Friday, 14 February 2014

Information Gathering with Metasploit!

Your goals during intelligence gathering should be to gain
accurate information about your targets without revealing
your presence or your intentions, to learn how the
organization operates, and to determine the best route
of entry.

If you don’t do a thorough job of intelligence gathering, you may
miss vulnerable systems. It takes time and patience to sort through
web pages, perform Google hacking, and map systems thoroughly in an
attempt to understand the infrastructure of a particular target. At
this step, you will attempt to collect as much information about the
target environment as possible.


Port Scanning:
We conduct port scans for open ports on the target, or conduct scans
to determine what services are running. Each system or running
service that we discover gives us another opportunity for
exploitation. But beware: if you get careless during active
information gathering, you might be nabbed by an IDS or intrusion
prevention system (IPS)—not a good outcome for the covert penetration
tester.

Nmap is, by far, the most popular port scanning tool. It integrates
with Metasploit quite elegantly, storing scan output in a database.
Nmap lets you scan hosts to identify the services running on each,
any of which might offer a way in.

Nmap has quite a few options, but we’ll use just a few of them for
the most part.
One of our preferred nmap options is -sS. This runs a TCP SYN
("stealth", half-open) scan that determines whether a specific
TCP-based port is open; it needs raw-socket privileges, which is why
the examples below run as root. Another preferred option is -Pn, which
tells nmap not to use ping to determine whether a system is running;
instead, it treats every host as “alive” and scans it, so on a large
range expect a slower scan.

Now let’s run a quick nmap scan against a target using
both the -sS and -Pn flags:

root@kali:~# nmap -sS -Pn 127.0.0.1

When the scan completes, nmap reports a list of open ports, along with
a description of the associated service for each.

For more detail, try using the -A flag. This option will attempt
advanced service enumeration and banner grabbing, which may give you
even more details about the target system.

root@kali:~# nmap -Pn -sS -A 127.0.0.1


Working with Databases in Metasploit :

When you’re running a complex penetration test with a lot of targets,
keeping track of everything can be a challenge. Luckily, Metasploit
has you covered with expansive support for multiple database systems.


To ensure that database support is available for your system, you should
first decide which database system you want to run. Metasploit supports
MySQL and PostgreSQL; because PostgreSQL is the default, we’ll stick with
it in this discussion.
First, we start the database subsystem using the built-in Kali Linux
init.d scripts.


root@kali:~# /etc/init.d/postgresql-8.3 start

After PostgreSQL has started, we tell the Framework to connect to the
database instance. This connection requires a username, a password,
the name of the host on which the database is running, and the name of
the database we want to use.

Let’s make the connection.
msf > db_connect postgres:toor@127.0.0.1/msfbook

For now, we’ll use db_status to make sure that we’re connected
correctly.
msf > db_status
[*] postgresql connected to msfbook

Importing Nmap Results into Metasploit:
First, we scan the target using the -oX option so that nmap writes its
results to a Subnet1.xml file (the filename given to -oX is used as
written, so include the .xml extension if you want it):

nmap -Pn -sS -A -oX Subnet1.xml 192.168.1.0/24

After generating the XML file, we use the db_import command to import
it into our database. We can then verify that the import worked by using the
db_hosts command, which lists the host entries that have been created, as
shown here:

msf > db_connect postgres:toor@127.0.0.1/msfbook
msf > db_import Subnet1.xml
msf > db_hosts -c address
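To see what db_import actually pulls out of an Nmap -oX report, here is an added example (not code from the original post or from the Metasploit project) that parses a small, constructed Nmap XML document with Python's standard library and builds the same kind of host and service inventory that db_hosts and db_services later show. The sample XML, its addresses, hostnames and banners are all made up for this example; the parser itself handles real -oX output, including hosts that -Pn marks "up" even though every port is filtered.

```python
"""Parse Nmap -oX output into a host/service inventory (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of an Nmap XML report, similar in shape to what
# `nmap -Pn -sS -A -oX Subnet1.xml 192.168.1.0/24` writes.  All addresses,
# hostnames, products and versions below are invented for this example.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Subnet1.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.15" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="96"/></os>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="1000"/></ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    name: str
    product: str
    version: str


@dataclass
class Host:
    address: str
    mac: str | None = None
    hostname: str | None = None
    os_guess: str | None = None
    services: list[Service] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list[Host]:
    """Return one Host per 'up' host in the report; only open ports become services.

    Scan output from a machine you do not control is untrusted input; for that
    case parse with a hardened XML parser (e.g. defusedxml) instead of ET directly.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report")
    hosts: list[Host] = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # db_import likewise only records live hosts
        host = Host(address="")
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                host.address = a.get("addr", "")
            elif a.get("addrtype") == "mac":
                host.mac = a.get("addr")
        if not host.address:
            continue
        hn = h.find("hostnames/hostname")
        host.hostname = hn.get("name") if hn is not None else None
        om = h.find("os/osmatch")  # present only when -A/-O produced a match
        host.os_guess = om.get("name") if om is not None else None
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = p.find("service")
            attr = svc.attrib if svc is not None else {}
            host.services.append(Service(
                port=int(p.get("portid", "0")),
                proto=p.get("protocol", "tcp"),
                name=attr.get("name", "unknown"),
                product=attr.get("product", ""),
                version=attr.get("version", ""),
            ))
        hosts.append(host)
    return hosts


def host_addresses(hosts: list[Host]) -> list[str]:
    """The equivalent of `db_hosts -c address`."""
    return [h.address for h in hosts]


def services_table(hosts: list[Host]) -> list[tuple[str, int, str, str, str]]:
    """Rows of (address, port, proto, name, banner), like `db_services`."""
    rows = []
    for h in hosts:
        for s in sorted(h.services, key=lambda s: s.port):
            banner = " ".join(x for x in (s.product, s.version) if x)
            rows.append((h.address, s.port, s.proto, s.name, banner))
    return rows


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr in host_addresses(inventory):
        print(addr)
    for row in services_table(inventory):
        print("%-15s %5d/%s %-14s %s" % row)
```

Point parse_nmap_xml at the contents of a real Subnet1.xml to get the same listing outside msfconsole; note that the third host shows up in the host list with no services at all, which is exactly the kind of "alive" entry -Pn creates when a host never answers.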
