Using Metasploit to perform layer 2 discovery
Metasploit is primarily an exploitation tool, and this functionality will be discussed in great length in the upcoming chapters. However, in addition to its primary function, Metasploit also has a number of auxiliary modules that can be used for various scanning and information gathering tasks. One auxiliary module, in particular, can be used to perform ARP scanning on the local subnet. This is helpful for many, as Metasploit is a tool that most penetration testers are familiar with, and the integration of this function into Metasploit reduces the total number of tools required for the duration of a given test. This specific recipe will demonstrate how to use Metasploit to perform ARP discovery.
Getting ready
To use Metasploit to perform ARP discovery, you will need to have at least one system on the LAN that will respond to ARP requests. In the examples provided, a combination of Linux and Windows systems are used. For more information on setting up systems in a local lab environment, please refer to the Installing Metasploitable2 and Installing Windows Server recipes in Chapter 1, Getting Started.
How to do it…
Although often considered an exploitation framework, Metasploit also has a large number of auxiliary modules that can be useful in scanning and information gathering. There is one auxiliary module in particular that can be used to perform layer 2 discovery. To start the Metasploit framework, use the msfconsole command. Then, the use command in conjunction with the desired module can be used to configure the scan:

root@KaliLinux:~# msfconsole

       =[ metasploit v4.6.0-dev [core:4.6 api:1.0]
+ -- --=[ 1053 exploits - 590 auxiliary - 174 post
+ -- --=[ 275 payloads - 28 encoders - 8 nops

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) >
Once the module has been selected, you can view the configurable options using the show options command:

msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data
These are configuration options that specify information about the targets to be scanned, the scanning system, and scan settings. Most of the information for this particular scan can be collected by examining the interface configurations of the scanning system. Conveniently, system shell commands can be passed while in the Metasploit Framework Console. In the following example, a system call is made to execute ifconfig without ever leaving the Metasploit Framework Console interface:

msf auxiliary(arp_sweep) > ifconfig eth1
[*] exec: ifconfig eth1

eth1      Link encap:Ethernet  HWaddr 00:0c:29:09:c3:79
          inet addr:172.16.36.180  Bcast:172.16.36.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe09:c379/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1576971 errors:1 dropped:0 overruns:0 frame:0
          TX packets:1157669 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:226795966 (216.2 MiB)  TX bytes:109929055 (104.8 MiB)
          Interrupt:19 Base address:0x2080
The interface to be used for this scan is the eth1 interface. As layer 2 scans are only effective for identifying live hosts on the local subnet, we should look to the scanning system's IP address and subnet mask to determine the range to scan. In this case, the IP address and subnet mask indicate that we should scan the 172.16.36.0/24 range. Additionally, the source IP address and MAC address of the scanning system can be identified in these configurations. To define the configurations in Metasploit, use the set command, followed by the variable to be defined, and then the value that you want to assign to it:

msf auxiliary(arp_sweep) > set interface eth1
interface => eth1
msf auxiliary(arp_sweep) > set RHOSTS 172.16.36.0/24
RHOSTS => 172.16.36.0/24
msf auxiliary(arp_sweep) > set SHOST 172.16.36.180
SHOST => 172.16.36.180
msf auxiliary(arp_sweep) > set SMAC 00:0c:29:09:c3:79
SMAC => 00:0c:29:09:c3:79
msf auxiliary(arp_sweep) > set THREADS 20
THREADS => 20
msf auxiliary(arp_sweep) > set TIMEOUT 1
TIMEOUT => 1
Once the scan configurations have been set, the settings can be reviewed once again by using the show options command. This should now display all the values that were previously set:

msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   INTERFACE  eth1               no        The name of the interface
   RHOSTS     172.16.36.0/24     yes       The target address range or CIDR identifier
   SHOST      172.16.36.180      no        Source IP Address
   SMAC       00:0c:29:09:c3:79  no        Source MAC Address
   THREADS    20                 yes       The number of concurrent threads
   TIMEOUT    1                  yes       The number of seconds to wait for new data
Upon verifying that all the settings are configured correctly, the scan can then be launched using the run command. This particular module will then print out any live hosts discovered with ARP. It will also indicate the Network Interface Card (NIC) vendor, as defined by the first 3 bytes (the OUI) of the MAC address of each discovered host:

msf auxiliary(arp_sweep) > run

[*] 172.16.36.1 appears to be up (VMware, Inc.).
[*] 172.16.36.2 appears to be up (VMware, Inc.).
[*] 172.16.36.132 appears to be up (VMware, Inc.).
[*] 172.16.36.135 appears to be up (VMware, Inc.).
[*] 172.16.36.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
How it works…
The underlying principle for how ARP discovery is performed by Metasploit is the same as in the preceding layer 2 discovery recipes. A series of ARP requests is broadcast on the local segment, and the ARP responses are recorded and output. The output of the Metasploit auxiliary module provides the IP address of every live system and, in parentheses, the MAC vendor name derived from the OUI of the responding MAC address.
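The following is an added example, not code from the book or from the Metasploit project, that shows the wire-level mechanics described above from the defender's side: it parses raw Ethernet/ARP frames, resolves the OUI to a vendor name the way arp_sweep's output does, and flags a sender that probes many distinct targets, which is what a /24 sweep such as the one in this recipe looks like on the segment. The trace, the OUI table and the threshold are constructed for the example.

```python
# Added example (not from the book): parse raw Ethernet/ARP frames, resolve the
# OUI of a MAC to a vendor, and flag a sender probing many distinct targets,
# which is the on-wire signature of an ARP sweep. All frames are constructed.
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed OUI table; a real deployment would load the IEEE OUI registry.
OUI_VENDORS = {"00:0c:29": "VMware, Inc.", "00:50:56": "VMware, Inc."}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None  # not an ARP EtherType
    # ARP header after the 14-byte Ethernet header: htype, ptype, hlen, plen, oper
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return oper, mac_str(sha), str(IPv4Address(spa)), str(IPv4Address(tpa))

def vendor(mac: str) -> str:
    """Vendor lookup on the first three bytes of the MAC, as arp_sweep reports it."""
    return OUI_VENDORS.get(mac[:8], "unknown")

def detect_sweeps(frames, threshold=16):
    """Return {sender_mac: distinct_targets} for senders at or above the threshold."""
    targets = defaultdict(set)
    for f in frames:
        p = parse_arp(f)
        if p and p[0] == 1:  # opcode 1 = ARP request (who-has)
            targets[p[1]].add(p[3])
    return {mac: len(t) for mac, t in targets.items() if len(t) >= threshold}

def arp_request(smac: bytes, sip: str, tip: str) -> bytes:
    """Build a broadcast who-has frame; used only to construct the sample trace."""
    eth = b"\xff" * 6 + smac + b"\x08\x06"
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, smac,
                             IPv4Address(sip).packed, b"\x00" * 6, IPv4Address(tip).packed)

SCANNER = bytes.fromhex("000c2909c379")  # the recipe's Kali host MAC
# Constructed trace: a full /24 sweep from the scanner plus one ordinary request.
TRACE = [arp_request(SCANNER, "172.16.36.180", f"172.16.36.{h}") for h in range(1, 255)]
TRACE.append(arp_request(bytes.fromhex("0050560a0b0c"), "172.16.36.1", "172.16.36.180"))

if __name__ == "__main__":
    for mac, n in detect_sweeps(TRACE).items():
        print(f"possible ARP sweep from {mac} ({vendor(mac)}): {n} targets probed")
```

Capturing real frames requires a raw socket or a pcap reader in place of the constructed TRACE list; the parsing and thresholding logic is unchanged.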