Example 6-3. Services database
msf auxiliary(auxiliary/scanner/portscan/tcp) > services -S 192.168.86.48

Services
========

host           port   proto  name                  state  info
----           ----   -----  ----                  -----  ----
192.168.86.48  22     tcp    ssh                   open   OpenSSH 7.1 protocol 2.0
192.168.86.48  135    tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  139    tcp    netbios-ssn           open   Microsoft Windows netbios-ssn
192.168.86.48  445    tcp    microsoft-ds          open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
192.168.86.48  1617   tcp                          open
192.168.86.48  3000   tcp    http                  open   WEBrick httpd 1.3.1 Ruby 2.3.3 (2016-11-21)
192.168.86.48  3306   tcp    mysql                 open   MySQL 5.5.20-log
192.168.86.48  3389   tcp    ms-wbt-server         open
192.168.86.48  3700   tcp                          open
192.168.86.48  3820   tcp                          open
192.168.86.48  3920   tcp    ssl/exasoftport1      open
192.168.86.48  4848   tcp    ssl/http              open   Oracle Glassfish Application Server
192.168.86.48  5985   tcp                          open
192.168.86.48  7676   tcp    java-message-service  open   Java Message Service 301
192.168.86.48  8009   tcp    ajp13                 open   Apache Jserv Protocol v1.3
192.168.86.48  8019   tcp                          open
192.168.86.48  8020   tcp                          open
192.168.86.48  8022   tcp    http                  open   Apache Tomcat/Coyote JSP engine 1.1
192.168.86.48  8027   tcp                          open
192.168.86.48  8028   tcp                          open
192.168.86.48  8031   tcp    ssl/unknown           open
192.168.86.48  8032   tcp                          open
192.168.86.48  8080   tcp    http                  open   Sun GlassFish Open Source Edition 4.0
192.168.86.48  8181   tcp    ssl/http              open   Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
192.168.86.48  8282   tcp                          open
192.168.86.48  8383   tcp    ssl/http              open   Apache httpd
192.168.86.48  8443   tcp    ssl/https-alt         open
192.168.86.48  8444   tcp                          open
192.168.86.48  8484   tcp                          open
192.168.86.48  8585   tcp                          open
192.168.86.48  8686   tcp                          open
192.168.86.48  9200   tcp    http                  open   Elasticsearch REST API 1.1.1 name: Super Rabbit; Lucene 4.7
192.168.86.48  9300   tcp                          open
192.168.86.48  49152  tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  49153  tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  49154  tcp    msrpc                 open   Microsoft Windows RPC
192.168.86.48  49155  tcp    msrpc                 open   Microsoft Windows RPC
Based on this, we can go in numerous directions. It's worth doing some service scanning, though, to see if we can get some additional details.
SMB Scanning
The Server Message Block (SMB) protocol has been used by Microsoft Windows across many versions as a way to share information and manage systems remotely. Using this protocol, we can gather a lot of details about our target. For starters, we can get the operating system version as well as the name of the server. Metasploit modules can be used to extract these details from the target. While many of them require authentication, some can be used without any login credentials. The first one we will look at, as you can see in Example 6-4, is the smb_version module, which provides specifics about our target system.
Example 6-4. Using smb_version against the target system
msf auxiliary(scanner/smb/smb2) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.86.48
RHOSTS => 192.168.86.48
msf auxiliary(scanner/smb/smb_version) > run

[+] 192.168.86.48:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:VAGRANT-2008R2) (workgroup:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Some systems will allow you to gather a list of shares, directories that have been advertised on the network as available to read from or write to remotely, without providing credentials. If a system administrator is doing the right things, this wouldn't be possible. However, in the name of expedience, sometimes the wrong things are done. As a result, it's worth trying to enumerate the shares on remote systems. Example 6-5 shows the use of smb_enumshares to acquire the shares that are exposed to the outside world.
Example 6-5. Using msfconsole for scanning
msf auxiliary(scanner/smb/smb_enumusers_domain) > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(scanner/smb/smb_enumshares) > show options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name       Current Setting  Required  Description