

show options

for a list of available options.

msf auxiliary(http_version) > show options
Module options (auxiliary/scanner/http/http_version):
Name Current Setting Required Description
—- ————— ——– ———–
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host

Select your target host,

set RHOSTS target_host_ip

and run the module.

Microsoft SQL Server discovery
To see a list of all modules relative to mssql issue the command

search mssql

Choose mssql_ping module,

use auxiliary/scanner/mssql/mssql_ping

scan the whole network

set THREADS 255

and run the module. Sit back and let Metasploit discover all mssql servers on the net!

MySQL discovery
To find all mysql auxiliary modules issue the command

search mysql

Choose mysql_version module,

use auxiliary/scanner/mysql/mysql_version

scan the whole network

set THREADS 50

and run the module.
Wait until Metasploit discovers all mysql servers and their versions!

FTP scanning
FTP is an insecure protocol. FTP servers are one of the easiest ways to get into the target network. Always check to see if anonymous access is allowed whenever you encounter an open FTP port. To check for anonymous access, issue the command

use auxiliary/scanner/ftp/anonymous

set the options appropriate and run the module. To identify ftp version, there is a suitable module called ftp_version. Type

use auxiliary/scanner/ftp/ftp_version

to use it.

SSH scanning
SSH although is a very secure protocol but there are vulnerabilities in various implementations and you should determine which version is running on the target . You can use the ssh_version module to determine the SSH version running on the target server. To choose ssh_version module,

use auxiliary/scanner/ssh/ssh_version

and set RHOSTS and THREADS accordingly.

SNMP enumeration and login
SNMP is typically used in network devices to report information. So there is a chance to find information about a specific system by enumerating SNMP port. If you can find a Cisco device running, and you can get the read/write SNMP community string, you can actually download the entire device configuration, modify it, and upload your own malicious configuration back to the router.
Metasploit comes with a built in auxiliary module specifically for sweeping SNMP devices. After you guess the community strings, SNMP itself can allow from excessive information disclosure to system compromise. To gain access to a switch, we have to guess its community strings. Execute the command

use auxiliary/scanner/snmp/snmp_login

set rhosts to target machine’s ip address and run the module.

VNC scanner
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the RFB protocol to remotely control another computer. It transmits the keyboard and mouse events from
one computer to another, relaying the graphical screen updates back in the other direction, over a network. Imagine what control over the compromised machine you will have if you manage to
find a VNC server with default configuration or with no password at all. The VNC Authentication None Scanner scans an ip address or a range of IP addresses looking for targets that are
running a VNC server without a password configured. To use vnc scanner execute

use auxiliary/scanner/vnc/vnc_none_auth

set rhosts to an ip range, for example and run the module. Don’t forget to increase the number of the threads if you are scanning more than one targets.

Open_X11 scanner
The X window system is a software system and network protocol that provides a basis for graphical user interfaces and rich input device capability for networked computers. Like VNC, if
you find a host with X11 enabled and with default configuration, you will control the host completely. The open_x11 scanner module scans a target or multiple targets for X11 servers that will allow a user to connect without any authentication. To use the module, select the auxiliary module

use auxiliary/scanner/x11/open_x11

define your options and run it.

This post is part of my article about metasploit which was originally published in PenTest Magazine, August issue.