A targeted scan looks for specific operating systems, services,
program versions, or configurations that are known to be exploitable
and that provide an easy door into a target network.
SMB Version Scanning:
Now that we have determined which hosts are available on the network,
we can attempt to determine which operating systems they are running.
We will use the 'scanner/smb/smb_version' module to determine which
version of Windows is running on a target and which Samba version is
running on a Linux host.
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(smb_version) > set THREADS 11
THREADS => 11
msf auxiliary(smb_version) > run
If we issue the 'hosts' command now, we can see that the newly acquired
information has been stored in Metasploit's database.
Hunting for Poorly Configured Microsoft SQL Servers:
When MS SQL is installed, it listens by default either on TCP port 1433
or on a random dynamic TCP port. If MS SQL is listening on a dynamic port,
simply query UDP port 1434 (the SQL Server Browser service) to discover
on which dynamic TCP port MS SQL is listening.
Let us search and load the MSSQL ping module inside the msfconsole.
msf > search mssql
Exploits
========

   Name                                       Description
   ----                                       -----------
   windows/mssql/lyris_listmanager_weak_pass  Lyris ListManager MSDE Weak sa Password
   windows/mssql/ms02_039_slammer             Microsoft SQL Server Resolution Overflow
   windows/mssql/ms02_056_hello               Microsoft SQL Server Hello Overflow
   windows/mssql/mssql_payload                Microsoft SQL Server Payload Execution

Auxiliary
=========

   Name                           Description
   ----                           -----------
   admin/mssql/mssql_enum         Microsoft SQL Server Configuration Enumerator
   admin/mssql/mssql_exec         Microsoft SQL Server xp_cmdshell Command Execution
   admin/mssql/mssql_sql          Microsoft SQL Server Generic Query
   scanner/mssql/mssql_login      MSSQL Login Utility
   scanner/mssql/mssql_ping       MSSQL Ping Utility
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options
Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0
RHOSTS => 192.168.1.0
msf auxiliary(mssql_ping) > exploit
The first command we issued, 'search mssql', lists every module with
'mssql' in its name or description. The second, 'use
auxiliary/scanner/mssql/mssql_ping', loads the scanner module for us.
Next, 'show options' shows us which settings we need to specify. The
'set RHOSTS 192.168.1.0' command sets the target address we want to start
looking for SQL servers from.
Once the 'run' command (or its alias 'exploit', used above) is issued,
the scan is performed and pulls back the information each MSSQL server
reports about itself.
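The UDP 1434 query described above is the SQL Server Resolution Protocol (SSRP, MC-SQLR), which is what mssql_ping speaks under the hood. As an added example that is not part of the original post or of Metasploit, here is a small Python client that sends the CLNT_UCAST_EX request and parses the SVR_RESP answer into per-instance fields, so a defender can inventory the dynamic TCP ports the Browser service is advertising. The sample datagram is constructed for the demonstration; query_browser() is the only function that touches the network.

```python
import socket

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # "list all instances" request byte (MC-SQLR)
SVR_RESP = 0x05           # first byte of every server response

# Constructed sample response: two instances, one on the default port 1433
# and one (SQLEXPRESS) on a dynamic port that a firewall rule may not cover.
SAMPLE_BODY = (
    b"ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;1433;;"
    b"ServerName;SQL01;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;11.0.2100.60;tcp;49170;np;\\\\SQL01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_DATAGRAM = b"\x05" + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY


def parse_ssrp_response(data: bytes) -> list[dict]:
    """Turn an SVR_RESP datagram into one dict per advertised instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    length = int.from_bytes(data[1:3], "little")       # payload length, LE
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):                     # ";;" ends each instance
        fields = record.strip(";").split(";")
        if len(fields) < 2:                             # trailing empty record
            continue
        # Fields alternate key;value;key;value -> dict
        instances.append({fields[i]: fields[i + 1]
                          for i in range(0, len(fields) - 1, 2)})
    return instances


def dynamic_tcp_ports(instances: list[dict]) -> dict:
    """Map instance name -> TCP port for every instance that reports one."""
    return {i.get("InstanceName", "?"): int(i["tcp"]) for i in instances if "tcp" in i}


def query_browser(host: str, timeout: float = 2.0) -> list[dict]:
    """Send the CLNT_UCAST_EX ping to UDP 1434 on host and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)


if __name__ == "__main__":
    for name, port in dynamic_tcp_ports(parse_ssrp_response(SAMPLE_DATAGRAM)).items():
        print(f"{name}: tcp/{port}")
```

Compare the ports this returns against your firewall allow-list; an instance on a dynamic port like 49170 is exactly the kind of listener that a rule written only for 1433 misses.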