178 | Chapter 6: Owning Metasploit

Example 6-3. Services database
msf auxiliary(auxiliary/scanner/portscan/tcp) > services -S 192.168.86.48
Services
========

host           port   proto  name                  state  info
----           ----   -----  ----                  -----  ----
192.168.86.48  22     tcp    ssh                   open   OpenSSH 7.1 protocol 2.0
192.168.86.48  135    tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  139    tcp    netbios-ssn           open   Microsoft Windows netbios-ssn
192.168.86.48  445    tcp    microsoft-ds          open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
192.168.86.48  1617   tcp                          open
192.168.86.48  3000   tcp    http                  open   WEBrick httpd 1.3.1 Ruby 2.3.3 (2016-11-21)
192.168.86.48  3306   tcp    mysql                 open   MySQL 5.5.20-log
192.168.86.48  3389   tcp    ms-wbt-server         open
192.168.86.48  3700   tcp                          open
192.168.86.48  3820   tcp                          open
192.168.86.48  3920   tcp    ssl/exasoftport1      open
192.168.86.48  4848   tcp    ssl/http              open   Oracle Glassfish Application Server
192.168.86.48  5985   tcp                          open
192.168.86.48  7676   tcp    java-message-service  open   Java Message Service 301
192.168.86.48  8009   tcp    ajp13                 open   Apache Jserv Protocol v1.3
192.168.86.48  8019   tcp                          open
192.168.86.48  8020   tcp                          open
192.168.86.48  8022   tcp    http                  open   Apache Tomcat/Coyote JSP engine 1.1
192.168.86.48  8027   tcp                          open
192.168.86.48  8028   tcp                          open
192.168.86.48  8031   tcp    ssl/unknown           open
192.168.86.48  8032   tcp                          open
192.168.86.48  8080   tcp    http                  open   Sun GlassFish Open Source Edition 4.0
192.168.86.48  8181   tcp    ssl/http              open   Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
192.168.86.48  8282   tcp                          open
192.168.86.48  8383   tcp    ssl/http              open   Apache httpd
192.168.86.48  8443   tcp    ssl/https-alt         open
192.168.86.48  8444   tcp                          open
192.168.86.48  8484   tcp                          open
192.168.86.48  8585   tcp                          open
192.168.86.48  8686   tcp                          open
192.168.86.48  9200   tcp    http                  open   Elasticsearch REST API 1.1.1 name: Super Rabbit; Lucene 4.7
192.168.86.48  9300   tcp                          open
192.168.86.48  49152  tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  49153  tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  49154  tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  49155  tcp    msrpc                 open   Microsoft Windows RPC
Based on this, we can go in numerous directions. It's worth doing some service scanning, though, to see whether we can get some additional details.
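As an added example (not code from the book), here is a small Python parser for the `services` table layout shown in Example 6-3. It takes the column offsets from the dashed underline, so the blank name column of an unidentified port parses correctly, and then sorts the inventory into what is already fingerprinted, what is open but still unidentified (the ports the follow-up service scan needs to cover), and which listeners are TLS-wrapped or SMB. The sample table is constructed from a few rows of the example above.

```python
import re

# Constructed sample in the layout msfconsole prints for `services -S <host>`,
# using a handful of rows from Example 6-3.
SAMPLE = """\
Services
========

host           port   proto  name          state  info
----           ----   -----  ----          -----  ----
192.168.86.48  22     tcp    ssh           open   OpenSSH 7.1 protocol 2.0
192.168.86.48  445    tcp    microsoft-ds  open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
192.168.86.48  1617   tcp                  open
192.168.86.48  4848   tcp    ssl/http      open   Oracle Glassfish Application Server
192.168.86.48  9200   tcp    http          open   Elasticsearch REST API 1.1.1 name: Super Rabbit; Lucene 4.7
"""


def parse_services(text):
    """Parse the `services` table into one dict per row, keyed by header names."""
    lines = text.splitlines()
    # The dashed underline marks the table body; each run of dashes starts a column.
    dash_idx = next(i for i, line in enumerate(lines) if line.startswith("----"))
    starts = [m.start() for m in re.finditer(r"-+", lines[dash_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
    header = [lines[dash_idx - 1][s:e].strip() for s, e in bounds]
    rows = []
    for line in lines[dash_idx + 1:]:
        if not line.strip():
            continue
        rec = dict(zip(header, (line[s:e].strip() for s, e in bounds)))
        rec["port"] = int(rec["port"])
        rows.append(rec)
    return rows


def triage(rows):
    """Split the inventory so the follow-up service scan can target only the unknowns."""
    fingerprinted = {r["port"]: r["info"] or r["name"] for r in rows if r["name"]}
    unidentified = sorted(r["port"] for r in rows if r["state"] == "open" and not r["name"])
    tls_wrapped = sorted(r["port"] for r in rows if r["name"].startswith("ssl/"))
    smb = sorted(r["port"] for r in rows if r["name"] in ("netbios-ssn", "microsoft-ds"))
    return {"fingerprinted": fingerprinted, "unidentified": unidentified,
            "tls_wrapped": tls_wrapped, "smb": smb}


if __name__ == "__main__":
    for key, value in triage(parse_services(SAMPLE)).items():
        print(f"{key}: {value}")
```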
SMB Scanning
The Server Message Block (SMB) protocol has been used by Microsoft Windows as a way to share information and manage systems remotely for many versions. Using this protocol, we can gather a lot of details about our target. For starters, we can get the operating system version as well as the name of the server. Metasploit modules can be used to extract details from the target. While many of them require authentication, some can be used without any login credentials. The first one we will look at, as you can see in Example 6-4, is the smb_version module. This provides specifics about our target system.
Example 6-4. Using smb_version against the target system
msf auxiliary(scanner/smb/smb2) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.86.48
RHOSTS => 192.168.86.48
msf auxiliary(scanner/smb/smb_version) > run
[+] 192.168.86.48:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:VAGRANT-2008R2) (workgroup:WORKGROUP )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Some systems will allow you to gather a list of shares (directories that have been advertised on the network as available to read or write remotely) without providing credentials. If a system administrator is doing the right things, this wouldn't be possible. However, in the name of expedience, sometimes the wrong things are done. As a result, it's worth trying to enumerate the shares on remote systems. Example 6-5 shows the use of smb_enumshares to acquire the shares that are exposed to the outside world.
Example 6-5. Using msfconsole for scanning
msf auxiliary(scanner/smb/smb_enumusers_domain) > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(scanner/smb/smb_enumshares) > show options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name  Current Setting  Required  Description