Wednesday, 26 February 2014

Writing Your Own Custom Scanner

There are times when you need a specific scanner, or when running the scan
from inside Metasploit is easier to script than driving an external program.
Metasploit brings a lot to the table here: access to all of the exploit
classes and methods, built-in support for proxies and SSL, reporting into the
database, and built-in threading. Typical uses are finding every host that
accepts a given password, or locating every instance of a custom service.

Writing your own scanner module is also useful during security audits: it
lets you locate every instance of a bad password, or scan in-house for a
vulnerable service that still needs to be patched.

We will use a very simple TCP scanner that connects to each host on a
default port of 1337, which can be changed through the module options at run
time. Upon connecting, it sends 'Hello world', reads the response and prints
it out together with the IP address of the remote host.


Here is the source code:



----------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  # Tcp supplies connect/disconnect and the 'sock' handle;
  # Scanner supplies RHOSTS/THREADS and calls run_host once per target.
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'My custom TCP scan',
      'Version'        => '$Revision: 1 $',
      'Description'    => 'My quick scanner',
      'Author'         => 'Your name here',
      'License'        => MSF_LICENSE
    )
    # RHOSTS and THREADS already come from the Scanner mixin;
    # we only add the port, with 1337 as the default.
    register_options(
      [
        Opt::RPORT(1337)
      ], self.class)
  end

  # Called by the Scanner mixin for every host in RHOSTS.
  def run_host(ip)
    connect()
    greeting = "Hello world"
    sock.puts(greeting)
    data = sock.recv(1024)
    print_status("Received: #{data} from #{ip}")
  ensure
    # always release the socket, even if the host answers with garbage
    disconnect()
  end
end
----------------------------------------------------------------------

We have saved this custom module under modules/auxiliary/scanner/ as
simple_tcp.rb. The location matters: Metasploit derives a module's
reference name from its path, so this file is loaded as
auxiliary/scanner/simple_tcp. If msfconsole is already running, issue
reload_all so it picks up the new file.


To test this rudimentary scanner, we set up a netcat listener on port 1337
and feed it a text file to act as the server response. Netcat answers the
first connection with that banner and then exits, so restart it before each
run.

root@bt:/# echo "Hello Metasploit" > banner.txt
root@bt:/# nc -lvnp 1337 < banner.txt
listening on [any] 1337...


Next, we load up msfconsole, select our scanner module, set its parameters,
and run it to see if it works.

msf > use auxiliary/scanner/simple_tcp
msf auxiliary(simple_tcp) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    1337             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(simple_tcp) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf auxiliary(simple_tcp) > run
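The netcat smoke test only exercises the happy path. A real range scan also hits closed ports, hosts that accept the connection and never answer, and hosts that close without sending anything; the module above would hang on the second case because sock.recv blocks with no timeout. The following plain-Ruby harness is added here and is not part of the original post or of Metasploit. It reproduces run_host's exchange with the standard socket library (Socket.tcp and IO.select instead of the framework's connect/sock helpers, which are assumed unavailable outside msfconsole) against a constructed in-process stand-in for the netcat listener, so the protocol logic and its failure modes can be checked before the module is dropped into the framework. The names grab_banner, scan_hosts, start_banner_server and BANNER are this example's own.

```ruby
require 'socket'

# Constructed stand-in for the netcat listener above: every client that
# connects has its greeting read, gets BANNER back, and is disconnected.
BANNER = "Hello Metasploit\n".freeze

def start_banner_server(banner = BANNER)
  server = TCPServer.new('127.0.0.1', 0)   # port 0 asks the OS for a free port
  Thread.new do
    loop do
      client = server.accept
      begin
        client.gets                          # consume the scanner's greeting
        client.write(banner)
      ensure
        client.close
      end
    end
  end
  server.addr[1]                             # the port the listener landed on
end

# The same exchange as run_host: connect, send the greeting, read up to
# 1024 bytes. Returns a result hash instead of printing, and names the
# outcomes a range scan meets that the happy path ignores.
def grab_banner(host, port, greeting: 'Hello world', timeout: 2.0)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.puts(greeting)
  # recv would block forever on a host that accepts and stays silent
  return { status: :timeout, data: nil } unless IO.select([sock], nil, nil, timeout)
  data = sock.recv(1024)
  if data.empty?                             # peer closed without answering
    { status: :closed, data: nil }
  else
    { status: :ok, data: data.strip }
  end
rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EHOSTUNREACH, Errno::ETIMEDOUT => e
  { status: :unreachable, data: nil, error: e.class.name }
ensure
  sock.close if sock && !sock.closed?
end

# RHOSTS/THREADS in miniature: probe hosts in batches of `threads`,
# collecting one result per host so a single failure never aborts the scan.
def scan_hosts(hosts, port, threads: 4)
  results = {}
  lock = Mutex.new
  hosts.each_slice(threads) do |batch|
    batch.map { |host|
      Thread.new { r = grab_banner(host, port); lock.synchronize { results[host] = r } }
    }.each(&:join)
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  port = start_banner_server
  scan_hosts(['127.0.0.1'], port).each do |host, r|
    puts "[*] #{host}:#{port} #{r[:status]} #{r[:data]}"
  end
end
```

Run it with `ruby scanner_harness.rb` (any filename works) and it prints one line per host in the same shape as the module's print_status. When the logic is moved back into the module, the Rex socket behind `sock` offers get_once with a timeout for the same purpose as the IO.select guard here, and the Scanner mixin already catches connection errors per host, so only the silent-host case needs the extra handling.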

