Exploring auxiliary modules for scanning
Auxiliary modules are the built-in modules of the Metasploit framework that help us perform a variety of tasks. They differ from exploits in that they run on the pen-tester's machine and do not provide a shell. There are more than 350 auxiliary modules in the Metasploit framework, each with a specific task. Here we will discuss the scanner auxiliary modules.
Getting ready
To use any auxiliary modules, we will have to follow three simple steps in order to make our module ready to launch. Let us go through the three-step process.
- Activating the module: The use command is used to set the particular module active and ready to take commands.
- Setting specifications: The set command is used to set up the various parameters that the module requires to execute.
- Running the module: After completing the first two steps, the run command is used to finally execute the module and generate the result.
To view the available scanning modules in the Metasploit framework, we can browse to the following location:
root@bt:~# cd /pentest/exploits/framework3/modules/auxiliary/scanner
To start using the modules, we will have to launch our msfconsole session.
How to do it...
Let us now practically implement these steps to run a port scanning auxiliary module.
To begin with, let us search for the port scanning modules available for us in the framework.
msf > search portscan

Matching Modules
================

   Name                                  Disclosure Date  Rank    Description
   ----                                  ---------------  ----    -----------
   auxiliary/scanner/portscan/ack                         normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                   normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                         normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                         normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                        normal  TCP "XMas" Port Scanner

We can see the list of available scanners. It contains some of the basic scan types that we have discussed in the previous recipes. Let us start with a simple SYN scan.
How it works...
Now we will follow our three-step process to start using the module. Let us start with the first step.
- To activate the module, we will execute the following command:
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) >
We will find that the prompt has changed to the module we want to use. This indicates that the module is now active.
- Now let us see what parameters are required by the module. This will be done by using the show options command:

msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan
   RHOSTS                      yes       target address range or CIDR
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds
The first column lists all the parameters the module accepts. The column named Required tells us which parameters must be given a value: every parameter marked yes has to contain one. As we can see, most of them already hold default values. RHOSTS, which is required but has no default, holds the IP address range we want to scan, so let us set the RHOSTS parameter to our target IP address:

msf auxiliary(syn) > set RHOSTS 192.168.56.1
RHOSTS => 192.168.56.1
Now our module is ready to perform a SYN scan on our target IP address. Using the set command, we can also change the other values. For example, if we want to change the range of port numbers, the following command does the job:

msf auxiliary(syn) > set PORTS 1-500
- Finally, our last step will be to execute the module to perform its respective action:
msf auxiliary(syn) > run
On successful execution of the run command, the module will perform a SYN scan and produce results.
There's more...
Let us understand the use of threads in the next section.
Setting and managing the number of threads can greatly enhance the performance of auxiliary modules. If you have to scan an entire network or a range of IP addresses, increasing the number of threads will make the scan faster.
msf auxiliary(syn) > set THREADS 10
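The three-step procedure above (use, set, run), together with the THREADS setting from this section, as an added example that is not from the book or from the Metasploit project: a short Ruby script that parses the show options table quoted in the recipe, checks that every option marked Required = yes actually has a value before run is issued (RHOSTS is the one that ships empty), and emits the equivalent msfconsole resource-script lines. The function names and the sample settings are constructed for this example.

```ruby
# Added example (not from the book or from Metasploit): turn the
# use / set / run procedure into a checked msfconsole resource script.
# The option table below is the `show options` output quoted in the
# recipe; the function names and sample settings are constructed here.

SYN_SHOW_OPTIONS = <<~TEXT
  Module options (auxiliary/scanner/portscan/syn):

     Name       Current Setting  Required  Description
     ----       ---------------  --------  -----------
     BATCHSIZE  256              yes       number of hosts to scan per set
     INTERFACE                   no        The name of the interface
     PORTS      1-10000          yes       Ports to scan
     RHOSTS                      yes       target address range or CIDR
     SNAPLEN    65535            yes       The number of bytes to capture
     THREADS    1                yes       The number of concurrent threads
     TIMEOUT    500              yes       The reply read timeout in milliseconds
TEXT

# Parse the option table into { "NAME" => { default: "...", required: bool } }.
# A blank "Current Setting" cell (INTERFACE, RHOSTS) is the awkward case:
# splitting on whitespace would shift the columns, so we cut each row at the
# character positions of the column headers instead.
def parse_show_options(text)
  lines  = text.lines.map(&:rstrip)
  header = lines.find { |l| l =~ /\bName\b.*\bCurrent Setting\b.*\bRequired\b/ }
  raise ArgumentError, "no option header found" unless header

  col_name = header.index("Name")
  col_set  = header.index("Current Setting")
  col_req  = header.index("Required")
  col_desc = header.index("Description")

  options = {}
  # Skip the header itself and the ---- underline beneath it.
  lines.drop(lines.index(header) + 2).each do |line|
    next if line.strip.empty?
    name = line[col_name...col_set].to_s.strip
    next if name.empty?
    options[name] = {
      default:  line[col_set...col_req].to_s.strip,
      required: line[col_req...col_desc].to_s.strip == "yes",
    }
  end
  options
end

# Names of options that are required, have no default, and were not set:
# exactly the ones `run` would refuse to proceed without.
def missing_required(options, settings)
  options.select do |name, opt|
    opt[:required] && opt[:default].empty? && !settings.key?(name)
  end.keys
end

# Build the resource-script lines for the three steps. Refuses to emit
# `run` while a required option is still unset or an unknown option is given.
def build_resource_script(module_path, options, settings)
  missing = missing_required(options, settings)
  raise ArgumentError, "unset required option(s): #{missing.join(', ')}" unless missing.empty?
  unknown = settings.keys - options.keys
  raise ArgumentError, "unknown option(s): #{unknown.join(', ')}" unless unknown.empty?

  lines = ["use #{module_path}"]
  settings.each { |name, value| lines << "set #{name} #{value}" }
  lines << "run"
end

if __FILE__ == $PROGRAM_NAME
  opts = parse_show_options(SYN_SHOW_OPTIONS)
  # Sample settings (constructed): the target, port range and thread count
  # used in the recipe.
  settings = { "RHOSTS" => "192.168.56.1", "PORTS" => "1-500", "THREADS" => "10" }
  puts build_resource_script("auxiliary/scanner/portscan/syn", opts, settings)
end
```

Save the printed lines to a file such as syn.rc and feed it to msfconsole with `-r syn.rc`, or paste them at the msf prompt; the point of the pre-flight check is that a forgotten RHOSTS is caught before the scan is started rather than after.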