In this walkthrough we use the Metasploit Framework, which ships by default with Kali Linux, to gather information about the hosts on a network. Metasploit is a powerful tool, widely used for scanning and information gathering in penetration-testing work.
1. To install Metasploit
*** Kali Linux terminal ***
*** run command ***
sudo apt install metasploit-framework

From the msfconsole prompt (msf6 >), run an Nmap scan of the lab subnet. The -oX Test option writes the results as an XML file named Test so they can be imported into the Metasploit database in the next step; -Pn skips host discovery, which is why Nmap warns that every address will be treated as up:
```
msf6 > nmap -Pn -sS -A -oX Test 192.168.56.0/24
[*] exec: nmap -Pn -sS -A -oX Test 192.168.56.0/24
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-11 12:26 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
WARNING: RST from 192.168.56.1 port 1234 -- is this port really open?
WARNING: RST from 192.168.56.1 port 1234 -- is this port really open?
WARNING: RST from 192.168.56.1 port 1234 -- is this port really open?
WARNING: RST from 192.168.56.1 port 1234 -- is this port really open?
WARNING: RST from 192.168.56.1 port 1234 -- is this port really open?
WARNING: RST from 192.168.56.1 port 1234 -- is this port really open?
Nmap scan report for 192.168.56.1
Host is up (0.00028s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
1234/tcp open tcpwrapped
MAC Address: 0A:00:27:00:00:00 (Unknown)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.21
OS details: Linux 2.4.21
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 192.168.56.1
Nmap scan report for 192.168.56.100
Host is up (0.00027s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:91:F7:87 (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.27 ms 192.168.56.100
Nmap scan report for 192.168.56.102
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_ssl-date: 2021-03-11T17:24:16+00:00; +10h26m40s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:F9:B5:26 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 10h26m39s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.56.102
Nmap scan report for 192.168.56.106
Host is up (0.00046s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.105
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2021-03-11T06:57:35+00:00; -1s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 46605/tcp mountd
| 100005 1,2,3 60285/udp mountd
| 100021 1,3,4 33732/tcp nlockmgr
| 100021 1,3,4 35855/udp nlockmgr
| 100024 1 44344/udp status
|_ 100024 1 53871/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Capabilities flags: 43564
| Some Capabilities: ConnectWithDatabase, Support41Auth, LongColumnFlag, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, SupportsCompression, SupportsTransactions
| Status: Autocommit
|_ Salt: !1pe+BL8rW<c^2x,kZaZ
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2021-03-11T06:57:34+00:00; -1s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:29:89:86 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h14m59s, deviation: 2h30m00s, median: -1s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2021-03-11T01:56:44-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.56.106
Nmap scan report for 192.168.56.105
Host is up (0.000038s latency).
All 1000 scanned ports on 192.168.56.105 are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 71.34 seconds
```
2. Importing the Nmap XML file
Import the XML file written by -oX Test into the Metasploit database, then list the hosts it now knows about:

db_import Test

hosts

3. Performing a Service Scan
db_nmap runs Nmap from inside msfconsole and stores the results directly in the database. Here it re-scans a single host, the Kioptrix VM at 192.168.56.102, with service and OS detection:

db_nmap -sS -A 192.168.56.102
```
msf6 > db_nmap -sS -A 192.168.56.102
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-11 12:46 IST
[*] Nmap: 'mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers'
[*] Nmap: Nmap scan report for 192.168.56.102
[*] Nmap: Host is up (0.00061s latency).
[*] Nmap: Not shown: 994 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
[*] Nmap: | ssh-hostkey:
[*] Nmap: | 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
[*] Nmap: | 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
[*] Nmap: |_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
[*] Nmap: |_sshv1: Server supports SSHv1
[*] Nmap: 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
[*] Nmap: | http-methods:
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
[*] Nmap: |_http-title: Test Page for the Apache Web Server on Red Hat Linux
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: | program version port/proto service
[*] Nmap: | 100000 2 111/tcp rpcbind
[*] Nmap: | 100000 2 111/udp rpcbind
[*] Nmap: | 100024 1 32768/tcp status
[*] Nmap: |_ 100024 1 32768/udp status
[*] Nmap: 139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
[*] Nmap: 443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
[*] Nmap: |_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
[*] Nmap: |_http-title: 400 Bad Request
[*] Nmap: | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
[*] Nmap: | Not valid before: 2009-09-26T09:32:06
[*] Nmap: |_Not valid after: 2010-09-26T09:32:06
[*] Nmap: |_ssl-date: 2021-03-11T17:44:32+00:00; +10h26m40s from scanner time.
[*] Nmap: | sslv2:
[*] Nmap: | SSLv2 supported
[*] Nmap: | ciphers:
[*] Nmap: | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
[*] Nmap: | SSL2_RC2_128_CBC_WITH_MD5
[*] Nmap: | SSL2_RC4_128_WITH_MD5
[*] Nmap: | SSL2_RC4_64_WITH_MD5
[*] Nmap: | SSL2_DES_64_CBC_WITH_MD5
[*] Nmap: | SSL2_RC4_128_EXPORT40_WITH_MD5
[*] Nmap: |_ SSL2_DES_192_EDE3_CBC_WITH_MD5
[*] Nmap: 32768/tcp open status 1 (RPC #100024)
[*] Nmap: MAC Address: 08:00:27:F9:B5:26 (Oracle VirtualBox virtual NIC)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.4.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.4
[*] Nmap: OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Host script results:
[*] Nmap: |_clock-skew: 10h26m39s
[*] Nmap: |_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
[*] Nmap: |_smb2-time: Protocol negotiation failed (SMB2)
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 0.61 ms 192.168.56.102
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 59.53 seconds
```
List the services that the import and db_nmap have stored for the scanned hosts:

> services

Then load the SMB version scanner module, review its options, point it at the Kioptrix host and run it. It reports the server version and SMB dialects the host negotiates, confirming the netbios-ssn finding from the Nmap output. THREADS sets how many hosts are scanned in parallel; with a single RHOSTS entry it makes no difference.

> use scanner/smb/smb_version
> show options
> set RHOSTS 192.168.56.102
> set THREADS 100

> run
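As an added example (not code from the original post or from the Metasploit project), the following Python script parses the kind of Nmap XML file produced by -oX Test in step 1 and imported with db_import in step 2, then flags the weaknesses that the service listing and SMB check in step 3 surface: SSH protocol 1, SSLv2, anonymous FTP, cleartext protocols and SMB signing disabled. The XML embedded in it is constructed to mirror two of the hosts above rather than being the page's real Test file, and the function names parse_nmap_xml and find_issues are my own.

```python
"""Parse Nmap XML (-oX) output and flag legacy or insecure services.

Added example, not from the original post: reads Nmap's XML format (the file
db_import consumes) and lists open ports plus findings a defender tracks.
"""
import xml.etree.ElementTree as ET

# CONSTRUCTED sample: a cut-down Nmap XML document modelled on two hosts from
# the scan above (not the page's real "Test" file). A third host is down.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.91">
 <host><status state="up"/>
  <address addr="192.168.56.102" addrtype="ipv4"/>
  <address addr="08:00:27:F9:B5:26" addrtype="mac"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="2.9p2"/>
    <script id="sshv1" output="Server supports SSHv1"/></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="https" product="Apache httpd" version="1.3.20"/>
    <script id="sslv2" output="SSLv2 supported"/></port>
   <port protocol="tcp" portid="445"><state state="closed"/>
    <service name="microsoft-ds"/></port>
  </ports>
  <hostscript>
   <script id="smb-security-mode"
           output="message_signing: disabled (dangerous, but default)"/>
  </hostscript>
 </host>
 <host><status state="up"/>
  <address addr="192.168.56.106" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="2.3.4"/>
    <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
   <port protocol="tcp" portid="23"><state state="open"/>
    <service name="telnet" product="Linux telnetd"/></port>
  </ports>
 </host>
 <host><status state="down"/><address addr="192.168.56.50" addrtype="ipv4"/></host>
</nmaprun>
"""

# Services whose credentials cross the wire unencrypted (Nmap service names).
CLEARTEXT_SERVICES = {"telnet", "ftp", "exec", "login", "shell"}


def parse_nmap_xml(xml_text):
    """Return {ip: {"ports": [...], "hostscripts": {id: output}}} for hosts
    that were up, keeping only ports whose state is "open"."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "version": " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v),
                # NSE script results attached to this port, keyed by script id
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        hostscripts = {s.get("id"): s.get("output", "")
                       for s in host.findall("./hostscript/script")}
        hosts[ip] = {"ports": ports, "hostscripts": hostscripts}
    return hosts


def find_issues(hosts):
    """Return (location, description) pairs for weak configurations."""
    issues = []
    for ip, info in hosts.items():
        for p in info["ports"]:
            where = f"{ip}:{p['port']}/{p['proto']}"
            scripts = p["scripts"]
            if "sshv1" in scripts:
                issues.append((where, "SSH protocol 1 offered"))
            if "supported" in scripts.get("sslv2", ""):
                issues.append((where, "SSLv2 supported"))
            if "allowed" in scripts.get("ftp-anon", ""):
                issues.append((where, "anonymous FTP login allowed"))
            if p["service"] in CLEARTEXT_SERVICES:
                issues.append((where, f"cleartext service {p['service']}"))
        if "message_signing: disabled" in info["hostscripts"].get("smb-security-mode", ""):
            issues.append((ip, "SMB message signing disabled"))
    return issues


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    for ip, info in found.items():
        print(ip)
        for p in info["ports"]:
            print(f"  {p['port']}/{p['proto']:<4} {p['service']:<8} {p['version']}")
    for where, what in find_issues(found):
        print(f"[!] {where}: {what}")
```

To run it against a real scan, replace SAMPLE_XML with the contents of the Test file; the same element names (host, address, ports/port, state, service, script, hostscript) are what Nmap writes, and closed or filtered ports are skipped exactly as the msfconsole services listing omits them.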
