Scanner discovery auxiliary modules – metasploit unleashed

arp_sweep

When your target systems are located on the same LAN as your attacking machine, you can enumerate them by performing an ARP scan. Naturally, Metasploit includes a module to help you out.

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

Because of the way ARP scanning is performed, you need to give the scanner your own MAC address and source IP address for it to function properly: they go into the sender fields of every ARP request, and the targets unicast their replies to that MAC. Both options are listed as not required above; when they are left unset the module tries to read them from the interface it sends on, but on a multi-homed or VPN-attached host you should set INTERFACE, SHOST and SMAC explicitly so that replies come back to an address that actually exists on that segment. Sending raw ARP frames also requires root privileges (or the equivalent raw-socket capability) on the attacking machine.

msf auxiliary(arp_sweep) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(arp_sweep) > set SHOST 192.168.1.101
SHOST => 192.168.1.101
msf auxiliary(arp_sweep) > set SMAC d6:46:a7:38:15:65
SMAC => d6:46:a7:38:15:65
msf auxiliary(arp_sweep) > set THREADS 55
THREADS => 55
msf auxiliary(arp_sweep) > run

[*] 192.168.1.201 appears to be up.
[*] 192.168.1.203 appears to be up.
[*] 192.168.1.205 appears to be up.
[*] 192.168.1.206 appears to be up.
[*] 192.168.1.250 appears to be up.
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(arp_sweep) >

As you will see when running this module, ARP scanning completes very quickly, since each probe is a single broadcast frame and hosts on the segment answer without any IP-level handshake. It is also hard for a target to hide from: a host that drops ICMP echo requests at its firewall must still answer ARP to communicate at all, so an ARP sweep will usually find hosts that a ping sweep misses.
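The frames behind an ARP sweep, as an added example in Ruby (the framework's own language) that is not code from the Metasploit Unleashed page or from the arp_sweep module: it builds the Ethernet/ARP request frame for every address in an RHOSTS range and decodes reply frames the way the module's capture filter would, using the SHOST/SMAC pair from the session above. The reply frames, the expand_rhosts helper and every MAC address other than d6:46:a7:38:15:65 are constructed for the example; nothing is put on the wire, which would require root and a raw socket.

```ruby
# Added example, not code from the Metasploit Unleashed page or from the
# arp_sweep module: builds the Ethernet/ARP "who-has" frames an ARP sweep
# sends and decodes the "is-at" replies. Nothing is transmitted.
require 'ipaddr'

ETH_P_ARP   = 0x0806
ARP_REQUEST = 1
ARP_REPLY   = 2
BROADCAST   = 'ff:ff:ff:ff:ff:ff'
ZERO_MAC    = '00:00:00:00:00:00'

def mac_to_bytes(mac)
  mac.split(':').map { |h| h.to_i(16) }.pack('C6')
end

def bytes_to_mac(bytes)
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

def ip_to_bytes(ip)
  ip.split('.').map(&:to_i).pack('C4')
end

def bytes_to_ip(bytes)
  bytes.unpack('C4').join('.')
end

# 14-byte Ethernet header + 28-byte ARP body = one 42-byte frame.
# SMAC/SHOST fill the sender fields; a target unicasts its reply to that MAC,
# which is why the sweep needs a source that really exists on the segment.
def arp_frame(op, smac, shost, tmac, thost, dst_mac)
  eth = mac_to_bytes(dst_mac) + mac_to_bytes(smac) + [ETH_P_ARP].pack('n')
  arp = [1, 0x0800, 6, 4, op].pack('nnCCn') +   # hw=Ethernet, proto=IPv4, hlen, plen, opcode
        mac_to_bytes(smac) + ip_to_bytes(shost) +
        mac_to_bytes(tmac) + ip_to_bytes(thost)
  eth + arp
end

def arp_request(smac, shost, target_ip)
  arp_frame(ARP_REQUEST, smac, shost, ZERO_MAC, target_ip, BROADCAST)
end

# Hypothetical RHOSTS expander: accepts "a.b.c.x-y" ranges and CIDR notation
# (a subset of what the framework's own RHOSTS parser understands).
def expand_rhosts(rhosts)
  m = rhosts.match(/\A(\d+\.\d+\.\d+\.)(\d+)-(\d+)\z/)
  return (m[2].to_i..m[3].to_i).map { |n| "#{m[1]}#{n}" } if m
  IPAddr.new(rhosts).to_range.map(&:to_s)
end

def sweep_frames(smac, shost, rhosts)
  expand_rhosts(rhosts).map { |ip| [ip, arp_request(smac, shost, ip)] }
end

# Decode a captured frame: {ip:, mac:} for an ARP reply whose target IP is
# our SHOST (the capture filter a sweep applies), nil for anything else.
def parse_arp_reply(frame, shost)
  return nil if frame.bytesize < 42 || frame[12, 2].unpack('n')[0] != ETH_P_ARP
  hw, proto, hlen, plen, op = frame[14, 8].unpack('nnCCn')
  return nil unless hw == 1 && proto == 0x0800 && hlen == 6 && plen == 4 && op == ARP_REPLY
  return nil unless bytes_to_ip(frame[38, 4]) == shost
  { ip: bytes_to_ip(frame[28, 4]), mac: bytes_to_mac(frame[22, 6]) }
end

# Reduce captured frames to the "appears to be up" list the module prints.
def hosts_up(frames, shost)
  frames.map { |f| parse_arp_reply(f, shost) }.compact.uniq
        .sort_by { |h| h[:ip].split('.').map(&:to_i) }
end

US = ['d6:46:a7:38:15:65', '192.168.1.101'].freeze   # SMAC/SHOST from the session above

# Constructed frames standing in for what pcap would capture during a sweep.
SAMPLE_REPLIES = [
  arp_frame(ARP_REPLY, '00:0c:29:aa:bb:cc', '192.168.1.201', US[0], US[1], US[0]),
  arp_frame(ARP_REPLY, '00:0c:29:dd:ee:ff', '192.168.1.203', US[0], US[1], US[0]),
  arp_frame(ARP_REPLY, '00:0c:29:aa:bb:cc', '192.168.1.201', US[0], US[1], US[0]), # duplicate reply
  arp_frame(ARP_REPLY, '00:0c:29:11:22:33', '192.168.1.50', '00:50:56:00:00:01',
            '192.168.1.1', '00:50:56:00:00:01'),                                    # reply to someone else
  arp_request(US[0], US[1], '192.168.1.205')                                        # our own request echoed
].freeze

if __FILE__ == $PROGRAM_NAME
  frames = sweep_frames(US[0], US[1], '192.168.1.200-254')
  puts "#{frames.size} request frames, #{frames[0][1].bytesize} bytes each"
  hosts_up(SAMPLE_REPLIES, US[1]).each { |h| puts "[*] #{h[:ip]} appears to be up (#{h[:mac]})" }
end
```

The target-IP check in parse_arp_reply is what keeps a sweep from reporting replies meant for other hosts on the segment, and the uniq call is why a host that answers twice is printed once.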

ipv6_neighbor

The ipv6_neighbor auxiliary module probes the local network for IPv6 hosts that respond to Neighbor Solicitations with a link-local address. This module, like the arp_sweep one, will normally only work within the attacking machine's broadcast domain, since both ARP and IPv6 Neighbor Discovery are link-local protocols that routers do not forward.


msf > use auxiliary/scanner/discovery/ipv6_neighbor
msf auxiliary(ipv6_neighbor) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   PCAPFILE                    no        The name of the PCAP capture file to process
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       yes       Source IP Address
   SMAC                        yes       Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The number of seconds to wait for new data


In addition to setting our RHOSTS value, we also need to set our source MAC address (SMAC) and source host IP address (SHOST); unlike arp_sweep, this module lists both as required. We then set our THREADS value and let the scanner run.

msf auxiliary(ipv6_neighbor) > set RHOSTS 192.168.1.2-254
RHOSTS => 192.168.1.2-254
msf auxiliary(ipv6_neighbor) > set SHOST 192.168.1.101
SHOST => 192.168.1.101
msf auxiliary(ipv6_neighbor) > set SMAC d6:46:a7:38:15:65
SMAC => d6:46:a7:38:15:65
msf auxiliary(ipv6_neighbor) > set THREADS 55
THREADS => 55
msf auxiliary(ipv6_neighbor) > run

[*] IPv4 Hosts Discovery
[*] 192.168.1.10 is alive.
[*] 192.168.1.11 is alive.
[*] 192.168.1.2 is alive.
[*] 192.168.1.69 is alive.
[*] 192.168.1.109 is alive.
[*] 192.168.1.150 is alive.
[*] 192.168.1.61 is alive.
[*] 192.168.1.201 is alive.
[*] 192.168.1.203 is alive.
[*] 192.168.1.205 is alive.
[*] 192.168.1.206 is alive.
[*] 192.168.1.99 is alive.
[*] 192.168.1.97 is alive.
[*] 192.168.1.250 is alive.
[*] IPv6 Neighbor Discovery
[*] 192.168.1.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61
[*] 192.168.1.99 maps to IPv6 link local address fe80::5ab0:35ff:fe6a:4ecc
[*] 192.168.1.97 maps to IPv6 link local address fe80::7ec5:37ff:fef9:a96a
[*] Scanned 253 of 253 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ipv6_neighbor) >

Looking at the module output, you can see that this scanner serves a dual purpose: it first shows which hosts are online, much like arp_sweep, and then performs IPv6 Neighbor Discovery. The link-local address it looks for is the one derived from each host's MAC address (modified EUI-64, recognisable by the ff:fe in the middle of the interface identifier, as in all three addresses above), so a host that uses randomised or privacy interface identifiers will appear in the IPv4 phase but not in the IPv6 phase.
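The address arithmetic behind the "maps to IPv6 link local address" lines, as an added example in Ruby that is not code from the page or from the ipv6_neighbor module: a MAC address learned during the IPv4 phase is turned into a modified EUI-64 link-local address (RFC 4291), and a Neighbor Solicitation for that address with a valid ICMPv6 checksum is built (RFC 4861). The MACs in SAMPLE_ARP_RESULTS are constructed so that they reproduce the three addresses in the output above, the source address is derived from the SMAC used in the session, the exact probe the module sends is not shown on the page, and nothing is transmitted here.

```ruby
# Added example, not code from the page or from the ipv6_neighbor module:
# MAC -> EUI-64 link-local mapping and a Neighbor Solicitation with a valid
# ICMPv6 checksum. Sending would need root and a raw socket; nothing is sent.
require 'ipaddr'

ICMPV6_NEXT_HEADER  = 58
ND_NEIGHBOR_SOLICIT = 135

def mac_bytes(mac)
  mac.split(':').map { |h| h.to_i(16) }
end

def bytes_mac(bytes)
  bytes.map { |b| format('%02x', b) }.join(':')
end

# RFC 4291 appendix A: insert ff:fe in the middle and flip the U/L bit.
def mac_to_link_local(mac)
  b = mac_bytes(mac)
  b[0] ^= 0x02
  iid = b[0, 3] + [0xff, 0xfe] + b[3, 3]
  words = iid.each_slice(2).map { |hi, lo| (hi << 8) | lo }
  IPAddr.new("fe80::#{words.map { |w| w.to_s(16) }.join(':')}").to_s
end

# Reverse mapping; only EUI-64 derived addresses (ff:fe in the IID) carry a
# MAC, so privacy/random addresses yield nil.
def link_local_to_mac(addr)
  iid = IPAddr.new(addr).hton.bytes[8, 8]
  return nil unless iid[3] == 0xff && iid[4] == 0xfe
  b = iid[0, 3] + iid[5, 3]
  b[0] ^= 0x02
  bytes_mac(b)
end

# Solicited-node multicast group ff02::1:ffXX:XXXX and its Ethernet multicast
# MAC 33:33:ff:XX:XX:XX for a target address (RFC 4291 section 2.7.1).
def solicited_node(addr)
  last = IPAddr.new(addr).hton.bytes[13, 3]
  group = IPAddr.new(format('ff02::1:ff%02x:%02x%02x', *last)).to_s
  [group, bytes_mac([0x33, 0x33, 0xff] + last)]
end

# RFC 1071 ones'-complement checksum over 16-bit words.
def inet_checksum(data)
  data += "\x00" if data.bytesize.odd?
  sum = data.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

# ICMPv6 Neighbor Solicitation: type 135, code 0, checksum, reserved, target
# address, plus a Source Link-Layer Address option so the target can answer
# directly. The checksum covers the IPv6 pseudo-header (src, dst, len, nh=58).
def neighbor_solicitation(src_ip, src_mac, target_ip)
  dst_ip, dst_mac = solicited_node(target_ip)
  body = [ND_NEIGHBOR_SOLICIT, 0, 0, 0].pack('CCnN') + IPAddr.new(target_ip).hton +
         [1, 1].pack('CC') + mac_bytes(src_mac).pack('C6')
  pseudo = IPAddr.new(src_ip).hton + IPAddr.new(dst_ip).hton +
           [body.bytesize, ICMPV6_NEXT_HEADER].pack('NN')
  body[2, 2] = [inet_checksum(pseudo + body)].pack('n')
  { dst_ip: dst_ip, dst_mac: dst_mac, payload: body, pseudo_header: pseudo }
end

# Second phase of the scan: guess a link-local address for every MAC that
# answered the IPv4 sweep. Input is a constructed {ipv4 => mac} map.
def map_ipv4_to_link_local(arp_results)
  arp_results.transform_values { |mac| mac_to_link_local(mac) }
end

SAMPLE_ARP_RESULTS = {   # constructed; MACs chosen to reproduce the page's addresses
  '192.168.1.69' => '58:55:ca:14:1e:61',
  '192.168.1.99' => '58:b0:35:6a:4e:cc',
  '192.168.1.97' => '7c:c5:37:f9:a9:6a'
}.freeze

if __FILE__ == $PROGRAM_NAME
  src_mac = 'd6:46:a7:38:15:65'                     # SMAC from the session above
  src_ip  = mac_to_link_local(src_mac)
  map_ipv4_to_link_local(SAMPLE_ARP_RESULTS).each do |ip4, ip6|
    ns = neighbor_solicitation(src_ip, src_mac, ip6)
    puts "[*] #{ip4} maps to IPv6 link local address #{ip6} (NS -> #{ns[:dst_ip]} / #{ns[:dst_mac]})"
  end
end
```

Running inet_checksum over the pseudo-header plus the finished payload returns 0, which is the same check a receiving stack performs before it accepts the solicitation.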

udp_probe

The udp_probe module scans a given range of hosts for common UDP services. Note: this module is deprecated and may be removed at any time; udp_sweep, covered below, is its replacement.

msf > use auxiliary/scanner/discovery/udp_probe
[!] ******************************************************************************************
[!] *              The module scanner/discovery/udp_probe is deprecated!                     *
[!] *                  It will be removed on or about 2016-11-23                              *
[!] *              Use auxiliary/scanner/discovery/udp_sweep instead                         *
[!] ******************************************************************************************
msf auxiliary(udp_probe) > show options

Module options (auxiliary/scanner/discovery/udp_probe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   RHOSTS                    yes       The target address range or CIDR identifier
   THREADS  1                yes       The number of concurrent threads

There are very few required settings for this module, so we just configure the RHOSTS and THREADS values and let it run.

msf auxiliary(udp_probe) > set RHOSTS 192.168.1.2-254
RHOSTS => 192.168.1.2-254
msf auxiliary(udp_probe) > set THREADS 253
THREADS => 253
msf auxiliary(udp_probe) > run

[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
[*] Discovered NetBIOS on 192.168.1.109:137 (SAMSUNG::U :SAMSUNG::U :00:15:99:3f:40:bd)
[*] Discovered NetBIOS on 192.168.1.150:137 (XEN-WIN7-PROD::U :WORKGROUP::G :XEN-WIN7-PROD::U :WORKGROUP::G :aa:e3:27:6e:3b:a5)
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series OS V1.01.01.16 02-25-2008Engine 6.01.00NIC V4.03.08(CLX-3160) 02-25-2008S/N 8Y61B1GP400065Y.)
[*] Discovered NetBIOS on 192.168.1.206:137 (XEN-XP-PATCHED::U :XEN-XP-PATCHED::U :HOTZONE::G :HOTZONE::G :12:fa:1a:75:b8:a5)
[*] Discovered NetBIOS on 192.168.1.203:137 (XEN-XP-SPLOIT::U :WORKGROUP::G :XEN-XP-SPLOIT::U :WORKGROUP::G :3e:ff:3c:4c:89:67)
[*] Discovered NetBIOS on 192.168.1.201:137 (XEN-XP-SP2-BARE::U :HOTZONE::G :XEN-XP-SP2-BARE::U :HOTZONE::G :HOTZONE::U :__MSBROWSE__::G :c6:ce:4e:d9:c9:6e)
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series OS V1.01.01.16 02-25-2008Engine 6.01.00NIC V4.03.08(CLX-3160) 02-25-2008S/N 8Y61B1GP400065Y.)
[*] Discovered NTP on 192.168.1.69:123 (NTP v4)
[*] Discovered NetBIOS on 192.168.1.250:137 (FREENAS::U :FREENAS::U :FREENAS::U :__MSBROWSE__::G :WORKGROUP::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00)
[*] Discovered NTP on 192.168.1.203:123 (Microsoft NTP)
[*] Discovered MSSQL on 192.168.1.206:1434 (ServerName=XEN-XP-PATCHED InstanceName=SQLEXPRESS IsClustered=No Version=9.00.4035.00 tcp=1050 np=\\XEN-XP-PATCHED\pipe\MSSQL$SQLEXPRESS\sql\query )
[*] Discovered NTP on 192.168.1.206:123 (Microsoft NTP)
[*] Discovered NTP on 192.168.1.201:123 (Microsoft NTP)
[*] Scanned 029 of 253 hosts (011% complete)
[*] Scanned 052 of 253 hosts (020% complete)
[*] Scanned 084 of 253 hosts (033% complete)
[*] Scanned 114 of 253 hosts (045% complete)
[*] Scanned 140 of 253 hosts (055% complete)
[*] Scanned 160 of 253 hosts (063% complete)
[*] Scanned 184 of 253 hosts (072% complete)
[*] Scanned 243 of 253 hosts (096% complete)
[*] Scanned 250 of 253 hosts (098% complete)
[*] Scanned 253 of 253 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(udp_probe) >

As you can see in the above output, our quick little scan discovered many services running on a wide variety of platforms. The duplicate SNMP lines for 192.168.1.2 and 192.168.1.109 are expected: the module sends more than one SNMP probe and prints every reply it receives rather than de-duplicating them, so treat the output as a list of replies, not of hosts.

udp_sweep

The udp_sweep module scans across a given range of hosts to detect commonly available UDP services. Rather than working host by host, it sends all of its probes to a whole batch of hosts (BATCHSIZE) at once and then collects the replies, which is what makes it the faster of the two modules.

msf > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS                      yes       The target address range or CIDR identifier
   THREADS    10               yes       The number of concurrent threads

To configure this module, we simply need to set the RHOSTS and THREADS values and run it.

msf auxiliary(udp_sweep) > set RHOSTS 192.168.1.2-254
RHOSTS => 192.168.1.2-254
msf auxiliary(udp_sweep) > set THREADS 253
THREADS => 253
msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to 192.168.1.2->192.168.1.254 (253 hosts)
[*] Discovered NetBIOS on 192.168.1.109:137 (SAMSUNG::U :SAMSUNG::U :00:15:99:3f:40:bd)
[*] Discovered NetBIOS on 192.168.1.150:137 (XEN-WIN7-PROD::U :WORKGROUP::G :XEN-WIN7-PROD::U :WORKGROUP::G :aa:e3:27:6e:3b:a5)
[*] Discovered NetBIOS on 192.168.1.203:137 (XEN-XP-SPLOIT::U :WORKGROUP::G :XEN-XP-SPLOIT::U :WORKGROUP::G :3e:ff:3c:4c:89:67)
[*] Discovered NetBIOS on 192.168.1.201:137 (XEN-XP-SP2-BARE::U :HOTZONE::G :XEN-XP-SP2-BARE::U :HOTZONE::G :HOTZONE::U :__MSBROWSE__::G :c6:ce:4e:d9:c9:6e)
[*] Discovered NetBIOS on 192.168.1.206:137 (XEN-XP-PATCHED::U :XEN-XP-PATCHED::U :HOTZONE::G :HOTZONE::G :12:fa:1a:75:b8:a5)
[*] Discovered NetBIOS on 192.168.1.250:137 (FREENAS::U :FREENAS::U :FREENAS::U :__MSBROWSE__::G :WORKGROUP::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00)
[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series OS V1.01.01.16 02-25-2008Engine 6.01.00NIC V4.03.08(CLX-3160) 02-25-2008S/N 8Y61B1GP400065Y.)
[*] Discovered NTP on 192.168.1.69:123 (NTP v4)
[*] Discovered NTP on 192.168.1.99:123 (NTP v4)
[*] Discovered NTP on 192.168.1.201:123 (Microsoft NTP)
[*] Discovered NTP on 192.168.1.203:123 (Microsoft NTP)
[*] Discovered NTP on 192.168.1.206:123 (Microsoft NTP)
[*] Discovered MSSQL on 192.168.1.206:1434 (ServerName=XEN-XP-PATCHED InstanceName=SQLEXPRESS IsClustered=No Version=9.00.4035.00 tcp=1050 np=\\XEN-XP-PATCHED\pipe\MSSQL$SQLEXPRESS\sql\query )
[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series OS V1.01.01.16 02-25-2008Engine 6.01.00NIC V4.03.08(CLX-3160) 02-25-2008S/N 8Y61B1GP400065Y.)
[*] Scanned 253 of 253 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(udp_sweep) >

With minimal effort, we have once again identified a wide range of services running on many different platforms within our network. Keep in mind that these probes are single UDP datagrams with no handshake: a service only shows up if it actually answers the specific payload sent to it, and a closed or filtered port produces nothing, so a host missing from this list may still be running a UDP service that simply did not respond to the probe.
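What a UDP service sweep actually sends, as an added example in Ruby covering both udp_probe and udp_sweep; it is not code from the page or from either module. It builds one datagram for each of four services seen in the output above (an SNMPv1 GetRequest for sysDescr.0, a NetBIOS node-status query, an NTP client request and an MSSQL Browser request) and parses a constructed MSSQL Browser reply into the key=value pairs printed in the "Discovered MSSQL" line. The probe bytes follow the protocol specifications rather than the modules' own payloads, probe_host is a hypothetical sender that is never invoked automatically, and SAMPLE_SSRP is constructed from the line on the page.

```ruby
# Added example, not code from the page or from udp_probe/udp_sweep: builds
# the single-datagram probes such a sweep sends for SNMP, NetBIOS, NTP and
# MSSQL, and parses a constructed MSSQL Browser (SSRP) reply.
require 'socket'

# --- minimal BER encoder, enough for an SNMPv1 GetRequest -----------------
def ber(tag, content)
  len = content.bytesize
  hdr = len < 0x80 ? [len].pack('C') : [0x82, len].pack('Cn')   # short or 2-byte long form
  [tag].pack('C') + hdr + content
end

def ber_oid(oid)
  ids = oid.split('.').map(&:to_i)
  out = [ids[0] * 40 + ids[1]]
  ids.drop(2).each do |id|                       # base-128, high bit set on all but the last byte
    chunk = [id & 0x7f]
    chunk.unshift((id & 0x7f) | 0x80) while (id >>= 7) > 0
    out.concat(chunk)
  end
  out.pack('C*')
end

# SNMPv1 GetRequest for sysDescr.0 with the "public" community; a reply is
# what produces lines like "GSM7224 L2 Managed Gigabit Switch" above.
def snmp_get_request(community: 'public', oid: '1.3.6.1.2.1.1.1.0', request_id: 1)
  varbind = ber(0x30, ber(0x06, ber_oid(oid)) + ber(0x05, ''))          # OID + NULL value
  pdu = ber(0xa0, ber(0x02, [request_id].pack('C')) +                    # request-id (< 128)
                  ber(0x02, "\x00") + ber(0x02, "\x00") +                 # error-status, error-index
                  ber(0x30, varbind))
  ber(0x30, ber(0x02, "\x00") + ber(0x04, community) + pdu)              # version 0 = SNMPv1
end

# --- NetBIOS Name Service node-status (NBSTAT) query for the wildcard name
def netbios_encode(name)
  name.ljust(16, "\x00").bytes.flat_map { |b| [(b >> 4) + 0x41, (b & 0x0f) + 0x41] }.pack('C*')
end

def nbstat_query(txid: 0x1337)
  header = [txid, 0x0000, 1, 0, 0, 0].pack('n6')          # flags 0, one question
  qname  = [32].pack('C') + netbios_encode('*') + "\x00"
  header + qname + [0x0021, 0x0001].pack('nn')            # QTYPE NBSTAT, QCLASS IN
end

# --- NTP client request: LI=0, VN=4, Mode=3, remaining 47 bytes zero
def ntp_request
  [0x23].pack('C') + "\x00" * 47
end

# --- MSSQL Browser (SSRP) CLNT_UCAST_EX: one byte asks for every instance
def ssrp_request
  "\x03"
end

# SSRP SVR_RESP: 0x05, little-endian length, then "key;value;...;;" per instance.
def parse_ssrp_response(data)
  return [] unless data.bytesize >= 3 && data.getbyte(0) == 0x05
  len = data[1, 2].unpack('v')[0]
  data[3, len].split(';;').reject(&:empty?).map { |inst| inst.split(';').each_slice(2).to_h }
end

PROBES = {   # port => [service name, payload]
  161  => ['SNMP', snmp_get_request],
  137  => ['NetBIOS', nbstat_query],
  123  => ['NTP', ntp_request],
  1434 => ['MSSQL', ssrp_request]
}.freeze

# Hypothetical sender: fires every probe at one host and keeps whatever answers
# before the deadline. Network I/O; call it deliberately, e.g. probe_host('192.168.1.206').
def probe_host(host, timeout: 2)
  sock = UDPSocket.new
  PROBES.each { |port, (_, payload)| sock.send(payload, 0, host, port) }
  replies = {}
  deadline = Time.now + timeout
  while (left = deadline - Time.now) > 0 && IO.select([sock], nil, nil, left)
    data, addr = sock.recvfrom(65_535)
    replies[PROBES.fetch(addr[1], [addr[1].to_s])[0]] = data
  end
  replies
ensure
  sock&.close
end

# Constructed SVR_RESP matching the "Discovered MSSQL on 192.168.1.206:1434" line.
SAMPLE_SSRP_BODY = 'ServerName;XEN-XP-PATCHED;InstanceName;SQLEXPRESS;IsClustered;No;' \
                   'Version;9.00.4035.00;tcp;1050;np;\\\\XEN-XP-PATCHED\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;'
SAMPLE_SSRP = [0x05, SAMPLE_SSRP_BODY.bytesize].pack('Cv') + SAMPLE_SSRP_BODY

if __FILE__ == $PROGRAM_NAME
  parse_ssrp_response(SAMPLE_SSRP).each do |inst|
    puts "[*] Discovered MSSQL (#{inst.map { |k, v| "#{k}=#{v}" }.join(' ')})"
  end
end
```

The SSRP reply is the reason the MSSQL line is so informative: the Browser service hands out the instance name, version and the TCP port (1050 here, not the default 1433) to anyone who sends it a single byte, which is exactly the kind of detail a follow-up scan or exploit module needs.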

Source: https://offensive-security.com/metasploit-unleashed/scanner-discovery-auxiliary-modules/