Target service scanning with auxiliary modules
Let us now try out some targeted scanning for specific services running on a range of IP addresses, or on a single target host. Various service-based scans are available; VNC, FTP, SMB, and so on. Auxiliary modules can be really handy in such situations when we are looking for specific types of services on our target.
Getting ready
Let us find out what service-based scanning auxiliary modules are available to us. We can navigate through the following path:
root@bt:~# cd /pentest/exploits/framework3/modules/auxiliary/scanner root@bt:/pentest/exploits/framework3/modules/auxiliary/scanner# ls backdoor emc ip mysql pop3 sap ssh vnc db2 finger lotus netbios portscan sip telephony voice dcerpc ftp misc nfs postgres smb telnet vxworks dect http motorola ntp rogue smtp tftp x11 discovery imap mssql oracle rservices snmp upnp
As we can see, there are lots of options for service scan modules which can be very handy during penetration testing. Let us quickly work some of them.
How to do it...
The working of these service scanning modules is similar to using any other module. We will follow the same three step process that we learned in the previous recipe.
Let us work on the NetBIOS module. Scanning for NetBIOS can be beneficial in identifying the Windows operating system. We will scan a range of networks this time to find out which machine is running a NetBIOS service.
msf > use auxiliary/scanner/netbios/nbname msf auxiliary(nbname) > show options Module options (auxiliary/scanner/netbios/nbname): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to probe CHOST no The local client address RHOSTS yes The target address range RPORT 137 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(nbname) > set RHOSTS 192.168.56.1/24 RHOSTS => 192.168.56.1/24 msf auxiliary(nbname) > set THREADS 10 THREADS => 10 msf > use auxiliary/scanner/netbios/nbname msf auxiliary(nbname) > show options Module options (auxiliary/scanner/netbios/nbname): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to probe CHOST no The local client address RHOSTS yes The target address range RPORT 137 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(nbname) > set RHOSTS 192.168.56.1/24 RHOSTS => 192.168.56.1/24 msf auxiliary(nbname) > set THREADS 10 THREADS => 10
RHOSTS is now set to scan the entire range of IP addresses and the number of threads is also set to ten. Let us now run this module and analyze the result.
msf auxiliary(nbname) > run [*] Sending NetBIOS status requests to 192.168.56.0->192.168.56.255 (256 hosts) [*] 192.168.56.1 [DARKLORD-PC] OS:Windows Names:(DARKLORD-PC, WORKGROUP, __MSBROWSE__) Addresses:(192.168.56.1) Mac:08:00:27:00:a8:a3 [*] 192.168.56.103 [SP3] OS:Windows Names:(SP3, WORKGROUP) Addresses:(10.0.2.15, 192.168.56.103) Mac:08:00:27:4b:65:35 [*] 192.168.56.102 [ABHINAV-5C02603] OS:Windows Names:(ABHINAV-5C02603, WORKGROUP) Addresses:(10.0.2.15, 192.168.56.102) Mac:08:00:27:34:a8:87 [*] Scanned 256 of 256 hosts (100% complete)
The network has three machines running on the scanned network that are using NetBIOS. The scan has also reported their respective MAC addresses.
Let us perform another service scan. This time we will try to locate which machines are running the MySQL database server. Also, we will try to find out the version of the server.
msf > use auxiliary/scanner/mysql/mysql_version msf auxiliary(mysql_version) > show options Module options (auxiliary/scanner/mysql/mysql_version): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range RPORT 3306 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(mysql_version) > set RHOSTS 192.168.56.1/24 RHOSTS => 192.168.56.1/24 msf auxiliary(mysql_version) > set THREADS 10 THREADS => 10 msf auxiliary(mysql_version) > run [*] 192.168.56.102:3306 is running MySQL, but responds with an error: \x04Host '192.168.56.101' is not allowed to connect to this MySQL server
The scanning process has detected that the IP address 192.168.56.102 is running a MySQL server, but unfortunately, it couldn't connect with the server. This is another demonstration of how easy and handy auxiliary modules are, and they can provide us with lots of useful information as well.
It is recommended that one should try out all the auxiliary scanner modules available as they can help you in better understanding your target.
How it works...
Auxiliary modules are special purpose modules that are built to perform a particular task. There can be situations when you have to perform only a particular type of scan to discover services. For example, the MySQL auxiliary scanner detects the presence of the database by pinging the default port number (3306). It further checks if the default login is enabled on the database or not. You can analyze the script at /modules/auxiliary/scanner. You can extend the code according to your need, or even re-use the script to build your own specific auxiliary scanner.